iptables rule to drop SYN and FIN attacks


Solution 1

This rule will match if the SYN flag is set:

iptables -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP

And this one will match for the FIN flag:

iptables -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j DROP

Note that you will need to tweak this, as the SYN rule will prevent all incoming TCP connections to your device; perhaps set the specific port you want blocked?
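As an added illustration (not part of any answer on this page), the following Python models the match semantics of iptables --tcp-flags MASK COMP: only the flags named in MASK are examined, and the packet matches when exactly the flags in COMP are set among them. It evaluates the two rules quoted in Solution 1, plus an assumed third rule "--tcp-flags SYN,FIN SYN,FIN" that targets only the SYN+FIN combination, against constructed sample packets including the probe that the question's nmap command sends.

```python
# Added example, not code from the original Q&A. Models how iptables
# "-p tcp --tcp-flags MASK COMP" decides a match, so the rules on this page
# can be compared against a few sample packets without running iptables.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}


def flag_bits(names: str) -> int:
    """Turn 'SYN,ACK,FIN,RST', 'ALL' or 'NONE' into a TCP flag bitmask."""
    if names == "ALL":
        return sum(FLAGS.values())
    if names == "NONE":
        return 0
    return sum(FLAGS[n.strip()] for n in names.split(","))


def tcp_flags_match(mask: str, comp: str, packet_flags: int) -> bool:
    """Model of --tcp-flags MASK COMP: look only at MASK bits, require == COMP."""
    return packet_flags & flag_bits(mask) == flag_bits(comp)


# Rules quoted in Solution 1, plus an assumed rule (not from the page) that
# matches only packets carrying both SYN and FIN.
RULES = {
    "page_syn": ("SYN,ACK,FIN,RST", "SYN"),
    "page_fin": ("SYN,ACK,FIN,RST", "FIN"),
    "syn_fin":  ("SYN,FIN", "SYN,FIN"),
}

# Constructed sample packets (flag sets only, not real captures).
PACKETS = {
    "client_syn":  flag_bits("SYN"),      # first packet of a normal handshake
    "scan_synfin": flag_bits("SYN,FIN"),  # probe sent by nmap --scanflags SYN,FIN
    "fin_close":   flag_bits("FIN,ACK"),  # normal connection teardown
    "syn_ack":     flag_bits("SYN,ACK"),  # reply to our own outbound SYN
}


def matching_rules(packet_name: str) -> list:
    """Names of the rules whose DROP would fire for the given sample packet."""
    bits = PACKETS[packet_name]
    return [name for name, (mask, comp) in RULES.items()
            if tcp_flags_match(mask, comp, bits)]


if __name__ == "__main__":
    for pkt in PACKETS:
        print(f"{pkt:12} dropped by: {matching_rules(pkt) or 'nothing'}")
```

Running it shows that the SYN+FIN probe is matched by neither of the quoted rules, while the SYN-only rule does match a legitimate client handshake, which is the trade-off the answer warns about.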

Solution 2

I use something to prevent these SYN attacks. Not sure if it is the correct one for your case, but you may take a look. I count requests per second and block IPs with more than X (in my case 20) requests in 1 second. Works for me.

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 20 -j DROP

Solution 3

Go check my Community Wiki: iptables Tips & Tricks

Especially the following "answer": Answer #245713

Please note that for the blockage to be effective, it must be placed in -t raw -A PREROUTING.

Author: shadow_of__soul

Updated on September 18, 2022

Comments

  • shadow_of__soul, over 1 year ago:

    From a Trustwave report, we are trying to set our server to block this type of request, but after trying several combinations of rules we can still see the ports.

    Could anyone give me a hint or the set of necessary rules to block this request?

    I'm using nmap --scanflags SYN,FIN xxx.xxx.xxx.xxx to test if iptables is blocking or not.

    • Eduardo Ivanec, about 13 years ago:
      This should be on by default, but just in case, check that you have SYN cookies enabled with sysctl net.ipv4.tcp_syncookies.
  • coredump, about 13 years ago:
    Check some rules on this post too.