Iptables and filtering, Introduction – Znyx Networks bh5700 User Manual


On the other hand, in the following sequence of rules, the position of the rule that drops SYN
packets is important. The set of fields it examines (input interface, output interface, protocol
and the SYN flag) is neither a subset nor a superset of the fields examined by the ACCEPT rules
(which test the source port instead of the SYN flag), so the ordering rule given above does not
apply. In this case the rule is applied in the order of its position in the FORWARD chain, and all
TCP SYN packets arriving on zhp5 for zhp3 will be dropped, even if they also match one of the
ACCEPT rules. That is the point of the rule: the ACCEPT rules match only on the source port, so
without the SYN rule any host behind zhp5 could open a new connection to zhp3 simply by
sending from port 25, 53, 80 or 23.

iptables -A FORWARD -i zhp5 -o zhp3 -j DROP
iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport smtp -j ACCEPT
iptables -A FORWARD -i zhp5 -o zhp3 -p udp --sport domain -j ACCEPT
iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport domain -j ACCEPT
iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport www -j ACCEPT
iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport 23 -j ACCEPT # telnet (rsync is 873/tcp)
iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --syn -j DROP
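The rule set above evaluated under plain netfilter first-match semantics, as an added example that is not part of the manual and not ZNYX or netfilter code. It parses the seven rules (plus a hypothetical -I form of the SYN rule) with a small parser that understands only the options those rules use, runs four constructed packets through three orderings, and shows what the software FORWARD chain would do: the catch-all DROP at the head of the chain as listed matches everything; with it removed, a SYN carrying source port 80 slips through the www ACCEPT because the SYN DROP sits after it; with the SYN DROP inserted at position 1 only the reply traffic passes. It does not model the fabric board's field-subset precedence rule described in the text. The names SERVICES, FIELD_OPTS, Rule, load_chain, first_match, MANUAL_RULES, SYN_GUARD, SCENARIOS, PACKETS and verdicts are the example's own.

```python
"""First-match evaluation of the FORWARD rules quoted above (added example).

Not code from the ZNYX manual: it models only plain netfilter semantics, where
the first rule whose match fields all agree with the packet decides, and not
the fabric board's field-subset precedence rule. Packets are constructed dicts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVICES = {"smtp": 25, "domain": 53, "www": 80}   # names the rules use -> IANA ports
FIELD_OPTS = {"-i": "in", "-o": "out", "-p": "proto"}


@dataclass
class Rule:
    target: str               # ACCEPT or DROP
    match: Dict[str, object]  # e.g. {"in": "zhp5", "out": "zhp3", "proto": "tcp", "syn": True}

    def matches(self, pkt: Dict[str, object]) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


def load_chain(commands: List[str]) -> List[Rule]:
    """Build one chain from iptables commands, honouring -A (append) and -I (insert).
    Only the options the manual's rules use are understood; anything else raises."""
    chain: List[Rule] = []
    for cmd in commands:
        toks = cmd.split("#", 1)[0].split()   # strip a trailing '# comment'
        match: Dict[str, object] = {}
        target, mode, pos = "", "-A", 1
        i = 1                                  # toks[0] is "iptables"
        while i < len(toks):
            t = toks[i]
            if t == "--syn":                   # flag option, takes no value
                match["syn"] = True
                i += 1
                continue
            v = toks[i + 1]
            if t in ("-A", "-I"):
                mode = t                       # v is the chain name; one chain modelled
                if t == "-I" and i + 2 < len(toks) and toks[i + 2].isdigit():
                    pos = int(toks[i + 2])     # "-I FORWARD 3"; bare "-I FORWARD" means 1
                    i += 1
            elif t in FIELD_OPTS:
                match[FIELD_OPTS[t]] = v
            elif t == "--sport":
                match["sport"] = SERVICES[v] if v in SERVICES else int(v)
            elif t == "-j":
                target = v
            else:
                raise ValueError(f"unsupported option {t!r}")
            i += 2
        rule = Rule(target, match)
        chain.append(rule) if mode == "-A" else chain.insert(pos - 1, rule)
    return chain


def first_match(chain: List[Rule], pkt: Dict[str, object]) -> Optional[str]:
    """Verdict of the first matching rule; None means the chain policy decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return None


# The manual's rule set, in the order it is appended to FORWARD.
MANUAL_RULES = [
    "iptables -A FORWARD -i zhp5 -o zhp3 -j DROP",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport smtp -j ACCEPT",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p udp --sport domain -j ACCEPT",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport domain -j ACCEPT",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport www -j ACCEPT",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --sport 23 -j ACCEPT  # telnet",
    "iptables -A FORWARD -i zhp5 -o zhp3 -p tcp --syn -j DROP",
]
SYN_GUARD = "iptables -I FORWARD 1 -i zhp5 -o zhp3 -p tcp --syn -j DROP"  # hypothetical -I form

# Three orderings to compare under first-match semantics.
SCENARIOS = {
    "as_listed": MANUAL_RULES,                            # catch-all DROP at the head
    "without_catch_all": MANUAL_RULES[1:],                # SYN DROP still last
    "syn_guard_first": MANUAL_RULES[1:-1] + [SYN_GUARD],  # SYN DROP inserted at position 1
}

# Constructed packets entering on zhp5 and leaving on zhp3.
PACKETS = {
    "web_reply":        {"in": "zhp5", "out": "zhp3", "proto": "tcp", "sport": 80, "syn": False},
    "new_conn_sport80": {"in": "zhp5", "out": "zhp3", "proto": "tcp", "sport": 80, "syn": True},
    "dns_reply":        {"in": "zhp5", "out": "zhp3", "proto": "udp", "sport": 53},
    "ssh_attempt":      {"in": "zhp5", "out": "zhp3", "proto": "tcp", "sport": 22, "syn": True},
}


def verdicts(scenario: str) -> Dict[str, Optional[str]]:
    """Verdict per constructed packet for one of the orderings in SCENARIOS."""
    chain = load_chain(SCENARIOS[scenario])
    return {name: first_match(chain, pkt) for name, pkt in PACKETS.items()}
```

Calling verdicts("without_catch_all") returns ACCEPT for new_conn_sport80, the source-port bypass; verdicts("syn_guard_first") returns DROP for it while web_reply and dns_reply still pass. In a software chain the SYN guard therefore has to precede any source-port ACCEPT (the -I form), whereas the manual's text describes the fabric board resolving precedence by its own rule.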

iptables and filtering

iptables is the user-space firewall management utility for the Linux 2.4 kernels; it drives the
netfilter code in the 2.4 kernel. On the Ethernet Switch Blade (fabric board), iptables is extended
with a few additional targets that support the hardware filtering functionality of the switch
chips. Apart from those minor extensions, all of the standard iptables functionality is usable.

A more detailed source on iptables can be found at:

http://www.netfilter.org/

Almost all of the material in this section is derived from that site.

There are also many iptables tutorials and rule-management tools, both graphical and command
line; this is in keeping with the Open Architect concept. A good place to start is:

http://freshmeat.net/search/?q=iptables

Introduction

Firewall rules are stored in chains, and chains are grouped into tables (filter, nat and mangle in
Linux 2.4); the terms are sometimes used loosely. Each built-in chain is attached to a netfilter
hook, which can be looked at as a junction in the packet path where filtering takes place. There
are five defined hooks, and the built-in chains attached to them are PREROUTING, POSTROUTING,
INPUT, OUTPUT and FORWARD. The example below illustrates the default chains on boot up.

Ethernet Switch Blade User's Guide

release 3.2.2j

page 60
