[svlug] what about those tcp flags?

George Georgalis georgw at galis.org
Thu Mar 13 09:32:50 PST 2003

I did another search and was been swamped with examples, but not the doc
I'm looking for...

Using iptables you can filter based on tcp flags, but under what
circumstances do the various combinations come up? Ideally I'd like to
find a webpage that has a short paragraph explaining the circumstances
of every tcp flag permutation. :-} Surly somebody has done this...

In the past I've asked and was pointed to the Stevens book, I'm
sure the answer is in there but I'm also sure more specific doc is
available than I've been able to find.... what I'm looking for could
take quite a while (and prone to errors) if done from scratch. (cf

These are some specific examples I have, but I don't always know
what to do with them, for example I _sometimes_ get a "--tcp-flags
SYN,ACK,FIN,RST RST" back when delivering mail, can I drop it?....

 --tcp-flags SYN,FIN SYN,FIN -j DROP # syn/fin-scan
 --tcp-flags SYN,ACK,FIN,RST RST # Stealth-Scan but might be normal too --limit 5/m
 --tcp-flags ALL FIN,URG,PSH -j DROP # nmap-xmas scan 
 --tcp-flags ALL FIN # fin-scan
 --tcp-flags ALL NONE # null-scan

Here are some resources I've saved...

TCP/IP Illustrated, Volume 1: The Protocols, W. Richard Stevens
 Pocket guide (2 pages: pictures of IP, UDP, and TCP headers)
 TCP Bulk Data Flow
packet handling in Linux 2.4 (essentially ipv4) and including the
5 netfilter hooks. xfig source available from author.
SYN cookies are particular choices of initial TCP sequence numbers by
TCP servers.
kernel doc
List of frequently seen TCP and UDP ports and what they mean.
Default ports used by some known trojan horses
The aim of the iptables-tutorial is to explain iptables in a complete
and simple way.

// George

GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 

More information about the svlug mailing list