Chapter 13. Firewalls and iptables
INVALID
    The matching packet cannot be tied to a known connection.
NEW
    The matching packet is either creating a new connection or is part of a two-way connection not previously seen.
RELATED
    The matching packet is starting a new connection related in some way to an existing connection.
These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.
To specifically match a hardware MAC address of an Ethernet device, use the mac module, which accepts --mac-source plus a MAC address as an option. To exclude a MAC address from a rule, place an exclamation point (!) after the --mac-source match option.
To view other match options available through modules, see the iptables man page.
13.3.6. Target Options
Once a packet has matched a particular rule, the rule can direct the packet to a number of different targets that decide its fate and, possibly, take additional actions, such as logging the action. Additionally, each chain has a default target, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target.
There are only a few standard targets available to decide what happens with the packet:
<user-defined-chain>
    The name of a previously created and defined chain within this table with rules that will be checked against this packet, in addition to any other rules in any other chains that must be checked against this packet.
ACCEPT
    Allows the packet to successfully move on to its destination or another chain.
DROP
    Drops the packet without responding to the requester. The system that sent the packet is not notified of the failure. The packet is simply removed from the rule checking of the chain and discarded.
QUEUE
    The packet is queued for handling by a user-space application.
RETURN
    Stops checking the packet against rules in the current chain. If the packet with a RETURN target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off. If the RETURN rule is used on a built-in chain and the packet cannot move up to its previous chain, the default target for the current chain decides what action to take.
In addition to these standard targets, various other targets may be used with extensions called target
modules. For more information about match option modules, see Section 13.3.5.4.
There are many extended target modules, most of which only apply to specific tables or situations. A
couple of the most popular target modules included by default in Red Hat Linux are:
LOG
    Logs all packets that match this rule. Since the packets are logged by the kernel, the /etc/syslog.conf file determines where these log entries are written. By default, they are placed in the /var/log/messages file.
    Various options can be used after the LOG target to specify the way in which logging occurs:
    --log-level
        Sets the priority level of a logging event. A list of priority levels can be found in the syslog.conf man page.
    --log-ip-options
        Any options set in the header of an IP packet are logged.