Solved

I'd like to understand this rule.

Posted on 2004-10-01
276 Views
Last Modified: 2010-04-20

Is this rule correct?
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST -m limit --limit 1/s -j ACCEPT

What do you use it for?

Sorry, I'm just starting with iptables.

0
Question by:ipsystems
3 Comments
 
LVL 4

Accepted Solution

by:
net_sec_guru earned 1000 total points
ID: 12205280
iptables -A FORWARD (the FORWARD chain) used for ip forwarding / nat'ing

-p tcp (protocol)

--tcp-flags:
Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN - will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

-m limit (mark limit)
--limit rate
Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

-j ACCEPT (Jump -specifies target of the rule or action to take - in this case accept)

I believe this is correct.
0
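As an added example (not code from the thread or from the iptables project), here is a small POSIX shell model of how the "--tcp-flags MASK COMP" match the accepted solution describes is evaluated, so the semantics can be checked without touching a live firewall. The function names and the flag lists fed to it are constructed for illustration.

```shell
#!/bin/sh
# Added example: models iptables' "--tcp-flags MASK COMP" evaluation.
# A packet's flags are passed as a comma-separated list, e.g. "SYN,ACK".

ALL_FLAGS="SYN,ACK,FIN,RST,URG,PSH"

# expand_flags LIST: turn the ALL / NONE keywords into an explicit list
expand_flags() {
  case "$1" in
    ALL)  printf '%s' "$ALL_FLAGS" ;;
    NONE) printf '' ;;
    *)    printf '%s' "$1" ;;
  esac
}

# has_flag LIST FLAG: succeed if FLAG appears in the comma-separated LIST
has_flag() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# Succeeds (exit 0) when the rule matches: every flag named in MASK must be
# set in the packet exactly when it is also named in COMP. Flags outside
# MASK are ignored, which is why the mask matters as much as COMP does.
tcp_flags_match() {
  mask=$(expand_flags "$1")
  comp=$(expand_flags "$2")
  pkt=$(expand_flags "$3")
  old_ifs=$IFS; IFS=,
  for f in $mask; do
    IFS=$old_ifs
    if has_flag "$comp" "$f"; then
      has_flag "$pkt" "$f" || return 1   # required flag is missing
    else
      has_flag "$pkt" "$f" && return 1   # forbidden flag is present
    fi
  done
  IFS=$old_ifs
  return 0
}

# The form from the accepted solution: --tcp-flags SYN,ACK,FIN,RST SYN
tcp_flags_match SYN,ACK,FIN,RST SYN SYN     && echo "SYN only: match"
tcp_flags_match SYN,ACK,FIN,RST SYN SYN,ACK || echo "SYN,ACK: no match"
tcp_flags_match SYN,ACK,FIN,RST SYN SYN,PSH && echo "SYN,PSH: match (PSH is outside the mask)"
```

Note that the match needs both arguments; "--tcp-flags ALL NONE" (every flag examined, none allowed to be set) and "--tcp-flags ALL ALL" are also accepted by the same logic.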
 

Author Comment

by:ipsystems
ID: 12205362

Is this correct?
I need to close ALL ports and open only 25, 80 and 100.

Is the final rule problematic, or can I use it?  iptables -I INPUT 11 -i eth0 -j DROP

iptables -I INPUT 3 -m unclean -j DROP
iptables -I INPUT 4 -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT 5 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -I INPUT 6 -p tcp -m limit --limit 1/s -j ACCEPT
iptables -I INPUT 7 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -I INPUT 8 -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 9 -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -I INPUT 10 -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -I INPUT 11 -i eth0 -j DROP
0
 
LVL 6

Expert Comment

by:admin0
ID: 12216888
For just 25, 80 and 100, you can use something like:


iptables -F INPUT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 100 -j ACCEPT
iptables -A INPUT -j DROP
0
