Hi,

On Thu, 2003-09-04 at 10:50, Atsushi Nakagawa wrote:
> What iptables table/rule can I use to drop RST (TCP) packets that're in
> reply to SYN?
> This is what I want it to do:
>
>   -SYN->  [NEW]     -SYN->
>   [CLOSED]          <-RST-
>                       ^
>   IF TCP & [NEW]: DROP '<-RST-' & SET [CLOSED]

Using the current state implementation, AFAIK this is not possible. The RST
is already an established packet. There is no way to differentiate between
this RST and a later valid and needed RST packet. You can only drop all RST
packets:

  -m state --state ESTABLISHED -p tcp --tcp-flags RST,ACK RST,ACK -j DROP

Cheers,

Ralf

--
Ralf Spenneberg RHCE, RHCX
Book: Intrusion Detection für Linux Server
http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
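To make the point concrete, here is an added toy model of the iptables state match (example code written for this page, not netfilter code and not from the thread). It assumes a minimal segment record and two constructed traces: one where the server refuses the SYN with RST/ACK, and one where a legitimate RST/ACK arrives after a completed handshake; the state match and the quoted rule treat both RSTs identically.

```python
"""Toy model of `-m state` classification, constructed for illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    src: str          # "ip:port" of the sender (constructed values below)
    dst: str          # "ip:port" of the receiver
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN"})


class ToyStateMatch:
    """First SYN on a tuple creates a NEW entry; every later packet on that tuple,
    including an RST answering the SYN, is classified ESTABLISHED."""
    def __init__(self):
        self.entries = set()

    def state(self, seg):
        key = frozenset({seg.src, seg.dst})  # direction-agnostic tuple
        if key in self.entries:
            return "ESTABLISHED"
        if seg.flags == frozenset({"SYN"}):
            self.entries.add(key)
            return "NEW"
        return "INVALID"


def rule_drops(seg, state):
    """-m state --state ESTABLISHED -p tcp --tcp-flags RST,ACK RST,ACK -j DROP"""
    return state == "ESTABLISHED" and {"RST", "ACK"} <= seg.flags


def evaluate(trace):
    """Return (state, dropped) for each segment of a trace, in order."""
    tracker = ToyStateMatch()
    result = []
    for seg in trace:
        st = tracker.state(seg)
        result.append((st, rule_drops(seg, st)))
    return result


C, S = "10.0.0.1:40000", "10.0.0.2:80"  # constructed client and server endpoints
F = lambda *names: frozenset(names)

# Trace A: port closed, the SYN is answered with RST/ACK (the packet the OP wants to drop).
REFUSED = [Seg(C, S, F("SYN")), Seg(S, C, F("RST", "ACK"))]
# Trace B: full handshake and data, then a legitimate RST/ACK later in the session.
ABORTED = [Seg(C, S, F("SYN")), Seg(S, C, F("SYN", "ACK")), Seg(C, S, F("ACK")),
           Seg(C, S, F("PSH", "ACK")), Seg(S, C, F("RST", "ACK"))]

if __name__ == "__main__":
    for name, trace in (("refused", REFUSED), ("aborted", ABORTED)):
        print(name, evaluate(trace))  # both RST/ACKs: ('ESTABLISHED', True)
```

Both traces end in ('ESTABLISHED', True): the state match sees the RST reply to a SYN and the later RST on a live connection as the same class, so the rule drops both or neither.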
Blocking the RST packets on the firewall is not recommended. If the attacker comes to know that the server is dropping RST packets, then he can flood the servers by initiating lakhs of connections, which in turn results in the CLOSE_WAIT state.
--
Regards,
Dharmendra.T
dharmu@xxxxxxxxxxx
Linux Security and Admin