I have recently encountered some malicious TCP traffic that came in with a destination of port 80, and also with a source port of 80. This traffic is obviously invalid, and would be so for any application that I can think of, as the source port should be both random and in the ephemeral range. While dropping packets with source ports below the ephemeral range or with a source and destination port of 80 is easy enough, I would like to take this a step further and block ALL traffic where the source and destination ports are identical.
Is it possible to drop all packets with iptables where the source and destination ports are identical, without creating thousands of rules? If so, is it a good idea?
0 Answers