Netfilter
I'm learning about Linux netfilter (and iptables) so I can configure 'glam' sensibly.
Concepts
Tables
Tables I'm interested in (there are others).
- filter (default)
- nat
Chains
Each table has a chain for some of these hook points (see packet flow for details):
- PREROUTING
- INPUT
- FORWARD
- POSTROUTING
- OUTPUT
Subcommands
Some subcommands I might use:
Command | Long command | Description |
---|---|---|
-A chain rule | --append | appends rule to chain |
-F [chain] | --flush | flush (delete) chain (or all chains if no chain given) |
-L [chain] | --list | list rules for chain (or all chains if no chain given) |
-P chain target | --policy | set default policy of chain to target |
-V | --version | shows iptables version number |
-Z [chain] | --zero | zeroes counters for chain (or all chains if no chain given) |
Targets
Some targets I'm interested in. A terminal target ends rule traversal for the packet; a non-terminal target does its work and evaluation continues with the next rule in the chain.
Target | Terminal | Options |
---|---|---|
ACCEPT | yes | |
DROP | yes | |
DNAT | yes | --to-destination a1[-a2][:p1-p2] |
LOG | no | --log-level level --log-prefix prefix --log-ip-options --log-tcp-options --log-tcp-sequence |
LOG target options
Option | Description |
---|---|
--log-level level | log level $level; default is warning |
--log-prefix prefix | prefix log entries with $prefix |
--log-ip-options | include the IP options in log entries |
--log-tcp-options | include TCP options in log entries |
--log-tcp-sequence | include TCP sequence numbers in log entries |
Logging levels
These are the same as defined in linux/kernel.h.
Level | Name | Description |
---|---|---|
0 | emerg or panic | system is about to crash |
1 | alert | immediate attention is required |
2 | crit | critical hardware or software failure |
3 | err or error | hardware problem reported by driver |
4 | warning or warn | something is wrong but it's not serious |
5 | notice | advisory note (nothing is wrong) |
6 | info | general information (such as info about hardware) |
7 | debug | debugging info |
Match options
Length match options
To match the overall packet length (a single value matches that exact length; the colon forms give an inclusive range):
- --length len
- --length min:
- --length :max
- --length min:max
To drop long ping packets (1000 bytes or more):
`iptables -A INPUT -p icmp --icmp-type ping -m length --length 1000: -j DROP`
Limit match options
Matches packets until the rate limit is exceeded, then stops matching until the rate falls back below the limit.
Option | Description |
---|---|
--limit [rate[/unit]] | the number of packets to let through per $unit of time; defaults to 3/hour; $unit is second if unspecified |
--limit-burst [count] | set the $count of packets that will be matched in a burst; $count defaults to 5 |
Internet Protocol match options
IPv4 match options I'm interested in:
Option | Long option | Description |
---|---|---|
-d [!] addr[/mask] | --dst --destination | destination address $addr (or range, if $mask is given) |
-i [!] in | --in-interface | input interface $in (or if $in ends with + any interface that starts with $in) |
-o [!] out | --out-interface | output interface $out (or if $out ends with + any interface that starts with $out) |
-p [!] proto | --protocol | protocol name or number $proto (see Common IP protocols) |
-s [!] addr[/mask] | --src --source | source address $addr (or range, if $mask is given) |
Common IP protocols
IP protocols I'm interested in.
Name | Number(s) | Description |
---|---|---|
ALL | 1, 6, 17 | same as not specifying a protocol at all |
icmp | 1 | Internet Control Message Protocol |
tcp | 6 | Transmission Control Protocol |
udp | 17 | User Datagram Protocol |
ICMP match options
This extension is loaded if '--protocol icmp' is specified. It provides the following option:
Option | Description |
---|---|
--icmp-type [!] typename | This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names |
ICMP type names
This is the output from `iptables -p icmp -h`:
- any
- echo-reply (pong)
- destination-unreachable
- network-unreachable
- host-unreachable
- protocol-unreachable
- port-unreachable
- fragmentation-needed
- source-route-failed
- network-unknown
- host-unknown
- network-prohibited
- host-prohibited
- TOS-network-unreachable
- TOS-host-unreachable
- communication-prohibited
- host-precedence-violation
- precedence-cutoff
- source-quench
- redirect
- network-redirect
- host-redirect
- TOS-network-redirect
- TOS-host-redirect
- echo-request (ping)
- router-advertisement
- router-solicitation
- time-exceeded (ttl-exceeded)
- ttl-zero-during-transit
- ttl-zero-during-reassembly
- parameter-problem
- ip-header-bad
- required-option-missing
- timestamp-request
- timestamp-reply
- address-mask-request
- address-mask-reply
TCP match options
This extension is loaded if '--protocol tcp' is specified. Some TCP match options I'm interested in (there are more).
Option | Long option | Description |
---|---|---|
--dport [!] port[:port] | --destination-port | inclusive range for TCP destination port |
--sport [!] port[:port] | --source-port | inclusive range for TCP source port |
UDP match options
This extension is loaded if '--protocol udp' is specified. UDP match options (this is all of them).
Option | Long option | Description |
---|---|---|
--dport [!] port[:port] | --destination-port | inclusive range for UDP destination port |
--sport [!] port[:port] | --source-port | inclusive range for UDP source port |
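The subcommands, targets and match options above combined into one small host ruleset, as an added example that is not part of the original notes. The SSH port, the LAN range 192.168.1.0/24 and the 1000-byte ping limit are assumed values; the one conntrack rule uses an extension the notes do not cover and is marked as such.

```shell
#!/bin/sh
# Added example, not from the original notes: a small host firewall for a box
# like 'glam', using the subcommands, targets and matches listed above plus
# one conntrack rule (noted below). Set IPT=echo to print the rules instead
# of applying them; the real default needs root.
# Assumed values: SSH on tcp/22 from LAN 192.168.1.0/24, 1000-byte ping limit.
IPT="${IPT:-iptables}"

glam_rules() {
    # -F/-Z: flush every filter chain and zero its counters for a clean start
    "$IPT" -F
    "$IPT" -Z
    # -P: default policies; anything INPUT/FORWARD does not accept is dropped
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # the local-process-to-local-process flow arrives on lo
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to our own outbound traffic. The conntrack match is not covered
    # in the notes above; without it the INPUT DROP policy kills every reply.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # length match: "1000:" means 1000 bytes or more (a bare value is exact)
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -m length --length 1000: -j DROP
    # limit match: answer at most 5 pings/second, allowing a burst of 10
    "$IPT" -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    # tcp match on the destination port, source restricted to the LAN
    "$IPT" -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
    # LOG is non-terminal: the packet is logged (rate-limited so the log
    # cannot be flooded) and then falls through to the INPUT DROP policy
    "$IPT" -A INPUT -m limit --limit 6/minute --limit-burst 10 \
        -j LOG --log-level warning --log-prefix "glam-drop: " --log-tcp-options
}

# Dry-run helper: number of -A rules the function would append.
glam_rule_count() {
    ( IPT=echo; glam_rules ) | grep -c '^-A '
}
```

Run `glam_rules` as root to apply, or `IPT=echo glam_rules` to review the commands first.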
Packet flow
The four flows are:
Packet flows from one network interface to another (forwarding)
Table | Chain |
---|---|
mangle | PREROUTING |
nat | PREROUTING |
mangle | FORWARD |
filter | FORWARD |
mangle | POSTROUTING |
nat | POSTROUTING |
Packet flows from a network interface to a local process (input)
Table | Chain |
---|---|
mangle | PREROUTING |
nat | PREROUTING |
mangle | INPUT |
filter | INPUT |
Packet flows from a local process to a network interface (output)
Table | Chain |
---|---|
mangle | OUTPUT |
nat | OUTPUT |
filter | OUTPUT |
mangle | POSTROUTING |
nat | POSTROUTING |
Packet flows from a local process to another local process (local)
Table | Chain |
---|---|
mangle | OUTPUT |
nat | OUTPUT |
filter | OUTPUT |
filter | INPUT |
mangle | INPUT |
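The forwarding flow in practice, as an added example that is not part of the original notes: a DNAT port-forward whose rules are placed according to the hook order above (nat PREROUTING before filter FORWARD). The interface names eth0/eth1, the ports and the inside host 192.168.1.10 are assumed values.

```shell
#!/bin/sh
# Added example, not from the original notes: forward tcp/8080 arriving on
# the outside interface to a web server on the inside, following the
# forwarding flow above (nat PREROUTING runs before filter FORWARD).
# Assumed values: eth0 outside, eth1 inside, inside host 192.168.1.10.
# Set IPT=echo for a dry run; real use also needs net.ipv4.ip_forward=1.
IPT="${IPT:-iptables}"

forward_rules() {
    # nat PREROUTING is the first nat hook a forwarded packet meets, so the
    # DNAT rewrite happens before routing and before filter FORWARD
    "$IPT" -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 \
        -j DNAT --to-destination 192.168.1.10:80
    # filter FORWARD therefore sees the rewritten destination (host:80),
    # not the original dport 8080; match on that and pin both interfaces
    "$IPT" -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT
    # replies come back through FORWARD in the other direction; conntrack
    # undoes the DNAT on them, so match the server's real address and port
    "$IPT" -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.1.10 --sport 80 -j ACCEPT
}

# Dry-run helper: number of commands the function would run.
forward_rule_count() {
    ( IPT=echo; forward_rules ) | grep -c ''
}
```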