Iptables Tutorial 1.2.1

Oskar Andreasson


Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all sub-sections, with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 of the License.

These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License within this tutorial, under the section entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


I would like to dedicate this document to my wonderful sister for inspiring me and for giving me feedback. She is a source of joy and a ray of light when I have need of it. Thank you!

Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who make this wonderful operating system possible.

Table of Contents
About the author
How to read
Conventions used in this document
1. Introduction
1.1. Why this document was written
1.2. How it was written
1.3. Terms used in this document
2. TCP/IP repetition
2.1. TCP/IP Layers
2.2. IP characteristics
2.3. IP headers
2.4. TCP characteristics
2.5. TCP headers
2.6. UDP characteristics
2.7. UDP headers
2.8. ICMP characteristics
2.9. ICMP headers
2.9.1. ICMP Echo Request/Reply
2.9.2. ICMP Destination Unreachable
2.9.3. Source Quench
2.9.4. Redirect
2.9.5. TTL equals 0
2.9.6. Parameter problem
2.9.7. Timestamp request/reply
2.9.8. Information request/reply
2.10. TCP/IP destination driven routing
2.11. What's next?
3. IP filtering introduction
3.1. What is an IP filter
3.2. IP filtering terms and expressions
3.3. How to plan an IP filter
3.4. What's next?
4. Network Address Translation Introduction
4.1. What NAT is used for and basic terms and expressions
4.2. Caveats using NAT
4.3. Example NAT machine in theory
4.3.1. What is needed to build a NAT machine
4.3.2. Placement of NAT machines
4.3.3. How to place proxies
4.3.4. The final stage of our NAT machine
4.4. What's next?
5. Preparations
5.1. Where to get iptables
5.2. Kernel setup
5.3. User-land setup
5.3.1. Compiling the user-land applications
5.3.2. Installation on Red Hat 7.1
6. Traversing of tables and chains
6.1. General
6.2. mangle table
6.3. nat table
6.4. Filter table
7. The state machine
7.1. Introduction
7.2. The conntrack entries
7.3. User-land states
7.4. TCP connections
7.5. UDP connections
7.6. ICMP connections
7.7. Default connections
7.8. Complex protocols and connection tracking
8. Saving and restoring large rule-sets
8.1. Speed considerations
8.2. Drawbacks with restore
8.3. iptables-save
8.4. iptables-restore
9. How a rule is built
9.1. Basics of the iptables command
9.2. Tables
9.3. Commands
10. Iptables matches
10.1. Generic matches
10.2. Implicit matches
10.2.1. TCP matches
10.2.2. UDP matches
10.2.3. ICMP matches
10.3. Explicit matches
10.3.1. AH/ESP match
10.3.2. Conntrack match
10.3.3. DSCP match
10.3.4. ECN match
10.3.5. Helper match
10.3.6. IP range match
10.3.7. Length match
10.3.8. Limit match
10.3.9. MAC match
10.3.10. Mark match
10.3.11. Multiport match
10.3.12. Owner match
10.3.13. Packet type match
10.3.14. Recent match
10.3.15. State match
10.3.16. TCPMSS match
10.3.17. TOS match
10.3.18. TTL match
10.3.19. Unclean match
11. Iptables targets and jumps
11.1. ACCEPT target
11.2. CLASSIFY target
11.3. DNAT target
11.4. DROP target
11.5. DSCP target
11.6. ECN target
11.7. LOG target options
11.8. MARK target
11.9. MASQUERADE target
11.10. MIRROR target
11.11. NETMAP target
11.12. QUEUE target
11.13. REDIRECT target
11.14. REJECT target
11.15. RETURN target
11.16. SAME target
11.17. SNAT target
11.18. TCPMSS target
11.19. TOS target
11.20. TTL target
11.21. ULOG target
12. Debugging your scripts
12.1. Debugging, a necessity
12.2. Bash debugging tips
12.3. System tools used for debugging
12.4. Iptables debugging
12.5. Other debugging tools
12.5.1. Nmap
12.5.2. Nessus
12.6. What's next?
13. rc.firewall file
13.1. example rc.firewall
13.2. explanation of rc.firewall
13.2.1. Configuration options
13.2.2. Initial loading of extra modules
13.2.3. proc set up
13.2.4. Displacement of rules to different chains
13.2.5. Setting up default policies
13.2.6. Setting up user specified chains in the filter table
13.2.7. INPUT chain
13.2.8. FORWARD chain
13.2.9. OUTPUT chain
13.2.10. PREROUTING chain of the nat table
13.2.11. Starting SNAT and the POSTROUTING chain
14. Example scripts
14.1. rc.firewall.txt script structure
14.1.1. The structure
14.2. rc.firewall.txt
14.3. rc.DMZ.firewall.txt
14.4. rc.DHCP.firewall.txt
14.5. rc.UTIN.firewall.txt
14.6. rc.test-iptables.txt
14.7. rc.flush-iptables.txt
14.8. Limit-match.txt
14.9. Pid-owner.txt
14.10. Recent-match.txt
14.11. Sid-owner.txt
14.12. Ttl-inc.txt
14.13. Iptables-save ruleset
15. Graphical User Interfaces for Iptables/netfilter
15.1. fwbuilder
15.2. Turtle Firewall Project
15.3. Integrated Secure Communications System
15.4. IPMenu
15.5. Easy Firewall Generator
15.6. What's next?
16. Commercial products based on Linux, iptables and netfilter
16.1. Ingate Firewall 1200
A. Detailed explanations of special commands
A.1. Listing your active rule-set
A.2. Updating and flushing your tables
B. Common problems and questions
B.1. Problems loading modules
B.2. State NEW packets but no SYN bit set
B.3. SYN/ACK and NEW packets
B.4. Internet Service Providers who use assigned IP addresses
B.5. Letting DHCP requests through iptables
B.6. mIRC DCC problems
C. ICMP types
D. TCP options
E. Other resources and links
F. Acknowledgments
G. History
H. GNU Free Documentation License
How to use this License for your documents
I. GNU General Public License
0. Preamble
2. How to Apply These Terms to Your New Programs
J. Example scripts code-base
J.1. Example rc.firewall script
J.2. Example rc.DMZ.firewall script
J.3. Example rc.UTIN.firewall script
J.4. Example rc.DHCP.firewall script
J.5. Example rc.flush-iptables script
J.6. Example rc.test-iptables script
List of Tables
6-1. Destination local host (our own machine)
6-2. Source local host (our own machine)
6-3. Forwarded packets
7-1. User-land states
7-2. Internal states
7-3. Complex protocols support
9-1. Tables
9-2. Commands
9-3. Options
10-1. Generic matches
10-2. TCP matches
10-3. UDP matches
10-4. ICMP matches
10-5. AH match options
10-6. ESP match options
10-7. Conntrack match options
10-8. DSCP match options
10-9. ECN match options
10-10. ECN Field in IP
10-11. Helper match options
10-12. IP range match options
10-13. Length match options
10-14. Limit match options
10-15. MAC match options
10-16. Mark match options
10-17. Multiport match options
10-18. Owner match options
10-19. Packet type match options
10-20. Recent match options
10-21. State matches
10-22. TCPMSS match options
10-23. TOS matches
10-24. TTL matches
11-1. CLASSIFY target options
11-2. DNAT target
11-3. DSCP target options
11-4. ECN target options
11-5. LOG target options
11-6. MARK target options
11-7. MASQUERADE target
11-8. NETMAP target options
11-9. REDIRECT target
11-10. REJECT target
11-11. SAME target options
11-12. SNAT target options
11-13. TCPMSS target options
11-14. TOS target
11-15. TTL target
11-16. ULOG target
C-1. ICMP types
D-1. TCP Options