Firewall functions: IPTABLES
In both the FORWARD and OUTPUT cases, before the packet leaves the network interface eth1 it is subjected to the rules of the POSTROUTING chain. During this step source NAT (SNAT) or MASQUERADE rules are applied.
In each chain, rules that modify packets are applied.
STANDARD MATCH CRITERIA
There are several ways of matching packets, and they can be combined within the same rule (all criteria of a rule must match):
IP protocol (tcp, udp, icmp, gre, ah, ...)
IP source address (or source network with mask)
IP destination address (or destination network with mask)
A criterion can be negated with the character !. For example, all protocols except ICMP: -p ! icmp. (Newer iptables releases expect the ! before the option, i.e. ! -p icmp; the older form shown here is accepted with a deprecation warning.)
In the case of the TCP protocol (-p tcp) the following extensions are valid:
The source port or a range of source ports. For example 1:1024 => all ports between 1 and 1024.
The destination port or a range of destination ports. For example 1:1024 => all ports between 1 and 1024.
Used to specify the presence of flags in a TCP packet (SYN, ACK, FIN, RST, URG): a list of the bits to examine and the values they must have is given.
Packets with only SYN active (new connection requests).
For example, in order to drop all incoming TCP connection requests towards privileged ports the command is:
iptables -I INPUT -p tcp --syn --dport 0:1024 -j DROP
In order to list all the possible extensions for TCP:
iptables -p tcp --help
In the case of the UDP protocol (-p udp) the following extensions are valid:
The source port or a range of source ports. For example 1:1024 => all ports between 1 and 1024.
The destination port or a range of destination ports. For example 1:1024 => all ports between 1 and 1024.
For example, in order to allow the UDP packets used by traceroute the command is:
iptables -I INPUT -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
In order to check all the possible UDP extensions the command is:
iptables -p udp --help
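To make the matching semantics of the TCP and UDP extensions above concrete (protocol, address/mask, port ranges, ! negation, --syn, and first-match-wins ordering of -I), here is an added example in Python that is not part of the original notes and not iptables code: a toy matcher that parses the two commands from the page and evaluates constructed packets against the resulting INPUT chain. The Packet class, the port-range parser and the chain-walk are assumptions of this example, kept to the subset of options the notes mention.

```python
"""Toy iptables match evaluator (constructed example; not the netfilter code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: only the fields the match criteria look at."""
    proto: str                      # "tcp", "udp", "icmp", "gre", "ah", ...
    src: str                        # source IPv4 address
    dst: str                        # destination IPv4 address
    sport: int = 0                  # source port (tcp/udp only)
    dport: int = 0                  # destination port (tcp/udp only)
    flags: frozenset = frozenset()  # TCP flags that are set, e.g. {"SYN"}


def parse_port_range(spec):
    """'22' -> (22, 22); '1:1024' -> (1, 1024); ':1024' -> (0, 1024); '1024:' -> (1024, 65535)."""
    lo, sep, hi = spec.partition(":")
    lo = int(lo) if lo else 0
    hi = (int(hi) if hi else 65535) if sep else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


# Options that take a value; '--syn' is a flag without a value.
VALUE_OPTS = {"-p", "-s", "-d", "--sport", "--dport", "-j", "-I", "-A"}


def parse_rule(argv):
    """Parse a subset of iptables arguments into {option: (value, negated)}.

    Accepts both the old negation form used in the notes ('-p ! icmp') and the
    current one ('! -p icmp'). Chain/target options (-I/-A/-j) are stored as-is.
    """
    rule, negate, i = {}, False, 0
    while i < len(argv):
        tok = argv[i]
        if tok == "!":
            negate, i = True, i + 1
        elif tok == "--syn":
            rule["--syn"] = (True, negate)
            negate, i = False, i + 1
        elif tok in VALUE_OPTS:
            val = argv[i + 1]
            i += 2
            if val == "!":                      # old-style '-p ! icmp'
                negate, val, i = True, argv[i], i + 1
            if tok in ("--sport", "--dport"):
                val = parse_port_range(val)
            elif tok in ("-s", "-d"):
                val = ipaddress.ip_network(val, strict=False)
            rule[tok] = (val, negate)
            negate = False
        else:
            raise ValueError(f"unsupported option {tok!r}")
    return rule


def _check(opt, val, pkt):
    """Evaluate one criterion (before negation) against a packet."""
    if opt == "-p":
        return pkt.proto == val
    if opt == "-s":
        return ipaddress.ip_address(pkt.src) in val
    if opt == "-d":
        return ipaddress.ip_address(pkt.dst) in val
    if opt in ("--sport", "--dport"):
        if pkt.proto not in ("tcp", "udp"):     # ports only exist for tcp/udp
            return False
        port = pkt.sport if opt == "--sport" else pkt.dport
        return val[0] <= port <= val[1]
    if opt == "--syn":
        # --syn: SYN set with ACK and RST clear, i.e. a new connection request.
        return pkt.proto == "tcp" and "SYN" in pkt.flags and not ({"ACK", "RST"} & pkt.flags)
    return True                                 # -I/-A/-j do not constrain the packet


def rule_matches(rule, pkt):
    """All criteria of a rule are ANDed; '!' inverts the individual criterion."""
    return all(_check(opt, val, pkt) != neg for opt, (val, neg) in rule.items())


def add_rule(chain, argv):
    """-I inserts at the head (evaluated first); -A appends at the tail."""
    rule = parse_rule(argv)
    chain.insert(0, rule) if "-I" in rule else chain.append(rule)
    return rule


def chain_verdict(chain, pkt, policy="ACCEPT"):
    """The first matching rule that carries a -j target decides; otherwise the policy applies."""
    for rule in chain:
        target = rule.get("-j", (None, False))[0]
        if target and rule_matches(rule, pkt):
            return target
    return policy


def build_input_chain():
    """INPUT chain built from the two commands in the notes, in the order given."""
    chain = []
    add_rule(chain, "-I INPUT -p tcp --syn --dport 0:1024 -j DROP".split())
    add_rule(chain, "-I INPUT -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT".split())
    return chain


INPUT_CHAIN = build_input_chain()
```

Walking the chain with a TCP SYN to port 22 returns DROP, a SYN/ACK to the same port falls through to the chain policy (the --syn match fails), and a UDP traceroute probe from an ephemeral source port to 33434 is accepted even when the policy is DROP, which is exactly what the two -I commands on the page are meant to achieve.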