iptables: does the INVALID state match FIN, Xmas tree, and NULL packets?

+2 votes
338 views

Does the rule 'iptables -I INPUT -m state --state INVALID -j DROP' get rid of those scans? Also, what exactly does INVALID match?

posted Nov 5, 2013 by Ahmed Patel
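No answer is posted here. As an added illustration (not part of the original question or any reply on this page), the block below models the two checks Linux connection tracking applies to a TCP segment that matches no tracked connection, as read from nf_conntrack_proto_tcp.c: the table of acceptable flag combinations (PSH, ECE and CWR are masked off before the lookup) and the "no state yet" row of the TCP state machine. The probe flag sets are the ones nmap uses for its -sN, -sF, -sX, -sM, -sA and -sS scans. Function names are this example's own, not kernel or iptables identifiers, and the model is deliberately simplified (no checksum, no window tracking, no reply direction).

```python
"""Model of how nf_conntrack classifies an unsolicited TCP segment.

Added example, not code from the original post; a simplified restatement
of two checks in the kernel's nf_conntrack_proto_tcp.c as understood by
the author of this example.  Identifiers here are this example's own.
"""

# TCP flag bits as they sit in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
)

# Flag combinations conntrack accepts at all (tcp_valid_flags).  Anything
# else is logged as an "invalid TCP flag combination" and marked INVALID.
VALID_FLAG_COMBOS = frozenset({
    SYN, SYN | URG, SYN | ACK,
    RST, RST | ACK,
    FIN | ACK, ACK, ACK | URG, FIN | ACK | URG,
})

# Flag sets used by the nmap scan types the question is about
# (constructed here for illustration; -sN/-sF/-sX are the "stealth" trio).
NMAP_PROBES = {
    "NULL (-sN)":   0,
    "FIN (-sF)":    FIN,
    "Xmas (-sX)":   FIN | PSH | URG,
    "Maimon (-sM)": FIN | ACK,
    "ACK (-sA)":    ACK,
    "SYN (-sS)":    SYN,
}


def classify_unsolicited(flags: int, tcp_loose: bool = True) -> str:
    """Verdict for a segment that belongs to no existing conntrack entry.

    Returns "INVALID" (matched by -m state --state INVALID) or "NEW"
    (conntrack creates an entry; matched by --state NEW).
    tcp_loose mirrors net.netfilter.nf_conntrack_tcp_loose, which
    defaults to 1 and lets a bare ACK be "picked up" mid-stream.
    """
    core = flags & ~(PSH | ECE | CWR)          # same mask as the kernel
    if core not in VALID_FLAG_COMBOS:
        return "INVALID"                       # rejected before state lookup

    # Index the segment the way get_conntrack_index() does: RST wins,
    # then SYN (with/without ACK), then FIN, then ACK, else "none".
    if core & RST:
        index = "rst"
    elif core & SYN:
        index = "synack" if core & ACK else "syn"
    elif core & FIN:
        index = "fin"
    elif core & ACK:
        index = "ack"
    else:
        index = "none"

    # Row of the ORIGINAL-direction state table for state sNO (no entry):
    # syn -> SYN_SENT (new entry); ack -> ESTABLISHED only when loose;
    # synack, fin, rst, none -> sIV, i.e. INVALID.
    if index == "syn":
        return "NEW"
    if index == "ack":
        return "NEW" if tcp_loose else "INVALID"
    return "INVALID"


def scan_verdicts(tcp_loose: bool = True) -> dict:
    """Verdict for each nmap probe type; what --state INVALID would DROP."""
    return {name: classify_unsolicited(f, tcp_loose)
            for name, f in NMAP_PROBES.items()}


if __name__ == "__main__":
    for loose in (True, False):
        print(f"nf_conntrack_tcp_loose={int(loose)}")
        for name, verdict in scan_verdicts(loose).items():
            print(f"  {name:14s} -> {verdict}")
```

Run as is and the NULL, FIN, Xmas and Maimon probes all come out INVALID, so the rule in the question does drop them. The gap is the plain ACK probe: with the default nf_conntrack_tcp_loose=1 it is classified NEW, not INVALID, which is why the INVALID rule is normally paired with `iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP` (or the sysctl is set to 0). Note also that dropping these probes changes what the scanner sees: for the FIN/NULL/Xmas scans nmap reports a port as closed only when it gets a RST back, and as open|filtered when it gets nothing, so after the rule every port looks the same to those scans instead of leaking which ones are closed.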


Similar Questions
0 votes

I am trying to queue the packets of a process so I can use libnetfilter_queue to modify them.

I read in the documentation that I should use --pid-owner processid to filter packets of a process and iptables -I ... -j NFQUEUE --queue-num ... to add them to the queue.

I read the documentation but I am still confused about how to do this. If anyone can help me understand this command I would appreciate it a lot.

+1 vote

I have multiple WAN ports and multiple routing tables in a box. The WAN port should be the final destination for the outside world (e.g. all packets coming from the internet should have the destination IP address of my WAN port; there is no further routing beyond the WAN IP address).

rp_filter does not seem to work correctly in a multiple-routing-table situation, so I need to set rp_filter to 0.

I want to know if there is a simple setup method to secure the WAN port, or whether I need to use iptables to drop incoming packets that do not match the WAN interface IP.

The problem is that I have a dynamic PPP interface, so matching the IP via iptables is a little complicated. I want to know if there are smarter ways to do the job.

+1 vote

I am trying to use byte counters to know how much total data is transferred from an IP. However, a simple test with ping shows that it counts 14 bytes less, probably ignoring the layer 2 header.

Is my understanding correct or am I missing something in this?

+1 vote

After testing and looking at the kernel source, I realize that this mapping:

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 30000:40000 -j DNAT --to [local_ip]:10000-2000

doesn't do a one-to-one port mapping, e.g.:

100.0.0.1:30000 > 192.168.0.5:10000
100.0.0.1:30001 > 192.168.0.5:10001
100.0.0.1:30002 > 192.168.0.5:10002

I was wondering if it is possible to do 1:1 port-range forwarding to a different port range, or whether you have to use individual rules.

+2 votes

We suffer from DNS lookups whose response IP address does not exist. Can iptables check for this?

...