| Server IP : 209.38.156.173 / Your IP : 216.73.216.122 [ Web Server : Apache/2.4.52 (Ubuntu) System : Linux lakekumayuhotel 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 User : root ( 0) PHP Version : 8.1.2-1ubuntu2.22 Disable Function : NONE Domains : 2 Domains MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /usr/share/doc/iptables/html/ |
Upload File : |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<TITLE>Netfilter Extensions HOWTO: New netfilter targets</TITLE>
<LINK HREF="netfilter-extensions-HOWTO-5.html" REL=next>
<LINK HREF="netfilter-extensions-HOWTO-3.html" REL=previous>
<LINK HREF="netfilter-extensions-HOWTO.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="netfilter-extensions-HOWTO-5.html">Next</A>
<A HREF="netfilter-extensions-HOWTO-3.html">Previous</A>
<A HREF="netfilter-extensions-HOWTO.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4.</A> <A HREF="netfilter-extensions-HOWTO.html#toc4">New netfilter targets</A></H2>
<P>In this section, we will attempt to explain the usage of new netfilter targets.
The patches will appear in alphabetical order. Additionally, we will not explain
patches that break other patches. But this might come later.</P>
<P>Generally speaking, for targets, you can get the help hints from a particular
module by typing :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -j THE_TARGET_YOU_WANT --help
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>This would display the normal iptables help message, plus the specific
``THE_TARGET_YOU_WANT'' target help message at the end.</P>
<H2><A NAME="ss4.1">4.1</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.1">ftos patch</A>
</H2>
<P>This patch by Matthew G. Marsh <mgm@paktronix.com> adds a new target that allows you
to set the TOS of packets to an arbitrary value.</P>
<P>For example, if you want to set the TOS of all the outgoing packets to be 15, you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t mangle -A OUTPUT -j FTOS --set-ftos 15
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
FTOS all -- anywhere anywhere TOS set 0x0f
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the FTOS target are :</P>
<P>
<DL>
<DT><B>--set-ftos value</B><DD>
<P>-> Set TOS field in packet header to value. This value can be in decimal (ex: <CODE>32</CODE>)
or in hex (ex: <CODE>0x20</CODE>)</P>
</DL>
</P>
<H2><A NAME="ss4.2">4.2</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.2">IPV4OPTSSTRIP patch</A>
</H2>
<P>This patch by Fabrice MARIE <fabrice@netfilter.org> adds a new target that allows you
to strip all the IP options from an IPv4 packet.</P>
<P>It's simpled loaded as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
# iptables -t mangle --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
IPV4OPTSSTRIP all -- anywhere anywhere
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>This target doesn't support any option.</P>
<H2><A NAME="ss4.3">4.3</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.3">NETLINK patch</A>
</H2>
<P>This patch by Gianni Tedesco <gianni@ecsc.co.uk> adds a new target that allows you to
send dropped packets to userspace via a netlink socket.</P>
<P>For example, if you want to drop all pings and send them to a userland netlink socket instead,
you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -A INPUT -p icmp --icmp-type echo-request -j NETLINK --nldrop
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
NETLINK icmp -- anywhere anywhere icmp echo-request nldrop
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the NETLINK target are :</P>
<P>
<DL>
<DT><B>--nldrop</B><DD>
<P>-> Drop the packet too</P>
<DT><B>--nlmark <number></B><DD>
<P>-> Mark the packet</P>
<DT><B>--nlsize <bytes></B><DD>
<P>-> Limit packet size</P>
</DL>
</P>
<P>For more information on netlink sockets, you can refer to the
<A HREF="http://www.skyfree.org/linux/kernel_network/netlink.html">Netlink Sockets Tour</A>.</P>
<H2><A NAME="ss4.4">4.4</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.4">NETMAP patch</A>
</H2>
<P>This patch by Svenning Soerensen <svenning@post5.tele.dk> adds a new target that allows you
create a static 1:1 mapping of the network address, while keeping host addresses intact.</P>
<P>For example, if you want to alter the destination of incoming connections from
1.2.3.0/24 to 5.6.7.0/24, you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24
# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NETMAP all -- anywhere 1.2.3.0/24 5.6.7.0/24
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for NETMAP target are :</P>
<P>
<DL>
<DT><B>--to address[/mask]</B><DD>
<P>-> Network address to map to.</P>
</DL>
</P>
<H2><A NAME="ss4.5">4.5</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.5">ROUTE patch</A>
</H2>
<P>This patch by C�dric de Launois <delaunois@info.ucl.ac.be> adds a new
target which allows you to setup unusual routes not supported by the
standard kernel routing table. The ROUTE target lets you route
a received packet through an interface or towards a host, even if the
regular destination of the packet is the router itself. The ROUTE target is
also able to change the incoming interface of a packet. Packets are
directly put on the wire and do not traverse any other table.</P>
<P>This target does not modify the packets and is a final target.
It has to be used inside the mangle table.</P>
<P>Whenever possible, you should use the MARK target together with
iproute2 instead of this ROUTE target. However, this target is useful
to force the use of an interface or a next hop and to change the
incoming interface of a packet. People also use it for easiness
and to simplify their rules (one rule to route a packet is easier
that one MARK rule + one iproute2 rule).</P>
<P>Options supported by the ROUTE target are :</P>
<P>
<DL>
<DT><B>--oif ifname</B><DD>
<P>Send the packet out using `ifname' network interface. The destination
host must be on the same link or the interface must be a tunnel.
Otherwise, arp resolution cannot be performed and the packet is dropped.</P>
<DT><B>--iif ifname</B><DD>
<P>Change the packet's incoming interface to `ifname'.</P>
<DT><B>--gw ip</B><DD>
<P>Route the packet via this gateway. The packet is routed as if
its destination IP address was this ip.</P>
</DL>
</P>
<P>For example, assume that you want to redirect ssh packets towards a
server inside your network, without modifying those packets in any way
(this excludes the use of the standard port forwarding mechanism).
A solution is to use an ipip tunnel and the ROUTE target to reroute ssh
packets to the real ssh server, which has the same IP address as the router.
It is not possible to reroute those packets using the standard routing
mechanisms, because the kernel locally delivers a packet having
a destination address belonging to the router itself.</P>
<P>Time for ASCII art :
<PRE>
eth0 +------+ 192.168.0.1 192.168.0.2 +----+
----------------|router|--------------------------------|host|
IP: 150.150.0.1 +------+ +----+
| | tunl1 IP: 150.150.0.1 | |
| +------------------------------------+ |
+----------------------------------------+
IPIP tunnel
</PRE>
</P>
<P>For the example above, you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j ROUTE --oif tunl1
# iptables -A PREROUTING -t mangle -i tunl1 -j ROUTE --oif eth0
# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ROUTE tcp -- anywhere anywhere tcp dpt:ssh ROUTE oif tunl1
ROUTE all -- anywhere anywhere ROUTE oif eth0
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Another example : if you want to quickly and easily balance the load between two
gateways 10.0.0.1 and 10.0.0.2, then you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -A PREROUTING -t mangle -m random --average 50 -j ROUTE --gw 10.0.0.1
# iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.2
# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ROUTE all -- anywhere anywhere random 50% ROUTE gw 10.0.0.1
ROUTE all -- anywhere anywhere ROUTE gw 10.0.0.2
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H2><A NAME="ss4.6">4.6</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.6">SAME patch</A>
</H2>
<P>This patch by Martin Josefsson <gandalf@wlug.westbo.se> adds a new target
which is similar to SNAT and will gives a client the same address for each connection.</P>
<P>For example, if you want to modify the source address of the connections
to be 1.2.3.4-1.2.3.7 you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t nat -A POSTROUTING -j SAME --to 1.2.3.4-1.2.3.7
# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SAME all -- anywhere anywhere same:1.2.3.4-1.2.3.7
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Options supported by the SAME target are :</P>
<P>
<DL>
<DT><B>--to <ipaddr>-<ipaddr></B><DD>
<P>-> Addresses to map source to.
May be specified more than once for multiple ranges.</P>
<DT><B>--nodst</B><DD>
<P>-> Don't use destination-ip in source selection</P>
</DL>
</P>
<H2><A NAME="ss4.7">4.7</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.7">tcp-MSS patch</A>
</H2>
<P>This patch by Marc Boucher <marc+nf@mbsi.ca> adds a new target that allows you to examine and
alter the MSS value of TCP SYN packets, to control the maximum size
for that connection.</P>
<P>As explained by Marc himself, THIS IS A HACK, used to overcome criminally
brain-dead ISPs or servers which block ICMP Fragmentation Needed
packets.</P>
<P>Typical usage would be :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Options supported by the tcp-MSS target are (mutually-exclusive) :</P>
<P>
<DL>
<DT><B>--set-mss value</B><DD>
<P>explicitly set MSS option to specified value</P>
<DT><B>--clamp-mss-to-pmtu</B><DD>
<P>automatically clamp MSS value to (path_MTU - 40)</P>
</DL>
</P>
<H2><A NAME="ss4.8">4.8</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.8">TTL patch</A>
</H2>
<P>This patch by Harald Welte <laforge@gnumonks.org> adds a new target that
enables the user to set the TTL value of an IP packet or to increment/decrement it
by a given value.</P>
<P>For example, if you want to set the TTL of all outgoing connections
to 126, you can do as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -t mangle -A OUTPUT -j TTL --ttl-set 126
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TTL all -- anywhere anywhere TTL set to 126
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the TTL target are :</P>
<P>
<DL>
<DT><B>--ttl-set value</B><DD>
<P>-> Set TTL to <value></P>
<DT><B>--ttl-dec value</B><DD>
<P>-> Decrement TTL by <value></P>
<DT><B>--ttl-inc value</B><DD>
<P>-> Increment TTL by <value></P>
</DL>
</P>
<H2><A NAME="ss4.9">4.9</A> <A HREF="netfilter-extensions-HOWTO.html#toc4.9">ulog patch</A>
</H2>
<P>This patch by Harald Welte <laforge@gnumonks.org> adds a new target
which supplies a more advanced packet logging mechanism than the standard LOG target.
The `libipulog/' contains a library for receiving the ULOG messages.</P>
<P>Harald maintains a
<A HREF="http://www.gnumonks.org/projects/ulogd">web page</A> containing the proper documentation
for ULOG, so there is no point for me to explain this here..</P>
<HR>
<A HREF="netfilter-extensions-HOWTO-5.html">Next</A>
<A HREF="netfilter-extensions-HOWTO-3.html">Previous</A>
<A HREF="netfilter-extensions-HOWTO.html#toc4">Contents</A>
</BODY>
</HTML>