This is just my quick-reference for the kernel 2.4 "iptables" tool from
the netfilter framework.
Current set of default tables:

  filter (default table): Starts with built-in chains:
    INPUT:    Arriving.
    FORWARD:  Being routed.
    OUTPUT:   Locally generated.

  nat (traffic that creates new connections): Starts with built-in chains:
    PREROUTING:  Arriving.
    OUTPUT:      Locally generated.
    POSTROUTING: Exiting.

  mangle (specialised packet alteration): Starts with built-in chains:
    PREROUTING:  Incoming, before routing.
    OUTPUT:      Locally generated.
    INPUT:       Arriving.
    FORWARD:     Being routed.
    POSTROUTING: Exiting.
The admin can create/delete/rename additional (user-defined) chains, which
are then used as jump targets.

Each chain consists of a set of rules, consulted in order (thus the term
"chain") until one's conditions match. If none match, the default policy
applies ("-P" option). Policies exist only for built-in chains, and the
policy target may only be one of the four predefined targets. Each rule has:

  criterion: Which packets will be affected.
  target:    Which chain (or action) to jump to next. (May optionally be
             one of the four predefined targets: ACCEPT, DROP,
             QUEUE = handed to userspace, or RETURN = go back to the
             calling chain, which for a built-in chain means its policy.)

Each rule is assigned a rulenum, which can be used to refer to it in
iptables commands.

Since rulesets live in RAM, one can preserve them to disk or reload them
using iptables-save and iptables-restore, respectively.
Many of the more interesting features, such as stateful inspection, are
provided by dynamically-loaded match modules (option "-m"):

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
Spoofing (drop packets arriving on the Internet interface that claim a
private source address):

$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
## Create a chain that blocks new connections, except if coming from inside.
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
# iptables -A block -j DROP
## Jump to that chain from the INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block
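The "block" chain above and the iptables-save/restore note invite an audit step. The following Python is an added example (not part of these notes and not an iptables tool) that parses a ruleset in iptables-save format and flags a default-ACCEPT policy on INPUT/FORWARD, user chains that nothing jumps to, and DROP rules placed in the nat table, which only sees a connection's first packet. The sample ruleset, the interface name eth0 and the chain name "orphan" are constructed for the example.

```python
from collections import OrderedDict
# Constructed sample (iptables-save format): anti-spoof rule plus the stateful "block" chain.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:block - [0:0]
:orphan - [0:0]
-A INPUT -j block
-A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A block -m state --state NEW -i ! eth0 -j ACCEPT
-A block -j DROP
COMMIT
"""

def parse_save(text):
    """Parse iptables-save text into {table: {chain: {"policy", "rules"}}}."""
    tables, table = OrderedDict(), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line == "COMMIT":
            continue                      # comments and table terminators
        if line[0] == "*":                # "*filter" opens a table
            table = tables.setdefault(line[1:], OrderedDict())
        elif line[0] == ":":              # ":chain POLICY [pkts:bytes]", "-" = user chain
            name, policy, _ = line[1:].split()
            table[name] = {"policy": None if policy == "-" else policy, "rules": []}
        elif line.startswith("-A "):      # "-A chain <matches> -j <target>"
            table[line.split()[1]]["rules"].append(line)
    return tables

def audit(tables):
    """Return human-readable findings about weak or dead spots in the ruleset."""
    findings, flt = [], tables.get("filter", {})
    for chain in ("INPUT", "FORWARD"):    # built-in chains should fail closed
        if flt.get(chain, {}).get("policy") == "ACCEPT":
            findings.append(f"filter/{chain}: policy ACCEPT (default-allow)")
    for name, chain in flt.items():       # user chains nobody jumps to are dead
        if chain["policy"] is None and not any(
                r.endswith(f"-j {name}") for c in flt.values() for r in c["rules"]):
            findings.append(f"filter/{name}: user chain is never reached")
    for name, chain in tables.get("nat", {}).items():
        for r in chain["rules"]:          # nat only sees a connection's first packet
            if r.endswith("-j DROP"):
                findings.append(f"nat/{name}: filtering belongs in the filter table: {r}")
    return findings
```

Feed it the output of iptables-save instead of SAMPLE to check a live box; an empty list from audit() means none of the three checks fired.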
Type of Service (TOS) prioritisation: To maximize ssh response while
maintaining maximum file data transfer over HTTP connections:

# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport ssh \
    -j TOS --set-tos Minimize-Delay
# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport http \
    -j TOS --set-tos Maximize-Throughput
Netfilter architecture

Block diagram (which tables/hooks each packet path passes through):

--->PREROUTING-->[ROUTE]--->FORWARD---------->POSTROUTING------>
    Conntrack       |       Mangle      ^      Mangle
    Mangle          |       Filter      |      NAT (Src)
    NAT (Dst)       |                   |      Conntrack
    (QDisc)         |                [ROUTE]
                    v                   |
                  INPUT   Filter      OUTPUT  Conntrack
                    |     Conntrack     ^     Mangle
                    |     Mangle        |     NAT (Dst)
                    v                   |     Filter
                    >-  local processes >--