Thanks a lot Pascal, iptables -A FORWARD -p tcp --tcp-option 76 -j REJECT seems to be working.

On Mon, 2007-05-21 at 20:27 +0200, Pascal Hambourg wrote:
> Hello,
>
> Glenn Terjesen wrote:
> > What I meant with "experimental tcp options" is that my ids (snort)
> > kept logging these "experimental tcp options"
> >
> > #
> > code 76
> > length 8
> > data 01019DEDBEF00005
> >
> > I know this ain't a snort list, but my servers don't serve any services
> > that require this kind of traffic.
> >
> > So I was wondering if iptables has any way of blocking these.
>
> If you have a black list of options you want to drop (or a white list of
> allowed options), what about the "--tcp-option" option of the "tcp" match ?
>
> > These two magic lines fixed it all
> > iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
> > iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
>
> I wonder how these rules could drop packets according to TCP options.
> TCP flag combinations are not TCP options.
>

--
Best regards, Glenn Terjesen @ Webcat AS
Tel: +47 37 02 20 20
E-mail: support@xxxxxxxxx
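The check that an `iptables -p tcp --tcp-option 76` rule performs, and that `--tcp-flags` rules cannot, is a walk over the TCP options area looking for a given option kind. The following is an added Python example, not code from this thread or from netfilter: it parses a constructed TCP header carrying the kind-76 option Snort logged (data 01019DEDBEF00005, so a length byte of 10) and reports whether that kind is present. The port, sequence and window values and the leading NOP are assumptions.

```python
import struct

# Option kinds that carry no length byte (RFC 793).
EOL, NOP = 0, 1

def parse_tcp_options(tcp_header: bytes):
    """Return [(kind, data), ...] for every option in a TCP header.

    The data offset (upper 4 bits of byte 12) gives the header length in
    32-bit words; bytes 20..offset are options. EOL ends the list, NOP is
    a lone padding byte, anything else is kind, length (which counts the
    kind and length bytes too), data. A length that is too small or runs
    past the header raises ValueError, which a matcher should treat as a
    malformed packet rather than silently ignore.
    """
    if len(tcp_header) < 20:
        raise ValueError("short TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d missing length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found

def has_tcp_option(tcp_header: bytes, kind: int) -> bool:
    """The test behind `iptables ... -p tcp --tcp-option <kind>`."""
    return any(k == kind for k, _ in parse_tcp_options(tcp_header))

def build_sample_header(options: bytes) -> bytes:
    """Constructed TCP header (ports, seq/ack, flags, window are arbitrary)
    with the given options padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + options

# The option Snort logged: kind 76, eight data bytes, so length byte 10.
# A NOP in front is assumed padding, as stacks commonly emit.
SAMPLE_OPTION_76 = b"\x01" + bytes([76, 10]) + bytes.fromhex("01019DEDBEF00005")
SAMPLE_HEADER = build_sample_header(SAMPLE_OPTION_76)

if __name__ == "__main__":
    for kind, data in parse_tcp_options(SAMPLE_HEADER):
        print("option kind %d data %s" % (kind, data.hex()))
    print("match --tcp-option 76:", has_tcp_option(SAMPLE_HEADER, 76))
```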