Re: Defeating NMAP Null scans (and Nessus scans).


 



On Wed, 22 Jun 2005, Taylor, Grant wrote:

# Drop any Null scan packets.
iptables -t filter -A FORWARD -i $INet -o $LAN -p tcp --tcp-flags ALL NONE -j DROP

# We could put any matches for any other type of scan that we wanted to here too.


# Allow any stateful traffic back in.
iptables -t filter -A FORWARD -i $INet -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

TCP packets without flags are possible during a normal TCP connection; you don't want to drop them. --state ESTABLISHED,RELATED would never let in NULL scans anyway, because a NULL scan won't establish a valid TCP connection before it sends flagless packets.

			Alexey
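As an added example that is not part of this thread: if the DROP rule above is preceded by a -j LOG rule (an assumption; the quoted rules do not log), the resulting kernel log lines can be checked for flagless TCP packets. The parser below applies the same test as --tcp-flags ALL NONE, where iptables' ALL means SYN,ACK,FIN,RST,URG,PSH, and counts hits per source address; the log lines are constructed samples.

```python
import re
from typing import Dict, List, Optional, Set

# The six flags that iptables' --tcp-flags "ALL" keyword covers (CWR/ECE are not part of ALL).
ALL_FLAGS = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}

# Constructed sample iptables LOG output: two flagless probes, a normal SYN and ACK, one ICMP echo.
SAMPLE_LOG = """\
Jun 22 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=0 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Jun 22 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=0 PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Jun 22 10:01:03 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 22 10:01:04 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Jun 22 10:01:05 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Return SRC/DST/DPT and the set of TCP flags from one LOG line, or None if it is not TCP."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    if fields.get("PROTO") != "TCP":
        return None
    # The LOG target prints the set flags as bare words between RES=... and URGP=...
    m = re.search(r"RES=\S+\s+(.*?)\s*URGP=", line)
    flags: Set[str] = set(m.group(1).split()) if m else set()
    return {"src": fields.get("SRC"), "dst": fields.get("DST"), "dpt": fields.get("DPT"), "flags": flags}


def matches_all_none(flags: Set[str]) -> bool:
    """True when none of the flags in iptables' ALL set is present, i.e. what --tcp-flags ALL NONE matches."""
    return not (flags & ALL_FLAGS)


def find_null_scan_sources(lines: List[str]) -> Dict[str, int]:
    """Count flagless TCP packets per source address."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None and matches_all_none(rec["flags"]):
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for src, n in find_null_scan_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} flagless TCP packet(s)")
```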

