Sounds like something I can adapt into my *ipchains* rules. But why use "!--syn -m state --state"? Anybody can explain?
Just a guess: Module state tracks connections. A normal TCP connection starts with the SYN flag set. So if the connection does not exist already (so it is new in this sense) but does not have the SYN flag "on", THEN this particular packet is (almost 100% sure?) crafted, i.e. not originating from a nicely behaving IP stack but generated otherwise. If the TCP connection is opened the normal way - it has the SYN in the first packet, ACK/SYN (typically combined) in the reply and ACK in the third (second incoming) - then it is following the specs correctly and is accepted (unless other rules DROP/REJECT it). Then the state module is used (and able) to track the connection - probably notices things such as hijacking attempts too (especially when packets are properly numbered). Does this answer your question? (And is this a correct answer?)
----- Original Message ----- Subject: Re: [suse-security] how do I build iptable-protection for scanners like nmap
Good Morning...
To drop stealth scans like nmap, you can use the following rules in a simple firewall with iptables:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
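To see what the two rules above actually match, here is an added simulation (not part of the thread and not iptables code) that feeds constructed packets through a simplified stand-in for the state module; `--syn` is modelled as "SYN set, ACK and RST clear", and the connection table, keyed only on the address pair, is an assumption that ignores ports, sequence numbers and timeouts.

```python
"""Simulate '! --syn -m state --state NEW -j LOG/DROP' over constructed packets.
Assumption: Conntrack is a simplified stand-in for the iptables state module."""
SYN, ACK, FIN, RST, PSH, URG = 0x02, 0x10, 0x01, 0x04, 0x08, 0x20


class Conntrack:
    def __init__(self):
        self.seen = set()  # address pairs with at least one accepted packet

    def state(self, src, dst):
        # A packet for an untracked pair is NEW, everything else ESTABLISHED
        return "ESTABLISHED" if frozenset((src, dst)) in self.seen else "NEW"

    def track(self, src, dst):
        self.seen.add(frozenset((src, dst)))


def filter_packet(ct, src, dst, flags, log):
    """Apply the two rules: a non-SYN packet in state NEW is logged, then dropped."""
    is_syn = (flags & (SYN | ACK | RST)) == SYN  # what iptables' --syn matches
    if not is_syn and ct.state(src, dst) == "NEW":
        log.append(f"Stealth scan src={src} dst={dst} flags=0x{flags:02x}")
        return "DROP"
    ct.track(src, dst)  # accepted packets become part of a tracked connection
    return "ACCEPT"


def run_handshake():
    """Normal three-way handshake between constructed hosts: every packet passes."""
    ct, log = Conntrack(), []
    pkts = [("client", "server", SYN),
            ("server", "client", SYN | ACK),
            ("client", "server", ACK)]
    return [filter_packet(ct, s, d, f, log) for s, d, f in pkts], log


def run_probe(flags):
    """A single packet with no prior connection, e.g. an ACK, NULL, FIN or Xmas probe."""
    ct, log = Conntrack(), []
    return filter_packet(ct, "scanner", "server", flags, log), log


if __name__ == "__main__":
    print("handshake:", run_handshake())
    for name, f in [("ACK", ACK), ("NULL", 0), ("FIN", FIN), ("Xmas", FIN | PSH | URG)]:
        print(name, run_probe(f))
```

Only a plain SYN reaches the server through these rules when no connection exists; every other first packet is logged with the "Stealth scan" prefix and dropped, which is exactly the behaviour described in the reply above.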