Re: [suse-security] how do I build iptable-protection for scanners like nmap

> Sounds like something I can adapt into my *ipchains* rules.
> But why use "!--syn -m state --state"? Anybody can explain?

Just a guess:

The state module tracks connections. A normal TCP connection starts with
the SYN flag set. So if the connection does not exist already (so it
is new in this sense) but does not have the SYN flag "on", THEN
this particular packet is (almost 100% sure?) crafted, i.e. not
originating from a nicely behaving IP stack but generated otherwise.

If the TCP connection is opened the normal way - it has the SYN
in the first packet, ACK/SYN (typically combined) in the reply and ACK in the
third (second incoming) then it is following the specs correctly and
is accepted (unless other rules DROP/REJECT it). Then the state
module is used (and able) to track the connection - probably notices
things such as hijacking attempts too (especially when packets are
properly numbered).

Does this answer your question? (And is this a correct answer?)

> ----- Original Message -----
> Subject: Re: [suse-security] how do I build iptable-protection for scanners
> like nmap
> > Good Morning...
> >
> > To Drop Stealth Scan like nmap you can use the following rules in a
> > simple firewall with iptables:
> >
> >       iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan"
> >       iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
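As an added illustration of the reasoning above (not code from the thread or from netfilter), here is a toy Python model of the two quoted rules: a simplified connection table standing in for the state match, and the check "flow unknown AND packet is not a clean SYN". The addresses, ports and packet sequence are constructed; real conntrack is considerably more involved.

```python
# Added example, not from the mailing-list post: a small model of what
# "iptables -p tcp ! --syn -m state --state NEW" matches.
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_syn(p):
    """iptables --syn: SYN set while ACK, RST and FIN are all clear."""
    return p.flags & (SYN | ACK | RST | FIN) == SYN


class Firewall:
    """Toy stand-in for the state match plus the LOG and DROP rules."""

    def __init__(self):
        self.conntrack = set()  # simplified table: flows seen in either direction
        self.log = []           # what the LOG rule would have written

    @staticmethod
    def flow(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def state(self, p):
        return "ESTABLISHED" if self.flow(p) in self.conntrack else "NEW"

    def process(self, p):
        if self.state(p) == "NEW" and not is_syn(p):
            # no tracked connection and no clean SYN: exactly the rule's match
            self.log.append(f"Stealth scan {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "DROP"
        self.conntrack.add(self.flow(p))  # accepted packet records/confirms the flow
        return "ACCEPT"


def run_demo():
    fw = Firewall()
    client, server, probe_src = "192.0.2.10", "198.51.100.5", "203.0.113.7"  # constructed
    handshake = [Packet(client, 40000, server, 80, SYN),          # first packet: SYN
                 Packet(server, 80, client, 40000, SYN | ACK),    # reply: SYN/ACK
                 Packet(client, 40000, server, 80, ACK)]          # third: ACK
    probes = [Packet(probe_src, 55555, server, 22, ACK),   # ACK with no prior SYN
              Packet(probe_src, 55556, server, 22, FIN),   # FIN with no prior SYN
              Packet(probe_src, 55557, server, 22, SYN)]   # plain SYN: a normal open
    return {"handshake": [fw.process(p) for p in handshake],
            "probes": [fw.process(p) for p in probes],
            "logged": len(fw.log)}
```

The handshake passes in full, the two flag-only probes are logged and dropped, and a plain SYN to the same port is still accepted, which is the distinction the original poster was drawing.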
