On Wednesday 02 October 2002 13:00, Roberto Nibali wrote:
> > iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j REJECT
> > with these enabled both http and ftp are unavailable.
> > from the external network and I get log entries.
>
> What do they look like, the log entries I mean?
>
> IIRC, with the semantics of iptables and your rules you REJECT packets with
> the state NEW (every incoming packet).
Not quite :-)
Only 'NEW' packets _without_ SYN bit ('! --syn') are rejected, and that's
quite a good practice if your machine doesn't get asymmetrically routed
packets.
On the netfilter mailing list a related issue was raised yesterday btw about
the combination SYN+FIN, which is considered 'legal' for the --syn option,
but only serves a goal as portscanning tool and should also be dropped.
Something like '--tcp-flags SYN,FIN SYN,FIN -j DROP' (or reject) should work.
--
Martijn
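Added example, not from the thread: a small POSIX shell model of how the iptables `--tcp-flags MASK COMP` match evaluates a segment's flags, with the `--syn` shorthand modelled as mask SYN,RST,ACK compared against SYN (an assumption about the iptables of that time, which is what lets SYN+FIN count as "syn" in the first rule). It shows which verdict the two rules from the thread give for a few constructed flag combinations.

```shell
#!/bin/sh
# Model of iptables "--tcp-flags MASK COMP": a segment matches when
# (segment_flags & MASK) == COMP.  Bit values follow the TCP header.

flag_bit() {
  case "$1" in
    FIN) echo 1 ;; SYN) echo 2 ;; RST) echo 4 ;;
    PSH) echo 8 ;; ACK) echo 16 ;; URG) echo 32 ;;
    *) echo "unknown TCP flag: $1" >&2; return 1 ;;
  esac
}

# flags_to_bits "SYN,FIN" -> 3 (comma-separated list, as on the iptables command line)
flags_to_bits() {
  local bits=0 name oldifs
  oldifs=$IFS; IFS=','
  for name in $1; do
    bits=$(( bits | $(flag_bit "$name") ))
  done
  IFS=$oldifs
  echo "$bits"
}

# tcp_flags_match MASK COMP SEGMENT_FLAGS -> exit status 0 if the rule matches
tcp_flags_match() {
  local mask comp seg
  mask=$(flags_to_bits "$1"); comp=$(flags_to_bits "$2"); seg=$(flags_to_bits "$3")
  [ $(( seg & mask )) -eq "$comp" ]
}

# --syn as assumed here: SYN set, RST and ACK clear, FIN not inspected,
# so a SYN+FIN segment still satisfies "--syn".
syn_match() { tcp_flags_match SYN,RST,ACK SYN "$1"; }

# Rule from the thread: '! --syn -m state --state NEW -j REJECT'.
# Verdict for a segment in conntrack state NEW: "REJECT" or "pass".
new_packet_verdict() {
  if syn_match "$1"; then echo pass; else echo REJECT; fi
}

# Proposed extra rule: '--tcp-flags SYN,FIN SYN,FIN -j DROP'.
synfin_verdict() {
  if tcp_flags_match SYN,FIN SYN,FIN "$1"; then echo DROP; else echo pass; fi
}

# Constructed segments: plain SYN, bare ACK, SYN+ACK, SYN+FIN
for f in SYN ACK SYN,ACK SYN,FIN; do
  printf '%-8s new-rule=%-7s synfin-rule=%s\n' "$f" "$(new_packet_verdict "$f")" "$(synfin_verdict "$f")"
done
```

The SYN+FIN line is the case the thread raises: it passes the `! --syn` rule but is dropped by the explicit SYN,FIN match, so the second rule belongs before the state rule.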