Checking for the protocol

iptables -A INPUT --protocol tcp -j ACCEPT

iptables -A INPUT --protocol ! udp -j LOG

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A ! argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

TCP specific options

TCP-specific options are the filter options that look deeper into the TCP header of the packet. This includes checking the source and destination ports, real TCP connection tracking, TCP flags, and so on.

TCP Source and destination ports

iptables -A INPUT --protocol tcp --source-port 22:12 -j LOG

iptables -A OUTPUT --protocol tcp --destination-port ! 21232 -j DROP

Source/Destination port or port range specification. This can be either a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, 65535 is assumed. If the first port is greater than the second, the two are swapped (so 22:12 in the example above matches ports 12 through 22). The flags --sport and --dport are convenient aliases for --source-port and --destination-port.

TCP Flags

iptables -A INPUT --protocol tcp --tcp-flags ! SYN,ACK,FIN SYN,ACK -j LOG

Match when the TCP flags are as specified. The first argument is the comma-separated list of flags to examine (the mask); the second argument is the comma-separated list of flags, among those examined, that must be set (all other examined flags must be clear). Flags are: SYN, ACK, FIN, RST, URG, PSH, ALL, NONE. Hence the command:

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT

will only match packets with the SYN flag set and the ACK, FIN and RST flags unset. URG and PSH are not in the mask, so their state does not affect the match.

TCP Options

iptables -A INPUT --protocol tcp --tcp-option 0 -j LOG

Match if the numeric TCP option is set in the TCP header. A ! may be used to invert the match.

UDP specific options

UDP is the second major transport protocol on the Internet. The main difference to TCP is that it does not provide a stateful connection to the peer host; in other words, UDP packets are anonymous and easy to forge. On the other hand, it is extremely fast (no overhead of establishing connections), and therefore many protocols use it. The most important UDP-based protocols are DNS (hostname <---> IP address) and NFS (the standard *NIX file-sharing protocol).

UDP Source and destination ports

iptables -A INPUT --protocol udp --source-port 22:12 -j LOG

iptables -A OUTPUT --protocol udp --destination-port ! 21232 -j DROP

Source/Destination port or port range specification. This can be either a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, 65535 is assumed. If the first port is greater than the second, the two are swapped (so 22:12 in the example above matches ports 12 through 22). The flags --sport and --dport are convenient aliases for --source-port and --destination-port.

ICMP

The Internet Control Message Protocol (ICMP) is the control and message protocol for the underlying IP protocol. Frequently needed messages and commands are defined in this protocol, such as "host-unreachable" when an IP address could not be reached, "echo-request" (the normal ping), and "source-quench", which tells the receiver to slow down its traffic and is therefore a potential Denial of Service vector!

ICMP type

iptables -A INPUT --protocol icmp --icmp-type echo-request -j LOG

This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

Multiport Match Extension

The multiport match extension allows you to define a comma-separated list of up to 15 ports in a TCP- or UDP-specific rule. This is mostly useful to save some typing by specifying more than one port per rule.

Source Ports

iptables -A INPUT --protocol tcp --match multiport --source-ports 22,21,20,80 -j LOG

This rule will match all tcp packets that have a source port contained in the given port list.

Destination Ports

iptables -A INPUT --protocol udp --match multiport --destination-ports 20,80,10 -j LOG

This rule will match all udp packets that have a destination port contained in the given port list.

iptables -A INPUT --protocol tcp --match multiport --ports 20,50,1660 -j LOG

Match if both the source and destination ports are equal to each other and to one of the given ports.
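The matching rules described in the protocol, port-range, TCP-flags and multiport sections above, modelled in a few Python functions. This is an added example and not iptables code: packets are constructed dicts, protocol names are limited to the three the page lists (no /etc/protocols lookup), and the flag and protocol numbers are the standard IANA values.

```python
# Added example (not iptables code): a small model of the match semantics
# described above, to make the --tcp-flags mask/comp and port-range rules
# concrete. Packets are constructed dicts with "sport"/"dport" keys.
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}          # IANA protocol numbers
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

def protocol_match(spec, proto_num, invert=False):
    """--protocol name|number|all; both 'all' and 0 match every protocol."""
    if spec in ("all", "0"):
        return not invert
    want = PROTOCOLS[spec] if spec in PROTOCOLS else int(spec)
    return (want == proto_num) != invert

def parse_flags(spec):
    """ALL -> every flag set, NONE -> no flag, otherwise a comma-separated list."""
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[f] for f in spec.split(","))

def tcp_flags_match(mask, comp, pkt_flags, invert=False):
    """--tcp-flags mask comp: look only at the flags in mask; of those, exactly
    the ones in comp must be set. Flags outside the mask are ignored."""
    hit = (pkt_flags & parse_flags(mask)) == parse_flags(comp)
    return hit != invert

def parse_port_range(spec):
    """'port' or 'lo:hi'; a missing lo is 0, a missing hi is 65535, and an
    out-of-order pair such as 22:12 is swapped to 12:22."""
    if ":" not in spec:
        return int(spec), int(spec)
    lo, hi = spec.split(":")
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else 65535
    return (hi, lo) if lo > hi else (lo, hi)

def port_match(spec, port, invert=False):
    """--source-port / --destination-port (aliases --sport / --dport)."""
    lo, hi = parse_port_range(spec)
    return (lo <= port <= hi) != invert

def multiport_match(kind, ports, pkt):
    """-m multiport --source-ports / --destination-ports / --ports (max 15)."""
    if len(ports) > 15:
        raise ValueError("multiport accepts at most 15 ports")
    if kind == "source-ports":
        return pkt["sport"] in ports
    if kind == "destination-ports":
        return pkt["dport"] in ports
    # --ports: source and destination must equal each other and a listed port
    return pkt["sport"] == pkt["dport"] and pkt["sport"] in ports
```

Running the FORWARD rule from the TCP-flags section through tcp_flags_match shows why a SYN+PSH packet still matches while SYN+ACK does not: only the four masked flags are compared.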