iptables.md

iptables

NOTE: Iptables produces output that must be passed, line by line, to the 'iptables'/'ip6tables' command line. Because each line is executed as a separate command, the filter is not applied atomically. For 'iptables-restore' compatible (atomic) output, please use the Speedway generator.

The Iptables header designation has the following format:

target:: iptables [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}
  • INPUT: apply the terms to the input filter.
  • OUTPUT: apply the terms to the output filter.
  • FORWARD: apply the terms to the forwarding filter.
  • custom: create the terms under a custom filter name, which must then be linked/jumped to from one of the default filters (e.g. iptables -A INPUT -j custom); chain names are case-sensitive.
  • ACCEPT: specifies that the default policy on the filter should be 'accept'.
  • DROP: specifies that the default policy on the filter should be 'drop'.
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies that the resulting filter should only render IPv6 addresses.
  • truncatenames: specifies to abbreviate term names if necessary (see lib/iptables.py:CheckTermLength for the abbreviation table).
  • nostate: specifies to produce 'stateless' filter output (i.e. no connection tracking).

Term Format

  • action:: The action to take when matched. See Actions section for valid options.
  • comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • counter:: Update a counter for matching packets
  • destination-address:: One or more destination address tokens
  • destination-exclude:: Exclude one or more address tokens from the specified destination-address
  • destination-interface:: Specify specific interface a term should apply to (e.g. destination-interface:: eth3)
  • destination-port:: One or more service definition tokens
  • destination-prefix:: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only)
  • expiration:: stop rendering this term after specified date. YYYY-MM-DD
  • fragment-offset:: specify a fragment offset of a fragmented packet
  • icmp-code:: Specifies the ICMP code to filter on.
  • icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
  • logging:: Specify that this packet should be logged via syslog.
  • name:: Name of the term.
  • option:: See platforms supported Options section.
  • owner:: Owner of the term, used for organizational purposes.
  • packet-length:: specify packet length.
  • platform:: one or more target platforms for which this term should ONLY be rendered.
  • platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
  • protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • routing-instance:: specify routing instance for matching packets.
  • source-address:: one or more source address tokens.
  • source-exclude:: exclude one or more address tokens from the specified source-address.
  • source-interface:: specify specific interface a term should apply to (e.g. source-interface:: eth3).
  • source-port:: one or more service definition tokens.
  • source-prefix:: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.
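The header grammar above and the term keywords in this list, checked in code. This is an added example written for this page, not Capirca's own parser: it accepts the tokens after the chain name in any order, assumes no '}' appears inside a term body, leaves the default policy as None when the header does not name one rather than assuming one, and does not resolve definition tokens (SSH and DNS in the constructed sample policy are placeholders). It also derives three rendering decisions the list describes: an expired term is dropped, platform/platform-exclude filtering is applied, and the 'established' option supplies the 1024-65535 UDP destination-port fallback when no destination-port is given.

```python
"""Check a Capirca-style iptables policy against the header and term grammar on this page.
Added example, not Capirca's own parser; SSH and DNS below stand in for service definition tokens."""
from __future__ import annotations
import datetime
import re
from collections import namedtuple
from dataclasses import dataclass

CHAINS, POLICIES = {"INPUT", "OUTPUT", "FORWARD"}, {"ACCEPT", "DROP"}
FLAGS, FAMILIES = {"truncatenames", "nostate"}, {"inet", "inet6"}
ACTIONS = {"accept", "deny", "next", "reject", "reject-with-tcp-rst"}
TERM_KEYS = set("""action comment counter destination-address destination-exclude
    destination-interface destination-port destination-prefix expiration fragment-offset
    icmp-code icmp-type logging name option owner packet-length platform platform-exclude
    protocol routing-instance source-address source-exclude source-interface source-port
    source-prefix verbatim""".split())  # every term keyword listed in this document
TERM_RE = re.compile(r"\bterm\s+([\w-]+)\s*\{(.*?)\}", re.S)  # assumes no '}' inside a term body
KV_RE = re.compile(r'([\w-]+)::[ \t]*("[^"]*"|[^\n]*)')        # a quoted value may span lines


@dataclass
class Header:
    chain: str             # INPUT/OUTPUT/FORWARD, or a custom chain a default chain must -j to
    policy: str | None     # None when the header names no default policy
    family: str | None     # 'inet', 'inet6', or None for both
    flags: frozenset[str]  # subset of {'truncatenames', 'nostate'}

# render=False means the term would not be emitted; udp_dport is set by the 'established' fallback
Decision = namedtuple("Decision", "name render reason udp_dport", defaults=("", None))

def parse_header(target: str) -> Header:
    """Parse 'target:: iptables <chain> {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}'.
    Tokens after the chain are accepted in any order (an assumption of this example)."""
    m = re.fullmatch(r"target::\s*iptables\s+(\S.*)", target.strip())
    if not m:
        raise ValueError(f"not an iptables target line with a chain: {target!r}")
    toks = m.group(1).split()
    chain, policy, family, flags = toks[0], None, None, set()
    for tok in toks[1:]:
        if tok in POLICIES and policy is None:
            policy = tok
        elif tok in FAMILIES and family is None:
            family = tok
        elif tok in FLAGS:
            flags.add(tok)
        else:
            raise ValueError(f"unexpected or repeated header token {tok!r}")
    return Header(chain, policy, family, frozenset(flags))

def parse_policy(text: str) -> tuple[Header, list[dict]]:
    """Split a policy into its Header and a list of {name, fields} terms."""
    hdr = re.search(r"\bheader\s*\{(.*?)\}", text, re.S)
    target = next((l for l in hdr.group(1).splitlines() if "target::" in l), None) if hdr else None
    if target is None:
        raise ValueError("policy needs a header block with a target:: line")
    terms = []
    for name, body in TERM_RE.findall(text[hdr.end():]):
        fields: dict[str, list[str]] = {}
        for key, raw in KV_RE.findall(body):
            vals = [raw[1:-1]] if raw.startswith('"') else raw.split()
            fields.setdefault(key, []).extend(vals)  # a repeated key accumulates values
        terms.append({"name": name, "fields": fields})
    return parse_header(target), terms

def plan_term(term: dict, today: datetime.date) -> Decision:
    """Decide whether a term is rendered for iptables, and the dport 'established' implies for UDP."""
    name, f = term["name"], term["fields"]
    unknown = sorted(set(f) - TERM_KEYS)
    if unknown:
        raise ValueError(f"{name}: unknown term keys {unknown}")  # catches typos like fragement-offset
    actions = f.get("action", [])
    if len(actions) != 1 or actions[0] not in ACTIONS:
        raise ValueError(f"{name}: needs exactly one valid action, got {actions}")
    if "expiration" in f and today > datetime.date.fromisoformat(f["expiration"][0]):
        return Decision(name, False, f"expired on {f['expiration'][0]}")
    if "platform" in f and "iptables" not in f["platform"]:
        return Decision(name, False, "platform:: does not list iptables")
    if "iptables" in f.get("platform-exclude", []):
        return Decision(name, False, "platform-exclude:: lists iptables")
    udp_fallback = ("established" in f.get("option", []) and "udp" in f.get("protocol", [])
                    and "destination-port" not in f)
    return Decision(name, True, "", "1024-65535" if udp_fallback else None)

SAMPLE_POLICY = """\
header {
  target:: iptables INPUT DROP truncatenames inet
}
term allow-ssh {
  comment:: "SSH to this host.
             Second line of the same comment."
  protocol:: tcp
  destination-port:: SSH
  action:: accept
}
term dns-replies {
  protocol:: udp
  source-port:: DNS
  option:: established
  action:: accept
}
"""
```

Usage: `header, terms = parse_policy(SAMPLE_POLICY)` followed by `plan_term(t, datetime.date.today())` for each term. The unknown-key check is the useful guard in practice: a misspelled keyword in a term is far easier to catch here than by reading the generated rules.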

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • ack:: Match on ACK flag being present.
  • all:: Matches all protocols.
  • established:: Only match established connections; implements tcp-established for tcp and sets the destination port to 1024-65535 for udp if no destination port is defined.
  • fin:: Match on FIN flag being present.
  • first-fragment:: Only match on the first fragment of a fragmented packet.
  • initial:: Only matches on initial packet.
  • is-fragment:: Matches on if a packet is a fragment.
  • none:: Matches none.
  • psh:: Match on PSH flag being present.
  • rst:: Match on RST flag being present.
  • sample:: Samples traffic for netflow.
  • syn:: Match on SYN flag being present.
  • tcp-established:: Only match established tcp connections, based on a stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial:: Only match initial packet for TCP protocol.
  • urg:: Match on URG flag being present.