/usr/share/doc/iptables-dev/html/netfilter-extensions-HOWTO-4.html is in iptables-dev 1.4.21-1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
<TITLE>Netfilter Extensions HOWTO: New netfilter targets</TITLE>
<LINK HREF="netfilter-extensions-HOWTO-5.html" REL=next>
<LINK HREF="netfilter-extensions-HOWTO-3.html" REL=previous>
<LINK HREF="netfilter-extensions-HOWTO.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="netfilter-extensions-HOWTO-5.html">Next</A>
<A HREF="netfilter-extensions-HOWTO-3.html">Previous</A>
<A HREF="netfilter-extensions-HOWTO.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4.</A> <A HREF="netfilter-extensions-HOWTO.html#toc4">New netfilter targets</A></H2>
<P>In this section, we will attempt to explain the usage of new netfilter targets.
The patches will appear in alphabetical order. Additionally, we will not explain
patches that break other patches. But this might come later.</P>
<P>Generally speaking, for targets, you can get the help hints from a particular
module by typing :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -j THE_TARGET_YOU_WANT --help
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>This would display the normal iptables help message, plus the specific
``THE_TARGET_YOU_WANT'' target help message at the end.</P>
<H2><A NAME="ss4.1">4.1</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.1">ftos patch</A>
</H2>
<P>This patch by Matthew G. Marsh <mgm@paktronix.com> adds a new target that allows you
to set the TOS of packets to an arbitrary value.</P>
<P>For example, if you want to set the TOS of all the outgoing packets to be 15, you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t mangle -A OUTPUT -j FTOS --set-ftos 15
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
FTOS all -- anywhere anywhere TOS set 0x0f
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the FTOS target are :</P>
<P>
<DL>
<DT><B>--set-ftos value</B><DD>
<P>-> Set TOS field in packet header to value. This value can be in decimal (ex: <CODE>32</CODE>)
or in hex (ex: <CODE>0x20</CODE>)</P>
</DL>
</P>
<H2><A NAME="ss4.2">4.2</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.2">IPV4OPTSSTRIP patch</A>
</H2>
<P>This patch by Fabrice MARIE <fabrice@netfilter.org> adds a new target that allows you
to strip all the IP options from an IPv4 packet.</P>
<P>It's simpled loaded as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
# iptables -t mangle --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
IPV4OPTSSTRIP all -- anywhere anywhere
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>This target doesn't support any option.</P>
<H2><A NAME="ss4.3">4.3</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.3">NETLINK patch</A>
</H2>
<P>This patch by Gianni Tedesco <gianni@ecsc.co.uk> adds a new target that allows you to
send dropped packets to userspace via a netlink socket.</P>
<P>For example, if you want to drop all pings and send them to a userland netlink socket instead,
you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -A INPUT -p icmp --icmp-type echo-request -j NETLINK --nldrop
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
NETLINK icmp -- anywhere anywhere icmp echo-request nldrop
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the NETLINK target are :</P>
<P>
<DL>
<DT><B>--nldrop</B><DD>
<P>-> Drop the packet too</P>
<DT><B>--nlmark <number></B><DD>
<P>-> Mark the packet</P>
<DT><B>--nlsize <bytes></B><DD>
<P>-> Limit packet size</P>
</DL>
</P>
<P>For more information on netlink sockets, you can refer to the
<A HREF="http://www.skyfree.org/linux/kernel_network/netlink.html">Netlink Sockets Tour</A>.</P>
<H2><A NAME="ss4.4">4.4</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.4">NETMAP patch</A>
</H2>
<P>This patch by Svenning Soerensen <svenning@post5.tele.dk> adds a new target that allows you
create a static 1:1 mapping of the network address, while keeping host addresses intact.</P>
<P>For example, if you want to alter the destination of incoming connections from
1.2.3.0/24 to 5.6.7.0/24, you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24
# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NETMAP all -- anywhere 1.2.3.0/24 5.6.7.0/24
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for NETMAP target are :</P>
<P>
<DL>
<DT><B>--to address[/mask]</B><DD>
<P>-> Network address to map to.</P>
</DL>
</P>
<H2><A NAME="ss4.5">4.5</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.5">ROUTE patch</A>
</H2>
<P>This patch by Cédric de Launois <delaunois@info.ucl.ac.be> adds a new
target which allows you to setup unusual routes not supported by the
standard kernel routing table. The ROUTE target lets you route
a received packet through an interface or towards a host, even if the
regular destination of the packet is the router itself. The ROUTE target is
also able to change the incoming interface of a packet. Packets are
directly put on the wire and do not traverse any other table.</P>
<P>This target does not modify the packets and is a final target.
It has to be used inside the mangle table.</P>
<P>Whenever possible, you should use the MARK target together with
iproute2 instead of this ROUTE target. However, this target is useful
to force the use of an interface or a next hop and to change the
incoming interface of a packet. People also use it for easiness
and to simplify their rules (one rule to route a packet is easier
that one MARK rule + one iproute2 rule).</P>
<P>Options supported by the ROUTE target are :</P>
<P>
<DL>
<DT><B>--oif ifname</B><DD>
<P>Send the packet out using `ifname' network interface. The destination
host must be on the same link or the interface must be a tunnel.
Otherwise, arp resolution cannot be performed and the packet is dropped.</P>
<DT><B>--iif ifname</B><DD>
<P>Change the packet's incoming interface to `ifname'.</P>
<DT><B>--gw ip</B><DD>
<P>Route the packet via this gateway. The packet is routed as if
its destination IP address was this ip.</P>
</DL>
</P>
<P>For example, assume that you want to redirect ssh packets towards a
server inside your network, without modifying those packets in any way
(this excludes the use of the standard port forwarding mechanism).
A solution is to use an ipip tunnel and the ROUTE target to reroute ssh
packets to the real ssh server, which has the same IP address as the router.
It is not possible to reroute those packets using the standard routing
mechanisms, because the kernel locally delivers a packet having
a destination address belonging to the router itself.</P>
<P>Time for ASCII art :
<PRE>
eth0 +------+ 192.168.0.1 192.168.0.2 +----+
----------------|router|--------------------------------|host|
IP: 150.150.0.1 +------+ +----+
| | tunl1 IP: 150.150.0.1 | |
| +------------------------------------+ |
+----------------------------------------+
IPIP tunnel
</PRE>
</P>
<P>For the example above, you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j ROUTE --oif tunl1
# iptables -A PREROUTING -t mangle -i tunl1 -j ROUTE --oif eth0
# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ROUTE tcp -- anywhere anywhere tcp dpt:ssh ROUTE oif tunl1
ROUTE all -- anywhere anywhere ROUTE oif eth0
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Another example : if you want to quickly and easily balance the load between two
gateways 10.0.0.1 and 10.0.0.2, then you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -A PREROUTING -t mangle -m random --average 50 -j ROUTE --gw 10.0.0.1
# iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.2
# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ROUTE all -- anywhere anywhere random 50% ROUTE gw 10.0.0.1
ROUTE all -- anywhere anywhere ROUTE gw 10.0.0.2
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H2><A NAME="ss4.6">4.6</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.6">SAME patch</A>
</H2>
<P>This patch by Martin Josefsson <gandalf@wlug.westbo.se> adds a new target
which is similar to SNAT and will gives a client the same address for each connection.</P>
<P>For example, if you want to modify the source address of the connections
to be 1.2.3.4-1.2.3.7 you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t nat -A POSTROUTING -j SAME --to 1.2.3.4-1.2.3.7
# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SAME all -- anywhere anywhere same:1.2.3.4-1.2.3.7
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Options supported by the SAME target are :</P>
<P>
<DL>
<DT><B>--to <ipaddr>-<ipaddr></B><DD>
<P>-> Addresses to map source to.
May be specified more than once for multiple ranges.</P>
<DT><B>--nodst</B><DD>
<P>-> Don't use destination-ip in source selection</P>
</DL>
</P>
<H2><A NAME="ss4.7">4.7</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.7">tcp-MSS patch</A>
</H2>
<P>This patch by Marc Boucher <marc+nf@mbsi.ca> adds a new target that allows you to examine and
alter the MSS value of TCP SYN packets, to control the maximum size
for that connection.</P>
<P>As explained by Marc himself, THIS IS A HACK, used to overcome criminally
brain-dead ISPs or servers which block ICMP Fragmentation Needed
packets.</P>
<P>Typical usage would be :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Options supported by the tcp-MSS target are (mutually-exclusive) :</P>
<P>
<DL>
<DT><B>--set-mss value</B><DD>
<P>explicitly set MSS option to specified value</P>
<DT><B>--clamp-mss-to-pmtu</B><DD>
<P>automatically clamp MSS value to (path_MTU - 40)</P>
</DL>
</P>
<H2><A NAME="ss4.8">4.8</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.8">TTL patch</A>
</H2>
<P>This patch by Harald Welte <laforge@gnumonks.org> adds a new target that
enables the user to set the TTL value of an IP packet or to increment/decrement it
by a given value.</P>
<P>For example, if you want to set the TTL of all outgoing connections
to 126, you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t mangle -A OUTPUT -j TTL --ttl-set 126
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TTL all -- anywhere anywhere TTL set to 126
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the TTL target are :</P>
<P>
<DL>
<DT><B>--ttl-set value</B><DD>
<P>-> Set TTL to <value></P>
<DT><B>--ttl-dec value</B><DD>
<P>-> Decrement TTL by <value></P>
<DT><B>--ttl-inc value</B><DD>
<P>-> Increment TTL by <value></P>
</DL>
</P>
<H2><A NAME="ss4.9">4.9</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.9">ulog patch</A>
</H2>
<P>This patch by Harald Welte <laforge@gnumonks.org> adds a new target
which supplies a more advanced packet logging mechanism than the standard LOG target.
The `libipulog/' contains a library for receiving the ULOG messages.</P>
<P>Harald maintains a
<A HREF="http://www.gnumonks.org/projects/ulogd">web page</A> containing the proper documentation
for ULOG, so there is no point for me to explain this here..</P>
<HR>
<A HREF="netfilter-extensions-HOWTO-5.html">Next</A>
<A HREF="netfilter-extensions-HOWTO-3.html">Previous</A>
<A HREF="netfilter-extensions-HOWTO.html#toc4">Contents</A>
</BODY>
</HTML>
|