
Re: iptables and INVALID packet filtering.



>> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Should be fine if you want to drop any INVALID packets, both TCP and UDP.

Kind Regards,
 
David


2013/4/4 Daniel Curtis <sidetripping@gmail.com>
Hi

I would only like to ask about an iptables (1.4.14-3.1) rule that is responsible for filtering INVALID packets. If I decide to use this rule:

>> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

That's an example. By using this rule, will iptables also check the TCP and UDP protocols, or should I use something like:

>> iptables -A INPUT -p tcp (...)
>> iptables -A INPUT -p udp (...)

Which solution/rule is correct and better to implement?

Best regards.

