iptables -N NEW_TCP_PACKETS_NO_SYN
iptables -A INPUT NEW_TCP_PACKETS_NO_SYN -p tcp ! --syn -m state --state NEW -m limit --limit 10/day -j LOG --log-prefix "New packets but not syn:"
iptables -A INPUT NEW_TCP_PACKETS_NO_SYN -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT NEW_TCP_PACKETS_NO_SYN -f -j DROP
1) I'm making a new user generated chain with the -N option
2) I'm logging NEW packets that aren't syn, and I'm adding a limit trying to prevent my log files from getting flooded
3) I'm dropping the NEW packets that aren't SYN
4) I'm using -f because I'm left with the fragmented packets, and I want to drop those packets.
A recommendation to improve something similar was found here https://serverfault.com/a/245713/114606 , which is to add it in -t raw -A PREROUTING
A) I don't quite understand what's being said, how do I add it "in" ?
And it seems like a risky thing to do, because it sets a mark on packets that they should not be handled by the connection tracking system.
B) And why is that necessary ? I'm dropping those packets so what exactly is the benefit of marking those packets ?
All that being said, is there anything that can be done when I do get the initial SYN fragment, but I don't get the last one ?
0 Answers