RE: to understand --tcp-flags

> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx 
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ralf Braga
> Sent: Sunday, June 01, 2003 12:11 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: to understand --tcp-flags
> 
> 
> Hi,
> 
> I don't understand this command:
> 
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK \
> -m state --state NEW -j REJECT --reject-with tcp-reset
> 
> Why is SYN,ACK used two times in --tcp-flags SYN,ACK SYN,ACK?
> 
> 
> Will this example block packets with the SYN and ACK flags?
> 
> Thanks,

I don't understand this either. But the man page says
       --tcp-flags [!] mask comp
              Match when the TCP flags are as specified. The first argument
              is the flags which we should examine, written as a
              comma-separated list, and the second argument is a
              comma-separated list of flags which must be set. Flags are:
              SYN ACK FIN RST URG PSH ALL NONE. Hence the command
               iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
              will only match packets with the SYN flag set, and the
              ACK, FIN and RST flags unset.

So I think that your command means that SYN and ACK must be set and it
doesn't mind the others (FIN RST URG PSH) if they are set or unset.

Perhaps it's better to understand the --state. The good thing about state
is that it works with all protocols. The states are: NEW, ESTABLISHED,
RELATED, INVALID.

Still need more info on the tcp flags? Read rfc 793
(ftp://ftp.rfc-editor.org/in-notes/rfc793.txt).

/Klintan
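Added example (not part of the thread, not iptables or kernel source): a small Python model of how the `--tcp-flags mask comp` match evaluates a packet, together with a toy stand-in for `-m state --state NEW`, so the rule in the question can be walked through on constructed packets. The flag bit values are the ones from RFC 793; the `reject_rule_fires`, `is_state_new` and `conn_key` names and the addresses and ports are assumptions made for the example. It also shows why the rule matters: a SYN/ACK that conntrack cannot tie to a connection this host opened is NEW, so it gets a tcp-reset, while the SYN/ACK answering our own SYN is not NEW and passes.

```python
# Added example: model of iptables "--tcp-flags mask comp" plus a toy
# conntrack NEW check.  Illustrative code only; not iptables/kernel source.

# TCP flag bit positions in the 13th byte of the TCP header (RFC 793).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}
SHORTHANDS = {"ALL": 0x3F, "NONE": 0x00}   # the two shorthands the man page lists


def parse_flags(spec):
    """'SYN,ACK' -> 0x12.  Accepts the names the man page lists, any case."""
    value = 0
    for name in spec.upper().split(","):
        name = name.strip()
        if name in SHORTHANDS:
            value |= SHORTHANDS[name]
        elif name in FLAG_BITS:
            value |= FLAG_BITS[name]
        else:
            raise ValueError(f"unknown TCP flag: {name!r}")
    return value


def tcp_flags_match(pkt_flags, mask, comp, invert=False):
    """--tcp-flags [!] mask comp.

    Only the bits named in `mask` are examined; of those, exactly the bits
    named in `comp` must be set.  Bits outside `mask` are ignored, which is
    why 'SYN,ACK SYN,ACK' says nothing about FIN/RST/PSH/URG.
    A comp bit that is absent from mask can never be satisfied: the masked
    value has that bit cleared, so the equality below always fails.
    """
    m, c = parse_flags(mask), parse_flags(comp)
    matched = (pkt_flags & m) == c
    return matched != invert


# --- toy conntrack (assumption: a connection is keyed by its two endpoints,
# so both directions of the same flow share one key) ---------------------
def conn_key(pkt):
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])


def is_state_new(pkt, tracked_connections):
    """--state NEW: packet belongs to no connection conntrack already knows."""
    return conn_key(pkt) not in tracked_connections


def reject_rule_fires(pkt, tracked_connections):
    """The rule from the question:
       iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK \
           -m state --state NEW -j REJECT --reject-with tcp-reset
    Both matches must hold before the REJECT target runs."""
    return (tcp_flags_match(pkt["flags"], "SYN,ACK", "SYN,ACK")
            and is_state_new(pkt, tracked_connections))


# Constructed packets (documentation addresses, not captured traffic).
OUR_SYN = {"src": "192.0.2.10", "sport": 40000,
           "dst": "198.51.100.7", "dport": 443, "flags": parse_flags("SYN")}
TRACKED = {conn_key(OUR_SYN)}                       # conntrack saw our SYN go out
LEGIT_REPLY = {"src": "198.51.100.7", "sport": 443,  # server answers our SYN
               "dst": "192.0.2.10", "dport": 40000, "flags": parse_flags("SYN,ACK")}
STRAY_SYN_ACK = {"src": "203.0.113.5", "sport": 80,  # nobody here asked for this
                 "dst": "192.0.2.10", "dport": 31337, "flags": parse_flags("SYN,ACK")}


if __name__ == "__main__":
    for spec in ("SYN", "SYN,ACK", "SYN,ACK,PSH", "ACK"):
        bits = parse_flags(spec)
        print(f"{spec:12} SYN,ACK SYN,ACK -> {tcp_flags_match(bits, 'SYN,ACK', 'SYN,ACK')}"
              f"   SYN,ACK,FIN,RST SYN -> {tcp_flags_match(bits, 'SYN,ACK,FIN,RST', 'SYN')}")
    print("reply to our SYN rejected:", reject_rule_fires(LEGIT_REPLY, TRACKED))
    print("unsolicited SYN/ACK rejected:", reject_rule_fires(STRAY_SYN_ACK, TRACKED))
```

Run it as a script to see the table: `SYN,ACK,PSH` still matches `SYN,ACK SYN,ACK` because PSH is outside the mask, while the man page's `SYN,ACK,FIN,RST SYN` accepts only the bare SYN. The conntrack part is deliberately minimal; real conntrack also tracks sequence numbers and TCP state, but the NEW/not-NEW distinction it makes for these two packets is the same.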