I found this iptables rule in some project I am working on:
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
What does this rule mean? How does it make the network more secure?
It could be translated as "Drop every incoming segment that initializes a new TCP connection and where the SYN control bit is not set among FIN,SYN,RST,ACK." (see here).
A TCP segment used to initialize a connection should have the SYN control bit set, so that rule is there to ensure that. Also, I think this rule avoids the use of different port scan techniques involving segments without the SYN control bit set, like ACK scan. It silently drops the segment instead of sending an RST segment that could give information to a potential attacker.
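An added example (not code from the question or the answer) that evaluates the rule's match semantics against a few constructed TCP segments: the flag bits follow the TCP header, and the "state" label stands in for the conntrack verdict that -m state would consult.

```python
# Added example, not code from the original post: evaluates
# "! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP"
# against constructed segments (the "state" label stands in for the
# conntrack verdict that -m state would consult).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}

def flags_to_mask(names):
    """'FIN,SYN,RST,ACK' -> combined bitmask, as iptables parses it."""
    return sum(FLAG_BITS[n] for n in names.split(","))

def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """--tcp-flags MASK COMP: examine only the bits in MASK and require
    them to equal exactly COMP; a leading '!' inverts the result."""
    matched = (packet_flags & mask) == comp
    return (not matched) if negate else matched

def rule_drops(packet):
    """True when the rule from the question would DROP this segment."""
    mask = flags_to_mask("FIN,SYN,RST,ACK")
    comp = flags_to_mask("SYN")
    return (packet["state"] == "NEW"
            and tcp_flags_match(packet["flags"], mask, comp, negate=True))

# Constructed samples: flags bitmask plus conntrack state.
SAMPLES = {
    "plain_syn":   {"flags": FLAG_BITS["SYN"], "state": "NEW"},
    "syn_psh":     {"flags": FLAG_BITS["SYN"] | FLAG_BITS["PSH"], "state": "NEW"},
    "ack_only":    {"flags": FLAG_BITS["ACK"], "state": "NEW"},
    "no_flags":    {"flags": 0, "state": "NEW"},
    "fin_psh_urg": {"flags": FLAG_BITS["FIN"] | FLAG_BITS["PSH"] | FLAG_BITS["URG"],
                    "state": "NEW"},
    "syn_ack":     {"flags": FLAG_BITS["SYN"] | FLAG_BITS["ACK"], "state": "NEW"},
    "data":        {"flags": FLAG_BITS["PSH"] | FLAG_BITS["ACK"], "state": "ESTABLISHED"},
}

def evaluate_all():
    """Map sample name -> whether the rule drops it."""
    return {name: rule_drops(pkt) for name, pkt in SAMPLES.items()}
```

Note that PSH and URG are outside the examined mask, so a SYN carrying PSH still passes, while a NEW segment with only ACK, no flags at all, or SYN+ACK is dropped.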
I came across a rule:
iptables -A INPUT -p tcp -s 17.3.3.5/24 -d 0/0 --dport 22 -j DROP
and I was just wondering if someone could explain what this rule is doing. More importantly, I would like to know what the
-d 0/0
part means, in the whole rule (I know its destination specification, so the 0/0 part should be an IP address, but why is it 0/0?).
I'm speculating that the rule is dropping that one source address when it arrives at destination port 22, but I'm not sure.
If someone could explain, that would be great.
Couldn't find an answer when searching the interwebs :C
Just like -s 17.3.3.5/24 means any source within the CIDR block 17.3.3.5/24, -d 0/0 means any destination within the CIDR block 0.0.0.0/0. Since there are no bits in the network number, every address is inside this network. So it means any destination at all.
I am wondering how do I set a rule in my IPTables to drop packets from a specific IP address at a given probability of dropping.
E.g. for dropping any random packet from any IP, I would use the command:
# for randomly dropping 10% of incoming packets:
iptables -A INPUT -m statistic --mode random --probability 0.1 -j DROP
However, I want to drop a specific IP at a given probability.
Seems like you read this tutorial here. Have you tried this? Assuming your IP address is 123.456.78.90:
iptables -s 123.456.78.90/32 -A INPUT -m statistic --mode random --probability 0.1 -j DROP
Or perhaps:
iptables -s 123.456.78.90/32 -p tcp -m tcp -A INPUT -m statistic --mode random --probability 0.1 -j DROP
TCP Reno, HSTCP, STCP or Fast TCP? Or can we change the algorithm with the current popular kernel?
Any recent kernel (3.14.0 is the source version I'm looking at), offers a handful of congestion control algorithms:
Binary Increase Congestion (BIC) control
Version 2.0 of BIC-TCP
TCP Westwood+ (a modification of Reno)
H-TCP (another modification of Reno)
Sally Floyd's High Speed TCP (RFC 3649) congestion control
TCP-Hybla
TCP Vegas
Scalable TCP
TCP Low Priority (TCP-LP)
TCP Veno
YeAH-TCP (I reckon this is a Reno modification)
TCP-Illinois (a modification of Reno)
What you actually are using or have available depends on options chosen when the kernel was compiled. You can see what's available with cat /proc/sys/net/ipv4/tcp_available_congestion_control and control what is actually used by fiddling with the file /proc/sys/net/ipv4/tcp_congestion_control.
In case you have enabled kernel config inclusion into the running kernel, you can also see what is compiled in with zcat /proc/config.gz | grep CONG. The kernel configuration, e.g. make menuconfig, has more detailed descriptions of each algorithm, but of course nothing beats reading the source, available in your kernel source tree under net/ipv4/ (see files tcp_*.c; the filenames are self-explanatory).
Only using IPTABLES, how would you limit requests (pings for example) from the same Internet host to x number of packets per minute, say 5 for simplicity's sake?
iptables -A INPUT -p ICMP -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
-m limit: This uses the limit iptables extension
--limit 5/minute: This limits to a maximum of 5 connections per minute. Change this value based on your specific requirement
--limit-burst 5: This value indicates that the limit/minute will be enforced only after the total number of connections has reached the limit-burst level.
The above should do the trick!
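An added example (not from the question or the answer) that models the token bucket behind -m limit with the answer's values, 5/minute and a burst of 5, against a constructed timeline of ICMP packets. Two things it makes visible: the bucket starts full, so the first 5 packets match immediately, and packets that do not match the limit are not dropped by this rule but fall through to the next rule or the chain policy, so a following DROP (or a DROP policy) is what actually enforces the cap.

```python
# Added example, not from the original post: a token bucket matching the
# behaviour of "-m limit --limit 5/minute --limit-burst 5". Credits are
# kept as integers scaled by 60, so a rate of N/minute adds N credits per
# elapsed second and one packet costs 60 credits (avoids float drift).
class LimitMatch:
    def __init__(self, rate_per_minute, burst):
        self.cost = 60
        self.rate = rate_per_minute
        self.capacity = burst * self.cost
        self.credits = self.capacity   # bucket starts full: burst matches at once
        self.last = None

    def matches(self, now):
        """Return True if a packet seen at time `now` (seconds) matches."""
        if self.last is not None:
            earned = (now - self.last) * self.rate
            self.credits = min(self.capacity, self.credits + earned)
        self.last = now
        if self.credits >= self.cost:
            self.credits -= self.cost
            return True
        return False

def simulate(timestamps, rate_per_minute=5, burst=5):
    """Apply the limit rule to packets arriving at the given second
    offsets; a True entry means the ACCEPT rule fires, False means the
    packet falls through to whatever rule or policy follows."""
    bucket = LimitMatch(rate_per_minute, burst)
    return [bucket.matches(t) for t in timestamps]

# Constructed arrival times (seconds) for echo requests from one host:
# a burst of 7 at t=0, then stragglers.
SAMPLE_TIMES = [0, 0, 0, 0, 0, 0, 0, 12, 13, 30, 60]

def accepted_count(timestamps=SAMPLE_TIMES):
    return sum(simulate(timestamps))
```

With the sample timeline the first 5 packets match, the 6th and 7th fall through, the packet at t=12 matches because one credit (12 s at 5/minute) has been earned, the one at t=13 falls through, and those at t=30 and t=60 match again.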
I have a fundamental question with respect to iptables processing logic.
I see iptables has the chains PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING. And these chains are present in multiple tables.
Based on what I have understood so far, the packet arrives into PREROUTING, then based on routing rules, if the packet is meant for the local machine, it enters the INPUT chain. Else it goes to the FORWARD chain and then later on to POSTROUTING.
But my fundamental question is: if there are multiple INPUT rules in multiple tables, in what order are the tables processed? I read that the first table would be raw. But what about the rest?
Thanks!
For understanding the traversing of each table, please go through this guide; it would help you understand the flow: http://www.faqs.org/docs/iptables/traversingoftables.html
INPUT chains are used only in the Filter and Mangle tables (used for alteration of packets).
Thanks & Regards,
Alok