Iptables and filtering – Znyx Networks bh5700 User Manual


action that will take place. For example, the rules:

iptables -A FORWARD -i zhp3 -j DROP

iptables -A FORWARD -i zhp3 -o zhp1 -p tcp --dport smtp -j ACCEPT

result in SMTP packets received on any port in zhp3 being forwarded to any port in zhp1, while all
other packets from zhp3 are dropped. The order of the two rules in the FORWARD chain does not
matter: the fields examined by the first rule (the input interface) are a subset of the fields
examined by the second, so the ordering rule given above applies. Note that stock netfilter on a
general-purpose Linux host behaves differently: it evaluates a chain strictly top to bottom and
stops at the first terminating match, so there the DROP rule listed first would shadow the ACCEPT
rule and the SMTP traffic would be dropped as well.

On the other hand, in the following sequence of rules the position of the rule that drops SYN
packets is important. The set of fields it examines (input interface, output interface, protocol
and the SYN flag) is not a subset of the fields examined by the ACCEPT rules (input interface,
output interface, protocol and source port), nor vice versa, so the ordering rule given above does
not apply. In this case the rule is applied according to its position in the FORWARD chain, and all
TCP SYN packets from zhp5 to zhp3 will be DROPPED, even if they also match one of the ACCEPT
rules. This is the security-relevant point of the rule set: matching on source port alone would let
a host on zhp5 open new connections into zhp3 simply by sending from source port 25, 53, 80 or
23, and dropping SYN packets is what prevents new TCP connections from being initiated from
zhp5 through those rules, so that only packets belonging to connections opened from zhp3 get
through.

iptables -A FORWARD -i zhp5 -o zhp3 -j DROP

iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport smtp -j ACCEPT

iptables -A FORWARD -i zhp5 -o zhp3 -p udp --sport domain -j ACCEPT

iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport domain -j ACCEPT

iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport www -j ACCEPT

iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport 23 -j ACCEPT # telnet (rsync would be 873/tcp)

iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --syn -j DROP
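The rule sets above, run through a small evaluator. This is an added example, not code from the ZNYX manual or from the OpenArchitect software: it parses the rule lines, classifies pairs of rules by the subset-of-fields criterion the text uses to decide whether chain position matters, and evaluates sample packets under stock netfilter first-match semantics, which is the behaviour to expect on a general-purpose Linux host. The hardware filter's own ordering is not modelled; the service-name table, the packet representation and the sample packets are constructed for the example.

```python
"""Evaluate FORWARD-chain rule sets: field-subset classification (the page's
ordering criterion) plus stock netfilter first-match semantics as a baseline.
Added example; the hardware filter's reordering is deliberately not modelled."""
import shlex
from dataclasses import dataclass

# Constructed subset of /etc/services; real iptables resolves names from there.
SERVICES = {"smtp": 25, "domain": 53, "www": 80}
_FIELD_OPTS = {"-i": "in", "-o": "out", "-p": "proto"}


@dataclass
class Rule:
    chain: str
    target: str
    match: dict  # match field -> required value


def parse_rule(line):
    """Parse the subset of iptables syntax used on this page."""
    toks = shlex.split(line.split("#", 1)[0])
    if toks[:1] != ["iptables"]:
        raise ValueError(f"not an iptables command: {line!r}")
    chain = target = None
    match = {}
    i = 1
    while i < len(toks):
        opt = toks[i]
        if opt == "--syn":  # SYN set and ACK/RST/FIN clear in real iptables
            match["syn"] = True
            i += 1
            continue
        arg = toks[i + 1]  # IndexError here means a missing argument
        if opt == "-A":
            chain = arg
        elif opt == "-j":
            target = arg
        elif opt in ("--sport", "--dport"):
            match[opt[2:]] = int(arg) if arg.isdigit() else SERVICES[arg]
        elif opt in _FIELD_OPTS:
            match[_FIELD_OPTS[opt]] = arg
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    if chain is None or target is None:
        raise ValueError("rule needs -A <chain> and -j <target>")
    return Rule(chain, target, match)


def order_relation(a, b):
    """The page's criterion: if the fields one rule examines are a subset of the
    other's, chain position does not matter; if neither contains the other,
    chain position decides."""
    fa, fb = frozenset(a.match), frozenset(b.match)
    if fa == fb:
        return "same fields"
    if fa < fb:
        return "a examines a subset of b's fields"
    if fb < fa:
        return "b examines a subset of a's fields"
    return "incomparable: chain position decides"


def matches(rule, pkt):
    return all(pkt.get(k) == v for k, v in rule.match.items())


def first_match(rules, pkt, policy="DROP"):
    """Stock netfilter: walk the chain top to bottom, stop at the first match.
    Returns (target, index of the rule that fired) or (policy, None)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.target, idx
    return policy, None


def shadowed_rules(rules):
    """Static check for first-match semantics: rule j is unreachable if an
    earlier rule i matches on a subset of j's fields with the same values,
    because i then fires on every packet j could match."""
    out = {}
    for j, rj in enumerate(rules):
        for i in range(j):
            if all(rj.match.get(k) == v for k, v in rules[i].match.items()):
                out[j] = i
                break
    return out


# The two rule sets from the page.
EXAMPLE_1 = [parse_rule(l) for l in [
    "iptables -A FORWARD -i zhp3 -j DROP",
    "iptables -A FORWARD -i zhp3 -o zhp1 -p tcp --dport smtp -j ACCEPT",
]]
EXAMPLE_2 = [parse_rule(l) for l in [
    "iptables -A FORWARD -i zhp5 -o zhp3 -j DROP",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport smtp -j ACCEPT",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p udp --sport domain -j ACCEPT",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport domain -j ACCEPT",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport www -j ACCEPT",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport 23 -j ACCEPT",  # 23/tcp is telnet
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --syn -j DROP",
]]

# Constructed sample packets: an outbound SMTP connection attempt, a reply from
# an SMTP server on zhp5, and a connection attempt from zhp5 forging sport 25.
SMTP_TO_ZHP1 = {"in": "zhp3", "out": "zhp1", "proto": "tcp", "sport": 40001, "dport": 25, "syn": True}
SMTP_REPLY = {"in": "zhp5", "out": "zhp3", "proto": "tcp", "sport": 25, "dport": 40001, "syn": False}
FORGED_SYN = {"in": "zhp5", "out": "zhp3", "proto": "tcp", "sport": 25, "dport": 22, "syn": True}

if __name__ == "__main__":
    print(order_relation(EXAMPLE_1[0], EXAMPLE_1[1]))
    print(order_relation(EXAMPLE_2[6], EXAMPLE_2[1]))
    print("shadowed under first-match:", shadowed_rules(EXAMPLE_2))
    for name, rules in (("as listed", EXAMPLE_2), ("most specific first", list(reversed(EXAMPLE_2)))):
        print(name, first_match(rules, SMTP_REPLY), first_match(rules, FORGED_SYN))
```

Running it shows that, as listed, stock netfilter would never reach rules 1 to 6 of the second set because the catch-all DROP in position 0 shadows them, and that reversing the chain (most specific rules first, catch-all last) reproduces the intent described in the text: the forged SYN from source port 25 is dropped while the SMTP reply is accepted. A check like shadowed_rules() is worth running before loading a rule set written for one ordering model onto a firewall that uses the other.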

iptables and filtering

iptables is the user-space utility for managing packet filtering on Linux 2.4 kernels. It drives
the netfilter framework built into the 2.4 kernel.

In addition, the iptables utility on this platform is extended with a few more targets to support
the hardware filtering functionality of the Broadcom BCM5695 silicon on the base switch. Generally,
all of the standard iptables functionality is usable, with a few minor extensions.

A more detailed source on iptables can be found at:

http://www.netfilter.org/

Almost all of the contents described here are derived from there.

There are also many tutorials and iptables manipulation tools, both graphical and command line;
this reflects the Open Architect concept. A good place to start is:

http://freshmeat.net/search/?q=iptables

Ethernet Switch Blade User's Guide

release 3.2.2j

page 108
