7.9. Basic iptables Matches
iptables has a small number of built-in matches and targets and a set of extensions that are loaded if they are referenced. The matches for IP are considered built-in, and the others are considered match extensions (even though the icmp, tcp and udp match extensions are automatically loaded when the corresponding protocols are referenced with the -p built-in IP match option).
7.9.1. Internet Protocol (IPv4) Matches
These built-in matches are available without a preceding -m argument to iptables. Table 7-8 shows the layout of the fields in an Internet Protocol (IPv4) packet. These fields are the subjects of various match and target extensions (including the set of built-in matches described in this section). Table 7-8 describes the options to this match.
Option | Description |
---|---|
-d [!] addr[/mask] | Destination address addr (or range, if mask is given). |
--destination | Synonym for -d. |
--dst | Synonym for -d. |
[!] -f | Second or further fragment of a packet that has undergone fragmentation. Connection tracking does automatic defragmentation, so this option is not often useful. If you aren't using connection tracking, though, you can use it. |
--fragments | Synonym for -f. Commonly abbreviated (including in the iptables manpage) --fragment. |
-i [!] in | Input interface in (if in ends with +, any interface having a name that starts with in will match). |
--in-interface | Synonym for -i. |
-o [!] out | Output interface out (if out ends with +, any interface having a name that starts with out will match). |
--out-interface | Synonym for -o. |
-p [!] proto | Protocol name or number proto. See Table 7-9 for a list of common protocol names and numbers. Your system's http://www.iana.org/assignments/protocol-numbers. -p protocol includes an implicit -m protocol when protocol is one of icmp, tcp, or udp. |
--protocol | Synonym for -p. Commonly abbreviated --proto. |
-s [!] addr[/mask] | Source address addr (or range, if mask is given). |
--source | Synonym for -s. |
--src | Synonym for -s. |
Masks may be given either in the traditional netmask notation, such as 192.168.1.0/255.255.255.0, or in the newer Classless Inter-Domain Routing (CIDR) notation, such as 192.168.1.0/24 (see RFC 1519, available online at http://www.rfc-editor.org/rfc/rfc1519.txt), for the address specifications of -s and -d.
Name | Number(s) | Description |
---|---|---|
ALL | 1, 6, 17 | Equivalent to not specifying protocol at all |
icmp | 1 | Internet Control Message Protocol |
tcp | 6 | Transmission Control Protocol |
udp | 17 | User Datagram Protocol |
7.9.2. Ethernet Media Access Controller (MAC) Match
This match is based on the Media Access Controller (MAC) address of the source Ethernet interface. Table 7-10 describes the single option to this match. This is actually not an IP match. Ethernet is at a lower level in the network architecture, but since many IP networks run over Ethernet, and the MAC information is available, this match extension is included anyway.
The --mac-source match is valid only in the PREROUTING, FORWARD, or INPUT chains, and only for packets coming from Ethernet devices. For example, to allow only a single Ethernet device to communicate over an interface (such as an interface connected to a wireless device):
iptables -A PREROUTING -i eth1 -m mac --mac-source ! 0d:bc:97:02:18:21 -j DROP
7.9.3. Internet Control Message Protocol Match
The Internet Control Message Protocol (ICMP) match extension is automatically loaded if -p icmp is used. Table 7-11 describes the options to this match.
Option | Description |
---|---|
--icmp-type [!] typename | Matches ICMP type typename |
--icmp-type [!] type[/code] | Matches ICMP type and code given |
The ICMP types and codes are listed in the official database at http://www.iana.org/assignments/icmp-parameters (per RFC 3232, "Assigned Numbers: RFC 1700 is Replaced by an On-line Database," available online at http://www.rfc-editor.org/rfc/rfc3232.txt).
7.9.4. User Datagram Protocol Match
The User Datagram Protocol (UDP) match extension is automatically loaded if -p udp is used. Table 7-12 describes the options to this match.
7.9.5. Transmission Control Protocol Match
The Transmission Control Protocol (TCP) match extension is automatically loaded if -p tcp is used. Table 7-13 describes the options to this match.
7.9.6. A Naive Example
Let's suppose that we have a network in our organization and that we are using a Linux-based firewall host to allow our users to access WWW (HTTP on port 80 only, not HTTPS on port 443) servers on the Internet, but to allow no other traffic to be passed. The commands that follow could be used to set up a simple set of forwarding rules to implement this policy. Note, however, that while this example is simple, the NAT and Masquerading solutions discussed in Chapter 9 are more often used for this type of application.
If our network has a 24-bit network mask (class C) and has an address of 172.16.1.0, then we'd use the following iptables rules:
# modprobe ip_tables
# iptables -F FORWARD
# iptables -P FORWARD DROP
# iptables -A FORWARD -p tcp -s 0/0 --sport 80 \
-d 172.16.1.0/24 --syn -j DROP
# iptables -A FORWARD -p tcp -s 172.16.1.0/24 \
--dport 80 -d 0/0 -j ACCEPT
# iptables -A FORWARD -p tcp -d 172.16.1.0/24 \
--sport 80 -s 0/0 -j ACCEPT
Lines 1-3 install iptables into the running kernel, flush the FORWARD chain of the filter table (the default table if no explicit table is mentioned in the iptables command's arguments), and set the default policy for the FORWARD chain of the filter table to DROP. Line 4 prevents Internet hosts from establishing connections to the internal network by dropping SYN packets (but only if the source port is 80, since those are the only ones that would be let through by later rules). Line 5 allows all packets heading from the internal network to port 80 on any host to get out. Line 6 allows all packets heading from port 80 on any host to hosts on the internal network through.
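To check what the three FORWARD rules above decide for a given packet without touching a live firewall, here is an added Python simulator (not code from the book) that parses rule lines using the built-in matches of Table 7-8 (-s/-d in CIDR or dotted-mask form, -p, -i with the + wildcard, --sport/--dport, --syn and ! negation) and applies first-match semantics with the chain policy; the packet dictionaries, the net_of helper and the packet field names are constructed assumptions. Because rule 6 matches on source port 80 alone, the simulator also makes visible that any non-SYN segment from port 80 is forwarded whether or not an inside host ever opened that connection, which is what the chapter's pointer to the NAT and connection-tracking material is about.

```python
import ipaddress
import shlex

def net_of(spec):
    # iptables accepts short forms like "0/0" and dotted masks; ipaddress wants all four octets
    addr, _, mask = spec.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)

def parse_rule(line):
    # One "iptables -A CHAIN ..." command -> chain, target and (option, negated, value) matches
    toks = shlex.split(line)[1:]                  # drop the leading "iptables" word
    rule, i = {"chain": None, "target": None, "matches": []}, 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-j"):
            rule["chain" if t == "-A" else "target"], i = toks[i + 1], i + 2
        elif t == "--syn":                        # flag option, takes no value
            rule["matches"].append((t, False, None)); i += 1
        elif toks[i + 1] == "!":                  # "-s ! addr": inverted match
            rule["matches"].append((t, True, toks[i + 2])); i += 3
        else:
            rule["matches"].append((t, False, toks[i + 1])); i += 2
    return rule

def match_one(opt, neg, val, pkt):
    if opt == "--syn":                            hit = pkt.get("syn", False)
    elif opt in ("-p", "--protocol", "--proto"):  hit = val == "all" or pkt["proto"] == val
    elif opt in ("-s", "--source", "--src"):      hit = ipaddress.ip_address(pkt["src"]) in net_of(val)
    elif opt in ("-d", "--destination", "--dst"): hit = ipaddress.ip_address(pkt["dst"]) in net_of(val)
    elif opt in ("-i", "--in-interface"):         # trailing "+" makes the name a prefix wildcard
        hit = pkt.get("in", "").startswith(val[:-1]) if val.endswith("+") else pkt.get("in") == val
    elif opt in ("--sport", "--dport"):           hit = pkt.get(opt[2:]) == int(val)
    else: raise ValueError(f"unsupported option {opt}")
    return hit != neg                             # "!" inverts the single match it precedes

def verdict(rules, policy, pkt):
    # First matching rule decides, as in a real chain; otherwise the chain policy applies
    for r in rules:
        if all(match_one(o, n, v, pkt) for o, n, v in r["matches"]):
            return r["target"]
    return policy

NAIVE_RULES = [parse_rule(l) for l in (          # constructed: the chapter's FORWARD rules
    "iptables -A FORWARD -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 --syn -j DROP",
    "iptables -A FORWARD -p tcp -s 172.16.1.0/24 --dport 80 -d 0/0 -j ACCEPT",
    "iptables -A FORWARD -p tcp -d 172.16.1.0/24 --sport 80 -s 0/0 -j ACCEPT")]

def naive_verdict(pkt):
    return verdict(NAIVE_RULES, "DROP", pkt)      # chain policy from "iptables -P FORWARD DROP"
```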