
I often see samples of IPv4 rules for iptables which are there to stop what is viewed as invalid or broken TCP packets. Certain combinations of TCP flags should never be used.

Here is an example of 4 such rules:

-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ALL ACK
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ALL RST
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ALL ACK,FIN
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ALL ACK,PSH

I used these to see how many such invalid packets I receive (note the lack of a target: there is no -j DROP).

If I insert those rules at the very beginning of the INPUT table, I see a ton of those errors.

When I insert them after the ESTABLISHED,RELATED rule:

-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -m tcp ! --syn -j ACCEPT

I see no errors at all, which means that those broken TCP packets are being sent to the service the client is connected to.

I am thinking that blocking such packets is rather futile/unnecessary, especially since I use the INVALID state first anyway:

-A INPUT -m state --state INVALID -j DROP

and I would imagine that is enough to eliminate really dangerous packets.

What is the consensus about those 4 rules blocking broken TCP packets?

Alexis Wilke
    When your device is a firewall for other devices, then these rules could provide some value. I think Linux networking stack is good enough to handle the packets properly, so having those rules for packets destined to the box running firewall isn't relevant. – Tero Kilkanen Nov 16 '22 at 20:40
  • Why do you believe those rules would catch invalid/broken packets? I'm not a TCP wizard, but those all look like perfectly valid flag sets to me. – Joel C Nov 17 '22 at 03:54
  • @JoelC [Here](https://unix.stackexchange.com/questions/651646) is an example on Unix & Linux. [This web page](https://kromey.us/2016/08/setting-up-an-iptables-firewall-part-5-810.html) has rules called "attacks". Do you need more? – Alexis Wilke Nov 19 '22 at 04:05
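The matching semantics behind the four posted rules, as an added example that is not part of the original question or its comments: a Python model of the iptables `--tcp-flags mask comp` test (the kernel's xt_tcp match is true when `(flags & mask) == comp`, and `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`), run over constructed packets from one ordinary TCP session plus three classic scan probes. The conntrack state on each packet is assigned by hand, standing in for the real connection tracker, and the chain is evaluated first-match the way netfilter does, with target-less rules only bumping a counter.

```python
"""Model of iptables '--tcp-flags mask comp' matching and first-match chain
ordering.  Added example, not code from the original post.  Conntrack
state on each packet is constructed by hand; there is no real tracker."""
from functools import reduce

# TCP flag bits in header order (RFC 793, plus ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH,
              "ACK": ACK, "URG": URG, "ECE": ECE, "CWR": CWR}
FLAG_NAMES["ALL"] = reduce(lambda a, b: a | b, FLAG_NAMES.values())
FLAG_NAMES["NONE"] = 0


def parse_flags(spec):
    """Turn an iptables flag list such as 'ACK,FIN' or 'ALL' into a bitmask."""
    return reduce(lambda acc, name: acc | FLAG_NAMES[name], spec.split(","), 0)


def tcp_flags_match(flags, mask, comp):
    """'--tcp-flags mask comp' is true when (flags & mask) == comp (xt_tcp)."""
    return (flags & parse_flags(mask)) == parse_flags(comp)


def is_syn(flags):
    """'--syn' is shorthand for '--tcp-flags SYN,RST,ACK,FIN SYN'."""
    return tcp_flags_match(flags, "SYN,RST,ACK,FIN", "SYN")


def rule(name, mask=None, comp=None, states=None, not_syn=False, target=None):
    """One INPUT rule; target None means 'count only', as in the post."""
    return {"name": name, "mask": mask, "comp": comp, "states": states,
            "not_syn": not_syn, "target": target, "hits": 0}


def matches(r, pkt):
    if r["states"] is not None and pkt["state"] not in r["states"]:
        return False
    if r["not_syn"] and is_syn(pkt["flags"]):          # '! --syn'
        return False
    if r["mask"] is not None and not tcp_flags_match(pkt["flags"], r["mask"], r["comp"]):
        return False
    return True


def run_chain(rules, packets, policy="DROP"):
    """First-match evaluation; a rule without a target only bumps its counter."""
    verdicts = {}
    for r in rules:
        r["hits"] = 0
    for pkt in packets:
        verdict = policy
        for r in rules:
            if matches(r, pkt):
                r["hits"] += 1
                if r["target"] is not None:
                    verdict = r["target"]
                    break
        verdicts[pkt["name"]] = verdict
    return verdicts


def counting_rules():
    """The four target-less rules from the question."""
    return [rule("ALL ACK", "ALL", "ACK"), rule("ALL RST", "ALL", "RST"),
            rule("ALL ACK,FIN", "ALL", "ACK,FIN"), rule("ALL ACK,PSH", "ALL", "ACK,PSH")]


def invalid_drop():
    return rule("INVALID drop", states={"INVALID"}, target="DROP")


def established_accept():
    return rule("ESTABLISHED,RELATED ! --syn accept",
                states={"ESTABLISHED", "RELATED"}, not_syn=True, target="ACCEPT")


def posted_rule_matches(flags):
    """Names of the four posted rules that a given flag set would hit."""
    return [r["name"] for r in counting_rules()
            if tcp_flags_match(flags, r["mask"], r["comp"])]


# Constructed packets: one ordinary session plus three classic scan probes.
PACKETS = [
    {"name": "client SYN", "flags": SYN, "state": "NEW"},
    {"name": "pure ACK", "flags": ACK, "state": "ESTABLISHED"},
    {"name": "data PSH/ACK", "flags": PSH | ACK, "state": "ESTABLISHED"},
    {"name": "FIN/ACK close", "flags": FIN | ACK, "state": "ESTABLISHED"},
    {"name": "RST teardown", "flags": RST, "state": "ESTABLISHED"},
    {"name": "NULL scan", "flags": 0, "state": "INVALID"},
    {"name": "XMAS scan", "flags": FIN | PSH | URG, "state": "INVALID"},
    {"name": "SYN/FIN probe", "flags": SYN | FIN, "state": "INVALID"},
]


def counting_hits(before_established):
    """Total hits on the four posted rules for either placement, plus verdicts."""
    if before_established:
        chain = [invalid_drop()] + counting_rules() + [established_accept()]
    else:
        chain = [invalid_drop(), established_accept()] + counting_rules()
    verdicts = run_chain(chain, PACKETS)
    return sum(r["hits"] for r in chain if r["target"] is None), verdicts


if __name__ == "__main__":
    for placement in (True, False):
        hits, verdicts = counting_hits(placement)
        print(f"counting rules {'before' if placement else 'after'} the ESTABLISHED accept: {hits} hits")
        for name, verdict in verdicts.items():
            print(f"  {name:14} -> {verdict}")
```

Running it reproduces the observation in the question: placed before the ESTABLISHED,RELATED accept the four rules register 4 hits, one each from the ordinary ACK, PSH/ACK, FIN/ACK and RST segments of the session; placed after it they register 0, because every packet that could match has already been accepted. The NULL, XMAS and SYN/FIN probes match none of the four rules (`posted_rule_matches` returns an empty list for them) and are handled by the INVALID rule instead, so under this model the posted rules count normal traffic rather than malformed packets.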

0 Answers