Re: Query: Stateful parameters Explicitly and Implicitly defined, which is it?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



netfilter-owner@xxxxxxxxxxxxxxx wrote:
Mart Frauenlob wrote:

Usually I normalize TCP traffic, even before it hits the rules for the servers, but if i wouldn't do it globally, I'd rather write the rule like this: iptables -A FORWARD -i eth0 -m tcp --dport 80 --tcp-flags SYN -m state --state NEW -j ACCEPT

I see your using stateful operators also in the above rule. Why would there be a need to use the stateless SYN flag operator given the NEW operaror implicitly handles this?


Because NEW to the connection tracker means any new packet, which is not ESTABLISHED,RELATED, or INVALID. So it's not necessarily a tcp syn packet. Explicitly defining -m tcp --syn makes sure it's a valid tcp connection attempt.
I understand you now, I hope!

Although, given the protocol is TCP we know explicitly its not a UDP new connection attempt. But forcing the syn check ensures that the particular TCP packet is the kind we want.

So in all, its a further set of "checks and balances" that provide additional security, perhaps from various packet crafting situations where a packet may have both the syn and ack for example set.

That's why I talked about normalizing the tcp traffic. Many rulesets place a rule like this (quite on top) to remove bad tcp packets:
iptables -N bad_tcp
iptables -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP

for c in INPUT FORWARD; do
   iptables -A $c -p tcp -j bad_tcp
done

Yes another common rule that's on top of the bad_tcp chain is:
-p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

but you can read that in the tutorials ;-)

You might check out the iptables tutorial on frozentux, which may answer many of your questions:
http://www.frozentux.net/documents/iptables-tutorial/

and also read this:
http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf

perfect, thanks.

Regards

Mart
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux