I have just learnt from the website how to tweak sysctl to prevent non-SYN packets from starting a TCP connection stream. This is quite useful where I don't need to load iptables rules in order to filter and reject such bad packets. I would like to share this URL, since I have never seen any iptables tutorial as clean and clear as this one, and it is free.
To drop non-SYN packets that start a TCP stream, just run:
shell>echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
shell>sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_loose=0
Both commands set the same value: 0 stops conntrack from picking up streams it never saw the SYN for, so a non-SYN packet can no longer create a NEW connection entry (1 is the default, loose behaviour). On newer kernels the key is named net.netfilter.nf_conntrack_tcp_loose instead.
If you want to use iptables to filter it, this is how it can be done. I didn't write the rule but copied and pasted it from the web tutorial, because I'm afraid I may forget it next time, since I'm not a frequent iptables user.
shell>iptables -A INPUT \
-p tcp ! --syn -m state --state NEW \
-j LOG --log-prefix "New not syn:"
shell>iptables -A INPUT \
-p tcp ! --syn -m state --state NEW -j DROP
Another important rule that can be applied is to avoid a successful spoofing attack when receiving packets with SYN+ACK flags from an unknown host: a reset should be sent to the unknown host that is sending the SYN+ACK packet, so an intruder can't simply take over the connection with its own ACK packet.
shell>iptables -N bad_tcp_packets
shell>iptables -A bad_tcp_packets \
-p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
shell>iptables -A INPUT -p tcp -j bad_tcp_packets
The last line sends TCP traffic on INPUT through the new chain; without it the bad_tcp_packets chain is never consulted.
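As an added example (not code from the post or from the tutorial it cites), the following script wraps the sysctl tweak and the rules above so they can be re-applied safely: it picks the sysctl key that exists on the host, skips rules that are already present, and with DRY_RUN=1 only prints the commands. The chain name and the /proc paths are taken from the post; the newer nf_conntrack_tcp_loose key is an assumption about recent kernels.

```shell
#!/bin/sh
# Added example (not from the post or the tutorial it cites): apply the
# conntrack tweak and the post's iptables rules idempotently. With DRY_RUN=1
# the commands are printed instead of executed, so it can be read without root.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Older kernels expose ip_conntrack_tcp_loose under net.ipv4.netfilter,
# newer ones nf_conntrack_tcp_loose under net.netfilter. Print whichever exists.
conntrack_loose_key() {
    if [ -e /proc/sys/net/netfilter/nf_conntrack_tcp_loose ]; then
        echo net.netfilter.nf_conntrack_tcp_loose
    elif [ -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then
        echo net.ipv4.netfilter.ip_conntrack_tcp_loose
    else
        return 1
    fi
}

# 0 = conntrack no longer picks up streams it did not see the SYN for, so a
# stray non-SYN packet cannot create a NEW entry.
disable_tcp_loose() {
    key=$(conntrack_loose_key) || { echo "no tcp_loose sysctl on this host" >&2; return 1; }
    run sysctl -w "$key=0"
}

# Append a rule only if an identical one is not already in the chain (iptables -C).
add_rule() {
    chain=$1; shift
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -A "$chain" "$@"
}

apply_tcp_rules() {
    add_rule INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
    add_rule INPUT -p tcp ! --syn -m state --state NEW -j DROP
    run iptables -N bad_tcp_packets 2>/dev/null || true   # already exists on re-run
    add_rule bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW \
        -j REJECT --reject-with tcp-reset
    add_rule INPUT -p tcp -j bad_tcp_packets   # hook the chain into INPUT
}
```

Run `disable_tcp_loose` and `apply_tcp_rules` as root, or with DRY_RUN=1 first to review what would be executed.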
I've actually read it quite some time ago, but I tend to forget it because of a lack of practice with iptables. Coming back to read it again is good for me, since the tutorial seems shinier than before.