Archive for February, 2008

O’Reilly Books Latest LAMP Titles: (Web hosting plans) mod_perl Pocket Reference

Friday, February 29th, 2008

iptables is always invoked with one of the following commands:

-A chain rules, --append chain rules
    Append new rules to chain.

-I chain number rules, --insert chain number rules
    Insert rules into chain at the ordinal position given by number.

-D chain rules, --delete chain rules
    Delete rules from chain. Rules can be specified by their ordinal number in the chain as well as by a general rule description.

-R chain number rule, --replace chain number rule
    Replace a rule in chain. The rule to be replaced is specified by its ordinal number.

-C chain rule, --check chain rules
    Check how chain will handle a network packet that matches the given rule. The rule must describe the source, destination, protocol, and interface of the packet to be constructed.

-L [chain], --list chain
    List the rules in chain or all chains if chain is not specified.

-F [chain], --flush chain
    Remove all rules from chain or from all chains if chain is not specified.

-Z [chain], --zero chain
    Zero the packet and byte counters in chain. If no chain is specified, all chains will be reset. When used without specifying a chain and combined with the -L command, it lists the current counter values before they are reset.

-N chain, --new-chain chain
    Create a new chain. The chain’s name must be unique. This is how user-defined chains are created.

-X [chain], --delete-chain chain
    Delete the specified user-defined chain or all user-defined chains if no chain is specified.

-P chain target, --policy chain target
    Set the default policy for a built-in chain; the target itself cannot be a chain.

-E old-chain new-chain, --rename-chain old-chain new-chain
    Rename old-chain to new-chain.

Web design rates - Sponsored by: Search | Newsletter | Conference |

Friday, February 29th, 2008

Alphabetical Directory of Linux Commands

This directory of Linux commands is from Linux in a Nutshell, 3rd Edition.

iptables command [options]

System administration command. Configure netfilter filtering rules. In the 2.4 kernel, the ipchains firewall capabilities are replaced with the netfilter kernel module. netfilter can be configured to work just like ipchains, but it also comes with the module iptables, which is similar to ipchains but extensible. iptables rules consist of some matching criteria and a target, a result to be applied if the packet matches the criteria. The rules are organized into chains. You can use these rules to build a firewall, masquerade your local area network, or just reject certain kinds of network connections.

There are three built-in tables for iptables: one for network filtering (filter), one for Network Address Translation (nat), and the last for specialized packet alterations (mangle). Firewall rules are organized into chains, ordered checklists of rules that the kernel works through looking for matches. The filter table has three built-in chains: INPUT, OUTPUT, and FORWARD. The INPUT and OUTPUT chains handle packets originating from or destined for the host system. The FORWARD chain handles packets just passing through the host system. The nat table also has three built-in chains: PREROUTING, POSTROUTING, and OUTPUT. mangle has only two chains: PREROUTING and OUTPUT.

netfilter checks packets entering the system. After applying any PREROUTING rules, it passes them to the INPUT chain, or to the FORWARD chain if the packet is just passing through. Upon leaving the system, packets are passed to the OUTPUT chain and then on to any POSTROUTING rules. Each of these chains has a default target, a policy, in case no match is found. User-defined chains can also be created and used as targets for packets but do not have default policies. If no match can be found in a user-defined chain, the packet is returned to the chain from which it was called and tested against the next rule in that chain.

iptables only changes the rules in the running kernel. When the system is powered off, all changes are lost. You can use the iptables-save command to make a script you can run with iptables-restore to restore your firewall settings. Such a script is often called at bootup. Many distributions will have an iptables initialization script that uses the output from iptables-save.

Commands

Copyright 2000-2002 O’Reilly & Associates, Inc. (Web hosting unlimited bandwidth) All

Thursday, February 28th, 2008

Copyright 2000-2002 O’Reilly & Associates, Inc. All Rights Reserved. All trademarks and registered trademarks appearing on the O’Reilly Network are the property of their respective owners. For problems or assistance with this site, email help@oreillynet.com

Cheapest web hosting - originated from the local host. Recognizes reverse packets

Wednesday, February 27th, 2008

originated from the local host. Recognizes reverse packets and automatically demasquerades them, bypassing the forwarding firewall. This option is valid only in forwarding firewall rules with policy accept. The kernel must have been compiled with CONFIG_IP_MASQUERADE defined.

-n
    Numeric output. Print IP addresses and port numbers in numeric format.

-o
    Log packets that match this rule to the kernel log. This option is valid only with the -a, -i, and -d commands. The kernel must have been compiled with CONFIG_IP_FIREWALL_VERBOSE defined.

-r [port]
    Redirect packets to a local socket, even if they were sent to a remote host. If port is 0 (the default), the packet’s destination port is used. This option is valid only in input firewall rules with policy accept. The kernel must have been compiled with CONFIG_IP_TRANSPARENT_PROXY defined.

-t andmask xormask
    Specify masks used for modifying the TOS field in the IP header. When a packet is accepted (with or without masquerading) by a firewall rule, its TOS field is bitwise ANDed with andmask, and the result is bitwise XORed with xormask. The masks are specified as 8-bit hexadecimal values. This option is valid only with the -a, -i, and -d commands and has no effect when used with accounting rules or with firewall rules for rejecting or denying a packet.

-v
    Verbose output. Print detailed information about the rule or packet to be added, deleted, or checked. This option is valid only with the -a, -i, -d, and -c commands.

-x
    Expand numbers. Display the exact value of the packet and byte counters, instead of a rounded value. This option is valid only when the counters are being listed anyway (see also the -e option).

-y
    Match TCP packets with the SYN bit set and the ACK bit cleared. This option is ignored for packets of other protocols and is valid only with the -a, -i, and -d commands.

The protocol of the rule or packet; possible (Multiple domain web hosting)

Wednesday, February 27th, 2008

The protocol of the rule or packet; possible values are tcp, udp, icmp, or all. Defaults to all, which matches all protocols. -P cannot be specified with the -c command.

-S address[/mask] [port …]
    The source IP address, specified as a hostname, a network name, or an IP address. The source address and mask default to 0.0.0.0/0. If -S is specified, -P must also be specified. The optional mask is specified as a network mask or as the number of 1s on the left of the network mask (e.g., a mask of 24 is equivalent to 255.255.255.0). The mask defaults to 32. One or more values of port may optionally be specified, indicating what ports or ICMP types the rule applies to. The default is all. Ports may be specified by their /etc/services entry. The syntax for indicating a range of ports is:

        lowport:highport

    For example:

        -S 172.29.16.1/24 ftp:ftp-data

-V address
    The address of the network interface the packet is received from (if category is -I) or is being sent to (if category is -O). address can be a hostname or an IP address, and defaults to 0.0.0.0, which matches any interface address. -V is required with the -c command:

        -V 172.29.16.1

-W name
    Identical to -V but takes a device name instead of its address:

        -W ppp0

Options

-b
    Bidirectional mode. The rule matches IP packets in both directions. This option is valid only with the -a, -i, and -d commands.

-e
    Extended output. Used with the -l command to also show the interface address and any rule options. When listing firewall rules, also shows the packet and byte counters and the TOS (Type of Service) masks. When used with -M, also shows information related to delta sequence numbers.

-k
    Match TCP acknowledgment packets (i.e., only TCP packets with the ACK bit set). This option is ignored for all other protocols and is valid only with the -a, -i, and -d commands.

-m
    Accept masquerade packets for forwarding, making them appear to have

XML removed. Only the first matching rule in (Most popular web site)

Tuesday, February 26th, 2008

removed. Only the first matching rule in the list of rules is deleted.

-f
    Remove (flush) all rules for the category.

-h
    Display a help message with a brief description of the command syntax. Specified with no category:

        % ipfwadm -h

-i [policy]
    Insert a new rule at the beginning of the selected list for the category. No policy is specified for accounting rules. For firewall rules, a policy is required. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-l
    List all rules for the category. This option may be combined with the -z option to reset the packet and byte counters after listing their current values. Unless the -x option is also specified, the packet and byte counters are shown as numberK or numberM, rounded to the nearest integer. See also the -e option described under “Options” later.

-p policy
    Change the default policy for the selected type of firewall to policy. The default policy is used when no matching rule is found. Valid only with -I, -O, or -F.

-s tcp tcpfin udp
    Set the masquerading timeout values; valid only with -M. The three parameters are required and represent the timeout value in seconds for TCP sessions, TCP sessions after receiving a FIN packet, and UDP packets, respectively. A timeout value of 0 preserves the current timeout value of the corresponding entry.

-z
    Reset the packet and byte counters for all rules in the category. This command may be combined with the -l command.

Parameters

The following parameters can be specified with the -a, -i, -d, or -c commands, except as noted. Multiple parameters can be specified on a single ipfwadm command line.

-D address[/mask] [port …]
    The destination specification (optional). See the description of -S for the syntax, default values, and other requirements. ICMP types cannot be specified with -D.

-P protocol

O’Reilly Books Latest LAMP Titles: mod_perl Pocket Reference (Web server)

Monday, February 25th, 2008

Count both incoming and outgoing packets; this is the default.

-F
    IP forwarding firewall rules.

-I
    IP input firewall rules.

-M
    IP masquerading administration. Can be used only with the -l or -s command.

-O
    IP output firewall rules.

Commands

The category is followed by a command indicating the specific action to be taken. Unless otherwise specified, only one action can be given on a command line. For the commands that can include a policy, the valid policies are:

accept
    Allow matching packets to be received, sent, or forwarded.

deny
    Block matching packets from being received, sent, or forwarded.

reject
    Block matching packets from being received, sent, or forwarded and also return an ICMP error message to the sending host.

The commands are:

-a [policy]
    Append one or more rules to the end of the rules for the category. No policy is specified for accounting rules. For firewall rules, a policy is required. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-c
    Check whether this IP packet would be accepted, denied, or rejected by the type of firewall represented by this category. Valid only when the category is -I, -O, or -F. Requires the -V parameter to be specified (see “Parameters,” later).

-d [policy]
    Delete one or more entries from the list of rules for the category. No policy is specified for accounting rules. The parameters specified with this command must exactly match the parameters from an append or insert command, or no match will be found and the rule will not be

Sponsored by: Search | Newsletter | Conference | (Web hosting directory)

Sunday, February 24th, 2008

ipfwadm category command parameters [options]
ipfwadm -M [ -l | -s ] [options]

Administer a firewall and its rules, firewall accounting, and IP masquerading in the 2.0 Linux kernel. This command is replaced with ipchains in the 2.2 kernel, and ipchains is replaced by iptables in the 2.4 kernel.

There are four categories of rules: IP packet accounting, IP input firewall, IP output firewall, and IP forwarding firewall. The rules are maintained in lists, with a separate list for each category. See the manpage for ipfw(4) for a more detailed description of how the lists work.

Each ipfwadm command specifies only one category and one rule. To create a secure firewall, you issue multiple ipfwadm commands; the combination of their rules works together to ensure that your firewall operates as you intend it to.

The second form of the command is for masquerading. The commands -l and -s described in the later list are the only ones that can be used with the masquerading category, -M.

Categories

One of the following flags is required to indicate the category of rules to which the command that follows the category applies.

-A [direction]
    IP accounting rules. Optionally, a direction can be specified:

    in
        Count only incoming packets.

    out
        Count only outgoing packets.

    both

