|
About
Coreteam Contributors History License Thanks PGP key Projects iptables libnfnetlink libnetfilter_log libnetfilter_queue libnetfilter_conntrack conntrack-tools ipset nf-hipac patch-o-matic-ng base repository extra repository external repository ulogd Downloads git Repository ftp Server rsync Server News iptables 1.4.2-rc1 released libnetfilter_conntrack-0.0.96 release libraries release iptables 1.4.1.1 released iptables 1.4.1 released iptables 1.4.1-rc3 released several releases iptables 1.4.1-rc2 released iptables 1.4.1-rc1 released Moving to GIT 6th Netfilter Workshop libnfnetlink release conntrack-tools 0.9.6 release libnetfilter_conntrack release iptables-1.4.0 Michael Rash's book libnetfilter_conntrack release iptables-1.4.0rc1 security announces libnetfilter_queue release libnfnetlink release conntrack-tools-0.9.5 release libnetfilter_conntrack release conntrack-tools-0.9.4 release libnetfilter_conntrack release iptables-1.3.8 conntrack-tools release libnetfilter_conntrack release Netfilter Workshop new PGP key Pablo Neira Ayuso joins core team library releases iptables-1.3.7 iptables-1.3.6 iptables-1.3.5 ulogd-1.24 ulogd-2.00beta1 library releases iptables-1.3.4 Yasuyuki Kozakai joins core team planet.netfilter.org conntrack-0.81 iptables-1.3.3 Documentation FAQ HOWTOs Events Tutorials Various other docs Security Information Mailing Lists List Rules netfilter-announce list netfilter list netfilter-devel list netfilter-failover list Contact bugzilla coreteam webmaster imprint / postal address Supporting netfilter Licensing Events Links Mirrors About website |
netfilter/iptables - Patch-o-Matic Listing - externalACCOUNT IPMARK ROUTE condition connlimit geoip ipp2p pknock time
This patch adds the ACCOUNT target The ACCOUNT target is a high performance accounting system for local networks. It takes two parameters: --addr network/netmask and --tname NAME. --addr is the subnet which is accounted for --tname is the table name where the information is stored The data can be queried later using the libipt_ACCOUNT userspace library or by the "iptaccount" tool which is part of the libipt_ACCOUNT package. A special subnet is "0.0.0.0/0": All data is stored in the src_bytes and src_packets structure of slot "0". This is useful if you want to account the overall traffic to/from your internet provider. For more information go to http://www.intra2net.com/de/produkte/opensource/ipt_account/
This option adds a `IPMARK' target, which allows you to mark
a received packet basing on its IP address. This can replace even
thousands of mangle/mark or tc entries with only one.
This target is to be used inside the mangle table, in the PREROUTING,
POSTROUTING or FORWARD hooks.
IPMARK target options:
--addr src/dst Use source or destination IP address.
--and-mask mask Perform bitwise `and' on the IP address and this mask.
--or-mask mask Perform bitwise `or' on the IP address and this mask.
The order of IP address bytes is reversed to meet "human order of bytes":
192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
`or'.
Examples:
We create a queue for each user, the queue number is adequate
to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
Earlier we had thousands of tc filter rules:
tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.2 flowid 1:502
tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.3 flowid 1:503
...
or thousands of MARK rules (with tc fw classifier):
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
--set-mark 0x10502
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
--set-mark 0x10503
...
Using IPMARK target we can replace all the mangle/mark rules with ONLY ONE:
iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
--and-mask=0xffff --or-mask=0x10000
and all previous tc filter classifier rules with ONLY ONE:
tc filter add dev eth3 parent 1:0 protocol ip fw
On the routers with hundreds of users there should be significant load
decrease (e.g. twice).
This option adds a `ROUTE' target, which enables you to setup unusual
routes. For example, the ROUTE lets you route a received packet through
an interface or towards a host, even if the regular destination of the
packet is the router itself. The ROUTE target is also able to change the
incoming interface of a packet.
The target can be or not a final target. It has to be used inside the
mangle table.
ROUTE target options:
--oif ifname Send the packet out using `ifname' network interface.
--iif ifname Change the packet's incoming interface to `ifname'.
--gw ip Route the packet via this gateway.
--continue Route the packet and continue traversing the rules.
--tee Route a copy of the packet, but continue traversing
the rules with the original packet, undisturbed.
Note that --iif, --continue, and --tee, are mutually exclusive.
Examples :
# To force all outgoing icmp packet to go through the eth1 interface
# (final target) :
iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1
# To tunnel outgoing http packets and continue traversing the rules :
iptables -A POSTROUTING -t mangle -p tcp --dport 80 -j ROUTE --oif tunl1 --continue
# To forward all ssh packets to gateway w.x.y.z, and continue traversing
# the rules :
iptables -A POSTROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z --continue
# To change the incoming network interface from eth0 to eth1 for all icmp
# packets (final target) :
iptables -A PREROUTING -t mangle -p icmp -i eth0 -j ROUTE --iif eth1
# To copy (duplicate) all traffic from and to a local ECHO server
# to a second box (nonfinal target)
iptables -A PREROUTING -t mangle -p tcp --dport 7 -j ROUTE --gw 1.2.3.4 --tee
iptables -A POSTROUTING -t mangle -p tcp --sport 7 -j ROUTE --gw 1.2.3.4 --tee
This option allows you to match firewall rules against condition variables stored in the /proc/net/ipt_condition directory. Multiple rules can match on a single condition variable. Example: iptables -A INPUT -p tcp -m condition --condition web_ok --dport 80 -j ACCEPT To allow this rule to match: echo 1 > /proc/net/nf_condition/web_ok To disable this rule: echo 0 > /proc/net/nf_condition/web_ok NB: it was /proc/net/ipt_condition on 2.4.
This adds an iptables match which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block). Examples: # allow 2 telnet connections per client host iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT # you can also match the other way around: iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized # network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \ --connlimit-mask 24 -j REJECT
This patch makes possible to match a packet
by its source or destination country.
GeoIP options:
[!] --src-cc, --source-country country[,country,country,...]
Match packet coming from (one of)
the specified country(ies)
[!] --dst-cc, --destination-country country[,country,country,...]
Match packet going to (one of)
the specified country(ies)
NOTE: The country is inputed by its ISO3166 code.
The only extra files you need is a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.
This option makes possible to match some P2P packets therefore helps controlling such traffic. Dropping all matches prohibits P2P networks. Combined with conntrack, CONNMARK and a packet scheduler it can be used for accounting or shaping of P2P traffic. Examples: iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
This patch allows you to implement Port Knocking and SPA (Simple Packet Authentication) in kernel space. pknock options: --knockports port[,port,port,...] Matches destination port(s). --time seconds --t seconds Time between port match. --opensecret [secret] hmac must be in the packets. --closesecret [secret] --strict Knocks sequence must be exact. --name [rule_name] Rule name. --checkip Matches if the source ip is in the list. --chkip Example: iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -m state --state NEW \ -m pknock --knockports 3000,2000,5000 --time 10 --name SSH \ -m tcp --dport 22 -j ACCEPT For more information go to http://portknocko.berlios.de/
This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).
Supported options are:
[ --timestart value ]
Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
[ --timestop value ]
Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
[ --days listofdays ]
Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
[ --datestart date ]
Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 1970)
[ --datestop date ]
Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 2037)
Example:
-A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
to Friday.
-A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
will match the packets (locally generated) that have a departure timestamp
in the range 8:00->18:00 on Monday only, until 2010
NOTE: the time match does not track changes in daylight savings time
|
