Linux - Newbie
So I want to make my own iptables script -- and actually understand what's going on. So far I've seen a bunch of other examples, and tried cutting and pasting, with some success and some failure.
From what I gather from the man page, tables are made of several chains, and the chains contain rules. The rules are matched from start to end. There are 3 built-in tables: filter, nat, and mangle. If any of this info is wrong please let me know.
Anyway I have a few simple questions:
Q1: The man page says the general format for appending a rule is:
iptables -t table -A chain rule-specification
But I see a lot of stuff in people's iptables scripts that don't seem to meet this format. What is going on with commands like this?:
iptables --flush // No table is mentioned which tables/chains are flushed here?
iptables --policy INPUT DROP // Chain, and rule but no table, is it automatically filter table?
Q2: Does this rule make sense? I don't see why you need the first "state" before "--state"
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Q3: What are common uses for the tables nat, and mangle?
Q4: Any other tips for really understanding how to use iptables?
A1. All iptables operations without an explicit table operate on the filter table, as its most common use is as a filter. Therefore iptables --flush flushes all chains in the filter table. iptables --policy INPUT DROP sets the policy of the INPUT chain on the filter table to DROP.
A2. -m state means "match against state". --state specifies which states to match against. Yes, one would think that --state would be sufficient to imply both, but I guess the -m flag is to make sure the proper module is loaded. You'd have to ask the iptables designers about that.
A3. NAT is used when one is firewalling a network using iptables and you want to set up Network Address Translation, port forwarding, etc. Mangle is a packet mangler (it actually changes the packets rather than just rerouting them). I can't say that I've ever seen mangle in real use.
A4. When you read scripts, try to understand what each line does. If you're not clear, post here and ask and we'd be happy to explain things to you.
Also, as general advice, to really understand what's going on, a good understanding of the IP, TCP, UDP, and (probably less importantly) ICMP network protocols is necessary. For instance, TCP packets can have several states set (SYN, ACK, FIN, URG, etc.) that you may want to filter on. You can Google around the Web for guides, and Stevens' Unix Network Programming and TCP/IP Illustrated, Vol. 1 are good resources.
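A small, readable firewall script that puts A1 to A3 into practice, added here as an example; it is not from the thread or from either poster. It assumes a host whose Internet-facing interface is eth0, a LAN on eth1 numbered 192.168.1.0/24, and a web server on that LAN at 192.168.1.10; those interface names and addresses are placeholders to replace with your own. Every rule names its table explicitly, so the filter table that iptables assumes when -t is omitted (A1) is visible; the INPUT and OUTPUT chains use the -m state / --state pair from A2; the nat section shows the masquerading and port-forwarding uses from A3. Without --apply the script only prints the commands, so the rule list can be read before anything is loaded into the kernel.

```shell
#!/bin/sh
# Stateful firewall script (added example, not from the original thread).
# Assumed placeholders: WAN_IF, LAN_IF, LAN_NET, WEB_HOST; override them
# in the environment to match your own network.
IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_HOST=${WEB_HOST:-192.168.1.10}

# Rules for the filter table. "-t filter" is what iptables assumes when no
# table is given, so "iptables -F" and "iptables -t filter -F" are identical.
# Rules are matched top to bottom; the first match wins, and a packet that
# matches nothing falls through to the chain policy (-P).
filter_rules() {
    cat <<EOF
-t filter -F
-t filter -X
-t filter -P INPUT DROP
-t filter -P FORWARD DROP
-t filter -P OUTPUT DROP
-t filter -A INPUT -i lo -j ACCEPT
-t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-t filter -A INPUT -m state --state INVALID -j DROP
-t filter -A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-t filter -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-t filter -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-t filter -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-t filter -A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
EOF
}
# Notes on the filter rules above:
# - "-m state" loads the connection-tracking match; "--state" is an option
#   that only exists once that match is loaded (A2).
# - With OUTPUT policy DROP, the OUTPUT rule accepting NEW,RELATED,ESTABLISHED
#   leaves only INVALID outbound packets to be dropped.
# - The LOG rule sits last in INPUT so only packets that nothing above
#   accepted are logged (rate-limited) before the DROP policy applies.

# Rules for the nat table: source NAT (masquerading) for the LAN and a port
# forward of WAN port 8080 to the web host. DNAT rewrites the destination,
# but the packet still passes the filter FORWARD chain, hence the matching
# FORWARD rule above.
nat_rules() {
    cat <<EOF
-t nat -F
-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
-t nat -A PREROUTING -i $WAN_IF -p tcp --dport 8080 -j DNAT --to-destination $WEB_HOST:80
EOF
}

all_rules() {
    filter_rules
    nat_rules
}

# Apply every rule in order. eval is used so the quoted log prefix survives
# the word splitting of each line.
apply_rules() {
    all_rules | while IFS= read -r rule; do
        eval "$IPTABLES $rule"
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) all_rules | sed "s|^|$IPTABLES |" ;;
esac
```

Run it as `sh firewall.sh` to review the generated commands, and as root with `sh firewall.sh --apply` to load them. Forwarding between the LAN and WAN additionally requires net.ipv4.ip_forward to be enabled through sysctl; the script does not change that setting.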