netfilter/iptables FAQ
Harald Welte
Version $Revision: 529 $, $Date: 2002-07-26 22:19:42 +0200 (vie, 26 jul 2002) $

netfilter FAQ.
______________________________________________________________________

1.

1.1. netfilter/iptables ?

   Netfilter / iptables, 2.4.x. 'iptables', netfilter.

1.2. 2.2 netfilter ?

   netfilter.

1.3. ICQ conntrack/NAT helper module ?

   2.2: icq, ip_masq_icq. ICQ, netfilter. Rusty, (free), (free), netfilter.
   ICQ (free). (freedom, free)

1.4. ip_masq_vdolive / ip_masq_quake / ... ?

   netfilter. netfilter: UDP full connection tracking.

1.5. patch-o-matic ?

   2.4.x. patch-o-matic. patch-o-matic, iptables (CVS), netfilter.
   patch-o-matic:

       make patch-o-matic                               (/usr/src/linux)
       make KERNEL_DIR={your-kernel-dir} patch-o-matic

   patch-o-matic, iptables.

1.6. ipnatctl ?

   ipnatctl: netfilter 2.3.x, NAT. ipnatctl, iptables. netfilter NAT HOWTO.

2.

2.1. >= 2.4.0-test4 iptables-1.1.1

   "make", "make build". iptables-1.1.2.

2.2. (>=2.3.99-pre8) iptables 1.1.0

   iptables. iptables >= 1.1.1.

2.3. iptables-1.2.1a patch-o-matic kernel >= 2.4.4

   iptables-1.2.2 release, netfilter CVS.

2.4. ipt_BALANCE, ip_nat_ftp, ip_nat_irc, ipt_SAME, ipt_NETMAP

   ip_nat_setup_info. iptables <= 1.2.2: `dropped-table', `ftp-fixes'.
   iptables > 1.2.2 (CVS): 'dropped-table' BALANCE, NETMAP, irc-nat, SAME,
   talk-nat.

2.5. Alan Cox 2.4.x-acXX

   netfilter, -ac.

3.

3.1. NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> 224.bbb.bbb.bbb

   NAT, NAT. connection tracking.

       iptables -t mangle -I PREROUTING -j DROP -d 224.0.0.0/8

3.2. NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> bbb.bbb.bbb.bbb

   syslog:

       NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> bbb.bbb.bbb.bbb

   NAT, NAT, connection tracking. connection tracking, conntrack:

   o conntrack
   o tuple (multicast, broadcast)
   o kmem_cache_alloc ( )
   o icmp
   o icmp
   o icmp ( )

       iptables -t mangle -A PREROUTING -j LOG -m state --state INVALID

   NAT, mangle.

3.3. netfilter

   transparent ? 2.4.16.

3.4. IRC DCC RESUME

   NAT. NAT.

3.5. SNAT ?

   netfilter. freshly-rebooted, SNAT, 1234, netfilter ip. source SNAT IP,
   netfilter IP. But if there are more than one available, it again only
   has to mangle the IP part. 2 ip.

3.6. ip_conntrack: maximum limit of XXX entries exceeded

   syslog, conntrack. connection tracking (64MB: 4096, 128MB: 8192, ...).
   tracking: 350, non-swappable. 8192:

       echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

3.7. 2.2.x 'ipchains -L -M' tracking/ ?

   proc: /proc/net/ip_conntrack.

       cat /proc/net/ip_conntrack

3.8. IP ?

   IP.

       cat /proc/net/ip_tables_names

3.9. iptable-1.2 iptables-save / iptables-restore

   cvs, iptables >= 1.2.1.

3.10. iptables -L

   iptables, ip, DNS lookup. 2 DNS lookup. ip (10.x.x.x, 192.168.x.x), DNS.
   DNS lookup: -n (numeric).

3.11. ?

   syslogd. LOG target: warning(4). syslogd.conf. debug(7). 7, 4, LOG.

3.12. squid iptables transparent ?

   DNAT, REDIRECT. squid, NAT, REDIRECT.

       iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.22.33:3128

   squid. squid 2.3, squid.conf:

       http_port 3128
       httpd_accel_host virtual
       httpd_accel_port 80
       httpd_accel_with_proxy on
       httpd_accel_uses_host_header on

   squid 2.4:

       httpd_accel_single_host off

3.13. LOG target ? / LOG DROP ?

   LOG target: "non-terminating target" (traverse). LOG target. 2:

       iptables -N logdrop
       iptables -A logdrop -j LOG
       iptables -A logdrop -j DROP

   "-j logdrop". "-j logdrop".

3.14. Out of window data xxx

   patch-o-matic tcp-window-tracking. seq/ack, TCP. (out of the window)
   INVALID. fail:

   o ACK is under the lower bound (ACK)
   o ACK is over the upper bound (ack)
   o SEQ is under the lower bound (retransmitted already ACKed data)
   o SEQ is over the upper bound (window)

   sysctl:

       echo 0 > /proc/sys/net/ipv4/netfilter/ip_ct_tcp_log_out_of_window

4. netfilter

4.1. QUEUE target

   libipq. man. iptables:

       make install-devel
       man 3 libipq

   libipq. perlipq.

   o netfilter CVS: testsuite/tools/intercept.c
   o ipqmpd ( )
   o nfqtest (see )
   o Jerome Etienne, WAN ( )

4.2. ?

   netfilter TODO. CVS.

4.3. / ?

   netfilter-devel.

   o [PATCH]
   o (MIME)
   o diff, cvs-checkin/Changelog
   o `diff -u old new'

   netfilter-extension-HOWTO.