Firewall functions: IPTABLES
NETMAP target: replaces the hosts of one network with the hosts of another. For example, the command:
iptables -t nat -A PREROUTING -d 10.10.10.0/24 -j NETMAP --to 192.168.1.0/24
replaces the destination address 10.10.10.x with 192.168.1.x.
TCPMSS target: modifies the value of the TCP Maximum Segment Size. For example:
iptables ... -j TCPMSS --clamp-mss-to-pmtu
The option --set-mss value is also available.
MARK target: marks packets so that they can be examined at other points. For example, to add a route according to the source address:
iptables -t mangle -A PREROUTING -s 10.10.1.1 -j MARK --set-mark 0x04
ip rule add fwmark 0x04 table 40
ip route add table 40 dev atm0
To display the list of parameters available for a target, use:
iptables -j <TARGET> --help
For example:
iptables -j REJECT --help
iptables -j TOS --help
iptables -j DSCP --help
ADVANCED MATCH CRITERIA
In addition to the previous criteria, there are also very flexible and powerful extensions. The
following table includes the most significant ones.
connlimit match: limits the number of simultaneous connections, for example:
iptables -A INPUT -p tcp --dport 23 -s 192.168.254.201 -m connlimit --connlimit-above 4 -j REJECT
allows a maximum of 4 simultaneously active telnet connections towards the router from the address 192.168.254.201. Further connections are refused.
limit match: the rule matches if the packet arrival rate stays within the specified parameter. Possible options are:
--limit rate/unit
--limit-burst number
For example, with the rules:
iptables -A FORWARD -p icmp -m limit --limit 10/s -j ACCEPT
iptables -A FORWARD -p icmp -j DROP
ICMP packets are accepted only at a rate of 10 per second; the excess is dropped.
mac match: checks the source MAC address, for example:
iptables -A FORWARD -m mac --mac-source 00:0d:5a:04:01:02 -j DROP
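The marking procedure and the connlimit and limit matches above, as an added shell example that is not part of the original page; it assumes iptables and ip are on PATH and, by default, prints the commands instead of running them, so the rule ordering can be checked without root:

```shell
#!/bin/sh
# Added example (not from the original page): the rules described above wrapped
# in shell functions. With DRY_RUN=1 (default) commands are printed, not run;
# set DRY_RUN=0 on a real router to apply them.
: "${DRY_RUN:=1}"
: "${IPT:=iptables}"   # assumption: iptables and ip are on PATH when applied

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rate-limited ICMP forwarding. The ACCEPT rule carrying -m limit must be
# appended before the catch-all DROP, or every ICMP packet is dropped.
icmp_limit_rules() {
    rate=${1:-10/s}; burst=${2:-5}
    run "$IPT" -A FORWARD -p icmp -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    run "$IPT" -A FORWARD -p icmp -j DROP
}

# At most $max simultaneous telnet connections from one source address.
telnet_connlimit_rule() {
    src=$1; max=${2:-4}
    run "$IPT" -A INPUT -p tcp --dport 23 -s "$src" -m connlimit --connlimit-above "$max" -j REJECT
}

# Mark packets from $src and send them through a dedicated routing table.
mark_and_route() {
    src=$1; mark=$2; table=$3; dev=$4
    run "$IPT" -t mangle -A PREROUTING -s "$src" -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" table "$table"
    run ip route add table "$table" dev "$dev"
}

# Check the generated ICMP rules: the limited ACCEPT must precede the DROP.
icmp_rules_ordered() {
    icmp_limit_rules "$@" | awk '
        /-m limit/ && /-j ACCEPT/ { acc = NR }
        /-j DROP/ { drop = NR }
        END { exit !(acc && drop && acc < drop) }'
}

# Stand-alone usage: print the full rule set.
icmp_limit_rules 10/s 5
telnet_connlimit_rule 192.168.254.201 4
mark_and_route 10.10.1.1 0x04 40 atm0
```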