P. 1
eBook IpTables Tutorial

eBook IpTables Tutorial

|Views: 15|Likes:
Published by bernh_a

More info:

Published by: bernh_a on Aug 27, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

08/27/2011

pdf

text

original

Sections

Iptables Tutorial 1.1.

9

Página 1

Iptables Tutorial 1.1.9
Oskar Andreasson
blueflux@koffein.net

Copyright © 2001 by Oskar Andreasson

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all subsections, with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no BackCover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 of the License. These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License within this tutorial, under the section entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Table of Contents Introduction Why this document was written How it was written About the author Dedications Preparations Where to get iptables Kernel setup 1 userland setup Compiling the userland applications http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 2

Installation on Red Hat 7.1 How a rule is built Basics Tables Commands Matches Generic matches Implicit matches Explicit matches Targets/Jumps ACCEPT target DROP target QUEUE target RETURN target LOG target MARK target REJECT target TOS target MIRROR target SNAT target DNAT target MASQUERADE target REDIRECT target TTL target ULOG target Traversing of tables and chains General Mangle table 1 Nat table 2 Filter table rc.firewall file example rc.firewall explanation of rc.firewall Configuration options http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 3

Initial loading of extra modules proc set up Displacement of rules to different chains Setting up the different chains used INPUT chain The TCP allowed chain The ICMP chain The TCP chain The UDP chain OUTPUT chain FORWARD chain PREROUTING chain of the nat table Starting the Network Address Translation Example scripts rc.firewall.txt script structure The structure rc.firewall.txt rc.DMZ.firewall.txt rc.DHCP.firewall.txt 10. rc.UTIN.firewall.txt rc.test-iptables.txt rc.flush-iptables.txt Detailed explanations of special commands Listing your active ruleset Updating and flushing your tables Common problems and questionmarks Passive FTP but no DCC State NEW packets but no SYN bit set Internet Service Providers who use assigned IP addresses ICMP types Other resources and links Acknowledgements History GNU Free Documentation License 0. PREAMBLE 1. APPLICABILITY AND DEFINITIONS 2. VERBATIM COPYING http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 4

3. COPYING IN QUANTITY 4. MODIFICATIONS 1. 5. COMBINING DOCUMENTS 6. COLLECTIONS OF DOCUMENTS 7. AGGREGATION WITH INDEPENDENT WORKS 8. TRANSLATION 9. TERMINATION 10. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents GNU General Public License 0. Preamble 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. 2. How to Apply These Terms to Your New Programs Example scripts codebase Example rc.firewall script Example rc.DMZ.firewall script Example rc.UTIN.firewall script Example rc.DHCP.firewall script Example rc.flush-iptables script Example rc.test-iptables script

Introduction Why this document was written
Well, I found a big empty space in the HOWTO's out there lacking in information about the iptables and netfilter functions in the new Linux 2.4.x kernels. Among other things, I'm going to try to answer questions that some might have about the new possibilities like state matching. Is it possible to allow passive FTP to your server, but not allow outgoing DCC from IRC as an example? I will build this all up from an example rc.firewall.txt file that you can use in your /etc/rc.d/ scripts. Yes, this file was originally based upon the masquerading HOWTO for those of you who recognize it. Also, there's a small script that I wrote just in case you screw up as much as I did during the configuration available as rc.flush-iptables.txt.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 5

How it was written
I've placed questions to Marc Boucher and others from the core netfilter team. A big thanks going out to them for their work and for their help on this tutorial that I wrote and maintain for boingworld.com. This document will guide you through the setup process step by step, hopefully make you understand some more about the iptables package. I will base most of the stuff here on the example rc.firewall file since I find that example to be a good way to learn how to use iptables. I have decided to just follow the basic chains and from there go down into each and one of the chains traversed in each due order. This tutorial has turned a little bit harder to follow this way but at the same time it is more logical. Whenever you find something that's hard to understand, just consult this tutorial.

About the author
I'm someone with too many old computers on my hands, sitting with my own LAN and wanting them all to be connected to the Internet, at the same time having it fairly secure. The new iptables is a good upgrade from the old ipchains in this regard. Before, you could make a fairly secure network by dropping all incoming packages not destined to certain ports, but this would be a problem with things like passive FTP or outgoing DCC in IRC, which assigns ports on the server, tells the client about it, and then lets the client connect. There was some child diseases in the iptables code that I ran into in the beginning, and in some respects I found the code not quite ready for release in full production. Today, I'd recommend everyone who uses ipchains or even older ipfwadm etc to upgrade unless they're happy with what their current code is capable of and if it does what they need it to.

Dedications
First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She has supported me more than I ever can support her to any degree. I wish I could make you just as happy as you make me. Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who makes this wonderful operating system possible.

Preparations
This chapter is aimed at getting you started and to help you understand the role netfilter and iptables play in Linux today. This chapter should hopefully get you set up and finished to go with your experimentation and installation of a firewall which should hopefully run smoothly in the future.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

this is most definitely required if for anything in this tutorial to work at all. -m limit --limit 3/minute would match a maximum of 3 packets per minute.txt to work. Here we will show you the options available in a basic 2. If you need to firewall machines on a LAN you most definitely should mark this option.This module isn't exactly required but it's used in the example rc.Iptables Tutorial 1. among other things. I assume you'll want this since you're reading this at all. Kernel setup To run the pure basics of iptables you need to configure the following options into the kernel while doing make config or one of it's related commands: CONFIG_PACKET . you need to set up the proper configuration options in your kernel. The necessary pieces will be discussed a bit further down in this document. ie. http://people.1. This module can also be used to avoid certain Denial of Service attacks. It adds the whole iptables identification framework to kernel. Without this you won't be able to do anything at all with iptables. If you want to use the more advanced options in IPTables. this option compiles the helper.This module is required if you want to do connection tracking on FTP connections. this module is required by the rc. CONFIG_IP_NF_FTP . CONFIG_IP_NF_IPTABLES . NAT and Masquerading.9 Página 6 Where to get iptables The iptables userspace package can be downloaded from the netfilter homepage. PPP and SLIP interfaces.This module is needed to make connection tracking. it just adds the framework to the kernel. If you don't add this module you won't be able to FTP through a firewall or gateway properly.This option is required if you want do any kind of filtering. that adds the possibility to control how many packets per minute that's supposed to be matched with a certain rule. For example. For example. In other words. The above will only add some of the pure basics in iptables.4. And of course you need to add the proper drivers for your interfaces to work properly.org/andreasson/iptables-tutorial/iptables-tutorial.9 kernel and a brief explanation : CONFIG_IP_NF_CONNTRACK .This option is required if you're going to use your computer as a firewall or gateway to the internet. This option provides the LIMIT match. CONFIG_IP_NF_MATCH_LIMIT . An example would be tcpdump or snort.firewall.txt.This option allows applications and programs that needs to work directly to certain network devices.html 21:25:51 10/06/2002 . masquerading or NAT.unix-fu. CONFIG_NETFILTER . The iptables package also makes use of kernel space facilities which can be configured into the kernel during make configure. You won't be able to do anything to be pretty honest. Connection tracking is used by.firewall. Since FTP connections are quite hard to do connection tracking on in normal cases conntrack needs a so called helper. Ethernet adapter.

This allows us to use a MARK match. We don't use this option in the rc. if we use the target MARK we could mark a packet and then depending on if this packet is marked further on in the table.html 21:25:51 10/06/2002 . TOS can also be set by certain rules in the mangle table and via the ip/tc commands. Note that this match is still experimental and might not work perfectly in all cases.org/andreasson/iptables-tutorial/iptables-tutorial. We could for instance block packets based on what MAC address used and block a certain computer pretty well since the MAC address don't change. CONFIG_IP_NF_TARGET_REJECT . CONFIG_IP_NF_MATCH_MARK . if we've already seen trafic in two directions in a TCP connection.firewall. CONFIG_IP_NF_MATCH_TCPMSS . For example. This module was originally just written as an example on what could be done with the new iptables. FORWARD and OUTPUT chains. if we set up a MIRROR target on destination port HTTP on our INPUT chain and someone tries to access this port we would plainly bounce his packets back to himself and finally he would see his own homepage. this packet will be counted as ESTABLISHED.9 Página 7 CONFIG_IP_NF_MATCH_MAC .This option will add the possibility for us to do matching based on the owner of a socket. For example. CONFIG_IP_NF_TARGET_MIRROR . We could for example drop these packets. Mind you that TCP connections are always reset or refused with a TCP RST packet. but we never know if they are legitimate or not. This option is the actual match MARK. For example.Iptables Tutorial 1. TCP.This module allows us to match packets with a whole range of destination ports or source ports. UDP and ICMP packets that looks strange or are invalid.This is one of the biggest news in comparison to ipchains. we can allow only the user root to have Internet access. CONFIG_IP_NF_MATCH_MULTIPORT . This module is used extensively in the rc.This option adds the possibility for us to match TCP packets based on their MSS field. CONFIG_IP_NF_MATCH_STATE .This allows us to match packets based on MAC addresses. we can match based on this mark. and further down we will describe the actual target MARK. This module is required if you plan to do any kind of filtering on packets that you receive and send.firewall. Note that this match is still experimental and might not work for everyone. but with this match it is. Normally this wouldn't be possible.This module will add the basic filter table which will enable you to do basic filtering. In the filter table you'll find the INPUT. CONFIG_IP_NF_MATCH_TOS . With this module we can do stateful matching on packets.txt example or anywhere else. CONFIG_IP_NF_MATCH_UNCLEAN .txt example.This target allows us to specify that an ICMP error message should be sent in reply to incoming packets instead of plainly dropping them dead to the floor. TOS stands for Type Of Service. For example.1.With this match we can match packets based on their TOS field. CONFIG_IP_NF_FILTER . Every Ethernet adapter has it's own MAC address.This module will add the possibility for us to match IP. http://people.unix-fu. CONFIG_IP_NF_MATCH_OWNER .This allows packets to be bounced back to the sender of the packet.

we remap them to go to our local box instead. and most definitely on your network if you do not have the ability to add unique IP addresses as specified above.9 Página 8 CONFIG_IP_NF_NAT . we have the possibility to make a transparent proxy this way. SLIP or some other connection that dynamically assigns us an IP. In other words. unless you are able to provide unique IP addresses for all hosts.4. With this option we can do port forwarding.Adds a compatibility mode with the old ipchains. Do absolutely not look at this as a real long term solution.txt script to work. These are only the options available in a vanilla Linux 2. CONFIG_IP_NF_TARGET_REDIRECT . CONFIG_IP_NF_COMPAT_IPCHAINS . for the rc.html 21:25:51 10/06/2002 . Instead of letting a packet pass right through. This can result in webpages not getting through. CONFIG_IP_NF_TARGET_LOG . Do not look at this as any real long term solution for solving migration from Linux 2. CONFIG_IP_NF_TARGET_MASQUERADE .2 kernels to 2. As you can see. For instance if we don't know what IP we have to the Internet this would be the preferred way of getting the IP instead of using DNAT or SNAT. this option is required for the example rc. I have briefly explained what kind of extra behaviours you can expect from each module here. POM fixes are additions that are supposed to be added in the kernel in the future but has not quite reached the kernel yet. or as modules. but mostly is. You will need the following options compiled into your kernel. Hence.org/andreasson/iptables-tutorial/iptables-tutorial. I suggest you look at the patch-o-matic functions in netfilter userland which will add heaps of other options in the kernel. or NAT. we need to use this target instead of SNAT.This module allows network address translation.This target is useful together with proxies for example. We can use this module to log certain packets to syslogd and hense see the packet further on. Masquerading gives a slightly higher load on the computer than NAT does. CONFIG_IP_NF_TARGET_TCPMSS .This option can be used to overcome Internet Service Providers and servers who block ICMP Fragmentation Needed packets.unix-fu. PPP. This could be useful for forensics or debugging a script you're writing. In other words.9 kernel. but will work without us knowing the IP in advance.1. Note that this option is is not required for firewalling and masquerading of a LAN.txt to work properly.6. we'll be able to handle what the authors of netfilter themself call "criminally braindead ISPs or servers" in the kernel configuration help. CONFIG_IP_NF_COMPAT_IPFWADM . http://people.firewall. This may be for various reasons such as the patch not being stable yet. but has not quite made it in yet.This adds the LOG target to iptables and the functionality of it.4 kernels since it may well be gone with kernel 2. ssh works but scp dies after handshake.firewall. We can then use the TCPMSS target to overcome this by clamping our MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit). small mails getting through while larger mails don't get through. there is a heap of options. etcetera.Compatibility mode with old ipfwadm. to Linus Torvalds being unable to keep up or not wanting to let the patch in to the mainstream kernel yet since it is still experimental. These functions should be added in the future. If you need help with the options that the other scripts needs.Iptables Tutorial 1. This way. masquerading etc. in it's different forms. If you would like to get a look at more options. if we use DHCP. look at the example firewall scripts section.This module adds the MASQUERADE target.

html 21:25:51 10/06/2002 . For now.org/andreasson/iptables-tutorial/iptables-tutorial.bz2.3/INSTALL file which contains pretty good information on compiling and getting the program to run.txt script. Here.unix-fu. http://people. which should do pretty much the same as the first command.2.9 kernel.(this can also be accomplished with the tar -xjvf iptables-1.3 package and a vanilla 2. using bzip2 -cd iptables-1. In the other example scripts I will explain what requirements they have in their respective section.4. in Red Hat 7.1 it is disabled per default.firewall.9 Página 9 CONFIG_PACKET CONFIG_NETFILTER CONFIG_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE The above will be required at the very least for the rc.tar. We will check closer on how to enable it on this. this may not work with older versions of tar).Iptables Tutorial 1. one of these are Red Hat 7. we have used the iptables 1.tar.2. lets try to stay focused on the main script which you should be studying now. Unpack as usual.2.bz2 | tar -xvf . and other distributions further on in this chapter Compiling the userland applications First of all unpack the iptables package.3.3.2. However. Certain distributions comes with the iptables package preinstalled. For more information read the iptables-1. let's look at how we compile the iptables package. Hopefully the package should now be unpacked properly into a directory named iptables-1.1. This compilation goes quite a lot hand in hand with the kernel configuration and compilation so you are aware of this.2.3. userland setup First of all. However.1.

unix-fu. Don't forget to configure the kernel again since the new patches probably are not added to the configured options and so on. You may totally ignore the above steps if you don't want to patch your kernel. However. there is the option to install extra modules and options etcetera to the kernel. This only asks about certain patches that are just about to enter the kernel anyways. Normally this should be /usr/src/linux/ but this may vary. Note that we say ask.org/andreasson/iptables-tutorial/iptables-tutorial. you may either compile a new kernel making use of the new patches that you have added to the source. but is a bit further away from actually getting there.html 21:25:51 10/06/2002 . though.The step described here will only check patches that are pending for inclusion to the kernel. and most probably you will know yourself where the kernel source is available. http://people.9 Página 10 After this. Some patches will destroy other patches while others may destroy your kernel if used together with some patches from patch-o-matic etc. there are some really interesting things in the patch-o-matic that you may want to look at so there's nothing bad in just running the commands and see what they contain. They ask you before anything is changed in the kernel source. To be able to install all of the patch-o-matic stuff you will need to run the following command: make patch-o-matic KERNEL_DIR=/usr/src/linux/ Don't forget to read the help for each patch thoroughly before doing anything. There might be more patches and additions that the developers of netfilter are about to add to the kernel. which may only be available when you do some other steps. You may wait with the kernel compilation until after the compilation of the userland program iptables if you feel like it. there are some even more experimental patches further along. After this you are finished doing the patch-o-matic parts of installation. it is in other words not necessary to do the above. To do this step we do something like this from the root of the iptables package: make pending-patches KERNEL_DIR=/usr/src/linux/ The variable KERNEL_DIR should point to the actual place that your kernel source is located at.1. However.Iptables Tutorial 1. Some of these are highly experimental and may not be a very good idea to install. but still skip the most extreme patches that might cause havoc in your kernel. because that's what these commands actually do. there are heaps of extremely interesting matches and targets in this installation step so don't be afraid of at least looking at them. One way to install these are by doing the following: make most-of-pom KERNEL_DIR=/usr/src/linux/ The above command would ask about installing parts of what in netfilter world is called patch-omatic.

org/andreasson/iptables-tutorial/iptables-tutorial. if not. you would issue the following command to install them: make install KERNEL_DIR=/usr/src/linux/ Hopefully everything should work in the program now. or possibly try the netfilter mailing list who might help you with your problems. We would then issue http://people. To do this.1 Red Hat 7. So. Now the service won't be started in the future. However. First of all you will need to turn off the ipchains modules so it won't start in the future. There is a few things that might go wrong with the installation of iptables so don't panic if it won't work. By changing this to K we tell it to Kill the service instead.1 installation today comes with an utterly old version of the userspace applications so you might want to compile a new version of the applications as well as install a new and homecompiled kernel before fully exploiting iptables. To compile iptables you issue a simple command that looks like this: make KERNEL_DIR=/usr/src/linux/ The userland application should now compile properly. however.9 Página 11 Continue by compiling the iptables userland application.d/ directory-structure.unix-fu. The first letter which per default would be S tells the initscripts to start the script. It also contains all the basic userland programs and configuration files that is needed to run it. you're ready to install the binaries by now.html 21:25:51 10/06/2002 . The following command should do it: chkconfig --level 0123456 ipchains off By doing this we move all the soft links that points to the real script to K92ipchains. For more information about installing the userland applications from source. you will need to change some filenames in the /etc/rc.1 comes preinstalled with a 2. they have disabled the whole thing by using the backwards compatible ipchains module. check the INSTALL file in the source which contains excellent information on the subject of installation. or to not run it if it was not previously started. Installation on Red Hat 7.1. Annoying to say the least.Iptables Tutorial 1. To use any of the changes in the iptables userland applications you should definitely recompile and reinstall your kernel by now if you haven't done so before. If everything has worked smoothly.x kernel that has netfilter and iptables compiled in.4. to stop the service from actually running right now we need to run another command. try to think logically about it and find out what's wrong or get someone to help you. let's take a brief look at how to turn the module off and how to install iptables instead. and a lot of people are asking different mailing lists why iptables don't work. you're on your own. To do this. The default Red Hat 7. This is the service command which can be used to work on currently running services.

html 21:25:51 10/06/2002 . the normal runlevel to run in. To add rules that should be run when the computer starts the service. 5. It may also be erased by updating from the iptables RPM package. However. Level 4 should be unused. you add them under the start) section. ie. there is no rules in the iptables script. for example.9 Página 12 the following command to stop the ipchains service: service ipchains stop Finally. To make iptables run in these runlevels we would do the following commands: chkconfig --level 235 iptables on The above commands would in other words make the iptables service run in runlevel 2.d scripts. The second way of doing the set up would require the following steps to be taken. To add rules to an Red Hat 7. and level 6 is for shutting the computer down. These runlevels are used for the following things: 2.d script to restore the ruleset in the future. X11. This file is automatically used by the iptables rc. Note. such as iptables-save > /etc/ sysconfig/iptables which would save the ruleset to the file /etc/sysconfig/iptables. To activate the iptables service. make and write a ruleset in a file. we need to know which runlevels we want it to run in. don't forget to edit a the stop) section either which tells the script what to do when the computer is going down for example.Iptables Tutorial 1.1 box. or in the start() function. The other way to save the script would be to use service iptables save which would save the script http://people. 3. First of all. you chould edit the /etc/rc. use the iptables-save command. When you find a set up that works without problems or bugs as you can see.1. This is used if you automatically boot into Xwindows. First of all. You could either use it normally. The other way would be to load the ruleset and then save them with the iptables-save command and then have it loaded automatically by the rc.d/iptables script. First we will describe the possibility of doing the set up by cut and paste to the iptables init.d/init. ie. 3 and 5.unix-fu.d script. if you add the rules under the start) section don't forget to stop the start() function from running in the start) section. This would have the bad effect that the rules would be deleted if you updated the iptables package by RPM. we just run the following command: service iptables start Of course. Level 1 is for single user mode. that will meet your requirements. Note that this set up may be automatically erased if you have. Full multiuser mode. or directly with iptables.org/andreasson/iptables-tutorial/iptables-tutorial. Also. when you need to fix a screwed up box. If you'd like the iptables service to run in some other runlevel you would have to issue the same command in those. First of all. and don't forget to experiment a bit. don't forget to check out the restart section and condrestart. Multiuser without NFS or the same as 3 if there is no networking. none of the other runlevels should be used. Red Hat Network automatically updating your packages. Normally this would be in runlevel 2. there is two common ways. Also. so you should not really need to activate it for those runlevels. or when we are entering a runlevel that don't require iptables to run. 3 and 5. to start the iptables service.

When you reboot the computer in the future. if you read someone elses script you'll most likely recognise the way of writing a rule and understand it quickly. we have used this way of writing rules since it is the most usual way of writing them. the iptables rc.1. are met. It's not unusual that the new and the old package get's mixed up since the rpm based installation installs the package in non-standard places and won't get overwritten by the installation for the new iptables package. or matches. you would do this normally to get a better readability. This step is only necessary if you will install iptables from the source package. new subchains). To do the deinstallation.html 21:25:51 10/06/2002 .Iptables Tutorial 1. Normally we would write a rule something like this: iptables [-t table] command [match] [target/jump] There is nothing that says that the target instruction must be last in the line. instruction. Do not intermix this and the previous set up instruction since they may heavily damage eachother and render each and one useless. why keep ipchains lying around when it is of no use? That is done the same way as with the old iptables binaries. however. Hence.9 Página 13 automatically to this file.org/andreasson/iptables-tutorial/iptables-tutorial. If all the criterias. A rule could be described as the pure rules the firewall will follow when blocking different connections and packets in each chain. How a rule is built This chapter will discuss in legth how to build your rules. we perform the target. libraries or include files etc should be lying around any more. or jump.d script will use the command iptables-restore to restore the ruleset from the save-file /etc/sysconfig/ iptables. Each line you write that's inserted to a chain should be considered a rule. We do this since we don't want the system to mix up the new iptables userland application with the old preinstalled iptables applications. http://people. Also. do as follows: rpm -e iptables And of course. When all of these steps are finished we can deinstall the currently installed ipchains and iptables packages. etc: rpm -e ipchains After all this is done you are finished to update the iptables package from source according to the source installation instructions. We will also discuss the basic matches that str available and how to use them as well as the different targets and how we can make new targets to use (ie.unix-fu. None of the old binaries. Basics As we've already explained each rule is a line that the kernel looks at to find out what to do with a packet.

The following options are available to the -t command: Table 1. Per default. As with the rest of the content in this section. however. which must be part of this table. We could specify what IP address the packet must come from. or to delete a rule.unix-fu. Tables The -t option specifies which table to use. We will enter this a bit further on. on the firewall) before they get to the routing decision. you could insert the table specification where [table] is specified. it is more or less standard to put the table specification at the beginning of the commandline. as we will discuss more in length further on. The match is the part which we send to the kernel that says what a packet must look like to be matched. or we could tell kernel to send a specified reply to be sent back.org/andreasson/iptables-tutorial/iptables-tutorial. the command should always be first.1. We could tell the kernel to drop this packet dead and do no further processing. it is not necessary to specify it explicitly all the time since iptables per default uses the filter table to implement your commands on. This tells the iptables command what to do. Packets in a stream only traverse this table once. Finally we have the target of the packet. There is a heap of different matches that we can use that we will look closer at further on in this chapter. the filter table is used. One thing to think about though. The first packet of a stream is allowed. Tables Table nat Explanation The nat table is used mainly for Network Address Translation. either. This is one reason why you should not do any filtering in this table. The rest of the packets in the stream will in other words not go through this table again. It is not required to put the table specification at this location. Note that OUTPUT is currently broken. but instead they will automatically have the same actions taken to them as the first packet in the stream.html 21:25:51 10/06/2002 . in case they are supposed to have those actions taken on them. or which network interface the packet must come from etc. we presume. we'll look closer at them further on in the chapter. We use this first variable to tell the program what to do. We could tell the kernel to send the packet to another chain that we create ourself. Finally we have the POSTROUTING chain which is used to alter packets just as they are about to leave the firewall.9 Página 14 If you want to use another table than the standard table. It could be set pretty much anywhere in the rule. or directly after the table specification. The PREROUTING chain is used to alter packets as soon as they get in to the firewall. If all the matches are met for a packet we tell the kernel to perform this action on the packet. The rest of the packets in the same stream are automatically NAT'ed or Masqueraded etc. The OUTPUT chain is used for altering locally generated packets (ie.Iptables Tutorial 1. However. for example to insert a rule or to add a rule to the end of the chain. http://people.

html 21:25:51 10/06/2002 . The table consists of two built in chains.unix-fu. There are three chain built in to this table.Iptables Tutorial 1. If you do not understand their usage you may well fall into a pit once someone finds the hole you have unknowingly placed in the firewall yourself. Note that mangle can not be used for any kind of Network Address Translation or Masquerading. --append iptables -A INPUT .. The first one is named FORWARD and is used on all non-locally generated packets that are not destined for our localhost (the firewall. LOG. and you should know what to use each chain for. Examples of this would be to change the TTL. The command tells iptables what to do with the rest of the commandline that we send to the program. INPUT is used on all packets that are destined for our local host (the firewall) and OUTPUT is finally used for all locally generated packets. Normally we want to either add or delete something to some table or another. ACCEPT or REJECT packets without problems as in the other tables. They should be used for totally different things. TOS or MARK. This command appends the rule to the end of the chain. For example. The rule will will in other words always be put last in the ruleset in comparison to previously added rules. the PREROUTING and OUTPUT chains. OUTPUT is used for changing and altering locally generated packets before they enter the routing decision. Note that the MARK is not really a change to the packet. but a mark for the packet is set in kernelspace which other rules or programs might use further on in the firewall to filter or do advanced routing on with tc as an example. and hence be checked last. http://people. We could change different packets and how their headers look among other things. PREROUTING is used for altering packets just as they enter the firewall and before they hit the routing decision.9 Página 15 mangle This table is used mainly for mangling packets. The following commands are available to iptables: Table 2. Commands Command Example Explanation -A. we could DROP. We will discuss the tables and chains more in the Traversing of tables and chains chapter. Commands In this section we will bring up all the different commands and what can be done with them. unless you append or insert more rules later on. The filter table should be used for filtering packets generally.org/andreasson/iptables-tutorial/iptables-tutorial. in other words).1. filter The listing above has hopefully explained the basics about the three different tables that are available. the nat table was made for these kinds of operations..

The exact output is affected by other options sent to the program. -I. etcetera. --list iptables -L INPUT This command lists all the entries in the specified chain. use the -Z option. -L. If -L and -Z is used together (which is legal).unix-fu.html 21:25:51 10/06/2002 . --flush iptables -F INPUT This command flushes the specified chain from all rules and is equivalent to deleting each rule one by one but is quite a bit faster.9 Página 16 -D. it will replace it with a new entry. they must match totally to the entry in the chain. -N. The command can be used without options.0. If you use the first way of deleting rules. and then the packet counters are zeroised. --zero iptables -Z INPUT This command tells the program to zero all counters in a specific chain or in all chains. we would list all the entries in the INPUT chain. see the Tables section). and hence it would be the absolutely first rule in the chain from now on. If you use the second way. the chains will first be listed. the above example would be inserted at place 1 in the INPUT chain.168. but instead of totally deleting the entry. In the last case.Iptables Tutorial 1.1 -j DROP This command replaces the old entry at the specified line. In the above case. the command would list all the chains in the specified table (To specify a table. In other words. -F. The rule is inserted at the actual number that we give. and will then delete all rules in all chains within the specified table. --delete iptables -D INPUT --dport 80 -j DROP. This option works the same as -L except that -Z won't list the rules. -Z. This could be done in two ways. If you have used the -v option with the -L command. iptables -D INPUT 1 This command deletes a rule in a chain. -R. you have probably seen the packet counter in the beginning of each field. --new-chain iptables -N allowed http://people. either by specifying a rule to match with the -D option (as in the first example) or by specifying the rule number that we want to match. for example the -n and -v options.org/andreasson/iptables-tutorial/iptables-tutorial. --insert iptables -I INPUT 1 --dport 80 -j ACCEPT Insert a rule somewhere in a chain. --replace iptables -R INPUT 1 -s 192. It's also legal to not specify any chain at all. the rules are numbered from the top of each chain. It works in the same way as the --delete command.1. This might be good while experimenting with iptables mainly. To zero this packet counter. and the top rule is number 1.

in other words. Table 3. Note that this will not affect the actual way the table will work. These counters uses the K (x1000). -P. In other words.1. As usual.9 Página 17 This command tells the kernel to create a new chain by the specified name in the specified table. A command should always be specified. unless you just want to list the built-in help for iptables or get the version of the command. in other words. In the above example we create a chain called allowed. M (x1. all chains that are not built in will be deleted from the specified table.org/andreasson/iptables-tutorial/iptables-tutorial. you would have to replace or delete all rules referring to the chain before actually deleting the chain. Note that we tell you with which commands the options can be used and what effect they will have. on a chain. --replace This command shows a verbose output and is mainly used together with the --list command. The --list command will also include a bytes and packet counter for each rule if the --verbose option is set. change the name of the chain from allowed to disallowed. just a cosmetic change to the table.000. The matches and targets are instead looked upon in a later section of this chapter.000. Here comes a few options that can be used together with a few different commands. ACCEPT and REJECT (There might be more. Also note that we do not tell you any options here that is only used to affect rules and matches. --verbose --list. -X. If used together with the --list command it makes the output from the command include the interface address. or policy. Legal targets are: DROP. It is. to the second name. Options Option Commands used with Explanation -v. In the example above we would.000. mail me if so) -E. --policy iptables -P INPUT DROP This command tells the kernel to set a specified default target. --delete-chain iptables -X allowed This command deletes the specified chain from the table. use the -v option and to get the help message. To overcome this and to get exact output.unix-fu. in other words.000) multipliers. use the -h option. --append. For this command to work. To get the version. there must be no rules that are referring to the chain that is to be deleted.Iptables Tutorial 1. All packets that don't match any rule will then be forced to use the policy of the chain. Note that there must be no target of the same name previously to creating it. you http://people. --rename-chain iptables -E allowed disallowed The -E command tells iptables to rename the first name of a chain.html 21:25:51 10/06/2002 . --delete. If this command is used without any options. --insert. rule options and TOS masks.000) and G (x1.

Each rule is numbered together with this option and it might be easier to know which rule has which number when you're going to insert rules. We can then use the option to initialize the packets and bytes counters of the rule. -n. --modprobe All The --modprobe option is used to tell iptables which command to use when probing for modules to the kernel.org/andreasson/iptables-tutorial/iptables-tutorial. If this option is used with the --append. Matches This section will talk a bit more about the matches. -x. I've chosen to split down the matches into five different subcategories here. --exact --list This option expands the numerics.9 Página 18 could use the -x option described later. network names or application names. Note that this option is only usable in the -list command and isn't really relevant for any of the other commands. This option overrides the default of resolving all numerics to hosts and names if possible. First of all we have the generic matches which are generic and can be used in all rules.1. It could be used if your modprobe command is not somewhere in the searchpath etc. --replace This option is used when creating a rule in some way or modifying it. In such cases it might be necessary to specify this option so the program knows what to do in case a needed module is not loaded. This option is only applicable to the --list command.Iptables Tutorial 1. --insert.html 21:25:51 10/06/2002 . -c. --delete or --replace commands. The syntax would be something like --setcounters 20 4000. which would tell the kernel to set the packet counter to 20 and byte counter to 4000. --append. --line-numbers --list The --line-numbers command is used to output line numbers together with the --list command. Then we have the TCP matches which can only be applied to TCP packets. We have UDP matches which can only be applied to UDP packets and ICMP matches which can only be http://people. --numeric --list This option tells iptables to output numerical values.unix-fu. --set-counters --insert. the program will output detailed information on what happens to the rules and if it was inserted correctly etcetera. This option only works with the --list command. Instead we will get an exact output of how many packets and bytes that has matched the rule in question from the packets and bytes counters. This option can be used with all commands. The output from --list will in other words not contain the K. M or G multipliers. IP addresses and port numbers will be printed by using their numerical values and not hostnames.

1.tcp which would match all UDP and TCP packets.255. such as 255 which would mean the RAW IP protocol.168. Examples of protocols are TCP. Finally. if we want to use an TCP match.1. The protocol may also take a numeric value. I have also added the -protocol match here.9 Página 19 used on ICMP packets. If we would in other words use a match in the form of --source ! http://people. These final matches has in turn been split down to even more subcategories even though they might not necessarily be different matches at all. It could be used with a netmask in a bits form.0. so --protocol ! tcp would mean to match the ICMP and UDP protocols. we need to use the --protocol match and send TCP as an option to the match.168.1 This is the source match which is used to match packets based on their source IP address. Finally we have special matches such as the state. and the other way is to only specify the number of ones (1's) on the left side of the network mask.0. Generic matches This section will deal with Generic matches.Iptables Tutorial 1. such as our local networks or network segments behind the firewall.255. The line would then look something like. Table 4. 192. One way is to do it with an regular netmask in the 255. We could then match whole IP ranges. The command may also take a comma delimited list of protocols.0/255. This match can also be inversed with the ! sign. First of all the protocol match can take one of the three aforementioned protocols. since it can be used to match specific protocols. --src. However. This list can vary a bit at the same time since it uses the /etc/protocols if it can not recognise the protocol itself.0.255 form (ie. We could also inverse the match with an ! just as before. The main form can be used to match single IP addresses such as 192. This would match all packets in the 192. Generic matches Command Example Explanation -p. for example. UDP and ICMP.unix-fu.168. the program knows about all the protocols in the /etc/protocols file as we already explained. too.168. A generic match is a kind of match that is always available whatever kind of protocol we are working on or whatever match extensions we have loaded. --protocol iptables -A INPUT -p tcp This match is used to check for certain protocols. such as udp. which means to match all of the previous protocols. The following matches are always available.org/andreasson/iptables-tutorial/iptables-tutorial. If this match is given the numeric value of zero (0).0 netmask.255.255. I hope this is a reasonable breakdown and that all people out there can understand this breakdown.255. 192. owner and limit matches and so on. No special parameters are in other words needed to load these matches at all. --protocol is in itself a match. as well as ALL.0/24.168. even though it is needed to use some protocol specific matches.1.html 21:25:51 10/06/2002 . -s. --source iptables -A INPUT -s 192.x range.0). For example. it means ALL protocols. which in turn is the default behaviour in case the --protocol match is not used.255.1. This means that we could for example add /24 to use a 255.

To inverse the meaning of the match. The default is to match all IP addresses.168. Such fragments of packets will not be matched by other rules when they look like this.0/24 and both would be equivalent to each other.1 The --destination match is used to match packets based on their destination address or addresses. --out-interface iptables -A FORWARD -o eth0 The --out-interface match is used to match packets depending on which interface they are leaving on. or in the number of ones (1's) counted from the left side of the netmask bits. Note that this option is only legal in the INPUT.1. -d. third.0. The line would then have a syntax looking something like -i ! eth0. and so on. Of course. Other than this.168.255. except that it matches based on where the packets are going. FORWARD and POSTROUTING chains.html 21:25:51 10/06/2002 . --in-interface iptables -A INPUT -i eth0 This match is used to match based on which interface the packet came in on.168.0/255. This option can also be used in conjunction with the ! sign. -f. it works pretty much the same as the --in-interface match. nor ICMP types. we match all head fragments and/or unfragmented packets. -i. in case the match is not specified. Also. The + value is used to match a string of letters and numbers.1. It would then look like either 192. --dst.1 IP address. and eth+ would in other words match all ethernet devices. --destination ! 192.0. http://people. The default behaviour of this match. We could also invert the whole match with an ! sign. --fragment iptables -A INPUT -f This match is used to match the second and third part of a fragmented packet. is to assume a string value of +.Iptables Tutorial 1. however. We also match all packets that has not been fragmented during the transfer. there is no way to tell the source or destination ports of the fragments. fragmented packets might in rather special cases be used to compile attacks against computers. FORWARD and PREROUTING chains and will render an error message when used anywhere else.0.1 would in other words match all packets except those not destined to the 192. It works pretty much the same as the --source match and has the same syntax. --destination iptables -A INPUT -d 192.168. Note that this match is only available in the OUTPUT. which would mean to match all incoming interfaces.168.unix-fu. just as before. we can add a netmask either in the exact netmask form.0. When this match is inversed. among other things. except eth0.org/andreasson/iptables-tutorial/iptables-tutorial. in opposite of the --in-interface match.0 or like 192. and not the second. To match an IP range.x range. fragments. -o. you can use the ! sign in exactly the same sense as in the --in-interface match. regardless of where the packet is going.0. the default behaviour if this match is left out is to match all devices.168. We can also invert the meaning of this option with the help of the ! sign.255.168. The + extension is understood so you can match all eth devices with eth+ and so on. What this means is that we match all the first fragments of a fragmented packets. A single + would in other words tell the kernel to match all packets without considering which interface it came in on. The reason for this is that in the case of fragmented packets. in this case the ! sign must precede the match. like this ! -f.9 Página 20 192. and hence this match was created.0. The + string can also be used at the end of an interface.0/24 we would match all packets with a source address not coming from within the 192.

Implicit matches are loaded automatically when we tell iptables that this rule will match for example TCP packets with the -protocol match. This match can either take a service name or a port number. And if the last port specification is omitted. TCP matches These matches are protocol specific and are only available when working with TCP packets and streams.html 21:25:51 10/06/2002 . UDP matches and ICMP matches. This example would match all source ports between 22 and 80. the service name must be in the /etc/services file since iptables uses this file to look up the service name in. --source-port :80 would then match port 0 through 80. If we omit the first port specification. These are TCP matches. If you are writing a ruleset consisting of a 200 rules or more. Note that the --protocol tcp match must be to the left of the protocol specific matches. To use these matches you need to specify --protocol tcp on the command line before trying to use these matches. TCP matches Match Example Explanation --sport.1. If we would write --source-port 22: we would in turn get a port specification that tells us to match all ports from http://people.9 Página 21 Also note that there are defragmentation options within the kernel that can be used which are really good.Iptables Tutorial 1. this could make as much as 10 seconds if you are running a large ruleset consisting of 1000 rules or so). Table 5. the entry of the rule will be slightly faster since iptables don't have to check up the service name.unix-fu. There are currently three types of implicit matches that are loaded automatically for three different protocols. Implicit matches This section will describe the matches that are loaded implicitly. port 65535 is assumed. however. in case you use connection tracking you will not see any defragmented packets since they are dealt with before hitting any chain or table in iptables. The TCP based matches contain a set of different matches that are available for only TCP packets. If you specify a service name. after the TCP match section. These matches are loaded implicitly in a sense. it could be a little bit harder to read in case you specify the numeric value. The --source-port match can also be used to match a whole range of ports in this fashion --source-port 22:80 for example. --source-port iptables -A INPUT -p tcp --sport 22 The --source-port match is used to match packets based on their source port. just as the UDP and ICMP matches are loaded implicitly. the port 0 is assumed to be the one we mean. If you specify the port by port number. As a secondary note. you should definitely do this by port numbers since you will be able to notice the difference(On a slow box. The other matches will be looked over in the continuation of this section. and the same thing for ICMP packets. and UDP based matches contain another set of matches that are available only for UDP packets.org/andreasson/iptables-tutorial/iptables-tutorial. There is also explicitly loaded matches that you must load explicitly with the m or --match option which we will go through later on in the next section.

For more information about this.Iptables Tutorial 1.html 21:25:51 10/06/2002 .ACK. --tcp-flags iptables -p tcp --tcp-flags SYN. It does also reverse high and low ports in a port range specification if the high port went into the first spot and the low port into the last spot.FIN SYN match. --syn iptables -p tcp --syn The --syn match is more or less an old relic from the ipchains days and is still there out of compatibility reasons. it would be understood just the same as --sourceport 22:80. iptables automatically reverses the inversion. FIN.FIN SYN This match is used to match depending on the TCP flags in a packet. It understands port and port range specifications. Also note that the comma delimitation should not include spaces. First of all the match takes a list of flags to compare (a mask) and second it takes list of flags that should be set to 1. RST. however. URG. PSH flags but it also recognizes the words ALL and NONE. If a source port definition looked like --source-port 80:22. This would tell the match to match all packet with the FIN or the ACK bits set. ! --syn. This command would in other words be exactly the same as the --tcp-flags SYN. you should have effectively blocked all incoming connection attempts. and for ease of traversing from one to the other.ACK. you will not have blocked the outgoing connections which a lot of exploits today uses (for example. look at the multiport match extension. The match knows about the SYN. The inversion could also be used together with a port range and would then look like --source-port ! 22:80. ALL and NONE is pretty much self describing. http://people. If you block these packets.org/andreasson/iptables-tutorial/iptables-tutorial. Note that this match does not handle multiple separated ports and port ranges. in other words packets in an already established connection. Note that this match does not handle multiple separated ports and port ranges. ACK. In other words. The match will also assume the values of 0 or 65535 if the high or low port is left out in a port range specification. look at the multiport match extension. If we inversed the port specification in the port range so the highest port would be first and the lowest would be last.9 Página 22 port 22 through port 65535. as well as inversions. This match is used to match packets if they have the SYN bit set and the ACK and FIN bits unset. --dport. Such packets are used to request new TCP connections from a server mainly. or turned on. For more information about this. It uses exactly the same syntax as the --source-port match. This option can also be inverted with the ! sign. We could also invert a match by adding a ! sign like --source-port ! 22 which would mean that we want to match all ports but port 22. -tcp-flags ALL NONE would in other words mean to check all of the TCP flags and match if none of the flags are set.1. The correct syntax could be seen in the example above. This match can also be inverted with the ! sign in this. exactly the same as --source-port in syntax. which in turn would mean that we want to match all ports but port 22 through 80. --destination-port iptables -A INPUT -p tcp --dport 22 This match is used to match TCP packets depending on its destination port. --tcp-option iptables -p tcp --tcp-option 16 This match is used to match packets depending on their TCP options. Both lists should be comma-delimited. ALL means to use all flags and NONE means to use no flags for the option it is set. way.unix-fu. hack a legit service and then make a program or such make the connect to you instead of setting up an open port on your host).

they automatically switch place so the low port winds up before the high port. This would match all ports but port 80. To make a UDP port range you could do 22:80 which would match UDP ports 22 through 80. If the high port comes before the low port. it is exactly the same as the equivalent TCP match. If the first port is omitted. the ports switch place with eachother automatically. If the last port is omitted.9 Página 23 UDP matches This section describes matches that will only work together with UDP packets. If the first value is omitted. Note that the state machine will work on all kinds of packets even though UDP or ICMP packets are counted as connectionless protocols. To match a single port we do --destination-port 53. For more information about this. If they are lost. to invert this we could do --destination-port ! 53. This means that there is quite a lot less matches to work with on a UDP packet than there is on TCP packets. There will be more about the state machine in a future chapter. Note that UDP packets are not connection oriented. If the second port is omitted.html 21:25:51 10/06/2002 . The match is used to match packets based on their UDP destination port. The match handles port ranges. It has support for port ranges. --source-port iptables -A INPUT -p udp --sport 53 This match works exactly the same as its TCP counterpart. For more http://people.Iptables Tutorial 1. but will work with UDP packets instead.org/andreasson/iptables-tutorial/iptables-tutorial. UDP packets do not require any kind of acknowledgement either. such as open or closing a connection. single ports and port inversions with the same syntax. and hence there is no such thing as different flags to set in the packet to give data on what the datagram is supposed to do. Note that this match does not handle multiple ports and port ranges. If the high port is placed before the low port. It is used to perform matches on packets based on their source UDP ports. To invert the port match.1. Of course. or if they are just simply supposed to send data. port 65535 is assumed. --destination-port iptables -A INPUT -p udp --dport 53 The same goes for this match as for the UDP version of --source-port. To specify a port range. they are simply lost (Not taking ICMP error messaging etcetera into account).unix-fu. Single UDP port matches look as in the example above. The state machine works pretty much the same on UDP packets as on TCP packets. look at the multiport match extension. These matches are implicitly loaded when you specify the --protocol UDP match and will be available after this specification. --dport. add a ! sign in this. single ports and inversions. port 65535 is assumed. UDP matches Match Example Explanation --sport. --source-port ! 53 fashion. The first would match all UDP packets going to port 53 while the second would match packets but those going to the destination port 53. This example would match all packets destined for UDP port 22 through 80. Table 6. port 0 is assumed. the match can understand service names as long as they are available in the /etc/services file. Note that this match does not handle multiple separated ports and port ranges. port 0 is assumed. we would do --destination-port 22:80 for example.

For a complete listing of ICMP types. look at the multiport match extension. we would get an ICMP host unreachable in return.9 Página 24 information about this. among other things. One example is if we try to access an unaccessible IP adress. There is only one ICMP specific match available for ICMP packets. for example. match TCP packets. If we would like to use the state matches for example. ICMP types can be specified either by their numeric values or by their names. Note that some ICMP types are obsolete. ICMP matches These are the ICMP matches. http://people.1. This match is implicitly loaded when we use the --protocol ICMP match and we get access to it automatically. The difference between implicitly loaded matches and explicitly loaded ones is that the implicitly loaded matches will automatically be loaded when you. Table 7. or was created for testing/experimental use or plainly to show examples of what could be accomplished with iptables. but more of a protocol beside the IP protocol that helps handling errors.unix-fu. however. see the ICMP types appendix. This match can also be inverted with the ! sign in this. Explicit matches Explicit matches are matches that must be specifically loaded with the -m or --match option. These packets are even worse than UDP packets in the sense that they are connectionless. The ICMP protocol is mainly used for error reporting and for connection controlling and such features. or check the ICMP types appendix. To find a complete listing of the ICMP name values. redirect packets to the wrong places. The main feature of this protocol is the type header which tells us what the packet is to do. do a iptables --protocol icmp --help. --icmp-type ! 8. Note that all the generic matches can also be used. The headers of a ICMP packet are very similar to those of the IP headers. we would have to write -m state to the left of the actual match using the state matches. and others again may be "dangerous" for a simple host since they may.html 21:25:51 10/06/2002 . fashion.org/andreasson/iptables-tutorial/iptables-tutorial. but contains differences. and hopefully this should suffice. ICMP is not a protocol subordinated to the IP protocol. Some of these matches may be specific to some protocols. so we can know source and destination adress too. they should mostly be useful since it all depends on your imagination and your needs. among other things. ICMP matches Match Example Explanation --icmp-type iptables -A INPUT -p icmp --icmp-type 8 This match is used to specify the ICMP type to match. This in turn means that all these matches may not always be useful.Iptables Tutorial 1. Numerical values are specified in RFC 792. while explicitly loaded matches will not be loaded automatically in any case and it is up to you to activate them before using them.

For example. it would then look like -m ! limit.html 21:25:51 10/06/2002 . FORWARD and INPUT chains and nowhere else. you could use this to match all packets that goes over the edge of a certain chain.1. or 3/hour. and get limited logging of this. This means that all packets will be matched after they have broken the limit. The default value here is 3 per hour. What this means. of course. This is its main usage. is that when we add this match we limit how many times a certain rule may be matched in a certain timeframe. This would in other words reverse the meaning of the match so all packets except packets from this MAC address would be matched. Note that since MAC addresses are only used on ethernet type networks. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01. Limit match options Match Example Explanation --limit iptables -A INPUT -m limit --limit 3/hour This sets the maximum average matching rate of the limit match. This tells the limit match how many times to let this match run per timeunit (ie /minute). The limit match may also be inversed by adding a ! flag in front of the limit match explicit loading.unix-fu. but there are more usages. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX. else it will not be legal. --limit-burst http://people. This match is excellent to use to do limited logging of specific rules etcetera. This match is specified with a number and an optional time specifier.9 Página 25 MAC match Table 8.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. Limit match The limit match extension must be loaded explicitly with the -m limit option. Table 9. MAC match options Match Example Explanation --mac-source iptables -A INPUT --mac-source 00:00:00:00:00:01 This match is used to match packets based on their MAC source address. This match is also only valid in the PREROUTING. this match will only be possible to use on ethernet based networks. The following time specifiers are currently recognised: / second /minute /hour /day.

which would sometimes mean you would have to make several rules looking exactly the same just to match different ports. Multiport match The multiport match extension can be used to specify more destination ports and port ranges than one. --destination-port iptables -A INPUT -p tcp -m multiport --destination-port 22.Iptables Tutorial 1.80. as you can see in the example.53. A mark is a special field only maintained within the kernel that is associated with the packets as they travel through http://people.1.53. It tells iptables the maximum initial number of packets to match. Note that this means that it will only match packets that comes from.9 Página 26 iptables -A INPUT -m limit --limit-burst 5 This is the setting for the burst limit of the limit match. send me a mail and I'll try to make this more understandable). (If anyone got a good/better and simpler explanation than this. up to this number. Mark match The mark match extension is used to match packets based on the marks they have set. except that it matches destination ports. It works exactly the same way as the source port match mentioned just above.110 This match matches multiple source ports.80. A maximum of 15 separate ports may be specified. This number gets recharged by one every time the limit specified is not reached. --port iptables -A INPUT -p tcp -m multiport --port 22.html 21:25:51 10/06/2002 .unix-fu. Table 10. Multiport match options Match Example Explanation --source-port iptables -A INPUT -p tcp -m multiport --source-port 22.110 This match extension can be used to match packets based both on their destination port and their source port. The ports must be comma delimited. It can only be used in conjunction with -p tcp and -p udp.org/andreasson/iptables-tutorial/iptables-tutorial. It is mainly an enhanced version of the normal -source-port match. It has a maximum specification of 15 ports and may only be used in conjunction with -p tcp and -p udp. port 80 to port 80 and if you have specified port 80 to the --port match. for example. It works the same way as the --source-port and --destination-port matches above. It can take a maximum of 15 ports specified to it in one argument.110 This match is used to match multiple destination ports. This match may only be used in conjunction with the -p tcp or -p udp matches.80.53. The default value is 5.

Mark match options Match Example Explanation --mark iptables -t mangle -A INPUT -m mark --mark 1 This match is used to match packets that have previously been marked. Owner match options Match Example Explanation --uid-owner iptables -A OUTPUT -m owner --uid-owner 500 http://people. Table 11. This match only works within the OUTPUT chain as it looks today. it is logically ANDed with the mark specified before the actual comparison. this is why people still refer to FWMARK in advanced routing areas.org/andreasson/iptables-tutorial/iptables-tutorial. The mark specification would then look like. ICMP responses will. --mark 1/1. Owner match The owner match extension is used to match packets based on who created them. The mark field is an unsigned integer. Notorious packets of that sort is different ICMP responses among other things. or if we where an intermediate hop to the real destination. This was previously done with the FWMARK target in ipchains. If this mark field matches the mark match it is a match.unix-fu. for obvious reasons. All packets traveling through netfilter gets a special mark field associated with them. Table 12. you are probably not going to run into this limit in quite some time. Even within the OUTPUT chain it is not very reliable since certain packets may not have an owner. This extension was originally written as an example on what iptables might be used for. there is only one way of setting a mark in Linux. hence.Iptables Tutorial 1. for example.1. namely the MARK target in iptables.html 21:25:51 10/06/2002 . You may also use a mask with the mark. hence the limit of 65535 possible marks to use within your ruleset. never match. with or without the packet. In other words.9 Página 27 the computer. As of today. It is pretty much impossible to find out any information about who sent a packet on the other end. The mark field is currently set to an unsigned integer. hence there can be a maximum of 65535 different marks. They may be used by different kernel routines for such tasks as traffic shaping and filtering. Note that this mark field does not in any way travel outside. If a mask is specified. the actual computer itself. Marks can be set with the MARK target which we will discuss a bit more later on in the next section.

--pid-owner iptables -A OUTPUT -m owner --pid-owner 78 This match is used to match packets based on their Process ID (PID) and which PID created the packets. This concept will be more deeply introduced in a future chapter since it is such a large area. In all cases.9 Página 28 This packet match will match if the packet was created by the given User ID (UID). State matches Match Example Explanation --state iptables -A INPUT -m state --state RELATED. --sid-owner iptables -A OUTPUT -m owner --sid-owner 100 This match is used to match packets based on their Session ID and the Session ID used by the program in question. or as described above to only allow "httpgroup" to be able to create packets going out on the HTTP port. This allows us to know in what state the connection is. including stateless protocols such as ICMP and UDP. One possible use would be to block any other user than root to open new connections outside your firewall. You will then have access to one new match. please give me a note of it and of other possible uses. Table 13.html 21:25:51 10/06/2002 . State match The state match extension is used in conjunction with the connection tracking code in the kernel and allows access to the connection tracking state of the packets.org/andreasson/iptables-tutorial/iptables-tutorial. or we could write a small script that grabs the PID from a ps output for a specific daemon and then adds a rule for it. I would love to hear what they used it for and how they did it). This means that we match all packets based on what group the user creating the packets are in.1. there will be a default timeout for the connection and it will then be dropped from the connection tracking database.Iptables Tutorial 1. This match needs to be loaded explicitly by adding a -m state statement to the rule.ESTABLISHED http://people. or another possible use could be to block everyone but the httpuser from creating packets from HTTP. but one example would be to only allow PID 94 to send packets on the HTTP port. If anyone have an idea for the usage of this match. This could be used to block all but the users part of the "network" group from getting out onto the internet.unix-fu. and works for pretty much all protocols. --gid-owner iptables -A OUTPUT -m owner --gid-owner 0 This match is used to match all packets based on their Group ID (GID). (If anyone has actually used this match for a production server. This match is a bit harder to use. This could be used to match outgoing packets based on who created them.

Table 14. among other things. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should. while others try their best to do something good with the packets in question and the data they provide. and is located in the IP header.unix-fu. ESTABLISHED.1. INVALID means that the packet is associated with no known stream or connection and that it may contain faulty data or headers. This match is loaded explicitly by adding -m tos to the rule. consists of 8 bits. TOS is normally used to tell intermediate hosts the preceeding of the stream. to mark packets for later usage together with the iproute2 and advanced routing functions in linux. or it needs to be able to send as much payload as possible). such as packets with bad headers or checksums and so on. NEW and RELATED.html 21:25:51 10/06/2002 . RELATED means that the packet is starting a new connection and is associated with an already established connection.org/andreasson/iptables-tutorial/iptables-tutorial. or that it is associated with a connection that has not seen packets in both directions.9 Página 29 This match option tells the state match what states the packets must be in to be matched. TOS stands for Type Of Service. Unclean match The unclean match takes no options and requires no more than explicit loading when you want to use it. however you should be aware that this may break legal connections too. hence. nor will it take care of all unclean packages or problems. This could for example mean an FTP data transfer. Finally. How different routers and people deal with these values depends.Iptables Tutorial 1. and what kind of content it has(not really. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid. INVALID. The match takes an hex or numeric value as an http://people. but it tells us if there is any specific requirements for this stream such as that it needs to be sent as fast as possible. This match tries to match packets which seems malformed or unusual. not be considered very good in cases where we have only one firewall and no load balancing between different firewalls. This could be used to DROP connections and to check for bad streams etcetera. TOS match The TOS match can be used to match packets based on their TOS field. read in the future chapter on the state machine. or an ICMP error associated with an TCP or UDP connection for example. TOS matches Match Example Explanation --tos iptables -A INPUT -p tcp -m tos --tos 0x16 This match is used as described above. There is currently 4 states that can be used. NEW means that the packet has or will start a new connection. there may be times where this could be useful. Note that this option is regarded as experimental and may not work at all times. Most do not care at all. it can match packets based on their TOS field and their value. For more information on how this could be used. This could be used for. However.

If the TTL reaches 0. would be to find hosts with bad TTL values set as default (may be due to badly implemented TCP/IP stack. or possibly one of the names given if you do an iptables -m tos -h.org/andreasson/iptables-tutorial/iptables-tutorial. There is a few basic targets. a standard protocol would be FTP-data. This is true here. This target could be used for debugging your local network. you need to add an -m ttl to the rule. Some good protocols that would use this would be RTSP (Real Time Stream Control Protocol) and other streaming video/radio protocols.Iptables Tutorial 1. TTL match The TTL match is used to match packets based on their TTL (Time To Live) field residing in the IP header. or due to a malconfiguration). example of standard protocols that this includes are telnet. for example hosts which seems to have problems connecting to hosts on the internet. TTL matches Command Example Explanation --ttl iptables -A OUTPUT -m ttl --ttl 60 This match option is used to specify which TTL value to match. it is only your imagination which stops you.9 Página 30 option. Minimize-Delay means to minimize the delay until the packets gets through all the way to the client/server. Normal-Service would finally mean any normal protocol that has no special needs for their transfers. and not to change anything. an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is transmitted to the party sending the packet and telling about the problem. as well as in all kinds of matches. or to find possible infestations of trojans etcetera. Maximize-Reliability means to maximize the reliability of the connection and to use lines that are as reliable as possible. This match is only used to match packets based on their TTL.unix-fu. as described above. One example. and Normal-Service 0 (0x00).1. Maximize-Reliability 4 (0x04). some good protocols that would fit with this TOS values would be BOOTP and TFTP. Minimize-Delay means to minimize the delay for the packets. MinimizeCost 2 (0x02). SSH and FTP-control. however. The TTL field contains 2 bits and is decremented once every time it is processed by an intermediate host between the client and host. It takes an numeric value and matches based on this value. ie find the fastest route. To load this match. Maximize-Throughput means to find a path that allows as big throughput as possible.html 21:25:51 10/06/2002 . the ACCEPT and DROP targets which we will deal with first http://people. Table 15. At the time of writing it contained the following named values: Minimize-Delay 16 (0x10). The usage is pretty much limited. MaximizeThroughput 8 (0x08). Targets/Jumps The target/jumps tells the rule what to do with a packet that is a perfect match with the match section of the rule. There is no inversion and there is no other specifics to this match.

To jump to a specific chain. we specify it like -j ACCEPT. There is nothing special about this target whatsoever. When/If we reach the end of that chain. Targets on the other hand specify an action to take on the packet in question. see the Traversing of tables and chains chapter. may take an action on the packet and then the packet will continue passing through the rest of the rules anyway. DROP or ACCEPT the packet depending on what we want to do. do note that the packet will traverse all other chains in the other tables in a normal fashion. nor any of the calling chains. We could for example. to add options to the target.Iptables Tutorial 1. A packet that matches a rule perfectly and then has this action taken on it will be blocked and no further processing will be done.1. Good examples of such rules are DROP and ACCEPT. some targets will make the packet stop traversing the specific chain and superset chains as described above. The jump specification is done exactly the same as the target definition except that it requires a chain within the same table to jump to. or have the possibility. For example. and it does not require. Rules that are stopped. Some targets will also take options that may be necessary (What address to do NAT to. we get dropped back to the INPUT chain and the packet starts traversing from the rule one step below where it jumped to the other chain (tcp_packets in this case). DROP target The DROP target does just what it says. We could then add a jump target to it like this: iptables -A INPUT -p tcp -j tcp_packets. let us have a brief look at how a jump is done. especially when you want to block certain portscanners from getting to http://people. However. There is also a number of other actions we may want to take which we will describe further on in this section. DNAT and SNAT targets. before we do that. but available in any case (log prefixes. We will try to answer all these questions as we go in the descriptions. it will automatically be ACCEPT'ed in the superset chain also and it will not traverse any of the superset chains any further.html 21:25:51 10/06/2002 . what TOS value to use etcetera) while others have options not necessary. Other targets. a good example of this would be the LOG. Do note. it is required that the chain has already been created.unix-fu. Targets may also end with different results one could say. To use this target. a chain is created with the -N command. A better solution would be to use the REJECT target in those cases. As we have already explained before. it is accepted and will not continue traversing the chain where it was accepted in. Note that this action may be a bit bad in certain cases since it may leave dead sockets around on the server and client. it drops packets dead to the ground and refuses to process them anymore. If a packet is ACCEPT'ed within one of the subchains. Network Address Translationed and then be passed on to the other rules in the same chains. such as both mangling the TTL and the TOS value of a specific packet/stream. masquerade to ports and so on). These packets may be logged. For more information on table and chain traversing. This may be good in cases where we want to take two actions on the same packet. ACCEPT target This target takes no special options first of all.9 Página 31 of all targets. We would then jump from the INPUT chain to the tcp_packets chain and start traversing that chain. will not pass through any of the rules further on in the chain or superset chains. Let us have a look at what kinds of targets there are. When a packet is perfectly matched and this target is set.org/andreasson/iptables-tutorial/iptables-tutorial. let's say we create a chain in the filter table called tcp_packets like this: iptables -N tcp_packets. that packets that was accepted in one chain will still travel through any subsequent chains within the other tables and may be dropped there. However.

such as filtered ports and so on. The LOG target will log specific information such as most of the IP headers and other interesting information via the kernel logging facility. QUEUE target Table 16. If it is a subchain to another chain. It would then be dropped to the default policy as previously described. the packet will not be processed in any of the above chains in the structure either. The target will not send any kind of information in either direction.Iptables Tutorial 1. lets say a packet enters the INPUT chain and then hits a rule that it matches and that gives it --jump EXAMPLE_CHAIN.html 21:25:51 10/06/2002 . The packet will then start traversing the EXAMPLE_CHAIN. LOG target The LOG target is specially made to make it possible to log snippets of information about packets that may be illegal.unix-fu. and all of a sudden it matches a specific rule which has the --jump RETURN target set. and no more actions would be taken in this chain. This information may then be read with dmesg or syslogd and likely programs and applications. which in this case would be the INPUT chain. Also note that if a packet has the DROP action taken on them in a subchain.9 Página 32 much information. Another example would be if the packet hit a --jump RETURN rule in the INPUT chain. either to tell the client or the server as told previously. This is an excellent target to use while you are debugging your rulesets to see what packets go where and what rules are applied on what packets. or for pure bughunting and errorfinding. For example. Also note that the http://people. the packet will continue to travel through the above chains in the structure as if nothing had happened. It will then jump back to the previous chain. QUEUE target Option Example Explanation Option Example Explanation RETURN target The RETURN target will make the current packet stop travelling through the chain where it hit the rule. If the chain is the main chain. The default policy is normally set to ACCEPT or DROP or something the like.org/andreasson/iptables-tutorial/iptables-tutorial. the packet will have the default policy taken on it. Also note that it may be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall since this may otherwise cause severe connectivity problems for your users.1. for example the INPUT chain.

All messages are logged through the kernel facility. alert.conf manpages as well as other HOWTO's etcetera. or by the world for that matter. error. The TCP Sequence number are special numbers that identify each packet and where it fits into a TCP sequence and how the stream should be reassembled. In other words. Note that this option is a security risk if the log is readable by any users. Any log that is. for example. --log-tcp-sequence iptables -A INPUT -p tcp -j LOG --log-tcp-sequence This option will log the TCP Sequence numbers together with the log message.Iptables Tutorial 1.1. The LOG target currently takes five options that may be interesting to use in case you have specific needs for more information.org/andreasson/iptables-tutorial/iptables-tutorial. Note that it is not a iptables or netfilter problem in case you get your logs to the consoles or likely. The prefix may be up to 29 letters long. http://people. Normally there are the following log levels. would make all messages appear in the /var/log/iptables file. --log-prefix iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets" This option tells iptables to prefix all log messages with a specific prefix which may then be very good to use together with. notice. Note that all three of these are deprecated. emerg and panic. Table 17. but instead a problem of your syslogd configuration which you may find in /etc/syslog.conf.conf manual.conf for information about these kind of problems. warn. in other words do not use error. info. For more information on logging I recommend you to read the syslog and syslog. Note that there may be other messages here as well from other parts of the kernel that uses the info priority.html 21:25:51 10/06/2002 . crit. For a complete list of loglevels read the syslog.=info /var/log/iptables in your syslog. including whitespace and those kind of symbols. err. setting kern.conf file and then letting all your LOG messages in iptables use log level info. or priorities as they are normally referred to: debug.unix-fu. warning. Read more in man syslog. which may contain logging messages from iptables. The keyword error is the same as err. warn is the same as warning and panic is the same as emerg. or want to set different options to specific values. LOG target options Option Example Explanation --log-level iptables -A FORWARD -p tcp -j LOG --log-level debug This is the option that we can use to tell iptables and syslog which log level to use. since the ULOG target has support for logging directly to MySQL databases and such. grep and other tools to distinguish specific problems and outputs from specific rules. The priority defines the severity of the message being logged.9 Página 33 ULOG target may be interesting in case you are getting heavy logs. They are all listed below. warn and panic.

org/andreasson/iptables-tutorial/iptables-tutorial. The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc). just as most of the LOG options.Iptables Tutorial 1. For example. The REJECT target is as of today only valid in the INPUT. In other words. check out the LARTC HOWTO. This target is only valid in the mangle table. but instead works on the IP options.html 21:25:51 10/06/2002 . but is an value that is associated within the kernel with the packet. These logging messages may be valuable when trying to debug or finding out specific culprits and what goes wrong. MARK target options Option Example Explanation --set-mark iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2 The --set-mark option is required to set a mark. and will not work outside there. These may be valuable when trying to debug what may go wrong and what has gone wrong. you will be better off with the TOS target which will mangle the TOS value in the IP header.unix-fu. etcetera. limiting or unlimiting their network speed etcetera. Table 18. you may not set a MARK for a package and then expect the MARK to still be there on another computer. The --set-mark match takes an integer value. we may set mark 2 to a specific stream of packets. This option takes no variable fields or anything like that. which would also http://people. Note that the mark value is not set within the actual package. or on all packets from a specific host and then do advanced routing on that host. If this is what you want. MARK target The MARK target is used to set netfilter mark values that are associated with specific packets. REJECT target The REJECT target works basically the same as the DROP target. For more information on advanced routing. --log-ip-options iptables -A FORWARD -p tcp -j LOG --log-ip-options The --log-ip-options option will log most of the IP packet header options.1. just the same as the previous option. FORWARD and OUTPUT chain or subchains of those chains. but it also sends back an error message to the host sending the packet that was blocked. This works exactly thesame as the --log-tcp-options option.9 Página 34 --log-tcp-options iptables -A FORWARD -p tcp -j LOG --log-tcp-options The --log-tcp-options option will log the different options from the TCP packets header.

There are currently the following reject types that can be used: icmp-net-unreachable. Finally. All of the above are ICMP error messages and may be set as you wish. At best the routers will do nothing with the TOS field. and they will not even look at them. As noted before. Most of them are fairly easy to understand if you have a basic knowledge of TCP/IP. TOS target The TOS target is used to set the Type of Service field within the IP header. they will look at the TOS field and do the wrong thing based on the information.Iptables Tutorial 1. but this option may only be used in conjunction with rules which would match ICMP ping packets. icmp-portunreachable. As stated previously. As stated in the iptables man page. icmp-proto-unreachable. icmp-net-prohibited and icmp-host-prohibited. REJECT target Option Example Explanation --reject-with iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset This option tells the REJECT target what response to send to the host that sent the packet that we found to be a match. however. There is also an option called echo-reply. For more information about the TCP RST read RFC 793 . icmp-host-unreachable. else they won't work. you should hence set the TOS field which was developed for this. this is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts. there is one more option called tcp-reset which may only be used together with the TCP protocol. just the same as with the DROP target. Table 19.unix-fu. and then the packet is dropped dead to the ground. This is one of the few fields that can be used within iproute2 and its subsystem to route packets. there is most definitely a good use if you http://people. TCP RST are used to close open connections gracefully. the target will first of all send the specified reply. Note that the chains that uses the REJECT target may only be called upon by the INPUT. If you feel a need to propagate routing information on how to do routing for a specific packet or stream. There currently is only one option which controls the nature of how this target works. the tcp-reset option will tell REJECT to send an TCP RST packet in reply to the sending host.9 Página 35 be the only chains where it would make any sense to put this target in. and can not be propagated with the packet. and you may get some more information by looking in the appendix ICMP types. At worst.1.org/andreasson/iptables-tutorial/iptables-tutorial. The TOS field consists of 8 bits which are used to route packets. There are currently a lot of routers on the internet which does a pretty bad job at this so it may be a bit useless as of now to do any TOS mangling before sending the packets on to the internet.html 21:25:51 10/06/2002 . Once we get a packet that matches a specific rule and we specify this target. FORWARD. The default error message is to send an port-unreachable to the host. Also note that if you handle several separate firewalls and routers.Transmission Control Protocol. the MARK target which sets a MARK associated with a specific packet is only available within the kernel. which in turn may take a huge set of variables. which won't accept your mail otherwise. and OUTPUT chains. this is the only way to propagate routing information between these routers and firewalls within the actual packet.

2. or in hex 0x00-0xFF. TOS target Option Example Explanation --set-tos iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 The --set-tos option tells the TOS mangler what TOS value to set on packets that are matched.2 or below) of iptables provided a broken implementation of this target which would not fix the packet checksum upon mangling. the value may be 0-255.html 21:25:51 10/06/2002 . Note that this target is only valid within the mangle table and can not be used outside it. hex 0x02) or Normal-Service (decimal value 0. either in hex or in decimal value. Lets say we set up a MIRROR target for port 80 at computer A. The TOS target only takes one option as described below.1. These values are Minimize-Delay (decimal value 16.com. Minimize-Cost (decimal value 2. Maximize-Throughput (decimal value 8. MIRROR target The MIRROR target is an experimental demonstration target only. MaximizeReliability (decimal value 4. As the TOS value consists of 8 bits. hex value 0x10). For a complete listing of the "descriptive values". among other things. The default value on most packets are Normal-Service. This listing is complete as of iptables 1. The MIRROR target is used to invert the source and destination fields in the IP header. Table 20. and it should generally be recommended since the values behind the names may be changed if you are unlucky. or 0. hex value 0x00). use the actual names instead of the actual hex values to set up the TOS value.Iptables Tutorial 1. at least within your own network. Note that you can. and you should be warned of using this since it may result in really bad loops. hence resulting in a bad kind of Denial of Service. Also note that some old versions (1.5 and should hopefully be so for another period of time. If computer B would be coming from yahoo. the MIRROR target would make so computer B got the webpage at yahoo. and I would be quite sure that someone has had a good laugh at some cracker or another that has cracked his own box via this target by now. which in turn most probably would be mangled and the connection would never work. do an iptables -j TOS -h. and then to retransmit the packet. Note that most of these values will never be used by anyone on the internet so you may be better of by using the named values available (which should be more or less standardized). of course. The option takes a numeric value.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial. hex value 0x08). http://people. and hence rendered the packets bad and in need of retransmission.2.com back (since this is where he came from). This results in some really funny things. hex value 0x04). The result of this target is really simple. and tried to access the HTTP server at computer A.9 Página 36 have a large WAN or LAN with several routers and actually have the possibility to give packets different routes and preference depending on their TOS value.

50. and see to it that the packet is spoofed so it looks as if it comes from another host that uses the MIRROR command. One thing would for example be to send a spoofed packet to a host that uses the MIRRORcommand with a TTL of 255. for example. the packet will jump back and forth 240-255 times. This is in other words the only place that you may do SNAT in. The packet will then bounce back and forth a huge set of times.50.160 as http://people.50. which would be our firewall. SNAT target The SNAT target is used to do Source Network Address Translation.Iptables Tutorial 1. FORWARD and PREROUTING chains. takes one IP address to which we should transform all the source IP addresses in the IP header. since our local networks should use the IANA specified IP addresses which are allocated for LAN networks. depending on how many hops there is between them. If there is only 1 hop. letting all packets leaving our LAN look as if they came from a single host. also. noone on the internet would know that they where actually from us. However. 194.236.236. this is good when we want several computers to share an internet connection. within the POSTROUTING chain. If the first packet in a connection is mangled in this fashion. Note that this is a best case scenario for the cracker or scriptkiddie. no further processing of rules in the POSTROUTING chain will be commenced on the packets in the same stream. This option. The SNAT target does all the translation needed to do this kind of work. We could then turn on ip forwarding in the kernel.236. it would then look like. If we forwarded these packets as is. Not bad for a cracker in other words to send 1500 bytes of data.50.org/andreasson/iptables-tutorial/iptables-tutorial. which means that this target will rewrite the Source IP address in the IP header of the packet. For example.1.155194. If we want to balance between several IP addresses we could use an range of IP addresses separated by a hyphen. and any user-defined chains which are only called from those chains. at it simplest.236.unix-fu. then all future packets in the same connection will also be SNAT'ed and. Also note that the outgoing packets created by the MIRROR target is not seen by any of the normal chains in the filter. NAT or mangle tables to avoid loops and other problems. SNAT target Option Example Explanation --to-source iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194. Table 21. Without doing this.155-194. and eat up 380 kbyte of your connection.html 21:25:51 10/06/2002 . this does not make the target free of any likely problems. the outside world would not know where to send reply packets.160:1024-32000 The --to-source option is used to specify which source the packets should use. The SNAT target is only valid within the nat table.9 Página 37 Note that the MIRROR target is only valid within the INPUT. and then set an SNAT rule which would translate all packets from our local network to the source IP of our own internet connection. whichever we want to call them.

If no port range is specified. then all source ports below 512 will be mapped to other ports below 512 if needed. Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table.1 through 10.unix-fu. Also note that we may add an port or port range to which the traffic would be redirected to.html 21:25:51 10/06/2002 . in which case we would always be connected to the same host. There may also be an range of ports specified that should only be used by SNAT. so if a client tries to make contact with an HTTP server outside the firewall. We may also specify a whole range of destination IP addresses. that a single stream will always use the same host.1.168. such as the POSTROUTING chain. on to the real webserver within the LAN. This is done by adding. it will not be mapped to the FTP control port. Hence. The source IP would then be set randomly for each stream that we open.10 The --to-destination option tells the DNAT mechanism which Destination IP to set in the IP header. and a single stream would always use the same IP address for packets within that stream. as described previously. All the source ports would then be mapped to the ports specified. but no real IP to give it that will work on the internet. and then routed on to the correct device. namely 192.45. and that each stream will randomly be given an IP address that it will always be Destinated for. Note that this has nothing to do with destination ports.9 Página 38 described in the example above. We could also have specified only one IP address.45. This target can be extremely useful. Those between source ports 512 and 1023 will be mapped to ports below 1024.Iptables Tutorial 1.23.1. for example. we will be able to deal with a kind of load balancing by doing this. and any of the chains called upon from any of those listed chains. Note. You could then tell the firewall to forward all packets going to its own HTTP port. within that stream. The above example would send on all packets destined for IP address 15.1. the packet. :1024-32000 or something alike. when you have an host running your webserver inside a LAN. and where to send packets that are matched.67 --dport 80 -j DNAT --to-destination 192. and this is the target of the rule.67 to a range of LAN IP's. for example. All other ports will be mapped to 1024 or above. This would hence look as within the example above. and all subsequent packets in the same stream will be translated.23.1-192. host or network. but if two hosts tries to use the same ports. If a packet is matched. iptables will map one of them to another port. iptables will always try to not make any port alterations if it is possible. As previously stated. DNAT target Option Example Explanation --to-destination iptables -t nat -A PREROUTING -p tcp -d 15. an :80 statement to the IP addresses to which we want to http://people.org/andreasson/iptables-tutorial/iptables-tutorial. which means that it is used to rewrite the Destination IP address of a packet.168. DNAT target The DNAT target is used to do Destination Network Address Translation. iptables will always try to maintain the source ports used by the actual workstation making the connection. Table 22. Note that chains containing DNAT targets may not be used from any other chains.168.1. and the DNAT mechanism will choose the destination IP address at random for each stream.

it is not favorable since it will add extra overhead. This means that you should only use the MASQUERADE target with dynamically assigned IP connections. the lower port range delimiter and the upper port range delimiter separated with a hyphen. Table 23. or DHCP connections. A rule could then look like --to-destination 192.168. If you have a static IP connection. or like --to-destination 192.9 Página 39 DNAT the packets. If we would have used the SNAT target.1. however. MASQUERADE target Option Example Explanation --to-ports iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000 The --to-ports option is used to set the source port or ports to use on outgoing packets. dialup connections.Iptables Tutorial 1. Do note that port specifications are only valid for rules that specify the TCP or UDP protocols with the --protocol option. which is optional. swallowing up worthful connection tracking memory.168. The reason for this is that the MASQUERADE target was made to work with.1. In other words. for example. which we don't know the actual address of at all times. As you can see. you should instead use the SNAT target. the syntax is pretty much the same for the DNAT target. which gets dynamic IP addresses when connecting to the network in question. kill a specific interface. When you masquerade a connection. which would be lying around for days. The --to-ports option is only valid if the rule match section specifies the TCP or UDP protocols with http://people. as for the SNAT target even though they do two totally different things. The MASQUERADE target also has the effect that connections are forgotten when an interface goes down.org/andreasson/iptables-tutorial/iptables-tutorial. and there may be inconsistencies in the future which will thwart your existing scripts and render them "unusable". The MASQUERADE target takes on option specified below. This alters the default SNAT port-selection as described in the SNAT target section. and it is more or less idiotic to keep the entry around. MASQUERADE target The MASQUERADE target is used basically the same as the SNAT target.html 21:25:51 10/06/2002 . which is extremely good if we. it means that we set the IP address used on a specific network interface instead of the --to-source option.unix-fu.1. Either you can specify a single port like --to-ports 1025 or you may specify a port range as --to-ports 10243000. just as the SNAT target. but it does not require any --to-source option. and the IP address is automatically grabbed from the information about the specific interface. It is still possible to use the MASQUERADE target instead of SNAT even though you do have an static IP. we may have been left with a lot of old connection tracking data. for example. the connection is lost anyways. This is in general the correct behaviour when dealing with dialup lines that are probable to be assigned a different IP every time it is up'ed. Note that the MASQUERADE target is only valid within the POSTROUTING chain in the nat table.1:80 for example. In case we are assigned a different IP.1:80-100 if we wanted to specify a port range.

0.Iptables Tutorial 1. REDIRECT target The REDIRECT target is used to redirect packets and streams to the machine itself. This is specified.html 21:25:51 10/06/2002 . for example. to use. Setting all TTL values to the same value. Locally generated packets are mapped to the 127. or something alike. The TTL target is only valid within the mangle table. Note that this option is only available in rules specifying the TCP or UDP protocol with the --protocol matcher. as described below. It is also valid within user-defined chains that are only called from those chains. One reason for doing this is if you have a bully ISP which don't allow you to have more than one machine connected to the same internet connection. It takes 3 options as of writing this.9 Página 40 the --protocol match. the destination port is never altered. One useful application of this is to change all Time To Live values to the same value on all outgoing packets. this rewrites the destination address to our own host for packets that are forwarded. Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. since it wouldn't make any sense anywhere else.txt. For more information on how to set the default value used in Linux. We may then reset the TTL value for all outgoing packets to a standardized value.0. as above.1. where the LAN hosts do not know about the proxy at all. read the ip-sysctl. The REDIRECT target is extremely good to use when we want. and nowhere else. or port range. If we would want to specify an port range. and who actively pursue this. will effectively make it a little bit harder for them to notify that you are doing this. which you may find within the Other resources and links appendix. The REDIRECT target takes only one option. which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090. Table 24. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid. all of them described below in the table. transparent proxying. such as 64 as specified in Linux kernel. --to-ports 8080 in case we only want to specify one port. and nowhere else. REDIRECT target Option Example Explanation --to-ports iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 The --to-ports option specifies the destination port. http://people. we would do it like --toports 8080-8090. on our own host.1 address. TTL target The TTL target is used to modify the Time To Live field in the IP header.unix-fu. In other words.org/andreasson/iptables-tutorial/iptables-tutorial. Without the --to-ports option.

The reason for this is that the networking code will automatically decrement the TTL value by 1. For a good example on how this could be used. Do not set this value too high.1. but at the same time. the packet would leave our host with a TTL value of 49.Iptables Tutorial 1.txt script. ULOG target The ULOG target is used to provide userspace logging of matching packets.html 21:25:51 10/06/2002 . IF ANYONE HAS A GOOD USAGE FOR THIS OPTION. since the packet may start bouncing back and forth between two misconfigured routers. This is in other words a more complete and more sophisticated logging facility that is only used by iptables and netfilter so far. NOTIFY ME --ttl-inc iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-inc 1 The --ttl-inc option tells the TTL target to increment the Time To Live value with the value specified to the --ttl-inc option.org/andreasson/iptables-tutorial/iptables-tutorial. In other words. and it is not too short. if the TTL for an incoming packet was 53 and we had set --ttl-dec 3. and if we specified --ttl-inc 4. hence the packet will be decremented by 4 steps. This means that we should raise the TTL value with the value specified in the -ttl-inc option. and the higher the TTL. it gives the hacker/cracker some good information about your upstreams if they have targeted you. see the ttl-inc. which it always does. since they provide excellent information on problems with connections and where it happens. the packet information is multicasted together with the whole packet through a netlink socket.unix-fu. This may be used to make our firewall a bit more stealthy to traceroutes among other things. where the network code will automatically decrement the TTL value by 1. we effectively make the firewall hidden from traceroutes. --ttl-dec iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-dec 1 The --ttl-dec option tells the TTL target to decrement the Time To Live value by the amount specified after the --ttl-decoption. It's not too long.9 Página 41 Table 25. from 53 to 49 in other words. Traceroutes are a loved and hated thing. since it may affect your network and it is a bit immoral to set this value to high. a packet entering with a TTL of 53 would leave the host with TTL 56. the more bandwidth will be eaten unnecessary in such a case. TTL target Option Example Explanation --ttl-set iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-set 64 The --ttl-set option tells the TTL target which TTL value to set on the packet in question. By setting the TTL one value higher for all incoming packets. as for the previous example of the --ttl-dec option. and it contains much better facilities for logging http://people. If a packet is matched and the ULOG target is set. One or more userspace processes may then subscribe to various multicast groups and receive the packet. A good value would be around 64 somewhere. Note that the same thing goes here.

and to group log entries etcetera. and then transmit it outside to the userspace as one single netlink multipart message.Iptables Tutorial 1. The default value is 0. It can be 32 characters long. and is definitely most useful to distinguish different logmessages and where they came from.9 Página 42 packets. we would simply write --ulog-nlgroup 5. the kernel would first accumulate 10 packets inside the kernel. For example. If we would like to reach netlink group 5. With this we mainly mean the different routing decisions and http://people. the userspace daemon did not know how to handle multipart messages previously. This is extremely valuable information later on when you write your own specific rules.org/andreasson/iptables-tutorial/iptables-tutorial. and other databases. if we set the threshold to 10 as above. The default netlink groupd used is 1. Traversing of tables and chains This chapter will talk about how packets traverse the the different chains and in which order. If we specify 100 as above. making it much simpler to search for specific packets.1. plus some leading data within the actual packet. Table 26. This option prefixes all log entries with a userspecified log prefix. we would copy 100 bytes of the whole packet to userspace. If we specify 0. ULOG target Option Example Explanation --ulog-nlgroup iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2 The --ulog-nlgroup option tells the ULOG target which netlink group to send the packet to. --ulog-prefix iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: " The --ulog-prefix option works just the same as the prefix value for the standard LOG target. which are simply specified as 1-32. We will also look at which points certain other parts that also are kernel dependant gets in the picture. so the whole packet will be copied to userspace. The default value here is 1 because of backwards compatibility. the whole packet will be copied to userspace. Also we will speak about in which order the tables are traversed. This target enables us to log information to MySQL databases. regardless of the packets size. --ulog-cprange iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100 The --ulog-cprange option tells the ULOG target how many bytes of the packet to send to the userspace daemon of ULOG.html 21:25:51 10/06/2002 . --ulog-qthreshold iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10 The --ulog-qthreshold option tells the ULOG target how many packets to queue inside the kernel before actually sending the data to userspace. which would include the whole header hopefully.unix-fu. There are 32 netlink groups.

html 21:25:51 10/06/2002 . internet) Comes in on the interface(ie. we do all the filtering here. Source Network Address Translation is done further on. Note that all traffic that's forwarded goes through here (not only in one direction). eth1). eth0) This chain is normally used for mangling packets. avoid doing filtering here since certain packets might pass this chain without ever hitting it. This chain should first and foremost be used for Source Network Address Translation. General When a packet first enters the firewall.1. Out on the wire again (ie.unix-fu. LAN). ie. or anywhere else in case it is malformed. only forwarded packets go through here.org/andreasson/iptables-tutorial/iptables-tutorial. filter FORWARD The packet got routed onto the FORWARD chain. In this example. This is also where Masquerading is done. The packet can be stopped at any of the iptables chains. there's quite a lot of steps to pass through. The packet goes through the different steps in the following fashion: Table 1. or forwarded to another host or whatever happens to it. Avoid filtering in this chain since it will be passed through in certain cases. This chain is used for Destination Network Address Translation mainly. we're assuming that the packet is destined for another host on another network.9 Página 43 so on. Do note that there is no specific chains or tables for different interfaces or http://people. Routing decision. 5 6 7 nat POSTROUTING 8 9 As you can see. Forwarded packets Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire(ie. so you need to think about it when writing your ruleset. however. changing TOS and so on. This is especially needed if you want to write rules with iptables that chould change how different packets get routed. is the packet destined for our localhost or to be forwarded and where. Then the packet starts to go through a series of steps in the kernel before it is either sent to the correct application (locally).Iptables Tutorial 1. we are mainly interested in the iptables aspect of this lot. it hits the hardware and then get's passed on to the proper device driver in the kernel. ie. good examples of this is DNAT and SNAT and of course the TOS bits. Goes out on the outgoing interface (ie.

is the packet destined for our localhost or to be forwarded and where. Destination localhost Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire (ie.unix-fu. Table 3. Finally we look at the outgoing packets from our own localhost and what steps they go through. Local process/application (ie. changing TOS and so on.html 21:25:51 10/06/2002 . I think. server/client program) 5 6 7 Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain. 3 4 Nat Filter OUTPUT OUTPUT http://people. could someone tell me when this will be fixed? Please? This is where we filter packets going out from localhost. filter INPUT This is where we do filtering for all incoming traffic destined for our localhost. server/client program) This is where we mangle packets. It would pass through the following steps before actually being delivered to our application to receive it: Table 2. Internet) Comes in on the interface(ie. This chain is used for Destination Network Address Translation mainly.org/andreasson/iptables-tutorial/iptables-tutorial. it is suggested that you do not filter in this chain since it can have sideeffects. Routing decision. Source localhost Step 1 2 Mangle OUTPUT Table Chain Comment Local process/application (ie. I think it gets clearer with time. but if you continue to dig in it. let us have a look at a packet that is destined for our own localhost. This is currently broken. Quite logical. ie. Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning. Avoid filtering in this chain since it will be passed through in certain cases. Note that all incoming packets destined for this host passes through this chain. Now. ie.9 Página 44 anything like that. no matter what interface and so on it came from.Iptables Tutorial 1.1. eth0) This chain is normally used for mangling packets. FORWARD is always passed by all packets that are forwarded over this firewall/ router.

If we would figure out a good map of all this. This is where we decide where the packet should go.9 Página 45 5 6 Nat POSTROUTING Routing decision. and certain packets might slip through even though you set a default policy of DROP.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. It is suggested that you don't do filtering here since it can have sideeffects. it would look something like this: http://people. Internet) 7 8 We have now seen how the different chains are traversed in three separate scenarios.unix-fu.Iptables Tutorial 1. Goes out on some interface (ie. This is where we do Source Network Address Translation as described earlier. eth0) On the wire (ie.1.

txt script.unix-fu.1. If you feel that you want more information.9 Página 46 Hopefully you got a clearer picture of how the packets traverses the built in chains now. This test script should give you the necessary rules to test how the tables and chains are traversed.html 21:25:51 10/06/2002 .test-iptables. All comments welcome. this might still be wrong or it might change in the future.org/andreasson/iptables-tutorial/iptables-tutorial. you could use the rc.Iptables Tutorial 1. http://people.

1. One good reason for this could be that we don't want to give ourself away to nosy Internet Service Providers.Iptables Tutorial 1. only the first packet in a stream will hit this chain. It is strongly adviced that you don't use this table to do any filtering in. the rest of the packets http://people. Don't set this in other words for packets going to the internet unless you want to do routing decisions on it with iproute2. This could be used for setting up policies on the network regarding how a packet should be routed and so on. SNAT or Masquerading work in this table. nor will any DNAT. Nat table This table should only be used for NAT (Network Address Translation) on different packets. and there are some Internet Service Providers known to look for a single host generating many different TTL values. We could also do bandwidth limiting and Class Based Queuing based on these marks. In other words. In other words. or if they don't have any. they act faulty on what they get. After this. Note that this has not been perfected and is not really implemented on the internet and most of the routers don't care about the value in this field.html 21:25:51 10/06/2002 . These marks could then be recognised by the iproute2 programs to do different routing on the packet depending on what mark they have. Some Internet Service Providers does not like users running multiple computers on one single connection.unix-fu. We could tell packets to only have a specific TTL and so on.org/andreasson/iptables-tutorial/iptables-tutorial. Note that. and sometimes. Target's that only valid in the mangle table: TOS TTL MARK The TOS target is used to set and/or change the Type of Service field in the packet.9 Página 47 Mangle table This table should as we've already noted mainly be used for mangling packets. you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) fields and so on. The MARK target is used to set special mark values to the packet. The TTL target is used to change the TTL (Time To Live) field of the packet. as we have said before. and takes this as one of many signs of multiple computers connected to a single connection. it should only be used to translate packets source field or destination field.

Filter table The filter table is. etcetera. it automatically checks for the IP address to use. Almost all targets are usable in this chain. Of course we may do filtering earlier too. This should be used to get a basic idea on how to solve different problems and what you may need to think about before http://people. A good example when this is very good is when we have a firewall that we know the outside IP address of. however. SLIP or DHCP. We have used one of the basic setups and dug deeper into how it works and what we do in it. for example PPP.9 Página 48 will automatically have the same action taken on them as the first packet. but the MASQUERADE target takes a little bit more overhead to compute. We can match packets and filter them however we want. The MASQUERADE target will on the other hand work properly with Dynamic IP addresses that you may be provided when you connect to the Internet with.x. If you're network uses 192. The actual targets that does these kind of things are: DNAT SNAT MASQUERADE The DNAT (Destination Network Address Translation) target is mainly used in cases such as when you have one IP and want to redirect accesses to the firewall to some other host on a DMZ for example. instead of doing as the SNAT target does and just use an IP address submitted while the rule was parsed. This is mainly done to hide our local networks or DMZ.1. of course. SNAT (Source Network Address Translation) is mainly used for changing the source address of packets. hence making it possible to make connections from the LAN to the Internet. but need to change our local networks IP numbers to the same of the IP of our firewall. we change the destination address of the packet and reroute it to some other host. The firewall will with this target automatically SNAT and De-SNAT the packets.html 21:25:51 10/06/2002 . as you already know.Iptables Tutorial 1. and there is nothing special to this chain or special packets that might slip through because they are malformed.168. rc.firewall file This chapter will deal with an example firewall setup and how the script file could look. mainly used for filtering packets. the packets would never get back from the Internet because these networks are regulated to be used in LAN's by IANA.org/andreasson/iptables-tutorial/iptables-tutorial. The MASQUERADE target is used in exactly the same way as SNAT. In other words. The reason for this is that each time that the MASQUERADE target gets hit by a packet. We will not go into deeper discussion about this table though. the targets discussed previously in this chapter are only usable in their respective tables. however.unix-fu. this is where we (should) do the main filtering. etc. This is the place that we actually take action against packets and look at what they contain and DROP/ACCEPT depending on their payload. this is the place that was designed for it.x netmask for example.

they are however left there so you can spot the differences between the scripts in a more efficient way. Also. Mainly. This script does not contain any special configuration options for DHCP or PPPoE. hence these sections are empty. the $INET_IFACE variable should point to the actual device used for your internet connection.html 21:25:51 10/06/2002 . As long as you have a very basic setup however.firewall Ok. so you have everything set up and are ready to check out an example configuration script. Also. Instead of looking for comments. however you will with 99% certainty not change any of the values within this section since you will almost always use the 127.1.org/andreasson/iptables-tutorial/iptables-tutorial.firewall. eth1. note that there might be more efficient ways of making the ruleset.txt (also included in the Example scripts codebaseappendix) is fairly large but not a lot of comments in it. however. This could be eth0. but is not suggested since it may not work perfectly together with your network setup.firewall.DHCP.Iptables Tutorial 1. This should always be changed since it contains the information that is vital to your actual configuration. I suggest you read through the script file to get a basic hum about how it looks. this section only consists of the $IPTABLES variable. you will find a brief section that pertains to the iptables. as you may see there is a Localhost configuration section.txt is the configuration section.unix-fu. If you need these parts. This example rc. We do provide it. For example. if you got one (if not. or (hold yourself) create your own from scratch. You should at least be if you have come this far. explanation of rc. read on since this script will introduce a lot of interesting stuff anyways).0. The $INET_IP should always be a fully valid IP address. just below the Localhost configuration.1 IP address and the interface will amost certainly be named lo. then you should probably look closer at the rc. however. It could be used as is with some changes to the variables. which are necessary. which will point the script to the exact location of the http://people. The same goes for all sections that are empty.txt. etcetera just to name a few possible device names. hence it is available here. you need to specify the IP address of the physical interface connected to the LAN as well as the IP range which the LAN uses and the interface that the box is connected to the LAN through. then you could always create a mix of the different scripts. Also. For example.9 Página 49 actually putting your scripts into work. and then you return here to get the nitty gritty about the whole script. it will very likely run quite smooth with just a few fixes to it.firewall. ppp0. tr0.firewall Configuration options The first section you should note within the example rc. your IP address will always change. The Local Area Network section contains most of the configuration options for your LAN.0. the script has been written for readability so that everyone can understand it without having to know too much BASH scripting before reading this example rc.

but you will be a bit more secure to bouncing hacker attacks and attacks where the hacker will only use your host as an intermediate host. which in turn requires some translation to be done. and if possible try to avoid having modules lying around at all unless you will be using them. if you want to have support for the LOG. The FTP NAT helpers do all of the translations within these connections so the FTP server will actually know where to connect. and tells the FTP server to connect to that IP address. FTP is a complex protocol by definition. This is for security reasons. which could for example be used to only allow certain users to make certain connections. etcetera.html 21:25:51 10/06/2002 .Iptables Tutorial 1. but not be able to send files. you could allow only root to do FTP and HTTP connections to redhat and DROP all the others. the FTP server will not know what to do with it and hence the connection will break down. look at the Owner match section within the How a rule is built chapter. For example. I will not use that module in this example but basically. Always avoid loading modules that you do not need. So. Creating these kind of connections requires the IP address and ports to be sent within the IRC protocol. many distributions put the actual application in another location such as /usr/sbin/iptables and so on. The NAT helpers on the other hand. After this we load the modules that we will require for this script. Now. For example. some other things will not work. since it will take some extra effort to make additional rules this way. REJECT and MASQUERADE targets and don't have this compiled statically into your kernel. might be boring for others. Since this local network address is not valid outside your own network. you tell the receiver that you want to send a file and where he should connect to. Without these helpers. First off.1. Connection tracking helpers are special modules that tells the kernel how to properly track the specific connections. Without the helpers. For more information about the ipt_owner match. Without these so called helpers. We may also load extra modules for the state matching code here. if one of your hosts NAT'ed boxes connect to a FTP server on the internet. you may be able to receive files over DCC. This may vary a bit. the DCC connection will look as if it wants the receiver to connect to some host on the receivers own local network. we load these modules as follows: /sbin/insmod ipt_LOG /sbin/insmod ipt_REJECT /sbin/insmod ipt_MASQUERADE Next is the option to load ipt_owner module. some FTP and IRC stuff will work no doubt. are extensions of the connection tracking helpers that tells the kernel what to look for in specific packets and how to translate these so the connections will actually work.9 Página 50 iptables application.unix-fu. and the default location when compiling the iptables package by hand is /usr/local/sbin/iptables. However. Initial loading of extra modules First. the kernel would not know what to look for when it tries to track specific connections. for example. and it sends connection information within the actual payload of the packet. however. the whole connection will be http://people. This is due to how the DCC starts a connection. All modules that extend the state matching code and connection tracking code are called ip_conntrack_* and ip_nat_*. we see to it that the module dependencies files are up to date by issuing an /sbin/depmod -a command. In other words. The same thing applies for DCC file transfers (sends) and chats. You could also disallow all users but your own user and root to connect from your box to the Internet.org/andreasson/iptables-tutorial/iptables-tutorial. it will send its own local network IP address within the payload of the packet.

However. I have chosen to turn it on here to maintain consistency with the script breakdown currently user. PPP or DHCP you may enable the next option. You will also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before actually loading the NAT modules.org/andreasson/iptables-tutorial/iptables-tutorial. you need to use the patch-omatic and compile your own kernel. For a better explanation on how this is done. This will lead to a brief period of time where the firewall will accept forwarding any kind of traffic for everything between a millisecond to a minute depending on what script we are running and on what box. the other way around.9 Página 51 broken.1. In other words.323 conntrack helpers within the patch-o-matic. read the Preparations chapter. Note that you need to load the ip_nat_irc and ip_nat_ftp if you want Network Adress Translation to work properly on any of the FTP and IRC protocols. for example if you use SLIP. In case you need dynamic IP support. which is also available within the Other resources and links appendix. there's other documentations on how to do these things and this is out of the scope of this documentation. as well as some other conntrack helpers. They are used the same way as the conntrack modules. it will work flawlessly since the sender will (most probably) give you the correct address to connect to. in case there are possible additional links added to other and better resources of information. Also. As of this writing.Iptables Tutorial 1. iptables rulesets). this option should really be turned on after creating all firewall rules.html 21:25:51 10/06/2002 . it may be worth looking at that appendix in the future. but it will make it possible for the computer to do NAT on these two protocols. In this script and all others within the tutorial. proc set up At this point we start the IP forwarding by echoing a 1 to /proc/sys/net/ipv4/ ip_forward in this fashion: echo "1" > /proc/sys/net/ipv4/ip_forward It may be worth a thought where and when we turn on the IP forwarding. read the Common problems and questionmarks appendix. There is a good but rather brief document about the proc system available within the kernel. however. http://people. there is only the option to load modules which add support for the FTP and IRC protocols. we turn it on before actually creating any kind of IP filters (ie. There are also H. For a long explanation of these conntrack and nat modules. To be able to use these helpers.unix-fu. ip_dynaddr by doing the following : echo "1" > /proc/sys/net/ipv4/ip_dynaddr If there is any other options you might need to turn on you should follow that style. This may give malicious people a small timeframe to actually get through our firewall.

The following picture will try to explain the basics of how an incoming packet traverses netfilter. this will remind you a little bit of how the specific tables and chains are traversed in a real live example. Since the local network is fully trusted. do not turn these on before actually knowing what they mean.firewall. Based upon this picture. In the case of this scenario. This whole example script is based upon the assumption that we are looking at a scenario containing one local network.9 Página 52 The rc. I have displaced all the different user-chains in the fashion I have to save as much CPU as possible but at the same time put the main weight on security and readability. I hope to point these aspects and possible problems out to you when and where they occur. With these pictures and explanations. we want to set default policies within the chains to DROP.txt script. This example is also based upon the assumption that we have a static IP to the internet (as opposed to DHCP. this script has as a main priority to only allow traffic that we explicitly want to allow.1. I simply match all TCP packets and then let the TCP packets traverse an user specified chain. PPP and SLIP and others).txt script. this section contains a brief look back to the Traversing of tables and chains chapter. however. This is a really trivial picture in comparison to the one in the Traversing of tables and chains chapter where we discussed the whole traversal of chains and tables in depth.Iptables Tutorial 1. but instead further on in the chapter. Hopefully. and we trust our local network fully and hence we will not block any of the traffic from the local network.firewall.unix-fu.html 21:25:51 10/06/2002 . UDP and TCP rules. However. Also. Some of the paths I have chosen to go here may be wrong from one or another of aspect. Instead of letting a TCP packet traverse ICMP. These may be a good starters to look at. Also. I wish to explain and clarify the goals of this script. and all others contained within this tutorial. we would also like to let our local network do connections to the internet. one firewall and an Internet connection connected to the firewall. Displacement of rules to different chains This section will briefly describe my choices within the tutorial regarding user specified chains and some choices specific to the rc. This way we do not get too much overhead out of it all. let's make clear what our goals are. the Internet is most definitely not a trusted network and hence we want to block http://people. This will effectively kill all connections and all packets that we do not explicitly allow inside our network or our firewall. In this case. To do this. We will not discuss any specific details yet. we want to allow all kind of traffic from the local network to the internet. do contain a small section of non-required proc settings.org/andreasson/iptables-tutorial/iptables-tutorial. we also want to allow the firewall to act as a server for certain services on the internet.

read the Common problems and questionmarks chapter.0. We trust our local network to the fullest. we want to split the rules down into subchains. All of these protocols are available on the actual firewall. FTP. we add a rule which lets all established and related traffic through at the top of the INPUT chain. Based upon these general assumptions. we want to add special rules to allow all traffic from the local network as well as the loopback network interface. http://people. we will want to block all traffic from the Internet to our local network except already established and related connections. we want the local network to be able to connect to the internet. However. Since we have an FTP server running on the server. This means that we will also have to do some filtering within the FORWARD chain since we will otherwise allow outsiders full access to our local network. and reduce redundancy within the network. Because of this. we may be a bit low on funds perhaps. or we just want to offer a few services to people on the internet. our packets will hopefully only need to traverse as few rules as possible.html 21:25:51 10/06/2002 . we have decided to allow HTTP. First of all. For instance. Also. which is created last in this script.9 Página 53 them from getting to our local network. we do not want to allow specific packets or packet headers in specific conjunctions. As for our firewall. By traversing less rules. By doing this. SSH and IDENTD access to the actual firewall.org/andreasson/iptables-tutorial/iptables-tutorial. However.0.unix-fu. nor do we want to allow some IP ranges to reach the firewall from the Internet. let's look at what we need to do and what we do not need to do. which in turn will allow all return traffic from the Internet to our local network. of course. For a closer discussion of this. and the loopback device and IP address are also trusted. before we implement this. For the same reason. we must note that certain Internet Service Providers actually use these address ranges within their own networks.0/8 address range is reserved for local networks and hence we would normally not want to allow packets from such a address range since they would with 90% certainty be spoofed. and because of that we specifically allow all traffic from our local network to the internet. Since noone on the Internet should be allowed to contact our local network computers. All of this is done within the PREROUTING chain. we will need to NAT all packets since none of the local computers have real IP addresses.Iptables Tutorial 1. we make the ruleset less timeconsuming for each packet. To do this. and hence it should be allowed through the INPUT chain.1. and we need to allow the return traffic through the OUTPUT chain. as well as the fact we want to traverse as few rules as possible. Therefore. the 10. we also trust the local network fully.

and if not they will be dropped by the default policy in the OUTPUT chain. for example TCP. we choose to split the different packets down by their protocol family. we have the UDP packets which needs to be dealt with. Since we are running on a relatively small network. Setting up the different chains used So. and hence we accept the directly.9 Página 54 In this script. these will traverse the icmp_packets chain. as well as all of the rulesets within the chains. When we decided on how to create this chain. First of all. However. nor do we do any blocking of specific protocols.1. which will contain rules for all TCP ports and protocols that we want to allow. and if they are of an allowed type we should accept them immediately without any further checking. we send to the udp_packets chain which handles all incoming UDP packets. As for ICMP packets. we want to do some extra checking on the TCP packets. UDP or ICMP. we want to allow certain specific protocols to make contact with the firewall itself. Finally. this box is also used as a secondary workstation and to give some extra levy for this. You should also have a clear picture of the goals of this script.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. We do not do any specific user blocking. All incoming UDP packets should be sent to this chain. we set all the default policies on the different chains with a quite simple command. we have the firewalls OUTPUT chain. It is now about time that we take care of setting up all the rules and chains that we wish to create and to use. Since we actually trust the firewall quite a lot. This chain we choose to call the "allowed" chain. These packets. now you got a small picture on how the packet traverses the different chains and how they belong together. and hence we only want to allow traffic from the IP addresses assigned to the firewall itself.Iptables Tutorial 1. we do not want people to use this box to spoof packets leaving the firewall itself. and should contain a few extra checks before finally accepting the packet. such as speak freely and ICQ. iptables -P <chain name> <policy> http://people.unix-fu. we allow pretty much all traffic leaving the firewall. All TCP packets traverse a specific chain named tcp_packets. we could not see any specific needs for extra checks before allowing the ICMP packets through if we agree with the type and code of the ICMP packet. Finally. so we would like to create one more subchain for all packets that are accepted for using valid port numbers to the firewall. We would most likely implement this by adding rules that ACCEPT all packets leaving the firewall in case they come from one of the IP addresses assigned to the firewall. Also.

some applications depend on it such as Samba etc. and after this.168. of ICMP type. we don't log more than 3 packets per minute as to not getting flooded with crap all over the log files. The chains we will use are icmp_packets.9 Página 55 The default policy is used every time the packets don't match a rule in the chain. or finally it might be a problem in our firewall not allowing traffic that should be allowed. of TCP type.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. will be redirected to tcp_packets and incoming packets of UDP type from eth0 go to udpincoming_packets chain. which would normally be 127. Though. we log them to our logs and then we DROP them.html 21:25:51 10/06/2002 . Either it might be a packet that we just dont want to allow or it might be someone who's doing something bad to us. Hence.0. The new chains are created and set up with no rules inside of them. which in my case would be 192. First of all we match all ICMP packets in the INPUT chain that come on the incoming interface $INET_IFACE. tcp_packets. and send those to the icmp_packets. If you want to fully understand this.0. After this. if the connection is against an allowed port. These packets could be allowed under certain circumstances but in 99% of the cases we wouldn't want these packets to get through. also we set a prefix to all log entries so we know where it came from.unix-fu. Incoming packets on eth0.1 and ACCEPT all incoming traffic from there. I allow everything that comes from my own Internet IP that is either ESTABLISHED or RELATED to some connection.0/24. will be redirected to the chain icmp_packets. udpincoming_packets and the allowed chain for tcp_packets. After this. we check for everything that comes from our $LOCALHOST_IP. Also. we do the same match for TCP packets on the $INET_IFACE and send those to the tcp_packets chain. we allow broadcast traffic from our LAN. do the same for everything to $LAN_IP. The default policy was set quite some time back. Before we hit the default policy of the INPUT chain. as you might remember.1. we create the different special chains that we want to use with the -N command. and it will work much better on slow machines which might otherwise drop packets at high loads. INPUT chain The INPUT chain as I've written it uses mostly other chains to do the hard work. something that some might consider a security problem. which was previously described. you need to look at the Appendices regarding state NEW and non-SYN packets getting through other rules. These applications will not work properly without it. and after this all UDP packets get sent to udpincoming_packets chain. it travels through the tcp_packets chain.0. which in my case is eth0. we log it so we might be able to find out about possible problems and or bugs. Finally. In either case we want to know about it so it can be dealt with. This way we don't get too much load from the iptables. The TCP allowed chain If a packet comes in on eth0 and is of TCP type. we want to do some final checks on it to see if we actually do http://people. Everything that hasn't yet been caught will be DROP'ed by the default policy on the INPUT chain. We do certain checks for bad packets here.

we create the chain the same way as all the others. hence. I only allow incoming ICMP Echo Replies.html 21:25:51 10/06/2002 . if it does. so for example if we send a HTTP request. After that. There is no currently available TCP/IP implementation that supports opening a TCP connection with something else than a SYN packet to my knowledge. and a Time Exceeded is sent back from the first gateway en route to the host we're trying to traceroute.1. we will get a reply about this. we allow this. and the host is unreachable. DROP the crap since it's 99% sure to be a portscan. Echo Replies is what you get for example when you ping another host.unix-fu. Postel. ie. I might be wrong in blocking some of these ICMP types for you. and a reply to this SYN packet. The last rule in this chain will DROP everything else. but in my case.org/andreasson/iptables-tutorial/iptables-tutorial. http://people. except to portscan people pretty much. when you traceroute someone. the connection then must be in state ESTABLISHED. For example.Iptables Tutorial 1. see the appendix ICMP types. The ICMP chain This is where we decide what ICMP types to allow. First of all. Destination unreachable. Then we check if the packet comes from an ESTABLISHED or RELATED connection. we didn't reply to the SYN packet. we then redirect it to the icmp_packets chain as explained before. and it gets down to 0 at the first hop on the way out. allow it. For more information on ICMP types and their usage. i suggest reading the following documents and reports : The Internet Control Message Protocol ICMP RFC 792 . we will be unable to ping other hosts. Here we check what kind of ICMP types to allow. There is no practical use of not starting a connection with a SYN packet. we check if the packet is a SYN packet. is allowed in the case where we might want to traceroute some host or if a packet gets its Time To Live set to 0. it is most likely to be the first packet in a new connection so. As it is now. An ESTABLISHED connection is a connection that has seen traffic in both directions. As a side-note. the last gateway that was unable to find the route to the host replies with a Destination Unreachable telling us that it was unable to find it. If a packet of ICMP type comes in on eth0 on the INPUT chain. or they are trying to start the connection with a non SYN packet. In this case this pretty much means everything that hasn't seen traffic in both directions. everything works perfectly while blocking all the other ICMP types that I don't allow. of course. Destination Unreachable is used if a certain host is unreachable. Redirect and Time Exceeded. then TTL = 2 and the second gateway sends Time Exceeded. then we.Internet Control Message Protocol by J. and so on until we get an actual reply from the host we finally want to get to.9 Página 56 want to allow it or not. This way we won't have to wait until the browser's timeouts kicks in after some 60 seconds or more. If it is a SYN packet. you start out with TTL = 1. For a complete listing of all ICMP types. Time Exceeded. if we don't allow this. The reason that I allow these ICMP packets are as follows. again of course. and since we've got a SYN packet.

I allow TCP port 21. Note that you are dealing with a firewall. in other words everything again. And finally we allow port 113. we ACCEPT them directly.0. Port 80 is HTTP.9 Página 57 The TCP chain So now we reach TCP connections.html 21:25:51 10/06/2002 . we can unload the ip_conntrack_ftp module and delete the $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed line from the rc. in other words if the packet is destined for port 21 they also match. if you want to allow anyone from the outside to use a shell on your box at all.unix-fu. this is actually the default behaviour but I'm using it for brevity in here. It is always a bad idea to give others than yourself any kind of access to these kind of boxes.0.0. Firewalls should always be kept to a bare minimum and not more.1. If it doesn't match any of the rules. which is IDENTD and might be necessary for some protocols like IRC. which we described previously. well. and that way we allow PASSIVE and PORT connections since the ip_conntrack_ftp module is. We don't want this behaviour. I personally also allow port 123. As it is now.txt file. loaded. delete it if you don't want to run a web server on your site. then the packet will be targeted for the allowed chain. of course. its quite self explanatory how to do that by now=). which is what we use to do DNS lookups. If we don't want to allow FTP at all. If you feel like adding more open ports with this script. in other words your web server.org/andreasson/iptables-tutorial/iptables-tutorial.0 and netmask 0.0. I ACCEPT incoming UDP packets from port 53. Port 22 is SSH. hence we allow DNS. there is still more checks to do. The UDP chain If we do get a UDP packet on the INPUT chain.0 with netmask 0. we send them on to udpincoming_packets where we once again do a match for the UDP protocol with -p UDP and then match everything with a source address of 0. If all the criteria are matched. the rule will be added to the end of the chain. without this we wouldn't be able to do domain name lookups and we would be reversed to only use IP's.Iptables Tutorial 1. --dport 21 means destination port 21.firewall. -A tcp_packets tells iptables in which chain to add the new rule.0. hopefully.0. they will be passed back to the original chain that sent the packet to the tcp_packets chain. As it is now. in other words all sources addresses. http://people. which is used to control FTP connections and later on I also allow all RELATED connections. much better than allowing telnet on port 23. hence we send each and one of them on to allowed chain. or FTP control port. This specifies what ports that are allowed to use on the firewall from the Internet.0. Though. If they have a source port of 53 also. which is NTP or network time protocol.0. -p TCP tells it to match TCP packets and -s 0/0 matches all source addresses from 0. etc to work properly.0. This protocol is used to set your computer clock to the same time as certain other time servers which have very accurate clocks.0.

or it's a weird packet that's spoofed. I doubt there is any further need to explain what it is. Finally we DROP the packet in the default policy.firewall.9 Página 58 Though. And after this we log everything and drop it.txt example file.unix-fu. We currently also allow port 2074. We log maximally 3 log entries per minute as to not flood our own logs. among other things since this chain is only traversed by the first packet in a stream. and prefix them with a short line that is possible to grep for in the logfiles. Port 4000 is the ICQ protocol. we allow the packets coming back from that site that's either ESTABLISHED or RELATED but nothing else.1. There is at least 5 different ICQ clones for Linux and it's one of the most widely used chat programs in the world. Either it's a nasty error. Note that this chain should not be used for any filtering or such. or even better. PREROUTING chain of the nat table The PREROUTING chain is pretty much what it says. we first of all ACCEPT all packets coming from our LAN with the following line: /usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT So everything from our Localnet's interface gets ACCEPT'ed whatever the circumstances. FORWARD chain Even though I haven't actually set up a certain section in the rc. As it is now. in other words. http://people. which is used for certain real-time `multimedia' applications like speak freely which you can use to talk to other people in real-time by using speakers and a microphone. This should be an extremely well known protocol that is used by the Mirabilis application named ICQ. $LAN_IP or $STATIC_IP. even though I doubt anyone that I know would do it on my box. We finally hit the default policy of the FORWARD chain that says to DROP everything. it does network adress translation on packets before they actually hit the routing tables that sends them onwards to the INPUT or FORWARD chains in the filter table. If it does get dropped. Everything else might be spoofed in some fashion. it should be used for network adress translation. I'm allowing it per default since I know there are some who actually do. most of you probably don't use this protocol. Last of all we log everything that gets dropped. After this we allow everything in a state ESTABLISHED or RELATED from everywhere. a headset.org/andreasson/iptables-tutorial/iptables-tutorial. we'll sure as hell want to know about it for some reason or another. OUTPUT chain Since i know that there's pretty much no one but me using this box which is partially used as a Firewall and a workstation currently.html 21:25:51 10/06/2002 . if we open a connection from our LAN to something on the Internet.Iptables Tutorial 1. Also we log them with debug level. I would like to comment on the few lines in there anyways. I allow pretty much everything that goes out from it that has a source address $LOCALHOST_IP.

in such case. then when the Internet box replies. First of all we add a rule to the nat table. 10. we drop them quicker than hell since these IP's are reserved especially for local intranets and definitely shouldn't be used on the Internet. and they may not fit your exact intentions perfectly. We also set a prefix to the log with the --log-prefix and set the log level with the --log-level.x. our final mission would be to get the MASQUERADEing up. we don't do that though. The rest of this tutorial should most probably be http://people. This means we get maximally 3 log entries per minute from this specific line. Log level tells the syslogd. it'll have to wait for another 1 minute for the next log entry. and since it comes from eth1 we ACCEPT it.x. The next thing we do is to ACCEPT all packets from anywhere that are ESTABLISHED and/or RELATED to some connection. but also to improve the readability a bit. if we get an packet from $LAN_IFACE that claims to not come from an IP address in the range which we know that our LAN is on. we first send a packet from our local box behind eth1. and hits the default policy.x.org/andreasson/iptables-tutorial/iptables-tutorial. The -t option tells us which table to use. In some cases these might be packets that should have gotten through but didn't. mainly to make them easier to configure.x. in this case nat while the A command tells us that we want to Add a new rule to an existing chain named POSTROUTING and -o $INET_IFACE tells us to match all outgoing packets on INET_IFACE (or eth0.html 21:25:51 10/06/2002 . or logging facility what kind of importance this log entry has. and the burst is also set to 3 so if we get 3 log entries in 2 seconds.16. However. This is good if someone starts to flood you with crap stuff that otherwise would generate many megabytes of logs. too.9 Página 59 First of all we check for obviously spoofed IP addresses. Example scripts The objective of this chapter is to give a fairly brief and short explanation of each script available with this tutorial. Simple.x. As it looks now. The last thing we do is to log all traffic that gets dropped over the border. such as in case we get packets from the Internet interface that claim to have a source IP of 192. there are specific variables added to these example scripts that may be used to automatically configure these settings.Iptables Tutorial 1. For me this would be eth0. In other words.168. isn't it? The next step we take is to ACCEPT all packets traversing the FORWARD chain in the default table filter that come from the input interface eth1 which is my interface connecting to the internal network. We allow this rule to be matched a maximum of 3 times per minute with a burst limit of 3. This might be used in the opposite direction. per default settings in this script) and finally we target the packet for MASQUERADE'ing. So all packets that match this rule will be masqueraded to look as it came from your Internet interface. in the POSTROUTING chain that will masquerade all packets going out on our interface connected to the Internet. correct? At least to me. we might drop that too. in other cases it might be packets that definitely shouldn't get through and you want to be notified about this.unix-fu. These settings are widely used within the example scripts. and to provide an overlook of the scripts and what services they provide. it gets caught by this rule since the connection has seen packets in both directions. It is in other words up to you to make these scripts suitable for your needs.x. Starting the Network Address Translation So.x or 172. All packets that are being forwarded on our box traverse the FORWARD chain in the filter table. These scripts are not in any way perfect.1.

If there is any LAN available behind the firewall. These variables are highly unlikely to change.html 21:25:51 10/06/2002 . mainly because any normal home network. 2. unless it is specifically explained why I have broken this structure. Configuration . LAN . 1.If there are possibly any special DHCP requirements with this specific script.unix-fu. 1.txt script structure All scripts written for this tutorial has been written after a specific structure. Configuration options should pretty much always be the first thing in any shell-script. or small corporate network. rc. The structure This is the structure that all scripts in this tutorial should follow. PPPoE .If there are a possibility that the user that wants to use this specific script. and why I have chosen to maintain this structure. The reason for this is that they should be fairly conformative to each other and to make it easier to find the differences between the scripts. The first section of this tutorial deals with the actual structure that I have established in each script so we may find our way within the script a bit easier. but we have put most of it into variables anyway.firewall. and if there are any special circumstances that raises the chances that he is using a PPPoE connection. will not have one.Iptables Tutorial 1. there should be no reason to change these variables. This is most likely. Hopefully. If they differ in some way it is probably an error on my part. DHCP .9 Página 60 helpful in making this feat. but only such that pertains to our Internet connection.This is the configuration section which pertains to the Internet connection. This structure should be fairly well documented in this brief chapter. http://people.org/andreasson/iptables-tutorial/iptables-tutorial. Note that there may be more subsections than those listed here. DMZ .If there is any reason to it. 1. hence this section will almost always be available. 4. Internet .First of all we have the configuration options which the rest of the script should use. Most scripts lacks this section.These options pertain to our localhost. 3. Localhost . we will add options pertaining to that in this section. It is only a structure that I have chosen to use since it fits the need of being easy to read and follow the best according to my logic. we will add specific options for those here. This could be skipped if we do not have any Internet connection. we will add a DMZ zone configuration at this point. This chapter should hopefully give a short understanding to why all the scripts has been written as they have. Even though this is the structure I have chosen. 2.1. we will add the DHCP specific configuration options here. do note that this may not be the best structure for your scripts.

This section should contain the required modules.1. I have also chosen to set the chains and their rulespecifications in the same order as they are output by the iptables -L command. All user specified chains are created before we do anything to the system builtin chains. Non-required modules . Module loading .This section contains modules that are not required for normal operations. 1.This section contains iptables specific configuration.9 Página 61 5. If it does not fit in anywhere. since they are not actually necessary to get the script to work.If there are any other specific options and variables. etcetera). they will be listed as such. it should be subsectioned directly to the configuration options somewhere.By now the scripts should most probably be ready to insert the ruleset. The first part should contain the required modules. or add certain services or possibilities. Note that some modules that may raise security. All of them should be commented out. they should first of all be fitted into the correct subsection (If it pertains to the Internet connection. 2. and possibly which adds special services or possibilities for the administrator or clients. they should be commented out per default. All of these modules should be commented out per default. This should normally be noted in such cases within the example scripts. 5. 4. Required modules . http://people. 2. it should be subsectioned there. Other . it is up to you.Iptables Tutorial 1. 1. and if you want to add the service it provides. In most scripts and situations this should only require one variable which tells us where the iptables binary is located.unix-fu. Required proc configuration . If some of these options are required. may have been added even though they are not required.This section should contain all of the required proc configurations for the script in question to work. and possibly special modules that adds to the security or adds special services to the administrator or clients. if not. Most of the useful proc configurations will be listed here. and listed under the non-required proc configurations.This section should take care of any special configuration needed in the proc filesystem. while the second part should contain the non-required modules. This list will contain far from all of the proc configurations or nodes. iptables .This section of the scripts should maintain a list of modules.This section should contain non-required proc configurations that may prove useful.org/andreasson/iptables-tutorial/iptables-tutorial. proc configuration . Non-required proc configuration . It could possibly also contain configurations that raises security. rules set up .html 21:25:51 10/06/2002 . 6. 3. I have chosen to split all the rules down after table and then chain names. but far from all of them.

This is done after the filter table because of a number of reasons within these scripts. while the nat table acts as a layer lying around the filter table. 1. OUTPUT chain . At this point we should add all rules within the INPUT chain. Normally I will set DROP policies on the chains in the filter table. which could possibly lead to packets getting through the firewall at just the wrong timepoint (ie. You may as well put this later on in your script. First of all we do not want to turn the whole forwarding mechanism and NAT function on at a too early stage. This way we will get rid of all ports that we do not want to let people use. Create content in user specified chains . Also. Nothing special about this decision.At this point we create all the user specified chains that we want to use later on within this table. when the NAT has been turned on.Set up all the default policies for the systemchains. There is no reason for you to stay with this structure. 2. Filter table .After creating the user specified chains we may as well enter all the rules within these chains.html 21:25:51 10/06/2002 . and specifically ACCEPT services and streams that I want to allow inside.After the filter table we take care of the nat table. namely the ACCEPT policy.At this point we go on to add the rules within the FORWARD chain.First of all we set up all the default policies within the nat table.When we have come this far. we do not have a lot of things left to do within the filter table so we get onto the INPUT chain. 1. nat table . however. but not too far from reality. it is totally up to you. This table should not be used for filtering anyways. The only reason I have to enter this data at this point already is that may as well put it close to the creation of the user specified chains. do try to avoid mixing up data from different tables and chains since it will become much harder to read such rulesets and to fix possible problems. INPUT chain .Iptables Tutorial 1. 6. I look upon the nat table as a sort of layer that lies just outside the filter table and kind of surrounds it. and finally the mangle table lies around the nat table as a second layer. but none of the filter rules has been run). This may be wrong in some perspectives. Normally. First of all we should set up all the policies in the table. 3. Create user specified chains .Last of all in the filter table. At this point we start following the output from the iptables -L command as you may see. FORWARD chain . we add the rules dealing with the OUTPUT chain.org/andreasson/iptables-tutorial/iptables-tutorial. There should hopefully not be too much to do at this point. Set policies . Set policies .9 Página 62 1. We will not be able to use these chains in the systemchains anyways if they are not already created so we could as well get to it as soon as possible.First of all we go through the filter table and its content. 2. 5.unix-fu. The filter table would hence be the core. and we http://people. I will be satisfied with the default policy set from the beginning. 4.1.

If anyone has a reason to use this chain. but in certain cases we are forced to use the MASQUERADE target instead. send me a line and I will add it to the tutorial. As it looks now. Since I have barely used the mangle table at all in the scripts.1. Create user specified chains .html 21:25:51 10/06/2002 . mangle table . Set policies .The last table to do anything about is the mangle table. 1. PREROUTING chain . Create user specified chains . 3.The PREROUTING chain is used to do DNAT on packets in case we have any need for it. 5. it is not broken. 4. unless they have specific needs. http://people. In most scripts this feature is not used. Within some scripts we have this turned on by default since the sole purpose of those scripts are to provide such services.The POSTROUTING chain should be fairly well used by the scripts I have written since most of them depend upon the fact that you have one or more local networks that we want to firewall against the Internet.Iptables Tutorial 1. since it should normally not be used for anyone. We add this material here since I do not see any reason not to. just in case. this section was added just in case someone. Create content in user specified chains . Note that the user specified chains must be created before they can actually be used within the systemchains. 6.Create all the user specified chains. The same thing goes here as for the nat table pretty much. and you are encouraged not to do so either.Set the default policies within the chain. I have in other words chosen to leave these parts of the scripts more or less blank.unix-fu.9 Página 63 should not let packets be dropped here since there are some really nasty things that may happen in such cases due to our own presumptions. and hence you should avoid it all together.By now it should be time to add all the rules to the user specified chains in the nat table. 2. However. The table was not made for filtering. The same thing goes here as for the user specified chains in the filter table. such as masking all boxes to use the exact same TTL or to change TOS fields etcetera. I have not set any policies in any of the scripts in the mangle table one way or the other. Normally I do not have any of these. but I have added this section anyways.At this point we create any user specified chains that we want within the nat table. would have the need for it in the future. or at the very least commented out. Mainly we will try to use the SNAT target.org/andreasson/iptables-tutorial/iptables-tutorial. 7. 4. I let these chains be set to ACCEPT since there is no reason not to do so.The OUTPUT chain is barely used at all in any of the scripts. or I. POSTROUTING chain . Normally I will not use this table at all. with a few exceptions where I have added a few examples of what it may be used for. but I have been unable to find any good reasons to use this chain so far. I have neither created any chains here since it is fairly unusable without any data to use within it. OUTPUT chain . reason being that we do not want to open up big holes to our local network without knowing about it.

INPUT chain .html 21:25:51 10/06/2002 . 7.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. 8.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.9 Página 64 3. 6. Do note that these descriptions are extremely brief.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. rc.1. 4. POSTROUTING chain . 5.Iptables Tutorial 1.If you have any user specified chains within this table. OUTPUT chain . Hopefully this should explain more in detail how each script is structured and why they are structured in such a way.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. Create content in userspecified chains .txt http://people. PREROUTING .org/andreasson/iptables-tutorial/iptables-tutorial.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. you may att this point add the rules that you want within them here.firewall. FORWARD chain . and should mainly just be seen as a brief explanation to what and why the scripts has been split down as they have.unix-fu. There is nothing that says that this is the only and best way to go.

SLIPor some other protocol that assigns you an IP automatically. and hence don't use DHCP.txt script is the main core on which the rest of the scripts are based upon. If you are looking for a script that will work with those setups.DHCP.1. PPP. This script also makes the assumption that you have a static IP to the Internet.firewall file chapter should explain every detail in the script most thoroughly. where you have one LAN and one Internet Connection. The rc.txt script.firewall. rc.DMZ.9 Página 65 The rc. For example.firewall. please take a closer look at the rc.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.firewall.Iptables Tutorial 1.unix-fu. Mainly it was written for a dual homed network.txt http://people.

one for the broadcast address and one for the network address. and not to our external DNS IP. but it will not tell you exactly what you need to do since it is out of the scope of the tutorial.0/24 and consists of a Trusted Internal Network. giving the firewall one IP both internally and externally. then we use DNAT. the packet will be destined for the actual DNS internal network IP. The other one uses IP range 192. one is to set 1-to-1 NAT.org/andreasson/iptables-tutorial/iptables-tutorial. We will show a short example of how the DNAT code looks: $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP http://people. For example. You need to have two internal networks with this script as you can see from the picture. If the packet would not have been translated. One uses IP range 192. which stands for Destination Network Adress Translation.168. you must make the box recognise packets for more than one IP.Iptables Tutorial 1. one De-Militarized Zone and one Internet Connection. the DNS wouldn't have answered the packet.html 21:25:51 10/06/2002 . There are several ways to get this to work. another one if you have a whole subnet is to create a subnetwork. this tutorial will give you the tools to actually accomplish the firewalling and NAT'ing part.0. This is pretty much up to you to decide and to implement.0/24 and consists of the De-Militarized Zone which we will do 1-to-1 NAT to. The De-Militarized Zone is in this case 1-to-1 NAT'ed and requires you to do some IP aliasing on your firewall.1. You could then set the IP's to the DMZ'ed boxes as you wish.txt script was written for those people out there that has one Trusted Internal Network.DMZ.9 Página 66 The rc. Do note that this will "steal" two IP's for you.unix-fu.168. ie.firewall. When the DNS sees our packet. to send the packet on to our DNS on the DMZ network.1. if someone from the internet sends a packet to our DNS_IP.

This script will allow people who uses DHCP. in other words Destination NAT. mail me since it is probably a fault on my side.firewall. I've had some people mail me and ask about the problem so this script will be a good solution for you.txt script is pretty much identical to the original rc.txt The rc.unix-fu. The main changes done to the script consists of erasing the STATIC_IP variable as I already said and deleting all referenses to this variable.txt. Instead of using this variable the script now does it's main http://people. which is the main change to the original rc.9 Página 67 First of all. it automatically gets un-DNAT'ed. By now you should have enough understanding of how everything works to be able to understand this script pretty well without any huge complications. If there is something you don't understand.firewall.Iptables Tutorial 1.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. However.firewall. that hasn't been gone through in the rest of the tutorial.firewall. The reason is that this won't work together with a dynamic IP connection.DHCP. PPP and SLIP connections to connect to the internet. however. Then we look for TCP protocol on our $INET_IFACE with destination IP that matches our $DNS_IP. DNAT can only be performed in the PREROUTING chain of the nat table. in other words the IP of the DNS on our DMZ network. When the reply to the DNAT'ed packet is sent through the firewall.DHCP. and is directed to port 53. If we actually get such a packet we give a target of DNAT. which is the TCP port for zone transfers between DNS's. this script no longer uses the STATIC_IP variable. This is how basic DNAT works.txt script. After that we specify where we want the packet to go with the --to-destination option and give it the value of $DMZ_DNS_IP.1. rc. The actual changes needed to be done to the original script is minimal.

1.1. but at the same time operate a script from the PPP daemon. but it is questionable.org iptables site which has a huge collection of scripts available to download. http://people. for example. It is possible to get by.txt script. grep the correct line which contains the IP address and then cuts it down to a manageable IP address. which contains static links back to the same host. without hurting the already existing ones. if you want to block hosts on your LAN to connect to the firewall. This is pretty much the only changes made and that's all that's needed really. If we go to the main page. it is rather harsh to add and erase rules all the time. we would get a real hard trouble. However.html 21:25:51 10/06/2002 . This also applies in a sense to the case where we got a static IP.org site from the Other resources and links appendix. there are serious drawbacks with this approach. it is easier to spot problems. The NAT'ed box would ask the DNS for the IP of the HTTP server. One great example is if we are running an HTTP on our firewall. which could be some dyndns solution. As you may read from above. We can no longer filter in the INPUT chain depending on. --in-interface $LAN_IFACE --dst $INET_IP. as seen above which in turn could lead to security compromises.org/andreasson/iptables-tutorial/iptables-tutorial.firewall. and if so ACCEPT them. and to keep order in it. If the script is kept simple. but in such cases it could be gotten around by adding rules which checks the LAN interface packets for our INET_IP. There is some more things to think about though. A good way to do this.Iptables Tutorial 1. or write one. would e to use for example the ip-up scripts provided with pppd and some other programs. there is the possibility to add something like this to your scripts: INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1` The above would automatically grab the IP address of the $INET_IFACE variable. how would you do it without erasing your already active rules blocking the LAN? 3. I would definitely advise you to use that script if at all possible since this script is more open to attacks from the outside. We could for example make a script that grabs the IP from ifconfig and adds it to a variable. the NAT'ed box would be unable to get to the HTTP because the INPUT chain would DROP the packets flat to the ground. If you got rules that are static and always want to be around.9 Página 68 filtering on the variable INET_IFACE. for example. In other words -d $STATIC_IP has been changed to -i $INET_IFACE. For a good site. upon bootup of the internet connection.unix-fu. 2. check out the linuxguruz. as described in the following list. In case we filter based on interface and IP. then try to access that IP. For example. This in turn forces us to filter only based on interfaces in such cases where the internal machines must access the internet adressable IP. Also. it will hang all currently active connections due to the NEW not SYN rules (see the State NEW packets but no SYN bit set section). You will find a link to the linuxguruz. It may get unnecessarily complicated. If the script is run from within a script which in turn is executed by. the PPP daemon. that handles dynamic IP in a better sense. This script might be a bit less secure than the rc. if you get rid of the NEW not SYN rules for example. it may be a good idea to grab a script.

The only things we actually allow is POP3. and setting up masquerading etcetera. It's not very different from the original rc. This is a sad fact.txt script.txt script can be used to test all the different chains.txt script will in contrast to the other scripts block the LAN that is sitting behind us.test-iptables.html 21:25:51 10/06/2002 . not even our own employees. In other words.test-iptables.9 Página 69 rc.Iptables Tutorial 1.txt The rc.unix-fu.UTIN.org/andreasson/iptables-tutorial/iptables-tutorial. It will work for mostly everyone though who has all the basic set up and all the basic tables loaded into kernel.firewall.firewall.UTIN. We also don't trust the internal users to access the firewall more than we trust users on the Internet.firewall. we don't trust anyone on any networks we are connected to. We also disallow people on our LAN to do anything but specific tasks on the Internet. but a large part of the hacks and cracks that a company gets hit by is a matter of people from their own staff perpetrating the hit.1.txt The rc. but it might need some tweaking depending on your configuration. All it really does is set some LOG targets which will log ping reply's http://people. but it does give a few hints at what we would normally let through etc. This script follows the golden rule to not trust anyone. This script will hopefully give you some clues as to what you can do with your firewall to strengthen it up. such as turning on ip_forwarding. HTTP and FTP access to the internet. rc.

OUTPUT and FORWARD chains of the filter table.org/andreasson/iptables-tutorial/iptables-tutorial. we jump down to the next section where we erase all the user specified chains in the NAT and filter tables.9 Página 70 and ping requests. This way. After this we flush all chains first in the filter table and then in the NAT table.flush-iptables.html 21:25:51 10/06/2002 . When this step is done. Certain people has mailed me asking from me to put this script into the original rc.the. For example.on. we consider the script done.flush-iptables.Iptables Tutorial 1. which we have discussed briefly previously in the How a rule is built chapter. run this script and then do: ping -c 1 host. This should show you all the different chains used and in which order. This way we know there is no redundant rules lying around anywhere. In other words.firewall script using redhat Linux syntax where you type something like rc. The rc. POSTROUTING and OUTPUT chains of the nat table.unix-fu. and hence we only care about opening the whole thing up and reset it to default values.txt script will reset and flush all your tables and chains. it's not a good idea to have rules like this that logs everything of one sort since your log partitions might get filled up quickly and it would be an effective Denial of Service attack against you and might lead to real attacks on you that would be unlogged after the initial Denial of Service attack.internet And tail -n 0 -f /var/log/messages while doing the first command. When all of this is done. We do this first so we won't have to bother about closed connections and packets not getting through. You may consider adding rules to flush your MANGLE table if you use it. After this we reset the default policies of the PREROUTING. This would look like the following: http://people. Adding shell script syntax and other things makes the script harder to read as far as I am concerned and the tutorial was written with readability in mind and will continue being so. This script was written for testing purposes only.flush-iptables.firewall start and the script starts. This script is intended for actually setting up and troubleshooting your firewall. The script starts by setting the default policies to ACCEPT on the INPUT.txt The rc. you will get information on which chain was traversed and in which order. Detailed explanations of special commands Listing your active ruleset To list your currently active ruleset you run a special option to the iptables command. unless the log entries are swapped around for some reason. One final word on this issue.1.txt script should not really be called a script in itself. I will not do that since this is a tutorial and should be used as a place to fetch ideas mainly and it shouldn't be filled up with shell scripts and strange syntax. However. rc.

168. It would then look something like this: iptables -L -n -v There is also a few files that might be interesting to look at in the /proc filesystem. you might just change the -A parameter to -D in the line you added in error. and translate everything possible to a more readable form.0. ie 192. iptables -F INPUT will erase the whole INPUT chain. do as how you set it to DROP. To reset the chain policy. For example.9 Página 71 iptables -L This command should list your currently active ruleset. so if this is set to DROP you'll block the whole INPUT chain if used as above. this will not change the default policy. in case you've got multiple lines looking exactly the same in the chain.1. Updating and flushing your tables If at some point you screw up your iptables. For example. This table can not be edited and even if it was possible. I've actually gotten this question a couple times by now so I thought I'd answer it right here. to something useful.org/andreasson/iptables-tutorial/iptables-tutorial. in this case you might want to run the -F option. This table contains all the different connections currently tracked and serves as a basic table so we always know what state a connection currently is in. If this is not the wanted behaviour you might try to use the -D option as iptables -D INPUT 10 which will erase the 10th rule in the INPUT chain. There is also instances where you want to flush a whole chain. To get around this problem we would do something like the following: iptables -L -n Another thing that might be interesting is to see a few statistics about each policy. We could get this by adding the verbose flag. iptables will find the erroneous line and erase it for you. for example iptables -P INPUT ACCEPT. For example. it might be interesting to know what connections are currently in the conntrack table. so you don't have to reboot. If you added a rule in error. it is rather simple to add http://people. The later can be a bit of a problem though.firewall. if you start mucking around in the mangle table.Iptables Tutorial 1. though. One thing though. this script will not erase those. it will translate all the different ports according to the /etc/ services file as well as DNS all the IP addresses to get DNS records instead.txt file properly. 192. it erases the first instance it finds matching your rule. I have made a small script (available as an appendix as well) that will flush and reset your iptables that you might consider using while setting up your rc. it will try to resolve LAN IP addresses. it would be a bad idea.0/16 is a private range though and should not resolve to anything and the command will seem to hang while resolving the IP. For example.unix-fu.1. To see the table you can run the following command: cat /proc/net/conntrack | less The above command will show all currently tracked connections even though it might be a bit hard to understand everything.html 21:25:51 10/06/2002 .1. rule and chain.168. there are actually commands to flush them.

If you use state NEW. What these modules do is that they add support to the connection tracking machine and the NAT machine so they can distinguish and modify a Passive FTP connection or a DCC send connection. As you can understand from this document.9 Página 72 the few lines needed to erase those but I have not added those here since the mangle table is not used in my rc. that is what the ip_nat_ftp module does. but not DCC send. you would load the ip_conntrack_ftp and ip_nat_ftp modules. This feature makes it possible to have two or more firewalls. This feature is there because in certain cases we want to consider that a packet may be part of an already ESTABLISHED connection on.x kernels. In case your client sits behind a Network Address Translationing system (iptables). well. State NEW packets but no SYN bit set There is a certain feature in iptables that is not so well documented and may therefore be overlooked by a lot of people(yes. If you for example want to allow Passive FTP. ip_nat_irc. for instance. packets with the SYN bit unset will get through your firewall. you'd just load the ip_conntrack_irc and ip_nat_irc modules. and for one of the firewalls to go down without any http://people. during Active FTP the client sends the server an IP address and random port to use and then the server connects to this port on the client. Common problems and questionmarks Passive FTP but no DCC This is one of the really nice parts about the new iptables support in the 2. ip_conntrack_ftp and ip_nat_ftp code as modules and not statically into the kernel. but not allow DCC send functions with the new state matching code. In Passive FTP. if you want to let people run IRC from your local network which is using a NAT'ed or masqueraded connection to the internet.txt script so far.4.Iptables Tutorial 1. then the packets data section needs to be NAT'ed too. its quite simple once you get to think of it. Without these modules they can't recognize these kinds of connections. but not the ip_conntrack_ftp and ip_nat_ftp modules.html 21:25:51 10/06/2002 . Reynolds. read RFC 959 .org/andreasson/iptables-tutorial/iptables-tutorial. If you would want to do the reverse. Just compile the ip_conntrack_irc. but not the ip_conntrack_irc and ip_nat_irc modules and then do: /usr/local/sbin/iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT To allow Passive FTP but not DCC.firewall. The client tells the server that it wants to send or receive data and the server replies. Postel and J. You may ask yourself how. including me). another firewall.File Transfer Protocol by J. ie. you can for example allow Passive FTP connections.1. This RFC contains information regarding the FTP protocol and Active and Passive FTP and how they work. the proceeding is reversed. For more information about Active and Passive FTP.unix-fu. Do note that the ip_nat_* modules are only needed in case you need and want to do Network Adress Translation on the connections. telling the client what address to connect to and what port to use.

or if you are worried anyways. which uses the 10. then load the NEW not SYN packet rules. Finally. In other words.unix-fu. Hence. This only applies when you are running with the conntrack and nat codebases as modules.x. the packet will match to the rules and be logged and afterwards dropped to the ground. set the --log-headers option to the rule and log the headers too and you'll get a better look at what the packet looks like. For example. To put it simple. you connect with telnet or some other stream connection. The above rules will lead to certain conditions where packets generated by microsoft products gets labeled as a state NEW and hence get logged and dropped. and you have the script set to be activated when running a PPP connection. In other words. and the modules are loaded and unloaded each time you run the script.x. regardless if this is the initial 3-way handshake or not. the swedish Internet Service Provider and phone monopoly Telia uses this approach for example on their DNS servers. when you start the PPP connection. also there will be no SYN bits set since it is not actually the first packet in the connection.x IP address range. At this point the faulty Microsoft implementation sends another packet which is considered as state NEW but lacks the SYN bit and hence gets matched by the above rules. Note that there is some troubles with the above rules and bad Microsoft TCP/IP implementations. To take care of this problem we add the following rules to our firewalls INPUT. There is one more known problem with these rules. don't worry to much about this rule. a huge warning is in it's place for this kind of behaviour on your firewall. In this case. It will however not lead to broken connections to my knowledge. If someone is currently connected to the firewall.html 21:25:51 10/06/2002 .firewall.txt script from a telnet connection from a host not on the actual firewall. The matter is that when a connection gets closed and the final FIN/ACK has been sent and the state machine of netfilter has closed this connection and it is no longer in the conntrack table.This does however lead to the fact that state NEW will allow pretty much any kind of TCP connection.9 Página 73 loss of data. Another way to get this problem is to run the rc. the person previously connected through the LAN will be more or less killed.1. Start the connection tracking modules. The problem http://people. the connection tracking code will not recognise this connection as a legal connection since it has not seen packets in any direction on this connection before.org/andreasson/iptables-tutorial/iptables-tutorial. Internet Service Providers who use assigned IP addresses I have added this since a friend of mine told me something I have totally forgotten. OUTPUT and FORWARD chain: $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP The above rules will take care of this problem. This is a badly documented behaviour of the netfilter/iptables project and should definitely be more highlighted. the telnet client or daemon tries to send something. lets say from the LAN.Iptables Tutorial 1. The firewalling of the subnet could then be taken over by our secondary firewall. Certain stupid Internet Service Providers use IP addresses assigned by IANA for their local networks on which you connect to.

0. ICMP types TYPE CODE Description 0 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Echo Reply Network Unreachable Host Unreachable Protocol Unreachable Port Unreachable Fragmentation needed but no frag.html 21:25:51 10/06/2002 . You might just insert an ACCEPT rule above the spoof section to allow traffic from those DNS servers.1. or you could just comment out that part of the script.1/32 -j ACCEPT I would like to take my moment to bitch at these Internet Service Providers. ICMP types This is a complete listing of all ICMP types: Table 1. This is how it might look: /usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10. or your own home network. These IP address ranges are not assigned for you to use for dumb stuff like this. here is unfortunately an example where you actually might have to lift a bit on those rules. bit set Source routing failed Destination network unknown Destination host unknown Source host isolated (obsolete) Destination network administratively prohibited Destination host administratively prohibited Network unreachable for TOS Host unreachable for TOS Communication administratively prohibited by filtering Host precedence violation Query x x x x x x x x x x x x x x x x Error http://people.org/andreasson/iptables-tutorial/iptables-tutorial. but you are not supposed to force us to open up ourself just because of some whince of yours.x. in this script. because of spoofing possibilities. at least not to my knowledge.Iptables Tutorial 1. Well.9 Página 74 you will most probably run into is that we.0. do not allow connections from any IP addresses in the 10.x. For large corporate sites it is more than ok.unix-fu.x range to us.

9 Página 75 3 4 5 5 5 5 8 9 10 11 11 12 12 13 14 15 16 17 18 15 0 0 1 2 3 0 0 0 0 1 0 1 0 Precedence cutoff in effect Source quench Redirect for network Redirect for host Redirect for TOS and network Redirect for TOS and host Echo request Router advertisement Route sollicitation TTL equals 0 during transit TTL equals 0 during reassembly IP header bad (catchall error) Required options missing Timestamp request (obsolete) Timestamp reply (obsolete) x x x x x x x x x x x x 0 0 0 0 Information request (obsolete) Information reply (obsolete) Address mask request Address mask reply Other resources and links Here is a list of links to resources and where I have gotten information from.org/ .2.4. iptables.Iptables Tutorial 1. It is a must for everyone wanting to set up iptables and netfilter in linux.from the 2.4 man page.from the 2. ip_dynaddr. etc : ip-sysctl.org/andreasson/iptables-tutorial/iptables-tutorial.14 kernel. Always have it at hand.The iptables 1.unix-fu.4. http://people. A little bit short but a good reference for the IP networking controls and what they do to the kernel.The official netfilter and iptables site.1.html 21:25:51 10/06/2002 . A really short reference to the ip_dynaddr settings available via sysctl and the proc filesystem. This is an HTML'ized version of the man page which is an excellent reference when reading/writing iptables rulesets.txt .txt .8 .14 kernel.filewatcher. http://netfilter.

Excellent information about the CBQ. One of the few sites that has any information at all about these programs. For helping me out on some aspects on using the state matching code. Rusty Russell.Rusty Russells Unreliable Guide to Network Address Translation.Rusty Russells Unreliable Netfilter Hacking HOWTO. One of the few documentations on how to write code in the netfilter and iptables userspace and kernel space codebase. http://netfilter. http://netfilter. Marc Boucher. http://lists. documentation and individuals who helped me. Excellent documentation about basic packet filtering with iptables written by one of the core developers of iptables and netfilter.org/unreliable-guides/NAT-HOWTO/index.html . For major updates to my horrible grammar and spelling.filewatcher. Also a good place to stat at when wondering what iptables and netfilter is about.html .Iptables Tutorial 1.filewatcher.filewatcher. Extremely useful in case you have questions about something not covered in this document or any of the other links here.The official netfilter Frequently Asked Questions.filewatcher. tc and the ip commands in Linux. http://www.org/iptables/ .Rusty Russells Unreliable Guide to packet filtering.9 Página 76 http://netfilter.1.unix-fu. Also maintains a list of different iptables scripts for different purposes.linuxguruz. Maintained by Stef Coene.org/mailman/listinfo/netfilter .org/unreliable-guides/packet-filtering-HOWTO/index.html .samba.Excellent linkpage with links to most of the pages on the internet about iptables and netfilter.islandsoft.org/andreasson/iptables-tutorial/iptables-tutorial. And of course the iptables source. This was also written by Rusty Russell.Excellent discussion on automatic hardening of iptables and how to make small changes that will make your computer automatically add hostile sites to a special banlist in iptables.The official netfilter mailing-list.net/veerapen. http://netfilter. Also a huge thanks for updating the tutorial to DocBook format with make files etc.org/netfilter-faq.html . http://www.docum. Acknowledgements I would like to thank the following people for their help on this document: Fabrice Marie. Excellent documentation about Network Address Translation in iptables and netfilter written by one of the core developers. http://people.html . http://www.org/unreliable-guides/netfilter-hacking-HOWTO/index.html 21:25:51 10/06/2002 .org .

1. Chapman Brad. History Version 1. Myles Uyema. Jeremy `Spliffy' Smith. Phil Schultz. For greatly improving the rc.firewall rules and giving great inspiration while i was to rewrite the ruleset and being the one who introduced the multiple table traversing into the same file. Dave Wreski. Bill Dossett.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Parimi Ravi. Kelly Ashe. Michiel Brandenburg. Adam Mansbridge. Version 1.1. Göran Båge. Phil Schultz.unix-fu.9 Página 77 Frode E. and you're better than most I know who do graphics.8 (5 March 2002) http://www.).com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Version 1. Both for making me realize I was thinking wrong about how packets traverse the basic NAT and filters tables and in which order they show up. For helping me out with the graphics.6 (7 December 2001) http://people.boingworld. For giving me hints at stuff that might screw up for people and for trying it out and checking for errors in what I've written.9 (21 March 2002) http://www. or at least on the internet for you.Iptables Tutorial 1. Peter Horst. Doug Monroe. Also thanks for checking the tutorial for errors etc.html 21:25:51 10/06/2002 . Jelle Kalf. Anders 'DeZENT' Johansson. Thomas Smets. Vasoo Veerapen. Galen Johnson.org/andreasson/ By: Oskar Andreasson Contributors: Jim Ramsey.1. Neil Jolly. Jasper http://people. Steven McClintoc. Erik Sjölund.1. sorry for not mentioning everyone.7 (4 February 2002) http://www. Jason Lam and Evan Nemerson Version 1. Janne Johansson. And of course everyone else I talked to and asked for comments on this file. Kent `Artech' Stahre. For helping me out with some of the state matching code and getting it to work. For hinting me about strange ISP's and so on that uses reserved networks on the Internet. Janssen.boingworld.boingworld. Mitch Landers.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Vince Herried.unix-fu. Nyboe. Aladdin and Rusty Russell. I know I suck at graphics. Togan Muftuoglu.org/andreasson/iptables-tutorial/iptables-tutorial.1. Alexander W.

8 (7 September 2001) http://people.unix-fu.7 (23 August 2001) http://people.9 Página 78 Aikema.1.org/andreasson By: Oskar Andreasson Version 1.1.Emile Akabi-Davis and Jelle Kalf Version 1.unix-fu.1.org/andreasson By: Oskar Andreasson Version 1. Chris Pluta and Kurt Lieber Version 1. Chris Tallon.unix-fu.unix-fu.unix-fu.unix-fu.org/andreasson By: Oskar Andreasson Version 1.5 http://people.1. Branco.org/andreasson By: Oskar Andreasson Contributors: Joni Chu. Jonas Pasche.org/andreasson/ By: Oskar Andreasson Contributors: Fabrice Marie.0.1.1 (26 September 2001) http://people.0 (15 September 2001) http://people.org/andreasson By: Oskar Andreasson Contributors: Stig W. Jan Labanowski.0.unix-fu.0.org/andreasson/iptables-tutorial/iptables-tutorial.9 (9 September 2001) http://people.html 21:25:51 10/06/2002 .4 (6 November 2001) http://people.3 (9 October 2001) http://people.org/andreasson By: Oskar Andreasson Contributors: Dave Richardson Version 1.unix-fu.6 http://people. Merijn Schering and Kurt Lieber Version 1.5 (14 November 2001) http://people.1.unix-fu.unix-fu. Jensen.0.unix-fu. Rodrigo R.1.0.org/andreasson By: Oskar Andreasson Version 1.org/andreasson By: Oskar Andreasson Version 1. Steve Hnizdur. Jacco van Koll and Dave Wreski Version 1.2 (29 September 2001) http://people.Iptables Tutorial 1.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie Version 1. Kurt Lieber. Chris Martin. N.

below. Secondarily. because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. March 2000 Copyright (C) 2000 Free Software Foundation. but changing it is not allowed.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie GNU Free Documentation License Version 1. Boston. or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it. http://people.unix-fu. and is addressed as "you". We recommend this License principally for works whose purpose is instruction or reference. 59 Temple Place. or with modifications and/or translated into another language. refers to any such manual or work. regardless of subject matter or whether it is published as a printed book.1. Inc. either copied verbatim.org/andreasson/iptables-tutorial/iptables-tutorial. It complements the GNU General Public License. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document.html 21:25:51 10/06/2002 .1. which is a copyleft license designed for free software. this License preserves for the author and publisher a way to get credit for their work. it can be used for any textual work. We have designed this License in order to use it for manuals for free software. This License is a kind of "copyleft". textbook. Any member of the public is a licensee. either commercially or noncommercially. 1. with or without modifying it.Iptables Tutorial 1.unix-fu. while not being considered responsible for modifications made by others. A "Modified Version" of the Document means any work containing the Document or a portion of it.9 Página 79 http://people. But this License is not limited to software manuals. Suite 330. APPLICABILITY AND DEFINITIONS This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. PREAMBLE The purpose of this License is to make a manual. The "Document". 0. which means that derivative works of the document must themselves be free in the same sense.

A "Transparent" copy of the Document means a machine-readable copy. represented in a format whose specification is available to the general public. legibly. A copy that is not "Transparent" is called "Opaque". whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor. philosophical.html 21:25:51 10/06/2002 . the title page itself. However. you may accept compensation in exchange for copies. either commercially or noncommercially. preceding the beginning of the body of the text.Iptables Tutorial 1. and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. and standardconforming simple HTML designed for human modification. For works in formats which do not have any title page as such. in the notice that says that the Document is released under this License. the copyright notices. proprietary formats that can be read and edited only by proprietary word processors. 2. SGML or XML for which the DTD and/or processing tools are not generally available. The "Invariant Sections" are certain Secondary Sections whose titles are designated. SGML or XML using a publicly available DTD. and you may publicly display copies. Examples of suitable formats for Transparent copies include plain ASCII without markup.unix-fu. plus such following pages as are needed to hold.9 Página 80 (For example. PDF. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. VERBATIM COPYING You may copy and distribute the Document in any medium. The "Cover Texts" are certain short passages of text that are listed. as being those of Invariant Sections. if the Document is in part a textbook of mathematics. You may also lend copies.) The relationship could be a matter of historical connection with the subject or with related matters. a Secondary Section may not explain any mathematics. LaTeX input format. for a printed book. The "Title Page" means. or of legal.org/andreasson/iptables-tutorial/iptables-tutorial. in the notice that says that the Document is released under this License. as Front-Cover Texts or BackCover Texts. "Title Page" means the text near the most prominent appearance of the work's title. provided that this License. ethical or political position regarding them. If you distribute a large enough number of copies you must also follow the conditions in section 3. the material this License requires to appear in the title page. and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. under the same conditions stated above. Texinfo input format. and the license notice saying this License applies to the Document are reproduced in all copies. Opaque formats include PostScript. commercial. and the machine-generated HTML produced by some word processors for output purposes only.1. http://people.

In addition. and Back-Cover Texts on the back cover. all these Cover Texts: Front-Cover Texts on the front cover. you must do these things in the Modified Version: A. one or more persons or entities responsible for authorship of the modifications in the Modified Version. If the required texts for either cover are too voluminous to fit legibly. free of added material. if any) a title distinct from that of the Document. can be treated as verbatim copying in other respects.html 21:25:51 10/06/2002 . Both covers must also clearly and legibly identify you as the publisher of these copies. B. Copying with changes limited to the covers. if it has less than five). you must take reasonably prudent steps. or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above. together with at least five of the principal authors of the Document (all of its principal authors. Use in the Title Page (and on the covers. You may add other material on the covers in addition. if there were any. You may use the same title as a previous version if the original publisher of that version gives permission. provided that you release the Modified Version under precisely this License. thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it.9 Página 81 3.1. as long as they preserve the title of the Document and satisfy these conditions. you should put the first ones listed (as many as fit reasonably) on the actual cover. COPYING IN QUANTITY If you publish printed copies of the Document numbering more than 100. to give them a chance to provide you with an updated version of the Document.unix-fu. you must either include a machine-readable Transparent copy along with each Opaque copy. It is requested. List on the Title Page. as authors. with the Modified Version filling the role of the Document. http://people. clearly and legibly. when you begin distribution of Opaque copies in quantity. The front cover must present the full title with all words of the title equally prominent and visible. to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. that you contact the authors of the Document well before redistributing any large number of copies.Iptables Tutorial 1. If you publish or distribute Opaque copies of the Document numbering more than 100. be listed in the History section of the Document). If you use the latter option. 4.org/andreasson/iptables-tutorial/iptables-tutorial. and from those of previous versions (which should. but not required. which the general network-using public has access to download anonymously at no charge using public-standard network protocols. you must enclose the copies in covers that carry. and the Document's license notice requires Cover Texts. and continue the rest onto adjacent pages.

create one stating the title. if any. authors. and likewise the network locations given in the Document for previous versions it was based on. If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document. and publisher of the Modified Version as given on the Title Page. Include. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices. J. you may at your option designate some or all of these sections as invariant. in the form shown in the Addendum below. These may be placed in the "History" section. year. If there is no section entitled "History" in the Document. add their titles to the list of Invariant Sections in the Modified Version's license notice. E. preserve the section's title. immediately after the copyright notices. These titles must be distinct from any other section titles. then add an item describing the Modified Version as stated in the previous sentence.Iptables Tutorial 1. provided it contains nothing but endorsements of your Modified Version by various parties--for example. http://people.1. State on the Title page the name of the publisher of the Modified Version. Preserve all the copyright notices of the Document. Delete any section entitled "Endorsements". Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section. Section numbers or the equivalent are not considered part of the section titles. statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.org/andreasson/iptables-tutorial/iptables-tutorial. and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein. given in the Document for public access to a Transparent copy of the Document. G. H. and publisher of the Document as given on its Title Page. Include an unaltered copy of this License. Preserve all the Invariant Sections of the Document. year. L. or if the original publisher of the version it refers to gives permission. In any section entitled "Acknowledgements" or "Dedications". K. unaltered in their text and in their titles. D. Preserve the section entitled "History". and its title. as the publisher. F. N.html 21:25:51 10/06/2002 . M. You may omit a network location for a work that was published at least four years before the Document itself. You may add a section entitled "Endorsements". and add to it an item stating at least the title. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice. I.9 Página 82 C.unix-fu. a license notice giving the public permission to use the Modified Version under the terms of this License. To do this. Such a section may not be included in the Modified Version. new authors. Preserve the network location.

Iptables Tutorial 1.1.9

Página 83

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice. The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT
http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 84

WORKS
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document. If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.

8. TRANSLATION
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.

9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/. Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 85

following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

How to use this License for your documents
To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page: Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License". If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts. If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

GNU General Public License
Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 86

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.

1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 87

having been made by running the Program). Whether that is true depends on what the Program does. 3. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 4. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: 1. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 2. You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. 3. If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 5. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Accompany it with the information you received as to the offer to distribute corresponding source code. distributing or modifying the Program or works based on it. Therefore.1. You may not copy. sublicense or distribute the Program is void. even though third parties are not compelled to copy the source along with the object code. If distribution of executable or object code is made by offering access to copy from a designated place. A. a complete machine-readable copy of the corresponding source code. Accompany it with the complete corresponding machine-readable source code. modify. the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler. and will automatically terminate your rights under this License. or. or distribute the Program except as expressly provided under this License. unless that component itself accompanies the executable. These actions are prohibited by law if you do not accept this License.org/andreasson/iptables-tutorial/iptables-tutorial. 8.9 Página 88 one of the following: 6. distribute or modify the Program subject to these terms and conditions. However. parties who have received copies. which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. http://people. sublicense. 7. and all its terms and conditions for copying. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer. to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. as a special exception. valid for at least three years. Any attempt otherwise to copy. C. B. However. kernel. you indicate your acceptance of this License to do so. complete source code means all the source code for all modules it contains.unix-fu. plus any associated interface definition files. and so on) of the operating system on which the executable runs. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. or. since you have not signed it. to give any third party. 9. or rights. You are not required to accept this License. Accompany it with a written offer. However. by modifying or distributing the Program (or any work based on the Program). then offering equivalent access to copy the source code from the same place counts as distribution of the source code. modify. plus the scripts used to control compilation and installation of the executable. You are not responsible for enforcing compliance by third parties to this License.html 21:25:51 10/06/2002 . Each time you redistribute the Program (or any work based on the Program). For an executable work. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.) The source code for a work means the preferred form of the work for making modifications to it. for a charge no more than your cost of physically performing source distribution. nothing else grants you permission to modify or distribute the Program or its derivative works. the recipient automatically receives a license from the original licensor to copy.Iptables Tutorial 1. in accord with Subsection b above.

they do not excuse you from the conditions of this License.1. For example. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. If the Program specifies a version number of this License which applies to it and "any later version". Such new versions will be similar in spirit to the present version. but may differ in detail to address new problems or concerns.unix-fu. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations. you may choose any version ever published by the Free Software Foundation. this License incorporates the limitation as if written in the body of this License. In such case.9 Página 89 10. write to the author to ask for permission. the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries. we sometimes make exceptions for this. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims. then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.org/andreasson/iptables-tutorial/iptables-tutorial. the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. so that distribution is permitted only in or among countries not thus excluded. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. 12. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system. write to the Free Software Foundation. If any portion of this section is held invalid or unenforceable under any particular circumstance. conditions are imposed on you (whether by court order. Each version is given a distinguishing version number.html 21:25:51 10/06/2002 . which is implemented by public license practices. this section has the sole purpose of protecting the integrity of the free software distribution system.Iptables Tutorial 1. it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. For software which is copyrighted by the Free Software Foundation. If the Program does not specify a version number of this License. If. 11. then as a consequence you may not distribute the Program at all. agreement or otherwise) that contradict the conditions of this License. as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues). http://people. if a patent license would not permit royaltyfree redistribution of the Program by all those who receive copies directly or indirectly through you. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces.

1. INCLUDING. http://people. OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE. 14. YOU ASSUME THE COST OF ALL NECESSARY SERVICING. BE LIABLE TO YOU FOR DAMAGES. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.html 21:25:51 10/06/2002 . EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. and each file should have at least the "copyright" line and a pointer to where the full notice is found.Iptables Tutorial 1. To do so. <one line to give the program's name and a brief idea of what it does. BUT NOT LIMITED TO. attach the following notices to the program. INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS).> Copyright (C) <year> <name of author> This program is free software. EITHER EXPRESSED OR IMPLIED. TO THE EXTENT PERMITTED BY APPLICABLE LAW.unix-fu. NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE. THERE IS NO WARRANTY FOR THE PROGRAM.org/andreasson/iptables-tutorial/iptables-tutorial. END OF TERMS AND CONDITIONS 2. INCLUDING ANY GENERAL. How to Apply These Terms to Your New Programs If you develop a new program.9 Página 90 13. you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. or (at your option) any later version. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND. either version 2 of the License. the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. REPAIR OR CORRECTION. and you want it to be of the greatest possible use to the public. SPECIAL. SHOULD THE PROGRAM PROVE DEFECTIVE. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.

Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY. alter the names: Yoyodyne. <signature of Ty Coon>. Inc. You should have received a copy of the GNU General Public License along with this program. if any.Initial SIMPLE IP Firewall script for Linux 2. they could even be mouse-clicks or menu items--whatever suits your program. and you are welcome to redistribute it under certain conditions. for details type `show w'. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. President of Vice This General Public License does not permit incorporating your program into proprietary programs. hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.unix-fu. Example scripts codebase Example rc.. If the program is interactive. if not. Suite 330. Of course.firewall .html 21:25:51 10/06/2002 . Inc. use the GNU Library General Public License instead of this License. This is free software. MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. if necessary.firewall script #!/bin/sh # # rc.org/andreasson/iptables-tutorial/iptables-tutorial.1. 59 Temple Place. but WITHOUT ANY WARRANTY.. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Here is a sample. See the GNU General Public License for more details. type `show c' for details. the commands you use may be called something other than `show w' and `show c'. to sign a "copyright disclaimer" for the program. You should also get your employer (if you work as a programmer) or your school.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.4. 1 April 1989 Ty Coon. Boston.net> # http://people. make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69. If your program is a subroutine library. write to the Free Software Foundation.Iptables Tutorial 1. you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do.9 Página 91 This program is distributed in the hope that it will be useful.

without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.0/16" LAN_BCAST_ADRESS="192.unix-fu.155" INET_IFACE="eth0" # # 1.255.0.2 Local Area Network configuration.Iptables Tutorial 1. if not. version 2 of the License.2" LAN_IP_RANGE="192.3 DMZ Configuration.9 Página 92 # This program is free software.0 # LAN_IP="192.. http://people. 59 Temple # Place. MA 02111-1307 USA # ########################################################################### # # 1.236. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # # # 1. # INET_IP="194.168. # but WITHOUT ANY WARRANTY. See the # GNU General Public License for more details.168.org/andreasson/iptables-tutorial/iptables-tutorial.2 PPPoE # # # 1. Suite 330. Inc.255.1 Internet Configuration.50. # # your LAN's IP range and localhost IP. write to the Free Software Foundation.1. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.168.html 21:25:51 10/06/2002 .0.1.255. # # This program is distributed in the hope that it will be useful.255" LAN_IFACE="eth1" # # 1.1 DHCP # # # 1. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.1. Configuration options. Boston.

1.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.Iptables Tutorial 1. # IPTABLES="/usr/sbin/iptables" # # 1. # # # Needed to initially load modules # /sbin/depmod -a # # 2.0.html 21:25:51 10/06/2002 .1" # # 1.4 Localhost Configuration. # ########################################################################### # # 2. # LO_IFACE="lo" LO_IP="127.0.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT http://people.org/andreasson/iptables-tutorial/iptables-tutorial. Module loading.6 Other Configuration.5 IPTables Configuration.9 Página 93 # # # 1.unix-fu.

html 21:25:51 10/06/2002 . rules set up. # ###### # 4. /proc set up.unix-fu.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets http://people.1.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.1 Filter table # # # 4.1.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.Iptables Tutorial 1.9 Página 94 #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. # # # 3.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.org/andreasson/iptables-tutorial/iptables-tutorial.

TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.unix-fu.html 21:25:51 10/06/2002 .9 Página 95 # # Create separate chains for ICMP.1.Iptables Tutorial 1.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports http://people.

unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.1.9 Página 96 # # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.Iptables Tutorial 1.1.5 FORWARD chain # http://people.html 21:25:51 10/06/2002 . # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.1.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.

1.9 Página 97 # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.6 OUTPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above.Iptables Tutorial 1.RELATED -j ACCEPT # # Log weird packets that don't match the above.html 21:25:51 10/06/2002 .2 nat table # http://people.org/andreasson/iptables-tutorial/iptables-tutorial.1.unix-fu.

4 PREROUTING chain # http://people.1 Set policies # # # 4.html 21:25:51 10/06/2002 .2.3.3.2.2.3 Create content in user specified chains # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.4 PREROUTING chain # # # 4.3 mangle table # # # 4.3.2 Create user specified chains # # # 4.2 Create user specified chains # # # 4.9 Página 98 # # 4.2.6 OUTPUT chain # ###### # 4.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.2.1 Set policies # # # 4.3.3 Create content in user specified chains # # # 4.unix-fu.2.1.Iptables Tutorial 1.

9 Página 99 # # 4. if not.3. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. 59 Temple # Place. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. # # This program is distributed in the hope that it will be useful. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details.Iptables Tutorial 1.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. MA 02111-1307 USA # ########################################################################### # # 1.firewall script #!/bin/sh # # rc. write to the Free Software Foundation. # but WITHOUT ANY WARRANTY..DMZ.html 21:25:51 10/06/2002 .4.8 POSTROUTING chain # Example rc.6 FORWARD chain # # # 4.DMZ. Suite 330.DMZ IP Firewall script for Linux 2.net> # # This program is free software. version 2 of the License. Inc. Configuration options.5 INPUT chain # # # 4.3.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.7 OUTPUT chain # # # 4. # # http://people.1.3. Boston.3.firewall .

168.2 Local Area Network configuration.0/16" LAN_BCAST_ADRESS="192. the same as netmask 255.236. # LO_IFACE="lo" LO_IP="127.1" DMZ_IFACE="eth2" # # 1.2" DMZ_DNS_IP="192. # DMZ_HTTP_IP="192.0.org/andreasson/iptables-tutorial/iptables-tutorial.255.3 DMZ Configuration.236.255.236.0 # LAN_IP="192. # # your LAN's IP range and localhost IP.1.html 21:25:51 10/06/2002 .0.168.2 PPPoE # # # 1.1. # INET_IP="194.152" HTTP_IP="194.0.4 Localhost Configuration.1.168.1 Internet Configuration. # IPTABLES="/usr/sbin/iptables" http://people.1.153" DNS_IP="194.168.Iptables Tutorial 1.50.50.1.1 DHCP # # # 1.3" DMZ_IP="192.168.168.50.255.5 IPTables Configuration.unix-fu.1. /24 means to only use the first 24 # bits of the 32 bit IP adress.9 Página 100 # 1.154" INET_IFACE="eth0" # # 1.2" LAN_IP_RANGE="192.0.1" # # 1.255" LAN_IFACE="eth1" # # 1.

/proc set up.6 Other Configuration.9 Página 101 # # 1.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.1 Required proc configuration # http://people. # # # Needed to initially load modules # /sbin/depmod -a # # 2. # ########################################################################### # # 2.Iptables Tutorial 1.html 21:25:51 10/06/2002 .1. Module loading.org/andreasson/iptables-tutorial/iptables-tutorial.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.unix-fu. # # # 3.

2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.org/andreasson/iptables-tutorial/iptables-tutorial.1.unix-fu.3 Create content in userspecified chains # http://people. # ###### # 4.1.Iptables Tutorial 1.9 Página 102 echo "1" > /proc/sys/net/ipv4/ip_forward # # 3. rules set up.1.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1 Filter table # # # 4. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.html 21:25:51 10/06/2002 .

org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .unix-fu.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # 4.4 INPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Packets from the Internet to this box # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # # Packets from LAN.1.9 Página 103 # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.Iptables Tutorial 1.1. DMZ or LOCALHOST # # # From DMZ Interface to DMZ firewall IP # http://people.

5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # DMZ section # # General rules # $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT http://people.9 Página 104 $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT # # From LAN Interface to LAN firewall IP # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT # # From Localhost interface to Localhost IP # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT # # All established and related packets incoming from the internet to the # firewall # $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.1.unix-fu.1.html 21:25:51 10/06/2002 .RELATED \ -j ACCEPT # # Logging rule # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.

6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets http://people.org/andreasson/iptables-tutorial/iptables-tutorial.1.unix-fu.RELATED -j ACCEPT # # LOG all packets reaching here # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.9 Página 105 $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \ --state ESTABLISHED.RELATED -j ACCEPT $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT # # HTTP server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ --dport 80 -j allowed $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ -j icmp_packets # # DNS server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j allowed $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j ACCEPT $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ -j icmp_packets # # LAN section # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.html 21:25:51 10/06/2002 .1.Iptables Tutorial 1.

1.2 nat table # # # 4.2.4 PREROUTING chain # # # Enable IP Destination NAT for DMZ zone # $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \ -j DNAT --to-destination $DMZ_HTTP_IP $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP # # 4.unix-fu.2.html 21:25:51 10/06/2002 .2 Create user specified chains # # # 4.2.org/andreasson/iptables-tutorial/iptables-tutorial.5 POSTROUTING chain # http://people.2.1 Set policies # # # 4.9 Página 106 # # Allow ourself to send packets not spoofed everywhere # $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT # # Logging rule # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.Iptables Tutorial 1.3 Create content in user specified chains # # # 4.2.

6 FORWARD chain # # # 4.9 Página 107 # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.5 INPUT chain # # # 4.8 POSTROUTING chain # http://people.unix-fu.3.3.org/andreasson/iptables-tutorial/iptables-tutorial.2 Create user specified chains # # # 4.3.3 mangle table # # # 4.html 21:25:51 10/06/2002 .3 Create content in user specified chains # # # 4.3.Iptables Tutorial 1.3.2.3.4 PREROUTING chain # # # 4.7 OUTPUT chain # # # 4.1.3.3.6 OUTPUT chain # ###### # 4.1 Set policies # # # 4.

if not.2 Local Area Network configuration.html 21:25:51 10/06/2002 .9 Página 108 Example rc. MA 02111-1307 USA # ########################################################################### # # 1.1. Inc.UTIN Firewall script for Linux 2.1 Internet Configuration. Suite 330.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. See the # GNU General Public License for more details. # INET_IP="194.2 PPPoE # # # 1.UTIN. # but WITHOUT ANY WARRANTY.155" INET_IFACE="eth0" # # 1.Iptables Tutorial 1. Boston. # # This program is distributed in the hope that it will be useful.net> # # This program is free software. # # your LAN's IP range and localhost IP.firewall script #!/bin/sh # # rc. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. /24 means to only use the first 24 http://people. 59 Temple # Place.1. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.1.1 DHCP # # # 1.unix-fu. # # # 1..firewall .236.50. Configuration options.4. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. version 2 of the License.org/andreasson/iptables-tutorial/iptables-tutorial. write to the Free Software Foundation.

Iptables Tutorial 1. # # # Needed to initially load modules # /sbin/depmod -a # # 2.5 IPTables Configuration.0.168.0.html 21:25:51 10/06/2002 .255" LAN_IFACE="eth1" # # 1.0/16" LAN_BCAST_ADRESS="192.255.org/andreasson/iptables-tutorial/iptables-tutorial.1" # # 1.0.0 # LAN_IP="192. # IPTABLES="/usr/sbin/iptables" # # 1. # # # 1.unix-fu.255.0.3 DMZ Configuration. # ########################################################################### # # 2.6 Other Configuration.1.168.9 Página 109 # bits of the 32 bit IP adress.4 Localhost Configuration.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat http://people.168.2" LAN_IP_RANGE="192. Module loading.255. the same as netmask 255. # LO_IFACE="lo" LO_IP="127.

9 Página 110 /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2. # ###### # 4.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP http://people.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.org/andreasson/iptables-tutorial/iptables-tutorial.1.Iptables Tutorial 1.1.1 Filter table # # # 4. # # # 3. /proc set up.unix-fu.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. rules set up.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.html 21:25:51 10/06/2002 .

1.Iptables Tutorial 1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.9 Página 111 $IPTABLES -P FORWARD DROP # # 4.1.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT http://people.html 21:25:51 10/06/2002 .1.org/andreasson/iptables-tutorial/iptables-tutorial.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.unix-fu.

org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from anywhere # $IPTABLES -A INPUT -p ICMP -j icmp_packets $IPTABLES -A INPUT -p TCP -j tcp_packets $IPTABLES -A INPUT -p UDP -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED. # http://people.Iptables Tutorial 1.html 21:25:51 10/06/2002 .RELATED \ -j ACCEPT # # Log weird packets that don't match the above.9 Página 112 # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.4 INPUT chain # # # Bad TCP packets we don't want.1.1.

1.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward between interfaces.unix-fu.9 Página 113 $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.org/andreasson/iptables-tutorial/iptables-tutorial. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # http://people.Iptables Tutorial 1. # $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.1.RELATED -j ACCEPT # # Log weird packets that don't match the above.6 OUTPUT chain # # # Bad TCP packets we don't want.html 21:25:51 10/06/2002 .

2.2 nat table # # # 4.3 mangle table # # # 4. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2 Create user specified chains # # # 4.2.Iptables Tutorial 1.3 Create content in user specified chains # # # 4.6 OUTPUT chain # ###### # 4.org/andreasson/iptables-tutorial/iptables-tutorial.1 Set policies # # # 4.3.2.1.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.1 Set policies # # http://people.9 Página 114 # Log weird packets that don't match the above.unix-fu.2.2.4 PREROUTING chain # # # 4.2.html 21:25:51 10/06/2002 .

3.3.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.firewall script #!/bin/sh # # rc.DHCP IP Firewall script for Linux 2.3.net> # # This program is free software.3.3 Create content in user specified chains # # # 4. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it http://people.org/andreasson/iptables-tutorial/iptables-tutorial. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.DHCP.4. See the # GNU General Public License for more details.4 PREROUTING chain # # # 4.unix-fu.firewall .3.html 21:25:51 10/06/2002 .9 Página 115 # 4.1.Iptables Tutorial 1. # # This program is distributed in the hope that it will be useful.6 FORWARD chain # # # 4.8 POSTROUTING chain # Example rc.3. version 2 of the License.5 INPUT chain # # # 4.3. # but WITHOUT ANY WARRANTY.7 OUTPUT chain # # # 4. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.2 Create user specified chains # # # 4.

Iptables Tutorial 1.1.9

Página 116

# from; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA 02111-1307 USA # ########################################################################### # # 1. Configuration options. # # # 1.1 Internet Configuration. # INET_IFACE="eth0" # # 1.1.1 DHCP # # # Information pertaining to DHCP over the Internet, if needed. # # Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP # over the Internet set this variable to yes, and set up the proper IP # adress for the DHCP server in the DHCP_SERVER variable. # DHCP="no" DHCP_SERVER="195.22.90.65" # # 1.1.2 PPPoE # # Configuration options pertaining to PPPoE. # # If you have problem with your PPPoE connection, such as large mails not # getting through while small mail get through properly etc, you may set # this option to "yes" which may fix the problem. This option will set a # rule in the PREROUTING chain of the mangle table which will clamp # (resize) all routed packets to PMTU (Path Maximum Transmit Unit). # # Note that it is better to set this up in the PPPoE package itself, since # the PPPoE configuration option will give less overhead. # PPPOE_PMTU="no" # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 117

# 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1" # # 1.3 DMZ Configuration. # # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. #

########################################################################### # # 2. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1 Required modules # /sbin/modprobe ip_conntrack http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 118

/sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_MASQUERADE # # 2.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc

########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 119

$IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 120

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT if [ $DHCP == "yes" ] ; then $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.1.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

9 Página 121 $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \ --state ESTABLISHED.1.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.html 21:25:51 10/06/2002 .unix-fu.1. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.Iptables Tutorial 1.RELATED -j ACCEPT # # Log weird packets that don't match the above.RELATED -j ACCEPT # # Log weird packets that don't match the above.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. http://people.org/andreasson/iptables-tutorial/iptables-tutorial.

2 nat table # # # 4.2.1.2.3 mangle table http://people.2. then $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN.2.6 OUTPUT chain # ###### # 4.2 Create user specified chains # # # 4.5 POSTROUTING chain # if [ $PPPOE_PMTU == "yes" ] .RST SYN \ -j TCPMSS --clamp-mss-to-pmtu fi $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE # # 4.2.9 Página 122 # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # # Log weird packets that don't match the above.1 Set policies # # # 4.html 21:25:51 10/06/2002 .4 PREROUTING chain # # # 4. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.Iptables Tutorial 1.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.3 Create content in user specified chains # # # 4.2.

3.1 Set policies # # # 4.9 Página 123 # # # 4.1.3.3.3 Create content in user specified chains # # # 4.3.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.3.6 FORWARD chain # # # 4.3.flush-iptables script #!/bin/sh # http://people.7 OUTPUT chain # # # 4.3.unix-fu.3.2 Create user specified chains # # # 4.4 PREROUTING chain # # # 4.5 INPUT chain # # # 4.html 21:25:51 10/06/2002 .8 POSTROUTING chain # Example rc.

. Inc. # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F http://people.Iptables Tutorial 1. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT # # reset the default policies in the mangle table.unix-fu. See the # GNU General Public License for more details.Resets iptables to default values.flush-iptables . # # This program is distributed in the hope that it will be useful.html 21:25:51 10/06/2002 .1. Suite 330. # $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT # # flush all the rules in the filter and nat tables. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.net> # # This program is free software. write to the Free Software Foundation. # $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT # # reset the default policies in the nat table.9 Página 124 # rc. 59 Temple # Place. if not. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. Boston. # but WITHOUT ANY WARRANTY.org/andreasson/iptables-tutorial/iptables-tutorial. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. MA 02111-1307 USA # # Configurations # IPTABLES="/usr/sbin/iptables" # # reset the default policies in the filter table. version 2 of the License.

test-iptables .unix-fu.net> # # This program is free software. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.html 21:25:51 10/06/2002 . Suite 330. version 2 of the License.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial. Boston. all chains # iptables -t filter -A INPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter FORWARD:" http://people. write to the Free Software Foundation. See the # GNU General Public License for more details..9 Página 125 # # erase all chains that's not default in filter and nat table. # but WITHOUT ANY WARRANTY.test-iptables script #!/bin/bash # # rc. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. Inc. 59 Temple # Place. MA 02111-1307 USA # # # Filter table. if not. # $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X Example rc. # # This program is distributed in the hope that it will be useful.test script for iptables chains and tables. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.

1. all chains except OUTPUT which don't work.net Copyright © 2001 by Oskar Andreasson http://people.Iptables Tutorial 1.unix-fu.9 Página 126 iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter FORWARD:" # # NAT table.org/andreasson/iptables-tutorial/iptables-tutorial.9 Oskar Andreasson blueflux@koffein. Iptables Tutorial 1.html 21:25:51 10/06/2002 .1. # iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat OUTPUT:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat OUTPUT:" # # Mangle table. all chains # iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle OUTPUT:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle OUTPUT:" Done.

Iptables Tutorial 1. you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation. write to the Free Software Foundation. with the Front-Cover Texts being "Original Author: Oskar Andreasson". if not.1. Suite 330. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. under the section entitled "GNU General Public License". MA 02111-1307 USA Table of Contents Introduction Why this document was written How it was written About the author Dedications Preparations Where to get iptables Kernel setup 1 userland setup Compiling the userland applications Installation on Red Hat 7. Boston.unix-fu. All scripts in this tutorial are covered by the GNU General Public License. but WITHOUT ANY WARRANTY. The scripts are free source.. A copy of the license is included in the section entitled "GNU Free Documentation License".1.org/andreasson/iptables-tutorial/iptables-tutorial. version 2 of the License. distribute and/or modify this document under the terms of the GNU Free Documentation License. Inc. See the GNU General Public License for more details. with the Invariant Sections being "Introduction" and all subsections. These scripts are distributed in the hope that they will be useful.9 Página 127 Permission is granted to copy. You should have received a copy of the GNU General Public License within this tutorial. 59 Temple Place.1 How a rule is built Basics Tables Commands Matches Generic matches Implicit matches Explicit matches http://people. Version 1. and with no BackCover Texts.html 21:25:51 10/06/2002 .

firewall file example rc.9 Página 128 Targets/Jumps ACCEPT target DROP target QUEUE target RETURN target LOG target MARK target REJECT target TOS target MIRROR target SNAT target DNAT target MASQUERADE target REDIRECT target TTL target ULOG target Traversing of tables and chains General Mangle table 1 Nat table 2 Filter table rc.Iptables Tutorial 1.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.1.firewall explanation of rc.firewall Configuration options Initial loading of extra modules proc set up Displacement of rules to different chains Setting up the different chains used INPUT chain The TCP allowed chain The ICMP chain The TCP chain The UDP chain OUTPUT chain FORWARD chain PREROUTING chain of the nat table Starting the Network Address Translation http://people.unix-fu.

DMZ. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents GNU General Public License http://people.UTIN.txt rc.txt script structure The structure rc. COMBINING DOCUMENTS 6. TERMINATION 10.1.txt rc.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.flush-iptables.firewall.DHCP.firewall.txt 10. APPLICABILITY AND DEFINITIONS 2. rc. VERBATIM COPYING 3.html 21:25:51 10/06/2002 .txt rc.9 Página 129 Example scripts rc. TRANSLATION 9.firewall.firewall.txt rc. 5.test-iptables.txt Detailed explanations of special commands Listing your active ruleset Updating and flushing your tables Common problems and questionmarks Passive FTP but no DCC State NEW packets but no SYN bit set Internet Service Providers who use assigned IP addresses ICMP types Other resources and links Acknowledgements History GNU Free Documentation License 0. AGGREGATION WITH INDEPENDENT WORKS 8. COPYING IN QUANTITY 4. COLLECTIONS OF DOCUMENTS 7. MODIFICATIONS 1.firewall.unix-fu. PREAMBLE 1.

html 21:25:51 10/06/2002 . This tutorial has turned a little bit harder to follow this way but at the same time it is more logical. How to Apply These Terms to Your New Programs Example scripts codebase Example rc.firewall script Example rc. just consult this tutorial.firewall script Example rc. Whenever you find something that's hard to understand. DISTRIBUTION AND MODIFICATION 1. this file was originally based upon the masquerading HOWTO for those of you who recognize it. How it was written I've placed questions to Marc Boucher and others from the core netfilter team.firewall. This document will guide you through the setup process step by step.firewall script Example rc. TERMS AND CONDITIONS FOR COPYING. Among other things.d/ scripts. http://people.Iptables Tutorial 1.UTIN.x kernels.9 Página 130 0. but not allow outgoing DCC from IRC as an example? I will build this all up from an example rc. hopefully make you understand some more about the iptables package. Preamble 1.txt file that you can use in your /etc/rc.txt. 2. I found a big empty space in the HOWTO's out there lacking in information about the iptables and netfilter functions in the new Linux 2. Also. Yes. A big thanks going out to them for their work and for their help on this tutorial that I wrote and maintain for boingworld.4.org/andreasson/iptables-tutorial/iptables-tutorial.com. I'm going to try to answer questions that some might have about the new possibilities like state matching.DMZ.firewall file since I find that example to be a good way to learn how to use iptables.firewall script Example rc.DHCP. there's a small script that I wrote just in case you screw up as much as I did during the configuration available as rc. I will base most of the stuff here on the example rc.flush-iptables script Example rc.unix-fu. Is it possible to allow passive FTP to your server.flush-iptables.1. I have decided to just follow the basic chains and from there go down into each and one of the chains traversed in each due order.test-iptables script Introduction Why this document was written Well.

She has supported me more than I ever can support her to any degree. sitting with my own LAN and wanting them all to be connected to the Internet. you could make a fairly secure network by dropping all incoming packages not destined to certain ports. The iptables package also makes use of kernel space facilities which can be configured into the kernel during make configure . tells the client about it. Second of all. Preparations This chapter is aimed at getting you started and to help you understand the role netfilter and iptables play in Linux today. The necessary pieces will be discussed a bit further down in this document. but this would be a problem with things like passive FTP or outgoing DCC in IRC. which assigns ports on the server.9 Página 131 About the author I'm someone with too many old computers on my hands.1.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. This chapter should hopefully get you set up and finished to go with your experimentation and installation of a firewall which should hopefully run smoothly in the future. There was some child diseases in the iptables code that I ran into in the beginning. I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who makes this wonderful operating system possible.Iptables Tutorial 1.html 21:25:51 10/06/2002 . and in some respects I found the code not quite ready for release in full production. Before. at the same time having it fairly secure. Kernel setup To run the pure basics of iptables you need to configure the following options into the kernel while doing make config or one of it's related commands: http://people. The new iptables is a good upgrade from the old ipchains in this regard. Dedications First of all I would like to dedicate this document to my wonderful girlfriend Ninel. and then lets the client connect. I wish I could make you just as happy as you make me. Today. I'd recommend everyone who uses ipchains or even older ipfwadm etc to upgrade unless they're happy with what their current code is capable of and if it does what they need it to. Where to get iptables The iptables userspace package can be downloaded from the netfilter homepage.

And of course you need to add the proper drivers for your interfaces to work properly.firewall. TOS stands for Type Of Service. this module is required by the rc. If you need to firewall machines on a LAN you most definitely should mark this option.org/andreasson/iptables-tutorial/iptables-tutorial. I assume you'll want this since you're reading this at all. For example.html 21:25:51 10/06/2002 .This option allows applications and programs that needs to work directly to certain network devices.txt to work. Here we will show you the options available in a basic 2. If you don't add this module you won't be able to FTP through a firewall or gateway properly. CONFIG_IP_NF_IPTABLES . For example. If you want to use the more advanced options in IPTables. NAT and Masquerading.With this match we can match packets based on their TOS field. that adds the possibility to control how many packets per minute that's supposed to be matched with a certain rule. It adds the whole iptables identification framework to kernel. The above will only add some of the pure basics in iptables.txt. In other words. Without this you won't be able to do anything at all with iptables.This module is required if you want to do connection tracking on FTP connections.This option is required if you're going to use your computer as a firewall or gateway to the internet. if we use the target MARK we could mark a packet and then depending on if this packet is marked further on in the table.1. this option compiles the helper. ie. An example would be tcpdump or snort. We don't use this option in the rc.9 kernel and a brief explanation : CONFIG_IP_NF_CONNTRACK . CONFIG_IP_NF_FTP .This option is required if you want do any kind of filtering. CONFIG_IP_NF_MATCH_MAC . CONFIG_NETFILTER . You won't be able to do anything to be pretty honest. CONFIG_IP_NF_MATCH_MARK . Since FTP connections are quite hard to do connection tracking on in normal cases conntrack needs a so called helper.This module isn't exactly required but it's used in the example rc.unix-fu. this is most definitely required if for anything in this tutorial to work at all.txt example or anywhere else. For example. TOS can also be set by certain rules in the mangle table and via the ip/ tc commands. it just adds the framework to the kernel.4. we can match based on this mark. This option provides the LIMIT match. This option is the actual match MARK.firewall.This allows us to match packets based on MAC addresses. among other things. Normally this wouldn't be possible. CONFIG_IP_NF_MATCH_MULTIPORT . you need to set up the proper configuration options in your kernel. Ethernet adapter.firewall.Iptables Tutorial 1. but with this match it is. CONFIG_IP_NF_MATCH_TOS . Every Ethernet adapter has it's own MAC address. CONFIG_IP_NF_MATCH_LIMIT .This allows us to use a MARK match.9 Página 132 CONFIG_PACKET . PPP and SLIP interfaces. -m limit --limit 3/ minute would match a maximum of 3 packets per minute. and further down we will describe the actual target MARK. masquerading or NAT. http://people. We could for instance block packets based on what MAC address used and block a certain computer pretty well since the MAC address don't change. This module can also be used to avoid certain Denial of Service attacks.This module allows us to match packets with a whole range of destination ports or source ports.This module is needed to make connection tracking. Connection tracking is used by.

Note that this match is still experimental and might not work perfectly in all cases. CONFIG_IP_NF_NAT . CONFIG_IP_NF_TARGET_MASQUERADE .This module will add the possibility for us to match IP. but mostly is.Iptables Tutorial 1. CONFIG_IP_NF_TARGET_REJECT . SLIP or some other connection that dynamically assigns us an IP. or NAT. in it's different forms. but we never know if they are legitimate or not. Note that this match is still experimental and might not work for everyone. Mind you that TCP connections are always reset or refused with a TCP RST packet. In the filter table you'll find the INPUT. if we use DHCP. CONFIG_IP_NF_FILTER .This allows packets to be bounced back to the sender of the packet. FORWARD and OUTPUT chains. Instead of letting a packet pass right through. if we've already seen trafic in two directions in a TCP connection. Note that this option is is not required for firewalling and masquerading of a LAN. masquerading etc. For instance if we don't know what IP we have to the Internet this would be the preferred way of getting the IP instead of using DNAT or SNAT. We could for example drop these packets. For example.9 Página 133 CONFIG_IP_NF_MATCH_TCPMSS .This is one of the biggest news in comparison to ipchains. Masquerading gives a slightly higher load on the computer than NAT does.firewall. In other words. CONFIG_IP_NF_TARGET_MIRROR . http://people. CONFIG_IP_NF_MATCH_STATE .This module adds the MASQUERADE target.firewall. and most definitely on your network if you do not have the ability to add unique IP addresses as specified above. we need to use this target instead of SNAT. we remap them to go to our local box instead.This module allows network address translation.txt example.This target allows us to specify that an ICMP error message should be sent in reply to incoming packets instead of plainly dropping them dead to the floor.html 21:25:51 10/06/2002 . CONFIG_IP_NF_MATCH_OWNER . but will work without us knowing the IP in advance. This module was originally just written as an example on what could be done with the new iptables. This module is required if you plan to do any kind of filtering on packets that you receive and send. With this module we can do stateful matching on packets. PPP.This option will add the possibility for us to do matching based on the owner of a socket. we can allow only the user root to have Internet access.This module will add the basic filter table which will enable you to do basic filtering.unix-fu. this option is required for the example rc.1. unless you are able to provide unique IP addresses for all hosts. we have the possibility to make a transparent proxy this way.This option adds the possibility for us to match TCP packets based on their MSS field. TCP. For example. CONFIG_IP_NF_MATCH_UNCLEAN . CONFIG_IP_NF_TARGET_REDIRECT .org/andreasson/iptables-tutorial/iptables-tutorial. With this option we can do port forwarding. UDP and ICMP packets that looks strange or are invalid.txt to work properly. In other words. this packet will be counted as ESTABLISHED. if we set up a MIRROR target on destination port HTTP on our INPUT chain and someone tries to access this port we would plainly bounce his packets back to himself and finally he would see his own homepage. This module is used extensively in the rc. For example.This target is useful together with proxies for example. Hence.

This adds the LOG target to iptables and the functionality of it.unix-fu.6. These functions should be added in the future. for the rc. ssh works but scp dies after handshake. or as modules. I suggest you look at the patch-o-matic functions in netfilter userland which will add heaps of other options in the kernel. to Linus Torvalds being unable to keep up or not wanting to let the patch in to the mainstream kernel yet since it is still experimental. Do not look at this as any real long term solution for solving migration from Linux 2. This may be for various reasons such as the patch not being stable yet. This can result in webpages not getting through.9 Página 134 CONFIG_IP_NF_TARGET_LOG . We can then use the TCPMSS target to overcome this by clamping our MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit). etcetera. If you would like to get a look at more options.2 kernels to 2. As you can see. we'll be able to handle what the authors of netfilter themself call "criminally braindead ISPs or servers" in the kernel configuration help.9 kernel.Iptables Tutorial 1. CONFIG_PACKET CONFIG_NETFILTER CONFIG_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT http://people.html 21:25:51 10/06/2002 . look at the example firewall scripts section. POM fixes are additions that are supposed to be added in the kernel in the future but has not quite reached the kernel yet. there is a heap of options.This option can be used to overcome Internet Service Providers and servers who block ICMP Fragmentation Needed packets. We can use this module to log certain packets to syslogd and hense see the packet further on.Compatibility mode with old ipfwadm. This could be useful for forensics or debugging a script you're writing.txt script to work.org/andreasson/iptables-tutorial/iptables-tutorial. I have briefly explained what kind of extra behaviours you can expect from each module here.1. CONFIG_IP_NF_TARGET_TCPMSS . This way. Do absolutely not look at this as a real long term solution. but has not quite made it in yet. If you need help with the options that the other scripts needs. You will need the following options compiled into your kernel.Adds a compatibility mode with the old ipchains.4. CONFIG_IP_NF_COMPAT_IPFWADM . CONFIG_IP_NF_COMPAT_IPCHAINS . small mails getting through while larger mails don't get through.4 kernels since it may well be gone with kernel 2.firewall. These are only the options available in a vanilla Linux 2.

2. For more information read the iptables-1.4. For now.1. http://people. and other distributions further on in this chapter Compiling the userland applications First of all unpack the iptables package.3 package and a vanilla 2.2. However. To do this step we do something like this from the root of the iptables package: make pending-patches KERNEL_DIR=/usr/src/linux/ The variable KERNEL_DIR should point to the actual place that your kernel source is located at. there are some even more experimental patches further along.3. This compilation goes quite a lot hand in hand with the kernel configuration and compilation so you are aware of this. one of these are Red Hat 7. which may only be available when you do some other steps.firewall. We will check closer on how to enable it on this.2.org/andreasson/iptables-tutorial/iptables-tutorial.(this can also be accomplished with the tar -xjvf iptables-1. Normally this should be /usr/src/linux/ but this may vary.2.9 kernel. userland setup First of all.3. However.tar.1 it is disabled per default.bz2.2. In the other example scripts I will explain what requirements they have in their respective section.Iptables Tutorial 1. this may not work with older versions of tar). Here. Unpack as usual. we have used the iptables 1. Certain distributions comes with the iptables package preinstalled. there is the option to install extra modules and options etcetera to the kernel.The step described here will only check patches that are pending for inclusion to the kernel. let's look at how we compile the iptables package. there are heaps of extremely interesting matches and targets in this installation step so don't be afraid of at least looking at them. Hopefully the package should now be unpacked properly into a directory named iptables-1.1. using bzip2 -cd iptables-1.3.tar. However.3/INSTALL file which contains pretty good information on compiling and getting the program to run. Some of these are highly experimental and may not be a very good idea to install. which should do pretty much the same as the first command. lets try to stay focused on the main script which you should be studying now.9 Página 135 CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE The above will be required at the very least for the rc. and most probably you will know yourself where the kernel source is available. After this. in Red Hat 7.txt script.unix-fu.html 21:25:51 10/06/2002 .bz2 | tar -xvf .

1. you're on your own. though. you may either compile a new kernel making use of the new patches that you have added to the source. Some patches will destroy other patches while others may destroy your kernel if used together with some patches from patch-omatic etc. To do this. Continue by compiling the iptables userland application. To compile iptables you issue a simple command that looks like this: make KERNEL_DIR=/usr/src/linux/ The userland application should now compile properly. You may wait with the kernel compilation until after the compilation of the userland program iptables if you feel like it. Don't forget to configure the kernel again since the new patches probably are not added to the configured options and so on. There might be more patches and additions that the developers of netfilter are about to add to the kernel.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial. However.9 Página 136 This only asks about certain patches that are just about to enter the kernel anyways. you would issue the following command to install them: make install KERNEL_DIR=/usr/src/linux/ Hopefully everything should work in the program now.html 21:25:51 10/06/2002 . you're ready to install the binaries by now. Note that we say ask. if not. After this you are finished doing the patch-o-matic parts of installation. To use any of the changes in the iptables userland applications you should definitely recompile and reinstall your kernel by now if you haven't done so http://people. but still skip the most extreme patches that might cause havoc in your kernel.unix-fu. To be able to install all of the patch-o-matic stuff you will need to run the following command: make patch-o-matic KERNEL_DIR=/usr/src/linux/ Don't forget to read the help for each patch thoroughly before doing anything. because that's what these commands actually do. There is a few things that might go wrong with the installation of iptables so don't panic if it won't work. there are some really interesting things in the patch-o-matic that you may want to look at so there's nothing bad in just running the commands and see what they contain. or possibly try the netfilter mailing list who might help you with your problems. One way to install these are by doing the following: make most-of-pom KERNEL_DIR=/usr/src/linux/ The above command would ask about installing parts of what in netfilter world is called patch-o-matic. try to think logically about it and find out what's wrong or get someone to help you. but is a bit further away from actually getting there. If everything has worked smoothly. it is in other words not necessary to do the above. They ask you before anything is changed in the kernel source. You may totally ignore the above steps if you don't want to patch your kernel.

Now the service won't be started in the future.9 Página 137 before.1.4. X11. The first letter which per default would be S tells the initscripts to start the script. For more information about installing the userland applications from source. The following command should do it: chkconfig --level 0123456 ipchains off By doing this we move all the soft links that points to the real script to K92ipchains.org/andreasson/iptables-tutorial/iptables-tutorial. we need to know which runlevels we want it to run in. the normal runlevel to run in. to start the iptables service. The default Red Hat 7. This is the service command which can be used to work on currently running services.x kernel that has netfilter and iptables compiled in. 5.unix-fu. This is used if you automatically boot into Xwindows.1 Red Hat 7. To do this.Iptables Tutorial 1. to stop the service from actually running right now we need to run another command. By changing this to K we tell it to Kill the service instead. It also contains all the basic userland programs and configuration files that is needed to run it.1 installation today comes with an utterly old version of the userspace applications so you might want to compile a new version of the applications as well as install a new and homecompiled kernel before fully exploiting iptables. So. Normally this would be in runlevel 2. ie. or to not run it if it was not previously started. Annoying to say the least. Multiuser without NFS or the same as 3 if there is no networking. they have disabled the whole thing by using the backwards compatible ipchains module. however. We would then issue the following command to stop the ipchains service: service ipchains stop Finally. Installation on Red Hat 7. you will need to change some filenames in the /etc/rc.d/ directory-structure. These runlevels are used for the following things: 2. To make iptables run in these runlevels we would do the following commands: chkconfig --level 235 iptables on http://people. First of all. 3 and 5.html 21:25:51 10/06/2002 . First of all you will need to turn off the ipchains modules so it won't start in the future. 3. Full multiuser mode. check the INSTALL file in the source which contains excellent information on the subject of installation. let's take a brief look at how to turn the module off and how to install iptables instead. and a lot of people are asking different mailing lists why iptables don't work. However.1 comes preinstalled with a 2.

It's not unusual that the new and the old package get's mixed up since the rpm based installation installs the package in non-standard places and won't get overwritten by the installation for the new iptables package.1 box. Note that this set up may be automatically erased if you have. The other way would be to load the ruleset and then save them with the iptables-save command and then have it loaded automatically by the rc.Iptables Tutorial 1. that will meet your requirements. Also. The other way to save the script would be to use service iptables save which would save the script automatically to this file. or when we are entering a runlevel that don't require iptables to run.org/andreasson/iptables-tutorial/iptables-tutorial. you chould edit the /etc/rc.d/iptables script.d/init. Note. don't forget to check out the restart section and condrestart. use the iptables-save command. When you reboot the computer in the future. such as iptables-save > /etc/sysconfig/ iptables which would save the ruleset to the file /etc/sysconfig/iptables. for example. Red Hat Network automatically updating your packages. To activate the iptables service.1. when you need to fix a screwed up box. and don't forget to experiment a bit. Level 4 should be unused. You could either use it normally. 3 and 5. do as follows: rpm -e iptables And of course.unix-fu. Level 1 is for single user mode. none of the other runlevels should be used. there is two common ways. make and write a ruleset in a file. This step is only necessary if you will install iptables from the source package. why keep ipchains lying around when it is of no use? That is done the same way as with the old iptables binaries. We do this since we don't want the system to mix up the new iptables userland application with the old preinstalled iptables applications. To add rules that should be run when the computer starts the service. don't forget to edit a the stop) section either which tells the script what to do when the computer is going down for example. you add them under the start) section. First of all.9 Página 138 The above commands would in other words make the iptables service run in runlevel 2. or in the start() function. When you find a set up that works without problems or bugs as you can see. the iptables rc. ie. so you should not really need to activate it for those runlevels. First we will describe the possibility of doing the set up by cut and paste to the iptables init. However. The second way of doing the set up would require the following steps to be taken. or directly with iptables. It may also be erased by updating from the iptables RPM package.d scripts.html 21:25:51 10/06/2002 .d script will use the command iptablesrestore to restore the ruleset from the save-file /etc/sysconfig/iptables. there is no rules in the iptables script. This file is automatically used by the iptables rc. Also. and level 6 is for shutting the computer down. To add rules to an Red Hat 7. etc: http://people. we just run the following command: service iptables start Of course. When all of these steps are finished we can deinstall the currently installed ipchains and iptables packages. if you add the rules under the start) section don't forget to stop the start() function from running in the start) section. This would have the bad effect that the rules would be deleted if you updated the iptables package by RPM. If you'd like the iptables service to run in some other runlevel you would have to issue the same command in those. To do the deinstallation.d script to restore the ruleset in the future. Do not intermix this and the previous set up instruction since they may heavily damage eachother and render each and one useless. First of all.d script.

http://people. Also. Normally we would write a rule something like this: iptables [-t table] command [match] [target/jump] There is nothing that says that the target instruction must be last in the line. you would do this normally to get a better readability.1. It is not required to put the table specification at this location. There is a heap of different matches that we can use that we will look closer at further on in this chapter. libraries or include files etc should be lying around any more. We could specify what IP address the packet must come from. We use this first variable to tell the program what to do. instruction. it is not necessary to specify it explicitly all the time since iptables per default uses the filter table to implement your commands on. However. If you want to use another table than the standard table. Hence. The match is the part which we send to the kernel that says what a packet must look like to be matched. or directly after the table specification. we perform the target. the command should always be first. Basics As we've already explained each rule is a line that the kernel looks at to find out what to do with a packet. or matches. This tells the iptables command what to do. It could be set pretty much anywhere in the rule. are met. however.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 139 rpm -e ipchains After all this is done you are finished to update the iptables package from source according to the source installation instructions. None of the old binaries. We will enter this a bit further on. new subchains). Each line you write that's inserted to a chain should be considered a rule. How a rule is built This chapter will discuss in legth how to build your rules. or jump. either. or which network interface the packet must come from etc.unix-fu. We will also discuss the basic matches that str available and how to use them as well as the different targets and how we can make new targets to use (ie.html 21:25:51 10/06/2002 . we have used this way of writing rules since it is the most usual way of writing them. for example to insert a rule or to add a rule to the end of the chain. however. it is more or less standard to put the table specification at the beginning of the commandline. One thing to think about though. or to delete a rule. A rule could be described as the pure rules the firewall will follow when blocking different connections and packets in each chain. If all the criterias.Iptables Tutorial 1. you could insert the table specification where [table] is specified. if you read someone elses script you'll most likely recognise the way of writing a rule and understand it quickly.

Tables Table nat Explanation The nat table is used mainly for Network Address Translation.1. The following options are available to the -t command: Table 1. If all the matches are met for a packet we tell the kernel to perform this action on the packet. There are three chain built in to this table. The rest of the packets in the stream will in other words not go through this table again. We could tell the kernel to drop this packet dead and do no further processing. The rest of the packets in the same stream are automatically NAT'ed or Masqueraded etc.Iptables Tutorial 1. the PREROUTING and OUTPUT chains. TOS or MARK. PREROUTING is used for altering packets just as they enter the firewall and before they hit the routing decision. Finally we have the POSTROUTING chain which is used to alter packets just as they are about to leave the firewall.unix-fu. Note that the MARK is not really a change to the packet. but instead they will automatically have the same actions taken to them as the first packet in the stream. INPUT is used on all packets that are destined for our local host (the firewall) and OUTPUT is finally used for all locally generated packets.9 Página 140 Finally we have the target of the packet. ACCEPT or REJECT packets without problems as in the other tables. Packets in a stream only traverse this table once.org/andreasson/iptables-tutorial/iptables-tutorial. This table is used mainly for mangling packets. As with the rest of the content in this section. 21:25:51 10/06/2002 mangle filter http://people. Tables The -t option specifies which table to use. we could DROP. Per default. The filter table should be used for filtering packets generally. the nat table was made for these kinds of operations.html . We could tell the kernel to send the packet to another chain that we create ourself. but a mark for the packet is set in kernelspace which other rules or programs might use further on in the firewall to filter or do advanced routing on with tc as an example. Examples of this would be to change the TTL. on the firewall) before they get to the routing decision. we'll look closer at them further on in the chapter. The PREROUTING chain is used to alter packets as soon as they get in to the firewall. The first one is named FORWARD and is used on all non-locally generated packets that are not destined for our localhost (the firewall. OUTPUT is used for changing and altering locally generated packets before they enter the routing decision. we presume. as we will discuss more in length further on. The first packet of a stream is allowed. the filter table is used. Note that mangle can not be used for any kind of Network Address Translation or Masquerading. in case they are supposed to have those actions taken on them. We could change different packets and how their headers look among other things. The table consists of two built in chains. in other words). which must be part of this table. LOG. or we could tell kernel to send a specified reply to be sent back. The OUTPUT chain is used for altering locally generated packets (ie. This is one reason why you should not do any filtering in this table. For example. Note that OUTPUT is currently broken.

This command appends the rule to the end of the chain. -D.. unless you append or insert more rules later on.unix-fu. Commands In this section we will bring up all the different commands and what can be done with them. --append iptables -A INPUT . This might be good while experimenting with iptables mainly. and hence it would be the http://people. Normally we want to either add or delete something to some table or another. either by specifying a rule to match with the -D option (as in the first example) or by specifying the rule number that we want to match. --replace iptables -R INPUT 1 -s 192. Commands Command Example Explanation -A. but instead of totally deleting the entry.168. The following commands are available to iptables: Table 2. -R. iptables -D INPUT 1 This command deletes a rule in a chain. and hence be checked last.. They should be used for totally different things.Iptables Tutorial 1. This could be done in two ways. The rule is inserted at the actual number that we give. and the top rule is number 1. We will discuss the tables and chains more in the Traversing of tables and chains chapter.1 -j DROP This command replaces the old entry at the specified line. the rules are numbered from the top of each chain.1. It works in the same way as the --delete command. it will replace it with a new entry. and you should know what to use each chain for.9 Página 141 The listing above has hopefully explained the basics about the three different tables that are available. If you use the first way of deleting rules. --insert iptables -I INPUT 1 --dport 80 -j ACCEPT Insert a rule somewhere in a chain. -I. If you do not understand their usage you may well fall into a pit once someone finds the hole you have unknowingly placed in the firewall yourself. In other words. --delete iptables -D INPUT --dport 80 -j DROP.html 21:25:51 10/06/2002 . The rule will will in other words always be put last in the ruleset in comparison to previously added rules. If you use the second way. they must match totally to the entry in the chain. The command tells iptables what to do with the rest of the commandline that we send to the program.0.org/andreasson/iptables-tutorial/iptables-tutorial. the above example would be inserted at place 1 in the INPUT chain.

the command would list all the chains in the specified table (To specify a table. -F. ACCEPT and REJECT (There might be more. --rename-chain iptables -E allowed disallowed http://people. All packets that don't match any rule will then be forced to use the policy of the chain. Legal targets are: DROP.1. --zero iptables -Z INPUT This command tells the program to zero all counters in a specific chain or in all chains. It's also legal to not specify any chain at all. -P. -L. In the above example we create a chain called allowed. the chains will first be listed. -X. there must be no rules that are referring to the chain that is to be deleted. all chains that are not built in will be deleted from the specified table. or policy. Note that there must be no target of the same name previously to creating it.html 21:25:51 10/06/2002 . you would have to replace or delete all rules referring to the chain before actually deleting the chain.Iptables Tutorial 1. and will then delete all rules in all chains within the specified table.9 Página 142 absolutely first rule in the chain from now on. we would list all the entries in the INPUT chain. -N. -Z. on a chain. In the last case. see the Tables section). etcetera. and then the packet counters are zeroised. use the -Z option. you have probably seen the packet counter in the beginning of each field. --list iptables -L INPUT This command lists all the entries in the specified chain. The exact output is affected by other options sent to the program. In the above case. To zero this packet counter. If you have used the -v option with the -L command. If -L and -Z is used together (which is legal). --delete-chain iptables -X allowed This command deletes the specified chain from the table. --flush iptables -F INPUT This command flushes the specified chain from all rules and is equivalent to deleting each rule one by one but is quite a bit faster. The command can be used without options. --new-chain iptables -N allowed This command tells the kernel to create a new chain by the specified name in the specified table. In other words.unix-fu. mail me if so) -E. --policy iptables -P INPUT DROP This command tells the kernel to set a specified default target. for example the -n and -v options. For this command to work. If this command is used without any options.org/andreasson/iptables-tutorial/iptables-tutorial. This option works the same as -L except that -Z won't list the rules.

000. Note that this will not affect the actual way the table will work. --delete or --replace commands. to the second name.000. --exact --list This option expands the numerics.9 Página 143 The -E command tells iptables to rename the first name of a chain. IP addresses and port numbers will be printed by using their numerical values and not hostnames.000) and G (x1. unless you just want to list the built-in help for iptables or get the version of the command. Note that this option is only usable in the --list command and isn't really relevant for any of the other commands.Iptables Tutorial 1. The --list command will also include a bytes and packet counter for each rule if the --verbose option is set. --line-numbers --list http://people. Also note that we do not tell you any options here that is only used to affect rules and matches.000) multipliers. --numeric --list This option tells iptables to output numerical values. To overcome this and to get exact output. Options Option Commands used with Explanation -v. change the name of the chain from allowed to disallowed. rule options and TOS masks. -x. -n.unix-fu.000. in other words. If used together with the --list command it makes the output from the command include the interface address.html 21:25:51 10/06/2002 . This option is only applicable to the --list command. use the -v option and to get the help message. Instead we will get an exact output of how many packets and bytes that has matched the rule in question from the packets and bytes counters. The output from --list will in other words not contain the K. you could use the -x option described later. --append. --replace This command shows a verbose output and is mainly used together with the --list command. Note that we tell you with which commands the options can be used and what effect they will have. --delete. To get the version. In the example above we would. If this option is used with the --append.1. These counters uses the K (x1000). The matches and targets are instead looked upon in a later section of this chapter. --verbose --list. As usual. use the -h option. --insert. Table 3. network names or application names.org/andreasson/iptables-tutorial/iptables-tutorial. A command should always be specified. the program will output detailed information on what happens to the rules and if it was inserted correctly etcetera. --insert. This option overrides the default of resolving all numerics to hosts and names if possible. Here comes a few options that can be used together with a few different commands. in other words. M or G multipliers. It is. M (x1. in other words. just a cosmetic change to the table.

This option can be used with all commands. Generic matches Command Example http://people.html 21:25:51 10/06/2002 . A generic match is a kind of match that is always available whatever kind of protocol we are working on or whatever match extensions we have loaded. The following matches are always available. even though it is needed to use some protocol specific matches. Each rule is numbered together with this option and it might be easier to know which rule has which number when you're going to insert rules. The syntax would be something like --set-counters 20 4000. I hope this is a reasonable breakdown and that all people out there can understand this breakdown. Generic matches This section will deal with Generic matches. --append.9 Página 144 The --line-numbers command is used to output line numbers together with the --list command. Matches This section will talk a bit more about the matches. First of all we have the generic matches which are generic and can be used in all rules. However. --protocol is in itself a match. owner and limit matches and so on.org/andreasson/iptables-tutorial/iptables-tutorial. --replace This option is used when creating a rule in some way or modifying it. Then we have the TCP matches which can only be applied to TCP packets. We can then use the option to initialize the packets and bytes counters of the rule. No special parameters are in other words needed to load these matches at all. We have UDP matches which can only be applied to UDP packets and ICMP matches which can only be used on ICMP packets. Finally we have special matches such as the state. too. In such cases it might be necessary to specify this option so the program knows what to do in case a needed module is not loaded. -c. It could be used if your modprobe command is not somewhere in the searchpath etc. which would tell the kernel to set the packet counter to 20 and byte counter to 4000. This option only works with the --list command. we need to use the --protocol match and send TCP as an option to the match. since it can be used to match specific protocols.unix-fu. These final matches has in turn been split down to even more subcategories even though they might not necessarily be different matches at all. Table 4. --modprobe All The --modprobe option is used to tell iptables which command to use when probing for modules to the kernel.1. I have also added the --protocol match here. if we want to use an TCP match.Iptables Tutorial 1. For example. --set-counters --insert. I've chosen to split down the matches into five different subcategories here.

FORWARD and PREROUTING chains and will render an error message when used anywhere else.168.0.Iptables Tutorial 1. It could be used with a netmask in a bits form.0). If this match is given the numeric value of zero (0). If we would in other words use a match in the form of --source ! 192.x range.255. First of all the protocol match can take one of the three aforementioned protocols.255. One way is to do it with an regular netmask in the 255.0 netmask. We could also invert the whole match with an ! sign.0.0/24 and both would be equivalent to each other. This would match all packets in the 192. Finally.0/ 255.tcp which would match all UDP and TCP packets. The default behaviour of this match.1.255. it means ALL protocols. -s. --destination iptables -A INPUT -d 192.168. The + value is used to match a string of letters and numbers.168. Examples of protocols are TCP. The command may also take a comma delimited list of protocols.1 The --destination match is used to match packets based on their destination address or addresses.0/24 we would match all packets with a source address not coming from within the 192.168.0. --in-interface iptables -A INPUT -i eth0 This match is used to match based on which interface the packet came in on.255. 192.0. which in turn is the default behaviour in case the --protocol match is not used.org/andreasson/iptables-tutorial/iptables-tutorial.0 or like 192.1 would in other words match all packets except those not destined to the 192. The line http://people. so -protocol ! tcp would mean to match the ICMP and UDP protocols. such as udp.9 Página 145 -p.255.1 IP address. It works pretty much the same as the --source match and has the same syntax. -i. UDP and ICMP.0. This list can vary a bit at the same time since it uses the /etc/protocols if it can not recognise the protocol itself. except that it matches based on where the packets are going. The default is to match all IP addresses. Note that this option is only legal in the INPUT.0. as well as ALL.255.168.1. We could also inverse the match with an ! just as before. and eth+ would in other words match all ethernet devices. such as our local networks or network segments behind the firewall.0. This means that we could for example add /24 to use a 255.html 21:25:51 10/06/2002 . such as 255 which would mean the RAW IP protocol.0/24. in case the match is not specified. We can also invert the meaning of this option with the help of the ! sign.168. is to assume a string value of +. The + string can also be used at the end of an interface.1.255. for example.0.1. The protocol may also take a numeric value. This match can also be inversed with the ! sign.168. and the other way is to only specify the number of ones (1's) on the left side of the network mask. The main form can be used to match single IP addresses such as 192.x range. --dst. --destination ! 192. just as before. We could then match whole IP ranges.168. we can add a netmask either in the exact netmask form. -d. --source iptables -A INPUT -s 192. --src. It would then look like either 192.168.1 This is the source match which is used to match packets based on their source IP address. The line would then look something like.0/255.0.1. --protocol Explanation iptables -A INPUT -p tcp This match is used to check for certain protocols. which means to match all of the previous protocols. or in the number of ones (1's) counted from the left side of the netmask bits. A single + would in other words tell the kernel to match all packets without considering which interface it came in on.255. To match an IP range.unix-fu.168.168. 192. the program knows about all the protocols in the /etc/protocols file as we already explained.168.255 form (ie.

except eth0. Implicit matches This section will describe the matches that are loaded implicitly.Iptables Tutorial 1. There are currently three types of implicit matches that are loaded automatically for three different protocols. among other things. third. Note that this match is only available in the OUTPUT. we match all head fragments and/or unfragmented packets. nor ICMP types. after the TCP match section. TCP matches These matches are protocol specific and are only available when working with TCP packets and streams. --out-interface iptables -A FORWARD -o eth0 The --out-interface match is used to match packets depending on which interface they are leaving on. Other than this.org/andreasson/iptables-tutorial/iptables-tutorial. These matches are loaded implicitly in a sense. however. Of course. and hence this match was created. Note that the --protocol tcp match must be to the left of the protocol specific matches. To use these matches you need to specify --protocol tcp on the command line before trying to use these matches. -f. it works pretty much the same as the --ininterface match. http://people. like this ! -f. which would mean to match all incoming interfaces. fragments. there is no way to tell the source or destination ports of the fragments. The other matches will be looked over in the continuation of this section. -o. regardless of where the packet is going. you can use the ! sign in exactly the same sense as in the --ininterface match. These are TCP matches. and UDP based matches contain another set of matches that are available only for UDP packets. just as the UDP and ICMP matches are loaded implicitly. Also. and not the second. Implicit matches are loaded automatically when we tell iptables that this rule will match for example TCP packets with the --protocol match. The TCP based matches contain a set of different matches that are available for only TCP packets. fragmented packets might in rather special cases be used to compile attacks against computers.html 21:25:51 10/06/2002 . When this match is inversed. in case you use connection tracking you will not see any defragmented packets since they are dealt with before hitting any chain or table in iptables. and the same thing for ICMP packets.9 Página 146 would then have a syntax looking something like -i ! eth0. To inverse the meaning of the match. in opposite of the --in-interface match. FORWARD and POSTROUTING chains. and so on. in this case the ! sign must precede the match. --fragment iptables -A INPUT -f This match is used to match the second and third part of a fragmented packet. The reason for this is that in the case of fragmented packets. As a secondary note. There is also explicitly loaded matches that you must load explicitly with the -m or -match option which we will go through later on in the next section.1. the default behaviour if this match is left out is to match all devices. Also note that there are defragmentation options within the kernel that can be used which are really good. This option can also be used in conjunction with the ! sign. What this means is that we match all the first fragments of a fragmented packets. UDP matches and ICMP matches.unix-fu. We also match all packets that has not been fragmented during the transfer. The + extension is understood so you can match all eth devices with eth+ and so on. Such fragments of packets will not be matched by other rules when they look like this.

If we omit the first port specification. Note that this match does not handle multiple separated ports and port ranges. or turned on.html 21:25:51 10/06/2002 . If we inversed the port specification in the port range so the highest port would be first and the lowest would be last. If a source port definition looked like -source-port 80:22. port 65535 is assumed. PSH http://people.ACK. It does also reverse high and low ports in a port range specification if the high port went into the first spot and the low port into the last spot. The --source-port match can also be used to match a whole range of ports in this fashion --source-port 22:80 for example.1. The match knows about the SYN. the entry of the rule will be slightly faster since iptables don't have to check up the service name.FIN SYN This match is used to match depending on the TCP flags in a packet. FIN. ACK. If you specify a service name. --source-port iptables -A INPUT -p tcp --sport 22 The --source-port match is used to match packets based on their source port. exactly the same as -source-port in syntax. If you are writing a ruleset consisting of a 200 rules or more. it would be understood just the same as --source-port 22:80. It understands port and port range specifications. as well as inversions. First of all the match takes a list of flags to compare (a mask) and second it takes list of flags that should be set to 1.Iptables Tutorial 1. iptables automatically reverses the inversion. the service name must be in the / etc/services file since iptables uses this file to look up the service name in. If you specify the port by port number. This example would match all source ports between 22 and 80. look at the multiport match extension.9 Página 147 Table 5. If we would write --source-port 22: we would in turn get a port specification that tells us to match all ports from port 22 through port 65535. TCP matches Match Example Explanation --sport. which in turn would mean that we want to match all ports but port 22 through 80. the port 0 is assumed to be the one we mean. it could be a little bit harder to read in case you specify the numeric value.org/andreasson/iptables-tutorial/iptables-tutorial. For more information about this. In other words. URG. Both lists should be comma-delimited. --dport. And if the last port specification is omitted. --source-port :80 would then match port 0 through 80. however. RST. Note that this match does not handle multiple separated ports and port ranges. you should definitely do this by port numbers since you will be able to notice the difference(On a slow box.unix-fu. For more information about this. --tcp-flags iptables -p tcp --tcp-flags SYN. This match can either take a service name or a port number. The inversion could also be used together with a port range and would then look like --source-port ! 22:80. The match will also assume the values of 0 or 65535 if the high or low port is left out in a port range specification. this could make as much as 10 seconds if you are running a large ruleset consisting of 1000 rules or so). --destination-port iptables -A INPUT -p tcp --dport 22 This match is used to match TCP packets depending on its destination port. look at the multiport match extension. We could also invert a match by adding a ! sign like --source-port ! 22 which would mean that we want to match all ports but port 22. It uses exactly the same syntax as the --source-port match.

If you block these packets. you will not have blocked the outgoing connections which a lot of exploits today uses (for example. These matches are implicitly loaded when you specify the --protocol UDP match and will be available after this specification. ! --syn. such as open or closing a connection. This match is used to match packets if they have the SYN bit set and the ACK and FIN bits unset.1. ALL and NONE is pretty much self describing.html 21:25:51 10/06/2002 . If they are lost. --tcp-option iptables -p tcp --tcp-option 16 This match is used to match packets depending on their TCP options. they are simply lost (Not taking ICMP error messaging etcetera into account). This command would in other words be exactly the same as the --tcp-flags SYN. you should have effectively blocked all incoming connection attempts. or if they are just simply supposed to send data.ACK.unix-fu. and for ease of traversing from one to the other. and hence there is no such thing as different flags to set in the packet to give data on what the datagram is supposed to do. The correct syntax could be seen in the example above. however.Iptables Tutorial 1. UDP matches This section describes matches that will only work together with UDP packets. hack a legit service and then make a program or such make the connect to you instead of setting up an open port on your host). This option can also be inverted with the ! sign.FIN SYN match. Table 6. This match can also be inverted with the ! sign in this. ALL means to use all flags and NONE means to use no flags for the option it is set. Note that the state machine will work on all kinds of packets even though UDP or ICMP packets are counted as connectionless protocols. --source-port iptables -A INPUT -p udp --sport 53 http://people. UDP matches Match Example Explanation --sport. UDP packets do not require any kind of acknowledgement either. This means that there is quite a lot less matches to work with on a UDP packet than there is on TCP packets. --tcp-flags ALL NONE would in other words mean to check all of the TCP flags and match if none of the flags are set. Also note that the comma delimitation should not include spaces. Note that UDP packets are not connection oriented.org/andreasson/iptables-tutorial/iptables-tutorial. The state machine works pretty much the same on UDP packets as on TCP packets. way.9 Página 148 flags but it also recognizes the words ALL and NONE. in other words packets in an already established connection. There will be more about the state machine in a future chapter. Such packets are used to request new TCP connections from a server mainly. This would tell the match to match all packet with the FIN or the ACK bits set. --syn iptables -p tcp --syn The --syn match is more or less an old relic from the ipchains days and is still there out of compatibility reasons.

ICMP matches These are the ICMP matches. If the first port is omitted. If the second port is omitted.html 21:25:51 10/06/2002 . To invert the port match.unix-fu. the ports switch place with eachother automatically. --source-port ! 53 fashion. For more information about this. This would match all ports but port 80. but will work with UDP packets instead. To match a single port we do --destination-port 53. but contains differences. The headers of a ICMP packet are very similar to those of the IP headers. among other things. The match handles port ranges. the match can understand service names as long as they are available in the /etc/services file. The ICMP protocol is mainly used for error reporting and for connection controlling and such features.Iptables Tutorial 1. ICMP matches Match Example Explanation --icmp-type http://people. to invert this we could do --destination-port ! 53. One example is if we try to access an unaccessible IP adress. This example would match all packets destined for UDP port 22 through 80. Single UDP port matches look as in the example above. If the high port comes before the low port. Table 7. If the first value is omitted. This match is implicitly loaded when we use the --protocol ICMP match and we get access to it automatically. For more information about this.9 Página 149 This match works exactly the same as its TCP counterpart. port 0 is assumed. ICMP is not a protocol subordinated to the IP protocol. It has support for port ranges. There is only one ICMP specific match available for ICMP packets. we would get an ICMP host unreachable in return. The first would match all UDP packets going to port 53 while the second would match packets but those going to the destination port 53. look at the multiport match extension. single ports and port inversions with the same syntax. port 0 is assumed. Note that this match does not handle multiple ports and port ranges. look at the multiport match extension. Note that all the generic matches can also be used.1. add a ! sign in this. The match is used to match packets based on their UDP destination port. but more of a protocol beside the IP protocol that helps handling errors. These packets are even worse than UDP packets in the sense that they are connectionless. and hopefully this should suffice.org/andreasson/iptables-tutorial/iptables-tutorial. --destination-port iptables -A INPUT -p udp --dport 53 The same goes for this match as for the UDP version of --source-port. If the high port is placed before the low port.For a complete listing of ICMP types. they automatically switch place so the low port winds up before the high port. Of course. see the ICMP types appendix. we would do --destination-port 22:80 for example. If the last port is omitted. It is used to perform matches on packets based on their source UDP ports. To specify a port range. To make a UDP port range you could do 22:80 which would match UDP ports 22 through 80. --dport. Note that this match does not handle multiple separated ports and port ranges. port 65535 is assumed. it is exactly the same as the equivalent TCP match. port 65535 is assumed. so we can know source and destination adress too. The main feature of this protocol is the type header which tells us what the packet is to do. single ports and inversions.

org/andreasson/iptables-tutorial/iptables-tutorial. Numerical values are specified in RFC 792. The difference between implicitly loaded matches and explicitly loaded ones is that the implicitly loaded matches will automatically be loaded when you. For example. This match can also be inverted with the ! sign in this. we would have to write -m state to the left of the actual match using the state matches.html 21:25:51 10/06/2002 .1. this match will only be possible to use on ethernet based networks. MAC match options Match Example Explanation --mac-source iptables -A INPUT --mac-source 00:00:00:00:00:01 This match is used to match packets based on their MAC source address. and others again may be "dangerous" for a simple host since they may. This would in other words reverse the meaning of the match so all packets except packets from this MAC address would be matched. --icmp-type ! 8. This match is also only valid in the PREROUTING. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX. fashion.9 Página 150 iptables -A INPUT -p icmp --icmp-type 8 This match is used to specify the ICMP type to match.unix-fu. If we would like to use the state matches for example. Note that since MAC addresses are only used on ethernet type networks. for example. FORWARD and INPUT chains and nowhere else. do a iptables --protocol icmp --help. you could use this to match all packets http://people. while explicitly loaded matches will not be loaded automatically in any case and it is up to you to activate them before using them. they should mostly be useful since it all depends on your imagination and your needs. To find a complete listing of the ICMP name values. This in turn means that all these matches may not always be useful. redirect packets to the wrong places. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01. among other things.Iptables Tutorial 1. or was created for testing/experimental use or plainly to show examples of what could be accomplished with iptables. Explicit matches Explicit matches are matches that must be specifically loaded with the -m or --match option. match TCP packets. Note that some ICMP types are obsolete. Some of these matches may be specific to some protocols. or check the ICMP types appendix. MAC match Table 8. ICMP types can be specified either by their numeric values or by their names. Limit match The limit match extension must be loaded explicitly with the -m limit option. This match is excellent to use to do limited logging of specific rules etcetera. else it will not be legal. however.

Iptables Tutorial 1. A maximum of 15 separate ports may be specified. Multiport match options Match Example Explanation --source-port iptables -A INPUT -p tcp -m multiport --source-port 22. This match is specified with a number and an optional time specifier. --limit-burst iptables -A INPUT -m limit --limit-burst 5 This is the setting for the burst limit of the limit match. Limit match options Match Example Explanation --limit iptables -A INPUT -m limit --limit 3/hour This sets the maximum average matching rate of the limit match. is that when we add this match we limit how many times a certain rule may be matched in a certain timeframe.80. This means that all packets will be matched after they have broken the limit. up to this number. which would sometimes mean you would have to make several rules looking exactly the same just to match different ports. Table 10. This tells the limit match how many times to let this match run per timeunit (ie /minute). The limit match may also be inversed by adding a ! flag in front of the limit match explicit loading. of course.110 This match matches multiple source ports.53. or 3/hour. (If anyone got a good/better and simpler explanation than this. This match may only be used in http://people. The default value here is 3 per hour. The default value is 5. This number gets recharged by one every time the limit specified is not reached. as you can see in the example.html 21:25:51 10/06/2002 . and get limited logging of this.9 Página 151 that goes over the edge of a certain chain. Multiport match The multiport match extension can be used to specify more destination ports and port ranges than one.unix-fu. The following time specifiers are currently recognised: /second /minute / hour /day. Table 9. The ports must be comma delimited.1.org/andreasson/iptables-tutorial/iptables-tutorial. This is its main usage. It tells iptables the maximum initial number of packets to match. send me a mail and I'll try to make this more understandable). What this means. but there are more usages. it would then look like -m ! limit.

This was previously done with the FWMARK target in ipchains.110 This match extension can be used to match packets based both on their destination port and their source port. port 80 to port 80 and if you have specified port 80 to the --port match. it is logically ANDed with the mark specified before the actual comparison. Marks can be set with the MARK target which we will discuss a bit more later on in the next section. The mark field is currently set to an unsigned integer. A mark is a special field only maintained within the kernel that is associated with the packets as they travel through the computer. namely the MARK target in iptables. As of today. Note that this means that it will only match packets that comes from. hence there can be a maximum of 65535 different marks. The mark field is an unsigned integer. It can only be used in conjunction with -p tcp and -p udp.unix-fu. If a mask is specified. with or without the packet. there is only one way of setting a mark in Linux. Note that this mark field does not in any way travel outside. It works the same way as the --source-port and --destination-port matches above. They may be used by different kernel routines for such tasks as traffic shaping and filtering. It is mainly an enhanced version of the normal --sourceport match. --mark 1/1. http://people.110 This match is used to match multiple destination ports. It can take a maximum of 15 ports specified to it in one argument. --port iptables -A INPUT -p tcp -m multiport --port 22. except that it matches destination ports.Iptables Tutorial 1.80. Mark match The mark match extension is used to match packets based on the marks they have set. the actual computer itself.9 Página 152 conjunction with the -p tcp or -p udp matches.org/andreasson/iptables-tutorial/iptables-tutorial. Mark match options Match Example Explanation --mark iptables -t mangle -A INPUT -m mark --mark 1 This match is used to match packets that have previously been marked. Table 11. --destination-port iptables -A INPUT -p tcp -m multiport --destination-port 22. you are probably not going to run into this limit in quite some time. this is why people still refer to FWMARK in advanced routing areas. If this mark field matches the mark match it is a match. All packets traveling through netfilter gets a special mark field associated with them. The mark specification would then look like. hence the limit of 65535 possible marks to use within your ruleset. In other words. for example.53. You may also use a mask with the mark.html 21:25:51 10/06/2002 .1.80. It works exactly the same way as the source port match mentioned just above. It has a maximum specification of 15 ports and may only be used in conjunction with -p tcp and -p udp.53. for example.

I would love to hear what they used it for and how they did it). This could be used to match outgoing packets based on who created them. --sid-owner iptables -A OUTPUT -m owner --sid-owner 100 This match is used to match packets based on their Session ID and the Session ID used by the program in question. --gid-owner iptables -A OUTPUT -m owner --gid-owner 0 This match is used to match all packets based on their Group ID (GID). This means that we match all packets based on what group the user creating the packets are in. or another possible use could be to block everyone but the httpuser from creating packets from HTTP. Owner match options Match Example Explanation --uid-owner iptables -A OUTPUT -m owner --uid-owner 500 This packet match will match if the packet was created by the given User ID (UID).org/andreasson/iptables-tutorial/iptables-tutorial. ICMP responses will. please give me a note of it and of other possible uses. One possible use would be to block any other user than root to open new connections outside your firewall. but one example would be to only allow PID 94 to send packets on the HTTP port. or as described above to only allow "httpgroup" to be able to create packets going out on the HTTP port. http://people. It is pretty much impossible to find out any information about who sent a packet on the other end. --pid-owner iptables -A OUTPUT -m owner --pid-owner 78 This match is used to match packets based on their Process ID (PID) and which PID created the packets. Table 12. Even within the OUTPUT chain it is not very reliable since certain packets may not have an owner. or if we where an intermediate hop to the real destination.html 21:25:51 10/06/2002 . This extension was originally written as an example on what iptables might be used for.9 Página 153 Owner match The owner match extension is used to match packets based on who created them.unix-fu. This match only works within the OUTPUT chain as it looks today. or we could write a small script that grabs the PID from a ps output for a specific daemon and then adds a rule for it. Notorious packets of that sort is different ICMP responses among other things. (If anyone has actually used this match for a production server. never match. If anyone have an idea for the usage of this match. hence.Iptables Tutorial 1. This could be used to block all but the users part of the "network" group from getting out onto the internet. for obvious reasons.1. This match is a bit harder to use.

This match needs to be loaded explicitly by adding a -m state statement to the rule. such as packets with bad headers or checksums and so on. or an ICMP error associated with an TCP or UDP connection for example.1. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should.9 Página 154 State match The state match extension is used in conjunction with the connection tracking code in the kernel and allows access to the connection tracking state of the packets. There is currently 4 states that can be used. Note that this option is regarded as experimental and may not work at all times. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid.Iptables Tutorial 1. INVALID. read in the future chapter on the state machine. Table 13. This match tries to match packets which seems malformed or unusual. however you should be aware that this may break legal connections too.html 21:25:51 10/06/2002 . For more information on how this could be used.unix-fu. or that it is associated with a connection that has not seen packets in both directions. RELATED means that the packet is starting a new connection and is associated with an already established connection. Finally. INVALID means that the packet is associated with no known stream or connection and that it may contain faulty data or headers. This could be used to DROP connections and to check for bad streams etcetera. In all cases.ESTABLISHED This match option tells the state match what states the packets must be in to be matched. there may be times where this could be useful. However. ESTABLISHED. hence. nor will it take care of all unclean packages or problems. This could for example mean an FTP data transfer. including stateless protocols such as ICMP and UDP. there will be a default timeout for the connection and it will then be dropped from the connection tracking database. NEW means that the packet has or will start a new connection. and works for pretty much all protocols. You will then have access to one new match.org/andreasson/iptables-tutorial/iptables-tutorial. State matches Match Example Explanation --state iptables -A INPUT -m state --state RELATED. TOS match http://people. This allows us to know in what state the connection is. Unclean match The unclean match takes no options and requires no more than explicit loading when you want to use it. NEW and RELATED. This concept will be more deeply introduced in a future chapter since it is such a large area. not be considered very good in cases where we have only one firewall and no load balancing between different firewalls.

and Normal-Service 0 (0x00). Table 14. while others try their best to do something good with the packets in question and the data they provide. but it tells us if there is any specific requirements for this stream such as that it needs to be sent as fast as possible. This match is only used to match packets based on their TTL. a standard protocol would be FTP-data. This is true here. Most do not care at all. as well as in all kinds of matches. some good protocols that would fit with this TOS values would be BOOTP and TFTP. consists of 8 bits.1. Maximize-Throughput 8 (0x08). or possibly one of the names given if you do an iptables -m tos -h. Maximize-Reliability 4 (0x04).html 21:25:51 10/06/2002 . Minimize-Delay means to minimize the delay until the packets gets through all the way to the client/server. SSH and FTP-control. At the time of writing it contained the following named values: Minimize-Delay 16 (0x10). and what kind of content it has(not really. To load this match. among other things. TTL match The TTL match is used to match packets based on their TTL (Time To Live) field residing in the IP header. TOS matches Match Example Explanation --tos iptables -A INPUT -p tcp -m tos --tos 0x16 This match is used as described above. you need to add an -m ttl to the rule. How different routers and people deal with these values depends. This match is loaded explicitly by adding -m tos to the rule. This could be used for.9 Página 155 The TOS match can be used to match packets based on their TOS field.unix-fu. Table 15. an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is transmitted to the party sending the packet and telling about the problem. and not to change anything. TOS stands for Type Of Service. TTL matches http://people. and is located in the IP header. Normal-Service would finally mean any normal protocol that has no special needs for their transfers. ie find the fastest route. it can match packets based on their TOS field and their value. example of standard protocols that this includes are telnet. or it needs to be able to send as much payload as possible). TOS is normally used to tell intermediate hosts the preceeding of the stream. Some good protocols that would use this would be RTSP (Real Time Stream Control Protocol) and other streaming video/radio protocols. Minimize-Delay means to minimize the delay for the packets. If the TTL reaches 0. Maximize-Throughput means to find a path that allows as big throughput as possible. The match takes an hex or numeric value as an option. Minimize-Cost 2 (0x02).Iptables Tutorial 1. The TTL field contains 2 bits and is decremented once every time it is processed by an intermediate host between the client and host.org/andreasson/iptables-tutorial/iptables-tutorial. to mark packets for later usage together with the iproute2 and advanced routing functions in linux. Maximize-Reliability means to maximize the reliability of the connection and to use lines that are as reliable as possible.

see the Traversing of tables and chains chapter. a good example of this would be the LOG. The usage is pretty much limited. it is required that the chain has already been created. DNAT and SNAT targets. it will automatically be ACCEPT'ed in the superset chain also and it will not traverse any of the superset chains any further. do note that the packet will traverse all other chains in the other tables in a normal fashion.org/andreasson/iptables-tutorial/iptables-tutorial.1. such as both mangling the TTL and the TOS value of a specific packet/stream. This target could be used for debugging your local network. As we have already explained before. There is no inversion and there is no other specifics to this match. will not pass through any of the rules further on in the chain or superset chains. When/If we reach the end of that chain. what TOS value to use etcetera) while others have options not http://people. Network Address Translationed and then be passed on to the other rules in the same chains. This may be good in cases where we want to take two actions on the same packet. a chain is created with the -N command. These packets may be logged. For example. Targets/Jumps The target/jumps tells the rule what to do with a packet that is a perfect match with the match section of the rule. as described above. the ACCEPT and DROP targets which we will deal with first of all targets. Targets may also end with different results one could say. we get dropped back to the INPUT chain and the packet starts traversing from the rule one step below where it jumped to the other chain (tcp_packets in this case). There is a few basic targets. let's say we create a chain in the filter table called tcp_packets like this: iptables -N tcp_packets. However. may take an action on the packet and then the packet will continue passing through the rest of the rules anyway. before we do that. for example hosts which seems to have problems connecting to hosts on the internet. Some targets will also take options that may be necessary (What address to do NAT to.9 Página 156 Command Example Explanation --ttl iptables -A OUTPUT -m ttl --ttl 60 This match option is used to specify which TTL value to match. would be to find hosts with bad TTL values set as default (may be due to badly implemented TCP/IP stack. Other targets. For more information on table and chain traversing. One example. it is only your imagination which stops you. or due to a malconfiguration). To jump to a specific chain. Good examples of such rules are DROP and ACCEPT. If a packet is ACCEPT'ed within one of the subchains.html 21:25:51 10/06/2002 . DROP or ACCEPT the packet depending on what we want to do. Targets on the other hand specify an action to take on the packet in question. We could then add a jump target to it like this: iptables -A INPUT -p tcp -j tcp_packets.Iptables Tutorial 1. It takes an numeric value and matches based on this value. There is also a number of other actions we may want to take which we will describe further on in this section.unix-fu. However. or to find possible infestations of trojans etcetera. let us have a brief look at how a jump is done. Rules that are stopped. We would then jump from the INPUT chain to the tcp_packets chain and start traversing that chain. some targets will make the packet stop traversing the specific chain and superset chains as described above. We could for example. The jump specification is done exactly the same as the target definition except that it requires a chain within the same table to jump to. however.

masquerade to ports and so on). such as filtered ports and so on. it is accepted and will not continue traversing the chain where it was accepted in.1. The target will not send any kind of information in either direction. QUEUE target Option Example Explanation Option Example Explanation RETURN target The RETURN target will make the current packet stop travelling through the chain where it hit the rule.Iptables Tutorial 1. Do note. and it does not require.unix-fu. either to tell the client or the server as told previously. nor any of the calling chains. DROP target The DROP target does just what it says. the packet will http://people.9 Página 157 necessary. A packet that matches a rule perfectly and then has this action taken on it will be blocked and no further processing will be done. To use this target. but available in any case (log prefixes. we specify it like -j ACCEPT. Let us have a look at what kinds of targets there are. QUEUE target Table 16. that packets that was accepted in one chain will still travel through any subsequent chains within the other tables and may be dropped there. A better solution would be to use the REJECT target in those cases. the packet will not be processed in any of the above chains in the structure either. to add options to the target. If the chain is the main chain. for example the INPUT chain. ACCEPT target This target takes no special options first of all. especially when you want to block certain portscanners from getting to much information. When a packet is perfectly matched and this target is set.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. Note that this action may be a bit bad in certain cases since it may leave dead sockets around on the server and client. or have the possibility. We will try to answer all these questions as we go in the descriptions. There is nothing special about this target whatsoever. Also note that if a packet has the DROP action taken on them in a subchain. If it is a subchain to another chain. the packet will continue to travel through the above chains in the structure as if nothing had happened. it drops packets dead to the ground and refuses to process them anymore.

It would then be dropped to the default policy as previously described. warn is the same as warning and panic is the same as emerg. or priorities as they are normally referred to: debug. since the ULOG target has support for logging directly to MySQL databases and such. For example. setting kern.html 21:25:51 10/06/2002 . warn and panic.conf for information about these kind of problems. LOG target The LOG target is specially made to make it possible to log snippets of information about packets that may be illegal. Also note that the ULOG target may be interesting in case you are getting heavy logs. It will then jump back to the previous chain. and all of a sudden it matches a specific rule which has the --jump RETURN target set. warning. For a complete list of loglevels read the syslog. which in this case would be the INPUT chain. Note that it is not a iptables or netfilter problem in case you get your logs to the consoles or likely. The priority defines the severity of the message being logged. info. The keyword error is the same as err.conf manual. The default policy is normally set to ACCEPT or DROP or something the like. This is an excellent target to use while you are debugging your rulesets to see what packets go where and what rules are applied on what packets.unix-fu. alert.conf file http://people.1.org/andreasson/iptables-tutorial/iptables-tutorial. and no more actions would be taken in this chain. Note that all three of these are deprecated. In other words.Iptables Tutorial 1. or for pure bughunting and errorfinding. Also note that it may be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall since this may otherwise cause severe connectivity problems for your users. Normally there are the following log levels. Read more in man syslog. but instead a problem of your syslogd configuration which you may find in /etc/syslog. The LOG target will log specific information such as most of the IP headers and other interesting information via the kernel logging facility. in other words do not use error. err. notice.9 Página 158 have the default policy taken on it. Another example would be if the packet hit a --jump RETURN rule in the INPUT chain. LOG target options Option Example Explanation --log-level iptables -A FORWARD -p tcp -j LOG --log-level debug This is the option that we can use to tell iptables and syslog which log level to use.=info /var/log/iptables in your syslog. The packet will then start traversing the EXAMPLE_CHAIN. lets say a packet enters the INPUT chain and then hits a rule that it matches and that gives it --jump EXAMPLE_CHAIN. emerg and panic. They are all listed below. This information may then be read with dmesg or syslogd and likely programs and applications. error. All messages are logged through the kernel facility. The LOG target currently takes five options that may be interesting to use in case you have specific needs for more information.conf. or want to set different options to specific values. crit. warn. Table 17.

would make all messages appear in the /var/log/iptables file. but is an value that is associated within the kernel with the packet. This target is only valid in the mangle table.9 Página 159 and then letting all your LOG messages in iptables use log level info.1. These may be valuable when trying to debug what may go wrong and what has gone wrong. The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc). you may not set a MARK for a package and then expect the MARK to still be there on another computer. --log-tcp-sequence iptables -A INPUT -p tcp -j LOG --log-tcp-sequence This option will log the TCP Sequence numbers together with the log message. For more information on logging I recommend you to read the syslog and syslog. The TCP Sequence number are special numbers that identify each packet and where it fits into a TCP sequence and how the stream should be reassembled. These logging messages may be valuable when trying to debug or finding out specific culprits and what goes wrong. just as most of the LOG options.unix-fu. --log-tcp-options iptables -A FORWARD -p tcp -j LOG --log-tcp-options The --log-tcp-options option will log the different options from the TCP packets header. MARK target The MARK target is used to set netfilter mark values that are associated with specific packets. --log-ip-options iptables -A FORWARD -p tcp -j LOG --log-ip-options The --log-ip-options option will log most of the IP packet header options. Any log that is. you will be better off with the TOS target which will mangle the TOS value in the IP header. The prefix may be up to 29 letters long. which may contain logging messages from iptables.Iptables Tutorial 1. In other words. etcetera. or by the world for that matter. Note that this option is a security risk if the log is readable by any users. Note that the mark value is not set within the actual package. for example. This works exactly thesame as the --log-tcp-options option. --log-prefix iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets" This option tells iptables to prefix all log messages with a specific prefix which may then be very good to use together with. This option takes no variable fields or anything like that.html 21:25:51 10/06/2002 . including whitespace and those kind of symbols. http://people.conf manpages as well as other HOWTO's etcetera. For more information on advanced routing. Note that there may be other messages here as well from other parts of the kernel that uses the info priority. but instead works on the IP options. If this is what you want. grep and other tools to distinguish specific problems and outputs from specific rules.org/andreasson/iptables-tutorial/iptables-tutorial. just the same as the previous option. and will not work outside there. check out the LARTC HOWTO.

1. The default error message is to send an port-unreachable to the host. but it also sends back an error message to the host sending the packet that was blocked. All of the above are ICMP error messages and may be set as you wish. icmp-portunreachable. and then the packet is dropped dead to the ground. which would also be the only chains where it would make any sense to put this target in. There is also an option called echo-reply. there is one more option called tcp-reset which may only be used together with the TCP protocol.html 21:25:51 10/06/2002 . and you may get some more information by looking in the appendix ICMP types. For example.org/andreasson/iptables-tutorial/iptables-tutorial. or on all packets from a specific host and then do advanced routing on that host. else they won't work. limiting or unlimiting their network speed etcetera. MARK target options Option Example Explanation --set-mark iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2 The --set-mark option is required to set a mark. There are currently the following reject types that can be used: icmp-net-unreachable. Once we get a packet that matches a specific rule and we specify this target.Iptables Tutorial 1. icmp-host-unreachable. the target will first of all send the specified reply. the http://people.unix-fu. The REJECT target is as of today only valid in the INPUT. Most of them are fairly easy to understand if you have a basic knowledge of TCP/IP. There currently is only one option which controls the nature of how this target works. icmp-proto-unreachable. but this option may only be used in conjunction with rules which would match ICMP ping packets.9 Página 160 Table 18. REJECT target The REJECT target works basically the same as the DROP target. FORWARD. The --set-mark match takes an integer value. which in turn may take a huge set of variables. Table 19. FORWARD and OUTPUT chain or subchains of those chains. Finally. and OUTPUT chains. we may set mark 2 to a specific stream of packets. Note that the chains that uses the REJECT target may only be called upon by the INPUT. REJECT target Option Example Explanation --reject-with iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset This option tells the REJECT target what response to send to the host that sent the packet that we found to be a match. icmp-net-prohibited and icmphost-prohibited. just the same as with the DROP target.

the value may be 0-255. Note that this target is only valid within the mangle table and can not be used outside it. As the TOS value consists of 8 bits. The TOS target only takes one option as described below. Note that most of these values will never be used by anyone on the internet so you may be better of by using the named values available (which should be more or less standardized). MaximizeReliability (decimal value 4. This is one of the few fields that can be used within iproute2 and its subsystem to route packets.Iptables Tutorial 1. hex value 0x04). As noted before. Maximize-Throughput (decimal value 8.2 or below) of iptables provided a broken implementation of this target which would not fix the packet checksum upon mangling. There are currently a lot of routers on the internet which does a pretty bad job at this so it may be a bit useless as of now to do any TOS mangling before sending the packets on to the internet. Minimize-Cost (decimal value 2. however. TCP RST are used to close open connections gracefully. this is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts. and they will not even look at them. which in turn most probably would be mangled and the connection would never work. you should hence set the TOS field which was developed for this. hex value 0x10). TOS target Option Example Explanation --set-tos iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 The --set-tos option tells the TOS mangler what TOS value to set on packets that are matched. they will look at the TOS field and do the wrong thing based on the information.9 Página 161 tcp-reset option will tell REJECT to send an TCP RST packet in reply to the sending host. The TOS field consists of 8 bits which are used to route packets. As stated previously. At best the routers will do nothing with the TOS field. at least within your own network. hex 0x02) or Normal-Service (decimal value 0.unix-fu.1. and hence rendered the packets bad and in need of retransmission. Also note that some old versions (1. For more information about the TCP RST read RFC 793 . or in hex 0x00-0xFF. At worst. As stated in the iptables man page. TOS target The TOS target is used to set the Type of Service field within the IP header. Table 20. The default value on most packets http://people.html 21:25:51 10/06/2002 .Transmission Control Protocol. hex value 0x00).org/andreasson/iptables-tutorial/iptables-tutorial. The option takes a numeric value. this is the only way to propagate routing information between these routers and firewalls within the actual packet. there is most definitely a good use if you have a large WAN or LAN with several routers and actually have the possibility to give packets different routes and preference depending on their TOS value.2. and can not be propagated with the packet. These values are Minimize-Delay (decimal value 16. hex value 0x08). the MARK target which sets a MARK associated with a specific packet is only available within the kernel. which won't accept your mail otherwise. Also note that if you handle several separate firewalls and routers. either in hex or in decimal value. If you feel a need to propagate routing information on how to do routing for a specific packet or stream.

the MIRROR target would make so computer B got the webpage at yahoo. NAT or mangle tables to avoid loops and other problems.1.Iptables Tutorial 1. If the first packet in a connection is mangled in this fashion.html 21:25:51 10/06/2002 . This results in some really funny things. then all future packets in the same connection will also be SNAT'ed and. letting all packets leaving our LAN look as if they came from a single host. SNAT target The SNAT target is used to do Source Network Address Translation. or 0. The SNAT target does all the translation needed to do this kind of work. this is good when we want several computers to share an internet connection. The SNAT target is only valid within the nat table.com back (since this is where he came from). For a complete listing of the "descriptive values". depending on how many hops there is between them. within the POSTROUTING chain. http://people. If computer B would be coming from yahoo. The packet will then bounce back and forth a huge set of times. The MIRROR target is used to invert the source and destination fields in the IP header. The result of this target is really simple. Also note that the outgoing packets created by the MIRROR target is not seen by any of the normal chains in the filter. and any user-defined chains which are only called from those chains. However. do an iptables -j TOS -h. One thing would for example be to send a spoofed packet to a host that uses the MIRRORcommand with a TTL of 255. Not bad for a cracker in other words to send 1500 bytes of data. and it should generally be recommended since the values behind the names may be changed if you are unlucky. If we forwarded these packets as is. among other things. If there is only 1 hop. whichever we want to call them. also. which means that this target will rewrite the Source IP address in the IP header of the packet. hence resulting in a bad kind of Denial of Service. This listing is complete as of iptables 1. since our local networks should use the IANA specified IP addresses which are allocated for LAN networks.unix-fu. FORWARD and PREROUTING chains. and see to it that the packet is spoofed so it looks as if it comes from another host that uses the MIRROR command.2. This is in other words the only place that you may do SNAT in. no further processing of rules in the POSTROUTING chain will be commenced on the packets in the same stream.9 Página 162 are Normal-Service. and eat up 380 kbyte of your connection.org/andreasson/iptables-tutorial/iptables-tutorial. and you should be warned of using this since it may result in really bad loops. noone on the internet would know that they where actually from us.5 and should hopefully be so for another period of time. and then to retransmit the packet. which would be our firewall. and then set an SNAT rule which would translate all packets from our local network to the source IP of our own internet connection. and tried to access the HTTP server at computer A. We could then turn on ip forwarding in the kernel.com. Note that you can. Note that the MIRROR target is only valid within the INPUT. Without doing this. the packet will jump back and forth 240-255 times. this does not make the target free of any likely problems. use the actual names instead of the actual hex values to set up the TOS value. MIRROR target The MIRROR target is an experimental demonstration target only. Lets say we set up a MIRROR target for port 80 at computer A. of course. For example. and I would be quite sure that someone has had a good laugh at some cracker or another that has cracked his own box via this target by now. the outside world would not know where to send reply packets. Note that this is a best case scenario for the cracker or scriptkiddie.

iptables will always try to not make any port alterations if it is possible. If we want to balance between several IP addresses we could use an range of IP addresses separated by a hyphen. DNAT target http://people. The source IP would then be set randomly for each stream that we open.org/andreasson/iptables-tutorial/iptables-tutorial. so if a client tries to make contact with an HTTP server outside the firewall. the packet. If a packet is matched. for example. DNAT target The DNAT target is used to do Destination Network Address Translation.155-194. but if two hosts tries to use the same ports.50. This target can be extremely useful. it would then look like. when you have an host running your webserver inside a LAN. it will not be mapped to the FTP control port. All the source ports would then be mapped to the ports specified.50. and a single stream would always use the same IP address for packets within that stream. host or network. but no real IP to give it that will work on the internet. Those between source ports 512 and 1023 will be mapped to ports below 1024.236.9 Página 163 Table 21.html 21:25:51 10/06/2002 . Table 22. As previously stated. and then routed on to the correct device. on to the real webserver within the LAN. iptables will always try to maintain the source ports used by the actual workstation making the connection. we will be able to deal with a kind of load balancing by doing this. takes one IP address to which we should transform all the source IP addresses in the IP header. such as the POSTROUTING chain. Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table. for example.50.236.Iptables Tutorial 1. This would hence look as within the example above. We may also specify a whole range of destination IP addresses. If no port range is specified. Hence.unix-fu. Note that this has nothing to do with destination ports.160:1024-32000 The --to-source option is used to specify which source the packets should use. then all source ports below 512 will be mapped to other ports below 512 if needed. Note that chains containing DNAT targets may not be used from any other chains.160 as described in the example above. which means that it is used to rewrite the Destination IP address of a packet. at it simplest. and all subsequent packets in the same stream will be translated. and the DNAT mechanism will choose the destination IP address at random for each stream. All other ports will be mapped to 1024 or above. 194. and this is the target of the rule.50.1. iptables will map one of them to another port. :102432000 or something alike.236. There may also be an range of ports specified that should only be used by SNAT. This option. and any of the chains called upon from any of those listed chains.155194.236. You could then tell the firewall to forward all packets going to its own HTTP port. SNAT target Option Example Explanation --to-source iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194.

67 --dport 80 -j DNAT --to-destination Example 192.23.1-192.168. that a single stream will always use the same host.1. which we don't know the actual address of at all times.html 21:25:51 10/06/2002 . the connection is lost anyways. This is done by adding. and that each stream will randomly be given an IP address that it will always be Destinated for. it is not favorable since it will add extra overhead.45. for example. which is optional. and the IP address is automatically grabbed from the information about the specific interface. Also note that we may add an port or port range to which the traffic would be redirected to. As you can see. kill a specific interface. an :80 statement to the IP addresses to which we want to DNAT the packets. MASQUERADE target http://people. This is in general the correct behaviour when dealing with dialup lines that are probable to be assigned a different IP every time it is up'ed.168. as described previously.10 Explanation The --to-destination option tells the DNAT mechanism which Destination IP to set in the IP header. Note.9 Página 164 --to-destination Option iptables -t nat -A PREROUTING -p tcp -d 15. When you masquerade a connection.1 through 10. The reason for this is that the MASQUERADE target was made to work with. you should instead use the SNAT target. namely 192. MASQUERADE target The MASQUERADE target is used basically the same as the SNAT target. just as the SNAT target. we may have been left with a lot of old connection tracking data.23. and there may be inconsistencies in the future which will thwart your existing scripts and render them "unusable". for example. dialup connections. which gets dynamic IP addresses when connecting to the network in question. and where to send packets that are matched. This means that you should only use the MASQUERADE target with dynamically assigned IP connections. which would be lying around for days.168. A rule could then look like --to-destination 192.unix-fu.45.168. We could also have specified only one IP address. for example. If you have a static IP connection. The MASQUERADE target also has the effect that connections are forgotten when an interface goes down.1. within that stream. in which case we would always be connected to the same host. It is still possible to use the MASQUERADE target instead of SNAT even though you do have an static IP.1:80-100 if we wanted to specify a port range.org/andreasson/iptables-tutorial/iptables-tutorial.168. and it is more or less idiotic to keep the entry around.1:80 for example. Note that the MASQUERADE target is only valid within the POSTROUTING chain in the nat table.67 to a range of LAN IP's. or like --todestination 192. swallowing up worthful connection tracking memory. but it does not require any -to-source option.1. The above example would send on all packets destined for IP address 15. Do note that port specifications are only valid for rules that specify the TCP or UDP protocols with the --protocol option. If we would have used the SNAT target. Table 23. or DHCP connections. it means that we set the IP address used on a specific network interface instead of the --to-source option. The MASQUERADE target takes on option specified below. however.1.1.Iptables Tutorial 1. as for the SNAT target even though they do two totally different things. In case we are assigned a different IP. which is extremely good if we. the syntax is pretty much the same for the DNAT target.1.

Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. will effectively http://people.1. as above. Note that this option is only available in rules specifying the TCP or UDP protocol with the -protocol matcher. Table 24.0. transparent proxying. where the LAN hosts do not know about the proxy at all.unix-fu. or something alike.org/andreasson/iptables-tutorial/iptables-tutorial. we would do it like --toports 8080-8090. the destination port is never altered. this rewrites the destination address to our own host for packets that are forwarded. One reason for doing this is if you have a bully ISP which don't allow you to have more than one machine connected to the same internet connection.Iptables Tutorial 1.9 Página 165 --to-ports Option iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000 Example The --to-ports option is used to set the source port or ports to use on outgoing packets. the lower port range delimiter and the upper port range delimiter separated with a hyphen.0. In other words. In other words. on our own host. --to-ports 8080 in case we only want to specify one port. Setting all TTL values to the same value.1 address. Without the --to-ports option. or port range. as described below. This alters the default SNAT port-selection as described in the SNAT target section. since it wouldn't make any sense anywhere else. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid. REDIRECT target The REDIRECT target is used to redirect packets and streams to the machine itself. and who actively pursue this. which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090. The REDIRECT target takes only one option. to use. TTL target The TTL target is used to modify the Time To Live field in the IP header. for example. One useful application of this is to change all Time To Live values to the same value on all outgoing packets.html 21:25:51 10/06/2002 . This is specified. Either you can Explanation specify a single port like --to-ports 1025 or you may specify a port range as --to-ports 1024-3000. The REDIRECT target is extremely good to use when we want. and nowhere else. Locally generated packets are mapped to the 127. It is also valid within user-defined chains that are only called from those chains. If we would want to specify an port range. The --to-ports option is only valid if the rule match section specifies the TCP or UDP protocols with the --protocol match. REDIRECT target Option Example Explanation --to-ports iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 The --to-ports option specifies the destination port.

we effectively make the firewall hidden from traceroutes. We may then reset the TTL value for all outgoing packets to a standardized value. if the TTL for an incoming packet was 53 and we had set -ttl-dec 3. see the ttl-inc. By setting the TTL one value higher for all incoming packets. For more information on how to set the default value used in Linux. NOTIFY ME --ttl-inc iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-inc 1 The --ttl-inc option tells the TTL target to increment the Time To Live value with the value specified to the --ttl-inc option. and if we specified --ttl-inc 4. a packet entering with a TTL of 53 would leave the host with TTL 56. --ttl-dec iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-dec 1 The --ttl-dec option tells the TTL target to decrement the Time To Live value by the amount specified after the --ttl-decoption. where the network code will automatically decrement the TTL value by 1.org/andreasson/iptables-tutorial/iptables-tutorial. read the ip-sysctl. since it may affect your network and it is a bit immoral to set this value to high. Traceroutes are a loved and hated thing. hence the packet will be decremented by 4 steps. but at the same time. Table 25. This means that we should raise the TTL value with the value specified in the --ttlinc option. The reason for this is that the networking code will automatically decrement the TTL value by 1. as for the previous example of the --ttl-dec option.html 21:25:51 10/06/2002 . It's not too long. For a good example on how this could be used. which you may find within the Other resources and links appendix. and nowhere else. IF ANYONE HAS A GOOD USAGE FOR THIS OPTION. such as 64 as specified in Linux kernel.unix-fu. It takes 3 options as of writing this. and it is not too short. since they provide excellent information on problems with connections and where it happens. and the higher the TTL. Note that the same thing goes here. http://people. A good value would be around 64 somewhere.1. The TTL target is only valid within the mangle table. the more bandwidth will be eaten unnecessary in such a case. Do not set this value too high. which it always does. TTL target Option Example Explanation --ttl-set iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-set 64 The --ttl-set option tells the TTL target which TTL value to set on the packet in question. it gives the hacker/cracker some good information about your upstreams if they have targeted you.9 Página 166 make it a little bit harder for them to notify that you are doing this.txt. since the packet may start bouncing back and forth between two misconfigured routers. This may be used to make our firewall a bit more stealthy to traceroutes among other things. all of them described below in the table. from 53 to 49 in other words.txt script. the packet would leave our host with a TTL value of 49. In other words.Iptables Tutorial 1.

If we specify 100 as above. There are 32 netlink groups. which are simply specified as 1-32. the whole packet will be copied to userspace. the packet information is multicasted together with the whole packet through a netlink socket.9 Página 167 ULOG target The ULOG target is used to provide userspace logging of matching packets. if we set the threshold to 10 as above. so the whole packet will be copied to userspace. --ulog-prefix iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: " The --ulog-prefix option works just the same as the prefix value for the standard LOG target. ULOG target Option Example Explanation --ulog-nlgroup iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2 The --ulog-nlgroup option tells the ULOG target which netlink group to send the packet to. making it much simpler to search for specific packets. For example. --ulog-cprange iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100 The --ulog-cprange option tells the ULOG target how many bytes of the packet to send to the userspace daemon of ULOG. The default value here is 1 because of backwards compatibility. and it contains much better facilities for logging packets. One or more userspace processes may then subscribe to various multicast groups and receive the packet.unix-fu. and then transmit it outside to the userspace as one single netlink multipart message. and other databases. This is in other words a more complete and more sophisticated logging facility that is only used by iptables and netfilter so far. --ulog-qthreshold iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10 The --ulog-qthreshold option tells the ULOG target how many packets to queue inside the kernel before actually sending the data to userspace. and is definitely most useful to distinguish different logmessages and where they came from. regardless of the packets size. and to group log entries etcetera. we would copy 100 bytes of the whole packet to userspace. Table 26. This option prefixes all log entries with a userspecified log prefix. which would include the whole header hopefully.Iptables Tutorial 1. http://people. The default value is 0. If we would like to reach netlink group 5. It can be 32 characters long. plus some leading data within the actual packet. we would simply write --ulog-nlgroup 5. If a packet is matched and the ULOG target is set.html 21:25:51 10/06/2002 . the userspace daemon did not know how to handle multipart messages previously.org/andreasson/iptables-tutorial/iptables-tutorial. This target enables us to log information to MySQL databases. If we specify 0. The default netlink groupd used is 1. the kernel would first accumulate 10 packets inside the kernel.1.

Note that all traffic that's forwarded goes through here (not only in one direction).Iptables Tutorial 1. we do all the filtering here. good examples of this is DNAT and SNAT and of course the TOS bits. With this we mainly mean the different routing decisions and so on. we're assuming that the packet is destined for another host on another network. ie.org/andreasson/iptables-tutorial/iptables-tutorial. This is extremely valuable information later on when you write your own specific rules. is the packet destined for our localhost or to be forwarded and where. In this example. changing TOS and so on. Forwarded packets Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire(ie.unix-fu. so you need to think about it when writing your ruleset. 21:25:51 10/06/2002 5 6 7 nat POSTROUTING http://people. We will also look at which points certain other parts that also are kernel dependant gets in the picture. This is also where Masquerading is done. The packet goes through the different steps in the following fashion: Table 1. Avoid filtering in this chain since it will be passed through in certain cases. Routing decision. This is especially needed if you want to write rules with iptables that chould change how different packets get routed. avoid doing filtering here since certain packets might pass this chain without ever hitting it. This chain is used for Destination Network Address Translation mainly. This chain should first and foremost be used for Source Network Address Translation. it hits the hardware and then get's passed on to the proper device driver in the kernel. eth0) This chain is normally used for mangling packets. or forwarded to another host or whatever happens to it. filter FORWARD The packet got routed onto the FORWARD chain. Then the packet starts to go through a series of steps in the kernel before it is either sent to the correct application (locally). Also we will speak about in which order the tables are traversed.1. internet) Comes in on the interface(ie.html . General When a packet first enters the firewall. ie. only forwarded packets go through here.9 Página 168 Traversing of tables and chains This chapter will talk about how packets traverse the the different chains and in which order. Source Network Address Translation is done further on.

there's quite a lot of steps to pass through. FORWARD is always passed by all packets that are forwarded over this firewall/ router. Internet) Comes in on the interface(ie. no matter what interface and so on it came from. Out on the wire again (ie.org/andreasson/iptables-tutorial/iptables-tutorial. This chain is used for Destination Network Address Translation mainly. however. Routing decision. I think. LAN). Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning. changing TOS and so on. but if you continue to dig in it.html . filter INPUT This is where we do filtering for all incoming traffic destined for our localhost. Table 3. Finally we look at the outgoing packets from our own localhost and what steps they go through. ie. it is suggested that you do not filter in this chain since it can have sideeffects. As you can see.9 Página 169 8 9 Goes out on the outgoing interface (ie. or anywhere else in case it is malformed. is the packet destined for our localhost or to be forwarded and where. server/client program) This is where we mangle packets. The packet can be stopped at any of the iptables chains. ie. Avoid filtering in this chain since it will be passed through in certain cases. Quite logical. eth0) This chain is normally used for mangling packets.Iptables Tutorial 1. Now. eth1). 21:25:51 10/06/2002 http://people.unix-fu. Do note that there is no specific chains or tables for different interfaces or anything like that. let us have a look at a packet that is destined for our own localhost.1. I think it gets clearer with time. Note that all incoming packets destined for this host passes through this chain. Local process/application (ie. Destination localhost Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire (ie. It would pass through the following steps before actually being delivered to our application to receive it: Table 2. server/client program) 5 6 7 Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain. Source localhost Step 1 2 Mangle OUTPUT Table Chain Comment Local process/application (ie. we are mainly interested in the iptables aspect of this lot.

eth0) On the wire (ie. could someone tell me when this will be fixed? Please? This is where we filter packets going out from localhost.html 21:25:51 10/06/2002 . and certain packets might slip through even though you set a default policy of DROP. If we would figure out a good map of all this. Goes out on some interface (ie. Internet) 7 8 We have now seen how the different chains are traversed in three separate scenarios. Nat POSTROUTING This is where we do Source Network Address Translation as described earlier. Routing decision. This is where we decide where the packet should go. It is suggested that you don't do filtering here since it can have sideeffects.9 Página 170 3 4 5 6 Nat Filter OUTPUT OUTPUT This is currently broken.Iptables Tutorial 1.1. it would look something like this: http://people.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.

http://people.html 21:25:51 10/06/2002 . this might still be wrong or it might change in the future. If you feel that you want more information.Iptables Tutorial 1. This test script should give you the necessary rules to test how the tables and chains are traversed.1.9 Página 171 Hopefully you got a clearer picture of how the packets traverses the built in chains now. All comments welcome.test-iptables. you could use the rc.org/andreasson/iptables-tutorial/iptables-tutorial.txt script.unix-fu.

In other words.html 21:25:51 10/06/2002 . only the first packet in a stream will hit this chain.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. The actual targets that does these kind of things are: http://people. and sometimes. One good reason for this could be that we don't want to give ourself away to nosy Internet Service Providers. and takes this as one of many signs of multiple computers connected to a single connection. Don't set this in other words for packets going to the internet unless you want to do routing decisions on it with iproute2.9 Página 172 Mangle table This table should as we've already noted mainly be used for mangling packets. In other words. Target's that only valid in the mangle table: TOS TTL MARK The TOS target is used to set and/or change the Type of Service field in the packet. they act faulty on what they get. The TTL target is used to change the TTL (Time To Live) field of the packet. These marks could then be recognised by the iproute2 programs to do different routing on the packet depending on what mark they have.1. the rest of the packets will automatically have the same action taken on them as the first packet. We could tell packets to only have a specific TTL and so on. The MARK target is used to set special mark values to the packet. nor will any DNAT. it should only be used to translate packets source field or destination field. Nat table This table should only be used for NAT (Network Address Translation) on different packets. After this. This could be used for setting up policies on the network regarding how a packet should be routed and so on. you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) fields and so on. SNAT or Masquerading work in this table. as we have said before. Note that this has not been perfected and is not really implemented on the internet and most of the routers don't care about the value in this field. Note that. Some Internet Service Providers does not like users running multiple computers on one single connection.Iptables Tutorial 1. We could also do bandwidth limiting and Class Based Queuing based on these marks. and there are some Internet Service Providers known to look for a single host generating many different TTL values. It is strongly adviced that you don't use this table to do any filtering in. or if they don't have any.

SNAT (Source Network Address Translation) is mainly used for changing the source address of packets. We will not go into deeper discussion about this table though. SLIP or DHCP. The MASQUERADE target will on the other hand work properly with Dynamic IP addresses that you may be provided when you connect to the Internet with. http://people.firewall file This chapter will deal with an example firewall setup and how the script file could look. If you're network uses 192. It could be used as is with some changes to the variables. but the MASQUERADE target takes a little bit more overhead to compute. however. Filter table The filter table is. mainly used for filtering packets. the targets discussed previously in this chapter are only usable in their respective tables. This is the place that we actually take action against packets and look at what they contain and DROP/ACCEPT depending on their payload. but need to change our local networks IP numbers to the same of the IP of our firewall. but is not suggested since it may not work perfectly together with your network setup. we change the destination address of the packet and reroute it to some other host. We can match packets and filter them however we want. The MASQUERADE target is used in exactly the same way as SNAT. hence making it possible to make connections from the LAN to the Internet. however. of course. this is the place that was designed for it. it automatically checks for the IP address to use. this is where we (should) do the main filtering.unix-fu.1. We have used one of the basic setups and dug deeper into how it works and what we do in it. and there is nothing special to this chain or special packets that might slip through because they are malformed. it will very likely run quite smooth with just a few fixes to it. This is mainly done to hide our local networks or DMZ. instead of doing as the SNAT target does and just use an IP address submitted while the rule was parsed.9 Página 173 DNAT SNAT MASQUERADE The DNAT (Destination Network Address Translation) target is mainly used in cases such as when you have one IP and want to redirect accesses to the firewall to some other host on a DMZ for example. In other words. The reason for this is that each time that the MASQUERADE target gets hit by a packet.org/andreasson/iptables-tutorial/iptables-tutorial. Almost all targets are usable in this chain. etc.x. rc.html 21:25:51 10/06/2002 . the packets would never get back from the Internet because these networks are regulated to be used in LAN's by IANA. as you already know. Of course we may do filtering earlier too.168. This should be used to get a basic idea on how to solve different problems and what you may need to think about before actually putting your scripts into work. The firewall will with this target automatically SNAT and De-SNAT the packets. As long as you have a very basic setup however. for example PPP. etcetera.x netmask for example. A good example when this is very good is when we have a firewall that we know the outside IP address of.Iptables Tutorial 1.

however.DHCP. This may vary a bit.9 Página 174 note that there might be more efficient ways of making the ruleset. For example. this section only consists of the $IPTABLES variable. This script does not contain any special configuration options for DHCP or PPPoE. you need to specify the IP address of the physical interface connected to the LAN as well as the IP range which the LAN uses and the interface that the box is connected to the LAN through. and the default location when compiling the iptables package by hand is /usr/ local/sbin/iptables. however. they are however left there so you can spot the differences between the scripts in a more efficient way. The same goes for all sections that are empty.txt is the configuration section. as you may see there is a Localhost configuration section. The $INET_IP should always be a fully valid IP address.html 21:25:51 10/06/2002 . which will point the script to the exact location of the iptables application. hence these sections are empty. The Local Area Network section contains most of the configuration options for your LAN.firewall Ok. ppp0. etcetera just to name a few possible device names. eth1. then you could always create a mix of the different scripts. or (hold yourself) create your own from scratch. the script has been written for readability so that everyone can understand it without having to know too much BASH scripting before reading this example rc.firewall. Also. which are necessary. I suggest you read through the script file to get a basic hum about how it looks. many distributions put the actual application in another location such as /usr/sbin/iptables and so on.unix-fu. http://people. Instead of looking for comments. explanation of rc.Iptables Tutorial 1. You should at least be if you have come this far. Mainly. the $INET_IFACE variable should point to the actual device used for your internet connection. just below the Localhost configuration. If you need these parts.0.1. however you will with 99% certainty not change any of the values within this section since you will almost always use the 127.txt. then you should probably look closer at the rc.firewall. if you got one (if not. and then you return here to get the nitty gritty about the whole script. Also. your IP address will always change. read on since this script will introduce a lot of interesting stuff anyways). We do provide it.0.1 IP address and the interface will amost certainly be named lo. Also.txt (also included in the Example scripts codebaseappendix) is fairly large but not a lot of comments in it. This could be eth0. hence it is available here.firewall Configuration options The first section you should note within the example rc. so you have everything set up and are ready to check out an example configuration script. tr0.firewall. This example rc. you will find a brief section that pertains to the iptables. However. For example.org/andreasson/iptables-tutorial/iptables-tutorial. This should always be changed since it contains the information that is vital to your actual configuration.

For more information about the ipt_owner match. The NAT helpers on the other hand. etcetera. You could also disallow all users but your own user and root to connect from your box to the Internet. For example. Since this local network address is not valid outside your own network. Creating these kind of connections requires the IP address and ports to be sent within the IRC protocol. if you want to have support for the LOG. The FTP NAT helpers do all of the translations within these connections so the FTP server will actually know where to connect.9 Página 175 Initial loading of extra modules First.unix-fu. The same thing applies for DCC file transfers (sends) and chats. the FTP server will not know what to do with it and hence the connection will break down. We may also load extra modules for the state matching code here. the whole connection will be broken. Without the helpers. Without these helpers. However. we load these modules as follows: /sbin/insmod ipt_LOG /sbin/insmod ipt_REJECT /sbin/insmod ipt_MASQUERADE Next is the option to load ipt_owner module. since it will take some extra effort to make additional rules this way. REJECT and MASQUERADE targets and don't have this compiled statically into your kernel. This is due to how the DCC starts a connection. Without these so called helpers. This is for security reasons. for example. you could allow only root to do FTP and HTTP connections to redhat and DROP all the others. we see to it that the module dependencies files are up to date by issuing an /sbin/depmod -a command. For a long explanation of these conntrack and nat modules. which could for example be used to only allow certain users to make certain connections. there is only the option to load modules which add support for the FTP and IRC protocols. As of this writing.1. some FTP and IRC stuff will work no doubt. but not be able to send files. and it sends connection information within the actual payload of the packet. read the Common problems and questionmarks appendix. First off. however. might be boring for others. but you will be a bit more secure to bouncing hacker attacks and attacks where the hacker will only use your host as an intermediate host. the DCC connection will look as if it wants the receiver to connect to some host on the receivers own local network. look at the Owner match section within the How a rule is built chapter.html 21:25:51 10/06/2002 . There are also H. some other things will not work.org/andreasson/iptables-tutorial/iptables-tutorial. which in turn requires some translation to be done. and if possible try to avoid having modules lying around at all unless you will be using them. I will not use that module in this example but basically. as well as http://people. Always avoid loading modules that you do not need. Connection tracking helpers are special modules that tells the kernel how to properly track the specific connections. Now. you may be able to receive files over DCC. the other way around. For example. All modules that extend the state matching code and connection tracking code are called ip_conntrack_* and ip_nat_*. you tell the receiver that you want to send a file and where he should connect to. After this we load the modules that we will require for this script. are extensions of the connection tracking helpers that tells the kernel what to look for in specific packets and how to translate these so the connections will actually work. the kernel would not know what to look for when it tries to track specific connections. if one of your hosts NAT'ed boxes connect to a FTP server on the internet. In other words. it will work flawlessly since the sender will (most probably) give you the correct address to connect to. it will send its own local network IP address within the payload of the packet.Iptables Tutorial 1. So.323 conntrack helpers within the patch-o-matic. and tells the FTP server to connect to that IP address. FTP is a complex protocol by definition.

This will lead to a brief period of time where the firewall will accept forwarding any kind of traffic for everything between a millisecond to a minute depending on what script we are running and on what box. This may give malicious people a small timeframe to actually get through our firewall. it may be worth looking at that appendix in the future. but it will make it possible for the computer to do NAT on these two protocols. proc set up At this point we start the IP forwarding by echoing a 1 to /proc/sys/net/ipv4/ ip_forward in this fashion: echo "1" > /proc/sys/net/ipv4/ip_forward It may be worth a thought where and when we turn on the IP forwarding.org/andreasson/iptables-tutorial/iptables-tutorial. In this script and all others within the tutorial. for example if you use SLIP.unix-fu. do contain a small section of non-required proc settings. we turn it on before actually creating any kind of IP filters (ie. this option should really be turned on after creating all firewall rules. ip_dynaddr by doing the following : echo "1" > /proc/sys/net/ipv4/ip_dynaddr If there is any other options you might need to turn on you should follow that style. in case there are possible additional links added to other and better resources of information.1. You will also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before actually loading the NAT modules. however.9 Página 176 some other conntrack helpers. Displacement of rules to different chains http://people. These may be a good starters to look at. read the Preparations chapter. there's other documentations on how to do these things and this is out of the scope of this documentation. In other words.html 21:25:51 10/06/2002 . Note that you need to load the ip_nat_irc and ip_nat_ftp if you want Network Adress Translation to work properly on any of the FTP and IRC protocols. do not turn these on before actually knowing what they mean.firewall. To be able to use these helpers. They are used the same way as the conntrack modules. I have chosen to turn it on here to maintain consistency with the script breakdown currently user. and all others contained within this tutorial. which is also available within the Other resources and links appendix.txt script. In case you need dynamic IP support. PPP or DHCP you may enable the next option. The rc. however. iptables rulesets).Iptables Tutorial 1. For a better explanation on how this is done. There is a good but rather brief document about the proc system available within the kernel. Also. you need to use the patch-o-matic and compile your own kernel.

let's make clear what our goals are. However. but instead further on in the chapter. This will effectively kill all connections and all packets that we do not explicitly allow inside our network or our firewall.9 Página 177 This section will briefly describe my choices within the tutorial regarding user specified chains and some choices specific to the rc. the Internet is most definitely not a trusted network and hence we want to block them from getting to our local network. This is a really trivial picture in comparison to the one in the Traversing of tables and chains chapter where we discussed the whole traversal of chains and tables in depth. I have displaced all the different user-chains in the fashion I have to save as much CPU as possible but at the same time put the main weight on security and readability.txt script. With these pictures and explanations. In this case.firewall.Iptables Tutorial 1. Hopefully.unix-fu. this script has as a main priority to only allow traffic that we explicitly want to allow. we want to allow all kind of traffic from the local network to the internet. I simply match all TCP packets and then let the TCP packets traverse an user specified chain. Some of the paths I have chosen to go here may be wrong from one or another of aspect. PPP and SLIP and others).html 21:25:51 10/06/2002 . This way we do not get too much overhead out of it all. and we trust our local network fully and hence we will not block any of the traffic from the local network. one firewall and an Internet connection connected to the firewall. This example is also based upon the assumption that we have a static IP to the internet (as opposed to DHCP. The following picture will try to explain the basics of how an incoming packet traverses netfilter. Since the local network is fully trusted. this will remind you a little bit of how the specific tables and chains are traversed in a real live example. this section contains a brief look back to the Traversing of tables and chainschapter. Instead of letting a TCP packet traverse ICMP. I wish to explain and clarify the goals of this script. we want to set default policies within the chains to DROP.org/andreasson/iptables-tutorial/iptables-tutorial. UDP and TCP rules. Based upon these general assumptions. Also. We will not discuss any specific details yet. we would also like to let our local network do connections to the internet. I hope to point these aspects and possible problems out to you when and where they occur. In the case of this scenario. Also. http://people. let's look at what we need to do and what we do not need to do. we also want to allow the firewall to act as a server for certain services on the internet. Based upon this picture.1. This whole example script is based upon the assumption that we are looking at a scenario containing one local network. To do this.

we have decided to allow HTTP. However. However. In this script. Finally. UDP or ICMP. we want to split the rules down into subchains. we want to do some extra checking on the TCP packets. we want to add special rules to allow all traffic from the local network as well as the loopback network interface. Also.1. before we implement this. we will need to NAT all packets since none of the local computers have real IP addresses. and hence it should be allowed through the INPUT chain. we choose to split the different packets down by their protocol family. These packets. SSH and IDENTD access to the actual firewall. these will traverse the icmp_packets chain. FTP.9 Página 178 First of all.html 21:25:51 10/06/2002 . nor do we want to allow some IP ranges to reach the firewall from the Internet. which will contain rules for all TCP ports and protocols that we want to allow.0/8 address range is reserved for local networks and hence we would normally not want to allow packets from such a address range since they would with 90% certainty be spoofed. for example TCP. and hence we accept the directly.0. Also. For a closer discussion of this. and the loopback device and IP address are also trusted. we want the local network to be able to connect to the internet. We trust our local network to the fullest. of course. as well as the fact we want to traverse as few rules as possible. our packets will hopefully only need to traverse as few rules as possible. we may be a bit low on funds perhaps. By doing this. which is created last in this script. This means that we will also have to do some filtering within the FORWARD chain since we will otherwise allow outsiders full access to our local network. To do this. Since we have an FTP server running on the server. we could not see any specific needs for extra checks before allowing the ICMP packets through if we agree with the type and code of the ICMP packet. All TCP packets traverse a specific chain named tcp_packets. As for our firewall. and because of that we specifically allow all traffic from our local network to the internet. All of this is done within the PREROUTING chain. This chain we choose to call the "allowed" chain. When we decided on how to create this chain. and should contain a few extra checks before finally accepting the packet. For the same reason. so we would like to create one more subchain for all packets that are accepted for using valid port numbers to the firewall. http://people. we also trust the local network fully. Because of this. read the Common problems and questionmarks chapter.unix-fu. Since noone on the Internet should be allowed to contact our local network computers. For instance. Therefore. we will want to block all traffic from the Internet to our local network except already established and related connections. and we need to allow the return traffic through the OUTPUT chain. which in turn will allow all return traffic from the Internet to our local network. By traversing less rules. we make the ruleset less timeconsuming for each packet.org/andreasson/iptables-tutorial/iptables-tutorial. we add a rule which lets all established and related traffic through at the top of the INPUT chain. All of these protocols are available on the actual firewall. or we just want to offer a few services to people on the internet. and reduce redundancy within the network. As for ICMP packets.0. we have the UDP packets which needs to be dealt with. we do not want to allow specific packets or packet headers in specific conjunctions.Iptables Tutorial 1. we send to the udp_packets chain which handles all incoming UDP packets. we must note that certain Internet Service Providers actually use these address ranges within their own networks. the 10.

and if not they will be dropped by the default policy in the OUTPUT chain. Since we actually trust the firewall quite a lot. as well as all of the rulesets within the chains. now you got a small picture on how the packet traverses the different chains and how they belong together. we allow pretty much all traffic leaving the firewall. such as speak freely and ICQ. Finally. However. iptables -P <chain name> <policy> The default policy is used every time the packets don't match a rule in the chain.org/andreasson/iptables-tutorial/iptables-tutorial. The new chains are created and set up with no rules inside of them.html 21:25:51 10/06/2002 . INPUT chain http://people. We would most likely implement this by adding rules that ACCEPT all packets leaving the firewall in case they come from one of the IP addresses assigned to the firewall. We do not do any specific user blocking. It is now about time that we take care of setting up all the rules and chains that we wish to create and to use. The chains we will use are icmp_packets. nor do we do any blocking of specific protocols. You should also have a clear picture of the goals of this script. and if they are of an allowed type we should accept them immediately without any further checking. and hence we only want to allow traffic from the IP addresses assigned to the firewall itself.1. tcp_packets. this box is also used as a secondary workstation and to give some extra levy for this. udpincoming_packets and the allowed chain for tcp_packets. we want to allow certain specific protocols to make contact with the firewall itself. we have the firewalls OUTPUT chain. we create the different special chains that we want to use with the -N command.unix-fu. After this.9 Página 179 All incoming UDP packets should be sent to this chain. Since we are running on a relatively small network. of TCP type. Incoming packets on eth0. First of all. will be redirected to tcp_packets and incoming packets of UDP type from eth0 go to udpincoming_packets chain. will be redirected to the chain icmp_packets. Setting up the different chains used So. we do not want people to use this box to spoof packets leaving the firewall itself. of ICMP type. we set all the default policies on the different chains with a quite simple command.Iptables Tutorial 1.

After this. except to portscan people http://people. some applications depend on it such as Samba etc. then we. First of all we match all ICMP packets in the INPUT chain that come on the incoming interface $INET_IFACE. something that some might consider a security problem.html 21:25:51 10/06/2002 . Before we hit the default policy of the INPUT chain. we allow broadcast traffic from our LAN. and send those to the icmp_packets. and after this all UDP packets get sent to udpincoming_packets chain. I allow everything that comes from my own Internet IP that is either ESTABLISHED or RELATED to some connection. Hence. we didn't reply to the SYN packet. which was previously described. which in my case would be 192. as you might remember. or finally it might be a problem in our firewall not allowing traffic that should be allowed. we create the chain the same way as all the others. The TCP allowed chain If a packet comes in on eth0 and is of TCP type.0. Then we check if the packet comes from an ESTABLISHED or RELATED connection. we check for everything that comes from our $LOCALHOST_IP. we log them to our logs and then we DROP them. After that. allow it. which would normally be 127. and since we've got a SYN packet. Though. Finally. of course.org/andreasson/iptables-tutorial/iptables-tutorial. In this case this pretty much means everything that hasn't seen traffic in both directions.0. or they are trying to start the connection with a non SYN packet. Also. Everything that hasn't yet been caught will be DROP'ed by the default policy on the INPUT chain. we allow this. If you want to fully understand this. if it does. it travels through the tcp_packets chain. also we set a prefix to all log entries so we know where it came from. In either case we want to know about it so it can be dealt with.0/24. we want to do some final checks on it to see if we actually do want to allow it or not. Either it might be a packet that we just dont want to allow or it might be someone who's doing something bad to us. The default policy was set quite some time back.1 and ACCEPT all incoming traffic from there. We do certain checks for bad packets here. and it will work much better on slow machines which might otherwise drop packets at high loads. These applications will not work properly without it. it is most likely to be the first packet in a new connection so. These packets could be allowed under certain circumstances but in 99% of the cases we wouldn't want these packets to get through. we log it so we might be able to find out about possible problems and or bugs. and after this.1. ie. again of course. you need to look at the Appendices regarding state NEW and non-SYN packets getting through other rules.unix-fu.0. we check if the packet is a SYN packet. which in my case is eth0. First of all. If it is a SYN packet. we don't log more than 3 packets per minute as to not getting flooded with crap all over the log files. the connection then must be in state ESTABLISHED. This way we don't get too much load from the iptables. do the same for everything to $LAN_IP.168. if the connection is against an allowed port. An ESTABLISHED connection is a connection that has seen traffic in both directions. and a reply to this SYN packet. The last rule in this chain will DROP everything else.9 Página 180 The INPUT chain as I've written it uses mostly other chains to do the hard work.Iptables Tutorial 1. There is no practical use of not starting a connection with a SYN packet. we do the same match for TCP packets on the $INET_IFACE and send those to the tcp_packets chain.

I might be wrong in blocking some of these ICMP types for you. and a Time Exceeded is sent back from the first gateway en route to the host we're trying to traceroute. The ICMP chain This is where we decide what ICMP types to allow. -p TCP tells it to match TCP packets and -s 0/0 matches all source addresses from 0.1. is allowed in the case where we might want to traceroute some host or if a packet gets its Time To Live set to 0.9 Página 181 pretty much. For more information on ICMP types and their usage. For a complete listing of all ICMP types. If all the criteria are matched. but in my case. we will be unable to ping other hosts. If a packet of ICMP type comes in on eth0 on the INPUT chain. This way we won't have to wait until the browser's timeouts kicks in after some 60 seconds or more. As a side-note. there is still more checks to do. Postel. For example.0. The TCP chain So now we reach TCP connections. in other words all sources addresses. in other words if the packet is destined for port 21 they also match. which we described previously. Redirect and Time Exceeded.0. everything works perfectly while blocking all the other ICMP types that I don't allow. see the appendix ICMP types. if we don't allow this. and the host is unreachable. As it is now. This specifies what ports that are allowed to use on the firewall from the Internet. Though.0.html 21:25:51 10/06/2002 .Iptables Tutorial 1. The reason that I allow these ICMP packets are as follows. when you traceroute someone.org/andreasson/iptables-tutorial/iptables-tutorial. Here we check what kind of ICMP types to allow. and so on until we get an actual reply from the host we finally want to get to. Time Exceeded. the rule will be added to the end of the chain. then the packet will be targeted for the allowed http://people.Internet Control Message Protocol by J. you start out with TTL = 1. the last gateway that was unable to find the route to the host replies with a Destination Unreachable telling us that it was unable to find it. Destination unreachable.0 with netmask 0. so for example if we send a HTTP request. hence we send each and one of them on to allowed chain. hence. DROP the crap since it's 99% sure to be a portscan. Destination Unreachable is used if a certain host is unreachable. we will get a reply about this. --dport 21 means destination port 21. Echo Replies is what you get for example when you ping another host. we then redirect it to the icmp_packets chain as explained before. and it gets down to 0 at the first hop on the way out. I only allow incoming ICMP Echo Replies. There is no currently available TCP/IP implementation that supports opening a TCP connection with something else than a SYN packet to my knowledge.0.unix-fu.0. this is actually the default behaviour but I'm using it for brevity in here. i suggest reading the following documents and reports : The Internet Control Message Protocol ICMP RFC 792 . then TTL = 2 and the second gateway sends Time Exceeded. -A tcp_packets tells iptables in which chain to add the new rule.

we send them on to udpincoming_packets where we once again do a match for the UDP protocol with -p UDP and then match everything with a source address of 0. if you want to allow anyone from the outside to use a shell on your box at all. we ACCEPT them directly.txt file.0. we can unload the ip_conntrack_ftp module and delete the $IPTABLES -A tcp_packets -p TCP -s 0/ 0 --dport 21 -j allowed line from the rc. This protocol is used to set your computer clock to the same time as certain other time servers which have very accurate clocks. As it is now. We don't want this behaviour. hopefully. And finally we allow port 113. As it is now. in other words everything again. they will be passed back to the original chain that sent the packet to the tcp_packets chain.html 21:25:51 10/06/2002 . There is at least 5 different ICQ clones for Linux and it's one of the most widely used chat programs in the world. Though. If we don't want to allow FTP at all. Firewalls should always be kept to a bare minimum and not more. in other words your web server.0 and netmask 0. If they have a source port of 53 also. http://people. much better than allowing telnet on port 23.0. or even better. I doubt there is any further need to explain what it is.9 Página 182 chain. I personally also allow port 123.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. Port 80 is HTTP. which is IDENTD and might be necessary for some protocols like IRC.firewall. I ACCEPT incoming UDP packets from port 53. a headset. of course. This should be an extremely well known protocol that is used by the Mirabilis application named ICQ. We currently also allow port 2074. hence we allow DNS. It is always a bad idea to give others than yourself any kind of access to these kind of boxes. which is what we use to do DNS lookups. well. I allow TCP port 21. If you feel like adding more open ports with this script. delete it if you don't want to run a web server on your site. Port 4000 is the ICQ protocol. which is used to control FTP connections and later on I also allow all RELATED connections. loaded.1. which is NTP or network time protocol. which is used for certain real-time `multimedia' applications like speak freely which you can use to talk to other people in real-time by using speakers and a microphone. If it doesn't match any of the rules. etc to work properly. its quite self explanatory how to do that by now=). without this we wouldn't be able to do domain name lookups and we would be reversed to only use IP's. Note that you are dealing with a firewall.unix-fu.0. The UDP chain If we do get a UDP packet on the INPUT chain. or FTP control port.0.0. Port 22 is SSH. I'm allowing it per default since I know there are some who actually do. most of you probably don't use this protocol. and that way we allow PASSIVE and PORT connections since the ip_conntrack_ftp module is.

x. among other things since this chain is only traversed by the first packet in a stream.1. in such case. After this we allow everything in a state ESTABLISHED or RELATED from everywhere. This might be used in the opposite direction.9 Página 183 OUTPUT chain Since i know that there's pretty much no one but me using this box which is partially used as a Firewall and a workstation currently.x or 172. PREROUTING chain of the nat table The PREROUTING chain is pretty much what it says. such as in case we get packets from the Internet interface that claim to have a source IP of 192.x. too.Iptables Tutorial 1. FORWARD chain Even though I haven't actually set up a certain section in the rc. we drop them quicker than hell since these IP's are reserved especially for local intranets and definitely shouldn't be used on the Internet. And after this we log everything and drop it. First of all we check for obviously spoofed IP addresses. I allow pretty much everything that goes out from it that has a source address $LOCALHOST_IP. and prefix them with a short line that is possible to grep for in the logfiles.txt example file. in other words. As it is now.168. we first of all ACCEPT all packets coming from our LAN with the following line: /usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT So everything from our Localnet's interface gets ACCEPT'ed whatever the circumstances.x. it does network adress translation on packets before they actually hit the routing tables that sends them onwards to the INPUT or FORWARD chains in the filter table. Starting the Network Address Translation http://people. if we open a connection from our LAN to something on the Internet. If it does get dropped. We log maximally 3 log entries per minute as to not flood our own logs. Also we log them with debug level. Finally we DROP the packet in the default policy. I would like to comment on the few lines in there anyways. it should be used for network adress translation. As it looks now.x. Everything else might be spoofed in some fashion. we allow the packets coming back from that site that's either ESTABLISHED or RELATED but nothing else.html 21:25:51 10/06/2002 . We finally hit the default policy of the FORWARD chain that says to DROP everything.unix-fu. even though I doubt anyone that I know would do it on my box. or it's a weird packet that's spoofed. we'll sure as hell want to know about it for some reason or another. $LAN_IP or $STATIC_IP. we don't do that though.x. we might drop that too.x.org/andreasson/iptables-tutorial/iptables-tutorial. if we get an packet from $LAN_IFACE that claims to not come from an IP address in the range which we know that our LAN is on.firewall. Either it's a nasty error.16. Last of all we log everything that gets dropped. 10. Note that this chain should not be used for any filtering or such.

These scripts are not in any way perfect. So all packets that match this rule will be masqueraded to look as it came from your Internet interface. For me this would be eth0. there are specific variables added to these example scripts that may be used to automatically configure these settings. per default settings in this script) and finally we target the packet for MASQUERADE'ing. isn't it? The next step we take is to ACCEPT all packets traversing the FORWARD chain in the default table filter that come from the input interface eth1 which is my interface connecting to the internal network. rc. We allow this rule to be matched a maximum of 3 times per minute with a burst limit of 3.unix-fu. and the burst is also set to 3 so if we get 3 log entries in 2 seconds. The first section of this tutorial deals with the actual structure that I have established in each script so we may find our way within the script a bit easier.1. The -t option tells us which table to use. and to provide an overlook of the scripts and what services they provide.txt script structure All scripts written for this tutorial has been written after a specific structure.firewall. In some cases these might be packets that should have gotten through but didn't. then when the Internet box replies. All packets that are being forwarded on our box traverse the FORWARD chain in the filter table. It is in other words up to you to make these scripts suitable for your needs. it'll have to wait for another 1 minute for the next log entry. but also to improve the readability a bit. However. This is good if someone starts to flood you with crap stuff that otherwise would generate many megabytes of logs. correct? At least to me. or logging facility what kind of importance this log entry has. First of all we add a rule to the nat table. in this case nat while the -A command tells us that we want to Add a new rule to an existing chain named POSTROUTING and -o $INET_IFACE tells us to match all outgoing packets on INET_IFACE (or eth0. our final mission would be to get the MASQUERADEing up. The last thing we do is to log all traffic that gets dropped over the border.9 Página 184 So. mainly to make them easier to configure. we first send a packet from our local box behind eth1. These settings are widely used within the example scripts. This chapter should hopefully http://people. it gets caught by this rule since the connection has seen packets in both directions. in other cases it might be packets that definitely shouldn't get through and you want to be notified about this. The next thing we do is to ACCEPT all packets from anywhere that are ESTABLISHED and/or RELATED to some connection. We also set a prefix to the log with the --log-prefix and set the log level with the --log-level. and hits the default policy. In other words.Iptables Tutorial 1.html 21:25:51 10/06/2002 . Example scripts The objective of this chapter is to give a fairly brief and short explanation of each script available with this tutorial. and they may not fit your exact intentions perfectly. The rest of this tutorial should most probably be helpful in making this feat. Simple. The reason for this is that they should be fairly conformative to each other and to make it easier to find the differences between the scripts. This means we get maximally 3 log entries per minute from this specific line. This structure should be fairly well documented in this brief chapter.org/andreasson/iptables-tutorial/iptables-tutorial. and since it comes from eth1 we ACCEPT it. Log level tells the syslogd. in the POSTROUTING chain that will masquerade all packets going out on our interface connected to the Internet.

3. etcetera). 1.These options pertain to our localhost. 1. they should first of all be fitted into the correct subsection (If it pertains to the Internet connection. The structure This is the structure that all scripts in this tutorial should follow. Most scripts lacks this section. unless it is specifically explained why I have broken this structure. This is most likely.unix-fu. Hopefully. but we have put most of it into variables anyway. 4. and if there are any special circumstances that raises the chances that he is using a PPPoE connection. 5. 6.org/andreasson/iptables-tutorial/iptables-tutorial. LAN . Configuration .If there is any LAN available behind the firewall.html 21:25:51 10/06/2002 . Other . do note that this may not be the best structure for your scripts. If they differ in some way it is probably an error on my part. Even though this is the structure I have chosen.If there are any other specific options and variables.Iptables Tutorial 1. It is only a structure that I have chosen to use since it fits the need of being easy to read and follow the best according to my logic.9 Página 185 give a short understanding to why all the scripts has been written as they have. it should be subsectioned directly to the configuration options somewhere. If it does not fit in anywhere.This section contains iptables specific configuration. and why I have chosen to maintain this structure. Internet . mainly because any normal home network. we will add options pertaining to that in this section. PPPoE .1. 2.If there are possibly any special DHCP requirements with this specific script. In most scripts and situations this should only require one variable which tells us where the iptables binary is located. DMZ . http://people. 2.If there are a possibility that the user that wants to use this specific script. This could be skipped if we do not have any Internet connection. hence this section will almost always be available. will not have one. Localhost . or small corporate network. Configuration options should pretty much always be the first thing in any shell-script. there should be no reason to change these variables. it should be subsectioned there. These variables are highly unlikely to change. we will add a DMZ zone configuration at this point.First of all we have the configuration options which the rest of the script should use.This is the configuration section which pertains to the Internet connection.If there is any reason to it. but only such that pertains to our Internet connection. we will add specific options for those here. 1. iptables . Note that there may be more subsections than those listed here. we will add the DHCP specific configuration options here. DHCP .

org/andreasson/iptables-tutorial/iptables-tutorial. and if you want to add the service it provides.1.This section should contain non-required proc configurations that may prove useful.html 21:25:51 10/06/2002 .This section should contain all of the required proc configurations for the script in question to work. 3. but far from all of them. they should be commented out per default. This should normally be noted in such cases within the example scripts. Normally I will set DROP policies on the chains in the filter table. First of all we should set up all the policies in the table.9 Página 186 2. 1. 2. while the second part should contain the non-required modules.This section of the scripts should maintain a list of modules. or add certain services or possibilities. Non-required proc configuration . Module loading . and possibly which adds special services or possibilities for the administrator or clients. All user specified chains are created before we do anything to the system builtin chains. they will be listed as such. Filter table . since they are not actually necessary to get the script to work.By now the scripts should most probably be ready to insert the ruleset. and possibly special modules that adds to the security or adds special services to the administrator or clients. Required proc configuration . Set policies . We will not be able to use these chains in the systemchains anyways if they are not already created so we could as well get to it as soon as possible. 2. 1. may have been added even though they are not required. I have also chosen to set the chains and their rulespecifications in the same order as they are output by the iptables -L command.unix-fu. All of these modules should be commented out per default.Iptables Tutorial 1. Note that some modules that may raise security. it is up to you. if not. Most of the useful proc configurations will be listed here. and specifically ACCEPT services and streams that I want to allow inside. This way we will get rid of all ports that we do not want to let people use. rules set up . Non-required modules . This list will contain far from all of the proc configurations or nodes.This section should contain the required modules. 1. I have chosen to split all the rules down after table and then chain names.First of all we go through the filter table and its content. The first part should contain the required modules. proc configuration . Create user specified chains .This section should take care of any special configuration needed in the proc filesystem. All of them should be commented out. 1. http://people. Required modules . It could possibly also contain configurations that raises security. 2. 4.Set up all the default policies for the systemchains. If some of these options are required. and listed under the non-required proc configurations.At this point we create all the user specified chains that we want to use later on within this table.This section contains modules that are not required for normal operations.

we do not have a lot of things left to do within the filter table so we get onto the INPUT chain.Last of all in the filter table. I let these chains be set to ACCEPT since there is no reason not to do so.org/andreasson/iptables-tutorial/iptables-tutorial. when the NAT has been turned on. just in case. Nothing special about this decision. nat table . it is totally up to you. At this point we should add all rules within the INPUT chain.Iptables Tutorial 1. 1. This table should not be used for filtering anyways. You may as well put this later on in your script.9 Página 187 3. INPUT chain . Set policies . OUTPUT chain . First of all we do not want to turn the whole forwarding mechanism and NAT function on at a too early stage. which could possibly lead to packets getting through the firewall at just the wrong timepoint (ie. At this point we start following the output from the iptables -L command as you may see. but I have added this section anyways.At this point we go on to add the rules within the FORWARD chain. Create user specified chains .unix-fu. do try to avoid mixing up data from different tables and chains since it will become much harder to read such rulesets and to fix possible problems. The same thing goes here as for the user specified chains in the filter table. I look upon the nat table as a sort of layer that lies just outside the filter table and kind of surrounds it. 3. and we should not let packets be dropped here since there are some really nasty things that may happen in such cases due to our own presumptions. 2. but none of the filter rules has been run). 5. There is no reason for you to stay with this structure. while the nat table acts as a layer lying around the filter table.When we have come this far. http://people. 4. 6. The only reason I have to enter this data at this point already is that may as well put it close to the creation of the user specified chains. We add this material here since I do not see any reason not to. Normally.html 21:25:51 10/06/2002 . Also.1. The filter table would hence be the core.At this point we create any user specified chains that we want within the nat table. Normally I do not have any of these. but not too far from reality. and finally the mangle table lies around the nat table as a second layer. This may be wrong in some perspectives.After the filter table we take care of the nat table.First of all we set up all the default policies within the nat table. I will be satisfied with the default policy set from the beginning. Create content in user specified chains . FORWARD chain . This is done after the filter table because of a number of reasons within these scripts.After creating the user specified chains we may as well enter all the rules within these chains. There should hopefully not be too much to do at this point.By now it should be time to add all the rules to the user specified chains in the nat table. namely the ACCEPT policy. however. we add the rules dealing with the OUTPUT chain. Note that the user specified chains must be created before they can actually be used within the systemchains. 3. Create content in user specified chains .

I have not set any policies in any of the scripts in the mangle table one way or the other. Set policies .The OUTPUT chain is barely used at all in any of the scripts.unix-fu. 3. and you are encouraged not to do so either. this section was added just in case someone.Iptables Tutorial 1.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. Create content in userspecified chains . POSTROUTING chain .The PREROUTING chain is used to do DNAT on packets in case we have any need for it. 5. 6. such as masking all boxes to use the exact same TTL or to change TOS fields etcetera. Create user specified chains . http://people. Within some scripts we have this turned on by default since the sole purpose of those scripts are to provide such services. PREROUTING chain . OUTPUT chain . The same thing goes here as for the nat table pretty much. FORWARD chain . you may att this point add the rules that you want within them here.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. As it looks now.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. and hence you should avoid it all together. mangle table .org/andreasson/iptables-tutorial/iptables-tutorial. Since I have barely used the mangle table at all in the scripts. Normally I will not use this table at all.Create all the user specified chains. If anyone has a reason to use this chain. OUTPUT chain . or I.The POSTROUTING chain should be fairly well used by the scripts I have written since most of them depend upon the fact that you have one or more local networks that we want to firewall against the Internet. send me a line and I will add it to the tutorial. 2. I have in other words chosen to leave these parts of the scripts more or less blank. but I have been unable to find any good reasons to use this chain so far.If you have any user specified chains within this table. but in certain cases we are forced to use the MASQUERADE target instead. with a few exceptions where I have added a few examples of what it may be used for. 1.The last table to do anything about is the mangle table. or at the very least commented out. it is not broken. In most scripts this feature is not used. 6.Set the default policies within the chain. would have the need for it in the future. 5. since it should normally not be used for anyone. 5.html 21:25:51 10/06/2002 .9 Página 188 4. I have neither created any chains here since it is fairly unusable without any data to use within it.1. 4. The table was not made for filtering. Mainly we will try to use the SNAT target. reason being that we do not want to open up big holes to our local network without knowing about it. However. unless they have specific needs. INPUT chain . 7. PREROUTING .At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.

DHCP.firewall. PPP.Iptables Tutorial 1. SLIPor some other protocol that assigns you an IP automatically.firewall file chapter should explain every detail in the script most thoroughly. http://people. The rc.1. There is nothing that says that this is the only and best way to go. where you have one LAN and one Internet Connection. and should mainly just be seen as a brief explanation to what and why the scripts has been split down as they have.firewall.unix-fu. rc. Do note that these descriptions are extremely brief. For example. POSTROUTING chain .txt The rc.org/andreasson/iptables-tutorial/iptables-tutorial. This script also makes the assumption that you have a static IP to the Internet.txt script. Hopefully this should explain more in detail how each script is structured and why they are structured in such a way.firewall. please take a closer look at the rc.9 Página 189 8.txt script is the main core on which the rest of the scripts are based upon. and hence don't use DHCP. Mainly it was written for a dual homed network.html 21:25:51 10/06/2002 . If you are looking for a script that will work with those setups.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.

Do note that this will "steal" two IP's for you. The De-Militarized Zone is in this case 1-to-1 NAT'ed and requires you to do some IP aliasing on your firewall. This is pretty much up to you to decide and to implement. ie. the packet will be destined for the actual DNS internal network IP. then we use DNAT. and not to our external DNS IP. One uses IP range 192. one De-Militarized Zone and one Internet Connection.txt script was written for those people out there that has one Trusted Internal Network. the DNS wouldn't have answered the packet.firewall. When the DNS sees our packet. you must make the box recognise packets for more than one IP. but it will not tell you exactly what you need to do since it is out of the scope of the tutorial. which stands for Destination Network Adress Translation.1.168. We will show a short example of how the DNAT code looks: http://people. if someone from the internet sends a packet to our DNS_IP.html 21:25:51 10/06/2002 .0.txt The rc.unix-fu.DMZ. to send the packet on to our DNS on the DMZ network.1. You need to have two internal networks with this script as you can see from the picture.org/andreasson/iptables-tutorial/iptables-tutorial.0/24 and consists of a Trusted Internal Network.Iptables Tutorial 1.9 Página 190 rc.firewall. You could then set the IP's to the DMZ'ed boxes as you wish. one for the broadcast address and one for the network address. another one if you have a whole subnet is to create a subnetwork. If the packet would not have been translated. giving the firewall one IP both internally and externally. There are several ways to get this to work.168.DMZ. The other one uses IP range 192. this tutorial will give you the tools to actually accomplish the firewalling and NAT'ing part.0/24 and consists of the De-Militarized Zone which we will do 1-to-1 NAT to. one is to set 1-to-1 NAT. For example.

This is how basic DNAT works. I've had some people mail me and ask about the problem so this script will be a good solution for you.DHCP. However. When the reply to the DNAT'ed packet is sent through the firewall. By now you should have enough understanding of how everything works to be able to understand this script pretty well without any huge complications.firewall. which is the main change to the original rc. Then we look for TCP protocol on our $INET_IFACE with destination IP that matches our $DNS_IP. in other words Destination NAT. it automatically gets un-DNAT'ed. this script no longer uses the STATIC_IP variable. in other words the IP of the DNS on our DMZ network.txt script. http://people. that hasn't been gone through in the rest of the tutorial. If there is something you don't understand.firewall. DNAT can only be performed in the PREROUTING chain of the nat table. The actual changes needed to be done to the original script is minimal. rc.txt. PPP and SLIP connections to connect to the internet.Iptables Tutorial 1. mail me since it is probably a fault on my side. which is the TCP port for zone transfers between DNS's.unix-fu.firewall. If we actually get such a packet we give a target of DNAT.txt script is pretty much identical to the original rc. After that we specify where we want the packet to go with the --to-destination option and give it the value of $DMZ_DNS_IP.9 Página 191 $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP First of all. This script will allow people who uses DHCP.org/andreasson/iptables-tutorial/iptables-tutorial. however.firewall. The reason is that this won't work together with a dynamic IP connection.html 21:25:51 10/06/2002 . and is directed to port 53.1.txt The rc.DHCP.

There is some more things to think about though. Instead of using this variable the script now does it's main filtering on the variable INET_IFACE. You will find a link to the linuxguruz. We could for example make a script that grabs the IP from ifconfig and adds it to a variable. I would definitely advise you to use that script if at all possible since this script is more open to attacks from the outside. This in turn forces us to filter only based on interfaces in such cases where the internal machines must access the internet adressable IP. We can no longer filter in the INPUT chain depending on. For example.Iptables Tutorial 1. This is pretty much the only changes made and that's all that's needed really. If the script is run from within a script which in turn is executed by.1. how would you do it without erasing your already active rules blocking the LAN? http://people. However. we would get a real hard trouble.txt script. as described in the following list. Also.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. there is the possibility to add something like this to your scripts: INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1` The above would automatically grab the IP address of the $INET_IFACE variable. but it is questionable. It is possible to get by. if you get rid of the NEW not SYN rules for example. A good way to do this. which contains static links back to the same host. it is rather harsh to add and erase rules all the time.org iptables site which has a huge collection of scripts available to download. which could be some dyndns solution. but at the same time operate a script from the PPP daemon.org site from the Other resources and links appendix. then try to access that IP. but in such cases it could be gotten around by adding rules which checks the LAN interface packets for our INET_IP. As you may read from above. would e to use for example the ip-up scripts provided with pppd and some other programs. for example. For a good site. 1. In case we filter based on interface and IP. if you want to block hosts on your LAN to connect to the firewall. This also applies in a sense to the case where we got a static IP. One great example is if we are running an HTTP on our firewall. check out the linuxguruz. the NAT'ed box would be unable to get to the HTTP because the INPUT chain would DROP the packets flat to the ground. it may be a good idea to grab a script. that handles dynamic IP in a better sense.firewall. In other words -d $STATIC_IP has been changed to -i $INET_IFACE.html 21:25:51 10/06/2002 . there are serious drawbacks with this approach. the PPP daemon. or write one. grep the correct line which contains the IP address and then cuts it down to a manageable IP address. --in-interface $LAN_IFACE --dst $INET_IP. upon bootup of the internet connection. The NAT'ed box would ask the DNS for the IP of the HTTP server. and if so ACCEPT them. If you got rules that are static and always want to be around. 2. This script might be a bit less secure than the rc.9 Página 192 The main changes done to the script consists of erasing the STATIC_IP variable as I already said and deleting all referenses to this variable. without hurting the already existing ones. If we go to the main page. for example. it will hang all currently active connections due to the NEW not SYN rules (see the State NEW packets but no SYN bit set section).

This script will hopefully give you some clues as to what you can do with your firewall to strengthen it up.org/andreasson/iptables-tutorial/iptables-tutorial.1. The only things we actually allow is POP3. but a large part of the hacks and cracks that a company gets hit by is a matter of people from their own staff perpetrating the hit.Iptables Tutorial 1.UTIN. and to keep order in it. This script follows the golden rule to not trust anyone. In other words.txt script will in contrast to the other scripts block the LAN that is sitting behind us.firewall.txt http://people.test-iptables.txt The rc.unix-fu. as seen above which in turn could lead to security compromises. This is a sad fact. rc. It's not very different from the original rc.9 Página 193 3. not even our own employees. but it does give a few hints at what we would normally let through etc. We also don't trust the internal users to access the firewall more than we trust users on the Internet. HTTP and FTP access to the internet. If the script is kept simple. we don't trust anyone on any networks we are connected to. it is easier to spot problems.UTIN.html 21:25:51 10/06/2002 .firewall.txt script.firewall. rc. We also disallow people on our LAN to do anything but specific tasks on the Internet. It may get unnecessarily complicated.

rc. One final word on this issue.Iptables Tutorial 1. and setting up masquerading etcetera. Certain people has mailed me asking from me to put this script into the original rc. When all of this is done.firewall script using redhat Linux syntax where you type something like rc. After this we reset the default policies of the PREROUTING.1.html 21:25:51 10/06/2002 .on. we consider the script done.txt script should not really be called a script in itself. POSTROUTING and OUTPUT chains of the nat table.9 Página 194 The rc.flush-iptables. It will work for mostly everyone though who has all the basic set up and all the basic tables loaded into kernel. and hence we only care about opening the whole thing up and reset it to default values. Detailed explanations of special commands http://people. I will not do that since this is a tutorial and should be used as a place to fetch ideas mainly and it shouldn't be filled up with shell scripts and strange syntax. you will get information on which chain was traversed and in which order. This script is intended for actually setting up and troubleshooting your firewall. For example.firewall start and the script starts.txt script will reset and flush all your tables and chains. OUTPUT and FORWARD chains of the filter table. The rc. When this step is done. This way we know there is no redundant rules lying around anywhere.unix-fu. This should show you all the different chains used and in which order. The script starts by setting the default policies to ACCEPT on the INPUT.internet And tail -n 0 -f /var/log/messages while doing the first command. unless the log entries are swapped around for some reason. However. but it might need some tweaking depending on your configuration.flush-iptables.the. This way. All it really does is set some LOG targets which will log ping reply's and ping requests. This script was written for testing purposes only.flush-iptables. You may consider adding rules to flush your MANGLE table if you use it. we jump down to the next section where we erase all the user specified chains in the NAT and filter tables.org/andreasson/iptables-tutorial/iptables-tutorial.test-iptables. After this we flush all chains first in the filter table and then in the NAT table.txt script can be used to test all the different chains. In other words. such as turning on ip_forwarding. We do this first so we won't have to bother about closed connections and packets not getting through. Adding shell script syntax and other things makes the script harder to read as far as I am concerned and the tutorial was written with readability in mind and will continue being so. run this script and then do: ping -c 1 host.txt The rc. it's not a good idea to have rules like this that logs everything of one sort since your log partitions might get filled up quickly and it would be an effective Denial of Service attack against you and might lead to real attacks on you that would be unlogged after the initial Denial of Service attack.

If this is not the wanted behaviour you might try to use the -D option as iptables -D INPUT 10 which will erase the 10th rule in the INPUT chain. in this case you might want to run the -F option. Updating and flushing your tables If at some point you screw up your iptables.9 Página 195 Listing your active ruleset To list your currently active ruleset you run a special option to the iptables command. to something useful. iptables -F INPUT will erase the whole INPUT chain. For example. it erases the first instance it finds matching your rule. To see the table you can run the following command: cat /proc/net/conntrack | less The above command will show all currently tracked connections even though it might be a bit hard to understand everything. so you don't have to reboot.unix-fu. iptables will find the erroneous line and erase it for you. rule and chain. it will try to resolve LAN IP addresses. This table contains all the different connections currently tracked and serves as a basic table so we always know what state a connection currently is in. you might just change the -A parameter to -D in the line you added in error. it will translate all the different ports according to the /etc/services file as well as DNS all the IP addresses to get DNS records instead. this will not change http://people. It would then look something like this: iptables -L -n -v There is also a few files that might be interesting to look at in the /proc filesystem. it might be interesting to know what connections are currently in the conntrack table. ie 192.1. and translate everything possible to a more readable form. in case you've got multiple lines looking exactly the same in the chain.org/andreasson/iptables-tutorial/iptables-tutorial. The later can be a bit of a problem though.0/16 is a private range though and should not resolve to anything and the command will seem to hang while resolving the IP.1. For example.1. I've actually gotten this question a couple times by now so I thought I'd answer it right here.168. though.html 21:25:51 10/06/2002 . We could get this by adding the verbose flag. For example. 192. To get around this problem we would do something like the following: iptables -L -n Another thing that might be interesting is to see a few statistics about each policy. For example. which we have discussed briefly previously in the How a rule is built chapter. If you added a rule in error.168. There is also instances where you want to flush a whole chain. This table can not be edited and even if it was possible.0. it would be a bad idea. This would look like the following: iptables -L This command should list your currently active ruleset.Iptables Tutorial 1. there are actually commands to flush them.

but not DCC send.org/andreasson/iptables-tutorial/iptables-tutorial. if you want to let people run IRC from your local network which is using a NAT'ed or masqueraded connection to the internet.4.unix-fu. For more information about Active and Passive FTP. If you would want to do the reverse. for example iptables -P INPUT ACCEPT. In case your client sits behind a Network Address Translationing system (iptables). This RFC contains information regarding the FTP protocol and Active and Passive FTP and how they work.1. read RFC 959 . Just compile the ip_conntrack_irc. Reynolds. but not allow DCC send functions with the new state matching code. In Passive FTP. do as how you set it to DROP. Without these modules they can't recognize these kinds of connections. its quite simple once you get to think of it.9 Página 196 the default policy. One thing though. you would load the ip_conntrack_ftp and ip_nat_ftp modules. then the packets data section needs to be NAT'ed too. To reset the chain policy. What these modules do is that they add support to the connection tracking machine and the NAT machine so they can distinguish and modify a Passive FTP connection or a DCC send connection. You may ask yourself how. you can for example allow Passive FTP connections. that is what the ip_nat_ftp module does.html 21:25:51 10/06/2002 . the proceeding is reversed. this script will not erase those. during Active FTP the client sends the server an IP address and random port to use and then the server connects to this port on the client. ip_nat_irc. so if this is set to DROP you'll block the whole INPUT chain if used as above. but not the ip_conntrack_irc and ip_nat_irc modules and then do: /usr/local/sbin/iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT To allow Passive FTP but not DCC. Do note that the ip_nat_* modules are only needed in case you need and want to do Network Adress Translation on the connections. if you start mucking around in the mangle table. State NEW packets but no SYN bit set http://people.firewall.txt script so far. telling the client what address to connect to and what port to use. it is rather simple to add the few lines needed to erase those but I have not added those here since the mangle table is not used in my rc. well. but not the ip_conntrack_ftp and ip_nat_ftp modules. I have made a small script (available as an appendix as well) that will flush and reset your iptables that you might consider using while setting up your rc. Common problems and questionmarks Passive FTP but no DCC This is one of the really nice parts about the new iptables support in the 2.firewall. If you for example want to allow Passive FTP. The client tells the server that it wants to send or receive data and the server replies.txt file properly.Iptables Tutorial 1. ie.x kernels. you'd just load the ip_conntrack_irc and ip_nat_irc modules.File Transfer Protocol by J. ip_conntrack_ftp and ip_nat_ftp code as modules and not statically into the kernel. As you can understand from this document. Postel and J.

then load the NEW not SYN packet rules. This only applies when you are running with the conntrack and nat codebases as modules. and the modules are loaded and unloaded each time you run the script. There is one more known problem with these rules.Iptables Tutorial 1. lets say from the LAN. This feature makes it possible to have two or more firewalls.unix-fu. This is a badly documented behaviour of the netfilter/iptables project and should definitely be more highlighted.firewall.org/andreasson/iptables-tutorial/iptables-tutorial. OUTPUT and FORWARD chain: $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP The above rules will take care of this problem. don't worry to much about this rule. In other words. another firewall. the packet will match to the rules and be logged and afterwards dropped to the ground. you connect with telnet or some other stream connection. Note that there is some troubles with the above rules and bad Microsoft TCP/IP implementations. Hence.html 21:25:51 10/06/2002 . To take care of this problem we add the following rules to our firewalls INPUT. including me).txt script from a telnet connection from a host not on the actual firewall. The matter is that when a connection gets closed and the final FIN/ACK has been sent and the state machine of netfilter has closed this connection and it is no longer in the conntrack table. when you start the PPP connection. The above rules will lead to certain conditions where packets generated by microsoft products gets labeled as a state NEW and hence get logged and dropped.This does however lead to the fact that state NEW will allow pretty much any kind of TCP connection. regardless if this is the initial 3-way handshake or not. a huge warning is in it's place for this kind of behaviour on your firewall. the telnet client or daemon tries to send something. In other words. set the --log-headers option to the rule and log the headers too and you'll get a better look at what the packet looks like. also there will be no SYN bits set since it is not actually the first packet in the connection.9 Página 197 There is a certain feature in iptables that is not so well documented and may therefore be overlooked by a lot of people(yes. and for one of the firewalls to go down without any loss of data. The firewalling of the subnet could then be taken over by our secondary firewall. Internet Service Providers who use assigned http://people. If you use state NEW. the connection tracking code will not recognise this connection as a legal connection since it has not seen packets in any direction on this connection before. At this point the faulty Microsoft implementation sends another packet which is considered as state NEW but lacks the SYN bit and hence gets matched by the above rules. for instance. In this case. Finally. and you have the script set to be activated when running a PPP connection. Start the connection tracking modules. Another way to get this problem is to run the rc. the person previously connected through the LAN will be more or less killed. packets with the SYN bit unset will get through your firewall. or if you are worried anyways. This feature is there because in certain cases we want to consider that a packet may be part of an already ESTABLISHED connection on. It will however not lead to broken connections to my knowledge. If someone is currently connected to the firewall.1. To put it simple.

at least not to my knowledge. the swedish Internet Service Provider and phone monopoly Telia uses this approach for example on their DNS servers. here is unfortunately an example where you actually might have to lift a bit on those rules.9 Página 198 IP addresses I have added this since a friend of mine told me something I have totally forgotten.x range to us. or your own home network.1/32 -j ACCEPT I would like to take my moment to bitch at these Internet Service Providers.x. ICMP types This is a complete listing of all ICMP types: Table 1. in this script.x.x IP address range. This is how it might look: /usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10. do not allow connections from any IP addresses in the 10. For example.html 21:25:51 10/06/2002 .1. You might just insert an ACCEPT rule above the spoof section to allow traffic from those DNS servers. but you are not supposed to force us to open up ourself just because of some whince of yours. Well. Certain stupid Internet Service Providers use IP addresses assigned by IANA for their local networks on which you connect to. or you could just comment out that part of the script.org/andreasson/iptables-tutorial/iptables-tutorial.x. ICMP types TYPE CODE Description 0 3 3 3 3 3 3 3 3 3 3 3 0 0 1 2 3 4 5 6 7 8 9 10 Echo Reply Network Unreachable Host Unreachable Protocol Unreachable Port Unreachable Fragmentation needed but no frag.unix-fu. The problem you will most probably run into is that we. For large corporate sites it is more than ok. because of spoofing possibilities.x. bit set Source routing failed Destination network unknown Destination host unknown Source host isolated (obsolete) Destination network administratively prohibited Destination host administratively prohibited Query x x x x x x x x x x x x Error http://people.0.Iptables Tutorial 1. These IP address ranges are not assigned for you to use for dumb stuff like this. which uses the 10.0.

4.unix-fu. etc : ip-sysctl. A little bit short but a good reference for the IP networking controls and what they do to the kernel.1.9 Página 199 3 3 3 3 3 4 5 5 5 5 8 9 10 11 11 12 12 13 14 15 16 17 18 11 12 13 14 15 0 0 1 2 3 0 0 0 0 1 0 1 0 Network unreachable for TOS Host unreachable for TOS Communication administratively prohibited by filtering Host precedence violation Precedence cutoff in effect Source quench Redirect for network Redirect for host Redirect for TOS and network Redirect for TOS and host Echo request Router advertisement Route sollicitation TTL equals 0 during transit TTL equals 0 during reassembly IP header bad (catchall error) Required options missing Timestamp request (obsolete) Timestamp reply (obsolete) x x x x x x x x x x x x x x x x 0 0 0 0 Information request (obsolete) Information reply (obsolete) Address mask request Address mask reply Other resources and links Here is a list of links to resources and where I have gotten information from. http://people.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.from the 2.14 kernel.txt .html 21:25:51 10/06/2002 .

org/ . This was also written by Rusty Russell. One of the few documentations on how to write code in the netfilter and iptables userspace and kernel space codebase.The iptables 1. It is a must for everyone wanting to set up iptables and netfilter in linux.Excellent linkpage with links to most of the pages on the internet about iptables and netfilter. Excellent documentation about basic packet filtering with iptables written by one of the core developers of iptables and netfilter. http://netfilter.filewatcher.net/veerapen.The official netfilter mailing-list.filewatcher.html 21:25:51 10/06/2002 .linuxguruz. tc and the ip commands in Linux. http://netfilter. http://www. http://www.The official netfilter and iptables site.docum.html . A really short reference to the ip_dynaddr settings available via sysctl and the proc filesystem.Rusty Russells Unreliable Netfilter Hacking HOWTO.from the 2. http://netfilter.txt .html .8 .4. documentation and individuals who helped me.org/unreliable-guides/packet-filtering-HOWTO/index.org/netfilter-faq.html . Extremely useful in case you have questions about something not covered in this document or any of the other links here.9 Página 200 ip_dynaddr.2.org/andreasson/iptables-tutorial/iptables-tutorial. And of course the iptables source. One of the few sites that has any information at all about these programs. Also a good place to stat at when wondering what iptables and netfilter is about. http://www.The official netfilter Frequently Asked Questions.html .filewatcher.org .islandsoft.14 kernel. http://people.Iptables Tutorial 1.filewatcher. This is an HTML'ized version of the man page which is an excellent reference when reading/writing iptables rulesets.1. http://netfilter. http://netfilter. Always have it at hand.samba.unix-fu.filewatcher.org/mailman/listinfo/netfilter . iptables.Excellent information about the CBQ.Rusty Russells Unreliable Guide to Network Address Translation.Rusty Russells Unreliable Guide to packet filtering.html .org/unreliable-guides/netfilter-hacking-HOWTO/index. Also maintains a list of different iptables scripts for different purposes. http://lists.org/unreliable-guides/NAT-HOWTO/index. Excellent documentation about Network Address Translation in iptables and netfilter written by one of the core developers.4 man page.org/iptables/ . Maintained by Stef Coene. Rusty Russell.Excellent discussion on automatic hardening of iptables and how to make small changes that will make your computer automatically add hostile sites to a special banlist in iptables.

9 Página 201 Acknowledgements I would like to thank the following people for their help on this document: Fabrice Marie. History Version 1. or at least on the internet for you.boingworld. Anders 'DeZENT' Johansson. For helping me out with the graphics. For greatly improving the rc.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Version 1. Kent `Artech' Stahre. and you're better than most I know who do graphics. Also thanks for checking the tutorial for errors etc. sorry for not mentioning everyone. Janne Johansson.8 (5 March 2002) http://www. Galen Johnson.1.firewall rules and giving great inspiration while i was to rewrite the ruleset and being the one who introduced the multiple table traversing into the same file.unix-fu. I know I suck at graphics. Frode E.7 (4 February 2002) http://www. Neil Jolly. Nyboe. For hinting me about strange ISP's and so on that uses reserved networks on the Internet.boingworld.org/andreasson/iptables-tutorial/iptables-tutorial.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Vince Herried. Both for making me realize I was thinking wrong about how packets traverse the basic NAT and filters tables and in which order they show up. Janssen.1. Marc Boucher. Jeremy `Spliffy' Smith. For major updates to my horrible grammar and spelling. Chapman Brad. Also a huge thanks for updating the tutorial to DocBook format with make files etc. For helping me out on some aspects on using the state matching code.1. Jelle Kalf. Michiel Brandenburg. Mitch Landers.Iptables Tutorial 1. Kelly Ashe. Peter Horst.html 21:25:51 10/06/2002 . Jason Lam and Evan Nemerson Version 1.).com/workshops/linux/iptables-tutorial/ http://people. For giving me hints at stuff that might screw up for people and for trying it out and checking for errors in what I've written. Togan Muftuoglu.boingworld. Thomas Smets.1.9 (21 March 2002) http://www. Alexander W. For helping me out with some of the state matching code and getting it to work. Myles Uyema. And of course everyone else I talked to and asked for comments on this file.

unix-fu. Merijn Schering and Kurt Lieber Version 1.unix-fu.Iptables Tutorial 1.unix-fu. Jasper Aikema. Kurt Lieber. Aladdin and Rusty Russell. Version 1.org/andreasson By: Oskar Andreasson Contributors: Dave Richardson Version 1.org/andreasson By: Oskar Andreasson Version 1.unix-fu. Jensen. Steven McClintoc. Branco.org/andreasson/ By: Oskar Andreasson Contributors: Fabrice Marie. Göran Båge.unix-fu.1. Rodrigo R. Phil Schultz.2 (29 September 2001) http://people.1.org/andreasson By: Oskar Andreasson Contributors: Stig W.9 Página 202 By: Oskar Andreasson Contributors: Parimi Ravi.unix-fu.org/andreasson By: Oskar Andreasson Version 1.5 (14 November 2001) http://people.0.html 21:25:51 10/06/2002 .org/andreasson By: Oskar Andreasson Version 1.org/andreasson By: Oskar Andreasson Version 1.unix-fu.unix-fu.org/andreasson/ By: Oskar Andreasson Contributors: Jim Ramsey. Steve Hnizdur.0.8 (7 September 2001) http://people. Dave Wreski. Doug Monroe. Phil Schultz.1.org/andreasson/iptables-tutorial/iptables-tutorial.org/andreasson By: Oskar Andreasson Contributors: Joni Chu. Vasoo Veerapen. Chris Tallon.6 (7 December 2001) http://people.0 (15 September 2001) http://people.unix-fu. Adam Mansbridge.3 (9 October 2001) http://people.9 (9 September 2001) http://people.1. Chris Pluta and Kurt Lieber Version 1.1 (26 September 2001) http://people. Chris Martin. N. Erik Sjölund. Jacco van Koll and Dave Wreski Version 1.unix-fu. Bill Dossett.7 (23 August 2001) http://people.1. Jan Labanowski.1.4 (6 November 2001) http://people.Emile Akabi-Davis and Jelle Kalf Version 1.0. Jonas Pasche.1.1.

which is a copyleft license designed for free software. Boston. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. 0. 59 Temple Place. 1. either commercially or noncommercially. But this License is not limited to software manuals. regardless of subject matter or whether it is published as a printed book.0. Secondarily. We recommend this License principally for works whose purpose is instruction or reference.org/andreasson By: Oskar Andreasson Version 1.1. textbook.5 http://people. it can be used for any textual work. with or without modifying it. PREAMBLE The purpose of this License is to make a manual. or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it. Suite 330.unix-fu. March 2000 Copyright (C) 2000 Free Software Foundation.html 21:25:51 10/06/2002 . We have designed this License in order to use it for manuals for free software.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie Version 1. because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does.0.9 Página 203 http://people. APPLICABILITY AND DEFINITIONS http://people. Inc. this License preserves for the author and publisher a way to get credit for their work.Iptables Tutorial 1.unix-fu. This License is a kind of "copyleft". It complements the GNU General Public License. while not being considered responsible for modifications made by others. but changing it is not allowed.unix-fu.1.unix-fu.6 http://people. which means that derivative works of the document must themselves be free in the same sense.org/andreasson/iptables-tutorial/iptables-tutorial.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie GNU Free Documentation License Version 1.

and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. and the machine-generated HTML produced by some word processors for output purposes only. or with modifications and/or translated into another language. The "Document".unix-fu. for a printed book.9 Página 204 This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. the title page itself. preceding the beginning of the body of the text. LaTeX input format. "Title Page" means the text near the most prominent appearance of the work's title. and is addressed as "you".1. SGML or XML using a publicly available DTD. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. The "Title Page" means.) The relationship could be a matter of historical connection with the subject or with related matters. and that you add no other conditions whatsoever to those of this License. philosophical. legibly. A "Transparent" copy of the Document means a machine-readable copy. The "Invariant Sections" are certain Secondary Sections whose titles are designated. proprietary formats that can be read and edited only by proprietary word processors. or of legal.Iptables Tutorial 1. provided that this License. You may not use technical measures to obstruct or control the reading or further copying of the http://people. commercial. A "Modified Version" of the Document means any work containing the Document or a portion of it. ethical or political position regarding them. whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. in the notice that says that the Document is released under this License. Any member of the public is a licensee. For works in formats which do not have any title page as such. (For example. in the notice that says that the Document is released under this License. below. plus such following pages as are needed to hold. if the Document is in part a textbook of mathematics. either copied verbatim. The "Cover Texts" are certain short passages of text that are listed. and the license notice saying this License applies to the Document are reproduced in all copies.html 21:25:51 10/06/2002 . Opaque formats include PostScript. refers to any such manual or work.org/andreasson/iptables-tutorial/iptables-tutorial. Examples of suitable formats for Transparent copies include plain ASCII without markup. as being those of Invariant Sections. VERBATIM COPYING You may copy and distribute the Document in any medium. A copy that is not "Transparent" is called "Opaque". as Front-Cover Texts or Back-Cover Texts. Texinfo input format. the copyright notices. PDF. and standard-conforming simple HTML designed for human modification. represented in a format whose specification is available to the general public. a Secondary Section may not explain any mathematics. either commercially or noncommercially. SGML or XML for which the DTD and/or processing tools are not generally available. the material this License requires to appear in the title page. 2.

If you use the latter option.org/andreasson/iptables-tutorial/iptables-tutorial. If you distribute a large enough number of copies you must also follow the conditions in section 3. Both covers must also clearly and legibly identify you as the publisher of these copies. that you contact the authors of the Document well before redistributing any large number of copies. 4. you may accept compensation in exchange for copies. when you begin distribution of Opaque copies in quantity. you must either include a machine-readable Transparent copy along with each Opaque copy. if there were any. but not required. all these Cover Texts: Front-Cover Texts on the front cover. You may add other material on the covers in addition. COPYING IN QUANTITY If you publish printed copies of the Document numbering more than 100.9 Página 205 copies you make or distribute. to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. You may also lend copies. However. and Back-Cover Texts on the back cover. If you publish or distribute Opaque copies of the Document numbering more than 100. free of added material.html 21:25:51 10/06/2002 . clearly and legibly. under the same conditions stated above. provided that you release the Modified Version under precisely this License. and the Document's license notice requires Cover Texts. as long as they preserve the title of the Document and satisfy these conditions. Use in the Title Page (and on the covers. you must enclose the copies in covers that carry. you should put the first ones listed (as many as fit reasonably) on the actual cover. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above. thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it.unix-fu. you must do these things in the Modified Version: A.1. If the required texts for either cover are too voluminous to fit legibly. and from those of previous versions (which should. You may use the same title as a previous version if the original publisher of that version gives permission. and continue the rest onto adjacent pages. be listed in the History section of the Document). http://people. In addition. The front cover must present the full title with all words of the title equally prominent and visible. which the general network-using public has access to download anonymously at no charge using public-standard network protocols. if any) a title distinct from that of the Document. or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document. It is requested. and you may publicly display copies. can be treated as verbatim copying in other respects. to give them a chance to provide you with an updated version of the Document. with the Modified Version filling the role of the Document.Iptables Tutorial 1. Copying with changes limited to the covers. 3. you must take reasonably prudent steps.

and publisher of the Modified Version as given on the Title Page. as authors. State on the Title page the name of the publisher of the Modified Version. Include an unaltered copy of this License. preserve the section's title. Preserve all the Invariant Sections of the Document. F. add their titles to the list of Invariant Sections in the Modified Version's license notice. and publisher of the Document as given on its Title Page. Preserve the network location. or if the original publisher of the version it refers to gives permission.Iptables Tutorial 1. immediately after the copyright notices. Include. http://people. and likewise the network locations given in the Document for previous versions it was based on. if it has less than five). Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section. and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein. year. K. you may at your option designate some or all of these sections as invariant. D. H. and add to it an item stating at least the title. To do this. authors. If there is no section entitled "History" in the Document. Such a section may not be included in the Modified Version. E. J. given in the Document for public access to a Transparent copy of the Document. unaltered in their text and in their titles. as the publisher. create one stating the title. Preserve the section entitled "History". If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document. a license notice giving the public permission to use the Modified Version under the terms of this License. new authors. M. L. then add an item describing the Modified Version as stated in the previous sentence. year.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .9 Página 206 B. one or more persons or entities responsible for authorship of the modifications in the Modified Version. N. G. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.unix-fu. if any. These titles must be distinct from any other section titles. List on the Title Page. Preserve all the copyright notices of the Document. together with at least five of the principal authors of the Document (all of its principal authors. and its title. You may omit a network location for a work that was published at least four years before the Document itself.1. In any section entitled "Acknowledgements" or "Dedications". in the form shown in the Addendum below. These may be placed in the "History" section. Delete any section entitled "Endorsements". Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice. I. C. Section numbers or the equivalent are not considered part of the section titles.

likewise combine any sections entitled "Acknowledgements". in parentheses. unmodified. on explicit permission from the previous publisher that added the old one. and replace the individual copies of this License in the various documents with a single copy that is included in the collection.unix-fu. You may extract a single document from such a collection. COLLECTIONS OF DOCUMENTS You may make a collection consisting of the Document and other documents released under this License. In the combination. you must combine any sections entitled "History" in the various original documents. and list them all as Invariant Sections of your combined work in its license notice. provided that you include in the combination all of the Invariant Sections of all of the original documents." 6.9 Página 207 You may add a section entitled "Endorsements". and distribute it individually under this License. and follow this License in all other respects regarding verbatim copying of that document. provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. to the end of the list of Cover Texts in the Modified Version. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. but you may replace the old one. and multiple identical Invariant Sections may be replaced with a single copy. 5. or else a unique number. previously added by you or by arrangement made by the same entity you are acting on behalf of. If the Document already includes a cover text for the same cover. COMBINING DOCUMENTS You may combine the Document with other documents released under this License. provided you insert a copy of this License into the extracted document. forming one section entitled "History".1.html 21:25:51 10/06/2002 . You may add a passage of up to five words as a Front-Cover Text. make the title of each such section unique by adding at the end of it. you may not add another. The combined work need only contain one copy of this License. the name of the original author or publisher of that section if known. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version. and any sections entitled "Dedications".Iptables Tutorial 1. under the terms defined in section 4 above for modified versions. provided it contains nothing but endorsements of your Modified Version by various parties--for example. http://people. and a passage of up to 25 words as a Back-Cover Text. If there are multiple Invariant Sections with the same name but different contents.org/andreasson/iptables-tutorial/iptables-tutorial. You must delete all sections entitled "Endorsements. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

See http://www.Iptables Tutorial 1. http://people. the original English version will prevail. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. modify. on account of their being thus compiled. sublicense.gnu. and will automatically terminate your rights under this License. FUTURE REVISIONS OF THIS LICENSE The Free Software Foundation may publish new. If the Cover Text requirement of section 3 is applicable to these copies of the Document. parties who have received copies. revised versions of the GNU Free Documentation License from time to time. Replacing Invariant Sections with translations requires special permission from their copyright holders. but may differ in detail to address new problems or concerns. and this License does not apply to the other self-contained works thus compiled with the Document. if they are not themselves derivative works of the Document. You may include a translation of this License provided that you also include the original English version of this License.9 Página 208 7.html 21:25:51 10/06/2002 . 10. does not as a whole count as a Modified Version of the Document. 8. so you may distribute translations of the Document under the terms of section 4.1. 9.org/andreasson/iptables-tutorial/iptables-tutorial. Any other attempt to copy. in or on a volume of a storage or distribution medium. TRANSLATION Translation is considered a kind of modification. or distribute the Document except as expressly provided for under this License. In case of a disagreement between the translation and the original English version of this License. provided no compilation copyright is claimed for the compilation. Such new versions will be similar in spirit to the present version. then if the Document is less than one quarter of the entire aggregate. However. or rights.unix-fu. sublicense or distribute the Document is void. but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate.org/copyleft/. modify. Otherwise they must appear on covers around the whole aggregate. AGGREGATION WITH INDEPENDENT WORKS A compilation of the Document or its derivatives with other separate and independent documents or works. Such a compilation is called an "aggregate". TERMINATION You may not copy.

distribute and/or modify this document under the terms of the GNU Free Documentation License. you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation.1. If the Document specifies that a particular numbered version of this License "or any later version" applies to it. we recommend releasing these examples in parallel under your choice of free software license. and with the Back-Cover Texts being LIST. How to use this License for your documents To use this License in a document you have written.Iptables Tutorial 1.unix-fu. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. Version 1. 59 Temple Place. If your document contains nontrivial examples of program code. By contrast. with the Front-Cover Texts being LIST. include a copy of the License in the document and put the following copyright and license notices just after the title page: Copyright (c) YEAR YOUR NAME. Boston. Preamble The licenses for most software are designed to take away your freedom to share and change it. 1991 Free Software Foundation. June 1991 Copyright (C) 1989. GNU General Public License Version 2. write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts. 0. but changing it is not allowed.org/andreasson/iptables-tutorial/iptables-tutorial.1 or any later version published by the Free Software Foundation. Permission is granted to copy.9 Página 209 Each version of the License is given a distinguishing version number. such as the GNU General Public License. Suite 330. write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST". to permit their use in free software. A copy of the license is included in the section entitled "GNU Free Documentation License". This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to http://people.html 21:25:51 10/06/2002 . If you have no Invariant Sections. Inc. you may choose any version ever published (not as a draft) by the Free Software Foundation. the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. If the Document does not specify a version number of this License. likewise for Back-Cover Texts. with the Invariant Sections being LIST THEIR TITLES.

we want to make certain that everyone understands that there is no warranty for this free software. we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. you must give the recipients all the rights that you have. The act of running the Program is not restricted. any free program is threatened constantly by software patents. that you receive source code or can get it if you want it. To protect your rights. Activities other than copying. and the output from the Program is covered only if its contents constitute a work based on the Program (independent of http://people. distribution and modification follow. You must make sure that they. below. Finally. When we speak of free software. in effect making the program proprietary. not price.Iptables Tutorial 1. And you must show them these terms so they know their rights. so that any problems introduced by others will not reflect on the original authors' reputations. Also. too. refers to any such program or work. and that you know you can do these things. We protect your rights with two steps: (1) copyright the software. receive or can get the source code.org/andreasson/iptables-tutorial/iptables-tutorial. To prevent this. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.unix-fu. if you distribute copies of such a program. or if you modify it. translation is included without limitation in the term "modification".1. for each author's protection and ours. These restrictions translate to certain responsibilities for you if you distribute copies of the software. a work containing the Program or a portion of it. that you can change the software or use pieces of it in new free programs. and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say. The precise terms and conditions for copying. TERMS AND CONDITIONS FOR COPYING. we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. 1. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead. either verbatim or with modifications and/or translated into another language. and (2) offer you this license which gives you legal permission to copy. whether gratis or for a fee. we want its recipients to know that what they have is not the original. too. The "Program". For example.) You can apply it to your programs. we are referring to freedom.) Each licensee is addressed as "you". distribute and/or modify the software.html 21:25:51 10/06/2002 . DISTRIBUTION AND MODIFICATION 1. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish). distribution and modification are not covered by this License. they are outside its scope. (Hereinafter.9 Página 210 using it. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses. If the software is modified by someone else and passed on.

You must cause any work that you distribute or publish. provided that you also meet all of these conditions: 1. You may modify your copy or copies of the Program or any portion of it.Iptables Tutorial 1.1. saying that you provide a warranty) and that users may redistribute the program under these conditions. when started running for such interactive use in the most ordinary way. You may copy and distribute verbatim copies of the Program's source code as you receive it. You may charge a fee for the physical act of transferring a copy. In addition. If identifiable sections of that work are not derived from the Program.) These requirements apply to the modified work as a whole. 2. Thus.9 Página 211 having been made by running the Program). then this License. that in whole or in part contains or is derived from the Program or any part thereof. and telling the user how to view a copy of this License. 4. to be licensed as a whole at no charge to all third parties under the terms of this License. you must cause it. and copy and distribute such modifications or work under the terms of Section 1 above. 5. 3. mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. If the modified program normally reads commands interactively when run. under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: http://people. and its terms. it is not the intent of this section to claim rights or contest your rights to work written entirely by you. the distribution of the whole must be on the terms of this License. and you may at your option offer warranty protection in exchange for a fee. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. rather. thus forming a work based on the Program. You may copy and distribute the Program (or a work based on it. whose permissions for other licensees extend to the entire whole.unix-fu. Whether that is true depends on what the Program does. and can be reasonably considered independent and separate works in themselves. 3.html 21:25:51 10/06/2002 . in any medium. (Exception: if the Program itself is interactive but does not normally print such an announcement. do not apply to those sections when you distribute them as separate works. and thus to each and every part regardless of who wrote it. keep intact all the notices that refer to this License and to the absence of any warranty. But when you distribute the same sections as part of a whole which is a work based on the Program. and give any other recipients of the Program a copy of this License along with the Program.org/andreasson/iptables-tutorial/iptables-tutorial. your work based on the Program is not required to print an announcement. provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty. to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else. the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

nothing else grants you permission to modify or distribute the Program or its derivative works. in accord with Subsection b above. distributing or modifying the Program or works based on it. for a charge no more than your cost of physically performing source distribution. modify.) 6. unless that component itself accompanies the executable. You are not responsible for enforcing compliance by third parties to this License. 7. plus the scripts used to control compilation and installation of the executable. These actions are prohibited by law if you do not accept this License. even though third parties are not compelled to copy the source along with the object code. You may not copy. as a special exception. 9. Accompany it with the complete corresponding machine-readable source code. as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues). 8. Accompany it with the information you received as to the offer to distribute corresponding source code. you indicate your acceptance of this License to do so. and will automatically terminate your rights under this License. You are not required to accept this License.Iptables Tutorial 1. complete source code means all the source code for all modules it contains.org/andreasson/iptables-tutorial/iptables-tutorial. or. a complete machine-readable copy of the corresponding source code. Each time you redistribute the Program (or any work based on the Program). by modifying or distributing the Program (or any work based on the Program). or. However. to give any third party. to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. sublicense or distribute the Program is void. sublicense. B. from you under this License will not have their licenses terminated so long as such parties remain in full compliance.9 Página 212 A. Therefore. parties who have received copies. since you have not signed it. or distribute the Program except as expressly provided under this License. which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. valid for at least three years.1. plus any associated interface definition files. the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler. agreement or otherwise) that contradict the conditions of this License. conditions are imposed on you (whether by court order. and all its terms and conditions for copying. Any attempt otherwise to copy. or rights. the recipient automatically receives a license from the original licensor to copy. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer. distribute or modify the Program subject to these terms and conditions.unix-fu. The source code for a work means the preferred form of the work for making modifications to it. However. then offering equivalent access to copy the source code from the same place counts as distribution of the source code. However. If distribution of executable or object code is made by offering access to copy from a designated place. kernel.html 21:25:51 10/06/2002 . and so on) of the operating system on which the executable runs. they do not excuse you from http://people. 10. modify. For an executable work. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. Accompany it with a written offer. C. If.

this License incorporates the limitation as if written in the body of this License. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system. THERE IS NO WARRANTY FOR THE PROGRAM. If the Program does not specify a version number of this License. then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. 11. you may choose any version ever published by the Free Software Foundation. you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE. the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. 12.1.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 213 the conditions of this License. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims. the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries.Iptables Tutorial 1. TO THE EXTENT PERMITTED BY APPLICABLE LAW. but may differ in detail to address new problems or concerns. If any portion of this section is held invalid or unenforceable under any particular circumstance. Such new versions will be similar in spirit to the present version. then as a consequence you may not distribute the Program at all. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. For software which is copyrighted by the Free Software Foundation. For example.unix-fu. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. which is implemented by public license practices. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT http://people. so that distribution is permitted only in or among countries not thus excluded. this section has the sole purpose of protecting the integrity of the free software distribution system. write to the author to ask for permission. write to the Free Software Foundation. If the Program specifies a version number of this License which applies to it and "any later version". Each version is given a distinguishing version number. 14.html 21:25:51 10/06/2002 . In such case. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different. 13. we sometimes make exceptions for this. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations. if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you.

How to Apply These Terms to Your New Programs If you develop a new program. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER.Iptables Tutorial 1. BE LIABLE TO YOU FOR DAMAGES. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.1. attach the following notices to the program. you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. YOU ASSUME THE COST OF ALL NECESSARY SERVICING. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty. REPAIR OR CORRECTION. See the GNU General Public License for more details. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. Inc. OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE. and each file should have at least the "copyright" line and a pointer to where the full notice is found.org/andreasson/iptables-tutorial/iptables-tutorial. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. EITHER EXPRESSED OR IMPLIED. 16. To do so. and you want it to be of the greatest possible use to the public.html 21:25:51 10/06/2002 . EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS). Suite 330. END OF TERMS AND CONDITIONS 2.. MA 02111-1307 USA http://people. or (at your option) any later version. write to the Free Software Foundation. 59 Temple Place. SHOULD THE PROGRAM PROVE DEFECTIVE.9 Página 214 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND. if not.unix-fu. INCLUDING ANY GENERAL.> Copyright (C) <year> <name of author> This program is free software. BUT NOT LIMITED TO. This program is distributed in the hope that it will be useful. SPECIAL. the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. <one line to give the program's name and a brief idea of what it does. INCLUDING. You should have received a copy of the GNU General Public License along with this program. but WITHOUT ANY WARRANTY. either version 2 of the License. Boston.

to sign a "copyright disclaimer" for the program.net> # # This program is free software. you may consider it more useful to permit linking proprietary applications with the library.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. # but WITHOUT ANY WARRANTY.unix-fu. Inc. <signature of Ty Coon>. Here is a sample. 1 April 1989 Ty Coon. type `show c' for details. version 2 of the License.. If this is what you want to do. http://people.4. alter the names: Yoyodyne. See the # GNU General Public License for more details. for details type `show w'. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. and you are welcome to redistribute it under certain conditions. if necessary.firewall .Iptables Tutorial 1.firewall script #!/bin/sh # # rc. make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69. Example scripts codebase Example rc. This is free software. You should also get your employer (if you work as a programmer) or your school.1.html 21:25:51 10/06/2002 . hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. If the program is interactive. Of course. the commands you use may be called something other than `show w' and `show c'. Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY.Initial SIMPLE IP Firewall script for Linux 2. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. they could even be mouse-clicks or menu items--whatever suits your program. use the GNU Library General Public License instead of this License. # # This program is distributed in the hope that it will be useful.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 215 Also add information on how to contact you by electronic and paper mail. President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library. if any.

0. # # # 1.0. /24 means to only use the first 24 # bits of the 32 bit IP adress.255.unix-fu.255.2 Local Area Network configuration. the same as netmask 255.0/16" LAN_BCAST_ADRESS="192.9 Página 216 # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. if not.Iptables Tutorial 1.2" LAN_IP_RANGE="192.255.1 DHCP # # # 1.168.168.2 PPPoE # # # 1.4 Localhost Configuration.236.html 21:25:51 10/06/2002 .1. # INET_IP="194. write to the Free Software Foundation.0 # LAN_IP="192. # # # 1. Suite 330.50. MA 02111-1307 USA # ########################################################################### # # 1.168.. # # your LAN's IP range and localhost IP.255" LAN_IFACE="eth1" # # 1. 59 Temple # Place.1" http://people.3 DMZ Configuration. # LO_IFACE="lo" LO_IP="127.1. Boston.1 Internet Configuration. Configuration options.155" INET_IFACE="eth0" # # 1. Inc.1.org/andreasson/iptables-tutorial/iptables-tutorial.0.0.

org/andreasson/iptables-tutorial/iptables-tutorial.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. # IPTABLES="/usr/sbin/iptables" # # 1. Module loading. # ########################################################################### # # 2.1. # http://people.Iptables Tutorial 1. /proc set up. # # # Needed to initially load modules # /sbin/depmod -a # # 2.unix-fu.html 21:25:51 10/06/2002 .6 Other Configuration.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.5 IPTables Configuration.9 Página 217 # # 1.

9 Página 218 # # 3.org/andreasson/iptables-tutorial/iptables-tutorial.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.unix-fu.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.1.Iptables Tutorial 1. # ###### # 4.1.html 21:25:51 10/06/2002 .2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP. rules set up. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets http://people.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.1 Filter table # # # 4.

3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.1.Iptables Tutorial 1.1.9 Página 219 $IPTABLES -N udpincoming_packets # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .unix-fu.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT http://people.

1. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.org/andreasson/iptables-tutorial/iptables-tutorial.1.1. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward http://people.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.9 Página 220 # # 4.Iptables Tutorial 1.html 21:25:51 10/06/2002 .unix-fu.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.

# $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above.2.2.6 OUTPUT chain # # # Bad TCP packets we don't want.2 nat table # # # 4. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.1 Set policies # # # 4.RELATED -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.unix-fu. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.html 21:25:51 10/06/2002 .2 Create user specified chains # http://people.Iptables Tutorial 1.1.1.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 221 # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.

3.3.3.unix-fu.6 FORWARD chain # http://people.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.4 PREROUTING chain # # # 4.2.2.3.6 OUTPUT chain # ###### # 4.html 21:25:51 10/06/2002 .2.3 mangle table # # # 4.3 Create content in user specified chains # # # 4.3.4 PREROUTING chain # # # 4.2.3 Create content in user specified chains # # # 4.1 Set policies # # # 4.2 Create user specified chains # # # 4.9 Página 222 # # 4.1.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.5 INPUT chain # # # 4.3.

x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. # # # 1.154" INET_IFACE="eth0" http://people. MA 02111-1307 USA # ########################################################################### # # 1.7 OUTPUT chain # # # 4. Boston.50. # INET_IP="194. Configuration options.DMZ IP Firewall script for Linux 2. # but WITHOUT ANY WARRANTY.153" DNS_IP="194.DMZ. 59 Temple # Place.unix-fu.236. Suite 330. # # This program is distributed in the hope that it will be useful.3.50. write to the Free Software Foundation.firewall script #!/bin/sh # # rc.DMZ. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.236.net> # # This program is free software.8 POSTROUTING chain # Example rc.1.9 Página 223 # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.50.152" HTTP_IP="194. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.html 21:25:51 10/06/2002 . if not.Iptables Tutorial 1.236. version 2 of the License. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.3.4. See the # GNU General Public License for more details.1 Internet Configuration. Inc.firewall ..

Iptables Tutorial 1.1.9

Página 224

# # 1.1.1 DHCP # # # 1.1.2 PPPoE # # # 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1" # # 1.3 DMZ Configuration. # DMZ_HTTP_IP="192.168.1.2" DMZ_DNS_IP="192.168.1.3" DMZ_IP="192.168.1.1" DMZ_IFACE="eth2" # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. # ########################################################################### # # 2. Module loading. http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 225

# # # Needed to initially load modules # /sbin/depmod -a

# # 2.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 226

#echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 227

# # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # 4.1.4 INPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Packets from the Internet to this box # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # # Packets from LAN, DMZ or LOCALHOST # # # From DMZ Interface to DMZ firewall IP # $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT # # From LAN Interface to LAN firewall IP # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 228

# # From Localhost interface to Localhost IP # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT # # All established and related packets incoming from the internet to the # firewall # $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \ -j ACCEPT # # Logging rule # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.1.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# # DMZ section # # General rules # $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \ --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT # # HTTP server # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

html 21:25:51 10/06/2002 .1.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Allow ourself to send packets not spoofed everywhere # $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT http://people.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 229 $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ --dport 80 -j allowed $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ -j icmp_packets # # DNS server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j allowed $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j ACCEPT $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ -j icmp_packets # # LAN section # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.unix-fu.RELATED -j ACCEPT # # LOG all packets reaching here # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.

Iptables Tutorial 1.1.9

Página 230

# # Logging rule # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2 nat table # # # 4.2.1 Set policies # # # 4.2.2 Create user specified chains # # # 4.2.3 Create content in user specified chains # # # 4.2.4 PREROUTING chain # # # Enable IP Destination NAT for DMZ zone # $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \ -j DNAT --to-destination $DMZ_HTTP_IP $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP # # 4.2.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 231

# # 4.2.6 OUTPUT chain # ###### # 4.3 mangle table # # # 4.3.1 Set policies # # # 4.3.2 Create user specified chains # # # 4.3.3 Create content in user specified chains # # # 4.3.4 PREROUTING chain # # # 4.3.5 INPUT chain # # # 4.3.6 FORWARD chain # # # 4.3.7 OUTPUT chain # # # 4.3.8 POSTROUTING chain #

Example rc.UTIN.firewall script
#!/bin/sh # # rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 232

# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA 02111-1307 USA # ########################################################################### # # 1. Configuration options. # # # 1.1 Internet Configuration. # INET_IP="194.236.50.155" INET_IFACE="eth0" # # 1.1.1 DHCP # # # 1.1.2 PPPoE # # # 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1"

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 233

# # 1.3 DMZ Configuration. # # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. # ########################################################################### # # 2. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.2 Non-Required modules #

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 234

#/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr

########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.unix-fu.1.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed http://people.9 Página 235 # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.

4 INPUT chain # # # Bad TCP packets we don't want.1.unix-fu.1.5 FORWARD chain # http://people. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from anywhere # $IPTABLES -A INPUT -p ICMP -j icmp_packets $IPTABLES -A INPUT -p TCP -j tcp_packets $IPTABLES -A INPUT -p UDP -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.html 21:25:51 10/06/2002 . # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.1.9 Página 236 # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.

1.RELATED -j ACCEPT # # Log weird packets that don't match the above.html 21:25:51 10/06/2002 .6 OUTPUT chain # # # Bad TCP packets we don't want.unix-fu. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above.org/andreasson/iptables-tutorial/iptables-tutorial.1.9 Página 237 # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward between interfaces.Iptables Tutorial 1. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4. # $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.2 nat table http://people.

3.3.1 Set policies # # # 4.unix-fu.html 21:25:51 10/06/2002 .5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.3 Create content in user specified chains # # # 4.9 Página 238 # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.1.2.1 Set policies # # # 4.Iptables Tutorial 1.6 OUTPUT chain # ###### # 4.3 mangle table # # # 4.4 PREROUTING chain # # # 4.2.2.2.2 Create user specified chains # # # 4.3.3 Create content in user specified chains # # http://people.2 Create user specified chains # # # 4.2.2.

firewall script #!/bin/sh # # rc.3. MA 02111-1307 USA # ########################################################################### # # 1.3. Configuration options. Suite 330.Iptables Tutorial 1.3. version 2 of the License.unix-fu.4 PREROUTING chain # # # 4.9 Página 239 # 4.1.7 OUTPUT chain # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.DHCP. if not.DHCP IP Firewall script for Linux 2.net> # # This program is free software.4.3.firewall . # but WITHOUT ANY WARRANTY. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 59 Temple # Place.8 POSTROUTING chain # Example rc..3. Inc.5 INPUT chain # # # 4. write to the Free Software Foundation. # # This program is distributed in the hope that it will be useful.6 FORWARD chain # # # 4. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. See the # GNU General Public License for more details. Boston.html 21:25:51 10/06/2002 . you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. # http://people.

html 21:25:51 10/06/2002 . # # Set DHCP variable to no if you don't get IP from DHCP.2" LAN_IP_RANGE="192.90.168. and set up the proper IP # adress for the DHCP server in the DHCP_SERVER variable.0 # LAN_IP="192.unix-fu.1.0. # # your LAN's IP range and localhost IP. such as large mails not # getting through while small mail get through properly etc.0. # PPPOE_PMTU="no" # # 1.65" # # 1. If you get DHCP # over the Internet set this variable to yes.2 Local Area Network configuration. you may set # this option to "yes" which may fix the problem. # # If you have problem with your PPPoE connection. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.1.0/16" http://people.168.1 Internet Configuration. since # the PPPoE configuration option will give less overhead.22.2 PPPoE # # Configuration options pertaining to PPPoE.1 DHCP # # # Information pertaining to DHCP over the Internet.9 Página 240 # # 1. # # Note that it is better to set this up in the PPPoE package itself. # DHCP="no" DHCP_SERVER="195.255. This option will set a # rule in the PREROUTING chain of the mangle table which will clamp # (resize) all routed packets to PMTU (Path Maximum Transmit Unit).org/andreasson/iptables-tutorial/iptables-tutorial.1. # INET_IFACE="eth0" # # 1.255.Iptables Tutorial 1. if needed.

# # # Needed to initially load modules # /sbin/depmod -a # # 2.Iptables Tutorial 1. Module loading.1 Required modules # /sbin/modprobe ip_conntrack /sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_MASQUERADE http://people.255.4 Localhost Configuration.0. # ########################################################################### # # 2. # # # 1.html 21:25:51 10/06/2002 .3 DMZ Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.168.0.1" # # 1.5 IPTables Configuration.1.9 Página 241 LAN_BCAST_ADRESS="192.org/andreasson/iptables-tutorial/iptables-tutorial.255" LAN_IFACE="eth1" # # 1. # LO_IFACE="lo" LO_IP="127.6 Other Configuration.unix-fu.

Iptables Tutorial 1. # ###### # 4.2 Create userspecified chains # http://people. rules set up.1 Filter table # # # 4.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1. # # # 3.org/andreasson/iptables-tutorial/iptables-tutorial. /proc set up.html 21:25:51 10/06/2002 .2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.unix-fu.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.9 Página 242 # # 2.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.1.1.

3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.html 21:25:51 10/06/2002 .1.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed http://people.unix-fu. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.9 Página 243 # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.

4 INPUT chain # # # Bad TCP packets we don't want.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet. then $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.RELATED -j ACCEPT # # Log weird packets that don't match the above.html 21:25:51 10/06/2002 .1.Iptables Tutorial 1.9 Página 244 $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT if [ $DHCP == "yes" ] . http://people.1. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \ --state ESTABLISHED.

unix-fu. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # # Log weird packets that don't match the above.1.html 21:25:51 10/06/2002 .1.1.Iptables Tutorial 1.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.9 Página 245 # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.RELATED -j ACCEPT # # Log weird packets that don't match the above. http://people.

RST SYN \ -j TCPMSS --clamp-mss-to-pmtu fi $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.2.2 nat table # # # 4.1.html 21:25:51 10/06/2002 .3.unix-fu.2.6 OUTPUT chain # ###### # 4.2.2.2.5 POSTROUTING chain # if [ $PPPOE_PMTU == "yes" ] .3 mangle table # # # 4.Iptables Tutorial 1.2 Create user specified chains # # # 4.1 Set policies # # # 4.9 Página 246 # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.3.2 Create user specified chains http://people.2.3 Create content in user specified chains # # # 4.1 Set policies # # # 4. then $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN.4 PREROUTING chain # # # 4.

unix-fu.8 POSTROUTING chain # Example rc.9 Página 247 # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.3. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.3.7 OUTPUT chain # # # 4.3 Create content in user specified chains # # # 4.Resets iptables to default values.Iptables Tutorial 1.1.flush-iptables . version 2 of the License.5 INPUT chain # # # 4.4 PREROUTING chain # # # 4.net> # # This program is free software.6 FORWARD chain # # # 4. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.3.3. # http://people.3.3.flush-iptables script #!/bin/sh # # rc.html 21:25:51 10/06/2002 .

# $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT # # flush all the rules in the filter and nat tables. # but WITHOUT ANY WARRANTY.html 21:25:51 10/06/2002 . # $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT # # reset the default policies in the nat table.unix-fu. Inc. Boston. # $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X http://people. if not. write to the Free Software Foundation. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.org/andreasson/iptables-tutorial/iptables-tutorial. 59 Temple # Place. MA 02111-1307 USA # # Configurations # IPTABLES="/usr/sbin/iptables" # # reset the default policies in the filter table. # $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT # # reset the default policies in the mangle table.9 Página 248 # This program is distributed in the hope that it will be useful. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Suite 330.1. # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F # # erase all chains that's not default in filter and nat table. See the # GNU General Public License for more details..Iptables Tutorial 1.

html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. write to the Free Software Foundation. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat PREROUTING:" http://people. version 2 of the License. See the # GNU General Public License for more details.test script for iptables chains and tables. 59 Temple # Place.net> # # This program is free software. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. if not. all chains # iptables -t filter -A INPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter FORWARD:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter FORWARD:" # # NAT table. all chains except OUTPUT which don't work.9 Página 249 Example rc. Boston.. # # This program is distributed in the hope that it will be useful. Inc.unix-fu. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. Suite 330. MA 02111-1307 USA # # # Filter table.test-iptables script #!/bin/bash # # rc. # but WITHOUT ANY WARRANTY.test-iptables .1.Iptables Tutorial 1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.

http://people.html 21:25:51 10/06/2002 .1.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 250 iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat OUTPUT:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat OUTPUT:" # # Mangle table. all chains # iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle OUTPUT:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle OUTPUT:" Done.unix-fu.Iptables Tutorial 1.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->