Iptables Tutorial 1.1.

9

Página 1

Iptables Tutorial 1.1.9
Oskar Andreasson
blueflux@koffein.net

Copyright © 2001 by Oskar Andreasson

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all subsections, with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no BackCover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 of the License. These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License within this tutorial, under the section entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Table of Contents Introduction Why this document was written How it was written About the author Dedications Preparations Where to get iptables Kernel setup 1 userland setup Compiling the userland applications http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 2

Installation on Red Hat 7.1 How a rule is built Basics Tables Commands Matches Generic matches Implicit matches Explicit matches Targets/Jumps ACCEPT target DROP target QUEUE target RETURN target LOG target MARK target REJECT target TOS target MIRROR target SNAT target DNAT target MASQUERADE target REDIRECT target TTL target ULOG target Traversing of tables and chains General Mangle table 1 Nat table 2 Filter table rc.firewall file example rc.firewall explanation of rc.firewall Configuration options http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 3

Initial loading of extra modules proc set up Displacement of rules to different chains Setting up the different chains used INPUT chain The TCP allowed chain The ICMP chain The TCP chain The UDP chain OUTPUT chain FORWARD chain PREROUTING chain of the nat table Starting the Network Address Translation Example scripts rc.firewall.txt script structure The structure rc.firewall.txt rc.DMZ.firewall.txt rc.DHCP.firewall.txt 10. rc.UTIN.firewall.txt rc.test-iptables.txt rc.flush-iptables.txt Detailed explanations of special commands Listing your active ruleset Updating and flushing your tables Common problems and questionmarks Passive FTP but no DCC State NEW packets but no SYN bit set Internet Service Providers who use assigned IP addresses ICMP types Other resources and links Acknowledgements History GNU Free Documentation License 0. PREAMBLE 1. APPLICABILITY AND DEFINITIONS 2. VERBATIM COPYING http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 4

3. COPYING IN QUANTITY 4. MODIFICATIONS 1. 5. COMBINING DOCUMENTS 6. COLLECTIONS OF DOCUMENTS 7. AGGREGATION WITH INDEPENDENT WORKS 8. TRANSLATION 9. TERMINATION 10. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents GNU General Public License 0. Preamble 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. 2. How to Apply These Terms to Your New Programs Example scripts codebase Example rc.firewall script Example rc.DMZ.firewall script Example rc.UTIN.firewall script Example rc.DHCP.firewall script Example rc.flush-iptables script Example rc.test-iptables script

Introduction Why this document was written
Well, I found a big empty space in the HOWTO's out there lacking in information about the iptables and netfilter functions in the new Linux 2.4.x kernels. Among other things, I'm going to try to answer questions that some might have about the new possibilities like state matching. Is it possible to allow passive FTP to your server, but not allow outgoing DCC from IRC as an example? I will build this all up from an example rc.firewall.txt file that you can use in your /etc/rc.d/ scripts. Yes, this file was originally based upon the masquerading HOWTO for those of you who recognize it. Also, there's a small script that I wrote just in case you screw up as much as I did during the configuration available as rc.flush-iptables.txt.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 5

How it was written
I've placed questions to Marc Boucher and others from the core netfilter team. A big thanks going out to them for their work and for their help on this tutorial that I wrote and maintain for boingworld.com. This document will guide you through the setup process step by step, hopefully make you understand some more about the iptables package. I will base most of the stuff here on the example rc.firewall file since I find that example to be a good way to learn how to use iptables. I have decided to just follow the basic chains and from there go down into each and one of the chains traversed in each due order. This tutorial has turned a little bit harder to follow this way but at the same time it is more logical. Whenever you find something that's hard to understand, just consult this tutorial.

About the author
I'm someone with too many old computers on my hands, sitting with my own LAN and wanting them all to be connected to the Internet, at the same time having it fairly secure. The new iptables is a good upgrade from the old ipchains in this regard. Before, you could make a fairly secure network by dropping all incoming packages not destined to certain ports, but this would be a problem with things like passive FTP or outgoing DCC in IRC, which assigns ports on the server, tells the client about it, and then lets the client connect. There was some child diseases in the iptables code that I ran into in the beginning, and in some respects I found the code not quite ready for release in full production. Today, I'd recommend everyone who uses ipchains or even older ipfwadm etc to upgrade unless they're happy with what their current code is capable of and if it does what they need it to.

Dedications
First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She has supported me more than I ever can support her to any degree. I wish I could make you just as happy as you make me. Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who makes this wonderful operating system possible.

Preparations
This chapter is aimed at getting you started and to help you understand the role netfilter and iptables play in Linux today. This chapter should hopefully get you set up and finished to go with your experimentation and installation of a firewall which should hopefully run smoothly in the future.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

An example would be tcpdump or snort. Kernel setup To run the pure basics of iptables you need to configure the following options into the kernel while doing make config or one of it's related commands: CONFIG_PACKET . And of course you need to add the proper drivers for your interfaces to work properly. http://people.9 kernel and a brief explanation : CONFIG_IP_NF_CONNTRACK . this is most definitely required if for anything in this tutorial to work at all. You won't be able to do anything to be pretty honest. -m limit --limit 3/minute would match a maximum of 3 packets per minute.Iptables Tutorial 1.txt.This module is required if you want to do connection tracking on FTP connections. masquerading or NAT.This option is required if you're going to use your computer as a firewall or gateway to the internet. you need to set up the proper configuration options in your kernel. CONFIG_IP_NF_IPTABLES . this module is required by the rc. it just adds the framework to the kernel.This module is needed to make connection tracking. The necessary pieces will be discussed a bit further down in this document. It adds the whole iptables identification framework to kernel. The iptables package also makes use of kernel space facilities which can be configured into the kernel during make configure. this option compiles the helper. Connection tracking is used by. among other things. Since FTP connections are quite hard to do connection tracking on in normal cases conntrack needs a so called helper.firewall. ie. For example. that adds the possibility to control how many packets per minute that's supposed to be matched with a certain rule. In other words. CONFIG_IP_NF_MATCH_LIMIT .This module isn't exactly required but it's used in the example rc. Here we will show you the options available in a basic 2. This option provides the LIMIT match. Ethernet adapter.This option is required if you want do any kind of filtering. The above will only add some of the pure basics in iptables. Without this you won't be able to do anything at all with iptables.This option allows applications and programs that needs to work directly to certain network devices.firewall.txt to work. This module can also be used to avoid certain Denial of Service attacks. NAT and Masquerading. PPP and SLIP interfaces.4.9 Página 6 Where to get iptables The iptables userspace package can be downloaded from the netfilter homepage. If you don't add this module you won't be able to FTP through a firewall or gateway properly.html 21:25:51 10/06/2002 . I assume you'll want this since you're reading this at all.unix-fu. If you need to firewall machines on a LAN you most definitely should mark this option. If you want to use the more advanced options in IPTables. For example. CONFIG_NETFILTER .1. CONFIG_IP_NF_FTP .org/andreasson/iptables-tutorial/iptables-tutorial.

We could for instance block packets based on what MAC address used and block a certain computer pretty well since the MAC address don't change. Note that this match is still experimental and might not work perfectly in all cases. This module was originally just written as an example on what could be done with the new iptables. TOS can also be set by certain rules in the mangle table and via the ip/tc commands.org/andreasson/iptables-tutorial/iptables-tutorial.This target allows us to specify that an ICMP error message should be sent in reply to incoming packets instead of plainly dropping them dead to the floor.This module allows us to match packets with a whole range of destination ports or source ports.Iptables Tutorial 1. if we set up a MIRROR target on destination port HTTP on our INPUT chain and someone tries to access this port we would plainly bounce his packets back to himself and finally he would see his own homepage. but we never know if they are legitimate or not.firewall.This option adds the possibility for us to match TCP packets based on their MSS field. CONFIG_IP_NF_MATCH_OWNER . CONFIG_IP_NF_MATCH_MULTIPORT . CONFIG_IP_NF_MATCH_MARK . Normally this wouldn't be possible. CONFIG_IP_NF_FILTER . http://people. CONFIG_IP_NF_MATCH_UNCLEAN .html 21:25:51 10/06/2002 .txt example.This option will add the possibility for us to do matching based on the owner of a socket. Mind you that TCP connections are always reset or refused with a TCP RST packet. CONFIG_IP_NF_TARGET_MIRROR . For example. and further down we will describe the actual target MARK. TCP.This allows packets to be bounced back to the sender of the packet. With this module we can do stateful matching on packets. we can allow only the user root to have Internet access. this packet will be counted as ESTABLISHED.This module will add the basic filter table which will enable you to do basic filtering. we can match based on this mark. CONFIG_IP_NF_MATCH_TCPMSS . TOS stands for Type Of Service. CONFIG_IP_NF_MATCH_TOS .9 Página 7 CONFIG_IP_NF_MATCH_MAC . CONFIG_IP_NF_TARGET_REJECT . This option is the actual match MARK. For example.1.This module will add the possibility for us to match IP. FORWARD and OUTPUT chains. We could for example drop these packets.This allows us to use a MARK match.This is one of the biggest news in comparison to ipchains. We don't use this option in the rc. For example. if we've already seen trafic in two directions in a TCP connection. but with this match it is. This module is used extensively in the rc.txt example or anywhere else.unix-fu. CONFIG_IP_NF_MATCH_STATE . Note that this match is still experimental and might not work for everyone.firewall. For example.With this match we can match packets based on their TOS field. UDP and ICMP packets that looks strange or are invalid. if we use the target MARK we could mark a packet and then depending on if this packet is marked further on in the table. Every Ethernet adapter has it's own MAC address.This allows us to match packets based on MAC addresses. In the filter table you'll find the INPUT. This module is required if you plan to do any kind of filtering on packets that you receive and send.

Adds a compatibility mode with the old ipchains.unix-fu.1. As you can see. unless you are able to provide unique IP addresses for all hosts.firewall.This target is useful together with proxies for example. I have briefly explained what kind of extra behaviours you can expect from each module here.txt to work properly. This can result in webpages not getting through.firewall. With this option we can do port forwarding. etcetera. but mostly is. This could be useful for forensics or debugging a script you're writing. we need to use this target instead of SNAT.This module allows network address translation. small mails getting through while larger mails don't get through. We can use this module to log certain packets to syslogd and hense see the packet further on. if we use DHCP. Instead of letting a packet pass right through.Compatibility mode with old ipfwadm. http://people. Do not look at this as any real long term solution for solving migration from Linux 2. there is a heap of options. This may be for various reasons such as the patch not being stable yet. I suggest you look at the patch-o-matic functions in netfilter userland which will add heaps of other options in the kernel. or NAT.This adds the LOG target to iptables and the functionality of it.6. These are only the options available in a vanilla Linux 2. If you need help with the options that the other scripts needs. CONFIG_IP_NF_TARGET_MASQUERADE . for the rc. CONFIG_IP_NF_COMPAT_IPCHAINS . If you would like to get a look at more options.4.txt script to work. CONFIG_IP_NF_TARGET_TCPMSS . These functions should be added in the future.This option can be used to overcome Internet Service Providers and servers who block ICMP Fragmentation Needed packets. we'll be able to handle what the authors of netfilter themself call "criminally braindead ISPs or servers" in the kernel configuration help. We can then use the TCPMSS target to overcome this by clamping our MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit). ssh works but scp dies after handshake.9 Página 8 CONFIG_IP_NF_NAT .This module adds the MASQUERADE target. For instance if we don't know what IP we have to the Internet this would be the preferred way of getting the IP instead of using DNAT or SNAT. CONFIG_IP_NF_TARGET_LOG .html 21:25:51 10/06/2002 . masquerading etc. Masquerading gives a slightly higher load on the computer than NAT does.org/andreasson/iptables-tutorial/iptables-tutorial. to Linus Torvalds being unable to keep up or not wanting to let the patch in to the mainstream kernel yet since it is still experimental. In other words.9 kernel.4 kernels since it may well be gone with kernel 2. CONFIG_IP_NF_COMPAT_IPFWADM . PPP. in it's different forms.Iptables Tutorial 1. we have the possibility to make a transparent proxy this way. Do absolutely not look at this as a real long term solution. Note that this option is is not required for firewalling and masquerading of a LAN. Hence. CONFIG_IP_NF_TARGET_REDIRECT . POM fixes are additions that are supposed to be added in the kernel in the future but has not quite reached the kernel yet. This way.2 kernels to 2. SLIP or some other connection that dynamically assigns us an IP. In other words. You will need the following options compiled into your kernel. or as modules. look at the example firewall scripts section. but has not quite made it in yet. we remap them to go to our local box instead. and most definitely on your network if you do not have the ability to add unique IP addresses as specified above. this option is required for the example rc. but will work without us knowing the IP in advance.

1 it is disabled per default. For more information read the iptables-1.2.txt script.3/INSTALL file which contains pretty good information on compiling and getting the program to run.9 kernel.unix-fu.2. userland setup First of all.bz2. using bzip2 -cd iptables-1.4. this may not work with older versions of tar). Hopefully the package should now be unpacked properly into a directory named iptables-1.Iptables Tutorial 1. lets try to stay focused on the main script which you should be studying now. let's look at how we compile the iptables package. in Red Hat 7.2.3. Here.firewall. We will check closer on how to enable it on this. However.tar. we have used the iptables 1.tar. one of these are Red Hat 7.(this can also be accomplished with the tar -xjvf iptables-1.2.2.9 Página 9 CONFIG_PACKET CONFIG_NETFILTER CONFIG_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE The above will be required at the very least for the rc.3.3.1. which should do pretty much the same as the first command.org/andreasson/iptables-tutorial/iptables-tutorial. For now. and other distributions further on in this chapter Compiling the userland applications First of all unpack the iptables package.bz2 | tar -xvf . This compilation goes quite a lot hand in hand with the kernel configuration and compilation so you are aware of this.html 21:25:51 10/06/2002 .3 package and a vanilla 2. However. http://people.1. Unpack as usual. In the other example scripts I will explain what requirements they have in their respective section. Certain distributions comes with the iptables package preinstalled.

However. but is a bit further away from actually getting there. there are some even more experimental patches further along. but still skip the most extreme patches that might cause havoc in your kernel. To be able to install all of the patch-o-matic stuff you will need to run the following command: make patch-o-matic KERNEL_DIR=/usr/src/linux/ Don't forget to read the help for each patch thoroughly before doing anything.html 21:25:51 10/06/2002 . Some patches will destroy other patches while others may destroy your kernel if used together with some patches from patch-o-matic etc. Some of these are highly experimental and may not be a very good idea to install. They ask you before anything is changed in the kernel source. You may totally ignore the above steps if you don't want to patch your kernel.org/andreasson/iptables-tutorial/iptables-tutorial. You may wait with the kernel compilation until after the compilation of the userland program iptables if you feel like it. there is the option to install extra modules and options etcetera to the kernel. because that's what these commands actually do. there are some really interesting things in the patch-o-matic that you may want to look at so there's nothing bad in just running the commands and see what they contain. This only asks about certain patches that are just about to enter the kernel anyways. there are heaps of extremely interesting matches and targets in this installation step so don't be afraid of at least looking at them. it is in other words not necessary to do the above.unix-fu. One way to install these are by doing the following: make most-of-pom KERNEL_DIR=/usr/src/linux/ The above command would ask about installing parts of what in netfilter world is called patch-omatic. Normally this should be /usr/src/linux/ but this may vary. Don't forget to configure the kernel again since the new patches probably are not added to the configured options and so on. There might be more patches and additions that the developers of netfilter are about to add to the kernel. After this you are finished doing the patch-o-matic parts of installation.Iptables Tutorial 1. To do this step we do something like this from the root of the iptables package: make pending-patches KERNEL_DIR=/usr/src/linux/ The variable KERNEL_DIR should point to the actual place that your kernel source is located at.1. and most probably you will know yourself where the kernel source is available. which may only be available when you do some other steps.9 Página 10 After this. http://people. However. you may either compile a new kernel making use of the new patches that you have added to the source.The step described here will only check patches that are pending for inclusion to the kernel. Note that we say ask. though.

However. To compile iptables you issue a simple command that looks like this: make KERNEL_DIR=/usr/src/linux/ The userland application should now compile properly.9 Página 11 Continue by compiling the iptables userland application.1 Red Hat 7. By changing this to K we tell it to Kill the service instead.Iptables Tutorial 1. To do this. To do this. if not.org/andreasson/iptables-tutorial/iptables-tutorial. If everything has worked smoothly.1.html 21:25:51 10/06/2002 . We would then issue http://people. let's take a brief look at how to turn the module off and how to install iptables instead. try to think logically about it and find out what's wrong or get someone to help you. they have disabled the whole thing by using the backwards compatible ipchains module. you would issue the following command to install them: make install KERNEL_DIR=/usr/src/linux/ Hopefully everything should work in the program now.1 comes preinstalled with a 2. Now the service won't be started in the future. The first letter which per default would be S tells the initscripts to start the script.d/ directory-structure. to stop the service from actually running right now we need to run another command.x kernel that has netfilter and iptables compiled in. So.4. check the INSTALL file in the source which contains excellent information on the subject of installation. you're ready to install the binaries by now. you will need to change some filenames in the /etc/rc. This is the service command which can be used to work on currently running services. and a lot of people are asking different mailing lists why iptables don't work. or to not run it if it was not previously started. you're on your own. however. First of all you will need to turn off the ipchains modules so it won't start in the future. It also contains all the basic userland programs and configuration files that is needed to run it. or possibly try the netfilter mailing list who might help you with your problems. Installation on Red Hat 7. The following command should do it: chkconfig --level 0123456 ipchains off By doing this we move all the soft links that points to the real script to K92ipchains.unix-fu. For more information about installing the userland applications from source. There is a few things that might go wrong with the installation of iptables so don't panic if it won't work. Annoying to say the least. To use any of the changes in the iptables userland applications you should definitely recompile and reinstall your kernel by now if you haven't done so before.1 installation today comes with an utterly old version of the userspace applications so you might want to compile a new version of the applications as well as install a new and homecompiled kernel before fully exploiting iptables. The default Red Hat 7.

use the iptables-save command. when you need to fix a screwed up box.d script to restore the ruleset in the future. we need to know which runlevels we want it to run in. However. Note that this set up may be automatically erased if you have. Level 1 is for single user mode. that will meet your requirements. If you'd like the iptables service to run in some other runlevel you would have to issue the same command in those. This would have the bad effect that the rules would be deleted if you updated the iptables package by RPM. First of all. don't forget to edit a the stop) section either which tells the script what to do when the computer is going down for example. First we will describe the possibility of doing the set up by cut and paste to the iptables init. or when we are entering a runlevel that don't require iptables to run. This is used if you automatically boot into Xwindows. The other way to save the script would be to use service iptables save which would save the script http://people. 3 and 5. To add rules to an Red Hat 7. To add rules that should be run when the computer starts the service.Iptables Tutorial 1. or in the start() function. or directly with iptables. The second way of doing the set up would require the following steps to be taken. you chould edit the /etc/rc. 3. Note. To make iptables run in these runlevels we would do the following commands: chkconfig --level 235 iptables on The above commands would in other words make the iptables service run in runlevel 2. X11.9 Página 12 the following command to stop the ipchains service: service ipchains stop Finally.html 21:25:51 10/06/2002 .d scripts.1 box.1. Also. so you should not really need to activate it for those runlevels. you add them under the start) section. Normally this would be in runlevel 2. Level 4 should be unused. we just run the following command: service iptables start Of course.org/andreasson/iptables-tutorial/iptables-tutorial. When you find a set up that works without problems or bugs as you can see. 3 and 5.unix-fu.d script. none of the other runlevels should be used. ie. First of all. there is no rules in the iptables script. Full multiuser mode. and don't forget to experiment a bit. These runlevels are used for the following things: 2. and level 6 is for shutting the computer down. for example. It may also be erased by updating from the iptables RPM package.d/iptables script. to start the iptables service. there is two common ways. You could either use it normally. 5. The other way would be to load the ruleset and then save them with the iptables-save command and then have it loaded automatically by the rc. To activate the iptables service. This file is automatically used by the iptables rc. ie. Also.d/init. don't forget to check out the restart section and condrestart. if you add the rules under the start) section don't forget to stop the start() function from running in the start) section. the normal runlevel to run in. Red Hat Network automatically updating your packages. First of all. make and write a ruleset in a file. Multiuser without NFS or the same as 3 if there is no networking. such as iptables-save > /etc/ sysconfig/iptables which would save the ruleset to the file /etc/sysconfig/iptables.

When you reboot the computer in the future. etc: rpm -e ipchains After all this is done you are finished to update the iptables package from source according to the source installation instructions. we have used this way of writing rules since it is the most usual way of writing them. A rule could be described as the pure rules the firewall will follow when blocking different connections and packets in each chain. This step is only necessary if you will install iptables from the source package. It's not unusual that the new and the old package get's mixed up since the rpm based installation installs the package in non-standard places and won't get overwritten by the installation for the new iptables package.1. do as follows: rpm -e iptables And of course. or matches. When all of these steps are finished we can deinstall the currently installed ipchains and iptables packages.Iptables Tutorial 1. however. Each line you write that's inserted to a chain should be considered a rule. We will also discuss the basic matches that str available and how to use them as well as the different targets and how we can make new targets to use (ie. we perform the target. if you read someone elses script you'll most likely recognise the way of writing a rule and understand it quickly. libraries or include files etc should be lying around any more. We do this since we don't want the system to mix up the new iptables userland application with the old preinstalled iptables applications. http://people. Hence. the iptables rc.9 Página 13 automatically to this file.d script will use the command iptables-restore to restore the ruleset from the save-file /etc/sysconfig/ iptables. Basics As we've already explained each rule is a line that the kernel looks at to find out what to do with a packet.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . or jump. you would do this normally to get a better readability.unix-fu. are met. instruction. If all the criterias. Also. why keep ipchains lying around when it is of no use? That is done the same way as with the old iptables binaries. How a rule is built This chapter will discuss in legth how to build your rules. To do the deinstallation. Do not intermix this and the previous set up instruction since they may heavily damage eachother and render each and one useless. Normally we would write a rule something like this: iptables [-t table] command [match] [target/jump] There is nothing that says that the target instruction must be last in the line. new subchains). None of the old binaries.

Note that OUTPUT is currently broken. This is one reason why you should not do any filtering in this table. the filter table is used.9 Página 14 If you want to use another table than the standard table. however.org/andreasson/iptables-tutorial/iptables-tutorial. The rest of the packets in the stream will in other words not go through this table again. Finally we have the POSTROUTING chain which is used to alter packets just as they are about to leave the firewall. The rest of the packets in the same stream are automatically NAT'ed or Masqueraded etc. There is a heap of different matches that we can use that we will look closer at further on in this chapter. As with the rest of the content in this section. Finally we have the target of the packet. http://people. Tables The -t option specifies which table to use. The OUTPUT chain is used for altering locally generated packets (ie. you could insert the table specification where [table] is specified. We could specify what IP address the packet must come from. or directly after the table specification. The match is the part which we send to the kernel that says what a packet must look like to be matched. It is not required to put the table specification at this location. it is more or less standard to put the table specification at the beginning of the commandline. The PREROUTING chain is used to alter packets as soon as they get in to the firewall. on the firewall) before they get to the routing decision. However. The first packet of a stream is allowed. or which network interface the packet must come from etc. We could tell the kernel to send the packet to another chain that we create ourself. in case they are supposed to have those actions taken on them. we'll look closer at them further on in the chapter.Iptables Tutorial 1. If all the matches are met for a packet we tell the kernel to perform this action on the packet. as we will discuss more in length further on. We could tell the kernel to drop this packet dead and do no further processing. One thing to think about though. or to delete a rule. We will enter this a bit further on. the command should always be first. which must be part of this table. either. we presume. We use this first variable to tell the program what to do. for example to insert a rule or to add a rule to the end of the chain.html 21:25:51 10/06/2002 . The following options are available to the -t command: Table 1. It could be set pretty much anywhere in the rule. it is not necessary to specify it explicitly all the time since iptables per default uses the filter table to implement your commands on. Tables Table nat Explanation The nat table is used mainly for Network Address Translation. but instead they will automatically have the same actions taken to them as the first packet in the stream. or we could tell kernel to send a specified reply to be sent back. Packets in a stream only traverse this table once.unix-fu. This tells the iptables command what to do. Per default.1.

org/andreasson/iptables-tutorial/iptables-tutorial. Examples of this would be to change the TTL. The filter table should be used for filtering packets generally.unix-fu. but a mark for the packet is set in kernelspace which other rules or programs might use further on in the firewall to filter or do advanced routing on with tc as an example. We will discuss the tables and chains more in the Traversing of tables and chains chapter. ACCEPT or REJECT packets without problems as in the other tables. the PREROUTING and OUTPUT chains. The following commands are available to iptables: Table 2. INPUT is used on all packets that are destined for our local host (the firewall) and OUTPUT is finally used for all locally generated packets. The command tells iptables what to do with the rest of the commandline that we send to the program. For example. filter The listing above has hopefully explained the basics about the three different tables that are available. and you should know what to use each chain for. This command appends the rule to the end of the chain. unless you append or insert more rules later on. We could change different packets and how their headers look among other things. If you do not understand their usage you may well fall into a pit once someone finds the hole you have unknowingly placed in the firewall yourself. Note that mangle can not be used for any kind of Network Address Translation or Masquerading. The table consists of two built in chains. LOG. The rule will will in other words always be put last in the ruleset in comparison to previously added rules.. OUTPUT is used for changing and altering locally generated packets before they enter the routing decision.9 Página 15 mangle This table is used mainly for mangling packets. in other words). the nat table was made for these kinds of operations. Commands In this section we will bring up all the different commands and what can be done with them.1. --append iptables -A INPUT .Iptables Tutorial 1. They should be used for totally different things. The first one is named FORWARD and is used on all non-locally generated packets that are not destined for our localhost (the firewall.. PREROUTING is used for altering packets just as they enter the firewall and before they hit the routing decision. TOS or MARK. Note that the MARK is not really a change to the packet. Normally we want to either add or delete something to some table or another.html 21:25:51 10/06/2002 . http://people. Commands Command Example Explanation -A. and hence be checked last. There are three chain built in to this table. we could DROP.

iptables -D INPUT 1 This command deletes a rule in a chain. It works in the same way as the --delete command. This might be good while experimenting with iptables mainly. the chains will first be listed. To zero this packet counter. In the above case. It's also legal to not specify any chain at all. --replace iptables -R INPUT 1 -s 192. If -L and -Z is used together (which is legal). --flush iptables -F INPUT This command flushes the specified chain from all rules and is equivalent to deleting each rule one by one but is quite a bit faster. This could be done in two ways. If you have used the -v option with the -L command. for example the -n and -v options. either by specifying a rule to match with the -D option (as in the first example) or by specifying the rule number that we want to match. -N. --delete iptables -D INPUT --dport 80 -j DROP. but instead of totally deleting the entry. we would list all the entries in the INPUT chain. --zero iptables -Z INPUT This command tells the program to zero all counters in a specific chain or in all chains. --insert iptables -I INPUT 1 --dport 80 -j ACCEPT Insert a rule somewhere in a chain.9 Página 16 -D. -R. the rules are numbered from the top of each chain. In the last case. If you use the second way. and then the packet counters are zeroised. it will replace it with a new entry.1. The exact output is affected by other options sent to the program. you have probably seen the packet counter in the beginning of each field. This option works the same as -L except that -Z won't list the rules. see the Tables section).1 -j DROP This command replaces the old entry at the specified line.Iptables Tutorial 1. -F. --list iptables -L INPUT This command lists all the entries in the specified chain. --new-chain iptables -N allowed http://people. and hence it would be the absolutely first rule in the chain from now on. and the top rule is number 1.unix-fu. -Z. -I. -L. the above example would be inserted at place 1 in the INPUT chain. In other words. and will then delete all rules in all chains within the specified table. The rule is inserted at the actual number that we give. use the -Z option. the command would list all the chains in the specified table (To specify a table. If you use the first way of deleting rules. The command can be used without options.168.html 21:25:51 10/06/2002 . etcetera.org/andreasson/iptables-tutorial/iptables-tutorial. they must match totally to the entry in the chain.0.

--policy iptables -P INPUT DROP This command tells the kernel to set a specified default target. change the name of the chain from allowed to disallowed. there must be no rules that are referring to the chain that is to be deleted. The matches and targets are instead looked upon in a later section of this chapter. It is. --insert. --append.org/andreasson/iptables-tutorial/iptables-tutorial. --rename-chain iptables -E allowed disallowed The -E command tells iptables to rename the first name of a chain. Note that this will not affect the actual way the table will work. These counters uses the K (x1000). rule options and TOS masks. mail me if so) -E. to the second name. If this command is used without any options. in other words. In other words. Note that there must be no target of the same name previously to creating it. In the example above we would. -X. Table 3. Note that we tell you with which commands the options can be used and what effect they will have. --verbose --list.unix-fu.000) multipliers. ACCEPT and REJECT (There might be more. all chains that are not built in will be deleted from the specified table. unless you just want to list the built-in help for iptables or get the version of the command. in other words. As usual. just a cosmetic change to the table. you would have to replace or delete all rules referring to the chain before actually deleting the chain. use the -h option. To overcome this and to get exact output. Legal targets are: DROP. you http://people. For this command to work. in other words. on a chain. The --list command will also include a bytes and packet counter for each rule if the --verbose option is set. Also note that we do not tell you any options here that is only used to affect rules and matches.Iptables Tutorial 1.000. M (x1.html 21:25:51 10/06/2002 . To get the version. In the above example we create a chain called allowed. If used together with the --list command it makes the output from the command include the interface address. Options Option Commands used with Explanation -v. All packets that don't match any rule will then be forced to use the policy of the chain.000) and G (x1. --delete.000. --delete-chain iptables -X allowed This command deletes the specified chain from the table.000.9 Página 17 This command tells the kernel to create a new chain by the specified name in the specified table. Here comes a few options that can be used together with a few different commands. -P. --replace This command shows a verbose output and is mainly used together with the --list command. or policy.1. use the -v option and to get the help message. A command should always be specified.

--set-counters --insert. --insert. which would tell the kernel to set the packet counter to 20 and byte counter to 4000. IP addresses and port numbers will be printed by using their numerical values and not hostnames. It could be used if your modprobe command is not somewhere in the searchpath etc. --exact --list This option expands the numerics. network names or application names. We have UDP matches which can only be applied to UDP packets and ICMP matches which can only be http://people.1. This option overrides the default of resolving all numerics to hosts and names if possible. The syntax would be something like --setcounters 20 4000. Instead we will get an exact output of how many packets and bytes that has matched the rule in question from the packets and bytes counters. I've chosen to split down the matches into five different subcategories here. Each rule is numbered together with this option and it might be easier to know which rule has which number when you're going to insert rules.html 21:25:51 10/06/2002 . Then we have the TCP matches which can only be applied to TCP packets. -n. --modprobe All The --modprobe option is used to tell iptables which command to use when probing for modules to the kernel. --append.unix-fu. The output from --list will in other words not contain the K. This option is only applicable to the --list command.Iptables Tutorial 1. --replace This option is used when creating a rule in some way or modifying it. the program will output detailed information on what happens to the rules and if it was inserted correctly etcetera. Note that this option is only usable in the -list command and isn't really relevant for any of the other commands. In such cases it might be necessary to specify this option so the program knows what to do in case a needed module is not loaded. -c. This option can be used with all commands. --line-numbers --list The --line-numbers command is used to output line numbers together with the --list command. -x. First of all we have the generic matches which are generic and can be used in all rules. --numeric --list This option tells iptables to output numerical values.9 Página 18 could use the -x option described later. This option only works with the --list command. M or G multipliers. If this option is used with the --append. Matches This section will talk a bit more about the matches. We can then use the option to initialize the packets and bytes counters of the rule.org/andreasson/iptables-tutorial/iptables-tutorial. --delete or --replace commands.

0/24. --source iptables -A INPUT -s 192. -s. The command may also take a comma delimited list of protocols. too. One way is to do it with an regular netmask in the 255.1 This is the source match which is used to match packets based on their source IP address. The main form can be used to match single IP addresses such as 192.0). The line would then look something like. No special parameters are in other words needed to load these matches at all.0/255. --src.1. It could be used with a netmask in a bits form. For example.255.168. such as 255 which would mean the RAW IP protocol.0. If this match is given the numeric value of zero (0). owner and limit matches and so on. the program knows about all the protocols in the /etc/protocols file as we already explained. 192.1. The following matches are always available. Generic matches Command Example Explanation -p.Iptables Tutorial 1. Table 4. we need to use the --protocol match and send TCP as an option to the match.168. We could then match whole IP ranges. since it can be used to match specific protocols.168. Finally we have special matches such as the state.0. 192. This match can also be inversed with the ! sign.1. I have also added the -protocol match here.255.0.255. A generic match is a kind of match that is always available whatever kind of protocol we are working on or whatever match extensions we have loaded.unix-fu. which in turn is the default behaviour in case the --protocol match is not used. such as our local networks or network segments behind the firewall.org/andreasson/iptables-tutorial/iptables-tutorial. --protocol iptables -A INPUT -p tcp This match is used to check for certain protocols. which means to match all of the previous protocols. This would match all packets in the 192.168. so --protocol ! tcp would mean to match the ICMP and UDP protocols.0 netmask. if we want to use an TCP match. as well as ALL.255. I hope this is a reasonable breakdown and that all people out there can understand this breakdown.1. The protocol may also take a numeric value. for example. These final matches has in turn been split down to even more subcategories even though they might not necessarily be different matches at all. This list can vary a bit at the same time since it uses the /etc/protocols if it can not recognise the protocol itself.255 form (ie.255. Finally. First of all the protocol match can take one of the three aforementioned protocols. such as udp. Examples of protocols are TCP. We could also inverse the match with an ! just as before.tcp which would match all UDP and TCP packets.168. it means ALL protocols.x range. This means that we could for example add /24 to use a 255. --protocol is in itself a match. even though it is needed to use some protocol specific matches. and the other way is to only specify the number of ones (1's) on the left side of the network mask. If we would in other words use a match in the form of --source ! http://people. However.9 Página 19 used on ICMP packets. Generic matches This section will deal with Generic matches. UDP and ICMP.html 21:25:51 10/06/2002 .255.

0. in case the match is not specified. --fragment iptables -A INPUT -f This match is used to match the second and third part of a fragmented packet.0/24 we would match all packets with a source address not coming from within the 192. We could also invert the whole match with an ! sign.168.html 21:25:51 10/06/2002 . The reason for this is that in the case of fragmented packets.255. you can use the ! sign in exactly the same sense as in the --in-interface match. http://people.0. What this means is that we match all the first fragments of a fragmented packets.168. third. We also match all packets that has not been fragmented during the transfer. --in-interface iptables -A INPUT -i eth0 This match is used to match based on which interface the packet came in on. like this ! -f.1. The default is to match all IP addresses. When this match is inversed.168. in opposite of the --in-interface match. To inverse the meaning of the match. there is no way to tell the source or destination ports of the fragments.255.0 or like 192. or in the number of ones (1's) counted from the left side of the netmask bits. Note that this option is only legal in the INPUT. Of course.0. A single + would in other words tell the kernel to match all packets without considering which interface it came in on. Also. This option can also be used in conjunction with the ! sign. The + value is used to match a string of letters and numbers. The line would then have a syntax looking something like -i ! eth0. just as before.9 Página 20 192. FORWARD and PREROUTING chains and will render an error message when used anywhere else. in this case the ! sign must precede the match. The + extension is understood so you can match all eth devices with eth+ and so on. we can add a netmask either in the exact netmask form. It works pretty much the same as the --source match and has the same syntax. and so on. nor ICMP types. We can also invert the meaning of this option with the help of the ! sign. regardless of where the packet is going. which would mean to match all incoming interfaces. we match all head fragments and/or unfragmented packets. -f. It would then look like either 192. -o.1 The --destination match is used to match packets based on their destination address or addresses.org/andreasson/iptables-tutorial/iptables-tutorial. -d. and hence this match was created. however. --out-interface iptables -A FORWARD -o eth0 The --out-interface match is used to match packets depending on which interface they are leaving on. except eth0.0.0. Note that this match is only available in the OUTPUT. fragmented packets might in rather special cases be used to compile attacks against computers. among other things. Such fragments of packets will not be matched by other rules when they look like this.0/255.168.0/24 and both would be equivalent to each other. The + string can also be used at the end of an interface. --destination ! 192. --dst. Other than this. The default behaviour of this match.1 IP address.168. FORWARD and POSTROUTING chains.168. -i. and not the second.Iptables Tutorial 1.0. the default behaviour if this match is left out is to match all devices.unix-fu.1 would in other words match all packets except those not destined to the 192. --destination iptables -A INPUT -d 192. it works pretty much the same as the --in-interface match. To match an IP range. is to assume a string value of +.x range. except that it matches based on where the packets are going. fragments.1. and eth+ would in other words match all ethernet devices.168.

The TCP based matches contain a set of different matches that are available for only TCP packets. port 65535 is assumed.9 Página 21 Also note that there are defragmentation options within the kernel that can be used which are really good.unix-fu. This match can either take a service name or a port number. in case you use connection tracking you will not see any defragmented packets since they are dealt with before hitting any chain or table in iptables. If you specify a service name. the port 0 is assumed to be the one we mean. There is also explicitly loaded matches that you must load explicitly with the m or --match option which we will go through later on in the next section. These matches are loaded implicitly in a sense. The other matches will be looked over in the continuation of this section. The --source-port match can also be used to match a whole range of ports in this fashion --source-port 22:80 for example.org/andreasson/iptables-tutorial/iptables-tutorial. This example would match all source ports between 22 and 80. and UDP based matches contain another set of matches that are available only for UDP packets. Note that the --protocol tcp match must be to the left of the protocol specific matches. the entry of the rule will be slightly faster since iptables don't have to check up the service name. --source-port iptables -A INPUT -p tcp --sport 22 The --source-port match is used to match packets based on their source port. These are TCP matches. however. it could be a little bit harder to read in case you specify the numeric value. If we would write --source-port 22: we would in turn get a port specification that tells us to match all ports from http://people.1. To use these matches you need to specify --protocol tcp on the command line before trying to use these matches. If you specify the port by port number.Iptables Tutorial 1. after the TCP match section.html 21:25:51 10/06/2002 . Implicit matches This section will describe the matches that are loaded implicitly. TCP matches These matches are protocol specific and are only available when working with TCP packets and streams. If we omit the first port specification. If you are writing a ruleset consisting of a 200 rules or more. the service name must be in the /etc/services file since iptables uses this file to look up the service name in. There are currently three types of implicit matches that are loaded automatically for three different protocols. Implicit matches are loaded automatically when we tell iptables that this rule will match for example TCP packets with the -protocol match. TCP matches Match Example Explanation --sport. Table 5. just as the UDP and ICMP matches are loaded implicitly. And if the last port specification is omitted. --source-port :80 would then match port 0 through 80. UDP matches and ICMP matches. this could make as much as 10 seconds if you are running a large ruleset consisting of 1000 rules or so). As a secondary note. you should definitely do this by port numbers since you will be able to notice the difference(On a slow box. and the same thing for ICMP packets.

in other words packets in an already established connection. look at the multiport match extension. In other words. This match is used to match packets if they have the SYN bit set and the ACK and FIN bits unset. it would be understood just the same as --sourceport 22:80. Such packets are used to request new TCP connections from a server mainly.Iptables Tutorial 1. The inversion could also be used together with a port range and would then look like --source-port ! 22:80. and for ease of traversing from one to the other. Also note that the comma delimitation should not include spaces. Both lists should be comma-delimited. exactly the same as --source-port in syntax. The correct syntax could be seen in the example above. This option can also be inverted with the ! sign. --tcp-option iptables -p tcp --tcp-option 16 This match is used to match packets depending on their TCP options. ALL and NONE is pretty much self describing. This would tell the match to match all packet with the FIN or the ACK bits set. --syn iptables -p tcp --syn The --syn match is more or less an old relic from the ipchains days and is still there out of compatibility reasons. RST. If a source port definition looked like --source-port 80:22. you should have effectively blocked all incoming connection attempts. --dport. It understands port and port range specifications. If we inversed the port specification in the port range so the highest port would be first and the lowest would be last.ACK. FIN.ACK. http://people. hack a legit service and then make a program or such make the connect to you instead of setting up an open port on your host). URG. ! --syn. way. For more information about this. -tcp-flags ALL NONE would in other words mean to check all of the TCP flags and match if none of the flags are set.1. Note that this match does not handle multiple separated ports and port ranges. which in turn would mean that we want to match all ports but port 22 through 80. We could also invert a match by adding a ! sign like --source-port ! 22 which would mean that we want to match all ports but port 22. Note that this match does not handle multiple separated ports and port ranges. For more information about this. This match can also be inverted with the ! sign in this.9 Página 22 port 22 through port 65535. as well as inversions. This command would in other words be exactly the same as the --tcp-flags SYN. It does also reverse high and low ports in a port range specification if the high port went into the first spot and the low port into the last spot. iptables automatically reverses the inversion. --destination-port iptables -A INPUT -p tcp --dport 22 This match is used to match TCP packets depending on its destination port. look at the multiport match extension. ALL means to use all flags and NONE means to use no flags for the option it is set. ACK. you will not have blocked the outgoing connections which a lot of exploits today uses (for example. It uses exactly the same syntax as the --source-port match. or turned on. PSH flags but it also recognizes the words ALL and NONE. The match will also assume the values of 0 or 65535 if the high or low port is left out in a port range specification. First of all the match takes a list of flags to compare (a mask) and second it takes list of flags that should be set to 1. however. The match knows about the SYN.unix-fu.FIN SYN match.html 21:25:51 10/06/2002 . If you block these packets.org/andreasson/iptables-tutorial/iptables-tutorial. --tcp-flags iptables -p tcp --tcp-flags SYN.FIN SYN This match is used to match depending on the TCP flags in a packet.

the match can understand service names as long as they are available in the /etc/services file. Note that UDP packets are not connection oriented. Note that the state machine will work on all kinds of packets even though UDP or ICMP packets are counted as connectionless protocols. To invert the port match. If the high port comes before the low port. Single UDP port matches look as in the example above. This example would match all packets destined for UDP port 22 through 80. to invert this we could do --destination-port ! 53. It is used to perform matches on packets based on their source UDP ports. Note that this match does not handle multiple ports and port ranges. To specify a port range. If the first value is omitted.html 21:25:51 10/06/2002 . This would match all ports but port 80.1. --destination-port iptables -A INPUT -p udp --dport 53 The same goes for this match as for the UDP version of --source-port. If the last port is omitted. they are simply lost (Not taking ICMP error messaging etcetera into account). If the high port is placed before the low port. --source-port ! 53 fashion. If the first port is omitted. --dport.org/andreasson/iptables-tutorial/iptables-tutorial. port 0 is assumed. Of course. port 65535 is assumed. For more http://people. To match a single port we do --destination-port 53. The match is used to match packets based on their UDP destination port. such as open or closing a connection. For more information about this. port 0 is assumed. add a ! sign in this. If the second port is omitted. UDP packets do not require any kind of acknowledgement either. single ports and port inversions with the same syntax. single ports and inversions. It has support for port ranges. UDP matches Match Example Explanation --sport.unix-fu. --source-port iptables -A INPUT -p udp --sport 53 This match works exactly the same as its TCP counterpart. There will be more about the state machine in a future chapter. but will work with UDP packets instead. the ports switch place with eachother automatically. they automatically switch place so the low port winds up before the high port.9 Página 23 UDP matches This section describes matches that will only work together with UDP packets. If they are lost. or if they are just simply supposed to send data.Iptables Tutorial 1. To make a UDP port range you could do 22:80 which would match UDP ports 22 through 80. This means that there is quite a lot less matches to work with on a UDP packet than there is on TCP packets. and hence there is no such thing as different flags to set in the packet to give data on what the datagram is supposed to do. Table 6. look at the multiport match extension. The match handles port ranges. port 65535 is assumed. it is exactly the same as the equivalent TCP match. Note that this match does not handle multiple separated ports and port ranges. The first would match all UDP packets going to port 53 while the second would match packets but those going to the destination port 53. The state machine works pretty much the same on UDP packets as on TCP packets. we would do --destination-port 22:80 for example. These matches are implicitly loaded when you specify the --protocol UDP match and will be available after this specification.

ICMP types can be specified either by their numeric values or by their names. The main feature of this protocol is the type header which tells us what the packet is to do.org/andreasson/iptables-tutorial/iptables-tutorial. among other things.html 21:25:51 10/06/2002 . and hopefully this should suffice. redirect packets to the wrong places. Some of these matches may be specific to some protocols.Iptables Tutorial 1. The ICMP protocol is mainly used for error reporting and for connection controlling and such features. ICMP matches Match Example Explanation --icmp-type iptables -A INPUT -p icmp --icmp-type 8 This match is used to specify the ICMP type to match. and others again may be "dangerous" for a simple host since they may. --icmp-type ! 8. One example is if we try to access an unaccessible IP adress. look at the multiport match extension. The headers of a ICMP packet are very similar to those of the IP headers. Explicit matches Explicit matches are matches that must be specifically loaded with the -m or --match option. while explicitly loaded matches will not be loaded automatically in any case and it is up to you to activate them before using them. or check the ICMP types appendix. The difference between implicitly loaded matches and explicitly loaded ones is that the implicitly loaded matches will automatically be loaded when you. If we would like to use the state matches for example. but contains differences. Table 7. This in turn means that all these matches may not always be useful. however. but more of a protocol beside the IP protocol that helps handling errors. we would have to write -m state to the left of the actual match using the state matches. do a iptables --protocol icmp --help. see the ICMP types appendix. There is only one ICMP specific match available for ICMP packets. This match can also be inverted with the ! sign in this. ICMP is not a protocol subordinated to the IP protocol. To find a complete listing of the ICMP name values. Numerical values are specified in RFC 792.unix-fu. Note that some ICMP types are obsolete. This match is implicitly loaded when we use the --protocol ICMP match and we get access to it automatically. we would get an ICMP host unreachable in return.1. they should mostly be useful since it all depends on your imagination and your needs. among other things. http://people. These packets are even worse than UDP packets in the sense that they are connectionless.For a complete listing of ICMP types. match TCP packets. or was created for testing/experimental use or plainly to show examples of what could be accomplished with iptables. for example. so we can know source and destination adress too. ICMP matches These are the ICMP matches. Note that all the generic matches can also be used. fashion.9 Página 24 information about this.

Note that since MAC addresses are only used on ethernet type networks. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01. MAC match options Match Example Explanation --mac-source iptables -A INPUT --mac-source 00:00:00:00:00:01 This match is used to match packets based on their MAC source address. The limit match may also be inversed by adding a ! flag in front of the limit match explicit loading. Limit match options Match Example Explanation --limit iptables -A INPUT -m limit --limit 3/hour This sets the maximum average matching rate of the limit match.Iptables Tutorial 1.9 Página 25 MAC match Table 8. you could use this to match all packets that goes over the edge of a certain chain.unix-fu. For example. of course. FORWARD and INPUT chains and nowhere else. This match is specified with a number and an optional time specifier. This tells the limit match how many times to let this match run per timeunit (ie /minute).html 21:25:51 10/06/2002 . This would in other words reverse the meaning of the match so all packets except packets from this MAC address would be matched. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX.1. this match will only be possible to use on ethernet based networks. This is its main usage. This means that all packets will be matched after they have broken the limit. This match is excellent to use to do limited logging of specific rules etcetera. else it will not be legal. Limit match The limit match extension must be loaded explicitly with the -m limit option. The following time specifiers are currently recognised: / second /minute /hour /day. is that when we add this match we limit how many times a certain rule may be matched in a certain timeframe. Table 9. This match is also only valid in the PREROUTING. but there are more usages. What this means.org/andreasson/iptables-tutorial/iptables-tutorial. --limit-burst http://people. The default value here is 3 per hour. and get limited logging of this. or 3/hour. it would then look like -m ! limit.

org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . This match may only be used in conjunction with the -p tcp or -p udp matches. port 80 to port 80 and if you have specified port 80 to the --port match. It can take a maximum of 15 ports specified to it in one argument. Table 10. Mark match The mark match extension is used to match packets based on the marks they have set. Multiport match options Match Example Explanation --source-port iptables -A INPUT -p tcp -m multiport --source-port 22.110 This match extension can be used to match packets based both on their destination port and their source port. It tells iptables the maximum initial number of packets to match.unix-fu. --destination-port iptables -A INPUT -p tcp -m multiport --destination-port 22. The ports must be comma delimited.53. (If anyone got a good/better and simpler explanation than this.110 This match matches multiple source ports. --port iptables -A INPUT -p tcp -m multiport --port 22. The default value is 5. Note that this means that it will only match packets that comes from. which would sometimes mean you would have to make several rules looking exactly the same just to match different ports. It is mainly an enhanced version of the normal -source-port match. It works exactly the same way as the source port match mentioned just above. It has a maximum specification of 15 ports and may only be used in conjunction with -p tcp and -p udp.80. Multiport match The multiport match extension can be used to specify more destination ports and port ranges than one.110 This match is used to match multiple destination ports. This number gets recharged by one every time the limit specified is not reached. except that it matches destination ports. as you can see in the example.9 Página 26 iptables -A INPUT -m limit --limit-burst 5 This is the setting for the burst limit of the limit match.80.53.53.Iptables Tutorial 1. send me a mail and I'll try to make this more understandable). A mark is a special field only maintained within the kernel that is associated with the packets as they travel through http://people.80. up to this number.1. A maximum of 15 separate ports may be specified. It works the same way as the --source-port and --destination-port matches above. It can only be used in conjunction with -p tcp and -p udp. for example.

Owner match The owner match extension is used to match packets based on who created them. This match only works within the OUTPUT chain as it looks today. with or without the packet. Table 11. ICMP responses will. The mark field is currently set to an unsigned integer.html 21:25:51 10/06/2002 . The mark specification would then look like. you are probably not going to run into this limit in quite some time. for example.unix-fu. Marks can be set with the MARK target which we will discuss a bit more later on in the next section. hence the limit of 65535 possible marks to use within your ruleset. It is pretty much impossible to find out any information about who sent a packet on the other end. Note that this mark field does not in any way travel outside. All packets traveling through netfilter gets a special mark field associated with them. If this mark field matches the mark match it is a match. Mark match options Match Example Explanation --mark iptables -t mangle -A INPUT -m mark --mark 1 This match is used to match packets that have previously been marked. You may also use a mask with the mark.org/andreasson/iptables-tutorial/iptables-tutorial. hence there can be a maximum of 65535 different marks. The mark field is an unsigned integer. Owner match options Match Example Explanation --uid-owner iptables -A OUTPUT -m owner --uid-owner 500 http://people. Even within the OUTPUT chain it is not very reliable since certain packets may not have an owner. As of today. namely the MARK target in iptables. If a mask is specified. for obvious reasons. This was previously done with the FWMARK target in ipchains.9 Página 27 the computer.1. This extension was originally written as an example on what iptables might be used for. --mark 1/1. Table 12. there is only one way of setting a mark in Linux. Notorious packets of that sort is different ICMP responses among other things. this is why people still refer to FWMARK in advanced routing areas.Iptables Tutorial 1. In other words. They may be used by different kernel routines for such tasks as traffic shaping and filtering. the actual computer itself. it is logically ANDed with the mark specified before the actual comparison. hence. never match. or if we where an intermediate hop to the real destination.

or as described above to only allow "httpgroup" to be able to create packets going out on the HTTP port. Table 13. but one example would be to only allow PID 94 to send packets on the HTTP port. This could be used to match outgoing packets based on who created them. and works for pretty much all protocols. One possible use would be to block any other user than root to open new connections outside your firewall.9 Página 28 This packet match will match if the packet was created by the given User ID (UID). This allows us to know in what state the connection is. (If anyone has actually used this match for a production server. or we could write a small script that grabs the PID from a ps output for a specific daemon and then adds a rule for it. In all cases.Iptables Tutorial 1. --pid-owner iptables -A OUTPUT -m owner --pid-owner 78 This match is used to match packets based on their Process ID (PID) and which PID created the packets. please give me a note of it and of other possible uses. This concept will be more deeply introduced in a future chapter since it is such a large area. State matches Match Example Explanation --state iptables -A INPUT -m state --state RELATED. This match needs to be loaded explicitly by adding a -m state statement to the rule.1. If anyone have an idea for the usage of this match.html 21:25:51 10/06/2002 . This means that we match all packets based on what group the user creating the packets are in.unix-fu. or another possible use could be to block everyone but the httpuser from creating packets from HTTP. --gid-owner iptables -A OUTPUT -m owner --gid-owner 0 This match is used to match all packets based on their Group ID (GID). including stateless protocols such as ICMP and UDP. there will be a default timeout for the connection and it will then be dropped from the connection tracking database. This match is a bit harder to use. --sid-owner iptables -A OUTPUT -m owner --sid-owner 100 This match is used to match packets based on their Session ID and the Session ID used by the program in question. This could be used to block all but the users part of the "network" group from getting out onto the internet. State match The state match extension is used in conjunction with the connection tracking code in the kernel and allows access to the connection tracking state of the packets. I would love to hear what they used it for and how they did it). You will then have access to one new match.org/andreasson/iptables-tutorial/iptables-tutorial.ESTABLISHED http://people.

Finally. Note that this option is regarded as experimental and may not work at all times. INVALID. Table 14. nor will it take care of all unclean packages or problems. This match tries to match packets which seems malformed or unusual. while others try their best to do something good with the packets in question and the data they provide. RELATED means that the packet is starting a new connection and is associated with an already established connection. but it tells us if there is any specific requirements for this stream such as that it needs to be sent as fast as possible. consists of 8 bits.9 Página 29 This match option tells the state match what states the packets must be in to be matched. to mark packets for later usage together with the iproute2 and advanced routing functions in linux. or that it is associated with a connection that has not seen packets in both directions. TOS matches Match Example Explanation --tos iptables -A INPUT -p tcp -m tos --tos 0x16 This match is used as described above. INVALID means that the packet is associated with no known stream or connection and that it may contain faulty data or headers. There is currently 4 states that can be used. Unclean match The unclean match takes no options and requires no more than explicit loading when you want to use it. and what kind of content it has(not really. NEW and RELATED.html 21:25:51 10/06/2002 . it can match packets based on their TOS field and their value. and is located in the IP header. there may be times where this could be useful. not be considered very good in cases where we have only one firewall and no load balancing between different firewalls. read in the future chapter on the state machine. TOS match The TOS match can be used to match packets based on their TOS field. or an ICMP error associated with an TCP or UDP connection for example.1. Most do not care at all. TOS is normally used to tell intermediate hosts the preceeding of the stream. How different routers and people deal with these values depends. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should. ESTABLISHED.unix-fu. however you should be aware that this may break legal connections too.Iptables Tutorial 1. This could for example mean an FTP data transfer. However. hence. This could be used for. This could be used to DROP connections and to check for bad streams etcetera. or it needs to be able to send as much payload as possible).org/andreasson/iptables-tutorial/iptables-tutorial. This match is loaded explicitly by adding -m tos to the rule. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid. such as packets with bad headers or checksums and so on. among other things. The match takes an hex or numeric value as an http://people. NEW means that the packet has or will start a new connection. For more information on how this could be used. TOS stands for Type Of Service.

There is a few basic targets. There is no inversion and there is no other specifics to this match. Targets/Jumps The target/jumps tells the rule what to do with a packet that is a perfect match with the match section of the rule. TTL matches Command Example Explanation --ttl iptables -A OUTPUT -m ttl --ttl 60 This match option is used to specify which TTL value to match. Some good protocols that would use this would be RTSP (Real Time Stream Control Protocol) and other streaming video/radio protocols.9 Página 30 option. Normal-Service would finally mean any normal protocol that has no special needs for their transfers. The usage is pretty much limited. SSH and FTP-control. If the TTL reaches 0.Iptables Tutorial 1.unix-fu. some good protocols that would fit with this TOS values would be BOOTP and TFTP. Table 15. To load this match. This match is only used to match packets based on their TTL. The TTL field contains 2 bits and is decremented once every time it is processed by an intermediate host between the client and host. Maximize-Reliability 4 (0x04). however. an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is transmitted to the party sending the packet and telling about the problem. and Normal-Service 0 (0x00). Minimize-Delay means to minimize the delay until the packets gets through all the way to the client/server. for example hosts which seems to have problems connecting to hosts on the internet. or to find possible infestations of trojans etcetera. and not to change anything. MaximizeThroughput 8 (0x08).html 21:25:51 10/06/2002 . or due to a malconfiguration). One example. you need to add an -m ttl to the rule.org/andreasson/iptables-tutorial/iptables-tutorial. ie find the fastest route. a standard protocol would be FTP-data. At the time of writing it contained the following named values: Minimize-Delay 16 (0x10). Maximize-Throughput means to find a path that allows as big throughput as possible. This target could be used for debugging your local network.1. as described above. It takes an numeric value and matches based on this value. as well as in all kinds of matches. Minimize-Delay means to minimize the delay for the packets. MinimizeCost 2 (0x02). would be to find hosts with bad TTL values set as default (may be due to badly implemented TCP/IP stack. This is true here. TTL match The TTL match is used to match packets based on their TTL (Time To Live) field residing in the IP header. Maximize-Reliability means to maximize the reliability of the connection and to use lines that are as reliable as possible. the ACCEPT and DROP targets which we will deal with first http://people. example of standard protocols that this includes are telnet. or possibly one of the names given if you do an iptables -m tos -h. it is only your imagination which stops you.

it drops packets dead to the ground and refuses to process them anymore. Some targets will also take options that may be necessary (What address to do NAT to. before we do that. Note that this action may be a bit bad in certain cases since it may leave dead sockets around on the server and client. and it does not require. These packets may be logged. The jump specification is done exactly the same as the target definition except that it requires a chain within the same table to jump to. it will automatically be ACCEPT'ed in the superset chain also and it will not traverse any of the superset chains any further. that packets that was accepted in one chain will still travel through any subsequent chains within the other tables and may be dropped there. do note that the packet will traverse all other chains in the other tables in a normal fashion. This may be good in cases where we want to take two actions on the same packet. We would then jump from the INPUT chain to the tcp_packets chain and start traversing that chain. let us have a brief look at how a jump is done. Good examples of such rules are DROP and ACCEPT. some targets will make the packet stop traversing the specific chain and superset chains as described above. such as both mangling the TTL and the TOS value of a specific packet/stream. For more information on table and chain traversing. DROP or ACCEPT the packet depending on what we want to do.html 21:25:51 10/06/2002 . what TOS value to use etcetera) while others have options not necessary.Iptables Tutorial 1. To use this target.org/andreasson/iptables-tutorial/iptables-tutorial. masquerade to ports and so on). it is accepted and will not continue traversing the chain where it was accepted in. A better solution would be to use the REJECT target in those cases. Do note.1. However.unix-fu. we get dropped back to the INPUT chain and the packet starts traversing from the rule one step below where it jumped to the other chain (tcp_packets in this case). Rules that are stopped. DNAT and SNAT targets. When/If we reach the end of that chain. We will try to answer all these questions as we go in the descriptions. DROP target The DROP target does just what it says. For example. to add options to the target. Targets on the other hand specify an action to take on the packet in question. a good example of this would be the LOG. especially when you want to block certain portscanners from getting to http://people. see the Traversing of tables and chains chapter. We could then add a jump target to it like this: iptables -A INPUT -p tcp -j tcp_packets. There is also a number of other actions we may want to take which we will describe further on in this section. Network Address Translationed and then be passed on to the other rules in the same chains. nor any of the calling chains. a chain is created with the -N command. or have the possibility. but available in any case (log prefixes. it is required that the chain has already been created. Let us have a look at what kinds of targets there are. We could for example. let's say we create a chain in the filter table called tcp_packets like this: iptables -N tcp_packets. Other targets. However. ACCEPT target This target takes no special options first of all.9 Página 31 of all targets. may take an action on the packet and then the packet will continue passing through the rest of the rules anyway. Targets may also end with different results one could say. If a packet is ACCEPT'ed within one of the subchains. will not pass through any of the rules further on in the chain or superset chains. A packet that matches a rule perfectly and then has this action taken on it will be blocked and no further processing will be done. To jump to a specific chain. When a packet is perfectly matched and this target is set. As we have already explained before. There is nothing special about this target whatsoever. we specify it like -j ACCEPT.

such as filtered ports and so on. and all of a sudden it matches a specific rule which has the --jump RETURN target set. This is an excellent target to use while you are debugging your rulesets to see what packets go where and what rules are applied on what packets. the packet will not be processed in any of the above chains in the structure either. which in this case would be the INPUT chain. The default policy is normally set to ACCEPT or DROP or something the like. and no more actions would be taken in this chain. the packet will have the default policy taken on it. for example the INPUT chain. This information may then be read with dmesg or syslogd and likely programs and applications. QUEUE target Option Example Explanation Option Example Explanation RETURN target The RETURN target will make the current packet stop travelling through the chain where it hit the rule. The LOG target will log specific information such as most of the IP headers and other interesting information via the kernel logging facility. LOG target The LOG target is specially made to make it possible to log snippets of information about packets that may be illegal. QUEUE target Table 16. Also note that if a packet has the DROP action taken on them in a subchain. the packet will continue to travel through the above chains in the structure as if nothing had happened. It will then jump back to the previous chain. It would then be dropped to the default policy as previously described.1. lets say a packet enters the INPUT chain and then hits a rule that it matches and that gives it --jump EXAMPLE_CHAIN.unix-fu. The target will not send any kind of information in either direction. Another example would be if the packet hit a --jump RETURN rule in the INPUT chain. Also note that the http://people. If it is a subchain to another chain. If the chain is the main chain. either to tell the client or the server as told previously.Iptables Tutorial 1.9 Página 32 much information. Also note that it may be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall since this may otherwise cause severe connectivity problems for your users. For example. The packet will then start traversing the EXAMPLE_CHAIN.org/andreasson/iptables-tutorial/iptables-tutorial. or for pure bughunting and errorfinding.html 21:25:51 10/06/2002 .

--log-prefix iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets" This option tells iptables to prefix all log messages with a specific prefix which may then be very good to use together with. including whitespace and those kind of symbols. The priority defines the severity of the message being logged. warn. warning. for example. or by the world for that matter. setting kern. LOG target options Option Example Explanation --log-level iptables -A FORWARD -p tcp -j LOG --log-level debug This is the option that we can use to tell iptables and syslog which log level to use.=info /var/log/iptables in your syslog. They are all listed below. Normally there are the following log levels. Note that it is not a iptables or netfilter problem in case you get your logs to the consoles or likely. Note that there may be other messages here as well from other parts of the kernel that uses the info priority. emerg and panic. Note that all three of these are deprecated. which may contain logging messages from iptables.conf for information about these kind of problems.org/andreasson/iptables-tutorial/iptables-tutorial. For a complete list of loglevels read the syslog. Any log that is. err. warn is the same as warning and panic is the same as emerg.unix-fu. Read more in man syslog. warn and panic. or priorities as they are normally referred to: debug.conf file and then letting all your LOG messages in iptables use log level info.html 21:25:51 10/06/2002 . since the ULOG target has support for logging directly to MySQL databases and such. but instead a problem of your syslogd configuration which you may find in /etc/syslog. notice. --log-tcp-sequence iptables -A INPUT -p tcp -j LOG --log-tcp-sequence This option will log the TCP Sequence numbers together with the log message. The LOG target currently takes five options that may be interesting to use in case you have specific needs for more information. In other words.conf.1. Note that this option is a security risk if the log is readable by any users.Iptables Tutorial 1. in other words do not use error. The keyword error is the same as err.conf manual. would make all messages appear in the /var/log/iptables file. grep and other tools to distinguish specific problems and outputs from specific rules. For more information on logging I recommend you to read the syslog and syslog. The prefix may be up to 29 letters long. The TCP Sequence number are special numbers that identify each packet and where it fits into a TCP sequence and how the stream should be reassembled. error.conf manpages as well as other HOWTO's etcetera.9 Página 33 ULOG target may be interesting in case you are getting heavy logs. info. http://people. or want to set different options to specific values. alert. All messages are logged through the kernel facility. Table 17. crit.

MARK target options Option Example Explanation --set-mark iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2 The --set-mark option is required to set a mark. which would also http://people. we may set mark 2 to a specific stream of packets. In other words.unix-fu. just as most of the LOG options. but it also sends back an error message to the host sending the packet that was blocked. etcetera. but instead works on the IP options. and will not work outside there. The --set-mark match takes an integer value. REJECT target The REJECT target works basically the same as the DROP target. This works exactly thesame as the --log-tcp-options option. For more information on advanced routing. check out the LARTC HOWTO. The REJECT target is as of today only valid in the INPUT. you may not set a MARK for a package and then expect the MARK to still be there on another computer. just the same as the previous option. you will be better off with the TOS target which will mangle the TOS value in the IP header.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.1. FORWARD and OUTPUT chain or subchains of those chains. This option takes no variable fields or anything like that. If this is what you want. Note that the mark value is not set within the actual package. limiting or unlimiting their network speed etcetera. MARK target The MARK target is used to set netfilter mark values that are associated with specific packets. These may be valuable when trying to debug what may go wrong and what has gone wrong. --log-ip-options iptables -A FORWARD -p tcp -j LOG --log-ip-options The --log-ip-options option will log most of the IP packet header options.html 21:25:51 10/06/2002 . These logging messages may be valuable when trying to debug or finding out specific culprits and what goes wrong. The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc). Table 18.9 Página 34 --log-tcp-options iptables -A FORWARD -p tcp -j LOG --log-tcp-options The --log-tcp-options option will log the different options from the TCP packets header. For example. This target is only valid in the mangle table. or on all packets from a specific host and then do advanced routing on that host. but is an value that is associated within the kernel with the packet.

and then the packet is dropped dead to the ground. you should hence set the TOS field which was developed for this. As noted before.org/andreasson/iptables-tutorial/iptables-tutorial. Note that the chains that uses the REJECT target may only be called upon by the INPUT. There is also an option called echo-reply. For more information about the TCP RST read RFC 793 .html 21:25:51 10/06/2002 . REJECT target Option Example Explanation --reject-with iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset This option tells the REJECT target what response to send to the host that sent the packet that we found to be a match. TCP RST are used to close open connections gracefully. this is the only way to propagate routing information between these routers and firewalls within the actual packet. FORWARD. and you may get some more information by looking in the appendix ICMP types. There are currently the following reject types that can be used: icmp-net-unreachable. and they will not even look at them. The default error message is to send an port-unreachable to the host. Most of them are fairly easy to understand if you have a basic knowledge of TCP/IP. Once we get a packet that matches a specific rule and we specify this target. there is one more option called tcp-reset which may only be used together with the TCP protocol. If you feel a need to propagate routing information on how to do routing for a specific packet or stream. As stated in the iptables man page. the MARK target which sets a MARK associated with a specific packet is only available within the kernel. Table 19.1. which won't accept your mail otherwise. This is one of the few fields that can be used within iproute2 and its subsystem to route packets. The TOS field consists of 8 bits which are used to route packets. just the same as with the DROP target. There are currently a lot of routers on the internet which does a pretty bad job at this so it may be a bit useless as of now to do any TOS mangling before sending the packets on to the internet. this is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts. All of the above are ICMP error messages and may be set as you wish. Finally. icmp-net-prohibited and icmp-host-prohibited. There currently is only one option which controls the nature of how this target works. TOS target The TOS target is used to set the Type of Service field within the IP header. they will look at the TOS field and do the wrong thing based on the information. the target will first of all send the specified reply. Also note that if you handle several separate firewalls and routers. the tcp-reset option will tell REJECT to send an TCP RST packet in reply to the sending host. and can not be propagated with the packet. At worst. and OUTPUT chains. else they won't work. At best the routers will do nothing with the TOS field. however. but this option may only be used in conjunction with rules which would match ICMP ping packets.Iptables Tutorial 1. which in turn may take a huge set of variables. icmp-portunreachable. icmp-proto-unreachable. icmp-host-unreachable. As stated previously.Transmission Control Protocol.9 Página 35 be the only chains where it would make any sense to put this target in. there is most definitely a good use if you http://people.unix-fu.

Table 20.2. hex value 0x00). the value may be 0-255.org/andreasson/iptables-tutorial/iptables-tutorial. The TOS target only takes one option as described below. or in hex 0x00-0xFF.2. MaximizeReliability (decimal value 4. of course. For a complete listing of the "descriptive values".1. This listing is complete as of iptables 1. Note that this target is only valid within the mangle table and can not be used outside it. hex value 0x04). Maximize-Throughput (decimal value 8. at least within your own network. among other things.5 and should hopefully be so for another period of time. hex 0x02) or Normal-Service (decimal value 0. which in turn most probably would be mangled and the connection would never work. and it should generally be recommended since the values behind the names may be changed if you are unlucky. Also note that some old versions (1.2 or below) of iptables provided a broken implementation of this target which would not fix the packet checksum upon mangling. Lets say we set up a MIRROR target for port 80 at computer A. As the TOS value consists of 8 bits. The option takes a numeric value. The default value on most packets are Normal-Service. If computer B would be coming from yahoo. TOS target Option Example Explanation --set-tos iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 The --set-tos option tells the TOS mangler what TOS value to set on packets that are matched. hex value 0x08). and you should be warned of using this since it may result in really bad loops. Note that most of these values will never be used by anyone on the internet so you may be better of by using the named values available (which should be more or less standardized).html 21:25:51 10/06/2002 .unix-fu. the MIRROR target would make so computer B got the webpage at yahoo. The result of this target is really simple. These values are Minimize-Delay (decimal value 16. and then to retransmit the packet.9 Página 36 have a large WAN or LAN with several routers and actually have the possibility to give packets different routes and preference depending on their TOS value. MIRROR target The MIRROR target is an experimental demonstration target only. hence resulting in a bad kind of Denial of Service. Note that you can. The MIRROR target is used to invert the source and destination fields in the IP header. use the actual names instead of the actual hex values to set up the TOS value. http://people. This results in some really funny things. hex value 0x10). do an iptables -j TOS -h.Iptables Tutorial 1. either in hex or in decimal value.com. Minimize-Cost (decimal value 2. and I would be quite sure that someone has had a good laugh at some cracker or another that has cracked his own box via this target by now.com back (since this is where he came from). or 0. and hence rendered the packets bad and in need of retransmission. and tried to access the HTTP server at computer A.

50. If we forwarded these packets as is. letting all packets leaving our LAN look as if they came from a single host.236. If the first packet in a connection is mangled in this fashion.unix-fu.155-194. The SNAT target does all the translation needed to do this kind of work. at it simplest. Without doing this. FORWARD and PREROUTING chains. for example.236. noone on the internet would know that they where actually from us.155194. and see to it that the packet is spoofed so it looks as if it comes from another host that uses the MIRROR command. no further processing of rules in the POSTROUTING chain will be commenced on the packets in the same stream. NAT or mangle tables to avoid loops and other problems.50.50. also. within the POSTROUTING chain. Also note that the outgoing packets created by the MIRROR target is not seen by any of the normal chains in the filter. However. If we want to balance between several IP addresses we could use an range of IP addresses separated by a hyphen.236.1.50. it would then look like. SNAT target Option Example Explanation --to-source iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194. whichever we want to call them. One thing would for example be to send a spoofed packet to a host that uses the MIRRORcommand with a TTL of 255. If there is only 1 hop. the packet will jump back and forth 240-255 times.9 Página 37 Note that the MIRROR target is only valid within the INPUT. takes one IP address to which we should transform all the source IP addresses in the IP header. then all future packets in the same connection will also be SNAT'ed and. For example. and any user-defined chains which are only called from those chains. and eat up 380 kbyte of your connection.org/andreasson/iptables-tutorial/iptables-tutorial.160 as http://people.160:1024-32000 The --to-source option is used to specify which source the packets should use. the outside world would not know where to send reply packets. This option. since our local networks should use the IANA specified IP addresses which are allocated for LAN networks. SNAT target The SNAT target is used to do Source Network Address Translation.html 21:25:51 10/06/2002 . depending on how many hops there is between them. this is good when we want several computers to share an internet connection. This is in other words the only place that you may do SNAT in. this does not make the target free of any likely problems. and then set an SNAT rule which would translate all packets from our local network to the source IP of our own internet connection. Not bad for a cracker in other words to send 1500 bytes of data. Note that this is a best case scenario for the cracker or scriptkiddie. We could then turn on ip forwarding in the kernel. 194.236. Table 21.Iptables Tutorial 1. which would be our firewall. The SNAT target is only valid within the nat table. which means that this target will rewrite the Source IP address in the IP header of the packet. The packet will then bounce back and forth a huge set of times.

host or network. All other ports will be mapped to 1024 or above. within that stream.168.1.1. Note. All the source ports would then be mapped to the ports specified. and this is the target of the rule. as described previously. but if two hosts tries to use the same ports. in which case we would always be connected to the same host. Also note that we may add an port or port range to which the traffic would be redirected to.1.23. Note that chains containing DNAT targets may not be used from any other chains. when you have an host running your webserver inside a LAN. iptables will always try to maintain the source ports used by the actual workstation making the connection. This would hence look as within the example above. Note that this has nothing to do with destination ports. an :80 statement to the IP addresses to which we want to http://people. namely 192. Those between source ports 512 and 1023 will be mapped to ports below 1024. We may also specify a whole range of destination IP addresses. and a single stream would always use the same IP address for packets within that stream.html 21:25:51 10/06/2002 . on to the real webserver within the LAN. which means that it is used to rewrite the Destination IP address of a packet. and that each stream will randomly be given an IP address that it will always be Destinated for.45. and then routed on to the correct device.1 through 10.168.9 Página 38 described in the example above. You could then tell the firewall to forward all packets going to its own HTTP port. for example.unix-fu. the packet.Iptables Tutorial 1.1-192. and all subsequent packets in the same stream will be translated.67 to a range of LAN IP's. then all source ports below 512 will be mapped to other ports below 512 if needed. we will be able to deal with a kind of load balancing by doing this. iptables will map one of them to another port. If no port range is specified. The source IP would then be set randomly for each stream that we open. Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table. :1024-32000 or something alike.23. such as the POSTROUTING chain. so if a client tries to make contact with an HTTP server outside the firewall. it will not be mapped to the FTP control port. If a packet is matched. As previously stated. DNAT target Option Example Explanation --to-destination iptables -t nat -A PREROUTING -p tcp -d 15. iptables will always try to not make any port alterations if it is possible.1. This target can be extremely useful. There may also be an range of ports specified that should only be used by SNAT.67 --dport 80 -j DNAT --to-destination 192.45. that a single stream will always use the same host.org/andreasson/iptables-tutorial/iptables-tutorial. and any of the chains called upon from any of those listed chains.10 The --to-destination option tells the DNAT mechanism which Destination IP to set in the IP header. This is done by adding. for example.168. and the DNAT mechanism will choose the destination IP address at random for each stream. but no real IP to give it that will work on the internet. Table 22. Hence. The above example would send on all packets destined for IP address 15. DNAT target The DNAT target is used to do Destination Network Address Translation. and where to send packets that are matched. We could also have specified only one IP address.

just as the SNAT target.html 21:25:51 10/06/2002 . and there may be inconsistencies in the future which will thwart your existing scripts and render them "unusable". If you have a static IP connection. we may have been left with a lot of old connection tracking data. When you masquerade a connection.org/andreasson/iptables-tutorial/iptables-tutorial. This is in general the correct behaviour when dealing with dialup lines that are probable to be assigned a different IP every time it is up'ed. it means that we set the IP address used on a specific network interface instead of the --to-source option.1:80 for example. swallowing up worthful connection tracking memory. The --to-ports option is only valid if the rule match section specifies the TCP or UDP protocols with http://people. Note that the MASQUERADE target is only valid within the POSTROUTING chain in the nat table. The reason for this is that the MASQUERADE target was made to work with. it is not favorable since it will add extra overhead. It is still possible to use the MASQUERADE target instead of SNAT even though you do have an static IP.1. Table 23. This alters the default SNAT port-selection as described in the SNAT target section. which is extremely good if we. which we don't know the actual address of at all times.1:80-100 if we wanted to specify a port range. you should instead use the SNAT target. A rule could then look like --to-destination 192.168.Iptables Tutorial 1. or like --to-destination 192. In case we are assigned a different IP.unix-fu. dialup connections. and the IP address is automatically grabbed from the information about the specific interface. but it does not require any --to-source option. As you can see. as for the SNAT target even though they do two totally different things.9 Página 39 DNAT the packets. for example. MASQUERADE target Option Example Explanation --to-ports iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000 The --to-ports option is used to set the source port or ports to use on outgoing packets. however. If we would have used the SNAT target.1. the syntax is pretty much the same for the DNAT target.1. the connection is lost anyways. which is optional. Either you can specify a single port like --to-ports 1025 or you may specify a port range as --to-ports 10243000. The MASQUERADE target takes on option specified below. This means that you should only use the MASQUERADE target with dynamically assigned IP connections. and it is more or less idiotic to keep the entry around. the lower port range delimiter and the upper port range delimiter separated with a hyphen. The MASQUERADE target also has the effect that connections are forgotten when an interface goes down. which would be lying around for days. which gets dynamic IP addresses when connecting to the network in question.168. or DHCP connections. MASQUERADE target The MASQUERADE target is used basically the same as the SNAT target. In other words. Do note that port specifications are only valid for rules that specify the TCP or UDP protocols with the --protocol option. kill a specific interface. for example.

and nowhere else. where the LAN hosts do not know about the proxy at all. Without the --to-ports option. will effectively make it a little bit harder for them to notify that you are doing this. This is specified.Iptables Tutorial 1.txt. this rewrites the destination address to our own host for packets that are forwarded. as described below.0. Locally generated packets are mapped to the 127.9 Página 40 the --protocol match. and who actively pursue this.1. --to-ports 8080 in case we only want to specify one port. and nowhere else. read the ip-sysctl. transparent proxying. One useful application of this is to change all Time To Live values to the same value on all outgoing packets. to use. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid. One reason for doing this is if you have a bully ISP which don't allow you to have more than one machine connected to the same internet connection. Table 24. The TTL target is only valid within the mangle table. http://people.html 21:25:51 10/06/2002 . Setting all TTL values to the same value. we would do it like --toports 8080-8090.org/andreasson/iptables-tutorial/iptables-tutorial. It is also valid within user-defined chains that are only called from those chains. The REDIRECT target is extremely good to use when we want. TTL target The TTL target is used to modify the Time To Live field in the IP header. or something alike. REDIRECT target The REDIRECT target is used to redirect packets and streams to the machine itself. Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. since it wouldn't make any sense anywhere else.0. Note that this option is only available in rules specifying the TCP or UDP protocol with the --protocol matcher. such as 64 as specified in Linux kernel. If we would want to specify an port range. the destination port is never altered.1 address. It takes 3 options as of writing this. or port range. The REDIRECT target takes only one option. as above.unix-fu. REDIRECT target Option Example Explanation --to-ports iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 The --to-ports option specifies the destination port. which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090. For more information on how to set the default value used in Linux. all of them described below in the table. which you may find within the Other resources and links appendix. for example. on our own host. We may then reset the TTL value for all outgoing packets to a standardized value. In other words.

One or more userspace processes may then subscribe to various multicast groups and receive the packet. we effectively make the firewall hidden from traceroutes. since they provide excellent information on problems with connections and where it happens. This means that we should raise the TTL value with the value specified in the -ttl-inc option. since the packet may start bouncing back and forth between two misconfigured routers. from 53 to 49 in other words. ULOG target The ULOG target is used to provide userspace logging of matching packets. Note that the same thing goes here. A good value would be around 64 somewhere. and the higher the TTL. the packet would leave our host with a TTL value of 49. and it contains much better facilities for logging http://people. hence the packet will be decremented by 4 steps. In other words. IF ANYONE HAS A GOOD USAGE FOR THIS OPTION. For a good example on how this could be used. It's not too long. which it always does.org/andreasson/iptables-tutorial/iptables-tutorial. it gives the hacker/cracker some good information about your upstreams if they have targeted you. as for the previous example of the --ttl-dec option.9 Página 41 Table 25. NOTIFY ME --ttl-inc iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-inc 1 The --ttl-inc option tells the TTL target to increment the Time To Live value with the value specified to the --ttl-inc option. a packet entering with a TTL of 53 would leave the host with TTL 56. the packet information is multicasted together with the whole packet through a netlink socket. The reason for this is that the networking code will automatically decrement the TTL value by 1. the more bandwidth will be eaten unnecessary in such a case. but at the same time. see the ttl-inc.Iptables Tutorial 1.txt script. since it may affect your network and it is a bit immoral to set this value to high. Do not set this value too high. This may be used to make our firewall a bit more stealthy to traceroutes among other things. This is in other words a more complete and more sophisticated logging facility that is only used by iptables and netfilter so far. By setting the TTL one value higher for all incoming packets. --ttl-dec iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-dec 1 The --ttl-dec option tells the TTL target to decrement the Time To Live value by the amount specified after the --ttl-decoption.1. and if we specified --ttl-inc 4.html 21:25:51 10/06/2002 .unix-fu. TTL target Option Example Explanation --ttl-set iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-set 64 The --ttl-set option tells the TTL target which TTL value to set on the packet in question. Traceroutes are a loved and hated thing. and it is not too short. if the TTL for an incoming packet was 53 and we had set --ttl-dec 3. If a packet is matched and the ULOG target is set. where the network code will automatically decrement the TTL value by 1.

unix-fu. There are 32 netlink groups. and other databases. For example.1. the kernel would first accumulate 10 packets inside the kernel. which are simply specified as 1-32. We will also look at which points certain other parts that also are kernel dependant gets in the picture. If we specify 100 as above. The default value here is 1 because of backwards compatibility. regardless of the packets size. The default value is 0. --ulog-prefix iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: " The --ulog-prefix option works just the same as the prefix value for the standard LOG target. Table 26. Also we will speak about in which order the tables are traversed. This option prefixes all log entries with a userspecified log prefix. --ulog-qthreshold iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10 The --ulog-qthreshold option tells the ULOG target how many packets to queue inside the kernel before actually sending the data to userspace. If we specify 0. so the whole packet will be copied to userspace. The default netlink groupd used is 1. --ulog-cprange iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100 The --ulog-cprange option tells the ULOG target how many bytes of the packet to send to the userspace daemon of ULOG. ULOG target Option Example Explanation --ulog-nlgroup iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2 The --ulog-nlgroup option tells the ULOG target which netlink group to send the packet to. and then transmit it outside to the userspace as one single netlink multipart message. if we set the threshold to 10 as above.html 21:25:51 10/06/2002 . It can be 32 characters long.org/andreasson/iptables-tutorial/iptables-tutorial. Traversing of tables and chains This chapter will talk about how packets traverse the the different chains and in which order.9 Página 42 packets. and to group log entries etcetera. This target enables us to log information to MySQL databases. This is extremely valuable information later on when you write your own specific rules. we would copy 100 bytes of the whole packet to userspace. making it much simpler to search for specific packets. With this we mainly mean the different routing decisions and http://people.Iptables Tutorial 1. which would include the whole header hopefully. the userspace daemon did not know how to handle multipart messages previously. the whole packet will be copied to userspace. we would simply write --ulog-nlgroup 5. If we would like to reach netlink group 5. and is definitely most useful to distinguish different logmessages and where they came from. plus some leading data within the actual packet.

good examples of this is DNAT and SNAT and of course the TOS bits. so you need to think about it when writing your ruleset. we do all the filtering here. eth0) This chain is normally used for mangling packets.unix-fu. Source Network Address Translation is done further on.9 Página 43 so on. avoid doing filtering here since certain packets might pass this chain without ever hitting it. Note that all traffic that's forwarded goes through here (not only in one direction).html 21:25:51 10/06/2002 . Out on the wire again (ie.Iptables Tutorial 1. is the packet destined for our localhost or to be forwarded and where. eth1).org/andreasson/iptables-tutorial/iptables-tutorial. Forwarded packets Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire(ie. internet) Comes in on the interface(ie. however. we are mainly interested in the iptables aspect of this lot. there's quite a lot of steps to pass through. LAN). ie. This chain is used for Destination Network Address Translation mainly. we're assuming that the packet is destined for another host on another network. Avoid filtering in this chain since it will be passed through in certain cases. In this example. Then the packet starts to go through a series of steps in the kernel before it is either sent to the correct application (locally). only forwarded packets go through here. Goes out on the outgoing interface (ie. Routing decision. This is especially needed if you want to write rules with iptables that chould change how different packets get routed. ie. The packet goes through the different steps in the following fashion: Table 1. or forwarded to another host or whatever happens to it. filter FORWARD The packet got routed onto the FORWARD chain. changing TOS and so on.1. The packet can be stopped at any of the iptables chains. or anywhere else in case it is malformed. 5 6 7 nat POSTROUTING 8 9 As you can see. This is also where Masquerading is done. This chain should first and foremost be used for Source Network Address Translation. General When a packet first enters the firewall. it hits the hardware and then get's passed on to the proper device driver in the kernel. Do note that there is no specific chains or tables for different interfaces or http://people.

3 4 Nat Filter OUTPUT OUTPUT http://people. but if you continue to dig in it. Note that all incoming packets destined for this host passes through this chain. Source localhost Step 1 2 Mangle OUTPUT Table Chain Comment Local process/application (ie. Local process/application (ie. let us have a look at a packet that is destined for our own localhost. changing TOS and so on.9 Página 44 anything like that.1. I think. FORWARD is always passed by all packets that are forwarded over this firewall/ router. is the packet destined for our localhost or to be forwarded and where. Table 3. Finally we look at the outgoing packets from our own localhost and what steps they go through. Internet) Comes in on the interface(ie. I think it gets clearer with time.Iptables Tutorial 1. eth0) This chain is normally used for mangling packets. This is currently broken.unix-fu. server/client program) This is where we mangle packets.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning. Quite logical. It would pass through the following steps before actually being delivered to our application to receive it: Table 2. ie. Now. ie. Routing decision. server/client program) 5 6 7 Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain. This chain is used for Destination Network Address Translation mainly. Avoid filtering in this chain since it will be passed through in certain cases. could someone tell me when this will be fixed? Please? This is where we filter packets going out from localhost. it is suggested that you do not filter in this chain since it can have sideeffects. filter INPUT This is where we do filtering for all incoming traffic destined for our localhost. no matter what interface and so on it came from. Destination localhost Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire (ie.

Iptables Tutorial 1. eth0) On the wire (ie. and certain packets might slip through even though you set a default policy of DROP. Internet) 7 8 We have now seen how the different chains are traversed in three separate scenarios.html 21:25:51 10/06/2002 . Goes out on some interface (ie.9 Página 45 5 6 Nat POSTROUTING Routing decision. It is suggested that you don't do filtering here since it can have sideeffects. This is where we decide where the packet should go. it would look something like this: http://people. This is where we do Source Network Address Translation as described earlier.org/andreasson/iptables-tutorial/iptables-tutorial.1.unix-fu. If we would figure out a good map of all this.

If you feel that you want more information. you could use the rc.html 21:25:51 10/06/2002 .txt script. This test script should give you the necessary rules to test how the tables and chains are traversed.unix-fu. this might still be wrong or it might change in the future.9 Página 46 Hopefully you got a clearer picture of how the packets traverses the built in chains now.test-iptables.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. http://people. All comments welcome.1.

and takes this as one of many signs of multiple computers connected to a single connection. it should only be used to translate packets source field or destination field. One good reason for this could be that we don't want to give ourself away to nosy Internet Service Providers. nor will any DNAT.html 21:25:51 10/06/2002 . Note that. In other words. or if they don't have any.unix-fu. SNAT or Masquerading work in this table. Note that this has not been perfected and is not really implemented on the internet and most of the routers don't care about the value in this field. In other words.9 Página 47 Mangle table This table should as we've already noted mainly be used for mangling packets. We could also do bandwidth limiting and Class Based Queuing based on these marks. they act faulty on what they get. The TTL target is used to change the TTL (Time To Live) field of the packet. These marks could then be recognised by the iproute2 programs to do different routing on the packet depending on what mark they have. It is strongly adviced that you don't use this table to do any filtering in. We could tell packets to only have a specific TTL and so on. and sometimes. as we have said before.Iptables Tutorial 1. and there are some Internet Service Providers known to look for a single host generating many different TTL values. the rest of the packets http://people. you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) fields and so on.org/andreasson/iptables-tutorial/iptables-tutorial. Target's that only valid in the mangle table: TOS TTL MARK The TOS target is used to set and/or change the Type of Service field in the packet. Nat table This table should only be used for NAT (Network Address Translation) on different packets. After this. Don't set this in other words for packets going to the internet unless you want to do routing decisions on it with iproute2. The MARK target is used to set special mark values to the packet. only the first packet in a stream will hit this chain. Some Internet Service Providers does not like users running multiple computers on one single connection. This could be used for setting up policies on the network regarding how a packet should be routed and so on.1.

the packets would never get back from the Internet because these networks are regulated to be used in LAN's by IANA. it automatically checks for the IP address to use.9 Página 48 will automatically have the same action taken on them as the first packet.x netmask for example. The reason for this is that each time that the MASQUERADE target gets hit by a packet. the targets discussed previously in this chapter are only usable in their respective tables. this is the place that was designed for it. but the MASQUERADE target takes a little bit more overhead to compute. This is the place that we actually take action against packets and look at what they contain and DROP/ACCEPT depending on their payload. we change the destination address of the packet and reroute it to some other host. The actual targets that does these kind of things are: DNAT SNAT MASQUERADE The DNAT (Destination Network Address Translation) target is mainly used in cases such as when you have one IP and want to redirect accesses to the firewall to some other host on a DMZ for example. for example PPP.Iptables Tutorial 1. We can match packets and filter them however we want. of course. this is where we (should) do the main filtering. We will not go into deeper discussion about this table though. This should be used to get a basic idea on how to solve different problems and what you may need to think about before http://people. In other words. This is mainly done to hide our local networks or DMZ.x. but need to change our local networks IP numbers to the same of the IP of our firewall. however. however.168. Of course we may do filtering earlier too. and there is nothing special to this chain or special packets that might slip through because they are malformed. rc.org/andreasson/iptables-tutorial/iptables-tutorial. Filter table The filter table is. A good example when this is very good is when we have a firewall that we know the outside IP address of.html 21:25:51 10/06/2002 . etcetera. SLIP or DHCP. SNAT (Source Network Address Translation) is mainly used for changing the source address of packets. as you already know. The MASQUERADE target is used in exactly the same way as SNAT. We have used one of the basic setups and dug deeper into how it works and what we do in it. The firewall will with this target automatically SNAT and De-SNAT the packets. hence making it possible to make connections from the LAN to the Internet. The MASQUERADE target will on the other hand work properly with Dynamic IP addresses that you may be provided when you connect to the Internet with. etc. If you're network uses 192.unix-fu. instead of doing as the SNAT target does and just use an IP address submitted while the rule was parsed. Almost all targets are usable in this chain. mainly used for filtering packets.firewall file This chapter will deal with an example firewall setup and how the script file could look.1.

as you may see there is a Localhost configuration section. then you should probably look closer at the rc. the $INET_IFACE variable should point to the actual device used for your internet connection. You should at least be if you have come this far. As long as you have a very basic setup however. If you need these parts. We do provide it.html 21:25:51 10/06/2002 .txt is the configuration section.DHCP. eth1.1 IP address and the interface will amost certainly be named lo.firewall. The $INET_IP should always be a fully valid IP address. which are necessary. the script has been written for readability so that everyone can understand it without having to know too much BASH scripting before reading this example rc.9 Página 49 actually putting your scripts into work. so you have everything set up and are ready to check out an example configuration script. however. etcetera just to name a few possible device names. This should always be changed since it contains the information that is vital to your actual configuration. ppp0. hence it is available here.0. note that there might be more efficient ways of making the ruleset. if you got one (if not. your IP address will always change. read on since this script will introduce a lot of interesting stuff anyways). and then you return here to get the nitty gritty about the whole script. however you will with 99% certainty not change any of the values within this section since you will almost always use the 127.firewall Ok. it will very likely run quite smooth with just a few fixes to it.Iptables Tutorial 1. this section only consists of the $IPTABLES variable. then you could always create a mix of the different scripts. just below the Localhost configuration. Mainly. Also.firewall. you will find a brief section that pertains to the iptables. tr0. but is not suggested since it may not work perfectly together with your network setup. Also. This could be eth0. which will point the script to the exact location of the http://people.unix-fu. This example rc. or (hold yourself) create your own from scratch.0. you need to specify the IP address of the physical interface connected to the LAN as well as the IP range which the LAN uses and the interface that the box is connected to the LAN through. hence these sections are empty.1.txt. they are however left there so you can spot the differences between the scripts in a more efficient way. For example.firewall. I suggest you read through the script file to get a basic hum about how it looks.org/andreasson/iptables-tutorial/iptables-tutorial. explanation of rc. This script does not contain any special configuration options for DHCP or PPPoE. For example. Also. It could be used as is with some changes to the variables.txt (also included in the Example scripts codebaseappendix) is fairly large but not a lot of comments in it. The Local Area Network section contains most of the configuration options for your LAN.firewall Configuration options The first section you should note within the example rc. Instead of looking for comments. The same goes for all sections that are empty. however.

if one of your hosts NAT'ed boxes connect to a FTP server on the internet. For example. First off.Iptables Tutorial 1. and it sends connection information within the actual payload of the packet. since it will take some extra effort to make additional rules this way. look at the Owner match section within the How a rule is built chapter.9 Página 50 iptables application. some other things will not work. The FTP NAT helpers do all of the translations within these connections so the FTP server will actually know where to connect. For more information about the ipt_owner match. many distributions put the actual application in another location such as /usr/sbin/iptables and so on. I will not use that module in this example but basically. the whole connection will be http://people. Always avoid loading modules that you do not need. We may also load extra modules for the state matching code here. the DCC connection will look as if it wants the receiver to connect to some host on the receivers own local network. Initial loading of extra modules First. FTP is a complex protocol by definition. might be boring for others. In other words. Creating these kind of connections requires the IP address and ports to be sent within the IRC protocol. and if possible try to avoid having modules lying around at all unless you will be using them. we load these modules as follows: /sbin/insmod ipt_LOG /sbin/insmod ipt_REJECT /sbin/insmod ipt_MASQUERADE Next is the option to load ipt_owner module. Without these helpers. This is due to how the DCC starts a connection. REJECT and MASQUERADE targets and don't have this compiled statically into your kernel. some FTP and IRC stuff will work no doubt.1. which in turn requires some translation to be done. and the default location when compiling the iptables package by hand is /usr/local/sbin/iptables. Now. and tells the FTP server to connect to that IP address. Without these so called helpers. we see to it that the module dependencies files are up to date by issuing an /sbin/depmod -a command. Connection tracking helpers are special modules that tells the kernel how to properly track the specific connections. Since this local network address is not valid outside your own network. but not be able to send files. you may be able to receive files over DCC. the kernel would not know what to look for when it tries to track specific connections. the FTP server will not know what to do with it and hence the connection will break down.org/andreasson/iptables-tutorial/iptables-tutorial. The same thing applies for DCC file transfers (sends) and chats. however. etcetera. The NAT helpers on the other hand. you tell the receiver that you want to send a file and where he should connect to. it will send its own local network IP address within the payload of the packet. if you want to have support for the LOG. for example. you could allow only root to do FTP and HTTP connections to redhat and DROP all the others. but you will be a bit more secure to bouncing hacker attacks and attacks where the hacker will only use your host as an intermediate host. You could also disallow all users but your own user and root to connect from your box to the Internet. After this we load the modules that we will require for this script. For example. This may vary a bit.unix-fu. All modules that extend the state matching code and connection tracking code are called ip_conntrack_* and ip_nat_*.html 21:25:51 10/06/2002 . So. This is for security reasons. which could for example be used to only allow certain users to make certain connections. However. Without the helpers. are extensions of the connection tracking helpers that tells the kernel what to look for in specific packets and how to translate these so the connections will actually work.

PPP or DHCP you may enable the next option. However. read the Common problems and questionmarks appendix. which is also available within the Other resources and links appendix. iptables rulesets). Also. This will lead to a brief period of time where the firewall will accept forwarding any kind of traffic for everything between a millisecond to a minute depending on what script we are running and on what box. In this script and all others within the tutorial. For a long explanation of these conntrack and nat modules.1. we turn it on before actually creating any kind of IP filters (ie. As of this writing.9 Página 51 broken.html 21:25:51 10/06/2002 .unix-fu. There is a good but rather brief document about the proc system available within the kernel. You will also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before actually loading the NAT modules.323 conntrack helpers within the patch-o-matic. ip_dynaddr by doing the following : echo "1" > /proc/sys/net/ipv4/ip_dynaddr If there is any other options you might need to turn on you should follow that style. as well as some other conntrack helpers. To be able to use these helpers.org/andreasson/iptables-tutorial/iptables-tutorial. There are also H. it may be worth looking at that appendix in the future. I have chosen to turn it on here to maintain consistency with the script breakdown currently user. In case you need dynamic IP support. the other way around. Note that you need to load the ip_nat_irc and ip_nat_ftp if you want Network Adress Translation to work properly on any of the FTP and IRC protocols. there is only the option to load modules which add support for the FTP and IRC protocols.Iptables Tutorial 1. This may give malicious people a small timeframe to actually get through our firewall. They are used the same way as the conntrack modules. however. there's other documentations on how to do these things and this is out of the scope of this documentation. it will work flawlessly since the sender will (most probably) give you the correct address to connect to. for example if you use SLIP. this option should really be turned on after creating all firewall rules. For a better explanation on how this is done. read the Preparations chapter. http://people. in case there are possible additional links added to other and better resources of information. but it will make it possible for the computer to do NAT on these two protocols. proc set up At this point we start the IP forwarding by echoing a 1 to /proc/sys/net/ipv4/ ip_forward in this fashion: echo "1" > /proc/sys/net/ipv4/ip_forward It may be worth a thought where and when we turn on the IP forwarding. you need to use the patch-omatic and compile your own kernel. In other words.

I hope to point these aspects and possible problems out to you when and where they occur. and all others contained within this tutorial. do not turn these on before actually knowing what they mean. and we trust our local network fully and hence we will not block any of the traffic from the local network. we would also like to let our local network do connections to the internet. but instead further on in the chapter. I have displaced all the different user-chains in the fashion I have to save as much CPU as possible but at the same time put the main weight on security and readability. These may be a good starters to look at. Since the local network is fully trusted. The following picture will try to explain the basics of how an incoming packet traverses netfilter. however. This way we do not get too much overhead out of it all. I simply match all TCP packets and then let the TCP packets traverse an user specified chain. do contain a small section of non-required proc settings. This example is also based upon the assumption that we have a static IP to the internet (as opposed to DHCP. we also want to allow the firewall to act as a server for certain services on the internet. Based upon this picture. This is a really trivial picture in comparison to the one in the Traversing of tables and chains chapter where we discussed the whole traversal of chains and tables in depth. Some of the paths I have chosen to go here may be wrong from one or another of aspect. PPP and SLIP and others). This whole example script is based upon the assumption that we are looking at a scenario containing one local network.Iptables Tutorial 1.firewall.1. In the case of this scenario.org/andreasson/iptables-tutorial/iptables-tutorial. Also.txt script. this section contains a brief look back to the Traversing of tables and chains chapter. I wish to explain and clarify the goals of this script.html 21:25:51 10/06/2002 .unix-fu. the Internet is most definitely not a trusted network and hence we want to block http://people.firewall. we want to set default policies within the chains to DROP. In this case. Also. UDP and TCP rules. We will not discuss any specific details yet. one firewall and an Internet connection connected to the firewall. Displacement of rules to different chains This section will briefly describe my choices within the tutorial regarding user specified chains and some choices specific to the rc. This will effectively kill all connections and all packets that we do not explicitly allow inside our network or our firewall. To do this.txt script. this will remind you a little bit of how the specific tables and chains are traversed in a real live example. let's make clear what our goals are. With these pictures and explanations. we want to allow all kind of traffic from the local network to the internet. Hopefully. Instead of letting a TCP packet traverse ICMP.9 Página 52 The rc. However. this script has as a main priority to only allow traffic that we explicitly want to allow.

and reduce redundancy within the network. Since noone on the Internet should be allowed to contact our local network computers. Because of this. For a closer discussion of this.0. we have decided to allow HTTP. we will want to block all traffic from the Internet to our local network except already established and related connections. we want to split the rules down into subchains. which in turn will allow all return traffic from the Internet to our local network. before we implement this. Based upon these general assumptions. we may be a bit low on funds perhaps. and because of that we specifically allow all traffic from our local network to the internet. However. As for our firewall. the 10. we must note that certain Internet Service Providers actually use these address ranges within their own networks.org/andreasson/iptables-tutorial/iptables-tutorial. we make the ruleset less timeconsuming for each packet. let's look at what we need to do and what we do not need to do. read the Common problems and questionmarks chapter. we will need to NAT all packets since none of the local computers have real IP addresses. as well as the fact we want to traverse as few rules as possible.1. Since we have an FTP server running on the server. of course. For instance. We trust our local network to the fullest. However. Therefore. we do not want to allow specific packets or packet headers in specific conjunctions.Iptables Tutorial 1. and we need to allow the return traffic through the OUTPUT chain. we also trust the local network fully. http://people. SSH and IDENTD access to the actual firewall. nor do we want to allow some IP ranges to reach the firewall from the Internet. we add a rule which lets all established and related traffic through at the top of the INPUT chain. By traversing less rules. or we just want to offer a few services to people on the internet. our packets will hopefully only need to traverse as few rules as possible. This means that we will also have to do some filtering within the FORWARD chain since we will otherwise allow outsiders full access to our local network. and the loopback device and IP address are also trusted.html 21:25:51 10/06/2002 . All of these protocols are available on the actual firewall. FTP. First of all. we want to add special rules to allow all traffic from the local network as well as the loopback network interface. we want the local network to be able to connect to the internet. All of this is done within the PREROUTING chain.0. To do this. Also.unix-fu.9 Página 53 them from getting to our local network. and hence it should be allowed through the INPUT chain. For the same reason.0/8 address range is reserved for local networks and hence we would normally not want to allow packets from such a address range since they would with 90% certainty be spoofed. which is created last in this script. By doing this.

org/andreasson/iptables-tutorial/iptables-tutorial. You should also have a clear picture of the goals of this script. and if not they will be dropped by the default policy in the OUTPUT chain. It is now about time that we take care of setting up all the rules and chains that we wish to create and to use. Setting up the different chains used So. Since we are running on a relatively small network. All incoming UDP packets should be sent to this chain. First of all. As for ICMP packets. and should contain a few extra checks before finally accepting the packet. We do not do any specific user blocking. these will traverse the icmp_packets chain. we set all the default policies on the different chains with a quite simple command. UDP or ICMP. Finally. When we decided on how to create this chain. iptables -P <chain name> <policy> http://people. now you got a small picture on how the packet traverses the different chains and how they belong together.9 Página 54 In this script. such as speak freely and ICQ. This chain we choose to call the "allowed" chain. this box is also used as a secondary workstation and to give some extra levy for this. We would most likely implement this by adding rules that ACCEPT all packets leaving the firewall in case they come from one of the IP addresses assigned to the firewall.1. These packets. Since we actually trust the firewall quite a lot. we choose to split the different packets down by their protocol family.Iptables Tutorial 1. and hence we only want to allow traffic from the IP addresses assigned to the firewall itself. All TCP packets traverse a specific chain named tcp_packets.unix-fu. we allow pretty much all traffic leaving the firewall. Finally. we want to allow certain specific protocols to make contact with the firewall itself. Also. we send to the udp_packets chain which handles all incoming UDP packets. we have the firewalls OUTPUT chain. we could not see any specific needs for extra checks before allowing the ICMP packets through if we agree with the type and code of the ICMP packet. we want to do some extra checking on the TCP packets. However. which will contain rules for all TCP ports and protocols that we want to allow. as well as all of the rulesets within the chains. and hence we accept the directly. and if they are of an allowed type we should accept them immediately without any further checking.html 21:25:51 10/06/2002 . so we would like to create one more subchain for all packets that are accepted for using valid port numbers to the firewall. we do not want people to use this box to spoof packets leaving the firewall itself. we have the UDP packets which needs to be dealt with. nor do we do any blocking of specific protocols. for example TCP.

unix-fu. Either it might be a packet that we just dont want to allow or it might be someone who's doing something bad to us. we don't log more than 3 packets per minute as to not getting flooded with crap all over the log files. if the connection is against an allowed port. These applications will not work properly without it. The new chains are created and set up with no rules inside of them. we want to do some final checks on it to see if we actually do http://people. INPUT chain The INPUT chain as I've written it uses mostly other chains to do the hard work. some applications depend on it such as Samba etc. These packets could be allowed under certain circumstances but in 99% of the cases we wouldn't want these packets to get through. If you want to fully understand this. we log them to our logs and then we DROP them. it travels through the tcp_packets chain. and after this all UDP packets get sent to udpincoming_packets chain. do the same for everything to $LAN_IP. we do the same match for TCP packets on the $INET_IFACE and send those to the tcp_packets chain.1. which was previously described.0. The chains we will use are icmp_packets.0/24. Everything that hasn't yet been caught will be DROP'ed by the default policy on the INPUT chain. First of all we match all ICMP packets in the INPUT chain that come on the incoming interface $INET_IFACE. and after this. and it will work much better on slow machines which might otherwise drop packets at high loads. we log it so we might be able to find out about possible problems and or bugs. We do certain checks for bad packets here. The TCP allowed chain If a packet comes in on eth0 and is of TCP type. something that some might consider a security problem. This way we don't get too much load from the iptables. In either case we want to know about it so it can be dealt with. you need to look at the Appendices regarding state NEW and non-SYN packets getting through other rules. Before we hit the default policy of the INPUT chain. Incoming packets on eth0. will be redirected to tcp_packets and incoming packets of UDP type from eth0 go to udpincoming_packets chain. Finally. After this. tcp_packets.9 Página 55 The default policy is used every time the packets don't match a rule in the chain.168. of ICMP type. we create the different special chains that we want to use with the -N command. of TCP type. Hence.1 and ACCEPT all incoming traffic from there. udpincoming_packets and the allowed chain for tcp_packets. as you might remember. or finally it might be a problem in our firewall not allowing traffic that should be allowed.Iptables Tutorial 1. we check for everything that comes from our $LOCALHOST_IP.0. After this. will be redirected to the chain icmp_packets. which in my case is eth0. The default policy was set quite some time back. we allow broadcast traffic from our LAN.org/andreasson/iptables-tutorial/iptables-tutorial. Though. which would normally be 127.0. also we set a prefix to all log entries so we know where it came from. I allow everything that comes from my own Internet IP that is either ESTABLISHED or RELATED to some connection. which in my case would be 192. and send those to the icmp_packets. Also.html 21:25:51 10/06/2002 .

we check if the packet is a SYN packet. so for example if we send a HTTP request. see the appendix ICMP types. if it does. Redirect and Time Exceeded. hence. In this case this pretty much means everything that hasn't seen traffic in both directions.org/andreasson/iptables-tutorial/iptables-tutorial. DROP the crap since it's 99% sure to be a portscan. The ICMP chain This is where we decide what ICMP types to allow. when you traceroute someone. For a complete listing of all ICMP types. and so on until we get an actual reply from the host we finally want to get to. you start out with TTL = 1. then we. and the host is unreachable. we didn't reply to the SYN packet.unix-fu. we allow this. For more information on ICMP types and their usage. For example. and since we've got a SYN packet. we create the chain the same way as all the others. we will get a reply about this. If it is a SYN packet. then TTL = 2 and the second gateway sends Time Exceeded. we then redirect it to the icmp_packets chain as explained before. ie. but in my case. and a Time Exceeded is sent back from the first gateway en route to the host we're trying to traceroute. and it gets down to 0 at the first hop on the way out. everything works perfectly while blocking all the other ICMP types that I don't allow. the connection then must be in state ESTABLISHED. allow it. again of course. This way we won't have to wait until the browser's timeouts kicks in after some 60 seconds or more. There is no currently available TCP/IP implementation that supports opening a TCP connection with something else than a SYN packet to my knowledge.Iptables Tutorial 1. is allowed in the case where we might want to traceroute some host or if a packet gets its Time To Live set to 0. we will be unable to ping other hosts. the last gateway that was unable to find the route to the host replies with a Destination Unreachable telling us that it was unable to find it. The last rule in this chain will DROP everything else. I might be wrong in blocking some of these ICMP types for you. As it is now. and a reply to this SYN packet. Postel. i suggest reading the following documents and reports : The Internet Control Message Protocol ICMP RFC 792 . http://people. Then we check if the packet comes from an ESTABLISHED or RELATED connection. Time Exceeded. An ESTABLISHED connection is a connection that has seen traffic in both directions. As a side-note. There is no practical use of not starting a connection with a SYN packet. After that.1. except to portscan people pretty much. Destination Unreachable is used if a certain host is unreachable.Internet Control Message Protocol by J. If a packet of ICMP type comes in on eth0 on the INPUT chain. Echo Replies is what you get for example when you ping another host. of course. I only allow incoming ICMP Echo Replies. Destination unreachable. Here we check what kind of ICMP types to allow.html 21:25:51 10/06/2002 . or they are trying to start the connection with a non SYN packet.9 Página 56 want to allow it or not. The reason that I allow these ICMP packets are as follows. First of all. if we don't allow this. it is most likely to be the first packet in a new connection so.

which is used to control FTP connections and later on I also allow all RELATED connections. Port 22 is SSH. This protocol is used to set your computer clock to the same time as certain other time servers which have very accurate clocks.0.0.0. its quite self explanatory how to do that by now=). http://people.org/andreasson/iptables-tutorial/iptables-tutorial.0 and netmask 0. we ACCEPT them directly.0. in other words everything again. this is actually the default behaviour but I'm using it for brevity in here. hence we allow DNS.1. -A tcp_packets tells iptables in which chain to add the new rule.9 Página 57 The TCP chain So now we reach TCP connections. of course. Though. If it doesn't match any of the rules. Firewalls should always be kept to a bare minimum and not more. much better than allowing telnet on port 23. there is still more checks to do. loaded.0 with netmask 0. As it is now. The UDP chain If we do get a UDP packet on the INPUT chain. If they have a source port of 53 also. etc to work properly.0. which is IDENTD and might be necessary for some protocols like IRC.0. and that way we allow PASSIVE and PORT connections since the ip_conntrack_ftp module is.unix-fu. If you feel like adding more open ports with this script.firewall. or FTP control port. we send them on to udpincoming_packets where we once again do a match for the UDP protocol with -p UDP and then match everything with a source address of 0.0. hopefully. which we described previously. in other words all sources addresses. This specifies what ports that are allowed to use on the firewall from the Internet. then the packet will be targeted for the allowed chain. Note that you are dealing with a firewall.html 21:25:51 10/06/2002 . well. --dport 21 means destination port 21. in other words if the packet is destined for port 21 they also match. I personally also allow port 123. Port 80 is HTTP. We don't want this behaviour. If we don't want to allow FTP at all. delete it if you don't want to run a web server on your site.0. I allow TCP port 21. As it is now. And finally we allow port 113. we can unload the ip_conntrack_ftp module and delete the $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed line from the rc. without this we wouldn't be able to do domain name lookups and we would be reversed to only use IP's. which is what we use to do DNS lookups. It is always a bad idea to give others than yourself any kind of access to these kind of boxes. which is NTP or network time protocol. the rule will be added to the end of the chain. I ACCEPT incoming UDP packets from port 53. if you want to allow anyone from the outside to use a shell on your box at all.Iptables Tutorial 1.0. -p TCP tells it to match TCP packets and -s 0/0 matches all source addresses from 0.0. hence we send each and one of them on to allowed chain. in other words your web server.txt file. If all the criteria are matched. they will be passed back to the original chain that sent the packet to the tcp_packets chain.

This should be an extremely well known protocol that is used by the Mirabilis application named ICQ. or it's a weird packet that's spoofed. If it does get dropped. I'm allowing it per default since I know there are some who actually do. We currently also allow port 2074. I doubt there is any further need to explain what it is. in other words. or even better. we allow the packets coming back from that site that's either ESTABLISHED or RELATED but nothing else. I allow pretty much everything that goes out from it that has a source address $LOCALHOST_IP. Last of all we log everything that gets dropped. which is used for certain real-time `multimedia' applications like speak freely which you can use to talk to other people in real-time by using speakers and a microphone. We log maximally 3 log entries per minute as to not flood our own logs.txt example file. http://people. Note that this chain should not be used for any filtering or such.firewall. Also we log them with debug level. we first of all ACCEPT all packets coming from our LAN with the following line: /usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT So everything from our Localnet's interface gets ACCEPT'ed whatever the circumstances. among other things since this chain is only traversed by the first packet in a stream. it should be used for network adress translation. We finally hit the default policy of the FORWARD chain that says to DROP everything. Either it's a nasty error. FORWARD chain Even though I haven't actually set up a certain section in the rc. and prefix them with a short line that is possible to grep for in the logfiles.html 21:25:51 10/06/2002 . most of you probably don't use this protocol. As it is now. Port 4000 is the ICQ protocol. a headset.1.9 Página 58 Though. And after this we log everything and drop it. OUTPUT chain Since i know that there's pretty much no one but me using this box which is partially used as a Firewall and a workstation currently. $LAN_IP or $STATIC_IP. even though I doubt anyone that I know would do it on my box. I would like to comment on the few lines in there anyways. it does network adress translation on packets before they actually hit the routing tables that sends them onwards to the INPUT or FORWARD chains in the filter table.unix-fu.Iptables Tutorial 1. PREROUTING chain of the nat table The PREROUTING chain is pretty much what it says. There is at least 5 different ICQ clones for Linux and it's one of the most widely used chat programs in the world. we'll sure as hell want to know about it for some reason or another. Everything else might be spoofed in some fashion. if we open a connection from our LAN to something on the Internet.org/andreasson/iptables-tutorial/iptables-tutorial. After this we allow everything in a state ESTABLISHED or RELATED from everywhere. Finally we DROP the packet in the default policy.

This means we get maximally 3 log entries per minute from this specific line. but also to improve the readability a bit. For me this would be eth0. The -t option tells us which table to use. In other words. We also set a prefix to the log with the --log-prefix and set the log level with the --log-level. such as in case we get packets from the Internet interface that claim to have a source IP of 192. We allow this rule to be matched a maximum of 3 times per minute with a burst limit of 3. in this case nat while the A command tells us that we want to Add a new rule to an existing chain named POSTROUTING and -o $INET_IFACE tells us to match all outgoing packets on INET_IFACE (or eth0. per default settings in this script) and finally we target the packet for MASQUERADE'ing. 10.org/andreasson/iptables-tutorial/iptables-tutorial.x. This might be used in the opposite direction. Log level tells the syslogd. These settings are widely used within the example scripts. we don't do that though. The next thing we do is to ACCEPT all packets from anywhere that are ESTABLISHED and/or RELATED to some connection. it'll have to wait for another 1 minute for the next log entry. Simple. we first send a packet from our local box behind eth1.html 21:25:51 10/06/2002 . It is in other words up to you to make these scripts suitable for your needs.x. our final mission would be to get the MASQUERADEing up. Starting the Network Address Translation So. too. So all packets that match this rule will be masqueraded to look as it came from your Internet interface. and since it comes from eth1 we ACCEPT it. These scripts are not in any way perfect. However.9 Página 59 First of all we check for obviously spoofed IP addresses. in the POSTROUTING chain that will masquerade all packets going out on our interface connected to the Internet. and they may not fit your exact intentions perfectly. then when the Internet box replies.Iptables Tutorial 1.x.16. mainly to make them easier to configure.x. All packets that are being forwarded on our box traverse the FORWARD chain in the filter table. we drop them quicker than hell since these IP's are reserved especially for local intranets and definitely shouldn't be used on the Internet. if we get an packet from $LAN_IFACE that claims to not come from an IP address in the range which we know that our LAN is on.x or 172. it gets caught by this rule since the connection has seen packets in both directions. and to provide an overlook of the scripts and what services they provide.168.x. The rest of this tutorial should most probably be http://people. First of all we add a rule to the nat table. and hits the default policy. correct? At least to me. In some cases these might be packets that should have gotten through but didn't. This is good if someone starts to flood you with crap stuff that otherwise would generate many megabytes of logs. or logging facility what kind of importance this log entry has. in such case. The last thing we do is to log all traffic that gets dropped over the border. in other cases it might be packets that definitely shouldn't get through and you want to be notified about this. and the burst is also set to 3 so if we get 3 log entries in 2 seconds.1. isn't it? The next step we take is to ACCEPT all packets traversing the FORWARD chain in the default table filter that come from the input interface eth1 which is my interface connecting to the internal network. we might drop that too. As it looks now.unix-fu. there are specific variables added to these example scripts that may be used to automatically configure these settings.x. Example scripts The objective of this chapter is to give a fairly brief and short explanation of each script available with this tutorial.

we will add specific options for those here. This could be skipped if we do not have any Internet connection.txt script structure All scripts written for this tutorial has been written after a specific structure. we will add a DMZ zone configuration at this point. we will add options pertaining to that in this section. Internet . 4. 1. will not have one. Configuration options should pretty much always be the first thing in any shell-script. unless it is specifically explained why I have broken this structure.This is the configuration section which pertains to the Internet connection.9 Página 60 helpful in making this feat.unix-fu. Configuration . 1. PPPoE . do note that this may not be the best structure for your scripts. 3. These variables are highly unlikely to change.1. This chapter should hopefully give a short understanding to why all the scripts has been written as they have. Hopefully.If there are a possibility that the user that wants to use this specific script. This is most likely. It is only a structure that I have chosen to use since it fits the need of being easy to read and follow the best according to my logic. there should be no reason to change these variables. Localhost . or small corporate network. 2. 2.If there is any LAN available behind the firewall. The structure This is the structure that all scripts in this tutorial should follow. If they differ in some way it is probably an error on my part. DHCP . and why I have chosen to maintain this structure. mainly because any normal home network. DMZ .org/andreasson/iptables-tutorial/iptables-tutorial. but only such that pertains to our Internet connection. 1.firewall.These options pertain to our localhost. Note that there may be more subsections than those listed here. The reason for this is that they should be fairly conformative to each other and to make it easier to find the differences between the scripts. This structure should be fairly well documented in this brief chapter. http://people.If there are possibly any special DHCP requirements with this specific script. Most scripts lacks this section. The first section of this tutorial deals with the actual structure that I have established in each script so we may find our way within the script a bit easier. and if there are any special circumstances that raises the chances that he is using a PPPoE connection. hence this section will almost always be available. rc. LAN .First of all we have the configuration options which the rest of the script should use. Even though this is the structure I have chosen. we will add the DHCP specific configuration options here.If there is any reason to it. but we have put most of it into variables anyway.Iptables Tutorial 1.html 21:25:51 10/06/2002 .

Most of the useful proc configurations will be listed here. they should first of all be fitted into the correct subsection (If it pertains to the Internet connection. Module loading . proc configuration . Required modules .This section should contain all of the required proc configurations for the script in question to work. 4. The first part should contain the required modules. while the second part should contain the non-required modules. or add certain services or possibilities. it should be subsectioned directly to the configuration options somewhere.unix-fu. and if you want to add the service it provides. Non-required proc configuration .By now the scripts should most probably be ready to insert the ruleset. and possibly special modules that adds to the security or adds special services to the administrator or clients.org/andreasson/iptables-tutorial/iptables-tutorial.This section should contain the required modules. if not. 2.9 Página 61 5. it is up to you.This section contains iptables specific configuration.This section contains modules that are not required for normal operations. All user specified chains are created before we do anything to the system builtin chains.This section should take care of any special configuration needed in the proc filesystem. Required proc configuration . etcetera). If some of these options are required. 6. http://people.This section of the scripts should maintain a list of modules. I have chosen to split all the rules down after table and then chain names.If there are any other specific options and variables.1. This should normally be noted in such cases within the example scripts. This list will contain far from all of the proc configurations or nodes. In most scripts and situations this should only require one variable which tells us where the iptables binary is located. 5. It could possibly also contain configurations that raises security. iptables . Note that some modules that may raise security. 3. and possibly which adds special services or possibilities for the administrator or clients. Non-required modules . it should be subsectioned there. but far from all of them. I have also chosen to set the chains and their rulespecifications in the same order as they are output by the iptables -L command. may have been added even though they are not required.This section should contain non-required proc configurations that may prove useful. 1.Iptables Tutorial 1. 2. Other . rules set up . If it does not fit in anywhere. and listed under the non-required proc configurations. they should be commented out per default.html 21:25:51 10/06/2002 . they will be listed as such. since they are not actually necessary to get the script to work. 1. All of them should be commented out. All of these modules should be commented out per default.

Set up all the default policies for the systemchains.After creating the user specified chains we may as well enter all the rules within these chains. however. The only reason I have to enter this data at this point already is that may as well put it close to the creation of the user specified chains. and finally the mangle table lies around the nat table as a second layer. The filter table would hence be the core. while the nat table acts as a layer lying around the filter table. First of all we do not want to turn the whole forwarding mechanism and NAT function on at a too early stage. nat table .unix-fu.1. 5. This way we will get rid of all ports that we do not want to let people use.After the filter table we take care of the nat table. Create content in user specified chains . You may as well put this later on in your script. 6. Normally.9 Página 62 1. 1. but none of the filter rules has been run). 4. and we http://people. 2. it is totally up to you. Set policies . OUTPUT chain . 2.org/andreasson/iptables-tutorial/iptables-tutorial. There should hopefully not be too much to do at this point. We will not be able to use these chains in the systemchains anyways if they are not already created so we could as well get to it as soon as possible. we add the rules dealing with the OUTPUT chain. and specifically ACCEPT services and streams that I want to allow inside. but not too far from reality.First of all we go through the filter table and its content. There is no reason for you to stay with this structure. Nothing special about this decision. we do not have a lot of things left to do within the filter table so we get onto the INPUT chain. At this point we should add all rules within the INPUT chain. Create user specified chains . This may be wrong in some perspectives. when the NAT has been turned on. I look upon the nat table as a sort of layer that lies just outside the filter table and kind of surrounds it.Iptables Tutorial 1.When we have come this far.First of all we set up all the default policies within the nat table. Also. which could possibly lead to packets getting through the firewall at just the wrong timepoint (ie.Last of all in the filter table. This is done after the filter table because of a number of reasons within these scripts. First of all we should set up all the policies in the table.html 21:25:51 10/06/2002 . At this point we start following the output from the iptables -L command as you may see. This table should not be used for filtering anyways. INPUT chain .At this point we go on to add the rules within the FORWARD chain. FORWARD chain .At this point we create all the user specified chains that we want to use later on within this table. namely the ACCEPT policy. Set policies . Filter table . do try to avoid mixing up data from different tables and chains since it will become much harder to read such rulesets and to fix possible problems. 3. 1. I will be satisfied with the default policy set from the beginning. Normally I will set DROP policies on the chains in the filter table.

In most scripts this feature is not used.The OUTPUT chain is barely used at all in any of the scripts. As it looks now. send me a line and I will add it to the tutorial. The same thing goes here as for the user specified chains in the filter table.9 Página 63 should not let packets be dropped here since there are some really nasty things that may happen in such cases due to our own presumptions.At this point we create any user specified chains that we want within the nat table.unix-fu.The POSTROUTING chain should be fairly well used by the scripts I have written since most of them depend upon the fact that you have one or more local networks that we want to firewall against the Internet. I let these chains be set to ACCEPT since there is no reason not to do so. Create user specified chains . 7. The table was not made for filtering.html 21:25:51 10/06/2002 . However. and you are encouraged not to do so either.Iptables Tutorial 1.Create all the user specified chains.1. this section was added just in case someone. We add this material here since I do not see any reason not to. POSTROUTING chain . 5. 6. 4. such as masking all boxes to use the exact same TTL or to change TOS fields etcetera.By now it should be time to add all the rules to the user specified chains in the nat table. or I. would have the need for it in the future. Note that the user specified chains must be created before they can actually be used within the systemchains. Set policies . If anyone has a reason to use this chain. Within some scripts we have this turned on by default since the sole purpose of those scripts are to provide such services. reason being that we do not want to open up big holes to our local network without knowing about it.The last table to do anything about is the mangle table. Create content in user specified chains . 4. I have neither created any chains here since it is fairly unusable without any data to use within it. The same thing goes here as for the nat table pretty much. Since I have barely used the mangle table at all in the scripts. 3. I have not set any policies in any of the scripts in the mangle table one way or the other. 1. but in certain cases we are forced to use the MASQUERADE target instead. but I have added this section anyways.org/andreasson/iptables-tutorial/iptables-tutorial. and hence you should avoid it all together. or at the very least commented out. since it should normally not be used for anyone. Mainly we will try to use the SNAT target. mangle table . but I have been unable to find any good reasons to use this chain so far. Normally I will not use this table at all. I have in other words chosen to leave these parts of the scripts more or less blank. unless they have specific needs. with a few exceptions where I have added a few examples of what it may be used for. http://people. just in case. Create user specified chains . 2.The PREROUTING chain is used to do DNAT on packets in case we have any need for it.Set the default policies within the chain. it is not broken. Normally I do not have any of these. OUTPUT chain . PREROUTING chain .

FORWARD chain . and should mainly just be seen as a brief explanation to what and why the scripts has been split down as they have. 5. There is nothing that says that this is the only and best way to go. INPUT chain .At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. Create content in userspecified chains . OUTPUT chain . rc. you may att this point add the rules that you want within them here. 7.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.Iptables Tutorial 1.html 21:25:51 10/06/2002 .firewall.org/andreasson/iptables-tutorial/iptables-tutorial. 4. 6.If you have any user specified chains within this table.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.txt http://people.9 Página 64 3. Do note that these descriptions are extremely brief. Hopefully this should explain more in detail how each script is structured and why they are structured in such a way. POSTROUTING chain . PREROUTING . 8.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.1.unix-fu.

The rc. rc. This script also makes the assumption that you have a static IP to the Internet.org/andreasson/iptables-tutorial/iptables-tutorial.txt script is the main core on which the rest of the scripts are based upon. where you have one LAN and one Internet Connection. For example.txt script.unix-fu.firewall.1.firewall. and hence don't use DHCP. PPP.DMZ.9 Página 65 The rc. If you are looking for a script that will work with those setups.firewall.html 21:25:51 10/06/2002 .Iptables Tutorial 1. please take a closer look at the rc.txt http://people.firewall file chapter should explain every detail in the script most thoroughly. SLIPor some other protocol that assigns you an IP automatically.DHCP. Mainly it was written for a dual homed network.

you must make the box recognise packets for more than one IP. but it will not tell you exactly what you need to do since it is out of the scope of the tutorial.txt script was written for those people out there that has one Trusted Internal Network. one De-Militarized Zone and one Internet Connection. the DNS wouldn't have answered the packet.unix-fu.firewall. Do note that this will "steal" two IP's for you. and not to our external DNS IP. to send the packet on to our DNS on the DMZ network.9 Página 66 The rc. then we use DNAT. another one if you have a whole subnet is to create a subnetwork. if someone from the internet sends a packet to our DNS_IP.168. If the packet would not have been translated. We will show a short example of how the DNAT code looks: $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP http://people. You need to have two internal networks with this script as you can see from the picture.DMZ. The De-Militarized Zone is in this case 1-to-1 NAT'ed and requires you to do some IP aliasing on your firewall. which stands for Destination Network Adress Translation. The other one uses IP range 192. one for the broadcast address and one for the network address.1. For example. one is to set 1-to-1 NAT. One uses IP range 192. ie. this tutorial will give you the tools to actually accomplish the firewalling and NAT'ing part. the packet will be destined for the actual DNS internal network IP.0.org/andreasson/iptables-tutorial/iptables-tutorial.168.1.0/24 and consists of the De-Militarized Zone which we will do 1-to-1 NAT to. There are several ways to get this to work.html 21:25:51 10/06/2002 . giving the firewall one IP both internally and externally.Iptables Tutorial 1. You could then set the IP's to the DMZ'ed boxes as you wish. This is pretty much up to you to decide and to implement.0/24 and consists of a Trusted Internal Network. When the DNS sees our packet.

Instead of using this variable the script now does it's main http://people. which is the main change to the original rc.txt script. PPP and SLIP connections to connect to the internet.Iptables Tutorial 1.9 Página 67 First of all.firewall. After that we specify where we want the packet to go with the --to-destination option and give it the value of $DMZ_DNS_IP. If we actually get such a packet we give a target of DNAT. DNAT can only be performed in the PREROUTING chain of the nat table.txt script is pretty much identical to the original rc. however. The reason is that this won't work together with a dynamic IP connection. in other words the IP of the DNS on our DMZ network. and is directed to port 53. I've had some people mail me and ask about the problem so this script will be a good solution for you.firewall.org/andreasson/iptables-tutorial/iptables-tutorial. which is the TCP port for zone transfers between DNS's. The actual changes needed to be done to the original script is minimal.firewall. it automatically gets un-DNAT'ed. rc.txt The rc. this script no longer uses the STATIC_IP variable.DHCP.txt.unix-fu. in other words Destination NAT.DHCP. By now you should have enough understanding of how everything works to be able to understand this script pretty well without any huge complications. Then we look for TCP protocol on our $INET_IFACE with destination IP that matches our $DNS_IP.1. This is how basic DNAT works. The main changes done to the script consists of erasing the STATIC_IP variable as I already said and deleting all referenses to this variable.html 21:25:51 10/06/2002 . When the reply to the DNAT'ed packet is sent through the firewall. However. mail me since it is probably a fault on my side.firewall. that hasn't been gone through in the rest of the tutorial. This script will allow people who uses DHCP. If there is something you don't understand.

We can no longer filter in the INPUT chain depending on.9 Página 68 filtering on the variable INET_IFACE.org/andreasson/iptables-tutorial/iptables-tutorial. A good way to do this. upon bootup of the internet connection. the PPP daemon. If the script is run from within a script which in turn is executed by. or write one. if you want to block hosts on your LAN to connect to the firewall.unix-fu. Also. This is pretty much the only changes made and that's all that's needed really. You will find a link to the linuxguruz.txt script. For a good site. which contains static links back to the same host. for example. we would get a real hard trouble. One great example is if we are running an HTTP on our firewall. then try to access that IP. If the script is kept simple. For example. It may get unnecessarily complicated. I would definitely advise you to use that script if at all possible since this script is more open to attacks from the outside. as described in the following list. and if so ACCEPT them. but in such cases it could be gotten around by adding rules which checks the LAN interface packets for our INET_IP.org site from the Other resources and links appendix. how would you do it without erasing your already active rules blocking the LAN? 3. However. As you may read from above. but it is questionable. which could be some dyndns solution. This in turn forces us to filter only based on interfaces in such cases where the internal machines must access the internet adressable IP. In case we filter based on interface and IP. there is the possibility to add something like this to your scripts: INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1` The above would automatically grab the IP address of the $INET_IFACE variable. but at the same time operate a script from the PPP daemon. that handles dynamic IP in a better sense.org iptables site which has a huge collection of scripts available to download. for example. if you get rid of the NEW not SYN rules for example. check out the linuxguruz. 1. We could for example make a script that grabs the IP from ifconfig and adds it to a variable. as seen above which in turn could lead to security compromises. If you got rules that are static and always want to be around. it will hang all currently active connections due to the NEW not SYN rules (see the State NEW packets but no SYN bit set section). and to keep order in it.html 21:25:51 10/06/2002 .firewall. If we go to the main page. the NAT'ed box would be unable to get to the HTTP because the INPUT chain would DROP the packets flat to the ground. 2. it is easier to spot problems. There is some more things to think about though.Iptables Tutorial 1. http://people. The NAT'ed box would ask the DNS for the IP of the HTTP server. It is possible to get by. there are serious drawbacks with this approach. would e to use for example the ip-up scripts provided with pppd and some other programs. without hurting the already existing ones. This script might be a bit less secure than the rc. it may be a good idea to grab a script. This also applies in a sense to the case where we got a static IP. it is rather harsh to add and erase rules all the time. In other words -d $STATIC_IP has been changed to -i $INET_IFACE. --in-interface $LAN_IFACE --dst $INET_IP.1. grep the correct line which contains the IP address and then cuts it down to a manageable IP address.

but a large part of the hacks and cracks that a company gets hit by is a matter of people from their own staff perpetrating the hit. We also disallow people on our LAN to do anything but specific tasks on the Internet. not even our own employees.UTIN. but it does give a few hints at what we would normally let through etc. The only things we actually allow is POP3.txt The rc.txt script can be used to test all the different chains. In other words.1.test-iptables. such as turning on ip_forwarding.Iptables Tutorial 1.firewall. rc.txt script. We also don't trust the internal users to access the firewall more than we trust users on the Internet. we don't trust anyone on any networks we are connected to. All it really does is set some LOG targets which will log ping reply's http://people.UTIN. It will work for mostly everyone though who has all the basic set up and all the basic tables loaded into kernel.firewall.org/andreasson/iptables-tutorial/iptables-tutorial. This is a sad fact.firewall.html 21:25:51 10/06/2002 . and setting up masquerading etcetera.test-iptables. but it might need some tweaking depending on your configuration. It's not very different from the original rc. HTTP and FTP access to the internet. This script will hopefully give you some clues as to what you can do with your firewall to strengthen it up.txt The rc.9 Página 69 rc.txt script will in contrast to the other scripts block the LAN that is sitting behind us.unix-fu. This script follows the golden rule to not trust anyone.

OUTPUT and FORWARD chains of the filter table. Adding shell script syntax and other things makes the script harder to read as far as I am concerned and the tutorial was written with readability in mind and will continue being so. I will not do that since this is a tutorial and should be used as a place to fetch ideas mainly and it shouldn't be filled up with shell scripts and strange syntax.flush-iptables. This way.firewall script using redhat Linux syntax where you type something like rc.unix-fu. This would look like the following: http://people.firewall start and the script starts. The script starts by setting the default policies to ACCEPT on the INPUT. POSTROUTING and OUTPUT chains of the nat table. We do this first so we won't have to bother about closed connections and packets not getting through.Iptables Tutorial 1. it's not a good idea to have rules like this that logs everything of one sort since your log partitions might get filled up quickly and it would be an effective Denial of Service attack against you and might lead to real attacks on you that would be unlogged after the initial Denial of Service attack. unless the log entries are swapped around for some reason. You may consider adding rules to flush your MANGLE table if you use it. we consider the script done.html 21:25:51 10/06/2002 . and hence we only care about opening the whole thing up and reset it to default values.9 Página 70 and ping requests.txt The rc.txt script should not really be called a script in itself.flush-iptables. After this we flush all chains first in the filter table and then in the NAT table.flush-iptables. Certain people has mailed me asking from me to put this script into the original rc. Detailed explanations of special commands Listing your active ruleset To list your currently active ruleset you run a special option to the iptables command.the. you will get information on which chain was traversed and in which order.1.internet And tail -n 0 -f /var/log/messages while doing the first command. we jump down to the next section where we erase all the user specified chains in the NAT and filter tables. For example. rc. However.on.txt script will reset and flush all your tables and chains. In other words. After this we reset the default policies of the PREROUTING. which we have discussed briefly previously in the How a rule is built chapter. When this step is done.org/andreasson/iptables-tutorial/iptables-tutorial. This script was written for testing purposes only. One final word on this issue. This way we know there is no redundant rules lying around anywhere. When all of this is done. This script is intended for actually setting up and troubleshooting your firewall. This should show you all the different chains used and in which order. run this script and then do: ping -c 1 host. The rc.

One thing though. It would then look something like this: iptables -L -n -v There is also a few files that might be interesting to look at in the /proc filesystem. there are actually commands to flush them. ie 192.Iptables Tutorial 1. it erases the first instance it finds matching your rule.html 21:25:51 10/06/2002 . If you added a rule in error. it is rather simple to add http://people.0/16 is a private range though and should not resolve to anything and the command will seem to hang while resolving the IP. I've actually gotten this question a couple times by now so I thought I'd answer it right here. iptables -F INPUT will erase the whole INPUT chain. and translate everything possible to a more readable form.9 Página 71 iptables -L This command should list your currently active ruleset. This table contains all the different connections currently tracked and serves as a basic table so we always know what state a connection currently is in. if you start mucking around in the mangle table. it will translate all the different ports according to the /etc/ services file as well as DNS all the IP addresses to get DNS records instead. for example iptables -P INPUT ACCEPT. do as how you set it to DROP. We could get this by adding the verbose flag.168. If this is not the wanted behaviour you might try to use the -D option as iptables -D INPUT 10 which will erase the 10th rule in the INPUT chain. For example. To see the table you can run the following command: cat /proc/net/conntrack | less The above command will show all currently tracked connections even though it might be a bit hard to understand everything. in this case you might want to run the -F option.firewall. The later can be a bit of a problem though. I have made a small script (available as an appendix as well) that will flush and reset your iptables that you might consider using while setting up your rc. it would be a bad idea.txt file properly.1. so you don't have to reboot.unix-fu. 192. it might be interesting to know what connections are currently in the conntrack table. For example. rule and chain. it will try to resolve LAN IP addresses. This table can not be edited and even if it was possible.org/andreasson/iptables-tutorial/iptables-tutorial. To get around this problem we would do something like the following: iptables -L -n Another thing that might be interesting is to see a few statistics about each policy. to something useful. you might just change the -A parameter to -D in the line you added in error. Updating and flushing your tables If at some point you screw up your iptables. To reset the chain policy.168. iptables will find the erroneous line and erase it for you. though. in case you've got multiple lines looking exactly the same in the chain.1. this script will not erase those. so if this is set to DROP you'll block the whole INPUT chain if used as above. For example. For example.1. There is also instances where you want to flush a whole chain. this will not change the default policy.0.

In case your client sits behind a Network Address Translationing system (iptables).html 21:25:51 10/06/2002 . but not the ip_conntrack_irc and ip_nat_irc modules and then do: /usr/local/sbin/iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT To allow Passive FTP but not DCC. and for one of the firewalls to go down without any http://people. but not DCC send. If you use state NEW. telling the client what address to connect to and what port to use. Do note that the ip_nat_* modules are only needed in case you need and want to do Network Adress Translation on the connections. Just compile the ip_conntrack_irc. including me). As you can understand from this document. If you for example want to allow Passive FTP. The client tells the server that it wants to send or receive data and the server replies. In Passive FTP. If you would want to do the reverse. you would load the ip_conntrack_ftp and ip_nat_ftp modules. For more information about Active and Passive FTP. another firewall.1.txt script so far. its quite simple once you get to think of it. then the packets data section needs to be NAT'ed too. ie. but not the ip_conntrack_ftp and ip_nat_ftp modules. ip_nat_irc. Without these modules they can't recognize these kinds of connections. well. packets with the SYN bit unset will get through your firewall. ip_conntrack_ftp and ip_nat_ftp code as modules and not statically into the kernel. if you want to let people run IRC from your local network which is using a NAT'ed or masqueraded connection to the internet.firewall. Reynolds. but not allow DCC send functions with the new state matching code. that is what the ip_nat_ftp module does.x kernels. you can for example allow Passive FTP connections. Postel and J. for instance. You may ask yourself how. read RFC 959 . This feature is there because in certain cases we want to consider that a packet may be part of an already ESTABLISHED connection on. the proceeding is reversed. during Active FTP the client sends the server an IP address and random port to use and then the server connects to this port on the client.unix-fu. This feature makes it possible to have two or more firewalls. Common problems and questionmarks Passive FTP but no DCC This is one of the really nice parts about the new iptables support in the 2. This RFC contains information regarding the FTP protocol and Active and Passive FTP and how they work.4. you'd just load the ip_conntrack_irc and ip_nat_irc modules. What these modules do is that they add support to the connection tracking machine and the NAT machine so they can distinguish and modify a Passive FTP connection or a DCC send connection.File Transfer Protocol by J.9 Página 72 the few lines needed to erase those but I have not added those here since the mangle table is not used in my rc.Iptables Tutorial 1. State NEW packets but no SYN bit set There is a certain feature in iptables that is not so well documented and may therefore be overlooked by a lot of people(yes.org/andreasson/iptables-tutorial/iptables-tutorial.

the swedish Internet Service Provider and phone monopoly Telia uses this approach for example on their DNS servers. This only applies when you are running with the conntrack and nat codebases as modules.firewall. The firewalling of the subnet could then be taken over by our secondary firewall. If someone is currently connected to the firewall.1. To put it simple. Start the connection tracking modules. when you start the PPP connection.org/andreasson/iptables-tutorial/iptables-tutorial. the packet will match to the rules and be logged and afterwards dropped to the ground. also there will be no SYN bits set since it is not actually the first packet in the connection. The above rules will lead to certain conditions where packets generated by microsoft products gets labeled as a state NEW and hence get logged and dropped. set the --log-headers option to the rule and log the headers too and you'll get a better look at what the packet looks like. The problem http://people. For example. Certain stupid Internet Service Providers use IP addresses assigned by IANA for their local networks on which you connect to. In this case. At this point the faulty Microsoft implementation sends another packet which is considered as state NEW but lacks the SYN bit and hence gets matched by the above rules. The matter is that when a connection gets closed and the final FIN/ACK has been sent and the state machine of netfilter has closed this connection and it is no longer in the conntrack table. Note that there is some troubles with the above rules and bad Microsoft TCP/IP implementations.9 Página 73 loss of data. It will however not lead to broken connections to my knowledge. In other words. OUTPUT and FORWARD chain: $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP The above rules will take care of this problem. regardless if this is the initial 3-way handshake or not. which uses the 10. a huge warning is in it's place for this kind of behaviour on your firewall. Internet Service Providers who use assigned IP addresses I have added this since a friend of mine told me something I have totally forgotten. then load the NEW not SYN packet rules. Another way to get this problem is to run the rc. or if you are worried anyways.html 21:25:51 10/06/2002 . the connection tracking code will not recognise this connection as a legal connection since it has not seen packets in any direction on this connection before. To take care of this problem we add the following rules to our firewalls INPUT. you connect with telnet or some other stream connection. Hence.x.x. This is a badly documented behaviour of the netfilter/iptables project and should definitely be more highlighted.This does however lead to the fact that state NEW will allow pretty much any kind of TCP connection. In other words. and you have the script set to be activated when running a PPP connection. the person previously connected through the LAN will be more or less killed. and the modules are loaded and unloaded each time you run the script.txt script from a telnet connection from a host not on the actual firewall. Finally.Iptables Tutorial 1.x IP address range. lets say from the LAN. don't worry to much about this rule. the telnet client or daemon tries to send something. There is one more known problem with these rules.unix-fu.

or you could just comment out that part of the script.1.Iptables Tutorial 1.0.9 Página 74 you will most probably run into is that we.html 21:25:51 10/06/2002 . here is unfortunately an example where you actually might have to lift a bit on those rules. in this script. ICMP types This is a complete listing of all ICMP types: Table 1. ICMP types TYPE CODE Description 0 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Echo Reply Network Unreachable Host Unreachable Protocol Unreachable Port Unreachable Fragmentation needed but no frag.org/andreasson/iptables-tutorial/iptables-tutorial. but you are not supposed to force us to open up ourself just because of some whince of yours. do not allow connections from any IP addresses in the 10. For large corporate sites it is more than ok. You might just insert an ACCEPT rule above the spoof section to allow traffic from those DNS servers. Well. because of spoofing possibilities.x range to us.x.0. These IP address ranges are not assigned for you to use for dumb stuff like this.x.unix-fu. or your own home network. at least not to my knowledge. This is how it might look: /usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10. bit set Source routing failed Destination network unknown Destination host unknown Source host isolated (obsolete) Destination network administratively prohibited Destination host administratively prohibited Network unreachable for TOS Host unreachable for TOS Communication administratively prohibited by filtering Host precedence violation Query x x x x x x x x x x x x x x x x Error http://people.1/32 -j ACCEPT I would like to take my moment to bitch at these Internet Service Providers.

It is a must for everyone wanting to set up iptables and netfilter in linux. This is an HTML'ized version of the man page which is an excellent reference when reading/writing iptables rulesets.txt .Iptables Tutorial 1.9 Página 75 3 4 5 5 5 5 8 9 10 11 11 12 12 13 14 15 16 17 18 15 0 0 1 2 3 0 0 0 0 1 0 1 0 Precedence cutoff in effect Source quench Redirect for network Redirect for host Redirect for TOS and network Redirect for TOS and host Echo request Router advertisement Route sollicitation TTL equals 0 during transit TTL equals 0 during reassembly IP header bad (catchall error) Required options missing Timestamp request (obsolete) Timestamp reply (obsolete) x x x x x x x x x x x x 0 0 0 0 Information request (obsolete) Information reply (obsolete) Address mask request Address mask reply Other resources and links Here is a list of links to resources and where I have gotten information from. iptables. http://netfilter. etc : ip-sysctl.14 kernel.4.4 man page. A really short reference to the ip_dynaddr settings available via sysctl and the proc filesystem.The official netfilter and iptables site.from the 2.14 kernel.1.filewatcher.org/ .The iptables 1. ip_dynaddr.txt . A little bit short but a good reference for the IP networking controls and what they do to the kernel.2.8 .unix-fu.4.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . Always have it at hand.from the 2. http://people.

org/unreliable-guides/netfilter-hacking-HOWTO/index.Iptables Tutorial 1. Excellent documentation about Network Address Translation in iptables and netfilter written by one of the core developers.Excellent discussion on automatic hardening of iptables and how to make small changes that will make your computer automatically add hostile sites to a special banlist in iptables. One of the few sites that has any information at all about these programs.org/iptables/ .org .The official netfilter mailing-list. Acknowledgements I would like to thank the following people for their help on this document: Fabrice Marie.unix-fu.Rusty Russells Unreliable Guide to packet filtering.Rusty Russells Unreliable Guide to Network Address Translation.html . Extremely useful in case you have questions about something not covered in this document or any of the other links here. For helping me out on some aspects on using the state matching code.html 21:25:51 10/06/2002 . For major updates to my horrible grammar and spelling.filewatcher.linuxguruz. Maintained by Stef Coene. http://netfilter.islandsoft. http://people. Excellent documentation about basic packet filtering with iptables written by one of the core developers of iptables and netfilter. http://netfilter. http://www.org/mailman/listinfo/netfilter .html .samba.filewatcher.Rusty Russells Unreliable Netfilter Hacking HOWTO. http://www.html . documentation and individuals who helped me. One of the few documentations on how to write code in the netfilter and iptables userspace and kernel space codebase. tc and the ip commands in Linux. Marc Boucher.Excellent information about the CBQ. And of course the iptables source.filewatcher.net/veerapen.9 Página 76 http://netfilter. http://www.org/netfilter-faq.html . http://netfilter. This was also written by Rusty Russell.html . Rusty Russell. Also maintains a list of different iptables scripts for different purposes.Excellent linkpage with links to most of the pages on the internet about iptables and netfilter.org/unreliable-guides/NAT-HOWTO/index. Also a good place to stat at when wondering what iptables and netfilter is about.The official netfilter Frequently Asked Questions.org/andreasson/iptables-tutorial/iptables-tutorial.org/unreliable-guides/packet-filtering-HOWTO/index.1.filewatcher. Also a huge thanks for updating the tutorial to DocBook format with make files etc.docum. http://lists.

Iptables Tutorial 1. Alexander W. Janssen.org/andreasson/ By: Oskar Andreasson Contributors: Jim Ramsey.6 (7 December 2001) http://people. And of course everyone else I talked to and asked for comments on this file. History Version 1. For hinting me about strange ISP's and so on that uses reserved networks on the Internet. For giving me hints at stuff that might screw up for people and for trying it out and checking for errors in what I've written. Galen Johnson.firewall rules and giving great inspiration while i was to rewrite the ruleset and being the one who introduced the multiple table traversing into the same file. Jasper http://people. Phil Schultz.boingworld. Steven McClintoc. Bill Dossett.1.unix-fu. Adam Mansbridge. Both for making me realize I was thinking wrong about how packets traverse the basic NAT and filters tables and in which order they show up. Aladdin and Rusty Russell. For helping me out with some of the state matching code and getting it to work.boingworld.7 (4 February 2002) http://www. Nyboe.9 Página 77 Frode E.1. Michiel Brandenburg. For helping me out with the graphics. Togan Muftuoglu. I know I suck at graphics. or at least on the internet for you. Neil Jolly. Janne Johansson.1. Also thanks for checking the tutorial for errors etc. Dave Wreski. Kelly Ashe. Göran Båge. Chapman Brad.). Version 1. Anders 'DeZENT' Johansson. Phil Schultz. Thomas Smets. Doug Monroe.1.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Vince Herried. For greatly improving the rc. Myles Uyema. Erik Sjölund.8 (5 March 2002) http://www. Peter Horst. Mitch Landers. Jeremy `Spliffy' Smith.boingworld.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Version 1.1. and you're better than most I know who do graphics.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. Jason Lam and Evan Nemerson Version 1. Jelle Kalf. Vasoo Veerapen. Kent `Artech' Stahre. sorry for not mentioning everyone.html 21:25:51 10/06/2002 .com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Parimi Ravi.9 (21 March 2002) http://www.

9 (9 September 2001) http://people.org/andreasson By: Oskar Andreasson Contributors: Dave Richardson Version 1.5 (14 November 2001) http://people. Jacco van Koll and Dave Wreski Version 1.unix-fu.org/andreasson By: Oskar Andreasson Contributors: Stig W.unix-fu.1.org/andreasson By: Oskar Andreasson Version 1.1.unix-fu. Chris Martin.8 (7 September 2001) http://people.org/andreasson By: Oskar Andreasson Version 1. Chris Pluta and Kurt Lieber Version 1.org/andreasson By: Oskar Andreasson Contributors: Joni Chu.org/andreasson By: Oskar Andreasson Version 1. Merijn Schering and Kurt Lieber Version 1.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie Version 1.org/andreasson By: Oskar Andreasson Version 1.2 (29 September 2001) http://people.0.1. Jonas Pasche. Chris Tallon.unix-fu.1.3 (9 October 2001) http://people.Emile Akabi-Davis and Jelle Kalf Version 1. Rodrigo R.unix-fu. Steve Hnizdur.unix-fu.0.4 (6 November 2001) http://people.0.1 (26 September 2001) http://people.9 Página 78 Aikema.org/andreasson/ By: Oskar Andreasson Contributors: Fabrice Marie.unix-fu.unix-fu. Jan Labanowski. Branco.unix-fu.7 (23 August 2001) http://people.org/andreasson/iptables-tutorial/iptables-tutorial.1.5 http://people. Jensen.1.6 http://people.org/andreasson By: Oskar Andreasson Version 1. Kurt Lieber.0.unix-fu.0 (15 September 2001) http://people. N.1.0.html 21:25:51 10/06/2002 .Iptables Tutorial 1.unix-fu.

1. 0.Iptables Tutorial 1. with or without modifying it. this License preserves for the author and publisher a way to get credit for their work. 1.9 Página 79 http://people. which is a copyleft license designed for free software. because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals. either copied verbatim. Secondarily. Suite 330. textbook. either commercially or noncommercially. Any member of the public is a licensee. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. http://people. Boston.unix-fu. regardless of subject matter or whether it is published as a printed book. it can be used for any textual work. refers to any such manual or work. but changing it is not allowed.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie GNU Free Documentation License Version 1.org/andreasson/iptables-tutorial/iptables-tutorial. while not being considered responsible for modifications made by others. This License is a kind of "copyleft". or with modifications and/or translated into another language. PREAMBLE The purpose of this License is to make a manual. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it. We recommend this License principally for works whose purpose is instruction or reference. Inc.1. It complements the GNU General Public License. APPLICABILITY AND DEFINITIONS This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. A "Modified Version" of the Document means any work containing the Document or a portion of it. The "Document".html 21:25:51 10/06/2002 . 59 Temple Place. We have designed this License in order to use it for manuals for free software. which means that derivative works of the document must themselves be free in the same sense. and is addressed as "you". below. March 2000 Copyright (C) 2000 Free Software Foundation.unix-fu.

you may accept compensation in exchange for copies. or of legal. 2. for a printed book. philosophical. under the same conditions stated above. SGML or XML using a publicly available DTD. Opaque formats include PostScript. The "Title Page" means. preceding the beginning of the body of the text. the title page itself.Iptables Tutorial 1. as Front-Cover Texts or BackCover Texts. and the license notice saying this License applies to the Document are reproduced in all copies. If you distribute a large enough number of copies you must also follow the conditions in section 3. commercial. http://people. ethical or political position regarding them. proprietary formats that can be read and edited only by proprietary word processors. a Secondary Section may not explain any mathematics. and standardconforming simple HTML designed for human modification. LaTeX input format. in the notice that says that the Document is released under this License. A "Transparent" copy of the Document means a machine-readable copy. VERBATIM COPYING You may copy and distribute the Document in any medium. Texinfo input format. The "Invariant Sections" are certain Secondary Sections whose titles are designated.unix-fu. the material this License requires to appear in the title page. whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor. However. PDF. "Title Page" means the text near the most prominent appearance of the work's title. the copyright notices. The "Cover Texts" are certain short passages of text that are listed. legibly. and the machine-generated HTML produced by some word processors for output purposes only. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. in the notice that says that the Document is released under this License. Examples of suitable formats for Transparent copies include plain ASCII without markup. For works in formats which do not have any title page as such. You may also lend copies. and you may publicly display copies.1. provided that this License.org/andreasson/iptables-tutorial/iptables-tutorial.) The relationship could be a matter of historical connection with the subject or with related matters. if the Document is in part a textbook of mathematics. plus such following pages as are needed to hold. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. and that you add no other conditions whatsoever to those of this License. and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters.html 21:25:51 10/06/2002 . either commercially or noncommercially.9 Página 80 (For example. represented in a format whose specification is available to the general public. as being those of Invariant Sections. SGML or XML for which the DTD and/or processing tools are not generally available. A copy that is not "Transparent" is called "Opaque".

all these Cover Texts: Front-Cover Texts on the front cover.org/andreasson/iptables-tutorial/iptables-tutorial. which the general network-using public has access to download anonymously at no charge using public-standard network protocols. can be treated as verbatim copying in other respects. but not required. B. If you publish or distribute Opaque copies of the Document numbering more than 100. to give them a chance to provide you with an updated version of the Document. you must either include a machine-readable Transparent copy along with each Opaque copy. You may use the same title as a previous version if the original publisher of that version gives permission.html 21:25:51 10/06/2002 . List on the Title Page. 4. if any) a title distinct from that of the Document. with the Modified Version filling the role of the Document. you must enclose the copies in covers that carry. The front cover must present the full title with all words of the title equally prominent and visible. provided that you release the Modified Version under precisely this License. clearly and legibly. http://people. or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document. Use in the Title Page (and on the covers. you must take reasonably prudent steps. one or more persons or entities responsible for authorship of the modifications in the Modified Version. Copying with changes limited to the covers. and Back-Cover Texts on the back cover.unix-fu. that you contact the authors of the Document well before redistributing any large number of copies. and the Document's license notice requires Cover Texts. Both covers must also clearly and legibly identify you as the publisher of these copies. as authors. if it has less than five). you must do these things in the Modified Version: A. as long as they preserve the title of the Document and satisfy these conditions. to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.9 Página 81 3.1. If the required texts for either cover are too voluminous to fit legibly. and continue the rest onto adjacent pages. thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. COPYING IN QUANTITY If you publish printed copies of the Document numbering more than 100. be listed in the History section of the Document). you should put the first ones listed (as many as fit reasonably) on the actual cover. If you use the latter option. and from those of previous versions (which should. free of added material. In addition. when you begin distribution of Opaque copies in quantity. if there were any. You may add other material on the covers in addition. together with at least five of the principal authors of the Document (all of its principal authors.Iptables Tutorial 1. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above. It is requested.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document. add their titles to the list of Invariant Sections in the Modified Version's license notice. and add to it an item stating at least the title. If there is no section entitled "History" in the Document. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice. E. in the form shown in the Addendum below.html 21:25:51 10/06/2002 . N. M. You may add a section entitled "Endorsements". year. G.1. statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. D. F. a license notice giving the public permission to use the Modified Version under the terms of this License. State on the Title page the name of the publisher of the Modified Version. I. if any. You may omit a network location for a work that was published at least four years before the Document itself. year. These titles must be distinct from any other section titles. Preserve all the Invariant Sections of the Document. Include an unaltered copy of this License. and its title. as the publisher. In any section entitled "Acknowledgements" or "Dedications". J. unaltered in their text and in their titles. Delete any section entitled "Endorsements". Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section. http://people. Preserve the network location. authors. provided it contains nothing but endorsements of your Modified Version by various parties--for example. new authors. given in the Document for public access to a Transparent copy of the Document. preserve the section's title. Section numbers or the equivalent are not considered part of the section titles. L. you may at your option designate some or all of these sections as invariant. or if the original publisher of the version it refers to gives permission. and publisher of the Modified Version as given on the Title Page. Preserve all the copyright notices of the Document.unix-fu. create one stating the title. and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.Iptables Tutorial 1. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices. To do this. and publisher of the Document as given on its Title Page. and likewise the network locations given in the Document for previous versions it was based on. K. Preserve the section entitled "History".org/andreasson/iptables-tutorial/iptables-tutorial. Include. Such a section may not be included in the Modified Version. immediately after the copyright notices. These may be placed in the "History" section. H. then add an item describing the Modified Version as stated in the previous sentence.9 Página 82 C.

Iptables Tutorial 1.1.9

Página 83

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice. The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT
http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 84

WORKS
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document. If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.

8. TRANSLATION
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.

9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/. Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 85

following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

How to use this License for your documents
To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page: Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License". If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts. If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

GNU General Public License
Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 86

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.

1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 87

having been made by running the Program). Whether that is true depends on what the Program does. 3. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 4. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: 1. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 2. You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. 3. If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 5. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

unless that component itself accompanies the executable. You are not responsible for enforcing compliance by third parties to this License. complete source code means all the source code for all modules it contains. Accompany it with the information you received as to the offer to distribute corresponding source code. the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler.html 21:25:51 10/06/2002 . modify.9 Página 88 one of the following: 6. since you have not signed it. to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. Each time you redistribute the Program (or any work based on the Program). However. sublicense or distribute the Program is void. in accord with Subsection b above. modify. 9.) The source code for a work means the preferred form of the work for making modifications to it. distributing or modifying the Program or works based on it.org/andreasson/iptables-tutorial/iptables-tutorial. However. or rights. B. distribute or modify the Program subject to these terms and conditions. A. For an executable work. You are not required to accept this License. for a charge no more than your cost of physically performing source distribution. a complete machine-readable copy of the corresponding source code. and so on) of the operating system on which the executable runs.unix-fu. the recipient automatically receives a license from the original licensor to copy. http://people. If distribution of executable or object code is made by offering access to copy from a designated place. as a special exception. even though third parties are not compelled to copy the source along with the object code. plus the scripts used to control compilation and installation of the executable. plus any associated interface definition files. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. by modifying or distributing the Program (or any work based on the Program). 7. parties who have received copies. which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. nothing else grants you permission to modify or distribute the Program or its derivative works. to give any third party. C. and will automatically terminate your rights under this License. Accompany it with the complete corresponding machine-readable source code. valid for at least three years. You may not copy. Any attempt otherwise to copy. or. then offering equivalent access to copy the source code from the same place counts as distribution of the source code. sublicense. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer. Therefore.1. kernel. Accompany it with a written offer. 8. or.Iptables Tutorial 1. However. These actions are prohibited by law if you do not accept this License. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. or distribute the Program except as expressly provided under this License. and all its terms and conditions for copying. you indicate your acceptance of this License to do so.

so that distribution is permitted only in or among countries not thus excluded. Each version is given a distinguishing version number. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different. the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries. then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If. as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues). For example. you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. conditions are imposed on you (whether by court order.unix-fu. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces. Such new versions will be similar in spirit to the present version. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. this License incorporates the limitation as if written in the body of this License. If any portion of this section is held invalid or unenforceable under any particular circumstance.9 Página 89 10. it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. we sometimes make exceptions for this. this section has the sole purpose of protecting the integrity of the free software distribution system. For software which is copyrighted by the Free Software Foundation. write to the author to ask for permission.1. http://people. but may differ in detail to address new problems or concerns. write to the Free Software Foundation. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. then as a consequence you may not distribute the Program at all. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims. If the Program specifies a version number of this License which applies to it and "any later version". 12. If the Program does not specify a version number of this License. agreement or otherwise) that contradict the conditions of this License. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system.org/andreasson/iptables-tutorial/iptables-tutorial. which is implemented by public license practices.Iptables Tutorial 1. the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time.html 21:25:51 10/06/2002 . you may choose any version ever published by the Free Software Foundation. 11. they do not excuse you from the conditions of this License. if a patent license would not permit royaltyfree redistribution of the Program by all those who receive copies directly or indirectly through you. In such case.

9 Página 90 13. REPAIR OR CORRECTION. NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE.1. EITHER EXPRESSED OR IMPLIED. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty. END OF TERMS AND CONDITIONS 2. THERE IS NO WARRANTY FOR THE PROGRAM. YOU ASSUME THE COST OF ALL NECESSARY SERVICING. EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE.Iptables Tutorial 1. INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS). To do so. INCLUDING. and each file should have at least the "copyright" line and a pointer to where the full notice is found. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. TO THE EXTENT PERMITTED BY APPLICABLE LAW.org/andreasson/iptables-tutorial/iptables-tutorial. the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.html 21:25:51 10/06/2002 . BE LIABLE TO YOU FOR DAMAGES. attach the following notices to the program. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. and you want it to be of the greatest possible use to the public. INCLUDING ANY GENERAL. <one line to give the program's name and a brief idea of what it does. or (at your option) any later version. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER. http://people. SPECIAL. either version 2 of the License. How to Apply These Terms to Your New Programs If you develop a new program. 14.> Copyright (C) <year> <name of author> This program is free software.unix-fu. BUT NOT LIMITED TO. you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. SHOULD THE PROGRAM PROVE DEFECTIVE.

1. Suite 330.9 Página 91 This program is distributed in the hope that it will be useful.Iptables Tutorial 1.firewall script #!/bin/sh # # rc. Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY. 1 April 1989 Ty Coon. See the GNU General Public License for more details. alter the names: Yoyodyne. This is free software. You should have received a copy of the GNU General Public License along with this program. If your program is a subroutine library. and you are welcome to redistribute it under certain conditions. for details type `show w'. write to the Free Software Foundation.Initial SIMPLE IP Firewall script for Linux 2.4. MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school. type `show c' for details.. the commands you use may be called something other than `show w' and `show c'. Example scripts codebase Example rc. Boston. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. use the GNU Library General Public License instead of this License. Inc. 59 Temple Place.unix-fu. If this is what you want to do. you may consider it more useful to permit linking proprietary applications with the library. they could even be mouse-clicks or menu items--whatever suits your program. Inc. if any. but WITHOUT ANY WARRANTY. <signature of Ty Coon>. if not. If the program is interactive.html 21:25:51 10/06/2002 .. Of course.firewall . The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. President of Vice This General Public License does not permit incorporating your program into proprietary programs.org/andreasson/iptables-tutorial/iptables-tutorial. Here is a sample.net> # http://people. make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69. to sign a "copyright disclaimer" for the program. if necessary. hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

Iptables Tutorial 1.2 Local Area Network configuration.9 Página 92 # This program is free software.1.3 DMZ Configuration.255" LAN_IFACE="eth1" # # 1. # # your LAN's IP range and localhost IP.html 21:25:51 10/06/2002 .168. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. /24 means to only use the first 24 # bits of the 32 bit IP adress.50.0 # LAN_IP="192.2 PPPoE # # # 1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. Inc.1 Internet Configuration. the same as netmask 255.236.1. See the # GNU General Public License for more details.168. http://people. # # This program is distributed in the hope that it will be useful.168.0.255. write to the Free Software Foundation. # but WITHOUT ANY WARRANTY.255.unix-fu. Suite 330.1. 59 Temple # Place.0. # # # 1..255. version 2 of the License. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.2" LAN_IP_RANGE="192.155" INET_IFACE="eth0" # # 1. # INET_IP="194.org/andreasson/iptables-tutorial/iptables-tutorial.0/16" LAN_BCAST_ADRESS="192. Boston. if not.1 DHCP # # # 1. Configuration options. MA 02111-1307 USA # ########################################################################### # # 1.

9 Página 93 # # # 1.html 21:25:51 10/06/2002 .1" # # 1.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT http://people.Iptables Tutorial 1.5 IPTables Configuration.0.4 Localhost Configuration.0.6 Other Configuration. # # # Needed to initially load modules # /sbin/depmod -a # # 2.org/andreasson/iptables-tutorial/iptables-tutorial.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2. Module loading.unix-fu. # ########################################################################### # # 2. # IPTABLES="/usr/sbin/iptables" # # 1. # LO_IFACE="lo" LO_IP="127.1.

org/andreasson/iptables-tutorial/iptables-tutorial. # ###### # 4.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets http://people.9 Página 94 #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. # # # 3. rules set up. /proc set up.1.unix-fu.html 21:25:51 10/06/2002 .1 Filter table # # # 4.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.1.Iptables Tutorial 1.

org/andreasson/iptables-tutorial/iptables-tutorial.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.1.9 Página 95 # # Create separate chains for ICMP.1.html 21:25:51 10/06/2002 . TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.Iptables Tutorial 1.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports http://people.unix-fu.

1.html 21:25:51 10/06/2002 .5 FORWARD chain # http://people.Iptables Tutorial 1.1.4 INPUT chain # # # Bad TCP packets we don't want.9 Página 96 # # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.RELATED \ -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial.1. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.unix-fu.

2 nat table # http://people.html 21:25:51 10/06/2002 . # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.org/andreasson/iptables-tutorial/iptables-tutorial.RELATED -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.Iptables Tutorial 1.1. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.unix-fu.9 Página 97 # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.6 OUTPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above.

2.3.4 PREROUTING chain # # # 4.6 OUTPUT chain # ###### # 4.unix-fu.1 Set policies # # # 4.3.2.3 Create content in user specified chains # # # 4.3.html 21:25:51 10/06/2002 .9 Página 98 # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.2 Create user specified chains # # # 4.3 Create content in user specified chains # # # 4.2.2.3.1 Set policies # # # 4.2 Create user specified chains # # # 4.3 mangle table # # # 4.2.2.1.4 PREROUTING chain # http://people.Iptables Tutorial 1.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.

without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. write to the Free Software Foundation. version 2 of the License.net> # # This program is free software.firewall script #!/bin/sh # # rc. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # # This program is distributed in the hope that it will be useful. 59 Temple # Place.1. Suite 330.8 POSTROUTING chain # Example rc.unix-fu.7 OUTPUT chain # # # 4. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.3. MA 02111-1307 USA # ########################################################################### # # 1.org/andreasson/iptables-tutorial/iptables-tutorial.. Boston. # but WITHOUT ANY WARRANTY.3. Configuration options.4.DMZ IP Firewall script for Linux 2.9 Página 99 # # 4.DMZ. if not.DMZ.Iptables Tutorial 1.html 21:25:51 10/06/2002 .3. See the # GNU General Public License for more details.firewall .5 INPUT chain # # # 4.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.3. Inc. # # http://people.6 FORWARD chain # # # 4.

1.236.2 Local Area Network configuration.0/16" LAN_BCAST_ADRESS="192.html 21:25:51 10/06/2002 .5 IPTables Configuration.0.168.1. /24 means to only use the first 24 # bits of the 32 bit IP adress.1 Internet Configuration.1.1" DMZ_IFACE="eth2" # # 1.1" # # 1.org/andreasson/iptables-tutorial/iptables-tutorial.3 DMZ Configuration. # INET_IP="194.0.168.2" DMZ_DNS_IP="192.168. the same as netmask 255. # LO_IFACE="lo" LO_IP="127.4 Localhost Configuration.1 DHCP # # # 1.2 PPPoE # # # 1.2" LAN_IP_RANGE="192.236.168.0.50.153" DNS_IP="194.50.0.255.168.168. # IPTABLES="/usr/sbin/iptables" http://people.50. # DMZ_HTTP_IP="192.152" HTTP_IP="194.1.9 Página 100 # 1.Iptables Tutorial 1.1.1.255.0 # LAN_IP="192.3" DMZ_IP="192. # # your LAN's IP range and localhost IP.236.unix-fu.255" LAN_IFACE="eth1" # # 1.154" INET_IFACE="eth0" # # 1.255.

html 21:25:51 10/06/2002 . # ########################################################################### # # 2.unix-fu.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2. /proc set up.Iptables Tutorial 1.9 Página 101 # # 1.1.6 Other Configuration.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.1 Required proc configuration # http://people.org/andreasson/iptables-tutorial/iptables-tutorial. # # # Needed to initially load modules # /sbin/depmod -a # # 2. # # # 3. Module loading.

# ###### # 4.1. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1. rules set up.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 102 echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.1 Filter table # # # 4.3 Create content in userspecified chains # http://people.html 21:25:51 10/06/2002 .1.1.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.Iptables Tutorial 1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.unix-fu.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.

RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # 4. DMZ or LOCALHOST # # # From DMZ Interface to DMZ firewall IP # http://people.org/andreasson/iptables-tutorial/iptables-tutorial.1.9 Página 103 # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.html 21:25:51 10/06/2002 .Iptables Tutorial 1.1.4 INPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Packets from the Internet to this box # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # # Packets from LAN.unix-fu.

RELATED \ -j ACCEPT # # Logging rule # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.9 Página 104 $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT # # From LAN Interface to LAN firewall IP # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT # # From Localhost interface to Localhost IP # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT # # All established and related packets incoming from the internet to the # firewall # $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.1.1.unix-fu.html 21:25:51 10/06/2002 .5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # DMZ section # # General rules # $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT http://people.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.

1.1.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets http://people.9 Página 105 $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \ --state ESTABLISHED.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.RELATED -j ACCEPT $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT # # HTTP server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ --dport 80 -j allowed $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ -j icmp_packets # # DNS server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j allowed $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j ACCEPT $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ -j icmp_packets # # LAN section # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.html 21:25:51 10/06/2002 .RELATED -j ACCEPT # # LOG all packets reaching here # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.unix-fu.

2.2.2.2 nat table # # # 4.2.Iptables Tutorial 1.4 PREROUTING chain # # # Enable IP Destination NAT for DMZ zone # $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \ -j DNAT --to-destination $DMZ_HTTP_IP $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP # # 4.9 Página 106 # # Allow ourself to send packets not spoofed everywhere # $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT # # Logging rule # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.html 21:25:51 10/06/2002 .1 Set policies # # # 4.5 POSTROUTING chain # http://people.2 Create user specified chains # # # 4.unix-fu.1.2.3 Create content in user specified chains # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.

3 mangle table # # # 4.3.3.2.1.9 Página 107 # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.3.5 INPUT chain # # # 4.7 OUTPUT chain # # # 4.4 PREROUTING chain # # # 4.8 POSTROUTING chain # http://people.1 Set policies # # # 4.3 Create content in user specified chains # # # 4.Iptables Tutorial 1.3.3.html 21:25:51 10/06/2002 .unix-fu.3.2 Create user specified chains # # # 4.3.3.6 FORWARD chain # # # 4.6 OUTPUT chain # ###### # 4.org/andreasson/iptables-tutorial/iptables-tutorial.

firewall . you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.2 PPPoE # # # 1.1.155" INET_IFACE="eth0" # # 1.Iptables Tutorial 1.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net> # # This program is free software.50. # # This program is distributed in the hope that it will be useful.org/andreasson/iptables-tutorial/iptables-tutorial.1 Internet Configuration.4. 59 Temple # Place. # # # 1.9 Página 108 Example rc. write to the Free Software Foundation. Suite 330.firewall script #!/bin/sh # # rc.1.2 Local Area Network configuration. Configuration options. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.html 21:25:51 10/06/2002 . /24 means to only use the first 24 http://people. # INET_IP="194. See the # GNU General Public License for more details.1 DHCP # # # 1.. # # your LAN's IP range and localhost IP. version 2 of the License. if not. Boston.236. MA 02111-1307 USA # ########################################################################### # # 1. # but WITHOUT ANY WARRANTY. Inc.1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.UTIN Firewall script for Linux 2.unix-fu.UTIN.

0.255.1.unix-fu. # # # 1.Iptables Tutorial 1. # ########################################################################### # # 2.4 Localhost Configuration.html 21:25:51 10/06/2002 .6 Other Configuration.3 DMZ Configuration.255" LAN_IFACE="eth1" # # 1.255.168.org/andreasson/iptables-tutorial/iptables-tutorial.2" LAN_IP_RANGE="192.168. # LO_IFACE="lo" LO_IP="127. # # # Needed to initially load modules # /sbin/depmod -a # # 2. the same as netmask 255.0.5 IPTables Configuration.255.1" # # 1.9 Página 109 # bits of the 32 bit IP adress.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat http://people.0. Module loading.0 # LAN_IP="192.168.0/16" LAN_BCAST_ADRESS="192. # IPTABLES="/usr/sbin/iptables" # # 1.0.

1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.9 Página 110 /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP http://people.Iptables Tutorial 1.1. /proc set up.1 Filter table # # # 4.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.1.html 21:25:51 10/06/2002 . # ###### # 4. # # # 3.

1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.1.Iptables Tutorial 1.html 21:25:51 10/06/2002 .9 Página 111 $IPTABLES -P FORWARD DROP # # 4. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.unix-fu.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT http://people.org/andreasson/iptables-tutorial/iptables-tutorial.1.

unix-fu. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from anywhere # $IPTABLES -A INPUT -p ICMP -j icmp_packets $IPTABLES -A INPUT -p TCP -j tcp_packets $IPTABLES -A INPUT -p UDP -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.1.9 Página 112 # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.Iptables Tutorial 1.1. # http://people.4 INPUT chain # # # Bad TCP packets we don't want.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.

# $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.1.RELATED -j ACCEPT # # Log weird packets that don't match the above.9 Página 113 $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.unix-fu.6 OUTPUT chain # # # Bad TCP packets we don't want.org/andreasson/iptables-tutorial/iptables-tutorial.1. # $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.html 21:25:51 10/06/2002 . # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # http://people.Iptables Tutorial 1.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward between interfaces.

2.2.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.4 PREROUTING chain # # # 4.Iptables Tutorial 1.2.9 Página 114 # Log weird packets that don't match the above.2.3 mangle table # # # 4.1.org/andreasson/iptables-tutorial/iptables-tutorial.2.1 Set policies # # # 4.1 Set policies # # http://people.2.6 OUTPUT chain # ###### # 4.3.3 Create content in user specified chains # # # 4.html 21:25:51 10/06/2002 .2 Create user specified chains # # # 4. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.unix-fu.2 nat table # # # 4.

2 Create user specified chains # # # 4.3 Create content in user specified chains # # # 4.DHCP.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.8 POSTROUTING chain # Example rc.3.firewall script #!/bin/sh # # rc.4.9 Página 115 # 4.3.3.unix-fu.1.DHCP IP Firewall script for Linux 2. # but WITHOUT ANY WARRANTY.firewall .5 INPUT chain # # # 4.3. # # This program is distributed in the hope that it will be useful.4 PREROUTING chain # # # 4. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it http://people.3. See the # GNU General Public License for more details.6 FORWARD chain # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.7 OUTPUT chain # # # 4.Iptables Tutorial 1.3.html 21:25:51 10/06/2002 .3. version 2 of the License.net> # # This program is free software. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.

Iptables Tutorial 1.1.9

Página 116

# from; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA 02111-1307 USA # ########################################################################### # # 1. Configuration options. # # # 1.1 Internet Configuration. # INET_IFACE="eth0" # # 1.1.1 DHCP # # # Information pertaining to DHCP over the Internet, if needed. # # Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP # over the Internet set this variable to yes, and set up the proper IP # adress for the DHCP server in the DHCP_SERVER variable. # DHCP="no" DHCP_SERVER="195.22.90.65" # # 1.1.2 PPPoE # # Configuration options pertaining to PPPoE. # # If you have problem with your PPPoE connection, such as large mails not # getting through while small mail get through properly etc, you may set # this option to "yes" which may fix the problem. This option will set a # rule in the PREROUTING chain of the mangle table which will clamp # (resize) all routed packets to PMTU (Path Maximum Transmit Unit). # # Note that it is better to set this up in the PPPoE package itself, since # the PPPoE configuration option will give less overhead. # PPPOE_PMTU="no" # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 117

# 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1" # # 1.3 DMZ Configuration. # # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. #

########################################################################### # # 2. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1 Required modules # /sbin/modprobe ip_conntrack http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 118

/sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_MASQUERADE # # 2.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc

########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 119

$IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 120

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT if [ $DHCP == "yes" ] ; then $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.1.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

unix-fu.1. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.org/andreasson/iptables-tutorial/iptables-tutorial. http://people.9 Página 121 $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \ --state ESTABLISHED.1.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.RELATED -j ACCEPT # # Log weird packets that don't match the above.RELATED -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.html 21:25:51 10/06/2002 .6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.Iptables Tutorial 1.

html 21:25:51 10/06/2002 .9 Página 122 # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # # Log weird packets that don't match the above.Iptables Tutorial 1.2 nat table # # # 4.2. then $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN.org/andreasson/iptables-tutorial/iptables-tutorial.2.4 PREROUTING chain # # # 4.RST SYN \ -j TCPMSS --clamp-mss-to-pmtu fi $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE # # 4. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2.3 mangle table http://people.3 Create content in user specified chains # # # 4.2.2 Create user specified chains # # # 4.5 POSTROUTING chain # if [ $PPPOE_PMTU == "yes" ] .2.2.6 OUTPUT chain # ###### # 4.1.1 Set policies # # # 4.unix-fu.

unix-fu.3.8 POSTROUTING chain # Example rc.2 Create user specified chains # # # 4.Iptables Tutorial 1.3.1.9 Página 123 # # # 4.6 FORWARD chain # # # 4.4 PREROUTING chain # # # 4.3.3.5 INPUT chain # # # 4.7 OUTPUT chain # # # 4.3.3.3 Create content in user specified chains # # # 4.flush-iptables script #!/bin/sh # http://people.html 21:25:51 10/06/2002 .3.org/andreasson/iptables-tutorial/iptables-tutorial.1 Set policies # # # 4.3.

59 Temple # Place. MA 02111-1307 USA # # Configurations # IPTABLES="/usr/sbin/iptables" # # reset the default policies in the filter table.flush-iptables .1. if not. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. # $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT # # reset the default policies in the nat table. # $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT # # flush all the rules in the filter and nat tables.unix-fu.Iptables Tutorial 1. # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F http://people. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. Suite 330. See the # GNU General Public License for more details. # # This program is distributed in the hope that it will be useful.org/andreasson/iptables-tutorial/iptables-tutorial.net> # # This program is free software. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT # # reset the default policies in the mangle table. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # but WITHOUT ANY WARRANTY. write to the Free Software Foundation. Boston.9 Página 124 # rc. version 2 of the License.html 21:25:51 10/06/2002 .Resets iptables to default values.. Inc.

write to the Free Software Foundation. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. MA 02111-1307 USA # # # Filter table.test-iptables .unix-fu. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. 59 Temple # Place.test-iptables script #!/bin/bash # # rc.Iptables Tutorial 1. # $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X Example rc.html 21:25:51 10/06/2002 .test script for iptables chains and tables.. Suite 330. all chains # iptables -t filter -A INPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter FORWARD:" http://people. Inc. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.9 Página 125 # # erase all chains that's not default in filter and nat table. # but WITHOUT ANY WARRANTY.org/andreasson/iptables-tutorial/iptables-tutorial. version 2 of the License. See the # GNU General Public License for more details. if not. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.1.net> # # This program is free software. # # This program is distributed in the hope that it will be useful. Boston.

unix-fu.9 Página 126 iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter FORWARD:" # # NAT table. all chains # iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle OUTPUT:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle OUTPUT:" Done.html 21:25:51 10/06/2002 . all chains except OUTPUT which don't work.9 Oskar Andreasson blueflux@koffein.net Copyright © 2001 by Oskar Andreasson http://people.1. # iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat OUTPUT:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat OUTPUT:" # # Mangle table.1. Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.

See the GNU General Public License for more details. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Boston. write to the Free Software Foundation. but WITHOUT ANY WARRANTY. Suite 330. and with no BackCover Texts. if not. with the Front-Cover Texts being "Original Author: Oskar Andreasson". You should have received a copy of the GNU General Public License within this tutorial. you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation. with the Invariant Sections being "Introduction" and all subsections. The scripts are free source. These scripts are distributed in the hope that they will be useful. A copy of the license is included in the section entitled "GNU Free Documentation License". 59 Temple Place. distribute and/or modify this document under the terms of the GNU Free Documentation License.1.html 21:25:51 10/06/2002 .1 How a rule is built Basics Tables Commands Matches Generic matches Implicit matches Explicit matches http://people.unix-fu.1. MA 02111-1307 USA Table of Contents Introduction Why this document was written How it was written About the author Dedications Preparations Where to get iptables Kernel setup 1 userland setup Compiling the userland applications Installation on Red Hat 7. All scripts in this tutorial are covered by the GNU General Public License. version 2 of the License. under the section entitled "GNU General Public License"..org/andreasson/iptables-tutorial/iptables-tutorial. Inc.9 Página 127 Permission is granted to copy.Iptables Tutorial 1. Version 1.

html 21:25:51 10/06/2002 .firewall Configuration options Initial loading of extra modules proc set up Displacement of rules to different chains Setting up the different chains used INPUT chain The TCP allowed chain The ICMP chain The TCP chain The UDP chain OUTPUT chain FORWARD chain PREROUTING chain of the nat table Starting the Network Address Translation http://people.9 Página 128 Targets/Jumps ACCEPT target DROP target QUEUE target RETURN target LOG target MARK target REJECT target TOS target MIRROR target SNAT target DNAT target MASQUERADE target REDIRECT target TTL target ULOG target Traversing of tables and chains General Mangle table 1 Nat table 2 Filter table rc.Iptables Tutorial 1.1.org/andreasson/iptables-tutorial/iptables-tutorial.firewall file example rc.unix-fu.firewall explanation of rc.

AGGREGATION WITH INDEPENDENT WORKS 8. PREAMBLE 1.unix-fu.txt rc.DMZ.firewall. VERBATIM COPYING 3.test-iptables.txt script structure The structure rc. TERMINATION 10. rc. APPLICABILITY AND DEFINITIONS 2. COMBINING DOCUMENTS 6.org/andreasson/iptables-tutorial/iptables-tutorial. 5.9 Página 129 Example scripts rc.UTIN.firewall.txt Detailed explanations of special commands Listing your active ruleset Updating and flushing your tables Common problems and questionmarks Passive FTP but no DCC State NEW packets but no SYN bit set Internet Service Providers who use assigned IP addresses ICMP types Other resources and links Acknowledgements History GNU Free Documentation License 0. TRANSLATION 9.flush-iptables.txt rc. COPYING IN QUANTITY 4.firewall.DHCP.txt 10. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents GNU General Public License http://people.Iptables Tutorial 1.firewall.txt rc. MODIFICATIONS 1.firewall.html 21:25:51 10/06/2002 .txt rc.1. COLLECTIONS OF DOCUMENTS 7.

flush-iptables script Example rc. Is it possible to allow passive FTP to your server. TERMS AND CONDITIONS FOR COPYING.Iptables Tutorial 1. A big thanks going out to them for their work and for their help on this tutorial that I wrote and maintain for boingworld.test-iptables script Introduction Why this document was written Well. Whenever you find something that's hard to understand.txt.9 Página 130 0. 2.firewall file since I find that example to be a good way to learn how to use iptables. DISTRIBUTION AND MODIFICATION 1. this file was originally based upon the masquerading HOWTO for those of you who recognize it.4.org/andreasson/iptables-tutorial/iptables-tutorial. Yes.flush-iptables. just consult this tutorial.firewall script Example rc. I will base most of the stuff here on the example rc.html 21:25:51 10/06/2002 .UTIN.DHCP. Also.firewall script Example rc.firewall script Example rc. This tutorial has turned a little bit harder to follow this way but at the same time it is more logical. I'm going to try to answer questions that some might have about the new possibilities like state matching. This document will guide you through the setup process step by step. How to Apply These Terms to Your New Programs Example scripts codebase Example rc. hopefully make you understand some more about the iptables package.x kernels.com. How it was written I've placed questions to Marc Boucher and others from the core netfilter team.DMZ. there's a small script that I wrote just in case you screw up as much as I did during the configuration available as rc. Preamble 1. but not allow outgoing DCC from IRC as an example? I will build this all up from an example rc.txt file that you can use in your /etc/rc. I have decided to just follow the basic chains and from there go down into each and one of the chains traversed in each due order. Among other things.1. http://people. I found a big empty space in the HOWTO's out there lacking in information about the iptables and netfilter functions in the new Linux 2.d/ scripts.unix-fu.firewall script Example rc.firewall.

tells the client about it. and in some respects I found the code not quite ready for release in full production. I wish I could make you just as happy as you make me. Second of all. at the same time having it fairly secure.Iptables Tutorial 1.unix-fu. I'd recommend everyone who uses ipchains or even older ipfwadm etc to upgrade unless they're happy with what their current code is capable of and if it does what they need it to. you could make a fairly secure network by dropping all incoming packages not destined to certain ports. There was some child diseases in the iptables code that I ran into in the beginning. I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. The iptables package also makes use of kernel space facilities which can be configured into the kernel during make configure . The new iptables is a good upgrade from the old ipchains in this regard. and then lets the client connect. Dedications First of all I would like to dedicate this document to my wonderful girlfriend Ninel. The necessary pieces will be discussed a bit further down in this document. She has supported me more than I ever can support her to any degree. Where to get iptables The iptables userspace package can be downloaded from the netfilter homepage. This chapter should hopefully get you set up and finished to go with your experimentation and installation of a firewall which should hopefully run smoothly in the future. It is people like those who makes this wonderful operating system possible. Today. Preparations This chapter is aimed at getting you started and to help you understand the role netfilter and iptables play in Linux today. Kernel setup To run the pure basics of iptables you need to configure the following options into the kernel while doing make config or one of it's related commands: http://people. sitting with my own LAN and wanting them all to be connected to the Internet.org/andreasson/iptables-tutorial/iptables-tutorial. Before. which assigns ports on the server.9 Página 131 About the author I'm someone with too many old computers on my hands. but this would be a problem with things like passive FTP or outgoing DCC in IRC.1.html 21:25:51 10/06/2002 .

This module is required if you want to do connection tracking on FTP connections.firewall.With this match we can match packets based on their TOS field.This module allows us to match packets with a whole range of destination ports or source ports. http://people. For example.txt example or anywhere else. If you don't add this module you won't be able to FTP through a firewall or gateway properly.This allows us to use a MARK match. If you want to use the more advanced options in IPTables. And of course you need to add the proper drivers for your interfaces to work properly. CONFIG_IP_NF_IPTABLES . We could for instance block packets based on what MAC address used and block a certain computer pretty well since the MAC address don't change. you need to set up the proper configuration options in your kernel. In other words.Iptables Tutorial 1. this is most definitely required if for anything in this tutorial to work at all.4. CONFIG_IP_NF_FTP . Normally this wouldn't be possible. It adds the whole iptables identification framework to kernel. among other things. CONFIG_IP_NF_MATCH_MAC . -m limit --limit 3/ minute would match a maximum of 3 packets per minute. Ethernet adapter.This module is needed to make connection tracking. it just adds the framework to the kernel.This option is required if you're going to use your computer as a firewall or gateway to the internet.txt to work. CONFIG_IP_NF_MATCH_MULTIPORT . if we use the target MARK we could mark a packet and then depending on if this packet is marked further on in the table. The above will only add some of the pure basics in iptables. we can match based on this mark. CONFIG_IP_NF_MATCH_TOS . and further down we will describe the actual target MARK. We don't use this option in the rc.firewall.This allows us to match packets based on MAC addresses.This module isn't exactly required but it's used in the example rc.unix-fu. CONFIG_IP_NF_MATCH_MARK .firewall. Every Ethernet adapter has it's own MAC address. but with this match it is.html 21:25:51 10/06/2002 . This module can also be used to avoid certain Denial of Service attacks.9 Página 132 CONFIG_PACKET .9 kernel and a brief explanation : CONFIG_IP_NF_CONNTRACK . Without this you won't be able to do anything at all with iptables. ie. Here we will show you the options available in a basic 2. that adds the possibility to control how many packets per minute that's supposed to be matched with a certain rule. I assume you'll want this since you're reading this at all.txt.This option allows applications and programs that needs to work directly to certain network devices. TOS stands for Type Of Service. NAT and Masquerading. This option is the actual match MARK. CONFIG_NETFILTER .This option is required if you want do any kind of filtering. Since FTP connections are quite hard to do connection tracking on in normal cases conntrack needs a so called helper.1. If you need to firewall machines on a LAN you most definitely should mark this option. masquerading or NAT. An example would be tcpdump or snort. CONFIG_IP_NF_MATCH_LIMIT . PPP and SLIP interfaces. TOS can also be set by certain rules in the mangle table and via the ip/ tc commands. You won't be able to do anything to be pretty honest. this module is required by the rc.org/andreasson/iptables-tutorial/iptables-tutorial. For example. This option provides the LIMIT match. Connection tracking is used by. For example. this option compiles the helper.

SLIP or some other connection that dynamically assigns us an IP.This option will add the possibility for us to do matching based on the owner of a socket. and most definitely on your network if you do not have the ability to add unique IP addresses as specified above.This module adds the MASQUERADE target. In the filter table you'll find the INPUT. we can allow only the user root to have Internet access.unix-fu. Note that this option is is not required for firewalling and masquerading of a LAN.This module allows network address translation. CONFIG_IP_NF_TARGET_MASQUERADE . masquerading etc. CONFIG_IP_NF_MATCH_UNCLEAN . or NAT. if we set up a MIRROR target on destination port HTTP on our INPUT chain and someone tries to access this port we would plainly bounce his packets back to himself and finally he would see his own homepage.This target is useful together with proxies for example. Instead of letting a packet pass right through.firewall. This module is used extensively in the rc. For example. We could for example drop these packets. http://people. this option is required for the example rc.txt to work properly. Hence. Mind you that TCP connections are always reset or refused with a TCP RST packet.9 Página 133 CONFIG_IP_NF_MATCH_TCPMSS . Masquerading gives a slightly higher load on the computer than NAT does.This module will add the possibility for us to match IP. CONFIG_IP_NF_FILTER . but mostly is. In other words. CONFIG_IP_NF_NAT . unless you are able to provide unique IP addresses for all hosts.This target allows us to specify that an ICMP error message should be sent in reply to incoming packets instead of plainly dropping them dead to the floor. if we've already seen trafic in two directions in a TCP connection. CONFIG_IP_NF_TARGET_MIRROR . Note that this match is still experimental and might not work for everyone. but we never know if they are legitimate or not. CONFIG_IP_NF_MATCH_OWNER . CONFIG_IP_NF_TARGET_REDIRECT . in it's different forms. but will work without us knowing the IP in advance. UDP and ICMP packets that looks strange or are invalid.This module will add the basic filter table which will enable you to do basic filtering. we have the possibility to make a transparent proxy this way. we remap them to go to our local box instead. CONFIG_IP_NF_TARGET_REJECT .org/andreasson/iptables-tutorial/iptables-tutorial. if we use DHCP. PPP.This option adds the possibility for us to match TCP packets based on their MSS field.1.This allows packets to be bounced back to the sender of the packet.txt example.This is one of the biggest news in comparison to ipchains.Iptables Tutorial 1. For instance if we don't know what IP we have to the Internet this would be the preferred way of getting the IP instead of using DNAT or SNAT. For example. this packet will be counted as ESTABLISHED. This module is required if you plan to do any kind of filtering on packets that you receive and send.firewall. we need to use this target instead of SNAT. With this module we can do stateful matching on packets. With this option we can do port forwarding. This module was originally just written as an example on what could be done with the new iptables. For example. FORWARD and OUTPUT chains.html 21:25:51 10/06/2002 . TCP. Note that this match is still experimental and might not work perfectly in all cases. In other words. CONFIG_IP_NF_MATCH_STATE .

Iptables Tutorial 1. This may be for various reasons such as the patch not being stable yet. We can then use the TCPMSS target to overcome this by clamping our MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit). These functions should be added in the future.html 21:25:51 10/06/2002 . CONFIG_IP_NF_COMPAT_IPCHAINS . we'll be able to handle what the authors of netfilter themself call "criminally braindead ISPs or servers" in the kernel configuration help.txt script to work. We can use this module to log certain packets to syslogd and hense see the packet further on. If you need help with the options that the other scripts needs. This way.Compatibility mode with old ipfwadm. etcetera. Do absolutely not look at this as a real long term solution.firewall. CONFIG_IP_NF_TARGET_TCPMSS .This adds the LOG target to iptables and the functionality of it. or as modules. If you would like to get a look at more options.unix-fu. look at the example firewall scripts section. I have briefly explained what kind of extra behaviours you can expect from each module here. for the rc. Do not look at this as any real long term solution for solving migration from Linux 2.4. These are only the options available in a vanilla Linux 2.4 kernels since it may well be gone with kernel 2. but has not quite made it in yet. This can result in webpages not getting through. This could be useful for forensics or debugging a script you're writing.1. ssh works but scp dies after handshake. As you can see. You will need the following options compiled into your kernel. to Linus Torvalds being unable to keep up or not wanting to let the patch in to the mainstream kernel yet since it is still experimental. CONFIG_PACKET CONFIG_NETFILTER CONFIG_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT http://people. POM fixes are additions that are supposed to be added in the kernel in the future but has not quite reached the kernel yet. CONFIG_IP_NF_COMPAT_IPFWADM . I suggest you look at the patch-o-matic functions in netfilter userland which will add heaps of other options in the kernel.6.Adds a compatibility mode with the old ipchains.9 Página 134 CONFIG_IP_NF_TARGET_LOG .2 kernels to 2.9 kernel.org/andreasson/iptables-tutorial/iptables-tutorial.This option can be used to overcome Internet Service Providers and servers who block ICMP Fragmentation Needed packets. there is a heap of options. small mails getting through while larger mails don't get through.

tar. Hopefully the package should now be unpacked properly into a directory named iptables-1. For more information read the iptables-1. However. http://people. This compilation goes quite a lot hand in hand with the kernel configuration and compilation so you are aware of this.The step described here will only check patches that are pending for inclusion to the kernel. Some of these are highly experimental and may not be a very good idea to install. and other distributions further on in this chapter Compiling the userland applications First of all unpack the iptables package. let's look at how we compile the iptables package.Iptables Tutorial 1. one of these are Red Hat 7. there are heaps of extremely interesting matches and targets in this installation step so don't be afraid of at least looking at them.1.(this can also be accomplished with the tar -xjvf iptables-1. However.3/INSTALL file which contains pretty good information on compiling and getting the program to run.bz2. which may only be available when you do some other steps. userland setup First of all.3.1. which should do pretty much the same as the first command.org/andreasson/iptables-tutorial/iptables-tutorial.2. this may not work with older versions of tar).2. and most probably you will know yourself where the kernel source is available.bz2 | tar -xvf . However. there is the option to install extra modules and options etcetera to the kernel.3.2.tar.txt script.html 21:25:51 10/06/2002 . we have used the iptables 1. Certain distributions comes with the iptables package preinstalled. there are some even more experimental patches further along.3.4. Here. Normally this should be /usr/src/linux/ but this may vary. In the other example scripts I will explain what requirements they have in their respective section.firewall.1 it is disabled per default.2.unix-fu. in Red Hat 7. We will check closer on how to enable it on this.9 Página 135 CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE The above will be required at the very least for the rc. Unpack as usual.3 package and a vanilla 2. lets try to stay focused on the main script which you should be studying now. After this. For now.9 kernel. To do this step we do something like this from the root of the iptables package: make pending-patches KERNEL_DIR=/usr/src/linux/ The variable KERNEL_DIR should point to the actual place that your kernel source is located at. using bzip2 -cd iptables-1.2.

You may totally ignore the above steps if you don't want to patch your kernel. To use any of the changes in the iptables userland applications you should definitely recompile and reinstall your kernel by now if you haven't done so http://people.org/andreasson/iptables-tutorial/iptables-tutorial. One way to install these are by doing the following: make most-of-pom KERNEL_DIR=/usr/src/linux/ The above command would ask about installing parts of what in netfilter world is called patch-o-matic. If everything has worked smoothly. you're on your own. but is a bit further away from actually getting there. To be able to install all of the patch-o-matic stuff you will need to run the following command: make patch-o-matic KERNEL_DIR=/usr/src/linux/ Don't forget to read the help for each patch thoroughly before doing anything. To compile iptables you issue a simple command that looks like this: make KERNEL_DIR=/usr/src/linux/ The userland application should now compile properly. You may wait with the kernel compilation until after the compilation of the userland program iptables if you feel like it. you would issue the following command to install them: make install KERNEL_DIR=/usr/src/linux/ Hopefully everything should work in the program now. it is in other words not necessary to do the above.html 21:25:51 10/06/2002 . though. Continue by compiling the iptables userland application.1. There is a few things that might go wrong with the installation of iptables so don't panic if it won't work.Iptables Tutorial 1. or possibly try the netfilter mailing list who might help you with your problems. try to think logically about it and find out what's wrong or get someone to help you. but still skip the most extreme patches that might cause havoc in your kernel. Some patches will destroy other patches while others may destroy your kernel if used together with some patches from patch-omatic etc. There might be more patches and additions that the developers of netfilter are about to add to the kernel. However. you may either compile a new kernel making use of the new patches that you have added to the source. Don't forget to configure the kernel again since the new patches probably are not added to the configured options and so on.unix-fu. because that's what these commands actually do. To do this. They ask you before anything is changed in the kernel source. there are some really interesting things in the patch-o-matic that you may want to look at so there's nothing bad in just running the commands and see what they contain.9 Página 136 This only asks about certain patches that are just about to enter the kernel anyways. Note that we say ask. you're ready to install the binaries by now. After this you are finished doing the patch-o-matic parts of installation. if not.

you will need to change some filenames in the /etc/rc. we need to know which runlevels we want it to run in. Installation on Red Hat 7. 3. The default Red Hat 7. check the INSTALL file in the source which contains excellent information on the subject of installation.d/ directory-structure. The first letter which per default would be S tells the initscripts to start the script. to stop the service from actually running right now we need to run another command. and a lot of people are asking different mailing lists why iptables don't work. ie. 3 and 5. To make iptables run in these runlevels we would do the following commands: chkconfig --level 235 iptables on http://people. So.1 installation today comes with an utterly old version of the userspace applications so you might want to compile a new version of the applications as well as install a new and homecompiled kernel before fully exploiting iptables.9 Página 137 before. These runlevels are used for the following things: 2. By changing this to K we tell it to Kill the service instead. First of all you will need to turn off the ipchains modules so it won't start in the future. to start the iptables service. they have disabled the whole thing by using the backwards compatible ipchains module. Now the service won't be started in the future. The following command should do it: chkconfig --level 0123456 ipchains off By doing this we move all the soft links that points to the real script to K92ipchains.1.1 comes preinstalled with a 2. To do this.html 21:25:51 10/06/2002 . X11. However.org/andreasson/iptables-tutorial/iptables-tutorial. or to not run it if it was not previously started. Annoying to say the least. let's take a brief look at how to turn the module off and how to install iptables instead.4. It also contains all the basic userland programs and configuration files that is needed to run it.Iptables Tutorial 1. however. Full multiuser mode. This is used if you automatically boot into Xwindows. Multiuser without NFS or the same as 3 if there is no networking. Normally this would be in runlevel 2. the normal runlevel to run in.1 Red Hat 7. This is the service command which can be used to work on currently running services.x kernel that has netfilter and iptables compiled in. First of all.unix-fu. For more information about installing the userland applications from source. 5. We would then issue the following command to stop the ipchains service: service ipchains stop Finally.

This step is only necessary if you will install iptables from the source package. for example. why keep ipchains lying around when it is of no use? That is done the same way as with the old iptables binaries.d/iptables script. if you add the rules under the start) section don't forget to stop the start() function from running in the start) section.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . The second way of doing the set up would require the following steps to be taken. and level 6 is for shutting the computer down.d/init. The other way would be to load the ruleset and then save them with the iptables-save command and then have it loaded automatically by the rc. This would have the bad effect that the rules would be deleted if you updated the iptables package by RPM. When you reboot the computer in the future. When you find a set up that works without problems or bugs as you can see.1. and don't forget to experiment a bit.unix-fu. ie. Also. do as follows: rpm -e iptables And of course.d script will use the command iptablesrestore to restore the ruleset from the save-file /etc/sysconfig/iptables. don't forget to edit a the stop) section either which tells the script what to do when the computer is going down for example.Iptables Tutorial 1. To add rules that should be run when the computer starts the service.d script. or when we are entering a runlevel that don't require iptables to run. Note. that will meet your requirements. there is two common ways. Red Hat Network automatically updating your packages. don't forget to check out the restart section and condrestart. when you need to fix a screwed up box.d scripts. you add them under the start) section. etc: http://people. the iptables rc. We do this since we don't want the system to mix up the new iptables userland application with the old preinstalled iptables applications. you chould edit the /etc/rc. make and write a ruleset in a file. When all of these steps are finished we can deinstall the currently installed ipchains and iptables packages.9 Página 138 The above commands would in other words make the iptables service run in runlevel 2. This file is automatically used by the iptables rc. none of the other runlevels should be used. To do the deinstallation. The other way to save the script would be to use service iptables save which would save the script automatically to this file. First of all. You could either use it normally. First of all. If you'd like the iptables service to run in some other runlevel you would have to issue the same command in those.d script to restore the ruleset in the future. there is no rules in the iptables script. or directly with iptables. It's not unusual that the new and the old package get's mixed up since the rpm based installation installs the package in non-standard places and won't get overwritten by the installation for the new iptables package. To add rules to an Red Hat 7.1 box. or in the start() function. It may also be erased by updating from the iptables RPM package. Do not intermix this and the previous set up instruction since they may heavily damage eachother and render each and one useless. First we will describe the possibility of doing the set up by cut and paste to the iptables init. use the iptables-save command. Note that this set up may be automatically erased if you have. such as iptables-save > /etc/sysconfig/ iptables which would save the ruleset to the file /etc/sysconfig/iptables. we just run the following command: service iptables start Of course. Also. Level 4 should be unused. 3 and 5. To activate the iptables service. However. Level 1 is for single user mode. so you should not really need to activate it for those runlevels.

None of the old binaries. It could be set pretty much anywhere in the rule.Iptables Tutorial 1. We could specify what IP address the packet must come from. or to delete a rule. How a rule is built This chapter will discuss in legth how to build your rules. if you read someone elses script you'll most likely recognise the way of writing a rule and understand it quickly. The match is the part which we send to the kernel that says what a packet must look like to be matched.9 Página 139 rpm -e ipchains After all this is done you are finished to update the iptables package from source according to the source installation instructions. are met. There is a heap of different matches that we can use that we will look closer at further on in this chapter. it is more or less standard to put the table specification at the beginning of the commandline. One thing to think about though. you could insert the table specification where [table] is specified. If all the criterias. or jump. either. However. We use this first variable to tell the program what to do. however.unix-fu. or matches. new subchains). however. for example to insert a rule or to add a rule to the end of the chain. we perform the target. We will also discuss the basic matches that str available and how to use them as well as the different targets and how we can make new targets to use (ie. we have used this way of writing rules since it is the most usual way of writing them. Basics As we've already explained each rule is a line that the kernel looks at to find out what to do with a packet. you would do this normally to get a better readability. A rule could be described as the pure rules the firewall will follow when blocking different connections and packets in each chain. or directly after the table specification. It is not required to put the table specification at this location. Normally we would write a rule something like this: iptables [-t table] command [match] [target/jump] There is nothing that says that the target instruction must be last in the line. or which network interface the packet must come from etc. the command should always be first. instruction.html 21:25:51 10/06/2002 . it is not necessary to specify it explicitly all the time since iptables per default uses the filter table to implement your commands on. Hence. libraries or include files etc should be lying around any more.1. If you want to use another table than the standard table. This tells the iptables command what to do. We will enter this a bit further on. http://people. Each line you write that's inserted to a chain should be considered a rule. Also.org/andreasson/iptables-tutorial/iptables-tutorial.

PREROUTING is used for altering packets just as they enter the firewall and before they hit the routing decision. 21:25:51 10/06/2002 mangle filter http://people. The table consists of two built in chains. The following options are available to the -t command: Table 1. The first packet of a stream is allowed. OUTPUT is used for changing and altering locally generated packets before they enter the routing decision. we presume.1. The rest of the packets in the same stream are automatically NAT'ed or Masqueraded etc. Packets in a stream only traverse this table once. As with the rest of the content in this section. Examples of this would be to change the TTL. on the firewall) before they get to the routing decision. Tables The -t option specifies which table to use. the nat table was made for these kinds of operations. Note that OUTPUT is currently broken. We could tell the kernel to send the packet to another chain that we create ourself.org/andreasson/iptables-tutorial/iptables-tutorial. This table is used mainly for mangling packets. Finally we have the POSTROUTING chain which is used to alter packets just as they are about to leave the firewall. The filter table should be used for filtering packets generally. the filter table is used. Note that mangle can not be used for any kind of Network Address Translation or Masquerading. ACCEPT or REJECT packets without problems as in the other tables. as we will discuss more in length further on. which must be part of this table. in case they are supposed to have those actions taken on them. Tables Table nat Explanation The nat table is used mainly for Network Address Translation. For example. We could change different packets and how their headers look among other things. There are three chain built in to this table.Iptables Tutorial 1. LOG. we'll look closer at them further on in the chapter. INPUT is used on all packets that are destined for our local host (the firewall) and OUTPUT is finally used for all locally generated packets. in other words). we could DROP.unix-fu.html . Per default. This is one reason why you should not do any filtering in this table. but a mark for the packet is set in kernelspace which other rules or programs might use further on in the firewall to filter or do advanced routing on with tc as an example. We could tell the kernel to drop this packet dead and do no further processing. but instead they will automatically have the same actions taken to them as the first packet in the stream. TOS or MARK. or we could tell kernel to send a specified reply to be sent back. The first one is named FORWARD and is used on all non-locally generated packets that are not destined for our localhost (the firewall. If all the matches are met for a packet we tell the kernel to perform this action on the packet. the PREROUTING and OUTPUT chains.9 Página 140 Finally we have the target of the packet. The PREROUTING chain is used to alter packets as soon as they get in to the firewall. The OUTPUT chain is used for altering locally generated packets (ie. Note that the MARK is not really a change to the packet. The rest of the packets in the stream will in other words not go through this table again.

The following commands are available to iptables: Table 2.. We will discuss the tables and chains more in the Traversing of tables and chains chapter.1. but instead of totally deleting the entry. If you use the first way of deleting rules.Iptables Tutorial 1. -D. It works in the same way as the --delete command. --append iptables -A INPUT .0. This could be done in two ways. The rule is inserted at the actual number that we give. In other words. iptables -D INPUT 1 This command deletes a rule in a chain.9 Página 141 The listing above has hopefully explained the basics about the three different tables that are available. --replace iptables -R INPUT 1 -s 192. they must match totally to the entry in the chain. This might be good while experimenting with iptables mainly. either by specifying a rule to match with the -D option (as in the first example) or by specifying the rule number that we want to match. Commands In this section we will bring up all the different commands and what can be done with them.168.html 21:25:51 10/06/2002 . the rules are numbered from the top of each chain. the above example would be inserted at place 1 in the INPUT chain. unless you append or insert more rules later on. This command appends the rule to the end of the chain. The rule will will in other words always be put last in the ruleset in comparison to previously added rules. --insert iptables -I INPUT 1 --dport 80 -j ACCEPT Insert a rule somewhere in a chain.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial. --delete iptables -D INPUT --dport 80 -j DROP.1 -j DROP This command replaces the old entry at the specified line. Commands Command Example Explanation -A. If you use the second way. it will replace it with a new entry. and you should know what to use each chain for. -R. and hence it would be the http://people. If you do not understand their usage you may well fall into a pit once someone finds the hole you have unknowingly placed in the firewall yourself.. Normally we want to either add or delete something to some table or another. They should be used for totally different things. and hence be checked last. and the top rule is number 1. The command tells iptables what to do with the rest of the commandline that we send to the program. -I.

All packets that don't match any rule will then be forced to use the policy of the chain. and then the packet counters are zeroised. If you have used the -v option with the -L command. -L. see the Tables section). -F. -Z. you would have to replace or delete all rules referring to the chain before actually deleting the chain. --list iptables -L INPUT This command lists all the entries in the specified chain. -N. To zero this packet counter. Note that there must be no target of the same name previously to creating it.Iptables Tutorial 1. -P. and will then delete all rules in all chains within the specified table. In the above example we create a chain called allowed.9 Página 142 absolutely first rule in the chain from now on. the command would list all the chains in the specified table (To specify a table.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. In other words.1. there must be no rules that are referring to the chain that is to be deleted. The exact output is affected by other options sent to the program. --zero iptables -Z INPUT This command tells the program to zero all counters in a specific chain or in all chains. on a chain. If this command is used without any options. Legal targets are: DROP. all chains that are not built in will be deleted from the specified table. -X. If -L and -Z is used together (which is legal). This option works the same as -L except that -Z won't list the rules. --flush iptables -F INPUT This command flushes the specified chain from all rules and is equivalent to deleting each rule one by one but is quite a bit faster. for example the -n and -v options. --new-chain iptables -N allowed This command tells the kernel to create a new chain by the specified name in the specified table. or policy. you have probably seen the packet counter in the beginning of each field. It's also legal to not specify any chain at all. --rename-chain iptables -E allowed disallowed http://people. The command can be used without options. etcetera. ACCEPT and REJECT (There might be more. --delete-chain iptables -X allowed This command deletes the specified chain from the table. In the above case. --policy iptables -P INPUT DROP This command tells the kernel to set a specified default target. For this command to work. mail me if so) -E. we would list all the entries in the INPUT chain. use the -Z option. the chains will first be listed. In the last case.html 21:25:51 10/06/2002 .

the program will output detailed information on what happens to the rules and if it was inserted correctly etcetera. you could use the -x option described later. Note that this option is only usable in the --list command and isn't really relevant for any of the other commands. A command should always be specified. Also note that we do not tell you any options here that is only used to affect rules and matches. The matches and targets are instead looked upon in a later section of this chapter. This option overrides the default of resolving all numerics to hosts and names if possible. unless you just want to list the built-in help for iptables or get the version of the command. Note that we tell you with which commands the options can be used and what effect they will have. M (x1. If used together with the --list command it makes the output from the command include the interface address.9 Página 143 The -E command tells iptables to rename the first name of a chain. -x. --delete or --replace commands. If this option is used with the --append. To overcome this and to get exact output.000.000) multipliers. These counters uses the K (x1000).000. in other words.000) and G (x1. use the -h option. just a cosmetic change to the table. --verbose --list. It is. --numeric --list This option tells iptables to output numerical values. The --list command will also include a bytes and packet counter for each rule if the --verbose option is set. use the -v option and to get the help message. In the example above we would. Note that this will not affect the actual way the table will work. IP addresses and port numbers will be printed by using their numerical values and not hostnames. in other words.1. in other words. The output from --list will in other words not contain the K. network names or application names. Table 3. -n. --line-numbers --list http://people. --insert. This option is only applicable to the --list command. To get the version. As usual. --delete. Instead we will get an exact output of how many packets and bytes that has matched the rule in question from the packets and bytes counters.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. Here comes a few options that can be used together with a few different commands.unix-fu. rule options and TOS masks. change the name of the chain from allowed to disallowed.html 21:25:51 10/06/2002 . --append. --replace This command shows a verbose output and is mainly used together with the --list command. --exact --list This option expands the numerics. Options Option Commands used with Explanation -v. --insert. to the second name. M or G multipliers.000.

In such cases it might be necessary to specify this option so the program knows what to do in case a needed module is not loaded. The syntax would be something like --set-counters 20 4000. --protocol is in itself a match. Matches This section will talk a bit more about the matches.unix-fu. owner and limit matches and so on. I have also added the --protocol match here. We have UDP matches which can only be applied to UDP packets and ICMP matches which can only be used on ICMP packets. The following matches are always available. No special parameters are in other words needed to load these matches at all. We can then use the option to initialize the packets and bytes counters of the rule. For example. --replace This option is used when creating a rule in some way or modifying it. Generic matches Command Example http://people. Each rule is numbered together with this option and it might be easier to know which rule has which number when you're going to insert rules. which would tell the kernel to set the packet counter to 20 and byte counter to 4000. Generic matches This section will deal with Generic matches.9 Página 144 The --line-numbers command is used to output line numbers together with the --list command. It could be used if your modprobe command is not somewhere in the searchpath etc. -c. even though it is needed to use some protocol specific matches. too.Iptables Tutorial 1. if we want to use an TCP match.1. A generic match is a kind of match that is always available whatever kind of protocol we are working on or whatever match extensions we have loaded. This option only works with the --list command. --append. This option can be used with all commands. I hope this is a reasonable breakdown and that all people out there can understand this breakdown. Finally we have special matches such as the state. First of all we have the generic matches which are generic and can be used in all rules. These final matches has in turn been split down to even more subcategories even though they might not necessarily be different matches at all.html 21:25:51 10/06/2002 . --modprobe All The --modprobe option is used to tell iptables which command to use when probing for modules to the kernel. --set-counters --insert. since it can be used to match specific protocols. Table 4. we need to use the --protocol match and send TCP as an option to the match. I've chosen to split down the matches into five different subcategories here. Then we have the TCP matches which can only be applied to TCP packets.org/andreasson/iptables-tutorial/iptables-tutorial. However.

0/24 and both would be equivalent to each other. We could then match whole IP ranges.0). Examples of protocols are TCP.168. such as udp. --protocol Explanation iptables -A INPUT -p tcp This match is used to check for certain protocols.168. We could also inverse the match with an ! just as before.255 form (ie.tcp which would match all UDP and TCP packets.168. 192.1.0. it means ALL protocols.x range. The line http://people.html 21:25:51 10/06/2002 . so -protocol ! tcp would mean to match the ICMP and UDP protocols.168. except that it matches based on where the packets are going. we can add a netmask either in the exact netmask form.0/24.255.255.0. Finally. is to assume a string value of +. It works pretty much the same as the --source match and has the same syntax. which in turn is the default behaviour in case the --protocol match is not used. The protocol may also take a numeric value. --in-interface iptables -A INPUT -i eth0 This match is used to match based on which interface the packet came in on. The + string can also be used at the end of an interface.255. --src.1.168. FORWARD and PREROUTING chains and will render an error message when used anywhere else.1.1 would in other words match all packets except those not destined to the 192. First of all the protocol match can take one of the three aforementioned protocols. This would match all packets in the 192. The line would then look something like.0/255. If we would in other words use a match in the form of --source ! 192.1 The --destination match is used to match packets based on their destination address or addresses. for example.0.0.168. We can also invert the meaning of this option with the help of the ! sign. which means to match all of the previous protocols.168. --destination ! 192.x range.0. -i.0/24 we would match all packets with a source address not coming from within the 192. and eth+ would in other words match all ethernet devices. the program knows about all the protocols in the /etc/protocols file as we already explained.1.1 IP address. One way is to do it with an regular netmask in the 255. If this match is given the numeric value of zero (0).255. --source iptables -A INPUT -s 192. The main form can be used to match single IP addresses such as 192.255.0. or in the number of ones (1's) counted from the left side of the netmask bits.org/andreasson/iptables-tutorial/iptables-tutorial. It could be used with a netmask in a bits form. -s. The default behaviour of this match.168.255.Iptables Tutorial 1.1. To match an IP range. This match can also be inversed with the ! sign. The default is to match all IP addresses. Note that this option is only legal in the INPUT.0/ 255.168. A single + would in other words tell the kernel to match all packets without considering which interface it came in on. It would then look like either 192. just as before. and the other way is to only specify the number of ones (1's) on the left side of the network mask.168.0. The command may also take a comma delimited list of protocols. --destination iptables -A INPUT -d 192. -d. --dst. The + value is used to match a string of letters and numbers. in case the match is not specified.1 This is the source match which is used to match packets based on their source IP address. 192. We could also invert the whole match with an ! sign. such as 255 which would mean the RAW IP protocol. This means that we could for example add /24 to use a 255.255. such as our local networks or network segments behind the firewall.9 Página 145 -p.168.unix-fu.0 netmask. as well as ALL.0.0 or like 192. This list can vary a bit at the same time since it uses the /etc/protocols if it can not recognise the protocol itself. UDP and ICMP.255.0.168.

http://people. To inverse the meaning of the match. What this means is that we match all the first fragments of a fragmented packets. which would mean to match all incoming interfaces. among other things. This option can also be used in conjunction with the ! sign. The TCP based matches contain a set of different matches that are available for only TCP packets. and so on. in opposite of the --in-interface match. and the same thing for ICMP packets. The reason for this is that in the case of fragmented packets. Note that the --protocol tcp match must be to the left of the protocol specific matches. Also note that there are defragmentation options within the kernel that can be used which are really good. and hence this match was created.9 Página 146 would then have a syntax looking something like -i ! eth0. TCP matches These matches are protocol specific and are only available when working with TCP packets and streams. fragments. Also. -o.Iptables Tutorial 1. As a secondary note. To use these matches you need to specify --protocol tcp on the command line before trying to use these matches. Of course. however. just as the UDP and ICMP matches are loaded implicitly. Such fragments of packets will not be matched by other rules when they look like this. Other than this. Implicit matches This section will describe the matches that are loaded implicitly. third. fragmented packets might in rather special cases be used to compile attacks against computers. When this match is inversed. There is also explicitly loaded matches that you must load explicitly with the -m or -match option which we will go through later on in the next section. in this case the ! sign must precede the match. Implicit matches are loaded automatically when we tell iptables that this rule will match for example TCP packets with the --protocol match. We also match all packets that has not been fragmented during the transfer. --fragment iptables -A INPUT -f This match is used to match the second and third part of a fragmented packet. we match all head fragments and/or unfragmented packets.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial. The + extension is understood so you can match all eth devices with eth+ and so on. and UDP based matches contain another set of matches that are available only for UDP packets.1. in case you use connection tracking you will not see any defragmented packets since they are dealt with before hitting any chain or table in iptables. --out-interface iptables -A FORWARD -o eth0 The --out-interface match is used to match packets depending on which interface they are leaving on. you can use the ! sign in exactly the same sense as in the --ininterface match. -f. regardless of where the packet is going.html 21:25:51 10/06/2002 . These matches are loaded implicitly in a sense. and not the second. nor ICMP types. like this ! -f. The other matches will be looked over in the continuation of this section. after the TCP match section. UDP matches and ICMP matches. These are TCP matches. the default behaviour if this match is left out is to match all devices. there is no way to tell the source or destination ports of the fragments. it works pretty much the same as the --ininterface match. There are currently three types of implicit matches that are loaded automatically for three different protocols. Note that this match is only available in the OUTPUT. except eth0. FORWARD and POSTROUTING chains.

URG. If we inversed the port specification in the port range so the highest port would be first and the lowest would be last. however. it would be understood just the same as --source-port 22:80.unix-fu. This match can either take a service name or a port number.html 21:25:51 10/06/2002 . If you specify the port by port number. --destination-port iptables -A INPUT -p tcp --dport 22 This match is used to match TCP packets depending on its destination port. iptables automatically reverses the inversion. And if the last port specification is omitted.Iptables Tutorial 1. look at the multiport match extension. Both lists should be comma-delimited. look at the multiport match extension. --tcp-flags iptables -p tcp --tcp-flags SYN. TCP matches Match Example Explanation --sport. ACK. which in turn would mean that we want to match all ports but port 22 through 80. you should definitely do this by port numbers since you will be able to notice the difference(On a slow box. as well as inversions. The inversion could also be used together with a port range and would then look like --source-port ! 22:80. In other words. or turned on. If you specify a service name. --source-port iptables -A INPUT -p tcp --sport 22 The --source-port match is used to match packets based on their source port. RST. PSH http://people. It understands port and port range specifications. It uses exactly the same syntax as the --source-port match. --dport.9 Página 147 Table 5. Note that this match does not handle multiple separated ports and port ranges. The match knows about the SYN. FIN. If you are writing a ruleset consisting of a 200 rules or more. the service name must be in the / etc/services file since iptables uses this file to look up the service name in. If a source port definition looked like -source-port 80:22. exactly the same as -source-port in syntax.ACK. Note that this match does not handle multiple separated ports and port ranges. We could also invert a match by adding a ! sign like --source-port ! 22 which would mean that we want to match all ports but port 22. the port 0 is assumed to be the one we mean. This example would match all source ports between 22 and 80. If we omit the first port specification.1. the entry of the rule will be slightly faster since iptables don't have to check up the service name. For more information about this. If we would write --source-port 22: we would in turn get a port specification that tells us to match all ports from port 22 through port 65535. The match will also assume the values of 0 or 65535 if the high or low port is left out in a port range specification. it could be a little bit harder to read in case you specify the numeric value. --source-port :80 would then match port 0 through 80.FIN SYN This match is used to match depending on the TCP flags in a packet. The --source-port match can also be used to match a whole range of ports in this fashion --source-port 22:80 for example. It does also reverse high and low ports in a port range specification if the high port went into the first spot and the low port into the last spot. First of all the match takes a list of flags to compare (a mask) and second it takes list of flags that should be set to 1.org/andreasson/iptables-tutorial/iptables-tutorial. this could make as much as 10 seconds if you are running a large ruleset consisting of 1000 rules or so). port 65535 is assumed. For more information about this.

Note that the state machine will work on all kinds of packets even though UDP or ICMP packets are counted as connectionless protocols.unix-fu. UDP packets do not require any kind of acknowledgement either. This would tell the match to match all packet with the FIN or the ACK bits set. --source-port iptables -A INPUT -p udp --sport 53 http://people. --syn iptables -p tcp --syn The --syn match is more or less an old relic from the ipchains days and is still there out of compatibility reasons. If you block these packets. in other words packets in an already established connection.1. and hence there is no such thing as different flags to set in the packet to give data on what the datagram is supposed to do. ALL and NONE is pretty much self describing. These matches are implicitly loaded when you specify the --protocol UDP match and will be available after this specification. they are simply lost (Not taking ICMP error messaging etcetera into account). you will not have blocked the outgoing connections which a lot of exploits today uses (for example.ACK. way. The state machine works pretty much the same on UDP packets as on TCP packets. Such packets are used to request new TCP connections from a server mainly. such as open or closing a connection. --tcp-flags ALL NONE would in other words mean to check all of the TCP flags and match if none of the flags are set. you should have effectively blocked all incoming connection attempts. --tcp-option iptables -p tcp --tcp-option 16 This match is used to match packets depending on their TCP options. This command would in other words be exactly the same as the --tcp-flags SYN. ! --syn. This match can also be inverted with the ! sign in this. ALL means to use all flags and NONE means to use no flags for the option it is set. or if they are just simply supposed to send data.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. Also note that the comma delimitation should not include spaces. however. This means that there is quite a lot less matches to work with on a UDP packet than there is on TCP packets.html 21:25:51 10/06/2002 . Note that UDP packets are not connection oriented.FIN SYN match. Table 6.9 Página 148 flags but it also recognizes the words ALL and NONE. There will be more about the state machine in a future chapter. This match is used to match packets if they have the SYN bit set and the ACK and FIN bits unset. hack a legit service and then make a program or such make the connect to you instead of setting up an open port on your host). The correct syntax could be seen in the example above. UDP matches This section describes matches that will only work together with UDP packets. If they are lost. This option can also be inverted with the ! sign. and for ease of traversing from one to the other. UDP matches Match Example Explanation --sport.

among other things. One example is if we try to access an unaccessible IP adress. to invert this we could do --destination-port ! 53. port 65535 is assumed. This would match all ports but port 80. we would get an ICMP host unreachable in return. If the high port comes before the low port. but more of a protocol beside the IP protocol that helps handling errors. For more information about this. The headers of a ICMP packet are very similar to those of the IP headers.org/andreasson/iptables-tutorial/iptables-tutorial.1. ICMP matches Match Example Explanation --icmp-type http://people. --source-port ! 53 fashion. --destination-port iptables -A INPUT -p udp --dport 53 The same goes for this match as for the UDP version of --source-port. For more information about this. ICMP matches These are the ICMP matches. see the ICMP types appendix. If the second port is omitted. Note that this match does not handle multiple ports and port ranges. ICMP is not a protocol subordinated to the IP protocol. It is used to perform matches on packets based on their source UDP ports. port 65535 is assumed. we would do --destination-port 22:80 for example. This example would match all packets destined for UDP port 22 through 80.html 21:25:51 10/06/2002 . add a ! sign in this. port 0 is assumed. The match handles port ranges.For a complete listing of ICMP types. If the last port is omitted.unix-fu. but will work with UDP packets instead. single ports and port inversions with the same syntax.Iptables Tutorial 1. Of course. but contains differences. If the first port is omitted. look at the multiport match extension. There is only one ICMP specific match available for ICMP packets. The main feature of this protocol is the type header which tells us what the packet is to do. The ICMP protocol is mainly used for error reporting and for connection controlling and such features. the match can understand service names as long as they are available in the /etc/services file. single ports and inversions. port 0 is assumed. Table 7. If the high port is placed before the low port. These packets are even worse than UDP packets in the sense that they are connectionless. To invert the port match. look at the multiport match extension. Note that this match does not handle multiple separated ports and port ranges. The match is used to match packets based on their UDP destination port. Note that all the generic matches can also be used. so we can know source and destination adress too. the ports switch place with eachother automatically. it is exactly the same as the equivalent TCP match. --dport. The first would match all UDP packets going to port 53 while the second would match packets but those going to the destination port 53. and hopefully this should suffice. they automatically switch place so the low port winds up before the high port. Single UDP port matches look as in the example above. To specify a port range. To make a UDP port range you could do 22:80 which would match UDP ports 22 through 80.9 Página 149 This match works exactly the same as its TCP counterpart. If the first value is omitted. This match is implicitly loaded when we use the --protocol ICMP match and we get access to it automatically. To match a single port we do --destination-port 53. It has support for port ranges.

If we would like to use the state matches for example. Explicit matches Explicit matches are matches that must be specifically loaded with the -m or --match option. To find a complete listing of the ICMP name values. they should mostly be useful since it all depends on your imagination and your needs. do a iptables --protocol icmp --help. redirect packets to the wrong places. Some of these matches may be specific to some protocols. however. this match will only be possible to use on ethernet based networks. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01. or was created for testing/experimental use or plainly to show examples of what could be accomplished with iptables. This match is excellent to use to do limited logging of specific rules etcetera. For example. MAC match Table 8. The difference between implicitly loaded matches and explicitly loaded ones is that the implicitly loaded matches will automatically be loaded when you.unix-fu. --icmp-type ! 8. ICMP types can be specified either by their numeric values or by their names. This match is also only valid in the PREROUTING.html 21:25:51 10/06/2002 . or check the ICMP types appendix. MAC match options Match Example Explanation --mac-source iptables -A INPUT --mac-source 00:00:00:00:00:01 This match is used to match packets based on their MAC source address. you could use this to match all packets http://people. This in turn means that all these matches may not always be useful.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 150 iptables -A INPUT -p icmp --icmp-type 8 This match is used to specify the ICMP type to match. Numerical values are specified in RFC 792. we would have to write -m state to the left of the actual match using the state matches. match TCP packets. and others again may be "dangerous" for a simple host since they may. FORWARD and INPUT chains and nowhere else. Limit match The limit match extension must be loaded explicitly with the -m limit option.Iptables Tutorial 1. This match can also be inverted with the ! sign in this. fashion. while explicitly loaded matches will not be loaded automatically in any case and it is up to you to activate them before using them. else it will not be legal. Note that some ICMP types are obsolete. Note that since MAC addresses are only used on ethernet type networks. for example.1. This would in other words reverse the meaning of the match so all packets except packets from this MAC address would be matched. among other things.

of course. The ports must be comma delimited. This is its main usage. This number gets recharged by one every time the limit specified is not reached.53. Multiport match options Match Example Explanation --source-port iptables -A INPUT -p tcp -m multiport --source-port 22. which would sometimes mean you would have to make several rules looking exactly the same just to match different ports. The limit match may also be inversed by adding a ! flag in front of the limit match explicit loading. A maximum of 15 separate ports may be specified.html 21:25:51 10/06/2002 . or 3/hour.1.org/andreasson/iptables-tutorial/iptables-tutorial.110 This match matches multiple source ports. Table 9.unix-fu.Iptables Tutorial 1.80. This match is specified with a number and an optional time specifier. up to this number. send me a mail and I'll try to make this more understandable). is that when we add this match we limit how many times a certain rule may be matched in a certain timeframe. The following time specifiers are currently recognised: /second /minute / hour /day. it would then look like -m ! limit. What this means. Limit match options Match Example Explanation --limit iptables -A INPUT -m limit --limit 3/hour This sets the maximum average matching rate of the limit match. The default value is 5.9 Página 151 that goes over the edge of a certain chain. The default value here is 3 per hour. Multiport match The multiport match extension can be used to specify more destination ports and port ranges than one. This match may only be used in http://people. This tells the limit match how many times to let this match run per timeunit (ie /minute). as you can see in the example. This means that all packets will be matched after they have broken the limit. but there are more usages. (If anyone got a good/better and simpler explanation than this. and get limited logging of this. --limit-burst iptables -A INPUT -m limit --limit-burst 5 This is the setting for the burst limit of the limit match. Table 10. It tells iptables the maximum initial number of packets to match.

110 This match extension can be used to match packets based both on their destination port and their source port. Mark match options Match Example Explanation --mark iptables -t mangle -A INPUT -m mark --mark 1 This match is used to match packets that have previously been marked.80.unix-fu. http://people. A mark is a special field only maintained within the kernel that is associated with the packets as they travel through the computer.53. As of today. --destination-port iptables -A INPUT -p tcp -m multiport --destination-port 22. If this mark field matches the mark match it is a match. The mark field is currently set to an unsigned integer. hence the limit of 65535 possible marks to use within your ruleset. Marks can be set with the MARK target which we will discuss a bit more later on in the next section.1. except that it matches destination ports. hence there can be a maximum of 65535 different marks.80. there is only one way of setting a mark in Linux.110 This match is used to match multiple destination ports. It can take a maximum of 15 ports specified to it in one argument. It can only be used in conjunction with -p tcp and -p udp. namely the MARK target in iptables. this is why people still refer to FWMARK in advanced routing areas. The mark specification would then look like. Table 11. --port iptables -A INPUT -p tcp -m multiport --port 22. The mark field is an unsigned integer. In other words. with or without the packet.Iptables Tutorial 1. for example.org/andreasson/iptables-tutorial/iptables-tutorial. You may also use a mask with the mark. This was previously done with the FWMARK target in ipchains. If a mask is specified. All packets traveling through netfilter gets a special mark field associated with them. It works the same way as the --source-port and --destination-port matches above. for example.9 Página 152 conjunction with the -p tcp or -p udp matches. Mark match The mark match extension is used to match packets based on the marks they have set. It is mainly an enhanced version of the normal --sourceport match.html 21:25:51 10/06/2002 . port 80 to port 80 and if you have specified port 80 to the --port match. you are probably not going to run into this limit in quite some time. the actual computer itself. it is logically ANDed with the mark specified before the actual comparison. It has a maximum specification of 15 ports and may only be used in conjunction with -p tcp and -p udp. --mark 1/1. Note that this mark field does not in any way travel outside.53. Note that this means that it will only match packets that comes from. They may be used by different kernel routines for such tasks as traffic shaping and filtering. It works exactly the same way as the source port match mentioned just above.

This extension was originally written as an example on what iptables might be used for. or another possible use could be to block everyone but the httpuser from creating packets from HTTP. Table 12. --gid-owner iptables -A OUTPUT -m owner --gid-owner 0 This match is used to match all packets based on their Group ID (GID). Notorious packets of that sort is different ICMP responses among other things. or as described above to only allow "httpgroup" to be able to create packets going out on the HTTP port. One possible use would be to block any other user than root to open new connections outside your firewall. Owner match options Match Example Explanation --uid-owner iptables -A OUTPUT -m owner --uid-owner 500 This packet match will match if the packet was created by the given User ID (UID). This could be used to block all but the users part of the "network" group from getting out onto the internet. It is pretty much impossible to find out any information about who sent a packet on the other end. but one example would be to only allow PID 94 to send packets on the HTTP port.org/andreasson/iptables-tutorial/iptables-tutorial. or we could write a small script that grabs the PID from a ps output for a specific daemon and then adds a rule for it. This means that we match all packets based on what group the user creating the packets are in. never match. This could be used to match outgoing packets based on who created them. If anyone have an idea for the usage of this match.html 21:25:51 10/06/2002 . (If anyone has actually used this match for a production server.unix-fu. ICMP responses will.9 Página 153 Owner match The owner match extension is used to match packets based on who created them. Even within the OUTPUT chain it is not very reliable since certain packets may not have an owner.Iptables Tutorial 1. please give me a note of it and of other possible uses. This match is a bit harder to use. http://people. or if we where an intermediate hop to the real destination. hence. --pid-owner iptables -A OUTPUT -m owner --pid-owner 78 This match is used to match packets based on their Process ID (PID) and which PID created the packets. for obvious reasons. I would love to hear what they used it for and how they did it). --sid-owner iptables -A OUTPUT -m owner --sid-owner 100 This match is used to match packets based on their Session ID and the Session ID used by the program in question.1. This match only works within the OUTPUT chain as it looks today.

Note that this option is regarded as experimental and may not work at all times. however you should be aware that this may break legal connections too.org/andreasson/iptables-tutorial/iptables-tutorial. Finally. This allows us to know in what state the connection is. Table 13. including stateless protocols such as ICMP and UDP. This match tries to match packets which seems malformed or unusual. NEW and RELATED. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid. and works for pretty much all protocols. INVALID. There is currently 4 states that can be used. hence. TOS match http://people. This could for example mean an FTP data transfer. Unclean match The unclean match takes no options and requires no more than explicit loading when you want to use it. such as packets with bad headers or checksums and so on. State matches Match Example Explanation --state iptables -A INPUT -m state --state RELATED. However.unix-fu. there may be times where this could be useful. RELATED means that the packet is starting a new connection and is associated with an already established connection.Iptables Tutorial 1. not be considered very good in cases where we have only one firewall and no load balancing between different firewalls. For more information on how this could be used. NEW means that the packet has or will start a new connection. This concept will be more deeply introduced in a future chapter since it is such a large area. This match needs to be loaded explicitly by adding a -m state statement to the rule. nor will it take care of all unclean packages or problems. You will then have access to one new match. or an ICMP error associated with an TCP or UDP connection for example. In all cases.html 21:25:51 10/06/2002 . or that it is associated with a connection that has not seen packets in both directions. INVALID means that the packet is associated with no known stream or connection and that it may contain faulty data or headers. ESTABLISHED.1. This could be used to DROP connections and to check for bad streams etcetera. there will be a default timeout for the connection and it will then be dropped from the connection tracking database. read in the future chapter on the state machine. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should.9 Página 154 State match The state match extension is used in conjunction with the connection tracking code in the kernel and allows access to the connection tracking state of the packets.ESTABLISHED This match option tells the state match what states the packets must be in to be matched.

Table 15. Table 14. example of standard protocols that this includes are telnet. If the TTL reaches 0. or it needs to be able to send as much payload as possible). and is located in the IP header. an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is transmitted to the party sending the packet and telling about the problem.org/andreasson/iptables-tutorial/iptables-tutorial. Minimize-Cost 2 (0x02).Iptables Tutorial 1. TOS stands for Type Of Service. This match is only used to match packets based on their TTL. as well as in all kinds of matches. ie find the fastest route. TTL matches http://people. TTL match The TTL match is used to match packets based on their TTL (Time To Live) field residing in the IP header. Most do not care at all. or possibly one of the names given if you do an iptables -m tos -h. to mark packets for later usage together with the iproute2 and advanced routing functions in linux. Maximize-Throughput means to find a path that allows as big throughput as possible. This match is loaded explicitly by adding -m tos to the rule. SSH and FTP-control. The match takes an hex or numeric value as an option. some good protocols that would fit with this TOS values would be BOOTP and TFTP. you need to add an -m ttl to the rule. Normal-Service would finally mean any normal protocol that has no special needs for their transfers. This is true here. it can match packets based on their TOS field and their value. TOS matches Match Example Explanation --tos iptables -A INPUT -p tcp -m tos --tos 0x16 This match is used as described above. Maximize-Reliability 4 (0x04).1. but it tells us if there is any specific requirements for this stream such as that it needs to be sent as fast as possible. Maximize-Throughput 8 (0x08). To load this match. and what kind of content it has(not really. How different routers and people deal with these values depends.html 21:25:51 10/06/2002 .unix-fu. Minimize-Delay means to minimize the delay for the packets. consists of 8 bits.9 Página 155 The TOS match can be used to match packets based on their TOS field. At the time of writing it contained the following named values: Minimize-Delay 16 (0x10). Maximize-Reliability means to maximize the reliability of the connection and to use lines that are as reliable as possible. Some good protocols that would use this would be RTSP (Real Time Stream Control Protocol) and other streaming video/radio protocols. TOS is normally used to tell intermediate hosts the preceeding of the stream. Minimize-Delay means to minimize the delay until the packets gets through all the way to the client/server. This could be used for. while others try their best to do something good with the packets in question and the data they provide. and not to change anything. a standard protocol would be FTP-data. among other things. The TTL field contains 2 bits and is decremented once every time it is processed by an intermediate host between the client and host. and Normal-Service 0 (0x00).

Good examples of such rules are DROP and ACCEPT. it will automatically be ACCEPT'ed in the superset chain also and it will not traverse any of the superset chains any further. let's say we create a chain in the filter table called tcp_packets like this: iptables -N tcp_packets. the ACCEPT and DROP targets which we will deal with first of all targets. However. Targets may also end with different results one could say. it is required that the chain has already been created. however. Other targets. some targets will make the packet stop traversing the specific chain and superset chains as described above. it is only your imagination which stops you. do note that the packet will traverse all other chains in the other tables in a normal fashion. This may be good in cases where we want to take two actions on the same packet. Network Address Translationed and then be passed on to the other rules in the same chains. will not pass through any of the rules further on in the chain or superset chains. or to find possible infestations of trojans etcetera. It takes an numeric value and matches based on this value. There is also a number of other actions we may want to take which we will describe further on in this section. we get dropped back to the INPUT chain and the packet starts traversing from the rule one step below where it jumped to the other chain (tcp_packets in this case). Rules that are stopped. DROP or ACCEPT the packet depending on what we want to do.1. When/If we reach the end of that chain. Targets on the other hand specify an action to take on the packet in question. a good example of this would be the LOG. For example. The jump specification is done exactly the same as the target definition except that it requires a chain within the same table to jump to. or due to a malconfiguration). These packets may be logged. before we do that. As we have already explained before. what TOS value to use etcetera) while others have options not http://people. DNAT and SNAT targets.9 Página 156 Command Example Explanation --ttl iptables -A OUTPUT -m ttl --ttl 60 This match option is used to specify which TTL value to match. We could then add a jump target to it like this: iptables -A INPUT -p tcp -j tcp_packets. see the Traversing of tables and chains chapter. We would then jump from the INPUT chain to the tcp_packets chain and start traversing that chain. There is no inversion and there is no other specifics to this match. Targets/Jumps The target/jumps tells the rule what to do with a packet that is a perfect match with the match section of the rule. If a packet is ACCEPT'ed within one of the subchains. There is a few basic targets. To jump to a specific chain. This target could be used for debugging your local network.unix-fu. would be to find hosts with bad TTL values set as default (may be due to badly implemented TCP/IP stack. a chain is created with the -N command. such as both mangling the TTL and the TOS value of a specific packet/stream.org/andreasson/iptables-tutorial/iptables-tutorial. However. We could for example.Iptables Tutorial 1. Some targets will also take options that may be necessary (What address to do NAT to. The usage is pretty much limited. let us have a brief look at how a jump is done. as described above. For more information on table and chain traversing.html 21:25:51 10/06/2002 . for example hosts which seems to have problems connecting to hosts on the internet. One example. may take an action on the packet and then the packet will continue passing through the rest of the rules anyway.

and it does not require. the packet will continue to travel through the above chains in the structure as if nothing had happened. To use this target. the packet will not be processed in any of the above chains in the structure either. but available in any case (log prefixes. we specify it like -j ACCEPT.1. There is nothing special about this target whatsoever. or have the possibility. Let us have a look at what kinds of targets there are. it drops packets dead to the ground and refuses to process them anymore. QUEUE target Table 16. When a packet is perfectly matched and this target is set.Iptables Tutorial 1. especially when you want to block certain portscanners from getting to much information. masquerade to ports and so on). The target will not send any kind of information in either direction. the packet will http://people. that packets that was accepted in one chain will still travel through any subsequent chains within the other tables and may be dropped there. QUEUE target Option Example Explanation Option Example Explanation RETURN target The RETURN target will make the current packet stop travelling through the chain where it hit the rule. Also note that if a packet has the DROP action taken on them in a subchain.9 Página 157 necessary. A better solution would be to use the REJECT target in those cases.unix-fu. for example the INPUT chain.html 21:25:51 10/06/2002 . to add options to the target. If the chain is the main chain.org/andreasson/iptables-tutorial/iptables-tutorial. it is accepted and will not continue traversing the chain where it was accepted in. ACCEPT target This target takes no special options first of all. DROP target The DROP target does just what it says. If it is a subchain to another chain. Note that this action may be a bit bad in certain cases since it may leave dead sockets around on the server and client. such as filtered ports and so on. either to tell the client or the server as told previously. Do note. nor any of the calling chains. We will try to answer all these questions as we go in the descriptions. A packet that matches a rule perfectly and then has this action taken on it will be blocked and no further processing will be done.

which in this case would be the INPUT chain. LOG target The LOG target is specially made to make it possible to log snippets of information about packets that may be illegal. Also note that the ULOG target may be interesting in case you are getting heavy logs. The keyword error is the same as err. setting kern. For a complete list of loglevels read the syslog. err.Iptables Tutorial 1.html 21:25:51 10/06/2002 .conf for information about these kind of problems. For example. The priority defines the severity of the message being logged. but instead a problem of your syslogd configuration which you may find in /etc/syslog. The packet will then start traversing the EXAMPLE_CHAIN. Note that all three of these are deprecated. In other words. Also note that it may be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall since this may otherwise cause severe connectivity problems for your users. and all of a sudden it matches a specific rule which has the --jump RETURN target set. It will then jump back to the previous chain. and no more actions would be taken in this chain. notice. Another example would be if the packet hit a --jump RETURN rule in the INPUT chain. emerg and panic.=info /var/log/iptables in your syslog.unix-fu. in other words do not use error. warn and panic. alert. since the ULOG target has support for logging directly to MySQL databases and such. This information may then be read with dmesg or syslogd and likely programs and applications.1. Read more in man syslog. It would then be dropped to the default policy as previously described. This is an excellent target to use while you are debugging your rulesets to see what packets go where and what rules are applied on what packets. Normally there are the following log levels. Table 17. or for pure bughunting and errorfinding. All messages are logged through the kernel facility.conf file http://people. or priorities as they are normally referred to: debug. They are all listed below.conf. warning.9 Página 158 have the default policy taken on it. warn.conf manual. crit. warn is the same as warning and panic is the same as emerg. lets say a packet enters the INPUT chain and then hits a rule that it matches and that gives it --jump EXAMPLE_CHAIN. or want to set different options to specific values. The default policy is normally set to ACCEPT or DROP or something the like.org/andreasson/iptables-tutorial/iptables-tutorial. The LOG target currently takes five options that may be interesting to use in case you have specific needs for more information. info. The LOG target will log specific information such as most of the IP headers and other interesting information via the kernel logging facility. Note that it is not a iptables or netfilter problem in case you get your logs to the consoles or likely. LOG target options Option Example Explanation --log-level iptables -A FORWARD -p tcp -j LOG --log-level debug This is the option that we can use to tell iptables and syslog which log level to use. error.

Any log that is. check out the LARTC HOWTO. For more information on logging I recommend you to read the syslog and syslog. This works exactly thesame as the --log-tcp-options option. The TCP Sequence number are special numbers that identify each packet and where it fits into a TCP sequence and how the stream should be reassembled. In other words. which may contain logging messages from iptables. http://people.html 21:25:51 10/06/2002 . --log-tcp-options iptables -A FORWARD -p tcp -j LOG --log-tcp-options The --log-tcp-options option will log the different options from the TCP packets header.unix-fu.1. including whitespace and those kind of symbols.org/andreasson/iptables-tutorial/iptables-tutorial.conf manpages as well as other HOWTO's etcetera. The prefix may be up to 29 letters long. just the same as the previous option. you will be better off with the TOS target which will mangle the TOS value in the IP header. --log-ip-options iptables -A FORWARD -p tcp -j LOG --log-ip-options The --log-ip-options option will log most of the IP packet header options. --log-tcp-sequence iptables -A INPUT -p tcp -j LOG --log-tcp-sequence This option will log the TCP Sequence numbers together with the log message. MARK target The MARK target is used to set netfilter mark values that are associated with specific packets. for example. Note that the mark value is not set within the actual package. just as most of the LOG options. but is an value that is associated within the kernel with the packet. These logging messages may be valuable when trying to debug or finding out specific culprits and what goes wrong. but instead works on the IP options. etcetera. --log-prefix iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets" This option tells iptables to prefix all log messages with a specific prefix which may then be very good to use together with.Iptables Tutorial 1. Note that there may be other messages here as well from other parts of the kernel that uses the info priority. This option takes no variable fields or anything like that.9 Página 159 and then letting all your LOG messages in iptables use log level info. and will not work outside there. Note that this option is a security risk if the log is readable by any users. This target is only valid in the mangle table. would make all messages appear in the /var/log/iptables file. These may be valuable when trying to debug what may go wrong and what has gone wrong. you may not set a MARK for a package and then expect the MARK to still be there on another computer. grep and other tools to distinguish specific problems and outputs from specific rules. If this is what you want. or by the world for that matter. The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc). For more information on advanced routing.

Note that the chains that uses the REJECT target may only be called upon by the INPUT. and you may get some more information by looking in the appendix ICMP types.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial. Once we get a packet that matches a specific rule and we specify this target. MARK target options Option Example Explanation --set-mark iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2 The --set-mark option is required to set a mark. icmp-host-unreachable. the target will first of all send the specified reply. but it also sends back an error message to the host sending the packet that was blocked. The REJECT target is as of today only valid in the INPUT. icmp-proto-unreachable. there is one more option called tcp-reset which may only be used together with the TCP protocol. Table 19. There currently is only one option which controls the nature of how this target works. which would also be the only chains where it would make any sense to put this target in. There are currently the following reject types that can be used: icmp-net-unreachable. The --set-mark match takes an integer value. just the same as with the DROP target. For example.9 Página 160 Table 18. else they won't work. the http://people. REJECT target Option Example Explanation --reject-with iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset This option tells the REJECT target what response to send to the host that sent the packet that we found to be a match. icmp-portunreachable. which in turn may take a huge set of variables. FORWARD. REJECT target The REJECT target works basically the same as the DROP target. and OUTPUT chains. icmp-net-prohibited and icmphost-prohibited. or on all packets from a specific host and then do advanced routing on that host. Finally.html 21:25:51 10/06/2002 . The default error message is to send an port-unreachable to the host. limiting or unlimiting their network speed etcetera. but this option may only be used in conjunction with rules which would match ICMP ping packets.1. FORWARD and OUTPUT chain or subchains of those chains. Most of them are fairly easy to understand if you have a basic knowledge of TCP/IP. All of the above are ICMP error messages and may be set as you wish. and then the packet is dropped dead to the ground. There is also an option called echo-reply.unix-fu. we may set mark 2 to a specific stream of packets.

The default value on most packets http://people. As noted before. These values are Minimize-Delay (decimal value 16.2.Iptables Tutorial 1. As the TOS value consists of 8 bits. which in turn most probably would be mangled and the connection would never work. TOS target Option Example Explanation --set-tos iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 The --set-tos option tells the TOS mangler what TOS value to set on packets that are matched. As stated in the iptables man page. and can not be propagated with the packet. The TOS target only takes one option as described below. they will look at the TOS field and do the wrong thing based on the information. Minimize-Cost (decimal value 2. The option takes a numeric value. This is one of the few fields that can be used within iproute2 and its subsystem to route packets. this is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts. hex value 0x10). As stated previously. At best the routers will do nothing with the TOS field. at least within your own network. and they will not even look at them.2 or below) of iptables provided a broken implementation of this target which would not fix the packet checksum upon mangling.Transmission Control Protocol. hex value 0x08). this is the only way to propagate routing information between these routers and firewalls within the actual packet. the value may be 0-255.unix-fu. TOS target The TOS target is used to set the Type of Service field within the IP header.html 21:25:51 10/06/2002 . hex value 0x04). TCP RST are used to close open connections gracefully. hex value 0x00). Note that this target is only valid within the mangle table and can not be used outside it. At worst. The TOS field consists of 8 bits which are used to route packets.1. however. which won't accept your mail otherwise. Note that most of these values will never be used by anyone on the internet so you may be better of by using the named values available (which should be more or less standardized). For more information about the TCP RST read RFC 793 . the MARK target which sets a MARK associated with a specific packet is only available within the kernel. there is most definitely a good use if you have a large WAN or LAN with several routers and actually have the possibility to give packets different routes and preference depending on their TOS value. you should hence set the TOS field which was developed for this. or in hex 0x00-0xFF. There are currently a lot of routers on the internet which does a pretty bad job at this so it may be a bit useless as of now to do any TOS mangling before sending the packets on to the internet. hex 0x02) or Normal-Service (decimal value 0. Table 20.org/andreasson/iptables-tutorial/iptables-tutorial. Also note that if you handle several separate firewalls and routers. either in hex or in decimal value. Also note that some old versions (1.9 Página 161 tcp-reset option will tell REJECT to send an TCP RST packet in reply to the sending host. MaximizeReliability (decimal value 4. Maximize-Throughput (decimal value 8. If you feel a need to propagate routing information on how to do routing for a specific packet or stream. and hence rendered the packets bad and in need of retransmission.

the outside world would not know where to send reply packets. This listing is complete as of iptables 1. also. depending on how many hops there is between them. MIRROR target The MIRROR target is an experimental demonstration target only. Lets say we set up a MIRROR target for port 80 at computer A. and then to retransmit the packet. Note that the MIRROR target is only valid within the INPUT. since our local networks should use the IANA specified IP addresses which are allocated for LAN networks. For example. SNAT target The SNAT target is used to do Source Network Address Translation. For a complete listing of the "descriptive values". this does not make the target free of any likely problems. The result of this target is really simple. which would be our firewall. NAT or mangle tables to avoid loops and other problems. If we forwarded these packets as is.html 21:25:51 10/06/2002 . and then set an SNAT rule which would translate all packets from our local network to the source IP of our own internet connection. the packet will jump back and forth 240-255 times. However. hence resulting in a bad kind of Denial of Service. which means that this target will rewrite the Source IP address in the IP header of the packet. FORWARD and PREROUTING chains.Iptables Tutorial 1.1. this is good when we want several computers to share an internet connection. among other things. http://people. The SNAT target is only valid within the nat table. This results in some really funny things. The packet will then bounce back and forth a huge set of times.com back (since this is where he came from).org/andreasson/iptables-tutorial/iptables-tutorial. whichever we want to call them. Without doing this.9 Página 162 are Normal-Service. If computer B would be coming from yahoo. and tried to access the HTTP server at computer A. noone on the internet would know that they where actually from us. Not bad for a cracker in other words to send 1500 bytes of data.2. and eat up 380 kbyte of your connection. and see to it that the packet is spoofed so it looks as if it comes from another host that uses the MIRROR command. The SNAT target does all the translation needed to do this kind of work. The MIRROR target is used to invert the source and destination fields in the IP header.unix-fu. of course. the MIRROR target would make so computer B got the webpage at yahoo. and it should generally be recommended since the values behind the names may be changed if you are unlucky. Note that this is a best case scenario for the cracker or scriptkiddie. Note that you can. We could then turn on ip forwarding in the kernel.com. This is in other words the only place that you may do SNAT in. no further processing of rules in the POSTROUTING chain will be commenced on the packets in the same stream. Also note that the outgoing packets created by the MIRROR target is not seen by any of the normal chains in the filter. then all future packets in the same connection will also be SNAT'ed and. If the first packet in a connection is mangled in this fashion. and any user-defined chains which are only called from those chains. do an iptables -j TOS -h. letting all packets leaving our LAN look as if they came from a single host. and you should be warned of using this since it may result in really bad loops. or 0. If there is only 1 hop. and I would be quite sure that someone has had a good laugh at some cracker or another that has cracked his own box via this target by now.5 and should hopefully be so for another period of time. within the POSTROUTING chain. One thing would for example be to send a spoofed packet to a host that uses the MIRRORcommand with a TTL of 255. use the actual names instead of the actual hex values to set up the TOS value.

for example. and all subsequent packets in the same stream will be translated. and this is the target of the rule. for example. and the DNAT mechanism will choose the destination IP address at random for each stream. the packet. but if two hosts tries to use the same ports.9 Página 163 Table 21. which means that it is used to rewrite the Destination IP address of a packet. we will be able to deal with a kind of load balancing by doing this.html 21:25:51 10/06/2002 . takes one IP address to which we should transform all the source IP addresses in the IP header. As previously stated.unix-fu. There may also be an range of ports specified that should only be used by SNAT. If we want to balance between several IP addresses we could use an range of IP addresses separated by a hyphen. but no real IP to give it that will work on the internet. iptables will always try to not make any port alterations if it is possible. Note that this has nothing to do with destination ports. at it simplest. when you have an host running your webserver inside a LAN. then all source ports below 512 will be mapped to other ports below 512 if needed.236.236. SNAT target Option Example Explanation --to-source iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194. 194. so if a client tries to make contact with an HTTP server outside the firewall. it would then look like.50. Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table. such as the POSTROUTING chain. We may also specify a whole range of destination IP addresses. If a packet is matched.50. Table 22. Note that chains containing DNAT targets may not be used from any other chains. This option. :102432000 or something alike.50. This would hence look as within the example above. You could then tell the firewall to forward all packets going to its own HTTP port. host or network.Iptables Tutorial 1.160 as described in the example above.160:1024-32000 The --to-source option is used to specify which source the packets should use.1. iptables will always try to maintain the source ports used by the actual workstation making the connection. If no port range is specified.org/andreasson/iptables-tutorial/iptables-tutorial. Those between source ports 512 and 1023 will be mapped to ports below 1024. The source IP would then be set randomly for each stream that we open. DNAT target The DNAT target is used to do Destination Network Address Translation. This target can be extremely useful. All the source ports would then be mapped to the ports specified. iptables will map one of them to another port. DNAT target http://people.50. Hence. and any of the chains called upon from any of those listed chains.155-194.155194.236. on to the real webserver within the LAN. it will not be mapped to the FTP control port. and then routed on to the correct device. and a single stream would always use the same IP address for packets within that stream.236. All other ports will be mapped to 1024 or above.

you should instead use the SNAT target.1. As you can see. which gets dynamic IP addresses when connecting to the network in question. or DHCP connections. Do note that port specifications are only valid for rules that specify the TCP or UDP protocols with the --protocol option. and that each stream will randomly be given an IP address that it will always be Destinated for. We could also have specified only one IP address. it is not favorable since it will add extra overhead. dialup connections.unix-fu. as for the SNAT target even though they do two totally different things.1:80 for example. namely 192.168. for example.45. in which case we would always be connected to the same host.67 to a range of LAN IP's.9 Página 164 --to-destination Option iptables -t nat -A PREROUTING -p tcp -d 15.1-192.1. swallowing up worthful connection tracking memory.1. It is still possible to use the MASQUERADE target instead of SNAT even though you do have an static IP. Note. The reason for this is that the MASQUERADE target was made to work with. and there may be inconsistencies in the future which will thwart your existing scripts and render them "unusable". kill a specific interface. Also note that we may add an port or port range to which the traffic would be redirected to.org/andreasson/iptables-tutorial/iptables-tutorial. If you have a static IP connection. or like --todestination 192. the syntax is pretty much the same for the DNAT target. for example.45.html 21:25:51 10/06/2002 . which is extremely good if we. which is optional.23.168. and where to send packets that are matched. which we don't know the actual address of at all times.67 --dport 80 -j DNAT --to-destination Example 192.Iptables Tutorial 1. as described previously.10 Explanation The --to-destination option tells the DNAT mechanism which Destination IP to set in the IP header. When you masquerade a connection. within that stream. The above example would send on all packets destined for IP address 15.1. and the IP address is automatically grabbed from the information about the specific interface. just as the SNAT target. Table 23.1. This is in general the correct behaviour when dealing with dialup lines that are probable to be assigned a different IP every time it is up'ed.168. This means that you should only use the MASQUERADE target with dynamically assigned IP connections. we may have been left with a lot of old connection tracking data. it means that we set the IP address used on a specific network interface instead of the --to-source option. Note that the MASQUERADE target is only valid within the POSTROUTING chain in the nat table. the connection is lost anyways. but it does not require any -to-source option.1:80-100 if we wanted to specify a port range. MASQUERADE target http://people.23. A rule could then look like --to-destination 192. for example. This is done by adding. In case we are assigned a different IP.1. which would be lying around for days. that a single stream will always use the same host. MASQUERADE target The MASQUERADE target is used basically the same as the SNAT target. and it is more or less idiotic to keep the entry around. an :80 statement to the IP addresses to which we want to DNAT the packets. The MASQUERADE target takes on option specified below. If we would have used the SNAT target. however.1 through 10.168.168. The MASQUERADE target also has the effect that connections are forgotten when an interface goes down.

0. This alters the default SNAT port-selection as described in the SNAT target section. or port range. One reason for doing this is if you have a bully ISP which don't allow you to have more than one machine connected to the same internet connection. since it wouldn't make any sense anywhere else. One useful application of this is to change all Time To Live values to the same value on all outgoing packets. --to-ports 8080 in case we only want to specify one port. Either you can Explanation specify a single port like --to-ports 1025 or you may specify a port range as --to-ports 1024-3000. REDIRECT target Option Example Explanation --to-ports iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 The --to-ports option specifies the destination port. where the LAN hosts do not know about the proxy at all. Setting all TTL values to the same value. In other words. for example. The REDIRECT target is extremely good to use when we want. transparent proxying. Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. as described below. In other words.0.Iptables Tutorial 1. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid. and who actively pursue this. or something alike. Without the --to-ports option. It is also valid within user-defined chains that are only called from those chains.9 Página 165 --to-ports Option iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000 Example The --to-ports option is used to set the source port or ports to use on outgoing packets. will effectively http://people. the destination port is never altered. TTL target The TTL target is used to modify the Time To Live field in the IP header.html 21:25:51 10/06/2002 . we would do it like --toports 8080-8090.unix-fu. The REDIRECT target takes only one option. this rewrites the destination address to our own host for packets that are forwarded. on our own host. The --to-ports option is only valid if the rule match section specifies the TCP or UDP protocols with the --protocol match.1. Table 24. REDIRECT target The REDIRECT target is used to redirect packets and streams to the machine itself. which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090. Locally generated packets are mapped to the 127. and nowhere else. Note that this option is only available in rules specifying the TCP or UDP protocol with the -protocol matcher.1 address. as above.org/andreasson/iptables-tutorial/iptables-tutorial. This is specified. to use. the lower port range delimiter and the upper port range delimiter separated with a hyphen. If we would want to specify an port range.

Table 25. and nowhere else. A good value would be around 64 somewhere. and the higher the TTL. since it may affect your network and it is a bit immoral to set this value to high.org/andreasson/iptables-tutorial/iptables-tutorial. By setting the TTL one value higher for all incoming packets. we effectively make the firewall hidden from traceroutes. which you may find within the Other resources and links appendix. We may then reset the TTL value for all outgoing packets to a standardized value. and it is not too short. hence the packet will be decremented by 4 steps. it gives the hacker/cracker some good information about your upstreams if they have targeted you. a packet entering with a TTL of 53 would leave the host with TTL 56.9 Página 166 make it a little bit harder for them to notify that you are doing this. where the network code will automatically decrement the TTL value by 1. IF ANYONE HAS A GOOD USAGE FOR THIS OPTION.Iptables Tutorial 1. see the ttl-inc. Note that the same thing goes here. It takes 3 options as of writing this. since they provide excellent information on problems with connections and where it happens. The reason for this is that the networking code will automatically decrement the TTL value by 1. The TTL target is only valid within the mangle table. as for the previous example of the --ttl-dec option.html 21:25:51 10/06/2002 . but at the same time. Do not set this value too high. --ttl-dec iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-dec 1 The --ttl-dec option tells the TTL target to decrement the Time To Live value by the amount specified after the --ttl-decoption. read the ip-sysctl. For more information on how to set the default value used in Linux. such as 64 as specified in Linux kernel. For a good example on how this could be used. if the TTL for an incoming packet was 53 and we had set -ttl-dec 3. TTL target Option Example Explanation --ttl-set iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-set 64 The --ttl-set option tells the TTL target which TTL value to set on the packet in question. NOTIFY ME --ttl-inc iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-inc 1 The --ttl-inc option tells the TTL target to increment the Time To Live value with the value specified to the --ttl-inc option. which it always does. the packet would leave our host with a TTL value of 49. all of them described below in the table. from 53 to 49 in other words. the more bandwidth will be eaten unnecessary in such a case. and if we specified --ttl-inc 4. In other words.1. It's not too long. http://people.unix-fu.txt script. since the packet may start bouncing back and forth between two misconfigured routers. This may be used to make our firewall a bit more stealthy to traceroutes among other things.txt. This means that we should raise the TTL value with the value specified in the --ttlinc option. Traceroutes are a loved and hated thing.

so the whole packet will be copied to userspace. and it contains much better facilities for logging packets. which would include the whole header hopefully. and then transmit it outside to the userspace as one single netlink multipart message. the whole packet will be copied to userspace. and to group log entries etcetera. the kernel would first accumulate 10 packets inside the kernel. This option prefixes all log entries with a userspecified log prefix.org/andreasson/iptables-tutorial/iptables-tutorial. The default value is 0. If we specify 100 as above.unix-fu. plus some leading data within the actual packet. if we set the threshold to 10 as above. which are simply specified as 1-32. The default value here is 1 because of backwards compatibility. For example. There are 32 netlink groups. If a packet is matched and the ULOG target is set. --ulog-cprange iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100 The --ulog-cprange option tells the ULOG target how many bytes of the packet to send to the userspace daemon of ULOG. http://people. the packet information is multicasted together with the whole packet through a netlink socket. and is definitely most useful to distinguish different logmessages and where they came from. If we would like to reach netlink group 5.1.Iptables Tutorial 1. we would simply write --ulog-nlgroup 5. making it much simpler to search for specific packets. This is in other words a more complete and more sophisticated logging facility that is only used by iptables and netfilter so far.html 21:25:51 10/06/2002 . and other databases. we would copy 100 bytes of the whole packet to userspace. One or more userspace processes may then subscribe to various multicast groups and receive the packet.9 Página 167 ULOG target The ULOG target is used to provide userspace logging of matching packets. If we specify 0. ULOG target Option Example Explanation --ulog-nlgroup iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2 The --ulog-nlgroup option tells the ULOG target which netlink group to send the packet to. It can be 32 characters long. --ulog-qthreshold iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10 The --ulog-qthreshold option tells the ULOG target how many packets to queue inside the kernel before actually sending the data to userspace. regardless of the packets size. the userspace daemon did not know how to handle multipart messages previously. Table 26. This target enables us to log information to MySQL databases. The default netlink groupd used is 1. --ulog-prefix iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: " The --ulog-prefix option works just the same as the prefix value for the standard LOG target.

Source Network Address Translation is done further on. The packet goes through the different steps in the following fashion: Table 1.org/andreasson/iptables-tutorial/iptables-tutorial. This is especially needed if you want to write rules with iptables that chould change how different packets get routed. eth0) This chain is normally used for mangling packets. General When a packet first enters the firewall.html . This chain is used for Destination Network Address Translation mainly. changing TOS and so on. Avoid filtering in this chain since it will be passed through in certain cases. we do all the filtering here.unix-fu.1. is the packet destined for our localhost or to be forwarded and where.9 Página 168 Traversing of tables and chains This chapter will talk about how packets traverse the the different chains and in which order. ie. 21:25:51 10/06/2002 5 6 7 nat POSTROUTING http://people. internet) Comes in on the interface(ie. Note that all traffic that's forwarded goes through here (not only in one direction). filter FORWARD The packet got routed onto the FORWARD chain. This is extremely valuable information later on when you write your own specific rules. With this we mainly mean the different routing decisions and so on. only forwarded packets go through here. This chain should first and foremost be used for Source Network Address Translation. so you need to think about it when writing your ruleset. it hits the hardware and then get's passed on to the proper device driver in the kernel. Then the packet starts to go through a series of steps in the kernel before it is either sent to the correct application (locally). In this example. Also we will speak about in which order the tables are traversed. Routing decision. Forwarded packets Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire(ie. we're assuming that the packet is destined for another host on another network.Iptables Tutorial 1. good examples of this is DNAT and SNAT and of course the TOS bits. This is also where Masquerading is done. We will also look at which points certain other parts that also are kernel dependant gets in the picture. ie. avoid doing filtering here since certain packets might pass this chain without ever hitting it. or forwarded to another host or whatever happens to it.

no matter what interface and so on it came from. changing TOS and so on. 21:25:51 10/06/2002 http://people. Local process/application (ie. eth0) This chain is normally used for mangling packets. Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning. ie. eth1). Now. it is suggested that you do not filter in this chain since it can have sideeffects. let us have a look at a packet that is destined for our own localhost. Out on the wire again (ie.9 Página 169 8 9 Goes out on the outgoing interface (ie.unix-fu.Iptables Tutorial 1. however.org/andreasson/iptables-tutorial/iptables-tutorial. Table 3. Source localhost Step 1 2 Mangle OUTPUT Table Chain Comment Local process/application (ie. Finally we look at the outgoing packets from our own localhost and what steps they go through. server/client program) This is where we mangle packets. is the packet destined for our localhost or to be forwarded and where. Avoid filtering in this chain since it will be passed through in certain cases. This chain is used for Destination Network Address Translation mainly.html . but if you continue to dig in it. The packet can be stopped at any of the iptables chains. Internet) Comes in on the interface(ie. LAN). we are mainly interested in the iptables aspect of this lot. I think.1. Do note that there is no specific chains or tables for different interfaces or anything like that. As you can see. server/client program) 5 6 7 Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain. or anywhere else in case it is malformed. Quite logical. Destination localhost Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire (ie. there's quite a lot of steps to pass through. I think it gets clearer with time. Routing decision. ie. FORWARD is always passed by all packets that are forwarded over this firewall/ router. Note that all incoming packets destined for this host passes through this chain. It would pass through the following steps before actually being delivered to our application to receive it: Table 2. filter INPUT This is where we do filtering for all incoming traffic destined for our localhost.

unix-fu. and certain packets might slip through even though you set a default policy of DROP. it would look something like this: http://people.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 170 3 4 5 6 Nat Filter OUTPUT OUTPUT This is currently broken. This is where we decide where the packet should go. Internet) 7 8 We have now seen how the different chains are traversed in three separate scenarios. Goes out on some interface (ie. It is suggested that you don't do filtering here since it can have sideeffects. Nat POSTROUTING This is where we do Source Network Address Translation as described earlier. eth0) On the wire (ie. If we would figure out a good map of all this.html 21:25:51 10/06/2002 .Iptables Tutorial 1. Routing decision.1. could someone tell me when this will be fixed? Please? This is where we filter packets going out from localhost.

this might still be wrong or it might change in the future.test-iptables.txt script. If you feel that you want more information.9 Página 171 Hopefully you got a clearer picture of how the packets traverses the built in chains now. This test script should give you the necessary rules to test how the tables and chains are traversed. http://people. you could use the rc.1.unix-fu.Iptables Tutorial 1.html 21:25:51 10/06/2002 . All comments welcome.org/andreasson/iptables-tutorial/iptables-tutorial.

and sometimes. One good reason for this could be that we don't want to give ourself away to nosy Internet Service Providers. you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) fields and so on. and takes this as one of many signs of multiple computers connected to a single connection. Target's that only valid in the mangle table: TOS TTL MARK The TOS target is used to set and/or change the Type of Service field in the packet.Iptables Tutorial 1.unix-fu. Nat table This table should only be used for NAT (Network Address Translation) on different packets. In other words. After this. they act faulty on what they get. In other words.html 21:25:51 10/06/2002 . only the first packet in a stream will hit this chain. nor will any DNAT. These marks could then be recognised by the iproute2 programs to do different routing on the packet depending on what mark they have. This could be used for setting up policies on the network regarding how a packet should be routed and so on. The actual targets that does these kind of things are: http://people. SNAT or Masquerading work in this table. or if they don't have any. We could tell packets to only have a specific TTL and so on. it should only be used to translate packets source field or destination field. We could also do bandwidth limiting and Class Based Queuing based on these marks. Some Internet Service Providers does not like users running multiple computers on one single connection. as we have said before. Don't set this in other words for packets going to the internet unless you want to do routing decisions on it with iproute2. Note that. The TTL target is used to change the TTL (Time To Live) field of the packet.1. Note that this has not been perfected and is not really implemented on the internet and most of the routers don't care about the value in this field. It is strongly adviced that you don't use this table to do any filtering in.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 172 Mangle table This table should as we've already noted mainly be used for mangling packets. and there are some Internet Service Providers known to look for a single host generating many different TTL values. The MARK target is used to set special mark values to the packet. the rest of the packets will automatically have the same action taken on them as the first packet.

mainly used for filtering packets. we change the destination address of the packet and reroute it to some other host.x. The MASQUERADE target is used in exactly the same way as SNAT.x netmask for example. the packets would never get back from the Internet because these networks are regulated to be used in LAN's by IANA. etcetera. Of course we may do filtering earlier too. the targets discussed previously in this chapter are only usable in their respective tables. We have used one of the basic setups and dug deeper into how it works and what we do in it. This is mainly done to hide our local networks or DMZ. We will not go into deeper discussion about this table though. We can match packets and filter them however we want.168. SLIP or DHCP. instead of doing as the SNAT target does and just use an IP address submitted while the rule was parsed.Iptables Tutorial 1.html 21:25:51 10/06/2002 . but the MASQUERADE target takes a little bit more overhead to compute. It could be used as is with some changes to the variables. This is the place that we actually take action against packets and look at what they contain and DROP/ACCEPT depending on their payload. A good example when this is very good is when we have a firewall that we know the outside IP address of. Filter table The filter table is. however. Almost all targets are usable in this chain. as you already know. etc. The reason for this is that each time that the MASQUERADE target gets hit by a packet. rc.org/andreasson/iptables-tutorial/iptables-tutorial. this is where we (should) do the main filtering. however. but is not suggested since it may not work perfectly together with your network setup. This should be used to get a basic idea on how to solve different problems and what you may need to think about before actually putting your scripts into work. and there is nothing special to this chain or special packets that might slip through because they are malformed. this is the place that was designed for it. but need to change our local networks IP numbers to the same of the IP of our firewall. http://people.1. hence making it possible to make connections from the LAN to the Internet. for example PPP. of course. SNAT (Source Network Address Translation) is mainly used for changing the source address of packets. If you're network uses 192.unix-fu.firewall file This chapter will deal with an example firewall setup and how the script file could look.9 Página 173 DNAT SNAT MASQUERADE The DNAT (Destination Network Address Translation) target is mainly used in cases such as when you have one IP and want to redirect accesses to the firewall to some other host on a DMZ for example. As long as you have a very basic setup however. In other words. it automatically checks for the IP address to use. it will very likely run quite smooth with just a few fixes to it. The MASQUERADE target will on the other hand work properly with Dynamic IP addresses that you may be provided when you connect to the Internet with. The firewall will with this target automatically SNAT and De-SNAT the packets.

however. This could be eth0. read on since this script will introduce a lot of interesting stuff anyways). you need to specify the IP address of the physical interface connected to the LAN as well as the IP range which the LAN uses and the interface that the box is connected to the LAN through. The same goes for all sections that are empty. your IP address will always change.firewall Configuration options The first section you should note within the example rc. This example rc. etcetera just to name a few possible device names. This script does not contain any special configuration options for DHCP or PPPoE. This may vary a bit. explanation of rc. Instead of looking for comments. The $INET_IP should always be a fully valid IP address.firewall Ok. however. For example.html 21:25:51 10/06/2002 . and then you return here to get the nitty gritty about the whole script. just below the Localhost configuration. Mainly. If you need these parts. this section only consists of the $IPTABLES variable. then you should probably look closer at the rc.unix-fu.txt (also included in the Example scripts codebaseappendix) is fairly large but not a lot of comments in it. then you could always create a mix of the different scripts. This should always be changed since it contains the information that is vital to your actual configuration. You should at least be if you have come this far. We do provide it.0.firewall. and the default location when compiling the iptables package by hand is /usr/ local/sbin/iptables. ppp0. which are necessary. For example. Also.DHCP. eth1. Also. Also. hence these sections are empty.Iptables Tutorial 1. http://people.0.org/andreasson/iptables-tutorial/iptables-tutorial. if you got one (if not.1. you will find a brief section that pertains to the iptables. hence it is available here. which will point the script to the exact location of the iptables application.txt is the configuration section. However. I suggest you read through the script file to get a basic hum about how it looks.9 Página 174 note that there might be more efficient ways of making the ruleset. tr0. or (hold yourself) create your own from scratch. however you will with 99% certainty not change any of the values within this section since you will almost always use the 127. as you may see there is a Localhost configuration section.txt.firewall. The Local Area Network section contains most of the configuration options for your LAN. many distributions put the actual application in another location such as /usr/sbin/iptables and so on. the script has been written for readability so that everyone can understand it without having to know too much BASH scripting before reading this example rc. they are however left there so you can spot the differences between the scripts in a more efficient way.1 IP address and the interface will amost certainly be named lo. so you have everything set up and are ready to check out an example configuration script.firewall. the $INET_IFACE variable should point to the actual device used for your internet connection.

The same thing applies for DCC file transfers (sends) and chats. For a long explanation of these conntrack and nat modules.unix-fu. and tells the FTP server to connect to that IP address. There are also H. as well as http://people.html 21:25:51 10/06/2002 . there is only the option to load modules which add support for the FTP and IRC protocols. After this we load the modules that we will require for this script.1. For example. and if possible try to avoid having modules lying around at all unless you will be using them. but you will be a bit more secure to bouncing hacker attacks and attacks where the hacker will only use your host as an intermediate host. but not be able to send files. Without these so called helpers. however. some FTP and IRC stuff will work no doubt. the DCC connection will look as if it wants the receiver to connect to some host on the receivers own local network. For example. you may be able to receive files over DCC. read the Common problems and questionmarks appendix. Now. if one of your hosts NAT'ed boxes connect to a FTP server on the internet. I will not use that module in this example but basically.9 Página 175 Initial loading of extra modules First. For more information about the ipt_owner match. since it will take some extra effort to make additional rules this way. the kernel would not know what to look for when it tries to track specific connections. However. This is due to how the DCC starts a connection. the FTP server will not know what to do with it and hence the connection will break down. might be boring for others. which could for example be used to only allow certain users to make certain connections. are extensions of the connection tracking helpers that tells the kernel what to look for in specific packets and how to translate these so the connections will actually work. you tell the receiver that you want to send a file and where he should connect to. which in turn requires some translation to be done. the whole connection will be broken. some other things will not work. we load these modules as follows: /sbin/insmod ipt_LOG /sbin/insmod ipt_REJECT /sbin/insmod ipt_MASQUERADE Next is the option to load ipt_owner module. it will work flawlessly since the sender will (most probably) give you the correct address to connect to. Always avoid loading modules that you do not need. This is for security reasons. We may also load extra modules for the state matching code here. for example. Without these helpers. we see to it that the module dependencies files are up to date by issuing an /sbin/depmod -a command.323 conntrack helpers within the patch-o-matic. look at the Owner match section within the How a rule is built chapter. First off. REJECT and MASQUERADE targets and don't have this compiled statically into your kernel. As of this writing. In other words.org/andreasson/iptables-tutorial/iptables-tutorial. You could also disallow all users but your own user and root to connect from your box to the Internet. So. The NAT helpers on the other hand. The FTP NAT helpers do all of the translations within these connections so the FTP server will actually know where to connect. if you want to have support for the LOG. it will send its own local network IP address within the payload of the packet. Connection tracking helpers are special modules that tells the kernel how to properly track the specific connections. and it sends connection information within the actual payload of the packet. FTP is a complex protocol by definition. Without the helpers. you could allow only root to do FTP and HTTP connections to redhat and DROP all the others.Iptables Tutorial 1. All modules that extend the state matching code and connection tracking code are called ip_conntrack_* and ip_nat_*. Creating these kind of connections requires the IP address and ports to be sent within the IRC protocol. Since this local network address is not valid outside your own network. etcetera. the other way around.

we turn it on before actually creating any kind of IP filters (ie. iptables rulesets). in case there are possible additional links added to other and better resources of information. which is also available within the Other resources and links appendix. There is a good but rather brief document about the proc system available within the kernel. do not turn these on before actually knowing what they mean. This may give malicious people a small timeframe to actually get through our firewall. read the Preparations chapter. for example if you use SLIP. These may be a good starters to look at. In other words. I have chosen to turn it on here to maintain consistency with the script breakdown currently user. however. this option should really be turned on after creating all firewall rules. it may be worth looking at that appendix in the future. you need to use the patch-o-matic and compile your own kernel. In case you need dynamic IP support. To be able to use these helpers.html 21:25:51 10/06/2002 . do contain a small section of non-required proc settings. This will lead to a brief period of time where the firewall will accept forwarding any kind of traffic for everything between a millisecond to a minute depending on what script we are running and on what box.firewall.1. however. and all others contained within this tutorial. The rc. ip_dynaddr by doing the following : echo "1" > /proc/sys/net/ipv4/ip_dynaddr If there is any other options you might need to turn on you should follow that style.org/andreasson/iptables-tutorial/iptables-tutorial. For a better explanation on how this is done.9 Página 176 some other conntrack helpers.unix-fu. Also. Displacement of rules to different chains http://people. Note that you need to load the ip_nat_irc and ip_nat_ftp if you want Network Adress Translation to work properly on any of the FTP and IRC protocols.Iptables Tutorial 1. You will also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before actually loading the NAT modules. PPP or DHCP you may enable the next option. but it will make it possible for the computer to do NAT on these two protocols. They are used the same way as the conntrack modules. there's other documentations on how to do these things and this is out of the scope of this documentation. In this script and all others within the tutorial. proc set up At this point we start the IP forwarding by echoing a 1 to /proc/sys/net/ipv4/ ip_forward in this fashion: echo "1" > /proc/sys/net/ipv4/ip_forward It may be worth a thought where and when we turn on the IP forwarding.txt script.

Also. the Internet is most definitely not a trusted network and hence we want to block them from getting to our local network. The following picture will try to explain the basics of how an incoming packet traverses netfilter. this will remind you a little bit of how the specific tables and chains are traversed in a real live example. one firewall and an Internet connection connected to the firewall. UDP and TCP rules. let's look at what we need to do and what we do not need to do. We will not discuss any specific details yet. we would also like to let our local network do connections to the internet. In this case. This way we do not get too much overhead out of it all. In the case of this scenario. we also want to allow the firewall to act as a server for certain services on the internet. and we trust our local network fully and hence we will not block any of the traffic from the local network. let's make clear what our goals are. I wish to explain and clarify the goals of this script. Some of the paths I have chosen to go here may be wrong from one or another of aspect. Also. This will effectively kill all connections and all packets that we do not explicitly allow inside our network or our firewall. but instead further on in the chapter.1. Hopefully. To do this. I hope to point these aspects and possible problems out to you when and where they occur.txt script. Instead of letting a TCP packet traverse ICMP.Iptables Tutorial 1. I have displaced all the different user-chains in the fashion I have to save as much CPU as possible but at the same time put the main weight on security and readability. http://people.9 Página 177 This section will briefly describe my choices within the tutorial regarding user specified chains and some choices specific to the rc. I simply match all TCP packets and then let the TCP packets traverse an user specified chain. we want to allow all kind of traffic from the local network to the internet. This is a really trivial picture in comparison to the one in the Traversing of tables and chains chapter where we discussed the whole traversal of chains and tables in depth.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. This example is also based upon the assumption that we have a static IP to the internet (as opposed to DHCP. However. Based upon this picture. Based upon these general assumptions. this section contains a brief look back to the Traversing of tables and chainschapter. Since the local network is fully trusted.html 21:25:51 10/06/2002 .firewall. With these pictures and explanations. PPP and SLIP and others). we want to set default policies within the chains to DROP. This whole example script is based upon the assumption that we are looking at a scenario containing one local network. this script has as a main priority to only allow traffic that we explicitly want to allow.

and we need to allow the return traffic through the OUTPUT chain. All of these protocols are available on the actual firewall. To do this. When we decided on how to create this chain. All TCP packets traverse a specific chain named tcp_packets. Finally. For instance. we want to add special rules to allow all traffic from the local network as well as the loopback network interface. Since we have an FTP server running on the server. we want the local network to be able to connect to the internet. of course. Also. This means that we will also have to do some filtering within the FORWARD chain since we will otherwise allow outsiders full access to our local network.unix-fu. before we implement this. we do not want to allow specific packets or packet headers in specific conjunctions. Also.0.9 Página 178 First of all. we will need to NAT all packets since none of the local computers have real IP addresses. Because of this. as well as the fact we want to traverse as few rules as possible. we have decided to allow HTTP. we also trust the local network fully. nor do we want to allow some IP ranges to reach the firewall from the Internet. and reduce redundancy within the network. read the Common problems and questionmarks chapter. and hence it should be allowed through the INPUT chain. For a closer discussion of this. and should contain a few extra checks before finally accepting the packet. we send to the udp_packets chain which handles all incoming UDP packets. However. these will traverse the icmp_packets chain. so we would like to create one more subchain for all packets that are accepted for using valid port numbers to the firewall. or we just want to offer a few services to people on the internet. which in turn will allow all return traffic from the Internet to our local network.0. In this script. UDP or ICMP. the 10. which will contain rules for all TCP ports and protocols that we want to allow. Since noone on the Internet should be allowed to contact our local network computers. For the same reason.Iptables Tutorial 1. we want to do some extra checking on the TCP packets. we will want to block all traffic from the Internet to our local network except already established and related connections.1.org/andreasson/iptables-tutorial/iptables-tutorial. As for our firewall. we make the ruleset less timeconsuming for each packet. By traversing less rules.html 21:25:51 10/06/2002 . SSH and IDENTD access to the actual firewall. As for ICMP packets. FTP.0/8 address range is reserved for local networks and hence we would normally not want to allow packets from such a address range since they would with 90% certainty be spoofed. Therefore. we may be a bit low on funds perhaps. we want to split the rules down into subchains. These packets. All of this is done within the PREROUTING chain. for example TCP. By doing this. we could not see any specific needs for extra checks before allowing the ICMP packets through if we agree with the type and code of the ICMP packet. and hence we accept the directly. we have the UDP packets which needs to be dealt with. we choose to split the different packets down by their protocol family. and the loopback device and IP address are also trusted. which is created last in this script. we add a rule which lets all established and related traffic through at the top of the INPUT chain. This chain we choose to call the "allowed" chain. We trust our local network to the fullest. and because of that we specifically allow all traffic from our local network to the internet. we must note that certain Internet Service Providers actually use these address ranges within their own networks. our packets will hopefully only need to traverse as few rules as possible. http://people. However.

we have the firewalls OUTPUT chain. and if not they will be dropped by the default policy in the OUTPUT chain.Iptables Tutorial 1. You should also have a clear picture of the goals of this script.9 Página 179 All incoming UDP packets should be sent to this chain. Since we are running on a relatively small network. such as speak freely and ICQ.html 21:25:51 10/06/2002 . and hence we only want to allow traffic from the IP addresses assigned to the firewall itself. Setting up the different chains used So. we create the different special chains that we want to use with the -N command. Since we actually trust the firewall quite a lot. this box is also used as a secondary workstation and to give some extra levy for this. It is now about time that we take care of setting up all the rules and chains that we wish to create and to use.unix-fu. The new chains are created and set up with no rules inside of them. now you got a small picture on how the packet traverses the different chains and how they belong together. and if they are of an allowed type we should accept them immediately without any further checking. iptables -P <chain name> <policy> The default policy is used every time the packets don't match a rule in the chain. we set all the default policies on the different chains with a quite simple command.org/andreasson/iptables-tutorial/iptables-tutorial. The chains we will use are icmp_packets. as well as all of the rulesets within the chains. We do not do any specific user blocking. After this. INPUT chain http://people. we want to allow certain specific protocols to make contact with the firewall itself. First of all.1. tcp_packets. However. nor do we do any blocking of specific protocols. of ICMP type. will be redirected to the chain icmp_packets. udpincoming_packets and the allowed chain for tcp_packets. Incoming packets on eth0. we allow pretty much all traffic leaving the firewall. we do not want people to use this box to spoof packets leaving the firewall itself. We would most likely implement this by adding rules that ACCEPT all packets leaving the firewall in case they come from one of the IP addresses assigned to the firewall. will be redirected to tcp_packets and incoming packets of UDP type from eth0 go to udpincoming_packets chain. Finally. of TCP type.

again of course. which would normally be 127. These applications will not work properly without it. we want to do some final checks on it to see if we actually do want to allow it or not. it is most likely to be the first packet in a new connection so. The TCP allowed chain If a packet comes in on eth0 and is of TCP type. and a reply to this SYN packet. and since we've got a SYN packet. If you want to fully understand this. we didn't reply to the SYN packet. and after this. In this case this pretty much means everything that hasn't seen traffic in both directions. we log it so we might be able to find out about possible problems and or bugs. and it will work much better on slow machines which might otherwise drop packets at high loads. we allow broadcast traffic from our LAN. we allow this. if it does. we check if the packet is a SYN packet. After that. which in my case is eth0. Finally. Also. If it is a SYN packet. ie. Either it might be a packet that we just dont want to allow or it might be someone who's doing something bad to us.unix-fu. First of all we match all ICMP packets in the INPUT chain that come on the incoming interface $INET_IFACE. We do certain checks for bad packets here.0.html 21:25:51 10/06/2002 . These packets could be allowed under certain circumstances but in 99% of the cases we wouldn't want these packets to get through. which was previously described.0. After this. An ESTABLISHED connection is a connection that has seen traffic in both directions. Before we hit the default policy of the INPUT chain. something that some might consider a security problem. Everything that hasn't yet been caught will be DROP'ed by the default policy on the INPUT chain. we do the same match for TCP packets on the $INET_IFACE and send those to the tcp_packets chain. some applications depend on it such as Samba etc. also we set a prefix to all log entries so we know where it came from. if the connection is against an allowed port. Then we check if the packet comes from an ESTABLISHED or RELATED connection. the connection then must be in state ESTABLISHED. Hence.0/24. I allow everything that comes from my own Internet IP that is either ESTABLISHED or RELATED to some connection. as you might remember.1 and ACCEPT all incoming traffic from there. which in my case would be 192.1. you need to look at the Appendices regarding state NEW and non-SYN packets getting through other rules. This way we don't get too much load from the iptables.Iptables Tutorial 1. then we.9 Página 180 The INPUT chain as I've written it uses mostly other chains to do the hard work. The default policy was set quite some time back.168. we don't log more than 3 packets per minute as to not getting flooded with crap all over the log files. we create the chain the same way as all the others. First of all. we check for everything that comes from our $LOCALHOST_IP.0. except to portscan people http://people. Though. or they are trying to start the connection with a non SYN packet. we log them to our logs and then we DROP them. and send those to the icmp_packets. allow it. do the same for everything to $LAN_IP. The last rule in this chain will DROP everything else. and after this all UDP packets get sent to udpincoming_packets chain. it travels through the tcp_packets chain. There is no practical use of not starting a connection with a SYN packet. or finally it might be a problem in our firewall not allowing traffic that should be allowed. In either case we want to know about it so it can be dealt with. of course.org/andreasson/iptables-tutorial/iptables-tutorial.

in other words all sources addresses.1. As it is now. the last gateway that was unable to find the route to the host replies with a Destination Unreachable telling us that it was unable to find it. and it gets down to 0 at the first hop on the way out. hence we send each and one of them on to allowed chain. If a packet of ICMP type comes in on eth0 on the INPUT chain. DROP the crap since it's 99% sure to be a portscan. we then redirect it to the icmp_packets chain as explained before. For more information on ICMP types and their usage. the rule will be added to the end of the chain.Iptables Tutorial 1. everything works perfectly while blocking all the other ICMP types that I don't allow. see the appendix ICMP types. i suggest reading the following documents and reports : The Internet Control Message Protocol ICMP RFC 792 . -p TCP tells it to match TCP packets and -s 0/0 matches all source addresses from 0. Echo Replies is what you get for example when you ping another host. if we don't allow this. This specifies what ports that are allowed to use on the firewall from the Internet. we will be unable to ping other hosts.html 21:25:51 10/06/2002 . so for example if we send a HTTP request. The reason that I allow these ICMP packets are as follows. then the packet will be targeted for the allowed http://people. Destination Unreachable is used if a certain host is unreachable. If all the criteria are matched. then TTL = 2 and the second gateway sends Time Exceeded. but in my case. Postel. when you traceroute someone. This way we won't have to wait until the browser's timeouts kicks in after some 60 seconds or more.9 Página 181 pretty much. Though. Time Exceeded. this is actually the default behaviour but I'm using it for brevity in here. and a Time Exceeded is sent back from the first gateway en route to the host we're trying to traceroute.0 with netmask 0. For a complete listing of all ICMP types. As a side-note. which we described previously. The ICMP chain This is where we decide what ICMP types to allow.0. For example. I only allow incoming ICMP Echo Replies. you start out with TTL = 1. The TCP chain So now we reach TCP connections. -A tcp_packets tells iptables in which chain to add the new rule. and so on until we get an actual reply from the host we finally want to get to. I might be wrong in blocking some of these ICMP types for you.0. --dport 21 means destination port 21. hence. we will get a reply about this.0. is allowed in the case where we might want to traceroute some host or if a packet gets its Time To Live set to 0. and the host is unreachable. Here we check what kind of ICMP types to allow.0. there is still more checks to do.org/andreasson/iptables-tutorial/iptables-tutorial. There is no currently available TCP/IP implementation that supports opening a TCP connection with something else than a SYN packet to my knowledge.Internet Control Message Protocol by J.unix-fu. Destination unreachable.0. Redirect and Time Exceeded. in other words if the packet is destined for port 21 they also match.

if you want to allow anyone from the outside to use a shell on your box at all. we ACCEPT them directly. without this we wouldn't be able to do domain name lookups and we would be reversed to only use IP's.0.html 21:25:51 10/06/2002 . If you feel like adding more open ports with this script.0. delete it if you don't want to run a web server on your site.1. much better than allowing telnet on port 23. This protocol is used to set your computer clock to the same time as certain other time servers which have very accurate clocks. of course.0. We currently also allow port 2074. I doubt there is any further need to explain what it is. I'm allowing it per default since I know there are some who actually do. http://people.Iptables Tutorial 1. which is what we use to do DNS lookups. or even better.0. in other words everything again. etc to work properly. Though. which is IDENTD and might be necessary for some protocols like IRC. in other words your web server. As it is now. or FTP control port. The UDP chain If we do get a UDP packet on the INPUT chain. If it doesn't match any of the rules. Note that you are dealing with a firewall.unix-fu. we can unload the ip_conntrack_ftp module and delete the $IPTABLES -A tcp_packets -p TCP -s 0/ 0 --dport 21 -j allowed line from the rc. most of you probably don't use this protocol. we send them on to udpincoming_packets where we once again do a match for the UDP protocol with -p UDP and then match everything with a source address of 0. Firewalls should always be kept to a bare minimum and not more. and that way we allow PASSIVE and PORT connections since the ip_conntrack_ftp module is. its quite self explanatory how to do that by now=). which is used for certain real-time `multimedia' applications like speak freely which you can use to talk to other people in real-time by using speakers and a microphone. loaded. well.0 and netmask 0. Port 4000 is the ICQ protocol. And finally we allow port 113. If they have a source port of 53 also. hence we allow DNS. Port 22 is SSH. Port 80 is HTTP. which is used to control FTP connections and later on I also allow all RELATED connections.txt file. I allow TCP port 21.firewall. I personally also allow port 123. which is NTP or network time protocol. If we don't want to allow FTP at all. they will be passed back to the original chain that sent the packet to the tcp_packets chain. We don't want this behaviour. This should be an extremely well known protocol that is used by the Mirabilis application named ICQ. I ACCEPT incoming UDP packets from port 53. a headset. There is at least 5 different ICQ clones for Linux and it's one of the most widely used chat programs in the world.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 182 chain.0. As it is now. hopefully. It is always a bad idea to give others than yourself any kind of access to these kind of boxes.

unix-fu. and prefix them with a short line that is possible to grep for in the logfiles.org/andreasson/iptables-tutorial/iptables-tutorial.x.Iptables Tutorial 1.x. PREROUTING chain of the nat table The PREROUTING chain is pretty much what it says. Last of all we log everything that gets dropped. If it does get dropped. Starting the Network Address Translation http://people. Either it's a nasty error. As it is now. if we open a connection from our LAN to something on the Internet. even though I doubt anyone that I know would do it on my box. we don't do that though. such as in case we get packets from the Internet interface that claim to have a source IP of 192. 10. among other things since this chain is only traversed by the first packet in a stream. in such case.x. Finally we DROP the packet in the default policy. we'll sure as hell want to know about it for some reason or another.txt example file.x or 172. As it looks now.168. After this we allow everything in a state ESTABLISHED or RELATED from everywhere. too.x. it should be used for network adress translation. First of all we check for obviously spoofed IP addresses. FORWARD chain Even though I haven't actually set up a certain section in the rc. I allow pretty much everything that goes out from it that has a source address $LOCALHOST_IP. We finally hit the default policy of the FORWARD chain that says to DROP everything. if we get an packet from $LAN_IFACE that claims to not come from an IP address in the range which we know that our LAN is on.16. we first of all ACCEPT all packets coming from our LAN with the following line: /usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT So everything from our Localnet's interface gets ACCEPT'ed whatever the circumstances.x. And after this we log everything and drop it. We log maximally 3 log entries per minute as to not flood our own logs. $LAN_IP or $STATIC_IP. in other words. it does network adress translation on packets before they actually hit the routing tables that sends them onwards to the INPUT or FORWARD chains in the filter table. Everything else might be spoofed in some fashion. Also we log them with debug level.x. I would like to comment on the few lines in there anyways.1. or it's a weird packet that's spoofed. we allow the packets coming back from that site that's either ESTABLISHED or RELATED but nothing else.html 21:25:51 10/06/2002 .9 Página 183 OUTPUT chain Since i know that there's pretty much no one but me using this box which is partially used as a Firewall and a workstation currently. we drop them quicker than hell since these IP's are reserved especially for local intranets and definitely shouldn't be used on the Internet.firewall. This might be used in the opposite direction. we might drop that too. Note that this chain should not be used for any filtering or such.

Simple.unix-fu. The -t option tells us which table to use. in the POSTROUTING chain that will masquerade all packets going out on our interface connected to the Internet. We allow this rule to be matched a maximum of 3 times per minute with a burst limit of 3.Iptables Tutorial 1.txt script structure All scripts written for this tutorial has been written after a specific structure. and since it comes from eth1 we ACCEPT it. For me this would be eth0. we first send a packet from our local box behind eth1. We also set a prefix to the log with the --log-prefix and set the log level with the --log-level. per default settings in this script) and finally we target the packet for MASQUERADE'ing. This means we get maximally 3 log entries per minute from this specific line.1. So all packets that match this rule will be masqueraded to look as it came from your Internet interface.firewall. Example scripts The objective of this chapter is to give a fairly brief and short explanation of each script available with this tutorial.org/andreasson/iptables-tutorial/iptables-tutorial. mainly to make them easier to configure. correct? At least to me. In some cases these might be packets that should have gotten through but didn't. The last thing we do is to log all traffic that gets dropped over the border. This is good if someone starts to flood you with crap stuff that otherwise would generate many megabytes of logs. Log level tells the syslogd. The rest of this tutorial should most probably be helpful in making this feat. then when the Internet box replies. and to provide an overlook of the scripts and what services they provide. or logging facility what kind of importance this log entry has. However. First of all we add a rule to the nat table. This structure should be fairly well documented in this brief chapter. and hits the default policy. it'll have to wait for another 1 minute for the next log entry. These scripts are not in any way perfect. in this case nat while the -A command tells us that we want to Add a new rule to an existing chain named POSTROUTING and -o $INET_IFACE tells us to match all outgoing packets on INET_IFACE (or eth0. All packets that are being forwarded on our box traverse the FORWARD chain in the filter table. and the burst is also set to 3 so if we get 3 log entries in 2 seconds. The first section of this tutorial deals with the actual structure that I have established in each script so we may find our way within the script a bit easier. These settings are widely used within the example scripts. and they may not fit your exact intentions perfectly. It is in other words up to you to make these scripts suitable for your needs. In other words. isn't it? The next step we take is to ACCEPT all packets traversing the FORWARD chain in the default table filter that come from the input interface eth1 which is my interface connecting to the internal network.html 21:25:51 10/06/2002 .9 Página 184 So. The next thing we do is to ACCEPT all packets from anywhere that are ESTABLISHED and/or RELATED to some connection. This chapter should hopefully http://people. The reason for this is that they should be fairly conformative to each other and to make it easier to find the differences between the scripts. our final mission would be to get the MASQUERADEing up. there are specific variables added to these example scripts that may be used to automatically configure these settings. in other cases it might be packets that definitely shouldn't get through and you want to be notified about this. it gets caught by this rule since the connection has seen packets in both directions. but also to improve the readability a bit. rc.

5. Other . we will add specific options for those here. Configuration options should pretty much always be the first thing in any shell-script.If there are any other specific options and variables. 1. it should be subsectioned directly to the configuration options somewhere. Internet . iptables . These variables are highly unlikely to change. will not have one. In most scripts and situations this should only require one variable which tells us where the iptables binary is located. Localhost .If there is any LAN available behind the firewall.org/andreasson/iptables-tutorial/iptables-tutorial. do note that this may not be the best structure for your scripts. 2. but only such that pertains to our Internet connection.Iptables Tutorial 1. 4. DHCP . but we have put most of it into variables anyway. Note that there may be more subsections than those listed here. It is only a structure that I have chosen to use since it fits the need of being easy to read and follow the best according to my logic.If there are a possibility that the user that wants to use this specific script. they should first of all be fitted into the correct subsection (If it pertains to the Internet connection. 1. etcetera). 2. LAN . http://people.1. and if there are any special circumstances that raises the chances that he is using a PPPoE connection. This is most likely. it should be subsectioned there. 3. we will add options pertaining to that in this section.First of all we have the configuration options which the rest of the script should use.9 Página 185 give a short understanding to why all the scripts has been written as they have.If there are possibly any special DHCP requirements with this specific script. DMZ .html 21:25:51 10/06/2002 . This could be skipped if we do not have any Internet connection. If it does not fit in anywhere. Configuration . The structure This is the structure that all scripts in this tutorial should follow.This section contains iptables specific configuration. Most scripts lacks this section. PPPoE . If they differ in some way it is probably an error on my part. 6. 1. there should be no reason to change these variables. we will add the DHCP specific configuration options here. and why I have chosen to maintain this structure.This is the configuration section which pertains to the Internet connection. we will add a DMZ zone configuration at this point. hence this section will almost always be available. Even though this is the structure I have chosen.unix-fu. unless it is specifically explained why I have broken this structure. or small corporate network. Hopefully. mainly because any normal home network.If there is any reason to it.These options pertain to our localhost.

This section should contain all of the required proc configurations for the script in question to work. but far from all of them. This should normally be noted in such cases within the example scripts. Set policies . I have also chosen to set the chains and their rulespecifications in the same order as they are output by the iptables -L command. if not.org/andreasson/iptables-tutorial/iptables-tutorial.This section should contain non-required proc configurations that may prove useful. Normally I will set DROP policies on the chains in the filter table. since they are not actually necessary to get the script to work. and specifically ACCEPT services and streams that I want to allow inside.This section contains modules that are not required for normal operations. Required modules . while the second part should contain the non-required modules.By now the scripts should most probably be ready to insert the ruleset. Filter table . All of them should be commented out. First of all we should set up all the policies in the table. and if you want to add the service it provides.At this point we create all the user specified chains that we want to use later on within this table. and possibly special modules that adds to the security or adds special services to the administrator or clients. http://people. they will be listed as such. and listed under the non-required proc configurations. proc configuration .This section of the scripts should maintain a list of modules. they should be commented out per default. rules set up . All of these modules should be commented out per default. it is up to you.Iptables Tutorial 1. Non-required modules .9 Página 186 2. I have chosen to split all the rules down after table and then chain names. All user specified chains are created before we do anything to the system builtin chains. 3.This section should take care of any special configuration needed in the proc filesystem.html 21:25:51 10/06/2002 . The first part should contain the required modules. If some of these options are required. may have been added even though they are not required.First of all we go through the filter table and its content. It could possibly also contain configurations that raises security. Create user specified chains . 1. Non-required proc configuration . 2. 2. Required proc configuration . 2. 1. Most of the useful proc configurations will be listed here.Set up all the default policies for the systemchains. 1. This way we will get rid of all ports that we do not want to let people use. This list will contain far from all of the proc configurations or nodes.unix-fu. We will not be able to use these chains in the systemchains anyways if they are not already created so we could as well get to it as soon as possible. 4. or add certain services or possibilities. Module loading .This section should contain the required modules. Note that some modules that may raise security. and possibly which adds special services or possibilities for the administrator or clients. 1.1.

We add this material here since I do not see any reason not to. Also. Nothing special about this decision. First of all we do not want to turn the whole forwarding mechanism and NAT function on at a too early stage. Create user specified chains . but I have added this section anyways. however. Normally.After the filter table we take care of the nat table. which could possibly lead to packets getting through the firewall at just the wrong timepoint (ie.org/andreasson/iptables-tutorial/iptables-tutorial.1.After creating the user specified chains we may as well enter all the rules within these chains. it is totally up to you.At this point we create any user specified chains that we want within the nat table. but none of the filter rules has been run). but not too far from reality.html 21:25:51 10/06/2002 . Create content in user specified chains . Note that the user specified chains must be created before they can actually be used within the systemchains.When we have come this far. and finally the mangle table lies around the nat table as a second layer. Create content in user specified chains . we do not have a lot of things left to do within the filter table so we get onto the INPUT chain. 3. Normally I do not have any of these. The only reason I have to enter this data at this point already is that may as well put it close to the creation of the user specified chains. This may be wrong in some perspectives. 3. nat table . I will be satisfied with the default policy set from the beginning. namely the ACCEPT policy. The filter table would hence be the core. when the NAT has been turned on. There is no reason for you to stay with this structure. OUTPUT chain . This table should not be used for filtering anyways. FORWARD chain . http://people.9 Página 187 3. At this point we start following the output from the iptables -L command as you may see.unix-fu. do try to avoid mixing up data from different tables and chains since it will become much harder to read such rulesets and to fix possible problems.Iptables Tutorial 1. INPUT chain . 6. 1.First of all we set up all the default policies within the nat table. At this point we should add all rules within the INPUT chain. There should hopefully not be too much to do at this point. The same thing goes here as for the user specified chains in the filter table. I look upon the nat table as a sort of layer that lies just outside the filter table and kind of surrounds it. 2. 4.At this point we go on to add the rules within the FORWARD chain. This is done after the filter table because of a number of reasons within these scripts.By now it should be time to add all the rules to the user specified chains in the nat table. just in case. 5. and we should not let packets be dropped here since there are some really nasty things that may happen in such cases due to our own presumptions. Set policies .Last of all in the filter table. You may as well put this later on in your script. I let these chains be set to ACCEPT since there is no reason not to do so. we add the rules dealing with the OUTPUT chain. while the nat table acts as a layer lying around the filter table.

org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . Create content in userspecified chains . The same thing goes here as for the nat table pretty much.Set the default policies within the chain. unless they have specific needs. it is not broken. PREROUTING . send me a line and I will add it to the tutorial. In most scripts this feature is not used. Within some scripts we have this turned on by default since the sole purpose of those scripts are to provide such services.Iptables Tutorial 1. Normally I will not use this table at all. 3.The PREROUTING chain is used to do DNAT on packets in case we have any need for it. 5. As it looks now. 7. reason being that we do not want to open up big holes to our local network without knowing about it. The table was not made for filtering. I have in other words chosen to leave these parts of the scripts more or less blank.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. PREROUTING chain . but in certain cases we are forced to use the MASQUERADE target instead. INPUT chain .The POSTROUTING chain should be fairly well used by the scripts I have written since most of them depend upon the fact that you have one or more local networks that we want to firewall against the Internet. 5.The OUTPUT chain is barely used at all in any of the scripts. Set policies . 6. 1. FORWARD chain . you may att this point add the rules that you want within them here. or I. If anyone has a reason to use this chain. I have not set any policies in any of the scripts in the mangle table one way or the other. 4.unix-fu. Mainly we will try to use the SNAT target. but I have been unable to find any good reasons to use this chain so far.If you have any user specified chains within this table. and you are encouraged not to do so either. 5. 2. POSTROUTING chain . However. 6. I have neither created any chains here since it is fairly unusable without any data to use within it.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. OUTPUT chain . or at the very least commented out. http://people. and hence you should avoid it all together. this section was added just in case someone. such as masking all boxes to use the exact same TTL or to change TOS fields etcetera. mangle table . OUTPUT chain . would have the need for it in the future.1.The last table to do anything about is the mangle table. Since I have barely used the mangle table at all in the scripts. with a few exceptions where I have added a few examples of what it may be used for. since it should normally not be used for anyone. Create user specified chains .9 Página 188 4.Create all the user specified chains.

please take a closer look at the rc. If you are looking for a script that will work with those setups.txt The rc.firewall file chapter should explain every detail in the script most thoroughly. POSTROUTING chain . and hence don't use DHCP.DHCP. PPP.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.html 21:25:51 10/06/2002 . rc.unix-fu.firewall.txt script is the main core on which the rest of the scripts are based upon.firewall. There is nothing that says that this is the only and best way to go.Iptables Tutorial 1.firewall. Do note that these descriptions are extremely brief. http://people.9 Página 189 8. Hopefully this should explain more in detail how each script is structured and why they are structured in such a way.txt script. The rc. and should mainly just be seen as a brief explanation to what and why the scripts has been split down as they have. SLIPor some other protocol that assigns you an IP automatically. where you have one LAN and one Internet Connection.1.org/andreasson/iptables-tutorial/iptables-tutorial. For example. This script also makes the assumption that you have a static IP to the Internet. Mainly it was written for a dual homed network.

which stands for Destination Network Adress Translation.org/andreasson/iptables-tutorial/iptables-tutorial.0/24 and consists of a Trusted Internal Network. then we use DNAT. to send the packet on to our DNS on the DMZ network.firewall. one is to set 1-to-1 NAT.txt script was written for those people out there that has one Trusted Internal Network. You could then set the IP's to the DMZ'ed boxes as you wish.firewall.0. ie.txt The rc.1.1. One uses IP range 192. this tutorial will give you the tools to actually accomplish the firewalling and NAT'ing part.DMZ. one for the broadcast address and one for the network address. The other one uses IP range 192. The De-Militarized Zone is in this case 1-to-1 NAT'ed and requires you to do some IP aliasing on your firewall. You need to have two internal networks with this script as you can see from the picture. If the packet would not have been translated. the packet will be destined for the actual DNS internal network IP. and not to our external DNS IP. This is pretty much up to you to decide and to implement. There are several ways to get this to work. if someone from the internet sends a packet to our DNS_IP. For example.9 Página 190 rc. the DNS wouldn't have answered the packet.Iptables Tutorial 1. Do note that this will "steal" two IP's for you. another one if you have a whole subnet is to create a subnetwork.168. you must make the box recognise packets for more than one IP. giving the firewall one IP both internally and externally. but it will not tell you exactly what you need to do since it is out of the scope of the tutorial. one De-Militarized Zone and one Internet Connection. When the DNS sees our packet.unix-fu.DMZ.168.0/24 and consists of the De-Militarized Zone which we will do 1-to-1 NAT to. We will show a short example of how the DNAT code looks: http://people.html 21:25:51 10/06/2002 .

Iptables Tutorial 1.firewall. this script no longer uses the STATIC_IP variable. The reason is that this won't work together with a dynamic IP connection. However. PPP and SLIP connections to connect to the internet. http://people.firewall. When the reply to the DNAT'ed packet is sent through the firewall.txt script.txt script is pretty much identical to the original rc. By now you should have enough understanding of how everything works to be able to understand this script pretty well without any huge complications. If we actually get such a packet we give a target of DNAT. Then we look for TCP protocol on our $INET_IFACE with destination IP that matches our $DNS_IP. This is how basic DNAT works.txt. DNAT can only be performed in the PREROUTING chain of the nat table. mail me since it is probably a fault on my side.firewall.9 Página 191 $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP First of all. and is directed to port 53.txt The rc.DHCP. in other words the IP of the DNS on our DMZ network.firewall. that hasn't been gone through in the rest of the tutorial. If there is something you don't understand.1. which is the main change to the original rc. which is the TCP port for zone transfers between DNS's. it automatically gets un-DNAT'ed. rc. After that we specify where we want the packet to go with the --to-destination option and give it the value of $DMZ_DNS_IP. in other words Destination NAT.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial. I've had some people mail me and ask about the problem so this script will be a good solution for you. The actual changes needed to be done to the original script is minimal.DHCP.html 21:25:51 10/06/2002 . This script will allow people who uses DHCP. however.

unix-fu. check out the linuxguruz. You will find a link to the linuxguruz. the NAT'ed box would be unable to get to the HTTP because the INPUT chain would DROP the packets flat to the ground.org iptables site which has a huge collection of scripts available to download. and if so ACCEPT them. it is rather harsh to add and erase rules all the time.1.txt script. However. how would you do it without erasing your already active rules blocking the LAN? http://people. There is some more things to think about though. For example. that handles dynamic IP in a better sense. It is possible to get by. there are serious drawbacks with this approach. then try to access that IP. As you may read from above. but it is questionable.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. grep the correct line which contains the IP address and then cuts it down to a manageable IP address. --in-interface $LAN_IFACE --dst $INET_IP. 1. which could be some dyndns solution. We can no longer filter in the INPUT chain depending on. 2. it may be a good idea to grab a script. A good way to do this. upon bootup of the internet connection. I would definitely advise you to use that script if at all possible since this script is more open to attacks from the outside. for example. if you get rid of the NEW not SYN rules for example. If we go to the main page. If you got rules that are static and always want to be around. One great example is if we are running an HTTP on our firewall. we would get a real hard trouble. Also. This script might be a bit less secure than the rc. but at the same time operate a script from the PPP daemon. there is the possibility to add something like this to your scripts: INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1` The above would automatically grab the IP address of the $INET_IFACE variable. In other words -d $STATIC_IP has been changed to -i $INET_IFACE.9 Página 192 The main changes done to the script consists of erasing the STATIC_IP variable as I already said and deleting all referenses to this variable. This in turn forces us to filter only based on interfaces in such cases where the internal machines must access the internet adressable IP. the PPP daemon. In case we filter based on interface and IP. if you want to block hosts on your LAN to connect to the firewall.firewall. without hurting the already existing ones.org site from the Other resources and links appendix. for example. The NAT'ed box would ask the DNS for the IP of the HTTP server. or write one. but in such cases it could be gotten around by adding rules which checks the LAN interface packets for our INET_IP. which contains static links back to the same host.Iptables Tutorial 1. We could for example make a script that grabs the IP from ifconfig and adds it to a variable. it will hang all currently active connections due to the NEW not SYN rules (see the State NEW packets but no SYN bit set section). as described in the following list. would e to use for example the ip-up scripts provided with pppd and some other programs. This is pretty much the only changes made and that's all that's needed really. Instead of using this variable the script now does it's main filtering on the variable INET_IFACE. This also applies in a sense to the case where we got a static IP. For a good site. If the script is run from within a script which in turn is executed by.

HTTP and FTP access to the internet. In other words. but it does give a few hints at what we would normally let through etc. as seen above which in turn could lead to security compromises.html 21:25:51 10/06/2002 .txt http://people.Iptables Tutorial 1.txt The rc.UTIN.test-iptables. rc.firewall. rc. it is easier to spot problems. The only things we actually allow is POP3. This script follows the golden rule to not trust anyone. We also don't trust the internal users to access the firewall more than we trust users on the Internet.firewall. It may get unnecessarily complicated.org/andreasson/iptables-tutorial/iptables-tutorial. This script will hopefully give you some clues as to what you can do with your firewall to strengthen it up.9 Página 193 3. and to keep order in it.1.UTIN. It's not very different from the original rc.unix-fu. If the script is kept simple. We also disallow people on our LAN to do anything but specific tasks on the Internet.firewall. not even our own employees. but a large part of the hacks and cracks that a company gets hit by is a matter of people from their own staff perpetrating the hit.txt script will in contrast to the other scripts block the LAN that is sitting behind us.txt script. This is a sad fact. we don't trust anyone on any networks we are connected to.

After this we flush all chains first in the filter table and then in the NAT table. The rc.firewall script using redhat Linux syntax where you type something like rc.unix-fu. In other words.flush-iptables. All it really does is set some LOG targets which will log ping reply's and ping requests. This script is intended for actually setting up and troubleshooting your firewall.internet And tail -n 0 -f /var/log/messages while doing the first command. This way. This should show you all the different chains used and in which order.html 21:25:51 10/06/2002 . This script was written for testing purposes only. run this script and then do: ping -c 1 host. The script starts by setting the default policies to ACCEPT on the INPUT.9 Página 194 The rc. you will get information on which chain was traversed and in which order. When all of this is done. and hence we only care about opening the whole thing up and reset it to default values.firewall start and the script starts. it's not a good idea to have rules like this that logs everything of one sort since your log partitions might get filled up quickly and it would be an effective Denial of Service attack against you and might lead to real attacks on you that would be unlogged after the initial Denial of Service attack. such as turning on ip_forwarding. For example. unless the log entries are swapped around for some reason.org/andreasson/iptables-tutorial/iptables-tutorial. We do this first so we won't have to bother about closed connections and packets not getting through.test-iptables.txt script will reset and flush all your tables and chains. I will not do that since this is a tutorial and should be used as a place to fetch ideas mainly and it shouldn't be filled up with shell scripts and strange syntax. but it might need some tweaking depending on your configuration. One final word on this issue. POSTROUTING and OUTPUT chains of the nat table.flush-iptables. and setting up masquerading etcetera. However. When this step is done.1.the. Certain people has mailed me asking from me to put this script into the original rc.Iptables Tutorial 1. It will work for mostly everyone though who has all the basic set up and all the basic tables loaded into kernel. we consider the script done.on. Detailed explanations of special commands http://people.flush-iptables.txt The rc. After this we reset the default policies of the PREROUTING. Adding shell script syntax and other things makes the script harder to read as far as I am concerned and the tutorial was written with readability in mind and will continue being so. This way we know there is no redundant rules lying around anywhere. OUTPUT and FORWARD chains of the filter table.txt script can be used to test all the different chains. You may consider adding rules to flush your MANGLE table if you use it. rc.txt script should not really be called a script in itself. we jump down to the next section where we erase all the user specified chains in the NAT and filter tables.

though. We could get this by adding the verbose flag.168. it erases the first instance it finds matching your rule.9 Página 195 Listing your active ruleset To list your currently active ruleset you run a special option to the iptables command. it would be a bad idea.Iptables Tutorial 1. there are actually commands to flush them.168. rule and chain.unix-fu. ie 192. you might just change the -A parameter to -D in the line you added in error.org/andreasson/iptables-tutorial/iptables-tutorial. and translate everything possible to a more readable form. For example. it might be interesting to know what connections are currently in the conntrack table. If this is not the wanted behaviour you might try to use the -D option as iptables -D INPUT 10 which will erase the 10th rule in the INPUT chain. this will not change http://people.0/16 is a private range though and should not resolve to anything and the command will seem to hang while resolving the IP. It would then look something like this: iptables -L -n -v There is also a few files that might be interesting to look at in the /proc filesystem. To get around this problem we would do something like the following: iptables -L -n Another thing that might be interesting is to see a few statistics about each policy. 192. To see the table you can run the following command: cat /proc/net/conntrack | less The above command will show all currently tracked connections even though it might be a bit hard to understand everything. For example. in case you've got multiple lines looking exactly the same in the chain. which we have discussed briefly previously in the How a rule is built chapter. For example. it will translate all the different ports according to the /etc/services file as well as DNS all the IP addresses to get DNS records instead. This table can not be edited and even if it was possible. There is also instances where you want to flush a whole chain. If you added a rule in error.1. iptables will find the erroneous line and erase it for you. Updating and flushing your tables If at some point you screw up your iptables. I've actually gotten this question a couple times by now so I thought I'd answer it right here. iptables -F INPUT will erase the whole INPUT chain. This table contains all the different connections currently tracked and serves as a basic table so we always know what state a connection currently is in. This would look like the following: iptables -L This command should list your currently active ruleset.html 21:25:51 10/06/2002 . For example.1.1. to something useful. so you don't have to reboot. in this case you might want to run the -F option. The later can be a bit of a problem though.0. it will try to resolve LAN IP addresses.

but not the ip_conntrack_irc and ip_nat_irc modules and then do: /usr/local/sbin/iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT To allow Passive FTP but not DCC. you can for example allow Passive FTP connections. Reynolds.1. telling the client what address to connect to and what port to use. if you want to let people run IRC from your local network which is using a NAT'ed or masqueraded connection to the internet. the proceeding is reversed.File Transfer Protocol by J. do as how you set it to DROP. ip_nat_irc.firewall. If you for example want to allow Passive FTP. but not DCC send. this script will not erase those. To reset the chain policy. well.x kernels. Do note that the ip_nat_* modules are only needed in case you need and want to do Network Adress Translation on the connections. State NEW packets but no SYN bit set http://people. If you would want to do the reverse. For more information about Active and Passive FTP. but not allow DCC send functions with the new state matching code. In Passive FTP. that is what the ip_nat_ftp module does. during Active FTP the client sends the server an IP address and random port to use and then the server connects to this port on the client. you would load the ip_conntrack_ftp and ip_nat_ftp modules. Postel and J. Common problems and questionmarks Passive FTP but no DCC This is one of the really nice parts about the new iptables support in the 2. I have made a small script (available as an appendix as well) that will flush and reset your iptables that you might consider using while setting up your rc.txt file properly. for example iptables -P INPUT ACCEPT. you'd just load the ip_conntrack_irc and ip_nat_irc modules. read RFC 959 . The client tells the server that it wants to send or receive data and the server replies. so if this is set to DROP you'll block the whole INPUT chain if used as above. its quite simple once you get to think of it. it is rather simple to add the few lines needed to erase those but I have not added those here since the mangle table is not used in my rc. ie.Iptables Tutorial 1. In case your client sits behind a Network Address Translationing system (iptables). but not the ip_conntrack_ftp and ip_nat_ftp modules.txt script so far. if you start mucking around in the mangle table.org/andreasson/iptables-tutorial/iptables-tutorial. Just compile the ip_conntrack_irc. Without these modules they can't recognize these kinds of connections.unix-fu.html 21:25:51 10/06/2002 .4.9 Página 196 the default policy. ip_conntrack_ftp and ip_nat_ftp code as modules and not statically into the kernel. As you can understand from this document. One thing though. then the packets data section needs to be NAT'ed too. This RFC contains information regarding the FTP protocol and Active and Passive FTP and how they work.firewall. What these modules do is that they add support to the connection tracking machine and the NAT machine so they can distinguish and modify a Passive FTP connection or a DCC send connection. You may ask yourself how.

the packet will match to the rules and be logged and afterwards dropped to the ground.This does however lead to the fact that state NEW will allow pretty much any kind of TCP connection. regardless if this is the initial 3-way handshake or not.1. the connection tracking code will not recognise this connection as a legal connection since it has not seen packets in any direction on this connection before. This feature makes it possible to have two or more firewalls. then load the NEW not SYN packet rules.unix-fu.firewall. Another way to get this problem is to run the rc.org/andreasson/iptables-tutorial/iptables-tutorial. Hence. and the modules are loaded and unloaded each time you run the script. OUTPUT and FORWARD chain: $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP The above rules will take care of this problem.html 21:25:51 10/06/2002 . a huge warning is in it's place for this kind of behaviour on your firewall. also there will be no SYN bits set since it is not actually the first packet in the connection. another firewall. set the --log-headers option to the rule and log the headers too and you'll get a better look at what the packet looks like. The firewalling of the subnet could then be taken over by our secondary firewall. This feature is there because in certain cases we want to consider that a packet may be part of an already ESTABLISHED connection on. It will however not lead to broken connections to my knowledge. If you use state NEW. including me). The above rules will lead to certain conditions where packets generated by microsoft products gets labeled as a state NEW and hence get logged and dropped. packets with the SYN bit unset will get through your firewall. To put it simple. In this case. This is a badly documented behaviour of the netfilter/iptables project and should definitely be more highlighted. don't worry to much about this rule. In other words. or if you are worried anyways. when you start the PPP connection.9 Página 197 There is a certain feature in iptables that is not so well documented and may therefore be overlooked by a lot of people(yes. Start the connection tracking modules. Note that there is some troubles with the above rules and bad Microsoft TCP/IP implementations. Internet Service Providers who use assigned http://people. There is one more known problem with these rules.Iptables Tutorial 1. Finally. the telnet client or daemon tries to send something. and you have the script set to be activated when running a PPP connection. If someone is currently connected to the firewall. In other words. The matter is that when a connection gets closed and the final FIN/ACK has been sent and the state machine of netfilter has closed this connection and it is no longer in the conntrack table. you connect with telnet or some other stream connection. lets say from the LAN. the person previously connected through the LAN will be more or less killed. This only applies when you are running with the conntrack and nat codebases as modules. To take care of this problem we add the following rules to our firewalls INPUT. and for one of the firewalls to go down without any loss of data.txt script from a telnet connection from a host not on the actual firewall. for instance. At this point the faulty Microsoft implementation sends another packet which is considered as state NEW but lacks the SYN bit and hence gets matched by the above rules.

x. The problem you will most probably run into is that we.1/32 -j ACCEPT I would like to take my moment to bitch at these Internet Service Providers.unix-fu.0.x. ICMP types This is a complete listing of all ICMP types: Table 1.html 21:25:51 10/06/2002 . This is how it might look: /usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10. in this script.x. the swedish Internet Service Provider and phone monopoly Telia uses this approach for example on their DNS servers. Certain stupid Internet Service Providers use IP addresses assigned by IANA for their local networks on which you connect to. bit set Source routing failed Destination network unknown Destination host unknown Source host isolated (obsolete) Destination network administratively prohibited Destination host administratively prohibited Query x x x x x x x x x x x x Error http://people.Iptables Tutorial 1. do not allow connections from any IP addresses in the 10. which uses the 10.9 Página 198 IP addresses I have added this since a friend of mine told me something I have totally forgotten.x IP address range.x range to us. For large corporate sites it is more than ok. or you could just comment out that part of the script. or your own home network.x.1. because of spoofing possibilities. These IP address ranges are not assigned for you to use for dumb stuff like this. For example. Well. but you are not supposed to force us to open up ourself just because of some whince of yours. You might just insert an ACCEPT rule above the spoof section to allow traffic from those DNS servers. here is unfortunately an example where you actually might have to lift a bit on those rules. at least not to my knowledge. ICMP types TYPE CODE Description 0 3 3 3 3 3 3 3 3 3 3 3 0 0 1 2 3 4 5 6 7 8 9 10 Echo Reply Network Unreachable Host Unreachable Protocol Unreachable Port Unreachable Fragmentation needed but no frag.0.org/andreasson/iptables-tutorial/iptables-tutorial.

txt .unix-fu. A little bit short but a good reference for the IP networking controls and what they do to the kernel.4.Iptables Tutorial 1.from the 2.9 Página 199 3 3 3 3 3 4 5 5 5 5 8 9 10 11 11 12 12 13 14 15 16 17 18 11 12 13 14 15 0 0 1 2 3 0 0 0 0 1 0 1 0 Network unreachable for TOS Host unreachable for TOS Communication administratively prohibited by filtering Host precedence violation Precedence cutoff in effect Source quench Redirect for network Redirect for host Redirect for TOS and network Redirect for TOS and host Echo request Router advertisement Route sollicitation TTL equals 0 during transit TTL equals 0 during reassembly IP header bad (catchall error) Required options missing Timestamp request (obsolete) Timestamp reply (obsolete) x x x x x x x x x x x x x x x x 0 0 0 0 Information request (obsolete) Information reply (obsolete) Address mask request Address mask reply Other resources and links Here is a list of links to resources and where I have gotten information from.1. etc : ip-sysctl.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .14 kernel. http://people.

The official netfilter mailing-list.filewatcher.filewatcher.14 kernel. documentation and individuals who helped me.txt .org/unreliable-guides/netfilter-hacking-HOWTO/index. Rusty Russell. Also maintains a list of different iptables scripts for different purposes.Iptables Tutorial 1.html .org/netfilter-faq.filewatcher.html .Excellent discussion on automatic hardening of iptables and how to make small changes that will make your computer automatically add hostile sites to a special banlist in iptables. Also a good place to stat at when wondering what iptables and netfilter is about.islandsoft.samba.html . http://netfilter.Excellent linkpage with links to most of the pages on the internet about iptables and netfilter.docum.org/unreliable-guides/packet-filtering-HOWTO/index. One of the few documentations on how to write code in the netfilter and iptables userspace and kernel space codebase.org/mailman/listinfo/netfilter .filewatcher. Extremely useful in case you have questions about something not covered in this document or any of the other links here. http://netfilter.unix-fu.The official netfilter and iptables site.The iptables 1. http://netfilter.html . http://www.1. This is an HTML'ized version of the man page which is an excellent reference when reading/writing iptables rulesets.org/iptables/ .4. Always have it at hand. This was also written by Rusty Russell.4 man page.8 .filewatcher.org/ .org .org/andreasson/iptables-tutorial/iptables-tutorial. tc and the ip commands in Linux. iptables. http://www. It is a must for everyone wanting to set up iptables and netfilter in linux.2. Excellent documentation about Network Address Translation in iptables and netfilter written by one of the core developers. http://www.linuxguruz.org/unreliable-guides/NAT-HOWTO/index.Rusty Russells Unreliable Guide to packet filtering.Rusty Russells Unreliable Guide to Network Address Translation. http://lists. And of course the iptables source.net/veerapen. http://netfilter.html . http://people. A really short reference to the ip_dynaddr settings available via sysctl and the proc filesystem. Maintained by Stef Coene.The official netfilter Frequently Asked Questions.html 21:25:51 10/06/2002 .from the 2. One of the few sites that has any information at all about these programs.Rusty Russells Unreliable Netfilter Hacking HOWTO. Excellent documentation about basic packet filtering with iptables written by one of the core developers of iptables and netfilter.Excellent information about the CBQ. http://netfilter.9 Página 200 ip_dynaddr.

Both for making me realize I was thinking wrong about how packets traverse the basic NAT and filters tables and in which order they show up. For hinting me about strange ISP's and so on that uses reserved networks on the Internet. Frode E. For greatly improving the rc. Also a huge thanks for updating the tutorial to DocBook format with make files etc. Janssen. or at least on the internet for you. Kelly Ashe. And of course everyone else I talked to and asked for comments on this file.html 21:25:51 10/06/2002 .9 (21 March 2002) http://www. Peter Horst. Michiel Brandenburg. For helping me out with the graphics.boingworld.boingworld. Myles Uyema. For helping me out with some of the state matching code and getting it to work. I know I suck at graphics. Jeremy `Spliffy' Smith.8 (5 March 2002) http://www.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Version 1. Galen Johnson.1. Alexander W. History Version 1.1.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Vince Herried. Janne Johansson.). Jelle Kalf. For major updates to my horrible grammar and spelling. sorry for not mentioning everyone. Togan Muftuoglu. and you're better than most I know who do graphics. For giving me hints at stuff that might screw up for people and for trying it out and checking for errors in what I've written. Jason Lam and Evan Nemerson Version 1. Nyboe.boingworld.com/workshops/linux/iptables-tutorial/ http://people.unix-fu. Neil Jolly. Chapman Brad.firewall rules and giving great inspiration while i was to rewrite the ruleset and being the one who introduced the multiple table traversing into the same file. Kent `Artech' Stahre. Also thanks for checking the tutorial for errors etc.1.1. Mitch Landers. Marc Boucher. Anders 'DeZENT' Johansson. Thomas Smets. For helping me out on some aspects on using the state matching code.org/andreasson/iptables-tutorial/iptables-tutorial.7 (4 February 2002) http://www.Iptables Tutorial 1.9 Página 201 Acknowledgements I would like to thank the following people for their help on this document: Fabrice Marie.

Chris Tallon.1.org/andreasson By: Oskar Andreasson Version 1. Kurt Lieber.Emile Akabi-Davis and Jelle Kalf Version 1. Bill Dossett.unix-fu.1. Jacco van Koll and Dave Wreski Version 1.6 (7 December 2001) http://people.9 (9 September 2001) http://people.1.0.1. Erik Sjölund. Phil Schultz.1.unix-fu.7 (23 August 2001) http://people.4 (6 November 2001) http://people. Adam Mansbridge. Jensen.unix-fu.org/andreasson By: Oskar Andreasson Version 1.org/andreasson/iptables-tutorial/iptables-tutorial.1.1. Dave Wreski.3 (9 October 2001) http://people. Steve Hnizdur.org/andreasson By: Oskar Andreasson Contributors: Stig W. Chris Martin. Göran Båge.org/andreasson By: Oskar Andreasson Contributors: Dave Richardson Version 1.unix-fu.9 Página 202 By: Oskar Andreasson Contributors: Parimi Ravi. Rodrigo R.8 (7 September 2001) http://people. Steven McClintoc.unix-fu. Branco.unix-fu.Iptables Tutorial 1. Jonas Pasche. Phil Schultz.2 (29 September 2001) http://people.org/andreasson By: Oskar Andreasson Version 1.1.unix-fu. N. Jasper Aikema.unix-fu. Jan Labanowski.0 (15 September 2001) http://people.org/andreasson/ By: Oskar Andreasson Contributors: Jim Ramsey.unix-fu. Merijn Schering and Kurt Lieber Version 1. Vasoo Veerapen.0.5 (14 November 2001) http://people.org/andreasson By: Oskar Andreasson Version 1.1 (26 September 2001) http://people.html 21:25:51 10/06/2002 . Chris Pluta and Kurt Lieber Version 1.unix-fu. Doug Monroe. Version 1.org/andreasson By: Oskar Andreasson Contributors: Joni Chu.0. Aladdin and Rusty Russell.org/andreasson/ By: Oskar Andreasson Contributors: Fabrice Marie.

org/andreasson By: Oskar Andreasson Version 1. regardless of subject matter or whether it is published as a printed book.Iptables Tutorial 1.5 http://people.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie Version 1. It complements the GNU General Public License.6 http://people.0. which is a copyleft license designed for free software.html 21:25:51 10/06/2002 .unix-fu. Boston. it can be used for any textual work.1. We have designed this License in order to use it for manuals for free software. Inc. while not being considered responsible for modifications made by others. with or without modifying it. textbook. We recommend this License principally for works whose purpose is instruction or reference.0. Suite 330.unix-fu.1. This License is a kind of "copyleft". PREAMBLE The purpose of this License is to make a manual.unix-fu. but changing it is not allowed. APPLICABILITY AND DEFINITIONS http://people.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie GNU Free Documentation License Version 1. 59 Temple Place.unix-fu. or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it. 1.org/andreasson/iptables-tutorial/iptables-tutorial. March 2000 Copyright (C) 2000 Free Software Foundation. Secondarily. because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. this License preserves for the author and publisher a way to get credit for their work.9 Página 203 http://people. But this License is not limited to software manuals. 0. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. which means that derivative works of the document must themselves be free in the same sense. either commercially or noncommercially.

in the notice that says that the Document is released under this License. if the Document is in part a textbook of mathematics. "Title Page" means the text near the most prominent appearance of the work's title.1. A "Modified Version" of the Document means any work containing the Document or a portion of it. the title page itself. proprietary formats that can be read and edited only by proprietary word processors. and is addressed as "you". The "Invariant Sections" are certain Secondary Sections whose titles are designated. The "Cover Texts" are certain short passages of text that are listed. LaTeX input format. SGML or XML using a publicly available DTD. refers to any such manual or work. Examples of suitable formats for Transparent copies include plain ASCII without markup.org/andreasson/iptables-tutorial/iptables-tutorial. SGML or XML for which the DTD and/or processing tools are not generally available. For works in formats which do not have any title page as such. or with modifications and/or translated into another language. (For example. You may not use technical measures to obstruct or control the reading or further copying of the http://people.html 21:25:51 10/06/2002 . either commercially or noncommercially.9 Página 204 This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. A copy that is not "Transparent" is called "Opaque". legibly. commercial. and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. provided that this License. a Secondary Section may not explain any mathematics. preceding the beginning of the body of the text. philosophical. ethical or political position regarding them. or of legal. The "Title Page" means. A "Transparent" copy of the Document means a machine-readable copy. 2. either copied verbatim.unix-fu. and the license notice saying this License applies to the Document are reproduced in all copies. as Front-Cover Texts or Back-Cover Texts. and that you add no other conditions whatsoever to those of this License. and the machine-generated HTML produced by some word processors for output purposes only. Opaque formats include PostScript.) The relationship could be a matter of historical connection with the subject or with related matters. whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor. below. the copyright notices. as being those of Invariant Sections. Any member of the public is a licensee. PDF.Iptables Tutorial 1. for a printed book. represented in a format whose specification is available to the general public. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. the material this License requires to appear in the title page. The "Document". VERBATIM COPYING You may copy and distribute the Document in any medium. plus such following pages as are needed to hold. and standard-conforming simple HTML designed for human modification. Texinfo input format. in the notice that says that the Document is released under this License.

and Back-Cover Texts on the back cover. when you begin distribution of Opaque copies in quantity. you must do these things in the Modified Version: A. The front cover must present the full title with all words of the title equally prominent and visible. If you distribute a large enough number of copies you must also follow the conditions in section 3. and continue the rest onto adjacent pages. If the required texts for either cover are too voluminous to fit legibly. if any) a title distinct from that of the Document. However. 4. Copying with changes limited to the covers. You may use the same title as a previous version if the original publisher of that version gives permission. or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document. and from those of previous versions (which should. if there were any. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above. to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. 3.html 21:25:51 10/06/2002 . In addition. as long as they preserve the title of the Document and satisfy these conditions. clearly and legibly. Use in the Title Page (and on the covers. be listed in the History section of the Document). free of added material. but not required.unix-fu. COPYING IN QUANTITY If you publish printed copies of the Document numbering more than 100. You may also lend copies. you may accept compensation in exchange for copies. that you contact the authors of the Document well before redistributing any large number of copies. provided that you release the Modified Version under precisely this License. It is requested. can be treated as verbatim copying in other respects. which the general network-using public has access to download anonymously at no charge using public-standard network protocols. you must either include a machine-readable Transparent copy along with each Opaque copy. all these Cover Texts: Front-Cover Texts on the front cover.Iptables Tutorial 1. thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. You may add other material on the covers in addition. under the same conditions stated above. you must take reasonably prudent steps.org/andreasson/iptables-tutorial/iptables-tutorial. you should put the first ones listed (as many as fit reasonably) on the actual cover. http://people. with the Modified Version filling the role of the Document. and you may publicly display copies. and the Document's license notice requires Cover Texts. Both covers must also clearly and legibly identify you as the publisher of these copies.9 Página 205 copies you make or distribute. If you publish or distribute Opaque copies of the Document numbering more than 100. If you use the latter option.1. you must enclose the copies in covers that carry. to give them a chance to provide you with an updated version of the Document.

If there is no section entitled "History" in the Document. as the publisher. authors. List on the Title Page. and publisher of the Modified Version as given on the Title Page. L. and likewise the network locations given in the Document for previous versions it was based on. In any section entitled "Acknowledgements" or "Dedications". a license notice giving the public permission to use the Modified Version under the terms of this License. and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein. http://people. in the form shown in the Addendum below. J. These may be placed in the "History" section. D. create one stating the title. E. C. if it has less than five). Include.Iptables Tutorial 1. add their titles to the list of Invariant Sections in the Modified Version's license notice. H. F. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section. Preserve the section entitled "History". you may at your option designate some or all of these sections as invariant. These titles must be distinct from any other section titles. Section numbers or the equivalent are not considered part of the section titles. Preserve the network location. preserve the section's title.9 Página 206 B. and its title.html 21:25:51 10/06/2002 . Include an unaltered copy of this License.org/andreasson/iptables-tutorial/iptables-tutorial. as authors. or if the original publisher of the version it refers to gives permission. year. Preserve all the Invariant Sections of the Document. and publisher of the Document as given on its Title Page. G. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.unix-fu. Such a section may not be included in the Modified Version. one or more persons or entities responsible for authorship of the modifications in the Modified Version. year. M. You may omit a network location for a work that was published at least four years before the Document itself. together with at least five of the principal authors of the Document (all of its principal authors. and add to it an item stating at least the title. State on the Title page the name of the publisher of the Modified Version. new authors. Delete any section entitled "Endorsements". immediately after the copyright notices. then add an item describing the Modified Version as stated in the previous sentence. I. unaltered in their text and in their titles. if any. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice. To do this. N. Preserve all the copyright notices of the Document. K.1. given in the Document for public access to a Transparent copy of the Document. If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document.

and multiple identical Invariant Sections may be replaced with a single copy. and a passage of up to 25 words as a Back-Cover Text. previously added by you or by arrangement made by the same entity you are acting on behalf of.html 21:25:51 10/06/2002 . and list them all as Invariant Sections of your combined work in its license notice. provided it contains nothing but endorsements of your Modified Version by various parties--for example. in parentheses." 6. forming one section entitled "History". If the Document already includes a cover text for the same cover.org/andreasson/iptables-tutorial/iptables-tutorial. under the terms defined in section 4 above for modified versions. You must delete all sections entitled "Endorsements. and any sections entitled "Dedications". you must combine any sections entitled "History" in the various original documents. likewise combine any sections entitled "Acknowledgements". provided that you include in the combination all of the Invariant Sections of all of the original documents.Iptables Tutorial 1. 5.1.9 Página 207 You may add a section entitled "Endorsements". COMBINING DOCUMENTS You may combine the Document with other documents released under this License. you may not add another. provided you insert a copy of this License into the extracted document.unix-fu. COLLECTIONS OF DOCUMENTS You may make a collection consisting of the Document and other documents released under this License. http://people. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. but you may replace the old one. You may add a passage of up to five words as a Front-Cover Text. or else a unique number. provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version. the name of the original author or publisher of that section if known. and follow this License in all other respects regarding verbatim copying of that document. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. to the end of the list of Cover Texts in the Modified Version. The combined work need only contain one copy of this License. unmodified. If there are multiple Invariant Sections with the same name but different contents. and distribute it individually under this License. on explicit permission from the previous publisher that added the old one. In the combination. and replace the individual copies of this License in the various documents with a single copy that is included in the collection. statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. make the title of each such section unique by adding at the end of it. You may extract a single document from such a collection.

gnu.9 Página 208 7. 9.1. 10. the original English version will prevail. and this License does not apply to the other self-contained works thus compiled with the Document.Iptables Tutorial 1. if they are not themselves derivative works of the Document. revised versions of the GNU Free Documentation License from time to time.html 21:25:51 10/06/2002 . http://people. Such new versions will be similar in spirit to the present version. but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. In case of a disagreement between the translation and the original English version of this License. or rights.org/andreasson/iptables-tutorial/iptables-tutorial. but may differ in detail to address new problems or concerns. Any other attempt to copy. Otherwise they must appear on covers around the whole aggregate. sublicense. and will automatically terminate your rights under this License. then if the Document is less than one quarter of the entire aggregate. TRANSLATION Translation is considered a kind of modification.unix-fu. on account of their being thus compiled. parties who have received copies. modify. does not as a whole count as a Modified Version of the Document. AGGREGATION WITH INDEPENDENT WORKS A compilation of the Document or its derivatives with other separate and independent documents or works. provided no compilation copyright is claimed for the compilation. Replacing Invariant Sections with translations requires special permission from their copyright holders. TERMINATION You may not copy. FUTURE REVISIONS OF THIS LICENSE The Free Software Foundation may publish new. sublicense or distribute the Document is void. so you may distribute translations of the Document under the terms of section 4. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. See http://www. in or on a volume of a storage or distribution medium. or distribute the Document except as expressly provided for under this License.org/copyleft/. modify. Such a compilation is called an "aggregate". 8. However. If the Cover Text requirement of section 3 is applicable to these copies of the Document. You may include a translation of this License provided that you also include the original English version of this License.

1991 Free Software Foundation. and with the Back-Cover Texts being LIST. likewise for Back-Cover Texts. June 1991 Copyright (C) 1989. If you have no Invariant Sections. Suite 330. 0. Permission is granted to copy. Boston. we recommend releasing these examples in parallel under your choice of free software license. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to http://people. the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST".Iptables Tutorial 1.html 21:25:51 10/06/2002 . write "with no Invariant Sections" instead of saying which ones are invariant. but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. How to use this License for your documents To use this License in a document you have written. If the Document specifies that a particular numbered version of this License "or any later version" applies to it. distribute and/or modify this document under the terms of the GNU Free Documentation License. Inc.1 or any later version published by the Free Software Foundation.1. with the Invariant Sections being LIST THEIR TITLES. such as the GNU General Public License.9 Página 209 Each version of the License is given a distinguishing version number. 59 Temple Place. If your document contains nontrivial examples of program code. By contrast. If you have no Front-Cover Texts. Version 1. GNU General Public License Version 2. to permit their use in free software. you may choose any version ever published (not as a draft) by the Free Software Foundation.org/andreasson/iptables-tutorial/iptables-tutorial. A copy of the license is included in the section entitled "GNU Free Documentation License". If the Document does not specify a version number of this License. with the Front-Cover Texts being LIST. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. include a copy of the License in the document and put the following copyright and license notices just after the title page: Copyright (c) YEAR YOUR NAME.unix-fu.

You must make sure that they. they are outside its scope. These restrictions translate to certain responsibilities for you if you distribute copies of the software. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish). too. The precise terms and conditions for copying. if you distribute copies of such a program. For example. TERMS AND CONDITIONS FOR COPYING. (Hereinafter. Also. or if you modify it. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. translation is included without limitation in the term "modification". we are referring to freedom. To prevent this. a work containing the Program or a portion of it. distribution and modification follow. And you must show them these terms so they know their rights. and the output from the Program is covered only if its contents constitute a work based on the Program (independent of http://people. When we speak of free software. not price. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead. We protect your rights with two steps: (1) copyright the software.) Each licensee is addressed as "you".html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. whether gratis or for a fee. and that you know you can do these things. we want to make certain that everyone understands that there is no warranty for this free software.Iptables Tutorial 1. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses. 1. below. The act of running the Program is not restricted. Activities other than copying. for each author's protection and ours. refers to any such program or work. Finally.unix-fu.1. To protect your rights. too. distribute and/or modify the software. and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say. so that any problems introduced by others will not reflect on the original authors' reputations. The "Program". that you receive source code or can get it if you want it. either verbatim or with modifications and/or translated into another language. distribution and modification are not covered by this License. If the software is modified by someone else and passed on. DISTRIBUTION AND MODIFICATION 1.) You can apply it to your programs. receive or can get the source code. you must give the recipients all the rights that you have. we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights.9 Página 210 using it. we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. that you can change the software or use pieces of it in new free programs. any free program is threatened constantly by software patents. we want its recipients to know that what they have is not the original. in effect making the program proprietary. and (2) offer you this license which gives you legal permission to copy.

to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else. keep intact all the notices that refer to this License and to the absence of any warranty. you must cause it. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. Thus.unix-fu. 5. then this License. whose permissions for other licensees extend to the entire whole. You may copy and distribute verbatim copies of the Program's source code as you receive it. 2. and telling the user how to view a copy of this License.html 21:25:51 10/06/2002 . thus forming a work based on the Program. saying that you provide a warranty) and that users may redistribute the program under these conditions. the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. provided that you also meet all of these conditions: 1.) These requirements apply to the modified work as a whole. in any medium. If identifiable sections of that work are not derived from the Program. to be licensed as a whole at no charge to all third parties under the terms of this License. and its terms. Whether that is true depends on what the Program does. it is not the intent of this section to claim rights or contest your rights to work written entirely by you. when started running for such interactive use in the most ordinary way. your work based on the Program is not required to print an announcement. 3.Iptables Tutorial 1. If the modified program normally reads commands interactively when run. rather. and you may at your option offer warranty protection in exchange for a fee. You may modify your copy or copies of the Program or any portion of it.1. (Exception: if the Program itself is interactive but does not normally print such an announcement. that in whole or in part contains or is derived from the Program or any part thereof. and can be reasonably considered independent and separate works in themselves. and copy and distribute such modifications or work under the terms of Section 1 above. You must cause any work that you distribute or publish. You may charge a fee for the physical act of transferring a copy. mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.org/andreasson/iptables-tutorial/iptables-tutorial. provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty. do not apply to those sections when you distribute them as separate works. and thus to each and every part regardless of who wrote it. But when you distribute the same sections as part of a whole which is a work based on the Program. 4. the distribution of the whole must be on the terms of this License.9 Página 211 having been made by running the Program). In addition. and give any other recipients of the Program a copy of this License along with the Program. 3. You may copy and distribute the Program (or a work based on it. under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: http://people.

The source code for a work means the preferred form of the work for making modifications to it. modify.) 6. to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. Accompany it with a written offer. These actions are prohibited by law if you do not accept this License. which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. or rights. or. 8. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. the recipient automatically receives a license from the original licensor to copy. 10. parties who have received copies. for a charge no more than your cost of physically performing source distribution. complete source code means all the source code for all modules it contains. plus the scripts used to control compilation and installation of the executable. unless that component itself accompanies the executable. You are not responsible for enforcing compliance by third parties to this License. Each time you redistribute the Program (or any work based on the Program).org/andreasson/iptables-tutorial/iptables-tutorial. 7. If. C. Therefore. If distribution of executable or object code is made by offering access to copy from a designated place.Iptables Tutorial 1. and so on) of the operating system on which the executable runs. by modifying or distributing the Program (or any work based on the Program). Any attempt otherwise to copy.1. as a special exception. For an executable work. as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues). valid for at least three years. then offering equivalent access to copy the source code from the same place counts as distribution of the source code. However. even though third parties are not compelled to copy the source along with the object code. or. conditions are imposed on you (whether by court order. and will automatically terminate your rights under this License. to give any third party. or distribute the Program except as expressly provided under this License. the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler. Accompany it with the information you received as to the offer to distribute corresponding source code. a complete machine-readable copy of the corresponding source code. plus any associated interface definition files. 9. B. You are not required to accept this License.html 21:25:51 10/06/2002 . modify. distributing or modifying the Program or works based on it. sublicense. you indicate your acceptance of this License to do so. sublicense or distribute the Program is void. nothing else grants you permission to modify or distribute the Program or its derivative works. since you have not signed it. kernel. You may not copy. Accompany it with the complete corresponding machine-readable source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer.unix-fu. and all its terms and conditions for copying.9 Página 212 A. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. distribute or modify the Program subject to these terms and conditions. agreement or otherwise) that contradict the conditions of this License. they do not excuse you from http://people. in accord with Subsection b above. However. However.

then as a consequence you may not distribute the Program at all. If the Program does not specify a version number of this License. 11.9 Página 213 the conditions of this License. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. but may differ in detail to address new problems or concerns. 12. For example. it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. you may choose any version ever published by the Free Software Foundation. In such case. For software which is copyrighted by the Free Software Foundation. Each version is given a distinguishing version number. write to the author to ask for permission.Iptables Tutorial 1. the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. so that distribution is permitted only in or among countries not thus excluded. THERE IS NO WARRANTY FOR THE PROGRAM. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations. NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE. you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. we sometimes make exceptions for this.org/andreasson/iptables-tutorial/iptables-tutorial. this section has the sole purpose of protecting the integrity of the free software distribution system. if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system. this License incorporates the limitation as if written in the body of this License. 14. which is implemented by public license practices. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT http://people. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. TO THE EXTENT PERMITTED BY APPLICABLE LAW. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims. then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.1. If any portion of this section is held invalid or unenforceable under any particular circumstance. Such new versions will be similar in spirit to the present version. 13.html 21:25:51 10/06/2002 . write to the Free Software Foundation. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different. If the Program specifies a version number of this License which applies to it and "any later version".unix-fu.

if not.> Copyright (C) <year> <name of author> This program is free software. attach the following notices to the program. OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE. Inc. but WITHOUT ANY WARRANTY. BUT NOT LIMITED TO. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER. SPECIAL. either version 2 of the License. Boston. YOU ASSUME THE COST OF ALL NECESSARY SERVICING. EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.html 21:25:51 10/06/2002 . or (at your option) any later version. and you want it to be of the greatest possible use to the public.unix-fu. you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. END OF TERMS AND CONDITIONS 2. the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. You should have received a copy of the GNU General Public License along with this program. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 59 Temple Place.1.. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS).org/andreasson/iptables-tutorial/iptables-tutorial. <one line to give the program's name and a brief idea of what it does. How to Apply These Terms to Your New Programs If you develop a new program. REPAIR OR CORRECTION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. BE LIABLE TO YOU FOR DAMAGES. INCLUDING. write to the Free Software Foundation. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty. EITHER EXPRESSED OR IMPLIED. To do so. MA 02111-1307 USA http://people. and each file should have at least the "copyright" line and a pointer to where the full notice is found. Suite 330.9 Página 214 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND.Iptables Tutorial 1. SHOULD THE PROGRAM PROVE DEFECTIVE. See the GNU General Public License for more details. This program is distributed in the hope that it will be useful. INCLUDING ANY GENERAL. 16.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.Initial SIMPLE IP Firewall script for Linux 2. if necessary. Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY. the commands you use may be called something other than `show w' and `show c'. you may consider it more useful to permit linking proprietary applications with the library. If your program is a subroutine library.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. alter the names: Yoyodyne. 1 April 1989 Ty Coon. to sign a "copyright disclaimer" for the program. use the GNU Library General Public License instead of this License. they could even be mouse-clicks or menu items--whatever suits your program. This is free software. President of Vice This General Public License does not permit incorporating your program into proprietary programs. <signature of Ty Coon>. make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69. for details type `show w'. version 2 of the License.net> # # This program is free software.org/andreasson/iptables-tutorial/iptables-tutorial. You should also get your employer (if you work as a programmer) or your school. and you are welcome to redistribute it under certain conditions. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Example scripts codebase Example rc. Inc..1. If the program is interactive.firewall script #!/bin/sh # # rc. See the # GNU General Public License for more details.unix-fu. Here is a sample.Iptables Tutorial 1. # # This program is distributed in the hope that it will be useful. Of course.html 21:25:51 10/06/2002 .firewall .9 Página 215 Also add information on how to contact you by electronic and paper mail. if any. http://people. If this is what you want to do. # but WITHOUT ANY WARRANTY. hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. type `show c' for details.4.

# # # 1.236. /24 means to only use the first 24 # bits of the 32 bit IP adress.2 PPPoE # # # 1.2 Local Area Network configuration.0. # INET_IP="194. MA 02111-1307 USA # ########################################################################### # # 1. Boston. # # # 1.255.50.168.255.0 # LAN_IP="192.255.1.0.org/andreasson/iptables-tutorial/iptables-tutorial.4 Localhost Configuration.Iptables Tutorial 1.1" http://people. if not. the same as netmask 255. Configuration options.1.html 21:25:51 10/06/2002 . Suite 330.0. write to the Free Software Foundation. 59 Temple # Place.unix-fu.2" LAN_IP_RANGE="192.168.1 DHCP # # # 1.0/16" LAN_BCAST_ADRESS="192.1. Inc. # LO_IFACE="lo" LO_IP="127.3 DMZ Configuration.155" INET_IFACE="eth0" # # 1.1 Internet Configuration.255" LAN_IFACE="eth1" # # 1. # # your LAN's IP range and localhost IP.9 Página 216 # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.0.168..

unix-fu.html 21:25:51 10/06/2002 . # IPTABLES="/usr/sbin/iptables" # # 1.9 Página 217 # # 1.5 IPTables Configuration.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.1.org/andreasson/iptables-tutorial/iptables-tutorial.6 Other Configuration. /proc set up. Module loading. # ########################################################################### # # 2. # # # Needed to initially load modules # /sbin/depmod -a # # 2.Iptables Tutorial 1. # http://people.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.

1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.1.1.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.unix-fu.1.1 Filter table # # # 4.Iptables Tutorial 1.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets http://people. rules set up.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP. # ###### # 4.9 Página 218 # # 3.

9 Página 219 $IPTABLES -N udpincoming_packets # # 4.1.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT http://people.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.1.html 21:25:51 10/06/2002 .Iptables Tutorial 1.

4 INPUT chain # # # Bad TCP packets we don't want.9 Página 220 # # 4. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.org/andreasson/iptables-tutorial/iptables-tutorial.1.unix-fu.Iptables Tutorial 1.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward http://people.1. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.1.html 21:25:51 10/06/2002 .

9 Página 221 # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.6 OUTPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.2 nat table # # # 4. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.unix-fu.2 Create user specified chains # http://people.1. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.2.2.1 Set policies # # # 4. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above.RELATED -j ACCEPT # # Log weird packets that don't match the above.Iptables Tutorial 1.

2 Create user specified chains # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.2.6 FORWARD chain # http://people.3 mangle table # # # 4.3.3.5 INPUT chain # # # 4.2.3.Iptables Tutorial 1.1 Set policies # # # 4.6 OUTPUT chain # ###### # 4.3.3.unix-fu.9 Página 222 # # 4.1.4 PREROUTING chain # # # 4.3.2.2.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.3 Create content in user specified chains # # # 4.3 Create content in user specified chains # # # 4.html 21:25:51 10/06/2002 .4 PREROUTING chain # # # 4.

.DMZ IP Firewall script for Linux 2. write to the Free Software Foundation. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. # # This program is distributed in the hope that it will be useful. Suite 330.firewall .firewall script #!/bin/sh # # rc.4.1.3.50.DMZ.DMZ.50. # but WITHOUT ANY WARRANTY.236.152" HTTP_IP="194.3. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.unix-fu.50.153" DNS_IP="194.Iptables Tutorial 1.9 Página 223 # # 4.html 21:25:51 10/06/2002 .8 POSTROUTING chain # Example rc. # INET_IP="194. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.net> # # This program is free software. # # # 1.236. Boston. if not. MA 02111-1307 USA # ########################################################################### # # 1.7 OUTPUT chain # # # 4.236. Configuration options.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. Inc.154" INET_IFACE="eth0" http://people.1 Internet Configuration. 59 Temple # Place. See the # GNU General Public License for more details.org/andreasson/iptables-tutorial/iptables-tutorial. version 2 of the License.

Iptables Tutorial 1.1.9

Página 224

# # 1.1.1 DHCP # # # 1.1.2 PPPoE # # # 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1" # # 1.3 DMZ Configuration. # DMZ_HTTP_IP="192.168.1.2" DMZ_DNS_IP="192.168.1.3" DMZ_IP="192.168.1.1" DMZ_IFACE="eth2" # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. # ########################################################################### # # 2. Module loading. http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 225

# # # Needed to initially load modules # /sbin/depmod -a

# # 2.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 226

#echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 227

# # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # 4.1.4 INPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Packets from the Internet to this box # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # # Packets from LAN, DMZ or LOCALHOST # # # From DMZ Interface to DMZ firewall IP # $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT # # From LAN Interface to LAN firewall IP # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 228

# # From Localhost interface to Localhost IP # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT # # All established and related packets incoming from the internet to the # firewall # $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \ -j ACCEPT # # Logging rule # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.1.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# # DMZ section # # General rules # $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \ --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT # # HTTP server # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

1.1.Iptables Tutorial 1.RELATED -j ACCEPT # # LOG all packets reaching here # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.html 21:25:51 10/06/2002 .6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Allow ourself to send packets not spoofed everywhere # $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 229 $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ --dport 80 -j allowed $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ -j icmp_packets # # DNS server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j allowed $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j ACCEPT $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ -j icmp_packets # # LAN section # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.

Iptables Tutorial 1.1.9

Página 230

# # Logging rule # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2 nat table # # # 4.2.1 Set policies # # # 4.2.2 Create user specified chains # # # 4.2.3 Create content in user specified chains # # # 4.2.4 PREROUTING chain # # # Enable IP Destination NAT for DMZ zone # $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \ -j DNAT --to-destination $DMZ_HTTP_IP $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP # # 4.2.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 231

# # 4.2.6 OUTPUT chain # ###### # 4.3 mangle table # # # 4.3.1 Set policies # # # 4.3.2 Create user specified chains # # # 4.3.3 Create content in user specified chains # # # 4.3.4 PREROUTING chain # # # 4.3.5 INPUT chain # # # 4.3.6 FORWARD chain # # # 4.3.7 OUTPUT chain # # # 4.3.8 POSTROUTING chain #

Example rc.UTIN.firewall script
#!/bin/sh # # rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 232

# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA 02111-1307 USA # ########################################################################### # # 1. Configuration options. # # # 1.1 Internet Configuration. # INET_IP="194.236.50.155" INET_IFACE="eth0" # # 1.1.1 DHCP # # # 1.1.2 PPPoE # # # 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1"

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 233

# # 1.3 DMZ Configuration. # # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. # ########################################################################### # # 2. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.2 Non-Required modules #

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 234

#/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr

########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.unix-fu.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed http://people.9 Página 235 # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.1.

# $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from anywhere # $IPTABLES -A INPUT -p ICMP -j icmp_packets $IPTABLES -A INPUT -p TCP -j tcp_packets $IPTABLES -A INPUT -p UDP -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.1.4 INPUT chain # # # Bad TCP packets we don't want.5 FORWARD chain # http://people.9 Página 236 # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.unix-fu.1.html 21:25:51 10/06/2002 .1.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.

RELATED -j ACCEPT # # Log weird packets that don't match the above.9 Página 237 # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward between interfaces. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.org/andreasson/iptables-tutorial/iptables-tutorial. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above.6 OUTPUT chain # # # Bad TCP packets we don't want.1.1.Iptables Tutorial 1. # $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.html 21:25:51 10/06/2002 . # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.2 nat table http://people.unix-fu.

1.2.html 21:25:51 10/06/2002 .3 mangle table # # # 4.2 Create user specified chains # # # 4.3.1 Set policies # # # 4.4 PREROUTING chain # # # 4.Iptables Tutorial 1.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.unix-fu.2.3.2.3 Create content in user specified chains # # http://people.3 Create content in user specified chains # # # 4.6 OUTPUT chain # ###### # 4.9 Página 238 # # # 4.1 Set policies # # # 4.2.org/andreasson/iptables-tutorial/iptables-tutorial.2.2 Create user specified chains # # # 4.2.3.

Boston. Inc.3.8 POSTROUTING chain # Example rc.net> # # This program is free software.1. # # This program is distributed in the hope that it will be useful. Configuration options..html 21:25:51 10/06/2002 .4. Suite 330.6 FORWARD chain # # # 4.3.firewall script #!/bin/sh # # rc.5 INPUT chain # # # 4. version 2 of the License. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.3. # but WITHOUT ANY WARRANTY. 59 Temple # Place.DHCP.org/andreasson/iptables-tutorial/iptables-tutorial.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.3.4 PREROUTING chain # # # 4. MA 02111-1307 USA # ########################################################################### # # 1.7 OUTPUT chain # # # 4. # http://people.Iptables Tutorial 1. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.firewall . See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.9 Página 239 # 4. write to the Free Software Foundation.3.unix-fu. if not.DHCP IP Firewall script for Linux 2.

65" # # 1. # # Set DHCP variable to no if you don't get IP from DHCP. if needed. If you get DHCP # over the Internet set this variable to yes.1 DHCP # # # Information pertaining to DHCP over the Internet.255. This option will set a # rule in the PREROUTING chain of the mangle table which will clamp # (resize) all routed packets to PMTU (Path Maximum Transmit Unit).unix-fu. # # your LAN's IP range and localhost IP.9 Página 240 # # 1.0 # LAN_IP="192.1.168.1. # # If you have problem with your PPPoE connection. such as large mails not # getting through while small mail get through properly etc.0.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.168.0. # DHCP="no" DHCP_SERVER="195.0/16" http://people.90.Iptables Tutorial 1. you may set # this option to "yes" which may fix the problem.1 Internet Configuration. # INET_IFACE="eth0" # # 1. /24 means to only use the first 24 # bits of the 32 bit IP adress.22.2 PPPoE # # Configuration options pertaining to PPPoE. # PPPOE_PMTU="no" # # 1.1. # # Note that it is better to set this up in the PPPoE package itself. and set up the proper IP # adress for the DHCP server in the DHCP_SERVER variable. since # the PPPoE configuration option will give less overhead.2" LAN_IP_RANGE="192.2 Local Area Network configuration. the same as netmask 255.255.

3 DMZ Configuration.Iptables Tutorial 1. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2. # # # 1.0.org/andreasson/iptables-tutorial/iptables-tutorial.168.html 21:25:51 10/06/2002 .255.1" # # 1. # ########################################################################### # # 2. # LO_IFACE="lo" LO_IP="127.6 Other Configuration.5 IPTables Configuration.4 Localhost Configuration.0.9 Página 241 LAN_BCAST_ADRESS="192.unix-fu.1 Required modules # /sbin/modprobe ip_conntrack /sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_MASQUERADE http://people.255" LAN_IFACE="eth1" # # 1. # IPTABLES="/usr/sbin/iptables" # # 1.1.

1 Filter table # # # 4.9 Página 242 # # 2.2 Create userspecified chains # http://people. # # # 3.org/andreasson/iptables-tutorial/iptables-tutorial. rules set up. /proc set up.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.1.Iptables Tutorial 1.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. # ###### # 4.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.1.unix-fu.html 21:25:51 10/06/2002 .

1.org/andreasson/iptables-tutorial/iptables-tutorial.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.Iptables Tutorial 1.9 Página 243 # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.1.html 21:25:51 10/06/2002 .RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed http://people.unix-fu.

unix-fu.Iptables Tutorial 1.1. http://people. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.html 21:25:51 10/06/2002 .4 INPUT chain # # # Bad TCP packets we don't want.RELATED -j ACCEPT # # Log weird packets that don't match the above. then $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.9 Página 244 $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT if [ $DHCP == "yes" ] .1.org/andreasson/iptables-tutorial/iptables-tutorial. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \ --state ESTABLISHED.

org/andreasson/iptables-tutorial/iptables-tutorial. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # # Log weird packets that don't match the above.1.RELATED -j ACCEPT # # Log weird packets that don't match the above.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.1.unix-fu.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.Iptables Tutorial 1.html 21:25:51 10/06/2002 . # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.1. http://people.9 Página 245 # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.

Iptables Tutorial 1.2.5 POSTROUTING chain # if [ $PPPOE_PMTU == "yes" ] .org/andreasson/iptables-tutorial/iptables-tutorial.2 Create user specified chains http://people.2.2 nat table # # # 4.9 Página 246 # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2. then $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN.2.6 OUTPUT chain # ###### # 4.1 Set policies # # # 4.2 Create user specified chains # # # 4.1 Set policies # # # 4.3 Create content in user specified chains # # # 4.2.3.3.RST SYN \ -j TCPMSS --clamp-mss-to-pmtu fi $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE # # 4.3 mangle table # # # 4.html 21:25:51 10/06/2002 .2.unix-fu.1.4 PREROUTING chain # # # 4.

8 POSTROUTING chain # Example rc.3.7 OUTPUT chain # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 247 # # # 4.1. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.3 Create content in user specified chains # # # 4.html 21:25:51 10/06/2002 .flush-iptables script #!/bin/sh # # rc. # http://people.5 INPUT chain # # # 4.6 FORWARD chain # # # 4. version 2 of the License.3.4 PREROUTING chain # # # 4.Iptables Tutorial 1.flush-iptables . # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.3.unix-fu.3.Resets iptables to default values.3.3.net> # # This program is free software.

html 21:25:51 10/06/2002 . See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT # # reset the default policies in the mangle table.unix-fu.. # but WITHOUT ANY WARRANTY. # $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X http://people.Iptables Tutorial 1. write to the Free Software Foundation. # $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT # # reset the default policies in the nat table. # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F # # erase all chains that's not default in filter and nat table. Suite 330. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. if not. Boston. 59 Temple # Place. Inc.org/andreasson/iptables-tutorial/iptables-tutorial.1. MA 02111-1307 USA # # Configurations # IPTABLES="/usr/sbin/iptables" # # reset the default policies in the filter table.9 Página 248 # This program is distributed in the hope that it will be useful. # $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT # # flush all the rules in the filter and nat tables.

# iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat PREROUTING:" http://people. Suite 330. See the # GNU General Public License for more details. # # This program is distributed in the hope that it will be useful.net> # # This program is free software.test-iptables script #!/bin/bash # # rc..1. Boston.unix-fu. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.html 21:25:51 10/06/2002 . # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. write to the Free Software Foundation.9 Página 249 Example rc.test-iptables . 59 Temple # Place. all chains # iptables -t filter -A INPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter FORWARD:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter FORWARD:" # # NAT table. all chains except OUTPUT which don't work. MA 02111-1307 USA # # # Filter table. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. version 2 of the License. # but WITHOUT ANY WARRANTY. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. if not. Inc.org/andreasson/iptables-tutorial/iptables-tutorial.test script for iptables chains and tables.Iptables Tutorial 1.

http://people.9 Página 250 iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat OUTPUT:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat OUTPUT:" # # Mangle table.unix-fu.Iptables Tutorial 1. all chains # iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle OUTPUT:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle OUTPUT:" Done.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .1.

Sign up to vote on this title
UsefulNot useful