I often see samples of IPv4 rules for iptables which are there to stop what is viewed as invalid or broken TCP packets. Certain combinations of TCP flags should never be used.
Here is an example of 4 such rules:
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ALL ACK
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ALL RST
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ALL ACK,FIN
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ALL ACK,PSH
I used these to see how many such invalid packets I receive (i.e. notice the lack of a target, no -j DROP).
If I insert that at the very beginning of the INPUT table, I see a ton of those errors.
When I insert them after the ESTABLISHED,RELATED rule:
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -m tcp ! --syn -j ACCEPT
I see no errors at all... meaning that those broken TCP packets are being sent to the service the client is connected to.
I am thinking that blocking such packets is rather futile/unnecessary, especially since I use the INVALID state first anyway:
-A INPUT -m state --state INVALID -j DROP
and I would imagine that is enough to eliminate really dangerous packets.
What is the consensus about those 4 rules blocking broken TCP packets?
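To make the `--tcp-flags mask comp` semantics behind these rules concrete, here is an added Python model of the match (example code written for this page, not part of the question, and it does not touch iptables). In iptables, `--tcp-flags mask comp` examines only the flags listed in `mask`; of those, the ones in `comp` must be set and every other flag in `mask` must be clear. The script applies the four rules from the question to constructed sample packets: the flag sets a normal TCP session puts on the wire, and a few combinations no well-formed stack sends. The second rule set, `BOGUS_FLAG_RULES`, is the commonly published set of invalid-combination rules and is an assumption added here, not something that appears in the question.

```python
# Added example: a model of iptables' `--tcp-flags mask comp` matching,
# run over constructed sample packets. Not code from the question.
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

FLAG_NAMES = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
ALL: FrozenSet[str] = frozenset(FLAG_NAMES)
NONE: FrozenSet[str] = frozenset()


def parse_flag_list(spec: str) -> FrozenSet[str]:
    """Parse an iptables flag list such as 'ACK,FIN', 'ALL' or 'NONE'."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return NONE
    flags = frozenset(spec.split(","))
    unknown = flags - ALL
    if unknown:
        raise ValueError(f"unknown TCP flags: {sorted(unknown)}")
    return flags


def tcp_flags_match(mask: str, comp: str, packet_flags: Iterable[str]) -> bool:
    """iptables semantics: only flags in `mask` are examined; those in `comp`
    must be set and all remaining flags in `mask` must be clear."""
    m = parse_flag_list(mask)
    c = parse_flag_list(comp)
    if not c <= m:
        raise ValueError("comp flags must be a subset of the mask flags")
    return (frozenset(packet_flags) & m) == c


# The four rules from the question, as (mask, comp) pairs.
QUESTION_RULES: List[Tuple[str, str]] = [
    ("ALL", "ACK"),
    ("ALL", "RST"),
    ("ALL", "ACK,FIN"),
    ("ALL", "ACK,PSH"),
]

# Assumption: the widely published "bogus flag combination" rules.
BOGUS_FLAG_RULES: List[Tuple[str, str]] = [
    ("ALL", "NONE"),          # no flags at all (null scan)
    ("SYN,FIN", "SYN,FIN"),
    ("SYN,RST", "SYN,RST"),
    ("FIN,RST", "FIN,RST"),
    ("ACK,FIN", "FIN"),       # FIN without ACK
    ("ACK,PSH", "PSH"),       # PSH without ACK
    ("ACK,URG", "URG"),       # URG without ACK
]

# Constructed sample packets: the flag sets of an ordinary TCP session...
NORMAL_SESSION: Dict[str, Set[str]] = {
    "client SYN": {"SYN"},
    "server SYN/ACK": {"SYN", "ACK"},
    "handshake ACK": {"ACK"},
    "data segment": {"ACK", "PSH"},
    "FIN from client": {"ACK", "FIN"},
    "reset": {"RST"},
}
# ...and combinations that no well-formed TCP stack emits.
MALFORMED: Dict[str, Set[str]] = {
    "null scan": set(),
    "xmas": {"FIN", "PSH", "URG"},
    "SYN+FIN": {"SYN", "FIN"},
    "SYN+RST": {"SYN", "RST"},
    "FIN without ACK": {"FIN"},
}


def matched_by_rules(packets: Dict[str, Set[str]],
                     rules: List[Tuple[str, str]] = QUESTION_RULES) -> List[str]:
    """Names of the packets that at least one (mask, comp) rule matches."""
    return [name for name, flags in packets.items()
            if any(tcp_flags_match(mask, comp, flags) for mask, comp in rules)]


if __name__ == "__main__":
    print("question rules, normal session:", matched_by_rules(NORMAL_SESSION))
    print("question rules, malformed:", matched_by_rules(MALFORMED))
    print("bogus-flag rules, normal session:",
          matched_by_rules(NORMAL_SESSION, BOGUS_FLAG_RULES))
    print("bogus-flag rules, malformed:",
          matched_by_rules(MALFORMED, BOGUS_FLAG_RULES))
```

Running it shows why the counters behave as described in the question: with mask `ALL`, `ACK`, `ACK,PSH`, `ACK,FIN` and `RST` match exactly the ordinary acknowledgement, data, teardown and reset segments of an established connection, so placed before the ESTABLISHED,RELATED accept rule they count normal traffic, and placed after it they see nothing. The same model applied to the bogus-flag set matches only the malformed packets and none of the normal session, which is the property a "drop broken TCP packets" rule is meant to have, and a good check to run against any rule set before deploying it.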