So I want to make my own iptables script -- and actually understand what's going on. So far I've seen a bunch of other examples, and tried cutting and pasting, with some success and some failure.
From what I gather from the man page, tables are made of several chains, and the chains contain rules. The rules are matched from start to end. There are 3 built-in tables: filter, nat, and mangle. If any of this info is wrong please let me know.
Anyway I have a few simple questions:
Q1: The man page says the general format for appending a rule is:
iptables -t table -A chain rule-specification
But I see a lot of stuff in people's iptables scripts that doesn't seem to meet this format. What is going on with commands like these?
iptables --flush // No table is mentioned which tables/chains are flushed here?
iptables --policy INPUT DROP // Chain, and rule but no table, is it automatically filter table?
Q2: Does this rule make sense? I don't see why you need the first "state" before "--state".
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Q3: What are common uses for the tables nat and mangle?
Q4: Any other tips for really understanding how to use iptables?
A1. All iptables operations without an explicit table operate on the filter table, as its most common use is as a filter. Therefore iptables --flush flushes all chains in the filter table. iptables --policy INPUT DROP sets the policy of the INPUT chain on the filter table to DROP.
A2. -m state means "match against state". --state specifies which states to match against. Yes, one would think that --state would be sufficient to imply both, but I guess the -m flag is to make sure the proper module is loaded. You'd have to ask the iptables designers about that.
A3. NAT is used when one is firewalling a network using iptables and you want to set up Network Address Translation, port forwarding, etc. Mangle is a packet mangler (it actually changes the packets rather than just rerouting them). I can't say that I've ever seen mangle in real use.
A4. When you read scripts, try to understand what each line does. If you're not clear, post here and ask and we'd be happy to explain things to you.
Also, as general advice, to really understand what's going on, a good understanding of the IP, TCP, UDP, and (probably less importantly) ICMP network protocols is necessary. For instance, TCP packets can have several states set (SYN, ACK, FIN, URG, etc.) that you may want to filter on. You can Google around the Web for guides, and Stevens' Unix Network Programming and TCP/IP Illustrated, Vol. 1 are good resources.
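As an added example (not from either post above), here is a minimal filter-table script that puts A1 and A2 into practice: every command names -t filter explicitly so the default table is visible, and the state match is spelled out as -m state / --state. It assumes a single upstream interface called eth0 and SSH as the only inbound service; it prints the commands unless run with APPLY=1 as root.

```sh
#!/bin/sh
# Added example, not from the original thread. Dry-run by default:
# set APPLY=1 and run as root to load the rules for real.
IPTABLES="${IPTABLES:-iptables}"
# Constructed assumption: one upstream interface named eth0.
WAN="${WAN:-eth0}"

build_ruleset() {
    # Start clean. A bare "iptables --flush" means exactly this (A1).
    $IPTABLES -t filter --flush

    # Default-deny inbound and forwarded traffic, allow outbound.
    $IPTABLES -t filter --policy INPUT DROP
    $IPTABLES -t filter --policy FORWARD DROP
    $IPTABLES -t filter --policy OUTPUT ACCEPT

    # Local services talk to themselves over loopback.
    $IPTABLES -t filter -A INPUT -i lo -j ACCEPT

    # "-m state" selects the state match; "--state" is its option (A2).
    # Newer iptables spell the same thing "-m conntrack --ctstate".
    # Replies to connections this host opened are let back in ...
    $IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ... and packets that fit no tracked connection are dropped early.
    $IPTABLES -t filter -A INPUT -m state --state INVALID -j DROP

    # The only NEW inbound connection accepted: SSH on the upstream side.
    $IPTABLES -t filter -A INPUT -i "$WAN" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
}

# Number of rules appended (-A) in a dry run; handy for checking edits.
count_appended() {
    (IPTABLES=echo; build_ruleset) | grep -c -- ' -A '
}

[ "${APPLY:-0}" = 1 ] || IPTABLES=echo
build_ruleset
```

Reading the dry-run output line by line, as A4 suggests, shows which table and chain each command touches before anything is applied.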