LinuxQuestions.org - Is it necessary to drop specific flags in IPTABLES with an INPUT DROP policy?

- Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)

- - Is it necessary to drop specific flags in IPTABLES with an INPUT DROP policy? (https://www.linuxquestions.org/questions/linux-networking-3/is-it-necessary-to-drop-specific-flags-in-iptables-with-an-input-drop-policy-4175423487/)

Is it necessary to drop specific flags in IPTABLES with an INPUT DROP policy?

I got the idea of dropping specific flags. Here is what I am referring to:

#Drop spoofed packets
/sbin/iptables -A INPUT -i ! lo -s 127.0.0.0/8 -j DROP

#Drop bogus packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

My default policy for INPUT is set to DROP. Another member pointed out a better solution would be to leave it open and delete the above rules and simply use this line below at the end of the INPUT rules

/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP

And nothing will get passed that. However, is that true? What about the bogus, spoofed or INVALID packets?

Thanks for any help,
Shawn

Quote:

Originally Posted by rootaccess (Post 4761462)

My default for INPUT is DROP

Code:

Chain INPUT (policy DROP 0 packets, 0 bytes)

In my iptables script I have this for dealing with Badflags

Code:

#deal with known bad flags

$ipt -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags

$ipt -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags

$ipt -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags

$ipt -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags

$ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags

$ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags

$ipt -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags

$ipt -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags

$ipt -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags

$ipt -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags

$ipt -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

and while most are 0 you can see hits against the first even with DROP on INPUT

Code:

iptables -vL |grep Badflags

    2    92 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,ACK/FIN 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:PSH,ACK/PSH 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:ACK,URG/URG 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,RST/FIN,RST 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:SYN,RST/SYN,RST 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG 

    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 

Chain Badflags (11 references)

    2    92 LOG        all  --  any    any    anywhere            anywhere            limit: avg 10/min burst 5 LOG level warning prefix `Badflags: '

In other words, I should leave it the way it is

Quote:

Originally Posted by rootaccess (Post 4761580)

In other words, I should leave it the way it is

IMHO yes

should I add any additional flags? I know I should add logging but that is a different topic altogether

Quote:

Originally Posted by rootaccess (Post 4761593)

should I add any additional flags? I know I should add logging but that is a different topic altogether

I only ever see hits against FIN,ACK/FIN with the drop on input by default. It wont hurt to match up yours against mine and add what you don't have. It's not going to hurt anything to add