Solved

How do you say "Deny all packets without the response bit set"?

Posted on 2003-03-14
Last Modified: 2010-04-22
I believe there is a way to add a rule to iptables that drops all incoming packets without the response bit set. I want to only drop the packets from eth1.

Question by:rfr1tz
9 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 8137774
iptables .... -m state --state NEW -j DROP
# or
iptables .... ! --syn -j DROP
 
LVL 3

Author Comment

by:rfr1tz
ID: 8140533
I've got three NICs. Only one is connected to the internet (eth1). This command looks like it may stop packets coming in from inside the firewall.

Maybe I shouldn't route and firewall on the same box?
 
LVL 51

Accepted Solution

by:
ahoffmann earned 400 total points
ID: 8142115
iptables ... -i eth1 ....

> .. looks like it may stop packets coming in from inside ..
if you didn't specify the interface for iptables, the rule applies to all interfaces
 
LVL 1

Expert Comment

by:jerich1
ID: 8147307
Blocking Pings:

iptables -A INPUT -p icmp --icmp-type echo-reply -i eth1 -j DROP

iptables -A INPUT -p icmp --icmp-type echo-request -i eth1 -j DROP

Let me know if this works.
 
LVL 6

Expert Comment

by:mbarbos
ID: 8147532
If my guess about what you want to do is right, also have a look at -m state --state ESTABLISHED,RELATED
 
LVL 51

Expert Comment

by:ahoffmann
ID: 8147574
jerich1, what's the relation of your suggestion to the question?
mbarbos, my suggestion was to DROP all packets with state NEW, so the packets with state ESTABLISHED,RELATED are passed
 
LVL 6

Expert Comment

by:mbarbos
ID: 8162059
ahoffmann, did I say "ahoffmann is wrong" ? I just pointed out that the state machine also knows about ESTABLISHED and RELATED (and INVALID:).
 
LVL 51

Expert Comment

by:ahoffmann
ID: 8162700
mbarbos, no you didn't say "wrong",
I just tried to point out that ESTABLISHED,RELATED are passed when dropping NEW.
It's some of the mystery dragons in iptables, somehow ...
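The complete rule set that the accepted answer and the ESTABLISHED,RELATED follow-up describe, as an added example that is not code from the thread. It assumes eth1 is the internet-facing NIC, an INPUT chain with default ACCEPT policy, and the classic -m state match; it is a dry run unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the INPUT rules the accepted
# answer describes: on the internet-facing interface (assumed to be eth1)
# accept only replies to connections this box started, drop everything else.
# Every rule carries "-i eth1", so the LAN interfaces (eth0, eth2) are untouched.
# Dry run by default; APPLY=1 executes the commands (needs root and iptables).

WAN_IF="${WAN_IF:-eth1}"   # assumption: eth1 is the internet-facing NIC

# Print the rule set, one command per line. Order matters: the
# ESTABLISHED,RELATED accept must precede the NEW drop, otherwise the
# replies it was meant to let through never reach it.
gen_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -m state --state INVALID -j DROP
iptables -A INPUT -i $WAN_IF -m state --state NEW -j DROP
EOF
}
# Note: "! --syn" (the other variant in the thread) only classifies TCP; the
# conntrack states above also cover UDP and ICMP replies, e.g. DNS answers.

# Sanity check on the generated set: every rule is scoped to the WAN
# interface and the accept comes before the drop. Returns 0 when correct.
check_rules() {
    rules=$(gen_rules)
    [ "$(printf '%s\n' "$rules" | grep -vc -- "-i $WAN_IF")" -eq 0 ] || return 1
    accept_line=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n 'NEW -j DROP' | cut -d: -f1)
    [ "$accept_line" -lt "$drop_line" ]
}

check_rules || { echo "rule order is wrong" >&2; exit 1; }

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | while IFS= read -r cmd; do $cmd || exit 1; done
    iptables -v -n -L INPUT     # packet counters show which rule each packet hit
else
    gen_rules                   # dry run: show what would be applied
fi
```

After applying, the counters from `iptables -v -n -L INPUT` tell you whether unsolicited packets are hitting the NEW drop rule while replies keep matching the ESTABLISHED,RELATED accept.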