Actions and Transitions in the iptables Firewall

Actions and transitions (jumps) tell a rule what to do with a packet that matches the specified criteria. The most commonly used actions are ACCEPT and DROP. First, however, let’s take a quick look at the notion of transitions.

A transition is described in a rule exactly like an action: the -j option followed by the name of the chain to jump to. Transitions have several limitations. First, the chain to jump to must be in the same table as the chain from which the jump is made. Second, the chain that is the target of the jump must be created before the jump is used. For example, create the tcp_packets chain in the filter table with:

iptables -N tcp_packets

We can now jump to this chain like this:

iptables -A INPUT -p tcp -j tcp_packets

That is, when a TCP packet arrives, iptables jumps to the tcp_packets chain and the packet continues its traversal in that chain. If the packet reaches the end of the chain, it is returned to the calling chain (in this case INPUT) and continues with the rule following the one that caused the jump. If an ACCEPT action is applied to the packet in the nested chain, the packet is automatically considered accepted in the calling chain as well and does not continue through the calling chain. However, the packet will still traverse the chains in other tables. For more information about the order in which tables and chains are traversed, see the chapter on the traversal order of tables and chains.

An action is a predefined command that describes what to do when a packet matches the specified criterion. For example, you can DROP or ACCEPT the packet, depending on your needs. There are several other actions, which are described later in this section. Some actions, such as DROP and ACCEPT, end the packet’s passage through the chain. Others, such as LOG, perform their operation and then let the packet continue to be tested against the following rules. A third group, for example DNAT and SNAT, TTL and TOS, modify the packet, which then continues to move along the chain.

6.5.1. ACCEPT Action

This action has no additional options. When ACCEPT is applied to a packet, the packet stops traversing the current chain (and all calling chains, if the current chain was nested) and is considered accepted (that is, it is let through). However, the packet will continue through the chains in other tables and can still be rejected there. The action is specified with -j ACCEPT.

6.5.2. DNAT Action

DNAT (Destination Network Address Translation) is used to rewrite the destination IP address in the packet header. If a packet matches a rule that performs DNAT, that packet and all subsequent packets in the same stream have their destination address translated and are sent on to the appropriate device, host, or network. This can be used, for example, to give access to a web server that is on your local network and does not have a real IP address. To do this, you build a rule that intercepts packets going to the HTTP port of the firewall and uses DNAT to pass them on to the local web server. You can also specify a range of addresses for this action; the destination address for each new stream is then chosen at random.

The DNAT action can be used only in the PREROUTING and OUTPUT chains of the nat table, and in chains called from them. It is important to remember that nested chains that perform DNAT must not be called from any chains other than PREROUTING and OUTPUT.

Table 6-16. DNAT Action

Option: --to-destination
Example: iptables -t nat -A PREROUTING -p tcp -d --dport 80 -j DNAT --to-destination
Description: The --to-destination option specifies which IP address should be substituted as the destination address. In the example above, all packets sent to the address given with -d have their destination address changed to one of the addresses in a range. As mentioned above, all packets of one stream are sent to the same address, and for each new stream one of the addresses in the specified range is chosen at random. You can also specify a single IP address. Optionally, you can specify a port or range of ports to which the traffic is to be redirected. To do this, follow the IP address with a colon and the port (for example, port 80) or the port range. As you can see, the syntax of the DNAT and SNAT actions is similar in many ways. Remember that ports may be specified only when the rule’s criteria name the TCP or UDP protocol with the --protocol option.

The DNAT action is difficult to use and requires further explanation. Let’s look at a simple example. We have a web server and we want to allow access to it from the Internet. We have only one real IP address, and the web server is on the local network. The firewall’s real IP address is $INET_IP, the HTTP server has the local address $HTTP_IP, and the firewall has the local address $LAN_IP. To start, add a simple rule to the PREROUTING chain of the nat table:

iptables -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 -j DNAT \
    --to-destination $HTTP_IP

With this rule, all packets arriving on port 80 of $INET_IP are redirected to our internal web server. If we now access the web server from the Internet, everything works perfectly. But what happens if you try to connect to it from your local network? The connection simply does not work. Let’s see how packets coming from the Internet are routed to our web server. For clarity, call the address of the client on the Internet $EXT_BOX.

1. The packet leaves the client node with address $EXT_BOX and is directed to $INET_IP.

2. The packet arrives at our firewall.

3. The firewall, in accordance with the rule above, replaces the destination address and passes the packet on to the other chains.

4. The packet is transmitted to $HTTP_IP.

5. The packet reaches the HTTP server, and the server sends the response through the firewall, provided the firewall is designated in its routing table as the gateway for $EXT_BOX. As a rule, the firewall is the default gateway for the HTTP server.

6. The firewall performs the reverse address translation on the packet, so that it now looks as if the packet was created on the firewall.

7. The packet is transmitted to the client $EXT_BOX.

Now let’s see what happens if the request is sent from a node located on the same local network. For clarity, call the address of the client on the local network $LAN_BOX.

1. The packet leaves $LAN_BOX.

2. It arrives at the firewall.

3. The destination address is translated, but the sender’s address is not; the source address in the packet remains unchanged.

4. The packet leaves the firewall and is sent to the HTTP server.

5. The HTTP server, preparing to send the response, detects that the client is on the local network (because the request packet carried the client’s original IP address, which now becomes the destination address) and therefore sends the response directly to $LAN_BOX.

6. The packet arrives at $LAN_BOX. The client “gets confused” because the response did not come from the node to which it sent the request. The client therefore discards the response packet and continues to wait for the “real” response.

The problem is solved quite simply with SNAT. Here is a rule that does this. It forces the HTTP server to send its responses to our firewall, which then passes them on to the client.

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT \
    --to-source $LAN_IP

Remember that the POSTROUTING chain is processed last, by which point the packet has already undergone DNAT, so the criterion is based on the destination address $HTTP_IP.

If you think you can stop here, you are wrong! Imagine a situation where the client is the firewall itself. Then, unfortunately, the packets will be delivered to local port 80 of the firewall itself, not to $HTTP_IP. To resolve this problem, add the rule:

iptables -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 80 -j DNAT \
    --to-destination $HTTP_IP

Now there should be no more problems with access to our web server.

Everyone should understand that these rules are intended only to handle the addressing of packets correctly. In addition to these rules, you may need to write further rules in the FORWARD chain of the filter table. Don’t forget that by then the packets have already passed through the PREROUTING chain and their destination address has been changed by DNAT.
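
The two packet walks above can be replayed in a small model. This is an added example, not code from the original tutorial: the addresses are constructed stand-ins for $INET_IP, $LAN_IP, $HTTP_IP, $LAN_BOX and $EXT_BOX, and only the PREROUTING DNAT rule and the POSTROUTING SNAT rule for forwarded traffic are modelled (the OUTPUT case is left out).

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addresses standing in for the variables used in the text.
INET_IP = "203.0.113.10"    # firewall, real (external) address
LAN_IP = "192.168.1.1"      # firewall, local address
HTTP_IP = "192.168.1.80"    # web server on the local network
LAN_BOX = "192.168.1.50"    # client on the local network
EXT_BOX = "198.51.100.7"    # client on the Internet
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Result:
    accepted: bool     # did the client accept the reply?
    reply_src: str     # source address of the reply as the client sees it
    path: str          # how the reply travelled back
    server_saw: str    # client address the web server saw (and would log)


class Firewall:
    """The two nat rules for forwarded traffic plus a connection-tracking table."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}   # reply tuple -> (original src, original dst)

    def forward(self, pkt):
        orig = pkt
        # PREROUTING: --dst $INET_IP -p tcp --dport 80 -j DNAT --to-destination $HTTP_IP
        if pkt.dst == INET_IP and pkt.dport == 80:
            pkt = replace(pkt, dst=HTTP_IP)
        # POSTROUTING: -p tcp --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP
        if self.hairpin_snat and pkt.dst == HTTP_IP and pkt.dport == 80:
            pkt = replace(pkt, src=LAN_IP)
        self.conntrack[(pkt.dst, pkt.src, pkt.dport, pkt.sport)] = (orig.src, orig.dst)
        return pkt

    def reverse(self, reply):
        """Undo both translations for a reply that belongs to a tracked connection."""
        key = (reply.src, reply.dst, reply.sport, reply.dport)
        orig_src, orig_dst = self.conntrack[key]
        return replace(reply, src=orig_dst, dst=orig_src)


def fetch(client, hairpin_snat):
    """Send one request from client to $INET_IP:80 and follow the reply back."""
    fw = Firewall(hairpin_snat)
    request = Packet(src=client, dst=INET_IP, sport=40000, dport=80)
    at_server = fw.forward(request)
    reply = Packet(src=at_server.dst, dst=at_server.src, sport=80, dport=at_server.sport)
    if ipaddress.ip_address(reply.dst) in LAN_NET and reply.dst != LAN_IP:
        path = "direct"          # same subnet: the server bypasses the firewall
    else:
        path = "via firewall"    # default gateway, or addressed to $LAN_IP itself
        reply = fw.reverse(reply)
    # The client accepts a reply only from the address it connected to.
    accepted = (reply.src, reply.dst) == (request.dst, request.src)
    return Result(accepted, reply.src, path, at_server.src)


if __name__ == "__main__":
    for client in (EXT_BOX, LAN_BOX):
        for snat in (False, True):
            print(client, "SNAT" if snat else "no SNAT", fetch(client, snat))
```

With the SNAT rule written as above (no source criterion), the server sees $LAN_IP as the client address for every connection, external ones included, so its access log no longer records who connected. Restricting the rule to sources on the local network avoids that.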

6.5.3. DROP Action

This action simply discards the packet, and iptables “forgets” that it ever existed. Dropped packets stop moving entirely; that is, they are not passed on to other tables, as happens with the ACCEPT action. Be aware that this action can have negative effects, because it can leave unclosed “dead” sockets on both the server and the client side. A better approach is to use REJECT, especially when protecting against port scanning.

6.5.4. LOG Action

LOG is the action used to log individual packets and events. The log can contain IP packet headers and other information of interest. The logged information can then be read with dmesg, through syslogd, or with other programs. It is a great tool for debugging your rules. When debugging rules, it is a good idea to use LOG instead of DROP to make sure that your firewall is working flawlessly. Also take a look at ULOG, whose capabilities will certainly appeal to you, because it lets you write the logged information not to the system log but to a MySQL database and so on.

Note: if you have a problem with entries in the system log, the problem lies not with iptables or netfilter but with syslogd. For information on configuring syslogd, see man syslog.conf.

The LOG action has five options, which are listed below.

Table 6-17. LOG Options

Option: --log-level
Example: iptables -A FORWARD -p tcp -j LOG --log-level debug
Description: Specifies the logging level (log level). For a complete list of levels, see the manual page for syslog.conf. Usually you can specify the following levels: debug, info, notice, warn, err, warning, error, crit, alert, emerg and panic. The keyword error means the same as err, warn the same as warning, and panic the same as emerg. Important: in these last three pairs, do not use error, warn, or panic. The priority determines how a message is written to the log. All messages are logged through the kernel facility. If you put the line kern.=info /var/log/iptables in the syslog.conf file, all messages from iptables that use the info level will be written to the file /var/log/iptables. This file will also receive messages from other subsystems that use the info level. For more information on syslog and syslog.conf, I recommend the man pages and the HOWTOs.

Option: --log-prefix
Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
Description: Sets the text (prefix) that will precede every message from iptables. Messages with a specific prefix are then easy to find, for example with grep. The prefix can contain up to 29 characters, including spaces.

Option: --log-tcp-sequence
Example: iptables -A INPUT -p tcp -j LOG --log-tcp-sequence
Description: Logs the TCP sequence number of the packet. The TCP sequence number identifies each packet in the stream and determines how the stream is reassembled. This option is potentially dangerous to the security of the system if the system log is readable by all users. The same is true of any other log containing messages from iptables.

Option: --log-tcp-options
Example: iptables -A FORWARD -p tcp -j LOG --log-tcp-options
Description: Logs various information from the TCP packet header to the system log. This can be useful for debugging. This option takes no additional parameters, like most options of the LOG action.

Option: --log-ip-options
Example: iptables -A FORWARD -p tcp -j LOG --log-ip-options
Description: Logs various information from the IP packet header to the system log. It is in many ways similar to --log-tcp-options, but works only with the IP header.
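
Once rules log with a prefix, the entries can be processed by more than grep. The following added example (not part of the original tutorial) parses LOG output and lists sources that sent bare SYN packets to several different ports; the log lines are constructed samples in the kernel's LOG format, and the function names and the three-port threshold are assumptions.

```python
import re
from collections import defaultdict

# Template for constructed sample lines in the kernel's LOG output format.
_T = ("Mar  3 10:15:0{n} fw kernel: {prefix}IN=eth0 OUT= "
      "MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC={src} DST=203.0.113.10 "
      "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40000 "
      "DPT={dpt} WINDOW=29200 RES=0x00 {flags} URGP=0")

# The kernel prints the prefix immediately before "IN=", so the prefix from the
# example rule ("INPUT packets", no trailing space) appears fused with that field.
SAMPLE = [
    _T.format(n=1, prefix="INPUT packets", src="198.51.100.7", dpt=22, flags="SYN"),
    _T.format(n=2, prefix="INPUT packets", src="198.51.100.7", dpt=23, flags="SYN"),
    _T.format(n=3, prefix="INPUT packets", src="198.51.100.7", dpt=80, flags="SYN"),
    _T.format(n=4, prefix="INPUT packets", src="192.0.2.33", dpt=22, flags="SYN"),
    _T.format(n=5, prefix="INPUT packets", src="192.0.2.33", dpt=22, flags="ACK PSH"),
    _T.format(n=6, prefix="FWD: ", src="198.51.100.7", dpt=443, flags="SYN"),
    "Mar  3 10:15:09 fw sshd[811]: Connection closed by 198.51.100.7",
]

# "kernel: ", an optional "[uptime] " stamp, the rule's prefix, then the fields.
LINE_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=(?P<fields>.*)$")


def parse_log_line(line):
    """Return a dict for one LOG entry, or None if the line is not LOG output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for token in ("IN=" + m.group("fields")).split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value             # SRC=..., DPT=..., TTL=...
        elif token.isalpha():
            rec["flags"].add(token)      # DF, SYN, ACK, PSH, RST, ...
    return rec


def scan_suspects(lines, prefix, min_ports=3):
    """Sources that sent bare SYNs to at least min_ports distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["prefix"].strip() != prefix.strip():
            continue
        flags = rec["flags"]
        if rec.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            ports[rec["SRC"]].add(int(rec["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print(scan_suspects(SAMPLE, "INPUT packets"))
```

Ending the prefix with a space (for example "INPUT packets ") keeps it from running into the IN= field in the log; that still fits within the 29-character limit.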

6.5.5. MARK Action

Used to set marks on particular packets. This action can be performed only within the mangle table. Marking is typically used for routing packets over different routes, for limiting traffic, and so on. For more information, refer to the Linux Advanced Routing and Traffic Control HOW-TO. Don’t forget that a packet’s mark exists only for as long as the packet has not left the firewall; that is, the mark is not carried across the network. If you need to mark packets so that the mark can be used on another machine, you can try manipulating the bits of the TOS field.

Table 6-18. MARK Options

Option: --set-mark
Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
Description: The --set-mark option sets the mark on the packet. It must be followed by an unsigned integer.

6.5.6. MASQUERADE Action

Masquerading (MASQUERADE) is essentially the same as SNAT, but has no --to-source option. The reason is that masquerading is meant to work with dial-up connections or DHCP, that is, where the IP address is assigned to the device dynamically. If you have a dynamic connection, you need to use masquerading; if you have a static IP address, the better choice is certainly SNAT.

Masquerading obtains the IP address from the specified network interface, instead of having it given directly as with the --to-source option of the SNAT action. MASQUERADE also has the useful property of “forgetting” connections when the network interface goes down. With SNAT, in this situation, the tracking data for the lost connections remains and can be kept for up to a day, consuming valuable memory. This “forgetfulness” makes sense because when an interface with a dynamic IP address goes down, there is a chance that you will get a different IP address the next time it comes up; in that case all existing connections are lost anyway, and it would be pointless to keep the tracking information.

As you have gathered, MASQUERADE can be used instead of SNAT even if you have a static IP address. However, despite its positive features, masquerading should not be considered the preferred choice in that case, because it puts a greater load on the system.

The MASQUERADE action is allowed only in the POSTROUTING chain of the nat table, just like SNAT. MASQUERADE has one option, described below, whose use is optional.

Table 6-19. MASQUERADE Options

Option: --to-ports
Example: iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000
Description: The --to-ports option specifies the source port or port range for outgoing packets. You can specify a single port, for example --to-ports 1025, or a port range, for example --to-ports 1024-3000. This option can be used only in rules whose criteria explicitly specify the TCP or UDP protocol with the --protocol option.

6.5.7. MIRROR Action

The MIRROR action should be used only for experimentation and demonstration purposes, because it can cause packets to loop and lead to denial of service. MIRROR swaps the source and destination fields in the packet and sends the packet back out to the network. Using this action can produce rather amusing results; it is probably quite comical to watch some would-be hacker trying to “hack” his own computer!

This action is allowed only in the INPUT, FORWARD and PREROUTING chains, and in chains called from one of these three. Packets sent to the network by MIRROR are no longer subject to filtering, connection tracking or NAT, which avoids loops and other trouble. This does not mean, however, that the action is free of problems. Imagine, for example, that a packet with TTL = 255 arrives at a host that uses MIRROR from another such host, and the packet matches the mirroring rule. The packet is reflected back to that host, and since the receiver and the sender are only 1 hop apart, the packet will bounce back and forth 255 times. Not bad for a cracker: with a maximum packet size of 1500 bytes, we would lose up to 380 KB of traffic!

6.5.8. QUEUE Action

The QUEUE action places a packet in a queue for processing by a user-space process. It can be used for accounting, proxying or additional filtering of packets.

Translator’s note: the author goes on to explain at length that a discussion of this topic goes far beyond the scope of the document, and so on; so, without further ado, here is an excerpt translated by virii5 aka Danilchenko:

“… For this target to be useful, two additional components are needed:

a “queue handler”, which does the work of passing packets between the kernel and the user application; and

a user application that receives packets, possibly processes them, and decides their fate.

The standard queue handler for IPv4 is the ip_queue module, which is distributed with the kernel and is marked as experimental. Below is an example of how you can use iptables to send packets to a user application:

# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE

This rule passes locally generated ICMP packets (such as those created by the ping command) to the ip_queue module, which then attempts to hand them to a user application. If no such application is found, the packets are dropped. To write a user program for processing packets, use the libipq API. It is distributed with the iptables package. Examples can be found in the testsuite tools (e.g. redirect.c) in CVS. The status of ip_queue can be checked via /proc/net/ip_queue. The maximum queue length (that is, the number of packets passed to the user application without confirmation of processing) can be controlled via /proc/sys/net/ipv4/ip_queue_maxlen. The default maximum queue length is 1024. Once this limit is reached, new packets are dropped until the queue length falls below the limit. Good protocols such as TCP interpret dropped packets as congestion in the transmission channel and cope with it successfully (as far as I remember, the packet will simply be resent by the remote side; translator’s note). However, some experimentation may be needed to determine the optimal queue length in each case if the default queue is too small… ”

6.5.9. REDIRECT Action

Redirects packets and streams to another port on the same machine. For example, packets arriving on the HTTP port can be redirected to the port of an HTTP proxy. The REDIRECT action is very useful for transparent proxying, where the machines on the local network are not even aware that the proxy exists.

REDIRECT can be used only in the PREROUTING and OUTPUT chains of the nat table and, of course, in nested chains called from them. REDIRECT has only one option.

Table 6-20. REDIRECT Action

Option: --to-ports
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Description: The --to-ports option specifies the destination port or port range. If --to-ports is not given, no redirection takes place and the packet goes to the port it was originally addressed to. In the example above, --to-ports 8080 specifies a single destination port. To specify a range of ports, write something like --to-ports 8080-8090. This option can be used only in rules whose criteria explicitly specify the TCP or UDP protocol with the --protocol option.

6.5.10. REJECT Action

The REJECT action is generally used in the same situations as DROP, but unlike DROP it sends an error message back to the host that sent the packet. At present REJECT can be used only in the INPUT, FORWARD and OUTPUT chains (and in chains nested in them). For now there is only a single option controlling the behavior of REJECT.

Table 6-21. REJECT Action

Option: --reject-with
Example: iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
Description: Specifies which message to send in reply if the packet matches the specified criterion. When REJECT is applied to a packet, the reply is first sent to the sending host, and then the packet is dropped. The following reply types can be used: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited. The default is the port-unreachable message. All of the above reply types are ICMP error messages. For more information on ICMP message types, see ICMP types. Finally, there is one more reply type, tcp-reset, which is used only for TCP. If tcp-reset is specified, REJECT replies with a TCP RST packet; TCP RST packets are used to close TCP connections. For more information, see RFC 793, Transmission Control Protocol. (You can get a list of the ICMP reply types and their aliases by running the command iptables -j REJECT -h.)

6.5.11. RETURN Action

The RETURN action stops the packet’s traversal of the current chain of rules and returns it to the calling chain if the current chain was nested; if the current chain is a top-level chain (for example, INPUT), the default policy is applied to the packet. Usually the default policy is ACCEPT or DROP.

For example, suppose a packet enters the INPUT chain and meets a rule that jumps to a nested chain: --jump EXAMPLE_CHAIN. In EXAMPLE_CHAIN the packet then meets a rule that performs --jump RETURN. The packet is then returned to the INPUT chain. As another example, suppose the packet meets a rule that performs --jump RETURN in the INPUT chain itself. Then the default policy of the INPUT chain is applied to the packet.
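
The traversal rules described in this chapter (a jump into a nested chain, falling off its end, RETURN in a nested and in a top-level chain, the non-terminating LOG, and the default policy) fit in a short model. This is an added example, not code from the original tutorial: it covers a single table only, and the rule set, the packet dictionaries and the function names are constructed for illustration.

```python
TERMINATING = {"ACCEPT", "DROP"}
BUILTIN_TARGETS = TERMINATING | {"LOG", "RETURN"}


def undefined_jumps(chains):
    """Jump targets naming chains that were never created (iptables -N)."""
    return sorted({target for rules in chains.values() for _, target in rules
                   if target not in BUILTIN_TARGETS and target not in chains})


def run_chain(chains, name, pkt, trace):
    """Walk one chain; return a verdict, or None to hand back to the caller."""
    for idx, (match, target) in enumerate(chains[name], start=1):
        if not match(pkt):
            continue
        trace.append(f"{name}#{idx} -j {target}")
        if target in TERMINATING:
            return target                 # ends traversal in the callers too
        if target == "RETURN":
            return None                   # back to the caller (or to the policy)
        if target == "LOG":
            continue                      # non-terminating: keep testing rules
        verdict = run_chain(chains, target, pkt, trace)   # jump to nested chain
        if verdict is not None:
            return verdict
        # nested chain ended or hit RETURN: resume with the rule after the jump
    return None


def filter_packet(chains, policies, builtin, pkt):
    """Return (verdict, trace) for a packet entering the given built-in chain."""
    trace = []
    verdict = run_chain(chains, builtin, pkt, trace)
    if verdict is None:
        verdict = policies[builtin]
        trace.append(f"{builtin} policy {verdict}")
    return verdict, trace


def proto(name, dport=None):
    """Match on protocol and, optionally, destination port."""
    return lambda pkt: pkt["proto"] == name and dport in (None, pkt.get("dport"))


# Constructed rule set; tcp_packets is the user-defined chain used in the text.
CHAINS = {
    "INPUT": [
        (proto("tcp"), "tcp_packets"),    # iptables -A INPUT -p tcp -j tcp_packets
        (proto("icmp"), "RETURN"),        # RETURN in a top-level chain
        (lambda pkt: True, "LOG"),
        (proto("udp", 53), "ACCEPT"),
    ],
    "tcp_packets": [
        (proto("tcp", 22), "ACCEPT"),
        (proto("tcp", 23), "RETURN"),
        (proto("tcp", 80), "LOG"),
    ],
}
POLICIES = {"INPUT": "DROP"}

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 23},
                {"proto": "tcp", "dport": 80}, {"proto": "icmp"},
                {"proto": "udp", "dport": 53}):
        print(pkt, *filter_packet(CHAINS, POLICIES, "INPUT", pkt))
```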

6.5.12. SNAT Action

SNAT (Source Network Address Translation) is used to rewrite the source IP address in the IP packet header. For example, this action can be used to give other computers on the local network access to the Internet with only one unique IP address. To do this, you must enable packet forwarding in the kernel and then create a rule that translates the source IP addresses of your network into the real external address. As a result, the outside world knows nothing about our local network; it will assume that the requests came from our firewall.

SNAT is allowed only in the nat table, in the POSTROUTING chain. In other words, only here can source addresses be translated. If the first packet of a connection had its source address translated, all subsequent packets of the same connection are translated automatically and do not pass through this chain of rules.

Table 6-22. SNAT Action

Option: --to-source
Example: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 1024-32000
Description: The --to-source option specifies the address assigned to the packet. It is simple: you specify the IP address that will be substituted as the source in the outgoing packet header. If you intend to balance the load between several firewalls, you can specify a range of addresses, with the first and last addresses of the range separated by a hyphen. A specific IP address is then chosen at random from the range for each new stream. Optionally, you can specify a range of ports to be used only for SNAT. All source ports are then remapped into the specified range. iptables tries to avoid remapping ports where possible, but this is not always possible, and then remapping takes place. If no port range is specified, source ports below 512 are remapped into the range 0-511, ports in the range 512-1023 are remapped into the range 512-1023, and ports in the range 1024-65535 are remapped into the range 1024-65535. Destination ports are not remapped.

6.5.13. TOS Action

The TOS action is used to set bits in the Type of Service field of the IP header. The TOS field is 8 bits wide and is used in routing packets. It is one of several fields used by iproute2. It is also important to remember that this field may be handled by various routers when choosing a route for the packet. As mentioned above, this field, unlike MARK, keeps its value as the packet travels across the network and can therefore be used to route the packet. At present most routers on the Internet do not act on this field, but some do look at it. If you use this field for your own needs, such routers may make the wrong decision when choosing a route, so it is best to use it for your own purposes only within your LAN or WAN.

The TOS action accepts only the predefined numeric values and mnemonics, which you can find in linux/ip.h. If you really need to set arbitrary values in the TOS field, you can use the FTOS patch from the Paksecured Linux Kernel patches site, maintained by Matthew G. Marsh. However, be very careful with this patch. Do not use non-default TOS values except in special situations.

This action can be performed only within the mangle table.

In some older versions of iptables (1.2.2 and below) this action was implemented with a bug (the packet checksum was not corrected), which violates the protocol and, as a result, causes such connections to be terminated.

The TOS action has only one option, which is described below.

Table 6-23. TOS Action

Option: --set-tos
Example: iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10
Description: The --set-tos option takes a numeric value in decimal or hexadecimal form. Since the TOS field is 8 bits wide, you can specify a number in the range from 0 to 255 (0x00-0xFF). However, most values of this field are not used. It is possible that the numeric values will change in future TCP/IP implementations, so, to avoid mistakes, it is better to use the mnemonic names: Minimize-Delay (16 or 0x10), Maximize-Throughput (8 or 0x08), Maximize-Reliability (4 or 0x04), Minimize-Cost (2 or 0x02) or Normal-Service (0 or 0x00). By default, most packets carry Normal-Service, or 0. You can get the list of mnemonics by running the command iptables -j TOS -h.

6.5.14. TTL Action

The TTL action is used to change the contents of the Time To Live field in the IP header. One option PR

Option: --ttl-set
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
Description: Sets the TTL field to the specified value. A good value is around 64: not too large and not too small. Do not set the value too high, as this can have nasty effects on your network. Imagine a packet caught in a loop between two incorrectly configured routers: the larger the TTL, the greater the risk of losing a large share of the bandwidth.

Option: --ttl-dec
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-dec 1
Description: Decreases the value of the TTL field by the specified number. For example, if an incoming packet has a TTL of 53 and we apply --ttl-dec 3, the packet leaves our host with a TTL of 49. Do not forget that the network code automatically decreases the TTL by 1, so in fact we get 53 - 3 - 1 = 49.

Option: --ttl-inc
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
Description: Increases the value of the TTL field by the specified number. Taking the previous example, if we receive a packet with TTL = 53, then after --ttl-inc 4 the packet leaves our host with TTL = 56; do not forget the automatic decrement of the TTL field by the kernel’s network code, so in fact we get 53 + 4 - 1 = 56. Increasing the TTL field can be used to make our firewall less visible to traceroutes. Tracing programs are loved for the valuable information they give when looking for problem areas, and hated because this information can be abused by crackers. For an example, see the script Ttl-inc.txt.

6.5.15. ULOG Action

The ULOG action provides the ability to log packets in user space. It replaces the traditional LOG action, which is based on the system log. With this action, the packet is passed over a netlink socket to a special daemon, which can perform very detailed logging in a variety of formats (plain text file, MySQL database, etc.) and also supports plug-ins for generating different output formats and handling network protocols. The user-space part, ULOGD, is available from the ULOGD project page.

Table 6-25. ULOG Options

Option: --ulog-nlgroup
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
Description: The --ulog-nlgroup option tells ULOG which netlink group the packet is to be passed to. There are 32 groups (from 1 to 32). To send the packet to group 5, simply specify --ulog-nlgroup 5. The default is group 1.

Option: --ulog-prefix
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt:"
Description: The --ulog-prefix option has the same meaning as the corresponding option of the LOG action. The prefix string must not exceed 32 characters.

Option: --ulog-cprange
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
Description: The --ulog-cprange option determines how much of the packet, in bytes, is sent to the ULOG daemon. If you specify 100, as in the example, only 100 bytes of the packet are passed to the daemon, that is, the packet header and some part of the packet data. If you specify 0, the whole packet is passed, regardless of its size. The default value is 0.

Option: --ulog-qthreshold
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
Description: The --ulog-qthreshold option sets the size of the buffer in the kernel. For example, if you set the buffer to 10, as in the example, the kernel accumulates logged packets in an internal buffer and passes them to user space in groups of 10 packets. The default buffer size is 1, for backward compatibility with earlier versions of ulogd, which could not accept groups of packets.