Here is what I do:
# Log, then reject, each suspicious TCP flag combination arriving on eth0.
# ALL as the mask means the listed flags must be set and every other flag clear.
# SYN+ACK with nothing else set (note: unless an earlier FORWARD rule accepts
# ESTABLISHED traffic, this also matches the replies to connections opened from inside)
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,ACK -j LOG --log-prefix " SYNACK "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,ACK -j REJECT --reject-with icmp-host-unreachable
# SYN+FIN together is never legitimate
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix " SYNFINSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j REJECT --reject-with icmp-host-unreachable
# bare FIN without ACK: FIN scan
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN -j LOG --log-prefix " FINSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN -j REJECT --reject-with icmp-host-unreachable
# no flags at all: NULL scan
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL NONE -j LOG --log-prefix " NULLSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-host-unreachable
# FIN+PSH+URG: nmap Xmas scan
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG --log-prefix " NMAPXMAS "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN,PSH,URG -j REJECT --reject-with icmp-host-unreachable
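The following is an added example, not the rules from the post above. It collects the same flag patterns into a dedicated user chain (the chain name SCANTRAP, the $WAN variable, the rate limit on the LOG rules and the IPT=echo dry-run default are all assumptions of this example) and adds a small awk summary of what the LOG rules write to the kernel log, run here over constructed sample lines rather than real captures. The SYN/ACK test is written with --state NEW so that it only fires for packets conntrack cannot tie to an existing connection.

```shell
#!/bin/sh
# Added example, not the rules from the post above.  Assumptions: a user
# chain named SCANTRAP, the WAN interface in $WAN, and IPT=echo as the
# default so the script only prints the commands (dry run); run it as root
# with IPT=iptables to really load them.
IPT="${IPT:-echo}"
WAN="${WAN:-eth0}"

# Emit one rate-limited LOG rule and one REJECT rule for a flag pattern.
# $4 is an optional extra match (for example a conntrack state test).
scan_rule() {
    mask="$1"; flags="$2"; prefix="$3"; extra="${4:-}"
    # $extra is deliberately unquoted so that it splits into separate words
    $IPT -A SCANTRAP -p tcp --tcp-flags "$mask" "$flags" $extra \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$prefix " --log-level warning
    $IPT -A SCANTRAP -p tcp --tcp-flags "$mask" "$flags" $extra \
        -j REJECT --reject-with icmp-host-unreachable
}

build_scantrap() {
    $IPT -N SCANTRAP
    # The four flag combinations from the post above.
    scan_rule ALL SYN,FIN     SYNFINSCAN
    scan_rule ALL FIN         FINSCAN
    scan_rule ALL NONE        NULLSCAN
    scan_rule ALL FIN,PSH,URG NMAPXMAS
    # A SYN/ACK is only suspicious when conntrack has no connection for it;
    # testing --state NEW keeps the rule from rejecting the replies to
    # connections the LAN opened.
    scan_rule SYN,ACK SYN,ACK SYNACK "-m state --state NEW"
    # Hook the chain into FORWARD behind the established-traffic accept, so
    # only packets that start something new from the WAN side reach it.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -p tcp -j SCANTRAP
}

# Constructed sample of what the LOG rules write to the kernel log (not real
# captures): three scan hits from two sources and one unrelated line.
SAMPLE_LOG='Mar  3 01:02:03 fw kernel: NMAPXMAS IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  3 01:02:03 fw kernel: NMAPXMAS IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=10 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  3 01:02:04 fw kernel: NULLSCAN IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=11 PROTO=TCP SPT=40002 DPT=443 WINDOW=1024 RES=0x00 URGP=0
Mar  3 01:02:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 SYN URGP=0'

# Read kernel log text on stdin and print, per scan type and source address,
# the hit count and the destination ports touched.  Lines without one of our
# prefixes are ignored.
summarize_scans() {
    awk '
    match($0, / (SYNACK|SYNFINSCAN|FINSCAN|NULLSCAN|NMAPXMAS) /) {
        prefix = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        key = prefix " " src
        count[key]++
        ports[key] = (count[key] > 1) ? ports[key] "," dpt : dpt
    }
    END { for (k in count) print k, count[k], ports[k] }' | sort
}

# Usage: sh scantrap.sh demo               (dry run of the rules, then the log summary)
#        IPT=iptables sh scantrap.sh load  (as root, really load the chain)
case "${1:-}" in
    load) build_scantrap ;;
    demo) build_scantrap; printf '%s\n' "$SAMPLE_LOG" | summarize_scans ;;
esac
```

Two design points worth noting: the LOG rules carry a -m limit so that a scanner cannot flood syslog through the firewall's own logging, while the REJECT rules are unlimited and still apply to every matching packet; and the ESTABLISHED,RELATED accept is placed in FORWARD before the jump, so the flag tests only ever see packets that are not part of a known connection. Running the demo prints the thirteen dry-run commands followed by one summary line per (prefix, source) pair, with the unrelated ACCEPT line left out.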
Hey Chris -
I've taken a rudimentary stab at these kinds of rules with mixed success and your post brings up a couple of questions:
Here are the rules I'm using now:
# Chain to trap bad packets before they enter the system.
# (Bad_Packet is a user chain, created with -N and jumped to from the built-in chains; that part is not shown here.)
$iptables -A Bad_Packet -p tcp -m state --state INVALID -j LOG --log-level debug
$iptables -A Bad_Packet -p tcp -m state --state INVALID -j DROP
# As posted this rule has no -j target, so it only counts matching packets and takes no action.
$iptables -A Bad_Packet -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW
# The --log-level value is missing from the post as reproduced; debug is assumed here, matching the INVALID rule above.
$iptables -A Bad_Packet -p tcp ! --syn -m state --state NEW -j LOG --log-level debug
$iptables -A Bad_Packet -p tcp ! --syn -m state --state NEW -j DROP
1. These obviously are different from your rules. Are these rules useful or should I just replace them with rules similar to yours?
2. I tried applying rules like these with -p all and I ended up trapping all kinds of local ICMP traffic and broke lots of things. Should I have these kinds of stateful rules for other protocols or doesn't that matter?
Jeff