2 iptables rules I don't understand

Tags: linux, iptables

Could anyone explain the following rules:

-A default-INPUT -p tcp -m tcp --sport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A default-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

I think I added them to prevent SYN flood but I'm not sure.

Daniel W. asked Nov 28 '22 13:11


2 Answers

-A default-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  • -A INPUT
    • append rule to the INPUT chain
  • -m state
    • load the state module
  • --state RELATED,ESTABLISHED
    • using the state module to match on related or established connections
  • -j ACCEPT
    • is a jump to the ACCEPT chain, which means the traffic for related or previously established connections is accepted and allowed through the firewall.

Now for the next command:

-A default-INPUT -p tcp -m tcp --sport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  • -p tcp
    • matches the rule only on the TCP protocol
  • -m tcp
    • loading the tcp module (also known as "match extensions" in the documentation)
  • --sport 0:1023
    • matches on source ports range 0-1023
  • ! --tcp-flags FIN,SYN,RST,ACK SYN
    • [!] to invert the sense of the match
    • [!] --tcp-flags mask comp
    • Match when the TCP flags are as specified. The first argument mask is the flags which we should examine, written as a comma-separated list, and the second argument comp is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE.
    • Hence the command: iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
    • will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
    • So I believe this rule matches when FIN,RST,ACK flags are set and SYN is unset; which is the reverse matching of SYN set and FIN,RST,ACK are unset.

In order to understand this module's usage you need to have a little understanding of the TCP segment and its 3 way handshake.

Here is the 3 way handshake:

[Image: 3 way TCP handshake (source: cisco.com)]

So the TCP segments have flags which control the state of the connection.

  • URG (1 bit) – indicates that the Urgent pointer field is significant
  • ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  • PSH (1 bit) – Push function. Asks to push the buffered data to the receiving application.
  • RST (1 bit) – Reset the connection
  • SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
  • FIN (1 bit) – No more data from sender

TCP segment:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I don't think this prevents SYN floods, mainly because I haven't tried it yet. Though this one will limit SYN floods:

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
  • --limit 1/s: Maximum average matching rate in seconds
  • --limit-burst 3: Maximum initial number of packets to match

Taken from: http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html

pOchi answered Dec 22 '22 19:12
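The syn_flood chain in the answer above relies on the limit match, which behaves like a token bucket: `--limit-burst 3` is the bucket size and `--limit 1/s` the refill rate, so a SYN gets RETURN only while a token is available and otherwise falls through to DROP. The simplified model below is an added example, not code from the answer or from netfilter, and the arrival times it feeds through the chain are constructed.

```python
class LimitMatch:
    """Token-bucket model of the iptables limit match (-m limit).

    The bucket holds at most `burst` tokens (--limit-burst) and refills at
    `rate` tokens per second (--limit 1/s). A packet matches only if a token
    is available. In the syn_flood chain a match means RETURN (the SYN goes
    on to the rest of INPUT) and a non-match falls through to the final DROP.
    This is a simplified model of xt_limit, not its exact credit arithmetic.
    """

    def __init__(self, rate: float = 1.0, burst: int = 3) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)  # the bucket starts full
        self.last = 0.0

    def matches(self, now: float) -> bool:
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(arrivals):
    """Run SYN arrival times (seconds, non-decreasing) through the chain.

    Returns one verdict per SYN: 'RETURN' if it passed the limit match,
    'DROP' if it hit the chain's final rule.
    """
    limit = LimitMatch(rate=1.0, burst=3)  # --limit 1/s --limit-burst 3
    return ["RETURN" if limit.matches(t) else "DROP" for t in arrivals]


# Constructed sample: four SYNs at t=0, one each at t=1.0 and t=1.2,
# then four more at t=5.0 after the bucket has had time to refill.
SAMPLE_ARRIVALS = [0.0, 0.0, 0.0, 0.0, 1.0, 1.2, 5.0, 5.0, 5.0, 5.0]

if __name__ == "__main__":
    for t, verdict in zip(SAMPLE_ARRIVALS, syn_flood_chain(SAMPLE_ARRIVALS)):
        print(f"t={t:4.1f}s  SYN -> {verdict}")
```

Note that the limit is per rule, not per source address, so one noisy client can exhaust the bucket for everyone; a hashlimit match is the usual answer when per-source limiting is wanted.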


The 2nd line is to protect against invalid packets.

-A default-INPUT -p tcp -m tcp --sport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

Rejects all inbound packets that have a SYN bit and any other flag set. This makes sense if this is a server.

Any legitimate inbound connection will send an initial packet with the SYN bit set, but none of the others. Using multiple flags is an attack vector on the TCP stack and needs to be dropped.

Two other attacks are NULL, where none of the flags are set and the Christmas Tree, where all flags are set. To protect against those, use

# Protect against common attacks
# Block tcp packets that have no tcp flags set.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block tcp packets that have all tcp flags set.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Kevin answered Dec 22 '22 20:12
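Both answers turn on what `[!] --tcp-flags mask comp` actually selects: only the bits named in `mask` are examined, the packet matches when exactly the `comp` bits are set among them, and a leading `!` inverts that result. The script below is an added example (not code from either answer) that implements those semantics and evaluates the three matches quoted on this page, `! --tcp-flags FIN,SYN,RST,ACK SYN`, `--tcp-flags ALL NONE` and `--tcp-flags ALL ALL`, against constructed sample segments, so a reader can check each answer's reading of the rule against the match itself.

```python
# Bit values of the TCP flags in the 6-bit flags field of the segment header.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # what iptables means by ALL


def parse_flag_list(spec: str) -> int:
    """Turn a comma-separated flag list, or ALL / NONE, into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


def parse_tcp_flags_rule(fragment: str):
    """Parse the `[!] --tcp-flags mask comp` part of an iptables rule
    into (mask_bits, comp_bits, invert)."""
    tokens = fragment.split()
    invert = tokens[:1] == ["!"]
    if invert:
        tokens = tokens[1:]
    if len(tokens) != 3 or tokens[0] != "--tcp-flags":
        raise ValueError(f"not a --tcp-flags match: {fragment!r}")
    return parse_flag_list(tokens[1]), parse_flag_list(tokens[2]), invert


def rule_matches(fragment: str, packet_flags: str) -> bool:
    """Apply the match to a segment carrying `packet_flags` (e.g. "SYN,ACK",
    "NONE" or "ALL"). Bits outside the mask are ignored entirely."""
    mask, comp, invert = parse_tcp_flags_rule(fragment)
    matched = (parse_flag_list(packet_flags) & mask) == comp
    return not matched if invert else matched


# The three matches quoted on this page.
NOT_PURE_SYN = "! --tcp-flags FIN,SYN,RST,ACK SYN"
NULL_SCAN = "--tcp-flags ALL NONE"
XMAS_TREE = "--tcp-flags ALL ALL"

# Constructed sample segments, described by the flags they carry.
SAMPLES = ["SYN", "SYN,ACK", "ACK", "ACK,PSH", "SYN,PSH", "NONE", "ALL"]

if __name__ == "__main__":
    named = (("not-pure-SYN", NOT_PURE_SYN), ("NULL", NULL_SCAN), ("XMAS", XMAS_TREE))
    for pkt in SAMPLES:
        hits = [name for name, rule in named if rule_matches(rule, pkt)]
        print(f"{pkt:8s} -> {', '.join(hits) or '(no match)'}")
```

The SYN,PSH case is worth watching: PSH is not in the mask, so the inverted rule does not match it any more than a bare SYN, which is why flags you want examined must be listed in the mask and not only in comp.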