09-10-2005, 02:47 PM
#1
Member
Registered: Sep 2003
Location: USA
Distribution: Ubuntu 20.04
Posts: 111
want to understand iptables
So I want to make my own iptables script -- and actually understand what's going on. So far I've seen a bunch of other examples, and tried cutting and pasting, with some success and some failure.
From what I gather from the man page, tables are made of several chains, and the chains contain rules. The rules are matched from start to end. There are 3 built-in tables: filter, nat, and mangle. If any of this info is wrong please let me know.
Anyway I have a few simple questions:
Q1: The man page says the general format for appending a rule is:
iptables -t table -A chain rule-specification
But I see a lot of stuff in people's iptables scripts that doesn't seem to meet this format. What is going on with commands like these?
iptables --flush // No table is mentioned; which tables/chains are flushed here?
iptables --policy INPUT DROP // Chain and rule but no table; is it automatically the filter table?
Q2: Does this rule make sense? I don't see why you need the first "state" before "--state":
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Q3: What are common uses for the tables nat and mangle?
Q4: Any other tips for really understanding how to use iptables?
09-10-2005, 03:00 PM
#2
Moderator
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047
A1. It will default to the filter table, and flush will flush all chains. You can use "-t nat" etc. to switch table.
A2. "-m state" tells iptables to match using the state of the connection, and "--state" tells iptables which states to match.
A3. The nat table is used for Network Address Translation, whereas mangle can be used to alter the packets:
http://www.netfilter.org/documentati...T-HOWTO-3.html
http://www.netfilter.org/documentati...T-HOWTO-6.html
A4. The iptables man page should have most information, but the netfilter documentation should be in more detail: http://www.netfilter.org/documentation/
09-10-2005, 03:04 PM
#3
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
A1. All iptables operations without an explicit table operate on the filter table, as its most common use is as a filter. Therefore iptables --flush flushes all chains in the filter table. iptables --policy INPUT DROP sets the policy of the INPUT chain on the filter table to DROP.
A2. -m state means "match against state". --state specifies which states to match against. Yes, one would think that --state would be sufficient to imply both, but I guess the -m flag is to make sure the proper module is loaded. You'd have to ask the iptables designers about that.
A3. NAT is used when one is firewalling a network using iptables and you want to set up Network Address Translation, port forwarding, etc. Mangle is a packet mangler (it actually changes the packets rather than just rerouting them). I can't say that I've ever seen mangle in real use.
A4. When you read scripts, try to understand what each line does. If you're not clear, post here and ask and we'd be happy to explain things to you.
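As an added worked example (not posted by anyone in this thread), here is a small stateful firewall script that puts the answers to Q1, Q2 and Q3 into practice: every command names its table with -t, the state match is written out in full, and the nat and mangle tables each get one representative rule. It prints the commands instead of running them so they can be reviewed first; the interface name eth0 and the LAN range 192.168.1.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful firewall script that
# names the table on every line, so Q1 ("which table does this touch?") never
# comes up. Interface and LAN range are placeholders, overridable from the
# environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print one iptables command; apply_rules executes them, so the caller can
# review or diff the rule set before it touches a live box.
rule() { printf 'iptables %s\n' "$*"; }

firewall_rules() {
    # Q1: with no -t, iptables assumes the filter table, and -F on its own
    # flushes only that table's chains. Say -t explicitly and flush all three.
    rule -t filter -F
    rule -t nat -F
    rule -t mangle -F
    # Default policies: drop what no rule accepts, allow outbound.
    rule -t filter -P INPUT DROP
    rule -t filter -P FORWARD DROP
    rule -t filter -P OUTPUT ACCEPT
    rule -t filter -A INPUT -i lo -j ACCEPT
    # Q2: "-m state" loads the connection-tracking match; "--state" is that
    # match's option. Replies to connections we opened arrive as ESTABLISHED
    # or RELATED; only NEW connections need a per-service rule.
    rule -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -t filter -A INPUT -m state --state INVALID -j DROP
    rule -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    rule -t filter -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    rule -t filter -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Q3: nat rewrites addresses (here: masquerade the LAN behind WAN_IF);
    # mangle alters header fields, e.g. the TOS bits on interactive SSH.
    rule -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    rule -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
}

# Execute the generated commands as root, stopping at the first failure.
apply_rules() { firewall_rules | sh -e; }

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run the script with no arguments to inspect the rules it would load, and with "apply" (as root) to load them.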
09-10-2005, 03:53 PM
#4
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
Also, as general advice, to really understand what's going on, a good understanding of the IP, TCP, UDP, and (probably less importantly) ICMP network protocols is necessary. For instance, TCP packets can have several states set (SYN, ACK, FIN, URG, etc.) that you may want to filter on. You can Google around the Web for guides, and Stevens' Unix Network Programming and TCP/IP Illustrated, Vol. 1 are good resources.
Last edited by btmiller; 09-10-2005 at 03:54 PM.