Monday, July 6, 2009

IPTables Intro

Six kinds of chains are available (built-in chains plus user-defined ones):
* INPUT
* OUTPUT
* FORWARD
* PREROUTING
* POSTROUTING
* User defined chains (give it a new name)


General /sbin/iptables format to add rules:
---------------------------------------------------
iptables [-t|--table table] -command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy

Options:
----------
1. --table [-t]
filter - the default table
nat - NAT table
mangle - used for QoS and preferential treatment
raw - used to exempt packets from connection tracking (an optimization)

2. Command (use only one - mutually exclusive)
--append [-A] - append rule to chain
--delete [-D] - delete rule from chain
--insert [-I] - insert at the beginning or at a specified position in chain
--replace [-R] - replace rule
--flush [-F] - flush all rules in a chain (all chains if none given)
--zero [-Z] - zero the packet and byte counters in all chains (or one chain)
--list [-L] - list all rules. use option --line-numbers for rule number
--new-chain [-N] - create new
--delete-chain [-X] - delete user defined chain
--policy [-P] - set default policy for chain
--rename-chain [-E] - rename

3. Command Option(s)
--source [-s] - source address of packet
--destination [-d] - destination address
--in-interface [-i] - interface packet is arriving from
--out-interface [-o] - interface packet is going to
--jump [-j] - target to send packet to
--fragment [-f] - fragment matching
--set-counters [-c] - set packet/byte counter
--protocol [-p] - protocol:
*udp
*icmp
*mac
*tcp
--sport port [:port]
--dport port [:port]
--syn
--match tcp [-m tcp]
*--source-port port[:port] (port # or range #:#)
*--destination-port port[:port]
*--tcp-flags
--match state [-m state]
--state
*ESTABLISHED
*RELATED
*NEW
*INVALID
(packet cannot be tied to any known connection; not expected to receive this packet)

4. Defined Policies

ACCEPT - accept
DROP - deny packet with no reply
REJECT - deny packet and notify sender
RETURN - stop traversing this chain and continue in the calling chain (or apply the chain policy)
MARK - set a netfilter mark on the packet (mangle table)
MASQUERADE - used with nat table; source NAT to the outgoing interface's current address (DHCP-assigned IPs)
ULOG - Log to file and specify userspace logging messages
SNAT - rewrite source address; nat table, valid in POSTROUTING chain
REDIRECT - used with nat table; redirect to a port on the local machine (PREROUTING/OUTPUT)
DNAT - rewrite destination address; nat table, valid in PREROUTING and OUTPUT chains
QUEUE - pass packet to userspace
LOG - Log to file and specify message:
*--log-level #
*--log-prefix "prefix"
*--log-tcp-sequence
*--log-tcp-options
*--log-ip-options
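A worked example tying sections 3 and 4 together, added here and not part of the original post: a small gateway ruleset that uses the -s/-d/-i/-o/-p/--dport options, the state match, default-deny policies, LOG with a prefix followed by DROP, and DNAT/MASQUERADE in the nat table. The interface names, the LAN and admin ranges and the forwarded web server are assumptions (RFC 5737 documentation addresses). By default the script only prints the commands so it can be reviewed without root; set APPLY=1 to run them as root.

```shell
#!/bin/sh
# Added example (not from the original post). Values below are assumptions.
WAN_IF="${WAN_IF:-eth0}"                   # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                   # assumed internal interface
LAN_NET="${LAN_NET:-192.0.2.0/24}"         # constructed LAN range
WEB_HOST="${WEB_HOST:-192.0.2.10}"         # constructed internal web server
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"  # constructed admin range

# Print the command, or execute it when APPLY=1 (needs root).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

filter_rules() {
    # filter table (default -t): default-deny INPUT and FORWARD, allow OUTPUT
    ipt -F INPUT
    ipt -F FORWARD
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # -m state: accept replies to connections the host or the LAN initiated
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # INVALID: conntrack cannot tie the packet to any known connection
    ipt -A INPUT -m state --state INVALID -j DROP
    # new SSH to the gateway only from the admin range (-i, -p tcp, --dport, -s)
    ipt -A INPUT -i "$WAN_IF" -p tcp -m tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    # LAN may open new connections outwards (-i / -o pair)
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # allow the DNATed web traffic through FORWARD
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_HOST" -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    # LOG is non-terminating: log what is about to be dropped, then DROP it
    ipt -A INPUT -j LOG --log-prefix "IPT-INPUT-DROP:" --log-level 4
    ipt -A INPUT -j DROP
    ipt -A FORWARD -j LOG --log-prefix "IPT-FWD-DROP:" --log-level 4
    ipt -A FORWARD -j DROP
}

nat_rules() {
    # nat table (-t nat): DNAT rewrites the destination before routing (PREROUTING),
    # MASQUERADE rewrites the source after routing (POSTROUTING).
    ipt -t nat -F
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m tcp --dport 80 -j DNAT --to-destination "$WEB_HOST:80"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

all_rules() {
    filter_rules
    nat_rules
}

# Helpers to inspect the generated ruleset without touching the kernel.
rule_count() { all_rules | grep -c -- ' -A '; }
policy_for() { all_rules | grep -- "-P $1 " | awk '{print $NF}'; }
chain_for()  { all_rules | grep -E -- "-j $1( |\$)" | sed 's/.*-A \([A-Z]*\) .*/\1/'; }

all_rules
```

Running the script without APPLY prints the 13 -A rules plus the flush and policy commands; reading that output before loading it is the cheapest review step a gateway ruleset gets.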
