174    Chapter 13. Firewalls and iptables
INVALID
  The matching packet cannot be tied to a known connection.
NEW
  The matching packet is either creating a new connection or is part of a two-way connection not previously seen.
RELATED
  The matching packet is starting a new connection related in some way to an existing connection.
These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.
To specifically match a hardware MAC address of an Ethernet device, use the mac module, which accepts --mac-source plus a MAC address as an option. To exclude a MAC address from a rule, place an exclamation point (!) after the --mac-source match option.
To view other match options available through modules, see the iptables man page.
13.3.6. Target Options
Once a packet has matched a particular rule, the rule can direct the packet to a number of different targets that decide its fate and, possibly, take additional actions, such as logging the action. Additionally, each chain has a default target, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target.
There are only a few standard targets available to decide what happens with the packet:
user-defined chain
  The name of a previously created and defined chain within this table with rules that will be checked against this packet, in addition to any other rules in any other chains that must be checked against this packet.
ACCEPT
  Allows the packet to successfully move on to its destination or another chain.
DROP
  Drops the packet without responding to the requester. The system that sent the packet is not notified of the failure. The packet is simply removed from the rule checking the chain and discarded.
QUEUE
  The packet is queued for handling by a user-space application.
RETURN
  Stops checking the packet against rules in the current chain. If the packet with a RETURN target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off. If the RETURN rule is used on a built-in chain and the packet cannot move up to its previous chain, the default target for the current chain decides what action to take.
In addition to these standard targets, various other targets may be used with extensions called target
modules. For more information about match option modules, see Section 13.3.5.4.
There are many extended target modules, most of which only apply to specific tables or situations. A
couple of the most popular target modules included by default in Red Hat Linux are:
LOG
  Logs all packets that match this rule. Since the packets are logged by the kernel, the /etc/syslog.conf file determines where these log entries are written. By default, they are placed in the /var/log/messages file.
Various options can be used after the LOG target to specify the way in which logging occurs:
--log-level
  Sets the priority level of a logging event. A list of priority levels can be found in the syslog.conf man page.
--log-ip-options
  Any options set in the header of an IP packet are logged.
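As an added example (not code from the Red Hat Linux manual), the following POSIX shell script assembles a small INPUT ruleset from the match and target options described above: a user-defined LOGDROP chain that runs LOG (with --log-level, --log-prefix and --log-ip-options) before DROP, connection-state matching with -m state --state, a negated --mac-source match, and RETURN from a user-defined chain back to the built-in chain's default target. The interface name, the MAC address and the IPT variable (which defaults to echo so the commands are only printed, not applied) are assumptions.

```shell
#!/bin/sh
# Added example, not from the manual: a ruleset built from the match and
# target options in this section. IPT defaults to "echo" so the rules are
# printed for review; set IPT=iptables (as root) to actually apply them.
IPT="${IPT:-echo}"

# Hypothetical LAN interface and a constructed MAC address for illustration.
LAN_IF="${LAN_IF:-eth0}"
TRUSTED_MAC="${TRUSTED_MAC:-00:11:22:33:44:55}"

# Emit the rules in order; every command goes through $IPT.
build_rules() {
    # User-defined chain that logs, then drops. LOG is non-terminating,
    # so the DROP on the following line is still reached.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -j LOG --log-level warning --log-prefix "iptables-drop: " --log-ip-options
    $IPT -A LOGDROP -j DROP

    # Packets that cannot be tied to a known connection: log and discard.
    $IPT -A INPUT -m state --state INVALID -j LOGDROP

    # Replies to connections this host started, plus related traffic.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections arriving on the LAN interface go to their own chain.
    $IPT -N LAN_NEW
    $IPT -A INPUT -i "$LAN_IF" -m state --state NEW -j LAN_NEW

    # Packets not from the trusted MAC RETURN to INPUT, where the built-in
    # chain's default target (set below) decides their fate. The manual's
    # older "--mac-source ! addr" placement is still accepted by iptables
    # but is deprecated in favour of "! --mac-source addr".
    $IPT -A LAN_NEW -m mac ! --mac-source "$TRUSTED_MAC" -j RETURN
    $IPT -A LAN_NEW -p tcp --dport 22 -j ACCEPT
    $IPT -A LAN_NEW -j LOGDROP

    # Default target for the built-in chain: anything unmatched is dropped.
    $IPT -P INPUT DROP
}

build_rules
```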