iptables has a small number of built-in matches and targets and a set of extensions that are loaded if they are referenced. The matches for IP are considered built-in, and the others are considered match extensions (even though the icmp, tcp and udp match extensions are automatically loaded when the corresponding protocols are referenced with the -p built-in IP match option).
These built-in matches are available without a preceding -m argument to iptables. They operate on the fields of the Internet Protocol (IPv4) packet header, and those same fields are the subjects of various match and target extensions as well. Table 7-8 describes the options to this match.

| Option | Description |
|---|---|
| -d [!] addr[/mask] | Destination address addr (or range, if mask is given). |
| --destination | Synonym for -d. |
| --dst | Synonym for -d. |
| [!] -f | Second or further fragment of a packet that has undergone fragmentation. Connection tracking does automatic defragmentation, so this option is not often useful. If you aren't using connection tracking, though, you can use it. |
| --fragments | Synonym for -f. Commonly abbreviated (including in the iptables manpage) --fragment. |
| -i [!] in | Input interface in (if in ends with +, any interface having a name that starts with in will match). |
| --in-interface | Synonym for -i. |
| -o [!] out | Output interface out (if out ends with +, any interface having a name that starts with out will match). |
| --out-interface | Synonym for -o. |
| -p [!] proto | Protocol name or number proto. See Table 7-9 for a list of common protocol names and numbers; your system's /etc/protocols file and http://www.iana.org/assignments/protocol-numbers list the rest. -p protocol includes an implicit -m protocol when protocol is one of icmp, tcp, or udp. |
| --protocol | Synonym for -p. Commonly abbreviated --proto. |
| -s [!] addr[/mask] | Source address addr (or range, if mask is given). |
| --source | Synonym for -s. |
| --src | Synonym for -s. |
You can use the old-style dotted-quad notation for masks such as 192.168.1.0/255.255.255.0, or the newer Classless Inter-Domain Routing (CIDR) notation such as 192.168.1.0/24 (see RFC 1519, available online at http://www.rfc-editor.org/rfc/rfc1519.txt) for the address specifications of -s and -d. Both forms describe the same range; the kernel sees only the resulting mask.

Table 7-9 lists the protocol names most often given to -p.

| Name | Number(s) | Description |
|---|---|---|
| all | 0 | Matches any protocol; equivalent to not specifying -p at all |
| icmp | 1 | Internet Control Message Protocol |
| tcp | 6 | Transmission Control Protocol |
| udp | 17 | User Datagram Protocol |
This match is based on the Media Access Controller (MAC) address of the source Ethernet interface. Table 7-10 describes the single option to this match.

This is actually not an IP match. Ethernet is at a lower level in the network architecture, but since many IP networks run over Ethernet, and the MAC information is available, this match extension is included anyway.

| Option | Description |
|---|---|
| --mac-source [!] mac | Match when the Ethernet frame source MAC field matches mac. The format is XX:XX:XX:XX:XX:XX, where each XX is replaced by two hexadecimal digits. |

Use this only with rules on the PREROUTING, FORWARD, or INPUT chains, and only for packets coming from Ethernet devices. Note that PREROUTING exists in the mangle, nat and raw tables but not in the default filter table, so a rule placed there must name its table with -t; the nat table sees only the first packet of each connection, so mangle is the usual choice for a filtering rule like this one.

For example, to allow only a single Ethernet device to communicate over an interface (such as an interface connected to a wireless device), drop everything arriving on that interface from any other source MAC:

```sh
iptables -t mangle -A PREROUTING -i eth1 -m mac ! --mac-source 0d:bc:97:02:18:21 -j DROP
```

Current iptables releases expect the negation before the option as shown (the older form, --mac-source ! mac, is deprecated). Keep in mind that a source MAC address is trivially forged by anyone on the same segment, so this is a hygiene measure against accidental clients rather than authentication of the permitted device.
The Internet Control Message Protocol (ICMP) match extension is automatically loaded if -p icmp is used. Table 7-11 describes the options to this match.

| Option | Description |
|---|---|
| --icmp-type [!] typename | Matches ICMP type typename |
| --icmp-type [!] type[/code] | Matches ICMP type and code given |

Running iptables -p icmp -h prints the list of type names the match accepts. You can find the official ICMP types and codes in the IANA registry at http://www.iana.org/assignments/icmp-parameters (per RFC 3232, "Assigned Numbers: RFC 1700 is Replaced by an On-line Database," available online at http://www.rfc-editor.org/rfc/rfc3232.txt).
The User Datagram Protocol (UDP) match extension is automatically loaded if -p udp is used. Table 7-12 describes the options to this match.
| Option | Description |
|---|---|
| --destination-port [!] port[:port] | Match when the UDP destination port number is equal to port (if only one port is given) or in the inclusive range (if both ports are given). Ports can be specified by name (from your system's /etc/services file) or number. |
| --dport | Synonym for --destination-port. |
| --source-port [!] port[:port] | Match when the UDP source port is equal to port (if only one port is given) or in the inclusive range (if both ports are given). Ports can be specified by name (from your system's /etc/services file) or number. |
| --sport | Synonym for --source-port. |
The Transmission Control Protocol (TCP) match extension is automatically loaded if -p tcp is used. Table 7-13 describes the options to this match.
| Option | Description |
|---|---|
| --destination-port | Synonym for --dport. |
| --dport [!] port[:port] | Match when the TCP destination port number is equal to port (if only one port is given) or in the inclusive range (if both ports are given). Ports can be specified by name (from your system's /etc/services file) or number. |
| --mss value[:value] | Match SYN and SYN/ACK packets (the only segments that carry the option) when the TCP Maximum Segment Size (MSS) value is equal to value (if only one value is given) or in the inclusive range (if both values are given). See also the tcpmss match extension (-m tcpmss --mss value[:value]), which is the current form of this test. |
| --source-port | Synonym for --sport. |
| --sport [!] port[:port] | Match when the TCP source port is equal to port (if only one port is given) or in the inclusive range (if both ports are given). Ports can be specified by name (from your system's /etc/services file) or number. |
| [!] --syn | Synonym for --tcp-flags SYN,RST,ACK SYN (current iptables versions also include FIN in the mask). Packets matching this are called "SYN" packets; they are the first segment of a new connection. This option can be used to construct rules to block incoming connections while permitting outgoing connections. |
| --tcp-flags [!] mask comp | Check only the flags listed in mask, and match if exactly the comp flags among them are set. The mask and comp arguments are comma-separated lists of flag names (SYN, ACK, FIN, RST, URG, PSH), or one of the two special values ALL and NONE. |
Let's suppose that we have a network in our organization and that we are using a Linux-based firewall host to allow our users to access WWW servers (HTTP on port 80 only, not HTTPS on port 443) on the Internet, but to allow no other traffic to be passed. The commands that follow could be used to set up a simple set of forwarding rules to implement this policy. Note, however, that while this example is simple, the NAT and Masquerading solutions discussed in Chapter 9 are more often used for this type of application.

If our network has a 24-bit network mask and the address 172.16.1.0 (that is, 172.16.1.0/24), then we'd use the following iptables rules:

```sh
# modprobe ip_tables
# iptables -F FORWARD
# iptables -P FORWARD DROP
# iptables -A FORWARD -p tcp -s 0/0 --sport 80 \
    -d 172.16.1.0/24 --syn -j DROP
# iptables -A FORWARD -p tcp -s 172.16.1.0/24 \
    --dport 80 -d 0/0 -j ACCEPT
# iptables -A FORWARD -p tcp -d 172.16.1.0/24 \
    --sport 80 -s 0/0 -j ACCEPT
```

Lines 1-3 load the ip_tables module into the running kernel, flush the FORWARD chain of the filter table (the default table if no explicit table is mentioned in the iptables command's arguments), and set the default policy for the FORWARD chain of the filter table to DROP.

Line 4 prevents Internet hosts from establishing connections to the internal network by dropping SYN packets (but only if the source port is 80, since those are the only ones that would be let through by later rules).

Line 5 allows all packets heading from the internal network to port 80 on any host to get out.

Line 6 allows all packets heading from port 80 on any host to hosts on the internal network through.

Because these rules are stateless, line 6 admits any non-SYN TCP segment whose source port is 80, whether or not an internal host ever opened a connection to the sender: an outside scanner that sets its source port to 80 can reach every internal port with ACK, FIN or RST segments. Using connection tracking for the return direction (-m state --state ESTABLISHED,RELATED in place of the source-port test) closes this hole, at the cost of the kernel keeping per-connection state.
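To make the match semantics concrete without a root shell or a kernel, the following is an added Python model (not part of the original text and not iptables code) of the -s/-d address matching from Table 7-8 in both mask notations, the port ranges of Tables 7-12 and 7-13, the --tcp-flags mask/comp test and the --syn shorthand, applied to the three FORWARD rules above. The packets fed through the chain are constructed IPv4/TCP headers with made-up addresses (172.16.1.10 as an internal host, 198.51.100.7 as an Internet server); the last case is the stateless gap in line 6.

```python
"""Model of the iptables built-in IP match and tcp match, applied to the
stateless FORWARD chain from the text. Constructed packets, no real kernel."""
import ipaddress
import struct

# TCP flag bits in byte 13 of the TCP header, named as iptables names them.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flags(spec):
    """Turn an iptables flag list ("SYN,RST,ACK", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))


def tcp_flags_match(flags, mask, comp):
    """--tcp-flags mask comp: look only at the mask bits and require exactly comp set."""
    return (flags & parse_flags(mask)) == parse_flags(comp)


def syn_match(flags):
    """--syn as the page defines it: --tcp-flags SYN,RST,ACK SYN (no FIN in the mask)."""
    return tcp_flags_match(flags, "SYN,RST,ACK", "SYN")


def parse_network(spec):
    """-s/-d address spec: dotted-quad mask, CIDR prefix, or the 0/0 abbreviation."""
    addr, _, mask = spec.partition("/")
    addr += ".0" * (3 - addr.count("."))      # iptables accepts "0/0" for 0.0.0.0/0
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)


def port_range(spec):
    """--sport/--dport: a single port "80" or an inclusive range "1024:65535"."""
    lo, _, hi = str(spec).partition(":")
    return int(lo), int(hi or lo)


def build_packet(src, dst, sport, dport, flags):
    """Constructed IPv4+TCP header (checksums zero, no payload) to feed the chain."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Extract the fields the built-in IP match and the tcp match look at."""
    ihl = (raw[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"proto": raw[9], "src": ipaddress.IPv4Address(raw[12:16]),
            "dst": ipaddress.IPv4Address(raw[16:20]),
            "sport": sport, "dport": dport, "flags": raw[ihl + 13]}


def rule(target, proto=None, src=None, dst=None, sport=None, dport=None, syn=False, tcp_flags=None):
    """One iptables rule: every match given must hold, then jump to target."""
    src_net = parse_network(src) if src else None
    dst_net = parse_network(dst) if dst else None
    sports = port_range(sport) if sport else None
    dports = port_range(dport) if dport else None

    def matches(p):
        if proto is not None and p["proto"] != proto:
            return False
        if src_net is not None and p["src"] not in src_net:
            return False
        if dst_net is not None and p["dst"] not in dst_net:
            return False
        if sports is not None and not sports[0] <= p["sport"] <= sports[1]:
            return False
        if dports is not None and not dports[0] <= p["dport"] <= dports[1]:
            return False
        if syn and not syn_match(p["flags"]):
            return False
        if tcp_flags is not None and not tcp_flags_match(p["flags"], *tcp_flags):
            return False
        return True

    return matches, target


# Lines 4-6 from the text, in order; anything unmatched falls through to the policy.
FORWARD = [
    rule("DROP", proto=6, src="0/0", sport=80, dst="172.16.1.0/24", syn=True),
    rule("ACCEPT", proto=6, src="172.16.1.0/24", dport=80, dst="0/0"),
    rule("ACCEPT", proto=6, dst="172.16.1.0/24", sport=80, src="0/0"),
]


def forward(raw, policy="DROP"):
    """Walk the FORWARD chain: the first matching rule decides, else the chain policy."""
    p = parse_packet(raw)
    for matches, target in FORWARD:
        if matches(p):
            return target
    return policy


if __name__ == "__main__":
    SYN, ACK = TCP_FLAGS["SYN"], TCP_FLAGS["ACK"]
    inside, outside = "172.16.1.10", "198.51.100.7"          # constructed addresses
    print(forward(build_packet(inside, outside, 40000, 80, SYN)))        # ACCEPT: client SYN out (line 5)
    print(forward(build_packet(outside, inside, 80, 40000, SYN | ACK)))  # ACCEPT: server reply (line 6)
    print(forward(build_packet(outside, inside, 80, 22, SYN)))           # DROP: new connection from "port 80" (line 4)
    # Stateless gap: a bare ACK from source port 80 to any internal port passes line 6.
    print(forward(build_packet(outside, inside, 80, 22, ACK)))           # ACCEPT
```

syn_match follows the page's definition of --syn with a SYN,RST,ACK mask, so a segment carrying SYN and FIN together still counts as a SYN packet; changing the mask string to SYN,RST,ACK,FIN, as current iptables does, makes tcp_flags_match reject it, which is the difference the two definitions make in practice.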