Netfilter: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 92: | Line 92: | ||
= Match options = | = Match options = | ||
== Length match == | == Length match options == | ||
To match overall packet length: | To match overall packet length: | ||
Revision as of 00:39, 8 November 2023
I'm learning about Linux netfilter (and iptables) so I can configure 'glam' sensibly.
Concepts
Chains
There is a chain for each of these hook points:
- PREROUTING
- INPUT
- FORWARD
- POSTROUTING
- OUTPUT
Tables
Tables I'm interested in (there are others).
- filter (default)
- nat
- mangle
Subcommands
Some subcommands I might use:
| Command | Long command | Description |
|---|---|---|
| -A chain rule | --append | appends rule to chain |
| -F [chain] | --flush | flush (delete) chain (or all chains if no chain given) |
| -L [chain] | --list | list rules for chain (or all chains if no chain given) |
| -P chain target | --policy | set default policy of chain to target |
| -V | --version | shows iptables version number |
| -Z [chain] | --zero | zeroes counters for chain (or all chains if no chain given) |
Targets
Some targets I'm interested in.
- ACCEPT
- DROP
- DNAT --to-destination a1[-a2][:p1-p2]
- LOG --log-ip-options --log-level level --log-prefix prefix --log-tcp-options --log-tcp-sequence
LOG target options
| Option | Description |
|---|---|
| --log-ip-options | include the IP options in log entries |
| --log-level level | log level $level; default is warning |
| --log-prefix prefix | prefix log entries with $prefix |
| --log-tcp-options | include TCP options in log entries |
| --log-tcp-sequence | include TCP sequence numbers in log entries |
Logging levels
These are the same as defined in linux/kernel.h.
| Level | Name | Description |
|---|---|---|
| 0 | emerg or panic | system is about to crash |
| 1 | alert | immediate attention is required |
| 2 | crit | critical hardware or software failure |
| 3 | err or error | hardware problem reported by driver |
| 4 | warning or warn | something is wrong but it's not serious |
| 5 | notice | advisory note (nothing is wrong) |
| 6 | info | general information (such as info about hardware) |
| 7 | debug | debugging info |
Match options
Length match options
To match overall packet length:
- --length min
- --length min:
- --length :max
- --length min:max
To drop long ping packets:
iptables -A INPUT -p icmp --icmp-type ping -m length --length 1000 -j DROP
Limit match
Match until a packet rate limit is exceeded, then stop matching.
| Option | Description |
|---|---|
| --limit [rate[/unit]] | the number of packets to let through per $unit of time; defaults to 3/hour; $rate is second if unspecified |
| --limit-burst [count] | set the $count of packets that will be matched in a burst; $count defaults to 5 |
Internet Protocol match options
IPv4 match options I'm interested in:
| Option | Long option | Description |
|---|---|---|
| -d [!] addr[/mask] | --dst --destination | destination address $addr (or range, if $mask is given) |
| -i [!] in | --in-interface | input interface $in (or if $in ends with + any interface that starts with $in) |
| -o [!] out | --out-interface | output interface $out (or if $out ends with + any interface that starts with $out) |
| -p [!] proto | --protocol | protocol name or number $proto (see Common IP protocols) |
| -s [!] addr[/mask] | --src --source | source address $addr (or range, if $mask is given) |
Common IP protocols
IP protocols I'm interested in.
| Name | Number(s) | Description |
|---|---|---|
| ALL | 1, 6, 17 | same as not specifying a protocol at all |
| icmp | 1 | Internet Control Message Protocol |
| tcp | 6 | Transmission Control Protocol |
| udp | 17 | User Datagram Protocol |
TCP match options
Some TCP match options I'm interested in (there are more).
| Option | Long option | Description |
|---|---|---|
| --dport [!] port[:port] | --destination-port | inclusive range for TCP destination port |
| --sport [!] port[:port] | --source-port | inclusive range for TCP source port |
UDP match options
UDP match options (this is all of them).
| Option | Long option | Description |
|---|---|---|
| --dport [!] port[:port] | --destination-port | inclusive range for UDP destination port |
| --sport [!] port[:port] | --source-port | inclusive range for UDP source port |
Packet flow
Packet flows from one network interface to another (forwarding)
| Table | Chain |
|---|---|
| mangle | PREROUTING |
| nat | PREROUTING |
| mangle | FORWARD |
| filter | FORWARD |
| mangle | POSTROUTING |
| nat | POSTROUTING |
Packet flows from a network interface to a local process (input)
| Table | Chain |
|---|---|
| mangle | PREROUTING |
| nat | PREROUTING |
| mangle | INPUT |
| filter | INPUT |
Packet flows from a local process to a network interface (output)
| Table | Chain |
|---|---|
| mangle | OUTPUT |
| nat | OUTPUT |
| filter | OUTPUT |
| mangle | POSTROUTING |
| nat | POSTROUTING |
Packet flows from a local process to another local process (local)
| Table | Chain |
|---|---|
| mangle | OUTPUT |
| nat | OUTPUT |
| filter | OUTPUT |
| filter | INPUT |
| mangle | INPUT |