On November 8, 2003 06:01 am, Alex wrote:
> What rules should be set with iptables to block SYN attacks and still allow
> legitimate traffic? The machine that I'm talking about is a squid cache
> server with about 200 clients which also acts as a router with NAT for one
> box on the private LAN.
>
> I did try several approaches but it seems that the rules also interfere
> with client-to-squid connections.
>
> Any thoughts on that?
>
> Thanks!
>
> Alex

Hi, if the SYN is to a valid listening port, I don't see what can be done to
stop the scan as it is a valid packet. However, if you are being flooded with
SYNs from a single source to a specific port, you may want to set iptables to
limit requests. Of course this may also interfere with legitimate client
traffic to that service. I don't know that you could set a limit on an inbound
source IP without calling some script from within the rules, which would
likely bog down the fw.

I haven't tried them, but according to nmap, Synlogger and Courtney will
detect the SYN scans, so at least you could find the source and block them.
Not too dynamic of a solution but you may get some info as to who is causing
you grief.

--
Pete Nesbitt, rhce

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
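Added example, not part of either message above. It shows one way to throttle a SYN flood per source address from inside iptables itself, with no external script: the hashlimit match keeps a per-source-IP counter, so a single flooding host is dropped while the other ~200 squid clients are unaffected, and SYN cookies are enabled as the kernel-side fallback. The interface name (eth0), squid port (3128), the rate limits and the SYN_LIMIT chain name are assumptions chosen for the example. The script only prints the rules unless APPLY=1 is set, so it can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example: per-source SYN rate limiting for a squid box.
# Assumptions (not from the thread): squid listens on TCP 3128, clients
# arrive on eth0, and the kernel/iptables build has the hashlimit match.

# syn_rules IFACE PORT -> prints the iptables commands, one per line.
# New SYNs to PORT go through SYN_LIMIT; a source sending up to 30 SYN/s
# (burst 60) RETURNs to normal processing, anything faster is logged
# (rate-limited so the log itself cannot be flooded) and dropped.
syn_rules() {
    iface="$1"
    port="$2"
    cat <<EOF
iptables -N SYN_LIMIT
iptables -A SYN_LIMIT -m hashlimit --hashlimit-name syn_${port} --hashlimit-mode srcip --hashlimit-upto 30/second --hashlimit-burst 60 -j RETURN
iptables -A SYN_LIMIT -m limit --limit 5/minute -j LOG --log-prefix "SYN-LIMIT: "
iptables -A SYN_LIMIT -j DROP
iptables -A INPUT -i ${iface} -p tcp --dport ${port} --syn -j SYN_LIMIT
EOF
}

# syn_sysctl -> kernel settings that make a half-open flood survivable even
# when the iptables limit is tuned too loosely.
syn_sysctl() {
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
    # Live mode: feed the rules to sh and push the sysctls (needs root).
    syn_rules "${IFACE:-eth0}" "${PORT:-3128}" | sh -e
    syn_sysctl | sed 's/ = /=/' | while read -r kv; do sysctl -w "$kv"; done
else
    # Dry run: show what would be applied.
    syn_rules "${IFACE:-eth0}" "${PORT:-3128}"
    syn_sysctl
fi
```

Run it once without APPLY to inspect the output, then `APPLY=1 IFACE=eth0 PORT=3128 sh syn_limit.sh` as root. The limits are deliberately generous: a legitimate browser opening a handful of connections never approaches 30 SYN/s, so the trade-off Pete mentions (throttling real clients) only bites at rates that are already abusive. Watch the kernel log for the "SYN-LIMIT:" prefix to see which sources are being dropped.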