Skip to content

How to Use iptables TCP Flags Matching

DodaTech Updated 2026-06-24 2 min read

TCP flags matching detects malformed and malicious packets. Combined with logging, it identifies port scans and attack attempts. This guide walks through the specific troubleshooting steps to diagnose and resolve TCP flags issues.

Before You Begin

Before you begin, be sure to have the following in place:

  • A Linux server with the relevant software installed
  • Access to the command line interface
  • Appropriate permissions (root or sudo)

Quick Fix

Wrong

iptables -A INPUT -p tcp --dport 22 -j ACCEPT (no flag checking)

Wrong: Accepting all TCP packets regardless of flags

iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT

Right: Only accepting SYN packets for new connections

Output

TCP flag rule added:\n  Match: SYN flag\n  Checked flags: SYN, ACK, FIN, RST\n  Port: 22

Prevention

To avoid future issues, follow these best practices:

  • Use --tcp-flags to specify which flags to check and which must be set
  • The format is --tcp-flags CHECKED_FLAGS SET_FLAGS
  • Detect port scans with --tcp-flags FIN,URG,PSH FIN,URG,PSH
  • Detect Xmas scans with --tcp-flags ALL FIN,URG,PSH
  • Detect NULL scans with --tcp-flags ALL NONE

DodaTech Tools

For further assistance with any of the above issues, consider using DodaTech consulting services or DodaTech tutorials for more in-depth guidance.

Common Mistakes with tcp flags

  1. Non-exhaustive pattern matches that compile with warnings then crash at runtime
  2. Misunderstanding that String is [Char] with poor performance for large text operations
  3. Using foldl instead of foldl' causing stack overflow on large lists

These mistakes appear frequently in real-world IPTABLES code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

How do I detect SYN flood attacks?|||Use hashlimit or limit with --syn flag and DROP to rate-limit SYN packets.
What is a NULL scan in iptables? A NULL scan has no TCP flags set. Detect with --tcp-flags ALL NONE and log/drop those packets.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro