I'd like to understand this rule.

Posted on 2004-10-01
Last Modified: 2010-04-20

Is this rule correct?
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST -m limit --limit 1/s -j ACCEPT

What do you use it for?

Sorry, I'm just starting with iptables.

Question by: ipsystems
3 Comments

Accepted Solution by: net_sec_guru (earned 250 total points)
ID: 12205280
iptables -A FORWARD (appends to the FORWARD chain), used for IP forwarding / NATing

-p tcp (protocol)

--tcp-flags:
Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN - will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

-m limit (mark limit)
--limit rate
Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

-j ACCEPT (jump: specifies the target of the rule, i.e. the action to take; in this case ACCEPT)

I believe this is correct.

Author Comment by: ipsystems
ID: 12205362

Is this correct?
I need to close ALL ports and open only 25, 80 and 100

Is the final rule problematic, or can I use it? iptables -I INPUT 11 -i eth0 -j DROP

iptables -I INPUT 3 -m unclean -j DROP
iptables -I INPUT 4 -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT 5 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -I INPUT 6 -p tcp -m limit --limit 1/s -j ACCEPT
iptables -I INPUT 7 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -I INPUT 8 -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 9 -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -I INPUT 10 -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -I INPUT 11 -i eth0 -j DROP
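An added example, not from any of the posts above, that models the two points discussed so far: how --tcp-flags MASK COMP matches (only the bits named in MASK are examined, and they must equal COMP, as net_sec_guru describes), and the first-match walk of the INPUT chain posted in the question, where rule 6 (-p tcp -m limit) accepts its burst of TCP packets to any port before the port-specific rules are reached. The -m limit match is modelled only by its default initial burst of 5 (--limit-burst), and the rule dictionaries and packets are constructed for the demonstration.

```python
FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

def parse_flags(spec):
    """'SYN,ACK' -> bitmask; ALL and NONE behave as they do in --tcp-flags."""
    spec = spec.upper()
    if spec == "ALL":
        return sum(FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))

def tcp_flags_match(mask, comp, packet_flags):
    """Only the bits named in MASK are examined; they must equal COMP exactly."""
    return (parse_flags(packet_flags) & parse_flags(mask)) == parse_flags(comp)

def first_match(chain, pkt):
    """Walk the chain in order; the first matching rule's target is the verdict."""
    for rule in chain:
        if "proto" in rule and rule["proto"] != pkt["proto"]:
            continue
        if "dport" in rule and rule["dport"] != pkt.get("dport"):
            continue
        if "flags" in rule and not tcp_flags_match(*rule["flags"], pkt["flags"]):
            continue
        if "burst" in rule:          # -m limit, modelled only by its initial burst
            if rule["burst"] == 0:   # bucket empty: this rule does not match
                continue
            rule["burst"] -= 1
        return rule["target"]
    return "POLICY"                  # no rule matched: the chain policy applies

def posted_input_chain():
    """Rules 6-11 of the INPUT chain from the question (icmp/unclean rules left out)."""
    return [
        {"proto": "tcp", "burst": 5, "target": "ACCEPT"},                 # rule 6
        {"proto": "tcp", "flags": ("SYN,ACK,FIN,RST", "RST"), "burst": 5, "target": "ACCEPT"},  # rule 7
        {"proto": "tcp", "dport": 80, "target": "ACCEPT"},                # rule 8
        {"proto": "tcp", "dport": 110, "target": "ACCEPT"},               # rule 9
        {"proto": "tcp", "dport": 25, "target": "ACCEPT"},                # rule 10
        {"target": "DROP"},                                               # rule 11
    ]

def verdicts(chain, packets):
    """Verdict per packet, in order, against one chain (stateful because of burst)."""
    return [first_match(chain, p) for p in packets]

if __name__ == "__main__":
    # Constructed traffic: six SYNs to port 22, which none of the port rules allow.
    syn_to_22 = [{"proto": "tcp", "dport": 22, "flags": "SYN"}] * 6
    print(verdicts(posted_input_chain(), syn_to_22))  # first 5 ACCEPT via rule 6
```

The run shows why the order matters: until rule 6's bucket is empty, the generic "-p tcp -m limit" rule accepts connections to ports the list never opens, so a port-based allow list should come before any catch-all accept.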
Expert Comment by: admin0
ID: 12216888
For just 25, 80 and 100, you can use something like:

iptables -F INPUT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 100 -j ACCEPT
iptables -A INPUT -j DROP