Iptables Tutorial 1.2.2
ICMP characteristics
ICMP messages are used for a basic kind of error reporting from host to host, or from host to gateway. Between gateways, a protocol called the Gateway to Gateway Protocol (GGP) should normally be used for error reporting instead. As we have already discussed, the IP protocol is not designed for perfect error handling, but ICMP messages solve some parts of these problems. The big problem from one standpoint is that the headers of the ICMP messages are rather complicated and differ a little from message to message. However, this will not be a big problem from a filtering standpoint most of the time.
The basic form is that the message contains the standard IP header, followed by a type, a code and a checksum. All ICMP messages contain these fields. The type specifies what kind of error or reply message this packet is, for example destination unreachable, echo, echo reply or redirect. The code field gives more detail where necessary: if the packet is of type destination unreachable, the code field can take several values such as network unreachable, host unreachable or port unreachable. The checksum is simply a checksum for the whole packet.
As you may have noticed, I mentioned the IP header explicitly for the ICMP packet. This was done because the IP header is an integral part of the ICMP packet, and in a sense the ICMP protocol lives on the same level as the IP protocol. ICMP does use the IP protocol as if it were a higher level protocol, but at the same time it is not one. ICMP is an integral part of IP, and must be implemented in every IP implementation.
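To make the type/code/checksum layout concrete, here is an added example (not from the tutorial) that builds and decodes ICMP messages, verifies the checksum, and for a destination unreachable error reads back the original IP header that the error quotes. The sample packets (an echo request and a port-unreachable error for a UDP datagram to 192.0.2.10) are constructed inline.

```python
import struct

# ICMP types and destination-unreachable codes named in the text (values from RFC 792).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect", 8: "echo"}
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable", 3: "port unreachable"}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words over the whole ICMP message (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble type, code, checksum and the 4-byte 'rest of header', then the payload."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(msg: bytes) -> dict:
    """Decode the common fields; for type 3 also pull the quoted IP header the error carries."""
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    info = {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "other"),
        "code": code,
        "checksum_ok": icmp_checksum(msg) == 0,  # a correct checksum sums the message to zero
    }
    if icmp_type == 3:
        info["code_name"] = UNREACH_CODES.get(code, "other")
        # Bytes 8.. hold the original IP header plus the first 8 bytes of its payload,
        # which is how the receiver learns which connection the error refers to.
        ip = msg[8:]
        ihl = (ip[0] & 0x0F) * 4
        info["orig_proto"] = ip[9]
        info["orig_dst"] = ".".join(str(b) for b in ip[16:20])
        info["orig_dport"] = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return info


# Constructed sample: a UDP datagram's 20-byte IP header (proto 17, dst 192.0.2.10) and
# its first 8 bytes (src port 40000, dst port 53) as quoted inside a port-unreachable error.
ORIG_IP = bytes([0x45, 0, 0, 36, 0, 0, 0x40, 0, 64, 17, 0, 0, 192, 0, 2, 1, 192, 0, 2, 10])
ORIG_UDP = struct.pack("!HHHH", 40000, 53, 16, 0)
PORT_UNREACH = build_icmp(3, 3, payload=ORIG_IP + ORIG_UDP)
ECHO = build_icmp(8, 0, rest=struct.pack("!HH", 0x1234, 1), payload=b"ping")
```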