Is it necessary to drop specific flags in IPTABLES with an INPUT DROP policy?
I got the idea of dropping specific flags. Here is what I am referring to:
Code:
#Drop spoofed packets
/sbin/iptables -A INPUT -i ! lo -s 127.0.0.0/8 -j DROP
#Drop bogus packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
My default policy for INPUT is set to DROP. Another member pointed out a better solution would be to leave it open, delete the above rules and simply use this line below at the end of the INPUT rules:
Code:
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP
And nothing will get past that. However, is that true? What about the bogus, spoofed or INVALID packets? Thanks for any help, Shawn
Quote:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
In my iptables script I have this for dealing with Badflags
Code:
#deal with known bad flags
Code:
iptables -vL |grep Badflags
In other words, I should leave it the way it is.
Should I add any additional flags? I know I should add logging, but that is a different topic altogether.