.PP
Here is an example of use:
.PP
-iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing
-iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing;
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales;
.PP
This creates two tables called "all_outgoing" and "sales" which can be
queried using the userspace library/iptaccount tool.
Causes confusion on the other end by doing odd things with incoming packets.
CHAOS will randomly reply (or not) with one of its configurable subtargets:
.TP
-\fB--delude\fP
+\fB\-\-delude\fP
Use the REJECT and DELUDE targets as a base to do a sudden or deferred
connection reset, fooling some network scanners to return non-deterministic
(randomly open/closed) results, and in case it is deemed open, it is actually
closed/filtered.
.TP
-\fB--tarpit\fP
+\fB\-\-tarpit\fP
Use the REJECT and TARPIT target as a base to hold the connection until it
times out. This consumes conntrack entries when connection tracking is loaded
(which usually is on most machines), and routers inbetween you and the Internet
system is booted (and the MAC be changed with `ip link set eth0 address
aa:bb..`).
.TP
-\fB--set-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
+\fB\-\-set\-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
Replace the client host MAC address field in the DHCP message with the given
MAC address. This option is mandatory. The \fImask\fP parameter specifies the
prefix length of bits to change.
EXAMPLE, replacing all addresses from one of VMware's assigned vendor IDs
(00:50:56) addresses with something else:
.PP
-iptables -t mangle -A FORWARD -p udp --dport 67 -m physdev --physdev-in vmnet1
--m dhcpmac --mac 00:50:56:00:00:00/24 -j DHCPMAC --set-mac
-ab:cd:ef:00:00:00/24
+iptables \-t mangle \-A FORWARD \-p udp \-\-dport 67 \-m physdev
+\-\-physdev\-in vmnet1 \-m dhcpmac \-\-mac 00:50:56:00:00:00/24 \-j DHCPMAC
+\-\-set\-mac ab:cd:ef:00:00:00/24
.PP
-iptables -t mangle -A FORWARD -p udp --dport 68 -m physdev --physdev-out vmnet1
--m dhcpmac --mac ab:cd:ef:00:00:00/24 -j DHCPMAC --set-mac
-00:50:56:00:00:00/24
+iptables \-t mangle \-A FORWARD \-p udp \-\-dport 68 \-m physdev
+\-\-physdev\-out vmnet1 \-m dhcpmac \-\-mac ab:cd:ef:00:00:00/24 \-j DHCPMAC
+\-\-set\-mac 00:50:56:00:00:00/24
.PP
(This assumes there is a bridge interface that has vmnet1 as a port. You will
also need to add appropriate ebtables rules to change the MAC address of the
This target is to be used inside the \fBmangle\fP table.
.TP
-\fB--addr\fP {\fBsrc\fP|\fBdst\fP}
+\fB\-\-addr\fP {\fBsrc\fP|\fBdst\fP}
Select source or destination IP address as a basis for the mark.
.TP
-\fB--and-mask\fP \fImask\fP
+\fB\-\-and\-mask\fP \fImask\fP
Perform bitwise AND on the IP address and this bitmask.
.TP
-\fB--or-mask\fP \fImask\fP
+\fB\-\-or\-mask\fP \fImask\fP
Perform bitwise OR on the IP address and this bitmask.
.TP
-\fB--shift\fP \fIvalue\fP
+\fB\-\-shift\fP \fIvalue\fP
Shift addresses to the right by the given number of bits before taking it
as a mark. (This is done before ANDing or ORing it.) This option is needed
to select part of an IPv6 address, because marks are only 32 bits in size.
.PP
Earlier we had many rules just like below:
.IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
---set-mark 0x10502
+iptables \-t mangle \-A POSTROUTING \-o eth3 \-d 192.168.5.2 \-j MARK
+\-\-set\-mark 0x10502
.IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
---set-mark 0x10503
+iptables \-t mangle \-A POSTROUTING \-o eth3 \-d 192.168.5.3 \-j MARK
+\-\-set\-mark 0x10503
.PP
Using IPMARK target we can replace all the mangle/mark rules with only one:
.IP
-iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr dst
---and-mask 0xffff --or-mask 0x10000
+iptables \-t mangle \-A POSTROUTING \-o eth3 \-j IPMARK \-\-addr dst
+\-\-and\-mask 0xffff \-\-or\-mask 0x10000
.PP
On the routers with hundreds of users there should be significant load
decrease (e.g. twice).
2001:db8:45:1d:20d:93ff:fe9b:e443 and the resulting mark should be 0x93ff,
then a right-shift of 16 is needed first:
.IP
--t mangle -A PREROUTING -s 2001:db8::/32 -j IPMARK --addr src --shift 16
---and-mask 0xFFFF
+\-t mangle \-A PREROUTING \-s 2001:db8::/32 \-j IPMARK \-\-addr src \-\-shift
+16 \-\-and\-mask 0xFFFF
The LOGMARK target will log packet and connection marks to syslog.
.TP
-\fB--log-level\fR \fIlevel\fR
+\fB\-\-log\-level\fR \fIlevel\fR
A logging level between 0 and 8 (inclusive).
.TP
-\fB--log-prefix\fR \fIstring\fR
+\fB\-\-log\-prefix\fR \fIstring\fR
Prefix log messages with the specified prefix; up to 29 bytes long, and useful
for distinguishing messages in the logs.
.TP
-\fB--log-nfmark\fR
+\fB\-\-log\-nfmark\fR
Include the packet mark in the log.
.TP
-\fB--log-ctmark\fR
+\fB\-\-log\-ctmark\fR
Include the connection mark in the log.
.TP
-\fB--log-secmark\fR
+\fB\-\-log\-secmark\fR
Include the packet secmark in the log.
The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
much like the \fBNETMAP\fR target.
.TP
-\fB--to-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
+\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All 'one' bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
enters the machine or when it leaves it. The reason for this table constraint
is that RAWNAT must happen outside of connection tracking.
.TP
-\fB--to-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
+\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All 'one' bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
As an example, changing the destination for packets forwarded from an internal
LAN to the internet:
.IP
--t raw -A PREROUTING -i lan0 -d 212.201.100.135 -j RAWDNAT --to-destination 199.181.132.250
--t rawpost -A POSTROUTING -o lan0 -s 199.181.132.250 -j RAWSNAT --to-source 212.201.100.135
+\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250;
+\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135;
.PP
Note that changing addresses may influence the route selection! Specifically,
it statically NATs packets, not connections, like the normal DNAT/SNAT targets
-would do. Also note that it can transform already-NATed connections -- as said,
-it is completely external to Netfilter's connection tracking/NAT.
+would do. Also note that it can transform already-NATed connections \(em as
+said, it is completely external to Netfilter's connection tracking/NAT.
.PP
If the machine itself generates packets that are to be rawnat'ed, you need a
rule in the OUTPUT chain instead, just like you would with the stateful NAT
The SYSRQ target allows to remotely trigger sysrq on the local machine over the
network. This can be useful when vital parts of the machine hang, for example
an oops in a filesystem causing locks to be not released and processes to get
-stuck as a result - if still possible, use /proc/sysrq-trigger. Even when
+stuck as a result \(em if still possible, use /proc/sysrq-trigger. Even when
processes are stuck, interrupts are likely to be still processed, and as such,
sysrq can be triggered through incoming network packets.
.PP
have a small window of vulnerability should time go backwards at a reboot.
However, the file /sys/module/xt_SYSREQ/seqno can be used to both query and
update the current sequence number. Also, you should limit as to who can issue
-commands using \fB-s\fP and/or \fB-m mac\fP, and also that the destination is
-correct using \fB-d\fP (to protect against potential broadcast packets), noting
-that it is still short of MAC/IP spoofing:
+commands using \fB\-s\fP and/or \fB\-m mac\fP, and also that the destination is
+correct using \fB\-d\fP (to protect against potential broadcast packets),
+noting that it is still short of MAC/IP spoofing:
.IP
--A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
--p udp --dport 9 -j SYSRQ
+\-A INPUT \-s 10.10.25.1 \-m mac \-\-mac\-source aa:bb:cc:dd:ee:ff \-d
+10.10.25.7 \-p udp \-\-dport 9 \-j SYSRQ
.IP
-(with IPsec) -A INPUT -s 10.10.25.1 -d 10.10.25.7 -m policy --dir in --pol
-ipsec --proto esp --tunnel-src 10.10.25.1 --tunnel-dst 10.10.25.7
--p udp --dport 9 -j SYSRQ
+(with IPsec) \-A INPUT \-s 10.10.25.1 \-d 10.10.25.7 \-m policy \-\-dir in
+\-\-pol ipsec \-\-proto esp \-\-tunnel\-src 10.10.25.1 \-\-tunnel\-dst
+10.10.25.7 \-p udp \-\-dport 9 \-j SYSRQ
.PP
You should also limit the rate at which connections can be received to limit
the CPU time taken by illegal requests, for example:
.IP
--A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
--p udp --dport 9 -m limit --limit 5/minute -j SYSRQ
+\-A INPUT \-s 10.10.25.1 \-m mac \-\-mac\-source aa:bb:cc:dd:ee:ff \-d
+10.10.25.7 \-p udp \-\-dport 9 \-m limit \-\-limit 5/minute \-j SYSRQ
.PP
-This extension does not take any options. The \fB-p udp\fP options are
+This extension does not take any options. The \fB\-p udp\fP options are
required.
.PP
The SYSRQ password can be changed through
/sys/module/xt_SYSRQ/parameters/password, for example:
.IP
-echo -n "password" >/sys/module/xt_SYSRQ/parameters/password
+echo \-n "password" >/sys/module/xt_SYSRQ/parameters/password
.PP
Alternatively, the password may be specified at modprobe time, but this is
insecure as people can possible see it through ps(1). You can use an option
password="password"
seqno="$(date +%s)"
salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
- openssl enc -base64)"
+ openssl enc \-base64)"
req="$sysrq_key,$seqno,$salt"
-req="$req,$(echo -n "$req,$password" | sha1sum | cut -c1-40)"
+req="$req,$(echo \-n "$req,$password" | sha1sum | cut \-c1\-40)"
-echo "$req" | socat stdin udp-sendto:10.10.25.7:9
+echo "$req" | socat stdin udp\-sendto:10.10.25.7:9
# or
-echo "$req" | netcat -uw1 10.10.25.7 9
+echo "$req" | netcat \-uw1 10.10.25.7 9
.fi
.PP
See the Linux docs for possible sysrq keys. Important ones are: re(b)oot,
-power(o)ff, (s)ync filesystems, (u)mount and remount readonly. More than one
+power(o)ff, (s)ync filesystems, (u)mount and remount readonly. More than one
sysrq key can be used at once, but bear in mind that, for example, a sync may
not complete before a subsequent reboot or poweroff.
.PP
To tarpit connections to TCP port 80 destined for the current machine:
.IP
--A INPUT -p tcp -m tcp --dport 80 -j TARPIT
-.P
+\-A INPUT \-p tcp \-m tcp \-\-dport 80 \-j TARPIT
+.PP
To significantly slow down Code Red/Nimda-style scans of unused address space,
forward unused ip addresses to a Linux box not acting as a router (e.g. "ip
route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP forwarding on
the Linux box, and add:
.IP
--A FORWARD -p tcp -j TARPIT
+\-A FORWARD \-p tcp \-j TARPIT
.IP
--A FORWARD -j DROP
+\-A FORWARD \-j DROP
.PP
NOTE:
If you use the conntrack module while you are using TARPIT, you should also use
each TARPITted connection. To TARPIT incoming connections to the standard IRC
port while using conntrack, you could:
.IP
--t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+\-t raw \-A PREROUTING \-p tcp \-\-dport 6667 \-j NOTRACK
.IP
--A INPUT -p tcp --dport 6667 -j TARPIT
+\-A INPUT \-p tcp \-\-dport 6667 \-j TARPIT
must be the target, or you will have to configure the nexthop to forward it
further if so desired.
.TP
-\fB--gw\fP \fIipaddr\fP
+\fB\-\-gw\fP \fIipaddr\fP
Send the cloned packet to the host reachable at the given IP address.
Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
This matches if a specific condition variable is (un)set.
.TP
-[\fB!\fP] \fB--condition\fP \fIname\fP
+[\fB!\fP] \fB\-\-condition\fP \fIname\fP
Match on boolean value stored in /proc/net/nf_condition/\fIname\fP.
.TP
-\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
+\fB\-\-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
Matches the DHCP "Client Host" address (a MAC address) in a DHCP message.
\fImask\fP specifies the prefix length of the initial portion to match.
This module matches a rate limit based on a fuzzy logic controller (FLC).
.TP
-\fB--lower-limit\fP \fInumber\fP
+\fB\-\-lower\-limit\fP \fInumber\fP
Specifies the lower limit, in packets per second.
.TP
-\fB--upper-limit\fP \fInumber\fP
+\fB\-\-upper\-limit\fP \fInumber\fP
Specifies the upper limit, also in packets per second.
Match a packet by its source or destination country.
.TP
-[\fB!\fP] \fB--src-cc\fP, \fB--source-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
+[\fB!\fP] \fB\-\-src\-cc\fP, \fB\-\-source\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
Match packet coming from (one of) the specified country(ies)
.TP
-[\fB!\fP] \fB--dst-cc\fP, \fB--destination-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
+[\fB!\fP] \fB\-\-dst\-cc\fP, \fB\-\-destination\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
Match packet going to (one of) the specified country(ies)
.TP
NOTE:
[\fB!\fP] \fB\-\-dynamic\fP
Check the DYNAMIC flag.
.TP
-[\fB!\fP] \fB\-\-lower-up\fP
+[\fB!\fP] \fB\-\-lower\-up\fP
Check the LOWER_UP flag.
.TP
[\fB!\fP] \fB\-\-dormant\fP
This module matches certain packets in P2P flows. It is not
-designed to match all packets belonging to a P2P connection -
+designed to match all packets belonging to a P2P connection \(em
use IPP2P together with CONNMARK for this purpose.
.PP
-Use it together with -p tcp or -p udp to search these protocols
-only or without -p switch to search packets of both protocols.
+Use it together with \-p tcp or \-p udp to search these protocols
+only or without \-p switch to search packets of both protocols.
.PP
IPP2P provides the following options, of which one or more may be specified
on the command line:
.TP
-.B "--edk "
+\fB\-\-edk\fP
Matches as many eDonkey/eMule packets as possible.
.TP
-.B "--kazaa "
+\fB\-\-kazaa\fP
Matches as many KaZaA packets as possible.
.TP
-.B "--gnu "
+\fB\-\-gnu\fP
Matches as many Gnutella packets as possible.
.TP
-.B "--dc "
+\fB\-\-dc\fP
Matches as many Direct Connect packets as possible.
.TP
-.B "--bit "
+\fB\-\-bit\fP
Matches BitTorrent packets.
.TP
-.B "--apple "
+\fB\-\-apple\fP
Matches AppleJuice packets.
.TP
-.B "--soul "
+\fB\-\-soul\fP
Matches some SoulSeek packets. Considered as beta, use careful!
.TP
-.B "--winmx "
+\fB\-\-winmx\fP
Matches some WinMX packets. Considered as beta, use careful!
.TP
-.B "--ares "
-Matches Ares and AresLite packets. Use together with -j DROP only.
+\fB\-\-ares\fP
+Matches Ares and AresLite packets. Use together with \-j DROP only.
.TP
-.B "--debug "
+\fB\-\-debug\fP
Prints some information about each hit into kernel logfile. May
produce huge logfiles so beware!
.PP
.PP
There is more information on http://ipp2p.org/ , but it has not been updated
since September 2006, and the syntax there is different from the ipp2p.c
-provided in Xtables-addons; most importantly, the --ipp2p flag was removed due
-to its ambiguity to match "all known" protocols.
+provided in Xtables-addons; most importantly, the \-\-ipp2p flag was removed
+due to its ambiguity to match "all known" protocols.
.PP
Known symbol names (and their number):
.PP
-1 - \fBnop\fP
+1 \(em \fBnop\fP
.PP
-2 - \fBsecurity\fP - RFC 1108
+2 \(em \fBsecurity\fP \(em RFC 1108
.PP
-3 - \fBlsrr\fP - Loose Source Routing, RFC 791
+3 \(em \fBlsrr\fP \(em Loose Source Routing, RFC 791
.PP
-4 - \fBtimestamp\fP - RFC 781, 791
+4 \(em \fBtimestamp\fP \(em RFC 781, 791
.PP
-7 - \fBrecord\-route\fP - RFC 791
+7 \(em \fBrecord\-route\fP \em RFC 791
.PP
-9 - \fBssrr\fP - Strict Source Routing, RFC 791
+9 \(em \fBssrr\fP \(em Strict Source Routing, RFC 791
.PP
-11 - \fBmtu\-probe\fP - RFC 1063
+11 \(em \fBmtu\-probe\fP \(em RFC 1063
.PP
-12 - \fBmtu\-reply\fP - RFC 1063
+12 \(em \fBmtu\-reply\fP \(em RFC 1063
.PP
-18 - \fBtraceroute\fP - RFC 1393
+18 \(em \fBtraceroute\fP \(em RFC 1393
.PP
-20 - \fBrouter-alert\fP - RFC 2113
+20 \(em \fBrouter-alert\fP \(em RFC 2113
.PP
Examples:
.PP
This module matches the length of a packet against a specific value or range of
values.
.TP
-[\fB!\fR] \fB--length\fR \fIlength\fR[\fB:\fR\fIlength\fR]
+[\fB!\fR] \fB\-\-length\fR \fIlength\fR[\fB:\fR\fIlength\fR]
Match exact length or length range.
.TP
-\fB--layer3\fR
+\fB\-\-layer3\fR
Match the layer3 frame size (e.g. IPv4/v6 header plus payload).
.TP
-\fB--layer4\fR
+\fB\-\-layer4\fR
Match the layer4 frame size (e.g. TCP/UDP header plus payload).
.TP
-\fB--layer5\fR
+\fB\-\-layer5\fR
Match the layer5 frame size (e.g. TCP/UDP payload, often called layer7).
.PP
-If no --layer* option is given, --layer3 is assumed by default. Note that using
---layer5 may not match a packet if it is not one of the recognized types
-(currently TCP, UDP, UDPLite, ICMP, AH and ESP) or which has no 5th layer.
+If no \-\-layer* option is given, \-\-layer3 is assumed by default. Note that
+using \-\-layer5 may not match a packet if it is not one of the recognized
+types (currently TCP, UDP, UDPLite, ICMP, AH and ESP) or which has no 5th
+layer.
the remote host's future connections. So this match module will match on the
(probably) last packet the remote side will send to your machine.
.TP
-\fB--stealth\fR
+\fB\-\-stealth\fR
Match if the packet did not belong to any known TCP connection
(Stealth/FIN/XMAS/NULL scan).
.TP
-\fB--synscan\fR
+\fB\-\-synscan\fR
Match if the connection was a TCP half-open discovery (SYN scan), i.e. the
connection was torn down after the 2nd packet in the 3-way handshake.
.TP
-\fB--cnscan\fR
+\fB\-\-cnscan\fR
Match if the connection was a TCP full open discovery (connect scan), i.e. the
connection was torn down after completion of the 3-way handshake.
.TP
-\fB--grscan\fR
+\fB\-\-grscan\fR
Match if data in the connection only flew in the direction of the remote side,
e.g. if the connection was terminated after a locally running daemon sent its
identification. (E.g. openssh, smtp, ftpd.) This may falsely trigger on
Attempt to detect TCP and UDP port scans. This match was derived from
Solar Designer's scanlogd.
.TP
-.BI "--psd-weight-threshold " "threshold"
+\fB\-\-psd\-weight\-threshold\fP \fIthreshold\fP
Total weight of the latest TCP/UDP packets with different
destination ports coming from the same host to be treated as port
scan sequence.
.TP
-.BI "--psd-delay-threshold " "delay"
+\fB\-\-psd\-delay\-threshold\fP \fIdelay\fP
Delay (in hundredths of second) for the packets with different
destination ports coming from the same host to be treated as
possible port scan subsequence.
.TP
-.BI "--psd-lo-ports-weight " "weight"
+\fB\-\-psd\-lo\-ports\-weight\fP \fIweight\fP
Weight of the packet with privileged (<=1024) destination port.
.TP
-.BI "--psd-hi-ports-weight " "weight"
+\fB\-\-psd\-hi\-ports\-weight\fP \fIweight\fP
Weight of the packet with non-priviliged destination port.
the match will return false, just like the original "quota" match. In growing
(upcounting) mode, it will always return true.
.TP
-\fB--grow\fP
+\fB\-\-grow\fP
Count upwards instead of downwards.
.TP
-\fB--name\fP \fIname\fP
+\fB\-\-name\fP \fIname\fP
Assign the counter a specific name. This option must be present, as an empty
name is not allowed. Names starting with a dot or names containing a slash are
prohibited.
.TP
-[\fB!\fP] \fB--quota\fP \fIiq\fP
+[\fB!\fP] \fB\-\-quota\fP \fIiq\fP
Specify the initial quota for this counter. If the counter already exists,
it is not reset. An "!" may be used to invert the result of the match. The
-negation has no effect when \fB--grow\fP is used.
+negation has no effect when \fB\-\-grow\fP is used.
.TP
-\fB--packets\fP
+\fB\-\-packets\fP
Count packets instead of bytes that passed the quota2 match.
.PP
Because counters in quota2 can be shared, you can combine them for various
purposes, for example, a bytebucket filter that only lets as much traffic go
out as has come in:
.PP
--A INPUT -p tcp --dport 6881 -m quota --name bt --grow
--A OUTPUT -p tcp --sport 6881 -m quota --name bt
+\-A INPUT \-p tcp \-\-dport 6881 \-m quota \-\-name bt \-\-grow;
+\-A OUTPUT \-p tcp \-\-sport 6881 \-m quota \-\-name bt;
projects / thirdparty / xtables-addons.git / commitdiff
