Bernd Eckenfels wrote:
| On Fri, Jan 07, 2005 at 01:18:46PM +1300, Blair Strang wrote:
|
|>| iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
|>| iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
|>|     SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
|>| iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
|>|     -j DROP
|
| the NEW Syn,Ack is most likely used to make sure netfilter will not
| (re)establish sessions from intermediate packets belonging to an established
| session. I think the "! --syn" has more or less the same function (besides
| RST)
|
| Greetings
| Bernd
I see what you mean! I found an explanation for these rules here:
http://www.faqs.org/docs/iptables/newnotsyn.html
http://www.faqs.org/docs/iptables/synackandnew.html
It seems like the third rule does make sense[1]. I incorrectly believed that a NEW match for TCP always implied SYN. Learn something every day :)
A note on the second rule though: in order for this rule to work as intended, it should come BEFORE the rule which drops INVALID packets.
A glance at ip_conntrack_proto_tcp.c (from 2.6.9) leads me to believe that any "new" TCP SYN+ACK will be state INVALID. The RST (which the OP theoretically wants) will never be sent because of the preceding rule.
Thanks,
~ Blair.
[1] But it means that if you reboot your firewall, all the TCP connections through it must be re-established... whereas without it some of them might survive...
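As an added illustration (not part of this thread or of netfilter itself), here is a toy Python model of the quoted BLOCKED_PACKETS chain run over a few constructed packets. The conntrack classification encodes only the behaviour discussed above (an untracked bare ACK is NEW, an unsolicited SYN+ACK is INVALID); the addresses and the tracked flow are made up.

```python
# Toy model of the BLOCKED_PACKETS chain quoted above (added example).
# conntrack_state() encodes the behaviour discussed in the thread: a packet
# for an untracked flow is NEW whether or not it carries SYN, and an
# unsolicited SYN+ACK is INVALID. It is an illustration, not kernel code.

# Constructed conntrack table: one flow the firewall already knows about.
TRACKED = {("10.0.0.5", 40000, "192.0.2.10", 443)}

def is_syn_only(flags):
    """What iptables '--syn' matches: SYN set, ACK/RST/FIN clear."""
    return "SYN" in flags and not ({"ACK", "RST", "FIN"} & flags)

def conntrack_state(pkt):
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rkey = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if key in TRACKED or rkey in TRACKED:
        return "ESTABLISHED"
    if {"SYN", "ACK"} <= pkt["flags"] or "RST" in pkt["flags"]:
        return "INVALID"        # no entry to attach a SYN+ACK or RST to
    return "NEW"                # SYN, or a bare ACK picked up mid-stream

# The chain in the order it was posted: (rule text, matcher, target).
CHAIN = [
    ("-m state --state INVALID -j DROP",
     lambda p, st: st == "INVALID", "DROP"),
    ("--tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT",
     lambda p, st: st == "NEW" and {"SYN", "ACK"} <= p["flags"], "REJECT"),
    ("! --syn -m state --state NEW -j DROP",
     lambda p, st: st == "NEW" and not is_syn_only(p["flags"]), "DROP"),
]

def traverse(pkt):
    """First matching rule wins; no match falls off the end (RETURN)."""
    st = conntrack_state(pkt)
    for text, match, target in CHAIN:
        if match(pkt, st):
            return st, target, text
    return st, "RETURN", None

def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags)}

if __name__ == "__main__":
    samples = {
        "fresh SYN": pkt("10.0.0.7", 41000, "192.0.2.10", 443, "SYN"),
        "ACK, tracked flow": pkt("10.0.0.5", 40000, "192.0.2.10", 443, "ACK"),
        "ACK, flow lost on reboot": pkt("10.0.0.9", 42000, "192.0.2.10", 443, "ACK"),
        "unsolicited SYN+ACK": pkt("198.51.100.4", 443, "10.0.0.7", 41000, "SYN", "ACK"),
    }
    for name, p in samples.items():
        st, target, rule = traverse(p)
        print(f"{name:26} state={st:11} -> {target} {rule or ''}")
```

The unsolicited SYN+ACK is classified INVALID and hits the first rule, so in this order the REJECT rule never sees it; the untracked bare ACK is NEW and is dropped by the "! --syn" rule, which is the reboot effect mentioned in the footnote.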

