Iptables Tutorial 1.1.19

Oskar Andreasson

blueflux@koffein.net

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all sub-sections, with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".


All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 of the License.

These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License within this tutorial, under the section entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


Dedications

First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She has supported me more than I ever can support her to any degree. I wish I could make you just as happy as you make me.

Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who make this wonderful operating system possible.

Table of Contents
About the author
How to read
Prerequisites
Conventions used in this document
1. Introduction
1.1. Why this document was written
1.2. How it was written
1.3. Terms used in this document
2. Preparations
2.1. Where to get iptables
2.2. Kernel setup
2.3. User-land setup
2.3.1. Compiling the user-land applications
2.3.2. Installation on Red Hat 7.1
3. Traversing of tables and chains
3.1. General
3.2. mangle table
3.3. nat table
3.4. Filter table
4. The state machine
4.1. Introduction
4.2. The conntrack entries
4.3. User-land states
4.4. TCP connections
4.5. UDP connections
4.6. ICMP connections
4.7. Default connections
4.8. Complex protocols and connection tracking
5. Saving and restoring large rule-sets
5.1. Speed considerations
5.2. Drawbacks with restore
5.3. iptables-save
5.4. iptables-restore
6. How a rule is built
6.1. Basics
6.2. Tables
6.3. Commands
6.4. Matches
6.4.1. Generic matches
6.4.2. Implicit matches
6.4.3. Explicit matches
6.4.4. Unclean match
6.5. Targets/Jumps
6.5.1. ACCEPT target
6.5.2. DNAT target
6.5.3. DROP target
6.5.4. LOG target
6.5.5. MARK target
6.5.6. MASQUERADE target
6.5.7. MIRROR target
6.5.8. QUEUE target
6.5.9. REDIRECT target
6.5.10. REJECT target
6.5.11. RETURN target
6.5.12. SNAT target
6.5.13. TOS target
6.5.14. TTL target
6.5.15. ULOG target
7. rc.firewall file
7.1. example rc.firewall
7.2. explanation of rc.firewall
7.2.1. Configuration options
7.2.2. Initial loading of extra modules
7.2.3. proc set up
7.2.4. Displacement of rules to different chains
7.2.5. Setting up default policies
7.2.6. Setting up user specified chains in the filter table
7.2.7. INPUT chain
7.2.8. FORWARD chain
7.2.9. OUTPUT chain
7.2.10. PREROUTING chain of the nat table
7.2.11. Starting SNAT and the POSTROUTING chain
8. Example scripts
8.1. rc.firewall.txt script structure
8.1.1. The structure
8.2. rc.firewall.txt
8.3. rc.DMZ.firewall.txt
8.4. rc.DHCP.firewall.txt
8.5. rc.UTIN.firewall.txt
8.6. rc.test-iptables.txt
8.7. rc.flush-iptables.txt
8.8. Limit-match.txt
8.9. Pid-owner.txt
8.10. Sid-owner.txt
8.11. Ttl-inc.txt
8.12. Iptables-save ruleset
A. Detailed explanations of special commands
A.1. Listing your active rule-set
A.2. Updating and flushing your tables
B. Common problems and questions
B.1. Problems loading modules
B.2. State NEW packets but no SYN bit set
B.3. SYN/ACK and NEW packets
B.4. Internet Service Providers who use assigned IP addresses
B.5. Letting DHCP requests through iptables
B.6. mIRC DCC problems
C. ICMP types
D. Other resources and links
E. Acknowledgments
F. History
G. GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
H. GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
I. Example scripts code-base
I.1. Example rc.firewall script
I.2. Example rc.DMZ.firewall script
I.3. Example rc.UTIN.firewall script
I.4. Example rc.DHCP.firewall script
I.5. Example rc.flush-iptables script
I.6. Example rc.test-iptables script
List of Tables
3-1. Destination local host (our own machine)
3-2. Source local host (our own machine)
3-3. Forwarded packets
4-1. User-land states
4-2. Internal states
6-1. Tables
6-2. Commands
6-3. Options
6-4. Generic matches
6-5. TCP matches
6-6. UDP matches
6-7. ICMP matches
6-8. Limit match options
6-9. MAC match options
6-10. Mark match options
6-11. Multiport match options
6-12. Owner match options
6-13. State matches
6-14. TOS matches
6-15. TTL matches
6-16. DNAT target
6-17. LOG target options
6-18. MARK target options
6-19. MASQUERADE target
6-20. REDIRECT target
6-21. REJECT target
6-22. SNAT target
6-23. TOS target
6-24. TTL target
6-25. ULOG target
C-1. ICMP types