> If you're really paranoid, you can also enforce that TCP packets flagged
> as ESTABLISHED should not be SYN ones:
>
> iptables -A FORWARD -m state --state ESTABLISHED -p tcp \
> ! --syn -j ACCEPT

And if you're really really PARANOID try this for new TCP :-)

iptables -A FORWARD -p tcp -m state --state NEW --syn -m length \
--length 40:68 -j ACCEPT

New SYN packets are 40 to 68 bytes (depending on IP options) - without payload.

Regards,
Maciej
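The second rule in the message above, modelled offline as an added example (not code from the list or from netfilter): it builds constructed IPv4+TCP headers and checks them the way `--syn` (SYN set, ACK/RST/FIN clear) and `-m length --length 40:68` (IP total length) would; conntrack state is assumed to be NEW, and the addresses and ports are arbitrary.

```python
import struct

# TCP flag bits in the 14th byte (offset 13) of the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def build_packet(tcp_options=b"", ip_options=b"", flags=SYN, payload=b""):
    """Constructed IPv4+TCP packet; checksums are left zero (offline model only)."""
    # Both option fields must be padded to a 4-byte boundary for the length fields.
    ip_options += b"\x00" * (-len(ip_options) % 4)
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    ihl = 5 + len(ip_options) // 4         # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4       # TCP data offset in 32-bit words
    total = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0x4000,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, flags,
                          65535, 0, 0)
    return ip_hdr + ip_options + tcp_hdr + tcp_options + payload

def ip_total_length(pkt):
    """What -m length compares against: the IP total length field."""
    return struct.unpack("!H", pkt[2:4])[0]

def matches_syn(pkt):
    """iptables --syn: SYN set and ACK, RST and FIN all clear."""
    ihl = (pkt[0] & 0x0F) * 4
    flags = pkt[ihl + 13]
    return bool(flags & SYN) and not flags & (ACK | RST | FIN)

def matches_paranoid_new_rule(pkt, lo=40, hi=68):
    """Model of: -p tcp -m state --state NEW --syn -m length --length 40:68."""
    return matches_syn(pkt) and lo <= ip_total_length(pkt) <= hi

# A typical Linux SYN: MSS, SACK-permitted, timestamps, NOP, window scale (20 bytes).
TYPICAL_SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
                       + b"\x01" + b"\x03\x03\x07")

if __name__ == "__main__":
    for name, pkt in [("bare SYN", build_packet()),
                      ("typical SYN", build_packet(TYPICAL_SYN_OPTIONS)),
                      ("SYN+ACK", build_packet(flags=SYN | ACK)),
                      ("SYN with payload", build_packet(payload=b"A" * 40))]:
        print(f"{name:17} len={ip_total_length(pkt):3} accept={matches_paranoid_new_rule(pkt)}")
```

Note that a SYN carrying the full 40 bytes of TCP options is 80 bytes and falls outside 40:68, so the range should be checked against the option sets your clients actually send.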