Chapter 13. Firewalls and iptables    169
packets. For this reason, you must be sure to place the rule designed to catch a particular packet in the chain that will actually see the packet.
The advantage is that you now have more control over the disposition of each packet. If you are
attempting to block access to a particular website, it is now possible to block access attempts from
clients running on hosts which use your host as a gateway. An OUTPUT rule which denies access
will no longer prevent access for hosts which use your host as a gateway.
The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target, which silently dropped the packet. This target must be changed to DROP in iptables to have the same effect.
Order matters when placing options in a rule. Previously, with ipchains, it did not matter very much how you ordered the rule options. The iptables command is a bit pickier about where some options may go. For example, you must now specify the source or destination port after the protocol (ICMP, TCP, or UDP) to be used in a rule.
When specifying network interfaces to be used with a rule, you must only use incoming interfaces (-i option) with INPUT or FORWARD chains and outgoing interfaces (-o option) with FORWARD or OUTPUT chains. This is necessary because OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.
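The three constraints above (DROP instead of DENY, the port match after the protocol, and -i only in INPUT/FORWARD, -o only in FORWARD/OUTPUT) are easy to get wrong by hand. The following shell function is an added example, not part of the Red Hat guide: it assembles a single iptables command line and refuses the combinations the text rules out. It never executes iptables; the interface names and ports in the calls at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): build_rule assembles one
# iptables command line and rejects option combinations that iptables
# would not accept. It only prints the command; nothing is applied.
#
# Usage: build_rule CHAIN IFACE_OPT IFACE PROTO PORT TARGET
#   IFACE_OPT is -i or -o; PORT is "-" for protocols without ports.
build_rule() {
    chain=$1; iopt=$2; iface=$3; proto=$4; port=$5; target=$6

    # -i is only meaningful where incoming packets are seen (INPUT, FORWARD);
    # -o only where outgoing packets are seen (FORWARD, OUTPUT).
    case "$iopt" in
        -i) case "$chain" in
                INPUT|FORWARD) ;;
                *) echo "error: -i is not valid in the $chain chain" >&2; return 1 ;;
            esac ;;
        -o) case "$chain" in
                FORWARD|OUTPUT) ;;
                *) echo "error: -o is not valid in the $chain chain" >&2; return 1 ;;
            esac ;;
        *)  echo "error: interface option must be -i or -o, got '$iopt'" >&2; return 1 ;;
    esac

    # DENY was the ipchains name; the iptables equivalent is DROP.
    case "$target" in
        ACCEPT|DROP|REJECT) ;;
        DENY) echo "error: DENY is an ipchains target; use DROP" >&2; return 1 ;;
        *)    echo "error: unsupported target '$target'" >&2; return 1 ;;
    esac

    # A port match only exists for tcp and udp, and iptables requires it to
    # follow the protocol option, so the string is assembled in that order.
    portopt=""
    if [ "$port" != "-" ]; then
        case "$proto" in
            tcp|udp) portopt=" --dport $port" ;;
            *) echo "error: protocol $proto has no port to match" >&2; return 1 ;;
        esac
    fi

    echo "iptables -A $chain $iopt $iface -p $proto$portopt -j $target"
}

# Constructed demonstration values; eth0/eth1 stand in for real interfaces.
build_rule INPUT -i eth0 tcp 22 ACCEPT
build_rule FORWARD -o eth1 icmp - DROP
build_rule OUTPUT -i eth0 tcp 80 DROP || echo "rejected: -i on OUTPUT" >&2
```

Pipe the printed line into sh only after reviewing it; keeping generation and execution separate is what makes the checks useful.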
This is by no means a comprehensive list of the changes, given that iptables represents a fundamentally rewritten network filter. For more specific information, consult the Linux 2.4 Packet Filtering HOWTO and the sources found in Section 13.5.
13.3. Options Used in iptables Commands
Rules that allow packets to be filtered by the kernel are put in place by running the iptables command. When using the iptables command, you must specify the following options:

Packet Type: This dictates what type of packets the command filters.

Packet Source or Destination: This dictates what packets the command filters based on the source or destination of the packet.

Target: This dictates what action is taken on packets matching the above criteria.
The options used with a given iptables rule must be grouped logically, based on the purpose and conditions of the overall rule, in order for the rule to be valid.
13.3.1. Tables
A powerful aspect of iptables is that multiple tables can be used to decide the fate of a particular packet, depending upon the type of packet being monitored and what is to be done with the packet. Thanks to the extensible nature of iptables, specialized tables can be created and stored in the /etc/modules/<kernel-version>/kernel/net/ipv4/netfilter/ directory to meet specific goals. Think of iptables as being able to run multiple sets of ipchains rules in defined chains, with each set fulfilling a particular role.
The default table, named filter, contains the standard built-in INPUT, OUTPUT, and FORWARD chains. This is somewhat similar to the standard chains in use with ipchains. However, by default, iptables also includes two additional tables that perform specific packet filtering jobs. The nat table can be used to modify the source and destination addresses recorded in packets, and the mangle table allows you to alter packets in specialized ways.
Each table contains default chains that perform necessary tasks based on the purpose of the table, but
you can easily set up new chains in each of the tables.
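To show the three default tables and a user-defined chain side by side, here is an added example that is not from the Red Hat guide: a shell function that prints a complete rule set in the text format read by iptables-restore, one section per table. The interface names (eth0 toward the Internet, eth1 toward the LAN), the chain name lan-services and the mark value are constructed for illustration; the function only prints, and loading the output is a separate, deliberate step.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). gen_ruleset prints a rule set
# in iptables-restore format: each table starts with "*name", lists its
# chains with ":chain policy [packets:bytes]", and ends with COMMIT.
# Interfaces and the lan-services chain name are constructed values.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:lan-services - [0:0]
# Hand traffic arriving on the LAN interface to a user-defined chain.
-A INPUT -i eth1 -j lan-services
-A lan-services -p tcp --dport 22 -j ACCEPT
-A lan-services -p icmp -j ACCEPT
-A lan-services -j DROP
# FORWARD is the only chain that may carry both -i and -o.
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Address rewriting belongs in the nat table: masquerade traffic leaving eth0.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Packet alteration belongs in the mangle table: mark SSH for later handling.
-A PREROUTING -p tcp --dport 22 -j MARK --set-mark 1
COMMIT
EOF
}

# One COMMIT per table, so this returns the number of tables in the set.
table_count() {
    gen_ruleset | grep -c '^COMMIT$'
}

# User-defined chains are declared with "-" in place of a policy.
user_chains() {
    gen_ruleset | grep '^:[^ ]* - ' | cut -d' ' -f1 | cut -c2-
}

gen_ruleset
```

Review the printed set, then load it with `gen_ruleset | iptables-restore` as root; iptables-restore replaces each listed table atomically, which avoids the window where a half-applied set of individual iptables commands leaves a chain with the wrong policy.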