do --destination-port 22:80 for example. This example would match all packets destined for UDP port 22 through 80. If the first port is omitted, port 0 is assumed. If the second port is omitted, port 65535 is assumed. If the high port is placed before the low port, they automatically switch places so the low port winds up before the high port. Note that this match does not handle multiple ports and port ranges. For more information about this, look at the multiport match extension.
ICMP matches
These are the ICMP matches. These packets are even worse than UDP packets in the sense that they are connectionless. The ICMP protocol is mainly used for error reporting and for connection control and similar features. ICMP is not a protocol subordinated to the IP protocol, but more of a protocol beside the IP protocol that helps handle errors. The header of an ICMP packet is very similar to that of an IP header, but contains differences. The main feature of this protocol is the type header, which tells us what the packet is to do. One example is that if we try to access an inaccessible IP address, we would get an ICMP host unreachable in return. For a complete listing of ICMP types, see the ICMP types appendix. There is only one ICMP specific match available for ICMP packets, and hopefully this should suffice. This match is implicitly loaded when we use the --protocol icmp match, and we get access to it automatically. Note that all the generic matches can also be used, so we can match on source and destination address too, among other things.
Table 3-7. ICMP matches
Match: --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Chapter 3. How a rule is built
Explanation: This match is used to specify the ICMP type to match. ICMP types can be specified either by their numeric values or by their names. Numerical values are specified in RFC 792. To find a complete listing of the ICMP name values, run iptables --protocol icmp --help, or check the ICMP types appendix. This match can also be inverted with the ! sign, in this fashion: --icmp-type ! 8. Note that some ICMP types are obsolete, and others may be "dangerous" for a simple host since they may, among other things, redirect packets to the wrong places.
Explicit matches
Explicit matches are matches that must be specifically loaded with the -m or --match option. If we would like to use the state matches, for example, we would have to write -m state to the left of the actual match using the state matches. These matches may in turn be specific to some protocols, or were made for testing/experimental use, or plainly to show examples of what could be accomplished with iptables. This in turn means that not all of these matches will always be useful; however, they should mostly be useful, since it all depends on your imagination and your needs. The difference between implicitly loaded matches and explicitly loaded ones is that the implicitly loaded matches will automatically be loaded when you, for example, match TCP packets, while explicitly loaded matches will never be loaded automatically, and it is up to you to activate them before using them.
MAC match
Table 3-8. MAC match options
Match: --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Explanation: This match is used to match packets based on their MAC source address. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX, else it will not be legal. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01. This would in other words reverse the meaning of the match, so all packets except packets from this MAC address would be matched. Note that since MAC addresses are only used on ethernet type networks, this match will only be possible to use on ethernet based networks. This match is also only valid in the PREROUTING, FORWARD and INPUT chains and nowhere else.
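The port-range rules, the ICMP type match and the MAC match above, tied together in a small added example (this script is not from the tutorial): it reproduces how iptables interprets a --destination-port range (omitted low port becomes 0, omitted high port 65535, reversed bounds are swapped), checks the XX:XX:XX:XX:XX:XX form that --mac-source requires, and prints the resulting rules instead of applying them, so it runs without root or an iptables binary. The default port spec and MAC address at the bottom are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the tutorial: mimic iptables' reading of a
# --destination-port range, validate a --mac-source address, and show
# the rules as text (set IPTABLES=iptables to apply them for real).

is_port() {                       # digits only, 0-65535
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# normalize_port_range SPEC -> "low:high" as iptables would interpret it
normalize_port_range() {
    case $1 in
        *:*) low=${1%%:*}; high=${1#*:} ;;
        *)   is_port "$1" && printf '%s\n' "$1"; return ;;   # single port
    esac
    [ -n "$low" ]  || low=0          # first port omitted  -> port 0
    [ -n "$high" ] || high=65535     # second port omitted -> port 65535
    is_port "$low" && is_port "$high" || return 1
    if [ "$low" -gt "$high" ]; then  # high placed first -> switch places
        tmp=$low; low=$high; high=$tmp
    fi
    printf '%s:%s\n' "$low" "$high"
}

# valid_mac ADDR -> 0 only for six colon-separated hex pairs (XX:XX:XX:XX:XX:XX)
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Dry run by default: print the rule instead of calling the real binary.
show_rule() { printf 'iptables %s\n' "$*"; }
IPTABLES=${IPTABLES:-show_rule}

# build_rules PORTSPEC MAC -> the three rules discussed above, or status 1 on bad input
build_rules() {
    range=$(normalize_port_range "$1") || return 1
    valid_mac "$2" || return 1
    $IPTABLES -A INPUT -p udp --destination-port "$range" -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT        # implicit match: no -m needed
    $IPTABLES -A INPUT -m mac --mac-source "$2" -j ACCEPT     # explicit match: -m mac required
}

# Constructed sample input: reversed range and a dummy MAC.
build_rules "${1:-80:22}" "${2:-00:00:00:00:00:01}"
```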
Limit match
The limit match extension must be loaded explicitly with the -m limit option. This