Solved

I'd like to understand this rule.

Posted on 2004-10-01
3
265 Views
Last Modified: 2010-04-20

This rule is correct?
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST -m limit --limit 1/s -j ACCEPT

For what do you use it?

Sorry, I'm starting in Iptables

0
Comment
Question by:ipsystems
3 Comments
 
LVL 4

Accepted Solution

by:
net_sec_guru earned 250 total points
ID: 12205280
iptables -A FORWARD (the FORWARD chain) used for ip forwarding / nat'ing

-p tcp (protocol)

--tcp-flags:
Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN - will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

-m limit (mark limit)
--limit rate
Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

-j ACCEPT (Jump -specifies target of the rule or action to take - in this case accept)

I believe this is correct.
0
 

Author Comment

by:ipsystems
ID: 12205362

is this correct?
I need to close ALL ports and open only 25, 80 and 100

the final rule is problematic or can i use it ?  iptables -I INPUT 11 -i eth0 -j DROP

iptables -I INPUT 3 -m unclean -j DROP
iptables -I INPUT 4 -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT 5 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -I INPUT 6 -p tcp -m limit --limit 1/s -j ACCEPT
iptables -I INPUT 7 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -I INPUT 8 -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 9 -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -I INPUT 10 -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -I INPUT 11 -i eth0 -j DROP
0
 
LVL 6

Expert Comment

by:admin0
ID: 12216888
For just 25,80 and 100, you can use something like:


iptables -F INPUT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 100 -j ACCEPT
iptables -A INPUT -j DROP
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will explain how to make squid prevent malwares in five easy steps: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now