Iptables Tutorial 1.2.2
Добавить в закладки К обложке
- Dedications - Страница 2
- About the author - Страница 3
- How to read - Страница 4
- Prerequisites - Страница 5
- Conventions used in this document - Страница 6
- Chapter 1. Introduction - Страница 7
- How it was written - Страница 8
- Terms used in this document - Страница 9
- What's next? - Страница 10
- Chapter 2. TCP/IP repetition - Страница 11
- TCP/IP Layers - Страница 12
- IP characteristics - Страница 14
- IP headers - Страница 16
- TCP characteristics - Страница 19
- TCP headers - Страница 20
- UDP characteristics - Страница 22
- UDP headers - Страница 23
- ICMP characteristics - Страница 24
- ICMP headers - Страница 25
- ICMP Echo Request/Reply - Страница 26
- ICMP Destination Unreachable - Страница 27
- Source Quench - Страница 28
- Redirect - Страница 29
- TTL equals 0 - Страница 30
- Parameter problem - Страница 31
- Timestamp request/reply - Страница 32
- Information request/reply - Страница 33
- SCTP Characteristics - Страница 34
- Initialization and association - Страница 35
- Data sending and control session - Страница 36
- Shutdown and abort - Страница 37
- SCTP Headers - Страница 38
- SCTP Generic header format - Страница 39
- SCTP Common and generic headers - Страница 40
- SCTP ABORT chunk - Страница 42
- SCTP COOKIE ACK chunk - Страница 43
- SCTP COOKIE ECHO chunk - Страница 44
- SCTP DATA chunk - Страница 45
- SCTP ERROR chunk - Страница 46
- SCTP HEARTBEAT chunk - Страница 47
- SCTP HEARTBEAT ACK chunk - Страница 48
- SCTP INIT chunk - Страница 49
- SCTP INIT ACK chunk - Страница 51
- SCTP SACK chunk - Страница 52
- SCTP SHUTDOWN chunk - Страница 53
- SCTP SHUTDOWN ACK chunk - Страница 54
- SCTP SHUTDOWN COMPLETE chunk - Страница 55
- TCP/IP destination driven routing - Страница 56
- What's next? - Страница 57
- Chapter 3. IP filtering introduction - Страница 58
- What is an IP filter - Страница 59
- IP filtering terms and expressions - Страница 61
- How to plan an IP filter - Страница 63
- What's next? - Страница 65
- Chapter 4. Network Address Translation Introduction - Страница 66
- What NAT is used for and basic terms and expressions - Страница 67
- Caveats using NAT - Страница 68
- Example NAT machine in theory - Страница 69
- What is needed to build a NAT machine - Страница 70
- Placement of NAT machines - Страница 71
- How to place proxies - Страница 72
- The final stage of our NAT machine - Страница 73
- What's next? - Страница 74
- Chapter 5. Preparations - Страница 75
- Where to get iptables - Страница 76
- Kernel setup - Страница 77
- User-land setup - Страница 80
- Compiling the user-land applications - Страница 81
- Installation on Red Hat 7.1 - Страница 82
- What's next? - Страница 84
- Chapter 6. Traversing of tables and chains - Страница 85
- General - Страница 86
- Mangle table - Страница 89
- Nat table - Страница 90
- Raw table - Страница 91
- Filter table - Страница 92
- User specified chains - Страница 93
- What's next? - Страница 94
- Chapter 7. The state machine - Страница 95
- Introduction - Страница 96
- The conntrack entries - Страница 97
- User-land states - Страница 99
- TCP connections - Страница 100
- UDP connections - Страница 102
- ICMP connections - Страница 103
- Default connections - Страница 105
- Untracked connections and the raw table - Страница 106
- Complex protocols and connection tracking - Страница 107
- What's next? - Страница 109
- Chapter 8. Saving and restoring large rule-sets - Страница 110
- Speed considerations - Страница 111
- Drawbacks with restore - Страница 112
- iptables-save - Страница 113
- iptables-restore - Страница 115
- What's next? - Страница 116
- Chapter 9. How a rule is built - Страница 117
- Basics of the iptables command - Страница 118
- Tables - Страница 119
- Commands - Страница 120
- What's next? - Страница 122
- Chapter 10. Iptables matches - Страница 123
- Generic matches - Страница 124
- Implicit matches - Страница 125
- TCP matches - Страница 126
- UDP matches - Страница 127
- ICMP matches - Страница 128
- SCTP matches - Страница 129
- Explicit matches - Страница 131
- Addrtype match - Страница 132
- AH/ESP match - Страница 133
- Comment match - Страница 134
- Connmark match - Страница 135
- Conntrack match - Страница 136
- Dscp match - Страница 137
- Ecn match - Страница 138
- Hashlimit match - Страница 139
- Helper match - Страница 140
- IP range match - Страница 141
- Length match - Страница 142
- Limit match - Страница 143
- Mac match - Страница 144
- Mark match - Страница 145
- Multiport match - Страница 146
- Owner match - Страница 147
- Packet type match - Страница 148
- Realm match - Страница 149
- Recent match - Страница 150
- State match - Страница 152
- Tcpmss match - Страница 153
- Tos match - Страница 154
- Ttl match - Страница 155
- Unclean match - Страница 156
- What's next? - Страница 157
- Chapter 11. Iptables targets and jumps - Страница 158
- ACCEPT target - Страница 159
- CLASSIFY target - Страница 160
- CLUSTERIP target - Страница 161
- CONNMARK target - Страница 163
- CONNSECMARK target - Страница 164
- DNAT target - Страница 165
- DROP target - Страница 168
- DSCP target - Страница 169
- ECN target - Страница 170
- LOG target options - Страница 171
- MARK target - Страница 172
- MASQUERADE target - Страница 173
- MIRROR target - Страница 174
- NETMAP target - Страница 175
- NFQUEUE target - Страница 176
- NOTRACK target - Страница 177
- QUEUE target - Страница 178
- REDIRECT target - Страница 179
- REJECT target - Страница 180
- RETURN target - Страница 181
- SAME target - Страница 182
- SECMARK target - Страница 183
- SNAT target - Страница 184
- TCPMSS target - Страница 185
- TOS target - Страница 186
- TTL target - Страница 187
- ULOG target - Страница 188
- What's next? - Страница 189
- Chapter 12. Debugging your scripts - Страница 190
- Debugging, a necessity - Страница 191
- Bash debugging tips - Страница 192
- System tools used for debugging - Страница 194
- Iptables debugging - Страница 195
- Other debugging tools - Страница 196
- Nmap - Страница 197
- Nessus - Страница 198
- What's next? - Страница 199
- Chapter 13. rc.firewall file - Страница 200
- example rc.firewall - Страница 201
- explanation of rc.firewall - Страница 202
- Initial loading of extra modules - Страница 203
- proc set up - Страница 205
- Displacement of rules to different chains - Страница 206
- Setting up default policies - Страница 208
- Setting up user specified chains in the filter table - Страница 209
- INPUT chain - Страница 212
- FORWARD chain - Страница 214
- OUTPUT chain - Страница 215
- PREROUTING chain of the nat table - Страница 216
- Starting SNAT and the POSTROUTING chain - Страница 217
- What's next? - Страница 218
- Chapter 14. Example scripts - Страница 219
- rc.firewall.txt script structure - Страница 220
- The structure - Страница 221
- rc.firewall.txt - Страница 224
- rc.DMZ.firewall.txt - Страница 225
- rc.DHCP.firewall.txt - Страница 226
- rc.UTIN.firewall.txt - Страница 228
- rc.test-iptables.txt - Страница 229
- rc.flush-iptables.txt - Страница 230
- Limit-match.txt - Страница 231
- Pid-owner.txt - Страница 232
- Recent-match.txt - Страница 233
- Sid-owner.txt - Страница 234
- Ttl-inc.txt - Страница 235
- Iptables-save ruleset - Страница 236
- What's next? - Страница 237
- Chapter 15. Graphical User Interfaces for Iptables/netfilter - Страница 238
- fwbuilder - Страница 239
- Turtle Firewall Project - Страница 240
- Integrated Secure Communications System - Страница 241
- IPMenu - Страница 242
- Easy Firewall Generator - Страница 243
- What's next? - Страница 244
- Chapter 16. Commercial products based on Linux, iptables and netfilter - Страница 245
- Ingate Firewall 1200 - Страница 246
- What's next? - Страница 247
- Appendix A. Detailed explanations of special commands - Страница 248
- Listing your active rule-set - Страница 249
- Updating and flushing your tables - Страница 250
- Appendix B. Common problems and questions - Страница 251
- Problems loading modules - Страница 252
- State NEW packets but no SYN bit set - Страница 253
- SYN/ACK and NEW packets - Страница 254
- Internet Service Providers who use assigned IP addresses - Страница 255
- Letting DHCP requests through iptables - Страница 256
- mIRC DCC problems - Страница 257
- Appendix C. ICMP types - Страница 258
- Appendix D. TCP options - Страница 259
- Appendix E. Other resources and links - Страница 260
- Appendix F. Acknowledgments - Страница 264
- Appendix G. History - Страница 265
- Appendix H. GNU Free Documentation License - Страница 267
- 0. PREAMBLE - Страница 268
- 1. APPLICABILITY AND DEFINITIONS - Страница 269
- 2. VERBATIM COPYING - Страница 270
- 3. COPYING IN QUANTITY - Страница 271
- 4. MODIFICATIONS - Страница 272
- 5. COMBINING DOCUMENTS - Страница 274
- 6. COLLECTIONS OF DOCUMENTS - Страница 275
- 7. AGGREGATION WITH INDEPENDENT WORKS - Страница 276
- 8. TRANSLATION - Страница 277
- 9. TERMINATION - Страница 278
- 10. FUTURE REVISIONS OF THIS LICENSE - Страница 279
- How to use this License for your documents - Страница 280
- Appendix I. GNU General Public License - Страница 281
- 0. Preamble - Страница 282
- 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - Страница 283
- 2. How to Apply These Terms to Your New Programs - Страница 286
- Appendix J. Example scripts code-base - Страница 287
- Example rc.firewall script - Страница 288
- Example rc.DMZ.firewall script - Страница 291
- Example rc.UTIN.firewall script - Страница 294
- Example rc.DHCP.firewall script - Страница 297
- Example rc.flush-iptables script - Страница 300
- Example rc.test-iptables script - Страница 301
- Index - Страница 302
- A - Страница 306
- B - Страница 307
- C - Страница 308
- D - Страница 312
- E - Страница 315
- F - Страница 318
- G - Страница 319
- H - Страница 320
- I - Страница 321
- J - Страница 325
- K - Страница 326
- L - Страница 327
- M - Страница 328
- N - Страница 331
- O - Страница 332
- P - Страница 333
- Q - Страница 335
- R - Страница 336
- S - Страница 339
- T - Страница 347
- U - Страница 352
- V - Страница 354
- W - Страница 355
- X - Страница 356
SCTP INIT ACK chunk
The INIT ACK chunk is sent in response to a INIT chunk and contains basically the same headers, but with values from the recipient of the original INIT chunk. In addition, it has two extra variable length parameters, the State Cookie and the Unrecognized Parameter parameters.
Type - bit 0-7. This header is always set to 2 for INIT ACK chunks.
Chunk flags - bit 8-15. Not used today. Might be applicable for change. See SCTP Common and generic headers for more information.
Chunk Length - bit 16-31. The chunk length is the length of the whole packet, including everything in the headers, and the optional parameters.
Initiate Tag - bit 32-63. The receiver of the Initiate Tag of the INIT ACK chunk must save this value and copy it into the Verification Tag field of every packet that it sends to the sender of the INIT ACK chunk. The Initiate Tag must not be 0, and if it is, the receiver of the INIT ACK chunk must close the connection with an ABORT.
Advertised Receiver Window Credit (a_rwnd) - bit 64-95. The dedicated buffers that the sender of this chunk has located for traffic, counted in bytes. The dedicated buffers should never be lowered to below this value.
Number of Outbound Streams - bit 96-111. How many outbound streams that the sending host wishes to create. Must not be 0, or the receiver of the INIT ACK should ABORT the association. There is no negotiation of the minimum number of outbound or inbound streams, it is simply set to the lowest that either host has set in the header.
Number of Inbound Streams - bit 112-127. How many inbound streams that the sending endpoint is willing to accept. Must not be 0, or the receiver of the INIT ACK should ABORT the association. There is no negotiation of the minimum number of outbound or inbound streams, it is simply set to the lowest that either host has set in the header.
Initial TSN - bit 128-159. This is set to the Initial Transmission Sequence Number (I-TSN) which will be used by the sending party in the association to start with.
After this point, the INIT ACK chunk continues with optional variable-length parameters. The parameters are exactly the same as for the INIT chunk, with the exception of the addition of the State Cookie and the Unrecognized Parameters parameter, and the deletion of the Supported Address Types parameter. The list in other words look like this:
Table 2-4. INIT ACK Variable Parameters
Parameter Name | Status | Type Value |
---|---|---|
IPv4 Address | Optional | 5 |
IPv6 Address | Optional | 6 |
State Cookie | Mandatory | 7 |
Unrecognized Parameters | Optional | 8 |
Cookie Preservative | Optional | 9 |
Host Name Address | Optional | 11 |
Reserved for ECN Capable | Optional | 32768 |
The State Cookie is used in INIT ACK to send a cookie to the other host, and until the receiving host has replied with a COOKIE ECHO chunk, the association is not guaranteed. This is to prevent basically the same as a SYN attack in TCP protocol.
Type - bit 0-15. Always set to 7 for all State Cookie parameters.
Length - bit 16-31. The size of the whole parameter, including the type, length and State Cookie field in bytes.
State Cookie - bit 31-n. This parameter contains a cookie of variable length. For a description on how this cookie is created, see the RFC 2960 - Stream Control Transmission Protocol document.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356