Iptables Tutorial 1.2.2
Dedications About the author How to read Prerequisites Conventions used in this document Chapter 1. Introduction Why this document was written How it was written Terms used in this document What's next? Chapter 2. TCP/IP repetition TCP/IP Layers IP characteristics IP headers TCP characteristics TCP headers UDP characteristics UDP headers ICMP characteristics ICMP headers ICMP Echo Request/Reply ICMP Destination Unreachable Source Quench Redirect TTL equals 0 Parameter problem Timestamp request/reply Information request/reply SCTP Characteristics Initialization and association Data sending and control session Shutdown and abort SCTP Headers SCTP Generic header format SCTP Common and generic headers SCTP ABORT chunk SCTP COOKIE ACK chunk SCTP COOKIE ECHO chunk SCTP DATA chunk SCTP ERROR chunk SCTP HEARTBEAT chunk SCTP HEARTBEAT ACK chunk SCTP INIT chunk SCTP INIT ACK chunk SCTP SACK chunk SCTP SHUTDOWN chunk SCTP SHUTDOWN ACK chunk SCTP SHUTDOWN COMPLETE chunk TCP/IP destination driven routing What's next? Chapter 3. IP filtering introduction What is an IP filter IP filtering terms and expressions How to plan an IP filter What's next? Chapter 4. Network Address Translation Introduction What NAT is used for and basic terms and expressions Caveats using NAT Example NAT machine in theory What is needed to build a NAT machine Placement of NAT machines How to place proxies The final stage of our NAT machine What's next? Chapter 5. Preparations Where to get iptables Kernel setup User-land setup Compiling the user-land applications Installation on Red Hat 7.1 What's next? Chapter 6. Traversing of tables and chains General Mangle table Nat table Raw table Filter table User specified chains What's next? Chapter 7. The state machine Introduction The conntrack entries User-land states TCP connections UDP connections ICMP connections Default connections Untracked connections and the raw table Complex protocols and connection tracking What's next? Chapter 8. Saving and restoring large rule-sets Speed considerations Drawbacks with restore iptables-save iptables-restore What's next? Chapter 9. How a rule is built Basics of the iptables command Tables Commands What's next? Chapter 10. Iptables matches Generic matches Implicit matches TCP matches UDP matches ICMP matches SCTP matches Explicit matches Addrtype match AH/ESP match Comment match Connmark match Conntrack match Dscp match Ecn match Hashlimit match Helper match IP range match Length match Limit match Mac match Mark match Multiport match Owner match Packet type match Realm match Recent match State match Tcpmss match Tos match Ttl match Unclean match What's next? Chapter 11. Iptables targets and jumps ACCEPT target CLASSIFY target CLUSTERIP target CONNMARK target CONNSECMARK target DNAT target DROP target DSCP target ECN target LOG target options MARK target MASQUERADE target MIRROR target NETMAP target NFQUEUE target NOTRACK target QUEUE target REDIRECT target REJECT target RETURN target SAME target SECMARK target SNAT target TCPMSS target TOS target TTL target ULOG target What's next? Chapter 12. Debugging your scripts Debugging, a necessity Bash debugging tips System tools used for debugging Iptables debugging Other debugging tools Nmap Nessus What's next? Chapter 13. rc.firewall file example rc.firewall explanation of rc.firewall Configuration options Initial loading of extra modules proc set up Displacement of rules to different chains Setting up default policies Setting up user specified chains in the filter table INPUT chain FORWARD chain OUTPUT chain PREROUTING chain of the nat table Starting SNAT and the POSTROUTING chain What's next? Chapter 14. Example scripts rc.firewall.txt script structure The structure rc.firewall.txt rc.DMZ.firewall.txt rc.DHCP.firewall.txt rc.UTIN.firewall.txt rc.test-iptables.txt rc.flush-iptables.txt Limit-match.txt Pid-owner.txt Recent-match.txt Sid-owner.txt Ttl-inc.txt Iptables-save ruleset What's next? Chapter 15. Graphical User Interfaces for Iptables/netfilter fwbuilder Turtle Firewall Project Integrated Secure Communications System IPMenu Easy Firewall Generator What's next? Chapter 16. Commercial products based on Linux, iptables and netfilter Ingate Firewall 1200 What's next? Appendix A. Detailed explanations of special commands Listing your active rule-set Updating and flushing your tables Appendix B. Common problems and questions Problems loading modules State NEW packets but no SYN bit set SYN/ACK and NEW packets Internet Service Providers who use assigned IP addresses Letting DHCP requests through iptables mIRC DCC problems Appendix C. ICMP types Appendix D. TCP options Appendix E. Other resources and links Appendix F. Acknowledgments Appendix G. History Appendix H. GNU Free Documentation License 0. PREAMBLE 1. APPLICABILITY AND DEFINITIONS 2. VERBATIM COPYING 3. COPYING IN QUANTITY 4. MODIFICATIONS 5. COMBINING DOCUMENTS 6. COLLECTIONS OF DOCUMENTS 7. AGGREGATION WITH INDEPENDENT WORKS 8. TRANSLATION 9. TERMINATION 10. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents Appendix I. GNU General Public License 0. Preamble 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 2. How to Apply These Terms to Your New Programs Appendix J. Example scripts code-base Example rc.firewall script Example rc.DMZ.firewall script Example rc.UTIN.firewall script Example rc.DHCP.firewall script Example rc.flush-iptables script Example rc.test-iptables script Index Symbols A B C D E F G H I J K L M N O P Q R S T U V W X
Chapter 2. TCP/IP repetition Iptables is an extremely knowledge intensive tool. This means that iptables takes quite a bit of knowledge to be able to use iptables to it's full extent. Among other things, you must have a very good understanding of the TCP/IP protocol.
This chapter aims at explaining the pure "must understands" of TCP/IP before you can go on and work with iptables. Among the things we will go through are the IP, TCP, UDP and ICMP protocols and their headers, and general usages of each of these protocols and how they correlate to each other. Iptables works inside Internet and Transport layers, and because of that, this chapter will focus mainly on those layers as well.
Iptables is also able to work on higher layers, such as the Application layer. However, it was not built for this task, and should not be used for that kind of usage. I will explain more about this in the IP filtering introduction