Targets, rules and chains examined
How rules and chains work
An iptables firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the rule's target decides what happens next. The target can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.
- ACCEPT means to let the packet get through.
- DROP means to drop the packet on the floor.
- QUEUE means to pass the packet to userspace.
- RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.
There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).
The -t option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.
The tables are as follows:
- filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
- nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
- mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
- raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).
COMMANDS: the options below specify the action to perform:
- -A, --append chain rule-specification: Append one or more rules to the end of the selected chain. If the source and/or destination names resolve to more than one address, a rule will be added for each possible address.
- -D, --delete chain rule-specification: Delete one or more rules from the selected chain.
- -I, --insert chain [rulenum] rule-specification: Insert one or more rules in the selected chain as the given rule number. If the rule number is 1 (the default), the rule or rules are inserted at the head of the chain.
- -R, --replace chain rulenum rule-specification: Replace a rule in the selected chain.
- -L, --list [chain]: List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default).
- -F, --flush [chain]: Flush the selected chain, i.e. delete all the rules in it (if no chain is specified, every chain in the table is flushed).
- -Z, --zero [chain]: Zero the packet and byte counters in all chains.
- -N, --new-chain chain: Create a new user-defined chain with the given name. There must be no target of that name already.
- -X, --delete-chain [chain]: Delete the specified user-defined chain. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted.
- -P, --policy chain target: Set the policy for the chain to the given target.
- -E, --rename-chain old-chain new-chain: Rename the user-specified chain.
- -h: Help; describes the command syntax.
The following parameters make up a rule specification (as used by the add, delete, insert, replace and append commands):
- -p, --protocol [!] protocol: Specify the protocol of the rule or of the packet to check, as one of tcp, udp, icmp, or all. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match all protocols and is taken as the default when this option is omitted.
- -s, --source [!] address[/mask]: Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. A "!" argument before the address specification inverts the sense of the address.
- -d, --destination [!] address[/mask]: Destination specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. A "!" argument before the address specification inverts the sense of the address.
- -j, --jump target: Specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain or one of the special built-in targets which decide the fate of the packet immediately.
- -g, --goto chain: Specifies that processing should continue in a user-specified chain. Unlike the --jump option, RETURN will not continue processing in this chain but instead in the chain that called us via --jump.
- -i, --in-interface [!] name: Name of an interface via which a packet was received. When the "!" argument is used before the interface name, the sense is inverted.
- -o, --out-interface [!] name: Name of an interface via which a packet is going to be sent.
- [!] -f, --fragment: The rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the rule will only match head fragments or unfragmented packets.
- -c, --set-counters PKTS BYTES: Allows the administrator to initialize the packet and byte counters of a rule.
- -v, --verbose: Verbose output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
- -n, --numeric: Numeric output. IP addresses and port numbers will be printed in numeric format.
- -x, --exact: Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.
- --line-numbers: When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.
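The traversal rules above (next rule on no match, ACCEPT/DROP decide immediately, RETURN and user-defined chains, the chain policy when a built-in chain runs out) and the -P/-N/-A/-I commands with -p/-s/-i criteria can be modelled in a few lines. The following is an added example written for this page, not code from iptables or netfilter; the chain name MGMT, the addresses and the interface names are constructed, and QUEUE is left out because it needs a userspace consumer.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN"}  # QUEUE omitted: it needs a userspace consumer
Packet = namedtuple("Packet", "proto src iface")  # protocol, source address, input interface
@dataclass
class Rule:
    target: str                      # -j: ACCEPT, DROP, RETURN or a user-defined chain
    proto: "str | None" = None       # -p (None or "all" matches any protocol)
    src: "str | None" = None         # -s address[/mask]; a bare address means /32
    iface: "str | None" = None       # -i name
    invert: frozenset = frozenset()  # criteria written with a leading '!', e.g. {"src"}
    def matches(self, p: Packet) -> bool:
        tests = {"proto": (self.proto, lambda: self.proto in ("all", p.proto)),
                 "src": (self.src, lambda: ipaddress.ip_address(p.src)
                         in ipaddress.ip_network(self.src, strict=False)),
                 "iface": (self.iface, lambda: self.iface == p.iface)}
        # every criterion that was given must hold; '!' flips the sense of that criterion
        return all(test() != (name in self.invert)
                   for name, (spec, test) in tests.items() if spec is not None)
class FilterTable:  # the default 'filter' table: built-in chains with policies, plus -N/-A/-I
    def __init__(self):
        self.chains = {c: [] for c in ("INPUT", "FORWARD", "OUTPUT")}
        self.policy = {c: "ACCEPT" for c in self.chains}   # -P applies to built-in chains only
    def new_chain(self, name):  # -N: there must be no target of that name already
        if name in self.chains or name in BUILTIN_TARGETS: raise ValueError(f"target {name} exists")
        self.chains[name] = []
    def append(self, chain, rule): self.chains[chain].append(rule)                          # -A
    def insert(self, chain, rule, rulenum=1): self.chains[chain].insert(rulenum - 1, rule)  # -I
    def _traverse(self, chain, p):  # None: chain ran out or hit RETURN, so resume in the caller
        for rule in self.chains[chain]:
            if not rule.matches(p): continue                   # no match: examine the next rule
            if rule.target == "RETURN": return None
            if rule.target in BUILTIN_TARGETS: return rule.target
            sub = self._traverse(rule.target, p)               # jump into a user-defined chain
            if sub is not None: return sub
        return None
    def verdict(self, chain, p):  # a built-in chain that runs out applies its policy
        return self._traverse(chain, p) or self.policy[chain]

def build_example():  # constructed ruleset; each comment gives the equivalent iptables command
    t = FilterTable()
    t.policy["INPUT"] = "DROP"                                         # -P INPUT DROP
    t.new_chain("MGMT")                                                # -N MGMT
    t.append("MGMT", Rule("RETURN", src="10.0.0.0/24", invert=frozenset({"src"})))  # -A MGMT ! -s 10.0.0.0/24 -j RETURN
    t.append("MGMT", Rule("ACCEPT"))                                   # -A MGMT -j ACCEPT
    t.append("INPUT", Rule("MGMT", proto="tcp", iface="eth0"))         # -A INPUT -p tcp -i eth0 -j MGMT
    t.insert("INPUT", Rule("DROP", src="10.0.0.66"), 1)                # -I INPUT 1 -s 10.0.0.66 -j DROP
    return t
```

The inserted DROP sits at rule 1, so it wins for 10.0.0.66 even though MGMT would otherwise ACCEPT that address; a host outside 10.0.0.0/24 hits the inverted RETURN, falls back into INPUT, runs out of rules and gets the DROP policy.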
Match parameters
The following are included in the base package, and most of them can be preceded by a ! to invert the sense of the match.
- --aaddr network/netmask: Defines the network/netmask for which statistics are kept.
- --aname name: Defines the name of the list where statistics will be kept. If no aname is specified, DEFAULT will be used.
- --ashort: Collect only short statistics.
- --src-type type: Matches if the source address is of the given type.
- --dst-type type: Matches if the destination address is of the given type.
- --ctproto proto: Protocol to match (either a number or a name).
- --ctorigsrc [!] address[/mask]: Match the original source address, with an optional mask.
- --ctorigdst [!] address[/mask]: Match the original destination address, with an optional mask.
- --source-port,--sport [!] port[:port]: Match the DCCP source port (or port range).
- --destination-port,--dport [!] port[:port]: Match the DCCP destination port (or port range), as above.
- --dccp-types [!] mask: Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated list of packet types. Packet types are: REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID.
- --dccp-option [!] number: Match if the specified DCCP option is set.
- [--dstlimit-burst burst]: Number of packets to match in a burst. Default: 5.
- [!] --src-range ip-ip: Match if the source IP address is in the specified range.
- [!] --dst-range ip-ip: Match if the destination IP address is in the specified range.
- --source-ports port[,port[,port...]]: Match if the source port is one of the given ports.
- --destination-ports port[,port[,port...]]: Match if the destination port is one of the given ports.
- --ports port[,port[,port...]]: Match if both the source and destination ports are equal to each other and to one of the given ports.
- --source-ports [!] port[,port[,port:port...]]: Match if the source port is one of the given ports.
- --destination-ports [!] port[,port[,port:port...]]: Match if the destination port is one of the given ports.
- --ports [!] port[,port[,port:port...]]: Match if either the source or destination port is equal to one of the given ports.