Iptables Tutorial 1.2.2
Добавить в закладки К обложке
- Dedications - Страница 2
- About the author - Страница 3
- How to read - Страница 4
- Prerequisites - Страница 5
- Conventions used in this document - Страница 6
- Chapter 1. Introduction - Страница 7
- How it was written - Страница 8
- Terms used in this document - Страница 9
- What's next? - Страница 10
- Chapter 2. TCP/IP repetition - Страница 11
- TCP/IP Layers - Страница 12
- IP characteristics - Страница 14
- IP headers - Страница 16
- TCP characteristics - Страница 19
- TCP headers - Страница 20
- UDP characteristics - Страница 22
- UDP headers - Страница 23
- ICMP characteristics - Страница 24
- ICMP headers - Страница 25
- ICMP Echo Request/Reply - Страница 26
- ICMP Destination Unreachable - Страница 27
- Source Quench - Страница 28
- Redirect - Страница 29
- TTL equals 0 - Страница 30
- Parameter problem - Страница 31
- Timestamp request/reply - Страница 32
- Information request/reply - Страница 33
- SCTP Characteristics - Страница 34
- Initialization and association - Страница 35
- Data sending and control session - Страница 36
- Shutdown and abort - Страница 37
- SCTP Headers - Страница 38
- SCTP Generic header format - Страница 39
- SCTP Common and generic headers - Страница 40
- SCTP ABORT chunk - Страница 42
- SCTP COOKIE ACK chunk - Страница 43
- SCTP COOKIE ECHO chunk - Страница 44
- SCTP DATA chunk - Страница 45
- SCTP ERROR chunk - Страница 46
- SCTP HEARTBEAT chunk - Страница 47
- SCTP HEARTBEAT ACK chunk - Страница 48
- SCTP INIT chunk - Страница 49
- SCTP INIT ACK chunk - Страница 51
- SCTP SACK chunk - Страница 52
- SCTP SHUTDOWN chunk - Страница 53
- SCTP SHUTDOWN ACK chunk - Страница 54
- SCTP SHUTDOWN COMPLETE chunk - Страница 55
- TCP/IP destination driven routing - Страница 56
- What's next? - Страница 57
- Chapter 3. IP filtering introduction - Страница 58
- What is an IP filter - Страница 59
- IP filtering terms and expressions - Страница 61
- How to plan an IP filter - Страница 63
- What's next? - Страница 65
- Chapter 4. Network Address Translation Introduction - Страница 66
- What NAT is used for and basic terms and expressions - Страница 67
- Caveats using NAT - Страница 68
- Example NAT machine in theory - Страница 69
- What is needed to build a NAT machine - Страница 70
- Placement of NAT machines - Страница 71
- How to place proxies - Страница 72
- The final stage of our NAT machine - Страница 73
- What's next? - Страница 74
- Chapter 5. Preparations - Страница 75
- Where to get iptables - Страница 76
- Kernel setup - Страница 77
- User-land setup - Страница 80
- Compiling the user-land applications - Страница 81
- Installation on Red Hat 7.1 - Страница 82
- What's next? - Страница 84
- Chapter 6. Traversing of tables and chains - Страница 85
- General - Страница 86
- Mangle table - Страница 89
- Nat table - Страница 90
- Raw table - Страница 91
- Filter table - Страница 92
- User specified chains - Страница 93
- What's next? - Страница 94
- Chapter 7. The state machine - Страница 95
- Introduction - Страница 96
- The conntrack entries - Страница 97
- User-land states - Страница 99
- TCP connections - Страница 100
- UDP connections - Страница 102
- ICMP connections - Страница 103
- Default connections - Страница 105
- Untracked connections and the raw table - Страница 106
- Complex protocols and connection tracking - Страница 107
- What's next? - Страница 109
- Chapter 8. Saving and restoring large rule-sets - Страница 110
- Speed considerations - Страница 111
- Drawbacks with restore - Страница 112
- iptables-save - Страница 113
- iptables-restore - Страница 115
- What's next? - Страница 116
- Chapter 9. How a rule is built - Страница 117
- Basics of the iptables command - Страница 118
- Tables - Страница 119
- Commands - Страница 120
- What's next? - Страница 122
- Chapter 10. Iptables matches - Страница 123
- Generic matches - Страница 124
- Implicit matches - Страница 125
- TCP matches - Страница 126
- UDP matches - Страница 127
- ICMP matches - Страница 128
- SCTP matches - Страница 129
- Explicit matches - Страница 131
- Addrtype match - Страница 132
- AH/ESP match - Страница 133
- Comment match - Страница 134
- Connmark match - Страница 135
- Conntrack match - Страница 136
- Dscp match - Страница 137
- Ecn match - Страница 138
- Hashlimit match - Страница 139
- Helper match - Страница 140
- IP range match - Страница 141
- Length match - Страница 142
- Limit match - Страница 143
- Mac match - Страница 144
- Mark match - Страница 145
- Multiport match - Страница 146
- Owner match - Страница 147
- Packet type match - Страница 148
- Realm match - Страница 149
- Recent match - Страница 150
- State match - Страница 152
- Tcpmss match - Страница 153
- Tos match - Страница 154
- Ttl match - Страница 155
- Unclean match - Страница 156
- What's next? - Страница 157
- Chapter 11. Iptables targets and jumps - Страница 158
- ACCEPT target - Страница 159
- CLASSIFY target - Страница 160
- CLUSTERIP target - Страница 161
- CONNMARK target - Страница 163
- CONNSECMARK target - Страница 164
- DNAT target - Страница 165
- DROP target - Страница 168
- DSCP target - Страница 169
- ECN target - Страница 170
- LOG target options - Страница 171
- MARK target - Страница 172
- MASQUERADE target - Страница 173
- MIRROR target - Страница 174
- NETMAP target - Страница 175
- NFQUEUE target - Страница 176
- NOTRACK target - Страница 177
- QUEUE target - Страница 178
- REDIRECT target - Страница 179
- REJECT target - Страница 180
- RETURN target - Страница 181
- SAME target - Страница 182
- SECMARK target - Страница 183
- SNAT target - Страница 184
- TCPMSS target - Страница 185
- TOS target - Страница 186
- TTL target - Страница 187
- ULOG target - Страница 188
- What's next? - Страница 189
- Chapter 12. Debugging your scripts - Страница 190
- Debugging, a necessity - Страница 191
- Bash debugging tips - Страница 192
- System tools used for debugging - Страница 194
- Iptables debugging - Страница 195
- Other debugging tools - Страница 196
- Nmap - Страница 197
- Nessus - Страница 198
- What's next? - Страница 199
- Chapter 13. rc.firewall file - Страница 200
- example rc.firewall - Страница 201
- explanation of rc.firewall - Страница 202
- Initial loading of extra modules - Страница 203
- proc set up - Страница 205
- Displacement of rules to different chains - Страница 206
- Setting up default policies - Страница 208
- Setting up user specified chains in the filter table - Страница 209
- INPUT chain - Страница 212
- FORWARD chain - Страница 214
- OUTPUT chain - Страница 215
- PREROUTING chain of the nat table - Страница 216
- Starting SNAT and the POSTROUTING chain - Страница 217
- What's next? - Страница 218
- Chapter 14. Example scripts - Страница 219
- rc.firewall.txt script structure - Страница 220
- The structure - Страница 221
- rc.firewall.txt - Страница 224
- rc.DMZ.firewall.txt - Страница 225
- rc.DHCP.firewall.txt - Страница 226
- rc.UTIN.firewall.txt - Страница 228
- rc.test-iptables.txt - Страница 229
- rc.flush-iptables.txt - Страница 230
- Limit-match.txt - Страница 231
- Pid-owner.txt - Страница 232
- Recent-match.txt - Страница 233
- Sid-owner.txt - Страница 234
- Ttl-inc.txt - Страница 235
- Iptables-save ruleset - Страница 236
- What's next? - Страница 237
- Chapter 15. Graphical User Interfaces for Iptables/netfilter - Страница 238
- fwbuilder - Страница 239
- Turtle Firewall Project - Страница 240
- Integrated Secure Communications System - Страница 241
- IPMenu - Страница 242
- Easy Firewall Generator - Страница 243
- What's next? - Страница 244
- Chapter 16. Commercial products based on Linux, iptables and netfilter - Страница 245
- Ingate Firewall 1200 - Страница 246
- What's next? - Страница 247
- Appendix A. Detailed explanations of special commands - Страница 248
- Listing your active rule-set - Страница 249
- Updating and flushing your tables - Страница 250
- Appendix B. Common problems and questions - Страница 251
- Problems loading modules - Страница 252
- State NEW packets but no SYN bit set - Страница 253
- SYN/ACK and NEW packets - Страница 254
- Internet Service Providers who use assigned IP addresses - Страница 255
- Letting DHCP requests through iptables - Страница 256
- mIRC DCC problems - Страница 257
- Appendix C. ICMP types - Страница 258
- Appendix D. TCP options - Страница 259
- Appendix E. Other resources and links - Страница 260
- Appendix F. Acknowledgments - Страница 264
- Appendix G. History - Страница 265
- Appendix H. GNU Free Documentation License - Страница 267
- 0. PREAMBLE - Страница 268
- 1. APPLICABILITY AND DEFINITIONS - Страница 269
- 2. VERBATIM COPYING - Страница 270
- 3. COPYING IN QUANTITY - Страница 271
- 4. MODIFICATIONS - Страница 272
- 5. COMBINING DOCUMENTS - Страница 274
- 6. COLLECTIONS OF DOCUMENTS - Страница 275
- 7. AGGREGATION WITH INDEPENDENT WORKS - Страница 276
- 8. TRANSLATION - Страница 277
- 9. TERMINATION - Страница 278
- 10. FUTURE REVISIONS OF THIS LICENSE - Страница 279
- How to use this License for your documents - Страница 280
- Appendix I. GNU General Public License - Страница 281
- 0. Preamble - Страница 282
- 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - Страница 283
- 2. How to Apply These Terms to Your New Programs - Страница 286
- Appendix J. Example scripts code-base - Страница 287
- Example rc.firewall script - Страница 288
- Example rc.DMZ.firewall script - Страница 291
- Example rc.UTIN.firewall script - Страница 294
- Example rc.DHCP.firewall script - Страница 297
- Example rc.flush-iptables script - Страница 300
- Example rc.test-iptables script - Страница 301
- Index - Страница 302
- A - Страница 306
- B - Страница 307
- C - Страница 308
- D - Страница 312
- E - Страница 315
- F - Страница 318
- G - Страница 319
- H - Страница 320
- I - Страница 321
- J - Страница 325
- K - Страница 326
- L - Страница 327
- M - Страница 328
- N - Страница 331
- O - Страница 332
- P - Страница 333
- Q - Страница 335
- R - Страница 336
- S - Страница 339
- T - Страница 347
- U - Страница 352
- V - Страница 354
- W - Страница 355
- X - Страница 356
iptables-save
The iptables-save command is, as we have already explained, a tool to save the current rule-set into a file that iptables-restore can use. This command is quite simple really, and takes only two arguments. Take a look at the following example to understand the syntax of the command.
iptables-save [-c] [-t table]
The -c argument tells iptables-save to keep the values specified in the byte and packet counters. This could for example be useful if we would like to reboot our main firewall, but not lose byte and packet counters which we may use for statistical purposes. Issuing a iptables-save command with the -c argument would then make it possible for us to reboot without breaking our statistical and accounting routines. The default value is, of course, to not keep the counters intact when issuing this command.
The -t argument tells the iptables-save command which tables to save. Without this argument the command will automatically save all tables available into the file. The following is an example on what output you can expect from the iptables-save command if you do not have any rule-set loaded.
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
*filter
:INPUT ACCEPT [404:19766]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [530:43376]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
*mangle
:PREROUTING ACCEPT [451:22060]
:INPUT ACCEPT [451:22060]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [594:47151]
:POSTROUTING ACCEPT [594:47151]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [3:450]
:OUTPUT ACCEPT [3:450]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002
This contains a few comments starting with a # sign. Each table is marked like *<table-name>, for example *mangle. Then within each table we have the chain specifications and rules. A chain specification looks like :<chain-name> <chain-policy> [<packet-counter>:<byte-counter>]. The chain-name may be for example PREROUTING, the policy is described previously and can, for example, be ACCEPT. Finally the packet-counter and byte-counters are the same counters as in the output from iptables -L -v. Finally, each table declaration ends in a COMMIT keyword. The COMMIT keyword tells us that at this point we should commit all rules currently in the pipeline to kernel.
The above example is pretty basic, and hence I believe it is nothing more than proper to show a brief example which contains a very small Iptables-save ruleset. If we would run iptables-save on this, it would look something like this in the output:
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*filter
:INPUT DROP [1:229]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*mangle
:PREROUTING ACCEPT [658:32445]
:INPUT ACCEPT [658:32445]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [891:68234]
:POSTROUTING ACCEPT [891:68234]
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:450]
:OUTPUT ACCEPT [3:450]
-A POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
As you can see, each command has now been prefixed with the byte and packet counters since we used the -c argument. Except for this, the command-line is quite intact from the script. The only problem now, is how to save the output to a file. Quite simple, and you should already know how to do this if you have used linux at all before. It is only a matter of piping the command output on to the file that you would like to save it as. This could look like the following:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356