Chapter 13. Firewalls and iptables
man page for more information on these and other targets, including rules regarding their use.

You may also direct a packet matching this rule to a user-defined chain outside of the current chain. This allows you to apply other rules against this packet, further filtering it with more specific criteria.

If no target is specified, the packet moves past the rule with no action taken. However, the counter for this rule is still increased by one, as the packet matched the specified rule.
-o
    Sets the outgoing network interface for a particular rule, and may only be used with the OUTPUT and FORWARD chains in the filter table and the POSTROUTING chain in the nat and mangle tables. This parameter's options are the same as those of the incoming network interface parameter (-i).

-p
    Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all, to match every supported protocol. In addition, lesser-used protocols listed in /etc/protocols may also be used. If this option is omitted when creating a rule, the all option is the default.

-s
    Sets the source for a particular packet, using the same syntax as the destination (-d) parameter.
13.3.5. Match Options

Different network protocols provide specialized matching options which may be set in specific ways to match a particular packet using that protocol. Of course, the protocol must first be specified in the iptables command, such as using -p <protocol-name>, to make the options for that protocol available.
13.3.5.1. TCP Protocol

These match options are available for the TCP protocol (-p tcp):

--dport
    Sets the destination port for the packet. You can use either a network service name (such as www or smtp), a port number, or a range of port numbers to configure this option. To browse the names and aliases of network services and the port numbers they use, view the /etc/services file. You can also use --destination-port to specify this match option.

    To specify a specific range of port numbers, separate the two numbers with a colon (:), such as -p tcp --dport 3000:3200. The largest valid range is 0:65535.

    You may also use an exclamation point character (!) as a flag after the --dport option to tell iptables to match all packets which do not use that network service or port.

--sport
    Sets the source port of the packet, using the same options as --dport. You can also use --source-port to specify this match option.

--syn
    Applies to all TCP packets designed to initiate communication, commonly called SYN packets. Any packets that carry a data payload are not touched. Placing an exclamation point character (!) as a flag after the --syn option causes all non-SYN packets to be matched.

--tcp-flags
    Allows TCP packets with specific bits, or flags, set to be matched with a rule. The --tcp-flags match option accepts two parameters after it, which are flags for the various bits arranged in a comma-separated list. The first parameter is the mask, which sets the flags to be examined on the packet. The second parameter refers to the flags that must be set in the packet to make a match. The possible flags are ACK, FIN, PSH, RST, SYN, and URG. In addition, ALL and NONE can also be used to match every flag or none of them.

    For example, an iptables rule which contains -p tcp --tcp-flags ACK,FIN,SYN SYN will only match TCP packets that have the SYN flag set and the ACK and FIN flags unset.
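To make the matching semantics of this section concrete, the following is an added example (not code from the Red Hat guide or from iptables itself) that models in Python how the rule parameters -i/-o, -p and -s/-d and the TCP match options --dport/--sport, --syn and --tcp-flags accept or reject a packet, and how a chain is walked so that a rule with no target still counts a matching packet. The packet records and the chain are constructed for the demonstration; addresses are given as hosts or CIDR networks (service names such as www are not resolved), and the model treats every named target as terminating. The expansion of --syn to --tcp-flags SYN,RST,ACK,FIN SYN follows the iptables man page.

```python
import ipaddress

TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
# value-taking options from this section -> the match they set
OPTS = {"-i": "in_iface", "-o": "out_iface", "-s": "src", "-d": "dst", "-p": "proto",
        "--dport": "dport", "--destination-port": "dport", "--sport": "sport", "--source-port": "sport"}
TCP_ONLY = {"dport", "sport", "tcp_flags"}  # matches that exist only once -p tcp was given

def parse_flag_list(spec):
    """ALL, NONE, or a comma-separated subset of TCP_FLAGS, as iptables accepts."""
    flags = {"ALL": set(TCP_FLAGS), "NONE": set()}.get(spec, set(spec.split(",")))
    if flags - TCP_FLAGS:
        raise ValueError(f"unknown TCP flag(s): {sorted(flags - TCP_FLAGS)}")
    return flags

def parse_port_range(spec):
    """'80' -> (80, 80); '3000:3200' -> (3000, 3200); the largest valid range is 0:65535."""
    lo_s, _, hi_s = spec.partition(":")
    lo, hi = int(lo_s), int(hi_s or lo_s)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return lo, hi

def parse_rule(tokens):
    """iptables-style argument list -> {match: (negated, value)}; see the comments for syntax."""
    rule, i, negate = {}, 0, False
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "!":  # current syntax: ! precedes the option it negates
            negate = True
            continue
        if tok == "--syn":  # iptables documents --syn as --tcp-flags SYN,RST,ACK,FIN SYN
            key, value = "tcp_flags", ({"SYN", "RST", "ACK", "FIN"}, {"SYN"})
        elif tok == "--tcp-flags":  # two arguments: MASK then COMP
            key, value = "tcp_flags", (parse_flag_list(tokens[i]), parse_flag_list(tokens[i + 1]))
            i += 2
        elif tok in OPTS:
            if i < len(tokens) and tokens[i] == "!":  # older form the text describes: OPTION ! VALUE
                negate, i = True, i + 1
            key, value, i = OPTS[tok], tokens[i], i + 1
            if key in ("src", "dst"):  # single host or CIDR network
                value = ipaddress.ip_network(value, strict=False)
            elif key in ("dport", "sport"):
                value = parse_port_range(value)
            # -p takes icmp, tcp, udp, all, or a name from /etc/protocols; kept as a string
        else:
            raise ValueError(f"unsupported option {tok!r}")
        if key in TCP_ONLY and rule.get("proto") != (False, "tcp"):
            raise ValueError(f"{tok} requires -p tcp earlier in the rule")
        rule[key] = (negate, value)
        negate = False
    return rule

def rule_matches(rule, pkt):
    """True when every match in the rule accepts the packet; iptables ANDs them."""
    def ok(key, accepted):  # honour the ! flag recorded for this match
        return accepted != rule[key][0]
    for key, want in ((k, v[1]) for k, v in rule.items()):
        if key in ("in_iface", "out_iface") and not ok(key, pkt.get(key) == want):
            return False
        if key == "proto" and want != "all" and not ok(key, pkt["proto"] == want):
            return False
        if key in ("src", "dst") and not ok(key, ipaddress.ip_address(pkt[key]) in want):
            return False
        if key in ("dport", "sport") and not ok(key, want[0] <= pkt[key] <= want[1]):
            return False
        # MASK COMP: of the bits in MASK, exactly those in COMP must be set; bits outside MASK are ignored
        if key == "tcp_flags" and not ok(key, (set(pkt["flags"]) & want[0]) == want[1]):
            return False
    return True

def run_chain(chain, pkt, policy="ACCEPT"):
    """First rule whose matches all accept the packet decides it; a rule with no target
    still counts the packet and lets it move on (every named target terminates here)."""
    for entry in chain:
        if rule_matches(entry["rule"], pkt):
            entry["packets"] = entry.get("packets", 0) + 1
            if entry["target"] is not None:
                return entry["target"]
    return policy

# Constructed packet records for the demonstration (not captured traffic).
SYN_TO_WEB = {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10", "in_iface": "eth0", "dport": 80, "flags": {"SYN"}}
SYN_ACK = {"proto": "tcp", "src": "192.0.2.10", "dst": "203.0.113.7", "out_iface": "eth0", "dport": 51234, "flags": {"SYN", "ACK"}}
DATA_3100 = {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10", "in_iface": "eth0", "dport": 3100, "flags": {"ACK", "PSH"}}
UDP_DNS = {"proto": "udp", "src": "203.0.113.53", "dst": "192.0.2.10", "in_iface": "eth0", "dport": 53}

def example_chain():
    """A small INPUT-style chain written with the option forms from this section."""
    return [
        {"rule": parse_rule(["-i", "eth0", "-p", "tcp", "--dport", "3000:3200"]), "target": None},
        {"rule": parse_rule(["-p", "tcp", "--tcp-flags", "ACK,FIN,SYN", "SYN", "--dport", "80"]), "target": "ACCEPT"},
        {"rule": parse_rule(["-p", "tcp", "!", "--syn"]), "target": "ACCEPT"},
        {"rule": parse_rule(["-s", "203.0.113.0/24", "-p", "udp"]), "target": "DROP"},
    ]
```

Running `example_chain()` against the constructed packets shows the two points the text makes: DATA_3100 is counted by the first rule yet continues down the chain because that rule has no target, and a packet with SYN and PSH set still matches --tcp-flags ACK,FIN,SYN SYN because PSH is outside the mask, whereas --syn rejects a SYN/RST packet because RST is inside its mask.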