[Dshield] IP Chains.

Johannes B. Ullrich jullrich at euclidian.com
Wed Oct 17 22:40:48 GMT 2001



> know you can do it easily with IPTABLES with the line:
> iptables -A INPUT -i eth0 -p tcp --syn -j DROP

No, this line is wrong (and just rejects syn packets, something easily
done in ipchains). The lines for iptables are more like:

This will drop all new connections (syn flag set or not)

iptables -A INPUT -m state --state NEW -j DROP

This will allow all established connections and packets related to
established connections:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Related packets are things like icmp packets that are sent in response to
denied UDP connections and such.

There are packages that allow connection tracking for the more
complex protocols like ftp. The basic connection tracking assumes regular
tcp or udp connections.

For more about iptables/netfilter see:
http://netfilter.samba.org/

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

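An added example (not part of the post) that assembles the two rules above into an ordered INPUT chain, with the ESTABLISHED,RELATED accept placed before the catch-all DROP of NEW so that replies to connections you opened still get through; the interface name and the allowed port are assumptions:

```shell
#!/bin/sh
# Added example: ordered stateful INPUT chain built from the rules in the post.
# IFACE and ALLOW_TCP_PORTS are assumptions; adjust for your host.
IFACE="${IFACE:-eth0}"
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22}"   # assumed: only ssh accepts NEW

# Print the rules in the order they must be appended. Order matters: the
# ESTABLISHED,RELATED accept has to come before the DROP of NEW, or every
# reply packet to a connection this host opened is dropped as well.
# "-m state" is kept to match the post; current kernels also accept
# "-m conntrack --ctstate" with the same state names. For ftp, load the
# helper first (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp today).
build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    for p in $ALLOW_TCP_PORTS; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -m state --state NEW -j DROP"
}

# 1-based position of the first rule matching a pattern (empty if absent),
# so the ordering can be checked before anything is applied.
rule_index() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Run the printed rules for real; only when explicitly asked for.
apply_rules() {
    build_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run `sh thisfile.sh` to review the generated rules and `sh thisfile.sh apply` (as root) to load them.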