Iptables Tutorial 1.2.2
TTL equals 0
The TTL equals 0 ICMP type is also known as the Time Exceeded Message. It has ICMP type 11 and two ICMP codes. If the TTL field reaches 0 while the packet is in transit through a gateway, or while the destination host is reassembling fragments, the packet must be discarded. To notify the sending host of this, the discarding gateway or host can send a TTL equals 0 ICMP packet. The sender can then raise the TTL of outgoing packets to this destination if necessary.
The message carries only a small portion of the original packet. Its data field contains the original Internet header plus the first 64 bits of the original IP packet's data, so that the other end can match the message to the proper process (for TCP and UDP, those 64 bits hold the port numbers). As previously mentioned, the TTL equals 0 type can have two codes.
• Code 0 - TTL equals 0 during transit - This is sent to the sending host if the original packet TTL reached 0 when it was forwarded by a gateway.
• Code 1 - TTL equals 0 during reassembly - This is sent if the original packet was fragmented and the TTL reached 0 during reassembly of the fragments. This code should only be sent by the destination host.
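As an added example (not code from the tutorial), a small Python decoder for the message layout described above: it checks the type 11 and code fields and the ICMP checksum, then pulls the quoted Internet header and the 64 bits of original data out so the affected flow can be identified. The sample message, addresses and ports are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ICMP_TIME_EXCEEDED = 11                        # ICMP type "Time Exceeded"
TIME_EXCEEDED_CODES = {0: "TTL equals 0 during transit",      # sent by a gateway
                       1: "TTL equals 0 during reassembly"}   # sent by the destination host

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_time_exceeded(msg: bytes) -> dict:
    """Decode an ICMP Time Exceeded message and recover which packet (and flow) it refers to."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short: need ICMP header + IP header + 64 bits of data")
    itype, code = msg[0], msg[1]
    if itype != ICMP_TIME_EXCEEDED or code not in TIME_EXCEEDED_CODES:
        raise ValueError(f"not a Time Exceeded message (type {itype}, code {code})")
    if inet_checksum(msg) != 0:                # checksum field is included, so a good message sums to 0
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]                            # the quoted original datagram starts after the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4                # honour IHL: the quoted IP header may carry options
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted IP header malformed or truncated")
    return {
        "code": code,
        "reason": TIME_EXCEEDED_CODES[code],
        "orig_src": str(IPv4Address(inner[12:16])),
        "orig_dst": str(IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
        "orig_first8": inner[ihl:ihl + 8],     # for TCP/UDP this holds the ports, enough to find the process
    }

def build_time_exceeded(code: int, orig_ip_header: bytes, orig_first8: bytes) -> bytes:
    """Assemble a Time Exceeded message with a correct checksum (used here only to make the sample)."""
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, code, 0, 0) + orig_ip_header + orig_first8[:8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

# Constructed sample: a UDP probe 192.0.2.5:33434 -> 198.51.100.7:33435 whose TTL ran out at a gateway.
SAMPLE_IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0, 1, 17, 0,
                               IPv4Address("192.0.2.5").packed, IPv4Address("198.51.100.7").packed)
SAMPLE_UDP_FIRST8 = struct.pack("!HHHH", 33434, 33435, 16, 0)   # sport, dport, length, checksum
SAMPLE_MSG = build_time_exceeded(0, SAMPLE_IP_HEADER, SAMPLE_UDP_FIRST8)
```

Running `parse_time_exceeded(SAMPLE_MSG)` returns the code, its meaning and the original source, destination, protocol and first 8 payload bytes; a message with a corrupted checksum or a non-11 type is rejected with ValueError.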