In this section, we will attempt to explain the usage of new netfilter matches. The patches will appear in alphabetical order. Additionally, we will not explain patches that break other patches. But this might come later.
Generally speaking, for matches, you can get the help hints from a particular module by typing :
# iptables -m the_match_you_want --help
This would display the normal iptables help message, plus the specific ``the_match_you_want'' match help message at the end.
This patch by Yon Uriarte <yon@astaro.de> adds 2 new matches :
This patch can be quite useful for people using IPSEC who are willing to discriminate connections based on their SPI.
For example, we will drop all the AH packets that have a SPI equal to 500 :
# iptables -A INPUT -p 51 -m ah --ahspi 500 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP ipv6-auth-- anywhere anywhere ah spi:500
Supported options for the ah match are :
-> match spi (range)
The esp match works exactly the same :
# iptables -A INPUT -p 50 -m esp --espspi 500 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP ipv6-crypt-- anywhere anywhere esp spi:500
Supported options for the esp match are :
-> match spi (range)
Do not forget to specify the proper protocol through ``-p 50'' or ``-p 51'' (for esp & ah respectively) when you use the ah or esp matches, or else the rule insertion will simply abort for obvious reasons.
This patch by Stephane Ouellette <ouellettes@videotron.ca> adds a new match that is used to enable or disable a set of rules using condition variables stored in `/proc' files.
Notes:
Supported options for the condition match are :
-> match on condition variable.
For example, if you want to prohibit access to your web server while doing maintenance, you can use the following :
# iptables -A FORWARD -p tcp -d 192.168.1.10 --dport http -m condition --condition webdown -j REJECT --reject-with tcp-reset
# echo 1 > /proc/net/ipt_condition/webdown
The following rule will match only if the ``webdown'' condition is set to ``1''.
This patch by Marc Boucher <marc+nf@mbsi.ca> adds a new general conntrack match module (a superset of the state match) that allows you to match on additional conntrack information.
For example, if you want to allow all the RELATED connections for TCP protocols only, then you can proceed as follows :
# iptables -A FORWARD -m conntrack --ctstate RELATED --ctproto tcp -j ACCEPT
# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED
Supported options for the conntrack match are :
-> State(s) to match. The "new" `SNAT' and `DNAT' states are virtual ones, matching if the original source address differs from the reply destination, or if the original destination differs from the reply source.
-> Protocol to match; by number or name, eg. `tcp'.
-> Original source specification.
-> Original destination specification.
-> Reply source specification.
-> Reply destination specification.
-> Status(es) to match.
-> Match remaining lifetime in seconds against value or range of values (inclusive).
This patch by Hime Aguiar e Oliveira Jr. <hime@engineer.com> adds a new module which allows you to match packets according to a dynamic profile implemented by means of a simple Fuzzy Logic Controller (FLC).
This match implements a TSK FLC (Takagi-Sugeno-Kang Fuzzy Logic Controller). The basic idea is that the match is given two parameters that tell it the desired filtering interval.
Taking into account that the sampling rate is variable and is of approximately 100ms (on a busy machine), the author believes that the module presents good responsiveness, adapting fast to changing traffic patterns.
For example, if you wish to avoid Denials Of Service, you could use the following rule:
iptables -A INPUT -m fuzzy --lower-limit 100 --upper-limit 1000 -j REJECT
Supported options for the fuzzy patch are :
-> Desired upper bound for traffic rate matching.
-> Lower bound over which the FLC starts to match.
This patch by Gerd Knorr <kraxel@bytesex.org> adds a new match that will allow you to restrict the number of parallel TCP connections from a particular host or network.
For example, let's limit the number of parallel HTTP connections made by a single IP address to 4 :
# iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN #conn/32 > 4 reject-with icmp-port-unreachable
Or you might want to limit the number of parallel connections made by a whole class A for example :
# iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-mask 8 --iplimit-above 4 -j REJECT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN #conn/8 > 4 reject-with icmp-port-unreachable
Supported options for the iplimit patch are :
-> match if the number of existing tcp connections is (not) above n
-> group hosts using mask
This patch by Fabrice MARIE <fabrice@netfilter.org> adds a news match that allows you to match packets based on the IP options they have set.
For example, let's drop all packets that have the record-route or the timestamp IP option set :
# iptables -A INPUT -m ipv4options --rr -j DROP
# iptables -A INPUT -m ipv4options --ts -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere IPV4OPTS RR
DROP all -- anywhere anywhere IPV4OPTS TS
Supported options for the ipv4options match are :
-> match strict source routing flag.
-> match loose source routing flag.
-> match packets with no source routing.
-> match record route flag.
-> match timestamp flag.
-> match router-alert option.
-> Match a packet that has at least one IP option (or that has no IP option at all if ! is chosen).
This patch by James Morris <jmorris@intercode.com.au> adds a new match that allows you to match a packet based on its length.
For example, let's drop all the pings with a packet size greater than 85 bytes :
# iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 86:0xffff -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request length 86:65535
Supported options for the length match are :
-> Match packet length against value or range of values (inclusive)
Values of the range not present will be implied. The implied value for minimum is 0, and for maximum is 65535.
This patch by Andreas Ferber <af@devcon.net> adds a new match that allows you to specify ports with a mix of port-ranges and single ports for UDP and TCP protocols.
For example, if you want to block ftp, ssh, telnet and http in one line, you can :
# iptables -A INPUT -p tcp -m mport --ports 20:23,80 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere mport ports ftp-data:telnet,http
Supported options for the mport match are :
-> match source port(s)
-> match source port(s)
-> match destination port(s)
-> match destination port(s)
-> match both source and destination port(s)
This patch by Fabrice MARIE <fabrice@netfilter.org> adds a new match that allows you to match a particular Nth packet received by the rule.
For example, if you want to drop every 2 ping packets, you can do as follows :
# iptables -A INPUT -p icmp --icmp-type echo-request -m nth --every 2 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request every 2th
Extensions by Richard Wagner <rwagner@cloudnet.com> allows you to create an easy and quick method to produce load-balancing for both inbound and outbound connections.
For example, if you want to balance the load to the 3 addresses 10.0.0.5, 10.0.0.6 and 10.0.0.7, then you can do as follows :
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7
# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere every 3th packet #0 to:10.0.0.5
SNAT all -- anywhere anywhere every 3th packet #1 to:10.0.0.6
SNAT all -- anywhere anywhere every 3th packet #2 to:10.0.0.7
Supported options for the nth match are :
-> Match every Nth packet.
-> Use counter 0-15 (default:0).
-> Initialize the counter at the number `num' instead of 0. Must be between 0 and (Nth-1).
-> Match on the `num' packet. Must be between 0 and Nth-1. If `--packet' is used for a counter, then there must be Nth number of --packet rules, covering all values between 0 and (Nth-1) inclusively.
This patch by Michal Ludvig <michal@logix.cz> adds a new match that allows you to match a packet based on its type : host/broadcast/multicast.
If For example you want to silently drop all the broadcasted packets :
# iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
Supported options for this match are :
-> match packet type where packet type is one of
-> to us
-> to all
-> to group
Patch by Patrick Schaaf <bof@bof.de>. Joakim Axelsson and Patrick are in the process of re-writing it, therefore they will replace this section with the actual explanations once its written.
This patch by Dennis Koslowski <dkoslowski@astaro.de> adds a new match that will attempt to detect port scans.
In its simplest form, psd match can be used as follows :
# iptables -A INPUT -m psd -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
Supported options for psd match are :
-> Portscan detection weight threshold
-> Portscan detection delay threshold
-> Privileged ports weight
-> High ports weight
This patch by Sam Johnston <samj@samj.net> adds a new match that allows you to set quotas. When the quota is reached, the rule doesn't match any more.
For example, if you want to limit put a quota of 50Megs on incoming http data you can do as follows :
# iptables -A INPUT -p tcp --dport 80 -m quota --quota 52428800 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http quota: 52428800 bytes
DROP tcp -- anywhere anywhere tcp dpt:http
Supported options for quota match are :
-> The quota you want to set.
This patch by Fabrice MARIE <fabrice@netfilter.org> adds a new match that allows you to math a packet randomly based on given probability.
For example, if you want to drop 50% of the pings randomly, you can do as follows :
# iptables -A INPUT -p icmp --icmp-type echo-request -m random --average 50 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request random 50%
Supported options for random match are :
-> The probability in percentage of the match. If omitted, a probability of 50% percent is set. Percentage must be within : 1 <= percent <= 99.
This patch by Sampsa Ranta <sampsa@netsonic.fi> adds a new match that allows you to use realm key from routing as match criteria similar to the one found in the packet classifier.
For example, to log all the outgoing packet with a realm of 10, you can do the following :
# iptables -A OUTPUT -m realm --realm 10 -j LOG
# iptables --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere REALM match 0xa LOG level warning
Supported options for the realm match are :
-> Match realm
This patch by Stephen Frost <sfrost@snowman.net> adds a new match that allows you to dynamically create a list of IP addresses and then match against that list in a few different ways.
For example, you can create a `badguy' list out of people attempting to connect to port 139 on your firewall and then DROP all future packets from them without considering them.
# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere recent: CHECK seconds: 60
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn recent: SET
Supported options for the recent match are :
-> Specify the list to use for the commands. If no name is given then 'DEFAULT' will be used.
-> This will add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry. This will always return success or failure if `!' is passed in.
-> This will check if the source address of the packet is currently in the list and return true if it is, and false otherwise. Opposite is returned if `!' is passed in.
-> This will check if the source address of the packet is currently in the list. If it is then that entry will be updated and the rule will return true. If the source address is not in the list then the rule will return false. Opposite is returned if `!' is passed in.
-> This will check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true. If the address is not found, false is returned. Opposite is returned if `!' is passed in.
-> This option must be used in conjunction with one of `rcheck' or `update'. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. Opposite is returned if `!' is passed in.
-> This option must be used in conjunction with one of `rcheck' or `update'. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with `seconds' to create an even narrower match requiring a certain number of hits within a specific time frame. Opposite returned if `!' passed in.
-> This option must be used in conjunction with one of `rcheck' or `update'. When used, this will narrow the match to only happen when the address is in the list and the TTL of the current packet matches that of the packet which hit the --set rule. This may be useful if you have problems with people faking their source address in order to DoS you via this module by disallowing others access to your site by sending bogus packets to you.
This patch by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> adds a new match that allows you to match if the source of the packet has requested that port through the portmapper before, or it is a new GET request to the portmapper, allowing effective RPC filtering.
To match RPC connection tracking information, simply do the following :
# iptables -A INPUT -m record_rpc -j ACCEPT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
The record_rpc match does not take any option.
Do not worry for the match information not printed, it's simply because the print() function of this match is empty :
/* Prints out the union ipt_matchinfo. */
static void
print(const struct ipt_ip *ip,
const struct ipt_entry_match *match,
int numeric)
{
}
This patch by Emmanuel Roger <winfield@freegates.be> adds a new match that allows you to match a string anywhere in the packet.
For example, to match packets containing the string ``cmd.exe'' anywhere in the packet and queue them to a userland IDS, you could use :
# iptables -A INPUT -m string --string 'cmd.exe' -j QUEUE
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
QUEUE all -- anywhere anywhere STRING match cmd.exe
Please do use this match with caution. A lot of people want to use this match to stop worms, along with the DROP target. This is a major mistake. It would be defeated by any IDS evasion method.
In a similar fashion, a lot of people have been using this match as a mean to stop particular functions in HTTP like POST or GET by dropping any HTTP packet containing the string POST. Please understand that this job is better done by a filtering proxy. Additionally, any HTML content with the word POST would get dropped with the former method. This match has been designed to be able to queue to userland interesting packets for better analysis, that's all. Dropping packet based on this would be defeated by any IDS evasion method.
Supported options for the string match are :
-> Match a string in a packet
This patch by Fabrice MARIE <fabrice@netfilter.org> adds a new match that allows you to match a packet based on its arrival or departure (for locally generated packets) timestamp.
for example, to accept packets that have an arrival time from 8:00H to 18:00H from Monday to Friday you can do as follows :
# iptables -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere TIME from 8:0 to 18:0 on Mon,Tue,Wed,Thu,Fri
Supported options for the time match are :
-> minimum HH:MM
-> maximum HH:MM
-> a list of days to apply, from (case sensitive)
This patch by Harald Welte <laforge@gnumonks.org> adds a new match that allows you to match a packet based on its TTL.
For example if you want to log any packet that have a TTL less than 5, you can do as follows :
# iptables -A INPUT -m ttl --ttl-lt 5 -j LOG
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere TTL match TTL < 5 LOG level warning
Options supported by the ttl match are :
-> Match time to live value
-> Match TTL < value
-> Match TTL > value