iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j REJECT
With these enabled both http and ftp are unavailable from the external
network, and I get log entries.
What do they look like, the log entries I mean?
IIRC, given the semantics of iptables, with your rules you REJECT packets with
the state NEW (every incoming packet).
Not quite :-)
Only 'NEW' packets _without_ SYN bit ('! --syn') are rejected, and that's
quite a good practice if your machine doesn't get asymmetrically routed
packets.
I stand corrected. You're right of course.
On the netfilter mailing list a related issue was raised yesterday, btw, about
the combination SYN+FIN, which is considered 'legal' for the --syn option,
but only serves a goal as portscanning tool and should also be dropped.
Yes. --syn only means SYN bit set.
Something like '--tcp-flags SYN,FIN SYN,FIN -j DROP' (or reject) should work.
You can still remove conntrack entries with a well placed RST flag. Just
send a packet with the matching template <srcIP, srcPORT, dstIP,
dstPORT> and the RST bit set. Will happily remove conntrack entries.
Only the TCP window tracking patch will fix this issue. I don't even
start talking about stateful filtering before this.
Cheers,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
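The three points made in the thread (NEW packets without SYN getting rejected, SYN+FIN slipping past '--syn' until a '--tcp-flags SYN,FIN SYN,FIN' rule catches it, and a matching RST wiping a conntrack entry unless sequence numbers are window-checked) can be walked through in a small simulation. This is an added example, not netfilter code and not from any poster; it models '--syn' the way the thread describes it (SYN set, ACK and RST clear, FIN not examined; later iptables releases also require FIN clear), models conntrack both without and with window tracking, and uses constructed addresses and sequence numbers.

```python
"""Added simulation of the netfilter behaviour discussed in the thread.

Not netfilter code. Assumptions: --syn is modelled as the thread describes it
(SYN set, ACK and RST clear; FIN not examined, so SYN+FIN still matches; later
iptables releases also require FIN clear). Conntrack is modelled two ways: the
pre-window-tracking one the thread complains about (any RST whose 4-tuple
matches deletes the entry) and a window-checked one (an RST is honoured only if
its sequence number falls in the expected window). Addresses are constructed.
"""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int = 0


def tcp_flags_match(flags: int, mask: int, comp: int) -> bool:
    """iptables --tcp-flags MASK COMP: of the bits in MASK, exactly COMP are set."""
    return flags & mask == comp


def is_syn(flags: int) -> bool:
    """--syn as the thread describes it: SYN set, ACK and RST clear, FIN ignored."""
    return tcp_flags_match(flags, SYN | ACK | RST, SYN)


class Conntrack:
    WINDOW = 65535  # assumed fixed receive window for the simulation

    def __init__(self, window_tracking: bool = False):
        self.window_tracking = window_tracking
        self.table = {}  # 4-tuple -> next expected client sequence number

    @staticmethod
    def key(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport)

    def state(self, p: Packet) -> str:
        return "ESTABLISHED" if self.key(p) in self.table else "NEW"

    def update(self, p: Packet) -> None:
        k = self.key(p)
        if p.flags & SYN and k not in self.table:
            self.table[k] = p.seq + 1
        elif p.flags & RST and k in self.table:
            expected = self.table[k]
            # Without window tracking any RST on the right 4-tuple wipes the entry.
            if not self.window_tracking or expected <= p.seq < expected + self.WINDOW:
                del self.table[k]


def filter_input(p: Packet, ct: Conntrack) -> str:
    """Apply the two INPUT rules from the thread in order, then update conntrack."""
    # iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    if tcp_flags_match(p.flags, SYN | FIN, SYN | FIN):
        return "DROP"
    # iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j REJECT
    if ct.state(p) == "NEW" and not is_syn(p.flags):
        return "REJECT"
    ct.update(p)
    return "ACCEPT"


def run_scenario(window_tracking: bool = False) -> dict:
    """Client handshake, an attacker's spoofed RST, then the client's next segment."""
    ct = Conntrack(window_tracking)
    client = dict(src="198.51.100.7", sport=40000, dst="192.0.2.10", dport=80)
    v = {}
    v["stray_ack"] = filter_input(Packet(**client, flags=ACK, seq=5), ct)
    v["syn_fin_scan"] = filter_input(Packet(**client, flags=SYN | FIN, seq=5), ct)
    v["handshake_syn"] = filter_input(Packet(**client, flags=SYN, seq=1000), ct)
    v["handshake_ack"] = filter_input(Packet(**client, flags=ACK, seq=1001), ct)
    # Attacker knows the 4-tuple but cannot guess the sequence number.
    v["spoofed_rst"] = filter_input(Packet(**client, flags=RST, seq=0x7FFFFFFF), ct)
    v["client_after_rst"] = filter_input(Packet(**client, flags=ACK, seq=1001), ct)
    return v


if __name__ == "__main__":
    print("SYN+FIN matches --syn:", is_syn(SYN | FIN))
    print("no window tracking:", run_scenario(False))
    print("window tracking:   ", run_scenario(True))
```

Without window tracking the spoofed RST is accepted as part of the established flow, deletes the entry, and the client's very next segment is classified NEW without SYN and rejected; with the window check the same RST is ignored and the client keeps its connection. Note also that SYN+FIN satisfies the modelled '--syn', which is why the separate '--tcp-flags SYN,FIN SYN,FIN' rule is placed first.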