Iptables Tutorial 1.2.2

Oskar Andreasson

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all sub-sections, with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 of the License.

These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License within this tutorial, under the section entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Dedications

I would like to dedicate this document to my wonderful sister, niece and brother-in-law for giving me inspiration and feedback. They are a source of joy and a ray of light when I have need of it. Thank you!

A special word should also be extended to Ninel for always encouraging my writing and for taking care of me when I needed it the most. Thank you!

Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who make this wonderful operating system possible.

Table of Contents
About the author
How to read
Prerequisites
Conventions used in this document
1. Introduction
Why this document was written
How it was written
Terms used in this document
What's next?
2. TCP/IP repetition
TCP/IP Layers
IP characteristics
IP headers
TCP characteristics
TCP headers
UDP characteristics
UDP headers
ICMP characteristics
ICMP headers
ICMP Echo Request/Reply
ICMP Destination Unreachable
Source Quench
Redirect
TTL equals 0
Parameter problem
Timestamp request/reply
Information request/reply
SCTP Characteristics
Initialization and association
Data sending and control session
Shutdown and abort
SCTP Headers
SCTP Generic header format
SCTP Common and generic headers
SCTP ABORT chunk
SCTP COOKIE ACK chunk
SCTP COOKIE ECHO chunk
SCTP DATA chunk
SCTP ERROR chunk
SCTP HEARTBEAT chunk
SCTP HEARTBEAT ACK chunk
SCTP INIT chunk
SCTP INIT ACK chunk
SCTP SACK chunk
SCTP SHUTDOWN chunk
SCTP SHUTDOWN ACK chunk
SCTP SHUTDOWN COMPLETE chunk
TCP/IP destination driven routing
What's next?
3. IP filtering introduction
What is an IP filter
IP filtering terms and expressions
How to plan an IP filter
What's next?
4. Network Address Translation Introduction
What NAT is used for and basic terms and expressions
Caveats using NAT
Example NAT machine in theory
What is needed to build a NAT machine
Placement of NAT machines
How to place proxies
The final stage of our NAT machine
What's next?
5. Preparations
Where to get iptables
Kernel setup
User-land setup
Compiling the user-land applications
Installation on Red Hat 7.1
What's next?
6. Traversing of tables and chains
General
Mangle table
Nat table
Raw table
Filter table
User specified chains
What's next?
7. The state machine
Introduction
The conntrack entries
User-land states
TCP connections
UDP connections
ICMP connections
Default connections
Untracked connections and the raw table
Complex protocols and connection tracking
What's next?
8. Saving and restoring large rule-sets
Speed considerations
Drawbacks with restore
iptables-save
iptables-restore
What's next?
9. How a rule is built
Basics of the iptables command
Tables
Commands
What's next?
10. Iptables matches
Generic matches
Implicit matches
TCP matches
UDP matches
ICMP matches
SCTP matches
Explicit matches
Addrtype match
AH/ESP match
Comment match
Connmark match
Conntrack match
Dscp match
Ecn match
Hashlimit match
Helper match
IP range match
Length match
Limit match
Mac match
Mark match
Multiport match
Owner match
Packet type match
Realm match
Recent match
State match
Tcpmss match
Tos match
Ttl match
Unclean match
What's next?
11. Iptables targets and jumps
ACCEPT target
CLASSIFY target
CLUSTERIP target
CONNMARK target
CONNSECMARK target
DNAT target
DROP target
DSCP target
ECN target
LOG target options
MARK target
MASQUERADE target
MIRROR target
NETMAP target
NFQUEUE target
NOTRACK target
QUEUE target
REDIRECT target
REJECT target
RETURN target
SAME target
SECMARK target
SNAT target
TCPMSS target
TOS target
TTL target
ULOG target
What's next?
12. Debugging your scripts
Debugging, a necessity
Bash debugging tips
System tools used for debugging
Iptables debugging
Other debugging tools
Nmap
Nessus
What's next?
13. rc.firewall file
example rc.firewall
explanation of rc.firewall
Configuration options
Initial loading of extra modules
proc set up
Displacement of rules to different chains
Setting up default policies
Setting up user specified chains in the filter table
INPUT chain
FORWARD chain
OUTPUT chain
PREROUTING chain of the nat table
Starting SNAT and the POSTROUTING chain
What's next?
14. Example scripts
rc.firewall.txt script structure
The structure
rc.firewall.txt
rc.DMZ.firewall.txt
rc.DHCP.firewall.txt
rc.UTIN.firewall.txt
rc.test-iptables.txt
rc.flush-iptables.txt
Limit-match.txt
Pid-owner.txt
Recent-match.txt
Sid-owner.txt
Ttl-inc.txt
Iptables-save ruleset
What's next?
15. Graphical User Interfaces for Iptables/netfilter
fwbuilder
Turtle Firewall Project
Integrated Secure Communications System
IPMenu
Easy Firewall Generator
What's next?
16. Commercial products based on Linux, iptables and netfilter
Ingate Firewall 1200
What's next?
A. Detailed explanations of special commands
Listing your active rule-set
Updating and flushing your tables
B. Common problems and questions
Problems loading modules
State NEW packets but no SYN bit set
SYN/ACK and NEW packets
Internet Service Providers who use assigned IP addresses
Letting DHCP requests through iptables
mIRC DCC problems
C. ICMP types
D. TCP options
E. Other resources and links
F. Acknowledgments
G. History
H. GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
I. GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
J. Example scripts code-base
Example rc.firewall script
Example rc.DMZ.firewall script
Example rc.UTIN.firewall script
Example rc.DHCP.firewall script
Example rc.flush-iptables script
Example rc.test-iptables script
Index
List of Tables
2-1. SCTP Types
2-2. Error Causes
2-3. INIT Variable Parameters
2-4. INIT ACK Variable Parameters
6-1. Destination local host (our own machine)
6-2. Source local host (our own machine)
6-3. Forwarded packets
7-1. User-land states
7-2. Internal states
7-3. Complex protocols support
9-1. Tables
9-2. Commands
9-3. Options
10-1. Generic matches
10-2. TCP matches
10-3. UDP matches
10-4. ICMP matches
10-5. SCTP matches
10-6. Address types
10-7. Addrtype match options
10-8. AH match options
10-9. ESP match options
10-10. Comment match options
10-11. Connmark match options
10-12. Conntrack match options
10-13. Dscp match options
10-14. Ecn match options
10-15. ECN Field in IP
10-16. Hashlimit match options
10-17. Helper match options
10-18. IP range match options
10-19. Length match options
10-20. Limit match options
10-21. Mac match options
10-22. Mark match options
10-23. Multiport match options
10-24. Owner match options
10-25. Packet type match options
10-26. Realm match options
10-27. Recent match options
10-28. State match options
10-29. Tcpmss match options
10-30. Tos match options
10-31. Ttl match options
11-1. CLASSIFY target options
11-2. CLUSTERIP target options
11-3. CONNMARK target options
11-4. CONNSECMARK target options
11-5. DNAT target options
11-6. DSCP target options
11-7. ECN target options
11-8. LOG target options
11-9. MARK target options
11-10. MASQUERADE target options
11-11. NETMAP target options
11-12. NFQUEUE target options
11-13. REDIRECT target options
11-14. REJECT target options
11-15. SAME target options
11-16. SECMARK target options
11-17. SNAT target options
11-18. TCPMSS target options
11-19. TOS target options
11-20. TTL target options
11-21. ULOG target options
C-1. ICMP types
D-1. TCP Options