On Sun, 08 Jun 2003 at 05:11:43PM -0500, Jones wrote:
> can this weakness be fixed by having these lines in the iptables rules?
>
> ----
> EXTERNAL_IF="eth0"
>
> # Log and drop incoming TCP connection establishment packets.
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --syn -j LOG --log-prefix "TCP-SYN: "
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --syn -j DROP
>
> # Allow packets from already established connections (redundant?)
> iptables -A INPUT -i $EXTERNAL_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
Assuming your default policy is drop or the last rule in your chain is a log/drop, then yes, the second rule would be redundant. Stick with rule 3 and ESTABLISHED/RELATED. Of course, no TCP-based services on this machine will work...

--
Phillip Hofmeister

PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #116: New guy cross-connected phone lines with ac power bus.
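To make the redundancy argument above concrete, here is a small added example (not from the thread or from either poster) that models INPUT chain traversal in Python: rule objects mirror the quoted `-i`, `-p`, `--syn` and `-m state --state` matches, LOG is non-terminating, and whatever falls off the end gets the chain policy. The packets are constructed samples; the rule set is the one Jones posted.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    iface: str
    proto: str
    syn: bool = False   # TCP SYN without ACK, i.e. what `--syn` matches
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED, RELATED, INVALID

@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or LOG
    iface: Optional[str] = None      # -i
    proto: Optional[str] = None      # -p
    syn: Optional[bool] = None       # --syn
    states: Optional[tuple] = None   # -m state --state

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.syn is None or self.syn == p.syn)
                and (self.states is None or p.state in self.states))

def verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    """First terminating match wins; LOG is non-terminating, as in netfilter."""
    for rule in chain:
        if rule.matches(p):
            if rule.target == "LOG":
                continue          # logged, then keeps traversing the chain
            return rule.target
    return policy                 # fell off the end: chain policy applies

EXT = "eth0"
LOG_SYN = Rule("LOG", iface=EXT, proto="tcp", syn=True)
DROP_SYN = Rule("DROP", iface=EXT, proto="tcp", syn=True)
ALLOW_EST = Rule("ACCEPT", iface=EXT, states=("ESTABLISHED", "RELATED"))

def inbound_syn_verdicts(policy: str):
    """Verdict for a new inbound SYN with and without the explicit DROP rule."""
    syn = Packet(EXT, "tcp", syn=True, state="NEW")   # constructed sample packet
    return (verdict([LOG_SYN, DROP_SYN, ALLOW_EST], policy, syn),
            verdict([LOG_SYN, ALLOW_EST], policy, syn))

def reply_verdict(policy: str) -> str:
    """Verdict for a data packet of a connection this host opened outbound."""
    reply = Packet(EXT, "tcp", syn=False, state="ESTABLISHED")
    return verdict([LOG_SYN, DROP_SYN, ALLOW_EST], policy, reply)
```

With a DROP policy the inbound SYN is dropped whether or not rule 2 is present, while with an ACCEPT policy only rule 2 stops it, which is exactly the condition Phillip attaches to "redundant"; the ESTABLISHED reply is accepted either way, and any service listening on eth0 never sees its first SYN.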