Iptables Tutorial 1.1.

9

Página 1

Iptables Tutorial 1.1.9
Oskar Andreasson
blueflux@koffein.net

Copyright © 2001 by Oskar Andreasson

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all subsections, with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no BackCover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 of the License. These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License within this tutorial, under the section entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Table of Contents Introduction Why this document was written How it was written About the author Dedications Preparations Where to get iptables Kernel setup 1 userland setup Compiling the userland applications http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 2

Installation on Red Hat 7.1 How a rule is built Basics Tables Commands Matches Generic matches Implicit matches Explicit matches Targets/Jumps ACCEPT target DROP target QUEUE target RETURN target LOG target MARK target REJECT target TOS target MIRROR target SNAT target DNAT target MASQUERADE target REDIRECT target TTL target ULOG target Traversing of tables and chains General Mangle table 1 Nat table 2 Filter table rc.firewall file example rc.firewall explanation of rc.firewall Configuration options http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 3

Initial loading of extra modules proc set up Displacement of rules to different chains Setting up the different chains used INPUT chain The TCP allowed chain The ICMP chain The TCP chain The UDP chain OUTPUT chain FORWARD chain PREROUTING chain of the nat table Starting the Network Address Translation Example scripts rc.firewall.txt script structure The structure rc.firewall.txt rc.DMZ.firewall.txt rc.DHCP.firewall.txt 10. rc.UTIN.firewall.txt rc.test-iptables.txt rc.flush-iptables.txt Detailed explanations of special commands Listing your active ruleset Updating and flushing your tables Common problems and questionmarks Passive FTP but no DCC State NEW packets but no SYN bit set Internet Service Providers who use assigned IP addresses ICMP types Other resources and links Acknowledgements History GNU Free Documentation License 0. PREAMBLE 1. APPLICABILITY AND DEFINITIONS 2. VERBATIM COPYING http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 4

3. COPYING IN QUANTITY 4. MODIFICATIONS 1. 5. COMBINING DOCUMENTS 6. COLLECTIONS OF DOCUMENTS 7. AGGREGATION WITH INDEPENDENT WORKS 8. TRANSLATION 9. TERMINATION 10. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents GNU General Public License 0. Preamble 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. 2. How to Apply These Terms to Your New Programs Example scripts codebase Example rc.firewall script Example rc.DMZ.firewall script Example rc.UTIN.firewall script Example rc.DHCP.firewall script Example rc.flush-iptables script Example rc.test-iptables script

Introduction Why this document was written
Well, I found a big empty space in the HOWTO's out there lacking in information about the iptables and netfilter functions in the new Linux 2.4.x kernels. Among other things, I'm going to try to answer questions that some might have about the new possibilities like state matching. Is it possible to allow passive FTP to your server, but not allow outgoing DCC from IRC as an example? I will build this all up from an example rc.firewall.txt file that you can use in your /etc/rc.d/ scripts. Yes, this file was originally based upon the masquerading HOWTO for those of you who recognize it. Also, there's a small script that I wrote just in case you screw up as much as I did during the configuration available as rc.flush-iptables.txt.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 5

How it was written
I've placed questions to Marc Boucher and others from the core netfilter team. A big thanks going out to them for their work and for their help on this tutorial that I wrote and maintain for boingworld.com. This document will guide you through the setup process step by step, hopefully make you understand some more about the iptables package. I will base most of the stuff here on the example rc.firewall file since I find that example to be a good way to learn how to use iptables. I have decided to just follow the basic chains and from there go down into each and one of the chains traversed in each due order. This tutorial has turned a little bit harder to follow this way but at the same time it is more logical. Whenever you find something that's hard to understand, just consult this tutorial.

About the author
I'm someone with too many old computers on my hands, sitting with my own LAN and wanting them all to be connected to the Internet, at the same time having it fairly secure. The new iptables is a good upgrade from the old ipchains in this regard. Before, you could make a fairly secure network by dropping all incoming packages not destined to certain ports, but this would be a problem with things like passive FTP or outgoing DCC in IRC, which assigns ports on the server, tells the client about it, and then lets the client connect. There was some child diseases in the iptables code that I ran into in the beginning, and in some respects I found the code not quite ready for release in full production. Today, I'd recommend everyone who uses ipchains or even older ipfwadm etc to upgrade unless they're happy with what their current code is capable of and if it does what they need it to.

Dedications
First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She has supported me more than I ever can support her to any degree. I wish I could make you just as happy as you make me. Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who makes this wonderful operating system possible.

Preparations
This chapter is aimed at getting you started and to help you understand the role netfilter and iptables play in Linux today. This chapter should hopefully get you set up and finished to go with your experimentation and installation of a firewall which should hopefully run smoothly in the future.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

PPP and SLIP interfaces. Ethernet adapter. You won't be able to do anything to be pretty honest. For example. CONFIG_IP_NF_MATCH_LIMIT . ie. Here we will show you the options available in a basic 2.txt to work.firewall. this is most definitely required if for anything in this tutorial to work at all. An example would be tcpdump or snort. you need to set up the proper configuration options in your kernel. masquerading or NAT.This module is needed to make connection tracking.This option is required if you're going to use your computer as a firewall or gateway to the internet. this option compiles the helper.unix-fu. CONFIG_NETFILTER .1.9 Página 6 Where to get iptables The iptables userspace package can be downloaded from the netfilter homepage. http://people. In other words. This option provides the LIMIT match. Connection tracking is used by. If you don't add this module you won't be able to FTP through a firewall or gateway properly. among other things. And of course you need to add the proper drivers for your interfaces to work properly. The above will only add some of the pure basics in iptables.Iptables Tutorial 1. it just adds the framework to the kernel.This module isn't exactly required but it's used in the example rc. The iptables package also makes use of kernel space facilities which can be configured into the kernel during make configure. For example.firewall. this module is required by the rc. Kernel setup To run the pure basics of iptables you need to configure the following options into the kernel while doing make config or one of it's related commands: CONFIG_PACKET .org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .9 kernel and a brief explanation : CONFIG_IP_NF_CONNTRACK .4. This module can also be used to avoid certain Denial of Service attacks.txt. I assume you'll want this since you're reading this at all. -m limit --limit 3/minute would match a maximum of 3 packets per minute. NAT and Masquerading.This module is required if you want to do connection tracking on FTP connections. If you want to use the more advanced options in IPTables. It adds the whole iptables identification framework to kernel. Since FTP connections are quite hard to do connection tracking on in normal cases conntrack needs a so called helper. If you need to firewall machines on a LAN you most definitely should mark this option. The necessary pieces will be discussed a bit further down in this document.This option allows applications and programs that needs to work directly to certain network devices. Without this you won't be able to do anything at all with iptables. CONFIG_IP_NF_IPTABLES . CONFIG_IP_NF_FTP . that adds the possibility to control how many packets per minute that's supposed to be matched with a certain rule.This option is required if you want do any kind of filtering.

With this match we can match packets based on their TOS field.firewall.unix-fu.This allows us to match packets based on MAC addresses. This module is required if you plan to do any kind of filtering on packets that you receive and send.txt example. Note that this match is still experimental and might not work perfectly in all cases. For example. TOS stands for Type Of Service. CONFIG_IP_NF_MATCH_TOS . CONFIG_IP_NF_MATCH_MARK . and further down we will describe the actual target MARK. Mind you that TCP connections are always reset or refused with a TCP RST packet. CONFIG_IP_NF_TARGET_MIRROR .org/andreasson/iptables-tutorial/iptables-tutorial. UDP and ICMP packets that looks strange or are invalid. FORWARD and OUTPUT chains. We could for example drop these packets.This target allows us to specify that an ICMP error message should be sent in reply to incoming packets instead of plainly dropping them dead to the floor. if we set up a MIRROR target on destination port HTTP on our INPUT chain and someone tries to access this port we would plainly bounce his packets back to himself and finally he would see his own homepage. Note that this match is still experimental and might not work for everyone. We don't use this option in the rc. if we use the target MARK we could mark a packet and then depending on if this packet is marked further on in the table. CONFIG_IP_NF_MATCH_TCPMSS .txt example or anywhere else. This option is the actual match MARK. we can match based on this mark. This module was originally just written as an example on what could be done with the new iptables.This module will add the basic filter table which will enable you to do basic filtering.1. CONFIG_IP_NF_FILTER .This allows us to use a MARK match. we can allow only the user root to have Internet access. TOS can also be set by certain rules in the mangle table and via the ip/tc commands. CONFIG_IP_NF_MATCH_STATE .This module will add the possibility for us to match IP. this packet will be counted as ESTABLISHED.Iptables Tutorial 1.This module allows us to match packets with a whole range of destination ports or source ports. CONFIG_IP_NF_TARGET_REJECT . but we never know if they are legitimate or not. if we've already seen trafic in two directions in a TCP connection. In the filter table you'll find the INPUT. For example. For example.This option will add the possibility for us to do matching based on the owner of a socket. For example.firewall. With this module we can do stateful matching on packets. CONFIG_IP_NF_MATCH_MULTIPORT .html 21:25:51 10/06/2002 . This module is used extensively in the rc.This is one of the biggest news in comparison to ipchains. Every Ethernet adapter has it's own MAC address.This option adds the possibility for us to match TCP packets based on their MSS field. CONFIG_IP_NF_MATCH_OWNER . CONFIG_IP_NF_MATCH_UNCLEAN . but with this match it is. TCP. Normally this wouldn't be possible.9 Página 7 CONFIG_IP_NF_MATCH_MAC .This allows packets to be bounced back to the sender of the packet. http://people. We could for instance block packets based on what MAC address used and block a certain computer pretty well since the MAC address don't change.

I have briefly explained what kind of extra behaviours you can expect from each module here. CONFIG_IP_NF_TARGET_REDIRECT . we have the possibility to make a transparent proxy this way. masquerading etc. there is a heap of options.This target is useful together with proxies for example. In other words.2 kernels to 2. this option is required for the example rc.firewall. or as modules. look at the example firewall scripts section.4. If you would like to get a look at more options. unless you are able to provide unique IP addresses for all hosts.This adds the LOG target to iptables and the functionality of it. With this option we can do port forwarding. These functions should be added in the future. If you need help with the options that the other scripts needs. CONFIG_IP_NF_TARGET_TCPMSS . You will need the following options compiled into your kernel. These are only the options available in a vanilla Linux 2. or NAT. and most definitely on your network if you do not have the ability to add unique IP addresses as specified above. As you can see. but mostly is.firewall.9 Página 8 CONFIG_IP_NF_NAT . Instead of letting a packet pass right through. I suggest you look at the patch-o-matic functions in netfilter userland which will add heaps of other options in the kernel. CONFIG_IP_NF_TARGET_LOG . we'll be able to handle what the authors of netfilter themself call "criminally braindead ISPs or servers" in the kernel configuration help. for the rc.org/andreasson/iptables-tutorial/iptables-tutorial.This module adds the MASQUERADE target. We can use this module to log certain packets to syslogd and hense see the packet further on.Adds a compatibility mode with the old ipchains. This may be for various reasons such as the patch not being stable yet.unix-fu.4 kernels since it may well be gone with kernel 2. PPP.9 kernel. POM fixes are additions that are supposed to be added in the kernel in the future but has not quite reached the kernel yet. Masquerading gives a slightly higher load on the computer than NAT does.This module allows network address translation. CONFIG_IP_NF_TARGET_MASQUERADE . ssh works but scp dies after handshake. Do not look at this as any real long term solution for solving migration from Linux 2. Do absolutely not look at this as a real long term solution. if we use DHCP.txt script to work. SLIP or some other connection that dynamically assigns us an IP. but has not quite made it in yet.html 21:25:51 10/06/2002 . http://people. etcetera. in it's different forms.Compatibility mode with old ipfwadm.Iptables Tutorial 1. This can result in webpages not getting through. Note that this option is is not required for firewalling and masquerading of a LAN.txt to work properly. CONFIG_IP_NF_COMPAT_IPFWADM . but will work without us knowing the IP in advance. small mails getting through while larger mails don't get through. This could be useful for forensics or debugging a script you're writing. Hence. to Linus Torvalds being unable to keep up or not wanting to let the patch in to the mainstream kernel yet since it is still experimental.This option can be used to overcome Internet Service Providers and servers who block ICMP Fragmentation Needed packets. CONFIG_IP_NF_COMPAT_IPCHAINS . For instance if we don't know what IP we have to the Internet this would be the preferred way of getting the IP instead of using DNAT or SNAT.6. we need to use this target instead of SNAT. This way. we remap them to go to our local box instead. We can then use the TCPMSS target to overcome this by clamping our MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit). In other words.1.

using bzip2 -cd iptables-1.1 it is disabled per default.2.2. this may not work with older versions of tar).unix-fu.html 21:25:51 10/06/2002 .tar. which should do pretty much the same as the first command. let's look at how we compile the iptables package.1.bz2 | tar -xvf .3/INSTALL file which contains pretty good information on compiling and getting the program to run. However. In the other example scripts I will explain what requirements they have in their respective section. and other distributions further on in this chapter Compiling the userland applications First of all unpack the iptables package.2. This compilation goes quite a lot hand in hand with the kernel configuration and compilation so you are aware of this. For now.(this can also be accomplished with the tar -xjvf iptables-1. Here.org/andreasson/iptables-tutorial/iptables-tutorial.3 package and a vanilla 2.3. For more information read the iptables-1. we have used the iptables 1.3.1.9 kernel. one of these are Red Hat 7.firewall. Certain distributions comes with the iptables package preinstalled.tar. Hopefully the package should now be unpacked properly into a directory named iptables-1. Unpack as usual. in Red Hat 7.bz2.Iptables Tutorial 1. userland setup First of all. However.2. We will check closer on how to enable it on this.txt script.2.9 Página 9 CONFIG_PACKET CONFIG_NETFILTER CONFIG_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE The above will be required at the very least for the rc. http://people.3.4. lets try to stay focused on the main script which you should be studying now.

there are some even more experimental patches further along. there is the option to install extra modules and options etcetera to the kernel.The step described here will only check patches that are pending for inclusion to the kernel. However. there are heaps of extremely interesting matches and targets in this installation step so don't be afraid of at least looking at them.org/andreasson/iptables-tutorial/iptables-tutorial. though. Normally this should be /usr/src/linux/ but this may vary. To be able to install all of the patch-o-matic stuff you will need to run the following command: make patch-o-matic KERNEL_DIR=/usr/src/linux/ Don't forget to read the help for each patch thoroughly before doing anything. Some of these are highly experimental and may not be a very good idea to install.1.Iptables Tutorial 1. After this you are finished doing the patch-o-matic parts of installation. Note that we say ask.html 21:25:51 10/06/2002 . because that's what these commands actually do. http://people. there are some really interesting things in the patch-o-matic that you may want to look at so there's nothing bad in just running the commands and see what they contain. They ask you before anything is changed in the kernel source. Don't forget to configure the kernel again since the new patches probably are not added to the configured options and so on. you may either compile a new kernel making use of the new patches that you have added to the source. You may wait with the kernel compilation until after the compilation of the userland program iptables if you feel like it. To do this step we do something like this from the root of the iptables package: make pending-patches KERNEL_DIR=/usr/src/linux/ The variable KERNEL_DIR should point to the actual place that your kernel source is located at.unix-fu. which may only be available when you do some other steps. Some patches will destroy other patches while others may destroy your kernel if used together with some patches from patch-o-matic etc. However. but still skip the most extreme patches that might cause havoc in your kernel. You may totally ignore the above steps if you don't want to patch your kernel. There might be more patches and additions that the developers of netfilter are about to add to the kernel.9 Página 10 After this. it is in other words not necessary to do the above. but is a bit further away from actually getting there. One way to install these are by doing the following: make most-of-pom KERNEL_DIR=/usr/src/linux/ The above command would ask about installing parts of what in netfilter world is called patch-omatic. and most probably you will know yourself where the kernel source is available. This only asks about certain patches that are just about to enter the kernel anyways.

For more information about installing the userland applications from source. To do this. or to not run it if it was not previously started. To compile iptables you issue a simple command that looks like this: make KERNEL_DIR=/usr/src/linux/ The userland application should now compile properly.1 installation today comes with an utterly old version of the userspace applications so you might want to compile a new version of the applications as well as install a new and homecompiled kernel before fully exploiting iptables. Installation on Red Hat 7. let's take a brief look at how to turn the module off and how to install iptables instead. If everything has worked smoothly. The default Red Hat 7. So.x kernel that has netfilter and iptables compiled in. Now the service won't be started in the future. you would issue the following command to install them: make install KERNEL_DIR=/usr/src/linux/ Hopefully everything should work in the program now. Annoying to say the least. they have disabled the whole thing by using the backwards compatible ipchains module.d/ directory-structure.unix-fu. This is the service command which can be used to work on currently running services. you're on your own. you will need to change some filenames in the /etc/rc.1. To do this. if not.html 21:25:51 10/06/2002 . however. check the INSTALL file in the source which contains excellent information on the subject of installation. The following command should do it: chkconfig --level 0123456 ipchains off By doing this we move all the soft links that points to the real script to K92ipchains.org/andreasson/iptables-tutorial/iptables-tutorial. to stop the service from actually running right now we need to run another command. try to think logically about it and find out what's wrong or get someone to help you. and a lot of people are asking different mailing lists why iptables don't work. or possibly try the netfilter mailing list who might help you with your problems. There is a few things that might go wrong with the installation of iptables so don't panic if it won't work. We would then issue http://people. First of all you will need to turn off the ipchains modules so it won't start in the future. However. It also contains all the basic userland programs and configuration files that is needed to run it. The first letter which per default would be S tells the initscripts to start the script. By changing this to K we tell it to Kill the service instead.1 Red Hat 7. you're ready to install the binaries by now.9 Página 11 Continue by compiling the iptables userland application. To use any of the changes in the iptables userland applications you should definitely recompile and reinstall your kernel by now if you haven't done so before.4.1 comes preinstalled with a 2.Iptables Tutorial 1.

Full multiuser mode.d script. It may also be erased by updating from the iptables RPM package. The other way to save the script would be to use service iptables save which would save the script http://people. 3 and 5. The second way of doing the set up would require the following steps to be taken. Note. don't forget to edit a the stop) section either which tells the script what to do when the computer is going down for example. Also. Note that this set up may be automatically erased if you have. don't forget to check out the restart section and condrestart. when you need to fix a screwed up box. These runlevels are used for the following things: 2. and don't forget to experiment a bit. X11. To activate the iptables service. You could either use it normally.Iptables Tutorial 1. Also. First of all. and level 6 is for shutting the computer down. to start the iptables service. ie. make and write a ruleset in a file. for example.9 Página 12 the following command to stop the ipchains service: service ipchains stop Finally. This is used if you automatically boot into Xwindows.d/init. To add rules that should be run when the computer starts the service. The other way would be to load the ruleset and then save them with the iptables-save command and then have it loaded automatically by the rc. 3. Level 1 is for single user mode. there is no rules in the iptables script. the normal runlevel to run in.org/andreasson/iptables-tutorial/iptables-tutorial. However.d scripts. 5. that will meet your requirements. 3 and 5. we need to know which runlevels we want it to run in. so you should not really need to activate it for those runlevels.d/iptables script. This file is automatically used by the iptables rc.1. or directly with iptables. To add rules to an Red Hat 7. First of all. if you add the rules under the start) section don't forget to stop the start() function from running in the start) section. First we will describe the possibility of doing the set up by cut and paste to the iptables init. or when we are entering a runlevel that don't require iptables to run. Multiuser without NFS or the same as 3 if there is no networking.html 21:25:51 10/06/2002 . ie. such as iptables-save > /etc/ sysconfig/iptables which would save the ruleset to the file /etc/sysconfig/iptables. there is two common ways. use the iptables-save command. First of all. Level 4 should be unused.d script to restore the ruleset in the future. Normally this would be in runlevel 2. you chould edit the /etc/rc. or in the start() function. none of the other runlevels should be used. If you'd like the iptables service to run in some other runlevel you would have to issue the same command in those. we just run the following command: service iptables start Of course. Red Hat Network automatically updating your packages.1 box. you add them under the start) section. This would have the bad effect that the rules would be deleted if you updated the iptables package by RPM.unix-fu. When you find a set up that works without problems or bugs as you can see. To make iptables run in these runlevels we would do the following commands: chkconfig --level 235 iptables on The above commands would in other words make the iptables service run in runlevel 2.

instruction. This step is only necessary if you will install iptables from the source package. Also. None of the old binaries. we have used this way of writing rules since it is the most usual way of writing them.9 Página 13 automatically to this file. we perform the target. you would do this normally to get a better readability. etc: rpm -e ipchains After all this is done you are finished to update the iptables package from source according to the source installation instructions.d script will use the command iptables-restore to restore the ruleset from the save-file /etc/sysconfig/ iptables. however.html 21:25:51 10/06/2002 . A rule could be described as the pure rules the firewall will follow when blocking different connections and packets in each chain. the iptables rc. http://people. libraries or include files etc should be lying around any more. When all of these steps are finished we can deinstall the currently installed ipchains and iptables packages. We do this since we don't want the system to mix up the new iptables userland application with the old preinstalled iptables applications. It's not unusual that the new and the old package get's mixed up since the rpm based installation installs the package in non-standard places and won't get overwritten by the installation for the new iptables package.unix-fu. Each line you write that's inserted to a chain should be considered a rule. Normally we would write a rule something like this: iptables [-t table] command [match] [target/jump] There is nothing that says that the target instruction must be last in the line. why keep ipchains lying around when it is of no use? That is done the same way as with the old iptables binaries. If all the criterias. or jump. or matches. are met. Basics As we've already explained each rule is a line that the kernel looks at to find out what to do with a packet.1. Do not intermix this and the previous set up instruction since they may heavily damage eachother and render each and one useless. We will also discuss the basic matches that str available and how to use them as well as the different targets and how we can make new targets to use (ie. When you reboot the computer in the future.org/andreasson/iptables-tutorial/iptables-tutorial. How a rule is built This chapter will discuss in legth how to build your rules. new subchains). if you read someone elses script you'll most likely recognise the way of writing a rule and understand it quickly. Hence. To do the deinstallation.Iptables Tutorial 1. do as follows: rpm -e iptables And of course.

Iptables Tutorial 1. for example to insert a rule or to add a rule to the end of the chain. The match is the part which we send to the kernel that says what a packet must look like to be matched. The following options are available to the -t command: Table 1. The PREROUTING chain is used to alter packets as soon as they get in to the firewall. This is one reason why you should not do any filtering in this table.1. you could insert the table specification where [table] is specified. Finally we have the target of the packet.html 21:25:51 10/06/2002 . This tells the iptables command what to do. or we could tell kernel to send a specified reply to be sent back. The first packet of a stream is allowed. We could tell the kernel to send the packet to another chain that we create ourself. If all the matches are met for a packet we tell the kernel to perform this action on the packet. on the firewall) before they get to the routing decision. however. It is not required to put the table specification at this location. the command should always be first. The rest of the packets in the same stream are automatically NAT'ed or Masqueraded etc. We could tell the kernel to drop this packet dead and do no further processing. Tables The -t option specifies which table to use. We use this first variable to tell the program what to do. One thing to think about though. Packets in a stream only traverse this table once. or which network interface the packet must come from etc. either. The rest of the packets in the stream will in other words not go through this table again.9 Página 14 If you want to use another table than the standard table. However. but instead they will automatically have the same actions taken to them as the first packet in the stream. we presume. As with the rest of the content in this section. we'll look closer at them further on in the chapter.unix-fu. Tables Table nat Explanation The nat table is used mainly for Network Address Translation. it is more or less standard to put the table specification at the beginning of the commandline. or to delete a rule. it is not necessary to specify it explicitly all the time since iptables per default uses the filter table to implement your commands on. Note that OUTPUT is currently broken. Per default. http://people. We could specify what IP address the packet must come from. We will enter this a bit further on. or directly after the table specification. Finally we have the POSTROUTING chain which is used to alter packets just as they are about to leave the firewall. the filter table is used. as we will discuss more in length further on. It could be set pretty much anywhere in the rule. in case they are supposed to have those actions taken on them. The OUTPUT chain is used for altering locally generated packets (ie.org/andreasson/iptables-tutorial/iptables-tutorial. which must be part of this table. There is a heap of different matches that we can use that we will look closer at further on in this chapter.

Note that mangle can not be used for any kind of Network Address Translation or Masquerading. The command tells iptables what to do with the rest of the commandline that we send to the program. we could DROP. The rule will will in other words always be put last in the ruleset in comparison to previously added rules. Examples of this would be to change the TTL. This command appends the rule to the end of the chain.unix-fu. PREROUTING is used for altering packets just as they enter the firewall and before they hit the routing decision. There are three chain built in to this table.9 Página 15 mangle This table is used mainly for mangling packets.. OUTPUT is used for changing and altering locally generated packets before they enter the routing decision. in other words). The following commands are available to iptables: Table 2. filter The listing above has hopefully explained the basics about the three different tables that are available. Normally we want to either add or delete something to some table or another. and you should know what to use each chain for. They should be used for totally different things. TOS or MARK. The first one is named FORWARD and is used on all non-locally generated packets that are not destined for our localhost (the firewall. INPUT is used on all packets that are destined for our local host (the firewall) and OUTPUT is finally used for all locally generated packets.org/andreasson/iptables-tutorial/iptables-tutorial. and hence be checked last. the PREROUTING and OUTPUT chains. the nat table was made for these kinds of operations. but a mark for the packet is set in kernelspace which other rules or programs might use further on in the firewall to filter or do advanced routing on with tc as an example.. If you do not understand their usage you may well fall into a pit once someone finds the hole you have unknowingly placed in the firewall yourself. Commands Command Example Explanation -A.html 21:25:51 10/06/2002 . The filter table should be used for filtering packets generally. Note that the MARK is not really a change to the packet.Iptables Tutorial 1. unless you append or insert more rules later on. LOG. We could change different packets and how their headers look among other things.1. For example. http://people. --append iptables -A INPUT . The table consists of two built in chains. Commands In this section we will bring up all the different commands and what can be done with them. We will discuss the tables and chains more in the Traversing of tables and chains chapter. ACCEPT or REJECT packets without problems as in the other tables.

--insert iptables -I INPUT 1 --dport 80 -j ACCEPT Insert a rule somewhere in a chain. and hence it would be the absolutely first rule in the chain from now on. --list iptables -L INPUT This command lists all the entries in the specified chain. the chains will first be listed. you have probably seen the packet counter in the beginning of each field. iptables -D INPUT 1 This command deletes a rule in a chain. This could be done in two ways. --delete iptables -D INPUT --dport 80 -j DROP.0. --new-chain iptables -N allowed http://people. and will then delete all rules in all chains within the specified table. -L.168.unix-fu. If you have used the -v option with the -L command. the command would list all the chains in the specified table (To specify a table. In the last case. we would list all the entries in the INPUT chain. If you use the first way of deleting rules.1. -N. for example the -n and -v options. It's also legal to not specify any chain at all. -F.org/andreasson/iptables-tutorial/iptables-tutorial. they must match totally to the entry in the chain. If -L and -Z is used together (which is legal). it will replace it with a new entry.1 -j DROP This command replaces the old entry at the specified line. If you use the second way. but instead of totally deleting the entry. It works in the same way as the --delete command. use the -Z option. This option works the same as -L except that -Z won't list the rules. -Z. The command can be used without options. The exact output is affected by other options sent to the program. In other words. In the above case. and then the packet counters are zeroised. --flush iptables -F INPUT This command flushes the specified chain from all rules and is equivalent to deleting each rule one by one but is quite a bit faster. --replace iptables -R INPUT 1 -s 192. The rule is inserted at the actual number that we give. -R. either by specifying a rule to match with the -D option (as in the first example) or by specifying the rule number that we want to match. the above example would be inserted at place 1 in the INPUT chain. the rules are numbered from the top of each chain. see the Tables section). and the top rule is number 1.9 Página 16 -D. etcetera. To zero this packet counter. This might be good while experimenting with iptables mainly. -I.Iptables Tutorial 1. --zero iptables -Z INPUT This command tells the program to zero all counters in a specific chain or in all chains.html 21:25:51 10/06/2002 .

All packets that don't match any rule will then be forced to use the policy of the chain. you http://people. Legal targets are: DROP. For this command to work. If used together with the --list command it makes the output from the command include the interface address.000) multipliers. on a chain. --delete. In the above example we create a chain called allowed. Note that there must be no target of the same name previously to creating it. in other words. Also note that we do not tell you any options here that is only used to affect rules and matches. in other words.org/andreasson/iptables-tutorial/iptables-tutorial. --policy iptables -P INPUT DROP This command tells the kernel to set a specified default target.Iptables Tutorial 1.1. Note that we tell you with which commands the options can be used and what effect they will have. A command should always be specified.unix-fu. As usual. mail me if so) -E.html 21:25:51 10/06/2002 . Here comes a few options that can be used together with a few different commands.9 Página 17 This command tells the kernel to create a new chain by the specified name in the specified table.000) and G (x1. you would have to replace or delete all rules referring to the chain before actually deleting the chain. unless you just want to list the built-in help for iptables or get the version of the command. --verbose --list. Table 3. -P. in other words. To overcome this and to get exact output. --append. It is. --rename-chain iptables -E allowed disallowed The -E command tells iptables to rename the first name of a chain.000. --replace This command shows a verbose output and is mainly used together with the --list command.000. all chains that are not built in will be deleted from the specified table. Note that this will not affect the actual way the table will work. Options Option Commands used with Explanation -v. In the example above we would. rule options and TOS masks. use the -v option and to get the help message.000. In other words. ACCEPT and REJECT (There might be more. The matches and targets are instead looked upon in a later section of this chapter. If this command is used without any options. M (x1. To get the version. there must be no rules that are referring to the chain that is to be deleted. The --list command will also include a bytes and packet counter for each rule if the --verbose option is set. change the name of the chain from allowed to disallowed. -X. --delete-chain iptables -X allowed This command deletes the specified chain from the table. to the second name. use the -h option. just a cosmetic change to the table. or policy. --insert. These counters uses the K (x1000).

--set-counters --insert. network names or application names. --line-numbers --list The --line-numbers command is used to output line numbers together with the --list command. Note that this option is only usable in the -list command and isn't really relevant for any of the other commands. The output from --list will in other words not contain the K.html 21:25:51 10/06/2002 . This option is only applicable to the --list command.1. Matches This section will talk a bit more about the matches. which would tell the kernel to set the packet counter to 20 and byte counter to 4000. the program will output detailed information on what happens to the rules and if it was inserted correctly etcetera. First of all we have the generic matches which are generic and can be used in all rules. IP addresses and port numbers will be printed by using their numerical values and not hostnames. This option only works with the --list command. I've chosen to split down the matches into five different subcategories here. Instead we will get an exact output of how many packets and bytes that has matched the rule in question from the packets and bytes counters. --replace This option is used when creating a rule in some way or modifying it. --delete or --replace commands.9 Página 18 could use the -x option described later. M or G multipliers. This option can be used with all commands. --modprobe All The --modprobe option is used to tell iptables which command to use when probing for modules to the kernel. -c.Iptables Tutorial 1. If this option is used with the --append. --exact --list This option expands the numerics. We have UDP matches which can only be applied to UDP packets and ICMP matches which can only be http://people. The syntax would be something like --setcounters 20 4000. This option overrides the default of resolving all numerics to hosts and names if possible.unix-fu. --insert. -x. In such cases it might be necessary to specify this option so the program knows what to do in case a needed module is not loaded. Then we have the TCP matches which can only be applied to TCP packets. It could be used if your modprobe command is not somewhere in the searchpath etc. Each rule is numbered together with this option and it might be easier to know which rule has which number when you're going to insert rules. We can then use the option to initialize the packets and bytes counters of the rule. --append. --numeric --list This option tells iptables to output numerical values.org/andreasson/iptables-tutorial/iptables-tutorial. -n.

which in turn is the default behaviour in case the --protocol match is not used. owner and limit matches and so on. --source iptables -A INPUT -s 192. such as 255 which would mean the RAW IP protocol. for example.255.1. I hope this is a reasonable breakdown and that all people out there can understand this breakdown. since it can be used to match specific protocols. The line would then look something like. I have also added the -protocol match here. Table 4. The protocol may also take a numeric value.Iptables Tutorial 1. The main form can be used to match single IP addresses such as 192.html 21:25:51 10/06/2002 . if we want to use an TCP match.168.168. Examples of protocols are TCP. However. 192. The following matches are always available.org/andreasson/iptables-tutorial/iptables-tutorial.255. 192.9 Página 19 used on ICMP packets. A generic match is a kind of match that is always available whatever kind of protocol we are working on or whatever match extensions we have loaded. as well as ALL. First of all the protocol match can take one of the three aforementioned protocols.1.255 form (ie. This means that we could for example add /24 to use a 255.1 This is the source match which is used to match packets based on their source IP address.255.168.0.0 netmask. If we would in other words use a match in the form of --source ! http://people. too. such as our local networks or network segments behind the firewall. One way is to do it with an regular netmask in the 255.255.0/24. We could also inverse the match with an ! just as before.0. Finally. --protocol iptables -A INPUT -p tcp This match is used to check for certain protocols. The command may also take a comma delimited list of protocols.unix-fu. Generic matches This section will deal with Generic matches. we need to use the --protocol match and send TCP as an option to the match.tcp which would match all UDP and TCP packets. This list can vary a bit at the same time since it uses the /etc/protocols if it can not recognise the protocol itself. It could be used with a netmask in a bits form. UDP and ICMP. This match can also be inversed with the ! sign.0. it means ALL protocols. so --protocol ! tcp would mean to match the ICMP and UDP protocols. --protocol is in itself a match.1. We could then match whole IP ranges.168. --src. No special parameters are in other words needed to load these matches at all. This would match all packets in the 192. -s. which means to match all of the previous protocols. For example.168. such as udp.255. and the other way is to only specify the number of ones (1's) on the left side of the network mask. Generic matches Command Example Explanation -p.1. Finally we have special matches such as the state.255.x range. These final matches has in turn been split down to even more subcategories even though they might not necessarily be different matches at all.0).0/255. even though it is needed to use some protocol specific matches. the program knows about all the protocols in the /etc/protocols file as we already explained. If this match is given the numeric value of zero (0).

0. --dst. This option can also be used in conjunction with the ! sign. To inverse the meaning of the match. however. It works pretty much the same as the --source match and has the same syntax. the default behaviour if this match is left out is to match all devices. --out-interface iptables -A FORWARD -o eth0 The --out-interface match is used to match packets depending on which interface they are leaving on. in opposite of the --in-interface match.0/24 we would match all packets with a source address not coming from within the 192. in case the match is not specified. -o.0.255.0. Of course. you can use the ! sign in exactly the same sense as in the --in-interface match. is to assume a string value of +. -f. regardless of where the packet is going.1 would in other words match all packets except those not destined to the 192. --destination ! 192.1. and so on.x range. it works pretty much the same as the --in-interface match. We also match all packets that has not been fragmented during the transfer. among other things.0/255. except eth0.168.0. fragmented packets might in rather special cases be used to compile attacks against computers. except that it matches based on where the packets are going. When this match is inversed. -i.1 IP address. -d. and eth+ would in other words match all ethernet devices. --in-interface iptables -A INPUT -i eth0 This match is used to match based on which interface the packet came in on. third. fragments. We could also invert the whole match with an ! sign. Also.168.9 Página 20 192. we can add a netmask either in the exact netmask form.168.0/24 and both would be equivalent to each other.0.org/andreasson/iptables-tutorial/iptables-tutorial. FORWARD and PREROUTING chains and will render an error message when used anywhere else. http://people. and not the second.168. --destination iptables -A INPUT -d 192. or in the number of ones (1's) counted from the left side of the netmask bits. It would then look like either 192. Other than this. which would mean to match all incoming interfaces. The + value is used to match a string of letters and numbers. Note that this match is only available in the OUTPUT. To match an IP range.1.168. We can also invert the meaning of this option with the help of the ! sign.unix-fu. FORWARD and POSTROUTING chains. Note that this option is only legal in the INPUT.0 or like 192. The default is to match all IP addresses. The + string can also be used at the end of an interface. like this ! -f. in this case the ! sign must precede the match. and hence this match was created. The + extension is understood so you can match all eth devices with eth+ and so on. Such fragments of packets will not be matched by other rules when they look like this. nor ICMP types.Iptables Tutorial 1. The line would then have a syntax looking something like -i ! eth0.html 21:25:51 10/06/2002 . we match all head fragments and/or unfragmented packets. A single + would in other words tell the kernel to match all packets without considering which interface it came in on.168.1 The --destination match is used to match packets based on their destination address or addresses.0. there is no way to tell the source or destination ports of the fragments.168. just as before.255. The default behaviour of this match. What this means is that we match all the first fragments of a fragmented packets. --fragment iptables -A INPUT -f This match is used to match the second and third part of a fragmented packet. The reason for this is that in the case of fragmented packets.

unix-fu. --source-port iptables -A INPUT -p tcp --sport 22 The --source-port match is used to match packets based on their source port. TCP matches These matches are protocol specific and are only available when working with TCP packets and streams.html 21:25:51 10/06/2002 . As a secondary note. The --source-port match can also be used to match a whole range of ports in this fashion --source-port 22:80 for example. This match can either take a service name or a port number. after the TCP match section. the port 0 is assumed to be the one we mean. it could be a little bit harder to read in case you specify the numeric value. the entry of the rule will be slightly faster since iptables don't have to check up the service name. These are TCP matches. If we would write --source-port 22: we would in turn get a port specification that tells us to match all ports from http://people. and UDP based matches contain another set of matches that are available only for UDP packets. If we omit the first port specification. And if the last port specification is omitted. This example would match all source ports between 22 and 80. If you are writing a ruleset consisting of a 200 rules or more. UDP matches and ICMP matches.9 Página 21 Also note that there are defragmentation options within the kernel that can be used which are really good. --source-port :80 would then match port 0 through 80. If you specify a service name.Iptables Tutorial 1. Implicit matches This section will describe the matches that are loaded implicitly. To use these matches you need to specify --protocol tcp on the command line before trying to use these matches. Note that the --protocol tcp match must be to the left of the protocol specific matches. Implicit matches are loaded automatically when we tell iptables that this rule will match for example TCP packets with the -protocol match.1. TCP matches Match Example Explanation --sport. just as the UDP and ICMP matches are loaded implicitly. this could make as much as 10 seconds if you are running a large ruleset consisting of 1000 rules or so). There is also explicitly loaded matches that you must load explicitly with the m or --match option which we will go through later on in the next section. in case you use connection tracking you will not see any defragmented packets since they are dealt with before hitting any chain or table in iptables.org/andreasson/iptables-tutorial/iptables-tutorial. however. The other matches will be looked over in the continuation of this section. port 65535 is assumed. If you specify the port by port number. the service name must be in the /etc/services file since iptables uses this file to look up the service name in. The TCP based matches contain a set of different matches that are available for only TCP packets. and the same thing for ICMP packets. There are currently three types of implicit matches that are loaded automatically for three different protocols. These matches are loaded implicitly in a sense. Table 5. you should definitely do this by port numbers since you will be able to notice the difference(On a slow box.

First of all the match takes a list of flags to compare (a mask) and second it takes list of flags that should be set to 1. way. Also note that the comma delimitation should not include spaces. which in turn would mean that we want to match all ports but port 22 through 80. --dport. ALL and NONE is pretty much self describing. iptables automatically reverses the inversion. ! --syn. however. Both lists should be comma-delimited. http://people. exactly the same as --source-port in syntax. The match knows about the SYN. ALL means to use all flags and NONE means to use no flags for the option it is set. It uses exactly the same syntax as the --source-port match. If we inversed the port specification in the port range so the highest port would be first and the lowest would be last.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . look at the multiport match extension. --tcp-flags iptables -p tcp --tcp-flags SYN. ACK. it would be understood just the same as --sourceport 22:80. This option can also be inverted with the ! sign. We could also invert a match by adding a ! sign like --source-port ! 22 which would mean that we want to match all ports but port 22. If you block these packets. --tcp-option iptables -p tcp --tcp-option 16 This match is used to match packets depending on their TCP options.1.FIN SYN This match is used to match depending on the TCP flags in a packet.Iptables Tutorial 1. For more information about this. It does also reverse high and low ports in a port range specification if the high port went into the first spot and the low port into the last spot. hack a legit service and then make a program or such make the connect to you instead of setting up an open port on your host). This command would in other words be exactly the same as the --tcp-flags SYN. and for ease of traversing from one to the other. URG. look at the multiport match extension.unix-fu. In other words. you will not have blocked the outgoing connections which a lot of exploits today uses (for example. This would tell the match to match all packet with the FIN or the ACK bits set. Note that this match does not handle multiple separated ports and port ranges.ACK. you should have effectively blocked all incoming connection attempts. This match is used to match packets if they have the SYN bit set and the ACK and FIN bits unset. For more information about this. Note that this match does not handle multiple separated ports and port ranges. -tcp-flags ALL NONE would in other words mean to check all of the TCP flags and match if none of the flags are set. PSH flags but it also recognizes the words ALL and NONE. or turned on. FIN. as well as inversions. The match will also assume the values of 0 or 65535 if the high or low port is left out in a port range specification. RST.9 Página 22 port 22 through port 65535. If a source port definition looked like --source-port 80:22. in other words packets in an already established connection.ACK. This match can also be inverted with the ! sign in this. Such packets are used to request new TCP connections from a server mainly. The inversion could also be used together with a port range and would then look like --source-port ! 22:80. --syn iptables -p tcp --syn The --syn match is more or less an old relic from the ipchains days and is still there out of compatibility reasons. It understands port and port range specifications.FIN SYN match. The correct syntax could be seen in the example above. --destination-port iptables -A INPUT -p tcp --dport 22 This match is used to match TCP packets depending on its destination port.

The match handles port ranges. look at the multiport match extension. This would match all ports but port 80. they are simply lost (Not taking ICMP error messaging etcetera into account). single ports and inversions. If they are lost. This means that there is quite a lot less matches to work with on a UDP packet than there is on TCP packets. --dport. port 65535 is assumed.org/andreasson/iptables-tutorial/iptables-tutorial. to invert this we could do --destination-port ! 53. The match is used to match packets based on their UDP destination port.9 Página 23 UDP matches This section describes matches that will only work together with UDP packets. and hence there is no such thing as different flags to set in the packet to give data on what the datagram is supposed to do. If the last port is omitted. port 0 is assumed. Single UDP port matches look as in the example above. or if they are just simply supposed to send data. For more http://people. For more information about this. This example would match all packets destined for UDP port 22 through 80. Note that this match does not handle multiple ports and port ranges.Iptables Tutorial 1. Note that this match does not handle multiple separated ports and port ranges. To match a single port we do --destination-port 53. There will be more about the state machine in a future chapter. it is exactly the same as the equivalent TCP match. The state machine works pretty much the same on UDP packets as on TCP packets. port 0 is assumed.unix-fu. To make a UDP port range you could do 22:80 which would match UDP ports 22 through 80. The first would match all UDP packets going to port 53 while the second would match packets but those going to the destination port 53. It is used to perform matches on packets based on their source UDP ports. --source-port iptables -A INPUT -p udp --sport 53 This match works exactly the same as its TCP counterpart. To specify a port range. such as open or closing a connection.html 21:25:51 10/06/2002 . --destination-port iptables -A INPUT -p udp --dport 53 The same goes for this match as for the UDP version of --source-port.1. but will work with UDP packets instead. If the second port is omitted. the ports switch place with eachother automatically. UDP packets do not require any kind of acknowledgement either. If the first value is omitted. the match can understand service names as long as they are available in the /etc/services file. add a ! sign in this. If the high port is placed before the low port. single ports and port inversions with the same syntax. Note that the state machine will work on all kinds of packets even though UDP or ICMP packets are counted as connectionless protocols. To invert the port match. --source-port ! 53 fashion. port 65535 is assumed. Of course. Table 6. Note that UDP packets are not connection oriented. we would do --destination-port 22:80 for example. they automatically switch place so the low port winds up before the high port. These matches are implicitly loaded when you specify the --protocol UDP match and will be available after this specification. UDP matches Match Example Explanation --sport. It has support for port ranges. If the first port is omitted. If the high port comes before the low port.

There is only one ICMP specific match available for ICMP packets.Iptables Tutorial 1.9 Página 24 information about this. Note that some ICMP types are obsolete. To find a complete listing of the ICMP name values. among other things. This match can also be inverted with the ! sign in this. ICMP matches These are the ICMP matches. redirect packets to the wrong places. but contains differences. do a iptables --protocol icmp --help. while explicitly loaded matches will not be loaded automatically in any case and it is up to you to activate them before using them. ICMP matches Match Example Explanation --icmp-type iptables -A INPUT -p icmp --icmp-type 8 This match is used to specify the ICMP type to match. or was created for testing/experimental use or plainly to show examples of what could be accomplished with iptables. they should mostly be useful since it all depends on your imagination and your needs. --icmp-type ! 8. Table 7. http://people. among other things. and hopefully this should suffice.html 21:25:51 10/06/2002 . or check the ICMP types appendix.For a complete listing of ICMP types. These packets are even worse than UDP packets in the sense that they are connectionless.unix-fu. The headers of a ICMP packet are very similar to those of the IP headers. ICMP types can be specified either by their numeric values or by their names. look at the multiport match extension. Explicit matches Explicit matches are matches that must be specifically loaded with the -m or --match option. The ICMP protocol is mainly used for error reporting and for connection controlling and such features. we would get an ICMP host unreachable in return.org/andreasson/iptables-tutorial/iptables-tutorial. for example. we would have to write -m state to the left of the actual match using the state matches. Some of these matches may be specific to some protocols. Numerical values are specified in RFC 792. This match is implicitly loaded when we use the --protocol ICMP match and we get access to it automatically. however. and others again may be "dangerous" for a simple host since they may. This in turn means that all these matches may not always be useful. The main feature of this protocol is the type header which tells us what the packet is to do.1. If we would like to use the state matches for example. fashion. see the ICMP types appendix. match TCP packets. so we can know source and destination adress too. The difference between implicitly loaded matches and explicitly loaded ones is that the implicitly loaded matches will automatically be loaded when you. One example is if we try to access an unaccessible IP adress. Note that all the generic matches can also be used. ICMP is not a protocol subordinated to the IP protocol. but more of a protocol beside the IP protocol that helps handling errors.

and get limited logging of this. you could use this to match all packets that goes over the edge of a certain chain.unix-fu. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX. is that when we add this match we limit how many times a certain rule may be matched in a certain timeframe.Iptables Tutorial 1. or 3/hour. Note that since MAC addresses are only used on ethernet type networks. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01. but there are more usages. What this means. This tells the limit match how many times to let this match run per timeunit (ie /minute). --limit-burst http://people. this match will only be possible to use on ethernet based networks. Limit match options Match Example Explanation --limit iptables -A INPUT -m limit --limit 3/hour This sets the maximum average matching rate of the limit match.html 21:25:51 10/06/2002 . The following time specifiers are currently recognised: / second /minute /hour /day.9 Página 25 MAC match Table 8. The default value here is 3 per hour. The limit match may also be inversed by adding a ! flag in front of the limit match explicit loading. This would in other words reverse the meaning of the match so all packets except packets from this MAC address would be matched. This match is excellent to use to do limited logging of specific rules etcetera. else it will not be legal. This means that all packets will be matched after they have broken the limit. This match is also only valid in the PREROUTING. Table 9. of course.org/andreasson/iptables-tutorial/iptables-tutorial. MAC match options Match Example Explanation --mac-source iptables -A INPUT --mac-source 00:00:00:00:00:01 This match is used to match packets based on their MAC source address. it would then look like -m ! limit. This is its main usage. FORWARD and INPUT chains and nowhere else. This match is specified with a number and an optional time specifier. Limit match The limit match extension must be loaded explicitly with the -m limit option.1. For example.

110 This match extension can be used to match packets based both on their destination port and their source port. (If anyone got a good/better and simpler explanation than this. port 80 to port 80 and if you have specified port 80 to the --port match. The default value is 5.53.80. The ports must be comma delimited.1. --destination-port iptables -A INPUT -p tcp -m multiport --destination-port 22. Mark match The mark match extension is used to match packets based on the marks they have set. It can only be used in conjunction with -p tcp and -p udp.53.9 Página 26 iptables -A INPUT -m limit --limit-burst 5 This is the setting for the burst limit of the limit match. This match may only be used in conjunction with the -p tcp or -p udp matches. Multiport match options Match Example Explanation --source-port iptables -A INPUT -p tcp -m multiport --source-port 22. --port iptables -A INPUT -p tcp -m multiport --port 22.80.Iptables Tutorial 1. It has a maximum specification of 15 ports and may only be used in conjunction with -p tcp and -p udp.110 This match is used to match multiple destination ports. It works exactly the same way as the source port match mentioned just above. as you can see in the example. up to this number. This number gets recharged by one every time the limit specified is not reached. except that it matches destination ports.html 21:25:51 10/06/2002 .80. It can take a maximum of 15 ports specified to it in one argument.org/andreasson/iptables-tutorial/iptables-tutorial. Table 10.53. Multiport match The multiport match extension can be used to specify more destination ports and port ranges than one. It tells iptables the maximum initial number of packets to match. It is mainly an enhanced version of the normal -source-port match. A mark is a special field only maintained within the kernel that is associated with the packets as they travel through http://people. It works the same way as the --source-port and --destination-port matches above. for example. A maximum of 15 separate ports may be specified.110 This match matches multiple source ports.unix-fu. which would sometimes mean you would have to make several rules looking exactly the same just to match different ports. send me a mail and I'll try to make this more understandable). Note that this means that it will only match packets that comes from.

If a mask is specified. It is pretty much impossible to find out any information about who sent a packet on the other end. In other words. The mark field is currently set to an unsigned integer. for example. Table 11. Notorious packets of that sort is different ICMP responses among other things. This extension was originally written as an example on what iptables might be used for. They may be used by different kernel routines for such tasks as traffic shaping and filtering. hence. Owner match options Match Example Explanation --uid-owner iptables -A OUTPUT -m owner --uid-owner 500 http://people. Mark match options Match Example Explanation --mark iptables -t mangle -A INPUT -m mark --mark 1 This match is used to match packets that have previously been marked. This was previously done with the FWMARK target in ipchains.unix-fu. Marks can be set with the MARK target which we will discuss a bit more later on in the next section.org/andreasson/iptables-tutorial/iptables-tutorial. ICMP responses will. never match. If this mark field matches the mark match it is a match. --mark 1/1.Iptables Tutorial 1. hence there can be a maximum of 65535 different marks. with or without the packet. there is only one way of setting a mark in Linux.1. for obvious reasons. Even within the OUTPUT chain it is not very reliable since certain packets may not have an owner. or if we where an intermediate hop to the real destination.9 Página 27 the computer. The mark field is an unsigned integer. hence the limit of 65535 possible marks to use within your ruleset. Note that this mark field does not in any way travel outside. This match only works within the OUTPUT chain as it looks today. namely the MARK target in iptables. you are probably not going to run into this limit in quite some time. All packets traveling through netfilter gets a special mark field associated with them. Owner match The owner match extension is used to match packets based on who created them. it is logically ANDed with the mark specified before the actual comparison. As of today. The mark specification would then look like.html 21:25:51 10/06/2002 . Table 12. You may also use a mask with the mark. the actual computer itself. this is why people still refer to FWMARK in advanced routing areas.

or as described above to only allow "httpgroup" to be able to create packets going out on the HTTP port. including stateless protocols such as ICMP and UDP. please give me a note of it and of other possible uses. Table 13. In all cases. or another possible use could be to block everyone but the httpuser from creating packets from HTTP. --gid-owner iptables -A OUTPUT -m owner --gid-owner 0 This match is used to match all packets based on their Group ID (GID).html 21:25:51 10/06/2002 .unix-fu. This could be used to match outgoing packets based on who created them. This could be used to block all but the users part of the "network" group from getting out onto the internet. This means that we match all packets based on what group the user creating the packets are in.Iptables Tutorial 1.9 Página 28 This packet match will match if the packet was created by the given User ID (UID). This match is a bit harder to use. This concept will be more deeply introduced in a future chapter since it is such a large area. You will then have access to one new match. there will be a default timeout for the connection and it will then be dropped from the connection tracking database. One possible use would be to block any other user than root to open new connections outside your firewall. If anyone have an idea for the usage of this match. This match needs to be loaded explicitly by adding a -m state statement to the rule. (If anyone has actually used this match for a production server. This allows us to know in what state the connection is. but one example would be to only allow PID 94 to send packets on the HTTP port.ESTABLISHED http://people. I would love to hear what they used it for and how they did it). State match The state match extension is used in conjunction with the connection tracking code in the kernel and allows access to the connection tracking state of the packets. and works for pretty much all protocols.1. --sid-owner iptables -A OUTPUT -m owner --sid-owner 100 This match is used to match packets based on their Session ID and the Session ID used by the program in question. State matches Match Example Explanation --state iptables -A INPUT -m state --state RELATED. or we could write a small script that grabs the PID from a ps output for a specific daemon and then adds a rule for it. --pid-owner iptables -A OUTPUT -m owner --pid-owner 78 This match is used to match packets based on their Process ID (PID) and which PID created the packets.org/andreasson/iptables-tutorial/iptables-tutorial.

nor will it take care of all unclean packages or problems. RELATED means that the packet is starting a new connection and is associated with an already established connection. INVALID. consists of 8 bits. Unclean match The unclean match takes no options and requires no more than explicit loading when you want to use it. INVALID means that the packet is associated with no known stream or connection and that it may contain faulty data or headers. there may be times where this could be useful. This match is loaded explicitly by adding -m tos to the rule. while others try their best to do something good with the packets in question and the data they provide. TOS stands for Type Of Service. Note that this option is regarded as experimental and may not work at all times. Table 14. or it needs to be able to send as much payload as possible). For more information on how this could be used.html 21:25:51 10/06/2002 . or that it is associated with a connection that has not seen packets in both directions. How different routers and people deal with these values depends. such as packets with bad headers or checksums and so on. and what kind of content it has(not really. There is currently 4 states that can be used.unix-fu. NEW and RELATED. or an ICMP error associated with an TCP or UDP connection for example.9 Página 29 This match option tells the state match what states the packets must be in to be matched. The match takes an hex or numeric value as an http://people. TOS matches Match Example Explanation --tos iptables -A INPUT -p tcp -m tos --tos 0x16 This match is used as described above. among other things. Most do not care at all. read in the future chapter on the state machine.Iptables Tutorial 1. NEW means that the packet has or will start a new connection. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should. TOS is normally used to tell intermediate hosts the preceeding of the stream. hence. This could be used for. but it tells us if there is any specific requirements for this stream such as that it needs to be sent as fast as possible. however you should be aware that this may break legal connections too. it can match packets based on their TOS field and their value.1. Finally. TOS match The TOS match can be used to match packets based on their TOS field. not be considered very good in cases where we have only one firewall and no load balancing between different firewalls. This could be used to DROP connections and to check for bad streams etcetera. and is located in the IP header. This match tries to match packets which seems malformed or unusual. ESTABLISHED. However. to mark packets for later usage together with the iproute2 and advanced routing functions in linux. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid.org/andreasson/iptables-tutorial/iptables-tutorial. This could for example mean an FTP data transfer.

It takes an numeric value and matches based on this value. Minimize-Delay means to minimize the delay until the packets gets through all the way to the client/server. Normal-Service would finally mean any normal protocol that has no special needs for their transfers. Table 15. would be to find hosts with bad TTL values set as default (may be due to badly implemented TCP/IP stack. a standard protocol would be FTP-data. as well as in all kinds of matches. some good protocols that would fit with this TOS values would be BOOTP and TFTP. for example hosts which seems to have problems connecting to hosts on the internet. SSH and FTP-control.unix-fu. At the time of writing it contained the following named values: Minimize-Delay 16 (0x10). If the TTL reaches 0. ie find the fastest route.9 Página 30 option. There is a few basic targets.org/andreasson/iptables-tutorial/iptables-tutorial. an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is transmitted to the party sending the packet and telling about the problem. One example. however. This is true here. To load this match. MaximizeThroughput 8 (0x08).1. The usage is pretty much limited.html 21:25:51 10/06/2002 . it is only your imagination which stops you. There is no inversion and there is no other specifics to this match. the ACCEPT and DROP targets which we will deal with first http://people. Maximize-Reliability means to maximize the reliability of the connection and to use lines that are as reliable as possible. TTL matches Command Example Explanation --ttl iptables -A OUTPUT -m ttl --ttl 60 This match option is used to specify which TTL value to match. Some good protocols that would use this would be RTSP (Real Time Stream Control Protocol) and other streaming video/radio protocols. Targets/Jumps The target/jumps tells the rule what to do with a packet that is a perfect match with the match section of the rule. Maximize-Throughput means to find a path that allows as big throughput as possible. MinimizeCost 2 (0x02). and Normal-Service 0 (0x00). TTL match The TTL match is used to match packets based on their TTL (Time To Live) field residing in the IP header. This match is only used to match packets based on their TTL. or to find possible infestations of trojans etcetera. you need to add an -m ttl to the rule. example of standard protocols that this includes are telnet. or due to a malconfiguration).Iptables Tutorial 1. and not to change anything. This target could be used for debugging your local network. Minimize-Delay means to minimize the delay for the packets. Maximize-Reliability 4 (0x04). as described above. or possibly one of the names given if you do an iptables -m tos -h. The TTL field contains 2 bits and is decremented once every time it is processed by an intermediate host between the client and host.

There is also a number of other actions we may want to take which we will describe further on in this section. a good example of this would be the LOG. To jump to a specific chain. Let us have a look at what kinds of targets there are. a chain is created with the -N command. and it does not require. will not pass through any of the rules further on in the chain or superset chains. When a packet is perfectly matched and this target is set. ACCEPT target This target takes no special options first of all. We could then add a jump target to it like this: iptables -A INPUT -p tcp -j tcp_packets. We could for example. Targets on the other hand specify an action to take on the packet in question. This may be good in cases where we want to take two actions on the same packet. it drops packets dead to the ground and refuses to process them anymore. nor any of the calling chains.Iptables Tutorial 1. If a packet is ACCEPT'ed within one of the subchains. that packets that was accepted in one chain will still travel through any subsequent chains within the other tables and may be dropped there. some targets will make the packet stop traversing the specific chain and superset chains as described above. let us have a brief look at how a jump is done. When/If we reach the end of that chain. we get dropped back to the INPUT chain and the packet starts traversing from the rule one step below where it jumped to the other chain (tcp_packets in this case).org/andreasson/iptables-tutorial/iptables-tutorial. However. it is accepted and will not continue traversing the chain where it was accepted in. The jump specification is done exactly the same as the target definition except that it requires a chain within the same table to jump to. it is required that the chain has already been created. we specify it like -j ACCEPT. masquerade to ports and so on). For more information on table and chain traversing. These packets may be logged. Good examples of such rules are DROP and ACCEPT. To use this target. A packet that matches a rule perfectly and then has this action taken on it will be blocked and no further processing will be done. For example. it will automatically be ACCEPT'ed in the superset chain also and it will not traverse any of the superset chains any further. what TOS value to use etcetera) while others have options not necessary. or have the possibility. such as both mangling the TTL and the TOS value of a specific packet/stream. may take an action on the packet and then the packet will continue passing through the rest of the rules anyway. to add options to the target. DROP target The DROP target does just what it says. Some targets will also take options that may be necessary (What address to do NAT to. see the Traversing of tables and chains chapter. do note that the packet will traverse all other chains in the other tables in a normal fashion. DNAT and SNAT targets. Other targets. but available in any case (log prefixes. We would then jump from the INPUT chain to the tcp_packets chain and start traversing that chain. before we do that. DROP or ACCEPT the packet depending on what we want to do.9 Página 31 of all targets.1. There is nothing special about this target whatsoever. especially when you want to block certain portscanners from getting to http://people. Do note.unix-fu. Note that this action may be a bit bad in certain cases since it may leave dead sockets around on the server and client. Rules that are stopped. A better solution would be to use the REJECT target in those cases. Targets may also end with different results one could say.html 21:25:51 10/06/2002 . However. Network Address Translationed and then be passed on to the other rules in the same chains. As we have already explained before. We will try to answer all these questions as we go in the descriptions. let's say we create a chain in the filter table called tcp_packets like this: iptables -N tcp_packets.

org/andreasson/iptables-tutorial/iptables-tutorial. For example. and all of a sudden it matches a specific rule which has the --jump RETURN target set. for example the INPUT chain. either to tell the client or the server as told previously. The LOG target will log specific information such as most of the IP headers and other interesting information via the kernel logging facility. It would then be dropped to the default policy as previously described.1. This information may then be read with dmesg or syslogd and likely programs and applications. which in this case would be the INPUT chain. It will then jump back to the previous chain. QUEUE target Table 16. The target will not send any kind of information in either direction. Also note that it may be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall since this may otherwise cause severe connectivity problems for your users. If the chain is the main chain. Also note that the http://people. QUEUE target Option Example Explanation Option Example Explanation RETURN target The RETURN target will make the current packet stop travelling through the chain where it hit the rule. LOG target The LOG target is specially made to make it possible to log snippets of information about packets that may be illegal. lets say a packet enters the INPUT chain and then hits a rule that it matches and that gives it --jump EXAMPLE_CHAIN. the packet will have the default policy taken on it. Another example would be if the packet hit a --jump RETURN rule in the INPUT chain.html 21:25:51 10/06/2002 . The default policy is normally set to ACCEPT or DROP or something the like. or for pure bughunting and errorfinding.Iptables Tutorial 1. the packet will not be processed in any of the above chains in the structure either. the packet will continue to travel through the above chains in the structure as if nothing had happened.9 Página 32 much information. The packet will then start traversing the EXAMPLE_CHAIN. If it is a subchain to another chain. and no more actions would be taken in this chain.unix-fu. Also note that if a packet has the DROP action taken on them in a subchain. such as filtered ports and so on. This is an excellent target to use while you are debugging your rulesets to see what packets go where and what rules are applied on what packets.

notice. Normally there are the following log levels. error. crit. The priority defines the severity of the message being logged. Note that all three of these are deprecated.=info /var/log/iptables in your syslog. The keyword error is the same as err. warning. All messages are logged through the kernel facility. warn is the same as warning and panic is the same as emerg. http://people. Note that this option is a security risk if the log is readable by any users.9 Página 33 ULOG target may be interesting in case you are getting heavy logs. alert. In other words. info. The LOG target currently takes five options that may be interesting to use in case you have specific needs for more information. or want to set different options to specific values. setting kern. The prefix may be up to 29 letters long. emerg and panic. Read more in man syslog.conf file and then letting all your LOG messages in iptables use log level info.conf for information about these kind of problems.conf. The TCP Sequence number are special numbers that identify each packet and where it fits into a TCP sequence and how the stream should be reassembled.html 21:25:51 10/06/2002 . or priorities as they are normally referred to: debug. LOG target options Option Example Explanation --log-level iptables -A FORWARD -p tcp -j LOG --log-level debug This is the option that we can use to tell iptables and syslog which log level to use. --log-prefix iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets" This option tells iptables to prefix all log messages with a specific prefix which may then be very good to use together with. Note that there may be other messages here as well from other parts of the kernel that uses the info priority.1. for example. Table 17. err. in other words do not use error. but instead a problem of your syslogd configuration which you may find in /etc/syslog. or by the world for that matter.unix-fu. including whitespace and those kind of symbols. For a complete list of loglevels read the syslog. --log-tcp-sequence iptables -A INPUT -p tcp -j LOG --log-tcp-sequence This option will log the TCP Sequence numbers together with the log message.org/andreasson/iptables-tutorial/iptables-tutorial. since the ULOG target has support for logging directly to MySQL databases and such. warn and panic. Note that it is not a iptables or netfilter problem in case you get your logs to the consoles or likely.Iptables Tutorial 1. They are all listed below.conf manual. Any log that is. which may contain logging messages from iptables. warn.conf manpages as well as other HOWTO's etcetera. would make all messages appear in the /var/log/iptables file. For more information on logging I recommend you to read the syslog and syslog. grep and other tools to distinguish specific problems and outputs from specific rules.

In other words. just the same as the previous option.org/andreasson/iptables-tutorial/iptables-tutorial. and will not work outside there. FORWARD and OUTPUT chain or subchains of those chains. we may set mark 2 to a specific stream of packets. MARK target The MARK target is used to set netfilter mark values that are associated with specific packets. --log-ip-options iptables -A FORWARD -p tcp -j LOG --log-ip-options The --log-ip-options option will log most of the IP packet header options. The REJECT target is as of today only valid in the INPUT. you may not set a MARK for a package and then expect the MARK to still be there on another computer. REJECT target The REJECT target works basically the same as the DROP target. etcetera.1.Iptables Tutorial 1. If this is what you want.html 21:25:51 10/06/2002 . The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc). These may be valuable when trying to debug what may go wrong and what has gone wrong. This option takes no variable fields or anything like that. The --set-mark match takes an integer value. Table 18. For example. Note that the mark value is not set within the actual package. MARK target options Option Example Explanation --set-mark iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2 The --set-mark option is required to set a mark. but it also sends back an error message to the host sending the packet that was blocked. but is an value that is associated within the kernel with the packet.9 Página 34 --log-tcp-options iptables -A FORWARD -p tcp -j LOG --log-tcp-options The --log-tcp-options option will log the different options from the TCP packets header. This target is only valid in the mangle table. or on all packets from a specific host and then do advanced routing on that host. just as most of the LOG options.unix-fu. For more information on advanced routing. This works exactly thesame as the --log-tcp-options option. limiting or unlimiting their network speed etcetera. which would also http://people. These logging messages may be valuable when trying to debug or finding out specific culprits and what goes wrong. you will be better off with the TOS target which will mangle the TOS value in the IP header. check out the LARTC HOWTO. but instead works on the IP options.

else they won't work. and OUTPUT chains. For more information about the TCP RST read RFC 793 . There are currently the following reject types that can be used: icmp-net-unreachable. Most of them are fairly easy to understand if you have a basic knowledge of TCP/IP. and you may get some more information by looking in the appendix ICMP types. and then the packet is dropped dead to the ground. There currently is only one option which controls the nature of how this target works. This is one of the few fields that can be used within iproute2 and its subsystem to route packets. The default error message is to send an port-unreachable to the host. There are currently a lot of routers on the internet which does a pretty bad job at this so it may be a bit useless as of now to do any TOS mangling before sending the packets on to the internet. TCP RST are used to close open connections gracefully. icmp-host-unreachable. just the same as with the DROP target. At worst.Transmission Control Protocol. TOS target The TOS target is used to set the Type of Service field within the IP header. As noted before. There is also an option called echo-reply. FORWARD.1. this is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts. icmp-proto-unreachable.html 21:25:51 10/06/2002 . the tcp-reset option will tell REJECT to send an TCP RST packet in reply to the sending host. Finally. they will look at the TOS field and do the wrong thing based on the information. but this option may only be used in conjunction with rules which would match ICMP ping packets. At best the routers will do nothing with the TOS field.org/andreasson/iptables-tutorial/iptables-tutorial. you should hence set the TOS field which was developed for this. there is most definitely a good use if you http://people. the target will first of all send the specified reply. there is one more option called tcp-reset which may only be used together with the TCP protocol. icmp-net-prohibited and icmp-host-prohibited. REJECT target Option Example Explanation --reject-with iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset This option tells the REJECT target what response to send to the host that sent the packet that we found to be a match. the MARK target which sets a MARK associated with a specific packet is only available within the kernel. and can not be propagated with the packet. Once we get a packet that matches a specific rule and we specify this target. which in turn may take a huge set of variables. Also note that if you handle several separate firewalls and routers. The TOS field consists of 8 bits which are used to route packets.9 Página 35 be the only chains where it would make any sense to put this target in. Table 19. which won't accept your mail otherwise.unix-fu. this is the only way to propagate routing information between these routers and firewalls within the actual packet. As stated in the iptables man page.Iptables Tutorial 1. All of the above are ICMP error messages and may be set as you wish. If you feel a need to propagate routing information on how to do routing for a specific packet or stream. and they will not even look at them. icmp-portunreachable. Note that the chains that uses the REJECT target may only be called upon by the INPUT. As stated previously. however.

either in hex or in decimal value.5 and should hopefully be so for another period of time. This listing is complete as of iptables 1. and it should generally be recommended since the values behind the names may be changed if you are unlucky. and I would be quite sure that someone has had a good laugh at some cracker or another that has cracked his own box via this target by now.1. hex value 0x00).com back (since this is where he came from). TOS target Option Example Explanation --set-tos iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 The --set-tos option tells the TOS mangler what TOS value to set on packets that are matched. and then to retransmit the packet. of course. MaximizeReliability (decimal value 4.com. hex value 0x08). and you should be warned of using this since it may result in really bad loops. or 0. The TOS target only takes one option as described below. Note that most of these values will never be used by anyone on the internet so you may be better of by using the named values available (which should be more or less standardized). which in turn most probably would be mangled and the connection would never work. at least within your own network. As the TOS value consists of 8 bits. use the actual names instead of the actual hex values to set up the TOS value. among other things. The result of this target is really simple.unix-fu. MIRROR target The MIRROR target is an experimental demonstration target only.2. The default value on most packets are Normal-Service.2 or below) of iptables provided a broken implementation of this target which would not fix the packet checksum upon mangling. This results in some really funny things.org/andreasson/iptables-tutorial/iptables-tutorial. and tried to access the HTTP server at computer A. http://people. Maximize-Throughput (decimal value 8. Lets say we set up a MIRROR target for port 80 at computer A.html 21:25:51 10/06/2002 . Also note that some old versions (1. hex value 0x04).9 Página 36 have a large WAN or LAN with several routers and actually have the possibility to give packets different routes and preference depending on their TOS value. Table 20. For a complete listing of the "descriptive values". These values are Minimize-Delay (decimal value 16. hence resulting in a bad kind of Denial of Service.2. hex value 0x10). If computer B would be coming from yahoo. do an iptables -j TOS -h. The option takes a numeric value. Note that this target is only valid within the mangle table and can not be used outside it. Note that you can. or in hex 0x00-0xFF. the MIRROR target would make so computer B got the webpage at yahoo. and hence rendered the packets bad and in need of retransmission. Minimize-Cost (decimal value 2. the value may be 0-255. The MIRROR target is used to invert the source and destination fields in the IP header. hex 0x02) or Normal-Service (decimal value 0.Iptables Tutorial 1.

This option. which would be our firewall. If there is only 1 hop. One thing would for example be to send a spoofed packet to a host that uses the MIRRORcommand with a TTL of 255.236. depending on how many hops there is between them.236.236.1.Iptables Tutorial 1. then all future packets in the same connection will also be SNAT'ed and. NAT or mangle tables to avoid loops and other problems. Without doing this. Table 21.html 21:25:51 10/06/2002 . takes one IP address to which we should transform all the source IP addresses in the IP header. the packet will jump back and forth 240-255 times. The packet will then bounce back and forth a huge set of times. also. no further processing of rules in the POSTROUTING chain will be commenced on the packets in the same stream. this is good when we want several computers to share an internet connection. For example. within the POSTROUTING chain. the outside world would not know where to send reply packets. at it simplest.50. However. whichever we want to call them. this does not make the target free of any likely problems. it would then look like.9 Página 37 Note that the MIRROR target is only valid within the INPUT. This is in other words the only place that you may do SNAT in. The SNAT target does all the translation needed to do this kind of work.unix-fu. since our local networks should use the IANA specified IP addresses which are allocated for LAN networks. If the first packet in a connection is mangled in this fashion. If we forwarded these packets as is. and any user-defined chains which are only called from those chains. 194. Also note that the outgoing packets created by the MIRROR target is not seen by any of the normal chains in the filter. and eat up 380 kbyte of your connection.155-194.160 as http://people.org/andreasson/iptables-tutorial/iptables-tutorial. letting all packets leaving our LAN look as if they came from a single host. and see to it that the packet is spoofed so it looks as if it comes from another host that uses the MIRROR command. Not bad for a cracker in other words to send 1500 bytes of data. If we want to balance between several IP addresses we could use an range of IP addresses separated by a hyphen. The SNAT target is only valid within the nat table. noone on the internet would know that they where actually from us. and then set an SNAT rule which would translate all packets from our local network to the source IP of our own internet connection. Note that this is a best case scenario for the cracker or scriptkiddie.236. which means that this target will rewrite the Source IP address in the IP header of the packet. FORWARD and PREROUTING chains.50.160:1024-32000 The --to-source option is used to specify which source the packets should use. SNAT target Option Example Explanation --to-source iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194. We could then turn on ip forwarding in the kernel.50.155194. SNAT target The SNAT target is used to do Source Network Address Translation.50. for example.

we will be able to deal with a kind of load balancing by doing this. an :80 statement to the IP addresses to which we want to http://people. in which case we would always be connected to the same host. This target can be extremely useful. when you have an host running your webserver inside a LAN. All other ports will be mapped to 1024 or above.23. and the DNAT mechanism will choose the destination IP address at random for each stream.1. as described previously. and where to send packets that are matched. Those between source ports 512 and 1023 will be mapped to ports below 1024. The above example would send on all packets destined for IP address 15. but no real IP to give it that will work on the internet. All the source ports would then be mapped to the ports specified. and that each stream will randomly be given an IP address that it will always be Destinated for. within that stream. Table 22. iptables will map one of them to another port. Hence. such as the POSTROUTING chain.168. but if two hosts tries to use the same ports.67 --dport 80 -j DNAT --to-destination 192. DNAT target Option Example Explanation --to-destination iptables -t nat -A PREROUTING -p tcp -d 15. We may also specify a whole range of destination IP addresses. Note that this has nothing to do with destination ports. DNAT target The DNAT target is used to do Destination Network Address Translation. host or network. iptables will always try to maintain the source ports used by the actual workstation making the connection.45. This is done by adding.Iptables Tutorial 1. Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table. for example. so if a client tries to make contact with an HTTP server outside the firewall. namely 192.10 The --to-destination option tells the DNAT mechanism which Destination IP to set in the IP header. which means that it is used to rewrite the Destination IP address of a packet. This would hence look as within the example above. and then routed on to the correct device.unix-fu. Note that chains containing DNAT targets may not be used from any other chains. it will not be mapped to the FTP control port. then all source ports below 512 will be mapped to other ports below 512 if needed.html 21:25:51 10/06/2002 . As previously stated.23. If a packet is matched.9 Página 38 described in the example above. :1024-32000 or something alike.45. iptables will always try to not make any port alterations if it is possible.168. and any of the chains called upon from any of those listed chains.168. and a single stream would always use the same IP address for packets within that stream. and all subsequent packets in the same stream will be translated. You could then tell the firewall to forward all packets going to its own HTTP port.1. on to the real webserver within the LAN.1.67 to a range of LAN IP's. for example.1 through 10.1-192. the packet. We could also have specified only one IP address. and this is the target of the rule. There may also be an range of ports specified that should only be used by SNAT. Also note that we may add an port or port range to which the traffic would be redirected to.org/andreasson/iptables-tutorial/iptables-tutorial. If no port range is specified. that a single stream will always use the same host. The source IP would then be set randomly for each stream that we open. Note.1.

which is optional. dialup connections. If you have a static IP connection. which gets dynamic IP addresses when connecting to the network in question. The MASQUERADE target takes on option specified below. the syntax is pretty much the same for the DNAT target. or like --to-destination 192. the connection is lost anyways. which is extremely good if we.1:80 for example.unix-fu. Do note that port specifications are only valid for rules that specify the TCP or UDP protocols with the --protocol option. for example. and it is more or less idiotic to keep the entry around. it is not favorable since it will add extra overhead.168. The MASQUERADE target also has the effect that connections are forgotten when an interface goes down.168. and there may be inconsistencies in the future which will thwart your existing scripts and render them "unusable". This alters the default SNAT port-selection as described in the SNAT target section.1.Iptables Tutorial 1. If we would have used the SNAT target. In case we are assigned a different IP. as for the SNAT target even though they do two totally different things. Either you can specify a single port like --to-ports 1025 or you may specify a port range as --to-ports 10243000. but it does not require any --to-source option. The reason for this is that the MASQUERADE target was made to work with. MASQUERADE target Option Example Explanation --to-ports iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000 The --to-ports option is used to set the source port or ports to use on outgoing packets. A rule could then look like --to-destination 192. As you can see. and the IP address is automatically grabbed from the information about the specific interface. Table 23. which would be lying around for days. This is in general the correct behaviour when dealing with dialup lines that are probable to be assigned a different IP every time it is up'ed. kill a specific interface. In other words. When you masquerade a connection. for example. MASQUERADE target The MASQUERADE target is used basically the same as the SNAT target. Note that the MASQUERADE target is only valid within the POSTROUTING chain in the nat table.9 Página 39 DNAT the packets. It is still possible to use the MASQUERADE target instead of SNAT even though you do have an static IP. however.1:80-100 if we wanted to specify a port range. which we don't know the actual address of at all times.1.html 21:25:51 10/06/2002 . we may have been left with a lot of old connection tracking data. The --to-ports option is only valid if the rule match section specifies the TCP or UDP protocols with http://people. swallowing up worthful connection tracking memory.1. just as the SNAT target. it means that we set the IP address used on a specific network interface instead of the --to-source option.org/andreasson/iptables-tutorial/iptables-tutorial. you should instead use the SNAT target. the lower port range delimiter and the upper port range delimiter separated with a hyphen. or DHCP connections. This means that you should only use the MASQUERADE target with dynamically assigned IP connections.

This is specified. In other words. since it wouldn't make any sense anywhere else. to use.0.txt.org/andreasson/iptables-tutorial/iptables-tutorial. Without the --to-ports option. all of them described below in the table.unix-fu. http://people.1. transparent proxying. Locally generated packets are mapped to the 127. the destination port is never altered. and who actively pursue this. such as 64 as specified in Linux kernel. read the ip-sysctl.0. The TTL target is only valid within the mangle table. and nowhere else. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid. we would do it like --toports 8080-8090. If we would want to specify an port range. TTL target The TTL target is used to modify the Time To Live field in the IP header. --to-ports 8080 in case we only want to specify one port. The REDIRECT target is extremely good to use when we want. on our own host. REDIRECT target Option Example Explanation --to-ports iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 The --to-ports option specifies the destination port. this rewrites the destination address to our own host for packets that are forwarded.Iptables Tutorial 1. We may then reset the TTL value for all outgoing packets to a standardized value. or something alike. Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains. The REDIRECT target takes only one option. For more information on how to set the default value used in Linux. which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090. will effectively make it a little bit harder for them to notify that you are doing this.9 Página 40 the --protocol match. and nowhere else. as described below. It takes 3 options as of writing this.html 21:25:51 10/06/2002 . Setting all TTL values to the same value. where the LAN hosts do not know about the proxy at all. One reason for doing this is if you have a bully ISP which don't allow you to have more than one machine connected to the same internet connection.1 address. One useful application of this is to change all Time To Live values to the same value on all outgoing packets. for example. REDIRECT target The REDIRECT target is used to redirect packets and streams to the machine itself. as above. Table 24. or port range. Note that this option is only available in rules specifying the TCP or UDP protocol with the --protocol matcher. which you may find within the Other resources and links appendix.

9 Página 41 Table 25. If a packet is matched and the ULOG target is set. and it contains much better facilities for logging http://people. the packet would leave our host with a TTL value of 49. which it always does. This may be used to make our firewall a bit more stealthy to traceroutes among other things. --ttl-dec iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-dec 1 The --ttl-dec option tells the TTL target to decrement the Time To Live value by the amount specified after the --ttl-decoption. and the higher the TTL. we effectively make the firewall hidden from traceroutes.unix-fu. since the packet may start bouncing back and forth between two misconfigured routers. the more bandwidth will be eaten unnecessary in such a case. This means that we should raise the TTL value with the value specified in the -ttl-inc option. it gives the hacker/cracker some good information about your upstreams if they have targeted you. the packet information is multicasted together with the whole packet through a netlink socket. where the network code will automatically decrement the TTL value by 1.1.Iptables Tutorial 1. a packet entering with a TTL of 53 would leave the host with TTL 56. from 53 to 49 in other words. A good value would be around 64 somewhere. ULOG target The ULOG target is used to provide userspace logging of matching packets.txt script. Note that the same thing goes here. By setting the TTL one value higher for all incoming packets. For a good example on how this could be used. Traceroutes are a loved and hated thing. One or more userspace processes may then subscribe to various multicast groups and receive the packet.html 21:25:51 10/06/2002 . IF ANYONE HAS A GOOD USAGE FOR THIS OPTION. The reason for this is that the networking code will automatically decrement the TTL value by 1. Do not set this value too high. It's not too long. if the TTL for an incoming packet was 53 and we had set --ttl-dec 3. In other words. hence the packet will be decremented by 4 steps. but at the same time. This is in other words a more complete and more sophisticated logging facility that is only used by iptables and netfilter so far. see the ttl-inc. and it is not too short. since they provide excellent information on problems with connections and where it happens. as for the previous example of the --ttl-dec option. since it may affect your network and it is a bit immoral to set this value to high.org/andreasson/iptables-tutorial/iptables-tutorial. NOTIFY ME --ttl-inc iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-inc 1 The --ttl-inc option tells the TTL target to increment the Time To Live value with the value specified to the --ttl-inc option. TTL target Option Example Explanation --ttl-set iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-set 64 The --ttl-set option tells the TTL target which TTL value to set on the packet in question. and if we specified --ttl-inc 4.

and is definitely most useful to distinguish different logmessages and where they came from. The default value here is 1 because of backwards compatibility. Traversing of tables and chains This chapter will talk about how packets traverse the the different chains and in which order. With this we mainly mean the different routing decisions and http://people. we would copy 100 bytes of the whole packet to userspace. and other databases. This target enables us to log information to MySQL databases. and to group log entries etcetera. ULOG target Option Example Explanation --ulog-nlgroup iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2 The --ulog-nlgroup option tells the ULOG target which netlink group to send the packet to. the userspace daemon did not know how to handle multipart messages previously. For example. The default value is 0. which are simply specified as 1-32. so the whole packet will be copied to userspace. plus some leading data within the actual packet. the whole packet will be copied to userspace. Also we will speak about in which order the tables are traversed. --ulog-qthreshold iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10 The --ulog-qthreshold option tells the ULOG target how many packets to queue inside the kernel before actually sending the data to userspace. This option prefixes all log entries with a userspecified log prefix. and then transmit it outside to the userspace as one single netlink multipart message. which would include the whole header hopefully.1. This is extremely valuable information later on when you write your own specific rules. Table 26.9 Página 42 packets. The default netlink groupd used is 1. If we specify 100 as above.unix-fu. There are 32 netlink groups. --ulog-cprange iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100 The --ulog-cprange option tells the ULOG target how many bytes of the packet to send to the userspace daemon of ULOG.Iptables Tutorial 1. We will also look at which points certain other parts that also are kernel dependant gets in the picture. if we set the threshold to 10 as above. --ulog-prefix iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: " The --ulog-prefix option works just the same as the prefix value for the standard LOG target.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . It can be 32 characters long. If we would like to reach netlink group 5. the kernel would first accumulate 10 packets inside the kernel. If we specify 0. we would simply write --ulog-nlgroup 5. making it much simpler to search for specific packets. regardless of the packets size.

is the packet destined for our localhost or to be forwarded and where. we're assuming that the packet is destined for another host on another network.9 Página 43 so on. changing TOS and so on. Source Network Address Translation is done further on. avoid doing filtering here since certain packets might pass this chain without ever hitting it. eth0) This chain is normally used for mangling packets.1.html 21:25:51 10/06/2002 . ie. Note that all traffic that's forwarded goes through here (not only in one direction). Then the packet starts to go through a series of steps in the kernel before it is either sent to the correct application (locally).org/andreasson/iptables-tutorial/iptables-tutorial. This chain should first and foremost be used for Source Network Address Translation. internet) Comes in on the interface(ie. so you need to think about it when writing your ruleset. Goes out on the outgoing interface (ie. The packet can be stopped at any of the iptables chains.unix-fu. or anywhere else in case it is malformed. 5 6 7 nat POSTROUTING 8 9 As you can see. Routing decision. or forwarded to another host or whatever happens to it. In this example. Avoid filtering in this chain since it will be passed through in certain cases. This is especially needed if you want to write rules with iptables that chould change how different packets get routed. there's quite a lot of steps to pass through. This is also where Masquerading is done. however. we are mainly interested in the iptables aspect of this lot. Out on the wire again (ie. Forwarded packets Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire(ie. eth1). The packet goes through the different steps in the following fashion: Table 1. ie. we do all the filtering here. filter FORWARD The packet got routed onto the FORWARD chain. General When a packet first enters the firewall. good examples of this is DNAT and SNAT and of course the TOS bits. Do note that there is no specific chains or tables for different interfaces or http://people.Iptables Tutorial 1. LAN). it hits the hardware and then get's passed on to the proper device driver in the kernel. only forwarded packets go through here. This chain is used for Destination Network Address Translation mainly.

server/client program) 5 6 7 Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain.unix-fu. Local process/application (ie. changing TOS and so on. Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning. server/client program) This is where we mangle packets.1.Iptables Tutorial 1. I think. ie. filter INPUT This is where we do filtering for all incoming traffic destined for our localhost. 3 4 Nat Filter OUTPUT OUTPUT http://people. could someone tell me when this will be fixed? Please? This is where we filter packets going out from localhost. is the packet destined for our localhost or to be forwarded and where. no matter what interface and so on it came from. ie.html 21:25:51 10/06/2002 . Note that all incoming packets destined for this host passes through this chain. Finally we look at the outgoing packets from our own localhost and what steps they go through. Table 3. Now. Destination localhost Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire (ie. but if you continue to dig in it. This chain is used for Destination Network Address Translation mainly. Avoid filtering in this chain since it will be passed through in certain cases. Quite logical. Internet) Comes in on the interface(ie. FORWARD is always passed by all packets that are forwarded over this firewall/ router. Source localhost Step 1 2 Mangle OUTPUT Table Chain Comment Local process/application (ie.9 Página 44 anything like that. This is currently broken. it is suggested that you do not filter in this chain since it can have sideeffects. Routing decision. let us have a look at a packet that is destined for our own localhost. I think it gets clearer with time.org/andreasson/iptables-tutorial/iptables-tutorial. eth0) This chain is normally used for mangling packets. It would pass through the following steps before actually being delivered to our application to receive it: Table 2.

Goes out on some interface (ie.9 Página 45 5 6 Nat POSTROUTING Routing decision. Internet) 7 8 We have now seen how the different chains are traversed in three separate scenarios. If we would figure out a good map of all this. It is suggested that you don't do filtering here since it can have sideeffects.unix-fu. eth0) On the wire (ie.org/andreasson/iptables-tutorial/iptables-tutorial. This is where we decide where the packet should go.html 21:25:51 10/06/2002 . and certain packets might slip through even though you set a default policy of DROP. it would look something like this: http://people. This is where we do Source Network Address Translation as described earlier.Iptables Tutorial 1.1.

unix-fu.Iptables Tutorial 1.txt script.test-iptables. This test script should give you the necessary rules to test how the tables and chains are traversed.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. If you feel that you want more information. http://people. this might still be wrong or it might change in the future. All comments welcome.1.9 Página 46 Hopefully you got a clearer picture of how the packets traverses the built in chains now. you could use the rc.

unix-fu.html 21:25:51 10/06/2002 . After this. Nat table This table should only be used for NAT (Network Address Translation) on different packets. In other words. Some Internet Service Providers does not like users running multiple computers on one single connection. the rest of the packets http://people.1.9 Página 47 Mangle table This table should as we've already noted mainly be used for mangling packets. or if they don't have any. and sometimes. In other words. One good reason for this could be that we don't want to give ourself away to nosy Internet Service Providers.Iptables Tutorial 1. and there are some Internet Service Providers known to look for a single host generating many different TTL values. nor will any DNAT. SNAT or Masquerading work in this table.org/andreasson/iptables-tutorial/iptables-tutorial. Note that. These marks could then be recognised by the iproute2 programs to do different routing on the packet depending on what mark they have. We could tell packets to only have a specific TTL and so on. it should only be used to translate packets source field or destination field. Target's that only valid in the mangle table: TOS TTL MARK The TOS target is used to set and/or change the Type of Service field in the packet. This could be used for setting up policies on the network regarding how a packet should be routed and so on. they act faulty on what they get. Note that this has not been perfected and is not really implemented on the internet and most of the routers don't care about the value in this field. It is strongly adviced that you don't use this table to do any filtering in. you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) fields and so on. The MARK target is used to set special mark values to the packet. and takes this as one of many signs of multiple computers connected to a single connection. as we have said before. We could also do bandwidth limiting and Class Based Queuing based on these marks. only the first packet in a stream will hit this chain. The TTL target is used to change the TTL (Time To Live) field of the packet. Don't set this in other words for packets going to the internet unless you want to do routing decisions on it with iproute2.

In other words. as you already know. etcetera. The MASQUERADE target will on the other hand work properly with Dynamic IP addresses that you may be provided when you connect to the Internet with. Of course we may do filtering earlier too. etc. SNAT (Source Network Address Translation) is mainly used for changing the source address of packets. A good example when this is very good is when we have a firewall that we know the outside IP address of.x. The MASQUERADE target is used in exactly the same way as SNAT. Filter table The filter table is.1. however.168. we change the destination address of the packet and reroute it to some other host. This is mainly done to hide our local networks or DMZ. however.x netmask for example. this is the place that was designed for it. of course. this is where we (should) do the main filtering. The reason for this is that each time that the MASQUERADE target gets hit by a packet. This should be used to get a basic idea on how to solve different problems and what you may need to think about before http://people. The firewall will with this target automatically SNAT and De-SNAT the packets. If you're network uses 192. but need to change our local networks IP numbers to the same of the IP of our firewall.Iptables Tutorial 1. Almost all targets are usable in this chain. hence making it possible to make connections from the LAN to the Internet. it automatically checks for the IP address to use. rc. We will not go into deeper discussion about this table though. We can match packets and filter them however we want.9 Página 48 will automatically have the same action taken on them as the first packet.unix-fu. the packets would never get back from the Internet because these networks are regulated to be used in LAN's by IANA.org/andreasson/iptables-tutorial/iptables-tutorial.firewall file This chapter will deal with an example firewall setup and how the script file could look. the targets discussed previously in this chapter are only usable in their respective tables. We have used one of the basic setups and dug deeper into how it works and what we do in it. This is the place that we actually take action against packets and look at what they contain and DROP/ACCEPT depending on their payload. instead of doing as the SNAT target does and just use an IP address submitted while the rule was parsed. but the MASQUERADE target takes a little bit more overhead to compute. for example PPP. and there is nothing special to this chain or special packets that might slip through because they are malformed. mainly used for filtering packets.html 21:25:51 10/06/2002 . SLIP or DHCP. The actual targets that does these kind of things are: DNAT SNAT MASQUERADE The DNAT (Destination Network Address Translation) target is mainly used in cases such as when you have one IP and want to redirect accesses to the firewall to some other host on a DMZ for example.

This could be eth0. hence it is available here.firewall. which will point the script to the exact location of the http://people. explanation of rc. This script does not contain any special configuration options for DHCP or PPPoE. For example. The Local Area Network section contains most of the configuration options for your LAN.firewall Ok. as you may see there is a Localhost configuration section.9 Página 49 actually putting your scripts into work. I suggest you read through the script file to get a basic hum about how it looks. hence these sections are empty.DHCP.txt. the $INET_IFACE variable should point to the actual device used for your internet connection. eth1. As long as you have a very basic setup however. but is not suggested since it may not work perfectly together with your network setup. You should at least be if you have come this far. This should always be changed since it contains the information that is vital to your actual configuration.1 IP address and the interface will amost certainly be named lo.0. or (hold yourself) create your own from scratch. ppp0.firewall. It could be used as is with some changes to the variables.org/andreasson/iptables-tutorial/iptables-tutorial. if you got one (if not. This example rc. the script has been written for readability so that everyone can understand it without having to know too much BASH scripting before reading this example rc. If you need these parts. Instead of looking for comments. tr0.html 21:25:51 10/06/2002 . then you could always create a mix of the different scripts. they are however left there so you can spot the differences between the scripts in a more efficient way.1. and then you return here to get the nitty gritty about the whole script. Also. Also. you will find a brief section that pertains to the iptables. you need to specify the IP address of the physical interface connected to the LAN as well as the IP range which the LAN uses and the interface that the box is connected to the LAN through. note that there might be more efficient ways of making the ruleset. Also.Iptables Tutorial 1. The same goes for all sections that are empty. it will very likely run quite smooth with just a few fixes to it. however. your IP address will always change.txt is the configuration section. Mainly. however you will with 99% certainty not change any of the values within this section since you will almost always use the 127.unix-fu. The $INET_IP should always be a fully valid IP address. however. For example. so you have everything set up and are ready to check out an example configuration script.firewall.txt (also included in the Example scripts codebaseappendix) is fairly large but not a lot of comments in it. then you should probably look closer at the rc.firewall Configuration options The first section you should note within the example rc. this section only consists of the $IPTABLES variable.0. read on since this script will introduce a lot of interesting stuff anyways). just below the Localhost configuration. etcetera just to name a few possible device names. which are necessary. We do provide it.

and the default location when compiling the iptables package by hand is /usr/local/sbin/iptables. In other words. and it sends connection information within the actual payload of the packet. We may also load extra modules for the state matching code here. the DCC connection will look as if it wants the receiver to connect to some host on the receivers own local network. After this we load the modules that we will require for this script. You could also disallow all users but your own user and root to connect from your box to the Internet. we see to it that the module dependencies files are up to date by issuing an /sbin/depmod -a command. For example. since it will take some extra effort to make additional rules this way. it will send its own local network IP address within the payload of the packet. The same thing applies for DCC file transfers (sends) and chats. This is due to how the DCC starts a connection. This may vary a bit. The NAT helpers on the other hand.1. So. Without the helpers. Without these helpers. are extensions of the connection tracking helpers that tells the kernel what to look for in specific packets and how to translate these so the connections will actually work. Connection tracking helpers are special modules that tells the kernel how to properly track the specific connections. if one of your hosts NAT'ed boxes connect to a FTP server on the internet.Iptables Tutorial 1. The FTP NAT helpers do all of the translations within these connections so the FTP server will actually know where to connect. Since this local network address is not valid outside your own network. and tells the FTP server to connect to that IP address. the whole connection will be http://people. First off. Without these so called helpers. you could allow only root to do FTP and HTTP connections to redhat and DROP all the others. and if possible try to avoid having modules lying around at all unless you will be using them. but you will be a bit more secure to bouncing hacker attacks and attacks where the hacker will only use your host as an intermediate host. but not be able to send files. Always avoid loading modules that you do not need. you tell the receiver that you want to send a file and where he should connect to. for example. which could for example be used to only allow certain users to make certain connections. however. some FTP and IRC stuff will work no doubt. For more information about the ipt_owner match. we load these modules as follows: /sbin/insmod ipt_LOG /sbin/insmod ipt_REJECT /sbin/insmod ipt_MASQUERADE Next is the option to load ipt_owner module. For example. FTP is a complex protocol by definition. might be boring for others.9 Página 50 iptables application.unix-fu. you may be able to receive files over DCC. which in turn requires some translation to be done.org/andreasson/iptables-tutorial/iptables-tutorial. This is for security reasons. Creating these kind of connections requires the IP address and ports to be sent within the IRC protocol. However. Now. REJECT and MASQUERADE targets and don't have this compiled statically into your kernel. All modules that extend the state matching code and connection tracking code are called ip_conntrack_* and ip_nat_*. I will not use that module in this example but basically. the FTP server will not know what to do with it and hence the connection will break down. the kernel would not know what to look for when it tries to track specific connections. Initial loading of extra modules First. etcetera. some other things will not work. if you want to have support for the LOG.html 21:25:51 10/06/2002 . many distributions put the actual application in another location such as /usr/sbin/iptables and so on. look at the Owner match section within the How a rule is built chapter.

They are used the same way as the conntrack modules. There are also H. This may give malicious people a small timeframe to actually get through our firewall.9 Página 51 broken. For a long explanation of these conntrack and nat modules. This will lead to a brief period of time where the firewall will accept forwarding any kind of traffic for everything between a millisecond to a minute depending on what script we are running and on what box.323 conntrack helpers within the patch-o-matic. we turn it on before actually creating any kind of IP filters (ie. In other words. there's other documentations on how to do these things and this is out of the scope of this documentation. you need to use the patch-omatic and compile your own kernel. it will work flawlessly since the sender will (most probably) give you the correct address to connect to. which is also available within the Other resources and links appendix. proc set up At this point we start the IP forwarding by echoing a 1 to /proc/sys/net/ipv4/ ip_forward in this fashion: echo "1" > /proc/sys/net/ipv4/ip_forward It may be worth a thought where and when we turn on the IP forwarding. read the Common problems and questionmarks appendix. To be able to use these helpers. this option should really be turned on after creating all firewall rules. but it will make it possible for the computer to do NAT on these two protocols. there is only the option to load modules which add support for the FTP and IRC protocols. it may be worth looking at that appendix in the future. Note that you need to load the ip_nat_irc and ip_nat_ftp if you want Network Adress Translation to work properly on any of the FTP and IRC protocols.Iptables Tutorial 1. In case you need dynamic IP support. PPP or DHCP you may enable the next option. Also. http://people. However. iptables rulesets).unix-fu. I have chosen to turn it on here to maintain consistency with the script breakdown currently user. In this script and all others within the tutorial. ip_dynaddr by doing the following : echo "1" > /proc/sys/net/ipv4/ip_dynaddr If there is any other options you might need to turn on you should follow that style.1. As of this writing. as well as some other conntrack helpers. the other way around. For a better explanation on how this is done. You will also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before actually loading the NAT modules. in case there are possible additional links added to other and better resources of information. There is a good but rather brief document about the proc system available within the kernel.html 21:25:51 10/06/2002 . for example if you use SLIP. read the Preparations chapter.org/andreasson/iptables-tutorial/iptables-tutorial. however.

I simply match all TCP packets and then let the TCP packets traverse an user specified chain. Also. this will remind you a little bit of how the specific tables and chains are traversed in a real live example. and all others contained within this tutorial. This example is also based upon the assumption that we have a static IP to the internet (as opposed to DHCP. In this case. and we trust our local network fully and hence we will not block any of the traffic from the local network. UDP and TCP rules. do contain a small section of non-required proc settings. With these pictures and explanations. this script has as a main priority to only allow traffic that we explicitly want to allow. this section contains a brief look back to the Traversing of tables and chains chapter. I wish to explain and clarify the goals of this script. PPP and SLIP and others). one firewall and an Internet connection connected to the firewall. However. Since the local network is fully trusted. In the case of this scenario. Displacement of rules to different chains This section will briefly describe my choices within the tutorial regarding user specified chains and some choices specific to the rc. Some of the paths I have chosen to go here may be wrong from one or another of aspect. Hopefully. the Internet is most definitely not a trusted network and hence we want to block http://people. we want to set default policies within the chains to DROP.firewall. I hope to point these aspects and possible problems out to you when and where they occur.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 52 The rc. however. This whole example script is based upon the assumption that we are looking at a scenario containing one local network. We will not discuss any specific details yet. we want to allow all kind of traffic from the local network to the internet. This will effectively kill all connections and all packets that we do not explicitly allow inside our network or our firewall.html 21:25:51 10/06/2002 . do not turn these on before actually knowing what they mean. To do this. Instead of letting a TCP packet traverse ICMP.Iptables Tutorial 1.txt script. we would also like to let our local network do connections to the internet. This way we do not get too much overhead out of it all.txt script. The following picture will try to explain the basics of how an incoming packet traverses netfilter. let's make clear what our goals are. but instead further on in the chapter.firewall. This is a really trivial picture in comparison to the one in the Traversing of tables and chains chapter where we discussed the whole traversal of chains and tables in depth. Based upon this picture. I have displaced all the different user-chains in the fashion I have to save as much CPU as possible but at the same time put the main weight on security and readability. we also want to allow the firewall to act as a server for certain services on the internet.unix-fu.1. Also. These may be a good starters to look at.

html 21:25:51 10/06/2002 . As for our firewall. For instance. By doing this. and reduce redundancy within the network. For a closer discussion of this. and hence it should be allowed through the INPUT chain. By traversing less rules. Since we have an FTP server running on the server. Based upon these general assumptions. we do not want to allow specific packets or packet headers in specific conjunctions. We trust our local network to the fullest. we want to add special rules to allow all traffic from the local network as well as the loopback network interface. we may be a bit low on funds perhaps. we want to split the rules down into subchains. nor do we want to allow some IP ranges to reach the firewall from the Internet. All of this is done within the PREROUTING chain. of course.1. we add a rule which lets all established and related traffic through at the top of the INPUT chain.0. This means that we will also have to do some filtering within the FORWARD chain since we will otherwise allow outsiders full access to our local network. Therefore. read the Common problems and questionmarks chapter. we want the local network to be able to connect to the internet. as well as the fact we want to traverse as few rules as possible. we also trust the local network fully. we make the ruleset less timeconsuming for each packet. we will need to NAT all packets since none of the local computers have real IP addresses. For the same reason. which in turn will allow all return traffic from the Internet to our local network.9 Página 53 them from getting to our local network. which is created last in this script. To do this. All of these protocols are available on the actual firewall. we will want to block all traffic from the Internet to our local network except already established and related connections. http://people.0/8 address range is reserved for local networks and hence we would normally not want to allow packets from such a address range since they would with 90% certainty be spoofed. Also.0. the 10. we have decided to allow HTTP.org/andreasson/iptables-tutorial/iptables-tutorial. our packets will hopefully only need to traverse as few rules as possible. and because of that we specifically allow all traffic from our local network to the internet. However.unix-fu. let's look at what we need to do and what we do not need to do. However. or we just want to offer a few services to people on the internet.Iptables Tutorial 1. and the loopback device and IP address are also trusted. Since noone on the Internet should be allowed to contact our local network computers. First of all. SSH and IDENTD access to the actual firewall. Because of this. we must note that certain Internet Service Providers actually use these address ranges within their own networks. FTP. and we need to allow the return traffic through the OUTPUT chain. before we implement this.

we send to the udp_packets chain which handles all incoming UDP packets. We do not do any specific user blocking. and should contain a few extra checks before finally accepting the packet. This chain we choose to call the "allowed" chain. As for ICMP packets. and hence we accept the directly. Also.org/andreasson/iptables-tutorial/iptables-tutorial. All incoming UDP packets should be sent to this chain. These packets. we have the UDP packets which needs to be dealt with. such as speak freely and ICQ. Finally.html 21:25:51 10/06/2002 . this box is also used as a secondary workstation and to give some extra levy for this. we have the firewalls OUTPUT chain. Finally. Since we are running on a relatively small network. iptables -P <chain name> <policy> http://people. so we would like to create one more subchain for all packets that are accepted for using valid port numbers to the firewall. First of all. now you got a small picture on how the packet traverses the different chains and how they belong together. nor do we do any blocking of specific protocols. as well as all of the rulesets within the chains. UDP or ICMP. these will traverse the icmp_packets chain. we allow pretty much all traffic leaving the firewall. Since we actually trust the firewall quite a lot.unix-fu. we set all the default policies on the different chains with a quite simple command. Setting up the different chains used So.Iptables Tutorial 1. which will contain rules for all TCP ports and protocols that we want to allow. When we decided on how to create this chain. You should also have a clear picture of the goals of this script. and if they are of an allowed type we should accept them immediately without any further checking.9 Página 54 In this script. All TCP packets traverse a specific chain named tcp_packets. we want to allow certain specific protocols to make contact with the firewall itself. We would most likely implement this by adding rules that ACCEPT all packets leaving the firewall in case they come from one of the IP addresses assigned to the firewall. It is now about time that we take care of setting up all the rules and chains that we wish to create and to use.1. for example TCP. we choose to split the different packets down by their protocol family. and hence we only want to allow traffic from the IP addresses assigned to the firewall itself. we want to do some extra checking on the TCP packets. and if not they will be dropped by the default policy in the OUTPUT chain. However. we do not want people to use this box to spoof packets leaving the firewall itself. we could not see any specific needs for extra checks before allowing the ICMP packets through if we agree with the type and code of the ICMP packet.

we check for everything that comes from our $LOCALHOST_IP. We do certain checks for bad packets here. In either case we want to know about it so it can be dealt with. These applications will not work properly without it.9 Página 55 The default policy is used every time the packets don't match a rule in the chain. we do the same match for TCP packets on the $INET_IFACE and send those to the tcp_packets chain. Before we hit the default policy of the INPUT chain. First of all we match all ICMP packets in the INPUT chain that come on the incoming interface $INET_IFACE. If you want to fully understand this. you need to look at the Appendices regarding state NEW and non-SYN packets getting through other rules.1 and ACCEPT all incoming traffic from there.0. we don't log more than 3 packets per minute as to not getting flooded with crap all over the log files. udpincoming_packets and the allowed chain for tcp_packets. This way we don't get too much load from the iptables. After this. The default policy was set quite some time back. and send those to the icmp_packets.org/andreasson/iptables-tutorial/iptables-tutorial. I allow everything that comes from my own Internet IP that is either ESTABLISHED or RELATED to some connection. Finally. Incoming packets on eth0. INPUT chain The INPUT chain as I've written it uses mostly other chains to do the hard work. The TCP allowed chain If a packet comes in on eth0 and is of TCP type. also we set a prefix to all log entries so we know where it came from.0.Iptables Tutorial 1. we log them to our logs and then we DROP them.1. we log it so we might be able to find out about possible problems and or bugs. as you might remember. and it will work much better on slow machines which might otherwise drop packets at high loads. we allow broadcast traffic from our LAN. and after this. Everything that hasn't yet been caught will be DROP'ed by the default policy on the INPUT chain. will be redirected to tcp_packets and incoming packets of UDP type from eth0 go to udpincoming_packets chain. tcp_packets. Hence. of TCP type. which would normally be 127.0/24. These packets could be allowed under certain circumstances but in 99% of the cases we wouldn't want these packets to get through. which in my case is eth0.0. Either it might be a packet that we just dont want to allow or it might be someone who's doing something bad to us. After this. Though. which was previously described. some applications depend on it such as Samba etc. and after this all UDP packets get sent to udpincoming_packets chain. we create the different special chains that we want to use with the -N command. The new chains are created and set up with no rules inside of them. or finally it might be a problem in our firewall not allowing traffic that should be allowed.168. if the connection is against an allowed port.unix-fu. it travels through the tcp_packets chain. The chains we will use are icmp_packets. of ICMP type. something that some might consider a security problem. Also. which in my case would be 192.html 21:25:51 10/06/2002 . we want to do some final checks on it to see if we actually do http://people. will be redirected to the chain icmp_packets. do the same for everything to $LAN_IP.

There is no practical use of not starting a connection with a SYN packet. Redirect and Time Exceeded. the connection then must be in state ESTABLISHED. The reason that I allow these ICMP packets are as follows. As a side-note. we didn't reply to the SYN packet. If it is a SYN packet. Then we check if the packet comes from an ESTABLISHED or RELATED connection. then we. allow it. is allowed in the case where we might want to traceroute some host or if a packet gets its Time To Live set to 0. everything works perfectly while blocking all the other ICMP types that I don't allow. and so on until we get an actual reply from the host we finally want to get to. we create the chain the same way as all the others. if it does. we check if the packet is a SYN packet. After that. then TTL = 2 and the second gateway sends Time Exceeded. In this case this pretty much means everything that hasn't seen traffic in both directions. DROP the crap since it's 99% sure to be a portscan. again of course. it is most likely to be the first packet in a new connection so. The last rule in this chain will DROP everything else.org/andreasson/iptables-tutorial/iptables-tutorial.Internet Control Message Protocol by J. There is no currently available TCP/IP implementation that supports opening a TCP connection with something else than a SYN packet to my knowledge. I only allow incoming ICMP Echo Replies. and it gets down to 0 at the first hop on the way out. Time Exceeded. see the appendix ICMP types.1. For more information on ICMP types and their usage.html 21:25:51 10/06/2002 . Echo Replies is what you get for example when you ping another host. As it is now. http://people. when you traceroute someone. and a Time Exceeded is sent back from the first gateway en route to the host we're trying to traceroute. hence. An ESTABLISHED connection is a connection that has seen traffic in both directions. you start out with TTL = 1. This way we won't have to wait until the browser's timeouts kicks in after some 60 seconds or more. of course. or they are trying to start the connection with a non SYN packet. Destination Unreachable is used if a certain host is unreachable. If a packet of ICMP type comes in on eth0 on the INPUT chain. For example. we then redirect it to the icmp_packets chain as explained before. we allow this.Iptables Tutorial 1. First of all. if we don't allow this. Destination unreachable. so for example if we send a HTTP request. and since we've got a SYN packet. I might be wrong in blocking some of these ICMP types for you. The ICMP chain This is where we decide what ICMP types to allow.unix-fu. we will get a reply about this. and the host is unreachable. but in my case. the last gateway that was unable to find the route to the host replies with a Destination Unreachable telling us that it was unable to find it. ie. Here we check what kind of ICMP types to allow. we will be unable to ping other hosts. For a complete listing of all ICMP types. i suggest reading the following documents and reports : The Internet Control Message Protocol ICMP RFC 792 .9 Página 56 want to allow it or not. except to portscan people pretty much. Postel. and a reply to this SYN packet.

This specifies what ports that are allowed to use on the firewall from the Internet. Note that you are dealing with a firewall. the rule will be added to the end of the chain.0 and netmask 0. of course. they will be passed back to the original chain that sent the packet to the tcp_packets chain.unix-fu. Firewalls should always be kept to a bare minimum and not more. which is IDENTD and might be necessary for some protocols like IRC. well.0. we can unload the ip_conntrack_ftp module and delete the $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed line from the rc.0. there is still more checks to do. hence we allow DNS.1. As it is now. We don't want this behaviour. which we described previously. delete it if you don't want to run a web server on your site. Port 80 is HTTP.0.0. etc to work properly. in other words if the packet is destined for port 21 they also match. this is actually the default behaviour but I'm using it for brevity in here. --dport 21 means destination port 21. -A tcp_packets tells iptables in which chain to add the new rule.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. If we don't want to allow FTP at all. in other words everything again. if you want to allow anyone from the outside to use a shell on your box at all.9 Página 57 The TCP chain So now we reach TCP connections.0 with netmask 0.0. in other words all sources addresses. I allow TCP port 21. Port 22 is SSH.0. http://people. which is NTP or network time protocol. loaded.0. which is used to control FTP connections and later on I also allow all RELATED connections.0. then the packet will be targeted for the allowed chain. It is always a bad idea to give others than yourself any kind of access to these kind of boxes.firewall. without this we wouldn't be able to do domain name lookups and we would be reversed to only use IP's. Though. If all the criteria are matched. This protocol is used to set your computer clock to the same time as certain other time servers which have very accurate clocks. much better than allowing telnet on port 23. -p TCP tells it to match TCP packets and -s 0/0 matches all source addresses from 0.Iptables Tutorial 1. we ACCEPT them directly. its quite self explanatory how to do that by now=). If they have a source port of 53 also. and that way we allow PASSIVE and PORT connections since the ip_conntrack_ftp module is. As it is now. I ACCEPT incoming UDP packets from port 53. If you feel like adding more open ports with this script. If it doesn't match any of the rules. which is what we use to do DNS lookups.0. hopefully. The UDP chain If we do get a UDP packet on the INPUT chain. I personally also allow port 123. or FTP control port. in other words your web server. And finally we allow port 113.txt file.0. we send them on to udpincoming_packets where we once again do a match for the UDP protocol with -p UDP and then match everything with a source address of 0. hence we send each and one of them on to allowed chain.

There is at least 5 different ICQ clones for Linux and it's one of the most widely used chat programs in the world. After this we allow everything in a state ESTABLISHED or RELATED from everywhere. which is used for certain real-time `multimedia' applications like speak freely which you can use to talk to other people in real-time by using speakers and a microphone. $LAN_IP or $STATIC_IP. We finally hit the default policy of the FORWARD chain that says to DROP everything. We log maximally 3 log entries per minute as to not flood our own logs. If it does get dropped. if we open a connection from our LAN to something on the Internet. And after this we log everything and drop it. I'm allowing it per default since I know there are some who actually do. Finally we DROP the packet in the default policy. in other words. http://people. Note that this chain should not be used for any filtering or such. Everything else might be spoofed in some fashion. Also we log them with debug level.unix-fu. or it's a weird packet that's spoofed. PREROUTING chain of the nat table The PREROUTING chain is pretty much what it says. OUTPUT chain Since i know that there's pretty much no one but me using this box which is partially used as a Firewall and a workstation currently. Either it's a nasty error. I would like to comment on the few lines in there anyways. and prefix them with a short line that is possible to grep for in the logfiles. I doubt there is any further need to explain what it is. we first of all ACCEPT all packets coming from our LAN with the following line: /usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT So everything from our Localnet's interface gets ACCEPT'ed whatever the circumstances.1. Last of all we log everything that gets dropped. a headset. I allow pretty much everything that goes out from it that has a source address $LOCALHOST_IP. This should be an extremely well known protocol that is used by the Mirabilis application named ICQ.9 Página 58 Though. We currently also allow port 2074. it should be used for network adress translation. As it is now. most of you probably don't use this protocol.firewall. FORWARD chain Even though I haven't actually set up a certain section in the rc.Iptables Tutorial 1. it does network adress translation on packets before they actually hit the routing tables that sends them onwards to the INPUT or FORWARD chains in the filter table. among other things since this chain is only traversed by the first packet in a stream.txt example file. Port 4000 is the ICQ protocol. or even better.org/andreasson/iptables-tutorial/iptables-tutorial. even though I doubt anyone that I know would do it on my box. we allow the packets coming back from that site that's either ESTABLISHED or RELATED but nothing else. we'll sure as hell want to know about it for some reason or another.html 21:25:51 10/06/2002 .

So all packets that match this rule will be masqueraded to look as it came from your Internet interface.x. We also set a prefix to the log with the --log-prefix and set the log level with the --log-level. per default settings in this script) and finally we target the packet for MASQUERADE'ing. in the POSTROUTING chain that will masquerade all packets going out on our interface connected to the Internet. and the burst is also set to 3 so if we get 3 log entries in 2 seconds. Starting the Network Address Translation So. but also to improve the readability a bit. such as in case we get packets from the Internet interface that claim to have a source IP of 192.html 21:25:51 10/06/2002 .9 Página 59 First of all we check for obviously spoofed IP addresses. it'll have to wait for another 1 minute for the next log entry. The -t option tells us which table to use. This is good if someone starts to flood you with crap stuff that otherwise would generate many megabytes of logs. All packets that are being forwarded on our box traverse the FORWARD chain in the filter table. or logging facility what kind of importance this log entry has. The last thing we do is to log all traffic that gets dropped over the border.1. correct? At least to me. This means we get maximally 3 log entries per minute from this specific line. As it looks now. and to provide an overlook of the scripts and what services they provide. we drop them quicker than hell since these IP's are reserved especially for local intranets and definitely shouldn't be used on the Internet. isn't it? The next step we take is to ACCEPT all packets traversing the FORWARD chain in the default table filter that come from the input interface eth1 which is my interface connecting to the internal network. we might drop that too. It is in other words up to you to make these scripts suitable for your needs. The next thing we do is to ACCEPT all packets from anywhere that are ESTABLISHED and/or RELATED to some connection. then when the Internet box replies.x.x. These scripts are not in any way perfect. We allow this rule to be matched a maximum of 3 times per minute with a burst limit of 3.x. it gets caught by this rule since the connection has seen packets in both directions. and hits the default policy. and since it comes from eth1 we ACCEPT it. in this case nat while the A command tells us that we want to Add a new rule to an existing chain named POSTROUTING and -o $INET_IFACE tells us to match all outgoing packets on INET_IFACE (or eth0. Log level tells the syslogd. our final mission would be to get the MASQUERADEing up. This might be used in the opposite direction. if we get an packet from $LAN_IFACE that claims to not come from an IP address in the range which we know that our LAN is on.x. and they may not fit your exact intentions perfectly. For me this would be eth0. These settings are widely used within the example scripts. 10. mainly to make them easier to configure. we first send a packet from our local box behind eth1. there are specific variables added to these example scripts that may be used to automatically configure these settings. However. In some cases these might be packets that should have gotten through but didn't.16. First of all we add a rule to the nat table.x or 172. In other words. in other cases it might be packets that definitely shouldn't get through and you want to be notified about this. The rest of this tutorial should most probably be http://people. Simple. Example scripts The objective of this chapter is to give a fairly brief and short explanation of each script available with this tutorial.168. in such case.unix-fu.x.org/andreasson/iptables-tutorial/iptables-tutorial. we don't do that though. too.Iptables Tutorial 1.

The reason for this is that they should be fairly conformative to each other and to make it easier to find the differences between the scripts. do note that this may not be the best structure for your scripts. Configuration options should pretty much always be the first thing in any shell-script. and if there are any special circumstances that raises the chances that he is using a PPPoE connection. These variables are highly unlikely to change. we will add the DHCP specific configuration options here. It is only a structure that I have chosen to use since it fits the need of being easy to read and follow the best according to my logic. The structure This is the structure that all scripts in this tutorial should follow.1. or small corporate network.These options pertain to our localhost.If there is any reason to it. unless it is specifically explained why I have broken this structure.Iptables Tutorial 1.html 21:25:51 10/06/2002 . Configuration . This could be skipped if we do not have any Internet connection. we will add options pertaining to that in this section. will not have one. If they differ in some way it is probably an error on my part. 2. 1. This chapter should hopefully give a short understanding to why all the scripts has been written as they have. DHCP . This structure should be fairly well documented in this brief chapter. we will add a DMZ zone configuration at this point. Even though this is the structure I have chosen. DMZ . but we have put most of it into variables anyway. 3. but only such that pertains to our Internet connection.org/andreasson/iptables-tutorial/iptables-tutorial. The first section of this tutorial deals with the actual structure that I have established in each script so we may find our way within the script a bit easier.9 Página 60 helpful in making this feat. PPPoE .First of all we have the configuration options which the rest of the script should use. rc. 2. mainly because any normal home network. Note that there may be more subsections than those listed here. 4.If there is any LAN available behind the firewall. hence this section will almost always be available.unix-fu. 1. we will add specific options for those here.txt script structure All scripts written for this tutorial has been written after a specific structure. and why I have chosen to maintain this structure. LAN . Internet . Most scripts lacks this section. Localhost .firewall. there should be no reason to change these variables.If there are possibly any special DHCP requirements with this specific script.If there are a possibility that the user that wants to use this specific script. Hopefully.This is the configuration section which pertains to the Internet connection. This is most likely. 1. http://people.

5. and possibly special modules that adds to the security or adds special services to the administrator or clients. or add certain services or possibilities. Note that some modules that may raise security. they should first of all be fitted into the correct subsection (If it pertains to the Internet connection.If there are any other specific options and variables. they will be listed as such.This section should take care of any special configuration needed in the proc filesystem. If some of these options are required. iptables .By now the scripts should most probably be ready to insert the ruleset. 3.This section should contain the required modules. Required proc configuration .This section of the scripts should maintain a list of modules. 4.Iptables Tutorial 1. 2. It could possibly also contain configurations that raises security. it is up to you. while the second part should contain the non-required modules. it should be subsectioned directly to the configuration options somewhere. Most of the useful proc configurations will be listed here. All of them should be commented out. Other . I have also chosen to set the chains and their rulespecifications in the same order as they are output by the iptables -L command. Module loading .This section should contain non-required proc configurations that may prove useful. Required modules . Non-required modules . All of these modules should be commented out per default.9 Página 61 5. In most scripts and situations this should only require one variable which tells us where the iptables binary is located. http://people.This section contains iptables specific configuration. since they are not actually necessary to get the script to work.This section should contain all of the required proc configurations for the script in question to work. 1. Non-required proc configuration . 6. may have been added even though they are not required. 1. and if you want to add the service it provides. All user specified chains are created before we do anything to the system builtin chains. rules set up .unix-fu. 2.html 21:25:51 10/06/2002 . I have chosen to split all the rules down after table and then chain names. they should be commented out per default.org/andreasson/iptables-tutorial/iptables-tutorial. This should normally be noted in such cases within the example scripts. If it does not fit in anywhere. it should be subsectioned there. and listed under the non-required proc configurations.1.This section contains modules that are not required for normal operations. proc configuration . The first part should contain the required modules. but far from all of them. if not. This list will contain far from all of the proc configurations or nodes. etcetera). and possibly which adds special services or possibilities for the administrator or clients.

Create content in user specified chains . we do not have a lot of things left to do within the filter table so we get onto the INPUT chain.First of all we set up all the default policies within the nat table. FORWARD chain . we add the rules dealing with the OUTPUT chain.First of all we go through the filter table and its content.9 Página 62 1.Set up all the default policies for the systemchains. 6. and specifically ACCEPT services and streams that I want to allow inside. 1. but none of the filter rules has been run).After the filter table we take care of the nat table. Normally. This may be wrong in some perspectives. 5. while the nat table acts as a layer lying around the filter table. INPUT chain . I will be satisfied with the default policy set from the beginning. This way we will get rid of all ports that we do not want to let people use.After creating the user specified chains we may as well enter all the rules within these chains. and we http://people.At this point we create all the user specified chains that we want to use later on within this table. 3. 2. At this point we should add all rules within the INPUT chain. it is totally up to you. OUTPUT chain . 1. We will not be able to use these chains in the systemchains anyways if they are not already created so we could as well get to it as soon as possible. This table should not be used for filtering anyways. which could possibly lead to packets getting through the firewall at just the wrong timepoint (ie. however. Create user specified chains .At this point we go on to add the rules within the FORWARD chain. do try to avoid mixing up data from different tables and chains since it will become much harder to read such rulesets and to fix possible problems. 4. I look upon the nat table as a sort of layer that lies just outside the filter table and kind of surrounds it.org/andreasson/iptables-tutorial/iptables-tutorial. Set policies . Nothing special about this decision. There should hopefully not be too much to do at this point.When we have come this far.html 21:25:51 10/06/2002 . Filter table . 2. Set policies . and finally the mangle table lies around the nat table as a second layer.1. Normally I will set DROP policies on the chains in the filter table. First of all we do not want to turn the whole forwarding mechanism and NAT function on at a too early stage. You may as well put this later on in your script. There is no reason for you to stay with this structure. This is done after the filter table because of a number of reasons within these scripts. The filter table would hence be the core. when the NAT has been turned on.unix-fu.Iptables Tutorial 1. nat table . namely the ACCEPT policy. At this point we start following the output from the iptables -L command as you may see.Last of all in the filter table. but not too far from reality. The only reason I have to enter this data at this point already is that may as well put it close to the creation of the user specified chains. First of all we should set up all the policies in the table. Also.

unless they have specific needs. I have in other words chosen to leave these parts of the scripts more or less blank. PREROUTING chain . and hence you should avoid it all together. 7.The OUTPUT chain is barely used at all in any of the scripts.unix-fu. If anyone has a reason to use this chain. or at the very least commented out. since it should normally not be used for anyone.Iptables Tutorial 1.1. Normally I do not have any of these.Set the default policies within the chain. 4. but I have been unable to find any good reasons to use this chain so far. Normally I will not use this table at all. We add this material here since I do not see any reason not to. I have neither created any chains here since it is fairly unusable without any data to use within it.Create all the user specified chains. 5. In most scripts this feature is not used. 6. Since I have barely used the mangle table at all in the scripts. I let these chains be set to ACCEPT since there is no reason not to do so. Create user specified chains . As it looks now. The same thing goes here as for the user specified chains in the filter table. Within some scripts we have this turned on by default since the sole purpose of those scripts are to provide such services. but I have added this section anyways. I have not set any policies in any of the scripts in the mangle table one way or the other.By now it should be time to add all the rules to the user specified chains in the nat table. Note that the user specified chains must be created before they can actually be used within the systemchains. or I.The last table to do anything about is the mangle table. Create content in user specified chains . and you are encouraged not to do so either. 4. send me a line and I will add it to the tutorial. http://people.9 Página 63 should not let packets be dropped here since there are some really nasty things that may happen in such cases due to our own presumptions. would have the need for it in the future. Mainly we will try to use the SNAT target. 3. 2.The POSTROUTING chain should be fairly well used by the scripts I have written since most of them depend upon the fact that you have one or more local networks that we want to firewall against the Internet. However. Set policies . it is not broken. OUTPUT chain . this section was added just in case someone. 1.The PREROUTING chain is used to do DNAT on packets in case we have any need for it.org/andreasson/iptables-tutorial/iptables-tutorial. POSTROUTING chain . The same thing goes here as for the nat table pretty much. The table was not made for filtering.html 21:25:51 10/06/2002 . reason being that we do not want to open up big holes to our local network without knowing about it. mangle table . Create user specified chains .At this point we create any user specified chains that we want within the nat table. just in case. such as masking all boxes to use the exact same TTL or to change TOS fields etcetera. with a few exceptions where I have added a few examples of what it may be used for. but in certain cases we are forced to use the MASQUERADE target instead.

and should mainly just be seen as a brief explanation to what and why the scripts has been split down as they have.9 Página 64 3.html 21:25:51 10/06/2002 . you may att this point add the rules that you want within them here.firewall. 5.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. Hopefully this should explain more in detail how each script is structured and why they are structured in such a way.org/andreasson/iptables-tutorial/iptables-tutorial.1. 4. PREROUTING . Create content in userspecified chains .txt http://people.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. rc.Iptables Tutorial 1.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. There is nothing that says that this is the only and best way to go. POSTROUTING chain . 6. Do note that these descriptions are extremely brief. FORWARD chain .If you have any user specified chains within this table. INPUT chain . OUTPUT chain .unix-fu. 8. 7.

Iptables Tutorial 1. please take a closer look at the rc. If you are looking for a script that will work with those setups.9 Página 65 The rc.firewall file chapter should explain every detail in the script most thoroughly.DMZ. Mainly it was written for a dual homed network. The rc.unix-fu.html 21:25:51 10/06/2002 . rc. For example.firewall.txt script. where you have one LAN and one Internet Connection. and hence don't use DHCP.org/andreasson/iptables-tutorial/iptables-tutorial.txt script is the main core on which the rest of the scripts are based upon.txt http://people. SLIPor some other protocol that assigns you an IP automatically.DHCP. This script also makes the assumption that you have a static IP to the Internet.1. PPP.firewall.firewall.

txt script was written for those people out there that has one Trusted Internal Network. Do note that this will "steal" two IP's for you.DMZ.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial. If the packet would not have been translated. There are several ways to get this to work. to send the packet on to our DNS on the DMZ network. the packet will be destined for the actual DNS internal network IP. You could then set the IP's to the DMZ'ed boxes as you wish.1.168.0/24 and consists of a Trusted Internal Network. For example. one De-Militarized Zone and one Internet Connection. ie. one is to set 1-to-1 NAT. one for the broadcast address and one for the network address.0/24 and consists of the De-Militarized Zone which we will do 1-to-1 NAT to. but it will not tell you exactly what you need to do since it is out of the scope of the tutorial. We will show a short example of how the DNAT code looks: $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP http://people. which stands for Destination Network Adress Translation.168. then we use DNAT.9 Página 66 The rc.html 21:25:51 10/06/2002 . this tutorial will give you the tools to actually accomplish the firewalling and NAT'ing part. the DNS wouldn't have answered the packet. When the DNS sees our packet. The other one uses IP range 192. One uses IP range 192. you must make the box recognise packets for more than one IP. The De-Militarized Zone is in this case 1-to-1 NAT'ed and requires you to do some IP aliasing on your firewall.unix-fu. You need to have two internal networks with this script as you can see from the picture. This is pretty much up to you to decide and to implement.0. giving the firewall one IP both internally and externally.firewall.1. and not to our external DNS IP. another one if you have a whole subnet is to create a subnetwork. if someone from the internet sends a packet to our DNS_IP.

html 21:25:51 10/06/2002 .Iptables Tutorial 1. in other words Destination NAT. This script will allow people who uses DHCP. it automatically gets un-DNAT'ed.firewall. If we actually get such a packet we give a target of DNAT.1. DNAT can only be performed in the PREROUTING chain of the nat table.firewall. The actual changes needed to be done to the original script is minimal.org/andreasson/iptables-tutorial/iptables-tutorial. The main changes done to the script consists of erasing the STATIC_IP variable as I already said and deleting all referenses to this variable. Then we look for TCP protocol on our $INET_IFACE with destination IP that matches our $DNS_IP. mail me since it is probably a fault on my side. this script no longer uses the STATIC_IP variable. If there is something you don't understand.DHCP.txt. which is the main change to the original rc. When the reply to the DNAT'ed packet is sent through the firewall. This is how basic DNAT works.DHCP. By now you should have enough understanding of how everything works to be able to understand this script pretty well without any huge complications.firewall. I've had some people mail me and ask about the problem so this script will be a good solution for you. However. After that we specify where we want the packet to go with the --to-destination option and give it the value of $DMZ_DNS_IP. rc.unix-fu. that hasn't been gone through in the rest of the tutorial. which is the TCP port for zone transfers between DNS's.txt The rc.txt script is pretty much identical to the original rc.txt script. however.firewall. Instead of using this variable the script now does it's main http://people.9 Página 67 First of all. and is directed to port 53. in other words the IP of the DNS on our DMZ network. The reason is that this won't work together with a dynamic IP connection. PPP and SLIP connections to connect to the internet.

it is easier to spot problems. it is rather harsh to add and erase rules all the time. We could for example make a script that grabs the IP from ifconfig and adds it to a variable. If we go to the main page. In other words -d $STATIC_IP has been changed to -i $INET_IFACE. if you get rid of the NEW not SYN rules for example.org site from the Other resources and links appendix. If you got rules that are static and always want to be around. This also applies in a sense to the case where we got a static IP. and to keep order in it. we would get a real hard trouble. However. It is possible to get by. 2. and if so ACCEPT them. as described in the following list. but in such cases it could be gotten around by adding rules which checks the LAN interface packets for our INET_IP. there is the possibility to add something like this to your scripts: INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1` The above would automatically grab the IP address of the $INET_IFACE variable. would e to use for example the ip-up scripts provided with pppd and some other programs. --in-interface $LAN_IFACE --dst $INET_IP. Also.1. upon bootup of the internet connection. http://people. For a good site.org/andreasson/iptables-tutorial/iptables-tutorial. without hurting the already existing ones. but at the same time operate a script from the PPP daemon. which could be some dyndns solution. One great example is if we are running an HTTP on our firewall. You will find a link to the linuxguruz. but it is questionable. There is some more things to think about though. which contains static links back to the same host.org iptables site which has a huge collection of scripts available to download. then try to access that IP. It may get unnecessarily complicated.firewall.unix-fu. This in turn forces us to filter only based on interfaces in such cases where the internal machines must access the internet adressable IP. or write one. In case we filter based on interface and IP.txt script. For example. check out the linuxguruz. We can no longer filter in the INPUT chain depending on. how would you do it without erasing your already active rules blocking the LAN? 3. it will hang all currently active connections due to the NEW not SYN rules (see the State NEW packets but no SYN bit set section). This is pretty much the only changes made and that's all that's needed really. for example. I would definitely advise you to use that script if at all possible since this script is more open to attacks from the outside. there are serious drawbacks with this approach.html 21:25:51 10/06/2002 .Iptables Tutorial 1. for example. it may be a good idea to grab a script.9 Página 68 filtering on the variable INET_IFACE. This script might be a bit less secure than the rc. A good way to do this. If the script is run from within a script which in turn is executed by. The NAT'ed box would ask the DNS for the IP of the HTTP server. As you may read from above. the NAT'ed box would be unable to get to the HTTP because the INPUT chain would DROP the packets flat to the ground. if you want to block hosts on your LAN to connect to the firewall. that handles dynamic IP in a better sense. the PPP daemon. grep the correct line which contains the IP address and then cuts it down to a manageable IP address. as seen above which in turn could lead to security compromises. 1. If the script is kept simple.

We also don't trust the internal users to access the firewall more than we trust users on the Internet. but it might need some tweaking depending on your configuration. This script follows the golden rule to not trust anyone.1.org/andreasson/iptables-tutorial/iptables-tutorial. The only things we actually allow is POP3.txt script.test-iptables.txt The rc. It will work for mostly everyone though who has all the basic set up and all the basic tables loaded into kernel. we don't trust anyone on any networks we are connected to.firewall. It's not very different from the original rc.test-iptables.UTIN.9 Página 69 rc. All it really does is set some LOG targets which will log ping reply's http://people. In other words.UTIN. rc. but a large part of the hacks and cracks that a company gets hit by is a matter of people from their own staff perpetrating the hit.firewall.unix-fu. HTTP and FTP access to the internet. and setting up masquerading etcetera.txt The rc.txt script can be used to test all the different chains. not even our own employees. We also disallow people on our LAN to do anything but specific tasks on the Internet.firewall. such as turning on ip_forwarding.Iptables Tutorial 1.txt script will in contrast to the other scripts block the LAN that is sitting behind us. This is a sad fact. but it does give a few hints at what we would normally let through etc. This script will hopefully give you some clues as to what you can do with your firewall to strengthen it up.html 21:25:51 10/06/2002 .

Detailed explanations of special commands Listing your active ruleset To list your currently active ruleset you run a special option to the iptables command. This script is intended for actually setting up and troubleshooting your firewall. and hence we only care about opening the whole thing up and reset it to default values.firewall start and the script starts. This way. For example.1. rc. In other words.flush-iptables.txt The rc. This way we know there is no redundant rules lying around anywhere. The script starts by setting the default policies to ACCEPT on the INPUT.internet And tail -n 0 -f /var/log/messages while doing the first command. Adding shell script syntax and other things makes the script harder to read as far as I am concerned and the tutorial was written with readability in mind and will continue being so. which we have discussed briefly previously in the How a rule is built chapter. You may consider adding rules to flush your MANGLE table if you use it. When this step is done. After this we reset the default policies of the PREROUTING. The rc.org/andreasson/iptables-tutorial/iptables-tutorial. Certain people has mailed me asking from me to put this script into the original rc. This would look like the following: http://people. it's not a good idea to have rules like this that logs everything of one sort since your log partitions might get filled up quickly and it would be an effective Denial of Service attack against you and might lead to real attacks on you that would be unlogged after the initial Denial of Service attack.txt script will reset and flush all your tables and chains.firewall script using redhat Linux syntax where you type something like rc.on. run this script and then do: ping -c 1 host.unix-fu. unless the log entries are swapped around for some reason. This script was written for testing purposes only. you will get information on which chain was traversed and in which order. POSTROUTING and OUTPUT chains of the nat table. After this we flush all chains first in the filter table and then in the NAT table. we consider the script done. I will not do that since this is a tutorial and should be used as a place to fetch ideas mainly and it shouldn't be filled up with shell scripts and strange syntax. However. This should show you all the different chains used and in which order.flush-iptables.Iptables Tutorial 1.9 Página 70 and ping requests.html 21:25:51 10/06/2002 .the.flush-iptables. We do this first so we won't have to bother about closed connections and packets not getting through.txt script should not really be called a script in itself. we jump down to the next section where we erase all the user specified chains in the NAT and filter tables. OUTPUT and FORWARD chains of the filter table. One final word on this issue. When all of this is done.

0.Iptables Tutorial 1. it is rather simple to add http://people. though. in case you've got multiple lines looking exactly the same in the chain. this script will not erase those. to something useful.0/16 is a private range though and should not resolve to anything and the command will seem to hang while resolving the IP.html 21:25:51 10/06/2002 .txt file properly. There is also instances where you want to flush a whole chain. For example.1. for example iptables -P INPUT ACCEPT. This table can not be edited and even if it was possible. so if this is set to DROP you'll block the whole INPUT chain if used as above. there are actually commands to flush them. To reset the chain policy.unix-fu. 192. The later can be a bit of a problem though. Updating and flushing your tables If at some point you screw up your iptables. it would be a bad idea.firewall. you might just change the -A parameter to -D in the line you added in error. We could get this by adding the verbose flag. it might be interesting to know what connections are currently in the conntrack table. it erases the first instance it finds matching your rule.168.1.org/andreasson/iptables-tutorial/iptables-tutorial. To get around this problem we would do something like the following: iptables -L -n Another thing that might be interesting is to see a few statistics about each policy. For example.168. iptables -F INPUT will erase the whole INPUT chain. One thing though. this will not change the default policy. rule and chain. To see the table you can run the following command: cat /proc/net/conntrack | less The above command will show all currently tracked connections even though it might be a bit hard to understand everything. it will translate all the different ports according to the /etc/ services file as well as DNS all the IP addresses to get DNS records instead. If you added a rule in error. iptables will find the erroneous line and erase it for you. if you start mucking around in the mangle table. For example. and translate everything possible to a more readable form.1. in this case you might want to run the -F option. This table contains all the different connections currently tracked and serves as a basic table so we always know what state a connection currently is in. it will try to resolve LAN IP addresses. It would then look something like this: iptables -L -n -v There is also a few files that might be interesting to look at in the /proc filesystem. I have made a small script (available as an appendix as well) that will flush and reset your iptables that you might consider using while setting up your rc.9 Página 71 iptables -L This command should list your currently active ruleset. If this is not the wanted behaviour you might try to use the -D option as iptables -D INPUT 10 which will erase the 10th rule in the INPUT chain. For example. ie 192. I've actually gotten this question a couple times by now so I thought I'd answer it right here. so you don't have to reboot. do as how you set it to DROP.

Common problems and questionmarks Passive FTP but no DCC This is one of the really nice parts about the new iptables support in the 2. If you for example want to allow Passive FTP.unix-fu. that is what the ip_nat_ftp module does. You may ask yourself how. but not DCC send.1. Do note that the ip_nat_* modules are only needed in case you need and want to do Network Adress Translation on the connections. you would load the ip_conntrack_ftp and ip_nat_ftp modules. during Active FTP the client sends the server an IP address and random port to use and then the server connects to this port on the client. ip_conntrack_ftp and ip_nat_ftp code as modules and not statically into the kernel. ie. you'd just load the ip_conntrack_irc and ip_nat_irc modules. telling the client what address to connect to and what port to use.org/andreasson/iptables-tutorial/iptables-tutorial. The client tells the server that it wants to send or receive data and the server replies.firewall. What these modules do is that they add support to the connection tracking machine and the NAT machine so they can distinguish and modify a Passive FTP connection or a DCC send connection. Postel and J.4. For more information about Active and Passive FTP. If you use state NEW.txt script so far. Reynolds. This feature makes it possible to have two or more firewalls. ip_nat_irc.Iptables Tutorial 1. In Passive FTP. you can for example allow Passive FTP connections.html 21:25:51 10/06/2002 . but not the ip_conntrack_irc and ip_nat_irc modules and then do: /usr/local/sbin/iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT To allow Passive FTP but not DCC. its quite simple once you get to think of it. including me). Without these modules they can't recognize these kinds of connections. In case your client sits behind a Network Address Translationing system (iptables). but not allow DCC send functions with the new state matching code. This feature is there because in certain cases we want to consider that a packet may be part of an already ESTABLISHED connection on. then the packets data section needs to be NAT'ed too. the proceeding is reversed. and for one of the firewalls to go down without any http://people. packets with the SYN bit unset will get through your firewall. if you want to let people run IRC from your local network which is using a NAT'ed or masqueraded connection to the internet. This RFC contains information regarding the FTP protocol and Active and Passive FTP and how they work. If you would want to do the reverse. Just compile the ip_conntrack_irc.File Transfer Protocol by J. another firewall. State NEW packets but no SYN bit set There is a certain feature in iptables that is not so well documented and may therefore be overlooked by a lot of people(yes. read RFC 959 . As you can understand from this document. for instance.9 Página 72 the few lines needed to erase those but I have not added those here since the mangle table is not used in my rc. but not the ip_conntrack_ftp and ip_nat_ftp modules. well.x kernels.

which uses the 10. the swedish Internet Service Provider and phone monopoly Telia uses this approach for example on their DNS servers. Internet Service Providers who use assigned IP addresses I have added this since a friend of mine told me something I have totally forgotten. and the modules are loaded and unloaded each time you run the script. or if you are worried anyways. Certain stupid Internet Service Providers use IP addresses assigned by IANA for their local networks on which you connect to. a huge warning is in it's place for this kind of behaviour on your firewall.firewall. regardless if this is the initial 3-way handshake or not.org/andreasson/iptables-tutorial/iptables-tutorial. This only applies when you are running with the conntrack and nat codebases as modules.Iptables Tutorial 1. set the --log-headers option to the rule and log the headers too and you'll get a better look at what the packet looks like.x IP address range.x. Start the connection tracking modules. Note that there is some troubles with the above rules and bad Microsoft TCP/IP implementations. If someone is currently connected to the firewall. The above rules will lead to certain conditions where packets generated by microsoft products gets labeled as a state NEW and hence get logged and dropped. the person previously connected through the LAN will be more or less killed. Finally.1. To take care of this problem we add the following rules to our firewalls INPUT. the telnet client or daemon tries to send something.txt script from a telnet connection from a host not on the actual firewall. then load the NEW not SYN packet rules. lets say from the LAN. The problem http://people. This is a badly documented behaviour of the netfilter/iptables project and should definitely be more highlighted.unix-fu. and you have the script set to be activated when running a PPP connection. In other words. The matter is that when a connection gets closed and the final FIN/ACK has been sent and the state machine of netfilter has closed this connection and it is no longer in the conntrack table.This does however lead to the fact that state NEW will allow pretty much any kind of TCP connection. To put it simple.x. OUTPUT and FORWARD chain: $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP The above rules will take care of this problem. There is one more known problem with these rules. Hence. The firewalling of the subnet could then be taken over by our secondary firewall. In other words. In this case. At this point the faulty Microsoft implementation sends another packet which is considered as state NEW but lacks the SYN bit and hence gets matched by the above rules. you connect with telnet or some other stream connection.9 Página 73 loss of data. the packet will match to the rules and be logged and afterwards dropped to the ground. Another way to get this problem is to run the rc. also there will be no SYN bits set since it is not actually the first packet in the connection. don't worry to much about this rule. It will however not lead to broken connections to my knowledge. when you start the PPP connection. the connection tracking code will not recognise this connection as a legal connection since it has not seen packets in any direction on this connection before. For example.html 21:25:51 10/06/2002 .

do not allow connections from any IP addresses in the 10.0. or you could just comment out that part of the script. Well. bit set Source routing failed Destination network unknown Destination host unknown Source host isolated (obsolete) Destination network administratively prohibited Destination host administratively prohibited Network unreachable for TOS Host unreachable for TOS Communication administratively prohibited by filtering Host precedence violation Query x x x x x x x x x x x x x x x x Error http://people.html 21:25:51 10/06/2002 .x range to us. These IP address ranges are not assigned for you to use for dumb stuff like this. ICMP types TYPE CODE Description 0 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Echo Reply Network Unreachable Host Unreachable Protocol Unreachable Port Unreachable Fragmentation needed but no frag. here is unfortunately an example where you actually might have to lift a bit on those rules. For large corporate sites it is more than ok.0.1. at least not to my knowledge. You might just insert an ACCEPT rule above the spoof section to allow traffic from those DNS servers. but you are not supposed to force us to open up ourself just because of some whince of yours. This is how it might look: /usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10. ICMP types This is a complete listing of all ICMP types: Table 1.org/andreasson/iptables-tutorial/iptables-tutorial. or your own home network.Iptables Tutorial 1.9 Página 74 you will most probably run into is that we.x.x.unix-fu. in this script. because of spoofing possibilities.1/32 -j ACCEPT I would like to take my moment to bitch at these Internet Service Providers.

txt .8 .The official netfilter and iptables site. A really short reference to the ip_dynaddr settings available via sysctl and the proc filesystem.4.org/andreasson/iptables-tutorial/iptables-tutorial.org/ .4 man page. http://netfilter. It is a must for everyone wanting to set up iptables and netfilter in linux.14 kernel.html 21:25:51 10/06/2002 . ip_dynaddr.9 Página 75 3 4 5 5 5 5 8 9 10 11 11 12 12 13 14 15 16 17 18 15 0 0 1 2 3 0 0 0 0 1 0 1 0 Precedence cutoff in effect Source quench Redirect for network Redirect for host Redirect for TOS and network Redirect for TOS and host Echo request Router advertisement Route sollicitation TTL equals 0 during transit TTL equals 0 during reassembly IP header bad (catchall error) Required options missing Timestamp request (obsolete) Timestamp reply (obsolete) x x x x x x x x x x x x 0 0 0 0 Information request (obsolete) Information reply (obsolete) Address mask request Address mask reply Other resources and links Here is a list of links to resources and where I have gotten information from. http://people. iptables.filewatcher. etc : ip-sysctl.from the 2.4.1. This is an HTML'ized version of the man page which is an excellent reference when reading/writing iptables rulesets. Always have it at hand.from the 2.The iptables 1.14 kernel.unix-fu.2. A little bit short but a good reference for the IP networking controls and what they do to the kernel.txt .Iptables Tutorial 1.

http://lists.unix-fu.html .org/unreliable-guides/NAT-HOWTO/index.linuxguruz. For major updates to my horrible grammar and spelling. Rusty Russell. http://netfilter. tc and the ip commands in Linux. Extremely useful in case you have questions about something not covered in this document or any of the other links here.samba. Also a huge thanks for updating the tutorial to DocBook format with make files etc. Also maintains a list of different iptables scripts for different purposes.org/netfilter-faq.html .filewatcher.html . This was also written by Rusty Russell.filewatcher. Acknowledgements I would like to thank the following people for their help on this document: Fabrice Marie.net/veerapen.Iptables Tutorial 1.org/unreliable-guides/packet-filtering-HOWTO/index.The official netfilter mailing-list. http://netfilter. http://people. http://www. And of course the iptables source.1.org/mailman/listinfo/netfilter .filewatcher. http://www.org .Excellent linkpage with links to most of the pages on the internet about iptables and netfilter. documentation and individuals who helped me.islandsoft. Marc Boucher.Rusty Russells Unreliable Netfilter Hacking HOWTO.9 Página 76 http://netfilter.html .org/iptables/ .Excellent discussion on automatic hardening of iptables and how to make small changes that will make your computer automatically add hostile sites to a special banlist in iptables.org/andreasson/iptables-tutorial/iptables-tutorial. For helping me out on some aspects on using the state matching code. http://www. Maintained by Stef Coene.docum. http://netfilter.filewatcher.Rusty Russells Unreliable Guide to Network Address Translation. One of the few documentations on how to write code in the netfilter and iptables userspace and kernel space codebase.html .Excellent information about the CBQ. One of the few sites that has any information at all about these programs. Also a good place to stat at when wondering what iptables and netfilter is about. Excellent documentation about Network Address Translation in iptables and netfilter written by one of the core developers.html 21:25:51 10/06/2002 .org/unreliable-guides/netfilter-hacking-HOWTO/index.Rusty Russells Unreliable Guide to packet filtering.The official netfilter Frequently Asked Questions. Excellent documentation about basic packet filtering with iptables written by one of the core developers of iptables and netfilter.

html 21:25:51 10/06/2002 . Kent `Artech' Stahre. Adam Mansbridge. Alexander W. And of course everyone else I talked to and asked for comments on this file.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Parimi Ravi. Steven McClintoc.8 (5 March 2002) http://www.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Vince Herried.6 (7 December 2001) http://people.1. Jelle Kalf. For giving me hints at stuff that might screw up for people and for trying it out and checking for errors in what I've written. Dave Wreski. Janne Johansson.1.9 (21 March 2002) http://www.1. History Version 1. I know I suck at graphics. Neil Jolly.unix-fu.firewall rules and giving great inspiration while i was to rewrite the ruleset and being the one who introduced the multiple table traversing into the same file. For greatly improving the rc. Erik Sjölund. Doug Monroe.unix-fu. Jeremy `Spliffy' Smith.boingworld. Also thanks for checking the tutorial for errors etc. Kelly Ashe. Togan Muftuoglu. Anders 'DeZENT' Johansson. Göran Båge.1. Mitch Landers.org/andreasson/ By: Oskar Andreasson Contributors: Jim Ramsey. and you're better than most I know who do graphics. Both for making me realize I was thinking wrong about how packets traverse the basic NAT and filters tables and in which order they show up. Bill Dossett.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Version 1. Jason Lam and Evan Nemerson Version 1. Phil Schultz.7 (4 February 2002) http://www.1. Michiel Brandenburg. Vasoo Veerapen.Iptables Tutorial 1. Jasper http://people.).9 Página 77 Frode E. Janssen. Thomas Smets. sorry for not mentioning everyone. Peter Horst. For hinting me about strange ISP's and so on that uses reserved networks on the Internet. For helping me out with the graphics.boingworld. Phil Schultz. Aladdin and Rusty Russell.org/andreasson/iptables-tutorial/iptables-tutorial. or at least on the internet for you. Nyboe. Chapman Brad. Galen Johnson. Version 1. Myles Uyema.boingworld. For helping me out with some of the state matching code and getting it to work.

0.9 Página 78 Aikema.1. Jacco van Koll and Dave Wreski Version 1.1. Chris Pluta and Kurt Lieber Version 1. N.unix-fu.0.org/andreasson By: Oskar Andreasson Version 1.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. Chris Martin.org/andreasson By: Oskar Andreasson Contributors: Stig W. Branco.8 (7 September 2001) http://people.org/andreasson/ By: Oskar Andreasson Contributors: Fabrice Marie.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie Version 1.3 (9 October 2001) http://people. Jan Labanowski.0.org/andreasson By: Oskar Andreasson Version 1. Jonas Pasche.unix-fu. Kurt Lieber.1.unix-fu.9 (9 September 2001) http://people.5 http://people.Iptables Tutorial 1.org/andreasson By: Oskar Andreasson Contributors: Dave Richardson Version 1.unix-fu.org/andreasson By: Oskar Andreasson Version 1.1.html 21:25:51 10/06/2002 .4 (6 November 2001) http://people.unix-fu.0.1.1.org/andreasson By: Oskar Andreasson Contributors: Joni Chu.unix-fu.0 (15 September 2001) http://people.unix-fu. Steve Hnizdur.org/andreasson By: Oskar Andreasson Version 1.0.1 (26 September 2001) http://people.unix-fu.org/andreasson By: Oskar Andreasson Version 1.1. Merijn Schering and Kurt Lieber Version 1. Rodrigo R.5 (14 November 2001) http://people.7 (23 August 2001) http://people.2 (29 September 2001) http://people.6 http://people.Emile Akabi-Davis and Jelle Kalf Version 1. Jensen.unix-fu. Chris Tallon.unix-fu.

because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. below. which is a copyleft license designed for free software.html 21:25:51 10/06/2002 . Any member of the public is a licensee.unix-fu. while not being considered responsible for modifications made by others. either copied verbatim. 59 Temple Place. But this License is not limited to software manuals. or with modifications and/or translated into another language. The "Document".org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie GNU Free Documentation License Version 1. either commercially or noncommercially. We recommend this License principally for works whose purpose is instruction or reference. APPLICABILITY AND DEFINITIONS This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. this License preserves for the author and publisher a way to get credit for their work. A "Modified Version" of the Document means any work containing the Document or a portion of it. or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it. and is addressed as "you". 1. http://people.Iptables Tutorial 1. textbook. Suite 330. This License is a kind of "copyleft". 0. it can be used for any textual work. Secondarily. refers to any such manual or work. but changing it is not allowed. PREAMBLE The purpose of this License is to make a manual. Inc. We have designed this License in order to use it for manuals for free software.org/andreasson/iptables-tutorial/iptables-tutorial. It complements the GNU General Public License. Boston.9 Página 79 http://people. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. which means that derivative works of the document must themselves be free in the same sense.1. March 2000 Copyright (C) 2000 Free Software Foundation.unix-fu. regardless of subject matter or whether it is published as a printed book. with or without modifying it. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject.1.

Opaque formats include PostScript. http://people. PDF. and that you add no other conditions whatsoever to those of this License.) The relationship could be a matter of historical connection with the subject or with related matters. and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters.Iptables Tutorial 1. "Title Page" means the text near the most prominent appearance of the work's title. legibly. the material this License requires to appear in the title page. or of legal. LaTeX input format. preceding the beginning of the body of the text. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. as being those of Invariant Sections.html 21:25:51 10/06/2002 . commercial. either commercially or noncommercially.org/andreasson/iptables-tutorial/iptables-tutorial. whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor. in the notice that says that the Document is released under this License. represented in a format whose specification is available to the general public. You may also lend copies. A "Transparent" copy of the Document means a machine-readable copy. you may accept compensation in exchange for copies. and standardconforming simple HTML designed for human modification. in the notice that says that the Document is released under this License. proprietary formats that can be read and edited only by proprietary word processors. Texinfo input format. under the same conditions stated above. for a printed book. if the Document is in part a textbook of mathematics. SGML or XML using a publicly available DTD. and the machine-generated HTML produced by some word processors for output purposes only.1. For works in formats which do not have any title page as such. 2. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. The "Invariant Sections" are certain Secondary Sections whose titles are designated. However. Examples of suitable formats for Transparent copies include plain ASCII without markup. VERBATIM COPYING You may copy and distribute the Document in any medium. plus such following pages as are needed to hold. the title page itself. a Secondary Section may not explain any mathematics. The "Title Page" means. as Front-Cover Texts or BackCover Texts. philosophical. ethical or political position regarding them. SGML or XML for which the DTD and/or processing tools are not generally available. and you may publicly display copies. A copy that is not "Transparent" is called "Opaque".unix-fu.9 Página 80 (For example. The "Cover Texts" are certain short passages of text that are listed. provided that this License. the copyright notices. and the license notice saying this License applies to the Document are reproduced in all copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

but not required. If you publish or distribute Opaque copies of the Document numbering more than 100.1. that you contact the authors of the Document well before redistributing any large number of copies. you must take reasonably prudent steps. which the general network-using public has access to download anonymously at no charge using public-standard network protocols.Iptables Tutorial 1. with the Modified Version filling the role of the Document.html 21:25:51 10/06/2002 . free of added material.unix-fu. If you use the latter option. You may add other material on the covers in addition. as long as they preserve the title of the Document and satisfy these conditions. or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document. clearly and legibly. and continue the rest onto adjacent pages. http://people. as authors. provided that you release the Modified Version under precisely this License. you must do these things in the Modified Version: A. when you begin distribution of Opaque copies in quantity. and from those of previous versions (which should. one or more persons or entities responsible for authorship of the modifications in the Modified Version. Copying with changes limited to the covers. and Back-Cover Texts on the back cover.org/andreasson/iptables-tutorial/iptables-tutorial. be listed in the History section of the Document). you should put the first ones listed (as many as fit reasonably) on the actual cover. thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. if any) a title distinct from that of the Document. The front cover must present the full title with all words of the title equally prominent and visible. if there were any. and the Document's license notice requires Cover Texts. you must enclose the copies in covers that carry. can be treated as verbatim copying in other respects. If the required texts for either cover are too voluminous to fit legibly. you must either include a machine-readable Transparent copy along with each Opaque copy. Use in the Title Page (and on the covers. B. In addition. Both covers must also clearly and legibly identify you as the publisher of these copies. all these Cover Texts: Front-Cover Texts on the front cover. List on the Title Page. 4. It is requested. if it has less than five). MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above. together with at least five of the principal authors of the Document (all of its principal authors. You may use the same title as a previous version if the original publisher of that version gives permission.9 Página 81 3. COPYING IN QUANTITY If you publish printed copies of the Document numbering more than 100. to give them a chance to provide you with an updated version of the Document. to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

http://people. provided it contains nothing but endorsements of your Modified Version by various parties--for example.unix-fu. You may omit a network location for a work that was published at least four years before the Document itself. Delete any section entitled "Endorsements".org/andreasson/iptables-tutorial/iptables-tutorial. and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein. To do this.html 21:25:51 10/06/2002 . Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.9 Página 82 C. You may add a section entitled "Endorsements". Add an appropriate copyright notice for your modifications adjacent to the other copyright notices. In any section entitled "Acknowledgements" or "Dedications". Preserve all the Invariant Sections of the Document. These may be placed in the "History" section. Such a section may not be included in the Modified Version. immediately after the copyright notices. unaltered in their text and in their titles. State on the Title page the name of the publisher of the Modified Version. E. If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document. in the form shown in the Addendum below. and its title. These titles must be distinct from any other section titles. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice. create one stating the title. D. K. H. G. add their titles to the list of Invariant Sections in the Modified Version's license notice. authors. or if the original publisher of the version it refers to gives permission. L. and publisher of the Document as given on its Title Page. and add to it an item stating at least the title. and publisher of the Modified Version as given on the Title Page. year. a license notice giving the public permission to use the Modified Version under the terms of this License. Preserve all the copyright notices of the Document. and likewise the network locations given in the Document for previous versions it was based on. you may at your option designate some or all of these sections as invariant. If there is no section entitled "History" in the Document. N. preserve the section's title. M. given in the Document for public access to a Transparent copy of the Document. as the publisher. Preserve the section entitled "History". J.1. Section numbers or the equivalent are not considered part of the section titles. statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. F. Include an unaltered copy of this License. then add an item describing the Modified Version as stated in the previous sentence. Preserve the network location. year. if any. new authors.Iptables Tutorial 1. Include. I.

Iptables Tutorial 1.1.9

Página 83

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice. The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT
http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 84

WORKS
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document. If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.

8. TRANSLATION
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.

9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/. Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 85

following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

How to use this License for your documents
To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page: Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License". If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts. If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

GNU General Public License
Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 86

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.

1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 87

having been made by running the Program). Whether that is true depends on what the Program does. 3. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 4. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: 1. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 2. You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. 3. If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 5. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

distributing or modifying the Program or works based on it. a complete machine-readable copy of the corresponding source code. For an executable work.9 Página 88 one of the following: 6. complete source code means all the source code for all modules it contains. valid for at least three years. sublicense. parties who have received copies. kernel. which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. the recipient automatically receives a license from the original licensor to copy. unless that component itself accompanies the executable. then offering equivalent access to copy the source code from the same place counts as distribution of the source code. you indicate your acceptance of this License to do so. as a special exception. or distribute the Program except as expressly provided under this License. for a charge no more than your cost of physically performing source distribution.org/andreasson/iptables-tutorial/iptables-tutorial. A.) The source code for a work means the preferred form of the work for making modifications to it. Each time you redistribute the Program (or any work based on the Program). distribute or modify the Program subject to these terms and conditions. plus the scripts used to control compilation and installation of the executable. Accompany it with the complete corresponding machine-readable source code.Iptables Tutorial 1. You may not copy. If distribution of executable or object code is made by offering access to copy from a designated place. or rights. the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler. or. 7. http://people. However. These actions are prohibited by law if you do not accept this License. Any attempt otherwise to copy. B. 9. You are not responsible for enforcing compliance by third parties to this License. to give any third party. C. by modifying or distributing the Program (or any work based on the Program). in accord with Subsection b above. You are not required to accept this License. and will automatically terminate your rights under this License. or. However. and so on) of the operating system on which the executable runs. modify. Accompany it with the information you received as to the offer to distribute corresponding source code. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. modify. and all its terms and conditions for copying. even though third parties are not compelled to copy the source along with the object code.unix-fu. sublicense or distribute the Program is void. However. Therefore.1. 8.html 21:25:51 10/06/2002 . (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer. plus any associated interface definition files. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. since you have not signed it. nothing else grants you permission to modify or distribute the Program or its derivative works. Accompany it with a written offer.

Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.org/andreasson/iptables-tutorial/iptables-tutorial. If. If any portion of this section is held invalid or unenforceable under any particular circumstance. we sometimes make exceptions for this. then as a consequence you may not distribute the Program at all. http://people. the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations. if a patent license would not permit royaltyfree redistribution of the Program by all those who receive copies directly or indirectly through you. this License incorporates the limitation as if written in the body of this License. Such new versions will be similar in spirit to the present version. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims. agreement or otherwise) that contradict the conditions of this License. it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. In such case. you may choose any version ever published by the Free Software Foundation. 12. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version". this section has the sole purpose of protecting the integrity of the free software distribution system.9 Página 89 10. so that distribution is permitted only in or among countries not thus excluded. then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. they do not excuse you from the conditions of this License. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces.1. conditions are imposed on you (whether by court order. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different. write to the Free Software Foundation. If the Program does not specify a version number of this License.unix-fu. but may differ in detail to address new problems or concerns. write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. which is implemented by public license practices. you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. 11.Iptables Tutorial 1. For example. as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues).html 21:25:51 10/06/2002 . the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

and you want it to be of the greatest possible use to the public. BUT NOT LIMITED TO.9 Página 90 13.unix-fu. TO THE EXTENT PERMITTED BY APPLICABLE LAW.1. BE LIABLE TO YOU FOR DAMAGES. or (at your option) any later version. attach the following notices to the program. INCLUDING. you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND. SPECIAL. INCLUDING ANY GENERAL. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty. SHOULD THE PROGRAM PROVE DEFECTIVE. To do so. either version 2 of the License.> Copyright (C) <year> <name of author> This program is free software.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE.Iptables Tutorial 1. REPAIR OR CORRECTION. YOU ASSUME THE COST OF ALL NECESSARY SERVICING. 14. <one line to give the program's name and a brief idea of what it does. EITHER EXPRESSED OR IMPLIED. THERE IS NO WARRANTY FOR THE PROGRAM. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER. How to Apply These Terms to Your New Programs If you develop a new program. NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. http://people. the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. END OF TERMS AND CONDITIONS 2. INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS). EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. and each file should have at least the "copyright" line and a pointer to where the full notice is found.

You should have received a copy of the GNU General Public License along with this program.html 21:25:51 10/06/2002 .4. Inc. alter the names: Yoyodyne. You should also get your employer (if you work as a programmer) or your school. 59 Temple Place. Here is a sample. See the GNU General Public License for more details. Inc.firewall .Iptables Tutorial 1. 1 April 1989 Ty Coon. If your program is a subroutine library.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. use the GNU Library General Public License instead of this License.9 Página 91 This program is distributed in the hope that it will be useful. Of course. hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. if any. If the program is interactive. Suite 330. type `show c' for details. Boston.firewall script #!/bin/sh # # rc.1. <signature of Ty Coon>. MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail.Initial SIMPLE IP Firewall script for Linux 2. you may consider it more useful to permit linking proprietary applications with the library.net> # http://people. if necessary. and you are welcome to redistribute it under certain conditions. President of Vice This General Public License does not permit incorporating your program into proprietary programs. write to the Free Software Foundation.. for details type `show w'. they could even be mouse-clicks or menu items--whatever suits your program. the commands you use may be called something other than `show w' and `show c'. make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69. Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY. but WITHOUT ANY WARRANTY. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. If this is what you want to do. Example scripts codebase Example rc. to sign a "copyright disclaimer" for the program. This is free software. if not.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein..

/24 means to only use the first 24 # bits of the 32 bit IP adress.255" LAN_IFACE="eth1" # # 1.9 Página 92 # This program is free software.3 DMZ Configuration. # INET_IP="194. # # your LAN's IP range and localhost IP.1.0 # LAN_IP="192. MA 02111-1307 USA # ########################################################################### # # 1.155" INET_IFACE="eth0" # # 1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # # # 1. Boston. version 2 of the License. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.0. Inc.50. write to the Free Software Foundation.1 Internet Configuration.168.0/16" LAN_BCAST_ADRESS="192.255. See the # GNU General Public License for more details.236.2 PPPoE # # # 1. Suite 330.1..255. http://people. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 59 Temple # Place.0. Configuration options.org/andreasson/iptables-tutorial/iptables-tutorial.168.168.2 Local Area Network configuration.1 DHCP # # # 1. # # This program is distributed in the hope that it will be useful.2" LAN_IP_RANGE="192.1.unix-fu.255.html 21:25:51 10/06/2002 . the same as netmask 255.Iptables Tutorial 1. if not. # but WITHOUT ANY WARRANTY.

# ########################################################################### # # 2. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1" # # 1.9 Página 93 # # # 1.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT http://people.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.4 Localhost Configuration.html 21:25:51 10/06/2002 .Iptables Tutorial 1.unix-fu.0.0.5 IPTables Configuration. # LO_IFACE="lo" LO_IP="127.org/andreasson/iptables-tutorial/iptables-tutorial.6 Other Configuration.1. # IPTABLES="/usr/sbin/iptables" # # 1.

1.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.unix-fu.html 21:25:51 10/06/2002 . /proc set up. # # # 3.org/andreasson/iptables-tutorial/iptables-tutorial. rules set up.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets http://people. # ###### # 4.1.1 Filter table # # # 4.1.Iptables Tutorial 1.9 Página 94 #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.

unix-fu. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 95 # # Create separate chains for ICMP.1.1.html 21:25:51 10/06/2002 .3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports http://people.Iptables Tutorial 1.

# $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.9 Página 96 # # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.unix-fu. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.1.5 FORWARD chain # http://people.Iptables Tutorial 1.4 INPUT chain # # # Bad TCP packets we don't want.html 21:25:51 10/06/2002 .RELATED \ -j ACCEPT # # Log weird packets that don't match the above.1. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.1.org/andreasson/iptables-tutorial/iptables-tutorial.

6 OUTPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.1. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.2 nat table # http://people.1.9 Página 97 # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.html 21:25:51 10/06/2002 .RELATED -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.unix-fu.Iptables Tutorial 1.

4 PREROUTING chain # # # 4.html 21:25:51 10/06/2002 .2.1.9 Página 98 # # 4.3 Create content in user specified chains # # # 4.3.2.3.org/andreasson/iptables-tutorial/iptables-tutorial.3.3.2.2.4 PREROUTING chain # http://people.6 OUTPUT chain # ###### # 4.1 Set policies # # # 4.unix-fu.2.3 mangle table # # # 4.2 Create user specified chains # # # 4.3 Create content in user specified chains # # # 4.1 Set policies # # # 4.2 Create user specified chains # # # 4.Iptables Tutorial 1.2.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.

6 FORWARD chain # # # 4.8 POSTROUTING chain # Example rc.unix-fu.DMZ IP Firewall script for Linux 2.3. if not.4. Inc. See the # GNU General Public License for more details.3.3. 59 Temple # Place.. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. version 2 of the License.org/andreasson/iptables-tutorial/iptables-tutorial.DMZ. MA 02111-1307 USA # ########################################################################### # # 1. Suite 330.7 OUTPUT chain # # # 4. # # This program is distributed in the hope that it will be useful.DMZ.html 21:25:51 10/06/2002 .Iptables Tutorial 1.firewall script #!/bin/sh # # rc. write to the Free Software Foundation. # # http://people. Boston. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.1.firewall .3. # but WITHOUT ANY WARRANTY.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. Configuration options.5 INPUT chain # # # 4.net> # # This program is free software. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.9 Página 99 # # 4.

1.html 21:25:51 10/06/2002 . # DMZ_HTTP_IP="192.1.50.168.1.50.0 # LAN_IP="192.255.255.1.2 PPPoE # # # 1.236.168.9 Página 100 # 1.50.0.236.255" LAN_IFACE="eth1" # # 1.2" LAN_IP_RANGE="192. # IPTABLES="/usr/sbin/iptables" http://people. # INET_IP="194.2" DMZ_DNS_IP="192.1 Internet Configuration. /24 means to only use the first 24 # bits of the 32 bit IP adress.Iptables Tutorial 1.0.unix-fu.168.4 Localhost Configuration.1" # # 1.255.152" HTTP_IP="194. the same as netmask 255.org/andreasson/iptables-tutorial/iptables-tutorial.168.0.154" INET_IFACE="eth0" # # 1.1 DHCP # # # 1. # # your LAN's IP range and localhost IP.0.0/16" LAN_BCAST_ADRESS="192.168.236.2 Local Area Network configuration.1.168.1.3 DMZ Configuration.153" DNS_IP="194. # LO_IFACE="lo" LO_IP="127.3" DMZ_IP="192.1" DMZ_IFACE="eth2" # # 1.5 IPTables Configuration.

9 Página 101 # # 1. # # # 3.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.unix-fu. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1. /proc set up. Module loading.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.6 Other Configuration.Iptables Tutorial 1.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. # ########################################################################### # # 2.1 Required proc configuration # http://people.

org/andreasson/iptables-tutorial/iptables-tutorial.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.1 Filter table # # # 4.1.1.1.unix-fu.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.Iptables Tutorial 1.3 Create content in userspecified chains # http://people. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4. # ###### # 4.9 Página 102 echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.html 21:25:51 10/06/2002 .

1.9 Página 103 # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.1.unix-fu. DMZ or LOCALHOST # # # From DMZ Interface to DMZ firewall IP # http://people.4 INPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Packets from the Internet to this box # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # # Packets from LAN.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.html 21:25:51 10/06/2002 .RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # 4.

5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # DMZ section # # General rules # $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT http://people.Iptables Tutorial 1.RELATED \ -j ACCEPT # # Logging rule # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.html 21:25:51 10/06/2002 .9 Página 104 $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT # # From LAN Interface to LAN firewall IP # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT # # From Localhost interface to Localhost IP # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT # # All established and related packets incoming from the internet to the # firewall # $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial.1.1.unix-fu.

6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets http://people.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.RELATED -j ACCEPT # # LOG all packets reaching here # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.RELATED -j ACCEPT $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT # # HTTP server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ --dport 80 -j allowed $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ -j icmp_packets # # DNS server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j allowed $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j ACCEPT $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ -j icmp_packets # # LAN section # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.unix-fu.1.1.9 Página 105 $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \ --state ESTABLISHED.

4 PREROUTING chain # # # Enable IP Destination NAT for DMZ zone # $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \ -j DNAT --to-destination $DMZ_HTTP_IP $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.5 POSTROUTING chain # http://people.html 21:25:51 10/06/2002 .1.unix-fu.2.2 Create user specified chains # # # 4.2.2.2 nat table # # # 4.2.3 Create content in user specified chains # # # 4.1 Set policies # # # 4.Iptables Tutorial 1.2.9 Página 106 # # Allow ourself to send packets not spoofed everywhere # $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT # # Logging rule # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.

Iptables Tutorial 1.6 OUTPUT chain # ###### # 4.3.9 Página 107 # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.3.3.unix-fu.1 Set policies # # # 4.html 21:25:51 10/06/2002 .3 Create content in user specified chains # # # 4.3.1.2.2 Create user specified chains # # # 4.4 PREROUTING chain # # # 4.5 INPUT chain # # # 4.3.7 OUTPUT chain # # # 4.3.org/andreasson/iptables-tutorial/iptables-tutorial.6 FORWARD chain # # # 4.3.3 mangle table # # # 4.3.8 POSTROUTING chain # http://people.

# but WITHOUT ANY WARRANTY. # INET_IP="194.1 DHCP # # # 1.firewall .1.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . 59 Temple # Place. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.2 PPPoE # # # 1. # # # 1.. if not.Iptables Tutorial 1. See the # GNU General Public License for more details.155" INET_IFACE="eth0" # # 1. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. Configuration options.firewall script #!/bin/sh # # rc.UTIN.9 Página 108 Example rc. Suite 330. # # your LAN's IP range and localhost IP.1 Internet Configuration.UTIN Firewall script for Linux 2. MA 02111-1307 USA # ########################################################################### # # 1.236. Boston. write to the Free Software Foundation.50. Inc. # # This program is distributed in the hope that it will be useful.1.unix-fu.2 Local Area Network configuration.4.1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.net> # # This program is free software. version 2 of the License. /24 means to only use the first 24 http://people.

0. # IPTABLES="/usr/sbin/iptables" # # 1. Module loading.5 IPTables Configuration.2" LAN_IP_RANGE="192.168.1. # # # 1.4 Localhost Configuration. # ########################################################################### # # 2.255.168.0/16" LAN_BCAST_ADRESS="192.9 Página 109 # bits of the 32 bit IP adress.0 # LAN_IP="192.6 Other Configuration.0.Iptables Tutorial 1.0.255.255" LAN_IFACE="eth1" # # 1.html 21:25:51 10/06/2002 .1" # # 1.org/andreasson/iptables-tutorial/iptables-tutorial.3 DMZ Configuration. the same as netmask 255. # LO_IFACE="lo" LO_IP="127.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat http://people.255. # # # Needed to initially load modules # /sbin/depmod -a # # 2.168.unix-fu.0.

unix-fu.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.1.1 Filter table # # # 4.9 Página 110 /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2. rules set up. # ###### # 4.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP http://people.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. # # # 3.1.html 21:25:51 10/06/2002 . /proc set up.

2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.9 Página 111 $IPTABLES -P FORWARD DROP # # 4.Iptables Tutorial 1.1.1.1. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT http://people.html 21:25:51 10/06/2002 .unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.

# http://people.Iptables Tutorial 1. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from anywhere # $IPTABLES -A INPUT -p ICMP -j icmp_packets $IPTABLES -A INPUT -p TCP -j tcp_packets $IPTABLES -A INPUT -p UDP -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.html 21:25:51 10/06/2002 .1.1.9 Página 112 # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.4 INPUT chain # # # Bad TCP packets we don't want.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.

org/andreasson/iptables-tutorial/iptables-tutorial.1.Iptables Tutorial 1. # $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # http://people.html 21:25:51 10/06/2002 .1.9 Página 113 $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.unix-fu. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.6 OUTPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward between interfaces.RELATED -j ACCEPT # # Log weird packets that don't match the above.1.

3 Create content in user specified chains # # # 4. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.1.1 Set policies # # # 4.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.2.3.2.4 PREROUTING chain # # # 4.2.2.9 Página 114 # Log weird packets that don't match the above.2.2 Create user specified chains # # # 4.6 OUTPUT chain # ###### # 4.2.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.3 mangle table # # # 4.1 Set policies # # http://people.unix-fu.Iptables Tutorial 1.2 nat table # # # 4.

3.4 PREROUTING chain # # # 4.3. # but WITHOUT ANY WARRANTY.1.3.2 Create user specified chains # # # 4. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.firewall . # # This program is distributed in the hope that it will be useful.6 FORWARD chain # # # 4.html 21:25:51 10/06/2002 .5 INPUT chain # # # 4.DHCP. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it http://people.net> # # This program is free software.3.unix-fu.8 POSTROUTING chain # Example rc. See the # GNU General Public License for more details.4.3 Create content in user specified chains # # # 4.3.org/andreasson/iptables-tutorial/iptables-tutorial.3.DHCP IP Firewall script for Linux 2. version 2 of the License.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.firewall script #!/bin/sh # # rc.7 OUTPUT chain # # # 4.Iptables Tutorial 1.3.9 Página 115 # 4.

Iptables Tutorial 1.1.9

Página 116

# from; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA 02111-1307 USA # ########################################################################### # # 1. Configuration options. # # # 1.1 Internet Configuration. # INET_IFACE="eth0" # # 1.1.1 DHCP # # # Information pertaining to DHCP over the Internet, if needed. # # Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP # over the Internet set this variable to yes, and set up the proper IP # adress for the DHCP server in the DHCP_SERVER variable. # DHCP="no" DHCP_SERVER="195.22.90.65" # # 1.1.2 PPPoE # # Configuration options pertaining to PPPoE. # # If you have problem with your PPPoE connection, such as large mails not # getting through while small mail get through properly etc, you may set # this option to "yes" which may fix the problem. This option will set a # rule in the PREROUTING chain of the mangle table which will clamp # (resize) all routed packets to PMTU (Path Maximum Transmit Unit). # # Note that it is better to set this up in the PPPoE package itself, since # the PPPoE configuration option will give less overhead. # PPPOE_PMTU="no" # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 117

# 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1" # # 1.3 DMZ Configuration. # # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. #

########################################################################### # # 2. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1 Required modules # /sbin/modprobe ip_conntrack http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 118

/sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_MASQUERADE # # 2.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc

########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 119

$IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 120

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT if [ $DHCP == "yes" ] ; then $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.1.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

unix-fu.9 Página 121 $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \ --state ESTABLISHED. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.1.html 21:25:51 10/06/2002 .1. http://people.1.RELATED -j ACCEPT # # Log weird packets that don't match the above.Iptables Tutorial 1.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial.RELATED -j ACCEPT # # Log weird packets that don't match the above.

1 Set policies # # # 4.3 Create content in user specified chains # # # 4.unix-fu.2.2.org/andreasson/iptables-tutorial/iptables-tutorial.5 POSTROUTING chain # if [ $PPPOE_PMTU == "yes" ] .html 21:25:51 10/06/2002 .2.Iptables Tutorial 1.2 nat table # # # 4.2.9 Página 122 # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # # Log weird packets that don't match the above.RST SYN \ -j TCPMSS --clamp-mss-to-pmtu fi $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE # # 4. then $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN.6 OUTPUT chain # ###### # 4.4 PREROUTING chain # # # 4.2 Create user specified chains # # # 4.2.2. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.3 mangle table http://people.1.

3.9 Página 123 # # # 4.3.unix-fu.3.1 Set policies # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.4 PREROUTING chain # # # 4.1.8 POSTROUTING chain # Example rc.3.flush-iptables script #!/bin/sh # http://people.html 21:25:51 10/06/2002 .3.7 OUTPUT chain # # # 4.3.3.3 Create content in user specified chains # # # 4.5 INPUT chain # # # 4.6 FORWARD chain # # # 4.2 Create user specified chains # # # 4.Iptables Tutorial 1.3.

# # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net> # # This program is free software.1. # $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT # # reset the default policies in the nat table. MA 02111-1307 USA # # Configurations # IPTABLES="/usr/sbin/iptables" # # reset the default policies in the filter table.flush-iptables . Boston. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. See the # GNU General Public License for more details..Iptables Tutorial 1. if not.9 Página 124 # rc. # but WITHOUT ANY WARRANTY.html 21:25:51 10/06/2002 .unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.Resets iptables to default values. # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F http://people. version 2 of the License. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. 59 Temple # Place. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT # # flush all the rules in the filter and nat tables. # $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT # # reset the default policies in the mangle table. write to the Free Software Foundation. # # This program is distributed in the hope that it will be useful. Inc. Suite 330.

html 21:25:51 10/06/2002 .unix-fu. # but WITHOUT ANY WARRANTY.test-iptables script #!/bin/bash # # rc. See the # GNU General Public License for more details. write to the Free Software Foundation.Iptables Tutorial 1. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. all chains # iptables -t filter -A INPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter FORWARD:" http://people.1.net> # # This program is free software. Suite 330. Inc. Boston.org/andreasson/iptables-tutorial/iptables-tutorial. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.test script for iptables chains and tables. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.9 Página 125 # # erase all chains that's not default in filter and nat table. # # This program is distributed in the hope that it will be useful.test-iptables . MA 02111-1307 USA # # # Filter table. version 2 of the License. if not. # $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X Example rc. 59 Temple # Place..

all chains except OUTPUT which don't work.1. all chains # iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle OUTPUT:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle OUTPUT:" Done. # iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat OUTPUT:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat OUTPUT:" # # Mangle table.9 Página 126 iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter FORWARD:" # # NAT table.9 Oskar Andreasson blueflux@koffein.html 21:25:51 10/06/2002 . Iptables Tutorial 1.Iptables Tutorial 1.org/andreasson/iptables-tutorial/iptables-tutorial.1.unix-fu.net Copyright © 2001 by Oskar Andreasson http://people.

unix-fu. A copy of the license is included in the section entitled "GNU Free Documentation License". without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. under the section entitled "GNU General Public License". These scripts are distributed in the hope that they will be useful. See the GNU General Public License for more details. Suite 330..1. if not.1 How a rule is built Basics Tables Commands Matches Generic matches Implicit matches Explicit matches http://people.html 21:25:51 10/06/2002 . with the Front-Cover Texts being "Original Author: Oskar Andreasson". write to the Free Software Foundation. The scripts are free source. Inc. 59 Temple Place. but WITHOUT ANY WARRANTY. You should have received a copy of the GNU General Public License within this tutorial.9 Página 127 Permission is granted to copy. with the Invariant Sections being "Introduction" and all subsections. you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation. version 2 of the License. Boston.Iptables Tutorial 1. Version 1. and with no BackCover Texts.org/andreasson/iptables-tutorial/iptables-tutorial. MA 02111-1307 USA Table of Contents Introduction Why this document was written How it was written About the author Dedications Preparations Where to get iptables Kernel setup 1 userland setup Compiling the userland applications Installation on Red Hat 7. distribute and/or modify this document under the terms of the GNU Free Documentation License.1. All scripts in this tutorial are covered by the GNU General Public License.

firewall file example rc.firewall explanation of rc.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.firewall Configuration options Initial loading of extra modules proc set up Displacement of rules to different chains Setting up the different chains used INPUT chain The TCP allowed chain The ICMP chain The TCP chain The UDP chain OUTPUT chain FORWARD chain PREROUTING chain of the nat table Starting the Network Address Translation http://people.9 Página 128 Targets/Jumps ACCEPT target DROP target QUEUE target RETURN target LOG target MARK target REJECT target TOS target MIRROR target SNAT target DNAT target MASQUERADE target REDIRECT target TTL target ULOG target Traversing of tables and chains General Mangle table 1 Nat table 2 Filter table rc.1.html 21:25:51 10/06/2002 .unix-fu.

TERMINATION 10.txt rc. MODIFICATIONS 1.txt rc.Iptables Tutorial 1.DMZ. VERBATIM COPYING 3.txt script structure The structure rc.firewall. APPLICABILITY AND DEFINITIONS 2. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents GNU General Public License http://people. AGGREGATION WITH INDEPENDENT WORKS 8. TRANSLATION 9.firewall.txt Detailed explanations of special commands Listing your active ruleset Updating and flushing your tables Common problems and questionmarks Passive FTP but no DCC State NEW packets but no SYN bit set Internet Service Providers who use assigned IP addresses ICMP types Other resources and links Acknowledgements History GNU Free Documentation License 0.firewall.firewall.org/andreasson/iptables-tutorial/iptables-tutorial.firewall.html 21:25:51 10/06/2002 .test-iptables.txt rc. COLLECTIONS OF DOCUMENTS 7. PREAMBLE 1.txt rc.txt 10.1.9 Página 129 Example scripts rc. COMBINING DOCUMENTS 6.DHCP.UTIN.flush-iptables. rc.unix-fu. 5. COPYING IN QUANTITY 4.

html 21:25:51 10/06/2002 . Is it possible to allow passive FTP to your server.flush-iptables.firewall file since I find that example to be a good way to learn how to use iptables.firewall script Example rc.txt. This tutorial has turned a little bit harder to follow this way but at the same time it is more logical.unix-fu. Yes. I found a big empty space in the HOWTO's out there lacking in information about the iptables and netfilter functions in the new Linux 2.flush-iptables script Example rc.Iptables Tutorial 1.x kernels. just consult this tutorial.org/andreasson/iptables-tutorial/iptables-tutorial. I'm going to try to answer questions that some might have about the new possibilities like state matching. hopefully make you understand some more about the iptables package.test-iptables script Introduction Why this document was written Well. but not allow outgoing DCC from IRC as an example? I will build this all up from an example rc.9 Página 130 0.firewall script Example rc. How it was written I've placed questions to Marc Boucher and others from the core netfilter team. http://people.firewall script Example rc. Among other things.com. This document will guide you through the setup process step by step.UTIN. I have decided to just follow the basic chains and from there go down into each and one of the chains traversed in each due order.txt file that you can use in your /etc/rc.DMZ. Preamble 1. I will base most of the stuff here on the example rc. A big thanks going out to them for their work and for their help on this tutorial that I wrote and maintain for boingworld.DHCP. this file was originally based upon the masquerading HOWTO for those of you who recognize it. 2.1.d/ scripts. Whenever you find something that's hard to understand. DISTRIBUTION AND MODIFICATION 1.4.firewall. TERMS AND CONDITIONS FOR COPYING. How to Apply These Terms to Your New Programs Example scripts codebase Example rc.firewall script Example rc. Also. there's a small script that I wrote just in case you screw up as much as I did during the configuration available as rc.

Dedications First of all I would like to dedicate this document to my wonderful girlfriend Ninel. Second of all.Iptables Tutorial 1. Where to get iptables The iptables userspace package can be downloaded from the netfilter homepage. but this would be a problem with things like passive FTP or outgoing DCC in IRC. and in some respects I found the code not quite ready for release in full production. at the same time having it fairly secure. Before. you could make a fairly secure network by dropping all incoming packages not destined to certain ports. which assigns ports on the server. The iptables package also makes use of kernel space facilities which can be configured into the kernel during make configure . She has supported me more than I ever can support her to any degree.org/andreasson/iptables-tutorial/iptables-tutorial. It is people like those who makes this wonderful operating system possible. This chapter should hopefully get you set up and finished to go with your experimentation and installation of a firewall which should hopefully run smoothly in the future. sitting with my own LAN and wanting them all to be connected to the Internet. I'd recommend everyone who uses ipchains or even older ipfwadm etc to upgrade unless they're happy with what their current code is capable of and if it does what they need it to.9 Página 131 About the author I'm someone with too many old computers on my hands. I wish I could make you just as happy as you make me.unix-fu. and then lets the client connect. tells the client about it. Today. Preparations This chapter is aimed at getting you started and to help you understand the role netfilter and iptables play in Linux today.1. I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers.html 21:25:51 10/06/2002 . Kernel setup To run the pure basics of iptables you need to configure the following options into the kernel while doing make config or one of it's related commands: http://people. The new iptables is a good upgrade from the old ipchains in this regard. The necessary pieces will be discussed a bit further down in this document. There was some child diseases in the iptables code that I ran into in the beginning.

CONFIG_IP_NF_MATCH_MULTIPORT .1. but with this match it is. this option compiles the helper. For example. If you want to use the more advanced options in IPTables. that adds the possibility to control how many packets per minute that's supposed to be matched with a certain rule.This module isn't exactly required but it's used in the example rc. You won't be able to do anything to be pretty honest. In other words. CONFIG_IP_NF_MATCH_MAC .txt. Here we will show you the options available in a basic 2. This option provides the LIMIT match. and further down we will describe the actual target MARK. We don't use this option in the rc. we can match based on this mark. this module is required by the rc.org/andreasson/iptables-tutorial/iptables-tutorial. For example. CONFIG_IP_NF_MATCH_TOS . Without this you won't be able to do anything at all with iptables. this is most definitely required if for anything in this tutorial to work at all. TOS can also be set by certain rules in the mangle table and via the ip/ tc commands. The above will only add some of the pure basics in iptables.firewall.With this match we can match packets based on their TOS field. If you don't add this module you won't be able to FTP through a firewall or gateway properly. PPP and SLIP interfaces. http://people.This allows us to match packets based on MAC addresses. ie.txt to work. I assume you'll want this since you're reading this at all. among other things.firewall. you need to set up the proper configuration options in your kernel. This option is the actual match MARK. For example. it just adds the framework to the kernel. Every Ethernet adapter has it's own MAC address.This option is required if you want do any kind of filtering. CONFIG_IP_NF_IPTABLES . CONFIG_IP_NF_MATCH_LIMIT . -m limit --limit 3/ minute would match a maximum of 3 packets per minute.4.This module is needed to make connection tracking.Iptables Tutorial 1. Ethernet adapter. An example would be tcpdump or snort.This allows us to use a MARK match. CONFIG_IP_NF_MATCH_MARK .9 kernel and a brief explanation : CONFIG_IP_NF_CONNTRACK .unix-fu.This module allows us to match packets with a whole range of destination ports or source ports. Connection tracking is used by. CONFIG_IP_NF_FTP . NAT and Masquerading. masquerading or NAT. If you need to firewall machines on a LAN you most definitely should mark this option.This option allows applications and programs that needs to work directly to certain network devices.This option is required if you're going to use your computer as a firewall or gateway to the internet.This module is required if you want to do connection tracking on FTP connections. It adds the whole iptables identification framework to kernel. if we use the target MARK we could mark a packet and then depending on if this packet is marked further on in the table. We could for instance block packets based on what MAC address used and block a certain computer pretty well since the MAC address don't change.firewall.9 Página 132 CONFIG_PACKET . TOS stands for Type Of Service.html 21:25:51 10/06/2002 . Since FTP connections are quite hard to do connection tracking on in normal cases conntrack needs a so called helper. And of course you need to add the proper drivers for your interfaces to work properly. CONFIG_NETFILTER . This module can also be used to avoid certain Denial of Service attacks.txt example or anywhere else. Normally this wouldn't be possible.

For example. Note that this match is still experimental and might not work perfectly in all cases.1.Iptables Tutorial 1. but mostly is. For instance if we don't know what IP we have to the Internet this would be the preferred way of getting the IP instead of using DNAT or SNAT. Instead of letting a packet pass right through. UDP and ICMP packets that looks strange or are invalid. we remap them to go to our local box instead. we can allow only the user root to have Internet access. we need to use this target instead of SNAT. this option is required for the example rc. Masquerading gives a slightly higher load on the computer than NAT does.org/andreasson/iptables-tutorial/iptables-tutorial. CONFIG_IP_NF_TARGET_MIRROR . we have the possibility to make a transparent proxy this way.9 Página 133 CONFIG_IP_NF_MATCH_TCPMSS . TCP.firewall.txt example. this packet will be counted as ESTABLISHED. Note that this option is is not required for firewalling and masquerading of a LAN. CONFIG_IP_NF_TARGET_REJECT . Note that this match is still experimental and might not work for everyone. Mind you that TCP connections are always reset or refused with a TCP RST packet. In the filter table you'll find the INPUT. CONFIG_IP_NF_FILTER .This module allows network address translation. PPP.html 21:25:51 10/06/2002 . CONFIG_IP_NF_MATCH_STATE .This module will add the basic filter table which will enable you to do basic filtering. or NAT. This module is used extensively in the rc.This target is useful together with proxies for example. SLIP or some other connection that dynamically assigns us an IP. For example. CONFIG_IP_NF_MATCH_OWNER .This module adds the MASQUERADE target. if we've already seen trafic in two directions in a TCP connection. but will work without us knowing the IP in advance. CONFIG_IP_NF_TARGET_REDIRECT . CONFIG_IP_NF_MATCH_UNCLEAN .This allows packets to be bounced back to the sender of the packet. With this option we can do port forwarding.This option adds the possibility for us to match TCP packets based on their MSS field.firewall. For example.txt to work properly. Hence.This option will add the possibility for us to do matching based on the owner of a socket.This target allows us to specify that an ICMP error message should be sent in reply to incoming packets instead of plainly dropping them dead to the floor.This module will add the possibility for us to match IP. We could for example drop these packets. With this module we can do stateful matching on packets. but we never know if they are legitimate or not. if we set up a MIRROR target on destination port HTTP on our INPUT chain and someone tries to access this port we would plainly bounce his packets back to himself and finally he would see his own homepage. masquerading etc. This module was originally just written as an example on what could be done with the new iptables.unix-fu. In other words. CONFIG_IP_NF_NAT . if we use DHCP. FORWARD and OUTPUT chains. unless you are able to provide unique IP addresses for all hosts. CONFIG_IP_NF_TARGET_MASQUERADE .This is one of the biggest news in comparison to ipchains. in it's different forms. http://people. In other words. and most definitely on your network if you do not have the ability to add unique IP addresses as specified above. This module is required if you plan to do any kind of filtering on packets that you receive and send.

small mails getting through while larger mails don't get through. CONFIG_IP_NF_COMPAT_IPFWADM . This may be for various reasons such as the patch not being stable yet. I have briefly explained what kind of extra behaviours you can expect from each module here.1.txt script to work. If you would like to get a look at more options. We can use this module to log certain packets to syslogd and hense see the packet further on. Do absolutely not look at this as a real long term solution.html 21:25:51 10/06/2002 . As you can see. This can result in webpages not getting through.4 kernels since it may well be gone with kernel 2.6. If you need help with the options that the other scripts needs. These are only the options available in a vanilla Linux 2. Do not look at this as any real long term solution for solving migration from Linux 2. ssh works but scp dies after handshake.unix-fu.Adds a compatibility mode with the old ipchains. We can then use the TCPMSS target to overcome this by clamping our MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit). etcetera.Iptables Tutorial 1. but has not quite made it in yet.2 kernels to 2. This could be useful for forensics or debugging a script you're writing. This way. or as modules.firewall. for the rc.9 Página 134 CONFIG_IP_NF_TARGET_LOG .Compatibility mode with old ipfwadm. to Linus Torvalds being unable to keep up or not wanting to let the patch in to the mainstream kernel yet since it is still experimental.This option can be used to overcome Internet Service Providers and servers who block ICMP Fragmentation Needed packets. there is a heap of options. CONFIG_IP_NF_COMPAT_IPCHAINS . CONFIG_IP_NF_TARGET_TCPMSS . These functions should be added in the future.org/andreasson/iptables-tutorial/iptables-tutorial.9 kernel.4. You will need the following options compiled into your kernel. POM fixes are additions that are supposed to be added in the kernel in the future but has not quite reached the kernel yet. I suggest you look at the patch-o-matic functions in netfilter userland which will add heaps of other options in the kernel.This adds the LOG target to iptables and the functionality of it. look at the example firewall scripts section. CONFIG_PACKET CONFIG_NETFILTER CONFIG_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT http://people. we'll be able to handle what the authors of netfilter themself call "criminally braindead ISPs or servers" in the kernel configuration help.

there are some even more experimental patches further along.4. However.9 kernel. Here. there are heaps of extremely interesting matches and targets in this installation step so don't be afraid of at least looking at them. Normally this should be /usr/src/linux/ but this may vary. and other distributions further on in this chapter Compiling the userland applications First of all unpack the iptables package. and most probably you will know yourself where the kernel source is available. Unpack as usual.tar. userland setup First of all.The step described here will only check patches that are pending for inclusion to the kernel.1 it is disabled per default. using bzip2 -cd iptables-1. In the other example scripts I will explain what requirements they have in their respective section. this may not work with older versions of tar).3/INSTALL file which contains pretty good information on compiling and getting the program to run. lets try to stay focused on the main script which you should be studying now.2. one of these are Red Hat 7. which should do pretty much the same as the first command.3 package and a vanilla 2. Hopefully the package should now be unpacked properly into a directory named iptables-1.3.3. For now.firewall.txt script. This compilation goes quite a lot hand in hand with the kernel configuration and compilation so you are aware of this. Some of these are highly experimental and may not be a very good idea to install.2. which may only be available when you do some other steps.2. After this.bz2.tar.html 21:25:51 10/06/2002 .1.(this can also be accomplished with the tar -xjvf iptables-1. We will check closer on how to enable it on this. we have used the iptables 1. let's look at how we compile the iptables package.2.9 Página 135 CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE The above will be required at the very least for the rc.org/andreasson/iptables-tutorial/iptables-tutorial. http://people. To do this step we do something like this from the root of the iptables package: make pending-patches KERNEL_DIR=/usr/src/linux/ The variable KERNEL_DIR should point to the actual place that your kernel source is located at.bz2 | tar -xvf . in Red Hat 7.2.Iptables Tutorial 1. However.unix-fu. Certain distributions comes with the iptables package preinstalled. For more information read the iptables-1. there is the option to install extra modules and options etcetera to the kernel.1. However.3.

Some patches will destroy other patches while others may destroy your kernel if used together with some patches from patch-omatic etc. There might be more patches and additions that the developers of netfilter are about to add to the kernel. They ask you before anything is changed in the kernel source. To be able to install all of the patch-o-matic stuff you will need to run the following command: make patch-o-matic KERNEL_DIR=/usr/src/linux/ Don't forget to read the help for each patch thoroughly before doing anything. You may totally ignore the above steps if you don't want to patch your kernel. If everything has worked smoothly.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. you may either compile a new kernel making use of the new patches that you have added to the source. because that's what these commands actually do. One way to install these are by doing the following: make most-of-pom KERNEL_DIR=/usr/src/linux/ The above command would ask about installing parts of what in netfilter world is called patch-o-matic. there are some really interesting things in the patch-o-matic that you may want to look at so there's nothing bad in just running the commands and see what they contain. try to think logically about it and find out what's wrong or get someone to help you.1. you would issue the following command to install them: make install KERNEL_DIR=/usr/src/linux/ Hopefully everything should work in the program now. or possibly try the netfilter mailing list who might help you with your problems. if not. though. To use any of the changes in the iptables userland applications you should definitely recompile and reinstall your kernel by now if you haven't done so http://people. To do this. you're ready to install the binaries by now. Continue by compiling the iptables userland application.unix-fu. Don't forget to configure the kernel again since the new patches probably are not added to the configured options and so on. You may wait with the kernel compilation until after the compilation of the userland program iptables if you feel like it.9 Página 136 This only asks about certain patches that are just about to enter the kernel anyways. you're on your own. However. Note that we say ask. To compile iptables you issue a simple command that looks like this: make KERNEL_DIR=/usr/src/linux/ The userland application should now compile properly. There is a few things that might go wrong with the installation of iptables so don't panic if it won't work.Iptables Tutorial 1. but still skip the most extreme patches that might cause havoc in your kernel. but is a bit further away from actually getting there. it is in other words not necessary to do the above. After this you are finished doing the patch-o-matic parts of installation.

d/ directory-structure. Multiuser without NFS or the same as 3 if there is no networking. check the INSTALL file in the source which contains excellent information on the subject of installation. they have disabled the whole thing by using the backwards compatible ipchains module. First of all you will need to turn off the ipchains modules so it won't start in the future. Now the service won't be started in the future. We would then issue the following command to stop the ipchains service: service ipchains stop Finally. or to not run it if it was not previously started. So. Annoying to say the least. let's take a brief look at how to turn the module off and how to install iptables instead. This is used if you automatically boot into Xwindows. To do this. 3 and 5. however. To make iptables run in these runlevels we would do the following commands: chkconfig --level 235 iptables on http://people. The following command should do it: chkconfig --level 0123456 ipchains off By doing this we move all the soft links that points to the real script to K92ipchains. to stop the service from actually running right now we need to run another command. For more information about installing the userland applications from source. By changing this to K we tell it to Kill the service instead. the normal runlevel to run in.4. to start the iptables service. These runlevels are used for the following things: 2. This is the service command which can be used to work on currently running services.1.Iptables Tutorial 1. However. and a lot of people are asking different mailing lists why iptables don't work. Installation on Red Hat 7. First of all.1 Red Hat 7.1 installation today comes with an utterly old version of the userspace applications so you might want to compile a new version of the applications as well as install a new and homecompiled kernel before fully exploiting iptables.1 comes preinstalled with a 2.x kernel that has netfilter and iptables compiled in.unix-fu.9 Página 137 before. Full multiuser mode. 3.html 21:25:51 10/06/2002 . we need to know which runlevels we want it to run in. The first letter which per default would be S tells the initscripts to start the script. you will need to change some filenames in the /etc/rc. X11. It also contains all the basic userland programs and configuration files that is needed to run it.org/andreasson/iptables-tutorial/iptables-tutorial. Normally this would be in runlevel 2. 5. The default Red Hat 7. ie.

The other way to save the script would be to use service iptables save which would save the script automatically to this file. To activate the iptables service. don't forget to edit a the stop) section either which tells the script what to do when the computer is going down for example. First we will describe the possibility of doing the set up by cut and paste to the iptables init. To add rules that should be run when the computer starts the service. why keep ipchains lying around when it is of no use? That is done the same way as with the old iptables binaries. when you need to fix a screwed up box. However. To add rules to an Red Hat 7. 3 and 5. we just run the following command: service iptables start Of course. do as follows: rpm -e iptables And of course. for example.org/andreasson/iptables-tutorial/iptables-tutorial. there is no rules in the iptables script. This step is only necessary if you will install iptables from the source package.d scripts. ie. or directly with iptables.d script. there is two common ways. such as iptables-save > /etc/sysconfig/ iptables which would save the ruleset to the file /etc/sysconfig/iptables.d script to restore the ruleset in the future.9 Página 138 The above commands would in other words make the iptables service run in runlevel 2.Iptables Tutorial 1. The other way would be to load the ruleset and then save them with the iptables-save command and then have it loaded automatically by the rc. so you should not really need to activate it for those runlevels. First of all. Note that this set up may be automatically erased if you have. Red Hat Network automatically updating your packages. make and write a ruleset in a file. It's not unusual that the new and the old package get's mixed up since the rpm based installation installs the package in non-standard places and won't get overwritten by the installation for the new iptables package. Note. Also. and level 6 is for shutting the computer down.unix-fu. If you'd like the iptables service to run in some other runlevel you would have to issue the same command in those. if you add the rules under the start) section don't forget to stop the start() function from running in the start) section. You could either use it normally.1. When all of these steps are finished we can deinstall the currently installed ipchains and iptables packages. and don't forget to experiment a bit. Do not intermix this and the previous set up instruction since they may heavily damage eachother and render each and one useless. To do the deinstallation. don't forget to check out the restart section and condrestart. When you find a set up that works without problems or bugs as you can see.html 21:25:51 10/06/2002 . This would have the bad effect that the rules would be deleted if you updated the iptables package by RPM. It may also be erased by updating from the iptables RPM package.d script will use the command iptablesrestore to restore the ruleset from the save-file /etc/sysconfig/iptables.d/init. you chould edit the /etc/rc. When you reboot the computer in the future. you add them under the start) section. use the iptables-save command. This file is automatically used by the iptables rc. Level 1 is for single user mode. or when we are entering a runlevel that don't require iptables to run. the iptables rc.d/iptables script. etc: http://people. First of all.1 box. We do this since we don't want the system to mix up the new iptables userland application with the old preinstalled iptables applications. or in the start() function. that will meet your requirements. none of the other runlevels should be used. Level 4 should be unused. The second way of doing the set up would require the following steps to be taken. Also.

or jump.9 Página 139 rpm -e ipchains After all this is done you are finished to update the iptables package from source according to the source installation instructions. it is more or less standard to put the table specification at the beginning of the commandline. or matches. or directly after the table specification. If you want to use another table than the standard table.org/andreasson/iptables-tutorial/iptables-tutorial. Each line you write that's inserted to a chain should be considered a rule. How a rule is built This chapter will discuss in legth how to build your rules. One thing to think about though. new subchains). or which network interface the packet must come from etc. the command should always be first. We use this first variable to tell the program what to do. We will also discuss the basic matches that str available and how to use them as well as the different targets and how we can make new targets to use (ie. There is a heap of different matches that we can use that we will look closer at further on in this chapter.html 21:25:51 10/06/2002 . you would do this normally to get a better readability. We could specify what IP address the packet must come from. We will enter this a bit further on. you could insert the table specification where [table] is specified. however. libraries or include files etc should be lying around any more. However. either. it is not necessary to specify it explicitly all the time since iptables per default uses the filter table to implement your commands on. for example to insert a rule or to add a rule to the end of the chain. It is not required to put the table specification at this location. Basics As we've already explained each rule is a line that the kernel looks at to find out what to do with a packet. are met. instruction. A rule could be described as the pure rules the firewall will follow when blocking different connections and packets in each chain. or to delete a rule. we have used this way of writing rules since it is the most usual way of writing them. It could be set pretty much anywhere in the rule. http://people. If all the criterias. Also. The match is the part which we send to the kernel that says what a packet must look like to be matched.unix-fu. This tells the iptables command what to do. None of the old binaries. if you read someone elses script you'll most likely recognise the way of writing a rule and understand it quickly.1. however. Hence. Normally we would write a rule something like this: iptables [-t table] command [match] [target/jump] There is nothing that says that the target instruction must be last in the line.Iptables Tutorial 1. we perform the target.

The PREROUTING chain is used to alter packets as soon as they get in to the firewall.Iptables Tutorial 1. Tables The -t option specifies which table to use. The filter table should be used for filtering packets generally. The first one is named FORWARD and is used on all non-locally generated packets that are not destined for our localhost (the firewall.html . the nat table was made for these kinds of operations.1. on the firewall) before they get to the routing decision. There are three chain built in to this table. Note that OUTPUT is currently broken.9 Página 140 Finally we have the target of the packet. Note that the MARK is not really a change to the packet. LOG. Packets in a stream only traverse this table once. Per default. but instead they will automatically have the same actions taken to them as the first packet in the stream.unix-fu. PREROUTING is used for altering packets just as they enter the firewall and before they hit the routing decision. we presume. but a mark for the packet is set in kernelspace which other rules or programs might use further on in the firewall to filter or do advanced routing on with tc as an example. ACCEPT or REJECT packets without problems as in the other tables. The rest of the packets in the same stream are automatically NAT'ed or Masqueraded etc. The OUTPUT chain is used for altering locally generated packets (ie. For example. This table is used mainly for mangling packets. Tables Table nat Explanation The nat table is used mainly for Network Address Translation. As with the rest of the content in this section. Finally we have the POSTROUTING chain which is used to alter packets just as they are about to leave the firewall. in case they are supposed to have those actions taken on them. Note that mangle can not be used for any kind of Network Address Translation or Masquerading. the PREROUTING and OUTPUT chains. The first packet of a stream is allowed. We could tell the kernel to send the packet to another chain that we create ourself. in other words). or we could tell kernel to send a specified reply to be sent back. which must be part of this table. If all the matches are met for a packet we tell the kernel to perform this action on the packet. we could DROP. as we will discuss more in length further on. OUTPUT is used for changing and altering locally generated packets before they enter the routing decision. We could tell the kernel to drop this packet dead and do no further processing. we'll look closer at them further on in the chapter. We could change different packets and how their headers look among other things. Examples of this would be to change the TTL. 21:25:51 10/06/2002 mangle filter http://people. This is one reason why you should not do any filtering in this table. TOS or MARK. The table consists of two built in chains.org/andreasson/iptables-tutorial/iptables-tutorial. the filter table is used. The rest of the packets in the stream will in other words not go through this table again. INPUT is used on all packets that are destined for our local host (the firewall) and OUTPUT is finally used for all locally generated packets. The following options are available to the -t command: Table 1.

iptables -D INPUT 1 This command deletes a rule in a chain. The following commands are available to iptables: Table 2. This might be good while experimenting with iptables mainly. If you use the first way of deleting rules. and hence it would be the http://people. and you should know what to use each chain for. -R.html 21:25:51 10/06/2002 .1 -j DROP This command replaces the old entry at the specified line. Commands Command Example Explanation -A. and the top rule is number 1. Commands In this section we will bring up all the different commands and what can be done with them. either by specifying a rule to match with the -D option (as in the first example) or by specifying the rule number that we want to match. -I. This could be done in two ways. Normally we want to either add or delete something to some table or another.0. they must match totally to the entry in the chain. it will replace it with a new entry. unless you append or insert more rules later on. We will discuss the tables and chains more in the Traversing of tables and chains chapter. If you do not understand their usage you may well fall into a pit once someone finds the hole you have unknowingly placed in the firewall yourself. The command tells iptables what to do with the rest of the commandline that we send to the program. but instead of totally deleting the entry..1.org/andreasson/iptables-tutorial/iptables-tutorial. -D. the above example would be inserted at place 1 in the INPUT chain.unix-fu.168. They should be used for totally different things. The rule is inserted at the actual number that we give. --append iptables -A INPUT . --delete iptables -D INPUT --dport 80 -j DROP. It works in the same way as the --delete command.. In other words.9 Página 141 The listing above has hopefully explained the basics about the three different tables that are available. --insert iptables -I INPUT 1 --dport 80 -j ACCEPT Insert a rule somewhere in a chain. This command appends the rule to the end of the chain. If you use the second way. the rules are numbered from the top of each chain.Iptables Tutorial 1. The rule will will in other words always be put last in the ruleset in comparison to previously added rules. --replace iptables -R INPUT 1 -s 192. and hence be checked last.

Iptables Tutorial 1. you have probably seen the packet counter in the beginning of each field.unix-fu. -Z. It's also legal to not specify any chain at all. there must be no rules that are referring to the chain that is to be deleted. --list iptables -L INPUT This command lists all the entries in the specified chain. The exact output is affected by other options sent to the program. use the -Z option. -N. see the Tables section). --zero iptables -Z INPUT This command tells the program to zero all counters in a specific chain or in all chains. --policy iptables -P INPUT DROP This command tells the kernel to set a specified default target. or policy. In other words.org/andreasson/iptables-tutorial/iptables-tutorial. If -L and -Z is used together (which is legal). For this command to work. and will then delete all rules in all chains within the specified table. the command would list all the chains in the specified table (To specify a table. In the above example we create a chain called allowed.1. etcetera. In the last case. --flush iptables -F INPUT This command flushes the specified chain from all rules and is equivalent to deleting each rule one by one but is quite a bit faster. All packets that don't match any rule will then be forced to use the policy of the chain. --new-chain iptables -N allowed This command tells the kernel to create a new chain by the specified name in the specified table. -L. all chains that are not built in will be deleted from the specified table. we would list all the entries in the INPUT chain. mail me if so) -E. Note that there must be no target of the same name previously to creating it. To zero this packet counter. ACCEPT and REJECT (There might be more. you would have to replace or delete all rules referring to the chain before actually deleting the chain. on a chain.html 21:25:51 10/06/2002 . The command can be used without options. If this command is used without any options. --rename-chain iptables -E allowed disallowed http://people.9 Página 142 absolutely first rule in the chain from now on. --delete-chain iptables -X allowed This command deletes the specified chain from the table. This option works the same as -L except that -Z won't list the rules. and then the packet counters are zeroised. -P. for example the -n and -v options. the chains will first be listed. If you have used the -v option with the -L command. -X. -F. In the above case. Legal targets are: DROP.

change the name of the chain from allowed to disallowed. The --list command will also include a bytes and packet counter for each rule if the --verbose option is set. --numeric --list This option tells iptables to output numerical values. --delete or --replace commands. As usual.000. in other words. Also note that we do not tell you any options here that is only used to affect rules and matches.html 21:25:51 10/06/2002 . Table 3. network names or application names.000) and G (x1. Note that we tell you with which commands the options can be used and what effect they will have.unix-fu. use the -v option and to get the help message. This option overrides the default of resolving all numerics to hosts and names if possible. M or G multipliers.000) multipliers. rule options and TOS masks. The matches and targets are instead looked upon in a later section of this chapter. It is. These counters uses the K (x1000). Note that this will not affect the actual way the table will work.Iptables Tutorial 1. This option is only applicable to the --list command. --exact --list This option expands the numerics. If this option is used with the --append. To overcome this and to get exact output. M (x1. --insert. Note that this option is only usable in the --list command and isn't really relevant for any of the other commands. --replace This command shows a verbose output and is mainly used together with the --list command. In the example above we would. Options Option Commands used with Explanation -v.000.1.9 Página 143 The -E command tells iptables to rename the first name of a chain.000. The output from --list will in other words not contain the K. Instead we will get an exact output of how many packets and bytes that has matched the rule in question from the packets and bytes counters. in other words. IP addresses and port numbers will be printed by using their numerical values and not hostnames. the program will output detailed information on what happens to the rules and if it was inserted correctly etcetera. use the -h option. --delete. Here comes a few options that can be used together with a few different commands. --verbose --list. -x. If used together with the --list command it makes the output from the command include the interface address. To get the version. --append. --insert. -n.org/andreasson/iptables-tutorial/iptables-tutorial. in other words. you could use the -x option described later. to the second name. just a cosmetic change to the table. --line-numbers --list http://people. A command should always be specified. unless you just want to list the built-in help for iptables or get the version of the command.

I've chosen to split down the matches into five different subcategories here. I hope this is a reasonable breakdown and that all people out there can understand this breakdown. It could be used if your modprobe command is not somewhere in the searchpath etc. We have UDP matches which can only be applied to UDP packets and ICMP matches which can only be used on ICMP packets.org/andreasson/iptables-tutorial/iptables-tutorial. The syntax would be something like --set-counters 20 4000. too. Then we have the TCP matches which can only be applied to TCP packets. if we want to use an TCP match. even though it is needed to use some protocol specific matches. The following matches are always available. This option only works with the --list command.html 21:25:51 10/06/2002 . -c. Generic matches Command Example http://people. First of all we have the generic matches which are generic and can be used in all rules. For example.Iptables Tutorial 1. I have also added the --protocol match here. Each rule is numbered together with this option and it might be easier to know which rule has which number when you're going to insert rules. This option can be used with all commands. --modprobe All The --modprobe option is used to tell iptables which command to use when probing for modules to the kernel. Matches This section will talk a bit more about the matches. which would tell the kernel to set the packet counter to 20 and byte counter to 4000. we need to use the --protocol match and send TCP as an option to the match. No special parameters are in other words needed to load these matches at all. --replace This option is used when creating a rule in some way or modifying it. However. Generic matches This section will deal with Generic matches. owner and limit matches and so on. --set-counters --insert. We can then use the option to initialize the packets and bytes counters of the rule. A generic match is a kind of match that is always available whatever kind of protocol we are working on or whatever match extensions we have loaded. --append. since it can be used to match specific protocols. In such cases it might be necessary to specify this option so the program knows what to do in case a needed module is not loaded.9 Página 144 The --line-numbers command is used to output line numbers together with the --list command. Table 4. Finally we have special matches such as the state.1. --protocol is in itself a match.unix-fu. These final matches has in turn been split down to even more subcategories even though they might not necessarily be different matches at all.

0/24 we would match all packets with a source address not coming from within the 192. and the other way is to only specify the number of ones (1's) on the left side of the network mask. the program knows about all the protocols in the /etc/protocols file as we already explained.168.0.255. This would match all packets in the 192.0/24 and both would be equivalent to each other. It would then look like either 192.168. First of all the protocol match can take one of the three aforementioned protocols. This list can vary a bit at the same time since it uses the /etc/protocols if it can not recognise the protocol itself.0.0 or like 192. To match an IP range. 192. except that it matches based on where the packets are going.1. --src. FORWARD and PREROUTING chains and will render an error message when used anywhere else.0. UDP and ICMP. It could be used with a netmask in a bits form.1 would in other words match all packets except those not destined to the 192.168.1. -s. so -protocol ! tcp would mean to match the ICMP and UDP protocols. The default behaviour of this match. we can add a netmask either in the exact netmask form. The main form can be used to match single IP addresses such as 192. --dst. for example. We can also invert the meaning of this option with the help of the ! sign.org/andreasson/iptables-tutorial/iptables-tutorial. The line would then look something like. just as before. This means that we could for example add /24 to use a 255.9 Página 145 -p. such as our local networks or network segments behind the firewall. It works pretty much the same as the --source match and has the same syntax.1 The --destination match is used to match packets based on their destination address or addresses.1 IP address.168. which means to match all of the previous protocols.0.0. such as udp. is to assume a string value of +.0/24. --destination iptables -A INPUT -d 192.1. -i. The + string can also be used at the end of an interface. We could then match whole IP ranges. Examples of protocols are TCP.168.unix-fu.1. and eth+ would in other words match all ethernet devices.255. The line http://people.255.1.0.0.255.0 netmask. 192. If this match is given the numeric value of zero (0). as well as ALL.168. The protocol may also take a numeric value. Finally. --protocol Explanation iptables -A INPUT -p tcp This match is used to check for certain protocols. --destination ! 192. or in the number of ones (1's) counted from the left side of the netmask bits. If we would in other words use a match in the form of --source ! 192.168.Iptables Tutorial 1.168. The default is to match all IP addresses.0.255. The command may also take a comma delimited list of protocols. it means ALL protocols.html 21:25:51 10/06/2002 . We could also inverse the match with an ! just as before.255.x range.0. -d.0). This match can also be inversed with the ! sign. --in-interface iptables -A INPUT -i eth0 This match is used to match based on which interface the packet came in on. --source iptables -A INPUT -s 192. in case the match is not specified. which in turn is the default behaviour in case the --protocol match is not used.0/255. A single + would in other words tell the kernel to match all packets without considering which interface it came in on. The + value is used to match a string of letters and numbers.168.1 This is the source match which is used to match packets based on their source IP address. such as 255 which would mean the RAW IP protocol.255 form (ie.168.255.x range.0/ 255. Note that this option is only legal in the INPUT. One way is to do it with an regular netmask in the 255.168.tcp which would match all UDP and TCP packets.255.168. We could also invert the whole match with an ! sign.

Such fragments of packets will not be matched by other rules when they look like this. --out-interface iptables -A FORWARD -o eth0 The --out-interface match is used to match packets depending on which interface they are leaving on. When this match is inversed. like this ! -f. in case you use connection tracking you will not see any defragmented packets since they are dealt with before hitting any chain or table in iptables. among other things. nor ICMP types. and not the second.Iptables Tutorial 1. you can use the ! sign in exactly the same sense as in the --ininterface match. in opposite of the --in-interface match. we match all head fragments and/or unfragmented packets. Also note that there are defragmentation options within the kernel that can be used which are really good. Implicit matches This section will describe the matches that are loaded implicitly.org/andreasson/iptables-tutorial/iptables-tutorial. There are currently three types of implicit matches that are loaded automatically for three different protocols. The + extension is understood so you can match all eth devices with eth+ and so on. it works pretty much the same as the --ininterface match. there is no way to tell the source or destination ports of the fragments. the default behaviour if this match is left out is to match all devices. The reason for this is that in the case of fragmented packets.html 21:25:51 10/06/2002 . and the same thing for ICMP packets. These are TCP matches. The TCP based matches contain a set of different matches that are available for only TCP packets. The other matches will be looked over in the continuation of this section. To inverse the meaning of the match. To use these matches you need to specify --protocol tcp on the command line before trying to use these matches. Other than this. after the TCP match section. Note that the --protocol tcp match must be to the left of the protocol specific matches. just as the UDP and ICMP matches are loaded implicitly. This option can also be used in conjunction with the ! sign. which would mean to match all incoming interfaces.1. UDP matches and ICMP matches. and so on.9 Página 146 would then have a syntax looking something like -i ! eth0. and UDP based matches contain another set of matches that are available only for UDP packets. What this means is that we match all the first fragments of a fragmented packets. except eth0. third. fragmented packets might in rather special cases be used to compile attacks against computers. -o. --fragment iptables -A INPUT -f This match is used to match the second and third part of a fragmented packet.unix-fu. We also match all packets that has not been fragmented during the transfer. TCP matches These matches are protocol specific and are only available when working with TCP packets and streams. fragments. in this case the ! sign must precede the match. and hence this match was created. http://people. -f. FORWARD and POSTROUTING chains. As a secondary note. Also. There is also explicitly loaded matches that you must load explicitly with the -m or -match option which we will go through later on in the next section. however. These matches are loaded implicitly in a sense. Of course. Note that this match is only available in the OUTPUT. regardless of where the packet is going. Implicit matches are loaded automatically when we tell iptables that this rule will match for example TCP packets with the --protocol match.

the service name must be in the / etc/services file since iptables uses this file to look up the service name in. And if the last port specification is omitted. look at the multiport match extension. Note that this match does not handle multiple separated ports and port ranges.ACK. It understands port and port range specifications. TCP matches Match Example Explanation --sport. If we would write --source-port 22: we would in turn get a port specification that tells us to match all ports from port 22 through port 65535. or turned on. it would be understood just the same as --source-port 22:80. --destination-port iptables -A INPUT -p tcp --dport 22 This match is used to match TCP packets depending on its destination port.9 Página 147 Table 5. port 65535 is assumed. FIN. If you are writing a ruleset consisting of a 200 rules or more. The match will also assume the values of 0 or 65535 if the high or low port is left out in a port range specification. as well as inversions. which in turn would mean that we want to match all ports but port 22 through 80. --tcp-flags iptables -p tcp --tcp-flags SYN. you should definitely do this by port numbers since you will be able to notice the difference(On a slow box. RST. --dport. The match knows about the SYN. The inversion could also be used together with a port range and would then look like --source-port ! 22:80. If we omit the first port specification.unix-fu. For more information about this.Iptables Tutorial 1. PSH http://people. We could also invert a match by adding a ! sign like --source-port ! 22 which would mean that we want to match all ports but port 22. look at the multiport match extension.FIN SYN This match is used to match depending on the TCP flags in a packet. it could be a little bit harder to read in case you specify the numeric value. This match can either take a service name or a port number. the entry of the rule will be slightly faster since iptables don't have to check up the service name. iptables automatically reverses the inversion. If we inversed the port specification in the port range so the highest port would be first and the lowest would be last. however. If you specify a service name. This example would match all source ports between 22 and 80. The --source-port match can also be used to match a whole range of ports in this fashion --source-port 22:80 for example.1. URG. Both lists should be comma-delimited. Note that this match does not handle multiple separated ports and port ranges. If you specify the port by port number.html 21:25:51 10/06/2002 . exactly the same as -source-port in syntax. ACK. First of all the match takes a list of flags to compare (a mask) and second it takes list of flags that should be set to 1. --source-port :80 would then match port 0 through 80. In other words. For more information about this.org/andreasson/iptables-tutorial/iptables-tutorial. the port 0 is assumed to be the one we mean. It uses exactly the same syntax as the --source-port match. It does also reverse high and low ports in a port range specification if the high port went into the first spot and the low port into the last spot. If a source port definition looked like -source-port 80:22. --source-port iptables -A INPUT -p tcp --sport 22 The --source-port match is used to match packets based on their source port. this could make as much as 10 seconds if you are running a large ruleset consisting of 1000 rules or so).

Also note that the comma delimitation should not include spaces. This command would in other words be exactly the same as the --tcp-flags SYN. Such packets are used to request new TCP connections from a server mainly. they are simply lost (Not taking ICMP error messaging etcetera into account).org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . Note that the state machine will work on all kinds of packets even though UDP or ICMP packets are counted as connectionless protocols. --tcp-option iptables -p tcp --tcp-option 16 This match is used to match packets depending on their TCP options. such as open or closing a connection. Note that UDP packets are not connection oriented. These matches are implicitly loaded when you specify the --protocol UDP match and will be available after this specification. way. --tcp-flags ALL NONE would in other words mean to check all of the TCP flags and match if none of the flags are set. This match is used to match packets if they have the SYN bit set and the ACK and FIN bits unset. you should have effectively blocked all incoming connection attempts. There will be more about the state machine in a future chapter. If they are lost. or if they are just simply supposed to send data. and for ease of traversing from one to the other. hack a legit service and then make a program or such make the connect to you instead of setting up an open port on your host).unix-fu. you will not have blocked the outgoing connections which a lot of exploits today uses (for example. UDP matches This section describes matches that will only work together with UDP packets. --syn iptables -p tcp --syn The --syn match is more or less an old relic from the ipchains days and is still there out of compatibility reasons. UDP packets do not require any kind of acknowledgement either. This would tell the match to match all packet with the FIN or the ACK bits set. ALL means to use all flags and NONE means to use no flags for the option it is set. however. and hence there is no such thing as different flags to set in the packet to give data on what the datagram is supposed to do. The correct syntax could be seen in the example above. The state machine works pretty much the same on UDP packets as on TCP packets. ALL and NONE is pretty much self describing. --source-port iptables -A INPUT -p udp --sport 53 http://people. Table 6. UDP matches Match Example Explanation --sport. This match can also be inverted with the ! sign in this.1.9 Página 148 flags but it also recognizes the words ALL and NONE.FIN SYN match. This option can also be inverted with the ! sign. ! --syn.ACK.Iptables Tutorial 1. If you block these packets. in other words packets in an already established connection. This means that there is quite a lot less matches to work with on a UDP packet than there is on TCP packets.

It has support for port ranges. One example is if we try to access an unaccessible IP adress. port 0 is assumed. For more information about this. port 65535 is assumed. among other things.unix-fu. To make a UDP port range you could do 22:80 which would match UDP ports 22 through 80. single ports and inversions. the match can understand service names as long as they are available in the /etc/services file.html 21:25:51 10/06/2002 . to invert this we could do --destination-port ! 53. For more information about this. If the second port is omitted. The match is used to match packets based on their UDP destination port.1. Table 7. --destination-port iptables -A INPUT -p udp --dport 53 The same goes for this match as for the UDP version of --source-port. The first would match all UDP packets going to port 53 while the second would match packets but those going to the destination port 53. There is only one ICMP specific match available for ICMP packets. look at the multiport match extension. To specify a port range. The ICMP protocol is mainly used for error reporting and for connection controlling and such features. it is exactly the same as the equivalent TCP match. Of course. Note that this match does not handle multiple separated ports and port ranges. If the last port is omitted. ICMP matches Match Example Explanation --icmp-type http://people. single ports and port inversions with the same syntax.9 Página 149 This match works exactly the same as its TCP counterpart. Note that this match does not handle multiple ports and port ranges. --source-port ! 53 fashion. To invert the port match. so we can know source and destination adress too. To match a single port we do --destination-port 53. ICMP is not a protocol subordinated to the IP protocol. If the first port is omitted. but will work with UDP packets instead. Single UDP port matches look as in the example above. If the high port comes before the low port. they automatically switch place so the low port winds up before the high port. port 0 is assumed. These packets are even worse than UDP packets in the sense that they are connectionless.For a complete listing of ICMP types. but contains differences. port 65535 is assumed. If the high port is placed before the low port. The main feature of this protocol is the type header which tells us what the packet is to do. the ports switch place with eachother automatically. Note that all the generic matches can also be used. we would do --destination-port 22:80 for example. we would get an ICMP host unreachable in return. The match handles port ranges. It is used to perform matches on packets based on their source UDP ports. This would match all ports but port 80. but more of a protocol beside the IP protocol that helps handling errors.org/andreasson/iptables-tutorial/iptables-tutorial. and hopefully this should suffice. This example would match all packets destined for UDP port 22 through 80. If the first value is omitted. add a ! sign in this.Iptables Tutorial 1. ICMP matches These are the ICMP matches. look at the multiport match extension. This match is implicitly loaded when we use the --protocol ICMP match and we get access to it automatically. see the ICMP types appendix. --dport. The headers of a ICMP packet are very similar to those of the IP headers.

Numerical values are specified in RFC 792. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX. FORWARD and INPUT chains and nowhere else. else it will not be legal.1. while explicitly loaded matches will not be loaded automatically in any case and it is up to you to activate them before using them. To find a complete listing of the ICMP name values.html 21:25:51 10/06/2002 . fashion. do a iptables --protocol icmp --help. or check the ICMP types appendix. The difference between implicitly loaded matches and explicitly loaded ones is that the implicitly loaded matches will automatically be loaded when you. MAC match Table 8. however. This match is also only valid in the PREROUTING. redirect packets to the wrong places. --icmp-type ! 8. you could use this to match all packets http://people. and others again may be "dangerous" for a simple host since they may. ICMP types can be specified either by their numeric values or by their names. we would have to write -m state to the left of the actual match using the state matches. Limit match The limit match extension must be loaded explicitly with the -m limit option. this match will only be possible to use on ethernet based networks. match TCP packets.unix-fu. Note that since MAC addresses are only used on ethernet type networks.9 Página 150 iptables -A INPUT -p icmp --icmp-type 8 This match is used to specify the ICMP type to match. Some of these matches may be specific to some protocols. For example. Explicit matches Explicit matches are matches that must be specifically loaded with the -m or --match option. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01. This match can also be inverted with the ! sign in this. This would in other words reverse the meaning of the match so all packets except packets from this MAC address would be matched. Note that some ICMP types are obsolete. or was created for testing/experimental use or plainly to show examples of what could be accomplished with iptables. If we would like to use the state matches for example. among other things.org/andreasson/iptables-tutorial/iptables-tutorial. This in turn means that all these matches may not always be useful. MAC match options Match Example Explanation --mac-source iptables -A INPUT --mac-source 00:00:00:00:00:01 This match is used to match packets based on their MAC source address.Iptables Tutorial 1. for example. This match is excellent to use to do limited logging of specific rules etcetera. they should mostly be useful since it all depends on your imagination and your needs.

The limit match may also be inversed by adding a ! flag in front of the limit match explicit loading.org/andreasson/iptables-tutorial/iptables-tutorial. This number gets recharged by one every time the limit specified is not reached. as you can see in the example. it would then look like -m ! limit. Multiport match options Match Example Explanation --source-port iptables -A INPUT -p tcp -m multiport --source-port 22.html 21:25:51 10/06/2002 . What this means. The ports must be comma delimited. but there are more usages. Table 9. This tells the limit match how many times to let this match run per timeunit (ie /minute). --limit-burst iptables -A INPUT -m limit --limit-burst 5 This is the setting for the burst limit of the limit match. of course. up to this number. The default value is 5.53. Table 10.110 This match matches multiple source ports. or 3/hour. This match is specified with a number and an optional time specifier.unix-fu. is that when we add this match we limit how many times a certain rule may be matched in a certain timeframe. Multiport match The multiport match extension can be used to specify more destination ports and port ranges than one.1. The following time specifiers are currently recognised: /second /minute / hour /day. The default value here is 3 per hour. and get limited logging of this. send me a mail and I'll try to make this more understandable). It tells iptables the maximum initial number of packets to match. This is its main usage.9 Página 151 that goes over the edge of a certain chain.80. This match may only be used in http://people. (If anyone got a good/better and simpler explanation than this. Limit match options Match Example Explanation --limit iptables -A INPUT -m limit --limit 3/hour This sets the maximum average matching rate of the limit match.Iptables Tutorial 1. This means that all packets will be matched after they have broken the limit. A maximum of 15 separate ports may be specified. which would sometimes mean you would have to make several rules looking exactly the same just to match different ports.

it is logically ANDed with the mark specified before the actual comparison. you are probably not going to run into this limit in quite some time. Note that this means that it will only match packets that comes from. It works exactly the same way as the source port match mentioned just above. It can take a maximum of 15 ports specified to it in one argument. If this mark field matches the mark match it is a match.80. In other words. It works the same way as the --source-port and --destination-port matches above. with or without the packet.110 This match extension can be used to match packets based both on their destination port and their source port.53. It can only be used in conjunction with -p tcp and -p udp. --mark 1/1. If a mask is specified. As of today. namely the MARK target in iptables. this is why people still refer to FWMARK in advanced routing areas. except that it matches destination ports. port 80 to port 80 and if you have specified port 80 to the --port match. hence there can be a maximum of 65535 different marks. there is only one way of setting a mark in Linux. The mark specification would then look like. They may be used by different kernel routines for such tasks as traffic shaping and filtering. A mark is a special field only maintained within the kernel that is associated with the packets as they travel through the computer. All packets traveling through netfilter gets a special mark field associated with them.110 This match is used to match multiple destination ports.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. Table 11. It has a maximum specification of 15 ports and may only be used in conjunction with -p tcp and -p udp. The mark field is currently set to an unsigned integer.9 Página 152 conjunction with the -p tcp or -p udp matches. hence the limit of 65535 possible marks to use within your ruleset. for example. http://people. Mark match The mark match extension is used to match packets based on the marks they have set. Mark match options Match Example Explanation --mark iptables -t mangle -A INPUT -m mark --mark 1 This match is used to match packets that have previously been marked. This was previously done with the FWMARK target in ipchains. It is mainly an enhanced version of the normal --sourceport match.80. for example. Marks can be set with the MARK target which we will discuss a bit more later on in the next section.53. the actual computer itself. --destination-port iptables -A INPUT -p tcp -m multiport --destination-port 22.unix-fu. Note that this mark field does not in any way travel outside. The mark field is an unsigned integer. --port iptables -A INPUT -p tcp -m multiport --port 22. You may also use a mask with the mark.1.Iptables Tutorial 1.

Owner match options Match Example Explanation --uid-owner iptables -A OUTPUT -m owner --uid-owner 500 This packet match will match if the packet was created by the given User ID (UID). This extension was originally written as an example on what iptables might be used for. --pid-owner iptables -A OUTPUT -m owner --pid-owner 78 This match is used to match packets based on their Process ID (PID) and which PID created the packets.9 Página 153 Owner match The owner match extension is used to match packets based on who created them.unix-fu. for obvious reasons. never match. Notorious packets of that sort is different ICMP responses among other things. It is pretty much impossible to find out any information about who sent a packet on the other end.Iptables Tutorial 1. or we could write a small script that grabs the PID from a ps output for a specific daemon and then adds a rule for it.org/andreasson/iptables-tutorial/iptables-tutorial. Table 12. ICMP responses will. One possible use would be to block any other user than root to open new connections outside your firewall. hence. or as described above to only allow "httpgroup" to be able to create packets going out on the HTTP port. This could be used to block all but the users part of the "network" group from getting out onto the internet. or if we where an intermediate hop to the real destination. or another possible use could be to block everyone but the httpuser from creating packets from HTTP.1. http://people. I would love to hear what they used it for and how they did it).html 21:25:51 10/06/2002 . Even within the OUTPUT chain it is not very reliable since certain packets may not have an owner. (If anyone has actually used this match for a production server. If anyone have an idea for the usage of this match. --sid-owner iptables -A OUTPUT -m owner --sid-owner 100 This match is used to match packets based on their Session ID and the Session ID used by the program in question. --gid-owner iptables -A OUTPUT -m owner --gid-owner 0 This match is used to match all packets based on their Group ID (GID). This match only works within the OUTPUT chain as it looks today. please give me a note of it and of other possible uses. but one example would be to only allow PID 94 to send packets on the HTTP port. This could be used to match outgoing packets based on who created them. This means that we match all packets based on what group the user creating the packets are in. This match is a bit harder to use.

nor will it take care of all unclean packages or problems. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid. ESTABLISHED. including stateless protocols such as ICMP and UDP. TOS match http://people. or that it is associated with a connection that has not seen packets in both directions. NEW means that the packet has or will start a new connection. For more information on how this could be used. hence. Finally.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. Unclean match The unclean match takes no options and requires no more than explicit loading when you want to use it. State matches Match Example Explanation --state iptables -A INPUT -m state --state RELATED.ESTABLISHED This match option tells the state match what states the packets must be in to be matched. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should. You will then have access to one new match. This match needs to be loaded explicitly by adding a -m state statement to the rule. there may be times where this could be useful.1. There is currently 4 states that can be used. In all cases. This allows us to know in what state the connection is. INVALID. and works for pretty much all protocols. This concept will be more deeply introduced in a future chapter since it is such a large area. NEW and RELATED. However. This could be used to DROP connections and to check for bad streams etcetera. RELATED means that the packet is starting a new connection and is associated with an already established connection. not be considered very good in cases where we have only one firewall and no load balancing between different firewalls. Table 13.unix-fu. Note that this option is regarded as experimental and may not work at all times. however you should be aware that this may break legal connections too. INVALID means that the packet is associated with no known stream or connection and that it may contain faulty data or headers. This match tries to match packets which seems malformed or unusual. read in the future chapter on the state machine.9 Página 154 State match The state match extension is used in conjunction with the connection tracking code in the kernel and allows access to the connection tracking state of the packets. This could for example mean an FTP data transfer. there will be a default timeout for the connection and it will then be dropped from the connection tracking database. or an ICMP error associated with an TCP or UDP connection for example. such as packets with bad headers or checksums and so on.html 21:25:51 10/06/2002 .

If the TTL reaches 0. or possibly one of the names given if you do an iptables -m tos -h. as well as in all kinds of matches.9 Página 155 The TOS match can be used to match packets based on their TOS field. some good protocols that would fit with this TOS values would be BOOTP and TFTP. Some good protocols that would use this would be RTSP (Real Time Stream Control Protocol) and other streaming video/radio protocols. or it needs to be able to send as much payload as possible). ie find the fastest route. This could be used for. you need to add an -m ttl to the rule. Maximize-Reliability means to maximize the reliability of the connection and to use lines that are as reliable as possible. among other things.1. and what kind of content it has(not really. an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is transmitted to the party sending the packet and telling about the problem.html 21:25:51 10/06/2002 . Maximize-Throughput means to find a path that allows as big throughput as possible. Table 15. but it tells us if there is any specific requirements for this stream such as that it needs to be sent as fast as possible. At the time of writing it contained the following named values: Minimize-Delay 16 (0x10). This match is loaded explicitly by adding -m tos to the rule. Minimize-Delay means to minimize the delay until the packets gets through all the way to the client/server.unix-fu. a standard protocol would be FTP-data. Maximize-Reliability 4 (0x04). This is true here. Table 14. Normal-Service would finally mean any normal protocol that has no special needs for their transfers. TOS stands for Type Of Service. Minimize-Delay means to minimize the delay for the packets. The match takes an hex or numeric value as an option. Most do not care at all. and Normal-Service 0 (0x00). SSH and FTP-control. example of standard protocols that this includes are telnet. TTL match The TTL match is used to match packets based on their TTL (Time To Live) field residing in the IP header.org/andreasson/iptables-tutorial/iptables-tutorial. to mark packets for later usage together with the iproute2 and advanced routing functions in linux. and is located in the IP header. it can match packets based on their TOS field and their value. To load this match. TOS matches Match Example Explanation --tos iptables -A INPUT -p tcp -m tos --tos 0x16 This match is used as described above. consists of 8 bits. Minimize-Cost 2 (0x02). The TTL field contains 2 bits and is decremented once every time it is processed by an intermediate host between the client and host. TOS is normally used to tell intermediate hosts the preceeding of the stream. How different routers and people deal with these values depends. TTL matches http://people. This match is only used to match packets based on their TTL.Iptables Tutorial 1. Maximize-Throughput 8 (0x08). while others try their best to do something good with the packets in question and the data they provide. and not to change anything.

We could then add a jump target to it like this: iptables -A INPUT -p tcp -j tcp_packets. Good examples of such rules are DROP and ACCEPT. This target could be used for debugging your local network. This may be good in cases where we want to take two actions on the same packet. One example. The usage is pretty much limited.9 Página 156 Command Example Explanation --ttl iptables -A OUTPUT -m ttl --ttl 60 This match option is used to specify which TTL value to match.1. There is also a number of other actions we may want to take which we will describe further on in this section. As we have already explained before. do note that the packet will traverse all other chains in the other tables in a normal fashion.html 21:25:51 10/06/2002 . it is required that the chain has already been created. DROP or ACCEPT the packet depending on what we want to do. For more information on table and chain traversing. There is no inversion and there is no other specifics to this match. we get dropped back to the INPUT chain and the packet starts traversing from the rule one step below where it jumped to the other chain (tcp_packets in this case). will not pass through any of the rules further on in the chain or superset chains. a chain is created with the -N command. or due to a malconfiguration). see the Traversing of tables and chains chapter. Other targets. for example hosts which seems to have problems connecting to hosts on the internet. let's say we create a chain in the filter table called tcp_packets like this: iptables -N tcp_packets. We would then jump from the INPUT chain to the tcp_packets chain and start traversing that chain. Targets may also end with different results one could say. some targets will make the packet stop traversing the specific chain and superset chains as described above. DNAT and SNAT targets. it is only your imagination which stops you. before we do that. would be to find hosts with bad TTL values set as default (may be due to badly implemented TCP/IP stack. it will automatically be ACCEPT'ed in the superset chain also and it will not traverse any of the superset chains any further. However. To jump to a specific chain. or to find possible infestations of trojans etcetera. Rules that are stopped. When/If we reach the end of that chain. however. a good example of this would be the LOG. For example. However. as described above. We could for example. the ACCEPT and DROP targets which we will deal with first of all targets. It takes an numeric value and matches based on this value. Network Address Translationed and then be passed on to the other rules in the same chains. The jump specification is done exactly the same as the target definition except that it requires a chain within the same table to jump to.org/andreasson/iptables-tutorial/iptables-tutorial. Some targets will also take options that may be necessary (What address to do NAT to. Targets on the other hand specify an action to take on the packet in question. let us have a brief look at how a jump is done. These packets may be logged. what TOS value to use etcetera) while others have options not http://people.unix-fu. Targets/Jumps The target/jumps tells the rule what to do with a packet that is a perfect match with the match section of the rule. If a packet is ACCEPT'ed within one of the subchains.Iptables Tutorial 1. There is a few basic targets. such as both mangling the TTL and the TOS value of a specific packet/stream. may take an action on the packet and then the packet will continue passing through the rest of the rules anyway.

Let us have a look at what kinds of targets there are. the packet will not be processed in any of the above chains in the structure either.unix-fu.Iptables Tutorial 1. Do note. to add options to the target. for example the INPUT chain. but available in any case (log prefixes.9 Página 157 necessary. the packet will continue to travel through the above chains in the structure as if nothing had happened. We will try to answer all these questions as we go in the descriptions. There is nothing special about this target whatsoever. ACCEPT target This target takes no special options first of all. To use this target. When a packet is perfectly matched and this target is set. and it does not require. it drops packets dead to the ground and refuses to process them anymore. or have the possibility. A better solution would be to use the REJECT target in those cases. either to tell the client or the server as told previously. If the chain is the main chain. that packets that was accepted in one chain will still travel through any subsequent chains within the other tables and may be dropped there. the packet will http://people. Note that this action may be a bit bad in certain cases since it may leave dead sockets around on the server and client. DROP target The DROP target does just what it says. masquerade to ports and so on). especially when you want to block certain portscanners from getting to much information. QUEUE target Table 16. The target will not send any kind of information in either direction. we specify it like -j ACCEPT.1. such as filtered ports and so on.org/andreasson/iptables-tutorial/iptables-tutorial. QUEUE target Option Example Explanation Option Example Explanation RETURN target The RETURN target will make the current packet stop travelling through the chain where it hit the rule. Also note that if a packet has the DROP action taken on them in a subchain. If it is a subchain to another chain. A packet that matches a rule perfectly and then has this action taken on it will be blocked and no further processing will be done. nor any of the calling chains. it is accepted and will not continue traversing the chain where it was accepted in.html 21:25:51 10/06/2002 .

lets say a packet enters the INPUT chain and then hits a rule that it matches and that gives it --jump EXAMPLE_CHAIN. Normally there are the following log levels.Iptables Tutorial 1.1. Table 17. The LOG target currently takes five options that may be interesting to use in case you have specific needs for more information. Also note that it may be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall since this may otherwise cause severe connectivity problems for your users.=info /var/log/iptables in your syslog. In other words. It would then be dropped to the default policy as previously described.9 Página 158 have the default policy taken on it. which in this case would be the INPUT chain. alert. error. All messages are logged through the kernel facility. LOG target options Option Example Explanation --log-level iptables -A FORWARD -p tcp -j LOG --log-level debug This is the option that we can use to tell iptables and syslog which log level to use.unix-fu. emerg and panic. in other words do not use error. err. notice.conf. crit. and no more actions would be taken in this chain. but instead a problem of your syslogd configuration which you may find in /etc/syslog. For example. Note that all three of these are deprecated.org/andreasson/iptables-tutorial/iptables-tutorial.conf for information about these kind of problems. They are all listed below. LOG target The LOG target is specially made to make it possible to log snippets of information about packets that may be illegal. or want to set different options to specific values. info. The priority defines the severity of the message being logged. Note that it is not a iptables or netfilter problem in case you get your logs to the consoles or likely.conf manual. This information may then be read with dmesg or syslogd and likely programs and applications. warn. and all of a sudden it matches a specific rule which has the --jump RETURN target set. or for pure bughunting and errorfinding.conf file http://people. Also note that the ULOG target may be interesting in case you are getting heavy logs. The LOG target will log specific information such as most of the IP headers and other interesting information via the kernel logging facility. warn and panic. It will then jump back to the previous chain. warning. This is an excellent target to use while you are debugging your rulesets to see what packets go where and what rules are applied on what packets. Read more in man syslog.html 21:25:51 10/06/2002 . The keyword error is the same as err. For a complete list of loglevels read the syslog. The packet will then start traversing the EXAMPLE_CHAIN. Another example would be if the packet hit a --jump RETURN rule in the INPUT chain. since the ULOG target has support for logging directly to MySQL databases and such. The default policy is normally set to ACCEPT or DROP or something the like. warn is the same as warning and panic is the same as emerg. or priorities as they are normally referred to: debug. setting kern.

For more information on advanced routing. These logging messages may be valuable when trying to debug or finding out specific culprits and what goes wrong. The prefix may be up to 29 letters long. for example. These may be valuable when trying to debug what may go wrong and what has gone wrong. --log-prefix iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets" This option tells iptables to prefix all log messages with a specific prefix which may then be very good to use together with.conf manpages as well as other HOWTO's etcetera. This target is only valid in the mangle table. just as most of the LOG options. or by the world for that matter. but is an value that is associated within the kernel with the packet. just the same as the previous option. --log-tcp-options iptables -A FORWARD -p tcp -j LOG --log-tcp-options The --log-tcp-options option will log the different options from the TCP packets header. http://people.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. Note that this option is a security risk if the log is readable by any users. The TCP Sequence number are special numbers that identify each packet and where it fits into a TCP sequence and how the stream should be reassembled. --log-tcp-sequence iptables -A INPUT -p tcp -j LOG --log-tcp-sequence This option will log the TCP Sequence numbers together with the log message.1. Note that the mark value is not set within the actual package. This option takes no variable fields or anything like that. MARK target The MARK target is used to set netfilter mark values that are associated with specific packets. check out the LARTC HOWTO.9 Página 159 and then letting all your LOG messages in iptables use log level info.html 21:25:51 10/06/2002 . etcetera. including whitespace and those kind of symbols. In other words. For more information on logging I recommend you to read the syslog and syslog. but instead works on the IP options.Iptables Tutorial 1. you will be better off with the TOS target which will mangle the TOS value in the IP header. This works exactly thesame as the --log-tcp-options option. you may not set a MARK for a package and then expect the MARK to still be there on another computer. Any log that is. --log-ip-options iptables -A FORWARD -p tcp -j LOG --log-ip-options The --log-ip-options option will log most of the IP packet header options. The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc). If this is what you want. would make all messages appear in the /var/log/iptables file. grep and other tools to distinguish specific problems and outputs from specific rules. which may contain logging messages from iptables. Note that there may be other messages here as well from other parts of the kernel that uses the info priority. and will not work outside there.

Once we get a packet that matches a specific rule and we specify this target. else they won't work. For example.9 Página 160 Table 18. limiting or unlimiting their network speed etcetera. Finally. The --set-mark match takes an integer value. There currently is only one option which controls the nature of how this target works. the http://people. or on all packets from a specific host and then do advanced routing on that host. The default error message is to send an port-unreachable to the host. which in turn may take a huge set of variables. and then the packet is dropped dead to the ground. There are currently the following reject types that can be used: icmp-net-unreachable. icmp-net-prohibited and icmphost-prohibited. All of the above are ICMP error messages and may be set as you wish. The REJECT target is as of today only valid in the INPUT. REJECT target Option Example Explanation --reject-with iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset This option tells the REJECT target what response to send to the host that sent the packet that we found to be a match. which would also be the only chains where it would make any sense to put this target in. icmp-host-unreachable.org/andreasson/iptables-tutorial/iptables-tutorial. just the same as with the DROP target. the target will first of all send the specified reply. Table 19. Most of them are fairly easy to understand if you have a basic knowledge of TCP/IP.unix-fu. FORWARD. REJECT target The REJECT target works basically the same as the DROP target. MARK target options Option Example Explanation --set-mark iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2 The --set-mark option is required to set a mark. FORWARD and OUTPUT chain or subchains of those chains. There is also an option called echo-reply. there is one more option called tcp-reset which may only be used together with the TCP protocol.Iptables Tutorial 1. we may set mark 2 to a specific stream of packets. and OUTPUT chains. Note that the chains that uses the REJECT target may only be called upon by the INPUT. but this option may only be used in conjunction with rules which would match ICMP ping packets. icmp-proto-unreachable.html 21:25:51 10/06/2002 . and you may get some more information by looking in the appendix ICMP types. but it also sends back an error message to the host sending the packet that was blocked.1. icmp-portunreachable.

or in hex 0x00-0xFF. Also note that some old versions (1. At best the routers will do nothing with the TOS field. hex value 0x04). hex value 0x10).2.Transmission Control Protocol. The TOS field consists of 8 bits which are used to route packets. Table 20. These values are Minimize-Delay (decimal value 16. which won't accept your mail otherwise. For more information about the TCP RST read RFC 793 . Note that this target is only valid within the mangle table and can not be used outside it. this is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts.9 Página 161 tcp-reset option will tell REJECT to send an TCP RST packet in reply to the sending host. TOS target The TOS target is used to set the Type of Service field within the IP header. and they will not even look at them. and hence rendered the packets bad and in need of retransmission. hex 0x02) or Normal-Service (decimal value 0. As stated previously. however. Note that most of these values will never be used by anyone on the internet so you may be better of by using the named values available (which should be more or less standardized). there is most definitely a good use if you have a large WAN or LAN with several routers and actually have the possibility to give packets different routes and preference depending on their TOS value. the value may be 0-255. which in turn most probably would be mangled and the connection would never work. The option takes a numeric value. hex value 0x08). TOS target Option Example Explanation --set-tos iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 The --set-tos option tells the TOS mangler what TOS value to set on packets that are matched. Also note that if you handle several separate firewalls and routers. The default value on most packets http://people. MaximizeReliability (decimal value 4. you should hence set the TOS field which was developed for this. Maximize-Throughput (decimal value 8.html 21:25:51 10/06/2002 .2 or below) of iptables provided a broken implementation of this target which would not fix the packet checksum upon mangling. At worst. this is the only way to propagate routing information between these routers and firewalls within the actual packet. There are currently a lot of routers on the internet which does a pretty bad job at this so it may be a bit useless as of now to do any TOS mangling before sending the packets on to the internet. the MARK target which sets a MARK associated with a specific packet is only available within the kernel. Minimize-Cost (decimal value 2.org/andreasson/iptables-tutorial/iptables-tutorial. As the TOS value consists of 8 bits. As noted before. The TOS target only takes one option as described below. This is one of the few fields that can be used within iproute2 and its subsystem to route packets. at least within your own network. and can not be propagated with the packet. As stated in the iptables man page. hex value 0x00). TCP RST are used to close open connections gracefully. they will look at the TOS field and do the wrong thing based on the information. either in hex or in decimal value.Iptables Tutorial 1.1.unix-fu. If you feel a need to propagate routing information on how to do routing for a specific packet or stream.

do an iptables -j TOS -h. or 0. For example.html 21:25:51 10/06/2002 . Also note that the outgoing packets created by the MIRROR target is not seen by any of the normal chains in the filter. However. which means that this target will rewrite the Source IP address in the IP header of the packet. The SNAT target is only valid within the nat table. which would be our firewall. then all future packets in the same connection will also be SNAT'ed and. and I would be quite sure that someone has had a good laugh at some cracker or another that has cracked his own box via this target by now. SNAT target The SNAT target is used to do Source Network Address Translation. use the actual names instead of the actual hex values to set up the TOS value. noone on the internet would know that they where actually from us. Note that you can. Not bad for a cracker in other words to send 1500 bytes of data. This listing is complete as of iptables 1. The result of this target is really simple.com. Without doing this. If we forwarded these packets as is. The MIRROR target is used to invert the source and destination fields in the IP header. since our local networks should use the IANA specified IP addresses which are allocated for LAN networks. and eat up 380 kbyte of your connection. If the first packet in a connection is mangled in this fashion. and you should be warned of using this since it may result in really bad loops. This is in other words the only place that you may do SNAT in. Note that this is a best case scenario for the cracker or scriptkiddie. and then to retransmit the packet.org/andreasson/iptables-tutorial/iptables-tutorial.1. depending on how many hops there is between them. and then set an SNAT rule which would translate all packets from our local network to the source IP of our own internet connection. of course. NAT or mangle tables to avoid loops and other problems. If there is only 1 hop. and tried to access the HTTP server at computer A. We could then turn on ip forwarding in the kernel. the outside world would not know where to send reply packets. The packet will then bounce back and forth a huge set of times. and it should generally be recommended since the values behind the names may be changed if you are unlucky.9 Página 162 are Normal-Service. If computer B would be coming from yahoo. FORWARD and PREROUTING chains.2. within the POSTROUTING chain. this is good when we want several computers to share an internet connection. and see to it that the packet is spoofed so it looks as if it comes from another host that uses the MIRROR command. letting all packets leaving our LAN look as if they came from a single host. Note that the MIRROR target is only valid within the INPUT. among other things. no further processing of rules in the POSTROUTING chain will be commenced on the packets in the same stream. The SNAT target does all the translation needed to do this kind of work. this does not make the target free of any likely problems. the packet will jump back and forth 240-255 times.unix-fu.Iptables Tutorial 1. the MIRROR target would make so computer B got the webpage at yahoo. One thing would for example be to send a spoofed packet to a host that uses the MIRRORcommand with a TTL of 255. whichever we want to call them. Lets say we set up a MIRROR target for port 80 at computer A. and any user-defined chains which are only called from those chains. For a complete listing of the "descriptive values". MIRROR target The MIRROR target is an experimental demonstration target only.5 and should hopefully be so for another period of time.com back (since this is where he came from). http://people. hence resulting in a bad kind of Denial of Service. also. This results in some really funny things.

If we want to balance between several IP addresses we could use an range of IP addresses separated by a hyphen.1. but no real IP to give it that will work on the internet. Note that this has nothing to do with destination ports. If a packet is matched.155-194.org/andreasson/iptables-tutorial/iptables-tutorial. This target can be extremely useful.50. DNAT target http://people.236. and a single stream would always use the same IP address for packets within that stream.html 21:25:51 10/06/2002 .50. 194. for example. for example. All the source ports would then be mapped to the ports specified. iptables will always try to not make any port alterations if it is possible. it would then look like.160 as described in the example above. then all source ports below 512 will be mapped to other ports below 512 if needed. This would hence look as within the example above. such as the POSTROUTING chain. and then routed on to the correct device. Table 22. host or network.unix-fu. on to the real webserver within the LAN.9 Página 163 Table 21.50. This option.Iptables Tutorial 1. so if a client tries to make contact with an HTTP server outside the firewall. There may also be an range of ports specified that should only be used by SNAT. Those between source ports 512 and 1023 will be mapped to ports below 1024. it will not be mapped to the FTP control port. when you have an host running your webserver inside a LAN. and the DNAT mechanism will choose the destination IP address at random for each stream. takes one IP address to which we should transform all the source IP addresses in the IP header. SNAT target Option Example Explanation --to-source iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194. and any of the chains called upon from any of those listed chains. at it simplest. We may also specify a whole range of destination IP addresses. As previously stated. and all subsequent packets in the same stream will be translated.160:1024-32000 The --to-source option is used to specify which source the packets should use.155194. and this is the target of the rule.50. All other ports will be mapped to 1024 or above. but if two hosts tries to use the same ports. You could then tell the firewall to forward all packets going to its own HTTP port. If no port range is specified. the packet. iptables will map one of them to another port.236.236. we will be able to deal with a kind of load balancing by doing this. which means that it is used to rewrite the Destination IP address of a packet. iptables will always try to maintain the source ports used by the actual workstation making the connection.236. Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table. Hence. :102432000 or something alike. Note that chains containing DNAT targets may not be used from any other chains. The source IP would then be set randomly for each stream that we open. DNAT target The DNAT target is used to do Destination Network Address Translation.

If you have a static IP connection. that a single stream will always use the same host. as described previously.html 21:25:51 10/06/2002 . the syntax is pretty much the same for the DNAT target.168.1.org/andreasson/iptables-tutorial/iptables-tutorial. namely 192.9 Página 164 --to-destination Option iptables -t nat -A PREROUTING -p tcp -d 15. The MASQUERADE target takes on option specified below. an :80 statement to the IP addresses to which we want to DNAT the packets.1. and it is more or less idiotic to keep the entry around. for example. kill a specific interface. it is not favorable since it will add extra overhead.168. and where to send packets that are matched.1 through 10. In case we are assigned a different IP. The reason for this is that the MASQUERADE target was made to work with. A rule could then look like --to-destination 192. as for the SNAT target even though they do two totally different things. MASQUERADE target http://people.1:80-100 if we wanted to specify a port range.67 to a range of LAN IP's.168.23. for example. but it does not require any -to-source option. however. dialup connections. and that each stream will randomly be given an IP address that it will always be Destinated for. or DHCP connections. which is extremely good if we.1-192. swallowing up worthful connection tracking memory. The MASQUERADE target also has the effect that connections are forgotten when an interface goes down.10 Explanation The --to-destination option tells the DNAT mechanism which Destination IP to set in the IP header. and the IP address is automatically grabbed from the information about the specific interface.1. This is in general the correct behaviour when dealing with dialup lines that are probable to be assigned a different IP every time it is up'ed.1. or like --todestination 192. and there may be inconsistencies in the future which will thwart your existing scripts and render them "unusable". Note that the MASQUERADE target is only valid within the POSTROUTING chain in the nat table. just as the SNAT target. you should instead use the SNAT target. which gets dynamic IP addresses when connecting to the network in question.45. for example.67 --dport 80 -j DNAT --to-destination Example 192. we may have been left with a lot of old connection tracking data. within that stream. which is optional. Note. which would be lying around for days.1.168. It is still possible to use the MASQUERADE target instead of SNAT even though you do have an static IP. When you masquerade a connection.Iptables Tutorial 1. Do note that port specifications are only valid for rules that specify the TCP or UDP protocols with the --protocol option.1:80 for example. the connection is lost anyways. Table 23. This means that you should only use the MASQUERADE target with dynamically assigned IP connections.23.168.1. which we don't know the actual address of at all times. in which case we would always be connected to the same host. As you can see. MASQUERADE target The MASQUERADE target is used basically the same as the SNAT target. If we would have used the SNAT target.45. We could also have specified only one IP address. This is done by adding. it means that we set the IP address used on a specific network interface instead of the --to-source option.unix-fu. Also note that we may add an port or port range to which the traffic would be redirected to. The above example would send on all packets destined for IP address 15.

and who actively pursue this. or something alike. REDIRECT target The REDIRECT target is used to redirect packets and streams to the machine itself. where the LAN hosts do not know about the proxy at all.0. Table 24.unix-fu. will effectively http://people. Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. The --to-ports option is only valid if the rule match section specifies the TCP or UDP protocols with the --protocol match. REDIRECT target Option Example Explanation --to-ports iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 The --to-ports option specifies the destination port. and nowhere else. as above. Note that this option is only available in rules specifying the TCP or UDP protocol with the -protocol matcher. as described below. on our own host. It is also valid within user-defined chains that are only called from those chains. The REDIRECT target takes only one option. or port range. If we would want to specify an port range. Setting all TTL values to the same value.9 Página 165 --to-ports Option iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000 Example The --to-ports option is used to set the source port or ports to use on outgoing packets. Locally generated packets are mapped to the 127. to use.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid. for example. the destination port is never altered. This is specified. Without the --to-ports option.Iptables Tutorial 1. the lower port range delimiter and the upper port range delimiter separated with a hyphen. this rewrites the destination address to our own host for packets that are forwarded. we would do it like --toports 8080-8090. --to-ports 8080 in case we only want to specify one port. The REDIRECT target is extremely good to use when we want. This alters the default SNAT port-selection as described in the SNAT target section. One reason for doing this is if you have a bully ISP which don't allow you to have more than one machine connected to the same internet connection. Either you can Explanation specify a single port like --to-ports 1025 or you may specify a port range as --to-ports 1024-3000. transparent proxying. In other words. since it wouldn't make any sense anywhere else.0. One useful application of this is to change all Time To Live values to the same value on all outgoing packets.1. which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090. TTL target The TTL target is used to modify the Time To Live field in the IP header. In other words.1 address.

It's not too long. TTL target Option Example Explanation --ttl-set iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-set 64 The --ttl-set option tells the TTL target which TTL value to set on the packet in question. --ttl-dec iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-dec 1 The --ttl-dec option tells the TTL target to decrement the Time To Live value by the amount specified after the --ttl-decoption. The reason for this is that the networking code will automatically decrement the TTL value by 1. Table 25. it gives the hacker/cracker some good information about your upstreams if they have targeted you.Iptables Tutorial 1. http://people. and it is not too short. and the higher the TTL.unix-fu. Traceroutes are a loved and hated thing. and if we specified --ttl-inc 4. and nowhere else. This may be used to make our firewall a bit more stealthy to traceroutes among other things.txt.html 21:25:51 10/06/2002 . which it always does. as for the previous example of the --ttl-dec option. IF ANYONE HAS A GOOD USAGE FOR THIS OPTION. We may then reset the TTL value for all outgoing packets to a standardized value.txt script. since the packet may start bouncing back and forth between two misconfigured routers. see the ttl-inc. the packet would leave our host with a TTL value of 49. NOTIFY ME --ttl-inc iptables -t mangle -A PREROUTING -o eth0 -j TTL --ttl-inc 1 The --ttl-inc option tells the TTL target to increment the Time To Live value with the value specified to the --ttl-inc option. Do not set this value too high. from 53 to 49 in other words. which you may find within the Other resources and links appendix. In other words. This means that we should raise the TTL value with the value specified in the --ttlinc option. The TTL target is only valid within the mangle table.org/andreasson/iptables-tutorial/iptables-tutorial. hence the packet will be decremented by 4 steps. For more information on how to set the default value used in Linux.9 Página 166 make it a little bit harder for them to notify that you are doing this. the more bandwidth will be eaten unnecessary in such a case. all of them described below in the table. since they provide excellent information on problems with connections and where it happens. A good value would be around 64 somewhere. read the ip-sysctl. if the TTL for an incoming packet was 53 and we had set -ttl-dec 3. It takes 3 options as of writing this. Note that the same thing goes here.1. a packet entering with a TTL of 53 would leave the host with TTL 56. For a good example on how this could be used. where the network code will automatically decrement the TTL value by 1. we effectively make the firewall hidden from traceroutes. but at the same time. such as 64 as specified in Linux kernel. By setting the TTL one value higher for all incoming packets. since it may affect your network and it is a bit immoral to set this value to high.

There are 32 netlink groups. This target enables us to log information to MySQL databases. One or more userspace processes may then subscribe to various multicast groups and receive the packet. If we would like to reach netlink group 5. For example. If we specify 0.1. This option prefixes all log entries with a userspecified log prefix. --ulog-cprange iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100 The --ulog-cprange option tells the ULOG target how many bytes of the packet to send to the userspace daemon of ULOG. and is definitely most useful to distinguish different logmessages and where they came from. http://people. --ulog-prefix iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: " The --ulog-prefix option works just the same as the prefix value for the standard LOG target.9 Página 167 ULOG target The ULOG target is used to provide userspace logging of matching packets. making it much simpler to search for specific packets. Table 26.org/andreasson/iptables-tutorial/iptables-tutorial. --ulog-qthreshold iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10 The --ulog-qthreshold option tells the ULOG target how many packets to queue inside the kernel before actually sending the data to userspace. so the whole packet will be copied to userspace.html 21:25:51 10/06/2002 . the packet information is multicasted together with the whole packet through a netlink socket. and to group log entries etcetera. plus some leading data within the actual packet. and it contains much better facilities for logging packets. the whole packet will be copied to userspace. if we set the threshold to 10 as above. and then transmit it outside to the userspace as one single netlink multipart message. we would copy 100 bytes of the whole packet to userspace. If we specify 100 as above. This is in other words a more complete and more sophisticated logging facility that is only used by iptables and netfilter so far. which are simply specified as 1-32. and other databases.Iptables Tutorial 1. ULOG target Option Example Explanation --ulog-nlgroup iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2 The --ulog-nlgroup option tells the ULOG target which netlink group to send the packet to. regardless of the packets size. we would simply write --ulog-nlgroup 5. If a packet is matched and the ULOG target is set. which would include the whole header hopefully. the kernel would first accumulate 10 packets inside the kernel.unix-fu. The default value here is 1 because of backwards compatibility. It can be 32 characters long. The default value is 0. The default netlink groupd used is 1. the userspace daemon did not know how to handle multipart messages previously.

ie. General When a packet first enters the firewall. This chain is used for Destination Network Address Translation mainly. Note that all traffic that's forwarded goes through here (not only in one direction). internet) Comes in on the interface(ie. The packet goes through the different steps in the following fashion: Table 1.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. so you need to think about it when writing your ruleset. good examples of this is DNAT and SNAT and of course the TOS bits. Also we will speak about in which order the tables are traversed. eth0) This chain is normally used for mangling packets. Forwarded packets Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire(ie.html . filter FORWARD The packet got routed onto the FORWARD chain. This chain should first and foremost be used for Source Network Address Translation.9 Página 168 Traversing of tables and chains This chapter will talk about how packets traverse the the different chains and in which order. Routing decision. This is especially needed if you want to write rules with iptables that chould change how different packets get routed. or forwarded to another host or whatever happens to it. only forwarded packets go through here. This is extremely valuable information later on when you write your own specific rules. changing TOS and so on. ie. avoid doing filtering here since certain packets might pass this chain without ever hitting it. This is also where Masquerading is done. We will also look at which points certain other parts that also are kernel dependant gets in the picture. we do all the filtering here. we're assuming that the packet is destined for another host on another network. is the packet destined for our localhost or to be forwarded and where. Avoid filtering in this chain since it will be passed through in certain cases.unix-fu. it hits the hardware and then get's passed on to the proper device driver in the kernel. In this example. 21:25:51 10/06/2002 5 6 7 nat POSTROUTING http://people. With this we mainly mean the different routing decisions and so on. Then the packet starts to go through a series of steps in the kernel before it is either sent to the correct application (locally). Source Network Address Translation is done further on.1.

It would pass through the following steps before actually being delivered to our application to receive it: Table 2.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 169 8 9 Goes out on the outgoing interface (ie. there's quite a lot of steps to pass through. Internet) Comes in on the interface(ie. or anywhere else in case it is malformed. we are mainly interested in the iptables aspect of this lot. eth1).html . ie. Local process/application (ie.Iptables Tutorial 1. Source localhost Step 1 2 Mangle OUTPUT Table Chain Comment Local process/application (ie. however.1. 21:25:51 10/06/2002 http://people. ie. Avoid filtering in this chain since it will be passed through in certain cases. This chain is used for Destination Network Address Translation mainly. The packet can be stopped at any of the iptables chains.unix-fu. Quite logical. Finally we look at the outgoing packets from our own localhost and what steps they go through. let us have a look at a packet that is destined for our own localhost. I think. I think it gets clearer with time. Note that all incoming packets destined for this host passes through this chain. Do note that there is no specific chains or tables for different interfaces or anything like that. filter INPUT This is where we do filtering for all incoming traffic destined for our localhost. server/client program) 5 6 7 Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain. FORWARD is always passed by all packets that are forwarded over this firewall/ router. Out on the wire again (ie. Now. but if you continue to dig in it. As you can see. Table 3. Destination localhost Step 1 2 3 4 mangle nat PREROUTING PREROUTING Table Chain Comment On the wire (ie. no matter what interface and so on it came from. changing TOS and so on. Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning. Routing decision. is the packet destined for our localhost or to be forwarded and where. eth0) This chain is normally used for mangling packets. LAN). server/client program) This is where we mangle packets. it is suggested that you do not filter in this chain since it can have sideeffects.

Routing decision.1. could someone tell me when this will be fixed? Please? This is where we filter packets going out from localhost. Goes out on some interface (ie. This is where we decide where the packet should go. and certain packets might slip through even though you set a default policy of DROP.unix-fu.html 21:25:51 10/06/2002 . eth0) On the wire (ie.org/andreasson/iptables-tutorial/iptables-tutorial. it would look something like this: http://people. Nat POSTROUTING This is where we do Source Network Address Translation as described earlier. If we would figure out a good map of all this. Internet) 7 8 We have now seen how the different chains are traversed in three separate scenarios.9 Página 170 3 4 5 6 Nat Filter OUTPUT OUTPUT This is currently broken.Iptables Tutorial 1. It is suggested that you don't do filtering here since it can have sideeffects.

html 21:25:51 10/06/2002 .txt script. All comments welcome.Iptables Tutorial 1. If you feel that you want more information. you could use the rc.org/andreasson/iptables-tutorial/iptables-tutorial. This test script should give you the necessary rules to test how the tables and chains are traversed.unix-fu. http://people. this might still be wrong or it might change in the future.test-iptables.9 Página 171 Hopefully you got a clearer picture of how the packets traverses the built in chains now.1.

Iptables Tutorial 1. they act faulty on what they get. and there are some Internet Service Providers known to look for a single host generating many different TTL values. nor will any DNAT. These marks could then be recognised by the iproute2 programs to do different routing on the packet depending on what mark they have. The actual targets that does these kind of things are: http://people. Note that this has not been perfected and is not really implemented on the internet and most of the routers don't care about the value in this field. it should only be used to translate packets source field or destination field.org/andreasson/iptables-tutorial/iptables-tutorial. SNAT or Masquerading work in this table. It is strongly adviced that you don't use this table to do any filtering in. Note that. This could be used for setting up policies on the network regarding how a packet should be routed and so on. The MARK target is used to set special mark values to the packet. In other words. and sometimes.html 21:25:51 10/06/2002 .1. The TTL target is used to change the TTL (Time To Live) field of the packet. only the first packet in a stream will hit this chain. We could tell packets to only have a specific TTL and so on. In other words.9 Página 172 Mangle table This table should as we've already noted mainly be used for mangling packets. After this. Don't set this in other words for packets going to the internet unless you want to do routing decisions on it with iproute2. Some Internet Service Providers does not like users running multiple computers on one single connection. you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) fields and so on. Target's that only valid in the mangle table: TOS TTL MARK The TOS target is used to set and/or change the Type of Service field in the packet. and takes this as one of many signs of multiple computers connected to a single connection. as we have said before. We could also do bandwidth limiting and Class Based Queuing based on these marks. One good reason for this could be that we don't want to give ourself away to nosy Internet Service Providers. the rest of the packets will automatically have the same action taken on them as the first packet. Nat table This table should only be used for NAT (Network Address Translation) on different packets. or if they don't have any.unix-fu.

SNAT (Source Network Address Translation) is mainly used for changing the source address of packets. We can match packets and filter them however we want. The MASQUERADE target will on the other hand work properly with Dynamic IP addresses that you may be provided when you connect to the Internet with. the targets discussed previously in this chapter are only usable in their respective tables. and there is nothing special to this chain or special packets that might slip through because they are malformed. this is where we (should) do the main filtering. This is the place that we actually take action against packets and look at what they contain and DROP/ACCEPT depending on their payload. instead of doing as the SNAT target does and just use an IP address submitted while the rule was parsed. As long as you have a very basic setup however. The reason for this is that each time that the MASQUERADE target gets hit by a packet. This should be used to get a basic idea on how to solve different problems and what you may need to think about before actually putting your scripts into work. mainly used for filtering packets. of course.Iptables Tutorial 1. The MASQUERADE target is used in exactly the same way as SNAT. but need to change our local networks IP numbers to the same of the IP of our firewall. In other words. Filter table The filter table is. we change the destination address of the packet and reroute it to some other host. however. etcetera. etc.x. it automatically checks for the IP address to use.168. hence making it possible to make connections from the LAN to the Internet. We will not go into deeper discussion about this table though. the packets would never get back from the Internet because these networks are regulated to be used in LAN's by IANA.org/andreasson/iptables-tutorial/iptables-tutorial.9 Página 173 DNAT SNAT MASQUERADE The DNAT (Destination Network Address Translation) target is mainly used in cases such as when you have one IP and want to redirect accesses to the firewall to some other host on a DMZ for example. it will very likely run quite smooth with just a few fixes to it. It could be used as is with some changes to the variables. If you're network uses 192.unix-fu. SLIP or DHCP. however. Of course we may do filtering earlier too. Almost all targets are usable in this chain. We have used one of the basic setups and dug deeper into how it works and what we do in it. for example PPP. but the MASQUERADE target takes a little bit more overhead to compute. but is not suggested since it may not work perfectly together with your network setup.firewall file This chapter will deal with an example firewall setup and how the script file could look.1. The firewall will with this target automatically SNAT and De-SNAT the packets. A good example when this is very good is when we have a firewall that we know the outside IP address of. rc. This is mainly done to hide our local networks or DMZ.x netmask for example. this is the place that was designed for it.html 21:25:51 10/06/2002 . as you already know. http://people.

However.firewall. eth1.1 IP address and the interface will amost certainly be named lo. Also. however. explanation of rc. which are necessary. This could be eth0. read on since this script will introduce a lot of interesting stuff anyways). they are however left there so you can spot the differences between the scripts in a more efficient way. Instead of looking for comments. you need to specify the IP address of the physical interface connected to the LAN as well as the IP range which the LAN uses and the interface that the box is connected to the LAN through. however.0. which will point the script to the exact location of the iptables application. then you could always create a mix of the different scripts. or (hold yourself) create your own from scratch. This example rc. For example. the script has been written for readability so that everyone can understand it without having to know too much BASH scripting before reading this example rc.unix-fu. If you need these parts. your IP address will always change. I suggest you read through the script file to get a basic hum about how it looks. and then you return here to get the nitty gritty about the whole script.txt (also included in the Example scripts codebaseappendix) is fairly large but not a lot of comments in it. many distributions put the actual application in another location such as /usr/sbin/iptables and so on. and the default location when compiling the iptables package by hand is /usr/ local/sbin/iptables. hence these sections are empty.firewall Configuration options The first section you should note within the example rc. This script does not contain any special configuration options for DHCP or PPPoE. tr0. then you should probably look closer at the rc.Iptables Tutorial 1. you will find a brief section that pertains to the iptables. http://people. if you got one (if not. ppp0. The same goes for all sections that are empty.firewall. The $INET_IP should always be a fully valid IP address.firewall.9 Página 174 note that there might be more efficient ways of making the ruleset. Also.txt is the configuration section. this section only consists of the $IPTABLES variable. so you have everything set up and are ready to check out an example configuration script. as you may see there is a Localhost configuration section.txt. however you will with 99% certainty not change any of the values within this section since you will almost always use the 127. the $INET_IFACE variable should point to the actual device used for your internet connection.DHCP. This should always be changed since it contains the information that is vital to your actual configuration. This may vary a bit.0. hence it is available here. For example. Also.org/andreasson/iptables-tutorial/iptables-tutorial. just below the Localhost configuration. Mainly. etcetera just to name a few possible device names. The Local Area Network section contains most of the configuration options for your LAN. We do provide it. You should at least be if you have come this far.html 21:25:51 10/06/2002 .1.firewall Ok.

However. some FTP and IRC stuff will work no doubt. the whole connection will be broken. however. First off. but not be able to send files. REJECT and MASQUERADE targets and don't have this compiled statically into your kernel. As of this writing. the other way around. Without these so called helpers. The NAT helpers on the other hand. etcetera. which could for example be used to only allow certain users to make certain connections. We may also load extra modules for the state matching code here. Creating these kind of connections requires the IP address and ports to be sent within the IRC protocol. I will not use that module in this example but basically. we load these modules as follows: /sbin/insmod ipt_LOG /sbin/insmod ipt_REJECT /sbin/insmod ipt_MASQUERADE Next is the option to load ipt_owner module. You could also disallow all users but your own user and root to connect from your box to the Internet.org/andreasson/iptables-tutorial/iptables-tutorial. if one of your hosts NAT'ed boxes connect to a FTP server on the internet. Always avoid loading modules that you do not need. Now. This is for security reasons. FTP is a complex protocol by definition. the kernel would not know what to look for when it tries to track specific connections. In other words. For a long explanation of these conntrack and nat modules. Since this local network address is not valid outside your own network. For example. you may be able to receive files over DCC.unix-fu. it will work flawlessly since the sender will (most probably) give you the correct address to connect to. for example. as well as http://people. you could allow only root to do FTP and HTTP connections to redhat and DROP all the others. After this we load the modules that we will require for this script. which in turn requires some translation to be done. the FTP server will not know what to do with it and hence the connection will break down. The FTP NAT helpers do all of the translations within these connections so the FTP server will actually know where to connect. This is due to how the DCC starts a connection. There are also H. are extensions of the connection tracking helpers that tells the kernel what to look for in specific packets and how to translate these so the connections will actually work. some other things will not work. For example. Without the helpers. So. the DCC connection will look as if it wants the receiver to connect to some host on the receivers own local network. since it will take some extra effort to make additional rules this way. Without these helpers. it will send its own local network IP address within the payload of the packet. and it sends connection information within the actual payload of the packet.323 conntrack helpers within the patch-o-matic.9 Página 175 Initial loading of extra modules First. if you want to have support for the LOG. Connection tracking helpers are special modules that tells the kernel how to properly track the specific connections.Iptables Tutorial 1. there is only the option to load modules which add support for the FTP and IRC protocols. you tell the receiver that you want to send a file and where he should connect to.1. and tells the FTP server to connect to that IP address. we see to it that the module dependencies files are up to date by issuing an /sbin/depmod -a command.html 21:25:51 10/06/2002 . For more information about the ipt_owner match. look at the Owner match section within the How a rule is built chapter. The same thing applies for DCC file transfers (sends) and chats. read the Common problems and questionmarks appendix. but you will be a bit more secure to bouncing hacker attacks and attacks where the hacker will only use your host as an intermediate host. might be boring for others. and if possible try to avoid having modules lying around at all unless you will be using them. All modules that extend the state matching code and connection tracking code are called ip_conntrack_* and ip_nat_*.

iptables rulesets). ip_dynaddr by doing the following : echo "1" > /proc/sys/net/ipv4/ip_dynaddr If there is any other options you might need to turn on you should follow that style. however. but it will make it possible for the computer to do NAT on these two protocols. In case you need dynamic IP support. This may give malicious people a small timeframe to actually get through our firewall. in case there are possible additional links added to other and better resources of information.1. and all others contained within this tutorial.org/andreasson/iptables-tutorial/iptables-tutorial. In this script and all others within the tutorial. Note that you need to load the ip_nat_irc and ip_nat_ftp if you want Network Adress Translation to work properly on any of the FTP and IRC protocols. They are used the same way as the conntrack modules.firewall. for example if you use SLIP. For a better explanation on how this is done. The rc.Iptables Tutorial 1. you need to use the patch-o-matic and compile your own kernel. In other words. which is also available within the Other resources and links appendix.9 Página 176 some other conntrack helpers. PPP or DHCP you may enable the next option. To be able to use these helpers. this option should really be turned on after creating all firewall rules. read the Preparations chapter. Also. This will lead to a brief period of time where the firewall will accept forwarding any kind of traffic for everything between a millisecond to a minute depending on what script we are running and on what box. however. You will also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before actually loading the NAT modules. proc set up At this point we start the IP forwarding by echoing a 1 to /proc/sys/net/ipv4/ ip_forward in this fashion: echo "1" > /proc/sys/net/ipv4/ip_forward It may be worth a thought where and when we turn on the IP forwarding. we turn it on before actually creating any kind of IP filters (ie. There is a good but rather brief document about the proc system available within the kernel. I have chosen to turn it on here to maintain consistency with the script breakdown currently user. Displacement of rules to different chains http://people.html 21:25:51 10/06/2002 .unix-fu. These may be a good starters to look at. do not turn these on before actually knowing what they mean. do contain a small section of non-required proc settings.txt script. there's other documentations on how to do these things and this is out of the scope of this documentation. it may be worth looking at that appendix in the future.

Based upon these general assumptions. However.unix-fu. Also. we would also like to let our local network do connections to the internet. In this case.html 21:25:51 10/06/2002 . I have displaced all the different user-chains in the fashion I have to save as much CPU as possible but at the same time put the main weight on security and readability.org/andreasson/iptables-tutorial/iptables-tutorial. The following picture will try to explain the basics of how an incoming packet traverses netfilter. With these pictures and explanations. this section contains a brief look back to the Traversing of tables and chainschapter. I wish to explain and clarify the goals of this script. the Internet is most definitely not a trusted network and hence we want to block them from getting to our local network. Since the local network is fully trusted. In the case of this scenario. This is a really trivial picture in comparison to the one in the Traversing of tables and chains chapter where we discussed the whole traversal of chains and tables in depth. and we trust our local network fully and hence we will not block any of the traffic from the local network. Also. UDP and TCP rules. I hope to point these aspects and possible problems out to you when and where they occur. This will effectively kill all connections and all packets that we do not explicitly allow inside our network or our firewall. This whole example script is based upon the assumption that we are looking at a scenario containing one local network. this script has as a main priority to only allow traffic that we explicitly want to allow. Hopefully. we also want to allow the firewall to act as a server for certain services on the internet. let's make clear what our goals are.9 Página 177 This section will briefly describe my choices within the tutorial regarding user specified chains and some choices specific to the rc.1. This way we do not get too much overhead out of it all. This example is also based upon the assumption that we have a static IP to the internet (as opposed to DHCP.txt script. PPP and SLIP and others). Based upon this picture. Some of the paths I have chosen to go here may be wrong from one or another of aspect.firewall. http://people.Iptables Tutorial 1. Instead of letting a TCP packet traverse ICMP. one firewall and an Internet connection connected to the firewall. let's look at what we need to do and what we do not need to do. we want to set default policies within the chains to DROP. I simply match all TCP packets and then let the TCP packets traverse an user specified chain. but instead further on in the chapter. this will remind you a little bit of how the specific tables and chains are traversed in a real live example. We will not discuss any specific details yet. To do this. we want to allow all kind of traffic from the local network to the internet.

and hence it should be allowed through the INPUT chain. These packets. By doing this. and reduce redundancy within the network.org/andreasson/iptables-tutorial/iptables-tutorial. By traversing less rules. before we implement this. In this script. we may be a bit low on funds perhaps. and we need to allow the return traffic through the OUTPUT chain. of course. For the same reason. and because of that we specifically allow all traffic from our local network to the internet. and should contain a few extra checks before finally accepting the packet. or we just want to offer a few services to people on the internet. we want to split the rules down into subchains. As for ICMP packets. and hence we accept the directly. we add a rule which lets all established and related traffic through at the top of the INPUT chain. SSH and IDENTD access to the actual firewall. the 10. Since we have an FTP server running on the server. and the loopback device and IP address are also trusted. as well as the fact we want to traverse as few rules as possible.9 Página 178 First of all. nor do we want to allow some IP ranges to reach the firewall from the Internet.0. As for our firewall. so we would like to create one more subchain for all packets that are accepted for using valid port numbers to the firewall. we send to the udp_packets chain which handles all incoming UDP packets. However. we could not see any specific needs for extra checks before allowing the ICMP packets through if we agree with the type and code of the ICMP packet. This chain we choose to call the "allowed" chain. When we decided on how to create this chain. we choose to split the different packets down by their protocol family. We trust our local network to the fullest.html 21:25:51 10/06/2002 . we also trust the local network fully. we will need to NAT all packets since none of the local computers have real IP addresses.0. we make the ruleset less timeconsuming for each packet. which will contain rules for all TCP ports and protocols that we want to allow. For a closer discussion of this. All of this is done within the PREROUTING chain. we will want to block all traffic from the Internet to our local network except already established and related connections. we have the UDP packets which needs to be dealt with. FTP.unix-fu. Finally.1.0/8 address range is reserved for local networks and hence we would normally not want to allow packets from such a address range since they would with 90% certainty be spoofed. Also. For instance. we want to do some extra checking on the TCP packets. for example TCP. we must note that certain Internet Service Providers actually use these address ranges within their own networks. Because of this. our packets will hopefully only need to traverse as few rules as possible. we do not want to allow specific packets or packet headers in specific conjunctions. which in turn will allow all return traffic from the Internet to our local network. Since noone on the Internet should be allowed to contact our local network computers. we want the local network to be able to connect to the internet. All of these protocols are available on the actual firewall. All TCP packets traverse a specific chain named tcp_packets. Also. which is created last in this script. we have decided to allow HTTP. However. these will traverse the icmp_packets chain. we want to add special rules to allow all traffic from the local network as well as the loopback network interface. Therefore. UDP or ICMP. This means that we will also have to do some filtering within the FORWARD chain since we will otherwise allow outsiders full access to our local network. http://people.Iptables Tutorial 1. read the Common problems and questionmarks chapter. To do this.

We would most likely implement this by adding rules that ACCEPT all packets leaving the firewall in case they come from one of the IP addresses assigned to the firewall.unix-fu. as well as all of the rulesets within the chains. this box is also used as a secondary workstation and to give some extra levy for this. we create the different special chains that we want to use with the -N command.1. INPUT chain http://people. will be redirected to tcp_packets and incoming packets of UDP type from eth0 go to udpincoming_packets chain. such as speak freely and ICQ. and hence we only want to allow traffic from the IP addresses assigned to the firewall itself.9 Página 179 All incoming UDP packets should be sent to this chain. Setting up the different chains used So. You should also have a clear picture of the goals of this script. Finally. Incoming packets on eth0. It is now about time that we take care of setting up all the rules and chains that we wish to create and to use. we do not want people to use this box to spoof packets leaving the firewall itself.html 21:25:51 10/06/2002 . tcp_packets. udpincoming_packets and the allowed chain for tcp_packets. Since we actually trust the firewall quite a lot. and if not they will be dropped by the default policy in the OUTPUT chain. iptables -P <chain name> <policy> The default policy is used every time the packets don't match a rule in the chain.Iptables Tutorial 1. we set all the default policies on the different chains with a quite simple command. will be redirected to the chain icmp_packets. Since we are running on a relatively small network. we allow pretty much all traffic leaving the firewall. nor do we do any blocking of specific protocols. we want to allow certain specific protocols to make contact with the firewall itself. The chains we will use are icmp_packets. The new chains are created and set up with no rules inside of them. We do not do any specific user blocking. we have the firewalls OUTPUT chain. and if they are of an allowed type we should accept them immediately without any further checking. First of all. of ICMP type. now you got a small picture on how the packet traverses the different chains and how they belong together. However. of TCP type. After this.org/andreasson/iptables-tutorial/iptables-tutorial.

and it will work much better on slow machines which might otherwise drop packets at high loads.0/24. we log them to our logs and then we DROP them. The TCP allowed chain If a packet comes in on eth0 and is of TCP type. Everything that hasn't yet been caught will be DROP'ed by the default policy on the INPUT chain. Also.1. First of all. Finally. and after this.Iptables Tutorial 1. Either it might be a packet that we just dont want to allow or it might be someone who's doing something bad to us. you need to look at the Appendices regarding state NEW and non-SYN packets getting through other rules. we log it so we might be able to find out about possible problems and or bugs.unix-fu. In this case this pretty much means everything that hasn't seen traffic in both directions. we check if the packet is a SYN packet. we create the chain the same way as all the others. we check for everything that comes from our $LOCALHOST_IP.0. it is most likely to be the first packet in a new connection so. we want to do some final checks on it to see if we actually do want to allow it or not. something that some might consider a security problem. These applications will not work properly without it. After that.0. In either case we want to know about it so it can be dealt with. After this. and a reply to this SYN packet. Then we check if the packet comes from an ESTABLISHED or RELATED connection.9 Página 180 The INPUT chain as I've written it uses mostly other chains to do the hard work.168. These packets could be allowed under certain circumstances but in 99% of the cases we wouldn't want these packets to get through. which in my case is eth0. If you want to fully understand this. do the same for everything to $LAN_IP.1 and ACCEPT all incoming traffic from there. except to portscan people http://people. if the connection is against an allowed port. An ESTABLISHED connection is a connection that has seen traffic in both directions. again of course. which would normally be 127. Though.org/andreasson/iptables-tutorial/iptables-tutorial. and after this all UDP packets get sent to udpincoming_packets chain. which was previously described. then we. The default policy was set quite some time back. also we set a prefix to all log entries so we know where it came from. which in my case would be 192. the connection then must be in state ESTABLISHED. of course. Hence. Before we hit the default policy of the INPUT chain. if it does. it travels through the tcp_packets chain. we do the same match for TCP packets on the $INET_IFACE and send those to the tcp_packets chain. and send those to the icmp_packets. There is no practical use of not starting a connection with a SYN packet. allow it. we allow broadcast traffic from our LAN. or finally it might be a problem in our firewall not allowing traffic that should be allowed. we didn't reply to the SYN packet. or they are trying to start the connection with a non SYN packet. ie.html 21:25:51 10/06/2002 . This way we don't get too much load from the iptables. we allow this. as you might remember. We do certain checks for bad packets here. If it is a SYN packet. some applications depend on it such as Samba etc.0. The last rule in this chain will DROP everything else. we don't log more than 3 packets per minute as to not getting flooded with crap all over the log files. and since we've got a SYN packet. I allow everything that comes from my own Internet IP that is either ESTABLISHED or RELATED to some connection. First of all we match all ICMP packets in the INPUT chain that come on the incoming interface $INET_IFACE.

0. the last gateway that was unable to find the route to the host replies with a Destination Unreachable telling us that it was unable to find it. -A tcp_packets tells iptables in which chain to add the new rule.org/andreasson/iptables-tutorial/iptables-tutorial. For example. For more information on ICMP types and their usage.0. I might be wrong in blocking some of these ICMP types for you.0. Destination unreachable. For a complete listing of all ICMP types. and a Time Exceeded is sent back from the first gateway en route to the host we're trying to traceroute. there is still more checks to do. and the host is unreachable. The reason that I allow these ICMP packets are as follows. --dport 21 means destination port 21. Echo Replies is what you get for example when you ping another host. we then redirect it to the icmp_packets chain as explained before. The ICMP chain This is where we decide what ICMP types to allow. we will be unable to ping other hosts.0. i suggest reading the following documents and reports : The Internet Control Message Protocol ICMP RFC 792 . Destination Unreachable is used if a certain host is unreachable. DROP the crap since it's 99% sure to be a portscan. hence we send each and one of them on to allowed chain.Iptables Tutorial 1. when you traceroute someone. Time Exceeded. I only allow incoming ICMP Echo Replies.html 21:25:51 10/06/2002 . The TCP chain So now we reach TCP connections. As a side-note. hence. in other words if the packet is destined for port 21 they also match.Internet Control Message Protocol by J. in other words all sources addresses. if we don't allow this. we will get a reply about this.unix-fu. Postel. There is no currently available TCP/IP implementation that supports opening a TCP connection with something else than a SYN packet to my knowledge.9 Página 181 pretty much. everything works perfectly while blocking all the other ICMP types that I don't allow. -p TCP tells it to match TCP packets and -s 0/0 matches all source addresses from 0. which we described previously. Here we check what kind of ICMP types to allow. then the packet will be targeted for the allowed http://people. this is actually the default behaviour but I'm using it for brevity in here. the rule will be added to the end of the chain. and it gets down to 0 at the first hop on the way out. but in my case. is allowed in the case where we might want to traceroute some host or if a packet gets its Time To Live set to 0. As it is now.0. If all the criteria are matched. This way we won't have to wait until the browser's timeouts kicks in after some 60 seconds or more. and so on until we get an actual reply from the host we finally want to get to. then TTL = 2 and the second gateway sends Time Exceeded. If a packet of ICMP type comes in on eth0 on the INPUT chain.0 with netmask 0. Redirect and Time Exceeded. Though. so for example if we send a HTTP request. see the appendix ICMP types. This specifies what ports that are allowed to use on the firewall from the Internet.1. you start out with TTL = 1.

txt file. This protocol is used to set your computer clock to the same time as certain other time servers which have very accurate clocks. Note that you are dealing with a firewall. in other words your web server. Port 4000 is the ICQ protocol. its quite self explanatory how to do that by now=). I allow TCP port 21. And finally we allow port 113. There is at least 5 different ICQ clones for Linux and it's one of the most widely used chat programs in the world. Though. If it doesn't match any of the rules. and that way we allow PASSIVE and PORT connections since the ip_conntrack_ftp module is.0. I doubt there is any further need to explain what it is. Port 80 is HTTP.firewall. loaded. in other words everything again. delete it if you don't want to run a web server on your site. much better than allowing telnet on port 23. hence we allow DNS. etc to work properly. Firewalls should always be kept to a bare minimum and not more. I ACCEPT incoming UDP packets from port 53. we can unload the ip_conntrack_ftp module and delete the $IPTABLES -A tcp_packets -p TCP -s 0/ 0 --dport 21 -j allowed line from the rc. without this we wouldn't be able to do domain name lookups and we would be reversed to only use IP's. most of you probably don't use this protocol.0. or even better. I'm allowing it per default since I know there are some who actually do. which is used for certain real-time `multimedia' applications like speak freely which you can use to talk to other people in real-time by using speakers and a microphone. which is what we use to do DNS lookups.0. The UDP chain If we do get a UDP packet on the INPUT chain. It is always a bad idea to give others than yourself any kind of access to these kind of boxes. they will be passed back to the original chain that sent the packet to the tcp_packets chain.0.Iptables Tutorial 1.1. I personally also allow port 123. http://people. If you feel like adding more open ports with this script. a headset.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial. If we don't want to allow FTP at all.0 and netmask 0. If they have a source port of 53 also. which is used to control FTP connections and later on I also allow all RELATED connections. We currently also allow port 2074. or FTP control port. As it is now. Port 22 is SSH. As it is now. hopefully. if you want to allow anyone from the outside to use a shell on your box at all. which is NTP or network time protocol. we send them on to udpincoming_packets where we once again do a match for the UDP protocol with -p UDP and then match everything with a source address of 0. we ACCEPT them directly.9 Página 182 chain. which is IDENTD and might be necessary for some protocols like IRC. We don't want this behaviour. well.unix-fu. This should be an extremely well known protocol that is used by the Mirabilis application named ICQ. of course.0.

First of all we check for obviously spoofed IP addresses. Note that this chain should not be used for any filtering or such.x. We log maximally 3 log entries per minute as to not flood our own logs. it does network adress translation on packets before they actually hit the routing tables that sends them onwards to the INPUT or FORWARD chains in the filter table. Starting the Network Address Translation http://people. Finally we DROP the packet in the default policy. 10. in such case. or it's a weird packet that's spoofed.unix-fu. we first of all ACCEPT all packets coming from our LAN with the following line: /usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT So everything from our Localnet's interface gets ACCEPT'ed whatever the circumstances. And after this we log everything and drop it. we allow the packets coming back from that site that's either ESTABLISHED or RELATED but nothing else. I allow pretty much everything that goes out from it that has a source address $LOCALHOST_IP.txt example file. such as in case we get packets from the Internet interface that claim to have a source IP of 192. we don't do that though.x. I would like to comment on the few lines in there anyways.x. we'll sure as hell want to know about it for some reason or another.x or 172. This might be used in the opposite direction. we drop them quicker than hell since these IP's are reserved especially for local intranets and definitely shouldn't be used on the Internet.9 Página 183 OUTPUT chain Since i know that there's pretty much no one but me using this box which is partially used as a Firewall and a workstation currently.16. If it does get dropped. we might drop that too.org/andreasson/iptables-tutorial/iptables-tutorial.x. PREROUTING chain of the nat table The PREROUTING chain is pretty much what it says. After this we allow everything in a state ESTABLISHED or RELATED from everywhere. Either it's a nasty error. Everything else might be spoofed in some fashion.x. it should be used for network adress translation. Last of all we log everything that gets dropped. As it looks now.html 21:25:51 10/06/2002 . and prefix them with a short line that is possible to grep for in the logfiles. in other words.Iptables Tutorial 1.firewall. too. if we get an packet from $LAN_IFACE that claims to not come from an IP address in the range which we know that our LAN is on. if we open a connection from our LAN to something on the Internet. Also we log them with debug level.1. As it is now. among other things since this chain is only traversed by the first packet in a stream.168. $LAN_IP or $STATIC_IP. We finally hit the default policy of the FORWARD chain that says to DROP everything. even though I doubt anyone that I know would do it on my box.x. FORWARD chain Even though I haven't actually set up a certain section in the rc.

we first send a packet from our local box behind eth1. This chapter should hopefully http://people. For me this would be eth0.txt script structure All scripts written for this tutorial has been written after a specific structure. or logging facility what kind of importance this log entry has. The last thing we do is to log all traffic that gets dropped over the border. The rest of this tutorial should most probably be helpful in making this feat. These settings are widely used within the example scripts.1. We allow this rule to be matched a maximum of 3 times per minute with a burst limit of 3. This is good if someone starts to flood you with crap stuff that otherwise would generate many megabytes of logs. there are specific variables added to these example scripts that may be used to automatically configure these settings.html 21:25:51 10/06/2002 . First of all we add a rule to the nat table. In some cases these might be packets that should have gotten through but didn't. However. and to provide an overlook of the scripts and what services they provide. In other words. our final mission would be to get the MASQUERADEing up.9 Página 184 So. in the POSTROUTING chain that will masquerade all packets going out on our interface connected to the Internet. It is in other words up to you to make these scripts suitable for your needs. rc. These scripts are not in any way perfect. This means we get maximally 3 log entries per minute from this specific line. The reason for this is that they should be fairly conformative to each other and to make it easier to find the differences between the scripts. The next thing we do is to ACCEPT all packets from anywhere that are ESTABLISHED and/or RELATED to some connection. The first section of this tutorial deals with the actual structure that I have established in each script so we may find our way within the script a bit easier. and since it comes from eth1 we ACCEPT it. then when the Internet box replies.unix-fu. per default settings in this script) and finally we target the packet for MASQUERADE'ing. and hits the default policy. it'll have to wait for another 1 minute for the next log entry. Example scripts The objective of this chapter is to give a fairly brief and short explanation of each script available with this tutorial.org/andreasson/iptables-tutorial/iptables-tutorial. Log level tells the syslogd. The -t option tells us which table to use. We also set a prefix to the log with the --log-prefix and set the log level with the --log-level. correct? At least to me. All packets that are being forwarded on our box traverse the FORWARD chain in the filter table. isn't it? The next step we take is to ACCEPT all packets traversing the FORWARD chain in the default table filter that come from the input interface eth1 which is my interface connecting to the internal network. in this case nat while the -A command tells us that we want to Add a new rule to an existing chain named POSTROUTING and -o $INET_IFACE tells us to match all outgoing packets on INET_IFACE (or eth0. it gets caught by this rule since the connection has seen packets in both directions. So all packets that match this rule will be masqueraded to look as it came from your Internet interface. This structure should be fairly well documented in this brief chapter. Simple. in other cases it might be packets that definitely shouldn't get through and you want to be notified about this.firewall. mainly to make them easier to configure. and they may not fit your exact intentions perfectly. and the burst is also set to 3 so if we get 3 log entries in 2 seconds.Iptables Tutorial 1. but also to improve the readability a bit.

If there are a possibility that the user that wants to use this specific script. The structure This is the structure that all scripts in this tutorial should follow. Hopefully.org/andreasson/iptables-tutorial/iptables-tutorial.If there are any other specific options and variables.These options pertain to our localhost. but we have put most of it into variables anyway. Even though this is the structure I have chosen. 4. 6. do note that this may not be the best structure for your scripts. they should first of all be fitted into the correct subsection (If it pertains to the Internet connection. hence this section will almost always be available. we will add a DMZ zone configuration at this point. it should be subsectioned directly to the configuration options somewhere. unless it is specifically explained why I have broken this structure. If it does not fit in anywhere. 5. we will add the DHCP specific configuration options here.1. Note that there may be more subsections than those listed here. DHCP . we will add specific options for those here. This could be skipped if we do not have any Internet connection.unix-fu. Configuration options should pretty much always be the first thing in any shell-script.First of all we have the configuration options which the rest of the script should use.Iptables Tutorial 1. It is only a structure that I have chosen to use since it fits the need of being easy to read and follow the best according to my logic. Internet . DMZ . LAN . 2. etcetera). Localhost .This is the configuration section which pertains to the Internet connection. Configuration . mainly because any normal home network. iptables . If they differ in some way it is probably an error on my part. we will add options pertaining to that in this section. 1. and if there are any special circumstances that raises the chances that he is using a PPPoE connection. In most scripts and situations this should only require one variable which tells us where the iptables binary is located. http://people. but only such that pertains to our Internet connection. 3.If there is any reason to it.9 Página 185 give a short understanding to why all the scripts has been written as they have. 1. These variables are highly unlikely to change.If there are possibly any special DHCP requirements with this specific script.If there is any LAN available behind the firewall. it should be subsectioned there. 2. Most scripts lacks this section. PPPoE . Other .This section contains iptables specific configuration. This is most likely.html 21:25:51 10/06/2002 . 1. or small corporate network. and why I have chosen to maintain this structure. will not have one. there should be no reason to change these variables.

http://people.First of all we go through the filter table and its content. Non-required modules . All of them should be commented out.org/andreasson/iptables-tutorial/iptables-tutorial.This section should contain all of the required proc configurations for the script in question to work.9 Página 186 2. If some of these options are required. and specifically ACCEPT services and streams that I want to allow inside. It could possibly also contain configurations that raises security. and possibly which adds special services or possibilities for the administrator or clients. This list will contain far from all of the proc configurations or nodes. The first part should contain the required modules. Filter table . if not.Iptables Tutorial 1. 1.By now the scripts should most probably be ready to insert the ruleset. Module loading . Required modules . may have been added even though they are not required. 1. since they are not actually necessary to get the script to work. This should normally be noted in such cases within the example scripts. Required proc configuration . All user specified chains are created before we do anything to the system builtin chains. or add certain services or possibilities. Non-required proc configuration . First of all we should set up all the policies in the table. 1.This section should take care of any special configuration needed in the proc filesystem. they should be commented out per default. but far from all of them.1. Create user specified chains . Most of the useful proc configurations will be listed here.html 21:25:51 10/06/2002 .This section contains modules that are not required for normal operations. it is up to you. they will be listed as such. and if you want to add the service it provides. and possibly special modules that adds to the security or adds special services to the administrator or clients.This section should contain non-required proc configurations that may prove useful. We will not be able to use these chains in the systemchains anyways if they are not already created so we could as well get to it as soon as possible. Set policies . rules set up . I have also chosen to set the chains and their rulespecifications in the same order as they are output by the iptables -L command. This way we will get rid of all ports that we do not want to let people use.Set up all the default policies for the systemchains. 3. and listed under the non-required proc configurations. 1. 4.unix-fu.This section of the scripts should maintain a list of modules.This section should contain the required modules. All of these modules should be commented out per default. Normally I will set DROP policies on the chains in the filter table. 2. 2. Note that some modules that may raise security. I have chosen to split all the rules down after table and then chain names. while the second part should contain the non-required modules. proc configuration .At this point we create all the user specified chains that we want to use later on within this table. 2.

Create content in user specified chains . 2. 6. The filter table would hence be the core. At this point we should add all rules within the INPUT chain.After creating the user specified chains we may as well enter all the rules within these chains. At this point we start following the output from the iptables -L command as you may see. do try to avoid mixing up data from different tables and chains since it will become much harder to read such rulesets and to fix possible problems.At this point we create any user specified chains that we want within the nat table. but none of the filter rules has been run). 5. There is no reason for you to stay with this structure. 1. The same thing goes here as for the user specified chains in the filter table.Last of all in the filter table.By now it should be time to add all the rules to the user specified chains in the nat table.After the filter table we take care of the nat table. FORWARD chain . Nothing special about this decision. The only reason I have to enter this data at this point already is that may as well put it close to the creation of the user specified chains. INPUT chain .1. First of all we do not want to turn the whole forwarding mechanism and NAT function on at a too early stage. it is totally up to you. There should hopefully not be too much to do at this point. Also. OUTPUT chain . while the nat table acts as a layer lying around the filter table.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu. we do not have a lot of things left to do within the filter table so we get onto the INPUT chain. http://people. and we should not let packets be dropped here since there are some really nasty things that may happen in such cases due to our own presumptions. Normally. You may as well put this later on in your script. nat table . Create content in user specified chains . but I have added this section anyways. 3. but not too far from reality. Note that the user specified chains must be created before they can actually be used within the systemchains. we add the rules dealing with the OUTPUT chain. which could possibly lead to packets getting through the firewall at just the wrong timepoint (ie. 3.9 Página 187 3. I look upon the nat table as a sort of layer that lies just outside the filter table and kind of surrounds it. however. We add this material here since I do not see any reason not to. This may be wrong in some perspectives. I let these chains be set to ACCEPT since there is no reason not to do so.First of all we set up all the default policies within the nat table. This table should not be used for filtering anyways. I will be satisfied with the default policy set from the beginning. namely the ACCEPT policy.html 21:25:51 10/06/2002 .When we have come this far. and finally the mangle table lies around the nat table as a second layer. just in case. when the NAT has been turned on.Iptables Tutorial 1. This is done after the filter table because of a number of reasons within these scripts. 4. Set policies . Create user specified chains . Normally I do not have any of these.At this point we go on to add the rules within the FORWARD chain.

The POSTROUTING chain should be fairly well used by the scripts I have written since most of them depend upon the fact that you have one or more local networks that we want to firewall against the Internet. send me a line and I will add it to the tutorial. As it looks now. 2. 1.The OUTPUT chain is barely used at all in any of the scripts.org/andreasson/iptables-tutorial/iptables-tutorial. POSTROUTING chain .Create all the user specified chains. Set policies . you may att this point add the rules that you want within them here.9 Página 188 4. this section was added just in case someone. 5. and hence you should avoid it all together. Within some scripts we have this turned on by default since the sole purpose of those scripts are to provide such services. 4. 6. I have in other words chosen to leave these parts of the scripts more or less blank. FORWARD chain .At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.The last table to do anything about is the mangle table. OUTPUT chain . If anyone has a reason to use this chain. or I. mangle table . INPUT chain . Since I have barely used the mangle table at all in the scripts. The table was not made for filtering. I have neither created any chains here since it is fairly unusable without any data to use within it.unix-fu. 7. such as masking all boxes to use the exact same TTL or to change TOS fields etcetera. unless they have specific needs. http://people. 5. PREROUTING chain . Create user specified chains . since it should normally not be used for anyone. 5. but I have been unable to find any good reasons to use this chain so far. it is not broken. 6. reason being that we do not want to open up big holes to our local network without knowing about it. but in certain cases we are forced to use the MASQUERADE target instead.Set the default policies within the chain.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. would have the need for it in the future.Iptables Tutorial 1. Create content in userspecified chains .At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. OUTPUT chain . 3. The same thing goes here as for the nat table pretty much. or at the very least commented out. with a few exceptions where I have added a few examples of what it may be used for. Mainly we will try to use the SNAT target.1.html 21:25:51 10/06/2002 . and you are encouraged not to do so either. PREROUTING .At this point there is barely any information in any of the scripts in this tutorial that contains any rules here. Normally I will not use this table at all. In most scripts this feature is not used. I have not set any policies in any of the scripts in the mangle table one way or the other. However.If you have any user specified chains within this table.The PREROUTING chain is used to do DNAT on packets in case we have any need for it.

Mainly it was written for a dual homed network.txt script.firewall.unix-fu. rc. PPP. There is nothing that says that this is the only and best way to go.org/andreasson/iptables-tutorial/iptables-tutorial. please take a closer look at the rc. The rc. For example. This script also makes the assumption that you have a static IP to the Internet.firewall file chapter should explain every detail in the script most thoroughly. where you have one LAN and one Internet Connection.At this point there is barely any information in any of the scripts in this tutorial that contains any rules here.9 Página 189 8.html 21:25:51 10/06/2002 . http://people.1.txt The rc. and hence don't use DHCP.txt script is the main core on which the rest of the scripts are based upon.firewall.DHCP. Hopefully this should explain more in detail how each script is structured and why they are structured in such a way. and should mainly just be seen as a brief explanation to what and why the scripts has been split down as they have. SLIPor some other protocol that assigns you an IP automatically.Iptables Tutorial 1. If you are looking for a script that will work with those setups. Do note that these descriptions are extremely brief.firewall. POSTROUTING chain .

this tutorial will give you the tools to actually accomplish the firewalling and NAT'ing part.org/andreasson/iptables-tutorial/iptables-tutorial.DMZ. if someone from the internet sends a packet to our DNS_IP.Iptables Tutorial 1.168. If the packet would not have been translated.9 Página 190 rc. giving the firewall one IP both internally and externally.1. which stands for Destination Network Adress Translation.txt script was written for those people out there that has one Trusted Internal Network. and not to our external DNS IP. one De-Militarized Zone and one Internet Connection. The De-Militarized Zone is in this case 1-to-1 NAT'ed and requires you to do some IP aliasing on your firewall. When the DNS sees our packet.txt The rc. to send the packet on to our DNS on the DMZ network. but it will not tell you exactly what you need to do since it is out of the scope of the tutorial.0/24 and consists of the De-Militarized Zone which we will do 1-to-1 NAT to. ie. You could then set the IP's to the DMZ'ed boxes as you wish. Do note that this will "steal" two IP's for you. one for the broadcast address and one for the network address. There are several ways to get this to work. One uses IP range 192.0. then we use DNAT. For example.168. you must make the box recognise packets for more than one IP. We will show a short example of how the DNAT code looks: http://people.1.DMZ. the DNS wouldn't have answered the packet.0/24 and consists of a Trusted Internal Network. one is to set 1-to-1 NAT. This is pretty much up to you to decide and to implement.firewall.unix-fu. the packet will be destined for the actual DNS internal network IP.html 21:25:51 10/06/2002 . The other one uses IP range 192. another one if you have a whole subnet is to create a subnetwork. You need to have two internal networks with this script as you can see from the picture.firewall.

org/andreasson/iptables-tutorial/iptables-tutorial. PPP and SLIP connections to connect to the internet. that hasn't been gone through in the rest of the tutorial. DNAT can only be performed in the PREROUTING chain of the nat table. When the reply to the DNAT'ed packet is sent through the firewall.firewall. The reason is that this won't work together with a dynamic IP connection. it automatically gets un-DNAT'ed. http://people.9 Página 191 $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP First of all.firewall. The actual changes needed to be done to the original script is minimal.unix-fu. If we actually get such a packet we give a target of DNAT. By now you should have enough understanding of how everything works to be able to understand this script pretty well without any huge complications. rc. This is how basic DNAT works.firewall. in other words the IP of the DNS on our DMZ network.DHCP. Then we look for TCP protocol on our $INET_IFACE with destination IP that matches our $DNS_IP. If there is something you don't understand. After that we specify where we want the packet to go with the --to-destination option and give it the value of $DMZ_DNS_IP.txt script.html 21:25:51 10/06/2002 . I've had some people mail me and ask about the problem so this script will be a good solution for you. mail me since it is probably a fault on my side.1. however. this script no longer uses the STATIC_IP variable.firewall. in other words Destination NAT. and is directed to port 53.txt The rc. This script will allow people who uses DHCP. which is the TCP port for zone transfers between DNS's.DHCP. However.txt script is pretty much identical to the original rc.txt.Iptables Tutorial 1. which is the main change to the original rc.

If the script is run from within a script which in turn is executed by. the NAT'ed box would be unable to get to the HTTP because the INPUT chain would DROP the packets flat to the ground. This is pretty much the only changes made and that's all that's needed really.org site from the Other resources and links appendix. It is possible to get by. which contains static links back to the same host. there is the possibility to add something like this to your scripts: INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1` The above would automatically grab the IP address of the $INET_IFACE variable. there are serious drawbacks with this approach. Also. as described in the following list. it is rather harsh to add and erase rules all the time. we would get a real hard trouble. and if so ACCEPT them. 2.Iptables Tutorial 1. then try to access that IP. One great example is if we are running an HTTP on our firewall. Instead of using this variable the script now does it's main filtering on the variable INET_IFACE. If we go to the main page. The NAT'ed box would ask the DNS for the IP of the HTTP server. In case we filter based on interface and IP.firewall. but it is questionable. A good way to do this.org/andreasson/iptables-tutorial/iptables-tutorial. that handles dynamic IP in a better sense. if you want to block hosts on your LAN to connect to the firewall. We can no longer filter in the INPUT chain depending on.1.org iptables site which has a huge collection of scripts available to download. For a good site. grep the correct line which contains the IP address and then cuts it down to a manageable IP address. or write one. if you get rid of the NEW not SYN rules for example. There is some more things to think about though. check out the linuxguruz. --in-interface $LAN_IFACE --dst $INET_IP. However. In other words -d $STATIC_IP has been changed to -i $INET_IFACE. This script might be a bit less secure than the rc.txt script. it will hang all currently active connections due to the NEW not SYN rules (see the State NEW packets but no SYN bit set section). I would definitely advise you to use that script if at all possible since this script is more open to attacks from the outside. for example. without hurting the already existing ones.html 21:25:51 10/06/2002 . for example.9 Página 192 The main changes done to the script consists of erasing the STATIC_IP variable as I already said and deleting all referenses to this variable. 1.unix-fu. If you got rules that are static and always want to be around. the PPP daemon. upon bootup of the internet connection. This in turn forces us to filter only based on interfaces in such cases where the internal machines must access the internet adressable IP. For example. how would you do it without erasing your already active rules blocking the LAN? http://people. but at the same time operate a script from the PPP daemon. You will find a link to the linuxguruz. which could be some dyndns solution. would e to use for example the ip-up scripts provided with pppd and some other programs. it may be a good idea to grab a script. This also applies in a sense to the case where we got a static IP. As you may read from above. but in such cases it could be gotten around by adding rules which checks the LAN interface packets for our INET_IP. We could for example make a script that grabs the IP from ifconfig and adds it to a variable.

as seen above which in turn could lead to security compromises. It's not very different from the original rc.firewall. and to keep order in it. HTTP and FTP access to the internet. It may get unnecessarily complicated. rc. This is a sad fact.Iptables Tutorial 1.firewall.firewall.txt The rc.txt script.1. rc. it is easier to spot problems.9 Página 193 3. In other words.UTIN.test-iptables. If the script is kept simple. This script will hopefully give you some clues as to what you can do with your firewall to strengthen it up. but a large part of the hacks and cracks that a company gets hit by is a matter of people from their own staff perpetrating the hit. but it does give a few hints at what we would normally let through etc. We also don't trust the internal users to access the firewall more than we trust users on the Internet. This script follows the golden rule to not trust anyone.txt script will in contrast to the other scripts block the LAN that is sitting behind us. we don't trust anyone on any networks we are connected to. not even our own employees. The only things we actually allow is POP3.txt http://people. We also disallow people on our LAN to do anything but specific tasks on the Internet.unix-fu.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.UTIN.

unix-fu. I will not do that since this is a tutorial and should be used as a place to fetch ideas mainly and it shouldn't be filled up with shell scripts and strange syntax. You may consider adding rules to flush your MANGLE table if you use it.1. The script starts by setting the default policies to ACCEPT on the INPUT.flush-iptables. However. In other words.firewall start and the script starts. Detailed explanations of special commands http://people. This should show you all the different chains used and in which order. and hence we only care about opening the whole thing up and reset it to default values. we jump down to the next section where we erase all the user specified chains in the NAT and filter tables. The rc.flush-iptables.txt script can be used to test all the different chains. rc. For example. This script was written for testing purposes only. such as turning on ip_forwarding.html 21:25:51 10/06/2002 .firewall script using redhat Linux syntax where you type something like rc.txt script should not really be called a script in itself. it's not a good idea to have rules like this that logs everything of one sort since your log partitions might get filled up quickly and it would be an effective Denial of Service attack against you and might lead to real attacks on you that would be unlogged after the initial Denial of Service attack. All it really does is set some LOG targets which will log ping reply's and ping requests. OUTPUT and FORWARD chains of the filter table. One final word on this issue. When all of this is done. We do this first so we won't have to bother about closed connections and packets not getting through.txt The rc. Certain people has mailed me asking from me to put this script into the original rc.on. After this we flush all chains first in the filter table and then in the NAT table. Adding shell script syntax and other things makes the script harder to read as far as I am concerned and the tutorial was written with readability in mind and will continue being so. This script is intended for actually setting up and troubleshooting your firewall. you will get information on which chain was traversed and in which order. After this we reset the default policies of the PREROUTING. and setting up masquerading etcetera. POSTROUTING and OUTPUT chains of the nat table.Iptables Tutorial 1.test-iptables. we consider the script done.org/andreasson/iptables-tutorial/iptables-tutorial. unless the log entries are swapped around for some reason.9 Página 194 The rc. run this script and then do: ping -c 1 host.txt script will reset and flush all your tables and chains.flush-iptables. When this step is done.the. This way we know there is no redundant rules lying around anywhere.internet And tail -n 0 -f /var/log/messages while doing the first command. It will work for mostly everyone though who has all the basic set up and all the basic tables loaded into kernel. but it might need some tweaking depending on your configuration. This way.

This table can not be edited and even if it was possible. The later can be a bit of a problem though. in this case you might want to run the -F option. Updating and flushing your tables If at some point you screw up your iptables. This table contains all the different connections currently tracked and serves as a basic table so we always know what state a connection currently is in. For example.1. To get around this problem we would do something like the following: iptables -L -n Another thing that might be interesting is to see a few statistics about each policy. it erases the first instance it finds matching your rule.168. rule and chain. If you added a rule in error.168.9 Página 195 Listing your active ruleset To list your currently active ruleset you run a special option to the iptables command.org/andreasson/iptables-tutorial/iptables-tutorial. For example. For example.1. I've actually gotten this question a couple times by now so I thought I'd answer it right here. to something useful. there are actually commands to flush them. it would be a bad idea. iptables -F INPUT will erase the whole INPUT chain.1.html 21:25:51 10/06/2002 . and translate everything possible to a more readable form. It would then look something like this: iptables -L -n -v There is also a few files that might be interesting to look at in the /proc filesystem. For example. in case you've got multiple lines looking exactly the same in the chain. There is also instances where you want to flush a whole chain.Iptables Tutorial 1. you might just change the -A parameter to -D in the line you added in error. ie 192.unix-fu. this will not change http://people. iptables will find the erroneous line and erase it for you.0. it will try to resolve LAN IP addresses. though. To see the table you can run the following command: cat /proc/net/conntrack | less The above command will show all currently tracked connections even though it might be a bit hard to understand everything. it might be interesting to know what connections are currently in the conntrack table. so you don't have to reboot. which we have discussed briefly previously in the How a rule is built chapter. 192.0/16 is a private range though and should not resolve to anything and the command will seem to hang while resolving the IP. If this is not the wanted behaviour you might try to use the -D option as iptables -D INPUT 10 which will erase the 10th rule in the INPUT chain. it will translate all the different ports according to the /etc/services file as well as DNS all the IP addresses to get DNS records instead. This would look like the following: iptables -L This command should list your currently active ruleset. We could get this by adding the verbose flag.

Postel and J. during Active FTP the client sends the server an IP address and random port to use and then the server connects to this port on the client. so if this is set to DROP you'll block the whole INPUT chain if used as above. read RFC 959 .html 21:25:51 10/06/2002 . Without these modules they can't recognize these kinds of connections.txt script so far. In case your client sits behind a Network Address Translationing system (iptables). Do note that the ip_nat_* modules are only needed in case you need and want to do Network Adress Translation on the connections. this script will not erase those. This RFC contains information regarding the FTP protocol and Active and Passive FTP and how they work. if you want to let people run IRC from your local network which is using a NAT'ed or masqueraded connection to the internet. the proceeding is reversed. Common problems and questionmarks Passive FTP but no DCC This is one of the really nice parts about the new iptables support in the 2. if you start mucking around in the mangle table. As you can understand from this document.Iptables Tutorial 1. you'd just load the ip_conntrack_irc and ip_nat_irc modules.x kernels. ip_conntrack_ftp and ip_nat_ftp code as modules and not statically into the kernel.org/andreasson/iptables-tutorial/iptables-tutorial. ip_nat_irc. I have made a small script (available as an appendix as well) that will flush and reset your iptables that you might consider using while setting up your rc. do as how you set it to DROP. To reset the chain policy. One thing though. The client tells the server that it wants to send or receive data and the server replies. For more information about Active and Passive FTP. Reynolds. State NEW packets but no SYN bit set http://people. but not allow DCC send functions with the new state matching code.firewall. but not the ip_conntrack_ftp and ip_nat_ftp modules. but not the ip_conntrack_irc and ip_nat_irc modules and then do: /usr/local/sbin/iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT To allow Passive FTP but not DCC. for example iptables -P INPUT ACCEPT. Just compile the ip_conntrack_irc.File Transfer Protocol by J.1. In Passive FTP.4. you would load the ip_conntrack_ftp and ip_nat_ftp modules. well. then the packets data section needs to be NAT'ed too.firewall. you can for example allow Passive FTP connections.txt file properly. but not DCC send.9 Página 196 the default policy. it is rather simple to add the few lines needed to erase those but I have not added those here since the mangle table is not used in my rc. telling the client what address to connect to and what port to use. If you would want to do the reverse. What these modules do is that they add support to the connection tracking machine and the NAT machine so they can distinguish and modify a Passive FTP connection or a DCC send connection.unix-fu. that is what the ip_nat_ftp module does. If you for example want to allow Passive FTP. its quite simple once you get to think of it. You may ask yourself how. ie.

This does however lead to the fact that state NEW will allow pretty much any kind of TCP connection. Start the connection tracking modules. This feature makes it possible to have two or more firewalls. when you start the PPP connection. Internet Service Providers who use assigned http://people. In other words. This only applies when you are running with the conntrack and nat codebases as modules.firewall. It will however not lead to broken connections to my knowledge. the connection tracking code will not recognise this connection as a legal connection since it has not seen packets in any direction on this connection before. regardless if this is the initial 3-way handshake or not. for instance.1. the packet will match to the rules and be logged and afterwards dropped to the ground. you connect with telnet or some other stream connection. and the modules are loaded and unloaded each time you run the script. Another way to get this problem is to run the rc. This is a badly documented behaviour of the netfilter/iptables project and should definitely be more highlighted. There is one more known problem with these rules.html 21:25:51 10/06/2002 . In this case. The firewalling of the subnet could then be taken over by our secondary firewall. including me). The matter is that when a connection gets closed and the final FIN/ACK has been sent and the state machine of netfilter has closed this connection and it is no longer in the conntrack table. and you have the script set to be activated when running a PPP connection. OUTPUT and FORWARD chain: $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP The above rules will take care of this problem. set the --log-headers option to the rule and log the headers too and you'll get a better look at what the packet looks like. At this point the faulty Microsoft implementation sends another packet which is considered as state NEW but lacks the SYN bit and hence gets matched by the above rules. the telnet client or daemon tries to send something.org/andreasson/iptables-tutorial/iptables-tutorial. or if you are worried anyways.Iptables Tutorial 1. also there will be no SYN bits set since it is not actually the first packet in the connection. and for one of the firewalls to go down without any loss of data. To take care of this problem we add the following rules to our firewalls INPUT.txt script from a telnet connection from a host not on the actual firewall. don't worry to much about this rule. packets with the SYN bit unset will get through your firewall. Note that there is some troubles with the above rules and bad Microsoft TCP/IP implementations. lets say from the LAN. In other words. This feature is there because in certain cases we want to consider that a packet may be part of an already ESTABLISHED connection on. If someone is currently connected to the firewall. The above rules will lead to certain conditions where packets generated by microsoft products gets labeled as a state NEW and hence get logged and dropped. To put it simple. the person previously connected through the LAN will be more or less killed. a huge warning is in it's place for this kind of behaviour on your firewall. Hence. If you use state NEW. another firewall.9 Página 197 There is a certain feature in iptables that is not so well documented and may therefore be overlooked by a lot of people(yes. then load the NEW not SYN packet rules. Finally.unix-fu.

which uses the 10.0. the swedish Internet Service Provider and phone monopoly Telia uses this approach for example on their DNS servers. or you could just comment out that part of the script. Well. ICMP types TYPE CODE Description 0 3 3 3 3 3 3 3 3 3 3 3 0 0 1 2 3 4 5 6 7 8 9 10 Echo Reply Network Unreachable Host Unreachable Protocol Unreachable Port Unreachable Fragmentation needed but no frag.1. This is how it might look: /usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10. do not allow connections from any IP addresses in the 10.x IP address range. at least not to my knowledge. but you are not supposed to force us to open up ourself just because of some whince of yours. ICMP types This is a complete listing of all ICMP types: Table 1.org/andreasson/iptables-tutorial/iptables-tutorial. The problem you will most probably run into is that we. or your own home network.x. here is unfortunately an example where you actually might have to lift a bit on those rules.0.unix-fu. in this script.x.x.html 21:25:51 10/06/2002 . Certain stupid Internet Service Providers use IP addresses assigned by IANA for their local networks on which you connect to. because of spoofing possibilities. bit set Source routing failed Destination network unknown Destination host unknown Source host isolated (obsolete) Destination network administratively prohibited Destination host administratively prohibited Query x x x x x x x x x x x x Error http://people.1/32 -j ACCEPT I would like to take my moment to bitch at these Internet Service Providers.Iptables Tutorial 1.9 Página 198 IP addresses I have added this since a friend of mine told me something I have totally forgotten. You might just insert an ACCEPT rule above the spoof section to allow traffic from those DNS servers. For large corporate sites it is more than ok. These IP address ranges are not assigned for you to use for dumb stuff like this. For example.x.x range to us.

A little bit short but a good reference for the IP networking controls and what they do to the kernel.14 kernel.unix-fu.4.org/andreasson/iptables-tutorial/iptables-tutorial. etc : ip-sysctl. http://people.1.txt .Iptables Tutorial 1.9 Página 199 3 3 3 3 3 4 5 5 5 5 8 9 10 11 11 12 12 13 14 15 16 17 18 11 12 13 14 15 0 0 1 2 3 0 0 0 0 1 0 1 0 Network unreachable for TOS Host unreachable for TOS Communication administratively prohibited by filtering Host precedence violation Precedence cutoff in effect Source quench Redirect for network Redirect for host Redirect for TOS and network Redirect for TOS and host Echo request Router advertisement Route sollicitation TTL equals 0 during transit TTL equals 0 during reassembly IP header bad (catchall error) Required options missing Timestamp request (obsolete) Timestamp reply (obsolete) x x x x x x x x x x x x x x x x 0 0 0 0 Information request (obsolete) Information reply (obsolete) Address mask request Address mask reply Other resources and links Here is a list of links to resources and where I have gotten information from.from the 2.html 21:25:51 10/06/2002 .

8 .html 21:25:51 10/06/2002 .Rusty Russells Unreliable Netfilter Hacking HOWTO. One of the few documentations on how to write code in the netfilter and iptables userspace and kernel space codebase. Always have it at hand. Excellent documentation about Network Address Translation in iptables and netfilter written by one of the core developers. Excellent documentation about basic packet filtering with iptables written by one of the core developers of iptables and netfilter.filewatcher.islandsoft.html .org/ .Excellent linkpage with links to most of the pages on the internet about iptables and netfilter.org/netfilter-faq.The official netfilter mailing-list.9 Página 200 ip_dynaddr.samba. http://netfilter.html .filewatcher.net/veerapen. This is an HTML'ized version of the man page which is an excellent reference when reading/writing iptables rulesets.html . One of the few sites that has any information at all about these programs.4.from the 2.org/andreasson/iptables-tutorial/iptables-tutorial. Maintained by Stef Coene.filewatcher.Rusty Russells Unreliable Guide to packet filtering.1. Also a good place to stat at when wondering what iptables and netfilter is about. http://www. http://netfilter. Extremely useful in case you have questions about something not covered in this document or any of the other links here.Iptables Tutorial 1. http://netfilter. http://netfilter.filewatcher.org/mailman/listinfo/netfilter .org/unreliable-guides/packet-filtering-HOWTO/index. It is a must for everyone wanting to set up iptables and netfilter in linux.filewatcher.linuxguruz. http://netfilter.org/iptables/ .org .html . http://lists. tc and the ip commands in Linux. http://www. Rusty Russell.Excellent information about the CBQ. http://people.org/unreliable-guides/netfilter-hacking-HOWTO/index.The official netfilter Frequently Asked Questions.The official netfilter and iptables site.docum.The iptables 1.txt . And of course the iptables source. This was also written by Rusty Russell.unix-fu. A really short reference to the ip_dynaddr settings available via sysctl and the proc filesystem. Also maintains a list of different iptables scripts for different purposes. documentation and individuals who helped me.Excellent discussion on automatic hardening of iptables and how to make small changes that will make your computer automatically add hostile sites to a special banlist in iptables.org/unreliable-guides/NAT-HOWTO/index.html .Rusty Russells Unreliable Guide to Network Address Translation.2. http://www.14 kernel. iptables.4 man page.

com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Contributors: Vince Herried.unix-fu. Jason Lam and Evan Nemerson Version 1. Nyboe.boingworld. or at least on the internet for you. and you're better than most I know who do graphics. Neil Jolly.boingworld. Galen Johnson. For hinting me about strange ISP's and so on that uses reserved networks on the Internet. And of course everyone else I talked to and asked for comments on this file. Alexander W.1. Jeremy `Spliffy' Smith. Chapman Brad. Janssen. Peter Horst.boingworld.com/workshops/linux/iptables-tutorial/ http://people.1. sorry for not mentioning everyone. Kelly Ashe.7 (4 February 2002) http://www. For greatly improving the rc.Iptables Tutorial 1. History Version 1. Both for making me realize I was thinking wrong about how packets traverse the basic NAT and filters tables and in which order they show up. For helping me out with the graphics. For helping me out with some of the state matching code and getting it to work. Frode E.1. For giving me hints at stuff that might screw up for people and for trying it out and checking for errors in what I've written.html 21:25:51 10/06/2002 . For major updates to my horrible grammar and spelling. Togan Muftuoglu.9 Página 201 Acknowledgements I would like to thank the following people for their help on this document: Fabrice Marie. Anders 'DeZENT' Johansson.9 (21 March 2002) http://www. Janne Johansson. Mitch Landers. Kent `Artech' Stahre.8 (5 March 2002) http://www. Thomas Smets.org/andreasson/iptables-tutorial/iptables-tutorial.1. Also thanks for checking the tutorial for errors etc. Marc Boucher. For helping me out on some aspects on using the state matching code.firewall rules and giving great inspiration while i was to rewrite the ruleset and being the one who introduced the multiple table traversing into the same file. Also a huge thanks for updating the tutorial to DocBook format with make files etc. Jelle Kalf.com/workshops/linux/iptables-tutorial/ By: Oskar Andreasson Version 1. Michiel Brandenburg. Myles Uyema. I know I suck at graphics.).

Version 1.4 (6 November 2001) http://people.org/andreasson/iptables-tutorial/iptables-tutorial.9 (9 September 2001) http://people.1. Phil Schultz. N. Chris Tallon. Erik Sjölund.1.unix-fu. Vasoo Veerapen.unix-fu.1 (26 September 2001) http://people.1.org/andreasson By: Oskar Andreasson Contributors: Joni Chu.1.Emile Akabi-Davis and Jelle Kalf Version 1.0.org/andreasson/ By: Oskar Andreasson Contributors: Fabrice Marie.org/andreasson By: Oskar Andreasson Contributors: Dave Richardson Version 1.unix-fu.1.unix-fu. Jacco van Koll and Dave Wreski Version 1.unix-fu.0 (15 September 2001) http://people. Dave Wreski. Steve Hnizdur. Phil Schultz. Doug Monroe.org/andreasson By: Oskar Andreasson Version 1. Aladdin and Rusty Russell.1.0.7 (23 August 2001) http://people.2 (29 September 2001) http://people.unix-fu. Rodrigo R. Jasper Aikema.unix-fu.8 (7 September 2001) http://people. Kurt Lieber. Chris Pluta and Kurt Lieber Version 1.org/andreasson By: Oskar Andreasson Version 1. Jensen. Göran Båge.unix-fu.org/andreasson/ By: Oskar Andreasson Contributors: Jim Ramsey.0. Steven McClintoc. Jan Labanowski.9 Página 202 By: Oskar Andreasson Contributors: Parimi Ravi. Merijn Schering and Kurt Lieber Version 1. Jonas Pasche. Adam Mansbridge. Chris Martin.org/andreasson By: Oskar Andreasson Version 1. Bill Dossett.html 21:25:51 10/06/2002 .1.6 (7 December 2001) http://people. Branco.5 (14 November 2001) http://people.org/andreasson By: Oskar Andreasson Version 1.Iptables Tutorial 1.org/andreasson By: Oskar Andreasson Contributors: Stig W.1.unix-fu.unix-fu.3 (9 October 2001) http://people.

MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1. Boston. regardless of subject matter or whether it is published as a printed book. It complements the GNU General Public License.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie GNU Free Documentation License Version 1. 59 Temple Place.1. We have designed this License in order to use it for manuals for free software. 1. which means that derivative works of the document must themselves be free in the same sense.unix-fu.html 21:25:51 10/06/2002 . or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it.unix-fu. APPLICABILITY AND DEFINITIONS http://people. this License preserves for the author and publisher a way to get credit for their work. while not being considered responsible for modifications made by others. with or without modifying it. but changing it is not allowed.6 http://people. March 2000 Copyright (C) 2000 Free Software Foundation.9 Página 203 http://people. Inc.unix-fu.unix-fu. PREAMBLE The purpose of this License is to make a manual. Suite 330. textbook. 0.0. This License is a kind of "copyleft". which is a copyleft license designed for free software. But this License is not limited to software manuals.1.5 http://people. because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. it can be used for any textual work. We recommend this License principally for works whose purpose is instruction or reference.0. Secondarily.org/andreasson By: Oskar Andreasson Version 1. either commercially or noncommercially.org/andreasson By: Oskar Andreasson Contributors: Fabrice Marie Version 1.

A "Transparent" copy of the Document means a machine-readable copy.1. "Title Page" means the text near the most prominent appearance of the work's title. for a printed book. and that you add no other conditions whatsoever to those of this License. and the machine-generated HTML produced by some word processors for output purposes only. provided that this License. SGML or XML for which the DTD and/or processing tools are not generally available. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. preceding the beginning of the body of the text. The "Cover Texts" are certain short passages of text that are listed. (For example. whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor. either copied verbatim. Examples of suitable formats for Transparent copies include plain ASCII without markup. or of legal. philosophical.unix-fu. or with modifications and/or translated into another language. The "Document". if the Document is in part a textbook of mathematics. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. commercial.html 21:25:51 10/06/2002 . 2. the title page itself. LaTeX input format.) The relationship could be a matter of historical connection with the subject or with related matters. the copyright notices. and the license notice saying this License applies to the Document are reproduced in all copies. refers to any such manual or work. a Secondary Section may not explain any mathematics. The "Title Page" means. A "Modified Version" of the Document means any work containing the Document or a portion of it. You may not use technical measures to obstruct or control the reading or further copying of the http://people. and is addressed as "you". legibly. proprietary formats that can be read and edited only by proprietary word processors. in the notice that says that the Document is released under this License. plus such following pages as are needed to hold. VERBATIM COPYING You may copy and distribute the Document in any medium.Iptables Tutorial 1. the material this License requires to appear in the title page. PDF. A copy that is not "Transparent" is called "Opaque". in the notice that says that the Document is released under this License. represented in a format whose specification is available to the general public. and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. ethical or political position regarding them.org/andreasson/iptables-tutorial/iptables-tutorial. and standard-conforming simple HTML designed for human modification. as being those of Invariant Sections. The "Invariant Sections" are certain Secondary Sections whose titles are designated. either commercially or noncommercially. SGML or XML using a publicly available DTD. Opaque formats include PostScript.9 Página 204 This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. as Front-Cover Texts or Back-Cover Texts. Any member of the public is a licensee. For works in formats which do not have any title page as such. below. Texinfo input format.

if any) a title distinct from that of the Document. If you distribute a large enough number of copies you must also follow the conditions in section 3. and from those of previous versions (which should. to give them a chance to provide you with an updated version of the Document. If you publish or distribute Opaque copies of the Document numbering more than 100. It is requested.unix-fu. can be treated as verbatim copying in other respects. In addition. you should put the first ones listed (as many as fit reasonably) on the actual cover. 3. provided that you release the Modified Version under precisely this License. and the Document's license notice requires Cover Texts. all these Cover Texts: Front-Cover Texts on the front cover. or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document. free of added material. However. If the required texts for either cover are too voluminous to fit legibly. you must either include a machine-readable Transparent copy along with each Opaque copy. clearly and legibly. you may accept compensation in exchange for copies. Both covers must also clearly and legibly identify you as the publisher of these copies.1. thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission. and you may publicly display copies. with the Modified Version filling the role of the Document. and Back-Cover Texts on the back cover. under the same conditions stated above. that you contact the authors of the Document well before redistributing any large number of copies.Iptables Tutorial 1. and continue the rest onto adjacent pages.9 Página 205 copies you make or distribute. but not required. COPYING IN QUANTITY If you publish printed copies of the Document numbering more than 100. when you begin distribution of Opaque copies in quantity. Copying with changes limited to the covers. Use in the Title Page (and on the covers. you must enclose the copies in covers that carry.html 21:25:51 10/06/2002 . as long as they preserve the title of the Document and satisfy these conditions. You may also lend copies. http://people. if there were any. you must take reasonably prudent steps. The front cover must present the full title with all words of the title equally prominent and visible. If you use the latter option. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above. You may add other material on the covers in addition. to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. which the general network-using public has access to download anonymously at no charge using public-standard network protocols.org/andreasson/iptables-tutorial/iptables-tutorial. you must do these things in the Modified Version: A. 4.

These titles must be distinct from any other section titles. Preserve the network location. F. N. E. D. In any section entitled "Acknowledgements" or "Dedications". one or more persons or entities responsible for authorship of the modifications in the Modified Version. and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein. I.1. J. authors. G. Preserve all the copyright notices of the Document. in the form shown in the Addendum below. C. State on the Title page the name of the publisher of the Modified Version. or if the original publisher of the version it refers to gives permission. year. preserve the section's title.html 21:25:51 10/06/2002 . if it has less than five). a license notice giving the public permission to use the Modified Version under the terms of this License. L. add their titles to the list of Invariant Sections in the Modified Version's license notice. If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document. new authors.org/andreasson/iptables-tutorial/iptables-tutorial. Include an unaltered copy of this License. and publisher of the Document as given on its Title Page. Include. and its title. and likewise the network locations given in the Document for previous versions it was based on. K. If there is no section entitled "History" in the Document. H. Preserve all the Invariant Sections of the Document. unaltered in their text and in their titles.Iptables Tutorial 1. and add to it an item stating at least the title. you may at your option designate some or all of these sections as invariant.9 Página 206 B. You may omit a network location for a work that was published at least four years before the Document itself. and publisher of the Modified Version as given on the Title Page. Such a section may not be included in the Modified Version. To do this. as the publisher.unix-fu. year. as authors. M. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section. given in the Document for public access to a Transparent copy of the Document. These may be placed in the "History" section. together with at least five of the principal authors of the Document (all of its principal authors. Preserve the section entitled "History". immediately after the copyright notices. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice. List on the Title Page. http://people. if any. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices. Delete any section entitled "Endorsements". then add an item describing the Modified Version as stated in the previous sentence. create one stating the title. Section numbers or the equivalent are not considered part of the section titles.

You may add a passage of up to five words as a Front-Cover Text. statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. provided you insert a copy of this License into the extracted document. under the terms defined in section 4 above for modified versions. http://people. or else a unique number. If there are multiple Invariant Sections with the same name but different contents. forming one section entitled "History".1. You may extract a single document from such a collection. COLLECTIONS OF DOCUMENTS You may make a collection consisting of the Document and other documents released under this License. previously added by you or by arrangement made by the same entity you are acting on behalf of. provided that you include in the combination all of the Invariant Sections of all of the original documents. and replace the individual copies of this License in the various documents with a single copy that is included in the collection. but you may replace the old one. make the title of each such section unique by adding at the end of it. you must combine any sections entitled "History" in the various original documents.html 21:25:51 10/06/2002 . likewise combine any sections entitled "Acknowledgements". You must delete all sections entitled "Endorsements. If the Document already includes a cover text for the same cover.9 Página 207 You may add a section entitled "Endorsements". on explicit permission from the previous publisher that added the old one. you may not add another. and any sections entitled "Dedications". The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.unix-fu." 6. provided it contains nothing but endorsements of your Modified Version by various parties--for example.org/andreasson/iptables-tutorial/iptables-tutorial. COMBINING DOCUMENTS You may combine the Document with other documents released under this License. the name of the original author or publisher of that section if known. 5. and a passage of up to 25 words as a Back-Cover Text. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. and distribute it individually under this License. in parentheses.Iptables Tutorial 1. and follow this License in all other respects regarding verbatim copying of that document. and list them all as Invariant Sections of your combined work in its license notice. In the combination. The combined work need only contain one copy of this License. to the end of the list of Cover Texts in the Modified Version. unmodified. and multiple identical Invariant Sections may be replaced with a single copy.

Replacing Invariant Sections with translations requires special permission from their copyright holders. provided no compilation copyright is claimed for the compilation. but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. If the Cover Text requirement of section 3 is applicable to these copies of the Document. FUTURE REVISIONS OF THIS LICENSE The Free Software Foundation may publish new. revised versions of the GNU Free Documentation License from time to time. sublicense or distribute the Document is void.org/copyleft/. In case of a disagreement between the translation and the original English version of this License.9 Página 208 7. parties who have received copies. TRANSLATION Translation is considered a kind of modification. Such new versions will be similar in spirit to the present version. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. AGGREGATION WITH INDEPENDENT WORKS A compilation of the Document or its derivatives with other separate and independent documents or works. or distribute the Document except as expressly provided for under this License. so you may distribute translations of the Document under the terms of section 4. in or on a volume of a storage or distribution medium. sublicense.Iptables Tutorial 1. You may include a translation of this License provided that you also include the original English version of this License. See http://www. the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. However. Otherwise they must appear on covers around the whole aggregate.gnu. 8. TERMINATION You may not copy. the original English version will prevail.html 21:25:51 10/06/2002 . if they are not themselves derivative works of the Document. and this License does not apply to the other self-contained works thus compiled with the Document. 10. and will automatically terminate your rights under this License. does not as a whole count as a Modified Version of the Document. then if the Document is less than one quarter of the entire aggregate. http://people. or rights. modify. modify.org/andreasson/iptables-tutorial/iptables-tutorial. on account of their being thus compiled. Such a compilation is called an "aggregate".unix-fu. Any other attempt to copy. 9. but may differ in detail to address new problems or concerns.1.

How to use this License for your documents To use this License in a document you have written.org/andreasson/iptables-tutorial/iptables-tutorial. likewise for Back-Cover Texts. By contrast. June 1991 Copyright (C) 1989.1. 59 Temple Place. Version 1. If the Document does not specify a version number of this License. A copy of the license is included in the section entitled "GNU Free Documentation License". you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. include a copy of the License in the document and put the following copyright and license notices just after the title page: Copyright (c) YEAR YOUR NAME. Inc. Boston. with the Front-Cover Texts being LIST. and with the Back-Cover Texts being LIST.unix-fu. such as the GNU General Public License. If your document contains nontrivial examples of program code. 0. Suite 330. Preamble The licenses for most software are designed to take away your freedom to share and change it. GNU General Public License Version 2.html 21:25:51 10/06/2002 .Iptables Tutorial 1. but changing it is not allowed.1 or any later version published by the Free Software Foundation. we recommend releasing these examples in parallel under your choice of free software license. you may choose any version ever published (not as a draft) by the Free Software Foundation. write "with no Invariant Sections" instead of saying which ones are invariant. If the Document specifies that a particular numbered version of this License "or any later version" applies to it. If you have no Invariant Sections. 1991 Free Software Foundation.9 Página 209 Each version of the License is given a distinguishing version number. distribute and/or modify this document under the terms of the GNU Free Documentation License. write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST". Permission is granted to copy. with the Invariant Sections being LIST THEIR TITLES. to permit their use in free software. MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document. If you have no Front-Cover Texts. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to http://people. the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

These restrictions translate to certain responsibilities for you if you distribute copies of the software. distribute and/or modify the software. Activities other than copying.Iptables Tutorial 1. in effect making the program proprietary. either verbatim or with modifications and/or translated into another language. 1. translation is included without limitation in the term "modification". we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.9 Página 210 using it. any free program is threatened constantly by software patents. and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say. DISTRIBUTION AND MODIFICATION 1. we want to make certain that everyone understands that there is no warranty for this free software. The precise terms and conditions for copying. We protect your rights with two steps: (1) copyright the software.1. not price. When we speak of free software. TERMS AND CONDITIONS FOR COPYING. or if you modify it. The "Program".) You can apply it to your programs.html 21:25:51 10/06/2002 .) Each licensee is addressed as "you". for each author's protection and ours. and that you know you can do these things. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses. And you must show them these terms so they know their rights. Also. we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights.unix-fu. To protect your rights. You must make sure that they.org/andreasson/iptables-tutorial/iptables-tutorial. refers to any such program or work. (Hereinafter. if you distribute copies of such a program. whether gratis or for a fee. below. Finally. For example. To prevent this. that you can change the software or use pieces of it in new free programs. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. distribution and modification follow. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish). and the output from the Program is covered only if its contents constitute a work based on the Program (independent of http://people. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead. too. so that any problems introduced by others will not reflect on the original authors' reputations. The act of running the Program is not restricted. a work containing the Program or a portion of it. too. If the software is modified by someone else and passed on. and (2) offer you this license which gives you legal permission to copy. they are outside its scope. we are referring to freedom. receive or can get the source code. we want its recipients to know that what they have is not the original. you must give the recipients all the rights that you have. distribution and modification are not covered by this License. that you receive source code or can get it if you want it.

rather. mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. If identifiable sections of that work are not derived from the Program. You may modify your copy or copies of the Program or any portion of it. then this License. that in whole or in part contains or is derived from the Program or any part thereof.) These requirements apply to the modified work as a whole. saying that you provide a warranty) and that users may redistribute the program under these conditions. and give any other recipients of the Program a copy of this License along with the Program. (Exception: if the Program itself is interactive but does not normally print such an announcement. 3. 3. Whether that is true depends on what the Program does. 4. and thus to each and every part regardless of who wrote it. do not apply to those sections when you distribute them as separate works. it is not the intent of this section to claim rights or contest your rights to work written entirely by you.html 21:25:51 10/06/2002 . your work based on the Program is not required to print an announcement. and copy and distribute such modifications or work under the terms of Section 1 above. You must cause any work that you distribute or publish. you must cause it. under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: http://people. thus forming a work based on the Program. and can be reasonably considered independent and separate works in themselves. the distribution of the whole must be on the terms of this License. in any medium. provided that you also meet all of these conditions: 1. If the modified program normally reads commands interactively when run. whose permissions for other licensees extend to the entire whole. In addition. provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty. to be licensed as a whole at no charge to all third parties under the terms of this License.unix-fu. and its terms. to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else. You may charge a fee for the physical act of transferring a copy.9 Página 211 having been made by running the Program). 2. You may copy and distribute verbatim copies of the Program's source code as you receive it. 5.1. the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. keep intact all the notices that refer to this License and to the absence of any warranty.Iptables Tutorial 1. You may copy and distribute the Program (or a work based on it. and you may at your option offer warranty protection in exchange for a fee. Thus. But when you distribute the same sections as part of a whole which is a work based on the Program. when started running for such interactive use in the most ordinary way. and telling the user how to view a copy of this License.org/andreasson/iptables-tutorial/iptables-tutorial. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

plus the scripts used to control compilation and installation of the executable. kernel. they do not excuse you from http://people. sublicense.html 21:25:51 10/06/2002 . You may not copy. However.org/andreasson/iptables-tutorial/iptables-tutorial. complete source code means all the source code for all modules it contains. nothing else grants you permission to modify or distribute the Program or its derivative works. If distribution of executable or object code is made by offering access to copy from a designated place. as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues).9 Página 212 A. plus any associated interface definition files. and will automatically terminate your rights under this License.) 6. Each time you redistribute the Program (or any work based on the Program). 7. 8. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer. a complete machine-readable copy of the corresponding source code. and all its terms and conditions for copying.unix-fu. valid for at least three years. or.Iptables Tutorial 1. conditions are imposed on you (whether by court order. the recipient automatically receives a license from the original licensor to copy. Any attempt otherwise to copy. in accord with Subsection b above. agreement or otherwise) that contradict the conditions of this License. for a charge no more than your cost of physically performing source distribution. modify. to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. If. by modifying or distributing the Program (or any work based on the Program). Accompany it with a written offer. as a special exception. C. B. Therefore. distributing or modifying the Program or works based on it. the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler. which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. since you have not signed it. unless that component itself accompanies the executable. or distribute the Program except as expressly provided under this License. or rights. even though third parties are not compelled to copy the source along with the object code. Accompany it with the information you received as to the offer to distribute corresponding source code. parties who have received copies. then offering equivalent access to copy the source code from the same place counts as distribution of the source code. you indicate your acceptance of this License to do so.1. distribute or modify the Program subject to these terms and conditions. to give any third party. sublicense or distribute the Program is void. 10. Accompany it with the complete corresponding machine-readable source code. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License. You are not responsible for enforcing compliance by third parties to this License. or. and so on) of the operating system on which the executable runs. These actions are prohibited by law if you do not accept this License. However. However. modify. For an executable work. The source code for a work means the preferred form of the work for making modifications to it.

we sometimes make exceptions for this. write to the author to ask for permission.9 Página 213 the conditions of this License. Such new versions will be similar in spirit to the present version. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. For software which is copyrighted by the Free Software Foundation. this section has the sole purpose of protecting the integrity of the free software distribution system. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims.Iptables Tutorial 1. the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries. If the Program does not specify a version number of this License. the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. If any portion of this section is held invalid or unenforceable under any particular circumstance. which is implemented by public license practices. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. If the Program specifies a version number of this License which applies to it and "any later version".unix-fu. but may differ in detail to address new problems or concerns. this License incorporates the limitation as if written in the body of this License. if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you. 11.org/andreasson/iptables-tutorial/iptables-tutorial. it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.html 21:25:51 10/06/2002 . The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. 14. 12. Each version is given a distinguishing version number. write to the Free Software Foundation.1. THERE IS NO WARRANTY FOR THE PROGRAM. so that distribution is permitted only in or among countries not thus excluded. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces. In such case. you may choose any version ever published by the Free Software Foundation. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different. For example. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system. TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT http://people. then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations. 13. NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE. then as a consequence you may not distribute the Program at all.

attach the following notices to the program. Boston. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 59 Temple Place. REPAIR OR CORRECTION. OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE. How to Apply These Terms to Your New Programs If you develop a new program. EITHER EXPRESSED OR IMPLIED. but WITHOUT ANY WARRANTY. Suite 330. and you want it to be of the greatest possible use to the public. SHOULD THE PROGRAM PROVE DEFECTIVE. See the GNU General Public License for more details. YOU ASSUME THE COST OF ALL NECESSARY SERVICING. if not. MA 02111-1307 USA http://people.> Copyright (C) <year> <name of author> This program is free software. or (at your option) any later version. BE LIABLE TO YOU FOR DAMAGES. INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS). To do so. You should have received a copy of the GNU General Public License along with this program.unix-fu.9 Página 214 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND.Iptables Tutorial 1. the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.org/andreasson/iptables-tutorial/iptables-tutorial. 16. write to the Free Software Foundation. INCLUDING ANY GENERAL. Inc. either version 2 of the License.1. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. <one line to give the program's name and a brief idea of what it does. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER. This program is distributed in the hope that it will be useful. you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BUT NOT LIMITED TO. INCLUDING. and each file should have at least the "copyright" line and a pointer to where the full notice is found.. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. END OF TERMS AND CONDITIONS 2. SPECIAL.html 21:25:51 10/06/2002 .

make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.Iptables Tutorial 1. Of course. they could even be mouse-clicks or menu items--whatever suits your program. Example scripts codebase Example rc. If your program is a subroutine library. http://people.4. hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. to sign a "copyright disclaimer" for the program.unix-fu. the commands you use may be called something other than `show w' and `show c'. alter the names: Yoyodyne.firewall script #!/bin/sh # # rc. you may consider it more useful to permit linking proprietary applications with the library. for details type `show w'.1. Here is a sample. You should also get your employer (if you work as a programmer) or your school. If this is what you want to do.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.org/andreasson/iptables-tutorial/iptables-tutorial. use the GNU Library General Public License instead of this License. President of Vice This General Public License does not permit incorporating your program into proprietary programs. # # This program is distributed in the hope that it will be useful. if necessary.Initial SIMPLE IP Firewall script for Linux 2. Inc. if any. # but WITHOUT ANY WARRANTY. 1 April 1989 Ty Coon.firewall .. <signature of Ty Coon>.9 Página 215 Also add information on how to contact you by electronic and paper mail. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. version 2 of the License. Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY. and you are welcome to redistribute it under certain conditions. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License.net> # # This program is free software. type `show c' for details. This is free software. See the # GNU General Public License for more details. If the program is interactive.html 21:25:51 10/06/2002 .

9 Página 216 # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # LO_IFACE="lo" LO_IP="127.org/andreasson/iptables-tutorial/iptables-tutorial.1 Internet Configuration.. # # # 1.255. 59 Temple # Place.2 PPPoE # # # 1.255" LAN_IFACE="eth1" # # 1.unix-fu. Boston.0. Inc.0.1" http://people.255. Suite 330. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. Configuration options.2" LAN_IP_RANGE="192.0/16" LAN_BCAST_ADRESS="192.255.50.236. # # # 1.1.155" INET_IFACE="eth0" # # 1. if not.1.html 21:25:51 10/06/2002 .2 Local Area Network configuration.1.1 DHCP # # # 1.3 DMZ Configuration.4 Localhost Configuration.168. the same as netmask 255. write to the Free Software Foundation. MA 02111-1307 USA # ########################################################################### # # 1.168.0.Iptables Tutorial 1. # INET_IP="194.0.0 # LAN_IP="192.168.

# ########################################################################### # # 2.1. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. # http://people.9 Página 217 # # 1.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3.unix-fu. Module loading.org/andreasson/iptables-tutorial/iptables-tutorial.5 IPTables Configuration. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.Iptables Tutorial 1. /proc set up.html 21:25:51 10/06/2002 .

1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.9 Página 218 # # 3.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1. rules set up.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.Iptables Tutorial 1.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.html 21:25:51 10/06/2002 . TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets http://people.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.1 Filter table # # # 4.1. # ###### # 4.

org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 .1.Iptables Tutorial 1.1.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT http://people.9 Página 219 $IPTABLES -N udpincoming_packets # # 4.unix-fu.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.

# $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.html 21:25:51 10/06/2002 .unix-fu.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward http://people.1.Iptables Tutorial 1.9 Página 220 # # 4. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial.RELATED \ -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.4 INPUT chain # # # Bad TCP packets we don't want.1.1.

1.unix-fu.2 Create user specified chains # http://people.2.Iptables Tutorial 1.1.2 nat table # # # 4.RELATED -j ACCEPT # # Log weird packets that don't match the above.9 Página 221 # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002 . # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above.6 OUTPUT chain # # # Bad TCP packets we don't want.1 Set policies # # # 4. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2.

3.4 PREROUTING chain # # # 4.2.5 INPUT chain # # # 4.3.1 Set policies # # # 4.2 Create user specified chains # # # 4.html 21:25:51 10/06/2002 .3.3.6 FORWARD chain # http://people.Iptables Tutorial 1.2.6 OUTPUT chain # ###### # 4.3 Create content in user specified chains # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.3.3.2.9 Página 222 # # 4.4 PREROUTING chain # # # 4.3 mangle table # # # 4.1.3 Create content in user specified chains # # # 4.unix-fu.2.

write to the Free Software Foundation.firewall script #!/bin/sh # # rc.236.DMZ IP Firewall script for Linux 2.1. if not.8 POSTROUTING chain # Example rc.org/andreasson/iptables-tutorial/iptables-tutorial. # INET_IP="194. # but WITHOUT ANY WARRANTY.153" DNS_IP="194. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.3. # # This program is distributed in the hope that it will be useful.3.236.html 21:25:51 10/06/2002 . Boston. Configuration options.50. # # # 1.1 Internet Configuration. See the # GNU General Public License for more details. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.net> # # This program is free software.DMZ.DMZ.9 Página 223 # # 4.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. MA 02111-1307 USA # ########################################################################### # # 1.4.7 OUTPUT chain # # # 4. Suite 330.50. Inc.unix-fu.firewall . 59 Temple # Place.50.154" INET_IFACE="eth0" http://people.Iptables Tutorial 1.236. version 2 of the License..152" HTTP_IP="194.

Iptables Tutorial 1.1.9

Página 224

# # 1.1.1 DHCP # # # 1.1.2 PPPoE # # # 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1" # # 1.3 DMZ Configuration. # DMZ_HTTP_IP="192.168.1.2" DMZ_DNS_IP="192.168.1.3" DMZ_IP="192.168.1.1" DMZ_IFACE="eth2" # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. # ########################################################################### # # 2. Module loading. http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 225

# # # Needed to initially load modules # /sbin/depmod -a

# # 2.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 226

#echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.1.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 227

# # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # 4.1.4 INPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Packets from the Internet to this box # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # # Packets from LAN, DMZ or LOCALHOST # # # From DMZ Interface to DMZ firewall IP # $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT # # From LAN Interface to LAN firewall IP # $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 228

# # From Localhost interface to Localhost IP # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT # # All established and related packets incoming from the internet to the # firewall # $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \ -j ACCEPT # # Logging rule # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.1.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# # DMZ section # # General rules # $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \ --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT # # HTTP server # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Allow ourself to send packets not spoofed everywhere # $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT http://people.org/andreasson/iptables-tutorial/iptables-tutorial.1.1.html 21:25:51 10/06/2002 .unix-fu.RELATED -j ACCEPT # # LOG all packets reaching here # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.9 Página 229 $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ --dport 80 -j allowed $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \ -j icmp_packets # # DNS server # $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j allowed $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ --dport 53 -j ACCEPT $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \ -j icmp_packets # # LAN section # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.Iptables Tutorial 1.

Iptables Tutorial 1.1.9

Página 230

# # Logging rule # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2 nat table # # # 4.2.1 Set policies # # # 4.2.2 Create user specified chains # # # 4.2.3 Create content in user specified chains # # # 4.2.4 PREROUTING chain # # # Enable IP Destination NAT for DMZ zone # $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \ -j DNAT --to-destination $DMZ_HTTP_IP $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \ -j DNAT --to-destination $DMZ_DNS_IP # # 4.2.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 231

# # 4.2.6 OUTPUT chain # ###### # 4.3 mangle table # # # 4.3.1 Set policies # # # 4.3.2 Create user specified chains # # # 4.3.3 Create content in user specified chains # # # 4.3.4 PREROUTING chain # # # 4.3.5 INPUT chain # # # 4.3.6 FORWARD chain # # # 4.3.7 OUTPUT chain # # # 4.3.8 POSTROUTING chain #

Example rc.UTIN.firewall script
#!/bin/sh # # rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables # http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 232

# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA 02111-1307 USA # ########################################################################### # # 1. Configuration options. # # # 1.1 Internet Configuration. # INET_IP="194.236.50.155" INET_IFACE="eth0" # # 1.1.1 DHCP # # # 1.1.2 PPPoE # # # 1.2 Local Area Network configuration. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # LAN_IP="192.168.0.2" LAN_IP_RANGE="192.168.0.0/16" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth1"

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 233

# # 1.3 DMZ Configuration. # # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/usr/sbin/iptables" # # 1.6 Other Configuration. # ########################################################################### # # 2. Module loading. # # # Needed to initially load modules # /sbin/depmod -a # # 2.1 Required modules # /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state # # 2.2 Non-Required modules #

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

21:25:51 10/06/2002

Iptables Tutorial 1.1.9

Página 234

#/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. /proc set up. # # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr

########################################################################### # # 4. rules set up. # ###### # 4.1 Filter table # # # 4.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.2 Create userspecified chains # # # Create chain for bad tcp packets http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html 21:25:51 10/06/2002

1.html 21:25:51 10/06/2002 .9 Página 235 # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.1. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.Iptables Tutorial 1.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed http://people.

org/andreasson/iptables-tutorial/iptables-tutorial.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.html 21:25:51 10/06/2002 .1.Iptables Tutorial 1.9 Página 236 # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.1.1.RELATED \ -j ACCEPT # # Log weird packets that don't match the above.5 FORWARD chain # http://people.unix-fu. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from anywhere # $IPTABLES -A INPUT -p ICMP -j icmp_packets $IPTABLES -A INPUT -p TCP -j tcp_packets $IPTABLES -A INPUT -p UDP -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED.

# $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.org/andreasson/iptables-tutorial/iptables-tutorial.1. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4. # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.Iptables Tutorial 1.9 Página 237 # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward between interfaces.6 OUTPUT chain # # # Bad TCP packets we don't want.html 21:25:51 10/06/2002 .1. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.2 nat table http://people.RELATED -j ACCEPT # # Log weird packets that don't match the above.unix-fu.

html 21:25:51 10/06/2002 .3.6 OUTPUT chain # ###### # 4.4 PREROUTING chain # # # 4.5 POSTROUTING chain # # # Enable simple IP Forwarding and Network Address Translation # $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP # # 4.9 Página 238 # # # 4.3.2.3.1 Set policies # # # 4.2 Create user specified chains # # # 4.3 Create content in user specified chains # # http://people.unix-fu.Iptables Tutorial 1.2.1.2.1 Set policies # # # 4.2 Create user specified chains # # # 4.2.3 mangle table # # # 4.org/andreasson/iptables-tutorial/iptables-tutorial.2.2.3 Create content in user specified chains # # # 4.

without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.firewall .9 Página 239 # 4. Inc.3. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation.3. # # This program is distributed in the hope that it will be useful.4 PREROUTING chain # # # 4.html 21:25:51 10/06/2002 .unix-fu.3.7 OUTPUT chain # # # 4. version 2 of the License.DHCP IP Firewall script for Linux 2. See the # GNU General Public License for more details.5 INPUT chain # # # 4.3.8 POSTROUTING chain # Example rc. write to the Free Software Foundation.4. Suite 330. Configuration options.6 FORWARD chain # # # 4.. MA 02111-1307 USA # ########################################################################### # # 1. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from.org/andreasson/iptables-tutorial/iptables-tutorial. # http://people.1.net> # # This program is free software. Boston.firewall script #!/bin/sh # # rc. if not. # but WITHOUT ANY WARRANTY.x and iptables # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein. 59 Temple # Place.3.Iptables Tutorial 1.DHCP.

255.0 # LAN_IP="192.0.html 21:25:51 10/06/2002 . # INET_IFACE="eth0" # # 1. # # Note that it is better to set this up in the PPPoE package itself.1.1.1 Internet Configuration.168.65" # # 1.9 Página 240 # # 1.22. and set up the proper IP # adress for the DHCP server in the DHCP_SERVER variable. the same as netmask 255. # # your LAN's IP range and localhost IP. if needed. such as large mails not # getting through while small mail get through properly etc.0.unix-fu.2 Local Area Network configuration.2" LAN_IP_RANGE="192. # PPPOE_PMTU="no" # # 1. # DHCP="no" DHCP_SERVER="195. # # If you have problem with your PPPoE connection. If you get DHCP # over the Internet set this variable to yes. This option will set a # rule in the PREROUTING chain of the mangle table which will clamp # (resize) all routed packets to PMTU (Path Maximum Transmit Unit).1. since # the PPPoE configuration option will give less overhead. # # Set DHCP variable to no if you don't get IP from DHCP.255.90.168.Iptables Tutorial 1.2 PPPoE # # Configuration options pertaining to PPPoE. you may set # this option to "yes" which may fix the problem.org/andreasson/iptables-tutorial/iptables-tutorial.0/16" http://people.1 DHCP # # # Information pertaining to DHCP over the Internet. /24 means to only use the first 24 # bits of the 32 bit IP adress.

1.4 Localhost Configuration.0.6 Other Configuration. # # # Needed to initially load modules # /sbin/depmod -a # # 2.5 IPTables Configuration.Iptables Tutorial 1.1" # # 1.html 21:25:51 10/06/2002 .1 Required modules # /sbin/modprobe ip_conntrack /sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_MASQUERADE http://people.9 Página 241 LAN_BCAST_ADRESS="192. # # # 1.3 DMZ Configuration.unix-fu. Module loading.255" LAN_IFACE="eth1" # # 1.168.255.org/andreasson/iptables-tutorial/iptables-tutorial. # LO_IFACE="lo" LO_IP="127.0. # IPTABLES="/usr/sbin/iptables" # # 1. # ########################################################################### # # 2.

2 Create userspecified chains # http://people.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP # # 4.1.9 Página 242 # # 2.org/andreasson/iptables-tutorial/iptables-tutorial.1. # ###### # 4. rules set up.1 Filter table # # # 4.unix-fu.2 Non-Required proc configuration # #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr ########################################################################### # # 4.html 21:25:51 10/06/2002 .1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # # 3. /proc set up.Iptables Tutorial 1.1.2 Non-Required modules # #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc ########################################################################### # # 3. # # # 3.

html 21:25:51 10/06/2002 .unix-fu.1.1.RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # # ICMP rules # # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # TCP rules # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed http://people.3 Create content in userspecified chains # # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # # allowed chain # $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial. TCP and UDP to traverse # $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets # # 4.Iptables Tutorial 1.9 Página 243 # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP.

then $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # # 4.Iptables Tutorial 1.html 21:25:51 10/06/2002 . http://people.4 INPUT chain # # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets # # Rules for special networks not part of the Internet # $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \ --state ESTABLISHED.org/andreasson/iptables-tutorial/iptables-tutorial.unix-fu.9 Página 244 $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # # UDP ports # $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT if [ $DHCP == "yes" ] .RELATED -j ACCEPT # # Log weird packets that don't match the above.1. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # Rules for incoming packets from the internet.1.

html 21:25:51 10/06/2002 .9 Página 245 # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " # # 4.5 FORWARD chain # # # Bad TCP packets we don't want # $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED.unix-fu. # $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # # Log weird packets that don't match the above.1.RELATED -j ACCEPT # # Log weird packets that don't match the above.org/andreasson/iptables-tutorial/iptables-tutorial.Iptables Tutorial 1.6 OUTPUT chain # # # Bad TCP packets we don't want # $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # Special OUTPUT rules to decide which IP's to allow.1. http://people. # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # # 4.1.

1 Set policies # # # 4.2 nat table # # # 4.2 Create user specified chains http://people.3.unix-fu.3 Create content in user specified chains # # # 4.1 Set policies # # # 4.9 Página 246 # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \ -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ###### # 4.2.1.2. then $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN.2.2 Create user specified chains # # # 4.3.3 mangle table # # # 4.2.RST SYN \ -j TCPMSS --clamp-mss-to-pmtu fi $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE # # 4.2.org/andreasson/iptables-tutorial/iptables-tutorial.6 OUTPUT chain # ###### # 4.2.4 PREROUTING chain # # # 4.html 21:25:51 10/06/2002 .5 POSTROUTING chain # if [ $PPPOE_PMTU == "yes" ] .Iptables Tutorial 1.

org/andreasson/iptables-tutorial/iptables-tutorial. # http://people. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.3.1.3.Resets iptables to default values.3.9 Página 247 # # # 4.4 PREROUTING chain # # # 4.7 OUTPUT chain # # # 4.3.flush-iptables .3 Create content in user specified chains # # # 4.net> # # This program is free software.Iptables Tutorial 1.6 FORWARD chain # # # 4.3.3.8 POSTROUTING chain # Example rc.flush-iptables script #!/bin/sh # # rc.html 21:25:51 10/06/2002 . version 2 of the License.unix-fu.5 INPUT chain # # # 4.

# $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT # # flush all the rules in the filter and nat tables. # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F # # erase all chains that's not default in filter and nat table. Suite 330. # $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X http://people. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. MA 02111-1307 USA # # Configurations # IPTABLES="/usr/sbin/iptables" # # reset the default policies in the filter table..html 21:25:51 10/06/2002 . # $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT # # reset the default policies in the mangle table.Iptables Tutorial 1. write to the Free Software Foundation. Inc. # $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT # # reset the default policies in the nat table. if not.unix-fu. # but WITHOUT ANY WARRANTY. See the # GNU General Public License for more details.org/andreasson/iptables-tutorial/iptables-tutorial. Boston. 59 Temple # Place. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.1.9 Página 248 # This program is distributed in the hope that it will be useful.

unix-fu. Inc. Suite 330. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from. # but WITHOUT ANY WARRANTY. See the # GNU General Public License for more details.1. write to the Free Software Foundation.html 21:25:51 10/06/2002 .test script for iptables chains and tables.net> # # This program is free software. if not. # iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat PREROUTING:" http://people. Boston. version 2 of the License.test-iptables . all chains except OUTPUT which don't work.9 Página 249 Example rc. without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. all chains # iptables -t filter -A INPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter INPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter OUTPUT:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \ -j LOG --log-prefix="filter FORWARD:" iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="filter FORWARD:" # # NAT table.org/andreasson/iptables-tutorial/iptables-tutorial. MA 02111-1307 USA # # # Filter table. 59 Temple # Place. you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation..test-iptables script #!/bin/bash # # rc. # # This program is distributed in the hope that it will be useful. # # Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.Iptables Tutorial 1.

all chains # iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle PREROUTING:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="mangle OUTPUT:" iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="mangle OUTPUT:" Done.1. http://people.Iptables Tutorial 1.unix-fu.9 Página 250 iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat PREROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat POSTROUTING:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \ -j LOG --log-prefix="nat OUTPUT:" iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \ -j LOG --log-prefix="nat OUTPUT:" # # Mangle table.html 21:25:51 10/06/2002 .org/andreasson/iptables-tutorial/iptables-tutorial.

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master Your Semester with a Special Offer from Scribd & The New York Times

Cancel anytime.