|
About
Coreteam Contributors History License Thanks PGP key Projects iptables libnfnetlink libnetfilter_log libnetfilter_queue libnetfilter_conntrack conntrack-tools ipset nf-hipac patch-o-matic-ng base repository extra repository external repository ulogd Downloads git Repository ftp Server rsync Server News Moving to GIT 6th Netfilter Workshop libnfnetlink release conntrack-tools 0.9.6 release libnetfilter_conntrack release iptables-1.4.0 Michael Rash's book libnetfilter_conntrack release iptables-1.4.0rc1 security announces libnetfilter_queue release libnfnetlink release conntrack-tools-0.9.5 release libnetfilter_conntrack release conntrack-tools-0.9.4 release libnetfilter_conntrack release iptables-1.3.8 conntrack-tools release libnetfilter_conntrack release Netfilter Workshop new PGP key Pablo Neira Ayuso joins core team library releases iptables-1.3.7 iptables-1.3.6 iptables-1.3.5 ulogd-1.24 ulogd-2.00beta1 library releases iptables-1.3.4 Yasuyuki Kozakai joins core team planet.netfilter.org conntrack-0.81 iptables-1.3.3 Documentation FAQ HOWTOs Events Tutorials Various other docs Security Information Mailing Lists List Rules netfilter-announce list netfilter list netfilter-devel list netfilter-failover list Contact bugzilla coreteam webmaster imprint / postal address Supporting netfilter Licensing Events Links Mirrors About website |
netfilter/iptables - Patch-o-Matic Listing - externalACCOUNT IPMARK condition connlimit geoip ipp2p pknock time
This patch adds the ACCOUNT target The ACCOUNT target is a high performance accounting system for local networks. It takes two parameters: --addr network/netmask and --tname NAME. --addr is the subnet which is accounted for --tname is the table name where the information is stored The data can be queried later using the libipt_ACCOUNT userspace library or by the "iptaccount" tool which is part of the libipt_ACCOUNT package. A special subnet is "0.0.0.0/0": All data is stored in the src_bytes and src_packets structure of slot "0". This is useful if you want to account the overall traffic to/from your internet provider. For more information go to http://www.intra2net.com/de/produkte/opensource/ipt_account/
This option adds a `IPMARK' target, which allows you to mark
a received packet basing on its IP address. This can replace even
thousands of mangle/mark or tc entries with only one.
This target is to be used inside the mangle table, in the PREROUTING,
POSTROUTING or FORWARD hooks.
IPMARK target options:
--addr src/dst Use source or destination IP address.
--and-mask mask Perform bitwise `and' on the IP address and this mask.
--or-mask mask Perform bitwise `or' on the IP address and this mask.
The order of IP address bytes is reversed to meet "human order of bytes":
192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
`or'.
Examples:
We create a queue for each user, the queue number is adequate
to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
Earlier we had thousands of tc filter rules:
tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.2 flowid 1:502
tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.3 flowid 1:503
...
or thousands of MARK rules (with tc fw classifier):
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
--set-mark 0x10502
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
--set-mark 0x10503
...
Using IPMARK target we can replace all the mangle/mark rules with ONLY ONE:
iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
--and-mask=0xffff --or-mask=0x10000
and all previous tc filter classifier rules with ONLY ONE:
tc filter add dev eth3 parent 1:0 protocol ip fw
On the routers with hundreds of users there should be significant load
decrease (e.g. twice).
This option allows you to match firewall rules against condition variables stored in the /proc/net/ipt_condition directory. Multiple rules can match on a single condition variable. Example: iptables -A INPUT -p tcp -m condition --condition web_ok --dport 80 -j ACCEPT To allow this rule to match: echo 1 > /proc/net/nf_condition/web_ok To disable this rule: echo 0 > /proc/net/nf_condition/web_ok NB: it was /proc/net/ipt_condition on 2.4.
This adds an iptables match which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block). Examples: # allow 2 telnet connections per client host iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT # you can also match the other way around: iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized # network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \ --connlimit-mask 24 -j REJECT
This patch makes possible to match a packet
by its source or destination country.
GeoIP options:
[!] --src-cc, --source-country country[,country,country,...]
Match packet coming from (one of)
the specified country(ies)
[!] --dst-cc, --destination-country country[,country,country,...]
Match packet going to (one of)
the specified country(ies)
NOTE: The country is inputed by its ISO3166 code.
The only extra files you need is a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.
This option makes possible to match some P2P packets therefore helps controlling such traffic. Dropping all matches prohibits P2P networks. Combined with conntrack, CONNMARK and a packet scheduler it can be used for accounting or shaping of P2P traffic. Examples: iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
This patch allows you to implement Port Knocking and SPA (Simple Packet Authentication) in kernel space. pknock options: --knockports port[,port,port,...] Matches destination port(s). --time seconds --t seconds Time between port match. --opensecret [secret] hmac must be in the packets. --closesecret [secret] --strict Knocks sequence must be exact. --name [rule_name] Rule name. --checkip Matches if the source ip is in the list. --chkip Example: iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -m state --state NEW \ -m pknock --knockports 3000,2000,5000 --time 10 --name SSH \ -m tcp --dport 22 -j ACCEPT For more information go to http://portknocko.berlios.de/
This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).
Supported options are:
[ --timestart value ]
Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
[ --timestop value ]
Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
[ --days listofdays ]
Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
[ --datestart date ]
Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 1970)
[ --datestop date ]
Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 2037)
Example:
-A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
to Friday.
-A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
will match the packets (locally generated) that have a departure timestamp
in the range 8:00->18:00 on Monday only, until 2010
NOTE: the time match does not track changes in daylight savings time
|
