Iptables Tutorial 1.1.

9

Página 1

Iptables Tutorial 1.1.9
Oskar Andreasson
blueflux@koffein.net

Copyright © 2001 by Oskar Andreasson

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all subsections, with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no BackCover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 of the License. These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License within this tutorial, under the section entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Table of Contents Introduction Why this document was written How it was written About the author Dedications Preparations Where to get iptables Kernel setup 1 userland setup Compiling the userland applications http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 2

Installation on Red Hat 7.1 How a rule is built Basics Tables Commands Matches Generic matches Implicit matches Explicit matches Targets/Jumps ACCEPT target DROP target QUEUE target RETURN target LOG target MARK target REJECT target TOS target MIRROR target SNAT target DNAT target MASQUERADE target REDIRECT target TTL target ULOG target Traversing of tables and chains General Mangle table 1 Nat table 2 Filter table rc.firewall file example rc.firewall explanation of rc.firewall Configuration options http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 3

Initial loading of extra modules proc set up Displacement of rules to different chains Setting up the different chains used INPUT chain The TCP allowed chain The ICMP chain The TCP chain The UDP chain OUTPUT chain FORWARD chain PREROUTING chain of the nat table Starting the Network Address Translation Example scripts rc.firewall.txt script structure The structure rc.firewall.txt rc.DMZ.firewall.txt rc.DHCP.firewall.txt 10. rc.UTIN.firewall.txt rc.test-iptables.txt rc.flush-iptables.txt Detailed explanations of special commands Listing your active ruleset Updating and flushing your tables Common problems and questionmarks Passive FTP but no DCC State NEW packets but no SYN bit set Internet Service Providers who use assigned IP addresses ICMP types Other resources and links Acknowledgements History GNU Free Documentation License 0. PREAMBLE 1. APPLICABILITY AND DEFINITIONS 2. VERBATIM COPYING http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 4

3. COPYING IN QUANTITY 4. MODIFICATIONS 1. 5. COMBINING DOCUMENTS 6. COLLECTIONS OF DOCUMENTS 7. AGGREGATION WITH INDEPENDENT WORKS 8. TRANSLATION 9. TERMINATION 10. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents GNU General Public License 0. Preamble 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. 2. How to Apply These Terms to Your New Programs Example scripts codebase Example rc.firewall script Example rc.DMZ.firewall script Example rc.UTIN.firewall script Example rc.DHCP.firewall script Example rc.flush-iptables script Example rc.test-iptables script

Introduction Why this document was written
Well, I found a big empty space in the HOWTO's out there lacking in information about the iptables and netfilter functions in the new Linux 2.4.x kernels. Among other things, I'm going to try to answer questions that some might have about the new possibilities like state matching. Is it possible to allow passive FTP to your server, but not allow outgoing DCC from IRC as an example? I will build this all up from an example rc.firewall.txt file that you can use in your /etc/rc.d/ scripts. Yes, this file was originally based upon the masquerading HOWTO for those of you who recognize it. Also, there's a small script that I wrote just in case you screw up as much as I did during the configuration available as rc.flush-iptables.txt.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 5

How it was written
I've placed questions to Marc Boucher and others from the core netfilter team. A big thanks going out to them for their work and for their help on this tutorial that I wrote and maintain for boingworld.com. This document will guide you through the setup process step by step, hopefully make you understand some more about the iptables package. I will base most of the stuff here on the example rc.firewall file since I find that example to be a good way to learn how to use iptables. I have decided to just follow the basic chains and from there go down into each and one of the chains traversed in each due order. This tutorial has turned a little bit harder to follow this way but at the same time it is more logical. Whenever you find something that's hard to understand, just consult this tutorial.

About the author
I'm someone with too many old computers on my hands, sitting with my own LAN and wanting them all to be connected to the Internet, at the same time having it fairly secure. The new iptables is a good upgrade from the old ipchains in this regard. Before, you could make a fairly secure network by dropping all incoming packages not destined to certain ports, but this would be a problem with things like passive FTP or outgoing DCC in IRC, which assigns ports on the server, tells the client about it, and then lets the client connect. There was some child diseases in the iptables code that I ran into in the beginning, and in some respects I found the code not quite ready for release in full production. Today, I'd recommend everyone who uses ipchains or even older ipfwadm etc to upgrade unless they're happy with what their current code is capable of and if it does what they need it to.

Dedications
First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She has supported me more than I ever can support her to any degree. I wish I could make you just as happy as you make me. Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who makes this wonderful operating system possible.

Preparations
This chapter is aimed at getting you started and to help you understand the role netfilter and iptables play in Linux today. This chapter should hopefully get you set up and finished to go with your experimentation and installation of a firewall which should hopefully run smoothly in the future.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Connection tracking is used by. If you need to firewall machines on a LAN you most definitely should mark this option. NAT and Masquerading. CONFIG_IP_NF_MATCH_LIMIT . You won't be able to do anything to be pretty honest. Since FTP connections are quite hard to do connection tracking on in normal cases conntrack needs a so called helper. you need to set up the proper configuration options in your kernel. If you don't add this module you won't be able to FTP through a firewall or gateway properly. It adds the whole iptables identification framework to kernel. And of course you need to add the proper drivers for your interfaces to work properly.4. masquerading or NAT. In other words.txt to work.firewall.html 21:25:51 10/06/2002 . -m limit --limit 3/minute would match a maximum of 3 packets per minute.This module isn't exactly required but it's used in the example rc. Kernel setup To run the pure basics of iptables you need to configure the following options into the kernel while doing make config or one of it's related commands: CONFIG_PACKET . http://people.This option is required if you're going to use your computer as a firewall or gateway to the internet. If you want to use the more advanced options in IPTables. ie. this module is required by the rc. The necessary pieces will be discussed a bit further down in this document. CONFIG_IP_NF_IPTABLES .unix-fu. For example.This module is required if you want to do connection tracking on FTP connections.1. this option compiles the helper. that adds the possibility to control how many packets per minute that's supposed to be matched with a certain rule. The iptables package also makes use of kernel space facilities which can be configured into the kernel during make configure.9 Página 6 Where to get iptables The iptables userspace package can be downloaded from the netfilter homepage.org/andreasson/iptables-tutorial/iptables-tutorial. CONFIG_NETFILTER . This option provides the LIMIT match. it just adds the framework to the kernel. This module can also be used to avoid certain Denial of Service attacks. An example would be tcpdump or snort. this is most definitely required if for anything in this tutorial to work at all.Iptables Tutorial 1. Ethernet adapter.This option allows applications and programs that needs to work directly to certain network devices. Here we will show you the options available in a basic 2. PPP and SLIP interfaces.9 kernel and a brief explanation : CONFIG_IP_NF_CONNTRACK . For example. among other things.txt. The above will only add some of the pure basics in iptables.This option is required if you want do any kind of filtering.This module is needed to make connection tracking.firewall. Without this you won't be able to do anything at all with iptables. CONFIG_IP_NF_FTP . I assume you'll want this since you're reading this at all.

CONFIG_IP_NF_MATCH_OWNER .This target allows us to specify that an ICMP error message should be sent in reply to incoming packets instead of plainly dropping them dead to the floor. CONFIG_IP_NF_FILTER . CONFIG_IP_NF_MATCH_MARK . This module was originally just written as an example on what could be done with the new iptables. CONFIG_IP_NF_TARGET_REJECT .With this match we can match packets based on their TOS field.firewall. TCP. if we set up a MIRROR target on destination port HTTP on our INPUT chain and someone tries to access this port we would plainly bounce his packets back to himself and finally he would see his own homepage. This module is required if you plan to do any kind of filtering on packets that you receive and send. Mind you that TCP connections are always reset or refused with a TCP RST packet.unix-fu. UDP and ICMP packets that looks strange or are invalid. if we use the target MARK we could mark a packet and then depending on if this packet is marked further on in the table. and further down we will describe the actual target MARK. TOS can also be set by certain rules in the mangle table and via the ip/tc commands. This module is used extensively in the rc. CONFIG_IP_NF_TARGET_MIRROR .This module will add the basic filter table which will enable you to do basic filtering. CONFIG_IP_NF_MATCH_MULTIPORT .9 Página 7 CONFIG_IP_NF_MATCH_MAC . http://people.firewall. In the filter table you'll find the INPUT.This allows us to use a MARK match. TOS stands for Type Of Service. Normally this wouldn't be possible. Every Ethernet adapter has it's own MAC address. CONFIG_IP_NF_MATCH_STATE . FORWARD and OUTPUT chains. CONFIG_IP_NF_MATCH_UNCLEAN .html 21:25:51 10/06/2002 .This allows packets to be bounced back to the sender of the packet.txt example or anywhere else. we can match based on this mark.This option will add the possibility for us to do matching based on the owner of a socket.This option adds the possibility for us to match TCP packets based on their MSS field. but we never know if they are legitimate or not. We don't use this option in the rc.This allows us to match packets based on MAC addresses.This is one of the biggest news in comparison to ipchains. For example. For example.org/andreasson/iptables-tutorial/iptables-tutorial. For example.This module will add the possibility for us to match IP. if we've already seen trafic in two directions in a TCP connection.txt example. Note that this match is still experimental and might not work perfectly in all cases. this packet will be counted as ESTABLISHED. We could for example drop these packets. For example. This option is the actual match MARK. but with this match it is. CONFIG_IP_NF_MATCH_TCPMSS . CONFIG_IP_NF_MATCH_TOS . we can allow only the user root to have Internet access.Iptables Tutorial 1. We could for instance block packets based on what MAC address used and block a certain computer pretty well since the MAC address don't change. With this module we can do stateful matching on packets. Note that this match is still experimental and might not work for everyone.1.This module allows us to match packets with a whole range of destination ports or source ports.

but mostly is. Do absolutely not look at this as a real long term solution. Hence.Adds a compatibility mode with the old ipchains. You will need the following options compiled into your kernel.firewall.1.2 kernels to 2. CONFIG_IP_NF_COMPAT_IPCHAINS .4 kernels since it may well be gone with kernel 2. For instance if we don't know what IP we have to the Internet this would be the preferred way of getting the IP instead of using DNAT or SNAT. or NAT. We can then use the TCPMSS target to overcome this by clamping our MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit). and most definitely on your network if you do not have the ability to add unique IP addresses as specified above. look at the example firewall scripts section. CONFIG_IP_NF_TARGET_LOG . Instead of letting a packet pass right through. These are only the options available in a vanilla Linux 2. This way. Note that this option is is not required for firewalling and masquerading of a LAN. PPP.Compatibility mode with old ipfwadm.6. In other words. In other words. in it's different forms. CONFIG_IP_NF_COMPAT_IPFWADM . etcetera.unix-fu. http://people. or as modules.This adds the LOG target to iptables and the functionality of it. As you can see.9 Página 8 CONFIG_IP_NF_NAT . This may be for various reasons such as the patch not being stable yet.9 kernel.4. ssh works but scp dies after handshake. this option is required for the example rc.txt script to work. to Linus Torvalds being unable to keep up or not wanting to let the patch in to the mainstream kernel yet since it is still experimental. there is a heap of options. we have the possibility to make a transparent proxy this way.This module allows network address translation. If you need help with the options that the other scripts needs. CONFIG_IP_NF_TARGET_REDIRECT . for the rc. I have briefly explained what kind of extra behaviours you can expect from each module here. we need to use this target instead of SNAT.org/andreasson/iptables-tutorial/iptables-tutorial. we remap them to go to our local box instead. CONFIG_IP_NF_TARGET_TCPMSS . POM fixes are additions that are supposed to be added in the kernel in the future but has not quite reached the kernel yet. We can use this module to log certain packets to syslogd and hense see the packet further on.txt to work properly. Masquerading gives a slightly higher load on the computer than NAT does.This target is useful together with proxies for example. if we use DHCP. small mails getting through while larger mails don't get through. With this option we can do port forwarding. but has not quite made it in yet. CONFIG_IP_NF_TARGET_MASQUERADE . I suggest you look at the patch-o-matic functions in netfilter userland which will add heaps of other options in the kernel. we'll be able to handle what the authors of netfilter themself call "criminally braindead ISPs or servers" in the kernel configuration help. This could be useful for forensics or debugging a script you're writing. Do not look at this as any real long term solution for solving migration from Linux 2.This module adds the MASQUERADE target. If you would like to get a look at more options.html 21:25:51 10/06/2002 .Iptables Tutorial 1.firewall. These functions should be added in the future. SLIP or some other connection that dynamically assigns us an IP. masquerading etc. This can result in webpages not getting through. unless you are able to provide unique IP addresses for all hosts. but will work without us knowing the IP in advance.This option can be used to overcome Internet Service Providers and servers who block ICMP Fragmentation Needed packets.

3. However.unix-fu.Iptables Tutorial 1. one of these are Red Hat 7.2. http://people. lets try to stay focused on the main script which you should be studying now. For more information read the iptables-1.3/INSTALL file which contains pretty good information on compiling and getting the program to run.1. userland setup First of all. Here. this may not work with older versions of tar). Hopefully the package should now be unpacked properly into a directory named iptables-1. In the other example scripts I will explain what requirements they have in their respective section.tar.firewall.html 21:25:51 10/06/2002 . This compilation goes quite a lot hand in hand with the kernel configuration and compilation so you are aware of this.9 kernel. However.txt script.bz2 | tar -xvf .2.4. and other distributions further on in this chapter Compiling the userland applications First of all unpack the iptables package.3.3.tar.bz2. using bzip2 -cd iptables-1. we have used the iptables 1. let's look at how we compile the iptables package. We will check closer on how to enable it on this.2.3 package and a vanilla 2.1 it is disabled per default.1. which should do pretty much the same as the first command. Unpack as usual. in Red Hat 7.2.org/andreasson/iptables-tutorial/iptables-tutorial.(this can also be accomplished with the tar -xjvf iptables-1. For now.2.9 Página 9 CONFIG_PACKET CONFIG_NETFILTER CONFIG_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE The above will be required at the very least for the rc. Certain distributions comes with the iptables package preinstalled.

there are some even more experimental patches further along. there is the option to install extra modules and options etcetera to the kernel.Iptables Tutorial 1. because that's what these commands actually do.9 Página 10 After this.org/andreasson/iptables-tutorial/iptables-tutorial. To be able to install all of the patch-o-matic stuff you will need to run the following command: make patch-o-matic KERNEL_DIR=/usr/src/linux/ Don't forget to read the help for each patch thoroughly before doing anything.The step described here will only check patches that are pending for inclusion to the kernel. you may either compile a new kernel making use of the new patches that you have added to the source.unix-fu. but still skip the most extreme patches that might cause havoc in your kernel.1. This only asks about certain patches that are just about to enter the kernel anyways. However. To do this step we do something like this from the root of the iptables package: make pending-patches KERNEL_DIR=/usr/src/linux/ The variable KERNEL_DIR should point to the actual place that your kernel source is located at. Some patches will destroy other patches while others may destroy your kernel if used together with some patches from patch-o-matic etc. http://people. They ask you before anything is changed in the kernel source. but is a bit further away from actually getting there. which may only be available when you do some other steps. it is in other words not necessary to do the above. Normally this should be /usr/src/linux/ but this may vary. However. One way to install these are by doing the following: make most-of-pom KERNEL_DIR=/usr/src/linux/ The above command would ask about installing parts of what in netfilter world is called patch-omatic. Don't forget to configure the kernel again since the new patches probably are not added to the configured options and so on. Note that we say ask. You may totally ignore the above steps if you don't want to patch your kernel.html 21:25:51 10/06/2002 . Some of these are highly experimental and may not be a very good idea to install. there are some really interesting things in the patch-o-matic that you may want to look at so there's nothing bad in just running the commands and see what they contain. though. there are heaps of extremely interesting matches and targets in this installation step so don't be afraid of at least looking at them. You may wait with the kernel compilation until after the compilation of the userland program iptables if you feel like it. There might be more patches and additions that the developers of netfilter are about to add to the kernel. and most probably you will know yourself where the kernel source is available. After this you are finished doing the patch-o-matic parts of installation.

unix-fu. Annoying to say the least. if not. First of all you will need to turn off the ipchains modules so it won't start in the future. or to not run it if it was not previously started. However. By changing this to K we tell it to Kill the service instead. For more information about installing the userland applications from source. Installation on Red Hat 7.1 installation today comes with an utterly old version of the userspace applications so you might want to compile a new version of the applications as well as install a new and homecompiled kernel before fully exploiting iptables. to stop the service from actually running right now we need to run another command. they have disabled the whole thing by using the backwards compatible ipchains module. Now the service won't be started in the future. you're ready to install the binaries by now.x kernel that has netfilter and iptables compiled in. To compile iptables you issue a simple command that looks like this: make KERNEL_DIR=/usr/src/linux/ The userland application should now compile properly. check the INSTALL file in the source which contains excellent information on the subject of installation. and a lot of people are asking different mailing lists why iptables don't work.1 comes preinstalled with a 2. The following command should do it: chkconfig --level 0123456 ipchains off By doing this we move all the soft links that points to the real script to K92ipchains. We would then issue http://people. So. you would issue the following command to install them: make install KERNEL_DIR=/usr/src/linux/ Hopefully everything should work in the program now. It also contains all the basic userland programs and configuration files that is needed to run it. To do this.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. you're on your own. try to think logically about it and find out what's wrong or get someone to help you.1 Red Hat 7.d/ directory-structure. To do this. let's take a brief look at how to turn the module off and how to install iptables instead. The first letter which per default would be S tells the initscripts to start the script. There is a few things that might go wrong with the installation of iptables so don't panic if it won't work.9 Página 11 Continue by compiling the iptables userland application.Iptables Tutorial 1. or possibly try the netfilter mailing list who might help you with your problems.1.4. however. This is the service command which can be used to work on currently running services. If everything has worked smoothly. you will need to change some filenames in the /etc/rc. To use any of the changes in the iptables userland applications you should definitely recompile and reinstall your kernel by now if you haven't done so before. The default Red Hat 7.

It may also be erased by updating from the iptables RPM package.Iptables Tutorial 1.d scripts.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 12 the following command to stop the ipchains service: service ipchains stop Finally. for example. we need to know which runlevels we want it to run in. or when we are entering a runlevel that don't require iptables to run. don't forget to check out the restart section and condrestart. 5. 3 and 5. when you need to fix a screwed up box. 3 and 5. To activate the iptables service.d/init. and don't forget to experiment a bit.d/iptables script. If you'd like the iptables service to run in some other runlevel you would have to issue the same command in those. Normally this would be in runlevel 2.d script. use the iptables-save command. First of all. that will meet your requirements. there is two common ways. ie. don't forget to edit a the stop) section either which tells the script what to do when the computer is going down for example. This would have the bad effect that the rules would be deleted if you updated the iptables package by RPM. you chould edit the /etc/rc. Multiuser without NFS or the same as 3 if there is no networking.d script to restore the ruleset in the future. 3.1 box. ie. if you add the rules under the start) section don't forget to stop the start() function from running in the start) section. none of the other runlevels should be used. to start the iptables service. Red Hat Network automatically updating your packages. Full multiuser mode. However. First of all. the normal runlevel to run in.html 21:25:51 10/06/2002 . you add them under the start) section. These runlevels are used for the following things: 2. First of all. and level 6 is for shutting the computer down. This file is automatically used by the iptables rc. To add rules that should be run when the computer starts the service. This is used if you automatically boot into Xwindows.unix-fu. To add rules to an Red Hat 7. Note that this set up may be automatically erased if you have. make and write a ruleset in a file. To make iptables run in these runlevels we would do the following commands: chkconfig --level 235 iptables on The above commands would in other words make the iptables service run in runlevel 2. When you find a set up that works without problems or bugs as you can see. there is no rules in the iptables script. First we will describe the possibility of doing the set up by cut and paste to the iptables init. or in the start() function. Level 4 should be unused. The other way would be to load the ruleset and then save them with the iptables-save command and then have it loaded automatically by the rc. Note. You could either use it normally. Also. Level 1 is for single user mode. Also. or directly with iptables. such as iptables-save > /etc/ sysconfig/iptables which would save the ruleset to the file /etc/sysconfig/iptables.1. so you should not really need to activate it for those runlevels. The second way of doing the set up would require the following steps to be taken. X11. The other way to save the script would be to use service iptables save which would save the script http://people. we just run the following command: service iptables start Of course.

This step is only necessary if you will install iptables from the source package. To do the deinstallation.d script will use the command iptables-restore to restore the ruleset from the save-file /etc/sysconfig/ iptables. How a rule is built This chapter will discuss in legth how to build your rules. instruction. or matches. or jump. new subchains). do as follows: rpm -e iptables And of course. you would do this normally to get a better readability. None of the old binaries. we have used this way of writing rules since it is the most usual way of writing them. Basics As we've already explained each rule is a line that the kernel looks at to find out what to do with a packet. If all the criterias. we perform the target. When all of these steps are finished we can deinstall the currently installed ipchains and iptables packages. Each line you write that's inserted to a chain should be considered a rule. A rule could be described as the pure rules the firewall will follow when blocking different connections and packets in each chain.org/andreasson/iptables-tutorial/iptables-tutorial. It's not unusual that the new and the old package get's mixed up since the rpm based installation installs the package in non-standard places and won't get overwritten by the installation for the new iptables package. if you read someone elses script you'll most likely recognise the way of writing a rule and understand it quickly. etc: rpm -e ipchains After all this is done you are finished to update the iptables package from source according to the source installation instructions. When you reboot the computer in the future. are met. We will also discuss the basic matches that str available and how to use them as well as the different targets and how we can make new targets to use (ie.html 21:25:51 10/06/2002 . http://people. Also. however. Do not intermix this and the previous set up instruction since they may heavily damage eachother and render each and one useless. why keep ipchains lying around when it is of no use? That is done the same way as with the old iptables binaries. Normally we would write a rule something like this: iptables [-t table] command [match] [target/jump] There is nothing that says that the target instruction must be last in the line. libraries or include files etc should be lying around any more.unix-fu. We do this since we don't want the system to mix up the new iptables userland application with the old preinstalled iptables applications.1.9 Página 13 automatically to this file.Iptables Tutorial 1. the iptables rc. Hence.

However. for example to insert a rule or to add a rule to the end of the chain. There is a heap of different matches that we can use that we will look closer at further on in this chapter. but instead they will automatically have the same actions taken to them as the first packet in the stream. One thing to think about though. Finally we have the target of the packet. it is more or less standard to put the table specification at the beginning of the commandline. Per default. as we will discuss more in length further on. it is not necessary to specify it explicitly all the time since iptables per default uses the filter table to implement your commands on. If all the matches are met for a packet we tell the kernel to perform this action on the packet. This tells the iptables command what to do.org/andreasson/iptables-tutorial/iptables-tutorial. Note that OUTPUT is currently broken. or we could tell kernel to send a specified reply to be sent back. Tables The -t option specifies which table to use. We could tell the kernel to send the packet to another chain that we create ourself. It could be set pretty much anywhere in the rule. The OUTPUT chain is used for altering locally generated packets (ie. on the firewall) before they get to the routing decision. As with the rest of the content in this section. Finally we have the POSTROUTING chain which is used to alter packets just as they are about to leave the firewall. in case they are supposed to have those actions taken on them. The following options are available to the -t command: Table 1.Iptables Tutorial 1. http://people. we presume. The rest of the packets in the same stream are automatically NAT'ed or Masqueraded etc. or to delete a rule. or directly after the table specification. we'll look closer at them further on in the chapter.1. We will enter this a bit further on. however. the filter table is used. We use this first variable to tell the program what to do. or which network interface the packet must come from etc.9 Página 14 If you want to use another table than the standard table. We could specify what IP address the packet must come from. Tables Table nat Explanation The nat table is used mainly for Network Address Translation. The rest of the packets in the stream will in other words not go through this table again. Packets in a stream only traverse this table once.html 21:25:51 10/06/2002 . The PREROUTING chain is used to alter packets as soon as they get in to the firewall. This is one reason why you should not do any filtering in this table. We could tell the kernel to drop this packet dead and do no further processing. It is not required to put the table specification at this location. either.unix-fu. The match is the part which we send to the kernel that says what a packet must look like to be matched. which must be part of this table. The first packet of a stream is allowed. the command should always be first. you could insert the table specification where [table] is specified.

The table consists of two built in chains. The command tells iptables what to do with the rest of the commandline that we send to the program.html 21:25:51 10/06/2002 . PREROUTING is used for altering packets just as they enter the firewall and before they hit the routing decision. TOS or MARK. Note that mangle can not be used for any kind of Network Address Translation or Masquerading. Normally we want to either add or delete something to some table or another.. The rule will will in other words always be put last in the ruleset in comparison to previously added rules. http://people. but a mark for the packet is set in kernelspace which other rules or programs might use further on in the firewall to filter or do advanced routing on with tc as an example.. For example. ACCEPT or REJECT packets without problems as in the other tables. This command appends the rule to the end of the chain. and you should know what to use each chain for. LOG. in other words). The following commands are available to iptables: Table 2. INPUT is used on all packets that are destined for our local host (the firewall) and OUTPUT is finally used for all locally generated packets. There are three chain built in to this table.org/andreasson/iptables-tutorial/iptables-tutorial. filter The listing above has hopefully explained the basics about the three different tables that are available. The filter table should be used for filtering packets generally. Note that the MARK is not really a change to the packet. Commands In this section we will bring up all the different commands and what can be done with them. Examples of this would be to change the TTL. --append iptables -A INPUT . Commands Command Example Explanation -A. unless you append or insert more rules later on. and hence be checked last. the nat table was made for these kinds of operations. We will discuss the tables and chains more in the Traversing of tables and chains chapter.9 Página 15 mangle This table is used mainly for mangling packets.unix-fu.Iptables Tutorial 1. They should be used for totally different things. the PREROUTING and OUTPUT chains. OUTPUT is used for changing and altering locally generated packets before they enter the routing decision. we could DROP. If you do not understand their usage you may well fall into a pit once someone finds the hole you have unknowingly placed in the firewall yourself. We could change different packets and how their headers look among other things.1. The first one is named FORWARD and is used on all non-locally generated packets that are not destined for our localhost (the firewall.

9 Página 16 -D.Iptables Tutorial 1. see the Tables section). In the last case.1. the command would list all the chains in the specified table (To specify a table. etcetera.168. -R. The command can be used without options. This could be done in two ways. it will replace it with a new entry. -I. you have probably seen the packet counter in the beginning of each field. If you use the second way. The exact output is affected by other options sent to the program.org/andreasson/iptables-tutorial/iptables-tutorial. they must match totally to the entry in the chain. -L.html 21:25:51 10/06/2002 . but instead of totally deleting the entry. It works in the same way as the --delete command. --zero iptables -Z INPUT This command tells the program to zero all counters in a specific chain or in all chains. -Z. --delete iptables -D INPUT --dport 80 -j DROP. --new-chain iptables -N allowed http://people. for example the -n and -v options. In the above case. To zero this packet counter. --insert iptables -I INPUT 1 --dport 80 -j ACCEPT Insert a rule somewhere in a chain. the above example would be inserted at place 1 in the INPUT chain. It's also legal to not specify any chain at all.unix-fu. either by specifying a rule to match with the -D option (as in the first example) or by specifying the rule number that we want to match. and will then delete all rules in all chains within the specified table. --replace iptables -R INPUT 1 -s 192. If you have used the -v option with the -L command. --flush iptables -F INPUT This command flushes the specified chain from all rules and is equivalent to deleting each rule one by one but is quite a bit faster. and hence it would be the absolutely first rule in the chain from now on. This might be good while experimenting with iptables mainly. we would list all the entries in the INPUT chain.1 -j DROP This command replaces the old entry at the specified line. If -L and -Z is used together (which is legal). the rules are numbered from the top of each chain.0. the chains will first be listed. -F. -N. If you use the first way of deleting rules. iptables -D INPUT 1 This command deletes a rule in a chain. In other words. --list iptables -L INPUT This command lists all the entries in the specified chain. This option works the same as -L except that -Z won't list the rules. use the -Z option. The rule is inserted at the actual number that we give. and then the packet counters are zeroised. and the top rule is number 1.

change the name of the chain from allowed to disallowed. Note that this will not affect the actual way the table will work. A command should always be specified. --policy iptables -P INPUT DROP This command tells the kernel to set a specified default target.1.org/andreasson/iptables-tutorial/iptables-tutorial. --verbose --list. Here comes a few options that can be used together with a few different commands.9 Página 17 This command tells the kernel to create a new chain by the specified name in the specified table. If this command is used without any options. use the -v option and to get the help message. in other words. All packets that don't match any rule will then be forced to use the policy of the chain. rule options and TOS masks. unless you just want to list the built-in help for iptables or get the version of the command. Legal targets are: DROP.000. use the -h option. To overcome this and to get exact output.000) multipliers. there must be no rules that are referring to the chain that is to be deleted.html 21:25:51 10/06/2002 . It is. -X. all chains that are not built in will be deleted from the specified table. you http://people. To get the version. In the above example we create a chain called allowed. In the example above we would. mail me if so) -E. to the second name. Note that there must be no target of the same name previously to creating it.Iptables Tutorial 1. --replace This command shows a verbose output and is mainly used together with the --list command. Note that we tell you with which commands the options can be used and what effect they will have. --delete-chain iptables -X allowed This command deletes the specified chain from the table. ACCEPT and REJECT (There might be more. or policy. The --list command will also include a bytes and packet counter for each rule if the --verbose option is set. Options Option Commands used with Explanation -v. For this command to work. As usual. in other words. If used together with the --list command it makes the output from the command include the interface address. in other words. In other words. --delete. on a chain. --rename-chain iptables -E allowed disallowed The -E command tells iptables to rename the first name of a chain. you would have to replace or delete all rules referring to the chain before actually deleting the chain. M (x1.unix-fu. -P. --append. Table 3.000. just a cosmetic change to the table. The matches and targets are instead looked upon in a later section of this chapter. These counters uses the K (x1000). --insert.000) and G (x1.000. Also note that we do not tell you any options here that is only used to affect rules and matches.

--modprobe All The --modprobe option is used to tell iptables which command to use when probing for modules to the kernel.unix-fu. This option overrides the default of resolving all numerics to hosts and names if possible. The output from --list will in other words not contain the K. Each rule is numbered together with this option and it might be easier to know which rule has which number when you're going to insert rules. -c.Iptables Tutorial 1. --insert. -x. which would tell the kernel to set the packet counter to 20 and byte counter to 4000.9 Página 18 could use the -x option described later. The syntax would be something like --setcounters 20 4000. If this option is used with the --append. This option is only applicable to the --list command. --line-numbers --list The --line-numbers command is used to output line numbers together with the --list command. Matches This section will talk a bit more about the matches. We can then use the option to initialize the packets and bytes counters of the rule. Instead we will get an exact output of how many packets and bytes that has matched the rule in question from the packets and bytes counters. the program will output detailed information on what happens to the rules and if it was inserted correctly etcetera. Note that this option is only usable in the -list command and isn't really relevant for any of the other commands. Then we have the TCP matches which can only be applied to TCP packets. --exact --list This option expands the numerics. I've chosen to split down the matches into five different subcategories here. --replace This option is used when creating a rule in some way or modifying it. We have UDP matches which can only be applied to UDP packets and ICMP matches which can only be http://people. --numeric --list This option tells iptables to output numerical values. -n. This option can be used with all commands.html 21:25:51 10/06/2002 . --append. It could be used if your modprobe command is not somewhere in the searchpath etc. network names or application names. First of all we have the generic matches which are generic and can be used in all rules. This option only works with the --list command. IP addresses and port numbers will be printed by using their numerical values and not hostnames. --set-counters --insert.org/andreasson/iptables-tutorial/iptables-tutorial. In such cases it might be necessary to specify this option so the program knows what to do in case a needed module is not loaded. M or G multipliers. --delete or --replace commands.1.

The line would then look something like. --protocol is in itself a match. --source iptables -A INPUT -s 192. The protocol may also take a numeric value. The following matches are always available.1.0/24.168. we need to use the --protocol match and send TCP as an option to the match. These final matches has in turn been split down to even more subcategories even though they might not necessarily be different matches at all.1 This is the source match which is used to match packets based on their source IP address. The main form can be used to match single IP addresses such as 192.168.1. Finally. It could be used with a netmask in a bits form.9 Página 19 used on ICMP packets. This would match all packets in the 192. We could also inverse the match with an ! just as before.1. such as udp. 192. No special parameters are in other words needed to load these matches at all. The command may also take a comma delimited list of protocols.Iptables Tutorial 1. If this match is given the numeric value of zero (0). --protocol iptables -A INPUT -p tcp This match is used to check for certain protocols. This means that we could for example add /24 to use a 255. as well as ALL.0 netmask.1.0/255. it means ALL protocols.html 21:25:51 10/06/2002 . which means to match all of the previous protocols. the program knows about all the protocols in the /etc/protocols file as we already explained.255. such as our local networks or network segments behind the firewall.255 form (ie. We could then match whole IP ranges. Generic matches Command Example Explanation -p.0. Generic matches This section will deal with Generic matches. However. 192. I have also added the -protocol match here.255.255. too. Table 4. owner and limit matches and so on. UDP and ICMP. and the other way is to only specify the number of ones (1's) on the left side of the network mask. First of all the protocol match can take one of the three aforementioned protocols. Finally we have special matches such as the state. so --protocol ! tcp would mean to match the ICMP and UDP protocols. I hope this is a reasonable breakdown and that all people out there can understand this breakdown. Examples of protocols are TCP. --src. If we would in other words use a match in the form of --source ! http://people. even though it is needed to use some protocol specific matches.x range.255.168. This list can vary a bit at the same time since it uses the /etc/protocols if it can not recognise the protocol itself. -s. which in turn is the default behaviour in case the --protocol match is not used.tcp which would match all UDP and TCP packets. if we want to use an TCP match. One way is to do it with an regular netmask in the 255. For example. for example.org/andreasson/iptables-tutorial/iptables-tutorial. A generic match is a kind of match that is always available whatever kind of protocol we are working on or whatever match extensions we have loaded.unix-fu.168. This match can also be inversed with the ! sign. such as 255 which would mean the RAW IP protocol.0).0.0. since it can be used to match specific protocols.168.255.255.

0 or like 192. --destination iptables -A INPUT -d 192.1 would in other words match all packets except those not destined to the 192. -d. --dst. http://people. fragments.0/24 and both would be equivalent to each other.255.168.Iptables Tutorial 1. The default behaviour of this match. it works pretty much the same as the --in-interface match. FORWARD and PREROUTING chains and will render an error message when used anywhere else. We also match all packets that has not been fragmented during the transfer. like this ! -f.0.0. there is no way to tell the source or destination ports of the fragments. and hence this match was created.255.1. nor ICMP types.1 The --destination match is used to match packets based on their destination address or addresses. we can add a netmask either in the exact netmask form.1. A single + would in other words tell the kernel to match all packets without considering which interface it came in on. -i. and not the second.0. It would then look like either 192. regardless of where the packet is going. The line would then have a syntax looking something like -i ! eth0. -f. When this match is inversed. It works pretty much the same as the --source match and has the same syntax. This option can also be used in conjunction with the ! sign.9 Página 20 192.168. -o.168. --out-interface iptables -A FORWARD -o eth0 The --out-interface match is used to match packets depending on which interface they are leaving on.1 IP address. is to assume a string value of +.x range.html 21:25:51 10/06/2002 . Of course. in this case the ! sign must precede the match. however. which would mean to match all incoming interfaces. --in-interface iptables -A INPUT -i eth0 This match is used to match based on which interface the packet came in on. --fragment iptables -A INPUT -f This match is used to match the second and third part of a fragmented packet. To match an IP range. except that it matches based on where the packets are going. Other than this. among other things. or in the number of ones (1's) counted from the left side of the netmask bits. in case the match is not specified.0/255. To inverse the meaning of the match. Note that this option is only legal in the INPUT. What this means is that we match all the first fragments of a fragmented packets. Also. --destination ! 192. The reason for this is that in the case of fragmented packets.168.168. third. you can use the ! sign in exactly the same sense as in the --in-interface match. Such fragments of packets will not be matched by other rules when they look like this. Note that this match is only available in the OUTPUT. The + value is used to match a string of letters and numbers. The default is to match all IP addresses. except eth0. the default behaviour if this match is left out is to match all devices. and so on.168.168.0. fragmented packets might in rather special cases be used to compile attacks against computers. in opposite of the --in-interface match. We can also invert the meaning of this option with the help of the ! sign. just as before. FORWARD and POSTROUTING chains.0.unix-fu. The + extension is understood so you can match all eth devices with eth+ and so on.0. We could also invert the whole match with an ! sign. we match all head fragments and/or unfragmented packets.0/24 we would match all packets with a source address not coming from within the 192.org/andreasson/iptables-tutorial/iptables-tutorial. The + string can also be used at the end of an interface. and eth+ would in other words match all ethernet devices.

it could be a little bit harder to read in case you specify the numeric value. the entry of the rule will be slightly faster since iptables don't have to check up the service name. To use these matches you need to specify --protocol tcp on the command line before trying to use these matches. This example would match all source ports between 22 and 80.1. and UDP based matches contain another set of matches that are available only for UDP packets. Implicit matches This section will describe the matches that are loaded implicitly. however. If we omit the first port specification.org/andreasson/iptables-tutorial/iptables-tutorial. Table 5. The other matches will be looked over in the continuation of this section. TCP matches Match Example Explanation --sport. If we would write --source-port 22: we would in turn get a port specification that tells us to match all ports from http://people. These are TCP matches. UDP matches and ICMP matches.unix-fu. If you specify the port by port number. after the TCP match section. And if the last port specification is omitted. port 65535 is assumed. in case you use connection tracking you will not see any defragmented packets since they are dealt with before hitting any chain or table in iptables. Implicit matches are loaded automatically when we tell iptables that this rule will match for example TCP packets with the -protocol match. --source-port :80 would then match port 0 through 80. The --source-port match can also be used to match a whole range of ports in this fashion --source-port 22:80 for example. Note that the --protocol tcp match must be to the left of the protocol specific matches. These matches are loaded implicitly in a sense. If you are writing a ruleset consisting of a 200 rules or more. The TCP based matches contain a set of different matches that are available for only TCP packets. As a secondary note. this could make as much as 10 seconds if you are running a large ruleset consisting of 1000 rules or so). If you specify a service name. --source-port iptables -A INPUT -p tcp --sport 22 The --source-port match is used to match packets based on their source port. There are currently three types of implicit matches that are loaded automatically for three different protocols. just as the UDP and ICMP matches are loaded implicitly.Iptables Tutorial 1.html 21:25:51 10/06/2002 . the service name must be in the /etc/services file since iptables uses this file to look up the service name in. TCP matches These matches are protocol specific and are only available when working with TCP packets and streams. the port 0 is assumed to be the one we mean.9 Página 21 Also note that there are defragmentation options within the kernel that can be used which are really good. There is also explicitly loaded matches that you must load explicitly with the m or --match option which we will go through later on in the next section. and the same thing for ICMP packets. This match can either take a service name or a port number. you should definitely do this by port numbers since you will be able to notice the difference(On a slow box.

unix-fu. ! --syn.ACK. as well as inversions. In other words. The match will also assume the values of 0 or 65535 if the high or low port is left out in a port range specification. hack a legit service and then make a program or such make the connect to you instead of setting up an open port on your host). This command would in other words be exactly the same as the --tcp-flags SYN.FIN SYN match. The correct syntax could be seen in the example above. way. For more information about this. --dport. exactly the same as --source-port in syntax. --syn iptables -p tcp --syn The --syn match is more or less an old relic from the ipchains days and is still there out of compatibility reasons. ALL means to use all flags and NONE means to use no flags for the option it is set. ALL and NONE is pretty much self describing. you should have effectively blocked all incoming connection attempts.html 21:25:51 10/06/2002 .1. RST. however. For more information about this. ACK. It does also reverse high and low ports in a port range specification if the high port went into the first spot and the low port into the last spot. http://people. This match can also be inverted with the ! sign in this. Note that this match does not handle multiple separated ports and port ranges. Such packets are used to request new TCP connections from a server mainly. FIN. iptables automatically reverses the inversion. Both lists should be comma-delimited.org/andreasson/iptables-tutorial/iptables-tutorial. It understands port and port range specifications. It uses exactly the same syntax as the --source-port match. --tcp-flags iptables -p tcp --tcp-flags SYN. The inversion could also be used together with a port range and would then look like --source-port ! 22:80. We could also invert a match by adding a ! sign like --source-port ! 22 which would mean that we want to match all ports but port 22. Also note that the comma delimitation should not include spaces.ACK. and for ease of traversing from one to the other. PSH flags but it also recognizes the words ALL and NONE. Note that this match does not handle multiple separated ports and port ranges. This option can also be inverted with the ! sign. look at the multiport match extension.Iptables Tutorial 1. If we inversed the port specification in the port range so the highest port would be first and the lowest would be last. The match knows about the SYN. --destination-port iptables -A INPUT -p tcp --dport 22 This match is used to match TCP packets depending on its destination port.9 Página 22 port 22 through port 65535. This match is used to match packets if they have the SYN bit set and the ACK and FIN bits unset. -tcp-flags ALL NONE would in other words mean to check all of the TCP flags and match if none of the flags are set. look at the multiport match extension. which in turn would mean that we want to match all ports but port 22 through 80. URG. or turned on. If you block these packets. First of all the match takes a list of flags to compare (a mask) and second it takes list of flags that should be set to 1. you will not have blocked the outgoing connections which a lot of exploits today uses (for example.FIN SYN This match is used to match depending on the TCP flags in a packet. in other words packets in an already established connection. it would be understood just the same as --sourceport 22:80. --tcp-option iptables -p tcp --tcp-option 16 This match is used to match packets depending on their TCP options. This would tell the match to match all packet with the FIN or the ACK bits set. If a source port definition looked like --source-port 80:22.

and hence there is no such thing as different flags to set in the packet to give data on what the datagram is supposed to do. The first would match all UDP packets going to port 53 while the second would match packets but those going to the destination port 53. to invert this we could do --destination-port ! 53.Iptables Tutorial 1. port 0 is assumed. the ports switch place with eachother automatically. For more http://people. It is used to perform matches on packets based on their source UDP ports. add a ! sign in this. Single UDP port matches look as in the example above. --dport. If the high port is placed before the low port. Table 6.9 Página 23 UDP matches This section describes matches that will only work together with UDP packets. it is exactly the same as the equivalent TCP match. To match a single port we do --destination-port 53.1. single ports and inversions. Note that this match does not handle multiple separated ports and port ranges. single ports and port inversions with the same syntax.unix-fu. Note that this match does not handle multiple ports and port ranges. look at the multiport match extension. they are simply lost (Not taking ICMP error messaging etcetera into account). If they are lost. If the first port is omitted. There will be more about the state machine in a future chapter. To invert the port match. such as open or closing a connection. --destination-port iptables -A INPUT -p udp --dport 53 The same goes for this match as for the UDP version of --source-port. If the last port is omitted.html 21:25:51 10/06/2002 . port 0 is assumed. Note that UDP packets are not connection oriented. It has support for port ranges. The match handles port ranges. To specify a port range. or if they are just simply supposed to send data. To make a UDP port range you could do 22:80 which would match UDP ports 22 through 80. they automatically switch place so the low port winds up before the high port. These matches are implicitly loaded when you specify the --protocol UDP match and will be available after this specification. port 65535 is assumed. The state machine works pretty much the same on UDP packets as on TCP packets. --source-port iptables -A INPUT -p udp --sport 53 This match works exactly the same as its TCP counterpart. If the second port is omitted. If the high port comes before the low port. If the first value is omitted. This means that there is quite a lot less matches to work with on a UDP packet than there is on TCP packets. Note that the state machine will work on all kinds of packets even though UDP or ICMP packets are counted as connectionless protocols.org/andreasson/iptables-tutorial/iptables-tutorial. This example would match all packets destined for UDP port 22 through 80. but will work with UDP packets instead. Of course. This would match all ports but port 80. The match is used to match packets based on their UDP destination port. UDP packets do not require any kind of acknowledgement either. port 65535 is assumed. UDP matches Match Example Explanation --sport. For more information about this. we would do --destination-port 22:80 for example. the match can understand service names as long as they are available in the /etc/services file. --source-port ! 53 fashion.

org/andreasson/iptables-tutorial/iptables-tutorial. The headers of a ICMP packet are very similar to those of the IP headers. Explicit matches Explicit matches are matches that must be specifically loaded with the -m or --match option. we would get an ICMP host unreachable in return. among other things. we would have to write -m state to the left of the actual match using the state matches. This match is implicitly loaded when we use the --protocol ICMP match and we get access to it automatically. and hopefully this should suffice. Numerical values are specified in RFC 792. look at the multiport match extension. The difference between implicitly loaded matches and explicitly loaded ones is that the implicitly loaded matches will automatically be loaded when you. see the ICMP types appendix. The main feature of this protocol is the type header which tells us what the packet is to do. These packets are even worse than UDP packets in the sense that they are connectionless. while explicitly loaded matches will not be loaded automatically in any case and it is up to you to activate them before using them. among other things. ICMP matches These are the ICMP matches. or check the ICMP types appendix. Note that some ICMP types are obsolete. for example. or was created for testing/experimental use or plainly to show examples of what could be accomplished with iptables.1. This match can also be inverted with the ! sign in this. fashion.Iptables Tutorial 1. Some of these matches may be specific to some protocols.For a complete listing of ICMP types.unix-fu. match TCP packets. --icmp-type ! 8. ICMP types can be specified either by their numeric values or by their names. so we can know source and destination adress too. redirect packets to the wrong places. There is only one ICMP specific match available for ICMP packets.9 Página 24 information about this. they should mostly be useful since it all depends on your imagination and your needs. Note that all the generic matches can also be used. ICMP matches Match Example Explanation --icmp-type iptables -A INPUT -p icmp --icmp-type 8 This match is used to specify the ICMP type to match. The ICMP protocol is mainly used for error reporting and for connection controlling and such features. Table 7. do a iptables --protocol icmp --help. however. To find a complete listing of the ICMP name values. but contains differences. If we would like to use the state matches for example. This in turn means that all these matches may not always be useful. and others again may be "dangerous" for a simple host since they may. http://people.html 21:25:51 10/06/2002 . but more of a protocol beside the IP protocol that helps handling errors. ICMP is not a protocol subordinated to the IP protocol. One example is if we try to access an unaccessible IP adress.

This would in other words reverse the meaning of the match so all packets except packets from this MAC address would be matched.9 Página 25 MAC match Table 8. This means that all packets will be matched after they have broken the limit. it would then look like -m ! limit. This match is specified with a number and an optional time specifier. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01. What this means. you could use this to match all packets that goes over the edge of a certain chain. and get limited logging of this. The limit match may also be inversed by adding a ! flag in front of the limit match explicit loading. Limit match options Match Example Explanation --limit iptables -A INPUT -m limit --limit 3/hour This sets the maximum average matching rate of the limit match. Limit match The limit match extension must be loaded explicitly with the -m limit option.html 21:25:51 10/06/2002 . The default value here is 3 per hour. This match is excellent to use to do limited logging of specific rules etcetera. FORWARD and INPUT chains and nowhere else. This is its main usage.1. The following time specifiers are currently recognised: / second /minute /hour /day. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX. This match is also only valid in the PREROUTING. this match will only be possible to use on ethernet based networks. --limit-burst http://people. but there are more usages.unix-fu.Iptables Tutorial 1. Table 9. is that when we add this match we limit how many times a certain rule may be matched in a certain timeframe. MAC match options Match Example Explanation --mac-source iptables -A INPUT --mac-source 00:00:00:00:00:01 This match is used to match packets based on their MAC source address. of course. or 3/hour. This tells the limit match how many times to let this match run per timeunit (ie /minute).org/andreasson/iptables-tutorial/iptables-tutorial. Note that since MAC addresses are only used on ethernet type networks. else it will not be legal. For example.

It tells iptables the maximum initial number of packets to match. It can take a maximum of 15 ports specified to it in one argument. which would sometimes mean you would have to make several rules looking exactly the same just to match different ports. for example. A mark is a special field only maintained within the kernel that is associated with the packets as they travel through http://people. It works exactly the same way as the source port match mentioned just above. Multiport match The multiport match extension can be used to specify more destination ports and port ranges than one. (If anyone got a good/better and simpler explanation than this.80.53. Multiport match options Match Example Explanation --source-port iptables -A INPUT -p tcp -m multiport --source-port 22. up to this number. It can only be used in conjunction with -p tcp and -p udp. send me a mail and I'll try to make this more understandable). Note that this means that it will only match packets that comes from. This match may only be used in conjunction with the -p tcp or -p udp matches.9 Página 26 iptables -A INPUT -m limit --limit-burst 5 This is the setting for the burst limit of the limit match. The default value is 5. It is mainly an enhanced version of the normal -source-port match.unix-fu. except that it matches destination ports.53. port 80 to port 80 and if you have specified port 80 to the --port match.80. Mark match The mark match extension is used to match packets based on the marks they have set. Table 10. --destination-port iptables -A INPUT -p tcp -m multiport --destination-port 22.110 This match matches multiple source ports.80.110 This match is used to match multiple destination ports. It works the same way as the --source-port and --destination-port matches above. as you can see in the example. It has a maximum specification of 15 ports and may only be used in conjunction with -p tcp and -p udp.1. A maximum of 15 separate ports may be specified.Iptables Tutorial 1.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. This number gets recharged by one every time the limit specified is not reached.110 This match extension can be used to match packets based both on their destination port and their source port. The ports must be comma delimited. --port iptables -A INPUT -p tcp -m multiport --port 22.53.

Note that this mark field does not in any way travel outside. The mark specification would then look like. The mark field is currently set to an unsigned integer. with or without the packet. Even within the OUTPUT chain it is not very reliable since certain packets may not have an owner. This match only works within the OUTPUT chain as it looks today.html 21:25:51 10/06/2002 . the actual computer itself. It is pretty much impossible to find out any information about who sent a packet on the other end. it is logically ANDed with the mark specified before the actual comparison. Owner match The owner match extension is used to match packets based on who created them. hence the limit of 65535 possible marks to use within your ruleset. In other words.9 Página 27 the computer. never match. hence there can be a maximum of 65535 different marks. Marks can be set with the MARK target which we will discuss a bit more later on in the next section. This extension was originally written as an example on what iptables might be used for. Mark match options Match Example Explanation --mark iptables -t mangle -A INPUT -m mark --mark 1 This match is used to match packets that have previously been marked. hence. Owner match options Match Example Explanation --uid-owner iptables -A OUTPUT -m owner --uid-owner 500 http://people.Iptables Tutorial 1. If this mark field matches the mark match it is a match. As of today. --mark 1/1.1. you are probably not going to run into this limit in quite some time. Table 11. This was previously done with the FWMARK target in ipchains. namely the MARK target in iptables. this is why people still refer to FWMARK in advanced routing areas. for example. They may be used by different kernel routines for such tasks as traffic shaping and filtering. Table 12. there is only one way of setting a mark in Linux. If a mask is specified. for obvious reasons. Notorious packets of that sort is different ICMP responses among other things. You may also use a mask with the mark. ICMP responses will. or if we where an intermediate hop to the real destination.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial. All packets traveling through netfilter gets a special mark field associated with them. The mark field is an unsigned integer.

--gid-owner iptables -A OUTPUT -m owner --gid-owner 0 This match is used to match all packets based on their Group ID (GID). and works for pretty much all protocols. This match is a bit harder to use. State matches Match Example Explanation --state iptables -A INPUT -m state --state RELATED. or we could write a small script that grabs the PID from a ps output for a specific daemon and then adds a rule for it. This concept will be more deeply introduced in a future chapter since it is such a large area. This means that we match all packets based on what group the user creating the packets are in. Table 13.Iptables Tutorial 1. In all cases. I would love to hear what they used it for and how they did it). This could be used to match outgoing packets based on who created them. (If anyone has actually used this match for a production server. --pid-owner iptables -A OUTPUT -m owner --pid-owner 78 This match is used to match packets based on their Process ID (PID) and which PID created the packets. there will be a default timeout for the connection and it will then be dropped from the connection tracking database. This could be used to block all but the users part of the "network" group from getting out onto the internet. You will then have access to one new match. If anyone have an idea for the usage of this match. or as described above to only allow "httpgroup" to be able to create packets going out on the HTTP port. This allows us to know in what state the connection is.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.html 21:25:51 10/06/2002 . State match The state match extension is used in conjunction with the connection tracking code in the kernel and allows access to the connection tracking state of the packets.9 Página 28 This packet match will match if the packet was created by the given User ID (UID). including stateless protocols such as ICMP and UDP. One possible use would be to block any other user than root to open new connections outside your firewall.ESTABLISHED http://people. please give me a note of it and of other possible uses. but one example would be to only allow PID 94 to send packets on the HTTP port.1. or another possible use could be to block everyone but the httpuser from creating packets from HTTP. --sid-owner iptables -A OUTPUT -m owner --sid-owner 100 This match is used to match packets based on their Session ID and the Session ID used by the program in question. This match needs to be loaded explicitly by adding a -m state statement to the rule.

and what kind of content it has(not really. there may be times where this could be useful. NEW and RELATED. This match is loaded explicitly by adding -m tos to the rule. TOS matches Match Example Explanation --tos iptables -A INPUT -p tcp -m tos --tos 0x16 This match is used as described above. or that it is associated with a connection that has not seen packets in both directions. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should. This could be used for.html 21:25:51 10/06/2002 . Note that this option is regarded as experimental and may not work at all times. however you should be aware that this may break legal connections too. ESTABLISHED. TOS stands for Type Of Service. and is located in the IP header. The match takes an hex or numeric value as an http://people. TOS match The TOS match can be used to match packets based on their TOS field. This could be used to DROP connections and to check for bad streams etcetera. How different routers and people deal with these values depends.9 Página 29 This match option tells the state match what states the packets must be in to be matched.1. This match tries to match packets which seems malformed or unusual.org/andreasson/iptables-tutorial/iptables-tutorial. but it tells us if there is any specific requirements for this stream such as that it needs to be sent as fast as possible. INVALID. among other things. Finally. INVALID means that the packet is associated with no known stream or connection and that it may contain faulty data or headers. NEW means that the packet has or will start a new connection. such as packets with bad headers or checksums and so on. RELATED means that the packet is starting a new connection and is associated with an already established connection. Unclean match The unclean match takes no options and requires no more than explicit loading when you want to use it. For more information on how this could be used. or an ICMP error associated with an TCP or UDP connection for example. consists of 8 bits. However. not be considered very good in cases where we have only one firewall and no load balancing between different firewalls. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid. Table 14. it can match packets based on their TOS field and their value. This could for example mean an FTP data transfer. Most do not care at all. There is currently 4 states that can be used. nor will it take care of all unclean packages or problems. read in the future chapter on the state machine. TOS is normally used to tell intermediate hosts the preceeding of the stream. to mark packets for later usage together with the iproute2 and advanced routing functions in linux.unix-fu. while others try their best to do something good with the packets in question and the data they provide. hence.Iptables Tutorial 1. or it needs to be able to send as much payload as possible).

or due to a malconfiguration). The TTL field contains 2 bits and is decremented once every time it is processed by an intermediate host between the client and host. the ACCEPT and DROP targets which we will deal with first http://people. At the time of writing it contained the following named values: Minimize-Delay 16 (0x10). it is only your imagination which stops you. If the TTL reaches 0. Maximize-Reliability 4 (0x04). To load this match. Some good protocols that would use this would be RTSP (Real Time Stream Control Protocol) and other streaming video/radio protocols.1. however. Targets/Jumps The target/jumps tells the rule what to do with a packet that is a perfect match with the match section of the rule. or possibly one of the names given if you do an iptables -m tos -h. and not to change anything. TTL matches Command Example Explanation --ttl iptables -A OUTPUT -m ttl --ttl 60 This match option is used to specify which TTL value to match. Minimize-Delay means to minimize the delay for the packets. It takes an numeric value and matches based on this value. and Normal-Service 0 (0x00). There is a few basic targets. MaximizeThroughput 8 (0x08).html 21:25:51 10/06/2002 . you need to add an -m ttl to the rule. This is true here. as well as in all kinds of matches. Table 15. Minimize-Delay means to minimize the delay until the packets gets through all the way to the client/server. for example hosts which seems to have problems connecting to hosts on the internet. One example.unix-fu.9 Página 30 option. or to find possible infestations of trojans etcetera. There is no inversion and there is no other specifics to this match. as described above.Iptables Tutorial 1. a standard protocol would be FTP-data. Maximize-Reliability means to maximize the reliability of the connection and to use lines that are as reliable as possible. Maximize-Throughput means to find a path that allows as big throughput as possible. This match is only used to match packets based on their TTL.org/andreasson/iptables-tutorial/iptables-tutorial. ie find the fastest route. The usage is pretty much limited. example of standard protocols that this includes are telnet. This target could be used for debugging your local network. an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is transmitted to the party sending the packet and telling about the problem. SSH and FTP-control. would be to find hosts with bad TTL values set as default (may be due to badly implemented TCP/IP stack. Normal-Service would finally mean any normal protocol that has no special needs for their transfers. TTL match The TTL match is used to match packets based on their TTL (Time To Live) field residing in the IP header. MinimizeCost 2 (0x02). some good protocols that would fit with this TOS values would be BOOTP and TFTP.

However.html 21:25:51 10/06/2002 . see the Traversing of tables and chains chapter. A better solution would be to use the REJECT target in those cases. We could then add a jump target to it like this: iptables -A INPUT -p tcp -j tcp_packets. This may be good in cases where we want to take two actions on the same packet. let us have a brief look at how a jump is done.Iptables Tutorial 1. When a packet is perfectly matched and this target is set. We could for example. Rules that are stopped. For more information on table and chain traversing. We would then jump from the INPUT chain to the tcp_packets chain and start traversing that chain. If a packet is ACCEPT'ed within one of the subchains.org/andreasson/iptables-tutorial/iptables-tutorial. we get dropped back to the INPUT chain and the packet starts traversing from the rule one step below where it jumped to the other chain (tcp_packets in this case). do note that the packet will traverse all other chains in the other tables in a normal fashion. especially when you want to block certain portscanners from getting to http://people. We will try to answer all these questions as we go in the descriptions. Targets may also end with different results one could say. DNAT and SNAT targets. To jump to a specific chain. what TOS value to use etcetera) while others have options not necessary. To use this target. let's say we create a chain in the filter table called tcp_packets like this: iptables -N tcp_packets. Good examples of such rules are DROP and ACCEPT. it is required that the chain has already been created. As we have already explained before. will not pass through any of the rules further on in the chain or superset chains. nor any of the calling chains. before we do that. When/If we reach the end of that chain.unix-fu. Let us have a look at what kinds of targets there are. may take an action on the packet and then the packet will continue passing through the rest of the rules anyway. Some targets will also take options that may be necessary (What address to do NAT to.1. DROP target The DROP target does just what it says. it is accepted and will not continue traversing the chain where it was accepted in. and it does not require. but available in any case (log prefixes. Note that this action may be a bit bad in certain cases since it may leave dead sockets around on the server and client. Other targets. such as both mangling the TTL and the TOS value of a specific packet/stream. A packet that matches a rule perfectly and then has this action taken on it will be blocked and no further processing will be done. Network Address Translationed and then be passed on to the other rules in the same chains. to add options to the target. masquerade to ports and so on). Do note. some targets will make the packet stop traversing the specific chain and superset chains as described above. it drops packets dead to the ground and refuses to process them anymore. The jump specification is done exactly the same as the target definition except that it requires a chain within the same table to jump to. These packets may be logged. or have the possibility. it will automatically be ACCEPT'ed in the superset chain also and it will not traverse any of the superset chains any further. There is nothing special about this target whatsoever. a chain is created with the -N command. we specify it like -j ACCEPT. Targets on the other hand specify an action to take on the packet in question. For example. that packets that was accepted in one chain will still travel through any subsequent chains within the other tables and may be dropped there. ACCEPT target This target takes no special options first of all. a good example of this would be the LOG. There is also a number of other actions we may want to take which we will describe further on in this section.9 Página 31 of all targets. DROP or ACCEPT the packet depending on what we want to do. However.

If the chain is the main chain. It would then be dropped to the default policy as previously described.org/andreasson/iptables-tutorial/iptables-tutorial. Another example would be if the packet hit a --jump RETURN rule in the INPUT chain. either to tell the client or the server as told previously.Iptables Tutorial 1. This is an excellent target to use while you are debugging your rulesets to see what packets go where and what rules are applied on what packets. for example the INPUT chain. The default policy is normally set to ACCEPT or DROP or something the like. If it is a subchain to another chain. which in this case would be the INPUT chain. the packet will have the default policy taken on it. or for pure bughunting and errorfinding. The LOG target will log specific information such as most of the IP headers and other interesting information via the kernel logging facility. QUEUE target Option Example Explanation Option Example Explanation RETURN target The RETURN target will make the current packet stop travelling through the chain where it hit the rule. The target will not send any kind of information in either direction. the packet will not be processed in any of the above chains in the structure either.html 21:25:51 10/06/2002 .unix-fu. LOG target The LOG target is specially made to make it possible to log snippets of information about packets that may be illegal. lets say a packet enters the INPUT chain and then hits a rule that it matches and that gives it --jump EXAMPLE_CHAIN. For example. Also note that it may be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall since this may otherwise cause severe connectivity problems for your users.1. Also note that if a packet has the DROP action taken on them in a subchain. the packet will continue to travel through the above chains in the structure as if nothing had happened. and no more actions would be taken in this chain. such as filtered ports and so on. The packet will then start traversing the EXAMPLE_CHAIN. Also note that the http://people. This information may then be read with dmesg or syslogd and likely programs and applications. It will then jump back to the previous chain. and all of a sudden it matches a specific rule which has the --jump RETURN target set.9 Página 32 much information. QUEUE target Table 16.

http://people.Iptables Tutorial 1. The TCP Sequence number are special numbers that identify each packet and where it fits into a TCP sequence and how the stream should be reassembled. warn and panic. The prefix may be up to 29 letters long. Normally there are the following log levels.org/andreasson/iptables-tutorial/iptables-tutorial. emerg and panic.9 Página 33 ULOG target may be interesting in case you are getting heavy logs.conf manpages as well as other HOWTO's etcetera.conf for information about these kind of problems. would make all messages appear in the /var/log/iptables file. Note that it is not a iptables or netfilter problem in case you get your logs to the consoles or likely. Table 17. Note that this option is a security risk if the log is readable by any users.html 21:25:51 10/06/2002 . which may contain logging messages from iptables. Note that all three of these are deprecated. for example. The keyword error is the same as err. In other words.=info /var/log/iptables in your syslog. including whitespace and those kind of symbols. err. notice. crit. warn is the same as warning and panic is the same as emerg. All messages are logged through the kernel facility. or want to set different options to specific values. setting kern.unix-fu. For more information on logging I recommend you to read the syslog and syslog. --log-tcp-sequence iptables -A INPUT -p tcp -j LOG --log-tcp-sequence This option will log the TCP Sequence numbers together with the log message. LOG target options Option Example Explanation --log-level iptables -A FORWARD -p tcp -j LOG --log-level debug This is the option that we can use to tell iptables and syslog which log level to use.conf. in other words do not use error. Note that there may be other messages here as well from other parts of the kernel that uses the info priority.conf file and then letting all your LOG messages in iptables use log level info. For a complete list of loglevels read the syslog. error. --log-prefix iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets" This option tells iptables to prefix all log messages with a specific prefix which may then be very good to use together with. or priorities as they are normally referred to: debug. grep and other tools to distinguish specific problems and outputs from specific rules. or by the world for that matter.conf manual. They are all listed below. Any log that is. but instead a problem of your syslogd configuration which you may find in /etc/syslog. warning. The LOG target currently takes five options that may be interesting to use in case you have specific needs for more information.1. info. alert. since the ULOG target has support for logging directly to MySQL databases and such. Read more in man syslog. warn. The priority defines the severity of the message being logged.

In other words. just the same as the previous option. The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc). and will not work outside there. This target is only valid in the mangle table. you will be better off with the TOS target which will mangle the TOS value in the IP header. For more information on advanced routing. you may not set a MARK for a package and then expect the MARK to still be there on another computer. --log-ip-options iptables -A FORWARD -p tcp -j LOG --log-ip-options The --log-ip-options option will log most of the IP packet header options. etcetera. This works exactly thesame as the --log-tcp-options option. which would also http://people. limiting or unlimiting their network speed etcetera. but is an value that is associated within the kernel with the packet.Iptables Tutorial 1. MARK target The MARK target is used to set netfilter mark values that are associated with specific packets. FORWARD and OUTPUT chain or subchains of those chains.unix-fu. check out the LARTC HOWTO.org/andreasson/iptables-tutorial/iptables-tutorial. just as most of the LOG options. but instead works on the IP options. These may be valuable when trying to debug what may go wrong and what has gone wrong. These logging messages may be valuable when trying to debug or finding out specific culprits and what goes wrong. but it also sends back an error message to the host sending the packet that was blocked. MARK target options Option Example Explanation --set-mark iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2 The --set-mark option is required to set a mark. The --set-mark match takes an integer value. The REJECT target is as of today only valid in the INPUT. This option takes no variable fields or anything like that. REJECT target The REJECT target works basically the same as the DROP target.html 21:25:51 10/06/2002 .9 Página 34 --log-tcp-options iptables -A FORWARD -p tcp -j LOG --log-tcp-options The --log-tcp-options option will log the different options from the TCP packets header. Table 18. or on all packets from a specific host and then do advanced routing on that host. we may set mark 2 to a specific stream of packets.1. For example. If this is what you want. Note that the mark value is not set within the actual package.

this is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts. icmp-proto-unreachable. and then the packet is dropped dead to the ground. As noted before. Note that the chains that uses the REJECT target may only be called upon by the INPUT. This is one of the few fields that can be used within iproute2 and its subsystem to route packets. just the same as with the DROP target. icmp-host-unreachable. At worst. TOS target The TOS target is used to set the Type of Service field within the IP header. and you may get some more information by looking in the appendix ICMP types. icmp-portunreachable. you should hence set the TOS field which was developed for this.unix-fu. TCP RST are used to close open connections gracefully. FORWARD. There currently is only one option which controls the nature of how this target works. and OUTPUT chains. the MARK target which sets a MARK associated with a specific packet is only available within the kernel. the tcp-reset option will tell REJECT to send an TCP RST packet in reply to the sending host. which won't accept your mail otherwise. Finally. As stated in the iptables man page.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial. but this option may only be used in conjunction with rules which would match ICMP ping packets.html 21:25:51 10/06/2002 .9 Página 35 be the only chains where it would make any sense to put this target in. As stated previously. and they will not even look at them. For more information about the TCP RST read RFC 793 . Most of them are fairly easy to understand if you have a basic knowledge of TCP/IP. Also note that if you handle several separate firewalls and routers.Transmission Control Protocol. There are currently the following reject types that can be used: icmp-net-unreachable. REJECT target Option Example Explanation --reject-with iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset This option tells the REJECT target what response to send to the host that sent the packet that we found to be a match. and can not be propagated with the packet. The TOS field consists of 8 bits which are used to route packets.1. There is also an option called echo-reply. Table 19. Once we get a packet that matches a specific rule and we specify this target. The default error message is to send an port-unreachable to the host. this is the only way to propagate routing information between these routers and firewalls within the actual packet. At best the routers will do nothing with the TOS field. there is one more option called tcp-reset which may only be used together with the TCP protocol. All of the above are ICMP error messages and may be set as you wish. however. they will look at the TOS field and do the wrong thing based on the information. which in turn may take a huge set of variables. else they won't work. there is most definitely a good use if you http://people. the target will first of all send the specified reply. There are currently a lot of routers on the internet which does a pretty bad job at this so it may be a bit useless as of now to do any TOS mangling before sending the packets on to the internet. If you feel a need to propagate routing information on how to do routing for a specific packet or stream. icmp-net-prohibited and icmp-host-prohibited.

MaximizeReliability (decimal value 4. The TOS target only takes one option as described below. This listing is complete as of iptables 1. hex value 0x08). the MIRROR target would make so computer B got the webpage at yahoo. Lets say we set up a MIRROR target for port 80 at computer A. do an iptables -j TOS -h. or in hex 0x00-0xFF.unix-fu. Maximize-Throughput (decimal value 8. hex 0x02) or Normal-Service (decimal value 0. Note that most of these values will never be used by anyone on the internet so you may be better of by using the named values available (which should be more or less standardized). and then to retransmit the packet. or 0. and hence rendered the packets bad and in need of retransmission.2. either in hex or in decimal value.2. The default value on most packets are Normal-Service.9 Página 36 have a large WAN or LAN with several routers and actually have the possibility to give packets different routes and preference depending on their TOS value.html 21:25:51 10/06/2002 . Note that this target is only valid within the mangle table and can not be used outside it. use the actual names instead of the actual hex values to set up the TOS value. The result of this target is really simple. For a complete listing of the "descriptive values". hex value 0x00). TOS target Option Example Explanation --set-tos iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 The --set-tos option tells the TOS mangler what TOS value to set on packets that are matched. MIRROR target The MIRROR target is an experimental demonstration target only. and you should be warned of using this since it may result in really bad loops. These values are Minimize-Delay (decimal value 16. If computer B would be coming from yahoo. and it should generally be recommended since the values behind the names may be changed if you are unlucky. Table 20. the value may be 0-255.1.Iptables Tutorial 1. Also note that some old versions (1. at least within your own network.org/andreasson/iptables-tutorial/iptables-tutorial.5 and should hopefully be so for another period of time. and tried to access the HTTP server at computer A. Minimize-Cost (decimal value 2. which in turn most probably would be mangled and the connection would never work. of course. hex value 0x10). hex value 0x04). The option takes a numeric value. and I would be quite sure that someone has had a good laugh at some cracker or another that has cracked his own box via this target by now. hence resulting in a bad kind of Denial of Service. As the TOS value consists of 8 bits. This results in some really funny things. Note that you can.2 or below) of iptables provided a broken implementation of this target which would not fix the packet checksum upon mangling. among other things. The MIRROR target is used to invert the source and destination fields in the IP header.com. http://people.com back (since this is where he came from).

The SNAT target does all the translation needed to do this kind of work. depending on how many hops there is between them. no further processing of rules in the POSTROUTING chain will be commenced on the packets in the same stream. This option.50. the outside world would not know where to send reply packets.9 Página 37 Note that the MIRROR target is only valid within the INPUT.org/andreasson/iptables-tutorial/iptables-tutorial. then all future packets in the same connection will also be SNAT'ed and.236. also.html 21:25:51 10/06/2002 . since our local networks should use the IANA specified IP addresses which are allocated for LAN networks.unix-fu. it would then look like. However. Note that this is a best case scenario for the cracker or scriptkiddie. Table 21. which would be our firewall. at it simplest. The packet will then bounce back and forth a huge set of times. Not bad for a cracker in other words to send 1500 bytes of data. 194. this does not make the target free of any likely problems.1.236. One thing would for example be to send a spoofed packet to a host that uses the MIRRORcommand with a TTL of 255. This is in other words the only place that you may do SNAT in. and eat up 380 kbyte of your connection.236. If we forwarded these packets as is. the packet will jump back and forth 240-255 times. We could then turn on ip forwarding in the kernel. this is good when we want several computers to share an internet connection. If the first packet in a connection is mangled in this fashion. and then set an SNAT rule which would translate all packets from our local network to the source IP of our own internet connection. takes one IP address to which we should transform all the source IP addresses in the IP header.155194. Without doing this. letting all packets leaving our LAN look as if they came from a single host.50.50.155-194. NAT or mangle tables to avoid loops and other problems. The SNAT target is only valid within the nat table. and any user-defined chains which are only called from those chains.50.Iptables Tutorial 1. If we want to balance between several IP addresses we could use an range of IP addresses separated by a hyphen.160:1024-32000 The --to-source option is used to specify which source the packets should use. For example. which means that this target will rewrite the Source IP address in the IP header of the packet. If there is only 1 hop. SNAT target Option Example Explanation --to-source iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194. Also note that the outgoing packets created by the MIRROR target is not seen by any of the normal chains in the filter. whichever we want to call them. SNAT target The SNAT target is used to do Source Network Address Translation.236.160 as http://people. for example. noone on the internet would know that they where actually from us. and see to it that the packet is spoofed so it looks as if it comes from another host that uses the MIRROR command. within the POSTROUTING chain. FORWARD and PREROUTING chains.

This target can be extremely useful. and any of the chains called upon from any of those listed chains. an :80 statement to the IP addresses to which we want to http://people.1-192. for example. and this is the target of the rule. The source IP would then be set randomly for each stream that we open.23. namely 192. iptables will always try to not make any port alterations if it is possible. iptables will map one of them to another port. This is done by adding.1.168. :1024-32000 or something alike. that a single stream will always use the same host. DNAT target The DNAT target is used to do Destination Network Address Translation.org/andreasson/iptables-tutorial/iptables-tutorial. when you have an host running your webserver inside a LAN. Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table. Note.1.45. which means that it is used to rewrite the Destination IP address of a packet.1 through 10. for example. and then routed on to the correct device. and all subsequent packets in the same stream will be translated. You could then tell the firewall to forward all packets going to its own HTTP port. as described previously. Also note that we may add an port or port range to which the traffic would be redirected to. All other ports will be mapped to 1024 or above. If no port range is specified.9 Página 38 described in the example above. The above example would send on all packets destined for IP address 15.unix-fu.23. Table 22. it will not be mapped to the FTP control port. but if two hosts tries to use the same ports.168.45. We may also specify a whole range of destination IP addresses. the packet. This would hence look as within the example above. then all source ports below 512 will be mapped to other ports below 512 if needed. we will be able to deal with a kind of load balancing by doing this.1.1. but no real IP to give it that will work on the internet. All the source ports would then be mapped to the ports specified. Note that chains containing DNAT targets may not be used from any other chains. in which case we would always be connected to the same host. and the DNAT mechanism will choose the destination IP address at random for each stream. Those between source ports 512 and 1023 will be mapped to ports below 1024. We could also have specified only one IP address. and that each stream will randomly be given an IP address that it will always be Destinated for. As previously stated. such as the POSTROUTING chain. Note that this has nothing to do with destination ports. Hence. If a packet is matched. within that stream. iptables will always try to maintain the source ports used by the actual workstation making the connection. on to the real webserver within the LAN. and a single stream would always use the same IP address for packets within that stream.67 --dport 80 -j DNAT --to-destination 192. and where to send packets that are matched. host or network. There may also be an range of ports specified that should only be used by SNAT.67 to a range of LAN IP's. DNAT target Option Example Explanation --to-destination iptables -t nat -A PREROUTING -p tcp -d 15.Iptables Tutorial 1.10 The --to-destination option tells the DNAT mechanism which Destination IP to set in the IP header.168.html 21:25:51 10/06/2002 . so if a client tries to make contact with an HTTP server outside the firewall.

kill a specific interface.unix-fu. The reason for this is that the MASQUERADE target was made to work with. the lower port range delimiter and the upper port range delimiter separated with a hyphen. and it is more or less idiotic to keep the entry around. it means that we set the IP address used on a specific network interface instead of the --to-source option. This is in general the correct behaviour when dealing with dialup lines that are probable to be assigned a different IP every time it is up'ed. or like --to-destination 192. which gets dynamic IP addresses when connecting to the network in question.9 Página 39 DNAT the packets. however. for example.1. MASQUERADE target The MASQUERADE target is used basically the same as the SNAT target.168.1:80-100 if we wanted to specify a port range. Do note that port specifications are only valid for rules that specify the TCP or UDP protocols with the --protocol option. and there may be inconsistencies in the future which will thwart your existing scripts and render them "unusable". dialup connections. which is optional.html 21:25:51 10/06/2002 . the syntax is pretty much the same for the DNAT target. you should instead use the SNAT target. The MASQUERADE target also has the effect that connections are forgotten when an interface goes down. MASQUERADE target Option Example Explanation --to-ports iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000 The --to-ports option is used to set the source port or ports to use on outgoing packets. which is extremely good if we.1. for example. or DHCP connections. If we would have used the SNAT target. as for the SNAT target even though they do two totally different things. just as the SNAT target. and the IP address is automatically grabbed from the information about the specific interface. It is still possible to use the MASQUERADE target instead of SNAT even though you do have an static IP. we may have been left with a lot of old connection tracking data. Either you can specify a single port like --to-ports 1025 or you may specify a port range as --to-ports 10243000. This means that you should only use the MASQUERADE target with dynamically assigned IP connections.Iptables Tutorial 1. but it does not require any --to-source option. Table 23. swallowing up worthful connection tracking memory. As you can see. The MASQUERADE target takes on option specified below. Note that the MASQUERADE target is only valid within the POSTROUTING chain in the nat table. If you have a static IP connection. In case we are assigned a different IP. In other words. which we don't know the actual address of at all times. The --to-ports option is only valid if the rule match section specifies the TCP or UDP protocols with http://people.168.1. When you masquerade a connection. the connection is lost anyways.org/andreasson/iptables-tutorial/iptables-tutorial. which would be lying around for days. This alters the default SNAT port-selection as described in the SNAT target section. A rule could then look like --to-destination 192.1:80 for example. it is not favorable since it will add extra overhead.

The REDIRECT target takes only one option. The TTL target is only valid within the mangle table. which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090. TTL target The TTL target is used to modify the Time To Live field in the IP header. transparent proxying.0. It is also valid within user-defined chains that are only called from those chains. and nowhere else. It takes 3 options as of writing this. or something alike. or port range. If we would want to specify an port range. we would do it like --toports 8080-8090. The REDIRECT target is extremely good to use when we want. For more information on how to set the default value used in Linux. to use. all of them described below in the table. --to-ports 8080 in case we only want to specify one port. will effectively make it a little bit harder for them to notify that you are doing this. the destination port is never altered. http://people. One reason for doing this is if you have a bully ISP which don't allow you to have more than one machine connected to the same internet connection. this rewrites the destination address to our own host for packets that are forwarded. since it wouldn't make any sense anywhere else.txt. REDIRECT target The REDIRECT target is used to redirect packets and streams to the machine itself. Note that this option is only available in rules specifying the TCP or UDP protocol with the --protocol matcher. and who actively pursue this. Table 24.Iptables Tutorial 1. on our own host. This is specified. and nowhere else. such as 64 as specified in Linux kernel. for example. Setting all TTL values to the same value. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid. read the ip-sysctl.0. One useful application of this is to change all Time To Live values to the same value on all outgoing packets. as described below.1 address.1. where the LAN hosts do not know about the proxy at all. REDIRECT target Option Example Explanation --to-ports iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 The --to-ports option specifies the destination port. Without the --to-ports option.html 21:25:51 10/06/2002 . Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table.org/andreasson/iptables-tutorial/iptables-tutorial. as above.unix-fu.9 Página 40 the --protocol match. which you may find within the Other resources and links appendix. We may then reset the TTL value for all outgoing packets to a standardized value. In other words. Locally generated packets are mapped to the 127.

org/andreasson/iptables-tutorial/iptables-tutorial. see the ttl-inc. the more bandwidth will be eaten unnecessary in such a case. and if we specified --ttl-inc 4. Traceroutes are a loved and hated thing. In other words. a packet entering with a TTL of 53 would leave the host with TTL 56. ULOG target The ULOG target is used to provide userspace logging of matching packets. This is in other words a more complete and more sophisticated logging facility that is only used by iptables and netfilter so far. where the network code will automatically decrement the TTL value by 1. If a packet is matched and the ULOG target is set. Note that the same thing goes here. from 53 to 49 in other words. The reason for this is that the networking code will automatically decrement the TTL value by 1. the packet information is multicasted together with the whole packet through a netlink socket. since the packet may start bouncing back and forth between two misconfigured routers. TTL target Option Example Explanation --ttl-set iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-set 64 The --ttl-set option tells the TTL target which TTL value to set on the packet in question. which it always does. --ttl-dec iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-dec 1 The --ttl-dec option tells the TTL target to decrement the Time To Live value by the amount specified after the --ttl-decoption. as for the previous example of the --ttl-dec option.1. and it contains much better facilities for logging http://people. Do not set this value too high.txt script. NOTIFY ME --ttl-inc iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-inc 1 The --ttl-inc option tells the TTL target to increment the Time To Live value with the value specified to the --ttl-inc option. One or more userspace processes may then subscribe to various multicast groups and receive the packet. it gives the hacker/cracker some good information about your upstreams if they have targeted you. A good value would be around 64 somewhere. we effectively make the firewall hidden from traceroutes. since it may affect your network and it is a bit immoral to set this value to high. and the higher the TTL.unix-fu.Iptables Tutorial 1. but at the same time. hence the packet will be decremented by 4 steps. and it is not too short. since they provide excellent information on problems with connections and where it happens.9 Página 41 Table 25. This may be used to make our firewall a bit more stealthy to traceroutes among other things. For a good example on how this could be used. It's not too long. This means that we should raise the TTL value with the value specified in the -ttl-inc option. IF ANYONE HAS A GOOD USAGE FOR THIS OPTION. if the TTL for an incoming packet was 53 and we had set --ttl-dec 3. the packet would leave our host with a TTL value of 49.html 21:25:51 10/06/2002 . By setting the TTL one value higher for all incoming packets.

9 Página 42 packets. if we set the threshold to 10 as above. --ulog-cprange iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100 The --ulog-cprange option tells the ULOG target how many bytes of the packet to send to the userspace daemon of ULOG. and other databases. Table 26. With this we mainly mean the different routing decisions and http://people. ULOG target Option Example Explanation --ulog-nlgroup iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2 The --ulog-nlgroup option tells the ULOG target which netlink group to send the packet to. The default value is 0. --ulog-prefix iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: " The --ulog-prefix option works just the same as the prefix value for the standard LOG target. regardless of the packets size. The default netlink groupd used is 1.Iptables Tutorial 1. This option prefixes all log entries with a userspecified log prefix.org/andreasson/iptables-tutorial/iptables-tutorial. The default value here is 1 because of backwards compatibility. It can be 32 characters long. This is extremely valuable information later on when you write your own specific rules. the whole packet will be copied to userspace. If we specify 0. If we specify 100 as above. We will also look at which points certain other parts that also are kernel dependant gets in the picture.html 21:25:51 10/06/2002 . plus some leading data within the actual packet. This target enables us to log information to MySQL databases. --ulog-qthreshold iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10 The --ulog-qthreshold option tells the ULOG target how many packets to queue inside the kernel before actually sending the data to userspace. which are simply specified as 1-32. Traversing of tables and chains This chapter will talk about how packets traverse the the different chains and in which order. and is definitely most useful to distinguish different logmessages and where they came from. we would simply write --ulog-nlgroup 5. and then transmit it outside to the userspace as one single netlink multipart message. so the whole packet will be copied to userspace. There are 32 netlink groups. Also we will speak about in which order the tables are traversed.unix-fu. For example.1. the kernel would first accumulate 10 packets inside the kernel. the userspace daemon did not know how to handle multipart messages previously. which would include the whole header hopefully. and to group log entries etcetera. we would copy 100 bytes of the whole packet to userspace. making it much simpler to search for specific packets. If we would like to reach netlink group 5.

5 6 7 nat POSTROUTING 8 9 As you can see.Iptables Tutorial 1. Do note that there is no specific chains or tables for different interfaces or http://people. there's quite a lot of steps to pass through. Out on the wire again (ie. we are mainly interested in the iptables aspect of this lot.org/andreasson/iptables-tutorial/iptables-tutorial.1. only forwarded packets go through here. Goes out on the outgoing interface (ie. eth1). ie. we're assuming that the packet is destined for another host on another network. filter FORWARD The packet got routed onto the FORWARD chain. The packet can be stopped at any of the iptables chains.unix-fu. avoid doing filtering here since certain packets might pass this chain without ever hitting it. Forwarded packets Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire(ie. eth0) This chain is normally used for mangling packets. The packet goes through the different steps in the following fashion: Table 1. or anywhere else in case it is malformed. Note that all traffic that's forwarded goes through here (not only in one direction). we do all the filtering here. This is also where Masquerading is done.html 21:25:51 10/06/2002 . LAN). Then the packet starts to go through a series of steps in the kernel before it is either sent to the correct application (locally). internet) Comes in on the interface(ie. it hits the hardware and then get's passed on to the proper device driver in the kernel. changing TOS and so on. This chain should first and foremost be used for Source Network Address Translation. Source Network Address Translation is done further on. so you need to think about it when writing your ruleset. is the packet destined for our localhost or to be forwarded and where. however. This chain is used for Destination Network Address Translation mainly. General When a packet first enters the firewall. This is especially needed if you want to write rules with iptables that chould change how different packets get routed. or forwarded to another host or whatever happens to it. In this example. ie. Avoid filtering in this chain since it will be passed through in certain cases. good examples of this is DNAT and SNAT and of course the TOS bits. Routing decision.9 Página 43 so on.

Now. is the packet destined for our localhost or to be forwarded and where. I think it gets clearer with time. This is currently broken. ie. Finally we look at the outgoing packets from our own localhost and what steps they go through. Internet) Comes in on the interface(ie. Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning. server/client program) 5 6 7 Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain. It would pass through the following steps before actually being delivered to our application to receive it: Table 2.1.Iptables Tutorial 1. 3 4 Nat Filter OUTPUT OUTPUT http://people. Routing decision. could someone tell me when this will be fixed? Please? This is where we filter packets going out from localhost. Avoid filtering in this chain since it will be passed through in certain cases. This chain is used for Destination Network Address Translation mainly. Local process/application (ie. Destination localhost Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire (ie. it is suggested that you do not filter in this chain since it can have sideeffects. changing TOS and so on.unix-fu. Quite logical. Note that all incoming packets destined for this host passes through this chain.html 21:25:51 10/06/2002 . ie. Source localhost Step 1 2 Mangle OUTPUT Table Chain Comment Local process/application (ie. no matter what interface and so on it came from. let us have a look at a packet that is destined for our own localhost. eth0) This chain is normally used for mangling packets. filter INPUT This is where we do filtering for all incoming traffic destined for our localhost.org/andreasson/iptables-tutorial/iptables-tutorial. server/client program) This is where we mangle packets. but if you continue to dig in it. FORWARD is always passed by all packets that are forwarded over this firewall/ router. Table 3. I think.9 Página 44 anything like that.

Goes out on some interface (ie.org/andreasson/iptables-tutorial/iptables-tutorial. This is where we decide where the packet should go.1.unix-fu. This is where we do Source Network Address Translation as described earlier. it would look something like this: http://people. eth0) On the wire (ie. If we would figure out a good map of all this. and certain packets might slip through even though you set a default policy of DROP.Iptables Tutorial 1.html 21:25:51 10/06/2002 .9 Página 45 5 6 Nat POSTROUTING Routing decision. Internet) 7 8 We have now seen how the different chains are traversed in three separate scenarios. It is suggested that you don't do filtering here since it can have sideeffects.

you could use the rc.Iptables Tutorial 1. http://people.html 21:25:51 10/06/2002 .test-iptables.txt script.1. This test script should give you the necessary rules to test how the tables and chains are traversed. All comments welcome.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 46 Hopefully you got a clearer picture of how the packets traverses the built in chains now.unix-fu. this might still be wrong or it might change in the future. If you feel that you want more information.

as we have said before. and sometimes. After this. Don't set this in other words for packets going to the internet unless you want to do routing decisions on it with iproute2. We could also do bandwidth limiting and Class Based Queuing based on these marks. Note that. Some Internet Service Providers does not like users running multiple computers on one single connection. Nat table This table should only be used for NAT (Network Address Translation) on different packets. and there are some Internet Service Providers known to look for a single host generating many different TTL values. In other words. the rest of the packets http://people. you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) fields and so on.9 Página 47 Mangle table This table should as we've already noted mainly be used for mangling packets. Note that this has not been perfected and is not really implemented on the internet and most of the routers don't care about the value in this field. they act faulty on what they get. only the first packet in a stream will hit this chain. This could be used for setting up policies on the network regarding how a packet should be routed and so on. The TTL target is used to change the TTL (Time To Live) field of the packet. One good reason for this could be that we don't want to give ourself away to nosy Internet Service Providers. These marks could then be recognised by the iproute2 programs to do different routing on the packet depending on what mark they have.html 21:25:51 10/06/2002 . Target's that only valid in the mangle table: TOS TTL MARK The TOS target is used to set and/or change the Type of Service field in the packet. SNAT or Masquerading work in this table. and takes this as one of many signs of multiple computers connected to a single connection. nor will any DNAT. it should only be used to translate packets source field or destination field. or if they don't have any. In other words.1.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. The MARK target is used to set special mark values to the packet. It is strongly adviced that you don't use this table to do any filtering in.Iptables Tutorial 1. We could tell packets to only have a specific TTL and so on.

x netmask for example. etc.x. Almost all targets are usable in this chain.Iptables Tutorial 1. The firewall will with this target automatically SNAT and De-SNAT the packets. for example PPP. but need to change our local networks IP numbers to the same of the IP of our firewall. rc. The MASQUERADE target will on the other hand work properly with Dynamic IP addresses that you may be provided when you connect to the Internet with. SLIP or DHCP. The actual targets that does these kind of things are: DNAT SNAT MASQUERADE The DNAT (Destination Network Address Translation) target is mainly used in cases such as when you have one IP and want to redirect accesses to the firewall to some other host on a DMZ for example. instead of doing as the SNAT target does and just use an IP address submitted while the rule was parsed. SNAT (Source Network Address Translation) is mainly used for changing the source address of packets. but the MASQUERADE target takes a little bit more overhead to compute. In other words. A good example when this is very good is when we have a firewall that we know the outside IP address of. This should be used to get a basic idea on how to solve different problems and what you may need to think about before http://people. hence making it possible to make connections from the LAN to the Internet. it automatically checks for the IP address to use. This is the place that we actually take action against packets and look at what they contain and DROP/ACCEPT depending on their payload. We will not go into deeper discussion about this table though. we change the destination address of the packet and reroute it to some other host.html 21:25:51 10/06/2002 . and there is nothing special to this chain or special packets that might slip through because they are malformed.firewall file This chapter will deal with an example firewall setup and how the script file could look. This is mainly done to hide our local networks or DMZ. The reason for this is that each time that the MASQUERADE target gets hit by a packet. however. this is the place that was designed for it.unix-fu. etcetera. mainly used for filtering packets. this is where we (should) do the main filtering.1.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 48 will automatically have the same action taken on them as the first packet. however.168. Of course we may do filtering earlier too. We can match packets and filter them however we want. of course. the targets discussed previously in this chapter are only usable in their respective tables. We have used one of the basic setups and dug deeper into how it works and what we do in it. The MASQUERADE target is used in exactly the same way as SNAT. If you're network uses 192. Filter table The filter table is. the packets would never get back from the Internet because these networks are regulated to be used in LAN's by IANA. as you already know.

so you have everything set up and are ready to check out an example configuration script. It could be used as is with some changes to the variables. We do provide it. note that there might be more efficient ways of making the ruleset. it will very likely run quite smooth with just a few fixes to it. Also. which will point the script to the exact location of the http://people.firewall Ok.txt is the configuration section.firewall. then you should probably look closer at the rc. but is not suggested since it may not work perfectly together with your network setup. Also.0. you need to specify the IP address of the physical interface connected to the LAN as well as the IP range which the LAN uses and the interface that the box is connected to the LAN through.firewall. This should always be changed since it contains the information that is vital to your actual configuration.Iptables Tutorial 1. I suggest you read through the script file to get a basic hum about how it looks. the $INET_IFACE variable should point to the actual device used for your internet connection. Also. The Local Area Network section contains most of the configuration options for your LAN. If you need these parts. as you may see there is a Localhost configuration section. they are however left there so you can spot the differences between the scripts in a more efficient way. Mainly. For example. Instead of looking for comments.DHCP. and then you return here to get the nitty gritty about the whole script.org/andreasson/iptables-tutorial/iptables-tutorial. The $INET_IP should always be a fully valid IP address. For example.txt (also included in the Example scripts codebaseappendix) is fairly large but not a lot of comments in it. hence it is available here. This example rc.html 21:25:51 10/06/2002 . As long as you have a very basic setup however. the script has been written for readability so that everyone can understand it without having to know too much BASH scripting before reading this example rc. then you could always create a mix of the different scripts.1 IP address and the interface will amost certainly be named lo. however you will with 99% certainty not change any of the values within this section since you will almost always use the 127.unix-fu. You should at least be if you have come this far. eth1. This script does not contain any special configuration options for DHCP or PPPoE. ppp0. hence these sections are empty. which are necessary. or (hold yourself) create your own from scratch.firewall.1. explanation of rc.txt. etcetera just to name a few possible device names. This could be eth0.0.9 Página 49 actually putting your scripts into work. The same goes for all sections that are empty. just below the Localhost configuration. if you got one (if not. tr0.firewall Configuration options The first section you should note within the example rc. however. your IP address will always change. this section only consists of the $IPTABLES variable. read on since this script will introduce a lot of interesting stuff anyways). however. you will find a brief section that pertains to the iptables.

if one of your hosts NAT'ed boxes connect to a FTP server on the internet.Iptables Tutorial 1.9 Página 50 iptables application. First off. are extensions of the connection tracking helpers that tells the kernel what to look for in specific packets and how to translate these so the connections will actually work. Connection tracking helpers are special modules that tells the kernel how to properly track the specific connections. which in turn requires some translation to be done. The same thing applies for DCC file transfers (sends) and chats. but you will be a bit more secure to bouncing hacker attacks and attacks where the hacker will only use your host as an intermediate host. the kernel would not know what to look for when it tries to track specific connections. For example.1. Always avoid loading modules that you do not need. however. some other things will not work. and the default location when compiling the iptables package by hand is /usr/local/sbin/iptables. I will not use that module in this example but basically. which could for example be used to only allow certain users to make certain connections. After this we load the modules that we will require for this script.unix-fu. So. you could allow only root to do FTP and HTTP connections to redhat and DROP all the others. Without these helpers. the FTP server will not know what to do with it and hence the connection will break down. and it sends connection information within the actual payload of the packet. Now. and if possible try to avoid having modules lying around at all unless you will be using them. The NAT helpers on the other hand. All modules that extend the state matching code and connection tracking code are called ip_conntrack_* and ip_nat_*. some FTP and IRC stuff will work no doubt. This may vary a bit. This is due to how the DCC starts a connection. you tell the receiver that you want to send a file and where he should connect to. but not be able to send files. look at the Owner match section within the How a rule is built chapter. Without the helpers. Since this local network address is not valid outside your own network. For more information about the ipt_owner match.org/andreasson/iptables-tutorial/iptables-tutorial. since it will take some extra effort to make additional rules this way. Creating these kind of connections requires the IP address and ports to be sent within the IRC protocol. FTP is a complex protocol by definition. it will send its own local network IP address within the payload of the packet. the DCC connection will look as if it wants the receiver to connect to some host on the receivers own local network. you may be able to receive files over DCC. we see to it that the module dependencies files are up to date by issuing an /sbin/depmod -a command. many distributions put the actual application in another location such as /usr/sbin/iptables and so on. REJECT and MASQUERADE targets and don't have this compiled statically into your kernel. and tells the FTP server to connect to that IP address. However. Initial loading of extra modules First. In other words. For example. You could also disallow all users but your own user and root to connect from your box to the Internet. Without these so called helpers. might be boring for others. etcetera. if you want to have support for the LOG. This is for security reasons. we load these modules as follows: /sbin/insmod ipt_LOG /sbin/insmod ipt_REJECT /sbin/insmod ipt_MASQUERADE Next is the option to load ipt_owner module.html 21:25:51 10/06/2002 . The FTP NAT helpers do all of the translations within these connections so the FTP server will actually know where to connect. the whole connection will be http://people. for example. We may also load extra modules for the state matching code here.

http://people. However. I have chosen to turn it on here to maintain consistency with the script breakdown currently user.1.9 Página 51 broken. the other way around. it will work flawlessly since the sender will (most probably) give you the correct address to connect to. As of this writing. there is only the option to load modules which add support for the FTP and IRC protocols.unix-fu. In case you need dynamic IP support. Note that you need to load the ip_nat_irc and ip_nat_ftp if you want Network Adress Translation to work properly on any of the FTP and IRC protocols.html 21:25:51 10/06/2002 . read the Preparations chapter. which is also available within the Other resources and links appendix. as well as some other conntrack helpers. you need to use the patch-omatic and compile your own kernel. For a better explanation on how this is done. in case there are possible additional links added to other and better resources of information. In other words. This will lead to a brief period of time where the firewall will accept forwarding any kind of traffic for everything between a millisecond to a minute depending on what script we are running and on what box. To be able to use these helpers. Also. There are also H.Iptables Tutorial 1. however. In this script and all others within the tutorial. There is a good but rather brief document about the proc system available within the kernel. For a long explanation of these conntrack and nat modules. there's other documentations on how to do these things and this is out of the scope of this documentation.org/andreasson/iptables-tutorial/iptables-tutorial. read the Common problems and questionmarks appendix. this option should really be turned on after creating all firewall rules. ip_dynaddr by doing the following : echo "1" > /proc/sys/net/ipv4/ip_dynaddr If there is any other options you might need to turn on you should follow that style. but it will make it possible for the computer to do NAT on these two protocols. it may be worth looking at that appendix in the future.323 conntrack helpers within the patch-o-matic. PPP or DHCP you may enable the next option. They are used the same way as the conntrack modules. we turn it on before actually creating any kind of IP filters (ie. iptables rulesets). You will also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before actually loading the NAT modules. This may give malicious people a small timeframe to actually get through our firewall. for example if you use SLIP. proc set up At this point we start the IP forwarding by echoing a 1 to /proc/sys/net/ipv4/ ip_forward in this fashion: echo "1" > /proc/sys/net/ipv4/ip_forward It may be worth a thought where and when we turn on the IP forwarding.

Some of the paths I have chosen to go here may be wrong from one or another of aspect. do contain a small section of non-required proc settings. Since the local network is fully trusted.firewall. this script has as a main priority to only allow traffic that we explicitly want to allow.1. In this case. this section contains a brief look back to the Traversing of tables and chains chapter. PPP and SLIP and others). and all others contained within this tutorial. Also. we also want to allow the firewall to act as a server for certain services on the internet. I wish to explain and clarify the goals of this script. The following picture will try to explain the basics of how an incoming packet traverses netfilter. This example is also based upon the assumption that we have a static IP to the internet (as opposed to DHCP. Also. let's make clear what our goals are. Instead of letting a TCP packet traverse ICMP. we want to allow all kind of traffic from the local network to the internet. These may be a good starters to look at. In the case of this scenario. and we trust our local network fully and hence we will not block any of the traffic from the local network. we would also like to let our local network do connections to the internet.txt script. I hope to point these aspects and possible problems out to you when and where they occur.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. Hopefully. This whole example script is based upon the assumption that we are looking at a scenario containing one local network. However. I simply match all TCP packets and then let the TCP packets traverse an user specified chain. Displacement of rules to different chains This section will briefly describe my choices within the tutorial regarding user specified chains and some choices specific to the rc. but instead further on in the chapter. This will effectively kill all connections and all packets that we do not explicitly allow inside our network or our firewall. however. this will remind you a little bit of how the specific tables and chains are traversed in a real live example. With these pictures and explanations. Based upon this picture. the Internet is most definitely not a trusted network and hence we want to block http://people. This way we do not get too much overhead out of it all. We will not discuss any specific details yet. To do this. UDP and TCP rules.unix-fu.9 Página 52 The rc. do not turn these on before actually knowing what they mean. one firewall and an Internet connection connected to the firewall. This is a really trivial picture in comparison to the one in the Traversing of tables and chains chapter where we discussed the whole traversal of chains and tables in depth.firewall.txt script. I have displaced all the different user-chains in the fashion I have to save as much CPU as possible but at the same time put the main weight on security and readability. we want to set default policies within the chains to DROP.Iptables Tutorial 1.

As for our firewall. we have decided to allow HTTP. For the same reason.html 21:25:51 10/06/2002 . we will want to block all traffic from the Internet to our local network except already established and related connections. as well as the fact we want to traverse as few rules as possible.9 Página 53 them from getting to our local network. Because of this. we do not want to allow specific packets or packet headers in specific conjunctions.0. our packets will hopefully only need to traverse as few rules as possible. Also. To do this. we want to split the rules down into subchains. we make the ruleset less timeconsuming for each packet. before we implement this. First of all. However. Therefore. or we just want to offer a few services to people on the internet. This means that we will also have to do some filtering within the FORWARD chain since we will otherwise allow outsiders full access to our local network. All of this is done within the PREROUTING chain. and we need to allow the return traffic through the OUTPUT chain. we want the local network to be able to connect to the internet. we may be a bit low on funds perhaps. the 10. Since we have an FTP server running on the server.0/8 address range is reserved for local networks and hence we would normally not want to allow packets from such a address range since they would with 90% certainty be spoofed. All of these protocols are available on the actual firewall. SSH and IDENTD access to the actual firewall. of course. and hence it should be allowed through the INPUT chain. and reduce redundancy within the network. let's look at what we need to do and what we do not need to do. By doing this. we want to add special rules to allow all traffic from the local network as well as the loopback network interface. we will need to NAT all packets since none of the local computers have real IP addresses. http://people. Since noone on the Internet should be allowed to contact our local network computers. which in turn will allow all return traffic from the Internet to our local network. For instance. nor do we want to allow some IP ranges to reach the firewall from the Internet. FTP. For a closer discussion of this.org/andreasson/iptables-tutorial/iptables-tutorial. By traversing less rules. and because of that we specifically allow all traffic from our local network to the internet. However. We trust our local network to the fullest. read the Common problems and questionmarks chapter.1.unix-fu. and the loopback device and IP address are also trusted. we add a rule which lets all established and related traffic through at the top of the INPUT chain. we must note that certain Internet Service Providers actually use these address ranges within their own networks.Iptables Tutorial 1.0. we also trust the local network fully. Based upon these general assumptions. which is created last in this script.

Finally. now you got a small picture on how the packet traverses the different chains and how they belong together. and hence we accept the directly.org/andreasson/iptables-tutorial/iptables-tutorial. This chain we choose to call the "allowed" chain. Since we are running on a relatively small network. as well as all of the rulesets within the chains. We do not do any specific user blocking. Finally. Setting up the different chains used So. and if not they will be dropped by the default policy in the OUTPUT chain. First of all. we choose to split the different packets down by their protocol family. this box is also used as a secondary workstation and to give some extra levy for this. All incoming UDP packets should be sent to this chain. which will contain rules for all TCP ports and protocols that we want to allow. UDP or ICMP.9 Página 54 In this script. we want to do some extra checking on the TCP packets. such as speak freely and ICQ.html 21:25:51 10/06/2002 .Iptables Tutorial 1. and should contain a few extra checks before finally accepting the packet. As for ICMP packets. we have the firewalls OUTPUT chain.1. You should also have a clear picture of the goals of this script. Also. iptables -P <chain name> <policy> http://people. and hence we only want to allow traffic from the IP addresses assigned to the firewall itself. we set all the default policies on the different chains with a quite simple command. When we decided on how to create this chain. These packets. for example TCP. we do not want people to use this box to spoof packets leaving the firewall itself. Since we actually trust the firewall quite a lot. However. All TCP packets traverse a specific chain named tcp_packets. We would most likely implement this by adding rules that ACCEPT all packets leaving the firewall in case they come from one of the IP addresses assigned to the firewall. so we would like to create one more subchain for all packets that are accepted for using valid port numbers to the firewall.unix-fu. we could not see any specific needs for extra checks before allowing the ICMP packets through if we agree with the type and code of the ICMP packet. we want to allow certain specific protocols to make contact with the firewall itself. these will traverse the icmp_packets chain. nor do we do any blocking of specific protocols. we send to the udp_packets chain which handles all incoming UDP packets. we have the UDP packets which needs to be dealt with. It is now about time that we take care of setting up all the rules and chains that we wish to create and to use. and if they are of an allowed type we should accept them immediately without any further checking. we allow pretty much all traffic leaving the firewall.

168. Finally. These applications will not work properly without it. of ICMP type. First of all we match all ICMP packets in the INPUT chain that come on the incoming interface $INET_IFACE. we do the same match for TCP packets on the $INET_IFACE and send those to the tcp_packets chain. do the same for everything to $LAN_IP. something that some might consider a security problem. we log them to our logs and then we DROP them. Everything that hasn't yet been caught will be DROP'ed by the default policy on the INPUT chain. or finally it might be a problem in our firewall not allowing traffic that should be allowed. some applications depend on it such as Samba etc.html 21:25:51 10/06/2002 . INPUT chain The INPUT chain as I've written it uses mostly other chains to do the hard work. we check for everything that comes from our $LOCALHOST_IP. and after this. tcp_packets.1. we log it so we might be able to find out about possible problems and or bugs. you need to look at the Appendices regarding state NEW and non-SYN packets getting through other rules. will be redirected to tcp_packets and incoming packets of UDP type from eth0 go to udpincoming_packets chain. we create the different special chains that we want to use with the -N command. which in my case is eth0.9 Página 55 The default policy is used every time the packets don't match a rule in the chain. I allow everything that comes from my own Internet IP that is either ESTABLISHED or RELATED to some connection. Also. will be redirected to the chain icmp_packets. Incoming packets on eth0. If you want to fully understand this. of TCP type. which would normally be 127.0. The chains we will use are icmp_packets. These packets could be allowed under certain circumstances but in 99% of the cases we wouldn't want these packets to get through. also we set a prefix to all log entries so we know where it came from. udpincoming_packets and the allowed chain for tcp_packets. and it will work much better on slow machines which might otherwise drop packets at high loads. we want to do some final checks on it to see if we actually do http://people.org/andreasson/iptables-tutorial/iptables-tutorial. After this. we allow broadcast traffic from our LAN. we don't log more than 3 packets per minute as to not getting flooded with crap all over the log files.unix-fu.0. The default policy was set quite some time back. and after this all UDP packets get sent to udpincoming_packets chain. Hence. We do certain checks for bad packets here.0/24. This way we don't get too much load from the iptables. The new chains are created and set up with no rules inside of them. if the connection is against an allowed port. and send those to the icmp_packets. The TCP allowed chain If a packet comes in on eth0 and is of TCP type. it travels through the tcp_packets chain. Either it might be a packet that we just dont want to allow or it might be someone who's doing something bad to us.Iptables Tutorial 1. Before we hit the default policy of the INPUT chain. Though. After this.1 and ACCEPT all incoming traffic from there.0. which was previously described. as you might remember. In either case we want to know about it so it can be dealt with. which in my case would be 192.

and a Time Exceeded is sent back from the first gateway en route to the host we're trying to traceroute. see the appendix ICMP types. DROP the crap since it's 99% sure to be a portscan. then TTL = 2 and the second gateway sends Time Exceeded. The last rule in this chain will DROP everything else. we create the chain the same way as all the others.Iptables Tutorial 1. For more information on ICMP types and their usage. when you traceroute someone. This way we won't have to wait until the browser's timeouts kicks in after some 60 seconds or more. we will be unable to ping other hosts.Internet Control Message Protocol by J. Then we check if the packet comes from an ESTABLISHED or RELATED connection. As a side-note. we then redirect it to the icmp_packets chain as explained before. we didn't reply to the SYN packet. After that. and it gets down to 0 at the first hop on the way out. we allow this.org/andreasson/iptables-tutorial/iptables-tutorial. If it is a SYN packet. Redirect and Time Exceeded. hence. except to portscan people pretty much. First of all. allow it. and a reply to this SYN packet. so for example if we send a HTTP request. we check if the packet is a SYN packet. Postel. Destination unreachable. I only allow incoming ICMP Echo Replies. For example. The reason that I allow these ICMP packets are as follows. if we don't allow this. then we. is allowed in the case where we might want to traceroute some host or if a packet gets its Time To Live set to 0. of course. Here we check what kind of ICMP types to allow. and the host is unreachable. http://people. Destination Unreachable is used if a certain host is unreachable.html 21:25:51 10/06/2002 . There is no practical use of not starting a connection with a SYN packet. In this case this pretty much means everything that hasn't seen traffic in both directions. ie. I might be wrong in blocking some of these ICMP types for you. An ESTABLISHED connection is a connection that has seen traffic in both directions. if it does. and so on until we get an actual reply from the host we finally want to get to. Echo Replies is what you get for example when you ping another host. For a complete listing of all ICMP types. Time Exceeded.1. There is no currently available TCP/IP implementation that supports opening a TCP connection with something else than a SYN packet to my knowledge. again of course. but in my case. If a packet of ICMP type comes in on eth0 on the INPUT chain.unix-fu. you start out with TTL = 1. the connection then must be in state ESTABLISHED. we will get a reply about this. The ICMP chain This is where we decide what ICMP types to allow. and since we've got a SYN packet. the last gateway that was unable to find the route to the host replies with a Destination Unreachable telling us that it was unable to find it. everything works perfectly while blocking all the other ICMP types that I don't allow. As it is now.9 Página 56 want to allow it or not. or they are trying to start the connection with a non SYN packet. i suggest reading the following documents and reports : The Internet Control Message Protocol ICMP RFC 792 . it is most likely to be the first packet in a new connection so.

which is NTP or network time protocol.0 and netmask 0.0. which is used to control FTP connections and later on I also allow all RELATED connections.txt file.org/andreasson/iptables-tutorial/iptables-tutorial.0. in other words your web server. we can unload the ip_conntrack_ftp module and delete the $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed line from the rc. there is still more checks to do. if you want to allow anyone from the outside to use a shell on your box at all. in other words all sources addresses.0. -A tcp_packets tells iptables in which chain to add the new rule.0. in other words if the packet is destined for port 21 they also match. hopefully.9 Página 57 The TCP chain So now we reach TCP connections. and that way we allow PASSIVE and PORT connections since the ip_conntrack_ftp module is. of course. they will be passed back to the original chain that sent the packet to the tcp_packets chain. which is what we use to do DNS lookups. If all the criteria are matched. -p TCP tells it to match TCP packets and -s 0/0 matches all source addresses from 0. As it is now. Note that you are dealing with a firewall. We don't want this behaviour.Iptables Tutorial 1.0. loaded. which we described previously.0. I ACCEPT incoming UDP packets from port 53. I allow TCP port 21. This protocol is used to set your computer clock to the same time as certain other time servers which have very accurate clocks. If we don't want to allow FTP at all. And finally we allow port 113.1. I personally also allow port 123. or FTP control port. its quite self explanatory how to do that by now=). hence we allow DNS. well. this is actually the default behaviour but I'm using it for brevity in here. As it is now. then the packet will be targeted for the allowed chain. --dport 21 means destination port 21. If you feel like adding more open ports with this script.0.0 with netmask 0. which is IDENTD and might be necessary for some protocols like IRC.firewall. http://people.0. Though. in other words everything again. etc to work properly. Port 22 is SSH.unix-fu. If it doesn't match any of the rules. the rule will be added to the end of the chain. much better than allowing telnet on port 23. It is always a bad idea to give others than yourself any kind of access to these kind of boxes. Firewalls should always be kept to a bare minimum and not more.0. we send them on to udpincoming_packets where we once again do a match for the UDP protocol with -p UDP and then match everything with a source address of 0.0. Port 80 is HTTP. This specifies what ports that are allowed to use on the firewall from the Internet. The UDP chain If we do get a UDP packet on the INPUT chain.html 21:25:51 10/06/2002 . delete it if you don't want to run a web server on your site. without this we wouldn't be able to do domain name lookups and we would be reversed to only use IP's. If they have a source port of 53 also. we ACCEPT them directly. hence we send each and one of them on to allowed chain.

or it's a weird packet that's spoofed. FORWARD chain Even though I haven't actually set up a certain section in the rc. OUTPUT chain Since i know that there's pretty much no one but me using this box which is partially used as a Firewall and a workstation currently.html 21:25:51 10/06/2002 . we allow the packets coming back from that site that's either ESTABLISHED or RELATED but nothing else. a headset.org/andreasson/iptables-tutorial/iptables-tutorial. most of you probably don't use this protocol.unix-fu. it should be used for network adress translation. among other things since this chain is only traversed by the first packet in a stream. We currently also allow port 2074. we'll sure as hell want to know about it for some reason or another. Note that this chain should not be used for any filtering or such. I would like to comment on the few lines in there anyways. Everything else might be spoofed in some fashion. As it is now. I allow pretty much everything that goes out from it that has a source address $LOCALHOST_IP. we first of all ACCEPT all packets coming from our LAN with the following line: /usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT So everything from our Localnet's interface gets ACCEPT'ed whatever the circumstances.txt example file. or even better. After this we allow everything in a state ESTABLISHED or RELATED from everywhere. Port 4000 is the ICQ protocol. Finally we DROP the packet in the default policy. I'm allowing it per default since I know there are some who actually do. We log maximally 3 log entries per minute as to not flood our own logs.9 Página 58 Though. Either it's a nasty error. which is used for certain real-time `multimedia' applications like speak freely which you can use to talk to other people in real-time by using speakers and a microphone. if we open a connection from our LAN to something on the Internet. and prefix them with a short line that is possible to grep for in the logfiles. in other words. This should be an extremely well known protocol that is used by the Mirabilis application named ICQ. it does network adress translation on packets before they actually hit the routing tables that sends them onwards to the INPUT or FORWARD chains in the filter table. Last of all we log everything that gets dropped.Iptables Tutorial 1. PREROUTING chain of the nat table The PREROUTING chain is pretty much what it says. There is at least 5 different ICQ clones for Linux and it's one of the most widely used chat programs in the world. And after this we log everything and drop it. $LAN_IP or $STATIC_IP. http://people. We finally hit the default policy of the FORWARD chain that says to DROP everything. even though I doubt anyone that I know would do it on my box.1.firewall. I doubt there is any further need to explain what it is. Also we log them with debug level. If it does get dropped.

We also set a prefix to the log with the --log-prefix and set the log level with the --log-level. isn't it? The next step we take is to ACCEPT all packets traversing the FORWARD chain in the default table filter that come from the input interface eth1 which is my interface connecting to the internal network. This is good if someone starts to flood you with crap stuff that otherwise would generate many megabytes of logs.168.x.unix-fu.x. The -t option tells us which table to use. We allow this rule to be matched a maximum of 3 times per minute with a burst limit of 3.html 21:25:51 10/06/2002 . or logging facility what kind of importance this log entry has. Starting the Network Address Translation So. correct? At least to me. 10. Simple. and since it comes from eth1 we ACCEPT it. mainly to make them easier to configure. per default settings in this script) and finally we target the packet for MASQUERADE'ing. So all packets that match this rule will be masqueraded to look as it came from your Internet interface. it'll have to wait for another 1 minute for the next log entry. but also to improve the readability a bit. In other words. it gets caught by this rule since the connection has seen packets in both directions. In some cases these might be packets that should have gotten through but didn't.org/andreasson/iptables-tutorial/iptables-tutorial.1. This might be used in the opposite direction. we don't do that though. in other cases it might be packets that definitely shouldn't get through and you want to be notified about this. we might drop that too. The next thing we do is to ACCEPT all packets from anywhere that are ESTABLISHED and/or RELATED to some connection. we first send a packet from our local box behind eth1. and they may not fit your exact intentions perfectly.Iptables Tutorial 1. such as in case we get packets from the Internet interface that claim to have a source IP of 192. too. The rest of this tutorial should most probably be http://people. then when the Internet box replies. and to provide an overlook of the scripts and what services they provide. and hits the default policy. As it looks now. These scripts are not in any way perfect. our final mission would be to get the MASQUERADEing up. First of all we add a rule to the nat table. we drop them quicker than hell since these IP's are reserved especially for local intranets and definitely shouldn't be used on the Internet.x or 172.x.16. The last thing we do is to log all traffic that gets dropped over the border. It is in other words up to you to make these scripts suitable for your needs. in this case nat while the A command tells us that we want to Add a new rule to an existing chain named POSTROUTING and -o $INET_IFACE tells us to match all outgoing packets on INET_IFACE (or eth0.x. there are specific variables added to these example scripts that may be used to automatically configure these settings. This means we get maximally 3 log entries per minute from this specific line. However. and the burst is also set to 3 so if we get 3 log entries in 2 seconds. All packets that are being forwarded on our box traverse the FORWARD chain in the filter table.x. Log level tells the syslogd.9 Página 59 First of all we check for obviously spoofed IP addresses. Example scripts The objective of this chapter is to give a fairly brief and short explanation of each script available with this tutorial. in such case. These settings are widely used within the example scripts. in the POSTROUTING chain that will masquerade all packets going out on our interface connected to the Internet.x. if we get an packet from $LAN_IFACE that claims to not come from an IP address in the range which we know that our LAN is on. For me this would be eth0.

2. but only such that pertains to our Internet connection. we will add a DMZ zone configuration at this point. LAN . Localhost . The structure This is the structure that all scripts in this tutorial should follow. 1.If there are possibly any special DHCP requirements with this specific script. we will add options pertaining to that in this section. rc. http://people. PPPoE .This is the configuration section which pertains to the Internet connection. 3. or small corporate network.firewall. DMZ .First of all we have the configuration options which the rest of the script should use. This chapter should hopefully give a short understanding to why all the scripts has been written as they have. 1.txt script structure All scripts written for this tutorial has been written after a specific structure.1. we will add specific options for those here. Most scripts lacks this section. Even though this is the structure I have chosen. Note that there may be more subsections than those listed here. DHCP . 1.These options pertain to our localhost. and if there are any special circumstances that raises the chances that he is using a PPPoE connection.9 Página 60 helpful in making this feat. Hopefully. 2.If there is any reason to it. hence this section will almost always be available.org/andreasson/iptables-tutorial/iptables-tutorial. The reason for this is that they should be fairly conformative to each other and to make it easier to find the differences between the scripts. The first section of this tutorial deals with the actual structure that I have established in each script so we may find our way within the script a bit easier. These variables are highly unlikely to change. will not have one.If there is any LAN available behind the firewall. If they differ in some way it is probably an error on my part. Configuration options should pretty much always be the first thing in any shell-script. This could be skipped if we do not have any Internet connection. This structure should be fairly well documented in this brief chapter.Iptables Tutorial 1. we will add the DHCP specific configuration options here.If there are a possibility that the user that wants to use this specific script. Configuration .unix-fu. there should be no reason to change these variables. do note that this may not be the best structure for your scripts. unless it is specifically explained why I have broken this structure. 4. This is most likely. and why I have chosen to maintain this structure. mainly because any normal home network. but we have put most of it into variables anyway. It is only a structure that I have chosen to use since it fits the need of being easy to read and follow the best according to my logic. Internet .html 21:25:51 10/06/2002 .

This section contains modules that are not required for normal operations. 4.If there are any other specific options and variables. iptables . 1. it should be subsectioned there. All of them should be commented out.This section should take care of any special configuration needed in the proc filesystem. it should be subsectioned directly to the configuration options somewhere. if not.This section should contain all of the required proc configurations for the script in question to work. I have also chosen to set the chains and their rulespecifications in the same order as they are output by the iptables -L command. proc configuration . If it does not fit in anywhere.By now the scripts should most probably be ready to insert the ruleset. while the second part should contain the non-required modules.This section should contain the required modules. It could possibly also contain configurations that raises security.org/andreasson/iptables-tutorial/iptables-tutorial. http://people. 2. Non-required proc configuration .1. 2.Iptables Tutorial 1.unix-fu. they should be commented out per default. rules set up . they should first of all be fitted into the correct subsection (If it pertains to the Internet connection. Module loading . In most scripts and situations this should only require one variable which tells us where the iptables binary is located. The first part should contain the required modules. may have been added even though they are not required.html 21:25:51 10/06/2002 . All user specified chains are created before we do anything to the system builtin chains. Required proc configuration . or add certain services or possibilities. etcetera). since they are not actually necessary to get the script to work. they will be listed as such. 3. but far from all of them. 1. I have chosen to split all the rules down after table and then chain names. Required modules . This should normally be noted in such cases within the example scripts. This list will contain far from all of the proc configurations or nodes. Other . and possibly special modules that adds to the security or adds special services to the administrator or clients. and if you want to add the service it provides. 5. Most of the useful proc configurations will be listed here.9 Página 61 5.This section of the scripts should maintain a list of modules. 6. Note that some modules that may raise security. and possibly which adds special services or possibilities for the administrator or clients. All of these modules should be commented out per default. it is up to you.This section should contain non-required proc configurations that may prove useful. and listed under the non-required proc configurations. Non-required modules .This section contains iptables specific configuration. If some of these options are required.

Set policies .Set up all the default policies for the systemchains.org/andreasson/iptables-tutorial/iptables-tutorial. Create user specified chains . This table should not be used for filtering anyways.After creating the user specified chains we may as well enter all the rules within these chains. I will be satisfied with the default policy set from the beginning. which could possibly lead to packets getting through the firewall at just the wrong timepoint (ie.9 Página 62 1. Normally I will set DROP policies on the chains in the filter table. while the nat table acts as a layer lying around the filter table. At this point we should add all rules within the INPUT chain. The filter table would hence be the core. namely the ACCEPT policy. do try to avoid mixing up data from different tables and chains since it will become much harder to read such rulesets and to fix possible problems.After the filter table we take care of the nat table. First of all we do not want to turn the whole forwarding mechanism and NAT function on at a too early stage. 6. This may be wrong in some perspectives. and finally the mangle table lies around the nat table as a second layer.First of all we go through the filter table and its content.Iptables Tutorial 1. Create content in user specified chains . You may as well put this later on in your script. This way we will get rid of all ports that we do not want to let people use. 4. 1. First of all we should set up all the policies in the table. INPUT chain .Last of all in the filter table. Also. we do not have a lot of things left to do within the filter table so we get onto the INPUT chain. I look upon the nat table as a sort of layer that lies just outside the filter table and kind of surrounds it.1. At this point we start following the output from the iptables -L command as you may see.At this point we go on to add the rules within the FORWARD chain. we add the rules dealing with the OUTPUT chain. Normally. nat table . and specifically ACCEPT services and streams that I want to allow inside. There should hopefully not be too much to do at this point. Set policies .unix-fu.When we have come this far. but none of the filter rules has been run). OUTPUT chain . FORWARD chain .html 21:25:51 10/06/2002 . but not too far from reality. This is done after the filter table because of a number of reasons within these scripts. 2. 1. 2. Filter table . 3. 5. it is totally up to you. and we http://people. when the NAT has been turned on. We will not be able to use these chains in the systemchains anyways if they are not already created so we could as well get to it as soon as possible. Nothing special about this decision.First of all we set up all the default policies within the nat table.At this point we create all the user specified chains that we want to use later on within this table. The only reason I have to enter this data at this point already is that may as well put it close to the creation of the user specified chains. There is no reason for you to stay with this structure. however.

such as masking all boxes to use the exact same TTL or to change TOS fields etcetera. Create content in user specified chains . this section was added just in case someone.org/andreasson/iptables-tutorial/iptables-tutorial. 4. 2. or I.unix-fu. I have in other words chosen to leave these parts of the scripts more or less blank. reason being that we do not want to open up big holes to our local network without knowing about it. I have not set any policies in any of the scripts in the mangle table one way or the other. As it looks now. Normally I do not have any of these. 5. However.Iptables Tutorial 1. send me a line and I will add it to the tutorial. mangle table . but I have been unable to find any good reasons to use this chain so far.At this point we create any user specified chains that we want within the nat table. but in certain cases we are forced to use the MASQUERADE target instead. or at the very least commented out. http://people.The POSTROUTING chain should be fairly well used by the scripts I have written since most of them depend upon the fact that you have one or more local networks that we want to firewall against the Internet. Create user specified chains . If anyone has a reason to use this chain. Create user specified chains .The last table to do anything about is the mangle table. OUTPUT chain . but I have added this section anyways. The table was not made for filtering. Mainly we will try to use the SNAT target. 6. unless they have specific needs. Within some scripts we have this turned on by default since the sole purpose of those scripts are to provide such services. We add this material here since I do not see any reason not to.The OUTPUT chain is barely used at all in any of the scripts. with a few exceptions where I have added a few examples of what it may be used for. 1.Create all the user specified chains. 3. it is not broken.By now it should be time to add all the rules to the user specified chains in the nat table.The PREROUTING chain is used to do DNAT on packets in case we have any need for it. Set policies .9 Página 63 should not let packets be dropped here since there are some really nasty things that may happen in such cases due to our own presumptions. POSTROUTING chain . The same thing goes here as for the nat table pretty much. would have the need for it in the future.1. and hence you should avoid it all together.html 21:25:51 10/06/2002 .Set the default policies within the chain. 7. 4. The same thing goes here as for the user specified chains in the filter table. since it should normally not be used for anyone. and you are encouraged not to do so either. just in case. PREROUTING chain . Note that the user specified chains must be created before they can actually be used within the systemchains. In most scripts this feature is not used. Since I have barely used the mangle table at all in the scripts. Normally I will not use this table at all. I have neither created any chains here since it is fairly unusable without any data to use within it. I let these chains be set to ACCEPT since there is no reason not to do so.

There is nothing that says that this is the only and best way to go. 8.9 Página 64 3. Hopefully this should explain more in detail how each script is structured and why they are structured in such a way. rc. you may att this point add the rules that you want within them here. 4. and should mainly just be seen as a brief explanation to what and why the scripts has been split down as they have.firewall. 5.txt http://people. OUTPUT chain . PREROUTING . POSTROUTING chain .At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. 7. Do note that these descriptions are extremely brief.unix-fu.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.html 21:25:51 10/06/2002 . 6.If you have any user specified chains within this table. Create content in userspecified chains .org/andreasson/iptables-tutorial/iptables-tutorial.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.1. INPUT chain .Iptables Tutorial 1. FORWARD chain .At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.

DMZ.html 21:25:51 10/06/2002 .Iptables Tutorial 1.firewall file chapter should explain every detail in the script most thoroughly.org/andreasson/iptables-tutorial/iptables-tutorial. rc. The rc.firewall. This script also makes the assumption that you have a static IP to the Internet. PPP.9 Página 65 The rc. and hence don't use DHCP.DHCP.1. where you have one LAN and one Internet Connection. If you are looking for a script that will work with those setups.firewall. SLIPor some other protocol that assigns you an IP automatically. Mainly it was written for a dual homed network. please take a closer look at the rc.firewall.unix-fu.txt script.txt script is the main core on which the rest of the scripts are based upon.txt http://people. For example.

You need to have two internal networks with this script as you can see from the picture.1. one for the broadcast address and one for the network address. if someone from the internet sends a packet to our DNS_IP.168. Do note that this will "steal" two IP's for you.9 Página 66 The rc. you must make the box recognise packets for more than one IP.unix-fu.168. giving the firewall one IP both internally and externally. One uses IP range 192.txt script was written for those people out there that has one Trusted Internal Network. You could then set the IP's to the DMZ'ed boxes as you wish. For example. When the DNS sees our packet. to send the packet on to our DNS on the DMZ network.0. If the packet would not have been translated.firewall. The other one uses IP range 192. which stands for Destination Network Adress Translation. The De-Militarized Zone is in this case 1-to-1 NAT'ed and requires you to do some IP aliasing on your firewall.0/24 and consists of the De-Militarized Zone which we will do 1-to-1 NAT to. one is to set 1-to-1 NAT. one De-Militarized Zone and one Internet Connection. the DNS wouldn't have answered the packet. and not to our external DNS IP.Iptables Tutorial 1.html 21:25:51 10/06/2002 . ie.0/24 and consists of a Trusted Internal Network. There are several ways to get this to work.org/andreasson/iptables-tutorial/iptables-tutorial. this tutorial will give you the tools to actually accomplish the firewalling and NAT'ing part. but it will not tell you exactly what you need to do since it is out of the scope of the tutorial.1. then we use DNAT. another one if you have a whole subnet is to create a subnetwork.DMZ. This is pretty much up to you to decide and to implement. We will show a short example of how the DNAT code looks: $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP http://people. the packet will be destined for the actual DNS internal network IP.

txt.txt script is pretty much identical to the original rc. that hasn't been gone through in the rest of the tutorial. This is how basic DNAT works. and is directed to port 53. PPP and SLIP connections to connect to the internet. I've had some people mail me and ask about the problem so this script will be a good solution for you. The reason is that this won't work together with a dynamic IP connection.firewall. By now you should have enough understanding of how everything works to be able to understand this script pretty well without any huge complications. Instead of using this variable the script now does it's main http://people. When the reply to the DNAT'ed packet is sent through the firewall.firewall. it automatically gets un-DNAT'ed. this script no longer uses the STATIC_IP variable.Iptables Tutorial 1. which is the TCP port for zone transfers between DNS's.DHCP. DNAT can only be performed in the PREROUTING chain of the nat table. rc.unix-fu. mail me since it is probably a fault on my side.firewall. The main changes done to the script consists of erasing the STATIC_IP variable as I already said and deleting all referenses to this variable. Then we look for TCP protocol on our $INET_IFACE with destination IP that matches our $DNS_IP. The actual changes needed to be done to the original script is minimal.9 Página 67 First of all. in other words the IP of the DNS on our DMZ network. which is the main change to the original rc. If there is something you don't understand. This script will allow people who uses DHCP. in other words Destination NAT. After that we specify where we want the packet to go with the --to-destination option and give it the value of $DMZ_DNS_IP.DHCP. However. however.org/andreasson/iptables-tutorial/iptables-tutorial.firewall. If we actually get such a packet we give a target of DNAT.1.html 21:25:51 10/06/2002 .txt script.txt The rc.

As you may read from above. we would get a real hard trouble. if you want to block hosts on your LAN to connect to the firewall.txt script. We could for example make a script that grabs the IP from ifconfig and adds it to a variable. One great example is if we are running an HTTP on our firewall. This script might be a bit less secure than the rc. I would definitely advise you to use that script if at all possible since this script is more open to attacks from the outside. it is easier to spot problems. 1.firewall. which could be some dyndns solution. Also. it will hang all currently active connections due to the NEW not SYN rules (see the State NEW packets but no SYN bit set section). However. but at the same time operate a script from the PPP daemon. It is possible to get by. without hurting the already existing ones.org site from the Other resources and links appendix. This in turn forces us to filter only based on interfaces in such cases where the internal machines must access the internet adressable IP.org/andreasson/iptables-tutorial/iptables-tutorial. You will find a link to the linuxguruz. grep the correct line which contains the IP address and then cuts it down to a manageable IP address.html 21:25:51 10/06/2002 . This also applies in a sense to the case where we got a static IP. would e to use for example the ip-up scripts provided with pppd and some other programs. In other words -d $STATIC_IP has been changed to -i $INET_IFACE. which contains static links back to the same host. if you get rid of the NEW not SYN rules for example. as described in the following list. it may be a good idea to grab a script. for example. If the script is run from within a script which in turn is executed by. If the script is kept simple. and if so ACCEPT them. but it is questionable. --in-interface $LAN_IFACE --dst $INET_IP. the NAT'ed box would be unable to get to the HTTP because the INPUT chain would DROP the packets flat to the ground. and to keep order in it. upon bootup of the internet connection. the PPP daemon. For a good site. there is the possibility to add something like this to your scripts: INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1` The above would automatically grab the IP address of the $INET_IFACE variable. how would you do it without erasing your already active rules blocking the LAN? 3.1. It may get unnecessarily complicated. The NAT'ed box would ask the DNS for the IP of the HTTP server. For example. http://people. there are serious drawbacks with this approach. then try to access that IP.unix-fu. check out the linuxguruz. A good way to do this. There is some more things to think about though. If you got rules that are static and always want to be around. as seen above which in turn could lead to security compromises.9 Página 68 filtering on the variable INET_IFACE. it is rather harsh to add and erase rules all the time. We can no longer filter in the INPUT chain depending on. 2.org iptables site which has a huge collection of scripts available to download.Iptables Tutorial 1. but in such cases it could be gotten around by adding rules which checks the LAN interface packets for our INET_IP. for example. that handles dynamic IP in a better sense. If we go to the main page. or write one. In case we filter based on interface and IP. This is pretty much the only changes made and that's all that's needed really.

Iptables Tutorial 1. We also disallow people on our LAN to do anything but specific tasks on the Internet. This script follows the golden rule to not trust anyone.org/andreasson/iptables-tutorial/iptables-tutorial.1. but it might need some tweaking depending on your configuration.test-iptables. This script will hopefully give you some clues as to what you can do with your firewall to strengthen it up.UTIN.firewall. We also don't trust the internal users to access the firewall more than we trust users on the Internet.unix-fu.txt script.txt The rc.txt script will in contrast to the other scripts block the LAN that is sitting behind us.test-iptables. The only things we actually allow is POP3. we don't trust anyone on any networks we are connected to. All it really does is set some LOG targets which will log ping reply's http://people.firewall. HTTP and FTP access to the internet. but it does give a few hints at what we would normally let through etc. and setting up masquerading etcetera. In other words.firewall. rc. This is a sad fact. but a large part of the hacks and cracks that a company gets hit by is a matter of people from their own staff perpetrating the hit.txt The rc.txt script can be used to test all the different chains. such as turning on ip_forwarding.UTIN.9 Página 69 rc. It will work for mostly everyone though who has all the basic set up and all the basic tables loaded into kernel. not even our own employees.html 21:25:51 10/06/2002 . It's not very different from the original rc.

it's not a good idea to have rules like this that logs everything of one sort since your log partitions might get filled up quickly and it would be an effective Denial of Service attack against you and might lead to real attacks on you that would be unlogged after the initial Denial of Service attack.firewall start and the script starts. Certain people has mailed me asking from me to put this script into the original rc.on. The script starts by setting the default policies to ACCEPT on the INPUT.firewall script using redhat Linux syntax where you type something like rc. When this step is done. Detailed explanations of special commands Listing your active ruleset To list your currently active ruleset you run a special option to the iptables command. rc.org/andreasson/iptables-tutorial/iptables-tutorial. You may consider adding rules to flush your MANGLE table if you use it. The rc. we consider the script done.flush-iptables. We do this first so we won't have to bother about closed connections and packets not getting through. and hence we only care about opening the whole thing up and reset it to default values.9 Página 70 and ping requests. OUTPUT and FORWARD chains of the filter table. unless the log entries are swapped around for some reason.unix-fu.flush-iptables. One final word on this issue. This should show you all the different chains used and in which order. POSTROUTING and OUTPUT chains of the nat table.txt script will reset and flush all your tables and chains. we jump down to the next section where we erase all the user specified chains in the NAT and filter tables.html 21:25:51 10/06/2002 . This way we know there is no redundant rules lying around anywhere. After this we reset the default policies of the PREROUTING. This script is intended for actually setting up and troubleshooting your firewall. Adding shell script syntax and other things makes the script harder to read as far as I am concerned and the tutorial was written with readability in mind and will continue being so. In other words.txt The rc. This would look like the following: http://people. run this script and then do: ping -c 1 host. I will not do that since this is a tutorial and should be used as a place to fetch ideas mainly and it shouldn't be filled up with shell scripts and strange syntax.txt script should not really be called a script in itself. This way. This script was written for testing purposes only.Iptables Tutorial 1.1.internet And tail -n 0 -f /var/log/messages while doing the first command. However. For example.the. When all of this is done. After this we flush all chains first in the filter table and then in the NAT table. you will get information on which chain was traversed and in which order. which we have discussed briefly previously in the How a rule is built chapter.flush-iptables.

to something useful. it will translate all the different ports according to the /etc/ services file as well as DNS all the IP addresses to get DNS records instead.1.1. This table can not be edited and even if it was possible. if you start mucking around in the mangle table. and translate everything possible to a more readable form.unix-fu. iptables -F INPUT will erase the whole INPUT chain. To get around this problem we would do something like the following: iptables -L -n Another thing that might be interesting is to see a few statistics about each policy. do as how you set it to DROP. in case you've got multiple lines looking exactly the same in the chain.0. rule and chain.168. you might just change the -A parameter to -D in the line you added in error. This table contains all the different connections currently tracked and serves as a basic table so we always know what state a connection currently is in. 192. though.9 Página 71 iptables -L This command should list your currently active ruleset. ie 192. iptables will find the erroneous line and erase it for you. To reset the chain policy. it would be a bad idea. for example iptables -P INPUT ACCEPT. It would then look something like this: iptables -L -n -v There is also a few files that might be interesting to look at in the /proc filesystem. One thing though. I've actually gotten this question a couple times by now so I thought I'd answer it right here. this will not change the default policy. this script will not erase those. I have made a small script (available as an appendix as well) that will flush and reset your iptables that you might consider using while setting up your rc.168. If this is not the wanted behaviour you might try to use the -D option as iptables -D INPUT 10 which will erase the 10th rule in the INPUT chain. The later can be a bit of a problem though. For example. it erases the first instance it finds matching your rule.Iptables Tutorial 1. If you added a rule in error. For example. For example. in this case you might want to run the -F option.0/16 is a private range though and should not resolve to anything and the command will seem to hang while resolving the IP. it will try to resolve LAN IP addresses.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . there are actually commands to flush them. so you don't have to reboot. To see the table you can run the following command: cat /proc/net/conntrack | less The above command will show all currently tracked connections even though it might be a bit hard to understand everything. it might be interesting to know what connections are currently in the conntrack table. There is also instances where you want to flush a whole chain. Updating and flushing your tables If at some point you screw up your iptables. We could get this by adding the verbose flag.1. For example. so if this is set to DROP you'll block the whole INPUT chain if used as above.firewall. it is rather simple to add http://people.txt file properly.

In case your client sits behind a Network Address Translationing system (iptables). ip_conntrack_ftp and ip_nat_ftp code as modules and not statically into the kernel. packets with the SYN bit unset will get through your firewall. then the packets data section needs to be NAT'ed too. you'd just load the ip_conntrack_irc and ip_nat_irc modules. you would load the ip_conntrack_ftp and ip_nat_ftp modules. What these modules do is that they add support to the connection tracking machine and the NAT machine so they can distinguish and modify a Passive FTP connection or a DCC send connection.unix-fu. The client tells the server that it wants to send or receive data and the server replies.9 Página 72 the few lines needed to erase those but I have not added those here since the mangle table is not used in my rc. ip_nat_irc. another firewall. that is what the ip_nat_ftp module does.org/andreasson/iptables-tutorial/iptables-tutorial. As you can understand from this document. telling the client what address to connect to and what port to use. you can for example allow Passive FTP connections. read RFC 959 . Reynolds. but not allow DCC send functions with the new state matching code. during Active FTP the client sends the server an IP address and random port to use and then the server connects to this port on the client. but not the ip_conntrack_ftp and ip_nat_ftp modules. This RFC contains information regarding the FTP protocol and Active and Passive FTP and how they work.4. if you want to let people run IRC from your local network which is using a NAT'ed or masqueraded connection to the internet.firewall. If you use state NEW. the proceeding is reversed.File Transfer Protocol by J.1. Without these modules they can't recognize these kinds of connections. Do note that the ip_nat_* modules are only needed in case you need and want to do Network Adress Translation on the connections. but not the ip_conntrack_irc and ip_nat_irc modules and then do: /usr/local/sbin/iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT To allow Passive FTP but not DCC.Iptables Tutorial 1. This feature is there because in certain cases we want to consider that a packet may be part of an already ESTABLISHED connection on. If you would want to do the reverse. for instance. If you for example want to allow Passive FTP.x kernels. Postel and J. This feature makes it possible to have two or more firewalls. Common problems and questionmarks Passive FTP but no DCC This is one of the really nice parts about the new iptables support in the 2. but not DCC send. In Passive FTP. ie. including me). For more information about Active and Passive FTP.html 21:25:51 10/06/2002 .txt script so far. State NEW packets but no SYN bit set There is a certain feature in iptables that is not so well documented and may therefore be overlooked by a lot of people(yes. and for one of the firewalls to go down without any http://people. Just compile the ip_conntrack_irc. its quite simple once you get to think of it. well. You may ask yourself how.

then load the NEW not SYN packet rules. you connect with telnet or some other stream connection.x IP address range. Certain stupid Internet Service Providers use IP addresses assigned by IANA for their local networks on which you connect to.This does however lead to the fact that state NEW will allow pretty much any kind of TCP connection. the swedish Internet Service Provider and phone monopoly Telia uses this approach for example on their DNS servers.x. the telnet client or daemon tries to send something. It will however not lead to broken connections to my knowledge. OUTPUT and FORWARD chain: $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP The above rules will take care of this problem. and you have the script set to be activated when running a PPP connection.firewall. This is a badly documented behaviour of the netfilter/iptables project and should definitely be more highlighted. To put it simple.org/andreasson/iptables-tutorial/iptables-tutorial. In this case.1. a huge warning is in it's place for this kind of behaviour on your firewall. This only applies when you are running with the conntrack and nat codebases as modules. If someone is currently connected to the firewall. In other words.9 Página 73 loss of data. lets say from the LAN. Start the connection tracking modules. set the --log-headers option to the rule and log the headers too and you'll get a better look at what the packet looks like. or if you are worried anyways. don't worry to much about this rule. the packet will match to the rules and be logged and afterwards dropped to the ground. Internet Service Providers who use assigned IP addresses I have added this since a friend of mine told me something I have totally forgotten. The above rules will lead to certain conditions where packets generated by microsoft products gets labeled as a state NEW and hence get logged and dropped. Finally. which uses the 10. In other words. At this point the faulty Microsoft implementation sends another packet which is considered as state NEW but lacks the SYN bit and hence gets matched by the above rules. the connection tracking code will not recognise this connection as a legal connection since it has not seen packets in any direction on this connection before. Note that there is some troubles with the above rules and bad Microsoft TCP/IP implementations. The problem http://people. Hence.x.html 21:25:51 10/06/2002 . The matter is that when a connection gets closed and the final FIN/ACK has been sent and the state machine of netfilter has closed this connection and it is no longer in the conntrack table. Another way to get this problem is to run the rc. also there will be no SYN bits set since it is not actually the first packet in the connection. There is one more known problem with these rules.unix-fu. regardless if this is the initial 3-way handshake or not. and the modules are loaded and unloaded each time you run the script. The firewalling of the subnet could then be taken over by our secondary firewall. To take care of this problem we add the following rules to our firewalls INPUT.Iptables Tutorial 1. the person previously connected through the LAN will be more or less killed.txt script from a telnet connection from a host not on the actual firewall. when you start the PPP connection. For example.

in this script. Well.unix-fu.Iptables Tutorial 1. For large corporate sites it is more than ok. These IP address ranges are not assigned for you to use for dumb stuff like this. or you could just comment out that part of the script. do not allow connections from any IP addresses in the 10.x. or your own home network.9 Página 74 you will most probably run into is that we. but you are not supposed to force us to open up ourself just because of some whince of yours.0. This is how it might look: /usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10. ICMP types TYPE CODE Description 0 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Echo Reply Network Unreachable Host Unreachable Protocol Unreachable Port Unreachable Fragmentation needed but no frag. here is unfortunately an example where you actually might have to lift a bit on those rules.html 21:25:51 10/06/2002 .0.x range to us.1. You might just insert an ACCEPT rule above the spoof section to allow traffic from those DNS servers.1/32 -j ACCEPT I would like to take my moment to bitch at these Internet Service Providers. because of spoofing possibilities.x. ICMP types This is a complete listing of all ICMP types: Table 1. bit set Source routing failed Destination network unknown Destination host unknown Source host isolated (obsolete) Destination network administratively prohibited Destination host administratively prohibited Network unreachable for TOS Host unreachable for TOS Communication administratively prohibited by filtering Host precedence violation Query x x x x x x x x x x x x x x x x Error http://people.org/andreasson/iptables-tutorial/iptables-tutorial. at least not to my knowledge.

4. http://netfilter.unix-fu.The iptables 1.from the 2. iptables. It is a must for everyone wanting to set up iptables and netfilter in linux. etc : ip-sysctl. http://people.4 man page. This is an HTML'ized version of the man page which is an excellent reference when reading/writing iptables rulesets.txt .1. A really short reference to the ip_dynaddr settings available via sysctl and the proc filesystem.4.2.txt .14 kernel.filewatcher.org/ .The official netfilter and iptables site.9 Página 75 3 4 5 5 5 5 8 9 10 11 11 12 12 13 14 15 16 17 18 15 0 0 1 2 3 0 0 0 0 1 0 1 0 Precedence cutoff in effect Source quench Redirect for network Redirect for host Redirect for TOS and network Redirect for TOS and host Echo request Router advertisement Route sollicitation TTL equals 0 during transit TTL equals 0 during reassembly IP header bad (catchall error) Required options missing Timestamp request (obsolete) Timestamp reply (obsolete) x x x x x x x x x x x x 0 0 0 0 Information request (obsolete) Information reply (obsolete) Address mask request Address mask reply Other resources and links Here is a list of links to resources and where I have gotten information from.14 kernel. ip_dynaddr.8 . Always have it at hand.html 21:25:51 10/06/2002 .Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial. A little bit short but a good reference for the IP networking controls and what they do to the kernel.from the 2.

tc and the ip commands in Linux.filewatcher.The official netfilter Frequently Asked Questions. For helping me out on some aspects on using the state matching code. For major updates to my horrible grammar and spelling. Rusty Russell. http://netfilter.9 Página 76 http://netfilter.filewatcher.Rusty Russells Unreliable Netfilter Hacking HOWTO. Acknowledgements I would like to thank the following people for their help on this document: Fabrice Marie. Excellent documentation about basic packet filtering with iptables written by one of the core developers of iptables and netfilter.linuxguruz.filewatcher.Excellent linkpage with links to most of the pages on the internet about iptables and netfilter.org/mailman/listinfo/netfilter .Iptables Tutorial 1. Maintained by Stef Coene. Excellent documentation about Network Address Translation in iptables and netfilter written by one of the core developers. This was also written by Rusty Russell.Excellent discussion on automatic hardening of iptables and how to make small changes that will make your computer automatically add hostile sites to a special banlist in iptables.unix-fu.html .html . http://netfilter.islandsoft.html .samba.html . http://www. Also a good place to stat at when wondering what iptables and netfilter is about.org/unreliable-guides/packet-filtering-HOWTO/index.Rusty Russells Unreliable Guide to packet filtering. Also a huge thanks for updating the tutorial to DocBook format with make files etc.org/unreliable-guides/NAT-HOWTO/index. http://netfilter. http://people.org/andreasson/iptables-tutorial/iptables-tutorial.filewatcher.1.docum. http://lists.The official netfilter mailing-list.Rusty Russells Unreliable Guide to Network Address Translation. Marc Boucher. One of the few sites that has any information at all about these programs.org .html .net/veerapen.html 21:25:51 10/06/2002 .org/unreliable-guides/netfilter-hacking-HOWTO/index. http://www. And of course the iptables source.org/netfilter-faq.org/iptables/ . Extremely useful in case you have questions about something not covered in this document or any of the other links here. documentation and individuals who helped me. One of the few documentations on how to write code in the netfilter and iptables userspace and kernel space codebase.Excellent information about the CBQ. Also maintains a list of different iptables scripts for different purposes. http://www.

For helping me out with the graphics. Anders 'DeZENT' Johansson. Janne Johansson. Janssen.7 (4 February 2002) http://www.1.boingworld. Chapman Brad. sorry for not mentioning everyone.1. and you're better than most I know who do graphics.html 21:25:51 10/06/2002 . Michiel Brandenburg. Dave Wreski.boingworld. For giving me hints at stuff that might screw up for people and for trying it out and checking for errors in what I've written. Also thanks for checking the tutorial for errors etc.unix-fu. For helping me out with some of the state matching code and getting it to work.org/andreasson/ By: Oskar Andreasson Contributors: Jim Ramsey.8 (5 March 2002) http://www. Vasoo Veerapen. Adam Mansbridge.1. Phil Schultz. And of course everyone else I talked to and asked for comments on this file. For hinting me about strange ISP's and so on that uses reserved networks on the Internet. Myles Uyema. Both for making me realize I was thinking wrong about how packets traverse the basic NAT and filters tables and in which order they show up. Erik Sjölund.1.6 (7 December 2001) http://people. Bill Dossett. Göran Båge.9 (21 March 2002) http://www. Jelle Kalf.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Vince Herried.1. Galen Johnson. Thomas Smets.Iptables Tutorial 1. Aladdin and Rusty Russell. Jasper http://people. Nyboe.9 Página 77 Frode E.). Kelly Ashe.firewall rules and giving great inspiration while i was to rewrite the ruleset and being the one who introduced the multiple table traversing into the same file. Steven McClintoc. Jeremy `Spliffy' Smith. Phil Schultz. For greatly improving the rc.boingworld. Jason Lam and Evan Nemerson Version 1. Alexander W. Kent `Artech' Stahre. Doug Monroe.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Version 1. Togan Muftuoglu. Neil Jolly.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Parimi Ravi.org/andreasson/iptables-tutorial/iptables-tutorial. I know I suck at graphics. Peter Horst. Version 1.unix-fu. Mitch Landers. History Version 1. or at least on the internet for you.

2 (29 September 2001) http://people.1.1 (26 September 2001) http://people.org/andreasson By: Oskar Andreasson Contributors: Dave Richardson Version 1.org/andreasson By: Oskar Andreasson Contributors: Stig W.unix-fu.html 21:25:51 10/06/2002 .unix-fu.9 Página 78 Aikema.unix-fu.9 (9 September 2001) http://people. Kurt Lieber.org/andreasson By: Oskar Andreasson Version 1.unix-fu.4 (6 November 2001) http://people.7 (23 August 2001) http://people.0 (15 September 2001) http://people.0.org/andreasson By: Oskar Andreasson Contributors: Joni Chu.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie Version 1.org/andreasson By: Oskar Andreasson Version 1. Chris Martin. Branco.0.8 (7 September 2001) http://people.6 http://people.Emile Akabi-Davis and Jelle Kalf Version 1.1.unix-fu. Jonas Pasche. Jensen.1. Chris Pluta and Kurt Lieber Version 1.org/andreasson By: Oskar Andreasson Version 1.unix-fu.1. Chris Tallon.1.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. Steve Hnizdur.unix-fu.0.1.org/andreasson By: Oskar Andreasson Version 1.unix-fu.1.0.5 http://people. Jacco van Koll and Dave Wreski Version 1.org/andreasson By: Oskar Andreasson Version 1.unix-fu.Iptables Tutorial 1.unix-fu.3 (9 October 2001) http://people. Jan Labanowski.0.5 (14 November 2001) http://people.org/andreasson/ By: Oskar Andreasson Contributors: Fabrice Marie. Rodrigo R. N. Merijn Schering and Kurt Lieber Version 1.

1.html 21:25:51 10/06/2002 . below. either commercially or noncommercially. Boston. which means that derivative works of the document must themselves be free in the same sense. because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. it can be used for any textual work. 0. It complements the GNU General Public License. regardless of subject matter or whether it is published as a printed book. Any member of the public is a licensee. March 2000 Copyright (C) 2000 Free Software Foundation. which is a copyleft license designed for free software. This License is a kind of "copyleft". but changing it is not allowed.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie GNU Free Documentation License Version 1. Secondarily. with or without modifying it. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. or with modifications and/or translated into another language. or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it. 59 Temple Place. A "Modified Version" of the Document means any work containing the Document or a portion of it. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. APPLICABILITY AND DEFINITIONS This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document". http://people. this License preserves for the author and publisher a way to get credit for their work.unix-fu. textbook.org/andreasson/iptables-tutorial/iptables-tutorial. while not being considered responsible for modifications made by others. Suite 330. We have designed this License in order to use it for manuals for free software. But this License is not limited to software manuals. refers to any such manual or work. 1. either copied verbatim. We recommend this License principally for works whose purpose is instruction or reference.9 Página 79 http://people. and is addressed as "you".unix-fu. Inc.Iptables Tutorial 1. PREAMBLE The purpose of this License is to make a manual.1.

in the notice that says that the Document is released under this License. ethical or political position regarding them. A "Transparent" copy of the Document means a machine-readable copy. SGML or XML using a publicly available DTD. proprietary formats that can be read and edited only by proprietary word processors. LaTeX input format. and the license notice saying this License applies to the Document are reproduced in all copies.9 Página 80 (For example. The "Title Page" means. preceding the beginning of the body of the text. "Title Page" means the text near the most prominent appearance of the work's title. A copy that is not "Transparent" is called "Opaque". or of legal. either commercially or noncommercially. philosophical. Opaque formats include PostScript. represented in a format whose specification is available to the general public. plus such following pages as are needed to hold. and the machine-generated HTML produced by some word processors for output purposes only. However. if the Document is in part a textbook of mathematics.html 21:25:51 10/06/2002 . for a printed book. the title page itself. VERBATIM COPYING You may copy and distribute the Document in any medium. If you distribute a large enough number of copies you must also follow the conditions in section 3. as Front-Cover Texts or BackCover Texts. whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor. in the notice that says that the Document is released under this License. the copyright notices. For works in formats which do not have any title page as such. you may accept compensation in exchange for copies. provided that this License.org/andreasson/iptables-tutorial/iptables-tutorial. You may also lend copies. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. SGML or XML for which the DTD and/or processing tools are not generally available. Examples of suitable formats for Transparent copies include plain ASCII without markup. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent.unix-fu. commercial.Iptables Tutorial 1. the material this License requires to appear in the title page. and standardconforming simple HTML designed for human modification. The "Invariant Sections" are certain Secondary Sections whose titles are designated. 2. a Secondary Section may not explain any mathematics.1. The "Cover Texts" are certain short passages of text that are listed. under the same conditions stated above. and you may publicly display copies. PDF. and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters.) The relationship could be a matter of historical connection with the subject or with related matters. and that you add no other conditions whatsoever to those of this License. Texinfo input format. as being those of Invariant Sections. http://people. legibly.

1. if any) a title distinct from that of the Document. with the Modified Version filling the role of the Document. be listed in the History section of the Document). It is requested. If the required texts for either cover are too voluminous to fit legibly. you should put the first ones listed (as many as fit reasonably) on the actual cover. as long as they preserve the title of the Document and satisfy these conditions. to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. List on the Title Page. all these Cover Texts: Front-Cover Texts on the front cover. Use in the Title Page (and on the covers. one or more persons or entities responsible for authorship of the modifications in the Modified Version. but not required. Both covers must also clearly and legibly identify you as the publisher of these copies.9 Página 81 3. and Back-Cover Texts on the back cover. In addition. The front cover must present the full title with all words of the title equally prominent and visible. if there were any. or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document.unix-fu. together with at least five of the principal authors of the Document (all of its principal authors. which the general network-using public has access to download anonymously at no charge using public-standard network protocols.org/andreasson/iptables-tutorial/iptables-tutorial. you must do these things in the Modified Version: A.html 21:25:51 10/06/2002 . when you begin distribution of Opaque copies in quantity. If you use the latter option. if it has less than five). You may add other material on the covers in addition. that you contact the authors of the Document well before redistributing any large number of copies. 4. to give them a chance to provide you with an updated version of the Document. provided that you release the Modified Version under precisely this License. you must take reasonably prudent steps. thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. clearly and legibly. Copying with changes limited to the covers. and the Document's license notice requires Cover Texts.Iptables Tutorial 1. You may use the same title as a previous version if the original publisher of that version gives permission. and from those of previous versions (which should. you must enclose the copies in covers that carry. COPYING IN QUANTITY If you publish printed copies of the Document numbering more than 100. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above. http://people. B. If you publish or distribute Opaque copies of the Document numbering more than 100. as authors. free of added material. can be treated as verbatim copying in other respects. and continue the rest onto adjacent pages. you must either include a machine-readable Transparent copy along with each Opaque copy.

and its title. F. in the form shown in the Addendum below.html 21:25:51 10/06/2002 . Delete any section entitled "Endorsements". http://people. E. or if the original publisher of the version it refers to gives permission. unaltered in their text and in their titles. Preserve the network location. add their titles to the list of Invariant Sections in the Modified Version's license notice. new authors. and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices. provided it contains nothing but endorsements of your Modified Version by various parties--for example. You may omit a network location for a work that was published at least four years before the Document itself. Preserve the section entitled "History".1. Preserve all the Invariant Sections of the Document. N. You may add a section entitled "Endorsements". State on the Title page the name of the publisher of the Modified Version.org/andreasson/iptables-tutorial/iptables-tutorial. you may at your option designate some or all of these sections as invariant. and publisher of the Modified Version as given on the Title Page. M. These may be placed in the "History" section. L. K. These titles must be distinct from any other section titles.unix-fu. H. I. year. a license notice giving the public permission to use the Modified Version under the terms of this License. immediately after the copyright notices. and publisher of the Document as given on its Title Page. Such a section may not be included in the Modified Version. In any section entitled "Acknowledgements" or "Dedications". Include. If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document. then add an item describing the Modified Version as stated in the previous sentence. as the publisher. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section. given in the Document for public access to a Transparent copy of the Document. create one stating the title.9 Página 82 C. year.Iptables Tutorial 1. Include an unaltered copy of this License. If there is no section entitled "History" in the Document. preserve the section's title. and likewise the network locations given in the Document for previous versions it was based on. authors. J. G. Section numbers or the equivalent are not considered part of the section titles. and add to it an item stating at least the title. if any. D. statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice. Preserve all the copyright notices of the Document. To do this.

Iptables Tutorial 1.1.9

Página 83

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice. The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT
http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 84

WORKS
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document. If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.

8. TRANSLATION
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.

9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/. Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 85

following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

How to use this License for your documents
To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page: Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License". If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts. If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

GNU General Public License
Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 86

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.

1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 87

having been made by running the Program). Whether that is true depends on what the Program does. 3. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 4. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: 1. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 2. You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. 3. If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 5. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Accompany it with the information you received as to the offer to distribute corresponding source code. or. plus the scripts used to control compilation and installation of the executable. and will automatically terminate your rights under this License. and all its terms and conditions for copying. You may not copy. A. 9. C. However. complete source code means all the source code for all modules it contains. However. You are not required to accept this License. or rights.) The source code for a work means the preferred form of the work for making modifications to it. These actions are prohibited by law if you do not accept this License. distributing or modifying the Program or works based on it. 8. sublicense. valid for at least three years. modify. sublicense or distribute the Program is void.org/andreasson/iptables-tutorial/iptables-tutorial. However. in accord with Subsection b above. B. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. since you have not signed it. the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer. you indicate your acceptance of this License to do so. the recipient automatically receives a license from the original licensor to copy. to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of executable or object code is made by offering access to copy from a designated place. or. for a charge no more than your cost of physically performing source distribution. Each time you redistribute the Program (or any work based on the Program). which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. 7. even though third parties are not compelled to copy the source along with the object code.Iptables Tutorial 1.unix-fu. http://people. then offering equivalent access to copy the source code from the same place counts as distribution of the source code. and so on) of the operating system on which the executable runs. For an executable work. Accompany it with a written offer. a complete machine-readable copy of the corresponding source code. modify.9 Página 88 one of the following: 6.1. Any attempt otherwise to copy. distribute or modify the Program subject to these terms and conditions.html 21:25:51 10/06/2002 . nothing else grants you permission to modify or distribute the Program or its derivative works. Therefore. parties who have received copies. You are not responsible for enforcing compliance by third parties to this License. to give any third party. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. kernel. by modifying or distributing the Program (or any work based on the Program). plus any associated interface definition files. or distribute the Program except as expressly provided under this License. Accompany it with the complete corresponding machine-readable source code. as a special exception. unless that component itself accompanies the executable.

12.unix-fu. If any portion of this section is held invalid or unenforceable under any particular circumstance. write to the author to ask for permission. we sometimes make exceptions for this. write to the Free Software Foundation. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations. the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries. if a patent license would not permit royaltyfree redistribution of the Program by all those who receive copies directly or indirectly through you. For software which is copyrighted by the Free Software Foundation. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. 11. they do not excuse you from the conditions of this License. If the Program specifies a version number of this License which applies to it and "any later version". you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues). so that distribution is permitted only in or among countries not thus excluded. but may differ in detail to address new problems or concerns. Such new versions will be similar in spirit to the present version. If the Program does not specify a version number of this License.org/andreasson/iptables-tutorial/iptables-tutorial. this License incorporates the limitation as if written in the body of this License. In such case. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different.9 Página 89 10.html 21:25:51 10/06/2002 . For example. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims. you may choose any version ever published by the Free Software Foundation. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces.1. Each version is given a distinguishing version number. this section has the sole purpose of protecting the integrity of the free software distribution system. then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. http://people. the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. If. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. which is implemented by public license practices. then as a consequence you may not distribute the Program at all. agreement or otherwise) that contradict the conditions of this License.Iptables Tutorial 1. conditions are imposed on you (whether by court order.

INCLUDING. INCLUDING ANY GENERAL. OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE.html 21:25:51 10/06/2002 . and each file should have at least the "copyright" line and a pointer to where the full notice is found. either version 2 of the License.org/andreasson/iptables-tutorial/iptables-tutorial. To do so. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER.9 Página 90 13. the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. SPECIAL. 14. attach the following notices to the program. http://people. NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE.unix-fu. <one line to give the program's name and a brief idea of what it does. REPAIR OR CORRECTION. BE LIABLE TO YOU FOR DAMAGES. or (at your option) any later version. YOU ASSUME THE COST OF ALL NECESSARY SERVICING. BUT NOT LIMITED TO. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND. SHOULD THE PROGRAM PROVE DEFECTIVE. and you want it to be of the greatest possible use to the public.Iptables Tutorial 1. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty. END OF TERMS AND CONDITIONS 2. EITHER EXPRESSED OR IMPLIED.1.> Copyright (C) <year> <name of author> This program is free software. THERE IS NO WARRANTY FOR THE PROGRAM. How to Apply These Terms to Your New Programs If you develop a new program. EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS). you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation.

Example scripts codebase Example rc. Suite 330. if not. MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. if necessary.Initial SIMPLE IP Firewall script for Linux 2.firewall script #!/bin/sh # # rc. 59 Temple Place. use the GNU Library General Public License instead of this License. This is free software. and you are welcome to redistribute it under certain conditions.org/andreasson/iptables-tutorial/iptables-tutorial. write to the Free Software Foundation. if any. You should have received a copy of the GNU General Public License along with this program. Of course.unix-fu. Inc. Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY.Iptables Tutorial 1. alter the names: Yoyodyne. If the program is interactive.. type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. but WITHOUT ANY WARRANTY.html 21:25:51 10/06/2002 . the commands you use may be called something other than `show w' and `show c'. If your program is a subroutine library. You should also get your employer (if you work as a programmer) or your school. 1 April 1989 Ty Coon. President of Vice This General Public License does not permit incorporating your program into proprietary programs. for details type `show w'. Inc. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.9 Página 91 This program is distributed in the hope that it will be useful.net> # http://people.1.4.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. Boston. See the GNU General Public License for more details. <signature of Ty Coon>. make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69. Here is a sample.. you may consider it more useful to permit linking proprietary applications with the library. to sign a "copyright disclaimer" for the program. they could even be mouse-clicks or menu items--whatever suits your program. hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. If this is what you want to do.firewall .

http://people.2" LAN_IP_RANGE="192.255..3 DMZ Configuration. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. # but WITHOUT ANY WARRANTY.1. Boston.9 Página 92 # This program is free software.unix-fu.155" INET_IFACE="eth0" # # 1.org/andreasson/iptables-tutorial/iptables-tutorial.0 # LAN_IP="192. Suite 330. Configuration options.255" LAN_IFACE="eth1" # # 1. write to the Free Software Foundation.50.html 21:25:51 10/06/2002 .0.0.0/16" LAN_BCAST_ADRESS="192.2 PPPoE # # # 1. # # your LAN's IP range and localhost IP.Iptables Tutorial 1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. Inc.1 Internet Configuration.168. /24 means to only use the first 24 # bits of the 32 bit IP adress.2 Local Area Network configuration.255. MA 02111-1307 USA # ########################################################################### # # 1.168. # # # 1. version 2 of the License.236.1. See the # GNU General Public License for more details. # # This program is distributed in the hope that it will be useful.1. # INET_IP="194. if not.168. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 59 Temple # Place.255. the same as netmask 255.1 DHCP # # # 1.

2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT http://people.org/andreasson/iptables-tutorial/iptables-tutorial.1" # # 1. # LO_IFACE="lo" LO_IP="127. Module loading. # ########################################################################### # # 2.unix-fu.1.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.Iptables Tutorial 1.5 IPTables Configuration.6 Other Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.html 21:25:51 10/06/2002 .0. # # # Needed to initially load modules # /sbin/depmod -a # # 2.9 Página 93 # # # 1.4 Localhost Configuration.0.

1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4. # ###### # 4.Iptables Tutorial 1.1 Filter table # # # 4.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.1.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets http://people.9 Página 94 #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.org/andreasson/iptables-tutorial/iptables-tutorial.1.html 21:25:51 10/06/2002 . # # # 3. /proc set up.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.unix-fu. rules set up.

TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.unix-fu.1.Iptables Tutorial 1.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.1.9 Página 95 # # Create separate chains for ICMP.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports http://people.

1.1.9 Página 96 # # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.html 21:25:51 10/06/2002 . # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.5 FORWARD chain # http://people.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.1. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.4 INPUT chain # # # Bad TCP packets we don't want.unix-fu. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.

9 Página 97 # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.Iptables Tutorial 1.RELATED -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.1.html 21:25:51 10/06/2002 .unix-fu. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.1.org/andreasson/iptables-tutorial/iptables-tutorial.2 nat table # http://people.6 OUTPUT chain # # # Bad TCP packets we don't want.

2.2.3.2.3 Create content in user specified chains # # # 4.4 PREROUTING chain # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.2.3 Create content in user specified chains # # # 4.2.unix-fu.1 Set policies # # # 4.2 Create user specified chains # # # 4.4 PREROUTING chain # http://people.Iptables Tutorial 1.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.html 21:25:51 10/06/2002 .3.2 Create user specified chains # # # 4.3.1.1 Set policies # # # 4.3.2.6 OUTPUT chain # ###### # 4.3 mangle table # # # 4.9 Página 98 # # 4.

net> # # This program is free software.9 Página 99 # # 4.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. # # http://people.org/andreasson/iptables-tutorial/iptables-tutorial. write to the Free Software Foundation.unix-fu.. Suite 330.6 FORWARD chain # # # 4.3.DMZ IP Firewall script for Linux 2.5 INPUT chain # # # 4.3. version 2 of the License.4. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.7 OUTPUT chain # # # 4.firewall .3. See the # GNU General Public License for more details.1. Boston.3.DMZ. MA 02111-1307 USA # ########################################################################### # # 1.html 21:25:51 10/06/2002 . # but WITHOUT ANY WARRANTY. 59 Temple # Place.Iptables Tutorial 1. Configuration options. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.8 POSTROUTING chain # Example rc. Inc.firewall script #!/bin/sh # # rc.DMZ. if not. # # This program is distributed in the hope that it will be useful. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.

1.2 Local Area Network configuration.3" DMZ_IP="192.1.1 Internet Configuration.1.236.50. # INET_IP="194.2 PPPoE # # # 1.168.1. # # your LAN's IP range and localhost IP.4 Localhost Configuration.9 Página 100 # 1.255" LAN_IFACE="eth1" # # 1.154" INET_IFACE="eth0" # # 1.153" DNS_IP="194.0.html 21:25:51 10/06/2002 .255.org/andreasson/iptables-tutorial/iptables-tutorial.1.168.236.0.0 # LAN_IP="192.0.152" HTTP_IP="194.0.unix-fu.Iptables Tutorial 1. # LO_IFACE="lo" LO_IP="127.168.0/16" LAN_BCAST_ADRESS="192.50.1 DHCP # # # 1.168. # DMZ_HTTP_IP="192.255.255.236.2" LAN_IP_RANGE="192.1" DMZ_IFACE="eth2" # # 1. /24 means to only use the first 24 # bits of the 32 bit IP adress.168. # IPTABLES="/usr/sbin/iptables" http://people.3 DMZ Configuration. the same as netmask 255.168.50.5 IPTables Configuration.1" # # 1.1.2" DMZ_DNS_IP="192.

6 Other Configuration.org/andreasson/iptables-tutorial/iptables-tutorial.1.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.unix-fu.9 Página 101 # # 1.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2. # # # 3.1 Required proc configuration # http://people. Module loading. /proc set up.Iptables Tutorial 1.html 21:25:51 10/06/2002 . # # # Needed to initially load modules # /sbin/depmod -a # # 2. # ########################################################################### # # 2.

TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.html 21:25:51 10/06/2002 .1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.unix-fu.Iptables Tutorial 1.3 Create content in userspecified chains # http://people.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.1.1 Filter table # # # 4. # ###### # 4.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.1.9 Página 102 echo "1" > /proc/sys/net/ipv4/ip_forward # # 3. rules set up.org/andreasson/iptables-tutorial/iptables-tutorial.

RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # 4.unix-fu.1. DMZ or LOCALHOST # # # From DMZ Interface to DMZ firewall IP # http://people.1.9 Página 103 # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial.4 INPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Packets from the Internet to this box # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # # Packets from LAN.Iptables Tutorial 1.html 21:25:51 10/06/2002 .

9 Página 104 $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT # # From LAN Interface to LAN firewall IP # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT # # From Localhost interface to Localhost IP # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT # # All established and related packets incoming from the internet to the # firewall # $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.Iptables Tutorial 1.html 21:25:51 10/06/2002 .unix-fu.1.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # DMZ section # # General rules # $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT http://people.1.org/andreasson/iptables-tutorial/iptables-tutorial.RELATED \ -j ACCEPT # # Logging rule # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.

Iptables Tutorial 1.1.RELATED -j ACCEPT # # LOG all packets reaching here # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.1.RELATED -j ACCEPT $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT # # HTTP server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ --dport 80 -j allowed $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ -j icmp_packets # # DNS server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j allowed $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j ACCEPT $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ -j icmp_packets # # LAN section # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets http://people.9 Página 105 $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \ --state ESTABLISHED.

2 nat table # # # 4.5 POSTROUTING chain # http://people.2 Create user specified chains # # # 4.3 Create content in user specified chains # # # 4.2.1 Set policies # # # 4.2.2.9 Página 106 # # Allow ourself to send packets not spoofed everywhere # $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT # # Logging rule # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2.4 PREROUTING chain # # # Enable IP Destination NAT for DMZ zone # $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \ -j DNAT --to-destination $DMZ_HTTP_IP $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.1.unix-fu.html 21:25:51 10/06/2002 .Iptables Tutorial 1.2.

3.6 OUTPUT chain # ###### # 4.3 mangle table # # # 4.Iptables Tutorial 1.2 Create user specified chains # # # 4.1 Set policies # # # 4.3.3.3.3.7 OUTPUT chain # # # 4.3.9 Página 107 # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.3.5 INPUT chain # # # 4.4 PREROUTING chain # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.2.6 FORWARD chain # # # 4.1.unix-fu.8 POSTROUTING chain # http://people.3 Create content in user specified chains # # # 4.html 21:25:51 10/06/2002 .3.

Suite 330.UTIN Firewall script for Linux 2.firewall . Configuration options.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.net> # # This program is free software.Iptables Tutorial 1. version 2 of the License.1. Inc. # INET_IP="194. write to the Free Software Foundation. # # This program is distributed in the hope that it will be useful. Boston. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. # but WITHOUT ANY WARRANTY.. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.UTIN. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.9 Página 108 Example rc.1 Internet Configuration.2 PPPoE # # # 1.1.1 DHCP # # # 1.236. # # your LAN's IP range and localhost IP.1.html 21:25:51 10/06/2002 .50. MA 02111-1307 USA # ########################################################################### # # 1.2 Local Area Network configuration. See the # GNU General Public License for more details. # # # 1. if not.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.4. 59 Temple # Place.firewall script #!/bin/sh # # rc.155" INET_IFACE="eth0" # # 1. /24 means to only use the first 24 http://people.

# # # 1.org/andreasson/iptables-tutorial/iptables-tutorial. # LO_IFACE="lo" LO_IP="127.2" LAN_IP_RANGE="192.0.1" # # 1. # # # Needed to initially load modules # /sbin/depmod -a # # 2.168. # ########################################################################### # # 2.unix-fu.255.255.5 IPTables Configuration.168.0.html 21:25:51 10/06/2002 . Module loading.6 Other Configuration.Iptables Tutorial 1.9 Página 109 # bits of the 32 bit IP adress. # IPTABLES="/usr/sbin/iptables" # # 1.0 # LAN_IP="192.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat http://people.0/16" LAN_BCAST_ADRESS="192. the same as netmask 255.0.168.255.4 Localhost Configuration.0.3 DMZ Configuration.255" LAN_IFACE="eth1" # # 1.1.

Iptables Tutorial 1.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. # ###### # 4.org/andreasson/iptables-tutorial/iptables-tutorial.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP http://people. /proc set up.html 21:25:51 10/06/2002 . # # # 3.1.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.1 Filter table # # # 4.unix-fu. rules set up.9 Página 110 /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.

RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT http://people.unix-fu. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.html 21:25:51 10/06/2002 .2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.1.9 Página 111 $IPTABLES -P FORWARD DROP # # 4.1.1.Iptables Tutorial 1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial.

4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from anywhere # $IPTABLES -A INPUT -p ICMP -j icmp_packets $IPTABLES -A INPUT -p TCP -j tcp_packets $IPTABLES -A INPUT -p UDP -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.1. # http://people.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.9 Página 112 # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.html 21:25:51 10/06/2002 .Iptables Tutorial 1.1.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.

Iptables Tutorial 1. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # http://people.1. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward between interfaces.6 OUTPUT chain # # # Bad TCP packets we don't want.html 21:25:51 10/06/2002 .unix-fu.RELATED -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.org/andreasson/iptables-tutorial/iptables-tutorial. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.9 Página 113 $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.1.

1.4 PREROUTING chain # # # 4.html 21:25:51 10/06/2002 .2 nat table # # # 4.unix-fu.3 mangle table # # # 4.2.2.2.3.1 Set policies # # http://people.org/andreasson/iptables-tutorial/iptables-tutorial.2 Create user specified chains # # # 4.3 Create content in user specified chains # # # 4.Iptables Tutorial 1.6 OUTPUT chain # ###### # 4.1 Set policies # # # 4. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2.2.9 Página 114 # Log weird packets that don't match the above.2.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.

firewall script #!/bin/sh # # rc.Iptables Tutorial 1.4. version 2 of the License.3.firewall .5 INPUT chain # # # 4.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.1. # # This program is distributed in the hope that it will be useful.3.3.3.org/andreasson/iptables-tutorial/iptables-tutorial. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.3.2 Create user specified chains # # # 4. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.3.8 POSTROUTING chain # Example rc.net> # # This program is free software. See the # GNU General Public License for more details.3 Create content in user specified chains # # # 4. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it http://people.DHCP.unix-fu.4 PREROUTING chain # # # 4.DHCP IP Firewall script for Linux 2.3.7 OUTPUT chain # # # 4. # but WITHOUT ANY WARRANTY.9 Página 115 # 4.html 21:25:51 10/06/2002 .6 FORWARD chain # # # 4.

Iptables Tutorial 1.1.9

Página 116

# from; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA 02111-1307 USA # ########################################################################### # # 1. Configuration options. # # # 1.1 Internet Configuration. # INET_IFACE="eth0" # # 1.1.1 DHCP # # # Information pertaining to DHCP over the Internet, if needed. # # Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP # over the Internet set this variable to yes, and set up the proper IP # adress for the DHCP server in the DHCP_SERVER variable. # DHCP="no" DHCP_SERVER="195.22.90.65" # # 1.1.2 PPPoE # # Configuration options pertaining to PPPoE. # # If you have problem with your PPPoE connection, such as large mails not # getting through while small mail get through properly etc, you may set # this option to "yes" which may fix the problem. This option will set a # rule in the PREROUTING chain of the mangle table which will clamp # (resize) all routed packets to PMTU (Path Maximum Transmit Unit). # # Note that it is better to set this up in the PPPoE package itself, since # the PPPoE configuration option will give less overhead. # PPPOE_PMTU="no" # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 117

# 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1" # # 1.3 DMZ Configuration. # # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. #

########################################################################### # # 2. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1 Required modules # /sbin/modprobe ip_conntrack http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 118

/sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_MASQUERADE # # 2.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc

########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 119

$IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 120

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT if [ $DHCP == "yes" ] ; then $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.1.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

html 21:25:51 10/06/2002 .RELATED -j ACCEPT # # Log weird packets that don't match the above.RELATED -j ACCEPT # # Log weird packets that don't match the above.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.unix-fu.1.9 Página 121 $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \ --state ESTABLISHED.1.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.1.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial. http://people. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.

6 OUTPUT chain # ###### # 4.html 21:25:51 10/06/2002 .3 Create content in user specified chains # # # 4. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.RST SYN \ -j TCPMSS --clamp-mss-to-pmtu fi $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE # # 4.1 Set policies # # # 4.2.Iptables Tutorial 1.2.2.unix-fu. then $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN.2 nat table # # # 4.2.9 Página 122 # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # # Log weird packets that don't match the above.2 Create user specified chains # # # 4.2.org/andreasson/iptables-tutorial/iptables-tutorial.3 mangle table http://people.4 PREROUTING chain # # # 4.2.5 POSTROUTING chain # if [ $PPPOE_PMTU == "yes" ] .1.

3.1.3.3.3.3.3 Create content in user specified chains # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.8 POSTROUTING chain # Example rc.3.3.Iptables Tutorial 1.7 OUTPUT chain # # # 4.3.unix-fu.9 Página 123 # # # 4.2 Create user specified chains # # # 4.flush-iptables script #!/bin/sh # http://people.html 21:25:51 10/06/2002 .5 INPUT chain # # # 4.1 Set policies # # # 4.4 PREROUTING chain # # # 4.6 FORWARD chain # # # 4.

org/andreasson/iptables-tutorial/iptables-tutorial.Resets iptables to default values.Iptables Tutorial 1. version 2 of the License.1. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.html 21:25:51 10/06/2002 . # $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT # # reset the default policies in the mangle table. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. See the # GNU General Public License for more details. Inc.9 Página 124 # rc. write to the Free Software Foundation. # # This program is distributed in the hope that it will be useful. MA 02111-1307 USA # # Configurations # IPTABLES="/usr/sbin/iptables" # # reset the default policies in the filter table.. # $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT # # reset the default policies in the nat table. if not. # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F http://people. Boston. Suite 330. # but WITHOUT ANY WARRANTY.flush-iptables . # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT # # flush all the rules in the filter and nat tables.net> # # This program is free software. 59 Temple # Place.unix-fu. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.

unix-fu. # $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X Example rc.net> # # This program is free software.test-iptables . you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. 59 Temple # Place. Suite 330. See the # GNU General Public License for more details. # # This program is distributed in the hope that it will be useful.org/andreasson/iptables-tutorial/iptables-tutorial.1. write to the Free Software Foundation. version 2 of the License. Inc. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.9 Página 125 # # erase all chains that's not default in filter and nat table. all chains # iptables -t filter -A INPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter FORWARD:" http://people. MA 02111-1307 USA # # # Filter table.. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # but WITHOUT ANY WARRANTY. Boston.Iptables Tutorial 1. if not.test-iptables script #!/bin/bash # # rc.html 21:25:51 10/06/2002 . without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.test script for iptables chains and tables.

Iptables Tutorial 1.9 Página 126 iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter FORWARD:" # # NAT table.9 Oskar Andreasson blueflux@koffein.Iptables Tutorial 1.unix-fu.1.html 21:25:51 10/06/2002 . # iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat OUTPUT:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat OUTPUT:" # # Mangle table. all chains except OUTPUT which don't work. all chains # iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle OUTPUT:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle OUTPUT:" Done.1.net Copyright © 2001 by Oskar Andreasson http://people.org/andreasson/iptables-tutorial/iptables-tutorial.

Boston. version 2 of the License. you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation. A copy of the license is included in the section entitled "GNU Free Documentation License". The scripts are free source. with the Invariant Sections being "Introduction" and all subsections. with the Front-Cover Texts being "Original Author: Oskar Andreasson". without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Inc.1. See the GNU General Public License for more details. under the section entitled "GNU General Public License". 59 Temple Place. but WITHOUT ANY WARRANTY.. if not.html 21:25:51 10/06/2002 . These scripts are distributed in the hope that they will be useful. Suite 330.Iptables Tutorial 1. All scripts in this tutorial are covered by the GNU General Public License.1.9 Página 127 Permission is granted to copy. distribute and/or modify this document under the terms of the GNU Free Documentation License. write to the Free Software Foundation. You should have received a copy of the GNU General Public License within this tutorial. MA 02111-1307 USA Table of Contents Introduction Why this document was written How it was written About the author Dedications Preparations Where to get iptables Kernel setup 1 userland setup Compiling the userland applications Installation on Red Hat 7. Version 1. and with no BackCover Texts.1 How a rule is built Basics Tables Commands Matches Generic matches Implicit matches Explicit matches http://people.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.

1.Iptables Tutorial 1.firewall Configuration options Initial loading of extra modules proc set up Displacement of rules to different chains Setting up the different chains used INPUT chain The TCP allowed chain The ICMP chain The TCP chain The UDP chain OUTPUT chain FORWARD chain PREROUTING chain of the nat table Starting the Network Address Translation http://people.firewall explanation of rc.html 21:25:51 10/06/2002 .firewall file example rc.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 128 Targets/Jumps ACCEPT target DROP target QUEUE target RETURN target LOG target MARK target REJECT target TOS target MIRROR target SNAT target DNAT target MASQUERADE target REDIRECT target TTL target ULOG target Traversing of tables and chains General Mangle table 1 Nat table 2 Filter table rc.

firewall.UTIN.1.Iptables Tutorial 1. APPLICABILITY AND DEFINITIONS 2. PREAMBLE 1. COPYING IN QUANTITY 4. TRANSLATION 9. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents GNU General Public License http://people. COLLECTIONS OF DOCUMENTS 7.unix-fu. AGGREGATION WITH INDEPENDENT WORKS 8.txt Detailed explanations of special commands Listing your active ruleset Updating and flushing your tables Common problems and questionmarks Passive FTP but no DCC State NEW packets but no SYN bit set Internet Service Providers who use assigned IP addresses ICMP types Other resources and links Acknowledgements History GNU Free Documentation License 0.txt rc.firewall.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 129 Example scripts rc.txt 10. VERBATIM COPYING 3.txt rc.firewall. 5. COMBINING DOCUMENTS 6. MODIFICATIONS 1. TERMINATION 10.flush-iptables.txt script structure The structure rc.DMZ.txt rc.html 21:25:51 10/06/2002 .test-iptables. rc.firewall.firewall.DHCP.txt rc.

this file was originally based upon the masquerading HOWTO for those of you who recognize it.UTIN.Iptables Tutorial 1. This document will guide you through the setup process step by step.flush-iptables. Among other things. I found a big empty space in the HOWTO's out there lacking in information about the iptables and netfilter functions in the new Linux 2.txt. How to Apply These Terms to Your New Programs Example scripts codebase Example rc.test-iptables script Introduction Why this document was written Well. This tutorial has turned a little bit harder to follow this way but at the same time it is more logical. I have decided to just follow the basic chains and from there go down into each and one of the chains traversed in each due order. http://people.firewall script Example rc. hopefully make you understand some more about the iptables package.txt file that you can use in your /etc/rc. I will base most of the stuff here on the example rc.4. Preamble 1. TERMS AND CONDITIONS FOR COPYING. How it was written I've placed questions to Marc Boucher and others from the core netfilter team.x kernels.firewall script Example rc.firewall script Example rc.firewall.d/ scripts.org/andreasson/iptables-tutorial/iptables-tutorial. there's a small script that I wrote just in case you screw up as much as I did during the configuration available as rc. Also.html 21:25:51 10/06/2002 .firewall script Example rc.DHCP. A big thanks going out to them for their work and for their help on this tutorial that I wrote and maintain for boingworld. Is it possible to allow passive FTP to your server. 2.flush-iptables script Example rc. DISTRIBUTION AND MODIFICATION 1. but not allow outgoing DCC from IRC as an example? I will build this all up from an example rc.9 Página 130 0.DMZ. I'm going to try to answer questions that some might have about the new possibilities like state matching.firewall file since I find that example to be a good way to learn how to use iptables.unix-fu. Whenever you find something that's hard to understand.com. Yes. just consult this tutorial.1.

you could make a fairly secure network by dropping all incoming packages not destined to certain ports. and in some respects I found the code not quite ready for release in full production. There was some child diseases in the iptables code that I ran into in the beginning. Dedications First of all I would like to dedicate this document to my wonderful girlfriend Ninel. Second of all. Today. Kernel setup To run the pure basics of iptables you need to configure the following options into the kernel while doing make config or one of it's related commands: http://people. Preparations This chapter is aimed at getting you started and to help you understand the role netfilter and iptables play in Linux today. I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers.org/andreasson/iptables-tutorial/iptables-tutorial. The iptables package also makes use of kernel space facilities which can be configured into the kernel during make configure . I wish I could make you just as happy as you make me. I'd recommend everyone who uses ipchains or even older ipfwadm etc to upgrade unless they're happy with what their current code is capable of and if it does what they need it to. tells the client about it.9 Página 131 About the author I'm someone with too many old computers on my hands. which assigns ports on the server. It is people like those who makes this wonderful operating system possible.unix-fu. sitting with my own LAN and wanting them all to be connected to the Internet. She has supported me more than I ever can support her to any degree.Iptables Tutorial 1. The new iptables is a good upgrade from the old ipchains in this regard. This chapter should hopefully get you set up and finished to go with your experimentation and installation of a firewall which should hopefully run smoothly in the future.html 21:25:51 10/06/2002 . at the same time having it fairly secure.1. Before. Where to get iptables The iptables userspace package can be downloaded from the netfilter homepage. The necessary pieces will be discussed a bit further down in this document. but this would be a problem with things like passive FTP or outgoing DCC in IRC. and then lets the client connect.

if we use the target MARK we could mark a packet and then depending on if this packet is marked further on in the table. this option compiles the helper. In other words. It adds the whole iptables identification framework to kernel. If you need to firewall machines on a LAN you most definitely should mark this option. Every Ethernet adapter has it's own MAC address. this is most definitely required if for anything in this tutorial to work at all. The above will only add some of the pure basics in iptables.firewall. For example.html 21:25:51 10/06/2002 .9 kernel and a brief explanation : CONFIG_IP_NF_CONNTRACK .txt. This module can also be used to avoid certain Denial of Service attacks. An example would be tcpdump or snort.This option is required if you want do any kind of filtering.Iptables Tutorial 1. we can match based on this mark. ie.firewall. For example.unix-fu. PPP and SLIP interfaces. this module is required by the rc. This option is the actual match MARK.txt to work. Connection tracking is used by. masquerading or NAT. it just adds the framework to the kernel. among other things.4. that adds the possibility to control how many packets per minute that's supposed to be matched with a certain rule.This module allows us to match packets with a whole range of destination ports or source ports. And of course you need to add the proper drivers for your interfaces to work properly. -m limit --limit 3/ minute would match a maximum of 3 packets per minute. Here we will show you the options available in a basic 2. and further down we will describe the actual target MARK.This option is required if you're going to use your computer as a firewall or gateway to the internet.This module isn't exactly required but it's used in the example rc.This allows us to use a MARK match.This module is needed to make connection tracking. Ethernet adapter. CONFIG_IP_NF_MATCH_MULTIPORT . Normally this wouldn't be possible.9 Página 132 CONFIG_PACKET .With this match we can match packets based on their TOS field. TOS stands for Type Of Service.This allows us to match packets based on MAC addresses. TOS can also be set by certain rules in the mangle table and via the ip/ tc commands. This option provides the LIMIT match.1. You won't be able to do anything to be pretty honest. you need to set up the proper configuration options in your kernel. Without this you won't be able to do anything at all with iptables. If you don't add this module you won't be able to FTP through a firewall or gateway properly.org/andreasson/iptables-tutorial/iptables-tutorial. If you want to use the more advanced options in IPTables. CONFIG_IP_NF_MATCH_MAC . http://people. NAT and Masquerading. CONFIG_NETFILTER . CONFIG_IP_NF_MATCH_MARK . Since FTP connections are quite hard to do connection tracking on in normal cases conntrack needs a so called helper.This option allows applications and programs that needs to work directly to certain network devices. but with this match it is.This module is required if you want to do connection tracking on FTP connections. For example. CONFIG_IP_NF_MATCH_LIMIT . CONFIG_IP_NF_IPTABLES . I assume you'll want this since you're reading this at all. CONFIG_IP_NF_MATCH_TOS . We don't use this option in the rc.txt example or anywhere else.firewall. We could for instance block packets based on what MAC address used and block a certain computer pretty well since the MAC address don't change. CONFIG_IP_NF_FTP .

This option will add the possibility for us to do matching based on the owner of a socket.html 21:25:51 10/06/2002 . This module is used extensively in the rc.txt example. This module was originally just written as an example on what could be done with the new iptables. CONFIG_IP_NF_MATCH_UNCLEAN .firewall.unix-fu. Mind you that TCP connections are always reset or refused with a TCP RST packet.1. With this option we can do port forwarding. FORWARD and OUTPUT chains. Note that this match is still experimental and might not work perfectly in all cases.firewall. in it's different forms. but mostly is. we remap them to go to our local box instead.This allows packets to be bounced back to the sender of the packet. Note that this match is still experimental and might not work for everyone. if we've already seen trafic in two directions in a TCP connection. CONFIG_IP_NF_MATCH_OWNER . For example. we have the possibility to make a transparent proxy this way.This option adds the possibility for us to match TCP packets based on their MSS field. This module is required if you plan to do any kind of filtering on packets that you receive and send. CONFIG_IP_NF_TARGET_REDIRECT . if we use DHCP. or NAT. CONFIG_IP_NF_TARGET_REJECT . but will work without us knowing the IP in advance.This module will add the possibility for us to match IP. and most definitely on your network if you do not have the ability to add unique IP addresses as specified above. PPP. but we never know if they are legitimate or not. we can allow only the user root to have Internet access. In other words. For example. In the filter table you'll find the INPUT.This target allows us to specify that an ICMP error message should be sent in reply to incoming packets instead of plainly dropping them dead to the floor. UDP and ICMP packets that looks strange or are invalid.This module allows network address translation. CONFIG_IP_NF_NAT . unless you are able to provide unique IP addresses for all hosts. For instance if we don't know what IP we have to the Internet this would be the preferred way of getting the IP instead of using DNAT or SNAT. Masquerading gives a slightly higher load on the computer than NAT does. CONFIG_IP_NF_TARGET_MASQUERADE . if we set up a MIRROR target on destination port HTTP on our INPUT chain and someone tries to access this port we would plainly bounce his packets back to himself and finally he would see his own homepage. For example. this option is required for the example rc.txt to work properly. TCP.9 Página 133 CONFIG_IP_NF_MATCH_TCPMSS . we need to use this target instead of SNAT.This is one of the biggest news in comparison to ipchains. With this module we can do stateful matching on packets.This module adds the MASQUERADE target. We could for example drop these packets. SLIP or some other connection that dynamically assigns us an IP.This target is useful together with proxies for example. masquerading etc. this packet will be counted as ESTABLISHED. Hence. CONFIG_IP_NF_TARGET_MIRROR . http://people. Note that this option is is not required for firewalling and masquerading of a LAN.org/andreasson/iptables-tutorial/iptables-tutorial. Instead of letting a packet pass right through. In other words.Iptables Tutorial 1. CONFIG_IP_NF_MATCH_STATE . CONFIG_IP_NF_FILTER .This module will add the basic filter table which will enable you to do basic filtering.

As you can see. to Linus Torvalds being unable to keep up or not wanting to let the patch in to the mainstream kernel yet since it is still experimental.unix-fu.2 kernels to 2.Iptables Tutorial 1. we'll be able to handle what the authors of netfilter themself call "criminally braindead ISPs or servers" in the kernel configuration help. Do absolutely not look at this as a real long term solution. for the rc.6. This may be for various reasons such as the patch not being stable yet.This option can be used to overcome Internet Service Providers and servers who block ICMP Fragmentation Needed packets.firewall. etcetera. look at the example firewall scripts section. This way. small mails getting through while larger mails don't get through. These are only the options available in a vanilla Linux 2.org/andreasson/iptables-tutorial/iptables-tutorial. POM fixes are additions that are supposed to be added in the kernel in the future but has not quite reached the kernel yet. Do not look at this as any real long term solution for solving migration from Linux 2. We can then use the TCPMSS target to overcome this by clamping our MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit).4.This adds the LOG target to iptables and the functionality of it. ssh works but scp dies after handshake.1. I have briefly explained what kind of extra behaviours you can expect from each module here. I suggest you look at the patch-o-matic functions in netfilter userland which will add heaps of other options in the kernel.4 kernels since it may well be gone with kernel 2. These functions should be added in the future. This can result in webpages not getting through. CONFIG_IP_NF_COMPAT_IPCHAINS . CONFIG_IP_NF_TARGET_TCPMSS .html 21:25:51 10/06/2002 .Adds a compatibility mode with the old ipchains.9 kernel. This could be useful for forensics or debugging a script you're writing. there is a heap of options.9 Página 134 CONFIG_IP_NF_TARGET_LOG . You will need the following options compiled into your kernel. but has not quite made it in yet. If you need help with the options that the other scripts needs. If you would like to get a look at more options.txt script to work.Compatibility mode with old ipfwadm. We can use this module to log certain packets to syslogd and hense see the packet further on. or as modules. CONFIG_PACKET CONFIG_NETFILTER CONFIG_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT http://people. CONFIG_IP_NF_COMPAT_IPFWADM .

To do this step we do something like this from the root of the iptables package: make pending-patches KERNEL_DIR=/usr/src/linux/ The variable KERNEL_DIR should point to the actual place that your kernel source is located at.1 it is disabled per default.3 package and a vanilla 2. userland setup First of all.unix-fu.html 21:25:51 10/06/2002 . For more information read the iptables-1. In the other example scripts I will explain what requirements they have in their respective section. Some of these are highly experimental and may not be a very good idea to install. http://people.3. and other distributions further on in this chapter Compiling the userland applications First of all unpack the iptables package.1. For now.2. Unpack as usual. lets try to stay focused on the main script which you should be studying now.1. we have used the iptables 1.9 kernel. there are some even more experimental patches further along.3.tar.txt script. Here.org/andreasson/iptables-tutorial/iptables-tutorial. there are heaps of extremely interesting matches and targets in this installation step so don't be afraid of at least looking at them.tar.(this can also be accomplished with the tar -xjvf iptables-1. which should do pretty much the same as the first command. one of these are Red Hat 7. in Red Hat 7.firewall. We will check closer on how to enable it on this. After this. Normally this should be /usr/src/linux/ but this may vary. This compilation goes quite a lot hand in hand with the kernel configuration and compilation so you are aware of this.4.Iptables Tutorial 1. there is the option to install extra modules and options etcetera to the kernel. However.The step described here will only check patches that are pending for inclusion to the kernel.bz2. let's look at how we compile the iptables package. However.3. this may not work with older versions of tar).2. However.bz2 | tar -xvf .2.2. using bzip2 -cd iptables-1.9 Página 135 CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE The above will be required at the very least for the rc. and most probably you will know yourself where the kernel source is available. Certain distributions comes with the iptables package preinstalled. which may only be available when you do some other steps.3/INSTALL file which contains pretty good information on compiling and getting the program to run.2. Hopefully the package should now be unpacked properly into a directory named iptables-1.

To do this. To be able to install all of the patch-o-matic stuff you will need to run the following command: make patch-o-matic KERNEL_DIR=/usr/src/linux/ Don't forget to read the help for each patch thoroughly before doing anything. you're on your own. After this you are finished doing the patch-o-matic parts of installation. you would issue the following command to install them: make install KERNEL_DIR=/usr/src/linux/ Hopefully everything should work in the program now. There is a few things that might go wrong with the installation of iptables so don't panic if it won't work. because that's what these commands actually do. One way to install these are by doing the following: make most-of-pom KERNEL_DIR=/usr/src/linux/ The above command would ask about installing parts of what in netfilter world is called patch-o-matic. Don't forget to configure the kernel again since the new patches probably are not added to the configured options and so on. Some patches will destroy other patches while others may destroy your kernel if used together with some patches from patch-omatic etc. but is a bit further away from actually getting there. They ask you before anything is changed in the kernel source.Iptables Tutorial 1. it is in other words not necessary to do the above. but still skip the most extreme patches that might cause havoc in your kernel. If everything has worked smoothly. if not. To compile iptables you issue a simple command that looks like this: make KERNEL_DIR=/usr/src/linux/ The userland application should now compile properly. you're ready to install the binaries by now.unix-fu.html 21:25:51 10/06/2002 . Note that we say ask. Continue by compiling the iptables userland application. there are some really interesting things in the patch-o-matic that you may want to look at so there's nothing bad in just running the commands and see what they contain. though.org/andreasson/iptables-tutorial/iptables-tutorial.1.9 Página 136 This only asks about certain patches that are just about to enter the kernel anyways. try to think logically about it and find out what's wrong or get someone to help you. you may either compile a new kernel making use of the new patches that you have added to the source. However. or possibly try the netfilter mailing list who might help you with your problems. To use any of the changes in the iptables userland applications you should definitely recompile and reinstall your kernel by now if you haven't done so http://people. You may wait with the kernel compilation until after the compilation of the userland program iptables if you feel like it. There might be more patches and additions that the developers of netfilter are about to add to the kernel. You may totally ignore the above steps if you don't want to patch your kernel.

9 Página 137 before. Now the service won't be started in the future. This is used if you automatically boot into Xwindows. For more information about installing the userland applications from source. To make iptables run in these runlevels we would do the following commands: chkconfig --level 235 iptables on http://people. they have disabled the whole thing by using the backwards compatible ipchains module.Iptables Tutorial 1. We would then issue the following command to stop the ipchains service: service ipchains stop Finally. however. By changing this to K we tell it to Kill the service instead. 5. to stop the service from actually running right now we need to run another command.1 comes preinstalled with a 2. The default Red Hat 7.html 21:25:51 10/06/2002 .4.1 Red Hat 7. let's take a brief look at how to turn the module off and how to install iptables instead.1. Multiuser without NFS or the same as 3 if there is no networking.x kernel that has netfilter and iptables compiled in. to start the iptables service. The following command should do it: chkconfig --level 0123456 ipchains off By doing this we move all the soft links that points to the real script to K92ipchains. Normally this would be in runlevel 2.1 installation today comes with an utterly old version of the userspace applications so you might want to compile a new version of the applications as well as install a new and homecompiled kernel before fully exploiting iptables. So. 3 and 5. To do this. However. or to not run it if it was not previously started. Annoying to say the least.org/andreasson/iptables-tutorial/iptables-tutorial. It also contains all the basic userland programs and configuration files that is needed to run it. The first letter which per default would be S tells the initscripts to start the script. and a lot of people are asking different mailing lists why iptables don't work.d/ directory-structure. Full multiuser mode. Installation on Red Hat 7. ie. These runlevels are used for the following things: 2. the normal runlevel to run in. we need to know which runlevels we want it to run in. This is the service command which can be used to work on currently running services. First of all. First of all you will need to turn off the ipchains modules so it won't start in the future. you will need to change some filenames in the /etc/rc. check the INSTALL file in the source which contains excellent information on the subject of installation. 3.unix-fu. X11.

When all of these steps are finished we can deinstall the currently installed ipchains and iptables packages. This file is automatically used by the iptables rc.1 box. This would have the bad effect that the rules would be deleted if you updated the iptables package by RPM. there is two common ways. First of all. Do not intermix this and the previous set up instruction since they may heavily damage eachother and render each and one useless. the iptables rc. such as iptables-save > /etc/sysconfig/ iptables which would save the ruleset to the file /etc/sysconfig/iptables. It's not unusual that the new and the old package get's mixed up since the rpm based installation installs the package in non-standard places and won't get overwritten by the installation for the new iptables package. when you need to fix a screwed up box. don't forget to edit a the stop) section either which tells the script what to do when the computer is going down for example. First we will describe the possibility of doing the set up by cut and paste to the iptables init. make and write a ruleset in a file. you add them under the start) section. or directly with iptables. if you add the rules under the start) section don't forget to stop the start() function from running in the start) section. 3 and 5. This step is only necessary if you will install iptables from the source package. When you reboot the computer in the future. etc: http://people. Note that this set up may be automatically erased if you have. Red Hat Network automatically updating your packages. why keep ipchains lying around when it is of no use? That is done the same way as with the old iptables binaries.d script to restore the ruleset in the future. The second way of doing the set up would require the following steps to be taken.d/init. Level 1 is for single user mode. and don't forget to experiment a bit.html 21:25:51 10/06/2002 . The other way to save the script would be to use service iptables save which would save the script automatically to this file. You could either use it normally.d/iptables script. To activate the iptables service.9 Página 138 The above commands would in other words make the iptables service run in runlevel 2. don't forget to check out the restart section and condrestart. for example. The other way would be to load the ruleset and then save them with the iptables-save command and then have it loaded automatically by the rc. or in the start() function.unix-fu. It may also be erased by updating from the iptables RPM package. Level 4 should be unused.org/andreasson/iptables-tutorial/iptables-tutorial. We do this since we don't want the system to mix up the new iptables userland application with the old preinstalled iptables applications.d script will use the command iptablesrestore to restore the ruleset from the save-file /etc/sysconfig/iptables. When you find a set up that works without problems or bugs as you can see. However.Iptables Tutorial 1. use the iptables-save command. so you should not really need to activate it for those runlevels. do as follows: rpm -e iptables And of course. Also. there is no rules in the iptables script. To add rules to an Red Hat 7. To do the deinstallation. that will meet your requirements. Also. To add rules that should be run when the computer starts the service. If you'd like the iptables service to run in some other runlevel you would have to issue the same command in those.d scripts.1. and level 6 is for shutting the computer down. ie. or when we are entering a runlevel that don't require iptables to run. we just run the following command: service iptables start Of course.d script. none of the other runlevels should be used. Note. First of all. you chould edit the /etc/rc.

Normally we would write a rule something like this: iptables [-t table] command [match] [target/jump] There is nothing that says that the target instruction must be last in the line. for example to insert a rule or to add a rule to the end of the chain. One thing to think about though.unix-fu. you would do this normally to get a better readability. It is not required to put the table specification at this location. It could be set pretty much anywhere in the rule. however. http://people. Hence. libraries or include files etc should be lying around any more. however. This tells the iptables command what to do. you could insert the table specification where [table] is specified. How a rule is built This chapter will discuss in legth how to build your rules. None of the old binaries. if you read someone elses script you'll most likely recognise the way of writing a rule and understand it quickly. or directly after the table specification. instruction. we perform the target.Iptables Tutorial 1.9 Página 139 rpm -e ipchains After all this is done you are finished to update the iptables package from source according to the source installation instructions. the command should always be first. If all the criterias.html 21:25:51 10/06/2002 . We will also discuss the basic matches that str available and how to use them as well as the different targets and how we can make new targets to use (ie. it is not necessary to specify it explicitly all the time since iptables per default uses the filter table to implement your commands on. We use this first variable to tell the program what to do. We could specify what IP address the packet must come from. Each line you write that's inserted to a chain should be considered a rule.org/andreasson/iptables-tutorial/iptables-tutorial. either. The match is the part which we send to the kernel that says what a packet must look like to be matched. or which network interface the packet must come from etc. Also. or to delete a rule. A rule could be described as the pure rules the firewall will follow when blocking different connections and packets in each chain. If you want to use another table than the standard table. we have used this way of writing rules since it is the most usual way of writing them. new subchains). Basics As we've already explained each rule is a line that the kernel looks at to find out what to do with a packet. There is a heap of different matches that we can use that we will look closer at further on in this chapter. it is more or less standard to put the table specification at the beginning of the commandline. However. or jump. or matches. We will enter this a bit further on.1. are met.

on the firewall) before they get to the routing decision. or we could tell kernel to send a specified reply to be sent back.1. OUTPUT is used for changing and altering locally generated packets before they enter the routing decision. As with the rest of the content in this section.org/andreasson/iptables-tutorial/iptables-tutorial. Note that mangle can not be used for any kind of Network Address Translation or Masquerading. We could change different packets and how their headers look among other things. Tables The -t option specifies which table to use.9 Página 140 Finally we have the target of the packet. we'll look closer at them further on in the chapter. The filter table should be used for filtering packets generally. we could DROP. LOG. Tables Table nat Explanation The nat table is used mainly for Network Address Translation. There are three chain built in to this table. The rest of the packets in the stream will in other words not go through this table again. If all the matches are met for a packet we tell the kernel to perform this action on the packet. The OUTPUT chain is used for altering locally generated packets (ie. but a mark for the packet is set in kernelspace which other rules or programs might use further on in the firewall to filter or do advanced routing on with tc as an example. Examples of this would be to change the TTL. The first one is named FORWARD and is used on all non-locally generated packets that are not destined for our localhost (the firewall. the filter table is used. The PREROUTING chain is used to alter packets as soon as they get in to the firewall. For example. This table is used mainly for mangling packets. Note that OUTPUT is currently broken. ACCEPT or REJECT packets without problems as in the other tables. Note that the MARK is not really a change to the packet. PREROUTING is used for altering packets just as they enter the firewall and before they hit the routing decision. which must be part of this table. the nat table was made for these kinds of operations. Finally we have the POSTROUTING chain which is used to alter packets just as they are about to leave the firewall. The rest of the packets in the same stream are automatically NAT'ed or Masqueraded etc.unix-fu.Iptables Tutorial 1. in case they are supposed to have those actions taken on them. in other words). Per default. as we will discuss more in length further on. the PREROUTING and OUTPUT chains. The table consists of two built in chains. Packets in a stream only traverse this table once. but instead they will automatically have the same actions taken to them as the first packet in the stream. INPUT is used on all packets that are destined for our local host (the firewall) and OUTPUT is finally used for all locally generated packets. 21:25:51 10/06/2002 mangle filter http://people.html . TOS or MARK. The first packet of a stream is allowed. We could tell the kernel to drop this packet dead and do no further processing. we presume. We could tell the kernel to send the packet to another chain that we create ourself. This is one reason why you should not do any filtering in this table. The following options are available to the -t command: Table 1.

If you do not understand their usage you may well fall into a pit once someone finds the hole you have unknowingly placed in the firewall yourself.9 Página 141 The listing above has hopefully explained the basics about the three different tables that are available.168. and hence it would be the http://people. The rule will will in other words always be put last in the ruleset in comparison to previously added rules. -D. Commands Command Example Explanation -A.1. and you should know what to use each chain for. They should be used for totally different things. --replace iptables -R INPUT 1 -s 192. iptables -D INPUT 1 This command deletes a rule in a chain. This could be done in two ways.. and hence be checked last. The command tells iptables what to do with the rest of the commandline that we send to the program. This command appends the rule to the end of the chain. -R. and the top rule is number 1. This might be good while experimenting with iptables mainly. --append iptables -A INPUT .org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . the above example would be inserted at place 1 in the INPUT chain. If you use the second way..0. but instead of totally deleting the entry.1 -j DROP This command replaces the old entry at the specified line. the rules are numbered from the top of each chain. --delete iptables -D INPUT --dport 80 -j DROP. Normally we want to either add or delete something to some table or another. they must match totally to the entry in the chain. In other words. --insert iptables -I INPUT 1 --dport 80 -j ACCEPT Insert a rule somewhere in a chain. The following commands are available to iptables: Table 2. either by specifying a rule to match with the -D option (as in the first example) or by specifying the rule number that we want to match. it will replace it with a new entry. The rule is inserted at the actual number that we give. unless you append or insert more rules later on. If you use the first way of deleting rules. We will discuss the tables and chains more in the Traversing of tables and chains chapter.unix-fu. -I. It works in the same way as the --delete command. Commands In this section we will bring up all the different commands and what can be done with them.Iptables Tutorial 1.

the chains will first be listed. ACCEPT and REJECT (There might be more. see the Tables section). -L. --policy iptables -P INPUT DROP This command tells the kernel to set a specified default target. and will then delete all rules in all chains within the specified table. If you have used the -v option with the -L command. etcetera. The command can be used without options. In other words.Iptables Tutorial 1. --list iptables -L INPUT This command lists all the entries in the specified chain. This option works the same as -L except that -Z won't list the rules. If -L and -Z is used together (which is legal). -F. use the -Z option. In the above case. and then the packet counters are zeroised. It's also legal to not specify any chain at all. -X. -N. you would have to replace or delete all rules referring to the chain before actually deleting the chain.html 21:25:51 10/06/2002 . for example the -n and -v options. --delete-chain iptables -X allowed This command deletes the specified chain from the table. --zero iptables -Z INPUT This command tells the program to zero all counters in a specific chain or in all chains. the command would list all the chains in the specified table (To specify a table. or policy. on a chain. Note that there must be no target of the same name previously to creating it. --flush iptables -F INPUT This command flushes the specified chain from all rules and is equivalent to deleting each rule one by one but is quite a bit faster. you have probably seen the packet counter in the beginning of each field.unix-fu. --rename-chain iptables -E allowed disallowed http://people. there must be no rules that are referring to the chain that is to be deleted. All packets that don't match any rule will then be forced to use the policy of the chain. In the last case. all chains that are not built in will be deleted from the specified table. In the above example we create a chain called allowed. mail me if so) -E. we would list all the entries in the INPUT chain. For this command to work.org/andreasson/iptables-tutorial/iptables-tutorial. -Z. The exact output is affected by other options sent to the program.9 Página 142 absolutely first rule in the chain from now on.1. --new-chain iptables -N allowed This command tells the kernel to create a new chain by the specified name in the specified table. -P. To zero this packet counter. If this command is used without any options. Legal targets are: DROP.

the program will output detailed information on what happens to the rules and if it was inserted correctly etcetera. you could use the -x option described later. This option is only applicable to the --list command. These counters uses the K (x1000). use the -v option and to get the help message. --replace This command shows a verbose output and is mainly used together with the --list command. rule options and TOS masks.Iptables Tutorial 1.000. change the name of the chain from allowed to disallowed. A command should always be specified. to the second name.9 Página 143 The -E command tells iptables to rename the first name of a chain.000) multipliers.000) and G (x1.html 21:25:51 10/06/2002 . M (x1. In the example above we would. use the -h option. Options Option Commands used with Explanation -v. --numeric --list This option tells iptables to output numerical values. unless you just want to list the built-in help for iptables or get the version of the command. If used together with the --list command it makes the output from the command include the interface address. in other words.000. --delete or --replace commands. --insert. in other words. Here comes a few options that can be used together with a few different commands.000. just a cosmetic change to the table. Instead we will get an exact output of how many packets and bytes that has matched the rule in question from the packets and bytes counters. If this option is used with the --append. Note that this option is only usable in the --list command and isn't really relevant for any of the other commands. --insert. network names or application names. --verbose --list. This option overrides the default of resolving all numerics to hosts and names if possible. To get the version. -n.org/andreasson/iptables-tutorial/iptables-tutorial. in other words. Note that this will not affect the actual way the table will work. It is. The --list command will also include a bytes and packet counter for each rule if the --verbose option is set. The output from --list will in other words not contain the K. --exact --list This option expands the numerics. --append. Also note that we do not tell you any options here that is only used to affect rules and matches. --line-numbers --list http://people. To overcome this and to get exact output.1.unix-fu. Note that we tell you with which commands the options can be used and what effect they will have. Table 3. M or G multipliers. IP addresses and port numbers will be printed by using their numerical values and not hostnames. --delete. As usual. -x. The matches and targets are instead looked upon in a later section of this chapter.

Finally we have special matches such as the state. No special parameters are in other words needed to load these matches at all. since it can be used to match specific protocols. owner and limit matches and so on. This option can be used with all commands. I have also added the --protocol match here. --protocol is in itself a match. The following matches are always available. It could be used if your modprobe command is not somewhere in the searchpath etc. -c. We can then use the option to initialize the packets and bytes counters of the rule.9 Página 144 The --line-numbers command is used to output line numbers together with the --list command. We have UDP matches which can only be applied to UDP packets and ICMP matches which can only be used on ICMP packets. This option only works with the --list command. Then we have the TCP matches which can only be applied to TCP packets.html 21:25:51 10/06/2002 .Iptables Tutorial 1. Matches This section will talk a bit more about the matches. which would tell the kernel to set the packet counter to 20 and byte counter to 4000. Each rule is numbered together with this option and it might be easier to know which rule has which number when you're going to insert rules. --append. I've chosen to split down the matches into five different subcategories here. For example. These final matches has in turn been split down to even more subcategories even though they might not necessarily be different matches at all.1.unix-fu. --replace This option is used when creating a rule in some way or modifying it. Generic matches Command Example http://people. if we want to use an TCP match. even though it is needed to use some protocol specific matches. --set-counters --insert. I hope this is a reasonable breakdown and that all people out there can understand this breakdown. In such cases it might be necessary to specify this option so the program knows what to do in case a needed module is not loaded.org/andreasson/iptables-tutorial/iptables-tutorial. Generic matches This section will deal with Generic matches. A generic match is a kind of match that is always available whatever kind of protocol we are working on or whatever match extensions we have loaded. First of all we have the generic matches which are generic and can be used in all rules. we need to use the --protocol match and send TCP as an option to the match. Table 4. The syntax would be something like --set-counters 20 4000. too. --modprobe All The --modprobe option is used to tell iptables which command to use when probing for modules to the kernel. However.

This means that we could for example add /24 to use a 255. we can add a netmask either in the exact netmask form.0. The main form can be used to match single IP addresses such as 192. We could also invert the whole match with an ! sign. 192.168.0 or like 192.0.255. The default behaviour of this match. or in the number of ones (1's) counted from the left side of the netmask bits.0/ 255. It would then look like either 192. This list can vary a bit at the same time since it uses the /etc/protocols if it can not recognise the protocol itself. Examples of protocols are TCP.0. The + string can also be used at the end of an interface.0.168. First of all the protocol match can take one of the three aforementioned protocols.168. --src.0). as well as ALL.255. such as udp.255.255. -s.168. FORWARD and PREROUTING chains and will render an error message when used anywhere else.168.168.1 The --destination match is used to match packets based on their destination address or addresses. This match can also be inversed with the ! sign. Note that this option is only legal in the INPUT.168.0. UDP and ICMP.org/andreasson/iptables-tutorial/iptables-tutorial.0/24 we would match all packets with a source address not coming from within the 192. We could also inverse the match with an ! just as before. and eth+ would in other words match all ethernet devices. The line http://people. --dst. The line would then look something like.255.1.168. --in-interface iptables -A INPUT -i eth0 This match is used to match based on which interface the packet came in on. One way is to do it with an regular netmask in the 255.1.255. and the other way is to only specify the number of ones (1's) on the left side of the network mask. If we would in other words use a match in the form of --source ! 192. We could then match whole IP ranges.x range.168. is to assume a string value of +. -d.0 netmask.255 form (ie. -i. --source iptables -A INPUT -s 192.0/24 and both would be equivalent to each other.1.1.tcp which would match all UDP and TCP packets.0. Finally. A single + would in other words tell the kernel to match all packets without considering which interface it came in on.0. --protocol Explanation iptables -A INPUT -p tcp This match is used to check for certain protocols.x range. in case the match is not specified. --destination iptables -A INPUT -d 192.168. except that it matches based on where the packets are going. This would match all packets in the 192. which means to match all of the previous protocols.0.168. The protocol may also take a numeric value. It could be used with a netmask in a bits form.html 21:25:51 10/06/2002 . The command may also take a comma delimited list of protocols. The + value is used to match a string of letters and numbers.1 This is the source match which is used to match packets based on their source IP address. If this match is given the numeric value of zero (0).0. such as our local networks or network segments behind the firewall. such as 255 which would mean the RAW IP protocol. just as before. it means ALL protocols. To match an IP range. which in turn is the default behaviour in case the --protocol match is not used.1.255. It works pretty much the same as the --source match and has the same syntax. The default is to match all IP addresses.0/24. so -protocol ! tcp would mean to match the ICMP and UDP protocols.255. We can also invert the meaning of this option with the help of the ! sign.1 IP address. --destination ! 192. 192.unix-fu. for example.1 would in other words match all packets except those not destined to the 192. the program knows about all the protocols in the /etc/protocols file as we already explained.168.Iptables Tutorial 1.9 Página 145 -p.0/255.

in opposite of the --in-interface match. We also match all packets that has not been fragmented during the transfer. fragments.html 21:25:51 10/06/2002 . nor ICMP types. The TCP based matches contain a set of different matches that are available for only TCP packets. http://people. regardless of where the packet is going. it works pretty much the same as the --ininterface match. Also. These are TCP matches. Implicit matches are loaded automatically when we tell iptables that this rule will match for example TCP packets with the --protocol match. When this match is inversed.9 Página 146 would then have a syntax looking something like -i ! eth0. and hence this match was created. What this means is that we match all the first fragments of a fragmented packets. among other things. --out-interface iptables -A FORWARD -o eth0 The --out-interface match is used to match packets depending on which interface they are leaving on. and not the second. -f. after the TCP match section. This option can also be used in conjunction with the ! sign. -o. just as the UDP and ICMP matches are loaded implicitly. FORWARD and POSTROUTING chains. To inverse the meaning of the match. and so on. except eth0. There is also explicitly loaded matches that you must load explicitly with the -m or -match option which we will go through later on in the next section. which would mean to match all incoming interfaces.unix-fu. and UDP based matches contain another set of matches that are available only for UDP packets. and the same thing for ICMP packets. in case you use connection tracking you will not see any defragmented packets since they are dealt with before hitting any chain or table in iptables. Such fragments of packets will not be matched by other rules when they look like this. --fragment iptables -A INPUT -f This match is used to match the second and third part of a fragmented packet.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.1. like this ! -f. there is no way to tell the source or destination ports of the fragments. To use these matches you need to specify --protocol tcp on the command line before trying to use these matches. These matches are loaded implicitly in a sense. fragmented packets might in rather special cases be used to compile attacks against computers. UDP matches and ICMP matches. you can use the ! sign in exactly the same sense as in the --ininterface match. third. The reason for this is that in the case of fragmented packets. Other than this. Note that the --protocol tcp match must be to the left of the protocol specific matches. in this case the ! sign must precede the match. however. the default behaviour if this match is left out is to match all devices. we match all head fragments and/or unfragmented packets. There are currently three types of implicit matches that are loaded automatically for three different protocols. As a secondary note. The other matches will be looked over in the continuation of this section. Also note that there are defragmentation options within the kernel that can be used which are really good. TCP matches These matches are protocol specific and are only available when working with TCP packets and streams. Implicit matches This section will describe the matches that are loaded implicitly. The + extension is understood so you can match all eth devices with eth+ and so on. Note that this match is only available in the OUTPUT. Of course.

--dport.unix-fu. PSH http://people. It uses exactly the same syntax as the --source-port match. It does also reverse high and low ports in a port range specification if the high port went into the first spot and the low port into the last spot. ACK. The match will also assume the values of 0 or 65535 if the high or low port is left out in a port range specification. --source-port :80 would then match port 0 through 80. For more information about this. iptables automatically reverses the inversion.Iptables Tutorial 1. Both lists should be comma-delimited. TCP matches Match Example Explanation --sport. And if the last port specification is omitted.FIN SYN This match is used to match depending on the TCP flags in a packet.ACK. The inversion could also be used together with a port range and would then look like --source-port ! 22:80.org/andreasson/iptables-tutorial/iptables-tutorial. In other words. or turned on. port 65535 is assumed. however.html 21:25:51 10/06/2002 . exactly the same as -source-port in syntax. If you specify the port by port number. --destination-port iptables -A INPUT -p tcp --dport 22 This match is used to match TCP packets depending on its destination port. If we omit the first port specification. If we inversed the port specification in the port range so the highest port would be first and the lowest would be last. this could make as much as 10 seconds if you are running a large ruleset consisting of 1000 rules or so). as well as inversions. This match can either take a service name or a port number. The --source-port match can also be used to match a whole range of ports in this fashion --source-port 22:80 for example. This example would match all source ports between 22 and 80. First of all the match takes a list of flags to compare (a mask) and second it takes list of flags that should be set to 1. the entry of the rule will be slightly faster since iptables don't have to check up the service name. If you are writing a ruleset consisting of a 200 rules or more. We could also invert a match by adding a ! sign like --source-port ! 22 which would mean that we want to match all ports but port 22. the port 0 is assumed to be the one we mean. look at the multiport match extension. it could be a little bit harder to read in case you specify the numeric value.1. it would be understood just the same as --source-port 22:80. which in turn would mean that we want to match all ports but port 22 through 80.9 Página 147 Table 5. the service name must be in the / etc/services file since iptables uses this file to look up the service name in. If we would write --source-port 22: we would in turn get a port specification that tells us to match all ports from port 22 through port 65535. Note that this match does not handle multiple separated ports and port ranges. It understands port and port range specifications. If a source port definition looked like -source-port 80:22. For more information about this. --tcp-flags iptables -p tcp --tcp-flags SYN. you should definitely do this by port numbers since you will be able to notice the difference(On a slow box. Note that this match does not handle multiple separated ports and port ranges. URG. If you specify a service name. look at the multiport match extension. RST. FIN. The match knows about the SYN. --source-port iptables -A INPUT -p tcp --sport 22 The --source-port match is used to match packets based on their source port.

they are simply lost (Not taking ICMP error messaging etcetera into account). hack a legit service and then make a program or such make the connect to you instead of setting up an open port on your host). --source-port iptables -A INPUT -p udp --sport 53 http://people. and hence there is no such thing as different flags to set in the packet to give data on what the datagram is supposed to do. --syn iptables -p tcp --syn The --syn match is more or less an old relic from the ipchains days and is still there out of compatibility reasons.unix-fu. This would tell the match to match all packet with the FIN or the ACK bits set. Such packets are used to request new TCP connections from a server mainly. If you block these packets. such as open or closing a connection. This match can also be inverted with the ! sign in this. UDP packets do not require any kind of acknowledgement either. ALL means to use all flags and NONE means to use no flags for the option it is set. This match is used to match packets if they have the SYN bit set and the ACK and FIN bits unset. way. and for ease of traversing from one to the other. Table 6. you will not have blocked the outgoing connections which a lot of exploits today uses (for example. These matches are implicitly loaded when you specify the --protocol UDP match and will be available after this specification. Note that the state machine will work on all kinds of packets even though UDP or ICMP packets are counted as connectionless protocols.9 Página 148 flags but it also recognizes the words ALL and NONE. in other words packets in an already established connection. you should have effectively blocked all incoming connection attempts. Also note that the comma delimitation should not include spaces.ACK. ALL and NONE is pretty much self describing. This means that there is quite a lot less matches to work with on a UDP packet than there is on TCP packets.Iptables Tutorial 1.FIN SYN match. There will be more about the state machine in a future chapter. If they are lost. ! --syn. UDP matches Match Example Explanation --sport. however.html 21:25:51 10/06/2002 . This option can also be inverted with the ! sign. This command would in other words be exactly the same as the --tcp-flags SYN. or if they are just simply supposed to send data. UDP matches This section describes matches that will only work together with UDP packets. Note that UDP packets are not connection oriented.1. --tcp-option iptables -p tcp --tcp-option 16 This match is used to match packets depending on their TCP options. The state machine works pretty much the same on UDP packets as on TCP packets. The correct syntax could be seen in the example above.org/andreasson/iptables-tutorial/iptables-tutorial. --tcp-flags ALL NONE would in other words mean to check all of the TCP flags and match if none of the flags are set.

The match is used to match packets based on their UDP destination port. --dport. It is used to perform matches on packets based on their source UDP ports. If the high port is placed before the low port. add a ! sign in this. It has support for port ranges. For more information about this. Note that this match does not handle multiple separated ports and port ranges. single ports and port inversions with the same syntax. If the high port comes before the low port. Table 7. but more of a protocol beside the IP protocol that helps handling errors. For more information about this. single ports and inversions.9 Página 149 This match works exactly the same as its TCP counterpart. to invert this we could do --destination-port ! 53. This would match all ports but port 80. ICMP matches These are the ICMP matches.1. Note that all the generic matches can also be used. port 0 is assumed. If the first value is omitted. ICMP is not a protocol subordinated to the IP protocol.For a complete listing of ICMP types. To invert the port match. port 0 is assumed. To match a single port we do --destination-port 53. The match handles port ranges. --destination-port iptables -A INPUT -p udp --dport 53 The same goes for this match as for the UDP version of --source-port. port 65535 is assumed. The ICMP protocol is mainly used for error reporting and for connection controlling and such features. The first would match all UDP packets going to port 53 while the second would match packets but those going to the destination port 53. There is only one ICMP specific match available for ICMP packets. --source-port ! 53 fashion. and hopefully this should suffice. the match can understand service names as long as they are available in the /etc/services file.org/andreasson/iptables-tutorial/iptables-tutorial. The main feature of this protocol is the type header which tells us what the packet is to do. Single UDP port matches look as in the example above. Note that this match does not handle multiple ports and port ranges. so we can know source and destination adress too. ICMP matches Match Example Explanation --icmp-type http://people. This example would match all packets destined for UDP port 22 through 80. port 65535 is assumed. look at the multiport match extension. the ports switch place with eachother automatically. If the first port is omitted. we would do --destination-port 22:80 for example.html 21:25:51 10/06/2002 . but contains differences. look at the multiport match extension. see the ICMP types appendix. This match is implicitly loaded when we use the --protocol ICMP match and we get access to it automatically. Of course. If the last port is omitted.unix-fu. These packets are even worse than UDP packets in the sense that they are connectionless. To make a UDP port range you could do 22:80 which would match UDP ports 22 through 80. among other things. To specify a port range. If the second port is omitted.Iptables Tutorial 1. it is exactly the same as the equivalent TCP match. we would get an ICMP host unreachable in return. One example is if we try to access an unaccessible IP adress. but will work with UDP packets instead. they automatically switch place so the low port winds up before the high port. The headers of a ICMP packet are very similar to those of the IP headers.

FORWARD and INPUT chains and nowhere else. and others again may be "dangerous" for a simple host since they may. while explicitly loaded matches will not be loaded automatically in any case and it is up to you to activate them before using them. we would have to write -m state to the left of the actual match using the state matches. for example. do a iptables --protocol icmp --help. If we would like to use the state matches for example. or was created for testing/experimental use or plainly to show examples of what could be accomplished with iptables. MAC match options Match Example Explanation --mac-source iptables -A INPUT --mac-source 00:00:00:00:00:01 This match is used to match packets based on their MAC source address.unix-fu. Some of these matches may be specific to some protocols.html 21:25:51 10/06/2002 . Numerical values are specified in RFC 792.9 Página 150 iptables -A INPUT -p icmp --icmp-type 8 This match is used to specify the ICMP type to match.1. Explicit matches Explicit matches are matches that must be specifically loaded with the -m or --match option. Note that some ICMP types are obsolete.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. This in turn means that all these matches may not always be useful. redirect packets to the wrong places. To find a complete listing of the ICMP name values. this match will only be possible to use on ethernet based networks. This match can also be inverted with the ! sign in this. --icmp-type ! 8. For example. however. or check the ICMP types appendix. you could use this to match all packets http://people. The difference between implicitly loaded matches and explicitly loaded ones is that the implicitly loaded matches will automatically be loaded when you. match TCP packets. fashion. MAC match Table 8. This match is also only valid in the PREROUTING. else it will not be legal. Limit match The limit match extension must be loaded explicitly with the -m limit option. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX. This match is excellent to use to do limited logging of specific rules etcetera. among other things. This would in other words reverse the meaning of the match so all packets except packets from this MAC address would be matched. Note that since MAC addresses are only used on ethernet type networks. ICMP types can be specified either by their numeric values or by their names. they should mostly be useful since it all depends on your imagination and your needs. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01.

This is its main usage.53. This tells the limit match how many times to let this match run per timeunit (ie /minute). Multiport match options Match Example Explanation --source-port iptables -A INPUT -p tcp -m multiport --source-port 22. It tells iptables the maximum initial number of packets to match.unix-fu. --limit-burst iptables -A INPUT -m limit --limit-burst 5 This is the setting for the burst limit of the limit match. The limit match may also be inversed by adding a ! flag in front of the limit match explicit loading. This number gets recharged by one every time the limit specified is not reached. A maximum of 15 separate ports may be specified. but there are more usages. is that when we add this match we limit how many times a certain rule may be matched in a certain timeframe. (If anyone got a good/better and simpler explanation than this.html 21:25:51 10/06/2002 . Limit match options Match Example Explanation --limit iptables -A INPUT -m limit --limit 3/hour This sets the maximum average matching rate of the limit match. This match may only be used in http://people. The default value here is 3 per hour. What this means. or 3/hour. of course.Iptables Tutorial 1. which would sometimes mean you would have to make several rules looking exactly the same just to match different ports. as you can see in the example. The default value is 5. up to this number. it would then look like -m ! limit. Multiport match The multiport match extension can be used to specify more destination ports and port ranges than one.1. The ports must be comma delimited. This means that all packets will be matched after they have broken the limit. send me a mail and I'll try to make this more understandable). Table 9.9 Página 151 that goes over the edge of a certain chain. Table 10. The following time specifiers are currently recognised: /second /minute / hour /day. and get limited logging of this. This match is specified with a number and an optional time specifier.80.org/andreasson/iptables-tutorial/iptables-tutorial.110 This match matches multiple source ports.

hence there can be a maximum of 65535 different marks. it is logically ANDed with the mark specified before the actual comparison.org/andreasson/iptables-tutorial/iptables-tutorial. Table 11. If this mark field matches the mark match it is a match.9 Página 152 conjunction with the -p tcp or -p udp matches. It has a maximum specification of 15 ports and may only be used in conjunction with -p tcp and -p udp. this is why people still refer to FWMARK in advanced routing areas. The mark specification would then look like. This was previously done with the FWMARK target in ipchains. Mark match The mark match extension is used to match packets based on the marks they have set. The mark field is currently set to an unsigned integer. If a mask is specified.110 This match extension can be used to match packets based both on their destination port and their source port. the actual computer itself. In other words.110 This match is used to match multiple destination ports.53. there is only one way of setting a mark in Linux. port 80 to port 80 and if you have specified port 80 to the --port match. with or without the packet.80. All packets traveling through netfilter gets a special mark field associated with them. http://people. except that it matches destination ports. Marks can be set with the MARK target which we will discuss a bit more later on in the next section. --destination-port iptables -A INPUT -p tcp -m multiport --destination-port 22.unix-fu. They may be used by different kernel routines for such tasks as traffic shaping and filtering. --mark 1/1. namely the MARK target in iptables. The mark field is an unsigned integer. Mark match options Match Example Explanation --mark iptables -t mangle -A INPUT -m mark --mark 1 This match is used to match packets that have previously been marked. Note that this means that it will only match packets that comes from. It works the same way as the --source-port and --destination-port matches above. --port iptables -A INPUT -p tcp -m multiport --port 22. You may also use a mask with the mark. A mark is a special field only maintained within the kernel that is associated with the packets as they travel through the computer. It can take a maximum of 15 ports specified to it in one argument.53. you are probably not going to run into this limit in quite some time. As of today.1. It can only be used in conjunction with -p tcp and -p udp. Note that this mark field does not in any way travel outside. for example.Iptables Tutorial 1.html 21:25:51 10/06/2002 . hence the limit of 65535 possible marks to use within your ruleset. It is mainly an enhanced version of the normal --sourceport match. It works exactly the same way as the source port match mentioned just above. for example.80.

If anyone have an idea for the usage of this match.html 21:25:51 10/06/2002 . or as described above to only allow "httpgroup" to be able to create packets going out on the HTTP port. It is pretty much impossible to find out any information about who sent a packet on the other end. for obvious reasons. This match only works within the OUTPUT chain as it looks today. or we could write a small script that grabs the PID from a ps output for a specific daemon and then adds a rule for it. please give me a note of it and of other possible uses. This extension was originally written as an example on what iptables might be used for. --sid-owner iptables -A OUTPUT -m owner --sid-owner 100 This match is used to match packets based on their Session ID and the Session ID used by the program in question. --gid-owner iptables -A OUTPUT -m owner --gid-owner 0 This match is used to match all packets based on their Group ID (GID). Owner match options Match Example Explanation --uid-owner iptables -A OUTPUT -m owner --uid-owner 500 This packet match will match if the packet was created by the given User ID (UID). Table 12. or if we where an intermediate hop to the real destination. http://people.org/andreasson/iptables-tutorial/iptables-tutorial. This means that we match all packets based on what group the user creating the packets are in.Iptables Tutorial 1. This match is a bit harder to use. hence. but one example would be to only allow PID 94 to send packets on the HTTP port. (If anyone has actually used this match for a production server. Notorious packets of that sort is different ICMP responses among other things.1. --pid-owner iptables -A OUTPUT -m owner --pid-owner 78 This match is used to match packets based on their Process ID (PID) and which PID created the packets. never match. One possible use would be to block any other user than root to open new connections outside your firewall. I would love to hear what they used it for and how they did it). ICMP responses will.unix-fu. This could be used to block all but the users part of the "network" group from getting out onto the internet. Even within the OUTPUT chain it is not very reliable since certain packets may not have an owner.9 Página 153 Owner match The owner match extension is used to match packets based on who created them. This could be used to match outgoing packets based on who created them. or another possible use could be to block everyone but the httpuser from creating packets from HTTP.

Finally.org/andreasson/iptables-tutorial/iptables-tutorial. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid.ESTABLISHED This match option tells the state match what states the packets must be in to be matched. However. You will then have access to one new match. RELATED means that the packet is starting a new connection and is associated with an already established connection. NEW and RELATED. INVALID means that the packet is associated with no known stream or connection and that it may contain faulty data or headers. This could for example mean an FTP data transfer.Iptables Tutorial 1. there may be times where this could be useful. This allows us to know in what state the connection is. Note that this option is regarded as experimental and may not work at all times. State matches Match Example Explanation --state iptables -A INPUT -m state --state RELATED. or that it is associated with a connection that has not seen packets in both directions.html 21:25:51 10/06/2002 . There is currently 4 states that can be used. In all cases. or an ICMP error associated with an TCP or UDP connection for example.9 Página 154 State match The state match extension is used in conjunction with the connection tracking code in the kernel and allows access to the connection tracking state of the packets. INVALID. This could be used to DROP connections and to check for bad streams etcetera. This concept will be more deeply introduced in a future chapter since it is such a large area. hence. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should. TOS match http://people. and works for pretty much all protocols. For more information on how this could be used. however you should be aware that this may break legal connections too. This match needs to be loaded explicitly by adding a -m state statement to the rule. Unclean match The unclean match takes no options and requires no more than explicit loading when you want to use it. NEW means that the packet has or will start a new connection. not be considered very good in cases where we have only one firewall and no load balancing between different firewalls. ESTABLISHED.unix-fu. Table 13.1. nor will it take care of all unclean packages or problems. read in the future chapter on the state machine. such as packets with bad headers or checksums and so on. including stateless protocols such as ICMP and UDP. there will be a default timeout for the connection and it will then be dropped from the connection tracking database. This match tries to match packets which seems malformed or unusual.

Most do not care at all. to mark packets for later usage together with the iproute2 and advanced routing functions in linux. TOS matches Match Example Explanation --tos iptables -A INPUT -p tcp -m tos --tos 0x16 This match is used as described above. SSH and FTP-control. Maximize-Reliability means to maximize the reliability of the connection and to use lines that are as reliable as possible. ie find the fastest route. The match takes an hex or numeric value as an option. Some good protocols that would use this would be RTSP (Real Time Stream Control Protocol) and other streaming video/radio protocols. it can match packets based on their TOS field and their value. Normal-Service would finally mean any normal protocol that has no special needs for their transfers. but it tells us if there is any specific requirements for this stream such as that it needs to be sent as fast as possible. or it needs to be able to send as much payload as possible).Iptables Tutorial 1.unix-fu. among other things. you need to add an -m ttl to the rule. TTL match The TTL match is used to match packets based on their TTL (Time To Live) field residing in the IP header. consists of 8 bits. or possibly one of the names given if you do an iptables -m tos -h. This match is only used to match packets based on their TTL. Maximize-Reliability 4 (0x04). Minimize-Cost 2 (0x02). Table 14. TOS stands for Type Of Service. Maximize-Throughput 8 (0x08). and Normal-Service 0 (0x00). Minimize-Delay means to minimize the delay for the packets. If the TTL reaches 0. an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is transmitted to the party sending the packet and telling about the problem. while others try their best to do something good with the packets in question and the data they provide. some good protocols that would fit with this TOS values would be BOOTP and TFTP. and what kind of content it has(not really. The TTL field contains 2 bits and is decremented once every time it is processed by an intermediate host between the client and host. This could be used for. This match is loaded explicitly by adding -m tos to the rule. Minimize-Delay means to minimize the delay until the packets gets through all the way to the client/server.1.org/andreasson/iptables-tutorial/iptables-tutorial. TOS is normally used to tell intermediate hosts the preceeding of the stream.9 Página 155 The TOS match can be used to match packets based on their TOS field. This is true here. example of standard protocols that this includes are telnet. At the time of writing it contained the following named values: Minimize-Delay 16 (0x10). as well as in all kinds of matches. a standard protocol would be FTP-data. and is located in the IP header.html 21:25:51 10/06/2002 . and not to change anything. TTL matches http://people. Maximize-Throughput means to find a path that allows as big throughput as possible. How different routers and people deal with these values depends. Table 15. To load this match.

such as both mangling the TTL and the TOS value of a specific packet/stream. When/If we reach the end of that chain. We could for example. As we have already explained before. Good examples of such rules are DROP and ACCEPT. see the Traversing of tables and chains chapter.9 Página 156 Command Example Explanation --ttl iptables -A OUTPUT -m ttl --ttl 60 This match option is used to specify which TTL value to match. however. Rules that are stopped.Iptables Tutorial 1. There is also a number of other actions we may want to take which we will describe further on in this section. This may be good in cases where we want to take two actions on the same packet. DNAT and SNAT targets. The jump specification is done exactly the same as the target definition except that it requires a chain within the same table to jump to. it is required that the chain has already been created.org/andreasson/iptables-tutorial/iptables-tutorial. we get dropped back to the INPUT chain and the packet starts traversing from the rule one step below where it jumped to the other chain (tcp_packets in this case). may take an action on the packet and then the packet will continue passing through the rest of the rules anyway. To jump to a specific chain. This target could be used for debugging your local network. However. would be to find hosts with bad TTL values set as default (may be due to badly implemented TCP/IP stack. We would then jump from the INPUT chain to the tcp_packets chain and start traversing that chain. a good example of this would be the LOG. a chain is created with the -N command. let's say we create a chain in the filter table called tcp_packets like this: iptables -N tcp_packets. The usage is pretty much limited. It takes an numeric value and matches based on this value. it will automatically be ACCEPT'ed in the superset chain also and it will not traverse any of the superset chains any further. or to find possible infestations of trojans etcetera.unix-fu. Targets may also end with different results one could say. For example. One example. as described above. However. the ACCEPT and DROP targets which we will deal with first of all targets. DROP or ACCEPT the packet depending on what we want to do. Targets/Jumps The target/jumps tells the rule what to do with a packet that is a perfect match with the match section of the rule. or due to a malconfiguration). Targets on the other hand specify an action to take on the packet in question. what TOS value to use etcetera) while others have options not http://people. If a packet is ACCEPT'ed within one of the subchains. Other targets. some targets will make the packet stop traversing the specific chain and superset chains as described above.html 21:25:51 10/06/2002 . Some targets will also take options that may be necessary (What address to do NAT to. There is a few basic targets. do note that the packet will traverse all other chains in the other tables in a normal fashion. for example hosts which seems to have problems connecting to hosts on the internet. For more information on table and chain traversing. let us have a brief look at how a jump is done.1. before we do that. will not pass through any of the rules further on in the chain or superset chains. Network Address Translationed and then be passed on to the other rules in the same chains. We could then add a jump target to it like this: iptables -A INPUT -p tcp -j tcp_packets. There is no inversion and there is no other specifics to this match. These packets may be logged. it is only your imagination which stops you.

1. nor any of the calling chains. A packet that matches a rule perfectly and then has this action taken on it will be blocked and no further processing will be done. masquerade to ports and so on). Also note that if a packet has the DROP action taken on them in a subchain. When a packet is perfectly matched and this target is set.Iptables Tutorial 1.html 21:25:51 10/06/2002 . If it is a subchain to another chain. that packets that was accepted in one chain will still travel through any subsequent chains within the other tables and may be dropped there. There is nothing special about this target whatsoever. it drops packets dead to the ground and refuses to process them anymore. A better solution would be to use the REJECT target in those cases. we specify it like -j ACCEPT.unix-fu. the packet will continue to travel through the above chains in the structure as if nothing had happened. QUEUE target Option Example Explanation Option Example Explanation RETURN target The RETURN target will make the current packet stop travelling through the chain where it hit the rule. but available in any case (log prefixes. it is accepted and will not continue traversing the chain where it was accepted in. and it does not require. to add options to the target. QUEUE target Table 16. such as filtered ports and so on. DROP target The DROP target does just what it says. especially when you want to block certain portscanners from getting to much information.org/andreasson/iptables-tutorial/iptables-tutorial. for example the INPUT chain. ACCEPT target This target takes no special options first of all. If the chain is the main chain. the packet will not be processed in any of the above chains in the structure either. Do note.9 Página 157 necessary. or have the possibility. the packet will http://people. Note that this action may be a bit bad in certain cases since it may leave dead sockets around on the server and client. The target will not send any kind of information in either direction. either to tell the client or the server as told previously. Let us have a look at what kinds of targets there are. We will try to answer all these questions as we go in the descriptions. To use this target.

and no more actions would be taken in this chain. or priorities as they are normally referred to: debug. warn and panic. The LOG target currently takes five options that may be interesting to use in case you have specific needs for more information.Iptables Tutorial 1. This is an excellent target to use while you are debugging your rulesets to see what packets go where and what rules are applied on what packets. which in this case would be the INPUT chain. crit. err. For example. alert. It would then be dropped to the default policy as previously described.conf for information about these kind of problems. LOG target options Option Example Explanation --log-level iptables -A FORWARD -p tcp -j LOG --log-level debug This is the option that we can use to tell iptables and syslog which log level to use. The packet will then start traversing the EXAMPLE_CHAIN.=info /var/log/iptables in your syslog. For a complete list of loglevels read the syslog. They are all listed below. or want to set different options to specific values. Also note that the ULOG target may be interesting in case you are getting heavy logs.conf.org/andreasson/iptables-tutorial/iptables-tutorial. since the ULOG target has support for logging directly to MySQL databases and such. All messages are logged through the kernel facility. warn. It will then jump back to the previous chain. notice. but instead a problem of your syslogd configuration which you may find in /etc/syslog.1. Table 17. lets say a packet enters the INPUT chain and then hits a rule that it matches and that gives it --jump EXAMPLE_CHAIN. in other words do not use error. Note that it is not a iptables or netfilter problem in case you get your logs to the consoles or likely. Read more in man syslog. The default policy is normally set to ACCEPT or DROP or something the like. This information may then be read with dmesg or syslogd and likely programs and applications. LOG target The LOG target is specially made to make it possible to log snippets of information about packets that may be illegal. and all of a sudden it matches a specific rule which has the --jump RETURN target set. In other words. Note that all three of these are deprecated. Normally there are the following log levels. The LOG target will log specific information such as most of the IP headers and other interesting information via the kernel logging facility.conf file http://people. Another example would be if the packet hit a --jump RETURN rule in the INPUT chain. error. warning. The keyword error is the same as err.html 21:25:51 10/06/2002 .unix-fu. Also note that it may be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall since this may otherwise cause severe connectivity problems for your users. emerg and panic.conf manual. or for pure bughunting and errorfinding. warn is the same as warning and panic is the same as emerg.9 Página 158 have the default policy taken on it. setting kern. The priority defines the severity of the message being logged. info.

or by the world for that matter.conf manpages as well as other HOWTO's etcetera. etcetera. The TCP Sequence number are special numbers that identify each packet and where it fits into a TCP sequence and how the stream should be reassembled. These may be valuable when trying to debug what may go wrong and what has gone wrong. The prefix may be up to 29 letters long.1. for example. If this is what you want. --log-tcp-options iptables -A FORWARD -p tcp -j LOG --log-tcp-options The --log-tcp-options option will log the different options from the TCP packets header.html 21:25:51 10/06/2002 . check out the LARTC HOWTO. would make all messages appear in the /var/log/iptables file. and will not work outside there. This option takes no variable fields or anything like that. This target is only valid in the mangle table. you will be better off with the TOS target which will mangle the TOS value in the IP header. --log-prefix iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets" This option tells iptables to prefix all log messages with a specific prefix which may then be very good to use together with.unix-fu. you may not set a MARK for a package and then expect the MARK to still be there on another computer. These logging messages may be valuable when trying to debug or finding out specific culprits and what goes wrong. Note that there may be other messages here as well from other parts of the kernel that uses the info priority.9 Página 159 and then letting all your LOG messages in iptables use log level info. which may contain logging messages from iptables. including whitespace and those kind of symbols.Iptables Tutorial 1. grep and other tools to distinguish specific problems and outputs from specific rules. but instead works on the IP options. --log-tcp-sequence iptables -A INPUT -p tcp -j LOG --log-tcp-sequence This option will log the TCP Sequence numbers together with the log message. For more information on logging I recommend you to read the syslog and syslog. MARK target The MARK target is used to set netfilter mark values that are associated with specific packets. Note that this option is a security risk if the log is readable by any users. The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc). just as most of the LOG options. Note that the mark value is not set within the actual package. --log-ip-options iptables -A FORWARD -p tcp -j LOG --log-ip-options The --log-ip-options option will log most of the IP packet header options. just the same as the previous option. but is an value that is associated within the kernel with the packet. Any log that is. http://people.org/andreasson/iptables-tutorial/iptables-tutorial. For more information on advanced routing. In other words. This works exactly thesame as the --log-tcp-options option.

or on all packets from a specific host and then do advanced routing on that host. Finally. The --set-mark match takes an integer value. the target will first of all send the specified reply. which would also be the only chains where it would make any sense to put this target in.Iptables Tutorial 1. which in turn may take a huge set of variables. The REJECT target is as of today only valid in the INPUT. There is also an option called echo-reply. we may set mark 2 to a specific stream of packets.1. icmp-host-unreachable. there is one more option called tcp-reset which may only be used together with the TCP protocol. and you may get some more information by looking in the appendix ICMP types. and then the packet is dropped dead to the ground. else they won't work. Once we get a packet that matches a specific rule and we specify this target. Most of them are fairly easy to understand if you have a basic knowledge of TCP/IP. icmp-proto-unreachable. icmp-net-prohibited and icmphost-prohibited.unix-fu. For example. just the same as with the DROP target. The default error message is to send an port-unreachable to the host.org/andreasson/iptables-tutorial/iptables-tutorial. the http://people. FORWARD. icmp-portunreachable. but this option may only be used in conjunction with rules which would match ICMP ping packets.9 Página 160 Table 18. There currently is only one option which controls the nature of how this target works. There are currently the following reject types that can be used: icmp-net-unreachable.html 21:25:51 10/06/2002 . limiting or unlimiting their network speed etcetera. but it also sends back an error message to the host sending the packet that was blocked. REJECT target The REJECT target works basically the same as the DROP target. REJECT target Option Example Explanation --reject-with iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset This option tells the REJECT target what response to send to the host that sent the packet that we found to be a match. All of the above are ICMP error messages and may be set as you wish. FORWARD and OUTPUT chain or subchains of those chains. Table 19. Note that the chains that uses the REJECT target may only be called upon by the INPUT. MARK target options Option Example Explanation --set-mark iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2 The --set-mark option is required to set a mark. and OUTPUT chains.

html 21:25:51 10/06/2002 . or in hex 0x00-0xFF. As stated previously. there is most definitely a good use if you have a large WAN or LAN with several routers and actually have the possibility to give packets different routes and preference depending on their TOS value. At best the routers will do nothing with the TOS field. There are currently a lot of routers on the internet which does a pretty bad job at this so it may be a bit useless as of now to do any TOS mangling before sending the packets on to the internet. the value may be 0-255. Table 20. you should hence set the TOS field which was developed for this. TOS target Option Example Explanation --set-tos iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 The --set-tos option tells the TOS mangler what TOS value to set on packets that are matched. and they will not even look at them.2 or below) of iptables provided a broken implementation of this target which would not fix the packet checksum upon mangling. At worst. they will look at the TOS field and do the wrong thing based on the information. hex value 0x08). TCP RST are used to close open connections gracefully. which in turn most probably would be mangled and the connection would never work. either in hex or in decimal value. however.2. For more information about the TCP RST read RFC 793 . Maximize-Throughput (decimal value 8. Minimize-Cost (decimal value 2. hex value 0x04). The TOS field consists of 8 bits which are used to route packets. The TOS target only takes one option as described below. The default value on most packets http://people. If you feel a need to propagate routing information on how to do routing for a specific packet or stream. at least within your own network. MaximizeReliability (decimal value 4. Note that this target is only valid within the mangle table and can not be used outside it. Note that most of these values will never be used by anyone on the internet so you may be better of by using the named values available (which should be more or less standardized). These values are Minimize-Delay (decimal value 16. hex value 0x10).Iptables Tutorial 1. which won't accept your mail otherwise. and hence rendered the packets bad and in need of retransmission. As noted before. and can not be propagated with the packet.org/andreasson/iptables-tutorial/iptables-tutorial. the MARK target which sets a MARK associated with a specific packet is only available within the kernel. this is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts. Also note that if you handle several separate firewalls and routers.Transmission Control Protocol. hex value 0x00). The option takes a numeric value. Also note that some old versions (1.1. As stated in the iptables man page.unix-fu. This is one of the few fields that can be used within iproute2 and its subsystem to route packets.9 Página 161 tcp-reset option will tell REJECT to send an TCP RST packet in reply to the sending host. hex 0x02) or Normal-Service (decimal value 0. As the TOS value consists of 8 bits. this is the only way to propagate routing information between these routers and firewalls within the actual packet. TOS target The TOS target is used to set the Type of Service field within the IP header.

The MIRROR target is used to invert the source and destination fields in the IP header. The SNAT target does all the translation needed to do this kind of work. Note that the MIRROR target is only valid within the INPUT. no further processing of rules in the POSTROUTING chain will be commenced on the packets in the same stream. For example. The SNAT target is only valid within the nat table.org/andreasson/iptables-tutorial/iptables-tutorial. since our local networks should use the IANA specified IP addresses which are allocated for LAN networks. within the POSTROUTING chain. the outside world would not know where to send reply packets. noone on the internet would know that they where actually from us. also. This listing is complete as of iptables 1.com. use the actual names instead of the actual hex values to set up the TOS value. and any user-defined chains which are only called from those chains. the MIRROR target would make so computer B got the webpage at yahoo. of course. FORWARD and PREROUTING chains. One thing would for example be to send a spoofed packet to a host that uses the MIRRORcommand with a TTL of 255. If we forwarded these packets as is. and then set an SNAT rule which would translate all packets from our local network to the source IP of our own internet connection.2.com back (since this is where he came from). Lets say we set up a MIRROR target for port 80 at computer A. We could then turn on ip forwarding in the kernel. The packet will then bounce back and forth a huge set of times. and see to it that the packet is spoofed so it looks as if it comes from another host that uses the MIRROR command. If computer B would be coming from yahoo. The result of this target is really simple. whichever we want to call them. Also note that the outgoing packets created by the MIRROR target is not seen by any of the normal chains in the filter. Not bad for a cracker in other words to send 1500 bytes of data. If there is only 1 hop. do an iptables -j TOS -h. which means that this target will rewrite the Source IP address in the IP header of the packet. and eat up 380 kbyte of your connection. this is good when we want several computers to share an internet connection. the packet will jump back and forth 240-255 times. and you should be warned of using this since it may result in really bad loops. which would be our firewall. and tried to access the HTTP server at computer A.html 21:25:51 10/06/2002 . and then to retransmit the packet. depending on how many hops there is between them.5 and should hopefully be so for another period of time. and it should generally be recommended since the values behind the names may be changed if you are unlucky. This results in some really funny things. letting all packets leaving our LAN look as if they came from a single host. http://people. and I would be quite sure that someone has had a good laugh at some cracker or another that has cracked his own box via this target by now. then all future packets in the same connection will also be SNAT'ed and. or 0. among other things. Note that you can.Iptables Tutorial 1. NAT or mangle tables to avoid loops and other problems. MIRROR target The MIRROR target is an experimental demonstration target only.9 Página 162 are Normal-Service. Without doing this.unix-fu. hence resulting in a bad kind of Denial of Service. SNAT target The SNAT target is used to do Source Network Address Translation. If the first packet in a connection is mangled in this fashion. Note that this is a best case scenario for the cracker or scriptkiddie. This is in other words the only place that you may do SNAT in. For a complete listing of the "descriptive values".1. However. this does not make the target free of any likely problems.

All other ports will be mapped to 1024 or above. 194.155-194. and all subsequent packets in the same stream will be translated. and this is the target of the rule. If no port range is specified. and then routed on to the correct device. The source IP would then be set randomly for each stream that we open. when you have an host running your webserver inside a LAN.50. Table 22.50. DNAT target The DNAT target is used to do Destination Network Address Translation.236. All the source ports would then be mapped to the ports specified. iptables will always try to not make any port alterations if it is possible.unix-fu. iptables will map one of them to another port.org/andreasson/iptables-tutorial/iptables-tutorial.50. on to the real webserver within the LAN. iptables will always try to maintain the source ports used by the actual workstation making the connection. Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table. :102432000 or something alike.1. As previously stated.160 as described in the example above. for example. DNAT target http://people. If we want to balance between several IP addresses we could use an range of IP addresses separated by a hyphen. but if two hosts tries to use the same ports. then all source ports below 512 will be mapped to other ports below 512 if needed. Note that chains containing DNAT targets may not be used from any other chains. so if a client tries to make contact with an HTTP server outside the firewall. You could then tell the firewall to forward all packets going to its own HTTP port.9 Página 163 Table 21. There may also be an range of ports specified that should only be used by SNAT. takes one IP address to which we should transform all the source IP addresses in the IP header. Hence. but no real IP to give it that will work on the internet. host or network. We may also specify a whole range of destination IP addresses.236.Iptables Tutorial 1. it will not be mapped to the FTP control port. This target can be extremely useful.50. and the DNAT mechanism will choose the destination IP address at random for each stream. Note that this has nothing to do with destination ports. SNAT target Option Example Explanation --to-source iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194.155194. at it simplest.160:1024-32000 The --to-source option is used to specify which source the packets should use.236. which means that it is used to rewrite the Destination IP address of a packet. it would then look like.html 21:25:51 10/06/2002 . we will be able to deal with a kind of load balancing by doing this. and any of the chains called upon from any of those listed chains. Those between source ports 512 and 1023 will be mapped to ports below 1024.236. the packet. such as the POSTROUTING chain. This option. This would hence look as within the example above. If a packet is matched. for example. and a single stream would always use the same IP address for packets within that stream.

1.10 Explanation The --to-destination option tells the DNAT mechanism which Destination IP to set in the IP header. This means that you should only use the MASQUERADE target with dynamically assigned IP connections. as described previously. but it does not require any -to-source option. it means that we set the IP address used on a specific network interface instead of the --to-source option. Note that the MASQUERADE target is only valid within the POSTROUTING chain in the nat table. MASQUERADE target http://people. and it is more or less idiotic to keep the entry around.html 21:25:51 10/06/2002 . it is not favorable since it will add extra overhead. If we would have used the SNAT target. dialup connections. and there may be inconsistencies in the future which will thwart your existing scripts and render them "unusable". and the IP address is automatically grabbed from the information about the specific interface.23. which is optional. however.168. Table 23.168.Iptables Tutorial 1.1. which we don't know the actual address of at all times.168.168. It is still possible to use the MASQUERADE target instead of SNAT even though you do have an static IP. for example. The reason for this is that the MASQUERADE target was made to work with. The above example would send on all packets destined for IP address 15. the syntax is pretty much the same for the DNAT target. This is in general the correct behaviour when dealing with dialup lines that are probable to be assigned a different IP every time it is up'ed. within that stream. and where to send packets that are matched. as for the SNAT target even though they do two totally different things. the connection is lost anyways.45.168.1. If you have a static IP connection. MASQUERADE target The MASQUERADE target is used basically the same as the SNAT target. This is done by adding. which gets dynamic IP addresses when connecting to the network in question. an :80 statement to the IP addresses to which we want to DNAT the packets. As you can see. or like --todestination 192. which is extremely good if we. for example. or DHCP connections.9 Página 164 --to-destination Option iptables -t nat -A PREROUTING -p tcp -d 15. we may have been left with a lot of old connection tracking data.45. We could also have specified only one IP address.1. that a single stream will always use the same host. in which case we would always be connected to the same host. The MASQUERADE target also has the effect that connections are forgotten when an interface goes down.67 to a range of LAN IP's.org/andreasson/iptables-tutorial/iptables-tutorial. which would be lying around for days.1-192. and that each stream will randomly be given an IP address that it will always be Destinated for.unix-fu.1. swallowing up worthful connection tracking memory. In case we are assigned a different IP. for example. A rule could then look like --to-destination 192. namely 192.1 through 10.1:80-100 if we wanted to specify a port range. just as the SNAT target.1. Note.67 --dport 80 -j DNAT --to-destination Example 192.1:80 for example.23. When you masquerade a connection. kill a specific interface. Do note that port specifications are only valid for rules that specify the TCP or UDP protocols with the --protocol option. you should instead use the SNAT target. Also note that we may add an port or port range to which the traffic would be redirected to. The MASQUERADE target takes on option specified below.

REDIRECT target The REDIRECT target is used to redirect packets and streams to the machine itself. as described below. since it wouldn't make any sense anywhere else. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid. This alters the default SNAT port-selection as described in the SNAT target section. In other words. and who actively pursue this.html 21:25:51 10/06/2002 . If we would want to specify an port range. for example. The REDIRECT target takes only one option. Without the --to-ports option.unix-fu. Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. as above. TTL target The TTL target is used to modify the Time To Live field in the IP header. will effectively http://people. One useful application of this is to change all Time To Live values to the same value on all outgoing packets. on our own host. where the LAN hosts do not know about the proxy at all.1. or something alike. The REDIRECT target is extremely good to use when we want. Locally generated packets are mapped to the 127. or port range.Iptables Tutorial 1. --to-ports 8080 in case we only want to specify one port. the lower port range delimiter and the upper port range delimiter separated with a hyphen. It is also valid within user-defined chains that are only called from those chains. we would do it like --toports 8080-8090. to use. The --to-ports option is only valid if the rule match section specifies the TCP or UDP protocols with the --protocol match. Table 24.1 address. transparent proxying. which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090. One reason for doing this is if you have a bully ISP which don't allow you to have more than one machine connected to the same internet connection. Setting all TTL values to the same value. Either you can Explanation specify a single port like --to-ports 1025 or you may specify a port range as --to-ports 1024-3000.9 Página 165 --to-ports Option iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000 Example The --to-ports option is used to set the source port or ports to use on outgoing packets. the destination port is never altered.0.0. This is specified. Note that this option is only available in rules specifying the TCP or UDP protocol with the -protocol matcher. and nowhere else. this rewrites the destination address to our own host for packets that are forwarded.org/andreasson/iptables-tutorial/iptables-tutorial. In other words. REDIRECT target Option Example Explanation --to-ports iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 The --to-ports option specifies the destination port.

It takes 3 options as of writing this. It's not too long. This means that we should raise the TTL value with the value specified in the --ttlinc option. hence the packet will be decremented by 4 steps. In other words. but at the same time. Table 25. --ttl-dec iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-dec 1 The --ttl-dec option tells the TTL target to decrement the Time To Live value by the amount specified after the --ttl-decoption. This may be used to make our firewall a bit more stealthy to traceroutes among other things.txt script. see the ttl-inc.9 Página 166 make it a little bit harder for them to notify that you are doing this. as for the previous example of the --ttl-dec option. all of them described below in the table. The TTL target is only valid within the mangle table. IF ANYONE HAS A GOOD USAGE FOR THIS OPTION. where the network code will automatically decrement the TTL value by 1. since the packet may start bouncing back and forth between two misconfigured routers. Traceroutes are a loved and hated thing. a packet entering with a TTL of 53 would leave the host with TTL 56. A good value would be around 64 somewhere. Do not set this value too high. For a good example on how this could be used. Note that the same thing goes here.1. NOTIFY ME --ttl-inc iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-inc 1 The --ttl-inc option tells the TTL target to increment the Time To Live value with the value specified to the --ttl-inc option. We may then reset the TTL value for all outgoing packets to a standardized value. since they provide excellent information on problems with connections and where it happens. we effectively make the firewall hidden from traceroutes. from 53 to 49 in other words. TTL target Option Example Explanation --ttl-set iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-set 64 The --ttl-set option tells the TTL target which TTL value to set on the packet in question. read the ip-sysctl. For more information on how to set the default value used in Linux. the packet would leave our host with a TTL value of 49. and nowhere else.txt. By setting the TTL one value higher for all incoming packets. http://people.Iptables Tutorial 1. which it always does. if the TTL for an incoming packet was 53 and we had set -ttl-dec 3.org/andreasson/iptables-tutorial/iptables-tutorial. and the higher the TTL.unix-fu. it gives the hacker/cracker some good information about your upstreams if they have targeted you. The reason for this is that the networking code will automatically decrement the TTL value by 1. the more bandwidth will be eaten unnecessary in such a case. since it may affect your network and it is a bit immoral to set this value to high. which you may find within the Other resources and links appendix. such as 64 as specified in Linux kernel.html 21:25:51 10/06/2002 . and it is not too short. and if we specified --ttl-inc 4.

the packet information is multicasted together with the whole packet through a netlink socket. so the whole packet will be copied to userspace. ULOG target Option Example Explanation --ulog-nlgroup iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2 The --ulog-nlgroup option tells the ULOG target which netlink group to send the packet to. which are simply specified as 1-32. The default value here is 1 because of backwards compatibility. This target enables us to log information to MySQL databases. plus some leading data within the actual packet. --ulog-qthreshold iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10 The --ulog-qthreshold option tells the ULOG target how many packets to queue inside the kernel before actually sending the data to userspace. making it much simpler to search for specific packets. --ulog-prefix iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: " The --ulog-prefix option works just the same as the prefix value for the standard LOG target. The default netlink groupd used is 1. the userspace daemon did not know how to handle multipart messages previously. Table 26. One or more userspace processes may then subscribe to various multicast groups and receive the packet. if we set the threshold to 10 as above. we would copy 100 bytes of the whole packet to userspace. we would simply write --ulog-nlgroup 5.Iptables Tutorial 1. --ulog-cprange iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100 The --ulog-cprange option tells the ULOG target how many bytes of the packet to send to the userspace daemon of ULOG. and is definitely most useful to distinguish different logmessages and where they came from. and then transmit it outside to the userspace as one single netlink multipart message. and other databases. If we specify 100 as above. the kernel would first accumulate 10 packets inside the kernel. the whole packet will be copied to userspace. This is in other words a more complete and more sophisticated logging facility that is only used by iptables and netfilter so far.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. which would include the whole header hopefully.1. If we specify 0. It can be 32 characters long.9 Página 167 ULOG target The ULOG target is used to provide userspace logging of matching packets. regardless of the packets size. If a packet is matched and the ULOG target is set. and to group log entries etcetera. This option prefixes all log entries with a userspecified log prefix.unix-fu. If we would like to reach netlink group 5. http://people. There are 32 netlink groups. For example. The default value is 0. and it contains much better facilities for logging packets.

Then the packet starts to go through a series of steps in the kernel before it is either sent to the correct application (locally). This chain is used for Destination Network Address Translation mainly. ie. filter FORWARD The packet got routed onto the FORWARD chain. General When a packet first enters the firewall. avoid doing filtering here since certain packets might pass this chain without ever hitting it. In this example. This is extremely valuable information later on when you write your own specific rules. or forwarded to another host or whatever happens to it. only forwarded packets go through here. Also we will speak about in which order the tables are traversed. With this we mainly mean the different routing decisions and so on. we do all the filtering here.unix-fu. ie. We will also look at which points certain other parts that also are kernel dependant gets in the picture. it hits the hardware and then get's passed on to the proper device driver in the kernel. changing TOS and so on.1. is the packet destined for our localhost or to be forwarded and where.org/andreasson/iptables-tutorial/iptables-tutorial. we're assuming that the packet is destined for another host on another network. Forwarded packets Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire(ie. This is especially needed if you want to write rules with iptables that chould change how different packets get routed. Note that all traffic that's forwarded goes through here (not only in one direction). eth0) This chain is normally used for mangling packets. The packet goes through the different steps in the following fashion: Table 1. so you need to think about it when writing your ruleset. This is also where Masquerading is done.9 Página 168 Traversing of tables and chains This chapter will talk about how packets traverse the the different chains and in which order. good examples of this is DNAT and SNAT and of course the TOS bits. internet) Comes in on the interface(ie. Source Network Address Translation is done further on.Iptables Tutorial 1. Routing decision. This chain should first and foremost be used for Source Network Address Translation.html . Avoid filtering in this chain since it will be passed through in certain cases. 21:25:51 10/06/2002 5 6 7 nat POSTROUTING http://people.

but if you continue to dig in it. no matter what interface and so on it came from. or anywhere else in case it is malformed. It would pass through the following steps before actually being delivered to our application to receive it: Table 2. Now. it is suggested that you do not filter in this chain since it can have sideeffects.1. Note that all incoming packets destined for this host passes through this chain.unix-fu. This chain is used for Destination Network Address Translation mainly. 21:25:51 10/06/2002 http://people. Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning. eth0) This chain is normally used for mangling packets. Finally we look at the outgoing packets from our own localhost and what steps they go through. changing TOS and so on.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. As you can see.9 Página 169 8 9 Goes out on the outgoing interface (ie. LAN). however. Out on the wire again (ie. ie. there's quite a lot of steps to pass through. we are mainly interested in the iptables aspect of this lot. eth1). server/client program) This is where we mangle packets. Local process/application (ie. I think. let us have a look at a packet that is destined for our own localhost. Destination localhost Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire (ie. Avoid filtering in this chain since it will be passed through in certain cases. Internet) Comes in on the interface(ie. Routing decision. Table 3. filter INPUT This is where we do filtering for all incoming traffic destined for our localhost. The packet can be stopped at any of the iptables chains. FORWARD is always passed by all packets that are forwarded over this firewall/ router. Quite logical. I think it gets clearer with time. is the packet destined for our localhost or to be forwarded and where. server/client program) 5 6 7 Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain. Do note that there is no specific chains or tables for different interfaces or anything like that.html . Source localhost Step 1 2 Mangle OUTPUT Table Chain Comment Local process/application (ie. ie.

Nat POSTROUTING This is where we do Source Network Address Translation as described earlier.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . eth0) On the wire (ie.1. This is where we decide where the packet should go.Iptables Tutorial 1. It is suggested that you don't do filtering here since it can have sideeffects. Internet) 7 8 We have now seen how the different chains are traversed in three separate scenarios. could someone tell me when this will be fixed? Please? This is where we filter packets going out from localhost. it would look something like this: http://people.9 Página 170 3 4 5 6 Nat Filter OUTPUT OUTPUT This is currently broken. and certain packets might slip through even though you set a default policy of DROP. If we would figure out a good map of all this. Goes out on some interface (ie.unix-fu. Routing decision.

txt script. All comments welcome. you could use the rc.html 21:25:51 10/06/2002 . This test script should give you the necessary rules to test how the tables and chains are traversed. If you feel that you want more information.unix-fu. this might still be wrong or it might change in the future. http://people.1.Iptables Tutorial 1.9 Página 171 Hopefully you got a clearer picture of how the packets traverses the built in chains now.test-iptables.org/andreasson/iptables-tutorial/iptables-tutorial.

Target's that only valid in the mangle table: TOS TTL MARK The TOS target is used to set and/or change the Type of Service field in the packet. as we have said before. Don't set this in other words for packets going to the internet unless you want to do routing decisions on it with iproute2. they act faulty on what they get. and sometimes. it should only be used to translate packets source field or destination field.unix-fu. We could also do bandwidth limiting and Class Based Queuing based on these marks. In other words. or if they don't have any. you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) fields and so on. nor will any DNAT.html 21:25:51 10/06/2002 . In other words. Note that this has not been perfected and is not really implemented on the internet and most of the routers don't care about the value in this field.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. Nat table This table should only be used for NAT (Network Address Translation) on different packets. This could be used for setting up policies on the network regarding how a packet should be routed and so on. Note that. The actual targets that does these kind of things are: http://people. We could tell packets to only have a specific TTL and so on. It is strongly adviced that you don't use this table to do any filtering in. One good reason for this could be that we don't want to give ourself away to nosy Internet Service Providers.9 Página 172 Mangle table This table should as we've already noted mainly be used for mangling packets. After this. The MARK target is used to set special mark values to the packet. only the first packet in a stream will hit this chain. SNAT or Masquerading work in this table. and takes this as one of many signs of multiple computers connected to a single connection. and there are some Internet Service Providers known to look for a single host generating many different TTL values.1. the rest of the packets will automatically have the same action taken on them as the first packet. The TTL target is used to change the TTL (Time To Live) field of the packet. Some Internet Service Providers does not like users running multiple computers on one single connection. These marks could then be recognised by the iproute2 programs to do different routing on the packet depending on what mark they have.

it automatically checks for the IP address to use. this is where we (should) do the main filtering. SNAT (Source Network Address Translation) is mainly used for changing the source address of packets.x netmask for example. however. of course. but is not suggested since it may not work perfectly together with your network setup. Filter table The filter table is. it will very likely run quite smooth with just a few fixes to it. http://people. as you already know. We will not go into deeper discussion about this table though. A good example when this is very good is when we have a firewall that we know the outside IP address of. As long as you have a very basic setup however. We can match packets and filter them however we want. but need to change our local networks IP numbers to the same of the IP of our firewall. the targets discussed previously in this chapter are only usable in their respective tables. This should be used to get a basic idea on how to solve different problems and what you may need to think about before actually putting your scripts into work. This is mainly done to hide our local networks or DMZ. etcetera. The firewall will with this target automatically SNAT and De-SNAT the packets. however. The MASQUERADE target will on the other hand work properly with Dynamic IP addresses that you may be provided when you connect to the Internet with. Of course we may do filtering earlier too. The reason for this is that each time that the MASQUERADE target gets hit by a packet. We have used one of the basic setups and dug deeper into how it works and what we do in it. this is the place that was designed for it. instead of doing as the SNAT target does and just use an IP address submitted while the rule was parsed. hence making it possible to make connections from the LAN to the Internet. and there is nothing special to this chain or special packets that might slip through because they are malformed. etc.Iptables Tutorial 1. This is the place that we actually take action against packets and look at what they contain and DROP/ACCEPT depending on their payload. In other words. we change the destination address of the packet and reroute it to some other host. for example PPP. mainly used for filtering packets. Almost all targets are usable in this chain.firewall file This chapter will deal with an example firewall setup and how the script file could look.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.1. If you're network uses 192. the packets would never get back from the Internet because these networks are regulated to be used in LAN's by IANA.unix-fu. but the MASQUERADE target takes a little bit more overhead to compute. It could be used as is with some changes to the variables.x. rc.168. The MASQUERADE target is used in exactly the same way as SNAT.9 Página 173 DNAT SNAT MASQUERADE The DNAT (Destination Network Address Translation) target is mainly used in cases such as when you have one IP and want to redirect accesses to the firewall to some other host on a DMZ for example. SLIP or DHCP.

Instead of looking for comments.firewall Ok.firewall. and then you return here to get the nitty gritty about the whole script.txt. Also. I suggest you read through the script file to get a basic hum about how it looks.0. hence these sections are empty. Also. then you could always create a mix of the different scripts.txt (also included in the Example scripts codebaseappendix) is fairly large but not a lot of comments in it. read on since this script will introduce a lot of interesting stuff anyways). your IP address will always change.1. Mainly. many distributions put the actual application in another location such as /usr/sbin/iptables and so on. You should at least be if you have come this far.9 Página 174 note that there might be more efficient ways of making the ruleset. ppp0. however you will with 99% certainty not change any of the values within this section since you will almost always use the 127. just below the Localhost configuration.0. eth1. which are necessary. however. This may vary a bit. This script does not contain any special configuration options for DHCP or PPPoE. explanation of rc. We do provide it.firewall. This could be eth0.DHCP. Also. This should always be changed since it contains the information that is vital to your actual configuration. as you may see there is a Localhost configuration section. the script has been written for readability so that everyone can understand it without having to know too much BASH scripting before reading this example rc. hence it is available here.html 21:25:51 10/06/2002 . which will point the script to the exact location of the iptables application. and the default location when compiling the iptables package by hand is /usr/ local/sbin/iptables. you need to specify the IP address of the physical interface connected to the LAN as well as the IP range which the LAN uses and the interface that the box is connected to the LAN through. etcetera just to name a few possible device names. the $INET_IFACE variable should point to the actual device used for your internet connection.1 IP address and the interface will amost certainly be named lo. If you need these parts.txt is the configuration section. however. they are however left there so you can spot the differences between the scripts in a more efficient way. This example rc. so you have everything set up and are ready to check out an example configuration script. you will find a brief section that pertains to the iptables. this section only consists of the $IPTABLES variable. For example. http://people.firewall Configuration options The first section you should note within the example rc. For example. or (hold yourself) create your own from scratch.unix-fu. The $INET_IP should always be a fully valid IP address. The same goes for all sections that are empty. The Local Area Network section contains most of the configuration options for your LAN. then you should probably look closer at the rc.org/andreasson/iptables-tutorial/iptables-tutorial.firewall. tr0. However.Iptables Tutorial 1. if you got one (if not.

you may be able to receive files over DCC. we load these modules as follows: /sbin/insmod ipt_LOG /sbin/insmod ipt_REJECT /sbin/insmod ipt_MASQUERADE Next is the option to load ipt_owner module. however. Connection tracking helpers are special modules that tells the kernel how to properly track the specific connections. it will work flawlessly since the sender will (most probably) give you the correct address to connect to. FTP is a complex protocol by definition. However. As of this writing. Without these helpers. You could also disallow all users but your own user and root to connect from your box to the Internet. We may also load extra modules for the state matching code here. For example. if one of your hosts NAT'ed boxes connect to a FTP server on the internet. The same thing applies for DCC file transfers (sends) and chats. Since this local network address is not valid outside your own network. This is due to how the DCC starts a connection. All modules that extend the state matching code and connection tracking code are called ip_conntrack_* and ip_nat_*. In other words. First off. you could allow only root to do FTP and HTTP connections to redhat and DROP all the others. For a long explanation of these conntrack and nat modules. Always avoid loading modules that you do not need. Without the helpers.323 conntrack helpers within the patch-o-matic. There are also H. and if possible try to avoid having modules lying around at all unless you will be using them. since it will take some extra effort to make additional rules this way. and tells the FTP server to connect to that IP address. I will not use that module in this example but basically.9 Página 175 Initial loading of extra modules First. This is for security reasons. the whole connection will be broken. it will send its own local network IP address within the payload of the packet. but not be able to send files. for example. the DCC connection will look as if it wants the receiver to connect to some host on the receivers own local network. look at the Owner match section within the How a rule is built chapter. For more information about the ipt_owner match.html 21:25:51 10/06/2002 . if you want to have support for the LOG. etcetera. but you will be a bit more secure to bouncing hacker attacks and attacks where the hacker will only use your host as an intermediate host. REJECT and MASQUERADE targets and don't have this compiled statically into your kernel. the kernel would not know what to look for when it tries to track specific connections. you tell the receiver that you want to send a file and where he should connect to.org/andreasson/iptables-tutorial/iptables-tutorial. there is only the option to load modules which add support for the FTP and IRC protocols. and it sends connection information within the actual payload of the packet. The FTP NAT helpers do all of the translations within these connections so the FTP server will actually know where to connect. Now.1. which could for example be used to only allow certain users to make certain connections. which in turn requires some translation to be done. the FTP server will not know what to do with it and hence the connection will break down. Without these so called helpers. The NAT helpers on the other hand. Creating these kind of connections requires the IP address and ports to be sent within the IRC protocol. So. as well as http://people. some FTP and IRC stuff will work no doubt. might be boring for others. we see to it that the module dependencies files are up to date by issuing an /sbin/depmod -a command.Iptables Tutorial 1. For example. the other way around.unix-fu. After this we load the modules that we will require for this script. are extensions of the connection tracking helpers that tells the kernel what to look for in specific packets and how to translate these so the connections will actually work. some other things will not work. read the Common problems and questionmarks appendix.

This may give malicious people a small timeframe to actually get through our firewall. however. They are used the same way as the conntrack modules. do not turn these on before actually knowing what they mean. For a better explanation on how this is done. you need to use the patch-o-matic and compile your own kernel.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. proc set up At this point we start the IP forwarding by echoing a 1 to /proc/sys/net/ipv4/ ip_forward in this fashion: echo "1" > /proc/sys/net/ipv4/ip_forward It may be worth a thought where and when we turn on the IP forwarding. read the Preparations chapter. There is a good but rather brief document about the proc system available within the kernel. Note that you need to load the ip_nat_irc and ip_nat_ftp if you want Network Adress Translation to work properly on any of the FTP and IRC protocols.html 21:25:51 10/06/2002 . In other words. PPP or DHCP you may enable the next option. In case you need dynamic IP support.firewall. ip_dynaddr by doing the following : echo "1" > /proc/sys/net/ipv4/ip_dynaddr If there is any other options you might need to turn on you should follow that style. and all others contained within this tutorial. I have chosen to turn it on here to maintain consistency with the script breakdown currently user. however. The rc. You will also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before actually loading the NAT modules. this option should really be turned on after creating all firewall rules. Also. Displacement of rules to different chains http://people. In this script and all others within the tutorial. To be able to use these helpers. iptables rulesets). These may be a good starters to look at. in case there are possible additional links added to other and better resources of information. but it will make it possible for the computer to do NAT on these two protocols. which is also available within the Other resources and links appendix.9 Página 176 some other conntrack helpers. it may be worth looking at that appendix in the future. for example if you use SLIP. we turn it on before actually creating any kind of IP filters (ie. This will lead to a brief period of time where the firewall will accept forwarding any kind of traffic for everything between a millisecond to a minute depending on what script we are running and on what box. there's other documentations on how to do these things and this is out of the scope of this documentation. do contain a small section of non-required proc settings.1.txt script.unix-fu.

1. However.txt script. We will not discuss any specific details yet.9 Página 177 This section will briefly describe my choices within the tutorial regarding user specified chains and some choices specific to the rc. This will effectively kill all connections and all packets that we do not explicitly allow inside our network or our firewall. Hopefully. Based upon this picture. we want to allow all kind of traffic from the local network to the internet. Also. With these pictures and explanations. this will remind you a little bit of how the specific tables and chains are traversed in a real live example. PPP and SLIP and others). Some of the paths I have chosen to go here may be wrong from one or another of aspect. UDP and TCP rules.Iptables Tutorial 1. This example is also based upon the assumption that we have a static IP to the internet (as opposed to DHCP. In the case of this scenario.firewall. the Internet is most definitely not a trusted network and hence we want to block them from getting to our local network. Instead of letting a TCP packet traverse ICMP. this script has as a main priority to only allow traffic that we explicitly want to allow. this section contains a brief look back to the Traversing of tables and chainschapter. http://people.unix-fu. This way we do not get too much overhead out of it all. let's make clear what our goals are. we want to set default policies within the chains to DROP. Based upon these general assumptions. I wish to explain and clarify the goals of this script. The following picture will try to explain the basics of how an incoming packet traverses netfilter. we also want to allow the firewall to act as a server for certain services on the internet. and we trust our local network fully and hence we will not block any of the traffic from the local network. I have displaced all the different user-chains in the fashion I have to save as much CPU as possible but at the same time put the main weight on security and readability. we would also like to let our local network do connections to the internet. I simply match all TCP packets and then let the TCP packets traverse an user specified chain. one firewall and an Internet connection connected to the firewall. but instead further on in the chapter. This whole example script is based upon the assumption that we are looking at a scenario containing one local network. I hope to point these aspects and possible problems out to you when and where they occur. let's look at what we need to do and what we do not need to do.html 21:25:51 10/06/2002 . To do this. Also.org/andreasson/iptables-tutorial/iptables-tutorial. This is a really trivial picture in comparison to the one in the Traversing of tables and chains chapter where we discussed the whole traversal of chains and tables in depth. In this case. Since the local network is fully trusted.

for example TCP. of course. Also. This chain we choose to call the "allowed" chain. These packets. Since noone on the Internet should be allowed to contact our local network computers.0/8 address range is reserved for local networks and hence we would normally not want to allow packets from such a address range since they would with 90% certainty be spoofed. All of these protocols are available on the actual firewall. we also trust the local network fully. FTP. we do not want to allow specific packets or packet headers in specific conjunctions. we want to split the rules down into subchains. we could not see any specific needs for extra checks before allowing the ICMP packets through if we agree with the type and code of the ICMP packet. we make the ruleset less timeconsuming for each packet. http://people. we may be a bit low on funds perhaps. and reduce redundancy within the network. and the loopback device and IP address are also trusted. For a closer discussion of this. As for our firewall. or we just want to offer a few services to people on the internet. For instance. Therefore. Also. we must note that certain Internet Service Providers actually use these address ranges within their own networks. before we implement this. we have decided to allow HTTP. All TCP packets traverse a specific chain named tcp_packets. As for ICMP packets. and because of that we specifically allow all traffic from our local network to the internet. as well as the fact we want to traverse as few rules as possible. For the same reason. and should contain a few extra checks before finally accepting the packet. we will want to block all traffic from the Internet to our local network except already established and related connections. we add a rule which lets all established and related traffic through at the top of the INPUT chain. However. we have the UDP packets which needs to be dealt with.Iptables Tutorial 1. All of this is done within the PREROUTING chain.1. so we would like to create one more subchain for all packets that are accepted for using valid port numbers to the firewall. SSH and IDENTD access to the actual firewall. By traversing less rules. which is created last in this script. we want the local network to be able to connect to the internet. our packets will hopefully only need to traverse as few rules as possible. and hence we accept the directly. We trust our local network to the fullest. we send to the udp_packets chain which handles all incoming UDP packets.unix-fu. In this script. Because of this. we want to do some extra checking on the TCP packets. the 10. which in turn will allow all return traffic from the Internet to our local network.org/andreasson/iptables-tutorial/iptables-tutorial. and we need to allow the return traffic through the OUTPUT chain. nor do we want to allow some IP ranges to reach the firewall from the Internet. UDP or ICMP.0. To do this. However. we want to add special rules to allow all traffic from the local network as well as the loopback network interface. Finally. we will need to NAT all packets since none of the local computers have real IP addresses. read the Common problems and questionmarks chapter. we choose to split the different packets down by their protocol family.0. and hence it should be allowed through the INPUT chain.9 Página 178 First of all. which will contain rules for all TCP ports and protocols that we want to allow. By doing this. This means that we will also have to do some filtering within the FORWARD chain since we will otherwise allow outsiders full access to our local network.html 21:25:51 10/06/2002 . When we decided on how to create this chain. Since we have an FTP server running on the server. these will traverse the icmp_packets chain.

However. we set all the default policies on the different chains with a quite simple command. and if they are of an allowed type we should accept them immediately without any further checking. we want to allow certain specific protocols to make contact with the firewall itself. now you got a small picture on how the packet traverses the different chains and how they belong together. we create the different special chains that we want to use with the -N command. Since we are running on a relatively small network. INPUT chain http://people.unix-fu.1. we have the firewalls OUTPUT chain. Since we actually trust the firewall quite a lot.org/andreasson/iptables-tutorial/iptables-tutorial. and hence we only want to allow traffic from the IP addresses assigned to the firewall itself. we allow pretty much all traffic leaving the firewall.9 Página 179 All incoming UDP packets should be sent to this chain. Finally. We would most likely implement this by adding rules that ACCEPT all packets leaving the firewall in case they come from one of the IP addresses assigned to the firewall. Incoming packets on eth0. will be redirected to the chain icmp_packets.Iptables Tutorial 1. It is now about time that we take care of setting up all the rules and chains that we wish to create and to use. of TCP type. nor do we do any blocking of specific protocols. tcp_packets. Setting up the different chains used So. this box is also used as a secondary workstation and to give some extra levy for this. will be redirected to tcp_packets and incoming packets of UDP type from eth0 go to udpincoming_packets chain. After this. We do not do any specific user blocking. such as speak freely and ICQ. of ICMP type. The chains we will use are icmp_packets. we do not want people to use this box to spoof packets leaving the firewall itself. iptables -P <chain name> <policy> The default policy is used every time the packets don't match a rule in the chain. First of all. udpincoming_packets and the allowed chain for tcp_packets. and if not they will be dropped by the default policy in the OUTPUT chain. as well as all of the rulesets within the chains. The new chains are created and set up with no rules inside of them.html 21:25:51 10/06/2002 . You should also have a clear picture of the goals of this script.

we create the chain the same way as all the others. The default policy was set quite some time back. and it will work much better on slow machines which might otherwise drop packets at high loads.html 21:25:51 10/06/2002 . it is most likely to be the first packet in a new connection so. if the connection is against an allowed port. In this case this pretty much means everything that hasn't seen traffic in both directions. except to portscan people http://people. we check if the packet is a SYN packet. something that some might consider a security problem. Either it might be a packet that we just dont want to allow or it might be someone who's doing something bad to us. ie. In either case we want to know about it so it can be dealt with. These packets could be allowed under certain circumstances but in 99% of the cases we wouldn't want these packets to get through. which would normally be 127.1 and ACCEPT all incoming traffic from there. Finally. The TCP allowed chain If a packet comes in on eth0 and is of TCP type. then we. which was previously described.1.Iptables Tutorial 1. and a reply to this SYN packet.168. or they are trying to start the connection with a non SYN packet.0. Though. we didn't reply to the SYN packet. First of all we match all ICMP packets in the INPUT chain that come on the incoming interface $INET_IFACE.9 Página 180 The INPUT chain as I've written it uses mostly other chains to do the hard work. we allow broadcast traffic from our LAN.0. If you want to fully understand this. Everything that hasn't yet been caught will be DROP'ed by the default policy on the INPUT chain. and after this all UDP packets get sent to udpincoming_packets chain. The last rule in this chain will DROP everything else. do the same for everything to $LAN_IP. we log them to our logs and then we DROP them. the connection then must be in state ESTABLISHED. and send those to the icmp_packets. we allow this. Before we hit the default policy of the INPUT chain. it travels through the tcp_packets chain.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial. This way we don't get too much load from the iptables. we log it so we might be able to find out about possible problems and or bugs. you need to look at the Appendices regarding state NEW and non-SYN packets getting through other rules. We do certain checks for bad packets here. or finally it might be a problem in our firewall not allowing traffic that should be allowed. of course. we don't log more than 3 packets per minute as to not getting flooded with crap all over the log files. I allow everything that comes from my own Internet IP that is either ESTABLISHED or RELATED to some connection. we check for everything that comes from our $LOCALHOST_IP.0. Then we check if the packet comes from an ESTABLISHED or RELATED connection. and since we've got a SYN packet. and after this. There is no practical use of not starting a connection with a SYN packet. also we set a prefix to all log entries so we know where it came from. These applications will not work properly without it. if it does. some applications depend on it such as Samba etc. After this. which in my case is eth0. Hence. we want to do some final checks on it to see if we actually do want to allow it or not. First of all. which in my case would be 192. again of course. If it is a SYN packet. as you might remember. An ESTABLISHED connection is a connection that has seen traffic in both directions. allow it. Also. After that.0/24. we do the same match for TCP packets on the $INET_IFACE and send those to the tcp_packets chain.

this is actually the default behaviour but I'm using it for brevity in here. then the packet will be targeted for the allowed http://people. Echo Replies is what you get for example when you ping another host. in other words all sources addresses. I might be wrong in blocking some of these ICMP types for you. Time Exceeded. and it gets down to 0 at the first hop on the way out. hence. For more information on ICMP types and their usage. see the appendix ICMP types. As a side-note. is allowed in the case where we might want to traceroute some host or if a packet gets its Time To Live set to 0. and a Time Exceeded is sent back from the first gateway en route to the host we're trying to traceroute.1. Here we check what kind of ICMP types to allow. -A tcp_packets tells iptables in which chain to add the new rule.0 with netmask 0. There is no currently available TCP/IP implementation that supports opening a TCP connection with something else than a SYN packet to my knowledge.0. but in my case. we will be unable to ping other hosts. and the host is unreachable. so for example if we send a HTTP request. when you traceroute someone. If all the criteria are matched. we then redirect it to the icmp_packets chain as explained before. in other words if the packet is destined for port 21 they also match. Destination Unreachable is used if a certain host is unreachable. we will get a reply about this. This specifies what ports that are allowed to use on the firewall from the Internet.0. Postel. then TTL = 2 and the second gateway sends Time Exceeded. everything works perfectly while blocking all the other ICMP types that I don't allow. If a packet of ICMP type comes in on eth0 on the INPUT chain.Internet Control Message Protocol by J.0. Redirect and Time Exceeded.unix-fu. I only allow incoming ICMP Echo Replies. As it is now.0. Destination unreachable. --dport 21 means destination port 21.Iptables Tutorial 1. -p TCP tells it to match TCP packets and -s 0/0 matches all source addresses from 0. Though. and so on until we get an actual reply from the host we finally want to get to. hence we send each and one of them on to allowed chain. DROP the crap since it's 99% sure to be a portscan. there is still more checks to do.9 Página 181 pretty much. i suggest reading the following documents and reports : The Internet Control Message Protocol ICMP RFC 792 . if we don't allow this.org/andreasson/iptables-tutorial/iptables-tutorial. The reason that I allow these ICMP packets are as follows. The ICMP chain This is where we decide what ICMP types to allow. The TCP chain So now we reach TCP connections. you start out with TTL = 1. For example. This way we won't have to wait until the browser's timeouts kicks in after some 60 seconds or more. the rule will be added to the end of the chain.html 21:25:51 10/06/2002 . which we described previously. the last gateway that was unable to find the route to the host replies with a Destination Unreachable telling us that it was unable to find it. For a complete listing of all ICMP types.0.

I ACCEPT incoming UDP packets from port 53. hence we allow DNS. or even better. hopefully. And finally we allow port 113.txt file. If it doesn't match any of the rules. of course. If we don't want to allow FTP at all. Though. As it is now. in other words your web server. Port 4000 is the ICQ protocol.0. which is used for certain real-time `multimedia' applications like speak freely which you can use to talk to other people in real-time by using speakers and a microphone.0. which is what we use to do DNS lookups.0.org/andreasson/iptables-tutorial/iptables-tutorial. The UDP chain If we do get a UDP packet on the INPUT chain.html 21:25:51 10/06/2002 . loaded. most of you probably don't use this protocol. Firewalls should always be kept to a bare minimum and not more. Note that you are dealing with a firewall. etc to work properly. its quite self explanatory how to do that by now=). Port 80 is HTTP. Port 22 is SSH. If you feel like adding more open ports with this script.unix-fu.0. in other words everything again. which is IDENTD and might be necessary for some protocols like IRC. which is NTP or network time protocol. and that way we allow PASSIVE and PORT connections since the ip_conntrack_ftp module is. a headset. If they have a source port of 53 also. As it is now. This protocol is used to set your computer clock to the same time as certain other time servers which have very accurate clocks. I'm allowing it per default since I know there are some who actually do. which is used to control FTP connections and later on I also allow all RELATED connections. they will be passed back to the original chain that sent the packet to the tcp_packets chain. This should be an extremely well known protocol that is used by the Mirabilis application named ICQ. We don't want this behaviour.1. we send them on to udpincoming_packets where we once again do a match for the UDP protocol with -p UDP and then match everything with a source address of 0. well. we can unload the ip_conntrack_ftp module and delete the $IPTABLES -A tcp_packets -p TCP -s 0/ 0 --dport 21 -j allowed line from the rc.Iptables Tutorial 1.firewall.9 Página 182 chain.0 and netmask 0. much better than allowing telnet on port 23. We currently also allow port 2074. There is at least 5 different ICQ clones for Linux and it's one of the most widely used chat programs in the world. http://people. I allow TCP port 21. if you want to allow anyone from the outside to use a shell on your box at all. delete it if you don't want to run a web server on your site. It is always a bad idea to give others than yourself any kind of access to these kind of boxes. or FTP control port. I personally also allow port 123.0. I doubt there is any further need to explain what it is. without this we wouldn't be able to do domain name lookups and we would be reversed to only use IP's. we ACCEPT them directly.

we drop them quicker than hell since these IP's are reserved especially for local intranets and definitely shouldn't be used on the Internet. we first of all ACCEPT all packets coming from our LAN with the following line: /usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT So everything from our Localnet's interface gets ACCEPT'ed whatever the circumstances.org/andreasson/iptables-tutorial/iptables-tutorial.x or 172.txt example file. As it is now. such as in case we get packets from the Internet interface that claim to have a source IP of 192.x. we allow the packets coming back from that site that's either ESTABLISHED or RELATED but nothing else. 10.html 21:25:51 10/06/2002 . As it looks now. Starting the Network Address Translation http://people. Also we log them with debug level. And after this we log everything and drop it. Last of all we log everything that gets dropped.168. and prefix them with a short line that is possible to grep for in the logfiles. We finally hit the default policy of the FORWARD chain that says to DROP everything. we might drop that too.16. Finally we DROP the packet in the default policy. if we get an packet from $LAN_IFACE that claims to not come from an IP address in the range which we know that our LAN is on.Iptables Tutorial 1. among other things since this chain is only traversed by the first packet in a stream.9 Página 183 OUTPUT chain Since i know that there's pretty much no one but me using this box which is partially used as a Firewall and a workstation currently. I allow pretty much everything that goes out from it that has a source address $LOCALHOST_IP. we'll sure as hell want to know about it for some reason or another. We log maximally 3 log entries per minute as to not flood our own logs. This might be used in the opposite direction. Note that this chain should not be used for any filtering or such.x. First of all we check for obviously spoofed IP addresses. After this we allow everything in a state ESTABLISHED or RELATED from everywhere.x. If it does get dropped. PREROUTING chain of the nat table The PREROUTING chain is pretty much what it says.x. Everything else might be spoofed in some fashion.1. it does network adress translation on packets before they actually hit the routing tables that sends them onwards to the INPUT or FORWARD chains in the filter table. in such case. if we open a connection from our LAN to something on the Internet. or it's a weird packet that's spoofed. in other words.firewall. Either it's a nasty error.x. even though I doubt anyone that I know would do it on my box. FORWARD chain Even though I haven't actually set up a certain section in the rc.unix-fu. $LAN_IP or $STATIC_IP. too.x. it should be used for network adress translation. I would like to comment on the few lines in there anyways. we don't do that though.

The next thing we do is to ACCEPT all packets from anywhere that are ESTABLISHED and/or RELATED to some connection.1. and since it comes from eth1 we ACCEPT it. correct? At least to me.9 Página 184 So.Iptables Tutorial 1. We also set a prefix to the log with the --log-prefix and set the log level with the --log-level. In other words. in other cases it might be packets that definitely shouldn't get through and you want to be notified about this.html 21:25:51 10/06/2002 . First of all we add a rule to the nat table. It is in other words up to you to make these scripts suitable for your needs. The -t option tells us which table to use. we first send a packet from our local box behind eth1. our final mission would be to get the MASQUERADEing up. in this case nat while the -A command tells us that we want to Add a new rule to an existing chain named POSTROUTING and -o $INET_IFACE tells us to match all outgoing packets on INET_IFACE (or eth0.firewall. then when the Internet box replies. there are specific variables added to these example scripts that may be used to automatically configure these settings. All packets that are being forwarded on our box traverse the FORWARD chain in the filter table. These scripts are not in any way perfect. it gets caught by this rule since the connection has seen packets in both directions. in the POSTROUTING chain that will masquerade all packets going out on our interface connected to the Internet. or logging facility what kind of importance this log entry has. The rest of this tutorial should most probably be helpful in making this feat.txt script structure All scripts written for this tutorial has been written after a specific structure. mainly to make them easier to configure. Example scripts The objective of this chapter is to give a fairly brief and short explanation of each script available with this tutorial.unix-fu. and to provide an overlook of the scripts and what services they provide. This chapter should hopefully http://people. This is good if someone starts to flood you with crap stuff that otherwise would generate many megabytes of logs. but also to improve the readability a bit. These settings are widely used within the example scripts. isn't it? The next step we take is to ACCEPT all packets traversing the FORWARD chain in the default table filter that come from the input interface eth1 which is my interface connecting to the internal network. So all packets that match this rule will be masqueraded to look as it came from your Internet interface. Log level tells the syslogd. This means we get maximally 3 log entries per minute from this specific line. The last thing we do is to log all traffic that gets dropped over the border. For me this would be eth0. The reason for this is that they should be fairly conformative to each other and to make it easier to find the differences between the scripts.org/andreasson/iptables-tutorial/iptables-tutorial. In some cases these might be packets that should have gotten through but didn't. This structure should be fairly well documented in this brief chapter. The first section of this tutorial deals with the actual structure that I have established in each script so we may find our way within the script a bit easier. per default settings in this script) and finally we target the packet for MASQUERADE'ing. Simple. it'll have to wait for another 1 minute for the next log entry. However. and the burst is also set to 3 so if we get 3 log entries in 2 seconds. and hits the default policy. rc. and they may not fit your exact intentions perfectly. We allow this rule to be matched a maximum of 3 times per minute with a burst limit of 3.

If it does not fit in anywhere. This could be skipped if we do not have any Internet connection.9 Página 185 give a short understanding to why all the scripts has been written as they have. This is most likely. or small corporate network. Note that there may be more subsections than those listed here. Hopefully. hence this section will almost always be available. 2. LAN . If they differ in some way it is probably an error on my part. 3. but only such that pertains to our Internet connection. 5. Other .Iptables Tutorial 1.If there is any LAN available behind the firewall. they should first of all be fitted into the correct subsection (If it pertains to the Internet connection. DMZ .If there are possibly any special DHCP requirements with this specific script. do note that this may not be the best structure for your scripts. These variables are highly unlikely to change. In most scripts and situations this should only require one variable which tells us where the iptables binary is located. but we have put most of it into variables anyway.1. The structure This is the structure that all scripts in this tutorial should follow. Configuration . Even though this is the structure I have chosen. 4.unix-fu. we will add specific options for those here. and why I have chosen to maintain this structure. we will add the DHCP specific configuration options here. 1. etcetera). it should be subsectioned there.If there are any other specific options and variables. PPPoE . unless it is specifically explained why I have broken this structure. http://people. DHCP . Most scripts lacks this section. we will add options pertaining to that in this section. Internet . will not have one. and if there are any special circumstances that raises the chances that he is using a PPPoE connection.If there is any reason to it.html 21:25:51 10/06/2002 . mainly because any normal home network.First of all we have the configuration options which the rest of the script should use.This is the configuration section which pertains to the Internet connection.org/andreasson/iptables-tutorial/iptables-tutorial. 1. we will add a DMZ zone configuration at this point.If there are a possibility that the user that wants to use this specific script. 2. Localhost . there should be no reason to change these variables. 1. Configuration options should pretty much always be the first thing in any shell-script. it should be subsectioned directly to the configuration options somewhere. 6.This section contains iptables specific configuration. iptables . It is only a structure that I have chosen to use since it fits the need of being easy to read and follow the best according to my logic.These options pertain to our localhost.

if not.This section should contain the required modules. 3. The first part should contain the required modules. This list will contain far from all of the proc configurations or nodes. while the second part should contain the non-required modules.At this point we create all the user specified chains that we want to use later on within this table. 2. but far from all of them. since they are not actually necessary to get the script to work. it is up to you. I have also chosen to set the chains and their rulespecifications in the same order as they are output by the iptables -L command.This section contains modules that are not required for normal operations.Iptables Tutorial 1.html 21:25:51 10/06/2002 . they should be commented out per default. and possibly special modules that adds to the security or adds special services to the administrator or clients. and specifically ACCEPT services and streams that I want to allow inside.This section should contain all of the required proc configurations for the script in question to work.This section should take care of any special configuration needed in the proc filesystem. 1. Non-required modules . they will be listed as such. Module loading . It could possibly also contain configurations that raises security. proc configuration . All user specified chains are created before we do anything to the system builtin chains. 2.First of all we go through the filter table and its content. http://people. 2.Set up all the default policies for the systemchains.9 Página 186 2. or add certain services or possibilities. 1. 4. First of all we should set up all the policies in the table. Normally I will set DROP policies on the chains in the filter table. If some of these options are required. Required proc configuration . This should normally be noted in such cases within the example scripts.This section should contain non-required proc configurations that may prove useful. and possibly which adds special services or possibilities for the administrator or clients.1. All of these modules should be commented out per default. Note that some modules that may raise security. All of them should be commented out. Set policies . may have been added even though they are not required. I have chosen to split all the rules down after table and then chain names. This way we will get rid of all ports that we do not want to let people use. Required modules . Filter table . Create user specified chains . Most of the useful proc configurations will be listed here. We will not be able to use these chains in the systemchains anyways if they are not already created so we could as well get to it as soon as possible.By now the scripts should most probably be ready to insert the ruleset. and if you want to add the service it provides. and listed under the non-required proc configurations. Non-required proc configuration . 1.org/andreasson/iptables-tutorial/iptables-tutorial.This section of the scripts should maintain a list of modules. 1.unix-fu. rules set up .

There is no reason for you to stay with this structure. we add the rules dealing with the OUTPUT chain. Create content in user specified chains . The same thing goes here as for the user specified chains in the filter table. I look upon the nat table as a sort of layer that lies just outside the filter table and kind of surrounds it. 5. At this point we start following the output from the iptables -L command as you may see. but not too far from reality.After creating the user specified chains we may as well enter all the rules within these chains. just in case. 3. when the NAT has been turned on.Last of all in the filter table. Create content in user specified chains .Iptables Tutorial 1. You may as well put this later on in your script.First of all we set up all the default policies within the nat table.html 21:25:51 10/06/2002 . We add this material here since I do not see any reason not to.When we have come this far. This is done after the filter table because of a number of reasons within these scripts. I will be satisfied with the default policy set from the beginning. Normally I do not have any of these. OUTPUT chain . 4.org/andreasson/iptables-tutorial/iptables-tutorial. Note that the user specified chains must be created before they can actually be used within the systemchains. but I have added this section anyways.At this point we create any user specified chains that we want within the nat table. which could possibly lead to packets getting through the firewall at just the wrong timepoint (ie. while the nat table acts as a layer lying around the filter table. Set policies . FORWARD chain . Nothing special about this decision. but none of the filter rules has been run). Create user specified chains . This may be wrong in some perspectives. however.unix-fu.1. The only reason I have to enter this data at this point already is that may as well put it close to the creation of the user specified chains. 6. do try to avoid mixing up data from different tables and chains since it will become much harder to read such rulesets and to fix possible problems. At this point we should add all rules within the INPUT chain. http://people. 3. I let these chains be set to ACCEPT since there is no reason not to do so. and finally the mangle table lies around the nat table as a second layer. we do not have a lot of things left to do within the filter table so we get onto the INPUT chain.9 Página 187 3. There should hopefully not be too much to do at this point.After the filter table we take care of the nat table. namely the ACCEPT policy. This table should not be used for filtering anyways. it is totally up to you. 1. 2. INPUT chain .At this point we go on to add the rules within the FORWARD chain. The filter table would hence be the core. and we should not let packets be dropped here since there are some really nasty things that may happen in such cases due to our own presumptions. First of all we do not want to turn the whole forwarding mechanism and NAT function on at a too early stage. Normally.By now it should be time to add all the rules to the user specified chains in the nat table. nat table . Also.

html 21:25:51 10/06/2002 . 3. POSTROUTING chain . PREROUTING . unless they have specific needs. Normally I will not use this table at all.Iptables Tutorial 1. 4.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. 6.The POSTROUTING chain should be fairly well used by the scripts I have written since most of them depend upon the fact that you have one or more local networks that we want to firewall against the Internet. 7. As it looks now. In most scripts this feature is not used. this section was added just in case someone. However. http://people. The same thing goes here as for the nat table pretty much. mangle table .The OUTPUT chain is barely used at all in any of the scripts. FORWARD chain . Create user specified chains . INPUT chain . I have neither created any chains here since it is fairly unusable without any data to use within it. I have not set any policies in any of the scripts in the mangle table one way or the other.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. or I. Within some scripts we have this turned on by default since the sole purpose of those scripts are to provide such services.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.The PREROUTING chain is used to do DNAT on packets in case we have any need for it. 5.unix-fu. Mainly we will try to use the SNAT target. Since I have barely used the mangle table at all in the scripts.1.Set the default policies within the chain. 1. 6. such as masking all boxes to use the exact same TTL or to change TOS fields etcetera.org/andreasson/iptables-tutorial/iptables-tutorial. 2. or at the very least commented out. since it should normally not be used for anyone. with a few exceptions where I have added a few examples of what it may be used for. would have the need for it in the future. and hence you should avoid it all together. 5. Set policies . but I have been unable to find any good reasons to use this chain so far. and you are encouraged not to do so either.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. send me a line and I will add it to the tutorial. If anyone has a reason to use this chain. OUTPUT chain . 5. reason being that we do not want to open up big holes to our local network without knowing about it.9 Página 188 4. but in certain cases we are forced to use the MASQUERADE target instead. it is not broken.Create all the user specified chains.If you have any user specified chains within this table. you may att this point add the rules that you want within them here. OUTPUT chain .The last table to do anything about is the mangle table. Create content in userspecified chains . The table was not made for filtering. PREROUTING chain . I have in other words chosen to leave these parts of the scripts more or less blank.

At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. where you have one LAN and one Internet Connection. http://people. PPP.DHCP. Do note that these descriptions are extremely brief. Hopefully this should explain more in detail how each script is structured and why they are structured in such a way. please take a closer look at the rc. and should mainly just be seen as a brief explanation to what and why the scripts has been split down as they have.org/andreasson/iptables-tutorial/iptables-tutorial.1.firewall file chapter should explain every detail in the script most thoroughly. The rc. SLIPor some other protocol that assigns you an IP automatically. Mainly it was written for a dual homed network.txt script is the main core on which the rest of the scripts are based upon. and hence don't use DHCP. POSTROUTING chain .firewall. For example. If you are looking for a script that will work with those setups.Iptables Tutorial 1.firewall.9 Página 189 8.html 21:25:51 10/06/2002 .unix-fu. rc.firewall. This script also makes the assumption that you have a static IP to the Internet. There is nothing that says that this is the only and best way to go.txt The rc.txt script.

another one if you have a whole subnet is to create a subnetwork.0/24 and consists of the De-Militarized Zone which we will do 1-to-1 NAT to. the packet will be destined for the actual DNS internal network IP. The other one uses IP range 192. There are several ways to get this to work. but it will not tell you exactly what you need to do since it is out of the scope of the tutorial. one De-Militarized Zone and one Internet Connection. then we use DNAT.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial. The De-Militarized Zone is in this case 1-to-1 NAT'ed and requires you to do some IP aliasing on your firewall.168. this tutorial will give you the tools to actually accomplish the firewalling and NAT'ing part. ie.Iptables Tutorial 1. which stands for Destination Network Adress Translation. giving the firewall one IP both internally and externally. If the packet would not have been translated. One uses IP range 192. if someone from the internet sends a packet to our DNS_IP. Do note that this will "steal" two IP's for you.DMZ.9 Página 190 rc.DMZ. We will show a short example of how the DNAT code looks: http://people.html 21:25:51 10/06/2002 . one for the broadcast address and one for the network address. the DNS wouldn't have answered the packet. to send the packet on to our DNS on the DMZ network. one is to set 1-to-1 NAT.firewall. You could then set the IP's to the DMZ'ed boxes as you wish. and not to our external DNS IP.txt The rc. This is pretty much up to you to decide and to implement. When the DNS sees our packet.168.1.txt script was written for those people out there that has one Trusted Internal Network. You need to have two internal networks with this script as you can see from the picture. you must make the box recognise packets for more than one IP.0.0/24 and consists of a Trusted Internal Network.1. For example.firewall.

html 21:25:51 10/06/2002 .txt. mail me since it is probably a fault on my side.firewall.firewall. The reason is that this won't work together with a dynamic IP connection.org/andreasson/iptables-tutorial/iptables-tutorial. this script no longer uses the STATIC_IP variable. in other words the IP of the DNS on our DMZ network. PPP and SLIP connections to connect to the internet. I've had some people mail me and ask about the problem so this script will be a good solution for you.Iptables Tutorial 1. which is the main change to the original rc. Then we look for TCP protocol on our $INET_IFACE with destination IP that matches our $DNS_IP.unix-fu.firewall.txt The rc. however. in other words Destination NAT. and is directed to port 53. it automatically gets un-DNAT'ed.txt script. that hasn't been gone through in the rest of the tutorial. This is how basic DNAT works. rc.9 Página 191 $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP First of all.DHCP. When the reply to the DNAT'ed packet is sent through the firewall. By now you should have enough understanding of how everything works to be able to understand this script pretty well without any huge complications. http://people.firewall. However. After that we specify where we want the packet to go with the --to-destination option and give it the value of $DMZ_DNS_IP. The actual changes needed to be done to the original script is minimal.1.DHCP. If there is something you don't understand. DNAT can only be performed in the PREROUTING chain of the nat table. If we actually get such a packet we give a target of DNAT.txt script is pretty much identical to the original rc. which is the TCP port for zone transfers between DNS's. This script will allow people who uses DHCP.

org iptables site which has a huge collection of scripts available to download. and if so ACCEPT them. However. then try to access that IP. upon bootup of the internet connection. In case we filter based on interface and IP. 2. If the script is run from within a script which in turn is executed by. it is rather harsh to add and erase rules all the time. This also applies in a sense to the case where we got a static IP. or write one. As you may read from above. A good way to do this. it may be a good idea to grab a script. For a good site. I would definitely advise you to use that script if at all possible since this script is more open to attacks from the outside.firewall. 1. we would get a real hard trouble. We can no longer filter in the INPUT chain depending on.txt script. There is some more things to think about though. Also. there are serious drawbacks with this approach. In other words -d $STATIC_IP has been changed to -i $INET_IFACE. Instead of using this variable the script now does it's main filtering on the variable INET_IFACE. One great example is if we are running an HTTP on our firewall. The NAT'ed box would ask the DNS for the IP of the HTTP server. for example. there is the possibility to add something like this to your scripts: INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1` The above would automatically grab the IP address of the $INET_IFACE variable. which contains static links back to the same host. You will find a link to the linuxguruz. We could for example make a script that grabs the IP from ifconfig and adds it to a variable. If we go to the main page. check out the linuxguruz. if you get rid of the NEW not SYN rules for example. but it is questionable.org site from the Other resources and links appendix.Iptables Tutorial 1. the PPP daemon. It is possible to get by.1. This script might be a bit less secure than the rc. for example. it will hang all currently active connections due to the NEW not SYN rules (see the State NEW packets but no SYN bit set section). as described in the following list. without hurting the already existing ones.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. If you got rules that are static and always want to be around. how would you do it without erasing your already active rules blocking the LAN? http://people. that handles dynamic IP in a better sense. grep the correct line which contains the IP address and then cuts it down to a manageable IP address. if you want to block hosts on your LAN to connect to the firewall. This is pretty much the only changes made and that's all that's needed really. This in turn forces us to filter only based on interfaces in such cases where the internal machines must access the internet adressable IP. which could be some dyndns solution. but in such cases it could be gotten around by adding rules which checks the LAN interface packets for our INET_IP. the NAT'ed box would be unable to get to the HTTP because the INPUT chain would DROP the packets flat to the ground.9 Página 192 The main changes done to the script consists of erasing the STATIC_IP variable as I already said and deleting all referenses to this variable. --in-interface $LAN_IFACE --dst $INET_IP. For example. but at the same time operate a script from the PPP daemon. would e to use for example the ip-up scripts provided with pppd and some other programs.

UTIN. This script will hopefully give you some clues as to what you can do with your firewall to strengthen it up. The only things we actually allow is POP3. We also don't trust the internal users to access the firewall more than we trust users on the Internet. If the script is kept simple.txt script.firewall.1.unix-fu. we don't trust anyone on any networks we are connected to.org/andreasson/iptables-tutorial/iptables-tutorial.firewall.Iptables Tutorial 1. rc.html 21:25:51 10/06/2002 . HTTP and FTP access to the internet. as seen above which in turn could lead to security compromises.test-iptables. but a large part of the hacks and cracks that a company gets hit by is a matter of people from their own staff perpetrating the hit.9 Página 193 3. In other words.txt http://people. not even our own employees. it is easier to spot problems. This script follows the golden rule to not trust anyone. but it does give a few hints at what we would normally let through etc. It's not very different from the original rc.UTIN. This is a sad fact.txt The rc.txt script will in contrast to the other scripts block the LAN that is sitting behind us. rc.firewall. It may get unnecessarily complicated. We also disallow people on our LAN to do anything but specific tasks on the Internet. and to keep order in it.

internet And tail -n 0 -f /var/log/messages while doing the first command. In other words. When all of this is done. When this step is done.the. I will not do that since this is a tutorial and should be used as a place to fetch ideas mainly and it shouldn't be filled up with shell scripts and strange syntax.9 Página 194 The rc.test-iptables. and hence we only care about opening the whole thing up and reset it to default values. we consider the script done. It will work for mostly everyone though who has all the basic set up and all the basic tables loaded into kernel. For example.flush-iptables.firewall start and the script starts. This way.html 21:25:51 10/06/2002 .txt script will reset and flush all your tables and chains. POSTROUTING and OUTPUT chains of the nat table. Adding shell script syntax and other things makes the script harder to read as far as I am concerned and the tutorial was written with readability in mind and will continue being so. The script starts by setting the default policies to ACCEPT on the INPUT.unix-fu. OUTPUT and FORWARD chains of the filter table. such as turning on ip_forwarding.firewall script using redhat Linux syntax where you type something like rc. This script was written for testing purposes only. After this we flush all chains first in the filter table and then in the NAT table. you will get information on which chain was traversed and in which order. This way we know there is no redundant rules lying around anywhere. we jump down to the next section where we erase all the user specified chains in the NAT and filter tables.org/andreasson/iptables-tutorial/iptables-tutorial. You may consider adding rules to flush your MANGLE table if you use it. This should show you all the different chains used and in which order.txt The rc.txt script can be used to test all the different chains. This script is intended for actually setting up and troubleshooting your firewall. and setting up masquerading etcetera. Certain people has mailed me asking from me to put this script into the original rc. We do this first so we won't have to bother about closed connections and packets not getting through. rc.Iptables Tutorial 1. run this script and then do: ping -c 1 host. All it really does is set some LOG targets which will log ping reply's and ping requests.on. One final word on this issue.1.txt script should not really be called a script in itself. Detailed explanations of special commands http://people. but it might need some tweaking depending on your configuration. However. The rc.flush-iptables. unless the log entries are swapped around for some reason.flush-iptables. After this we reset the default policies of the PREROUTING. it's not a good idea to have rules like this that logs everything of one sort since your log partitions might get filled up quickly and it would be an effective Denial of Service attack against you and might lead to real attacks on you that would be unlogged after the initial Denial of Service attack.

ie 192.html 21:25:51 10/06/2002 . this will not change http://people. To see the table you can run the following command: cat /proc/net/conntrack | less The above command will show all currently tracked connections even though it might be a bit hard to understand everything. in this case you might want to run the -F option. iptables will find the erroneous line and erase it for you. though. it erases the first instance it finds matching your rule. iptables -F INPUT will erase the whole INPUT chain. If this is not the wanted behaviour you might try to use the -D option as iptables -D INPUT 10 which will erase the 10th rule in the INPUT chain. it will translate all the different ports according to the /etc/services file as well as DNS all the IP addresses to get DNS records instead. so you don't have to reboot. This table contains all the different connections currently tracked and serves as a basic table so we always know what state a connection currently is in. This table can not be edited and even if it was possible.0/16 is a private range though and should not resolve to anything and the command will seem to hang while resolving the IP. For example. there are actually commands to flush them. which we have discussed briefly previously in the How a rule is built chapter. The later can be a bit of a problem though.1. I've actually gotten this question a couple times by now so I thought I'd answer it right here.org/andreasson/iptables-tutorial/iptables-tutorial.168. To get around this problem we would do something like the following: iptables -L -n Another thing that might be interesting is to see a few statistics about each policy.unix-fu. If you added a rule in error. it will try to resolve LAN IP addresses.Iptables Tutorial 1. There is also instances where you want to flush a whole chain. in case you've got multiple lines looking exactly the same in the chain. and translate everything possible to a more readable form.9 Página 195 Listing your active ruleset To list your currently active ruleset you run a special option to the iptables command. you might just change the -A parameter to -D in the line you added in error. For example. For example. Updating and flushing your tables If at some point you screw up your iptables. it would be a bad idea.168. 192. This would look like the following: iptables -L This command should list your currently active ruleset. We could get this by adding the verbose flag.0.1.1. it might be interesting to know what connections are currently in the conntrack table. It would then look something like this: iptables -L -n -v There is also a few files that might be interesting to look at in the /proc filesystem. rule and chain. For example. to something useful.

This RFC contains information regarding the FTP protocol and Active and Passive FTP and how they work. Postel and J. but not the ip_conntrack_irc and ip_nat_irc modules and then do: /usr/local/sbin/iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT To allow Passive FTP but not DCC.9 Página 196 the default policy. so if this is set to DROP you'll block the whole INPUT chain if used as above. For more information about Active and Passive FTP. you would load the ip_conntrack_ftp and ip_nat_ftp modules. State NEW packets but no SYN bit set http://people. Reynolds. As you can understand from this document. Just compile the ip_conntrack_irc. it is rather simple to add the few lines needed to erase those but I have not added those here since the mangle table is not used in my rc.firewall. but not allow DCC send functions with the new state matching code. well. during Active FTP the client sends the server an IP address and random port to use and then the server connects to this port on the client. If you for example want to allow Passive FTP.txt file properly. if you want to let people run IRC from your local network which is using a NAT'ed or masqueraded connection to the internet. One thing though. telling the client what address to connect to and what port to use. that is what the ip_nat_ftp module does.4. You may ask yourself how. Without these modules they can't recognize these kinds of connections. In case your client sits behind a Network Address Translationing system (iptables). I have made a small script (available as an appendix as well) that will flush and reset your iptables that you might consider using while setting up your rc. if you start mucking around in the mangle table. ie.org/andreasson/iptables-tutorial/iptables-tutorial.txt script so far. then the packets data section needs to be NAT'ed too. but not the ip_conntrack_ftp and ip_nat_ftp modules.x kernels. The client tells the server that it wants to send or receive data and the server replies. ip_conntrack_ftp and ip_nat_ftp code as modules and not statically into the kernel. you'd just load the ip_conntrack_irc and ip_nat_irc modules. What these modules do is that they add support to the connection tracking machine and the NAT machine so they can distinguish and modify a Passive FTP connection or a DCC send connection. In Passive FTP. do as how you set it to DROP.unix-fu. Do note that the ip_nat_* modules are only needed in case you need and want to do Network Adress Translation on the connections.firewall. the proceeding is reversed.1. ip_nat_irc. but not DCC send.html 21:25:51 10/06/2002 . this script will not erase those. read RFC 959 . for example iptables -P INPUT ACCEPT.File Transfer Protocol by J. Common problems and questionmarks Passive FTP but no DCC This is one of the really nice parts about the new iptables support in the 2. you can for example allow Passive FTP connections. To reset the chain policy. its quite simple once you get to think of it. If you would want to do the reverse.Iptables Tutorial 1.

This feature makes it possible to have two or more firewalls. then load the NEW not SYN packet rules. the packet will match to the rules and be logged and afterwards dropped to the ground. Start the connection tracking modules. At this point the faulty Microsoft implementation sends another packet which is considered as state NEW but lacks the SYN bit and hence gets matched by the above rules. The above rules will lead to certain conditions where packets generated by microsoft products gets labeled as a state NEW and hence get logged and dropped. OUTPUT and FORWARD chain: $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP The above rules will take care of this problem. In this case. It will however not lead to broken connections to my knowledge. a huge warning is in it's place for this kind of behaviour on your firewall. packets with the SYN bit unset will get through your firewall.Iptables Tutorial 1. or if you are worried anyways. also there will be no SYN bits set since it is not actually the first packet in the connection. the person previously connected through the LAN will be more or less killed. To put it simple.unix-fu. for instance. If someone is currently connected to the firewall. including me). This feature is there because in certain cases we want to consider that a packet may be part of an already ESTABLISHED connection on. Another way to get this problem is to run the rc. another firewall. and the modules are loaded and unloaded each time you run the script.firewall. lets say from the LAN.This does however lead to the fact that state NEW will allow pretty much any kind of TCP connection. Finally. Internet Service Providers who use assigned http://people. In other words.1.html 21:25:51 10/06/2002 .9 Página 197 There is a certain feature in iptables that is not so well documented and may therefore be overlooked by a lot of people(yes. don't worry to much about this rule. The firewalling of the subnet could then be taken over by our secondary firewall. the connection tracking code will not recognise this connection as a legal connection since it has not seen packets in any direction on this connection before. the telnet client or daemon tries to send something.txt script from a telnet connection from a host not on the actual firewall. and for one of the firewalls to go down without any loss of data. If you use state NEW. The matter is that when a connection gets closed and the final FIN/ACK has been sent and the state machine of netfilter has closed this connection and it is no longer in the conntrack table. Note that there is some troubles with the above rules and bad Microsoft TCP/IP implementations. This only applies when you are running with the conntrack and nat codebases as modules. set the --log-headers option to the rule and log the headers too and you'll get a better look at what the packet looks like. you connect with telnet or some other stream connection. Hence.org/andreasson/iptables-tutorial/iptables-tutorial. In other words. and you have the script set to be activated when running a PPP connection. regardless if this is the initial 3-way handshake or not. This is a badly documented behaviour of the netfilter/iptables project and should definitely be more highlighted. To take care of this problem we add the following rules to our firewalls INPUT. when you start the PPP connection. There is one more known problem with these rules.

the swedish Internet Service Provider and phone monopoly Telia uses this approach for example on their DNS servers.x range to us. because of spoofing possibilities. ICMP types This is a complete listing of all ICMP types: Table 1. ICMP types TYPE CODE Description 0 3 3 3 3 3 3 3 3 3 3 3 0 0 1 2 3 4 5 6 7 8 9 10 Echo Reply Network Unreachable Host Unreachable Protocol Unreachable Port Unreachable Fragmentation needed but no frag.1.x.x. These IP address ranges are not assigned for you to use for dumb stuff like this.html 21:25:51 10/06/2002 . do not allow connections from any IP addresses in the 10.unix-fu. in this script. or you could just comment out that part of the script.x. but you are not supposed to force us to open up ourself just because of some whince of yours. or your own home network. Certain stupid Internet Service Providers use IP addresses assigned by IANA for their local networks on which you connect to. For large corporate sites it is more than ok. at least not to my knowledge. For example.x IP address range. bit set Source routing failed Destination network unknown Destination host unknown Source host isolated (obsolete) Destination network administratively prohibited Destination host administratively prohibited Query x x x x x x x x x x x x Error http://people.0. Well. You might just insert an ACCEPT rule above the spoof section to allow traffic from those DNS servers. which uses the 10.x.1/32 -j ACCEPT I would like to take my moment to bitch at these Internet Service Providers. here is unfortunately an example where you actually might have to lift a bit on those rules.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.0.9 Página 198 IP addresses I have added this since a friend of mine told me something I have totally forgotten. The problem you will most probably run into is that we. This is how it might look: /usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.

http://people.unix-fu.Iptables Tutorial 1. etc : ip-sysctl. A little bit short but a good reference for the IP networking controls and what they do to the kernel.txt .html 21:25:51 10/06/2002 .9 Página 199 3 3 3 3 3 4 5 5 5 5 8 9 10 11 11 12 12 13 14 15 16 17 18 11 12 13 14 15 0 0 1 2 3 0 0 0 0 1 0 1 0 Network unreachable for TOS Host unreachable for TOS Communication administratively prohibited by filtering Host precedence violation Precedence cutoff in effect Source quench Redirect for network Redirect for host Redirect for TOS and network Redirect for TOS and host Echo request Router advertisement Route sollicitation TTL equals 0 during transit TTL equals 0 during reassembly IP header bad (catchall error) Required options missing Timestamp request (obsolete) Timestamp reply (obsolete) x x x x x x x x x x x x x x x x 0 0 0 0 Information request (obsolete) Information reply (obsolete) Address mask request Address mask reply Other resources and links Here is a list of links to resources and where I have gotten information from.14 kernel.4.1.from the 2.org/andreasson/iptables-tutorial/iptables-tutorial.

filewatcher. Also maintains a list of different iptables scripts for different purposes.html .html .Excellent information about the CBQ.Excellent linkpage with links to most of the pages on the internet about iptables and netfilter.org/netfilter-faq.linuxguruz. http://www. http://netfilter. http://netfilter.filewatcher.html 21:25:51 10/06/2002 . tc and the ip commands in Linux. Rusty Russell.islandsoft.filewatcher.Excellent discussion on automatic hardening of iptables and how to make small changes that will make your computer automatically add hostile sites to a special banlist in iptables. http://netfilter. Always have it at hand. And of course the iptables source.from the 2.4. This was also written by Rusty Russell. http://www. http://www.The iptables 1.org/unreliable-guides/NAT-HOWTO/index.docum. Excellent documentation about basic packet filtering with iptables written by one of the core developers of iptables and netfilter.org/unreliable-guides/packet-filtering-HOWTO/index. Excellent documentation about Network Address Translation in iptables and netfilter written by one of the core developers.14 kernel.filewatcher.8 .html .The official netfilter Frequently Asked Questions.4 man page. http://netfilter.org/mailman/listinfo/netfilter .org .9 Página 200 ip_dynaddr. Extremely useful in case you have questions about something not covered in this document or any of the other links here. One of the few documentations on how to write code in the netfilter and iptables userspace and kernel space codebase.net/veerapen. http://netfilter.samba.Rusty Russells Unreliable Netfilter Hacking HOWTO.html .Rusty Russells Unreliable Guide to Network Address Translation.Rusty Russells Unreliable Guide to packet filtering. It is a must for everyone wanting to set up iptables and netfilter in linux. Maintained by Stef Coene. http://lists.org/unreliable-guides/netfilter-hacking-HOWTO/index.The official netfilter mailing-list.filewatcher. http://people.unix-fu. Also a good place to stat at when wondering what iptables and netfilter is about. One of the few sites that has any information at all about these programs.org/ .The official netfilter and iptables site.org/iptables/ .2.html .Iptables Tutorial 1.1.org/andreasson/iptables-tutorial/iptables-tutorial. documentation and individuals who helped me. iptables. This is an HTML'ized version of the man page which is an excellent reference when reading/writing iptables rulesets.txt . A really short reference to the ip_dynaddr settings available via sysctl and the proc filesystem.

Marc Boucher. Galen Johnson. Thomas Smets. For hinting me about strange ISP's and so on that uses reserved networks on the Internet. Mitch Landers. Both for making me realize I was thinking wrong about how packets traverse the basic NAT and filters tables and in which order they show up.unix-fu. Anders 'DeZENT' Johansson.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Version 1. Janne Johansson.html 21:25:51 10/06/2002 .). Togan Muftuoglu.9 (21 March 2002) http://www. Frode E. Also thanks for checking the tutorial for errors etc. History Version 1.firewall rules and giving great inspiration while i was to rewrite the ruleset and being the one who introduced the multiple table traversing into the same file.com/workshops/linux/iptables-tutorial/ http://people. I know I suck at graphics.Iptables Tutorial 1. Michiel Brandenburg. For helping me out with some of the state matching code and getting it to work. and you're better than most I know who do graphics.9 Página 201 Acknowledgements I would like to thank the following people for their help on this document: Fabrice Marie. sorry for not mentioning everyone. Jeremy `Spliffy' Smith. Also a huge thanks for updating the tutorial to DocBook format with make files etc. For giving me hints at stuff that might screw up for people and for trying it out and checking for errors in what I've written. For greatly improving the rc.8 (5 March 2002) http://www. Myles Uyema. Alexander W. And of course everyone else I talked to and asked for comments on this file.boingworld. Kent `Artech' Stahre.1. Jason Lam and Evan Nemerson Version 1. For helping me out with the graphics.org/andreasson/iptables-tutorial/iptables-tutorial. For helping me out on some aspects on using the state matching code. Kelly Ashe. Jelle Kalf.boingworld.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Vince Herried.1. Chapman Brad.1. Peter Horst. Neil Jolly.1.boingworld.7 (4 February 2002) http://www. or at least on the internet for you. For major updates to my horrible grammar and spelling. Nyboe. Janssen.

unix-fu. Steve Hnizdur.9 (9 September 2001) http://people.unix-fu.1.org/andreasson/iptables-tutorial/iptables-tutorial. Dave Wreski. Phil Schultz.org/andreasson/ By: Oskar Andreasson Contributors: Fabrice Marie. Doug Monroe. Jacco van Koll and Dave Wreski Version 1. Erik Sjölund.1. Jan Labanowski. Jensen.5 (14 November 2001) http://people.9 Página 202 By: Oskar Andreasson Contributors: Parimi Ravi.unix-fu.1 (26 September 2001) http://people.0 (15 September 2001) http://people.unix-fu.unix-fu.org/andreasson By: Oskar Andreasson Version 1. N.unix-fu.1.0. Bill Dossett.unix-fu.1. Chris Pluta and Kurt Lieber Version 1.7 (23 August 2001) http://people.html 21:25:51 10/06/2002 .org/andreasson By: Oskar Andreasson Version 1. Göran Båge.org/andreasson By: Oskar Andreasson Version 1. Vasoo Veerapen.0.org/andreasson/ By: Oskar Andreasson Contributors: Jim Ramsey.unix-fu.6 (7 December 2001) http://people.Iptables Tutorial 1. Branco. Phil Schultz.Emile Akabi-Davis and Jelle Kalf Version 1.org/andreasson By: Oskar Andreasson Contributors: Joni Chu.1.org/andreasson By: Oskar Andreasson Version 1. Jasper Aikema.org/andreasson By: Oskar Andreasson Contributors: Stig W.2 (29 September 2001) http://people. Adam Mansbridge.1. Aladdin and Rusty Russell.0.4 (6 November 2001) http://people. Version 1.8 (7 September 2001) http://people. Steven McClintoc. Chris Martin. Merijn Schering and Kurt Lieber Version 1. Rodrigo R. Kurt Lieber.unix-fu.unix-fu.org/andreasson By: Oskar Andreasson Contributors: Dave Richardson Version 1.3 (9 October 2001) http://people. Chris Tallon.1.1. Jonas Pasche.

while not being considered responsible for modifications made by others. Suite 330. We have designed this License in order to use it for manuals for free software.1. It complements the GNU General Public License. 1.6 http://people.org/andreasson/iptables-tutorial/iptables-tutorial. 59 Temple Place.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie GNU Free Documentation License Version 1.unix-fu. but changing it is not allowed. But this License is not limited to software manuals. We recommend this License principally for works whose purpose is instruction or reference.unix-fu. textbook.Iptables Tutorial 1.0. with or without modifying it. Boston. or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it. because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does.org/andreasson By: Oskar Andreasson Version 1. this License preserves for the author and publisher a way to get credit for their work. which is a copyleft license designed for free software. regardless of subject matter or whether it is published as a printed book. Inc. APPLICABILITY AND DEFINITIONS http://people.unix-fu. This License is a kind of "copyleft". it can be used for any textual work. 0. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. Secondarily.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie Version 1.9 Página 203 http://people.0.unix-fu. which means that derivative works of the document must themselves be free in the same sense. either commercially or noncommercially.1. PREAMBLE The purpose of this License is to make a manual.5 http://people. March 2000 Copyright (C) 2000 Free Software Foundation.html 21:25:51 10/06/2002 .

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. ethical or political position regarding them. either copied verbatim. and is addressed as "you". Examples of suitable formats for Transparent copies include plain ASCII without markup. Opaque formats include PostScript. commercial. The "Cover Texts" are certain short passages of text that are listed. proprietary formats that can be read and edited only by proprietary word processors. A copy that is not "Transparent" is called "Opaque". A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. legibly. A "Transparent" copy of the Document means a machine-readable copy. the title page itself.1.) The relationship could be a matter of historical connection with the subject or with related matters. as Front-Cover Texts or Back-Cover Texts. For works in formats which do not have any title page as such. philosophical. or of legal. refers to any such manual or work. whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor. the material this License requires to appear in the title page. and the license notice saying this License applies to the Document are reproduced in all copies. for a printed book. The "Document". and standard-conforming simple HTML designed for human modification. SGML or XML for which the DTD and/or processing tools are not generally available. in the notice that says that the Document is released under this License. and the machine-generated HTML produced by some word processors for output purposes only. 2. SGML or XML using a publicly available DTD. Any member of the public is a licensee. if the Document is in part a textbook of mathematics.org/andreasson/iptables-tutorial/iptables-tutorial. VERBATIM COPYING You may copy and distribute the Document in any medium.9 Página 204 This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Title Page" means. "Title Page" means the text near the most prominent appearance of the work's title. (For example. preceding the beginning of the body of the text. either commercially or noncommercially. or with modifications and/or translated into another language. Texinfo input format. The "Invariant Sections" are certain Secondary Sections whose titles are designated. plus such following pages as are needed to hold. as being those of Invariant Sections. You may not use technical measures to obstruct or control the reading or further copying of the http://people. and that you add no other conditions whatsoever to those of this License.unix-fu. a Secondary Section may not explain any mathematics. represented in a format whose specification is available to the general public. provided that this License. the copyright notices. and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters.html 21:25:51 10/06/2002 . PDF.Iptables Tutorial 1. A "Modified Version" of the Document means any work containing the Document or a portion of it. below. in the notice that says that the Document is released under this License. LaTeX input format.

clearly and legibly. The front cover must present the full title with all words of the title equally prominent and visible. However. In addition. be listed in the History section of the Document). you must enclose the copies in covers that carry. as long as they preserve the title of the Document and satisfy these conditions. you should put the first ones listed (as many as fit reasonably) on the actual cover. 4. If you publish or distribute Opaque copies of the Document numbering more than 100. you must either include a machine-readable Transparent copy along with each Opaque copy. if there were any. if any) a title distinct from that of the Document. to give them a chance to provide you with an updated version of the Document. all these Cover Texts: Front-Cover Texts on the front cover. and you may publicly display copies. you may accept compensation in exchange for copies. You may also lend copies. thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it.1. under the same conditions stated above.Iptables Tutorial 1. when you begin distribution of Opaque copies in quantity. which the general network-using public has access to download anonymously at no charge using public-standard network protocols.html 21:25:51 10/06/2002 . Both covers must also clearly and legibly identify you as the publisher of these copies. If you use the latter option.9 Página 205 copies you make or distribute. that you contact the authors of the Document well before redistributing any large number of copies. Copying with changes limited to the covers. provided that you release the Modified Version under precisely this License. you must take reasonably prudent steps. If you distribute a large enough number of copies you must also follow the conditions in section 3. You may use the same title as a previous version if the original publisher of that version gives permission. to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. and from those of previous versions (which should. COPYING IN QUANTITY If you publish printed copies of the Document numbering more than 100.org/andreasson/iptables-tutorial/iptables-tutorial. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above. It is requested. You may add other material on the covers in addition. you must do these things in the Modified Version: A. and the Document's license notice requires Cover Texts.unix-fu. 3. can be treated as verbatim copying in other respects. http://people. If the required texts for either cover are too voluminous to fit legibly. or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document. Use in the Title Page (and on the covers. and Back-Cover Texts on the back cover. with the Modified Version filling the role of the Document. free of added material. but not required. and continue the rest onto adjacent pages.

or if the original publisher of the version it refers to gives permission. Delete any section entitled "Endorsements". and likewise the network locations given in the Document for previous versions it was based on. L. add their titles to the list of Invariant Sections in the Modified Version's license notice. immediately after the copyright notices. F. Include an unaltered copy of this License. year. if it has less than five). year. http://people. N. These titles must be distinct from any other section titles. given in the Document for public access to a Transparent copy of the Document. C. Preserve the section entitled "History". E. authors. Such a section may not be included in the Modified Version. Include. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices. I. together with at least five of the principal authors of the Document (all of its principal authors. if any. a license notice giving the public permission to use the Modified Version under the terms of this License. Preserve the network location. In any section entitled "Acknowledgements" or "Dedications". in the form shown in the Addendum below. M. If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document. Preserve all the Invariant Sections of the Document. new authors. G. unaltered in their text and in their titles. These may be placed in the "History" section. then add an item describing the Modified Version as stated in the previous sentence. as authors. and publisher of the Modified Version as given on the Title Page. you may at your option designate some or all of these sections as invariant. To do this. State on the Title page the name of the publisher of the Modified Version. preserve the section's title.Iptables Tutorial 1. J. create one stating the title. as the publisher.1. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section. You may omit a network location for a work that was published at least four years before the Document itself. H. D. one or more persons or entities responsible for authorship of the modifications in the Modified Version.html 21:25:51 10/06/2002 .unix-fu. List on the Title Page. and publisher of the Document as given on its Title Page. K. and add to it an item stating at least the title. If there is no section entitled "History" in the Document. Section numbers or the equivalent are not considered part of the section titles. and its title. and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.org/andreasson/iptables-tutorial/iptables-tutorial. Preserve all the copyright notices of the Document. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.9 Página 206 B.

provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. and a passage of up to 25 words as a Back-Cover Text.Iptables Tutorial 1.9 Página 207 You may add a section entitled "Endorsements". and replace the individual copies of this License in the various documents with a single copy that is included in the collection. You may extract a single document from such a collection. provided it contains nothing but endorsements of your Modified Version by various parties--for example. statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. If there are multiple Invariant Sections with the same name but different contents. You may add a passage of up to five words as a Front-Cover Text. and any sections entitled "Dedications". forming one section entitled "History". If the Document already includes a cover text for the same cover. 5. You must delete all sections entitled "Endorsements. and distribute it individually under this License. but you may replace the old one. previously added by you or by arrangement made by the same entity you are acting on behalf of.unix-fu. you must combine any sections entitled "History" in the various original documents. In the combination. under the terms defined in section 4 above for modified versions. the name of the original author or publisher of that section if known. make the title of each such section unique by adding at the end of it.1. you may not add another. The combined work need only contain one copy of this License. http://people. provided you insert a copy of this License into the extracted document. and multiple identical Invariant Sections may be replaced with a single copy. or else a unique number. and list them all as Invariant Sections of your combined work in its license notice. COMBINING DOCUMENTS You may combine the Document with other documents released under this License. and follow this License in all other respects regarding verbatim copying of that document.org/andreasson/iptables-tutorial/iptables-tutorial. unmodified. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version. on explicit permission from the previous publisher that added the old one. likewise combine any sections entitled "Acknowledgements".html 21:25:51 10/06/2002 . Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. to the end of the list of Cover Texts in the Modified Version. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. provided that you include in the combination all of the Invariant Sections of all of the original documents." 6. COLLECTIONS OF DOCUMENTS You may make a collection consisting of the Document and other documents released under this License. in parentheses.

Iptables Tutorial 1.html 21:25:51 10/06/2002 . In case of a disagreement between the translation and the original English version of this License. 9. revised versions of the GNU Free Documentation License from time to time. Such a compilation is called an "aggregate". 8. does not as a whole count as a Modified Version of the Document. but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. modify. Replacing Invariant Sections with translations requires special permission from their copyright holders.unix-fu. the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. sublicense or distribute the Document is void. TERMINATION You may not copy. FUTURE REVISIONS OF THIS LICENSE The Free Software Foundation may publish new. on account of their being thus compiled. then if the Document is less than one quarter of the entire aggregate. Otherwise they must appear on covers around the whole aggregate. if they are not themselves derivative works of the Document. 10. and will automatically terminate your rights under this License.gnu. in or on a volume of a storage or distribution medium. the original English version will prevail.org/andreasson/iptables-tutorial/iptables-tutorial. but may differ in detail to address new problems or concerns. provided no compilation copyright is claimed for the compilation.1. If the Cover Text requirement of section 3 is applicable to these copies of the Document. TRANSLATION Translation is considered a kind of modification. http://people. and this License does not apply to the other self-contained works thus compiled with the Document.org/copyleft/. Such new versions will be similar in spirit to the present version. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. modify. AGGREGATION WITH INDEPENDENT WORKS A compilation of the Document or its derivatives with other separate and independent documents or works.9 Página 208 7. or distribute the Document except as expressly provided for under this License. You may include a translation of this License provided that you also include the original English version of this License. or rights. Any other attempt to copy. parties who have received copies. so you may distribute translations of the Document under the terms of section 4. See http://www. sublicense. However.

Permission is granted to copy. GNU General Public License Version 2.html 21:25:51 10/06/2002 . write "with no Invariant Sections" instead of saying which ones are invariant. distribute and/or modify this document under the terms of the GNU Free Documentation License.unix-fu. A copy of the license is included in the section entitled "GNU Free Documentation License". MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. to permit their use in free software. write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST". such as the GNU General Public License.org/andreasson/iptables-tutorial/iptables-tutorial. the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. How to use this License for your documents To use this License in a document you have written.1. 1991 Free Software Foundation. Suite 330. include a copy of the License in the document and put the following copyright and license notices just after the title page: Copyright (c) YEAR YOUR NAME. we recommend releasing these examples in parallel under your choice of free software license. but changing it is not allowed. Version 1. Preamble The licenses for most software are designed to take away your freedom to share and change it.1 or any later version published by the Free Software Foundation. By contrast. 0. with the Front-Cover Texts being LIST. you may choose any version ever published (not as a draft) by the Free Software Foundation. June 1991 Copyright (C) 1989. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to http://people. If the Document specifies that a particular numbered version of this License "or any later version" applies to it. If you have no Invariant Sections. likewise for Back-Cover Texts.9 Página 209 Each version of the License is given a distinguishing version number.Iptables Tutorial 1. If your document contains nontrivial examples of program code. Boston. with the Invariant Sections being LIST THEIR TITLES. If you have no Front-Cover Texts. If the Document does not specify a version number of this License. Inc. and with the Back-Cover Texts being LIST. 59 Temple Place.

translation is included without limitation in the term "modification". we are referring to freedom. and that you know you can do these things.) Each licensee is addressed as "you". in effect making the program proprietary. The precise terms and conditions for copying. 1. If the software is modified by someone else and passed on. These restrictions translate to certain responsibilities for you if you distribute copies of the software. too. We protect your rights with two steps: (1) copyright the software.org/andreasson/iptables-tutorial/iptables-tutorial. TERMS AND CONDITIONS FOR COPYING. To prevent this. for each author's protection and ours. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead. whether gratis or for a fee.9 Página 210 using it. too. When we speak of free software. any free program is threatened constantly by software patents. To protect your rights. DISTRIBUTION AND MODIFICATION 1. Activities other than copying. (Hereinafter. You must make sure that they. below.html 21:25:51 10/06/2002 . Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish). that you receive source code or can get it if you want it. And you must show them these terms so they know their rights. we want its recipients to know that what they have is not the original. we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. or if you modify it. Also. they are outside its scope. not price. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.1. we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. distribution and modification follow. distribute and/or modify the software.Iptables Tutorial 1. receive or can get the source code. we want to make certain that everyone understands that there is no warranty for this free software. and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say. if you distribute copies of such a program. and (2) offer you this license which gives you legal permission to copy. For example. so that any problems introduced by others will not reflect on the original authors' reputations. and the output from the Program is covered only if its contents constitute a work based on the Program (independent of http://people. distribution and modification are not covered by this License. The act of running the Program is not restricted.) You can apply it to your programs. The "Program". We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses. you must give the recipients all the rights that you have. that you can change the software or use pieces of it in new free programs. a work containing the Program or a portion of it. refers to any such program or work. Finally.unix-fu. either verbatim or with modifications and/or translated into another language.

it is not the intent of this section to claim rights or contest your rights to work written entirely by you. 3.9 Página 211 having been made by running the Program). and its terms. and copy and distribute such modifications or work under the terms of Section 1 above. mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. You may copy and distribute verbatim copies of the Program's source code as you receive it.1. and you may at your option offer warranty protection in exchange for a fee. you must cause it. You may modify your copy or copies of the Program or any portion of it. You may copy and distribute the Program (or a work based on it. thus forming a work based on the Program. your work based on the Program is not required to print an announcement. If identifiable sections of that work are not derived from the Program. If the modified program normally reads commands interactively when run.html 21:25:51 10/06/2002 .) These requirements apply to the modified work as a whole. do not apply to those sections when you distribute them as separate works. and thus to each and every part regardless of who wrote it. whose permissions for other licensees extend to the entire whole. and telling the user how to view a copy of this License.unix-fu. Thus. 4. the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. the distribution of the whole must be on the terms of this License. and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy. rather. 5.org/andreasson/iptables-tutorial/iptables-tutorial. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. then this License. provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty. 2. provided that you also meet all of these conditions: 1. But when you distribute the same sections as part of a whole which is a work based on the Program. 3.Iptables Tutorial 1. and can be reasonably considered independent and separate works in themselves. (Exception: if the Program itself is interactive but does not normally print such an announcement. that in whole or in part contains or is derived from the Program or any part thereof. keep intact all the notices that refer to this License and to the absence of any warranty. saying that you provide a warranty) and that users may redistribute the program under these conditions. In addition. to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else. Whether that is true depends on what the Program does. under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: http://people. You must cause any work that you distribute or publish. to be licensed as a whole at no charge to all third parties under the terms of this License. in any medium. when started running for such interactive use in the most ordinary way.

sublicense or distribute the Program is void. plus the scripts used to control compilation and installation of the executable. even though third parties are not compelled to copy the source along with the object code. the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler. valid for at least three years. and so on) of the operating system on which the executable runs. The source code for a work means the preferred form of the work for making modifications to it. kernel. You are not responsible for enforcing compliance by third parties to this License. However. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. to give any third party. Accompany it with the complete corresponding machine-readable source code. 8.unix-fu. in accord with Subsection b above. and will automatically terminate your rights under this License. If distribution of executable or object code is made by offering access to copy from a designated place. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. or distribute the Program except as expressly provided under this License. they do not excuse you from http://people.9 Página 212 A. C. However. nothing else grants you permission to modify or distribute the Program or its derivative works. sublicense. or. B. modify.org/andreasson/iptables-tutorial/iptables-tutorial. for a charge no more than your cost of physically performing source distribution. as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues). you indicate your acceptance of this License to do so. 9. Therefore. However. 10. the recipient automatically receives a license from the original licensor to copy. to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. You are not required to accept this License.) 6.html 21:25:51 10/06/2002 . distributing or modifying the Program or works based on it. If. plus any associated interface definition files. then offering equivalent access to copy the source code from the same place counts as distribution of the source code.Iptables Tutorial 1. parties who have received copies.1. You may not copy. and all its terms and conditions for copying. Accompany it with a written offer. conditions are imposed on you (whether by court order. These actions are prohibited by law if you do not accept this License. complete source code means all the source code for all modules it contains. or. modify. by modifying or distributing the Program (or any work based on the Program). Each time you redistribute the Program (or any work based on the Program). For an executable work. unless that component itself accompanies the executable. 7. as a special exception. agreement or otherwise) that contradict the conditions of this License. distribute or modify the Program subject to these terms and conditions. which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. since you have not signed it. a complete machine-readable copy of the corresponding source code. or rights. Any attempt otherwise to copy. Accompany it with the information you received as to the offer to distribute corresponding source code.

you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. write to the Free Software Foundation. If the Program does not specify a version number of this License. it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. For example. we sometimes make exceptions for this. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations. 11. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT http://people. 12. 14. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different. if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you. you may choose any version ever published by the Free Software Foundation. so that distribution is permitted only in or among countries not thus excluded. Each version is given a distinguishing version number. the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time.html 21:25:51 10/06/2002 . TO THE EXTENT PERMITTED BY APPLICABLE LAW. this License incorporates the limitation as if written in the body of this License. If the Program specifies a version number of this License which applies to it and "any later version". NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE. which is implemented by public license practices. this section has the sole purpose of protecting the integrity of the free software distribution system. then as a consequence you may not distribute the Program at all. 13. THERE IS NO WARRANTY FOR THE PROGRAM. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims. the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. write to the author to ask for permission. but may differ in detail to address new problems or concerns.org/andreasson/iptables-tutorial/iptables-tutorial. In such case. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. Such new versions will be similar in spirit to the present version.unix-fu. If any portion of this section is held invalid or unenforceable under any particular circumstance.Iptables Tutorial 1.1.9 Página 213 the conditions of this License. then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. For software which is copyrighted by the Free Software Foundation. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system.

MA 02111-1307 USA http://people. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty. Boston. either version 2 of the License. 59 Temple Place. OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE. EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. and you want it to be of the greatest possible use to the public. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER. To do so. EITHER EXPRESSED OR IMPLIED.9 Página 214 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND.. SPECIAL. you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. This program is distributed in the hope that it will be useful. Suite 330. INCLUDING ANY GENERAL. if not.html 21:25:51 10/06/2002 . 16. You should have received a copy of the GNU General Public License along with this program. Inc. INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS). or (at your option) any later version. SHOULD THE PROGRAM PROVE DEFECTIVE.> Copyright (C) <year> <name of author> This program is free software. How to Apply These Terms to Your New Programs If you develop a new program. REPAIR OR CORRECTION.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial. INCLUDING. attach the following notices to the program. BE LIABLE TO YOU FOR DAMAGES. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. but WITHOUT ANY WARRANTY. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. END OF TERMS AND CONDITIONS 2.1. YOU ASSUME THE COST OF ALL NECESSARY SERVICING. <one line to give the program's name and a brief idea of what it does. See the GNU General Public License for more details.unix-fu. and each file should have at least the "copyright" line and a pointer to where the full notice is found. BUT NOT LIMITED TO. write to the Free Software Foundation.

Initial SIMPLE IP Firewall script for Linux 2.9 Página 215 Also add information on how to contact you by electronic and paper mail.4. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.org/andreasson/iptables-tutorial/iptables-tutorial. <signature of Ty Coon>.unix-fu.firewall . http://people. use the GNU Library General Public License instead of this License. This is free software. type `show c' for details. Inc. Here is a sample. President of Vice This General Public License does not permit incorporating your program into proprietary programs. you may consider it more useful to permit linking proprietary applications with the library.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. and you are welcome to redistribute it under certain conditions. the commands you use may be called something other than `show w' and `show c'. If the program is interactive.html 21:25:51 10/06/2002 . they could even be mouse-clicks or menu items--whatever suits your program. for details type `show w'. See the # GNU General Public License for more details. Of course. Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY.1. if necessary. 1 April 1989 Ty Coon. version 2 of the License. You should also get your employer (if you work as a programmer) or your school.Iptables Tutorial 1. make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69. Example scripts codebase Example rc.net> # # This program is free software. # # This program is distributed in the hope that it will be useful. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License.firewall script #!/bin/sh # # rc. hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. to sign a "copyright disclaimer" for the program. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. if any.. alter the names: Yoyodyne. If your program is a subroutine library. If this is what you want to do. # but WITHOUT ANY WARRANTY.

# # # 1.9 Página 216 # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. if not. write to the Free Software Foundation.0.unix-fu. # # your LAN's IP range and localhost IP.2 PPPoE # # # 1.0 # LAN_IP="192.255.236. /24 means to only use the first 24 # bits of the 32 bit IP adress.2 Local Area Network configuration.2" LAN_IP_RANGE="192.155" INET_IFACE="eth0" # # 1.1 DHCP # # # 1.255. Configuration options. Suite 330.255.html 21:25:51 10/06/2002 .4 Localhost Configuration..50.1. # # # 1.0. Boston.1. # LO_IFACE="lo" LO_IP="127. the same as netmask 255. 59 Temple # Place.Iptables Tutorial 1.0.168.org/andreasson/iptables-tutorial/iptables-tutorial.168. Inc. MA 02111-1307 USA # ########################################################################### # # 1. # INET_IP="194.0/16" LAN_BCAST_ADRESS="192.255" LAN_IFACE="eth1" # # 1.3 DMZ Configuration.1 Internet Configuration.168.1.0.1" http://people.

# ########################################################################### # # 2.html 21:25:51 10/06/2002 . # http://people.9 Página 217 # # 1.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. /proc set up.6 Other Configuration.unix-fu. Module loading. # IPTABLES="/usr/sbin/iptables" # # 1.org/andreasson/iptables-tutorial/iptables-tutorial.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2. # # # Needed to initially load modules # /sbin/depmod -a # # 2.Iptables Tutorial 1.5 IPTables Configuration.1.

1.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.9 Página 218 # # 3.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP. rules set up.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4. # ###### # 4.1.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.html 21:25:51 10/06/2002 . TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets http://people.Iptables Tutorial 1.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.1 Filter table # # # 4.

9 Página 219 $IPTABLES -N udpincoming_packets # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT http://people.unix-fu.1.html 21:25:51 10/06/2002 .

9 Página 220 # # 4.unix-fu.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.org/andreasson/iptables-tutorial/iptables-tutorial.1.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward http://people.Iptables Tutorial 1.html 21:25:51 10/06/2002 .1. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.1.

2 nat table # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.1.2.1 Set policies # # # 4.Iptables Tutorial 1. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above.2 Create user specified chains # http://people.6 OUTPUT chain # # # Bad TCP packets we don't want.2. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.9 Página 221 # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.html 21:25:51 10/06/2002 .unix-fu.RELATED -j ACCEPT # # Log weird packets that don't match the above.

6 OUTPUT chain # ###### # 4.org/andreasson/iptables-tutorial/iptables-tutorial.1 Set policies # # # 4.3.Iptables Tutorial 1.3.3.2 Create user specified chains # # # 4.6 FORWARD chain # http://people.4 PREROUTING chain # # # 4.3.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.3 mangle table # # # 4.9 Página 222 # # 4.2.4 PREROUTING chain # # # 4.5 INPUT chain # # # 4.2.2.1.html 21:25:51 10/06/2002 .3 Create content in user specified chains # # # 4.2.3 Create content in user specified chains # # # 4.3.3.unix-fu.

152" HTTP_IP="194.unix-fu.8 POSTROUTING chain # Example rc. Inc.firewall script #!/bin/sh # # rc.153" DNS_IP="194.1 Internet Configuration. 59 Temple # Place. version 2 of the License.firewall . See the # GNU General Public License for more details.DMZ.9 Página 223 # # 4.236. Suite 330.DMZ.1. if not.html 21:25:51 10/06/2002 . # # This program is distributed in the hope that it will be useful.50.50.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.4. # INET_IP="194. MA 02111-1307 USA # ########################################################################### # # 1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.Iptables Tutorial 1.7 OUTPUT chain # # # 4. # # # 1. write to the Free Software Foundation..net> # # This program is free software.DMZ IP Firewall script for Linux 2.3.org/andreasson/iptables-tutorial/iptables-tutorial.50. Boston.3. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.154" INET_IFACE="eth0" http://people.236.236. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Configuration options. # but WITHOUT ANY WARRANTY.

Iptables Tutorial 1.1.9

Página 224

# # 1.1.1 DHCP # # # 1.1.2 PPPoE # # # 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1" # # 1.3 DMZ Configuration. # DMZ_HTTP_IP="192.168.1.2" DMZ_DNS_IP="192.168.1.3" DMZ_IP="192.168.1.1" DMZ_IFACE="eth2" # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. # ########################################################################### # # 2. Module loading. http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 225

# # # Needed to initially load modules # /sbin/depmod -a

# # 2.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 226

#echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 227

# # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # 4.1.4 INPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Packets from the Internet to this box # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # # Packets from LAN, DMZ or LOCALHOST # # # From DMZ Interface to DMZ firewall IP # $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT # # From LAN Interface to LAN firewall IP # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 228

# # From Localhost interface to Localhost IP # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT # # All established and related packets incoming from the internet to the # firewall # $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \ -j ACCEPT # # Logging rule # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.1.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# # DMZ section # # General rules # $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \ --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT # # HTTP server # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

1.1.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Allow ourself to send packets not spoofed everywhere # $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT http://people.Iptables Tutorial 1.html 21:25:51 10/06/2002 .9 Página 229 $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ --dport 80 -j allowed $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ -j icmp_packets # # DNS server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j allowed $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j ACCEPT $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ -j icmp_packets # # LAN section # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.RELATED -j ACCEPT # # LOG all packets reaching here # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.

Iptables Tutorial 1.1.9

Página 230

# # Logging rule # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2 nat table # # # 4.2.1 Set policies # # # 4.2.2 Create user specified chains # # # 4.2.3 Create content in user specified chains # # # 4.2.4 PREROUTING chain # # # Enable IP Destination NAT for DMZ zone # $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \ -j DNAT --to-destination $DMZ_HTTP_IP $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP # # 4.2.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 231

# # 4.2.6 OUTPUT chain # ###### # 4.3 mangle table # # # 4.3.1 Set policies # # # 4.3.2 Create user specified chains # # # 4.3.3 Create content in user specified chains # # # 4.3.4 PREROUTING chain # # # 4.3.5 INPUT chain # # # 4.3.6 FORWARD chain # # # 4.3.7 OUTPUT chain # # # 4.3.8 POSTROUTING chain #

Example rc.UTIN.firewall script
#!/bin/sh # # rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 232

# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA 02111-1307 USA # ########################################################################### # # 1. Configuration options. # # # 1.1 Internet Configuration. # INET_IP="194.236.50.155" INET_IFACE="eth0" # # 1.1.1 DHCP # # # 1.1.2 PPPoE # # # 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1"

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 233

# # 1.3 DMZ Configuration. # # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. # ########################################################################### # # 2. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.2 Non-Required modules #

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 234

#/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr

########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

9 Página 235 # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed http://people.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.Iptables Tutorial 1.html 21:25:51 10/06/2002 .unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.1.

5 FORWARD chain # http://people. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.html 21:25:51 10/06/2002 . # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from anywhere # $IPTABLES -A INPUT -p ICMP -j icmp_packets $IPTABLES -A INPUT -p TCP -j tcp_packets $IPTABLES -A INPUT -p UDP -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.1.1.org/andreasson/iptables-tutorial/iptables-tutorial.4 INPUT chain # # # Bad TCP packets we don't want.1.9 Página 236 # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.Iptables Tutorial 1.unix-fu.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.

org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.1.2 nat table http://people.9 Página 237 # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward between interfaces.1.RELATED -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above.html 21:25:51 10/06/2002 . # $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.6 OUTPUT chain # # # Bad TCP packets we don't want.unix-fu. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.

unix-fu.3.2 Create user specified chains # # # 4.3 Create content in user specified chains # # # 4.2.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.2.9 Página 238 # # # 4.1 Set policies # # # 4.html 21:25:51 10/06/2002 .3 mangle table # # # 4.2 Create user specified chains # # # 4.1 Set policies # # # 4.2.Iptables Tutorial 1.3.4 PREROUTING chain # # # 4.1.2.3.6 OUTPUT chain # ###### # 4.2.3 Create content in user specified chains # # http://people.2.org/andreasson/iptables-tutorial/iptables-tutorial.

firewall script #!/bin/sh # # rc.unix-fu. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. version 2 of the License.6 FORWARD chain # # # 4.firewall .. See the # GNU General Public License for more details.net> # # This program is free software.Iptables Tutorial 1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.9 Página 239 # 4. Inc.1.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.DHCP. Boston. # but WITHOUT ANY WARRANTY. write to the Free Software Foundation.3. # http://people.3. Suite 330.4. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.3.4 PREROUTING chain # # # 4.3. # # This program is distributed in the hope that it will be useful. if not.5 INPUT chain # # # 4.7 OUTPUT chain # # # 4.3.8 POSTROUTING chain # Example rc.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .DHCP IP Firewall script for Linux 2. MA 02111-1307 USA # ########################################################################### # # 1. Configuration options. 59 Temple # Place.

1.1. If you get DHCP # over the Internet set this variable to yes. # INET_IFACE="eth0" # # 1.1.22.255. /24 means to only use the first 24 # bits of the 32 bit IP adress.168.org/andreasson/iptables-tutorial/iptables-tutorial. # # If you have problem with your PPPoE connection.90.2 Local Area Network configuration. This option will set a # rule in the PREROUTING chain of the mangle table which will clamp # (resize) all routed packets to PMTU (Path Maximum Transmit Unit).Iptables Tutorial 1.1 Internet Configuration.unix-fu. # # your LAN's IP range and localhost IP.255. # DHCP="no" DHCP_SERVER="195. # # Note that it is better to set this up in the PPPoE package itself. such as large mails not # getting through while small mail get through properly etc.0 # LAN_IP="192.65" # # 1.1 DHCP # # # Information pertaining to DHCP over the Internet.0. # PPPOE_PMTU="no" # # 1. and set up the proper IP # adress for the DHCP server in the DHCP_SERVER variable. the same as netmask 255. # # Set DHCP variable to no if you don't get IP from DHCP.2" LAN_IP_RANGE="192. since # the PPPoE configuration option will give less overhead.html 21:25:51 10/06/2002 . if needed.0/16" http://people.2 PPPoE # # Configuration options pertaining to PPPoE.9 Página 240 # # 1.168.0. you may set # this option to "yes" which may fix the problem.

1 Required modules # /sbin/modprobe ip_conntrack /sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_MASQUERADE http://people.html 21:25:51 10/06/2002 . # # # 1.255" LAN_IFACE="eth1" # # 1.org/andreasson/iptables-tutorial/iptables-tutorial. # LO_IFACE="lo" LO_IP="127. # ########################################################################### # # 2.1" # # 1.unix-fu.9 Página 241 LAN_BCAST_ADRESS="192.6 Other Configuration.0.1.0.Iptables Tutorial 1. # # # Needed to initially load modules # /sbin/depmod -a # # 2.4 Localhost Configuration.5 IPTables Configuration.3 DMZ Configuration.255. # IPTABLES="/usr/sbin/iptables" # # 1.168. Module loading.

# # # 3.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . # ###### # 4.1.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.9 Página 242 # # 2. rules set up.1.Iptables Tutorial 1.1.2 Create userspecified chains # http://people.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.1 Filter table # # # 4.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4. /proc set up.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.

3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.9 Página 243 # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.Iptables Tutorial 1.html 21:25:51 10/06/2002 .RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed http://people.org/andreasson/iptables-tutorial/iptables-tutorial.1.unix-fu. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.

RELATED -j ACCEPT # # Log weird packets that don't match the above.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .Iptables Tutorial 1. http://people.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \ --state ESTABLISHED.9 Página 244 $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT if [ $DHCP == "yes" ] . then $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.1.unix-fu.1.

9 Página 245 # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.unix-fu.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.Iptables Tutorial 1. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # # Log weird packets that don't match the above.html 21:25:51 10/06/2002 . # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.1.1.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. http://people.RELATED -j ACCEPT # # Log weird packets that don't match the above.

RST SYN \ -j TCPMSS --clamp-mss-to-pmtu fi $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE # # 4.6 OUTPUT chain # ###### # 4. then $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN.3 Create content in user specified chains # # # 4.Iptables Tutorial 1.2.3.2 nat table # # # 4.1.2.html 21:25:51 10/06/2002 .2.9 Página 246 # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2.1 Set policies # # # 4.2 Create user specified chains http://people.org/andreasson/iptables-tutorial/iptables-tutorial.3.4 PREROUTING chain # # # 4.1 Set policies # # # 4.2 Create user specified chains # # # 4.unix-fu.5 POSTROUTING chain # if [ $PPPOE_PMTU == "yes" ] .2.3 mangle table # # # 4.2.

9 Página 247 # # # 4.7 OUTPUT chain # # # 4. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.1.Resets iptables to default values.5 INPUT chain # # # 4.4 PREROUTING chain # # # 4.net> # # This program is free software.3.6 FORWARD chain # # # 4.3.flush-iptables script #!/bin/sh # # rc. version 2 of the License.3 Create content in user specified chains # # # 4.html 21:25:51 10/06/2002 . you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.3.3.org/andreasson/iptables-tutorial/iptables-tutorial.3.unix-fu.3.8 POSTROUTING chain # Example rc. # http://people.flush-iptables .Iptables Tutorial 1.

without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. write to the Free Software Foundation. MA 02111-1307 USA # # Configurations # IPTABLES="/usr/sbin/iptables" # # reset the default policies in the filter table. # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F # # erase all chains that's not default in filter and nat table. # but WITHOUT ANY WARRANTY.Iptables Tutorial 1. # $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT # # reset the default policies in the nat table.9 Página 248 # This program is distributed in the hope that it will be useful.html 21:25:51 10/06/2002 .unix-fu. Inc. Suite 330. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X http://people.org/andreasson/iptables-tutorial/iptables-tutorial. 59 Temple # Place. See the # GNU General Public License for more details. # $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT # # reset the default policies in the mangle table. # $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT # # flush all the rules in the filter and nat tables.1.. Boston. if not.

# # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.unix-fu. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. version 2 of the License.1. Boston.html 21:25:51 10/06/2002 . all chains except OUTPUT which don't work. Suite 330.Iptables Tutorial 1. MA 02111-1307 USA # # # Filter table.test-iptables script #!/bin/bash # # rc. # # This program is distributed in the hope that it will be useful. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. 59 Temple # Place. See the # GNU General Public License for more details..test script for iptables chains and tables. # iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat PREROUTING:" http://people. # but WITHOUT ANY WARRANTY. Inc. if not. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. all chains # iptables -t filter -A INPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter FORWARD:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter FORWARD:" # # NAT table.net> # # This program is free software. write to the Free Software Foundation.org/andreasson/iptables-tutorial/iptables-tutorial.test-iptables .9 Página 249 Example rc.

Iptables Tutorial 1.html 21:25:51 10/06/2002 . http://people.9 Página 250 iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat OUTPUT:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat OUTPUT:" # # Mangle table. all chains # iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle OUTPUT:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle OUTPUT:" Done.unix-fu.1.org/andreasson/iptables-tutorial/iptables-tutorial.

Sign up to vote on this title
UsefulNot useful