
iptables -N NEW_TCP_PACKETS_NO_SYN

# the rules are appended to the new chain, not to INPUT with the chain name as an extra argument
iptables -A NEW_TCP_PACKETS_NO_SYN -p tcp ! --syn -m state --state NEW -m limit --limit 10/day -j LOG --log-prefix "New packets but not syn:"

iptables -A NEW_TCP_PACKETS_NO_SYN -p tcp ! --syn -m state --state NEW -j DROP

iptables -A NEW_TCP_PACKETS_NO_SYN -f -j DROP

# INPUT has to jump to the chain, otherwise it is never evaluated
iptables -A INPUT -j NEW_TCP_PACKETS_NO_SYN

1) I'm making a new user generated chain with the -N option
2) I'm logging NEW packets that aren't SYN, and I'm adding a limit to try to prevent my log files from getting flooded
3) I'm dropping the NEW packets that aren't SYN
4) I'm using -f because I'm left with the fragmented packets, and I want to drop those packets.

A recommendation to improve something similar was found here https://serverfault.com/a/245713/114606 , which is to add it in -t raw -A PREROUTING

A) I don't quite understand what's being said; how do I add it "in"?
And it seems like a risky thing to do, because it sets a mark on packets that they should not be handled by the connection tracking system.

B) And why is that necessary? I'm dropping those packets, so what exactly is the benefit of marking those packets?

All that being said, is there anything that can be done when I do get the initial SYN fragment, but I don't get the last one ?

Kris

0 Answers
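The rule set the question is aiming at, written out as an added example (it is not code from the post or from the linked Server Fault answer). It uses the chain name from the question, a hypothetical wrapper function ipt that prints each iptables command instead of running it while IPT_DRY_RUN=1 (the default, so no root is needed to review the output), and -m conntrack --ctstate NEW in place of the older but equivalent -m state --state NEW. It keeps the "NEW but not SYN" rules in the filter table, because that decision needs connection-tracking state that does not exist yet in the raw table, and shows the one stateless rule that can be placed in -t raw -A PREROUTING:

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the question's rules
# in a user chain that INPUT actually jumps to, keeps the state-dependent
# rules in the filter table (where conntrack has already run), and shows
# which part can move to the raw table. IPT_DRY_RUN=1 (the default) prints
# the iptables commands instead of executing them, so it runs without root.

IPT_DRY_RUN="${IPT_DRY_RUN:-1}"
CHAIN="NEW_TCP_PACKETS_NO_SYN"

# Hypothetical helper: run iptables, or print a copy-pasteable command line
# in dry-run mode (arguments with spaces or '!' are single-quoted).
ipt() {
    if [ "$IPT_DRY_RUN" = "1" ]; then
        cmd="iptables"
        for arg in "$@"; do
            case $arg in
                *[!A-Za-z0-9_./:=-]*) cmd="$cmd '$arg'" ;;
                *) cmd="$cmd $arg" ;;
            esac
        done
        printf '%s\n' "$cmd"
    else
        iptables "$@"
    fi
}

# Filter table. "NEW but not SYN" is a conntrack state decision, so these
# rules cannot move to the raw table: raw PREROUTING is evaluated before
# connection tracking, and there is no state to match on yet.
install_filter_rules() {
    ipt -N "$CHAIN"
    # Log at most 10 per day so a flood cannot fill the logs, then drop.
    ipt -A "$CHAIN" -p tcp ! --syn -m conntrack --ctstate NEW \
        -m limit --limit 10/day -j LOG --log-prefix "New packets but not syn:"
    ipt -A "$CHAIN" -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # Second and further fragments. With nf_conntrack loaded the kernel
    # reassembles IPv4 fragments before any table sees them, so this rule
    # seldom matches; it is kept because the question asks for it.
    ipt -A "$CHAIN" -f -j DROP
    # The question appended its rules to INPUT with the chain name as an
    # extra argument; the chain has to be the target of a jump instead.
    ipt -I INPUT 1 -j "$CHAIN"
}

# Raw table. Only stateless criteria are usable here; a DROP in raw
# PREROUTING discards the packet before conntrack allocates an entry for it.
# NOTRACK (the "mark" the question describes) is for packets you accept but
# do not want tracked; a packet that is dropped never needs it.
install_raw_rules() {
    ipt -t raw -A PREROUTING -f -j DROP
}

install_filter_rules
install_raw_rules
```

Run it as-is to review the generated commands; run it with IPT_DRY_RUN=0 as root to apply them. The jump is inserted at position 1 of INPUT so the chain is consulted before any accept rules that follow.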