
More on Modules

This article continues the Netfilter series by looking at the various Netfilter modules and writing a few basic filter rules.


Previously, we looked at Netfilter and its built-ins, both chains and targets. Remember that there are only four built-in targets: ACCEPT, DROP, QUEUE, and RETURN. Everything else we want to do with Netfilter, target-wise, has to be created first. Recall that a target is the action taken for any packet matching the rule. The target can send the packet through a user-created chain or perform any other action, as long as iptables knows what that action is. For iptables to understand an action that is not built in, the action must exist as a module, and that module must be loaded before the rule is created.

A few modules are confusing with regard to their purpose, but most are self-explanatory. Not all dependencies are noted here, only some of the more important ones:

ip_conntrack

Permits connection tracking and packet defragmentation.

ip_conntrack_ftp

Connection-tracking helper for FTP. It watches the PORT/PASV exchange on the control connection so that the data connection is recognised as RELATED; without it, active FTP does not work through a stateful firewall. Requires ip_conntrack.

ip_nat_ftp

NAT helper for FTP. It rewrites the addresses and ports carried inside the FTP control channel so that active FTP works through NAT. Requires ip_conntrack, ip_conntrack_ftp, and iptable_nat.

ip_queue

Allows queuing packets to user space.

ip_tables

Required; all ipv4 modules depend on this one.

ipt_LOG

LOG target.

ipt_MARK

MARK target.

ipt_MASQUERADE

MASQUERADE target.

ipt_MIRROR

MIRROR target.

ipt_REDIRECT

REDIRECT target.

ipt_REJECT

REJECT target.

ipt_TOS

TOS target.

ipt_limit

Rate-limiting match (limit). Most often used to keep LOG rules from flooding the logs, but it can limit any rule.

ipt_mac

Allows specifying MAC address.

ipt_mark

Allows using a mark to match in a packet.

ipt_multiport

Allows packet specifications on multiple ports.

ipt_owner

Permits user/group checking on OUTPUT packets.

ipt_state

Connection-tracking state match (NEW, ESTABLISHED, RELATED, INVALID); requires ip_conntrack. It matches the tracked state of the connection the packet belongs to, not the TCP flags. To match on flags (SYN, SYN-ACK, and so on), use the --syn or --tcp-flags options of the tcp match.

ipt_tos

Permits TOS checking on a packet.

ipt_unclean

Performs sanity checks on packets.

iptable_filter

Implements the filter table.

iptable_mangle

Implements the mangle table.

iptable_nat

Implements the nat table.

IPv6

ip6_tables

Required; all ipv6 modules depend on this one.

ip6t_MARK

Permits use of MARK target.

ip6t_limit

Rate-limiting match, the IPv6 counterpart of ipt_limit.

ip6t_mark

Allows use of mark match.

ip6table_filter

Implements filter table.

If you study the table, you will notice a pattern: target modules carry the target name in upper case, packet-matching modules carry the match name in lower case, and both start with either "ipt_" or "ip6t_." The four modules starting with "iptable_" or "ip6table_" implement tables. Those that start with "ip_" implement major features of iptables (such as iptables itself, in the case of ip_tables).

Do not count on modules being loaded automatically: load what your rules need explicitly, and check that it is actually there before you rely on it. The flip side is useful, too. If you deliberately leave out ip_nat_ftp and ip_conntrack_ftp, the data connection of an active FTP session is never recognised as RELATED, so a ruleset built on the state match effectively denies active FTP (only passive FTP will work then).
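The following is an added example, not code from the original article, showing how to verify that the modules a ruleset depends on are really loaded rather than trusting autoloading. The module names are the 2.4-era ones used in the table above; on current kernels the equivalents are nf_conntrack, nf_conntrack_ftp and nf_nat_ftp. The /proc/modules snapshot used for the stand-alone run is constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that required Netfilter modules are loaded.
# Module names follow the article's (2.4-era) table; adjust for your kernel.

# modules_missing MODULES_FILE NAME...
# Prints, one per line, each NAME that does not appear in the first column of
# MODULES_FILE (the /proc/modules format: "name size refcount deps state addr").
# Returns 0 when every NAME is loaded, 1 when at least one is missing.
modules_missing() {
    _file=$1; shift
    _rc=0
    for _m in "$@"; do
        # Compare against the first column only, so "ip_conntrack" does not
        # match the "ip_conntrack_ftp" entry or a dependency list.
        if ! awk -v m="$_m" '$1 == m { found = 1 } END { exit !found }' "$_file"; then
            echo "$_m"
            _rc=1
        fi
    done
    return $_rc
}

# ensure_modules NAME...
# Loads each missing module with modprobe (needs root), then re-checks so a
# failed or silently refused load is reported instead of assumed.
ensure_modules() {
    for _m in $(modules_missing /proc/modules "$@"); do
        modprobe "$_m" || echo "warning: could not load $_m" >&2
    done
    modules_missing /proc/modules "$@" >/dev/null
}

# Stand-alone demonstration on a constructed /proc/modules snapshot (not a real
# capture): connection tracking is present but the FTP helpers are absent, which
# is exactly the state that denies active FTP through a stateful ruleset.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ip_conntrack 26704 2 - Live 0xf8a5c000
iptable_filter 2112 1 - Live 0xf8a40000
ip_tables 13208 2 iptable_filter - Live 0xf8a30000
EOF

if missing=$(modules_missing "$sample" ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ip_nat_ftp); then
    echo "all required modules are loaded"
else
    echo "not loaded:" $missing
fi
rm -f "$sample"
```

On a live system, call ensure_modules with the list your rules need before loading the ruleset; a non-zero return means a rule that depends on one of those modules would fail (or, worse, be silently less restrictive than intended).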

How the Rules Work

The easiest way to think of the rules is in sections. Each rule has several sections, and how many depends on exactly what you're doing, but you'll find it easier to start by breaking the rules down into fragments and then assembling those fragments.

Each rule can be thought of as being comprised of four fragments. Not all fragments are necessary for all rules or all operations that can be performed with iptables, but you'll see that shortly. A typical rule will look like this:

iptables [-t <table>] COMMAND [MATCH [extended match]] [option <parameter>] [-j TARGET]

The iptables command itself is required and is not counted as part of any fragment.

The -t <table> is an optional element. The default is the filter table. As you saw in the last article, specifying -t filter is the same as omitting it. However, if you make it a habit to always put this, you'll know exactly what you're dealing with.

The COMMAND parameter is mandatory; you absolutely must have a command. iptables has 11 single-letter, uppercase commands and one lowercase command. The lowercase one is used alone: -h, for help. Each uppercase command letter also has a long-form alternative spelled out as a word (for example, --append for -A). If you're interested in using the longer forms, refer to the iptables man page.

The commands can be any of -A (append), -D (delete), -R (replace), -I (insert), -L (list), -F (flush), -Z (zero), -N (new chain), -X (delete chain), -P (chain policy), and -E (rename). As a general rule, only one command is permitted per iptables invocation. The one exception is that -L (list) and -Z (zero) may be combined, so you can see the counters immediately before they are cleared. You cannot, for instance, use -F (flush) and -X (delete chain) in the same invocation.

The MATCH part of the command line can be thought of as rule fragments. These can be simple fragments or extended fragments. A simple fragment might be something like -p tcp for protocol TCP, which matches all TCP packets. But you can add an extended match to this. Matching a TCP packet also allows you to narrow the rule to packets with a particular source port (--sport), a particular destination port (--dport), certain flags set (--tcp-flags mask match), only SYN packets (--syn), or a certain TCP option set (--tcp-option <number>). Don't worry if some of these matches are foreign to you; just realize that they're there for your use, if needed.

One fairly universal concept needs to be mentioned at this point. Many matches, options, and extended matches accept !, a logical NOT. When it appears in a rule, the very next reference is negated. So if you see ! lo in an interface match, it means "any interface except lo," the loopback interface. Note that current iptables releases expect the ! before the option (! -i lo); the older -i ! lo form is deprecated.

The primary matches allow us general categories to work from, most of which have extensions to allow rule refinement. The primary matches are these:

-p --protocol <protocol>

An ipv4 or ipv6 protocol, such as TCP, UDP, or ICMP

-s --source <address/mask>

A "where it came from" match

-d --destination <address/mask>

A "where it's going" match

-i --in-interface <interface_name>

The incoming interface specified

-o --out-interface <interface_name>

The outgoing interface specified

-f --fragment

Match for second and successive fragments (or with ! to match the first fragment)

At this point, we'll not look at all the extended matches. These are explained in the man page and will be explained as we build a few common rules.

Only a few options are available, principally to provide more or different feedback. As with most utilities, you can make things verbose with -v. This means different things depending on the command, but generally it expands the information you'll see. The -n option gives numeric output rather than attempting lookups of hostnames and services; this is much faster than waiting for iptables to do the lookups and so will be used here. When listing rules, -x expands the counters to exact numbers rather than rounded ones abbreviated with K, M, or G for thousands, millions, or billions. And --line-numbers shows the position of each rule in its chain, which you need if you want to insert or delete by rule number.

The final part of the iptables command line is the target. Some targets can have extended targets, just as matches can have extended matches. In fact, only ACCEPT, MIRROR, and DROP don't have extensions available. You'll see some of these target extensions when we cover the nat and mangle tables.
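To show the four fragments assembled into real rules, here is an added example that is not part of the original article: a small default-deny INPUT ruleset using the state and limit matches from the module table, and the LOG target. The iptables path and the SSH port are assumptions (override IPTABLES and SSH_PORT). Every rule goes through ipt(), which only prints the command unless APPLY=1 is set, so the ruleset can be reviewed before it touches the running kernel.

```shell
#!/bin/sh
# Added example: an INPUT ruleset built from table / command / match / target.
# Dry run by default; APPLY=1 executes the commands (requires root and the
# ip_tables, iptable_filter, ip_conntrack, ipt_state, ipt_limit and ipt_LOG
# modules, or their modern nf_* equivalents).

IPTABLES=${IPTABLES:-iptables}    # assumed path to the binary
SSH_PORT=${SSH_PORT:-22}          # assumed service to expose

# ipt ARGS...: run iptables, or print the command line in dry-run mode.
# (The printed form drops shell quoting; it is for review, not for pasting.)
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPTABLES" "$@"
    else
        echo "$IPTABLES $*"
    fi
}

input_ruleset() {
    # -t filter is the default; spelled out so the table is never in doubt.
    ipt -t filter -F INPUT                   # command only: flush the chain
    ipt -t filter -P INPUT DROP              # policy: default-deny

    # Loopback: accept it, and drop anything claiming a loopback source that
    # did not arrive on lo. "! -i lo" is the current negation syntax.
    ipt -t filter -A INPUT -i lo -j ACCEPT
    ipt -t filter -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    # Stateful core. ipt_state matches connection-tracking states, not TCP
    # flags, so ip_conntrack must be loaded for these two rules to work.
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -m state --state INVALID -j DROP

    # New SSH connections only (--syn), rate limited with ipt_limit so a
    # password-guessing burst is throttled rather than served at line rate.
    ipt -t filter -A INPUT -p tcp --dport "$SSH_PORT" --syn \
        -m limit --limit 3/minute --limit-burst 5 -j ACCEPT

    # Everything else: log at a bounded rate, then fall through to the DROP
    # policy. LOG is a non-terminating target, so the packet continues.
    ipt -t filter -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
}

# rule_count: how many -A rules the ruleset adds (always evaluated dry-run).
rule_count() {
    ( APPLY=0; input_ruleset ) | grep -c ' -A '
}

input_ruleset
```

Order matters: the ESTABLISHED,RELATED rule sits before the per-service rules so that reply traffic is accepted by one cheap lookup, and the LOG rule sits last so that only traffic nothing else accepted is logged. Review the dry-run output with the module check above, then run with APPLY=1 and confirm with iptables -t filter -L INPUT -n -v --line-numbers.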
