Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

2.9.3.4.4. Additional Match Option Modules
Additional match options are available through modules loaded by the iptables command.
To use a match option module, load the module by name using the -m <module-name> , where <module-name> is the name of the module.
Many modules are available by default. You can also create modules to provide additional functionality.
The following is a partial list of the most commonly used modules:
  • limit module — Places limits on how many packets are matched to a particular rule.
    When used in conjunction with the LOG target, the limit module can prevent a flood of matching packets from filling up the system log with repetitive messages or using up system resources.
    Refer to Section 2.9.3.5, “Target Options” for more information about the LOG target.
    The limit module enables the following options:
    • --limit — Sets the maximum number of matches for a particular time period, specified as a <value>/<period> pair. For example, using --limit 5/hour allows five rule matches per hour.
      Periods can be specified in seconds, minutes, hours, or days.
      If a number and time modifier are not used, the default value of 3/hour is assumed.
    • --limit-burst — Sets a limit on the number of packets able to match a rule at one time.
      This option is specified as an integer and should be used in conjunction with the --limit option.
      If no value is specified, the default value of five (5) is assumed.
  • state module — Enables state matching.
    The state module enables the following options:
    • --state — match a packet with the following connection states:
      • ESTABLISHED — The matching packet is associated with other packets in an established connection. You need to accept this state if you want to maintain a connection between a client and a server.
      • INVALID — The matching packet cannot be tied to a known connection.
      • NEW — The matching packet is either creating a new connection or is part of a two-way connection not previously seen. You need to accept this state if you want to allow new connections to a service.
      • RELATED — The matching packet is starting a new connection related in some way to an existing connection. An example of this is FTP, which uses one connection for control traffic (port 21), and a separate connection for data transfer (port 20).
      These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.
  • mac module — Enables hardware MAC address matching.
    The mac module enables the following option:
    • --mac-source — Matches a MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point character (!) after the --mac-source match option.
Refer to the iptables man page for more match options available through modules.

 
 
  Published under the terms of the Open Publication License Design by Interspire