This page provides examples of the use of various iptables test and target modules. The examples in the -sample files were automatically generated from the firewall bricks in the Modwall project to show the actual commands created.
| Test or target | Description | Sample file |
|---|---|---|
| `-j LOG` | This target writes a summary of the packet headers to the kernel log (and so to syslog). LOG does not end rule traversal, so it is normally placed just before the DROP or REJECT rule that makes the decision. I have a short summary of the fields used. | logremainder-sample |
| `-j REJECT` | Discards the packet and, unlike DROP, tells the sender it was refused: an ICMP port-unreachable error by default, or a TCP RST when `--reject-with tcp-reset` is given. | autoreject-sample |
| `-j ULOG` | Unlike the LOG target, which only saves a header summary to syslog, ULOG can copy the entire packet from the kernel to userspace, where the ulogd daemon can write it to a pcap file or an SQL database (or hand it to other pluggable output modules). I have an article on its use at http://www.stearns.org/doc/iptables-ulog.current.html. (Kernels from 3.17 onward have dropped the ULOG target; the `NFLOG` target and ulogd2 do the same job.) | scrutinize-sample |
| `-m addrtype` | This module asks the kernel's routing code to classify the source (`--src-type`) or destination (`--dst-type`) address as one or more of: local, broadcast, blackhole, unreachable, prohibit, unspec, unicast, anycast, multicast, throw, nat, or xresolve. | fwddstaddrtype-sample |
| `-m ipv4options` | This checks for the existence of particular (or any) IP options in an IPv4 header. The Strict and Loose Source Routing options are generally considered hostile: they let the sender dictate the path the packet and its replies take, bypassing the routing tables and making source-address spoofing easier for attackers. | ipopts-sample |
| `-m length` | Checks the layer-3 length of a packet: the IP header, the tcp/udp/icmp/protocol header and the payload, but not the ethernet or other physical-layer header. | mapssh-sample |
| `-m mac` | This tests the source mac address (`--mac-source`) of packets arriving from an ethernet network; there is no destination-mac test, because the destination mac of an incoming frame is our own. The match is only usable in the PREROUTING, FORWARD and INPUT chains, and the mac address is not always available (point-to-point links such as PPP carry none). | |
| `-m psd` | The Port Scan Detector module identifies port scans by watching for a source address that probes many different ports in a short period of time; each probe adds to a per-source weight (low ports count more than high ports) and the match fires once the weight crosses a threshold. | catchmapper-sample |
| `-m recent` | This module can remember IP addresses. Firewalls using it take two steps. First, some rule (say, one that detects portscans with the portscan detector) records the offending source address in a kernel table maintained by the recent module (`--set`). Second, other rules later compare the source or destination address of a future packet against the addresses stored in that table (`--rcheck`, or `--update` to also refresh the entry's timestamp), usually with a `--seconds` limit so the memory expires. This has the effect of remembering IP addresses that have behaved a certain way in the past (such as portscanners) and treating new packets from those addresses differently. I have an article on adaptive firewalls using the recent module. | banfor30-sample |
| `-m state` | The state module can identify whether a given packet is new to us | |
| `-p tcp` | In addition to requiring that the packet be tcp in the first place, this module can check arbitrary combinations of tcp flags (`--tcp-flags`), source and destination ports, and the tcp options in use (`--tcp-option`). | tcpchk-sample |
| `-m u32` | The u32 module allows one to test any arbitrary value in a packet, from a single bit up to 4 bytes at once. There's a full article on its use at http://www.stearns.org/doc/iptables-u32.current.html. | mapssh-sample |
| `-p udp` | This checks that a packet is udp and can also check the source and destination port used. | udpchk-sample |
| `-P` | The policy option sets the default policy for a built-in chain: the action (ACCEPT or DROP) taken when a packet reaches the end of INPUT, OUTPUT or FORWARD without any earlier rule having decided what to do with it. | policy-sample |
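The following script shows how several of the rows above fit together into one adaptive-ban ruleset: `-P` default policies, `-m state` to let established traffic through, the two-step `-m recent` pattern fed by `-m psd`, and `LOG` ahead of `REJECT`. It is an added example written for this page, not one of the Modwall `-sample` files. The table name `scanners`, the 30-minute ban length and the log prefixes are assumptions; `psd` is assumed to be installed (it ships in xtables-addons rather than the mainline kernel).

```shell
#!/bin/sh
# Adaptive ban built from the psd, recent, state, LOG and REJECT modules.
# Added example for this page, not a Modwall -sample file. The list name
# "scanners", BAN_SECONDS and the log prefixes are assumptions.
#
# IPT is the command used to load each rule. The default is the real
# binary; dry-run mode swaps in "echo iptables" so the generated rules
# can be reviewed on any machine, without root or a netfilter kernel.
IPT="${IPT:-iptables}"
BAN_SECONDS="${BAN_SECONDS:-1800}"   # how long a remembered scanner stays banned
LIST="scanners"                       # kernel table kept by the recent module

set_policies() {
    # -P: what happens when a packet reaches the end of a chain undecided.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

drop_known_scanners() {
    # Step 2 of the recent-module pattern, placed first so banned sources
    # are dropped before any other rule spends time on them. --update
    # refreshes the entry's timestamp on every hit, so a scanner that keeps
    # probing stays banned; use --rcheck instead for a fixed-length window.
    $IPT -A INPUT -m recent --name "$LIST" --update --seconds "$BAN_SECONDS" -j DROP
}

allow_established() {
    # Replies to conversations we already accepted, and loopback traffic,
    # bypass the scan checks entirely.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
}

remember_scanners() {
    # Step 1 of the recent-module pattern: psd fires when one source probes
    # many ports in a short time. LOG records a header summary (it does not
    # end rule traversal), then recent --set stores the source address in
    # the table and the probe itself is dropped.
    $IPT -A INPUT -m psd -j LOG --log-prefix "portscan: " --log-level info
    $IPT -A INPUT -m psd -m recent --name "$LIST" --set -j DROP
}

reject_remainder() {
    # Anything still undecided: log it, then REJECT so legitimate clients
    # fail fast instead of waiting on a timeout. (Without these rules the
    # INPUT policy above would silently DROP them.)
    $IPT -A INPUT -j LOG --log-prefix "INPUT reject: " --log-level info
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

build_rules() {
    set_policies
    drop_known_scanners
    allow_established
    remember_scanners
    reject_remainder
}

dry_run() {
    # Print the rules instead of loading them; the subshell keeps the
    # "echo iptables" substitution from leaking into the caller.
    ( IPT="echo iptables"; build_rules )
}

case "${1:-}" in
    dry-run) dry_run ;;
    apply)   build_rules ;;
esac
```

Saved as, say, `adaptive-ban.sh`, `sh adaptive-ban.sh dry-run` prints the eleven commands for review and `sh adaptive-ban.sh apply` loads them as root. Rule order is the point worth checking in the dry-run output: the `--update` check must sit above the `--set` rule that fills the table, and both must sit below nothing that would accept a scanner's probes.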
William is an Open-Source developer, enthusiast, and advocate from New Hampshire, USA. His day job at SANS pays him to work on network security and Linux projects.
This document is Copyright 2004, William Stearns <email@example.com>.
Last updated 2/11/2004.