This page provides examples of the use of various iptables test and target modules. The examples in the -sample files were automatically generated from the firewall bricks in the Modwall project to show the actual commands created.
Targets (actions)

-j LOG
    Writes a one-line summary of the packet headers (interfaces, addresses, protocol, ports, TCP flags, TTL and so on) to syslog through the kernel log. LOG is a non-terminating target: after logging, the packet continues to the next rule, so a LOG rule is normally followed by the DROP, REJECT or ACCEPT that actually decides its fate, and is usually rate-limited with -m limit so that an attacker cannot fill the logs. I have a short summary of the fields used.
    Samples: logremainder-sample

-j REJECT
    Discards the packet and, unlike DROP, tells the sender why: by default an ICMP port-unreachable error, another ICMP error chosen with --reject-with, or, for TCP only, a RST segment with --reject-with tcp-reset. The sender fails immediately instead of waiting for a timeout, which is friendlier to legitimate clients but also confirms to a scanner that a host and a filter are present. REJECT is valid only in the INPUT, FORWARD and OUTPUT chains and in user-defined chains called from them.
    Samples: autoreject-sample, identreject-sample

-j ULOG
    Unlike LOG, which only writes a header summary to syslog, ULOG copies the packet itself (all of it by default, or the first --ulog-cprange bytes) from the kernel to userspace over a netlink multicast group, where the ulogd daemon can save it to a pcap file or an SQL database, or hand it to other pluggable output modules. Like LOG it does not terminate rule processing. I have an article on its use at http://www.stearns.org/doc/iptables-ulog.current.html. (ULOG is IPv4-only; later kernels replaced it with the NFLOG target, which works the same way for both IPv4 and IPv6.)
    Samples: scrutinize-sample, syncapture-sample
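The three targets above combined the way a "log the remainder" tail of the INPUT chain normally uses them. This is an added example, not one of the Modwall -sample files or code from the page's author: the ulogd netlink group number (1), the log prefixes and the choice to append to INPUT are arbitrary assumptions. Set DRY_RUN=1 to print the rules instead of loading them; loading needs root, a kernel with the ULOG target, and a ulogd listening on that group.

```shell
#!/bin/sh
# Added example (not a Modwall -sample file): LOG, REJECT and ULOG at the tail
# of the INPUT chain. Netlink group 1 and the prefixes are arbitrary assumptions.
# DRY_RUN=1 prints the iptables commands instead of running them.

IPT="${IPT:-iptables}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

log_and_reject_tail() {
    # ident (tcp/113): answer with a TCP RST rather than dropping, so mail and
    # IRC servers that probe ident get an immediate "no" instead of a timeout.
    run -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Copy every connection attempt that got this far to userspace in full
    # (--ulog-cprange defaults to 0, meaning the whole packet) for a ulogd
    # listening on netlink group 1. Like LOG, ULOG does not terminate.
    run -A INPUT -p tcp --syn -j ULOG --ulog-nlgroup 1 --ulog-prefix "syn-capture"

    # Header summary of whatever is left, rate-limited so a flood cannot fill
    # syslog; the packet then continues on to the REJECT rules below.
    run -A INPUT -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "remainder: " --log-level info

    # Tell the sender the port is closed. tcp-reset is only valid with -p tcp;
    # everything else gets an ICMP error. A plain DROP would be quieter but
    # makes every blocked client wait for a timeout.
    run -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    run -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    run -A INPUT -j REJECT --reject-with icmp-proto-unreachable
}

# Load the rules only when asked explicitly; sourcing the file just defines them.
if [ "${1:-}" = "apply" ]; then
    log_and_reject_tail
fi
```

Rule order is the point: the ident REJECT and the ULOG capture come first because LOG and ULOG would otherwise never see packets that an earlier terminating rule consumed, and the LOG rule precedes the REJECTs because LOG does not stop processing.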
Test modules

-m addrtype
    Asks the kernel's routing table to classify the source (--src-type) or destination (--dst-type) address as one or more of: local, broadcast, blackhole, unreachable, prohibit, unspec, unicast, anycast, multicast, throw, nat, or xresolve. A common use is anti-spoofing: a packet arriving on an external interface whose source address the kernel classifies as LOCAL or BROADCAST is forged and can be dropped.
    Samples: fwddstaddrtype-sample

-m icmp
    -p icmp checks that the packet is ICMP (IP protocol 1) and implicitly loads the icmp match. The firewall designer can then test the ICMP type, and optionally the code, with --icmp-type, either numerically (type or type/code) or by descriptive name such as echo-request or port-unreachable; iptables -p icmp -h lists the names.
    Samples: catchmapreply-sample

-m ipv4options
    Checks for the presence of particular IP options (or of any option at all) in an IPv4 header. The Strict and Loose Source Routing options are generally considered hostile: they let the sender dictate the path the packet takes, bypassing the normal routing tables, and they let replies to a spoofed source address be steered back to the attacker. Most hosts should simply drop source-routed packets. This match is a patch-o-matic add-on rather than part of a stock iptables build.
    Samples: ipopts-sample

-m length
    Checks the total length of the packet as given in the IP header: the IP header, the tcp/udp/icmp/protocol header and the payload, but not the ethernet/physical layer header. Takes a single value or a range (--length min:max).
    Samples: mapssh-sample, plength-sample

-m mac
    Tests the source MAC address (--mac-source) of a packet that arrived on an ethernet interface; there is no destination MAC test. It only makes sense in the PREROUTING, INPUT and FORWARD chains, and the MAC address is not always available: locally generated packets and packets arriving over non-ethernet links such as PPP have none. Remember that a MAC address is trivially forged and is only as trustworthy as the segment it was learned on.

-m psd
    The Port Scan Detector module flags a source address that sends packets to many different destination ports in a short period, with separate weights for privileged and unprivileged ports and a time threshold. It is a patch-o-matic add-on rather than a stock match. Like any counter-based detector it can be fed packets with a spoofed source address to get a third party blocked, so act on its verdict with a temporary rather than a permanent ban.
    Samples: catchmapper-sample

-m recent
    This module remembers IP addresses. Firewalls using it take two steps. First, some rule (say, one that detects portscans with the portscan detector) records the source or offending address (--set) in a kernel table, named with --name, that the recent module maintains. Second, other rules later compare the source or destination address of a future packet against that table (--rcheck, or --update to also refresh the entry's timestamp), optionally only counting entries seen within the last --seconds seconds or at least --hitcount times. This has the effect of remembering IP addresses that have behaved a certain way in the past (such as "portscanners") and treating new packets from those addresses differently. I have an article on adaptive firewalls using the recent module.
    Samples: banfor30-sample, catchmapper-sample, catchmapreply-sample

-m state
    The state module asks the connection tracker whether a given packet is new to us (--state NEW), part of an existing connection found in the kernel's state tables (--state ESTABLISHED), or related to an existing connection, such as ICMP errors about an existing connection or ftp data channels (--state RELATED). A fourth value, --state INVALID, matches packets the tracker cannot associate with any connection; these are usually worth dropping.
    Samples: established-sample

-p tcp
    Requires that the packet be TCP and, through the tcp match that -p tcp loads, can test the source and destination ports (--sport/--dport, single values or ranges), arbitrary combinations of TCP flags (--tcp-flags mask set; --syn is shorthand for SYN set with ACK, RST and FIN clear), and the TCP option number in use (--tcp-option).
    Samples: tcpchk-sample

-m u32
    The u32 module tests an arbitrary value in a packet: it fetches up to 4 bytes at a chosen offset, optionally shifts and masks them, and compares the result against a value or a set of ranges, so anything from a single bit to a 32-bit word can be tested. Offsets can also be computed from fields already in the packet (the IP header length, for instance), so a test can follow a variable-length header into the transport header or payload. There's a full article on its use at http://www.stearns.org/doc/iptables-u32.current.html
    Samples: mapssh-sample, plength-sample

-p udp
    Requires that the packet be UDP and, through the udp match, tests the source and destination ports (--sport/--dport, single values or ranges).
    Samples: udpchk-sample
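The two-step recent pattern described above (remember an address in step one, treat its later packets differently in step two), together with the state and tcp matches, as a small INPUT-chain script. This is an added example rather than one of the Modwall -sample files or the author's code: it uses a stock --tcp-flags test for NULL, XMAS and SYN/FIN probes as the trigger instead of the psd match, and the chain name SCANTRAP, the list name "scanners" and the 30-second ban are arbitrary choices. Set DRY_RUN=1 to print the rules instead of loading them; loading needs root and a kernel with the recent match.

```shell
#!/bin/sh
# Added example (not a Modwall -sample file): ban a probing address for a while
# using the recent match. SCANTRAP, "scanners" and BAN_SECONDS are assumptions.
# DRY_RUN=1 prints the iptables commands instead of running them.

IPT="${IPT:-iptables}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

scan_ban_rules() {
    # Step 1 of the two-step pattern: anything sent to this chain has its
    # source address written into the kernel table named "scanners", is logged
    # (rate-limited), and is dropped.
    run -N SCANTRAP
    run -A SCANTRAP -m recent --name scanners --set
    run -A SCANTRAP -m limit --limit 3/minute -j LOG --log-prefix "scan-probe: "
    run -A SCANTRAP -j DROP

    # Packets belonging to conversations we already accepted never need this
    # inspection; let them through first.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Step 2: any further packet from an address recorded in the table during
    # the last BAN_SECONDS seconds is dropped, whatever port it is aimed at.
    # --rcheck only reads the table; --update would also refresh the timestamp,
    # which keeps extending the ban for as long as the scanner keeps sending.
    run -A INPUT -m recent --name scanners --rcheck --seconds "${BAN_SECONDS:-30}" -j DROP

    # The triggers: TCP flag combinations no legitimate stack sends.
    # NULL scan (no flags), XMAS scan (FIN,PSH,URG) and SYN+FIN together.
    run -A INPUT -p tcp --tcp-flags ALL NONE -j SCANTRAP
    run -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j SCANTRAP
    run -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j SCANTRAP

    # Other packets the tracker cannot place. This must come after the trap
    # rules, because the tracker classifies flag-less probes as INVALID too.
    run -A INPUT -m state --state INVALID -j DROP
}

# Load the rules only when asked explicitly; sourcing the file just defines them.
if [ "${1:-}" = "apply" ]; then
    scan_ban_rules
fi
```

The trigger packets are forged trivially, so an attacker who spoofs a NULL probe from a third party's address gets that party dropped for BAN_SECONDS; that is why the ban is short and why --rcheck rather than --update is used, so one spoofed packet cannot keep the ban alive.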
Misc

-P
    The policy option sets the default policy of a built-in chain (INPUT, OUTPUT or FORWARD in the filter table): the action taken when a packet reaches the end of that chain without any rule having decided what to do with it. Only ACCEPT and DROP are valid policies (REJECT is not), and user-defined chains have no policy: a packet that falls off the end of one returns to the chain that called it. A deny-by-default firewall sets the INPUT and FORWARD policies to DROP and adds explicit ACCEPT rules for the traffic it wants.
    Samples: policy-sample


William is an Open-Source developer, enthusiast, and advocate from New Hampshire, USA. His day job at SANS pays him to work on network security and Linux projects.

This document is Copyright 2004, William Stearns <wstearns@pobox.com>.

Last updated 2/11/2004.