
IP Fragmentation Is Broken - ausjke
https://blog.cloudflare.com/ip-fragmentation-is-broken/
======
LinuxBender
Nobody asked, but I will volunteer this regardless. I block ICMP and
fragmented packets on all my own servers and home router. I realize this
violates RFCs; I am doing it on purpose to minimize some shenanigans.

To block ICMP on Linux:

    iptables -t raw -I PREROUTING -i eth0 -p icmp -m icmp --icmp-type any -j DROP
    iptables -t raw -I OUTPUT -p icmp -m icmp --icmp-type any -j DROP

Block fragmented packets:

    iptables -t raw -I PREROUTING -i eth0 -f -j DROP

Block packets with a small or too big MSS (this stops a lot of poorly coded
scanners and hping defaults):

    iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m tcpmss ! --mss 540:65535 -j DROP

I've done this for well over a decade without issue. I also set all outbound
packets with a ToS code based on size. Not everyone respects this, but I cargo
cult as a hobby.

    iptables -t mangle -I OUTPUT -m length --length 321:65535 -j TOS --set-tos 0x04/0xff
    iptables -t mangle -I OUTPUT -m length --length 0:320 -j TOS --set-tos 0x10/0xff
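The rules in the comment above are easy to misread, so here is an added example (not part of the original post, and not LinuxBender's code) that models what each match actually tests against constructed IPv4 packets. The packet builders, addresses and the sample MSS values are made up; the matching semantics follow the netfilter matches as documented: `-f` matches only second-and-later fragments (fragment offset non-zero, so a first fragment with MF set still passes), `-m tcp` never matches a non-first fragment, and `-m tcpmss ! --mss` also matches a SYN that carries no MSS option at all.

```python
"""Offline model of the iptables rules quoted above, run on constructed packets."""
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
MSS_MIN, MSS_MAX = 540, 65535  # range from the tcpmss rule in the comment


def build_ipv4(proto, payload, more_fragments=False, frag_offset=0, tos=0):
    """Constructed 20-byte IPv4 header (no options) plus payload.
    frag_offset is in 8-byte units; checksum left zero (not needed here)."""
    total_len = 20 + len(payload)
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(flags, mss=None):
    """Constructed TCP header with an optional MSS option (kind 2, length 4)."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    doff = 5 + len(opts) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, flags,
                       65535, 0, 0) + opts


def parse_ipv4(pkt):
    """Pull out the fields the rules look at."""
    ihl = (pkt[0] & 0x0F) * 4
    tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BHHHBB", pkt[1:10])
    return {"proto": proto, "tos": tos, "total_len": total_len,
            "mf": bool(flags_frag & 0x2000), "frag_offset": flags_frag & 0x1FFF,
            "payload": pkt[ihl:]}


def tcp_mss(tcp):
    """Walk the TCP options; return the MSS value, or None if no MSS option is present."""
    doff = (tcp[12] >> 4) * 4
    opts = tcp[20:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(opts):   # truncated option
            break
        length = opts[i + 1]
        if kind == 2 and length == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += max(length, 1)
    return None


def dropping_rules(pkt):
    """Names of the comment's raw/PREROUTING rules that would DROP this inbound packet."""
    ip = parse_ipv4(pkt)
    hits = []
    if ip["proto"] == IPPROTO_ICMP:
        hits.append("icmp")
    # '-f' matches only second-and-later fragments: offset != 0.
    # A first fragment (offset 0, MF set) is NOT matched and passes this rule.
    if ip["frag_offset"] != 0:
        hits.append("fragment")
    # '-m tcp' only evaluates on non-fragments / first fragments.
    if ip["proto"] == IPPROTO_TCP and ip["frag_offset"] == 0:
        tcp = ip["payload"]
        masked = tcp[13] & (TCP_FIN | TCP_SYN | TCP_RST | TCP_ACK)
        if masked == TCP_SYN:                      # --tcp-flags FIN,SYN,RST,ACK SYN
            mss = tcp_mss(tcp)
            # '-m tcpmss ! --mss 540:65535': inverted match, and a SYN with no
            # MSS option is treated as a match too (xt_tcpmss returns the invert flag).
            if mss is None or not (MSS_MIN <= mss <= MSS_MAX):
                hits.append("tcpmss")
    return hits


def outbound_tos(pkt):
    """TOS byte the comment's mangle/OUTPUT rules would set, keyed on total length."""
    return 0x04 if parse_ipv4(pkt)["total_len"] >= 321 else 0x10


if __name__ == "__main__":
    samples = {
        "icmp echo":            build_ipv4(IPPROTO_ICMP, b"\x08\x00" + b"\x00" * 6),
        "syn mss 1460":         build_ipv4(IPPROTO_TCP, build_tcp(TCP_SYN, 1460)),
        "syn mss 536":          build_ipv4(IPPROTO_TCP, build_tcp(TCP_SYN, 536)),
        "syn without mss":      build_ipv4(IPPROTO_TCP, build_tcp(TCP_SYN)),
        "udp first fragment":   build_ipv4(IPPROTO_UDP, b"x" * 8, more_fragments=True),
        "udp second fragment":  build_ipv4(IPPROTO_UDP, b"x" * 8, frag_offset=185),
    }
    for name, pkt in samples.items():
        print(f"{name:22s} dropped by {dropping_rules(pkt) or 'nothing'}, "
              f"outbound TOS 0x{outbound_tos(pkt):02x}")
```

Running it shows the two edge cases worth knowing before copying the rules: the first fragment of a fragmented datagram is not touched by `-f`, and a bare SYN with no MSS option is dropped by the tcpmss rule.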
