Linux Packet Filtering and iptables

Oskar Andreasson

Dedications

I would like to dedicate this document to my wonderful sister for inspiring me and for giving me feedback. She is a source of joy and a ray of light when I have need of it. Thank you!

Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who make this wonderful operating system possible.

Table of Contents
About the author
How to read
Prerequisites
Conventions used in this document
1. Introduction
1.1. Why this document was written
1.2. How it was written
1.3. Terms used in this document
2. TCP/IP repetition
2.1. TCP/IP Layers
2.2. IP characteristics
2.3. IP headers
2.4. TCP characteristics
2.5. TCP headers
2.6. UDP characteristics
2.7. UDP headers
2.8. ICMP characteristics
2.9. ICMP headers
2.9.1. ICMP Echo Request/Reply
2.9.2. ICMP Destination Unreachable
2.9.3. Source Quench
2.9.4. Redirect
2.9.5. TTL equals 0
2.9.6. Parameter problem
2.9.7. Timestamp request/reply
2.9.8. Information request/reply
2.10. TCP/IP destination driven routing
2.11. What's next?
3. IP filtering introduction
3.1. What is an IP filter
3.2. IP filtering terms and expressions
3.3. How to plan an IP filter
3.4. What's next?
4. Network Address Translation Introduction
4.1. What NAT is used for and basic terms and expressions
4.2. Caveats using NAT
4.3. Example NAT machine in theory
4.3.1. What is needed to build a NAT machine
4.3.2. Placement of NAT machines
4.3.3. How to place proxies
4.3.4. The final stage of our NAT machine
4.4. What's next?
5. Preparations
5.1. Where to get iptables
5.2. Kernel setup
5.3. User-land setup
5.3.1. Compiling the user-land applications
5.3.2. Installation on Red Hat 7.1
6. Traversing of tables and chains
6.1. General
6.2. mangle table
6.3. nat table
6.4. Filter table
7. The state machine
7.1. Introduction
7.2. The conntrack entries
7.3. User-land states
7.4. TCP connections
7.5. UDP connections
7.6. ICMP connections
7.7. Default connections
7.8. Complex protocols and connection tracking
8. Saving and restoring large rule-sets
8.1. Speed considerations
8.2. Drawbacks with restore
8.3. iptables-save
8.4. iptables-restore
9. How a rule is built
9.1. Basics of the iptables command
9.2. Tables
9.3. Commands
10. Iptables matches
10.1. Generic matches
10.2. Implicit matches
10.2.1. TCP matches
10.2.2. UDP matches
10.2.3. ICMP matches
10.3. Explicit matches
10.3.1. AH/ESP match
10.3.2. Conntrack match
10.3.3. DSCP match
10.3.4. ECN match
10.3.5. Helper match
10.3.6. IP range match
10.3.7. Length match
10.3.8. Limit match
10.3.9. MAC match
10.3.10. Mark match
10.3.11. Multiport match
10.3.12. Owner match
10.3.13. Packet type match
10.3.14. Recent match
10.3.15. State match
10.3.16. TCPMSS match
10.3.17. TOS match
10.3.18. TTL match
10.3.19. Unclean match
11. Iptables targets and jumps
11.1. ACCEPT target
11.2. CLASSIFY target
11.3. DNAT target
11.4. DROP target
11.5. DSCP target
11.6. ECN target
11.7. LOG target options
11.8. MARK target
11.9. MASQUERADE target
11.10. MIRROR target
11.11. NETMAP target
11.12. QUEUE target
11.13. REDIRECT target
11.14. REJECT target
11.15. RETURN target
11.16. SAME target
11.17. SNAT target
11.18. TCPMSS target
11.19. TOS target
11.20. TTL target
11.21. ULOG target
12. Debugging your scripts
12.1. Debugging, a necessity
12.2. Bash debugging tips
12.3. System tools used for debugging
12.4. Iptables debugging
12.5. Other debugging tools
12.5.1. Nmap
12.5.2. Nessus
12.6. What's next?
13. rc.firewall file
13.1. example rc.firewall
13.2. explanation of rc.firewall
13.2.1. Configuration options
13.2.2. Initial loading of extra modules
13.2.3. proc set up
13.2.4. Displacement of rules to different chains
13.2.5. Setting up default policies
13.2.6. Setting up user specified chains in the filter table
13.2.7. INPUT chain
13.2.8. FORWARD chain
13.2.9. OUTPUT chain
13.2.10. PREROUTING chain of the nat table
13.2.11. Starting SNAT and the POSTROUTING chain
14. Example scripts
14.1. rc.firewall.txt script structure
14.1.1. The structure
14.2. rc.firewall.txt
14.3. rc.DMZ.firewall.txt
14.4. rc.DHCP.firewall.txt
14.5. rc.UTIN.firewall.txt
14.6. rc.test-iptables.txt
14.7. rc.flush-iptables.txt
14.8. Limit-match.txt
14.9. Pid-owner.txt
14.10. Recent-match.txt
14.11. Sid-owner.txt
14.12. Ttl-inc.txt
14.13. Iptables-save ruleset
15. Graphical User Interfaces for Iptables/netfilter
15.1. fwbuilder
15.2. Turtle Firewall Project
15.3. Integrated Secure Communications System
15.4. IPMenu
15.5. Easy Firewall Generator
15.6. What's next?
A. Detailed explanations of special commands
A.1. Listing your active rule-set
A.2. Updating and flushing your tables
B. Common problems and questions
B.1. Problems loading modules
B.2. State NEW packets but no SYN bit set
B.3. SYN/ACK and NEW packets
B.4. Internet Service Providers who use assigned IP addresses
B.5. Letting DHCP requests through iptables
B.6. mIRC DCC problems
C. ICMP types
D. TCP options
E. Other resources and links
F. Acknowledgments
G. History
H. GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
I. GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
J. Example scripts code-base
J.1. Example rc.firewall script
J.2. Example rc.DMZ.firewall script
J.3. Example rc.UTIN.firewall script
J.4. Example rc.DHCP.firewall script
J.5. Example rc.flush-iptables script
J.6. Example rc.test-iptables script

Published under the terms of the GNU General Public License. Design by Interspire