Thursday, April 13, 2006

IPtables - Decent Tutorial

I have just learnt from the website how to tweak a sysctl so that a non-SYN packet cannot start a TCP connection through conntrack. This is useful because I don't need to load a dedicated iptables rule to filter and reject such bad packets: with "loose" pickup disabled, conntrack refuses to create an entry for a non-SYN packet, so the packet is classified INVALID instead of NEW and falls through to whatever already handles unmatched traffic (a DROP policy or a --state INVALID -j DROP rule). The caveat is that connections which were already open before conntrack was loaded (e.g. after a firewall reload) are no longer picked up mid-stream and will be dropped too. I would like to share this URL, since I have never seen an IPtables tutorial as clean and clear as this one that is also free.

To stop a non-SYN packet from being accepted as the start of a TCP stream, either write to the proc entry or use sysctl; the two are equivalent (these are the legacy ip_conntrack names of 2.6 kernels of the time; newer kernels expose the same knob as /proc/sys/net/netfilter/nf_conntrack_tcp_loose, i.e. net.netfilter.nf_conntrack_tcp_loose):

shell>echo '0' > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose

shell>sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_loose=0

If you want IPtables itself to do the filtering, this is how it is done. I didn't write these rules; I copied them from the web tutorial because, not being a frequent IPtables user, I am afraid I will forget them next time. The first rule logs every non-SYN packet that conntrack nevertheless classifies as NEW, the second drops it:

shell>iptables -A INPUT \
-p tcp ! --syn -m state --state NEW \
-j LOG --log-prefix "New not syn:"

shell>iptables -A INPUT \
-p tcp ! --syn -m state --state NEW -j DROP

Another important rule guards against connection spoofing. If a SYN+ACK arrives from a host we never sent a SYN to (conntrack sees it as NEW), it should be answered with a RST rather than silently dropped. Otherwise the remote host keeps its half-open connection waiting, and an intruder who spoofed the initial SYN with our address can complete the handshake with its own ACK and the connection appears to have been opened by us. The reset tears the half-open connection down. Note that the rules below only create and fill the bad_tcp_packets chain; it still has to be referenced with a jump from INPUT (and FORWARD/OUTPUT if wanted), otherwise nothing ever traverses it.

shell>iptables -N bad_tcp_packets

shell>iptables -A bad_tcp_packets \
-p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
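As an added example (it is not from the original post or from the tutorial it quotes), the script below assembles the sysctl and the rules above into one reviewable unit: by default it only prints the rules it would load, and it touches the kernel only when run with --apply. The function names, the --apply switch, the INPUT jump into the bad_tcp_packets chain and the detection of the newer nf_conntrack sysctl name are my own assumptions, not something the post describes.

```shell
#!/bin/sh
# Added example, not code from the original post: build the non-SYN /
# SYN+ACK rule set as text first so it can be reviewed (or tested) before
# it is loaded. Assumes a Linux box with iptables and conntrack support.

# Pick the "loose pickup" sysctl key. The post uses the legacy ip_conntrack
# name; later kernels expose the same knob under nf_conntrack.
# Assumption: at most one of the two /proc paths exists on a given kernel.
conntrack_loose_key() {
    if [ -e /proc/sys/net/netfilter/nf_conntrack_tcp_loose ]; then
        echo net.netfilter.nf_conntrack_tcp_loose
    else
        echo net.ipv4.netfilter.ip_conntrack_tcp_loose
    fi
}

# Emit the rules as shell lines. "$1" is the iptables binary to prefix
# them with (defaults to iptables); passing another name gives a dry run.
emit_rules() {
    ipt=${1:-iptables}
    cat <<EOF
$ipt -N bad_tcp_packets
$ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$ipt -A INPUT -p tcp -j bad_tcp_packets
$ipt -A INPUT -m state --state INVALID -j DROP
EOF
}

# With tcp_loose=0 a stray non-SYN packet is INVALID rather than NEW, so the
# last INPUT rule above is what makes the sysctl-only approach actually drop
# it. Count the rules placed in the user chain (used by the self-check).
rule_count() {
    emit_rules | grep -c -- '-A bad_tcp_packets'
}

# Disable loose pickup, then load the rules in order (chain first, jump last).
apply_rules() {
    sysctl -w "$(conntrack_loose_key)=0"
    emit_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) emit_rules ;;
esac
```

Run it without arguments to see the exact iptables commands; run it as root with --apply to load them. The chain is created before the INPUT jump refers to it, and the sysctl is written first so the INVALID rule is meaningful from the moment the rules go in.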

I actually read it quite some time ago, but tend to forget because I lack practice with IPtables. Coming back to reread it was good for me, since the tutorial seems to have been polished since then.

Enjoy :]


Anonymous said...

Shouldn't that be:

shell>sysctl -w ip_conntrack_tcp_loose=0

geek00L said...

Yeah, it should be 0, that's wrong and I need to correct it. Thanks.

Anonymous said...

It's really a nice tip for dropping SYN attacks. Thanks.

Best Regards,
eliena andrews

Anonymous said...

Hi geek00L,
This IPtables decent tutorial is nice for IPtables users. Do you have the same for IPFW users like me? I use IPFW and am looking for a really good and decent IPFW tutorial. Could you come up with one in your new posts? I will be keeping my eye on your blog.

Best Regards,
Eliena Andrews