174


Chapter 13. Firewalls and


iptables


INVALID


  The matching packet cannot be tied to a known connection.


NEW


  The matching packet is either creating a new connection or is part of a two way connection


not previously seen.


RELATED


  The matching packet is starting a new connection related in some way to an existing


connection.


These connection states can be used in combination with one another by separating them with com 


mas, such as


 m state   state INVALID,NEW


.


To specifically match a hardware MAC address of an Ethernet device, use the


mac


module, which


accepts


  mac source


plus a MAC address as an option. To exclude a MAC address from a rule,


place an exclamation point (


!


) after the


  mac source


match option.


To view other match options available through modules, see the


iptables


man page.


13.3.6. Target Options


Once a packet has matched a particular rule, the rule can direct the packet to a number of different


targets that decide its fate and, possibly, take additional actions, such as logging the action. Addition 


ally, each chain has a default target, which is used if none of the rules on that chain match a packet or


if none of the rules which match the packet specify a target.


There are only a few standard targets available to decide what happens with the packet:


user defined chain


  The name of a previously created and defined chain within this


p


q


table with rules that will be checked against this packet, in addition to any other rules in any other


chains that must be checked against this packet.


  ACCEPT


  Allows the packet to successfully move on to its destination or another chain.


  DROP


  Drops the packet without responding to the requester. The system that sent the packet


is not notified of the failure. The packet is simply removed from the rule checking the chain and


discarded.


  QUEUE


  The packet is queued for handling by a user space application.


  RETURN


  Stops checking the packet against rules in the current chain. If the packet with a


RETURN


target matches a rule in a chain called from another chain, the packet is returned to the first chain to


resume rule checking where it left off. If the


RETURN


rule is used on a built in chain and the packet


cannot move up to its previous chain, the default target for the current chain decides what action to


take.


In addition to these standard targets, various other targets may be used with extensions called target


modules. For more information about match option modules, see Section 13.3.5.4.


There are many extended target modules, most of which only apply to specific tables or situations. A


couple of the most popular target modules included by default in Red Hat Linux are:


  LOG


Logs all packets that match this rule. Since the packets are logged by the kernel, the


/etc/syslog.conf


file determines where these log entries are written. By default, they are


placed in the


/var/log/messages


file.


Various options can be used after the


LOG


target to specify the way in which logging occurs:


  log level


  Sets the priority level a of logging event. A list of priority levels can be found


in the


syslog.conf


man page.


  log ip options


  Any options set in the header of a IP packet is logged.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved