Iptables Tutorial 1.2.2
Dedications. About the author. How to read. Prerequisites. Conventions used in this document.
Chapter 1. Introduction: Why this document was written. How it was written. Terms used in this document. What's next?
Chapter 2. TCP/IP repetition: TCP/IP Layers. IP characteristics. IP headers. TCP characteristics. TCP headers. UDP characteristics. UDP headers. ICMP characteristics. ICMP headers (ICMP Echo Request/Reply, ICMP Destination Unreachable, Source Quench, Redirect, TTL equals 0, Parameter problem, Timestamp request/reply, Information request/reply). SCTP Characteristics (Initialization and association, Data sending and control session, Shutdown and abort). SCTP Headers (SCTP Generic header format, SCTP Common and generic headers, SCTP ABORT chunk, SCTP COOKIE ACK chunk, SCTP COOKIE ECHO chunk, SCTP DATA chunk, SCTP ERROR chunk, SCTP HEARTBEAT chunk, SCTP HEARTBEAT ACK chunk, SCTP INIT chunk, SCTP INIT ACK chunk, SCTP SACK chunk, SCTP SHUTDOWN chunk, SCTP SHUTDOWN ACK chunk, SCTP SHUTDOWN COMPLETE chunk). TCP/IP destination driven routing. What's next?
Chapter 3. IP filtering introduction: What is an IP filter. IP filtering terms and expressions. How to plan an IP filter. What's next?
Chapter 4. Network Address Translation: Introduction. What NAT is used for and basic terms and expressions. Caveats using NAT. Example NAT machine in theory. What is needed to build a NAT machine. Placement of NAT machines. How to place proxies. The final stage of our NAT machine. What's next?
Chapter 5. Preparations: Where to get iptables. Kernel setup. User-land setup. Compiling the user-land applications. Installation on Red Hat 7.1. What's next?
Chapter 6. Traversing of tables and chains: General. Mangle table. Nat table. Raw table. Filter table. User specified chains. What's next?
Chapter 7. The state machine: Introduction. The conntrack entries. User-land states. TCP connections. UDP connections. ICMP connections. Default connections. Untracked connections and the raw table. Complex protocols and connection tracking. What's next?
Chapter 8. Saving and restoring large rule-sets: Speed considerations. Drawbacks with restore. iptables-save. iptables-restore. What's next?
Chapter 9. How a rule is built: Basics of the iptables command. Tables. Commands. What's next?
Chapter 10. Iptables matches: Generic matches. Implicit matches (TCP matches, UDP matches, ICMP matches, SCTP matches). Explicit matches (Addrtype match, AH/ESP match, Comment match, Connmark match, Conntrack match, Dscp match, Ecn match, Hashlimit match, Helper match, IP range match, Length match, Limit match, Mac match, Mark match, Multiport match, Owner match, Packet type match, Realm match, Recent match, State match, Tcpmss match, Tos match, Ttl match, Unclean match). What's next?
Chapter 11. Iptables targets and jumps: ACCEPT target. CLASSIFY target. CLUSTERIP target. CONNMARK target. CONNSECMARK target. DNAT target. DROP target. DSCP target. ECN target. LOG target options. MARK target. MASQUERADE target. MIRROR target. NETMAP target. NFQUEUE target. NOTRACK target. QUEUE target. REDIRECT target. REJECT target. RETURN target. SAME target. SECMARK target. SNAT target. TCPMSS target. TOS target. TTL target. ULOG target. What's next?
Chapter 12. Debugging your scripts: Debugging, a necessity. Bash debugging tips. System tools used for debugging. Iptables debugging. Other debugging tools (Nmap, Nessus). What's next?
Chapter 13. rc.firewall file: example rc.firewall. explanation of rc.firewall (Configuration options, Initial loading of extra modules, proc set up, Displacement of rules to different chains, Setting up default policies, Setting up user specified chains in the filter table, INPUT chain, FORWARD chain, OUTPUT chain, PREROUTING chain of the nat table, Starting SNAT and the POSTROUTING chain). What's next?
Chapter 14. Example scripts: rc.firewall.txt script structure (The structure). rc.firewall.txt. rc.DMZ.firewall.txt. rc.DHCP.firewall.txt. rc.UTIN.firewall.txt. rc.test-iptables.txt. rc.flush-iptables.txt. Limit-match.txt. Pid-owner.txt. Recent-match.txt. Sid-owner.txt. Ttl-inc.txt. Iptables-save ruleset. What's next?
Chapter 15. Graphical User Interfaces for Iptables/netfilter: fwbuilder. Turtle Firewall Project. Integrated Secure Communications System. IPMenu. Easy Firewall Generator. What's next?
Chapter 16. Commercial products based on Linux, iptables and netfilter: Ingate Firewall 1200. What's next?
Appendix A. Detailed explanations of special commands: Listing your active rule-set. Updating and flushing your tables.
Appendix B. Common problems and questions: Problems loading modules. State NEW packets but no SYN bit set. SYN/ACK and NEW packets. Internet Service Providers who use assigned IP addresses. Letting DHCP requests through iptables. mIRC DCC problems.
Appendix C. ICMP types
Appendix D. TCP options
Appendix E. Other resources and links
Appendix F. Acknowledgments
Appendix G. History
Appendix H. GNU Free Documentation License: 0. PREAMBLE. 1. APPLICABILITY AND DEFINITIONS. 2. VERBATIM COPYING. 3. COPYING IN QUANTITY. 4. MODIFICATIONS. 5. COMBINING DOCUMENTS. 6. COLLECTIONS OF DOCUMENTS. 7. AGGREGATION WITH INDEPENDENT WORKS. 8. TRANSLATION. 9. TERMINATION. 10. FUTURE REVISIONS OF THIS LICENSE. How to use this License for your documents.
Appendix I. GNU General Public License: 0. Preamble. 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION. 2. How to Apply These Terms to Your New Programs.
Appendix J. Example scripts code-base: Example rc.firewall script. Example rc.DMZ.firewall script. Example rc.UTIN.firewall script. Example rc.DHCP.firewall script. Example rc.flush-iptables script. Example rc.test-iptables script.
Index
UDP headers
The UDP header can be thought of as a very basic, simplified TCP header. It contains the source port, the destination port, the length and a checksum, as seen in the image below.
Source port - bit 0-15. This is the source port of the packet, describing where a reply packet should be sent. It can actually be set to zero if it doesn't apply: for example, when no reply packet is required, the source port can be set to zero. In most implementations it is set to some port number.
Destination port - bit 16-31. The destination port of the packet. This is required for all packets, as opposed to the source port of a packet.
Length - bit 32-47. The length field specifies the length of the whole packet in octets, including the header and data portions. The shortest possible packet is 8 octets long.
Checksum - bit 48-63. The checksum is the same kind of checksum as used in the TCP header, except that it covers a different set of data. In other words, it is the one's complement of the one's complement sum of parts of the IP header, the whole UDP header and the UDP data, padded with zeroes at the end when necessary.
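The following parser, added here as an example and not part of the tutorial's own code, walks the four fields described above and verifies the checksum the same way a receiving host does: the one's complement sum runs over the IPv4 pseudo-header (source address, destination address, a zero byte, protocol number 17 and the UDP length), the 8-octet header and the data, with an odd-length datagram padded with one zero octet. The addresses and payload are constructed sample values from the RFC 5737 documentation ranges; the function names are this example's own. It also enforces the two sanity checks a filter wants on this header: the length field must be at least 8 and must not claim more octets than actually arrived.

```python
import struct

UDP_PROTO = 17        # protocol number carried in the IPv4 pseudo-header
UDP_HEADER_LEN = 8    # source port, destination port, length, checksum: 2 octets each


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry.

    An odd-length buffer is padded with a single zero octet, as the
    checksum definition requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """The 12-octet IPv4 pseudo-header prepended to the datagram for checksumming."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum of a complete UDP datagram (header + data) with the checksum field zeroed."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF
    return csum if csum else 0xFFFF          # a computed 0 is sent as all ones; 0 means "no checksum"


def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a datagram with a correct checksum (used here to make a sample input)."""
    length = UDP_HEADER_LEN + len(payload)
    segment = struct.pack("!HHHH", sport, dport, length, 0) + payload
    return segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + payload


def parse_udp(segment: bytes) -> dict:
    """Split the header into its fields and reject lengths a filter should never trust."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(segment):
        raise ValueError("bad UDP length %d for %d received octets" % (length, len(segment)))
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "data": segment[UDP_HEADER_LEN:length]}


def verify_udp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> str:
    """Return 'absent' (checksum field 0, allowed over IPv4), 'ok' or 'bad'.

    A datagram with a valid checksum sums to 0xFFFF when the transmitted
    checksum field is included in the sum."""
    hdr = parse_udp(segment)
    if hdr["checksum"] == 0:
        return "absent"
    covered = pseudo_header(src_ip, dst_ip, hdr["length"]) + segment[:hdr["length"]]
    return "ok" if ones_complement_sum(covered) == 0xFFFF else "bad"


# Constructed sample: documentation addresses, a DNS-style port pair and a short payload.
SRC_IP = bytes([192, 0, 2, 1])
DST_IP = bytes([198, 51, 100, 2])
SAMPLE = build_udp(SRC_IP, DST_IP, 40000, 53, b"constructed payload")

if __name__ == "__main__":
    print(parse_udp(SAMPLE))
    print("checksum:", verify_udp(SRC_IP, DST_IP, SAMPLE))
```

Flipping any bit of the sample after it is built turns the verdict to "bad", and zeroing the checksum field turns it to "absent", which is why a filter that cares about integrity should treat an absent checksum as a policy decision rather than as a pass.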