Running Linux, 5th Edition - Matthias Kalle Dalheimer [466]
Stateful inspection
netfilter includes a set of helper modules that can perform stateful connection inspection, such as management of FTP connections, as described earlier.
Network Address Translation
Network Address Translation (NAT), also called IP masquerading, provides a means of rewriting the IP addresses and port numbers of packets as they pass through a chain. NAT is most commonly used to allow systems on a private network to use a connection to the Internet with a single IP address. NAT is a complex subject that we don't discuss at length, but a simple example is provided later in this chapter. You can learn more about NAT in the NAT HOWTO or in TCP/IP Network Administration, Third Edition (O'Reilly).
Packet and byte accounting
netfilter provides counters that allow you to measure how much network traffic each rule handled. Several IP accounting systems are based on these statistics. These counters are visible when you use iptables to list rulesets in verbose mode; we demonstrate this in Example 26-3, later in this chapter.
Using the iptables command
The iptables command is used to make changes to the netfilter chains and rulesets. You can create new chains, delete chains, list the rules in a chain, flush chains (that is, remove all rules from a chain), and set the default action for a chain. iptables also allows you to insert, append, delete, and replace rules in a chain.
The iptables command has a large number of command-line arguments and options, but once you've used it a few times, the syntax becomes fairly obvious. In this section we only cover the most common uses of iptables, so some arguments and options are left out of the following discussion. Specifically, we don't discuss user-defined chains here. Table 26-1 summarizes the iptables arguments that operate on chains, and Table 26-2 summarizes the iptables arguments that operate on individual rules.
Table 26-1. iptables operations on chains

Argument            Description

-L chain
    List the rules in the specified chain or all chains.
-F chain
    Flush (delete) the rules from the specified chain or all chains.
-Z chain
    Zero the byte counters in the specified chain or all chains.
-P chain action
    Set the default action (policy) of the specified chain to action.
Table 26-2. iptables operations on rules

Argument            Description

-A chain rule-specification
    Append a rule to chain.
-D chain rulenum
    Delete the rule with rule number rulenum from chain.
-R chain rulenum rule-specification
    Replace rule number rulenum in chain with rule-specification.
-I chain rulenum rule-specification
    Insert a rule into chain at slot number rulenum with specification rule-specification. If no rulenum is specified, 1 is assumed.
Each filtering rule includes parameters that describe which packets match the rule. The most common rule parameters are summarized in Table 26-3. Using an exclamation point (!) before a parameter's value inverts it. For example, the parameter --dport 80 means "match destination port 80," whereas the parameter --dport ! 80 means "match any destination port except 80."
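To tie the chain operations (Table 26-1), rule operations (Table 26-2) and rule parameters together, here is an added example, not code from the book: a small script that builds an INPUT ruleset and reads back the per-rule packet counters that verbose listing prints. The subnet 192.168.1.0/24, the host 192.168.1.10, the 10.0.0.0/8 range and the sample `iptables -L INPUT -v -n` output are all constructed for the example. With DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be reviewed without root; DRY_RUN=0 executes them. The example writes the inversion as `! -s host` because newer iptables releases accept the book's `-s ! host` form but warn that it is deprecated.

```sh
#!/bin/sh
# Added example (not from the book): an INPUT-chain ruleset built from the
# iptables operations described in this section, plus two helpers that read
# the packet counters that "iptables -L INPUT -v -n" prints.
# DRY_RUN=1 (default) prints each command for review; DRY_RUN=0 runs them (root).

DRY_RUN="${DRY_RUN:-1}"
TRUSTED_NET="192.168.1.0/24"   # constructed: the LAN allowed to reach SSH
ADMIN_HOST="192.168.1.10"      # constructed: host excluded from the web rule

# ipt: print one iptables invocation, or execute it when DRY_RUN=0
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# build_rules: start from an empty chain, set the policy, then add rules.
# Order matters: the first matching rule decides, so the general
# "established connections" rule is appended before the port-specific ones.
build_rules() {
    ipt -F INPUT                                   # -F: flush existing rules
    ipt -Z INPUT                                   # -Z: zero the counters
    ipt -P INPUT DROP                              # -P: default action is DROP
    ipt -A INPUT -i lo -j ACCEPT                   # -A: append; allow loopback
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # stateful match
    ipt -A INPUT -p tcp -s "$TRUSTED_NET" --dport 22 -j ACCEPT   # -p, -s, --dport
    ipt -A INPUT -p tcp ! -s "$ADMIN_HOST" --dport 80 -j ACCEPT  # "!" inverts -s
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -I INPUT 1 -s 10.0.0.0/8 -j DROP           # -I: insert at slot 1 (constructed range)
}

# active_rules: read "iptables -L INPUT -v -n" output on stdin and print only
# the rules whose packet counter is non-zero (the accounting described above)
active_rules() {
    awk '
        /^Chain/ || /^ *pkts/ { next }              # skip chain header and column titles
        $1 != "0" && $1 ~ /^[0-9]+[KMG]?$/ { print }
    '
}

# idle_rule_count: number of rules that have never matched. Under real traffic
# a rule stuck at zero is worth a look: shadowed by an earlier rule, a typo in
# the match, or protection for a service that is no longer running.
idle_rule_count() {
    awk '
        /^Chain/ || /^ *pkts/ { next }
        $1 == "0" { n++ }
        END { print n + 0 }
    '
}

# Constructed sample of "iptables -L INPUT -v -n" output for the ruleset above
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP 17 packets, 1020 bytes)
 pkts bytes target     prot opt in     out     source               destination
  412 31204 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 2031  188K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   56  3360 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *      !192.168.1.10         0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

echo "# ruleset (DRY_RUN=$DRY_RUN):"
build_rules
echo "# rules that have matched traffic:"
printf '%s\n' "$SAMPLE_LISTING" | active_rules
echo "# rules that have never matched: $(printf '%s\n' "$SAMPLE_LISTING" | idle_rule_count)"
```

Run it as is to see the commands it would issue, then `DRY_RUN=0 sh firewall.sh` as root to apply them; afterwards `iptables -L INPUT -v -n | sh -c '. ./firewall.sh; active_rules'` is not needed, since piping the real listing into `active_rules` works the same way as the constructed sample.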
Table 26-3. iptables rule parameters

Parameter           Matches

-p [!] protocol
    The packet protocol. Valid settings are tcp, udp, icmp, or all.
-s [!] source/mask
    Source address of the packet, specified as a hostname or IP address. mask specifies an optional netmask as either a literal netmask or a number of bits. For example, /255.255.255.0 gives the literal netmask, and /24 gives the number of bits in the mask.
-d [!] source/mask
    Destination address of the packet. Uses the same syntax as the source address.
--sport [!] port
    The source port of the packet, specified as a literal port number or as a service name from /etc/services.
--dport [!] port
    The destination port of the packet. Uses the same syntax as