When working with iptables firewall rules for TCP traffic, the --tcp-flags
parameter allows us to inspect and match specific TCP header flags. The syntax follows this pattern:
--tcp-flags MASK COMPARISON
Where MASK specifies which flags to examine, and COMPARISON indicates which of those masked flags must be set.
In your example rule:
-p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
This means we're examining the SYN, ACK, FIN, and RST flags, and we want to match packets where ONLY the SYN flag is set (all others must be unset).
There's no such thing as a "SYN RST" flag - these are separate flags that can appear together in some cases:
- RST SYN - Not a standard combination, likely means checking for RST and SYN independently
- SYN RST - Similarly, this isn't a valid flag combination, just checking two separate flags
The ALL keyword in iptables TCP flag matching means "all defined TCP flags". These are SYN, ACK, FIN, RST, PSH, URG, ECE, and CWR.
Compare these two rules:
-p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
-p tcp --tcp-flags ALL SYN -j DROP
The first rule only checks SYN, ACK, FIN, RST, while the second checks ALL possible TCP flags (but only matches if SYN is set and all others are unset).
Here are some useful iptables rules for blocking suspicious TCP flag combinations:
# XMAS scan protection
-p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# NULL scan protection
-p tcp --tcp-flags ALL NONE -j DROP
# SYN-FIN scan protection
-p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Common port scanner pattern
-p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
- Using ALL is more thorough but may have performance implications
- Some legitimate traffic (like certain OS implementations) might use unusual flag combinations
- Always test new firewall rules in a non-production environment first
- Consider combining these rules with rate limiting for better port scan protection
When working with iptables for firewall configuration, understanding TCP flags is crucial for effective network protection. The syntax --tcp-flags takes two arguments:
-p tcp --tcp-flags mask comp
Where mask lists flags to be examined, and comp lists flags that must be set.
The example rule:
-p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
This checks packets where:
- SYN, ACK, FIN, and RST flags are being examined
- Only the SYN flag must be set
Key combinations to understand:
- RST SYN: This isn't a standard TCP flag combination. In iptables syntax, it means checking if both RST and SYN are set
- RST: Just the reset flag
- SYN RST: Same as RST SYN, just different ordering
Comparing these two rules:
-p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
-p tcp --tcp-flags ALL SYN -j DROP
The difference:
- First rule examines only SYN,ACK,FIN,RST flags
- Second rule (with ALL) examines ALL TCP flags (including URG, PSH, etc.)
When using ALL, the rule will match only if:
- SYN is set
- ALL other flags are NOT set
Common rules to block suspicious traffic:
# XMAS scan protection
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# NULL scan protection
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN-FIN scan protection
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
Use specific flag checks when:
- You only care about certain flags
- Other flags might legitimately be set
Use ALL when:
- You want to ensure no other flags are set
- You need strict validation of flag combinations
For more complex scenarios, combine with other iptables features:
# Match SYN packets without ACK (new connections)
# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN; a single tcp match
# cannot carry both --syn and a second --tcp-flags, so --syn alone is used here
iptables -A INPUT -p tcp --syn -j ACCEPT
# Match packets carrying only the ACK flag (bare ACKs of established connections;
# with the ALL mask a data segment that also has PSH set would not match)
iptables -A INPUT -p tcp --tcp-flags ALL ACK -j ACCEPT
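The mask/comp semantics both answers describe can be checked offline. The following is an added example, not code from either answer or from the iptables project: it implements the kernel's `(header_flags & mask) == comp` test over the flag byte, walks a small constructed chain built from the scan rules above, and shows why a SYN,PSH packet matches `--tcp-flags SYN,ACK,FIN,RST SYN` but not `--tcp-flags ALL SYN`.

```python
# Bit positions of the TCP flags in header byte 13 (RFC 793, plus ECE/CWR from RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flag_bits(spec: str) -> int:
    """Convert an iptables flag list ("SYN,ACK", "ALL", "NONE") to a bitmask."""
    spec = spec.upper()
    if spec == "ALL":
        return 0xFF
    if spec == "NONE":
        return 0x00
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name]  # an unknown flag name raises KeyError, as iptables rejects it
    return bits


def tcp_flags_match(mask: str, comp: str, packet_flags: int) -> bool:
    """--tcp-flags MASK COMP: among the MASK flags, exactly the COMP flags must be set.

    This is the kernel's test: (header_flags & mask) == comp. Flags outside MASK
    are ignored, which is the whole difference between a specific mask and ALL.
    """
    return (packet_flags & flag_bits(mask)) == flag_bits(comp)


def first_verdict(rules, packet_flags: int, default: str = "ACCEPT") -> str:
    """Walk a chain of (mask, comp, target) rules; the first match decides, like iptables."""
    for mask, comp, target in rules:
        if tcp_flags_match(mask, comp, packet_flags):
            return target
    return default


# Constructed chain using the scan-protection rules quoted in the answers (not a real ruleset).
SCAN_CHAIN = [
    ("ALL", "FIN,PSH,URG", "DROP"),   # XMAS scan
    ("ALL", "NONE", "DROP"),          # NULL scan
    ("SYN,FIN", "SYN,FIN", "DROP"),   # SYN-FIN scan
]

if __name__ == "__main__":
    pkt = flag_bits("SYN,PSH")  # a SYN carrying one extra flag
    print("SYN,ACK,FIN,RST SYN matches:", tcp_flags_match("SYN,ACK,FIN,RST", "SYN", pkt))  # True
    print("ALL SYN matches:", tcp_flags_match("ALL", "SYN", pkt))                          # False
    print("XMAS packet verdict:", first_verdict(SCAN_CHAIN, flag_bits("FIN,PSH,URG")))    # DROP
```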