author | Silvino Silva <silvino@bk.ru> | 2018-05-06 10:51:32 +0100 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2018-05-06 10:51:32 +0100 |
commit | 2f97ec532422ea22ba1d04ddc683e64863d05234 (patch) | |
tree | 7a6bee80cf7418a9a005a152878f8da49db0f5f2 /core/network.html | |
parent | 5b331e8145aeeb05ab24cde90e2c554989b16777 (diff) | |
download | doc-2f97ec532422ea22ba1d04ddc683e64863d05234.tar.gz |
initial iptables revision
Diffstat (limited to 'core/network.html')
-rw-r--r-- | core/network.html | 176 |
1 files changed, 163 insertions, 13 deletions
diff --git a/core/network.html b/core/network.html index 9aa5921..3f8a870 100644 --- a/core/network.html +++ b/core/network.html @@ -14,7 +14,7 @@ <dl> <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt> <dd>Configure <a href="#iptables">iptables</a>, start option - loads set of rules from file /etc/iptables/name.v4, open option + loads set of rules from file /etc/iptables/net.v4, open option allows everything to outside and blocks everything from outside, stop will block and log everything.</dd> <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt> @@ -114,20 +114,16 @@ <h2 id="iptables">2.3.3. Iptables</h2> - <p>For more information about iptables read - <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>. - Iptables can be setup at boot with - <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> init script, change - <a href="scripts/iptables.sh">iptables.sh</a> with your needs and run - to save rules in <a href="conf/iptables/net.v4">/etc/iptables/net.v4</a> - file.</p> + <p>For more information about firewall systems read arch wiki + <a href="https://wiki.archlinux.org/index.php/Iptables">iptables</a> + an <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>.</p> - <p>Init script "start" option loads set of rules from file - /etc/iptables/rules.v4, "open" option allows everything to outside + <p>To setup iptables rules a set of scripts is used, init script + <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> + loads set of rules from file /etc/iptables/net.v4 at boot time. + Start option "open" option allows everything to outside and blocks everything from outside, "stop" will block and log - everything.</p> - - <p>Setup init script and rules ;</p> + everything. Setup init script and rules ;</p> <pre> # mkdir /etc/iptables 
@@ -142,6 +138,150 @@ SERVICES=(iptables lo net crond) </pre> + <p>Diagram of a package route throw iptables;</p> + + <pre> + + XXXXXXXXXXXXXXXXX + XXXX Network XXXX + XXXXXXXXXXXXXXXXX + + + | + v + +-------------+ +------------------+ + |table: filter| >---+ | table: nat | + |chain: INPUT | | | chain: PREROUTING| + +-----+-------+ | +--------+---------+ + | | | + v | v + [local process] | **************** +--------------+ + | +---------+ Routing decision +------< |table: filter | + v **************** |chain: FORWARD| + **************** +------+-------+ + Routing decision | + **************** | + | | + v **************** | + +-------------+ +------< Routing decision >---------------+ + |table: nat | | **************** + |chain: OUTPUT| | + + +-----+-------+ | | + | | v + v | +-------------------+ + +--------------+ | | table: nat | + |table: filter | +----+ | chain: POSTROUTING| + |chain: OUTPUT | +--------+----------+ + +--------------+ | + v + XXXXXXXXXXXXXXXXX + XXXX Network XXXX + XXXXXXXXXXXXXXXXX + + </pre> + + <p>Command line usage;</p> + + <pre> + iptables [-t table] {-A|-C|-D} chain rule-specification + iptables [-t table] {-A|-C|-D} chain rule-specification + iptables [-t table] -I chain [rulenum] rule-specification + iptables [-t table] -R chain rulenum rule-specification + iptables [-t table] -D chain rulenum + iptables [-t table] -S [chain [rulenum]] + iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] + iptables [-t table] -N chain + iptables [-t table] -X [chain] + iptables [-t table] -P chain target + iptables [-t table] -E old-chain-name new-chain-name + rule-specification = [matches...] [target] + match = -m matchname [per-match-options] + </pre> + + <p>Targets, can be a user defined chain;</p> + + <pre> + ACCEPT - accepts the packet + DROP - drop the packet on the floor + QUEUE - packet will be stent to queue + RETURN - stop traversing this chain and + resume ate the next rule in the + previeus (calling) chain. 
+ + if packet reach the end of the chain or + a target RETURN, default policy for that + chain is applayed. + </pre> + + <p>Target Extensions</p> + + <pre> + AUDIT + CHECKSUM + CLASSIFY + DNAT + DSCP + LOG + Torn on kernel logging, will print some + some information on all matching packets. + Log data can be read with dmesg or syslogd. + This is a non-terminating target and a rule + should be created with matching criteria. + + --log-level level + Level of logging (numeric or see sys- + log.conf(5) + + --log-prefix prefix + Prefix log messages with specified prefix + up to 29 chars log + + --log-uid + Log the userid of the process with gener- + ated the packet + NFLOG + This target pass the packet to loaded logging + backend to log the packet. One or more userspace + processes may subscribe to the group to receive + the packets. + + ULOG + This target provides userspace logging of maching + packets. One or more userspace processes may then + then subscribe to various multicast groups and + then receive the packets. + </pre> + + <p>Commands</p> + <pre> + -A, --append chain rule-specification + -C, --check chain rule-specification + -D, --delete chain rule-specification + -D, --delete chain rulenum + -I, --insert chain [rulenum] rule-specification + -R, --replace chain rulenum rule-specification + -L, --list [chain] + -P, --policy chain target + </pre> + + <p>Parameters</p> + <pre> + -p, --protocol protocol + tcp, udp, udplite, icmp, esp, ah, sctp, all + -s, --source address[/mask][,...] + -d, --destination address[/mask][,...] + -j, --jump target + -g, --goto chain + -i, --in-interface name + -o, --out-interface name + -f, --fragment + -m, --match options module-name + iptables can use extended packet matching + modules. + -c, --set-counters packets bytes + </pre> + + <h3 id="ipt_server">2.3.3.1. Server iptables</h3> + <p>Adjust <a href="scripts/iptables.sh">iptables.sh</a> with your network configuration then run it;</p> 
@@ -149,6 +289,16 @@ # bash core/scripts/iptables.sh </pre> + <p> + <a href="scripts/iptables.sh">iptables.sh</a> with your needs and run + to save rules in <a href="conf/iptables/net.v4">/etc/iptables/net.v4</a> + file.</p> + + <h3 id="ipt_client">2.3.3.2. Client iptables </h3> + + <p></p> + <h3 id="ipt_client">2.3.3.3. Bridge iptables</h3> + <p>See current rules and packets;</p> <pre> |
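Review bot: in the first hunk (@@ -14,7 +14,7 @@) the wording "open option allows everything to outside and blocks everything from outside" leaves it unclear whether replies to locally initiated connections are still accepted. A reader who takes "blocks everything from outside" literally will expect the open profile to break DNS and HTTP, so state explicitly whether the profile accepts ESTABLISHED/RELATED traffic (conntrack) or only new inbound connections are dropped. The filename change to /etc/iptables/net.v4 now matches the path used in the iptables section and the linked conf/iptables/net.v4, which is good.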
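Review bot: the second hunk (@@ -114,20 +114,16 @@) drops the only sentence that told the reader how the rules file is produced ("change iptables.sh with your needs and run to save rules in /etc/iptables/net.v4"), so the "Setup init script and rules ;" block that follows no longer says where net.v4 comes from; keep that sentence here rather than re-adding it as a fragment at the end of the section. Also fix "an <a href=...>nftables</a>" to "and", and the garbled "Start option "open" option allows everything to outside", e.g.: "Init script "start" loads the rule set from /etc/iptables/net.v4; "open" allows everything outbound and blocks everything inbound; "stop" blocks and logs everything."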
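Review bot: the third hunk (@@ -142,6 +138,150 @@) lists ULOG next to NFLOG as if both were available, but the ULOG target was removed from the kernel in 3.17 in favour of NFLOG; either drop ULOG or mark it as obsolete so nobody writes rules against it. The "Command line usage" synopsis repeats "iptables [-t table] {-A|-C|-D} chain rule-specification" twice (the man page has it once), and the parameter line "-m, --match options module-name" should read "-m, --match match" as in iptables(8). In the diagram the arrow next to the INPUT box ("|table: filter| >---+") points from INPUT towards the routing decision, which is the wrong direction: a packet goes PREROUTING, then routing decision, then filter INPUT, then the local process, so flip that arrow and say in the caption that the raw and mangle tables are omitted for brevity. Typos to fix in the same hunk: "package route throw" (packet route through), "stent" (sent), "resume ate the next rule", "previeus", "applayed", "Torn on kernel logging", "process with gener-ated" (which generated), "maching packets".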
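Review bot: the last hunk (@@ -149,6 +289,16 @@) gives the "Bridge iptables" heading id="ipt_client", the same id already used by the "Client iptables" heading two lines above; duplicate ids make the anchor links point at the wrong section, so use a distinct id such as ipt_bridge. The paragraph starting "<a href="scripts/iptables.sh">iptables.sh</a> with your needs and run" is missing its leading verb and repeats the "Adjust iptables.sh with your network configuration then run it" sentence that precedes the command; merge the two into one sentence that also names the target file net.v4. The "Client iptables" section is an empty <p></p>; either fill it or leave the heading out until there is content.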