Book text: "Iptables Tutorial 1.2.2"
Book author: Oskar Andreasson
Example rc.DHCP.firewall script
#!/bin/sh
#
# rc.DHCP.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
###########################################################################
#
# 1. Configuration options.
#
#
# 1.1 Internet Configuration.
#
INET_IFACE="eth0"
#
# 1.1.1 DHCP
#
#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP
# over the Internet set this variable to yes, and set up the proper IP
# address for the DHCP server in the DHCP_SERVER variable.
#
DHCP="no"
DHCP_SERVER="195.22.90.65"
#
# 1.1.2 PPPoE
#
# Configuration options pertaining to PPPoE.
#
# If you have problems with your PPPoE connection, such as large mails not
# getting through while small mails get through properly, you may set this
# option to "yes", which may fix the problem. It adds a rule to the
# POSTROUTING chain of the nat table that clamps the TCP MSS of SYN packets
# to the PMTU (Path Maximum Transmission Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#
PPPOE_PMTU="no"
#
# 1.2 Local Area Network configuration.
#
# Your LAN's IP range and the firewall's LAN IP. /24 means to only use the
# first 24 bits of the 32 bit IP address, the same as netmask 255.255.255.0;
# the /16 used below covers 192.168.0.0-192.168.255.255 (netmask 255.255.0.0).
#
LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"
#
# 1.3 DMZ Configuration.
#
#
# 1.4 Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/usr/sbin/iptables"
#
# 1.6 Other Configuration.
#
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# 2.1 Required modules
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
#
# 2.2 Non-Required modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. rules set up.
#
######
# 4.1 Filter table
#
#
# 4.1.1 Set policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# 4.1.2 Create user specified chains
#
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# 4.1.3 Create content in user specified chains
#
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ "$DHCP" = "yes" ] ; then
$IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER --sport 67 \
--dport 68 -j ACCEPT
fi
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
#--destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don't match the above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IPs to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
######
# 4.2 nat table
#
#
# 4.2.1 Set policies
#
#
# 4.2.2 Create user specified chains
#
#
# 4.2.3 Create content in user specified chains
#
#
# 4.2.4 PREROUTING chain
#
#
# 4.2.5 POSTROUTING chain
#
if [ "$PPPOE_PMTU" = "yes" ] ; then
$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
fi
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
#
# 4.2.6 OUTPUT chain
#
######
# 4.3 mangle table
#
#
# 4.3.1 Set policies
#
#
# 4.3.2 Create user specified chains
#
#
# 4.3.3 Create content in user specified chains
#
#
# 4.3.4 PREROUTING chain
#
#
# 4.3.5 INPUT chain
#
#
# 4.3.6 FORWARD chain
#
#
# 4.3.7 OUTPUT chain
#
#
# 4.3.8 POSTROUTING chain
#
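The script above creates its user chains with -N before jumping to them with -j, and sets the three filter policies to DROP before any rule is added. The following script is an added example, not part of the tutorial or of Oskar Andreasson's code: it lints a rule-set written in that style offline by pointing $IPTABLES at a shell function that records each call instead of loading it, then checks that no -j references a user chain before its -N and that INPUT, OUTPUT and FORWARD all received a DROP policy. The function names, the recording stub and the two shortened rule-sets are all constructed for this example; chains are tracked without regard to table, which is enough for the filter-table layout used here.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint an rc.firewall-style rule-set
# offline. IPTABLES is pointed at a function that records each call, so the
# checks run without root and without touching the kernel.

RULES=""      # one recorded iptables call per line
CREATED=""    # user chains created with -N so far, space separated
MISSING=""    # user chains jumped to before (or without) their -N

# Stand-in for /usr/sbin/iptables: append the argument list to RULES.
record_rule() {
    RULES="${RULES}$*
"
}

# Built-in chains and targets that exist without a prior -N.
BUILTIN="INPUT OUTPUT FORWARD PREROUTING POSTROUTING ACCEPT DROP REJECT LOG RETURN MASQUERADE TCPMSS"

is_builtin() {
    for b in $BUILTIN; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

is_created() {
    case " $CREATED " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Walk the recorded calls in order. A -j to a user chain that does not exist
# yet makes the real iptables fail, so that rule would silently be left out.
lint_chain_order() {
    CREATED=""
    MISSING=""
    while read -r line; do
        set -- $line
        while [ $# -gt 1 ]; do
            case "$1" in
                -N) CREATED="${CREATED:+$CREATED }$2" ;;
                -j) is_builtin "$2" || is_created "$2" || MISSING="${MISSING:+$MISSING }$2" ;;
            esac
            shift
        done
    done <<EOF
$RULES
EOF
    [ -z "$MISSING" ]
}

# Section 4.1.1 sets all three filter policies to DROP; a chain left out
# keeps the kernel default ACCEPT. Returns 1 if any of them is not DROP.
lint_policies() {
    dropped=""
    while read -r line; do
        set -- $line
        [ "$1" = "-P" ] && [ "$3" = "DROP" ] && dropped="$dropped $2"
    done <<EOF
$RULES
EOF
    for c in INPUT OUTPUT FORWARD; do
        case " $dropped " in
            *" $c "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed rule-set in the page's style: a shortened section 4.1.
load_good_ruleset() {
    RULES=""
    IPTABLES=record_rule
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -N bad_tcp_packets
    $IPTABLES -N allowed
    $IPTABLES -N tcp_packets
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    $IPTABLES -A allowed -p tcp --syn -j ACCEPT
    $IPTABLES -A allowed -p tcp -j DROP
    $IPTABLES -A tcp_packets -p tcp --dport 22 -j allowed
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
    $IPTABLES -A INPUT -p tcp -i eth0 -j tcp_packets
    $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

# Constructed rule-set with two mistakes: the jump into "allowed" comes
# before its -N, and the OUTPUT policy was forgotten.
load_bad_ruleset() {
    RULES=""
    IPTABLES=record_rule
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -N tcp_packets
    $IPTABLES -A tcp_packets -p tcp --dport 22 -j allowed
    $IPTABLES -N allowed
    $IPTABLES -A INPUT -p tcp -i eth0 -j tcp_packets
}

# Stand-alone run: lint the deliberately broken rule-set.
load_bad_ruleset
if lint_chain_order; then echo "chain order: ok"; else echo "jumped to before -N: $MISSING"; fi
if lint_policies; then echo "policies: ok"; else echo "not every filter chain has a DROP policy"; fi
```

To lint a real script rather than the embedded samples, source it after setting IPTABLES=record_rule and an empty RULES; the script's own `$IPTABLES ...` lines then feed the recorder unchanged.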
Example rc.flush-iptables script
#!/bin/sh
#
# rc.flush-iptables - Resets iptables to default values.
#
# Copyright (C) 2001 Oskar Andreasson
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
# Configurations
#
IPTABLES="/usr/sbin/iptables"
#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# erase all chains that are not default in the filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
Example rc.test-iptables script
#!/bin/bash
#
# rc.test-iptables - test script for iptables chains and tables.
#
# Copyright (C) 2001 Oskar Andreasson
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
#
# Filter table, all chains
#
iptables -t filter -A INPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter FORWARD:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter FORWARD:"
#
# NAT table, all chains except OUTPUT, which does not work.
#
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat OUTPUT:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat OUTPUT:"
#
# Mangle table, all chains
#
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -I FORWARD 1 -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle FORWARD:"
iptables -t mangle -I FORWARD 1 -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle FORWARD:"
iptables -t mangle -I INPUT 1 -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle INPUT:"
iptables -t mangle -I INPUT 1 -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle INPUT:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle OUTPUT:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle OUTPUT:"
iptables -t mangle -I POSTROUTING 1 -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle POSTROUTING:"
iptables -t mangle -I POSTROUTING 1 -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle POSTROUTING:"
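rc.test-iptables only adds the LOG rules; the information it produces is the sequence of prefixes that appears in the kernel log for one ping. The following script is an added example, not part of the tutorial or of Oskar Andreasson's code: it reads a log excerpt and prints, in order, the chains a given packet passed through. The log lines are constructed for this example (abbreviated LOG output, IP header fields left out) and the traversal orders they show follow the tutorial's chapter on traversing tables and chains; the function assumes syslog's "kernel: " marker in front of the LOG prefix and the LOG target's "prefix IN=..." layout. Note that the nat table is consulted only for the first packet of a connection, so the reply to a firewall-originated ping shows no nat lines.

```shell
#!/bin/sh
# Added example (not from the tutorial): recover the chain traversal order
# of one packet from the log lines written by rc.test-iptables.

# Constructed sample: (1) an echo-request from a LAN host to the firewall,
# (2) an echo-request sent by the firewall itself, (3) the reply to (2).
LOG_SAMPLE='Jan  1 12:00:00 fw kernel: mangle PREROUTING:IN=eth1 OUT= SRC=192.168.0.5 DST=192.168.0.2 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan  1 12:00:00 fw kernel: nat PREROUTING:IN=eth1 OUT= SRC=192.168.0.5 DST=192.168.0.2 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan  1 12:00:00 fw kernel: mangle INPUT:IN=eth1 OUT= SRC=192.168.0.5 DST=192.168.0.2 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan  1 12:00:00 fw kernel: filter INPUT:IN=eth1 OUT= SRC=192.168.0.5 DST=192.168.0.2 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan  1 12:00:01 fw kernel: mangle OUTPUT:IN= OUT=eth1 SRC=192.168.0.2 DST=192.168.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=5151 SEQ=1
Jan  1 12:00:01 fw kernel: nat OUTPUT:IN= OUT=eth1 SRC=192.168.0.2 DST=192.168.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=5151 SEQ=1
Jan  1 12:00:01 fw kernel: filter OUTPUT:IN= OUT=eth1 SRC=192.168.0.2 DST=192.168.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=5151 SEQ=1
Jan  1 12:00:01 fw kernel: mangle POSTROUTING:IN= OUT=eth1 SRC=192.168.0.2 DST=192.168.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=5151 SEQ=1
Jan  1 12:00:01 fw kernel: nat POSTROUTING:IN= OUT=eth1 SRC=192.168.0.2 DST=192.168.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=5151 SEQ=1
Jan  1 12:00:01 fw kernel: mangle PREROUTING:IN=eth1 OUT= SRC=192.168.0.5 DST=192.168.0.2 PROTO=ICMP TYPE=0 CODE=0 ID=5151 SEQ=1
Jan  1 12:00:01 fw kernel: mangle INPUT:IN=eth1 OUT= SRC=192.168.0.5 DST=192.168.0.2 PROTO=ICMP TYPE=0 CODE=0 ID=5151 SEQ=1
Jan  1 12:00:01 fw kernel: filter INPUT:IN=eth1 OUT= SRC=192.168.0.5 DST=192.168.0.2 PROTO=ICMP TYPE=0 CODE=0 ID=5151 SEQ=1'

# Print the LOG prefixes, comma separated and in log order, of every line
# that contains the selector given as $1 (any substring that identifies one
# packet, e.g. its ICMP type and id). Uses only POSIX parameter expansion.
chain_path() {
    want=$1
    out=""
    while IFS= read -r line; do
        case "$line" in
            *"$want"*)
                p=${line#*kernel: }   # drop the syslog header
                p=${p%%:IN=*}         # keep the prefix up to the ":IN=" that LOG writes
                out="${out:+$out,}$p" ;;
        esac
    done <<EOF
$LOG_SAMPLE
EOF
    printf '%s\n' "$out"
}

# Stand-alone run: show the three traversals in the sample.
echo "LAN host -> firewall request: $(chain_path 'TYPE=8 CODE=0 ID=4242')"
echo "firewall -> LAN host request: $(chain_path 'TYPE=8 CODE=0 ID=5151')"
echo "reply to the firewall's ping: $(chain_path 'TYPE=0 CODE=0 ID=5151')"
```

With a real log, replace LOG_SAMPLE with the output of dmesg or the kernel facility of syslog after one ping; if a chain that should be in the path is missing, the packet was dropped or rejected before reaching it, which is exactly what the test script is meant to show.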
Index
Symbols
$INET_IP, Configuration options
$LAN_IFACE, FORWARD chain
$LAN_IP, OUTPUT chain
$LOCALHOST_IP, OUTPUT chain
$STATIC_IP, OUTPUT chain
--ahspi, AH/ESP match
--chunk-types, SCTP matches
--clamp-mss-to-pmtu, TCPMSS target
--clustermac, CLUSTERIP target
--cmd-owner, Owner match
--comment, Comment match
--ctexpire, Conntrack match
--ctorigdst, Conntrack match
--ctorigsrc, Conntrack match
--ctproto, Conntrack match
--ctrepldst, Conntrack match
--ctreplsrc, Conntrack match
--ctstate, Conntrack match
--ctstatus, Conntrack match
--destination, Generic matches
--destination-port, TCP matches, UDP matches, SCTP matches, Multiport match
--dscp, Dscp match
--dscp-class, Dscp match
--dst-range, IP range match
--dst-type, Addrtype match
--ecn, Ecn match
--ecn-ip-ect, Ecn match
--ecn-tcp-ece, Ecn match
--ecn-tcp-remove, ECN target
--espspi, AH/ESP match
--fragment, Generic matches
--gid-owner, Owner match
--hash-init, CLUSTERIP target
--hashlimit, Hashlimit match
--hashlimit-burst, Hashlimit match
--hashlimit-htable-expire, Hashlimit match
--hashlimit-htable-expire match, Hashlimit match
--hashlimit-htable-gcinterval, Hashlimit match
--hashlimit-htable-max, Hashlimit match
--hashlimit-htable-size, Hashlimit match
--hashlimit-mode, Hashlimit match
--hashlimit-name, Hashlimit match
--hashmode, CLUSTERIP target
--helper, Helper match
--hitcount, Recent match
--icmp-type, ICMP matches
--in-interface, Generic matches
--length, Length match
--limit, Limit match
--limit-burst, Limit match
--local-node, CLUSTERIP target
--log-ip-options, LOG target options
--log-level, LOG target options
--log-prefix, LOG target options
--log-tcp-options, LOG target options
--log-tcp-sequence, LOG target options
--mac-source, Mac match
--mark, Connmark match, Mark match
--mask, CONNMARK target
--match, Implicit matches
--mss, Tcpmss match
--name, Recent match
--new, CLUSTERIP target
--nodst, SAME target
--out-interface, Generic matches
--pid-owner, Owner match
--pkt-type, Packet type match
--pkt-type match, Packet type match
--port, Multiport match
--protocol, Generic matches
--queue-num, NFQUEUE target
--rcheck, Recent match
--rdest, Recent match
--realm, Realm match
--reject-with, REJECT target
--remove, Recent match
--restore, CONNSECMARK target
--restore-mark, CONNMARK target
--rsource, Recent match
--rttl, Recent match
--save, CONNSECMARK target
--save-mark, CONNMARK target
--seconds, Recent match
--selctx, SECMARK target
--set, Recent match
--set-class, CLASSIFY target
--set-dscp, DSCP target
--set-dscp-class, DSCP target
--set-mark, CONNMARK target, MARK target
--set-mss, TCPMSS target
--set-tos, TOS target
--sid-owner, Owner match
--source, Generic matches
--source-port, TCP matches, UDP matches, SCTP matches, Multiport match
--src-range, IP range match
--src-type, Addrtype match
--state, State match
--syn, TCP matches
--tcp-flags, TCP matches
--tcp-option, TCP matches
--to, NETMAP target, SAME target
--to-destination, DNAT target
--to-destination target, DNAT target
--to-ports, MASQUERADE target, REDIRECT target
--to-source, SNAT target
--tos, Tos match
--total-nodes, CLUSTERIP target
--ttl-dec, TTL target
--ttl-eq, Ttl match
--ttl-gt, Ttl match
--ttl-inc, TTL target
--ttl-lt, Ttl match
--ttl-set, TTL target
--uid-owner, Owner match
--ulog-cprange, ULOG target
--ulog-nlgroup, ULOG target
--ulog-prefix, ULOG target
--ulog-qthreshold, ULOG target
--update, Recent match
[ASSURED], TCP connections
[UNREPLIED], TCP connections
A
Accept, IP filtering terms and expressions
ACCEPT target, ACCEPT target, Displacement of rules to different chains, The UDP chain
ACK, TCP headers
Acknowledgment Number, TCP headers
Addrtype match, Addrtype match
--dst-type, Addrtype match
--src-type, Addrtype match
ANYCAST, Addrtype match
BLACKHOLE, Addrtype match
BROADCAST, Addrtype match
LOCAL, Addrtype match
MULTICAST, Addrtype match
NAT, Addrtype match
PROHIBIT, Addrtype match
THROW, Addrtype match
UNICAST, Addrtype match
UNREACHABLE, Addrtype match
UNSPEC, Addrtype match
XRESOLVE, Addrtype match
Advanced routing, TCP/IP destination driven routing
AH/ESP match, AH/ESP match
--ahspi, AH/ESP match
Ahspi match, AH/ESP match
Amanda, Complex protocols and connection tracking
ANYCAST, Addrtype match
Application layer, TCP/IP Layers
ASSURED, The conntrack entries, TCP connections
B
Bad_tcp_packets, The bad_tcp_packets chain, INPUT chain
Bash, Bash debugging tips
+-sign, Bash debugging tips
-x, Bash debugging tips
Basics, Where to get iptables
Commands, Commands
Compiling iptables, Compiling the user-land applications
Displacement, Displacement of rules to different chains
Drawbacks with restore, Drawbacks with restore
Filter table, Tables
Installation on Red Hat 7.1, Installation on Red Hat 7.1
iptables-restore, Saving and restoring large rule-sets, iptables-restore
iptables-save, Saving and restoring large rule-sets
Mangle table, Tables
Modules, Initial loading of extra modules
see also Modules
NAT, Network Address Translation Introduction
Nat table, Tables
Policy, Setting up default policies
Preparations, Preparations
Proc set up, proc set up
Raw table, Tables
Speed considerations, Speed considerations
State machine, Introduction
Tables, Tables
User specified chains, Setting up user specified chains in the filter table
User-land setup, User-land setup
BLACKHOLE, Addrtype match
BROADCAST, Addrtype match
C
Chain, IP filtering terms and expressions
FORWARD, General, Displacement of rules to different chains, FORWARD chain, PREROUTING chain of the nat table, The structure, The structure
INPUT, General, Displacement of rules to different chains, The ICMP chain, INPUT chain, The structure, The structure
OUTPUT, General, Raw table, Displacement of rules to different chains, OUTPUT chain, The structure, The structure, The structure
POSTROUTING, General, Starting SNAT and the POSTROUTING chain, The structure, The structure
PREROUTING, General, Raw table, PREROUTING chain of the nat table, The structure, The structure
Traversing, Traversing of tables and chains
User specified, User specified chains
Checksum, TCP headers, UDP headers, ICMP headers
Chkconfig, Installation on Red Hat 7.1
Chunk flags (SCTP), SCTP matches
Chunk types (SCTP), SCTP matches
Chunk-types match, SCTP matches
Cisco PIX, How to plan an IP filter
Clamp-mss-to-pmtu target, TCPMSS target
CLASSIFY target, CLASSIFY target
--set-class, CLASSIFY target
CLUSTERIP target, CLUSTERIP target
--clustermac, CLUSTERIP target
--hash-init, CLUSTERIP target
--hashmode, CLUSTERIP target
--local-node, CLUSTERIP target
--new, CLUSTERIP target
--total-nodes, CLUSTERIP target
Clustermac target, CLUSTERIP target
Cmd-owner match, Owner match
cmd.exe, What is an IP filter
Code, ICMP headers
Commands, Commands
--append, Commands
--delete, Commands
--delete-chain, Commands
--flush, Commands
--insert, Commands
--list, Commands
--new-chain, Commands
--policy, Commands
--rename-chain, Commands
--replace, Commands
--zero, Commands
Comment match, Comment match
--comment, Comment match
Commercial products, Commercial products based on Linux, iptables and netfilter
Ingate Firewall 1200, Ingate Firewall 1200
Common problems, Common problems and questions
DHCP, Letting DHCP requests through iptables
IRC DCC, mIRC DCC problems
ISP using private IP's, Internet Service Providers who use assigned IP addresses
Listing rule-sets, Listing your active rule-set
Modules, Problems loading modules
NEW not SYN, State NEW packets but no SYN bit set
SYN/ACK and NEW, SYN/ACK and NEW packets
Updating and flushing, Updating and flushing your tables
Complex protocols
Amanda, Complex protocols and connection tracking
FTP, Complex protocols and connection tracking
IRC, Complex protocols and connection tracking
TFTP, Complex protocols and connection tracking
Connection, Terms used in this document
Connection tracking, IP filtering terms and expressions
connection-oriented, IP characteristics
Connmark match, Connmark match
--mark, Connmark match
CONNMARK target, CONNMARK target
--mask, CONNMARK target
--restore-mark, CONNMARK target
--save-mark, CONNMARK target
--set-mark, CONNMARK target
CONNSECMARK target, Mangle table, CONNSECMARK target
--restore, CONNSECMARK target
--save, CONNSECMARK target
Conntrack, The state machine
Entries, The conntrack entries
Helpers, Complex protocols and connection tracking
ip_conntrack, The conntrack entries
Conntrack match, Conntrack match
--ctexpire, Conntrack match
--ctorigdst, Conntrack match
--ctorigsrc, Conntrack match
--ctproto, Conntrack match
--ctrepldst, Conntrack match
--ctreplsrc, Conntrack match
--ctstate, Conntrack match
--ctstatus, Conntrack match
console, Bash debugging tips
cron, How to plan an IP filter, Bash debugging tips
crontab, System tools used for debugging
Ctexpire match, Conntrack match
Ctorigdst match, Conntrack match
Ctorigsrc match, Conntrack match
Ctproto match, Conntrack match
Ctrepldst match, Conntrack match
Ctreplsrc match, Conntrack match
Ctstate match, Conntrack match
Ctstatus match, Conntrack match
CWR, TCP headers