≡ Menu

How to: Linux Iptables block common attacks

Following list summaries the common attack on any type of Linux computer:

Syn-flood protection

In this attack system is floods with a series of SYN packets. Each packets causes system to issue a SYN-ACK responses. Then system waits for ACK that follows the SYN+ACK (3 way handshake). Since attack never sends back ACK again entire system resources get fulled aka backlog queue. Once the queue is full system will ignored incoming request from legitimate users for services (http/mail etc). Hence it is necessary to stop this attack with iptables.

Force SYN packets check

Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check

Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.

iptables -A INPUT -f -j DROP

XMAS packets

Incoming malformed XMAS packets drop them:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets

Incoming malformed NULL packets:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Block Spoofing and bad addresses

Using iptables you can filter to drop suspicious source address. Network server should not accept packets claiming from the Internet that claim to originate from inside your network. Spoofing can be classified as:
a) IP spoofing – Disable the source address of authentication, for example rhosts based authentication. Filter RPC based services such as portmap and NFS,
b) DNS spoofing
Please see Iptables: How to avoid Spoofing and bad addresses attack tip for more information.

Also use NAT for your internal network. This makes difficult for attacker to spoof IP address from outside.

Filter incoming ICMP, PING traffic

It includes the ping of death attack and ICMP floods. You should block all ICMP and PING traffic for outside except for your own internal network (so that you can ping to see status of your own server) . See Linux : Iptables Allow or block ICMP ping request article.

Once system is secured, test your firewall with nmap or hping2 command:
# nmap -v -f FIREWALL-IP
# nmap -v -sX FIREWALL-IP
# nmap -v -sN FIREWALL-IP
# hping2 -X FIREWALL-IP

Further readings

  • Man page : hping2(8), nmap(1), iptables(8)
Share this on:

{ 27 comments… add one }

  • dhaval February 5, 2008, 7:07 am

    Cyberciti is the great.

  • Jlmiller March 1, 2008, 4:51 am

    Cyberciti had the answers I was looking for and the information is quite easy.

  • Matt Newcombe April 2, 2008, 5:40 pm

    Many thanks – just what I was looking for.


  • Ryan Rodriguez August 14, 2008, 6:12 pm

    This would block the more common XMAS packets.

    iptables -A INPUT -p tcp –tcp-flags ALL FIN,PSH,URG -j DROP

    • Cody July 26, 2014, 11:48 am

      Yes, I was thinking similar. In fact, FIN,PSH,URG would be THE Xmas scan. ALL ALL is something else entirely. I was going to elaborate but the man page will state it better than I can (and why bother wording it the iptables man page is so thorough – admittedly it might not be as thorough as some may like, but those people can go find some other document …):

      tcp flags:
      Match when the TCP flags are as specified. The first argument mask is the flags which we should examine, written as a comma-separated list, and the second argument comp is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE.
      Hence the command
      iptables -A FORWARD -p tcp –tcp-flags SYN,ACK,FIN,RST SYN
      will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

      Oh, as for Xmas, nmap(1):
      Xmas scan (-sX)
      Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

  • ak November 3, 2008, 3:10 am

    In Drop all NULL packets,

    Please correct spelling.
    Change INPIT to INPUT

  • Hamza Sani October 23, 2009, 9:31 am

    Cyberciti is really very knowledgeable website i would like to say thank you for this.

  • name October 31, 2009, 1:38 pm

    A better way of doing this would be to just use connection tracking:

    -A INPUT -m conntrack –ctstate INVALID -j DROP
    -A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

    And instead of blocking ICMP limiting is IMO a better way, -m limit.

  • kunoichi March 31, 2010, 10:17 am

    I would like to share with you my iptables rules… I am not gonna explain it in details.
    They are ready to be used with the iptables-restore command, Just check your ports and substitute xx.xx.xx.xx with your IP… If you have more IPs just add more IP chains. customise to your requirments.



    #clear custom

    #default rules

    #allow localhost
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT

    #allow output for new, related and established connections

    # PACKETS chain
    -A PACKET -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
    -A PACKET -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
    #limit ping to 1 per second
    -A PACKET -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

    # STATE_TRACK chain (connection tracking)
    -A STATE_TRACK -m state --state INVALID -j DROP

    # PORTSCAN chain (drop common attacks)
    -A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j DROP
    -A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j DROP
    -A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j DROP
    -A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    -A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    -A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP
    -A PORTSCAN -p tcp --tcp-flags ALL NONE -j DROP
    -A PORTSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    -A PORTSCAN -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
    -A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    # COMMON chain (everything passes through here)

    # chains relations
    # IP chain
    -N IP1
    -A INPUT -d xx.xx.xx.xx -j IP1
    -A OUTPUT -d xx.xx.xx.xx -j IP1
    -A FORWARD -d xx.xx.xx.xx -j IP1
    #SSH On standard port
    -A IP1 -p tcp --dport 22 -j ACCEPT
    -A IP1 -p tcp --dport 80 -j ACCEPT
    -A IP1 -p tcp --dport 443 -j ACCEPT
    -A IP1 -p tcp --dport 53 -j ACCEPT
    -A IP1 -p udp --dport 53 -j ACCEPT
    Admin Panel (Webmin)
    -A IP1 -p tcp --dport 10000 -j ACCEPT

    #-N IP2
    #-A INPUT -d xx.xx.xx.yy -j IP2
    #-A OUTPUT -d xx.xx.xx.yy -j IP2
    #-A FORWARD -d xx.xx.xx.yy -j IP2
    #-A IP2 -p tcp --dport 22 -j ACCEPT
    #-A IP2 -p tcp --dport 80 -j ACCEPT
    #-A IP2 -p tcp --dport 443 -j ACCEPT
    #-A IP2 -p tcp --dport 53 -j ACCEPT
    #-A IP2 -p udp --dport 53 -j ACCEPT


    • Andy February 12, 2012, 11:08 am

      Very nice, thank you for posting this!

  • Anonymous May 1, 2010, 8:52 pm

    Completely blocking ICMP may result in a Black Hole situation (RFC 2923) since ICMP is vital to the PMTUD process. This may lock out clients coming over a congested link with MTU sizes below 1500 (e.g. tunnels).

  • SLX May 30, 2010, 2:44 pm

    This rule
    iptables -A INPUT -p tcp ! –syn -m state –state NEW -j DROP
    will never work. The !SYN flag and NEW state are mutaully exclusive. Packet will never get NEW state if there has no been SYN flag earlier. And if you use connection tracking then this rule:
    iptables -A INPUT -f -j DROP
    also is not necessary, since enabling contrack also disables fragmented packets, they are merged before processing by iptables.

    • Cody May 28, 2014, 2:00 pm

      If only that were the case (referring to the !syn state NEW).

      “NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions”

      For instance, if you were to do :
      iptables INPUT 1 -p tcp -m conntrack –ctstate NEW ! –syn -j LOG –log-prefix “state test ”
      and then used an ACK scan (e.g., with nmap) then you would find in your logs that you are in fact incorrect.

      That being noted, conntrack is the suggested module nowadays.

  • Sam July 20, 2010, 10:01 am

    -A INPIT -p tcp –tcp-flags ALL NONE -j DROP

    Should be:

    -A INPUT -p tcp –tcp-flags ALL NONE -j DROP

  • scott April 9, 2011, 5:05 pm

    i was wondering if there is a way you can do this in windows as well. i get alot of these attacks and i tried the blocking the ICMP rule in my firewall. it worked for a few days but the attacks continued.

  • JB July 29, 2011, 8:28 pm

    I am still able to get pinged using another computer running Ubuntu 11.04 and using nmap with those commands.

  • JBress November 4, 2011, 2:25 pm

    Great info, was getting molested with SYN attacks now things are stable!

    Just want to correct a spelling mistak, for users like myself, who copy & paste everything into ssh

    Drop null packets:
    iptables -A INPIT -p tcp –tcp-flags ALL NONE -j DROP

    Should be

    iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP

    I knows its no biggie, but its easy to just copy & paste the mistake in and not check


  • Goback June 6, 2012, 5:13 am

    Hi guy
    nice tut,
    but what about “HTTP Slow Post” attacks?

  • Jouni "Rautamiekka" Järvinen August 6, 2012, 12:59 pm

    This tip is great, but it has flaws:
    – typos
    – grammar errors
    – missing other types of attacks, like those told in comments

  • Cosmin September 27, 2012, 6:08 pm

    19:54:10.607064 IP > sd214666.performant-hosting.com.20706: P win 512
    19:54:10.607059 IP > sd214666.performant-hosting.com.20699: P win 512
    19:54:10.607052 IP > sd214666.performant-hosting.com.20579: P win 512

    how to deny iptables? reply me thanks you!

  • fame October 24, 2012, 2:22 pm

    kunoichi, GREAT SHARE!! This is a great iptables setup… and it works great with psad… so far best one that I have seen and liked… takes care of everything..

  • johnlth93 November 16, 2012, 4:46 pm

    iptables -A INPIT -p tcp –tcp-flags ALL NONE -j DROP
    iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP

    anyway, thanks for sharing <3

  • jose jeffrey a. mazaredo April 1, 2013, 9:21 am


    You have a typo:

    iptables -A INPIT -p tcp –tcp-flags ALL NONE -j DROP

  • Jose Tapia November 6, 2013, 6:50 am

    Great Article, i always learn new things in your blog, thanks i appreciate

  • Kozan March 12, 2014, 6:54 pm

    This line:
    iptables -A INPIT -p tcp –tcp-flags ALL NONE -j DROP

    It should say INPUT.

  • Cody July 26, 2014, 1:09 pm

    As for syn floods, here’s an interesting article (that’s not to suggest you should NOT check for SYN and state NEW – you should… and you should rate-limit from same host too, but it is an interesting thing to consider, the article): http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/

  • Wm August 6, 2015, 9:22 pm

    I just wanted to be the 100th person to let you know that:

    iptables -A INPIT -p tcp --tcp-flags ALL NONE -j DROP

    needs to be changed to:

    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Leave a Comment

   Tagged with: , , , , , , , ,