View Source: ipchains(8) - Waikato Linux Users Group

Edit PageHistory Diff Info LikePages
IPCHAINS
!!!IPCHAINS
NAME
SYNOPSIS
DESCRIPTION
TARGETS
OPTIONS
FILES
DIAGNOSTICS
BUGS
NOTES
SEE ALSO
AUTHOR
----
!!NAME


ipchains - IP firewall administration
!!SYNOPSIS


__ipchains -[[ADC]__ chain rule-specification
[[options]__
ipchains -[[RI]__ chain rulenum rule-specification
[[options]__
ipchains -D__ chain rulenum [[options]__
ipchains -[[LFZNX]__ [[chain] [[options]__
ipchains -P__ chain target [[options]__
ipchains -M__ [[ -L | -S ] [[options]
!!DESCRIPTION


__Ipchains__ is used to set up, maintain, and inspect the
IP firewall rules in the Linux kernel. These rules can be
divided into 4 different categories: the IP input chain, the
IP output chain, the IP forwarding chain, and user defined
chains.


For each of these categories, a separate table of rules is
maintained, any of which might refer to one of the
user-defined chains. See ipfw(4) for more
details.
!!TARGETS


A firewall rule specifies criteria for a packet, and a
target. If the packet does not match, the next rule in the
chain is then examined; if it does match, then the next rule
is specified by the value of the target, which can be the
name of a user-defined chain, or one of the special values
''ACCEPT'', ''DENY'', ''REJECT'', ''MASQ'',
''REDIRECT'', or ''RETURN''.


''ACCEPT'' means to let the packet through. ''DENY''
means to drop the packet on the floor. ''REJECT'' means
the same as drop, but is more polite and easier to debug,
since an ICMP message is sent back to the sender indicating
that the packet was dropped. (Note that ''DENY'' and
''REJECT'' are the same for ICMP packets.)


''MASQ'' is only legal for the forward and user defined
chains, and can only be used when the kernel is compiled
with __CONFIG_IP_MASQUERADE__ defined. With this, packets
will be masqueraded as if they originated from the local
host. Furthermore, reverse packets will be recognized as
such and they will be demasqueraded automatically, bypassing
the forwarding chain.


''REDIRECT'' is only legal for the input and user-defined
chains and can only be used when the Linux kernel is
compiled with __CONFIG_IP_TRANSPARENT_PROXY__ defined.
With this, packets will be redirected to a local socket,
even if they were sent to a remote host. If the specified
redirection port is 0, which is the default value, the
destination port of a packet will be used as the redirection
port. When this target is used, an optional extra argument
(the port number) can be supplied.


If the end of a user-defined chain is reached, or a rule
with target ''RETURN'' is matched, then the next rule in
the previous (calling) chain is examined. If the end of a
builtin chain is reached, or a rule in a builtin chain with
target ''RETURN'' is matched, the target specified by the
chain policy determines the fate of the packet.
!!OPTIONS


The options that are recognized by __ipchains__ can be
divided into several different groups.


__COMMANDS__


These options specify the specific action to perform; only
one of them can be specified on the command line, unless
otherwise specified below. For all the long versions of the
command and option names, you only need to use enough
letters to ensure that __ipchains__ can differentiate it
from all other options.


__-A, --append__


Append one or more rules to the end of the selected chain.
When the source and/or destination names resolve to more
than one address, a rule will be added for each possible
address combination.


__-D, --delete__


Delete one or more rules from the selected chain. There are
two versions of this command: the rule can be specified as a
number in the chain (starting at 1 for the first rule) or a
rule to match.


__-R, --replace__


Replace a rule in the selected chain. If the source and/or
destination names resolve to multiple addresses, the command
will fail. Rules are numbered starting at 1.


__-I, --insert__


Insert one or more rules in the selected chain as the given
rule number. So, if the rule number is 1, the rule or rules
are inserted at the head of the chain.


__-L, --list__


List all rules in the selected chain. If no chain is
selected, all chains are listed. It is legal to specify the
__-Z__ (zero) option as well, in which case no chain may
be specified. The exact output is affected by the other
arguments given.


__-F, --flush__


Flush the selected chain. This is equivalent to deleting all
the rules one by one.


__-Z, --zero__


Zero the packet and byte counters in all chains. It is legal
to specify the __-L, --list__ (list) option as well, to
see the counters immediately before they are cleared; if
this is done, then no specific chain can be specified (they
will ''all'' be displayed and cleared).


__-N, --new-chain__


Create a new user-defined chain of the given name. There
must be no target of that name already.


__-X, --delete-chain__


Delete the specified user-defined chain. There must be no
references to the chain (if there are you must delete or
replace the referring rules before the chain can be
deleted). If no argument is given, it will attempt to delete
every non-builtin chain.


__-P, --policy__


Set the policy for the chain to the given target. See the
section __TARGETS__ for the legal targets. Only
non-userdefined chains can have policies, and neither
built-in nor user-defined chains can be policy
targets.


__-M, --masquerading__


This option allows viewing of the currently masqueraded
connections (in conjuction with the __-L__ option) or to
set the kernel masquerading parameters (with the __-S__
option).


__-S, --set tcp tcpfin udp__


Change the timeout values used for masquerading. This
command always takes 3 parameters, representing the timeout
values (in seconds) for TCP sessions, TCP sessions after
receiving a FIN packet, and UDP packets, respectively. A
timeout value 0 means that the current timeout value of the
corresponding entry is preserved. This option is only
allowed in combination with the __-M__ flag.


__-C, --check__


Check the given packet against the selected chain. This is
extremely useful for testing, as the same kernel routines
used to check
-s__ (source),
__-d__ (destination), __-p__ (protocol), and __-i__
(interface) flags are compulsory.


__-h, --help__


Give a (currently very brief) description of the command
syntax. If followed by the word ''icmp'', then a list of
ICMP names is listed.


__-V, --version__


Simply output the ipchains version number.


__PARAMETERS__


The following parameters make up a rule specification (as
used in the add, delete, replace, append and check
commands).


__-p, --protocol__''[[!] protocol''


The protocol of the rule or of the packet to check. The
specified protocol can be one of ''tcp'', ''udp'',
''icmp'', or ''all'', or it can be a numeric value,
representing one of these protocols or a different one. Also
a protocol name from /etc/protocols is allowed. A
''all''. Protocol
''all'' will match with all protocols and is taken as
default when this option is omitted. ''All'' may not be
used in in combination with the check command.


__-s, --source, --src__ [[!] ''address''[[/''mask'']
[[!] [[''port[[:port]'']


Source specification. ''Address'' can be either a
hostname, a network name, or a plain IP address. The
''mask'' can be either a network mask or a plain number,
specifying the number of 1's at the left side of the network
mask. Thus, a mask of ''24'' is equivalent to
''255.255.255.0''. A
''


The source may include a port specification or ICMP type.
This can either be a service name, a port number, a numeric
ICMP type, or one of the ICMP type names shown by the
command
ipchains -h icmp
Note that many of these ICMP names refer to both a type and
code, meaning that an ICMP code after the __-d__ flag is
illegal. In the rest of this paragraph, a ''port'' means
either a port specification or an ICMP type. An inclusive
range can also be specified, using the format
''port'':''port''. If the first port is omitted,
''


Ports may only be specified in combination with the
''tcp'', ''udp'', or ''icmp'' protocols. A
''-f__ (fragment) flag is
specified, no ports are allowed.


__--source-port__ [[!] [[''port[[:port]'']


This allows separate specification of the source port or
port range. See the description of the __-s__ flag above
for details.The flag __--sport__ is an alias for this
option.


__-d, --destination, --dst__ [[!]
''address''[[/''mask''] [[!]
[[''port[[:port]'']


Destination specification. See the desciption of the
__-s__ (source) flag for a detailed description of the
syntax. For ICMP, which does not have ports, a
__


__--destination-port__ [[!]
[[''port[[:port]'']


This allows separate specification of the ports. See the
description of the __-s__ flag for details. The flag
__--dport__ is an alias for this option.


__--icmp-type__ [[!] typename


This allows specification of the ICMP type (use the __-h
icmp__ option to see valid ICMP type names). This is often
more convenient than appending it to the destination
specification.


__-j, --jump__ ''target''


This specifies the target of the rule; ie. what to do if the
packet matches it. The target can be a user-defined chain
(not the one this rule is in) or one of the special targets
which decide the fate of the packet immediately. If this
option is omitted in a rule, then matching the rule will
have no effect on the packet's fate, but the counters on the
rule will be incremented.


__-i, --interface__ ''[[!] name''


Optional name of an interface via which a packet is received
(for packets entering the input chain), or via which is
packet is going to be sent (for packets entering the forward
or output chains). When this option is omitted, the empty
string is assumed, which has a special meaning and will
match with any interface name. When the


__[[!] -f, --fragment__


This means that the rule only refers to second and further
fragments of fragmented packets. Since there is no way to
tell the source or destination ports of such a packet (or
ICMP type), such a packet will not match any rules which
specify them. When the


__OTHER OPTIONS__


The following additional options can be
specified:


__-b, --bidirectional__


Bidirectional mode. The rule will match with IP packets in
both directions; this has the same effect as repeating the
rule with the source


__-v, --verbose__


Verbose output. This option makes the list command show the
interface address, the rule options (if any), and the TOS
masks. The packet and byte counters are also listed, with
the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and
1,000,000,000 multipliers respectively (but see the
__-x__ flag to change this). When used in combination
with __-M__, information related to delta sequence
numbers will also be listed. For appending, insertion,
deletion and replacement, this causes detailed information
on the rule or rules to be printed.


__-n, --numeric__


Numeric output. IP addresses and port numbers will be
printed in numeric format. By default, the program will try
to display them as host names, network names, or services
(whenever applicable).


__-l, --log__


Turn on kernel logging of matching packets. When this option
is set for a rule, the Linux kernel will print some
information of all matching packets (like most IP header
fields) via ''printk''().


__-o, --output__ ''[[maxsize]''


Copy matching packets to the userspace device. This is
currently mainly for developers who want to play with
firewalling effects in userspace. The optional maxsize
argument can be used to limit the maximum number of bytes
from the packet which are to be copied. This option is only
valid if the kernel has been compiled with
CONFIG_IP_FIREWALL_NETLINK set.


__-m, --mark__ ''markvalue''


Mark matching packets. Packets can be marked with a 32-bit
unsigned value which may (one day) change how they are
handled internally. If you are not a kernel hacker you are
unlikely to care about this. If the string ''markvalue''
begins with a + or -, then this value will be added or
subtracted from the current marked value of the packet
(which starts at zero).


__-t, --TOS__ ''andmask xormask''


Masks used for modifying the TOS field in the IP header.
When a packet matches a rule, its TOS field is first bitwise
and'ed with first mask and the result of this will be
bitwise xor'ed with the second mask. The masks should be
specified as hexadecimal 8-bit values. As the LSB of the TOS
field must be unaltered (RFC 1349), TOS values which would
cause it to be altered are rejected, as are any rules which
always set more than one TOS bit. Rules which might set
multiple TOS bits for certain packets result in warnings
(sent to stdout) which can be ignored if you know that
packets with those TOS values will never reach that rule.
Obviously, manipulating the TOS is a meaningless gesture if
the rule's target is ''DENY'' or
''REJECT''.


__-x, --exact__


Expand numbers. Display the exact value of the packet and
byte counters, instead of only the rounded number in K's
(multiples of 1000) M's (multiples of 1000K) or G's
(multiples of 1000M). This option is only relevant for the
__-L__ command.


__[[!] -y, --syn__


Only match TCP packets with the SYN bit set and the ACK and
FIN bits cleared. Such packets are used to request TCP
connection initiation; for example, blocking such packets
coming in an interface will prevent incoming TCP
connections, but outgoing TCP connections will be
unaffected. This option is only meaningful when the protocol
type is set to TCP. If the


__--line-numbers__


When listing rules, add line numbers to the beginning of
each rule, corresponding to that rule's position in the
chain.


__--no-warnings__


Disable all warnings.
!!FILES


''/proc/net/ip_fwchains
/proc/net/ip_masquerade''
!!DIAGNOSTICS


Various error messages are printed to standard error. The
exit code is 0 for correct functioning. Errors which appear
to be caused by invalid or abused command line parameters
cause an exit code of 2, and other errors cause an exit code
of 1.
!!BUGS


If input is a terminal, and a rule is inserted in, or
appended to, the forward chain, and IP forwarding does not
seem to be enabled, and --no-warnings is not specified, a
message is printed to standard output, warning that no
forwarding will occur until this is rectified. This is to
help users unaware of the requirement (which did not exist
in the 2.0 kernels).


There is no way to reset the packet and byte counters in one
chain only. This is a kernel limitation.


Loop detection is not done in ipchains; packets in a loop
get dropped and logged, but that's the first you'll find out
about it if you inadvertantly create a loop.


The explanation of what effect marking a packet has is
intentionally vague until documentation describing the new
2.1 kernel's packet scheduling routines is
released.


There is no way to zero the policy counters (ie. those on
the built-in chains).
!!NOTES


This __ipchains__ is very different from the ipfwadm by
Jos Vos, as it uses the new IP firewall trees. Its
functionality is a superset of ipfwadm, and there is
generally a 1:1 mapping of commands. I believe the new
command names are more rational. There are, however, a few
changes of which you should be aware.


Fragments are handled differently. All fragments after the
first used to be let through (which is usually safe); they
can now be filtered. This means that you should probably add
an explicit rule to accept fragments if you are converting
over. Also, look for old accounting rules which check for
source and destination ports of 0xFFFF (0xFF for ICMP
packets) which was the old way of doing accounting on
fragments.


Accounting rules are now simply integrated into the input
and output chains; you can simulate the old behaviour like
so:
ipchains -N acctin
ipchains -N acctout
ipchains -N acctio
ipchains -I input -j acctio
ipchains -I input -j acctin
ipchains -I output -j acctio
ipchains -I output -j acctout
This creates three user-defined chains, ''acctin'',
''acctout'' and ''acctio'', which are to contain any
accounting rules (these rules should be specified without a
__-j__ flag, so that the packets simply pass through them
unscathed).


A ''MASQ'' or ''REDIRECT'' target encountered by the
kernel out of place (ie. not during a forward or input rule
respectively) will cause a message to the syslog and the
packet to be dropped.


The old behaviour of SYN and ACK matching (which was
previously ignored for non-TCP packets) has changed; the SYN
option is not valid for non-TCP-specific rules.


The ACK matching option (the __-k__ flag) is no longer
supported; the combination of __!__ and __-y__ will
give the equivalent).


It is now illegal to specify a TOS mask which will set or
alter the least significant TOS bit; previously TOS masks
were silently altered by the kernel if they tried to do
this.


The __-b__ flag is now handled by simply inserting or
deleting a pair of rules, one with the source and
destination specifications reversed.


There is no way to specify an interface by address: use its
name.
!!SEE ALSO


ipfw_chains(4), ipchains-save(8),
ipchains-restore(8)
!!AUTHOR


Rusty Russell. Thanks also to Hans Persson for detailed
proofreading; I want him to read all my future
documents!
----
14 pages link to ipchains(8):
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.
Last edited on Tuesday, June 4, 2002 12:31:13 am by "perry"
Edit PageHistory Diff Info LikePages