LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 09-10-2005, 02:47 PM   #1
mjl3434
Member
 
Registered: Sep 2003
Location: Los Angeles, CA
Distribution: Fedora 8
Posts: 100

Rep: Reputation: 15
want to understand iptables


So I want to make my own iptables script -- and actually understand what's going on. So far I've seen a bunch of other examples, and tried cutting and pasting, with some success and some failure.

From what I gather from the man page, tables are made of several chains, and the chains contain rules. The rules are matched from start to end. There are 3 built-in tables: filter, nat, and mangle. If any of this info is wrong please let me know.

Anyway I have a few simple questions:

Q1: The man page says the general format for appending a rule is:

iptables -t table -A chain rule-specification

But I see a lot of stuff in people's iptables scripts that doesn't seem to meet this format. What is going on with commands like this?:

iptables --flush # No table is mentioned; which tables/chains are flushed here?
iptables --policy INPUT DROP # Chain and rule but no table; is it automatically the filter table?

Q2: Does this rule make sense? I don't see why you need the first "state" before "--state"

iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Q3: What are common uses for the tables nat, and mangle?

Q4: Any other tips for really understanding how to use iptables?
 
Old 09-10-2005, 03:00 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
A1. It will default to the filter table and flush will flush all chains. You can use "-t nat" etc to switch table.

A2. "-m state" tells iptables to match using the state of the connection and "--state" tells iptables which states to match.

A3. The nat table is used for Network Address Translation whereas mangle can be used to alter the packets:
http://www.netfilter.org/documentati...T-HOWTO-3.html
http://www.netfilter.org/documentati...T-HOWTO-6.html

A4. The iptables man page should have most information but the netfilter documentation should be in more detail: http://www.netfilter.org/documentation/
 
Old 09-10-2005, 03:04 PM   #3
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 117Reputation: 117
A1. All iptables operations without an explicit table operate on the filter table, as its most common use is as a filter. Therefore iptables --flush flushes all chains in the filter table. iptables --policy INPUT DROP sets the policy of the INPUT chain on the filter table to DROP.

A2. -m state means "match against state". --state specifies which states to match against. Yes, one would think that --state would be sufficient to imply both, but I guess the -m flag is to make sure the proper module is loaded. You'd have to ask the iptables designers about that.

A3. NAT is used when one is firewalling a network using iptables and you want to set up Network Address Translation, port forwarding, etc. Mangle is a packet mangler (it actually changes the packets rather than just rerouting them). I can't say that I've ever seen mangle in real use.

A4. When you read scripts, try to understand what each line does. If you're not clear, post here and ask and we'd be happy to explain things to you.
 
Old 09-10-2005, 03:53 PM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,059

Rep: Reputation: 295Reputation: 295Reputation: 295
Also, as general advice, to really understand what's going on, a good understanding of the IP, TCP, UDP, and (probably less importantly) ICMP network protocols is necessary. For instance, TCP packets can have several states set (SYN, ACK, FIN, URG, etc.) that you may want to filter on. You can Google around the Web for guides, and Stevens' Unix Network Programming and TCP/IP Illustrated, Vol. 1 are good resources.

Last edited by btmiller; 09-10-2005 at 03:54 PM.
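Pulling the answers together (the implicit filter table from A1, "-m state --state" from A2, and the TCP flag filtering btmiller mentions), here is an added example of a minimal stateful host firewall script. It is not from the original thread or from any poster; the SSH port, the eth0 interface in the nat comment, and the dry-run default are assumptions.

```shell
#!/bin/sh
# Minimal stateful host firewall, written as an illustration of the answers
# above (not the original poster's or the forum's script).
# IPT defaults to "echo iptables" so the script only prints the commands it
# would run; set IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"

# Every command names its table explicitly: "-t filter" is what iptables
# assumes when -t is omitted, so "iptables -F" and "iptables -t filter -F"
# are the same command.
reset_filter_table() {
    $IPT -t filter -F                 # flush every chain in filter (= iptables --flush)
    $IPT -t filter -X                 # delete user-defined chains
    $IPT -t filter -P INPUT DROP      # = iptables --policy INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

# "-m state" loads the state match module; "--state" is that module's option
# listing which connection states the rule matches.
stateful_rules() {
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    # Only brand-new TCP connections to SSH (port 22, assumed) are allowed in.
    $IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# TCP flag sanity checks: these flag combinations never occur in a legitimate
# handshake, so dropping them is safe. Syntax: --tcp-flags <mask> <set>.
tcp_flag_rules() {
    $IPT -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
}

# The nat table is separate from filter: this single rule (assumed outside
# interface eth0) would hide a LAN behind the host's address. Not enabled here.
# nat_rules() { $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE; }

build_firewall() {
    reset_filter_table
    stateful_rules
    tcp_flag_rules
}

build_firewall
```

Run it as-is to see the 13 fully qualified commands; compare them with the shorthand forms in the question to see which table each one touches.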