Iptables TCP Flags
In this sample iptables_tcp_flags_programs.cfg, we validate TCP flags. Any TCP packet carrying an invalid combination of flags is routed to the BADFLAGS chain, where it is logged and then dropped. Each rule uses --tcp-flags MASK COMP: only the flags listed in MASK are examined, and the rule matches when exactly the flags in COMP are set among them (for example, "ACK,FIN FIN" catches a FIN without an ACK).
///////////////////////////////////////////////////////////////////////////////
//
// iptables_tcp_flags_programs.cfg
//
///////////////////////////////////////////////////////////////////////////////

// BADFLAGS -- log and drop bad flags

=iptables -N BADFLAGS
=iptables -A BADFLAGS -j LOG --log-prefix "IPT BADFLAGS: " =logopt
=iptables -A BADFLAGS -j DROP

///////////////////////////////////////////////////////////////////////////////

// TCP_FLAGS -- check tcp flags

=iptables -N TCP_FLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ACK,PSH PSH -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ACK,URG URG -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL ALL -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL NONE -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j BADFLAGS
=iptables -A TCP_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BADFLAGS

///////////////////////////////////////////////////////////////////////////////
This iptables_tcp_flags_programs.cfg file is #included by the higher-level iptables_programs.cfg file. In that file, the TCP_FLAGS chain is invoked for inbound TCP traffic with a rule such as the following:
=iptables -A IN_NETWORK -p tcp -j TCP_FLAGS
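The following Python model is added here as an illustration and is not part of the configuration file or of the tool that processes it. It reproduces the --tcp-flags MASK COMP match (the packet's flag bits restricted to MASK must equal COMP) and walks the TCP_FLAGS chain in rule order, so you can see which rule, if any, diverts a given flag combination to BADFLAGS and confirm that normal handshake and data segments pass through untouched.

```python
# Model of the TCP_FLAGS chain above (added example, not the tool's own code).
# Bit values of the six TCP flags iptables knows under "ALL" (RFC 793).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAG_BITS.values())  # 0x3f


def flags_to_int(spec):
    """Turn an iptables flag list ("SYN,FIN", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return sum(TCP_FLAG_BITS[name] for name in spec.split(","))


# (MASK, COMP) pairs of the TCP_FLAGS chain, in the order the rules appear.
TCP_FLAGS_CHAIN = [
    ("ACK,FIN", "FIN"), ("ACK,PSH", "PSH"), ("ACK,URG", "URG"),
    ("FIN,RST", "FIN,RST"), ("SYN,FIN", "SYN,FIN"), ("SYN,RST", "SYN,RST"),
    ("ALL", "ALL"), ("ALL", "NONE"), ("ALL", "FIN,PSH,URG"),
    ("ALL", "SYN,FIN,PSH,URG"), ("ALL", "SYN,RST,ACK,FIN,URG"),
]


def tcp_flags_match(flags, mask, comp):
    """--tcp-flags MASK COMP: look only at the MASK bits, require them == COMP."""
    return flags & flags_to_int(mask) == flags_to_int(comp)


def check_tcp_flags(flags):
    """Walk TCP_FLAGS in order. Return the first matching rule as "MASK COMP"
    (the packet goes to BADFLAGS) or None if the packet falls off the chain."""
    for mask, comp in TCP_FLAGS_CHAIN:
        if tcp_flags_match(flags, mask, comp):
            return f"{mask} {comp}"
    return None


if __name__ == "__main__":
    # Constructed sample flag sets: a normal handshake and data, then
    # malformed combinations the chain is meant to catch.
    for label in ("SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK", "RST,ACK",
                  "FIN", "NONE", "FIN,PSH,URG", "SYN,FIN", "ALL"):
        verdict = check_tcp_flags(flags_to_int(label))
        print(f"{label:12} -> {'BADFLAGS via ' + verdict if verdict else 'pass'}")
```

Note that rule order matters: a FIN,PSH,URG "Xmas" combination is already caught by the first rule (ACK,FIN FIN), so the dedicated ALL FIN,PSH,URG rule only fires for packets that earlier rules let through.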
For more examples, see Samples.