Contents
Preamble
About the author
How to read
Prerequisites
Conventions used in this document
1. Introduction to iptables
Why this document was written
How it was written
Terms used in this document
What's next?
2. TCP/IP repetition
TCP/IP Layers
IP characteristics
IP headers
TCP characteristics
TCP headers
UDP characteristics
UDP headers
ICMP characteristics
ICMP headers
ICMP Echo Request/Reply
ICMP Destination Unreachable
Source Quench
Redirect
TTL equals 0
Parameter problem
Timestamp request/reply
Information request/reply
SCTP Characteristics
Initialization and association
Data sending and control session
Shutdown and abort
SCTP Headers
SCTP Generic header format
SCTP Common and generic headers
SCTP ABORT chunk
SCTP COOKIE ACK chunk
SCTP COOKIE ECHO chunk
SCTP DATA chunk
SCTP ERROR chunk
SCTP HEARTBEAT chunk
SCTP HEARTBEAT ACK chunk
SCTP INIT chunk
SCTP INIT ACK chunk
SCTP SACK chunk
SCTP SHUTDOWN chunk
SCTP SHUTDOWN ACK chunk
SCTP SHUTDOWN COMPLETE chunk
TCP/IP destination driven routing
What's next?
3. IP filtering introduction
What is an IP filter
IP filtering terms and expressions
How to plan an IP filter
What's next?
4. Network Address Translation Introduction
What NAT is used for and basic terms and expressions
Caveats using NAT
Example NAT machine in theory
What is needed to build a NAT machine
Placement of NAT machines
How to place proxies
The final stage of our NAT machine
What's next?
5. Preparations
Where to get iptables
Kernel setup
User-land setup
Compiling the user-land applications
Installation on Red Hat 7.1
What's next?
6. Traversing of tables and chains
General
Mangle table
Nat table
Raw table
Filter table
User specified chains
What's next?
7. The state machine
Introduction
The conntrack entries
User-land states
TCP connections
UDP connections
ICMP connections
Default connections
Untracked connections and the raw table
Complex protocols and connection tracking
What's next?
8. Saving and restoring large rule-sets
Speed considerations
Drawbacks with restore
iptables-save
iptables-restore
What's next?
9. How a rule is built in iptables
Basics of the iptables command
Tables
Commands
What's next?
10. Iptables matches
Generic matches
Implicit matches
TCP matches
UDP matches
ICMP matches
SCTP matches
Explicit matches
Addrtype match
AH/ESP match
Comment match
Connmark match
Conntrack match
Dscp match
Ecn match
Hashlimit match
Helper match
IP range match
Length match
Limit match
Mac match
Mark match
Multiport match
Owner match
Packet type match
Realm match
Recent match
State match
Tcpmss match
Tos match
Ttl match
Unclean match
What's next?
11. Iptables targets and jumps
ACCEPT target
CLASSIFY target
CLUSTERIP target
CONNMARK target
CONNSECMARK target
DNAT target
DROP target
DSCP target
ECN target
LOG target options
MARK target
MASQUERADE target
MIRROR target
NETMAP target
NFQUEUE target
NOTRACK target
QUEUE target
REDIRECT target
REJECT target
RETURN target
SAME target
SECMARK target
SNAT target
TCPMSS target
TOS target
TTL target
ULOG target
What's next?
12. Debugging your scripts
Debugging, a necessity
Bash debugging tips
System tools used for debugging
Iptables debugging
Other debugging tools
Nmap
Nessus
What's next?
13. rc.firewall file
example rc.firewall
explanation of rc.firewall
Configuration options
Initial loading of extra modules
proc set up
Displacement of rules to different chains
Setting up default policies
Setting up user specified chains in the filter table
INPUT chain
FORWARD chain
OUTPUT chain
PREROUTING chain of the nat table
Starting SNAT and the POSTROUTING chain
What's next?
14. Example scripts
rc.firewall.txt script structure
The structure
rc.firewall.txt
rc.DMZ.firewall.txt
rc.DHCP.firewall.txt
rc.UTIN.firewall.txt
rc.test-iptables.txt
rc.flush-iptables.txt
Limit-match.txt
Pid-owner.txt
Recent-match.txt
Sid-owner.txt
Ttl-inc.txt
Iptables-save ruleset
What's next?
15. Graphical User Interfaces for Iptables/netfilter
fwbuilder
Turtle Firewall Project
Integrated Secure Communications System
IPMenu
Easy Firewall Generator
What's next?
16. Commercial products based on Linux, iptables and netfilter
Ingate Firewall 1200
What's next?
A. Detailed explanations of special commands
Listing your active rule-set
Updating and flushing your tables
B. Common problems and questions
Problems loading modules
State NEW packets but no SYN bit set
SYN/ACK and NEW packets
Internet Service Providers who use assigned IP addresses
Letting DHCP requests through iptables
mIRC DCC problems
C. ICMP types
D. TCP options
E. Other resources and links
F. Acknowledgments
G. History
H. GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
I. GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
J. Example scripts code-base
Example rc.firewall script
Example rc.DMZ.firewall script
Example rc.UTIN.firewall script
Example rc.DHCP.firewall script
Example rc.flush-iptables script
Example rc.test-iptables script
Hosted by HB.BY 2008 © iptables.info