> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG
                 ^^^^^^^^^^

There has also been a debate over whether -t nat should be used in favor of
-t filter, and the answer was: do it in -t filter -A INPUT.

> # FIN scan, nmap v3.0 sends ACK,FIN FIN

It sends what matches --tcp-flags ALL FIN

> # SYN,FIN SYN,FIN does not match nmap
> # FIN FIN gets false positives when using SSH TARPIT
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state --state NEW
> -j LOG --log-prefix "PREROUTING: " --log-tcp-options --log-ip-options
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state --state NEW
> -j DROP
>
> Kind Regards and thanks in advance
> Brent Clark
>
> P.s. If anyone knows of any other rules I can add, it would be gratefully
> appreciated.

You can make it simpler:
http://lists.netfilter.org/pipermail/netfilter/2005-July/061531.html

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
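The whole exchange turns on how the iptables `--tcp-flags MASK COMP` match works: a packet matches when the flags selected by MASK are exactly COMP. The following is an added example, not code from the thread or from netfilter; it models that match in Python and runs the five MASK/COMP pairs mentioned above against constructed sample packets (an nmap `-sF` probe carrying only FIN, an Xmas probe, a normal FIN/ACK close, a SYN and a data segment) so that the "false positives" and "does not match nmap" remarks can be checked rather than taken on faith. The packet set and rule names are assumptions made for the example; conntrack state (`-m state --state NEW`) is not modelled.

```python
"""Model of the netfilter ``--tcp-flags MASK COMP`` match.

Added example, not code from the mailing-list thread.  A packet matches a
rule when (packet_flags & MASK) == COMP.  The sample packets below are
constructed for the example, not captured traffic.
"""

# Flag bit values as they appear in the TCP header (RFC 793 order).
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
}

# iptables' "ALL" keyword covers these six flags.
ALL_FLAGS = sum(TCP_FLAGS.values())


def parse_flags(spec):
    """Parse an iptables flag list such as 'SYN,FIN', 'ALL' or 'NONE'."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name]  # KeyError on an unknown flag name, like iptables rejecting it
    return bits


def tcp_flags_match(packet_flags, mask_spec, comp_spec):
    """True if the packet matches ``--tcp-flags mask_spec comp_spec``."""
    mask = parse_flags(mask_spec)
    comp = parse_flags(comp_spec)
    # Sanity check belonging to this model: a COMP bit outside MASK can never
    # be satisfied, so such a rule would silently match nothing.
    if comp & ~mask:
        raise ValueError("COMP flags must be a subset of MASK: %s %s" % (mask_spec, comp_spec))
    return (packet_flags & mask) == comp


# Constructed sample packets, keyed by a human-readable description.
SAMPLE_PACKETS = {
    "nmap -sF FIN probe": parse_flags("FIN"),
    "nmap -sX Xmas probe": parse_flags("FIN,PSH,URG"),
    "normal close (FIN,ACK)": parse_flags("FIN,ACK"),
    "connection open (SYN)": parse_flags("SYN"),
    "data segment (PSH,ACK)": parse_flags("PSH,ACK"),
}

# The MASK/COMP pairs discussed in the thread.
RULES = {
    "ALL FIN,URG,PSH": ("ALL", "FIN,URG,PSH"),
    "ALL FIN": ("ALL", "FIN"),
    "SYN,FIN SYN,FIN": ("SYN,FIN", "SYN,FIN"),
    "FIN FIN": ("FIN", "FIN"),
    "ACK,FIN FIN": ("ACK,FIN", "FIN"),
}


def evaluate(rules=RULES, packets=SAMPLE_PACKETS):
    """Return {rule name: set of sample packet names the rule matches}."""
    result = {}
    for name, (mask_spec, comp_spec) in rules.items():
        result[name] = {
            pkt for pkt, flags in packets.items()
            if tcp_flags_match(flags, mask_spec, comp_spec)
        }
    return result


if __name__ == "__main__":
    for rule, hits in evaluate().items():
        print("--tcp-flags %-16s matches: %s" % (rule, ", ".join(sorted(hits)) or "(nothing)"))
```

Running it shows why the thread converges on `ALL FIN`: it matches only the bare-FIN probe, whereas `FIN FIN` also matches every ordinary FIN/ACK teardown (the false positives), `SYN,FIN SYN,FIN` matches none of these packets, and `ACK,FIN FIN` matches both the FIN and the Xmas probe but lets normal closes through.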