Individual Suite pages:

[summary] [combined] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [optimizations] [pending] [submitted] [userspace]

ipv4 patches

[CONNMARK] [CONNMARK] [DSCP] [ECN] [IPV4OPTSSTRIP] [MARK_operations] [NETLINK] [NETMAP] [REJECT-dont_fragment] [REJECT_mark] [ROUTE] [SAME] [TOS-oops-fix] [TTL] [ahesp-static] [amanda-conntrack-nat] [arptables] [condition] [config-cleanup] [conntrack+nat-helper-unregister] [conntrack-tcp-nopickup] [conntrack] [ctnetlink] [dropped-table] [dscp] [ecn] [eggdrop-conntrack] [eggdrop-conntrack] [ftos] [ftp-fxp] [fuzzy] [h323-conntrack-nat] [helper] [helper] [ip6tables-export-symbols] [ip_conntrack-timeouts] [ip_conntrack_protocol_destroy] [ip_conntrack_protocol_unregister] [ip_nat_irc-srcaddr-fix] [ip_tables-proc] [iplimit] [ipt_MIRROR-ttl] [ipt_REJECT-checkentry] [ipt_REJECT-fake-source] [ipt_TARPIT] [ipt_unclean-ecn] [ipt_unclean-ubit] [ipv4options] [irc-dcc-mask] [local-nat] [macro-trailing-semicolon-fix] [mangle5hooks] [mark-bitwise-ops] [mms-conntrack-nat] [mport] [nat-export_symbols] [nat-memoryleak-fix] [nat-sack] [netfilter-arp] [nf_register_hook] [nfnetlink-ctnetlink-0.11] [nth] [ownercmd] [pkttype] [pool] [pptp-conntrack-nat] [pptp-conntrack-nat] [pptp-gre-ct-nat-0.83] [psd] [quake3-conntrack] [quota] [random] [raw] [realm] [recent] [record-rpc] [record-rpc] [remove_no_version] [rsh] [skb_clone_copy] [string] [talk-conntrack-nat] [talk-conntrack-nat] [tcp-window-tracking] [tcp-window-tracking] [tftp-conntrack-nat] [tftp] [time] [ulog-module-unload] [ulog-nlgroup-shift-fix] [unclean-udpchecksum] [z-newnat16] [z-newnat_assertfix] [z-newnat_changeexpect-lockfix]

ipv6 patches

[REJECT] [ahesp6] [frag6] [ip6tables-exthdr-bug] [ipv6-agr] [ipv6header] [length] [log-tunnel-fix] [opts6] [raw] [route6]

base


base depends on: submitted pending

Patches which are working fine together


IPV4OPTSSTRIP [IPV4OPTSSTRIP.patch] [IPV4OPTSSTRIP.patch.config.in] [IPV4OPTSSTRIP.patch.configure.help] [IPV4OPTSSTRIP.patch.help] [IPV4OPTSSTRIP.patch.makefile]
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: Works For Me.

This option adds CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP, which supplies a target
module that strips all IP options from a packet.

The target takes no options and is therefore extremely easy to use:

# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
# iptables -t mangle --list -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
IPV4OPTSSTRIP  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

NETLINK [NETLINK.patch] [NETLINK.patch.config.in] [NETLINK.patch.configure.help] [NETLINK.patch.help] [NETLINK.patch.makefile]
Author: Gianni Tedesco <gianni@ecsc.co.uk>
Status: Working, will not go into main kernel

This patch adds CONFIG_IP_NF_TARGET_NETLINK, which adds a NETLINK
target that sends dropped packets to userspace via a netlink socket.
It replaces the old ipchains -o option.

NETMAP [NETMAP.patch] [NETMAP.patch.config.in] [NETMAP.patch.configure.help] [NETMAP.patch.help] [NETMAP.patch.makefile]
Author: Svenning Soerensen <svenning@post5.tele.dk>
Status: Experimental

This adds the CONFIG_IP_NF_TARGET_NETMAP option, which provides a target for
the nat table. It creates a static 1:1 mapping of the network part of the
address, while keeping the host part intact. It can be applied to the
PREROUTING chain to alter the destination of incoming connections,
to the POSTROUTING chain to alter the source of outgoing connections,
or both (with separate rules).

Examples:

iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24

iptables -t nat -A POSTROUTING -s 5.6.7.0/24 -j NETMAP --to 1.2.3.0/24


REJECT [REJECT.patch.ipv6] [REJECT.patch.ipv6.config.in] [REJECT.patch.ipv6.configure.help] [REJECT.patch.ipv6.help] [REJECT.patch.ipv6.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: In Development, REQUIRES ipv6-fixes.patch

This adds the CONFIG_IP6_NF_TARGET_REJECT option, which adds a REJECT target
to ip6tables. Please keep in mind that the ICMP types are different from
the ICMPv6 types (see ip6tables -j REJECT -h for more info).

SAME [SAME.patch] [SAME.patch.config.in] [SAME.patch.configure.help] [SAME.patch.help] [SAME.patch.makefile]
Author: Martin Josefsson <gandalf@wlug.westbo.se>
Status: In Development/Works For Me

This adds the CONFIG_IP_NF_TARGET_SAME option, which is similar to
SNAT: it takes a range of addresses (`--to 1.2.3.4-1.2.3.7') and
gives a client the same address for each connection.

It has a --nodst option to make it not use the
destination IP in the calculations when selecting
the new source IP.

Now it has support for multiple ranges, including 1-address ranges.

THIS PATCH IS INCOMPATIBLE WITH dropped-table.patch

TTL [TTL.patch] [TTL.patch.config.in] [TTL.patch.configure.help] [TTL.patch.help] [TTL.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Stable, needs new checksum handling

This adds CONFIG_IP_NF_TARGET_TTL option, which enables the user
to set the TTL value of an IP packet or to increment / decrement it 
by a given value.

ahesp6 [ahesp6.patch.ipv6] [ahesp6.patch.ipv6.config.in] [ahesp6.patch.ipv6.configure.help] [ahesp6.patch.ipv6.help] [ahesp6.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It works 4 me!

  These two match extensions (`ah' and `esp') allow you to match a
  range of SPIs inside AH or ESP headers of IPv6 packets.

  AH options:
 --ahspi [!] spi[:spi]         match spi (range)
 --ahlen [!] length            total length of this header
 --ahres                       check the reserved field, too

 ESP option:
 --espspi [!] spi[:spi]        match spi (range)


frag6 [frag6.patch.ipv6] [frag6.patch.ipv6.config.in] [frag6.patch.ipv6.configure.help] [frag6.patch.ipv6.help] [frag6.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It works 4 me!

  This match extension (`frag') allows you to select the packet based on the
  fields of the fragmentation header of the IPv6 packets.

  FRAG options:
 --fragid [!] id[:id]          match the id (range)
 --fraglen [!] length          total length of this header
 --fragres                     check the reserved field, too
 --fragfirst                   matches on the first fragment
 [--fragmore|--fraglast]       there are more fragments or this
                               is the last one


fuzzy [fuzzy.patch] [fuzzy.patch.config.in] [fuzzy.patch.configure.help] [fuzzy.patch.help] [fuzzy.patch.makefile]
Author: Hime Aguiar e Oliveira Jr. <hime@engineer.com>
Status: Under development, but works.

This option adds CONFIG_IP_NF_MATCH_FUZZY,
which allows you to match packets according to a dynamic profile
implemented by means of a simple Fuzzy Logic Controller (FLC).

Supported options are:

--upper-limit => Desired upper bound for the traffic rate

--lower-limit => Lower bound above which the FLC starts to limit traffic

iplimit [iplimit.patch] [iplimit.patch.config.in] [iplimit.patch.configure.help] [iplimit.patch.help] [iplimit.patch.makefile]
Author: Gerd Knorr <kraxel@bytesex.org>
Status: ItWorksForMe[tm]

This adds the CONFIG_IP_NF_MATCH_IPLIMIT match, which allows you to restrict
the number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m iplimit --iplimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m iplimit --iplimit-above 16		\
	--iplimit-mask 24 -j REJECT

ipt_unclean-ubit [ipt_unclean-ubit.patch] [ipt_unclean-ubit.patch.help]
Author: Maciej Soltysiak <solt@dns.toxicfilms.tv>
Status: Works for me

This patch extends the unclean module to match packets with the unused IP
bit set.  This bit is the first bit of the fragmentation word of the IP
header.  That 16-bit word contains 2 fields:
  3 bit fragmentation flags
 13 bit fragmentation offset

Excerpt from RFC 791:

 Flags:  3 bits

    Various Control Flags.

      Bit 0: reserved, must be zero
      Bit 1: (DF) 0 = May Fragment,  1 = Don't Fragment.
      Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.

          0   1   2
        +---+---+---+
        |   | D | M |
        | 0 | F | F |
        +---+---+---+


This adds what I see as a security feature to the unclean match, as the bit
may be used in very discreet OS fingerprinting as described by Ofir Arkin
in "Unverified Fields - A Problem with Firewalls & Firewall Technology
Today" available to read at:
http://www.sys-security.com/archive/papers/Unverified_Fields_1.0.pdf
http://www.sys-security.com/archive/papers/Unverified_Fields_1.0.ps

ipv4options [ipv4options.patch] [ipv4options.patch.config.in] [ipv4options.patch.configure.help] [ipv4options.patch.help] [ipv4options.patch.makefile]
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: experimental

This option adds CONFIG_IP_NF_MATCH_IPV4OPTIONS,
which supplies an IP options match.

Supported options are:
--ssrr
  To match packets with the strict source routing option.
--lsrr
  To match packets with the loose source routing option.
--no-srr
  To match packets with no source routing option.
[!] --rr
  To match packets with the RR (record route) option.
[!] --ts
  To match packets with the TS (timestamp) option.
[!] --ra
  To match packets with the router-alert option.
[!] --any-opt
  To match a packet with at least one IP option, or with no IP option
  at all if ! is chosen.

Example:
  $ iptables -A input -m ipv4options --rr -j DROP
  will drop packets with the record-route flag.

  $ iptables -A input -m ipv4options --ts -j DROP
  will drop packets with the timestamp flag.

Bug ?
  I tested --ts and --rr, but not source routing issues, nor the router-alert
  since I don't know enough about them. So please let me know if it works or
  doesn't work :)
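The two matches above, ipt_unclean-ubit and ipv4options, both read the same part of the IPv4 header. The following is an added example (not code from patch-o-matic or either patch) that parses a raw IPv4 header, splits the flags/fragment-offset word to expose the reserved bit, walks the option list, and reproduces the decisions the two matches take; the sample packets are constructed by build_ipv4, and the option-kind constants are the RFC 791 / RFC 2113 values.

```python
"""Inspect the IPv4 header fields that ipt_unclean-ubit and ipv4options look at.

Added example, not code from patch-o-matic.  It parses a raw IPv4 header
(constructed sample packets are built by build_ipv4 below), reports whether
the reserved "unused" flag bit is set, and lists the IP options present using
the option kinds the ipv4options match tests for (RR, TS, LSRR, SSRR, RA).
"""
import struct

# IP option kind octets (RFC 791, router alert from RFC 2113).
OPT_EOOL = 0     # end of option list
OPT_NOP = 1      # no operation (padding)
OPT_RR = 7       # record route
OPT_TS = 68      # timestamp
OPT_LSRR = 131   # loose source routing
OPT_SSRR = 137   # strict source routing
OPT_RA = 148     # router alert


def parse_ipv4_header(pkt: bytes) -> dict:
    """Split the flags/fragment-offset word and walk the option list.

    Raises ValueError on a header that cannot be parsed safely; a firewall
    would treat such a packet as unclean as well.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, frag_word = struct.unpack("!BBHHH", pkt[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    info = {
        "reserved_bit": bool(frag_word & 0x8000),  # bit 0: reserved, must be zero
        "df": bool(frag_word & 0x4000),            # bit 1: Don't Fragment
        "mf": bool(frag_word & 0x2000),            # bit 2: More Fragments
        "frag_offset": frag_word & 0x1FFF,         # remaining 13 bits
        "options": [],
    }
    opts = pkt[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length octet")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        info["options"].append(kind)
        i += length
    return info


def unclean_ubit(pkt: bytes) -> bool:
    """What ipt_unclean-ubit adds: true when the reserved flag bit is set.

    An unparsable header also counts as unclean here.
    """
    try:
        return parse_ipv4_header(pkt)["reserved_bit"]
    except ValueError:
        return True


def ipv4options_match(pkt: bytes, **flags: bool) -> bool:
    """Mimic `-m ipv4options`.  Keyword flags: ssrr, lsrr, no_srr, rr, ts,
    ra, any_opt; True means the option must be present, False is the `!` form.
    """
    opts = set(parse_ipv4_header(pkt)["options"])
    checks = {
        "ssrr": OPT_SSRR in opts,
        "lsrr": OPT_LSRR in opts,
        "no_srr": not (opts & {OPT_SSRR, OPT_LSRR}),
        "rr": OPT_RR in opts,
        "ts": OPT_TS in opts,
        "ra": OPT_RA in opts,
        "any_opt": bool(opts),
    }
    return all(checks[name] == wanted for name, wanted in flags.items())


def build_ipv4(options: bytes = b"", frag_word: int = 0) -> bytes:
    """Constructed sample header: 10.0.0.1 -> 10.0.0.2, TCP, no payload,
    zero checksum, options padded to a 4-octet boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0,
                      frag_word, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options
```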

ipv6header [ipv6header.patch.ipv6] [ipv6header.patch.ipv6.config.in] [ipv6header.patch.ipv6.configure.help] [ipv6header.patch.ipv6.help] [ipv6header.patch.ipv6.makefile]
Author: Brad Chapman (kakadu_croc@yahoo.com)
        Andras Kis-Szabo 
Status: Under development, please test it!

This match allows you to match the extension headers of an IPv6
packet. The list can be found in the help message of the match
module.

The usage of the module is as follows (e.g.):

ip6tables -t filter -A INPUT -m ipv6header --header frag -j ACCEPT
ip6tables -t filter -A INPUT -m ipv6header --header 44 -j ACCEPT
ip6tables -t filter -A INPUT -m ipv6header --header route --soft -j ACCEPT

syntax:
--header [!] headers
--soft

Supported formats:
	hop,dst,route,frag,auth,esp,none,prot
	hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
	0,60,43,44,51,50,59
prot means that the packet has got a protocol (upper-layer) payload.

Soft mode means that the rule matches when the packet contains the header.

Warning: there is a problem with fragmented packets!
 If there is an extension header after the fragmentation header, it can
 only be matched in the first fragment!
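The fragment warning above follows directly from how the extension-header chain has to be walked. The following is an added example (not the patch's own code) that walks the chain of a raw IPv6 packet, names the headers with the short names the match accepts, and stops at a fragment header whose offset is non-zero, which is exactly where later headers become invisible; the sample packets are constructed by build_ipv6, and the strict (non-soft) semantics in ipv6header_match are an assumption taken from the mainline ip6tables man page rather than from this page.

```python
"""Walk an IPv6 extension-header chain the way the ipv6header match must.

Added example, not the patch's own code.  It parses constructed sample
packets (built by build_ipv6 below), names the headers present with the
short names the match accepts (hop, dst, route, frag, auth, esp, none, prot)
and shows the caveat from the description: in a non-first fragment the
headers behind the fragment header are not present, so a rule for them can
only match the first fragment.
"""
import struct

IPV6_HDR_LEN = 40
# Next-header values and the names the match uses for them.
HOP, ROUTE, FRAG, ESP, AUTH, NONE, DST = 0, 43, 44, 50, 51, 59, 60
EXT_NAMES = {HOP: "hop", DST: "dst", ROUTE: "route", FRAG: "frag",
             AUTH: "auth", ESP: "esp", NONE: "none"}
# Any other value is an upper-layer protocol (TCP 6, UDP 17, ...) -> "prot".


def ipv6_headers(pkt: bytes) -> dict:
    """Return {"headers": [names in chain order], "truncated_by_fragment": bool}."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, seen = pkt[6], IPV6_HDR_LEN, []
    while True:
        if nh in (HOP, DST, ROUTE):
            # generic extension header: next header, then length in 8-octet
            # units not counting the first 8 octets
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            seen.append(EXT_NAMES[nh])
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif nh == FRAG:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            seen.append("frag")
            nh, _res, frag_word, _ident = struct.unpack("!BBHI", pkt[off:off + 8])
            off += 8
            if frag_word >> 3:
                # offset != 0: not the first fragment, so what follows is a
                # slice of the original payload, not further headers
                return {"headers": seen, "truncated_by_fragment": True}
        elif nh == AUTH:
            if off + 2 > len(pkt):
                raise ValueError("truncated AH")
            seen.append("auth")
            nh, payload_len = pkt[off], pkt[off + 1]
            off += (payload_len + 2) * 4   # AH length is in 4-octet units minus 2
        elif nh == ESP:
            seen.append("esp")              # encrypted: the visible chain ends here
            return {"headers": seen, "truncated_by_fragment": False}
        elif nh == NONE:
            seen.append("none")
            return {"headers": seen, "truncated_by_fragment": False}
        else:
            seen.append("prot")
            return {"headers": seen, "truncated_by_fragment": False}
        if off > len(pkt):
            raise ValueError("extension header runs past end of packet")


def ipv6header_match(pkt: bytes, headers: set, soft: bool = False) -> bool:
    """Mimic `-m ipv6header --header a,b,... [--soft]`.

    Soft mode matches when the packet contains any listed header, which is
    what the description says.  The strict default used here (the packet
    must contain exactly the listed headers) is an assumption taken from the
    later mainline ip6tables man page, not from this page.
    """
    present = set(ipv6_headers(pkt)["headers"])
    return bool(present & headers) if soft else present == headers


def build_ipv6(chain: list, payload_proto: int = 6) -> bytes:
    """Constructed sample: fe80::1 -> fe80::2 with the extension headers in
    `chain`: ("hop",), ("dst",), ("route",) or ("frag", offset_in_8_octets).
    Option/routing bodies are all zero, which is valid (Pad1 / type 0)."""
    codes = {"hop": HOP, "dst": DST, "route": ROUTE, "frag": FRAG}
    parts = []
    for item in chain:
        if item[0] == "frag":
            body = struct.pack("!BHI", 0, item[1] << 3, 0x1234)  # res, offset|M, id
        else:
            body = b"\x00" * 7                                  # ext len 0 = 8 octets
        parts.append((codes[item[0]], body))
    next_codes = [code for code, _ in parts[1:]] + [payload_proto]
    ext = b"".join(bytes([nh]) + body for (_code, body), nh in zip(parts, next_codes))
    first_nh = parts[0][0] if parts else payload_proto
    payload = b"\x00" * 20                                      # dummy transport header
    fixed = struct.pack("!IHBB16s16s", 0x60000000, len(ext) + len(payload), first_nh, 64,
                        bytes.fromhex("fe800000000000000000000000000001"),
                        bytes.fromhex("fe800000000000000000000000000002"))
    return fixed + ext + payload
```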


mport [mport.patch] [mport.patch.config.in] [mport.patch.configure.help] [mport.patch.help] [mport.patch.makefile]
Author: Andreas Ferber <af@devcon.net>
Status: It works for me.

This module is an enhanced multiport match. It has support for port
ranges as well as for single ports.

Examples:

# iptables -A FORWARD -p tcp -m mport --ports 23:42,65

Up to 15 ports are allowed. Note that a port range uses up 2 port values.

nth [nth.patch] [nth.patch.config.in] [nth.patch.configure.help] [nth.patch.help] [nth.patch.makefile]
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: Works For Me.

This option adds CONFIG_IP_NF_MATCH_NTH, which supplies a match
module that will allow you to match every Nth packet encountered.
By default there are 16 different counters that can be used.

This match functions in one of two ways:
1) Match every Nth packet, and only the Nth packet.
   example:
    iptables -t mangle -A PREROUTING -m nth --every 10 -j DROP
   This rule will drop every 10th packet.
2) A unique rule for every packet.  This is an easy and quick
   method to produce load-balancing for both inbound and outbound
   traffic.
   example:
    iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
             --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
    iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
             --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
    iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
             --every 3 --packet 2 -j SNAT --to-source 10.0.0.7
   This example evenly splits connections between the three SNAT
   addresses.

   By using the mangle table and iproute2, you can set up complex
   load-balanced routing.  There are lots of other uses.  Be creative!

Supported options are:
   --every     Nth         Match every Nth packet
  [--counter]  num         Use counter 0-15 (default: 0)
  [--start]    num         Initialize the counter at the number 'num'
                           instead of 0. Must be between 0 and Nth-1.
  [--packet]   num         Match on packet 'num'. Must be between 0
                           and Nth-1.
                           If --packet is used for a counter, then
                           there must be Nth --packet rules for it,
                           covering all values between 0 and Nth-1
                           inclusive.
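To see why every value 0..Nth-1 has to be covered when --packet is used, here is an added example (not the module's code) that simulates the shared counters and replays the load-balancing rules from the description; the counter-advance rule it uses is this reader's interpretation of the description, stated in the docstring, and the rule and target names are illustrative.

```python
"""Simulate the nth match's shared counters to see how the examples behave.

Added example, not the module's own code.  Rules sharing a --counter share
one count.  The counter-advance rule used here is this reader's reading of
the description: in plain --every mode every evaluation advances the count
and the Nth one matches; in --packet mode only the rule whose --packet equals
the count matches, and only that match advances it.  That is why all values
0..Nth-1 have to be covered: an uncovered value leaves the counter stuck and
no rule of that counter matches again.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NthRule:
    counter: int            # --counter num (0-15)
    every: int              # --every Nth
    packet: Optional[int]   # --packet num, or None for plain every-Nth mode
    target: str             # what the rule jumps to (SNAT ..., DROP)


class NthState:
    """The 16 in-kernel counters; --start sets a counter's initial value."""

    def __init__(self, starts: Optional[dict] = None):
        self.number = [0] * 16
        for counter, start in (starts or {}).items():
            self.number[counter] = start

    def match(self, rule: NthRule) -> bool:
        n = self.number[rule.counter]
        if rule.packet is None:
            # plain mode: every evaluation advances the counter; the Nth
            # evaluation matches and resets it
            n += 1
            if n >= rule.every:
                self.number[rule.counter] = 0
                return True
            self.number[rule.counter] = n
            return False
        # --packet mode: only the rule whose --packet equals the counter
        # matches, and only a match advances the counter
        if n != rule.packet:
            return False
        self.number[rule.counter] = (n + 1) % rule.every
        return True


def run_chain(rules: List[NthRule], state: NthState, npackets: int) -> List[Optional[str]]:
    """Send npackets through the rule list in order and return the target
    each packet hit, or None when it fell through (no rule matched)."""
    hits = []
    for _ in range(npackets):
        hit = None
        for rule in rules:
            if state.match(rule):
                hit = rule.target
                break          # SNAT and DROP are terminating targets
        hits.append(hit)
    return hits


def snat_example_rules() -> List[NthRule]:
    """The three SNAT rules from the description: --counter 7 --every 3 --packet 0/1/2."""
    return [NthRule(7, 3, p, "SNAT --to-source 10.0.0.%d" % (5 + p)) for p in range(3)]


if __name__ == "__main__":
    for pkt, hit in enumerate(run_chain(snat_example_rules(), NthState(), 6)):
        print(pkt, hit)
```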


opts6 [opts6.patch.ipv6] [opts6.patch.ipv6.config.in] [opts6.patch.ipv6.configure.help] [opts6.patch.ipv6.help] [opts6.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It works 4 me!

  These match extensions (`hbh' and `dst') allow you to select the packet
  based on the fields of the option headers of the IPv6 packets.

HBH options:
 --hbh-len [!] length           total length of this header
 --hbh-opts TYPE[:LEN][,TYPE[:LEN]...]
                                options and their lengths (list, max: 16)

DST options:
 --dst-len [!] length           total length of this header
 --dst-opts TYPE[:LEN][,TYPE[:LEN]...]
                                options and their lengths (list, max: 16)


pool [pool.patch] [pool.patch.config.in] [pool.patch.configure.help] [pool.patch.help] [pool.patch.makefile]
Author: Patrick <bof@bof.de>
Status: Development: please tell me if and where I fucked up on the locks.

This adds CONFIG_IP_NF_POOL, which provides a match which lets you use
bitmaps with one bit per address from some range of IP addresses; the
match depends on whether a checked source or destination address has
its bit set in the pool.  It also provides a POOL target, which can be
used to add or remove the addresses of a packet to/from a pool.

The userspace program ippool(8) is also compiled (in the ippool/
directory), and is used to define the pools and their bounds.

psd [psd.patch] [psd.patch.config.in] [psd.patch.configure.help] [psd.patch.help] [psd.patch.makefile]
Author: Dennis Koslowski <dkoslowski@astaro.de>
Status: Experimental

This option adds CONFIG_IP_NF_MATCH_PSD, which supplies a port scan
detection match (psd). This match will attempt to detect TCP and UDP
port scans. It was derived from Solar Designer's scanlogd.

Supported options are:

--psd-weight-threshold

  Total weight of the latest TCP/UDP packets with different
  destination ports coming from the same host to be treated as a port
  scan sequence.

--psd-delay-threshold

  Delay (in hundredths of a second) for the packets with different
  destination ports coming from the same host to be treated as a
  possible port scan subsequence.

--psd-lo-ports-weight

  Weight of a packet with a privileged (<=1024) destination port.

--psd-hi-ports-weight

  Weight of a packet with a non-privileged destination port.
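The four options above describe a complete detection rule, and the following added example (not the module's or scanlogd's code) applies it to constructed traffic: a weight per new destination port, a delay threshold that splits a source's packets into sequences, and a report once a sequence's weight reaches the threshold. The default values in PsdConfig and the addresses in sample_packets are the example's own choices; the description lists no defaults.

```python
"""Port-scan detection along the lines of the psd match (and scanlogd).

Added example, not the module's or scanlogd's code.  It applies the four
psd parameters from the description to a constructed stream of
(time, source, destination port) packets: packets from one source to
different destination ports that arrive within the delay threshold of each
other form one scan sequence, every new port adds its weight (privileged
ports weigh more), and the source is reported once the sequence's total
weight reaches the weight threshold.  The default values below are the
example's own choices; the description gives none.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PsdConfig:
    weight_threshold: int = 21   # --psd-weight-threshold
    delay_threshold: int = 300   # --psd-delay-threshold, hundredths of a second
    lo_ports_weight: int = 3     # --psd-lo-ports-weight, dport <= 1024
    hi_ports_weight: int = 1     # --psd-hi-ports-weight, dport > 1024


@dataclass
class ScanSequence:
    last_seen: int                              # hundredths of a second
    ports: Set[int] = field(default_factory=set)
    weight: int = 0


class PortScanDetector:
    def __init__(self, cfg: Optional[PsdConfig] = None):
        self.cfg = cfg or PsdConfig()
        self.sources: Dict[str, ScanSequence] = {}

    def observe(self, now: int, src: str, dport: int) -> bool:
        """Feed one TCP/UDP packet; return True when src's current sequence
        has reached the weight threshold (the rule would match)."""
        seq = self.sources.get(src)
        if seq is None or now - seq.last_seen > self.cfg.delay_threshold:
            # gap longer than the delay threshold: not a subsequence of the
            # earlier packets, so start a fresh sequence
            seq = ScanSequence(last_seen=now)
            self.sources[src] = seq
        seq.last_seen = now
        if dport not in seq.ports:          # the same port again adds no weight
            seq.ports.add(dport)
            if dport <= 1024:
                seq.weight += self.cfg.lo_ports_weight
            else:
                seq.weight += self.cfg.hi_ports_weight
        return seq.weight >= self.cfg.weight_threshold

    def expire(self, now: int) -> None:
        """Drop sources whose sequence can no longer be extended."""
        stale = [s for s, seq in self.sources.items()
                 if now - seq.last_seen > self.cfg.delay_threshold]
        for s in stale:
            del self.sources[s]


def replay(packets, cfg: Optional[PsdConfig] = None) -> Dict[str, int]:
    """Run (time, src, dport) packets through a detector; return, per source,
    the index of the packet at which it was first reported."""
    det = PortScanDetector(cfg)
    first_hit: Dict[str, int] = {}
    for i, (now, src, dport) in enumerate(packets):
        if det.observe(now, src, dport) and src not in first_hit:
            first_hit[src] = i
    return first_hit


def sample_packets():
    """Constructed traffic: a fast scanner of privileged ports, a slow scanner
    with four seconds between probes, and a client re-using one port."""
    pkts = []
    pkts += [(t, "192.0.2.10", p) for t, p in zip(range(0, 70, 10), (21, 22, 23, 25, 53, 80, 110))]
    pkts += [(t * 400, "203.0.113.5", p) for t, p in enumerate((21, 22, 23, 25, 53, 80, 110))]
    pkts += [(t, "203.0.113.9", 443) for t in range(0, 1000, 5)]
    return sorted(pkts)
```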


quota [quota.patch] [quota.patch.config.in] [quota.patch.configure.help] [quota.patch.help] [quota.patch.makefile]
Author: Sam Johnston <samj@samj.net>
Status: worksforme

This option adds CONFIG_IP_NF_MATCH_QUOTA, which implements network
quotas by decrementing a byte counter with each packet.

Supported options are:
--quota 
  The quota in bytes.


random [random.patch] [random.patch.config.in] [random.patch.configure.help] [random.patch.help] [random.patch.makefile]
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: Works For Me.

This option adds CONFIG_IP_NF_MATCH_RANDOM,
which allows you to match packets randomly
with a given probability.

Supported options are:

[--average] percent    match packets randomly with a probability of 'percent'
                       (default is 50%)

realm [realm.patch] [realm.patch.config.in] [realm.patch.configure.help] [realm.patch.help] [realm.patch.makefile]
Author: Sampsa Ranta <sampsa@netsonic.fi>
Status: Experimental

realm match: uses the realm key from routing as match criterion, similar to
             the one in the packet classifier

/** snip from packet classifier documentation */
Routing tables based classifier
CONFIG_NET_CLS_ROUTE4
  If you say Y here, you will be able to classify outgoing packets
  according to the route table entry they matched. If unsure, say Y.
/** end snip **/


# Example
# add route
/sbin/ip route add 194.29.194.0/24 via 194.29.192.1 realm 10

# source realm is in realm with mask 0xFFFF0000,
# destination is in realm with mask 0x0000FFFF

# match destination realm
/usr/local/sbin/iptables -A OUTPUT -m realm --realm 10 -j LOG

# match realm of source; this is also determined by routing
/usr/local/sbin/iptables -A INPUT -m realm --realm 655360 -j LOG

THIS PATCH REQUIRES CONFIG_NET_CLS_ROUTE TO BE SET

route6 [route6.patch.ipv6] [route6.patch.ipv6.config.in] [route6.patch.ipv6.configure.help] [route6.patch.ipv6.help] [route6.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It works 4 me!

  This match extension (`rt') allows you to select the packet based on the
  fields of the routing header of the IPv6 packets.

 RT options:
 --rt-type [!] type            match the type
 --rt-segsleft [!] num[:num]   match the Segments Left field (range)
 --rt-len [!] length           total length of this header
 --rt-0-res                    check the reserved field, too (type 0)
 --rt-0-addrs ADDR[,ADDR...]   Type=0 addresses (list, max: 16)
 --rt-0-not-strict             the list of Type=0 addresses is not a strict list


time [time.patch] [time.patch.config.in] [time.patch.configure.help] [time.patch.help] [time.patch.makefile]
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: It Works For Me.

This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time
(arrival time at the machine which the netfilter is running on) or
departure time (for locally generated packets).

Supported options are:
--timestart HH:MM
  The starting point of the time match frame.

--timestop HH:MM
  The stopping point of the time match frame

--days Tue,Mon...
  Days of the week to match, separated by a comma, no space
  (one of Sun,Mon,Tue,Wed,Thu,Fri,Sat)

Example:
  -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
  will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
  to Friday.

  -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --days Mon
  will match the packets (locally generated) that have a departure timestamp
  in the range 8:00->18:00 on Monday only.

broken

MARK_operations [MARK_operations.patch] [MARK_operations.patch.help]
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: Works For Me.

This patch adds support for setting the nfmark bitwise (and & or).

# iptables -t mangle -A PREROUTING -p icmp -j MARK --or-mark 0x15
# iptables -t mangle -A PREROUTING -p icmp -j MARK --and-mark 0x15

***** WARNING ***** This patch also patches the userspace directory, which means that
                    you have to recompile and reinstall the iptables package afterwards.

dropped-table [dropped-table.patch] [dropped-table.patch.config.in] [dropped-table.patch.configure.help] [dropped-table.patch.help] [dropped-table.patch.makefile]
Author: Rusty Russell <rusty@rustcorp.com.au>
Status: Beta, redesign underway, applies now to 2.4.4-final

This patch adds a `drop' table to iptables, adding a
CONFIG_IP_NF_DROPTABLE option.  Packets which are going to be dropped
by the NAT or routing code (among others) will traverse this table,
allowing them to be logged.

THIS PATCH WILL BREAK OTHER PATCHES (irc-conntrack-nat,talk,NETMAP,SAME,...)

record-rpc [record-rpc.patch] [record-rpc.patch.config.in] [record-rpc.patch.configure.help] [record-rpc.patch.help] [record-rpc.patch.makefile]
Author: "Marcelo Barbosa Lima" <marcelo.lima@dcc.unicamp.br>
Status: This works now :-)
Status: Ported to 2.4.0-test9-pre2 by Rusty.  May be broken.
Status: Fixed by Marc for 2.4.0.
Status: Ported to newnat by Harald.  May still be broken.


This adds CONFIG_IP_NF_MATCH_RPC, which supplies two modules,
ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper
requests using UDP and TCP respectively.  It also adds the record_rpc
match for iptables, which matches if the source of the packet has
requested that port through the portmapper before, or it is a new GET
request to the portmapper, allowing effective RPC filtering.

extra


extra depends on: submitted pending base

Patches which are working fine together + patches which might break each other


CONNMARK [CONNMARK.patch] [CONNMARK.patch.config.in] [CONNMARK.patch.configure.help] [CONNMARK.patch.help] [CONNMARK.patch.makefile]
Author: Henrik Nordstrom <hno@marasystems.com>
Status: working

This patch adds per-connection marks, and a target (CONNMARK)
and a match (connmark) for using them.

Usage:

   connmark
       This  module  matches  the netfilter mark field associated
       with a connection (which can be  set  using  the  CONNMARK
       target below).

       --mark value[/mask]
              Matches packets in connections with the given unsigned
              mark value (if a mask is specified, this is logically
              ANDed with the mark before the comparison).


   CONNMARK
       This  is  used  to set the netfilter mark value associated
       with the connection

       --set-mark mark
              Set connection mark

       --save-mark
              Set connection mark to the same as the one  on  the
              packet

       --restore-mark
              Set  the  netfilter  packet  mark  value to the one
              associated with the connection. This is only  valid
              in the mangle table.

ROUTE [ROUTE.patch] [ROUTE.patch.config.in] [ROUTE.patch.configure.help] [ROUTE.patch.help] [ROUTE.patch.makefile]
Author: Cédric de Launois <delaunois@info.ucl.ac.be>
Status: In Development/Works for me
  
  This option adds a `ROUTE' target, which allows you to directly route
  a received packet through a specified interface or towards a host, even
  if the regular destination of the packet is the router itself.
  This target never modifies packets but allows a different routing scheme
  than the one provided by the standard kernel routing table.

  This target is to be used inside the mangle table, in the PREROUTING,
  POSTROUTING or FORWARD hooks.

  ROUTE target options:
    --iface name      Send the packet directly through this interface.
    --to    ip        Route the packet as if its destination address was ip.

  Examples:

  To redirect all outgoing ICMP packets to the eth1 interface:
  # iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --iface eth1

  To tunnel all incoming HTTP packets:
  # iptables -A PREROUTING -t mangle -p tcp --dport 80 -j ROUTE --iface tunl1

  To force the next hop used for ssh packets:
  # iptables -A PREROUTING -t mangle -p tcp --dport 22 -j ROUTE --to w.x.y.z


amanda-conntrack-nat [amanda-conntrack-nat.patch] [amanda-conntrack-nat.patch.config.in] [amanda-conntrack-nat.patch.configure.help] [amanda-conntrack-nat.patch.help] [amanda-conntrack-nat.patch.makefile]
Author: Brian J. Murrell <netfilter@interlinx.bc.ca>
Status: Works for me

This adds CONFIG_IP_NF_AMANDA:
Connection tracking and NATting for the Amanda backup protocol.

condition [condition.patch] [condition.patch.config.in] [condition.patch.configure.help] [condition.patch.help] [condition.patch.makefile]
Author: Stephane Ouellette <ouellettes@videotron.ca>
Status: ItWorksForMe(tm)

This patch adds CONFIG_IP_NF_MATCH_CONDITION which allows you to
match firewall rules against condition variables stored in /proc files.


eggdrop-conntrack [eggdrop-conntrack.patch] [eggdrop-conntrack.patch.config.in] [eggdrop-conntrack.patch.configure.help] [eggdrop-conntrack.patch.help] [eggdrop-conntrack.patch.makefile]
Author: Magnus Sandin <magnus@sandin.cx>
Status: Development

This adds CONFIG_IP_NF_EGG:
Connection tracking for eggdrop bot networks.
It now also supports eggdrop v1.6.x

h323-conntrack-nat [h323-conntrack-nat.patch] [h323-conntrack-nat.patch.config.in] [h323-conntrack-nat.patch.configure.help] [h323-conntrack-nat.patch.help] [h323-conntrack-nat.patch.makefile]
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Alpha

This adds CONFIG_IP_NF_H323: H.323/netmeeting support module for netfilter
connection tracking and NAT. H.323 uses/relies on the following data streams:

	Port		Description
	389 		Internet Locator Server (TCP)
	522		User Location Server (TCP)
	1503 		T.120 Protocol (TCP)
	1720		H.323 (H.225 call setup, TCP)
	1731		Audio call control (TCP)
	Dynamic		H.245 call control (TCP)
	Dynamic		RTCP/RTP streaming (UDP)

The H.323 conntrack/NAT modules support the connection tracking/NATing of
the data streams requested on the dynamic ports. The helpers use the
search/replace hack from the ip_masq_h323.c module for the 2.2 kernel
series.

At the very minimum, H.323/netmeeting (video/audio) is functional by letting
through port 1720 and loading these H.323 module(s).

The H.323 conntrack/NAT modules do not support

- H.245 tunnelling
- H.225 RAS (gatekeepers)

ip_conntrack-timeouts [ip_conntrack-timeouts.patch] [ip_conntrack-timeouts.patch.help]
Author: Jay Schulist <jschlst@linux-sna.org>
Status: New

Here is a patch which allows the user to set the connection tracking
timeout values on a per-state basis via sysctl.

The sysctl files and their format are described below:

The timeout values are based on connection tracking states and are given
in seconds.
 
cat /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts
300 600 120 60 120 120 10 60 30 120
 
NONE = 300 (5 minutes)
ESTABLISHED = 600 (10 minutes)
SYN_SENT = 120 (2 minutes)
SYN_RECV =  60 (60 seconds)
FIN_WAIT = 120 (2 minutes)
TIME_WAIT = 120 (2 minutes)
CLOSE = 10 (10 seconds)
CLOSE_WAIT = 60 (60 seconds)
LAST_ACK = 30 (30 seconds)
LISTEN = 120 (2 minutes)
 
To change the settings in this file, the root-level syntax would be, for example:
sysctl -w net.ipv4.ip_conntrack_tcp_timeouts="300 600 120 60 120 120 10 60 30 120"
 
cat /proc/sys/net/ipv4/ip_conntrack_udp_timeouts
60 180
 
UNREPLIED = 60 (60 seconds)
ASSURED = 180 (3 minutes)
 
sysctl -w net.ipv4.ip_conntrack_udp_timeouts="60 180"
 
When any values are changed in these files they only have immediate effect
on new flows, old flows will use the old value until the flow has been
refreshed.


This patch does not work in combination with tcp-window-tracking.patch
(that patch already has this functionality and a lot of other things)


ip_tables-proc [ip_tables-proc.patch] [ip_tables-proc.patch.help]
Author: Patrick McHardy
Status: Working

This patch creates two new files in /proc/net, "ip_tables_matches" and
"ip_tables_targets", which contain the names of all loaded matches/targets,
as the file ip_tables_names already does for loaded tables.

ipt_TARPIT [ipt_TARPIT.patch] [ipt_TARPIT.patch.config.in] [ipt_TARPIT.patch.help] [ipt_TARPIT.patch.makefile]
Author: "Aaron Hopkins" <lists@die.net>
Status: Works for me


Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources.  Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds.  Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.

This offers similar functionality to LaBrea
<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated hardware
or IPs.  Any TCP port that you would normally DROP or REJECT can instead
become a tarpit.

To tarpit connections to TCP port 80 destined for the current machine:

  iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

To significantly slow down Code Red/Nimda-style scans of unused address
space, forward unused IP addresses to a Linux box not acting as a router
(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
forwarding on the Linux box, and add:

  iptables -A FORWARD -p tcp -j TARPIT
  iptables -A FORWARD -j DROP

You probably don't want the conntrack module loaded while you are using
TARPIT, or you will be using resources per connection.


mms-conntrack-nat [mms-conntrack-nat.patch] [mms-conntrack-nat.patch.config.in] [mms-conntrack-nat.patch.configure.help] [mms-conntrack-nat.patch.help] [mms-conntrack-nat.patch.makefile]
Author: Filip Sneppe <filip.sneppe@cronos.be>
Status: WorksForMe(tm)

This adds CONFIG_IP_NF_MMS: support for Microsoft Streaming Media 
Services. This allows client (Windows Media Player) and server
to negotiate protocol (UDP, TCP) and port for the media stream.

A partially reverse engineered protocol analysis is available 
from http://get.to/sdp, together with a link to a Linux client.

By default, the helper module tracks TCP traffic over port 1755
and adds the necessary UDP or TCP expectation. It is recommended
to also open UDP port 1755 to the server, as this port is used
for retransmission requests.

This helper has been tested in SNAT and DNAT setups.

Note that this helper has *nothing* to do with ip_masq_mms for 
2.2 kernels!

nfnetlink-ctnetlink-0.11 [nfnetlink-ctnetlink-0.11.patch] [nfnetlink-ctnetlink-0.11.patch.config.in] [nfnetlink-ctnetlink-0.11.patch.help] [nfnetlink-ctnetlink-0.11.patch.makefile]
Author: Harald Welte, Jay Schulist <jschlst@samba.org>
Status: Under development, but stabilizing now.

I've finally managed to get the redesign of nfnetlink/ctnetlink done.
There is now the testing version 0.11 in patch-o-matic, it can be found
at patch-o-matic/extra/nfnetlink-ctnetlink.patch.
The next step will be the new iptables kernel<->userspace interface based on
nfnetlink, I'll be concentrating on this during the next week(s).


pptp-conntrack-nat [pptp-conntrack-nat.patch] [pptp-conntrack-nat.patch.config.in] [pptp-conntrack-nat.patch.configure.help] [pptp-conntrack-nat.patch.help] [pptp-conntrack-nat.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Beta

This adds CONFIG_IP_NF_PPTP:
Connection tracking and NAT support for PPTP.

Note that this code currently has limitations:
- can only NAT connections from PNS to PAC
- doesn't support multiple calls within one session


quake3-conntrack [quake3-conntrack.patch] [quake3-conntrack.patch.config.in] [quake3-conntrack.patch.configure.help] [quake3-conntrack.patch.help] [quake3-conntrack.patch.makefile]
Author: Filip Sneppe <filip.sneppe@cronos.be>
Status: WorksForMe (tm)

This adds CONFIG_IP_NF_QUAKE3: a Quake III Arena support module for
netfilter connection tracking/NAT. 

Quake III Arena Internet multiplayer works by querying an Internet
master server on UDP port 27950 for specific Quake III servers. The
master server responds with the IP addresses and UDP ports of
registered game servers. Those UDP ports can be randomly chosen
(although 27960 is often used).

This connection tracking module will listen for UDP replies
from a master server, and will add the necessary expectations
for connections from client to game servers.

Note: Requires newnat !

recent [recent.patch] [recent.patch.config.in] [recent.patch.configure.help] [recent.patch.help] [recent.patch.makefile]
Author: Stephen Frost <sfrost@snowman.net>
Status: Tested locally, no problems so far.

This module is used for creating one or many list(s) of recently seen IP 
addresses and then matching against that/those list(s).

 --name     Specify the list to use for the commands.  If no name is given
            then 'DEFAULT' will be used.

 --set      followed by an optional `!'
	    This will add the source address of the packet to the list.
	    If the source address is already in the list, this will update
	    the existing entry.  This will always return success.

 --rcheck   followed by an optional `!'
	    This will check if the source address of the packet is currently
	    in the list and return true if it is, and false otherwise.

 --update   followed by an optional `!'
            This will check if the source address of the packet is currently
	    in the list.  If it is then that entry will be updated and the
	    rule will return true.  If the source address is not in the list
	    then the rule will return false.

 --remove   followed by an optional `!'
	    This will check if the source address of the packet is currently
	    in the list and if so that address will be removed from the list.

 --seconds  followed by an optional `!', then the value
	    This option must be used in conjunction with one of 'rcheck' or
	    'update'.  When used, this will narrow the match to only happen
	    when the address is in the list and was seen within the last
	    given number of seconds.

 --hitcount followed by an optional `!', then the value
	    This option must be used in conjunction with one of 'rcheck' or
	    'update'.  When used, this will narrow the match to only happen
	    when the address is in the list and packets had been received
	    greater than or equal to the given value.  This option may be
	    used along with 'seconds' to create an even narrower match 
	    requiring a certain number of hits within a specific time frame.

 --rttl     This option must be used in conjunction with one of 'rcheck' or
	    'update'.  When used, this will narrow the match to only happen
	    when the address is in the list and the TTL of the current packet
	    matches that of the packet which hit the --set rule.  This may be
	    useful if you have problems with people faking their source 
	    address in order to DoS you via this module by disallowing others
	    access to your site by sending bogus packets to you.

 --rsource  Save the source address of each packet in the recent list
            table (default).

 --rdest    Save the destination address of each packet in the recent list
            table.

/proc/net/ipt_recent is a directory which contains the currently active lists.

/proc/net/ipt_recent/* are the current lists of addresses and information 
about each entry of each list.

Each file in /proc/net/ipt_recent/ can be read from to see the current list
or written to using the following commands to modify the list:
'echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT' to Add to the DEFAULT list
or 'echo +xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT' for the same result.
'echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT' to Remove from the DEFAULT list
'echo clear > /proc/net/ipt_recent/DEFAULT' to empty the DEFAULT list.

The module itself accepts two parameters:
ip_list_tot=100
ip_pkt_list_tot=10
ip_list_hash_size=0
debug=0

Shown are the defaults.
ip_list_tot is the total number of addresses which will be remembered, note
that the list is searched in-order for every attempted match and so you do
not want to increase this value too much or a lot of time will be spent
traversing the list.

ip_pkt_list_tot is the total number of packets which will be remembered for
each address.  This list is only used by '--hitcount' and so the default
will probably suffice unless you make extensive use of that option.

ip_list_hash_size is the size of the hash table (positions in the table,
not bytes).  If it's '0' then it will be calculated as ip_list_tot*3 and
then rounded up to the next power of 2.  So, by default, it's rounded up
to 512 entries or 1k of memory on your normal 4-byte-int machine.

debug is a setting to display debugging messages.  No levels yet, just 0
for nothing and 1 for everything.  Don't use 1 on production machines,
you'll end up with very full logs before long.  Aside from that it
doesn't actually change any way the code works, just adds printk's.

Example #1:

# iptables -A FORWARD -m recent --rcheck --seconds 60 -j DROP
# iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP

Here we are making a 'bad guy' out of anyone who tries to send data to 
127.0.0.0/8 on our eth0 interface (which should never legitimately
happen).  The first packet will make it past the first rule and then
be caught by the second rule and that address will be put into the
recent list and the packet dropped.

Any subsequent packets for the next 60 seconds that show up from that
address will be dropped, regardless of destination address, destination
port, etc.

Example #2:

# iptables -A FORWARD -m recent --update --seconds 60 -j DROP
# iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP

(The author's favorite method)

This is identical to example #1 except that for every subsequent packet
received from this source address the 'last seen' status will be updated
in the table.  Therefore there must be a 'quiet time' of 60 seconds
before another packet from this address will even be considered.

It is the author's intent that all 'DROP' rules be replaced by:

'-m recent --set -j DROP'

and that a:

'-m recent --update --seconds 60 -j DROP'

rule be added very early on in the rule set, though following any:

'--match state --state ! NEW,INVALID -j ACCEPT'

rules.  If the '--update' rule is before this check for ! NEW,INVALID
packets then ESTABLISHED connection or those in the process of becoming
ESTABLISHED could be disrupted by a malicious person who can modify
his/her source address.
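To make the --set / --rcheck / --update semantics and the two example rulesets above concrete, here is an added Python model of a recent list. It is not the ipt_recent module's code: timestamps are caller-supplied integer seconds instead of jiffies, the eviction policy for a full list is a simplification, and the addresses and packet sequence are constructed. hash_size() reproduces the ip_list_hash_size default described above (100*3 rounded up to 512), and run_example() walks the FORWARD chain of Example #1 (mode "rcheck") and Example #2 (mode "update") to show the "quiet time" difference between them.

```python
# Added example (not the ipt_recent module's code): a model of the list
# semantics described above.  Timestamps are integer seconds supplied by the
# caller; a full list evicts the address seen longest ago (simplification).
from collections import deque


def hash_size(ip_list_tot, ip_list_hash_size=0):
    """ip_list_hash_size=0 means ip_list_tot*3 rounded up to a power of two."""
    if ip_list_hash_size:
        return ip_list_hash_size
    size = 1
    while size < ip_list_tot * 3:
        size <<= 1
    return size


class RecentList:
    """One named list; the module keeps one of these per --name."""

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=10):
        self.ip_list_tot = ip_list_tot
        self.ip_pkt_list_tot = ip_pkt_list_tot
        self.entries = {}   # addr -> {"ttl": int, "hits": deque of timestamps}

    def set(self, addr, now, ttl=64):
        """--set: add the address, or refresh it if listed.  Always matches."""
        entry = self.entries.get(addr)
        if entry is None:
            if len(self.entries) >= self.ip_list_tot:
                oldest = min(self.entries, key=lambda a: self.entries[a]["hits"][-1])
                del self.entries[oldest]
            # only the last ip_pkt_list_tot packet times are kept (for --hitcount)
            entry = {"ttl": ttl, "hits": deque(maxlen=self.ip_pkt_list_tot)}
            self.entries[addr] = entry
        entry["hits"].append(now)
        return True

    def rcheck(self, addr, now, seconds=None, hitcount=None, rttl=None):
        """--rcheck: test the entry without modifying it."""
        return self._matches(addr, now, seconds, hitcount, rttl)

    def update(self, addr, now, seconds=None, hitcount=None, rttl=None):
        """--update: like --rcheck, but a matching packet refreshes 'last seen'."""
        matched = self._matches(addr, now, seconds, hitcount, rttl)
        if matched:
            self.entries[addr]["hits"].append(now)
        return matched

    def remove(self, addr):
        """--remove: delete the address; matches if it was listed."""
        return self.entries.pop(addr, None) is not None

    def _matches(self, addr, now, seconds, hitcount, rttl):
        entry = self.entries.get(addr)
        if entry is None:
            return False
        if rttl is not None and entry["ttl"] != rttl:
            return False            # --rttl: TTL differs from the --set packet
        hits = list(entry["hits"])
        if seconds is not None:     # --seconds: only packets seen recently count
            hits = [t for t in hits if now - t <= seconds]
            if not hits:
                return False
        if hitcount is not None and len(hits) < hitcount:
            return False            # --hitcount: not enough packets (yet)
        return True


def forward_chain(recent, pkt, now, mode):
    """Verdict of the two-rule FORWARD chain of Example #1 (mode='rcheck')
    or Example #2 (mode='update')."""
    check = recent.rcheck if mode == "rcheck" else recent.update
    if check(pkt["src"], now, seconds=60):   # -m recent --rcheck|--update --seconds 60 -j DROP
        return "DROP (recent)"
    if pkt["in"] == "eth0" and pkt["dst"].startswith("127."):
        recent.set(pkt["src"], now, ttl=pkt["ttl"])   # -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP
        return "DROP (listed)"
    return "ACCEPT"


def run_example(mode):
    """Constructed traffic: one probe to 127.0.0.1, then ordinary forwarded
    packets from the same source at 30, 70 and 140 seconds."""
    recent, src = RecentList(), "192.0.2.10"          # constructed (RFC 5737 range)
    packets = [(0, "127.0.0.1"), (30, "198.51.100.7"),
               (70, "198.51.100.7"), (140, "198.51.100.7")]
    return [(t, forward_chain(recent, {"in": "eth0", "src": src, "dst": dst, "ttl": 64}, t, mode))
            for t, dst in packets]


def hitcount_demo():
    """--rcheck --seconds 60 --hitcount 3 fires on the third hit within 60 s
    and stops firing once those hits have aged out of the window."""
    recent, src, out = RecentList(), "192.0.2.20", []
    for t in (0, 10, 20):
        recent.set(src, t)
        out.append(recent.rcheck(src, t, seconds=60, hitcount=3))
    out.append(recent.rcheck(src, 100, seconds=60, hitcount=3))
    return out
```

With "rcheck" the source is dropped at 30 s but accepted again at 70 s, because only the original --set hit is remembered; with "update" the packet at 30 s refreshes the entry, so the one at 70 s is still dropped and only the packet at 140 s (more than 60 s after the last refused one) gets through, which is the quiet time the author describes.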

rsh [rsh.patch] [rsh.patch.config.in] [rsh.patch.configure.help] [rsh.patch.help] [rsh.patch.makefile]
Author: Ian (Larry) Latter <Ian.Latter@mq.edu.au>
Status: request for inclusion

This adds the CONFIG_IP_NF_RSH option, which is the RSH connection
tracker.

An RSH connection tracker is required if the dynamic stderr "Server
to Client" connection is to occur during a normal RSH session.  This
typically operates as follows;

    Client 0:1023 --> Server 514    (stream 1 - stdin/stdout)
    Client 0:1023 <-- Server 0:1023 (stream 2 - stderr)

This connection tracker will identify new RSH sessions, extract the
outbound session details, and notify netfilter of pending "related"
sessions.


Usage:

The intended usage of this modules would be with a ruleset such as;

    # New session from client to server (stream 1)
    -A PREROUTING -t nat -m state -i eth0 -p tcp -s ${client}
           --sport 0:1023 -d ${server} --dport 514 --state 
           NEW,ESTABLISHED -j ACCEPT

    # Continued session from server to client (stream 1)
    -A PREROUTING -t nat -m state -i eth1 -p tcp -s ${server}
           --sport 514 -d ${client} --dport 0:1023 ! --syn
           --state ESTABLISHED -j ACCEPT

    # New session from server to client (stream 2)
    -A PREROUTING -t nat -m state -i eth1 -p tcp -s ${server}
           --sport 0:1023 -d ${client} --dport 0:1023 --state
           RELATED,ESTABLISHED -j ACCEPT

    # Continued session from client to server (stream 2)
    -A PREROUTING -t nat -m state -i eth0 -p tcp -s ${client}
           --sport 0:1023 -d ${server} --dport 0:1023 ! --syn
           --state ESTABLISHED -j ACCEPT



Warning:

  This module could be dangerous. It is not "best practice" to use
RSH, use SSH in all instances.  (rfc1244, rfc1948, rfc2179, etc.
ad nauseam)


string [string.patch] [string.patch.config.in] [string.patch.configure.help] [string.patch.help] [string.patch.makefile]
Author: Emmanuel Roger <winfield@freegates.be>
Status: Working, not with kernel 2.4.9

This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
match a string in a whole packet.

THIS PATCH DOES NOT WORK WITH KERNEL 2.4.9 !!!


talk-conntrack-nat [talk-conntrack-nat.patch] [talk-conntrack-nat.patch.config.in] [talk-conntrack-nat.patch.configure.help] [talk-conntrack-nat.patch.help] [talk-conntrack-nat.patch.makefile]
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Alpha

This adds CONFIG_IP_NF_TALK: talk support module for netfilter
connection tracking and NAT.  This allows both the callee client -
caller server and callee client - caller client connections to work
through connection tracking and NAT.

By default both talk (UDP port 517) and ntalk/ntalk2 (UDP port 518) are
supported. talk/ntalk/ntalk2 support can be selectively enabled/disabled
by the module parameters of the ip_conntrack_talk and ip_nat_talk
modules:

	talk=0|1
	ntalk=0|1
	ntalk2=0|1

where '0' means 'don't support' while '1' means 'do support'
the given protocol flavour.


tcp-window-tracking [tcp-window-tracking.patch] [tcp-window-tracking.patch.help] [tcp-window-tracking.patch.makefile]
Author: Jozsef Kadlecsik
Status: proven to be quite stable, but still experimental
Status: ported to newnat, needs testing.

This patch is an implementation of TCP connection tracking according
to the article 'Real Stateful TCP Packet Filtering in IP Filter' by
Guido van Rooij [1]. It contains the new TCP connection tracking code 
with support to handle already established connections.  It supports 
TCP window scaling too.

Other differences compared to the vanilla TCP connection tracking in
netfilter:

- the default timeout value for the CLOSE_WAIT state is raised to 3 days
- the engine can be fine-tuned by a lot of parameters in 
  /proc/sys/net/ipv4/netfilter/:

 	ip_conntrack_*_timeout*
		conntrack timeout parameters in seconds
	ip_conntrack_max		
		the maximal number of conntrack entries
	ip_conntrack_tcp_be_liberal	
		when enabled, only out of window reset (RST) segments 
		are marked as INVALID; when disabled (default), all 
		out of window packets are marked as INVALID.
	ip_conntrack_tcp_log_invalid_scale 
		log packets with invalid window scaling value (default 
		enabled)
	ip_conntrack_tcp_log_out_of_window 
		log out of window packets (default enabled)
	ip_conntrack_tcp_loose
		when a connection is picked up from the middle, how many 
		packets are required to pass in each direction when the 
		system may assume to be in sync and window tracking can be
		started (default 3).
		If it is set to zero, picking up already established
		connections is disabled.
	ip_conntrack_max_retrans
		The number of the retransmitted packets without receiving
		an ACK from the destination. If this number is reached
		(default 3), the ip_conntrack_timeout_max_retrans timeout
		is applied.
	ip_conntrack_timeout_max_retrans
		The timeout value when we have been seeing only 
		retransmissions. Default value is 5 minutes.		

- Beware!!! /proc/sys/net/ipv4/ip_conntrack_max is moved to
  /proc/sys/net/ipv4/netfilter/ip_conntrack_max. Update your scripts
  which use this parameter!!!

[1] http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz

tftp-conntrack-nat [tftp-conntrack-nat.patch] [tftp-conntrack-nat.patch.config.in] [tftp-conntrack-nat.patch.configure.help] [tftp-conntrack-nat.patch.help]
Author: Magnus Boden <mb@ozaba.mine.nu>

TFTP connections will not work with NAT and this module makes
that work.

modprobe ip_conntrack_tftp ports=69,70 has the effect of
helping tftp connections on port 69 and 70.
If the ports argument is not supplied to modprobe it defaults
to 69.

If you have trouble please drop me a mail and I will help you.

not-accepted

[Top] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [optimizations] [pending] [submitted] [userspace]

not-accepted depends on: submitted pending

Patches which have not been accepted by the kernel maintainers


nf_register_hook [nf_register_hook.patch] [nf_register_hook.patch.help]
Author: Jamal Hadi Selim <drj@cyberus.ca>
Status: Submitted at 2.4.18-pre9 time, REJECTED

Have nf_register_hook() return an error in case somebody registers the
same function at the same hook twice.

Reason for reject: Nobody is allowed to register twice.

obsolete

[Top] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [optimizations] [pending] [submitted] [userspace]

obsolete depends on: submitted pending

Patches which have been obsoleted by other (new) patches


ftos [ftos.patch] [ftos.patch.config.in] [ftos.patch.configure.help] [ftos.patch.help] [ftos.patch.makefile]
Author: Matthew G. Marsh <mgm@paktronix.com>
Status: Obsoleted by new DSCP and ECN targets

This adds CONFIG_IP_NF_TARGET_FTOS option, which allows setting the
TOS field within the packet to any value between 0x0 and 0xff. This
includes all legal TOS values. It does not take account of the DiffServ
split of the field nor does it account for the ECN bit states.

Basically you can set the TOS field to whatever value you want.



oldnat

[Top] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [optimizations] [pending] [submitted] [userspace]

Patches for the old NAT framework (outdated)


CONNMARK [CONNMARK.patch] [CONNMARK.patch.config.in] [CONNMARK.patch.configure.help] [CONNMARK.patch.help] [CONNMARK.patch.makefile]
Author: Henrik Nordstrom <hno@marasystems.com>
Status: working

This patch adds per connection marks, and a target (CONNMARK)
respective a match (connmark) for using these.

Usage:

   connmark
       This  module  matches  the netfilter mark field associated
       with a connection (which can be  set  using  the  CONNMARK
       target below).

       --mark value[/mask]
              Matches  packets  in  connections  with  the  given
              unsigned mark value (if a mask is  specified,  this
              is logically ANDed with the mark before the
              comparison).


   CONNMARK
       This  is  used  to set the netfilter mark value associated
       with the connection

       --set-mark mark
              Set connection mark

       --save-mark
              Set connection mark to the same as the one  on  the
              packet

       --restore-mark
              Set  the  netfilter  packet  mark  value to the one
              associated with the connection. This is only  valid
              in the mangle table.

conntrack-tcp-nopickup [conntrack-tcp-nopickup.patch] [conntrack-tcp-nopickup.patch.config.in] [conntrack-tcp-nopickup.patch.configure.help] [conntrack-tcp-nopickup.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Highly Experimental

This patch affects the TCP state tracking machine.

It alters it in such a way that it will only track TCP connections which are
established _after_ loading ip_conntrack.o on the firewall.

This means, after reloading ip_conntrack.o or a firewall reboot, all TCP 
connections are gone.  No connection pickup is working anymore.

So what's the advantage of this patch?  It can help in certain setups,
where you get ACK-flooded and the machine which is ACK-scanned is not
up or in some other way unable to send RST's.

Please give me feedback if you use this patch.


ctnetlink [ctnetlink.patch] [ctnetlink.patch.config.in] [ctnetlink.patch.configure.help] [ctnetlink.patch.help] [ctnetlink.patch.makefile]
Author: Jay Schulist <jschlst@samba.org>
Status: Experimental

This adds CONFIG_IP_NF_CTNETLINK option, which enables connection
tracking via NETLINK. Netfilter has the ability to communicate connection 
tracking information to user space. This feature allows the user to
receive connection tracking event notification and provides the
ability to change connection states from user space.

Please note that this is an experimental package which will break other
patch-o-matic patches.

eggdrop-conntrack [eggdrop-conntrack.patch] [eggdrop-conntrack.patch.config.in] [eggdrop-conntrack.patch.configure.help] [eggdrop-conntrack.patch.help] [eggdrop-conntrack.patch.makefile]
Author: Magnus Sandin <magnus@sandin.cx>
Status: Development

This adds CONFIG_IP_NF_EGG:
Connection tracking for eggdrop bot networks.
It now also supports eggdrop v1.6.x

ftp-fxp [ftp-fxp.patch] [ftp-fxp.patch.help]
Author: Magnus Sandin <magnus@sandin.cx>
Status: Development

Attached patch adds FXP support to ftp connection tracking. FXP'ing to NAT'ed
ftp daemons does not work yet.

Load ip_conntrack_ftp.o with modprobe ip_conntrack_ftp fxp=1 to enable FXP
functionality in connection tracking of ftp sessions.

WARNING: Applying this patch and enabling the feature _WILL_ reduce security
	 offered by FTP connection tracking significantly.  Use with extreme
	 care - and only if you know what you are doing.

helper [helper.patch] [helper.patch.config.in] [helper.patch.configure.help] [helper.patch.help] [helper.patch.makefile]
Author: Martin Josefsson <gandalf@wlug.westbo.se>
Status: Works for me(tm)

This patch adds the ipt_helper module which is a new match
for iptables. This adds the capability to match packets in a
dynamically allocated connection that's related to a specific 
conntrack helper.

If you want to match all packets belonging to ftp-sessions:
(both ftp-command and ftp-data connections)

iptables -A INPUT -m helper --helper ftp -j ACCEPT

use irc for irc-sessions.

It will currently only work with the ftp and irc conntrack-helpers
but it's easy to add support for other helpers (a one-line patch
to the conntrack-helper).

You'll also need the bidirectional irc patch for irc matching to work
properly.

This patch modifies the way helpers are looked up when iptable_nat is
loaded, the behaviour changes slightly, see comment in patch.
Please report any breakage caused by this.

nat-sack [nat-sack.patch] [nat-sack.patch.help]
Author: Harald Welte 

pptp-conntrack-nat [pptp-conntrack-nat.patch] [pptp-conntrack-nat.patch.config.in] [pptp-conntrack-nat.patch.configure.help] [pptp-conntrack-nat.patch.help]
Author: ...
Status: Development

This adds CONFIG_IP_NF_PPTP:
Connection tracking and NAT support for PPTP.

pptp-gre-ct-nat-0.83 [pptp-gre-ct-nat-0.83.patch] [pptp-gre-ct-nat-0.83.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Beta

This patch adds support for real connection tracking
and NAT of GRE and PPTP connections.

However, there are some limitations on what this patch
can do in the current netfilter framework:

- can't track multiple calls within one control session
- can't DNAT incoming PAC connections
- only covers the common case, where PNS->PAC connection
  is SNAT'ed
- GRE version 0 checksum mangling not tested yet
- incoming call conntrack+NAT testing not supported yet
- assumes all connections are made from PNS->PAC


record-rpc [record-rpc.patch] [record-rpc.patch.config.in] [record-rpc.patch.configure.help] [record-rpc.patch.help] [record-rpc.patch.makefile]
Author: "Marcelo Barbosa Lima" <marcelo.lima@dcc.unicamp.br>
Status: This works now :-)
Status: Ported to 2.4.0-test9-pre2 by Rusty.  May be broken.
Status: Fixed by Marc for 2.4.0.

This adds CONFIG_IP_NF_MATCH_RPC, which supplies two modules,
ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper
requests using UDP and TCP respectively.  It also adds the record_rpc
match for iptables, which matches if the source of the packet has
requested that port through the portmapper before, or it is a new GET
request to the portmapper, allowing effective RPC filtering.

talk-conntrack-nat [talk-conntrack-nat.patch] [talk-conntrack-nat.patch.config.in] [talk-conntrack-nat.patch.configure.help] [talk-conntrack-nat.patch.help] [talk-conntrack-nat.patch.makefile]
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Alpha

This adds CONFIG_IP_NF_TALK: talk support module for netfilter
connection tracking and NAT.  This allows both the callee client -
caller server and callee client - caller client connections to work
through connection tracking and NAT.

By default talk (UDP port 517) and ntalk/ntalk2 (UDP port 518) are
supported. talk/ntalk/ntalk2 support can be selectively enabled/disabled
by the module parameters of the ip_conntrack_talk and ip_nat_talk
modules:

talk=0|1	disable|enable talk support
ntalk=0|1	disable|enable ntalk support
ntalk2=0|1	disable|enable ntalk2 support

The default is talk=1 ntalk=1 ntalk2=1 i.e. support all talk protocols.

tcp-window-tracking [tcp-window-tracking.patch] [tcp-window-tracking.patch.help] [tcp-window-tracking.patch.makefile]
Author: Jozsef Kadlecsik
Status: proven to be quite stable, but still experimental

This patch is an implementation of TCP connection tracking according
to the article 'Real Stateful TCP Packet Filtering in IP Filter' by
Guido van Rooij [1].  It contains the new TCP connection tracking with
support to handle already established connections.  It supports TCP 
window scaling.

[1] http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz

- the default timeout value for the CLOSE_WAIT state is raised to 12 hours
- sysctl support added (/proc/sys/net/ipv4/netfilter/), which means:
        - all conntrack timeout values can be adjusted via sysctl
        - logging of out of window packets and packets with invalid
          window scale value can be disabled/enabled via sysctl
        - a new flag ip_ct_tcp_be_liberal added: when ip_ct_tcp_be_liberal 
	  is set to 0, all out of window packets are marked as INVALID, 
	  while if it's set to 1, only out of window *RST* segments are 
	  marked as INVALID.
- Beware!!! /proc/sys/net/ipv4/ip_conntrack_max is renamed as
  /proc/sys/net/ipv4/netfilter/ip_conntrack_max. Update your scripts
  which use this parameter!!!
- logging of out of window packets are made more verbose

tftp [tftp.patch] [tftp.patch.config.in] [tftp.patch.configure.help] [tftp.patch.help]
Author: Magnus Boden <mb@ozaba.mine.nu>

TFTP connections will not work with NAT and this module makes
that work.

modprobe ip_conntrack_tftp ports=69,70 has the effect of
helping tftp connections on port 69 and 70.
If the ports argument is not supplied to modprobe it defaults
to 69.

If you have trouble please drop me a mail and I will help you.

optimizations

[Top] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [optimizations] [pending] [submitted] [userspace]

optimizations depends on: submitted

Optimizations pending for kernel inclusion


pending

[Top] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [optimizations] [pending] [submitted] [userspace]

pending depends on: submitted

Patches pending for kernel inclusion (about to be submitted)


submitted

[Top] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [optimizations] [pending] [submitted] [userspace]

Patches already submitted to latest kernel


DSCP [DSCP.patch] [DSCP.patch.config.in] [DSCP.patch.configure.help] [DSCP.patch.help] [DSCP.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>,
        Matthew G. Marsh 
Status: Pending for kernel inclusion.

This adds CONFIG_IP_NF_TARGET_DSCP option, which allows setting the
DSCP (formerly called TOS) field within the packet to any value between 
0x0 and 0x4f.


ECN [ECN.patch] [ECN.patch.config.in] [ECN.patch.configure.help] [ECN.patch.help] [ECN.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion.
  
  This option adds a `ECN' target, which can be used in the iptables mangle
  table.  

  You can use this target to set the ECN bits of the IPv4 and TCP header of
  an IP packet.  This is particularly useful if you need to work around
  existing ECN blackholes on the internet, but don't want to disable
  ECN support in general.

 

REJECT-dont_fragment [REJECT-dont_fragment.patch] [REJECT-dont_fragment.patch.help]
Author: David Miller <davem@redhat.com>
Status: Submitted to the kernel at 2.4.19-pre time

This patch fixes a bug in ipt_REJECT where we set the IP header's 
don't fragment bit for the REJECT-generated ICMP message.  

However, there is no PMTU discovery with ICMP - and we should just send
the ICMP error message with DF cleared, so intermediate routers are allowed
to fragment.


REJECT_mark [REJECT_mark.patch] [REJECT_mark.patch.help]
Author: Henrik Nordstrom <hno@marasystems.com>
Status: working

Don't copy the nfmark value of the old packet into the new RST
packet when rejecting with TCP resets.

ip_route_output is not smart enough to know about nfmark routing,
and having the mark value set from start prevents mangle OUTPUT
from rerouting the packet later.

TOS-oops-fix [TOS-oops-fix.patch] [TOS-oops-fix.patch.help]
Author: Edward Killips <etkillips@hotmail.com>
Status: Submitted for kernel inclusion

This patch fixes an Oops related to the TOS manipulation target.


ahesp-static [ahesp-static.patch] [ahesp-static.patch.help]
Author: Paul P Komkoff Jr <i@stingr.net>
Status: working

Make the init and fini functions of ipt_ah.c static.


arptables [arptables.patch] [arptables.patch.help]
Author: David Miller <davem@redhat.com>
Status: Included in kernel 2.4.19-pre4

This adds generic arptables as well as arptable_filter support into the kernel.
The patch needs netfilter-arp.patch to work...


config-cleanup [config-cleanup.patch] [config-cleanup.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-

This patch is a cleanup to some header files and Config.in 


conntrack+nat-helper-unregister [conntrack+nat-helper-unregister.patch] [conntrack+nat-helper-unregister.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-pre3 time

This is a patch fixing some minor problems when
ip_{conntrack,nat}_{irc,ftp}.o are compiled as a module, and
registration of the helper fails.

This is a very rare occasion (somebody would have to try to 
register two different helpers for the same port number).


conntrack [conntrack.patch] [conntrack.patch.config.in] [conntrack.patch.configure.help] [conntrack.patch.help] [conntrack.patch.makefile]
Author: Marc Boucher <marc+nf@mbsi.ca>
Status: Works For Me.

This is a general conntrack match module, a superset of the state match.
(Kernel 2.4.18-pre4 or higher is required)

It allows matching on additional conntrack information, which is
useful in complex configurations, such as NAT gateways with multiple
internet links or tunnels.

It presently supports the following options:


conntrack match v1.2.4 options:
 [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|SNAT|DNAT][,...]
                                State(s) to match
 [!] --ctproto  proto           Protocol to match; by number or name, eg. `tcp'
     --ctorigsrc  [!] address[/mask]
                                Original source specification
     --ctorigdst  [!] address[/mask]
                                Original destination specification
     --ctreplsrc  [!] address[/mask]
                                Reply source specification
     --ctrepldst  [!] address[/mask]
                                Reply destination specification
 [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
                                Status(es) to match
 [!] --ctexpire  time[:time]    Match remaining lifetime in seconds against
                                value or range of values (inclusive)


The "new" SNAT and DNAT states are virtual ones, matching if the original
source address differs from the reply destination, or if the original
destination differs from the reply source.

dscp [dscp.patch] [dscp.patch.config.in] [dscp.patch.configure.help] [dscp.patch.help] [dscp.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion.

This adds CONFIG_IP_NF_MATCH_DSCP option, which allows matching against
the DSCP (formerly called TOS) field within the IPv4 packet.


ecn [ecn.patch] [ecn.patch.config.in] [ecn.patch.configure.help] [ecn.patch.help] [ecn.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion.
  
  This option adds a `ECN' match, which can be used to match against the
  IPv4 and TCP header's ECN bits.
 

helper [helper.patch] [helper.patch.config.in] [helper.patch.configure.help] [helper.patch.help] [helper.patch.makefile]
Author: Martin Josefsson <gandalf@wlug.westbo.se>,
	Harald Welte 
Status: Pending for inclusion after newnat

This patch adds the ipt_helper module which is a new match
for iptables. This adds the capability to match packets in a
dynamically allocated connection that's related to a specific 
conntrack helper.

If you want to match all packets belonging to ftp data sessions:
(only data connections, no control connections)

iptables -A INPUT -m helper --helper ftp -j ACCEPT

use irc for irc-dcc-sessions.

ip6tables-export-symbols [ip6tables-export-symbols.patch] [ip6tables-export-symbols.patch.help]
Author: Brad Chapman <kakadu@earthlink.net>
Status: Submitted for kernel inclusion

This is a bugfix for the ip6_tables code in the current ( <= 2.4.8-pre3 )
kernel source.  It fixes the situation, where ip6_tables.o is statically
linked into the kernel, but some modules (matches/targets/...) want to 
register with ip6_tables.


ip6tables-exthdr-bug [ip6tables-exthdr-bug.patch.ipv6] [ip6tables-exthdr-bug.patch.ipv6.help]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: Included in kernel 2.4.19

The bad extension-header parsing code caused kernel Oopses with special packets.
This patch removes the old parser code and replaces it with a new one. The new
parser has passed the tests.

ip_conntrack_protocol_destroy [ip_conntrack_protocol_destroy.patch] [ip_conntrack_protocol_destroy.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion

This adds support for ip_conntrack_protocol_unregister(), needed if 
layer four protocol helpers (GRE, ...) are implemented as modules.


ip_conntrack_protocol_unregister [ip_conntrack_protocol_unregister.patch] [ip_conntrack_protocol_unregister.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time

This adds support for ip_conntrack_protocol_unregister(), needed if 
layer four protocol helpers (GRE, ...) are implemented as modules.


ip_nat_irc-srcaddr-fix [ip_nat_irc-srcaddr-fix.patch] [ip_nat_irc-srcaddr-fix.patch.help]
Author: Bob Hockney <bhockney@ix.netcom.com>
Status: Submitted for kernel inclusion

The IRC nat helper module has a small bug where it NAT's the source address
of a DCC connection to the address of the IRC server instead of the other
client.  While this doesn't hurt functionality, it is nonetheless a bug and
it might confuse users who do a netstat on their IRC client machine.


ipt_MIRROR-ttl [ipt_MIRROR-ttl.patch] [ipt_MIRROR-ttl.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Compiles, yet untested

This adds TTL decrementing (and checking/dropping) in case the MIRROR
target is used in INPUT or PREROUTING chains/hooks.  This is to avoid 
endless packet loops.

ipt_REJECT-checkentry [ipt_REJECT-checkentry.patch] [ipt_REJECT-checkentry.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Included in kernel 2.4.11

Minor correction to the REJECT target's checkentry function, which had a
long-standing bug that had gone undiscovered only because of cacheline
alignment.


ipt_unclean-ecn [ipt_unclean-ecn.patch] [ipt_unclean-ecn.patch.help]
Author: Guillaume Morin <guillaume@morinfr.org>
Status: Submitted for kernel inclusion

This fixes the unclean match to consider ECN bits in tcp header as clean,
rather than unclean (as it was before).

ipv6-agr [ipv6-agr.patch.ipv6] [ipv6-agr.patch.ipv6.config.in] [ipv6-agr.patch.ipv6.configure.help] [ipv6-agr.patch.ipv6.help] [ipv6-agr.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It worked w/o problems

  This module performs a check on the IPv6 source address:
  it compares the last 64 bits with the EUI64 address (derived
  from the MAC address).

 Example:
  ip6tables -N ipv6ok
  ip6tables -A INPUT -m eui64 -j ipv6ok
  ip6tables -A INPUT -s ! 3FFE:2F00:A0::/64 -j ipv6ok
  ip6tables -A INPUT -j LOG
  ip6tables -A ipv6ok -j ACCEPT


irc-dcc-mask [irc-dcc-mask.patch] [irc-dcc-mask.patch.help]
Author: Harald Welte <laforge@gnumonks.org>,
 	Jozsef Kadlecsik 
Status: Included in linux kernel >= 2.4.18-pre9

This patch fixes an important security issue present in all linux kernel
versions from 2.4.14 to 2.4.18-pre8.  

Details of this security issue can be found at
http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html


length [length.patch.ipv6] [length.patch.ipv6.config.in] [length.patch.ipv6.configure.help] [length.patch.ipv6.help] [length.patch.ipv6.makefile]
Author: Imran Patel <ipatel@crosswinds.net>, shameless adaption from the 
	IPv4 match written by James Morris 
Status: Should Work.

This module is used for matching the total length of an IPv6  
datagram (including the IPv6 header + extension headers, if any) 
against a specific value or inclusive range of values.  To specify
a single value, use the following form:

 --length   followed by an optional `!', then the
            value, ranging from 0 to 65535 (may also be specified in hex
            format).

When specifying a range of values, the first value is taken as the
minimum length and the second value is taken as the maximum length:

 --length  followed by an optional `!', then the
           values in the form of min:max.  Values may range from 0 to 65535
           but the minimum value cannot be greater than the maximum value.

Examples:

# ip6tables -A FORWARD -p udp -m length --length 85:0xffff -j DROP
# ip6tables -A FORWARD -p udp -m length --length ! :84 -j DROP
(both do exactly the same thing)

If a range value is missing, its value
is implied: zero for minimum and 0xffff for maximum.

local-nat [local-nat.patch] [local-nat.patch.config.in] [local-nat.patch.configure.help] [local-nat.patch.help]
Author: Henrik Nordstrom <hno@marasystems.com>, 
 	Harald Welte 
Status: Submitted for kernel inclusion at 2.4.19-pre3 time

This adds CONFIG_IP_NF_NAT_LOCAL, which enables the user to do destination
NAT on locally-originated connections.

Locally-originating means originating on the nat box itself. 

log-tunnel-fix [log-tunnel-fix.patch.ipv6] [log-tunnel-fix.patch.ipv6.help]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: Pending for kernel inclusion

 When the LOG target is used with a tunnel device, it prints out the encapsulator
 header instead of the MAC addresses.
 This patch is a quick workaround for the SIT-class devices. It prints out the
 MAC addresses and the tunnel information. The offsets are hardcoded in this
 patch!


macro-trailing-semicolon-fix [macro-trailing-semicolon-fix.patch] [macro-trailing-semicolon-fix.patch.help]
Author: David Miller <davem@redhat.com>
Status: Included in 2.4.19-pre3

Some macros erroneously contained a trailing semicolon. This patch removes
the trailing semicolons.


mangle5hooks [mangle5hooks.patch] [mangle5hooks.patch.help]
Author: Brad Chapman (kakadu_croc@yahoo.com)
Status: pending for kernel inclusion

This patch expands the number of registered hooks for
both the IPv4 and IPv6 versions of the iptables mangle
table.
Also, like the filter table, the table will accept a module
parameter to change the verdict of the FORWARD chain upon
module load.

nat-export_symbols [nat-export_symbols.patch] [nat-export_symbols.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-

This patch fixes some missed, unexported symbols in ip_nat_standalone.c


nat-memoryleak-fix [nat-memoryleak-fix.patch] [nat-memoryleak-fix.patch.help]
Author: zhongyu <zhongyu@ecfounder.com>
Status: Submitted for kernel inclusion at 2.4.19-pre10 time

This fixes a memory leak in the iptable_nat load/unload code,
which caused a certain memory chunk not to be freed at module
unload time.


netfilter-arp [netfilter-arp.patch] [netfilter-arp.patch.help]
Author: Rusty Russell <rusty@rustcorp.com.au>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time

This adds netfilter hooks to the ARP sender and receiver code.
An ARP tables kernel module will be published soon.


ownercmd [ownercmd.patch] [ownercmd.patch.help]
Author: Marc Boucher <marc+nf@mbsi.ca>
Status: Works For Me.

This patch adds support for local process name matching
to the owner match (--cmd-owner option).

You can use this feature to filter connections forwarded by
your ssh daemon with rules like:

iptables -N CheckSSHSyns
# allow forwarded connections to rsync port on 192.168.1.1
iptables -A CheckSSHSyns -p tcp -d 192.168.1.1 --dport 873 -j RETURN
# refuse everything else
iptables -A CheckSSHSyns -j REJECT --reject-with tcp-reset

iptables -I OUTPUT -p tcp --syn -m owner --cmd-owner sshd -j CheckSSHSyns


pkttype [pkttype.patch] [pkttype.patch.config.in] [pkttype.patch.configure.help] [pkttype.patch.help] [pkttype.patch.makefile]
Author: Michal Ludvig <michal@logix.cz>
Status: It works

This patch allows you to match a packet in accordance
with its "class", e.g. BROADCAST, MULTICAST, ...

iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

remove_no_version [remove_no_version.patch] [remove_no_version.patch.help]
Author: Rusty Russell and Keith Owens
Status: Trivial

This removes __NO_VERSION__ from 2.5, obsolete since 2.3 days.


skb_clone_copy [skb_clone_copy.patch] [skb_clone_copy.patch.help]
Author: Rusty Russell <rusty@rustcorp.com.au>
Status: Included in 2.4.18-pre7

There are some problems when a raw socket has a cloned skb of a packet
where some netfilter code is doing packet payload modification.

In this case, we have to use skb_copy to unshare the skb. This patch
fixes the problem.


ulog-module-unload [ulog-module-unload.patch] [ulog-module-unload.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.19-pre6 time

This fixes a bug which can potentially cause a kernel Oops to happen when
you unload the ipt_ULOG module.


ulog-nlgroup-shift-fix [ulog-nlgroup-shift-fix.patch] [ulog-nlgroup-shift-fix.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.20-pre4 time

There is another bugfix for the ipt_ULOG.c module.  Without this fix, the
module causes an oops if an iptables rule is using the --ulog-nlgroup option
with a value > 4.

It also removes a memory leak when somebody starts throwing packets at
the ulog netlink socket (which is not a normal operation), since the bogus
netlink_rcv() function in ipt_ULOG.c didn't free the received skb.


unclean-udpchecksum [unclean-udpchecksum.patch] [unclean-udpchecksum.patch.help]
Author: Guillaume Morin
Status: Pending for kernel inclusion

This patch fixes the 'unclean' match.  Prior to this fix, the unclean
match dropped UDP packets with no checksum - but UDP checksums are not
mandatory according to the RFCs!

It also fixes the assumption that the UDP source port cannot be 0 (according to
RFC 768, udp sport==0 is valid!)


z-newnat16 [z-newnat16.patch] [z-newnat16.patch.help]
Author: Harald Welte <laforge@gnumonks.org>, 
	Jozsef Kadlecsik 
Status: Submitted for 2.4.20-pre1

Implementation of the new nat API for kernel 2.4.19-pre4 and above.

- enables us to have multiple related expectations
  (necessary for H.323, real IRC and PPTP tracking, ...)
- allows expectations to have timeouts
- adds full SACK support to the NAT code (we no longer strip the
  SACKPERM option out of all SYN packets for ftp/irc connections)


z-newnat_assertfix [z-newnat_assertfix.patch] [z-newnat_assertfix.patch.help]
Author: Martin Josefsson
Status: Submitted to the kernel at 2.4.20-pre10 time

This patch fixes some erroneously-printed ASSERT statements when 
netfilter debugging was switched on.  Please note that the running code
was never wrong, just the debug macros ;)


z-newnat_changeexpect-lockfix [z-newnat_changeexpect-lockfix.patch] [z-newnat_changeexpect-lockfix.patch.help]
Author: Martin Josefsson
Status: Submitted to the kernel at 2.4.20-pre10 time

This patch fixes a locking bug in ip_conntrack_change_expect() of newnat.


userspace

[Top] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [optimizations] [pending] [submitted] [userspace]

userspace depends on: submitted pending base extra

Patches which need to patch userspace iptables. Use with caution


ipt_REJECT-fake-source [ipt_REJECT-fake-source.patch] [ipt_REJECT-fake-source.patch.help]
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: It Works For Me.

Adds the possibility to send icmp-unreachable messages
from a fake source IP address. The original destination of the packet will be
used as the source of the icmp-unreach.

To make it so that the icmp-unreach seems to come from the destination host:
# iptables -A FORWARD -p tcp -d 202.156.58.0/24 --dport domain -j REJECT --fake-source
# iptables --list
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             202.156.58.0/24    tcp dpt:domain reject-with icmp-port-unreachable source-faked

***** WARNING ***** This patch also patches the userspace directory, which means that
                    you have to recompile and reinstall the iptables package after that.

mark-bitwise-ops [mark-bitwise-ops.patch] [mark-bitwise-ops.patch.help]
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: Works For Me.

This patch adds support for matching the nfmark bitwise (and & or).

For example, to test if the second bit of nfmark is set:
# iptables -t mangle -A PREROUTING -p icmp -m mark --markand 0x2/0x2 -j ACCEPT

I'm sure you will find a use for the OR bitwise operation as well :)
# iptables -t mangle -A PREROUTING -p icmp -m mark --markor 0x7/0x1 -j ACCEPT

***** WARNING ***** This patch also patches the userspace directory, which means that
                    you have to recompile and reinstall the iptables package after that.

raw [raw.patch] [raw.patch.config.in] [raw.patch.configure.help] [raw.patch.help] [raw.patch.ipv6] [raw.patch.ipv6.config.in] [raw.patch.ipv6.configure.help] [raw.patch.ipv6.help] [raw.patch.ipv6.makefile] [raw.patch.makefile]
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Testing.

This patch adds a new table called 'raw' with two new targets
'NOTRACK' and 'TRACE' to netfilter/iptables (plus some modifications).

The raw table is the very first in netfilter (it even precedes 
the conntrack subsystem) and uses the PREROUTING and OUTPUT
built-in chains.

The TRACE target can be used to trace how the packet "flows through" 
your tables and rules. When a packet marked with the TRACE target
matches any rule, the system logs the packet with the following
prefix:

	TRACE: tablename/chainname/rulenum packet

The internal logging functionality relies on the available
"backend" logging modules (ipt_LOG or ipt_ULOG). You must load
at least one of the logging modules. If both modules are
loaded, ipt_LOG generates the internal log messages by default;
this can be overridden with the module parameter 'takeover' of
the ipt_ULOG module:

	modprobe ipt_ULOG takeover=1 

The NOTRACK target can be used to select which packets *not* 
to enter the conntrack/NAT subsystems. Please keep in mind:
if you mark a packet with NOTRACK, then

- all the conntrack functionalities are lost for the packet
  (ICMP error tracking, protocol helpers, etc)
- all the NAT functionalities are also lost.

Packets marked with NOTRACK can be matched by the 'UNTRACKED'
state. Example:

# Very busy webserver
iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j NOTRACK
iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 80 -j NOTRACK
...

# filter rules
iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
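As an added example (not part of this page or of the raw patch itself), a small Python parser that reads the "TRACE: tablename/chainname/rulenum packet" prefix described above and groups the hits per flow, so you can see in order which rules a packet traversed. It assumes the packet part is ipt_LOG's KEY=VALUE fields; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the page): prefix follows the
# "TRACE: tablename/chainname/rulenum packet" format of the TRACE target,
# the packet part is assumed to be ipt_LOG-style KEY=VALUE fields.
SAMPLE_LOG = """\
TRACE: raw/PREROUTING/2 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=80
TRACE: mangle/PREROUTING/1 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=80
TRACE: filter/FORWARD/3 IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=80
TRACE: filter/FORWARD/7 IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=80
TRACE: raw/PREROUTING/2 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=53
kernel: unrelated line without a TRACE prefix
"""

TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^/]+)/(?P<chain>[^/]+)/(?P<rulenum>\d+) (?P<packet>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE, value may be empty (OUT=)


def parse_trace_line(line):
    """Return (table, chain, rulenum, fields) or None for non-TRACE lines."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("packet")))
    return m.group("table"), m.group("chain"), int(m.group("rulenum")), fields


def flow_key(fields):
    """5-tuple used to tie the TRACE hits of one packet together."""
    return (fields.get("PROTO"), fields.get("SRC"), fields.get("SPT"),
            fields.get("DST"), fields.get("DPT"))


def trace_paths(log_text):
    """Map each flow to the ordered list of table/chain/rulenum it hit."""
    paths = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_trace_line(line)
        if parsed is None:
            continue
        table, chain, rulenum, fields = parsed
        paths[flow_key(fields)].append(f"{table}/{chain}/{rulenum}")
    return dict(paths)


if __name__ == "__main__":
    for key, path in trace_paths(SAMPLE_LOG).items():
        print(key, "->", " > ".join(path))
```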


raw [raw.patch] [raw.patch.config.in] [raw.patch.configure.help] [raw.patch.help] [raw.patch.ipv6] [raw.patch.ipv6.config.in] [raw.patch.ipv6.configure.help] [raw.patch.ipv6.help] [raw.patch.ipv6.makefile] [raw.patch.makefile]
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Testing.

This patch adds a new table called 'raw' with a new target
called 'TRACE' to netfilter/iptables (plus some modifications).

The raw table is the very first in netfilter and uses the 
PREROUTING and OUTPUT built-in chains.

The TRACE target can be used to trace how the packet "flows through" 
your tables and rules. When a packet marked with the TRACE target
matches any rule, the system logs the packet with the following
prefix:

	TRACE: tablename/chainname/rulenum packet

The internal logging functionality relies on the available
"backend" logging module (ip6t_LOG). You must load the logging
module in, otherwise no log will be generated. 


Generated Mon Jan 13 19:42:31 EST 2003 by pomlist version 0.2.2.