
We are seeing the issue described here - http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html

In brief, we need to drop bogus packets, such as those with the SYN+FIN flags set. I can drop this particular packet by adding the rule:

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

Now there could be many more combinations of flags. So should I add all of them, or is there a better way to do it?

sudouser

2 Answers


The best time to drop bogus packets is when the packets are not yet tracked, thus in the "raw" table. Or, to be really precise: -t raw -A PREROUTING

Check out the following Community Wiki: iptables tips & tricks by yours truly. One of the 'answers' there already contains a set of rules to drop bogus packets.

pepoluan

I propose to drop all the INVALID packets if you use connection tracking, with: iptables -A FORWARD -m state --state INVALID -m comment --comment "DROP INVALID" -j DROP

You can also see:

-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "Bad TCP Packet" -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m comment --comment "Bad TCP Packet" -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m comment --comment "Bad TCP Packet" -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m comment --comment "Bad TCP Packet" -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,ACK FIN -m comment --comment "Bad TCP Packet" -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags ACK,URG URG -m comment --comment "Bad TCP Packet" -j DROP

Dom
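To see what a rule list like the one in the answer above actually covers, without loading it into a kernel, here is an added example (not from the question or either answer) that reproduces the iptables `--tcp-flags MASK COMP` match semantics in Python and runs the six "Bad TCP Packet" rules over all 64 combinations of the six classic TCP flags. The rule list is taken from the answer and the bit values from the TCP header; the helper names are my own.

```python
# Bit values of the six TCP flags as carried in the TCP header; the names
# are the ones iptables -m tcp accepts in --tcp-flags.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())


def parse_flag_list(spec: str) -> int:
    """Turn an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def tcp_flags_match(flags: int, mask: str, comp: str) -> bool:
    """--tcp-flags MASK COMP: look only at the bits named in MASK and require
    that, among those, exactly the bits named in COMP are set."""
    return (flags & parse_flag_list(mask)) == parse_flag_list(comp)


# The "Bad TCP Packet" rules from the answer, as (MASK, COMP) pairs.
BOGUS_RULES = [
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),  # no flags at all
    ("FIN,SYN", "FIN,SYN"),               # SYN and FIN together
    ("SYN,RST", "SYN,RST"),               # SYN and RST together
    ("FIN,RST", "FIN,RST"),               # FIN and RST together
    ("FIN,ACK", "FIN"),                   # FIN without ACK
    ("ACK,URG", "URG"),                   # URG without ACK
]


def is_dropped(flags: int) -> bool:
    """True if any rule in BOGUS_RULES would match this flag combination."""
    return any(tcp_flags_match(flags, mask, comp) for mask, comp in BOGUS_RULES)


def flag_names(flags: int) -> str:
    return ",".join(name for name, bit in FLAGS.items() if flags & bit) or "NONE"


def coverage():
    """Classify all 64 combinations; returns (dropped, passed) lists of names."""
    dropped = [flag_names(f) for f in range(64) if is_dropped(f)]
    passed = [flag_names(f) for f in range(64) if not is_dropped(f)]
    return dropped, passed


if __name__ == "__main__":
    dropped, passed = coverage()
    print(f"{len(dropped)} combinations dropped, {len(passed)} still pass")
    print("passing:", passed)
```

Combinations the list lets through (plain SYN, SYN+ACK, ACK with PSH or URG, lone RST and so on) are either legitimate or left to connection tracking's INVALID state, which is why the two answers complement each other.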