iptables-extensions(8) iptables 1.8.13 iptables-extensions(8) iptables-extensions -- iptables ip6tables [-m name [module-options...]] [-j target-name [target-options...]] iptables [-m name [module-options...]] [-j target-name [target-options...]] iptables -m --match . -h --help . . -p --protocol iptables . addrtype . . . : UNSPEC ( 0.0.0.0) UNICAST LOCAL BROADCAST ANYCAST MULTICAST BLACKHOLE UNREACHABLE PROHIBIT THROW FIXME NAT FIXME XRESOLVE [!] --src-type type [!] --dst-type type --limit-iface-in . PREROUTING INPUT FORWARD. --limit-iface-out. --limit-iface-out . POSTROUTING OUTPUT FORWARD. --limit-iface-in. ah ( IPv6) IPsec. [!] --ahspi spi[:spi] SPI. [!] --ahlen length . --ahres . ah ( IPv4) SPIs IPsec. [!] --ahspi spi[:spi] bpf . eBPF cBPF . --object-pinned path eBPF . eBPF bpf() BPF_PROG_LOAD BPF_OBJ_PIN. iptables bpf mount -t bpf bpf ${BPF_MOUNT} iptables : iptables -A OUTPUT -m bpf --object-pinned ${BPF_MOUNT}/{PINNED_PATH} -j ACCEPT --bytecode code BPF nfbpf_compile. tcpdump -ddd: . 'u16 u8 u8 u32' . 'K'. . 'ip proto 6' : 4 # 48 0 0 9 # ip->proto 21 0 1 6 # IPPROTO_TCP 6 0 0 1 # ( ) 6 0 0 0 # () bpf : iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT nfbpf_compile. iptables -A OUTPUT -m bpf --bytecode "`nfbpf_compile RAW 'ip proto 6'`" -j ACCEPT tcpdump -ddd. BPF xtables. Iptables MAC. RAW tun: ip tuntap add tun0 mode tun ip link set tun0 up tcpdump -ddd -i tun0 ip proto 6 tcpdump -L -i $dev . BPF bpf(4) FreeBSD. cgroup [!] --path path cgroup2. cgroup v2 . . cgroup2. [!] --cgroup classid classid cgroup net_cls. classid cgroup net_cls. --path . : iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --path service/http-server -j DROP iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --cgroup 1 -j DROP : INPUT cgroup . INPUT . 3.14. . . : --cluster-total-nodes num . [!] --cluster-local-node num . [!] --cluster-local-nodemask mask . --cluster-local-node. --cluster-hash-seed value Jenkins. 
: iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP : ip maddr add 01:00:5e:00:01:01 dev eth1 ip maddr add 01:00:5e:00:01:02 dev eth2 arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01 arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27 arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:02 arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27 : arptables . arptables-jf RedHat CentOS Fedora . arptables-jf . TCP TCP ACK . echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose ( 256 ) . --comment : iptables -A INPUT -i eth1 -m comment --comment " " ( ) . 64 ;) . `conntrack -L` ctnetlink. false. sysctl "net.netfilter.nf_conntrack_acct" /. / sysctl. [!] --connbytes from[:to] // FROM TO /. TO FROM . "!" . --connbytes-dir {original|reply|both} --connbytes-mode {packets|bytes|avgpkt} () . "both" "avgpkt" ( ) ( HTTP) . : iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... connlabel (connlabels) . (connmarks) . 128 . [!] --label name name . ( ) . connlabel.conf. --set . . (conntrack label) . ( --label). libnetfilter_conntrack 1.0.4 . /etc/xtables/connlabel.conf. : 0 eth0-in 1 eth0-out 2 ppp-in 3 ppp-out 4 bulk-traffic 5 interactive connlimit IP ( ). --connlimit-upto n n. --connlimit-above n n. --connlimit-mask prefix_length . IPv4 ( ) 0 32. IPv6 0 128. . --connlimit-saddr . --connlimit-daddr. --connlimit-daddr . 
: o telnet : iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT o : iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT o HTTP 16 C ( 24 ): iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT o HTTP 16 (IPv6): ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT o : ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit --connlimit-above 100 -j REJECT connmark netfilter ( CONNMARK ). [!] --mark [/] ( AND ). /. [!] --ctstate _ _ . . [!] --ctproto _4 4 ( ) [!] --ctorigsrc [/] [!] --ctorigdst [/] [!] --ctreplsrc [/] [!] --ctrepldst [/] / / [!] --ctorigsrcport [:] [!] --ctorigdstport [:] [!] --ctreplsrcport [:] [!] --ctrepldstport [:] / / (TCP/UDP/) GRE. 2.6.38. [!] --ctstatus _ _ . . [!] --ctexpire [:] () --ctdir {ORIGINAL|REPLY} . . --ctstate: INVALID . NEW . ESTABLISHED . RELATED FTP ICMP. UNTRACKED -j CT --notrack . SNAT . DNAT . --ctstatus: NONE . EXPECTED ( ). SEEN_REPLY . ASSURED . : . [!] --cpu . 0 NR_CPUS-1. RPS ( ) . : iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT --to-ports 8080 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT --to-ports 8081 2.6.36. dccp [!] --source-port,--sport [:] [!] --destination-port,--dport [:] [!] --dccp-types DCCP 'mask'. 'mask' . : REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID. [!] --dccp-option number DCCP. devgroup / . [!] --src-group name [!] --dst-group name dscp DSCP 6 TOS IP. DSCP TOS IETF. [!] --dscp value ( ) 0-63. [!] --dscp-class class DiffServ. BE EF AFxx CSx. . dst ( IPv6) [!] --dst-len length . --dst-opts type[:length][,type[:length]...] . ecn ECN IPv4/IPv6 TCP. ECN RFC3168 [!] --ecn-tcp-cwr CWR ( ) TCP ECN . [!] --ecn-tcp-ece ECE ( ECN) TCP ECN . [!] --ecn-ip-ect num ECT ( ECN) IPv4/IPv6. `0' `3'. esp SPIs ESP IPsec. [!] 
--espspi spi[:spi] eui64 ( IPv6) EUI-64 IPv6 . EUI-64 MAC Ethernet 64 IPv6 . "Universal/Local" . PREROUTING INPUT FORWARD. frag ( IPv6) . [!] --fragid id[:id] . [!] --fraglen length 2.6.10 . . --fragres . --fragfirst . --fragmore . --fraglast . hashlimit hashlimit ( limit) iptables . ( / ) / . "N " "N " ( ). (--hashlimit-upto --hashlimit-above) --hashlimit-name . --hashlimit-upto [/second|/minute|/hour|/day] / . ( 3/) b/second ( ). --hashlimit-above [/second|/minute|/hour|/day] / . --hashlimit-burst : 5. . -- . --hashlimit-mode {srcip|srcport|dstip|dstport},... . --hashlimit-mode hashlimit limit . --hashlimit-srcmask --hashlimit-mode srcip hashlimit. () 0 32. --hashlimit-srcmask 0 srcip --hashlimit-mode . --hashlimit-dstmask --hashlimit-srcmask . --hashlimit-name foo /proc/net/ipt_hashlimit/foo. --hashlimit-htable-size buckets --hashlimit-htable-max entries . --hashlimit-htable-expire msec . --hashlimit-htable-gcinterval msec . --hashlimit-rate-match . / / --hashlimit-rate-interval sec --hashlimit-rate-match : "1000 192.168.0.0/16" => -s 192.168.0.0/16 --hashlimit-mode srcip --hashlimit-upto 1000/sec "100 192.168.1.1" => -s 192.168.1.1 --hashlimit-mode srcport --hashlimit-upto 100/sec "10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8" => -s 10.0.0.0/8 --hashlimit-mask 28 --hashlimit-upto 10000/min "flows exceeding 512kbyte/s" => --hashlimit-mode srcip,dstip,srcport,dstport --hashlimit-above 512kb/s "hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching" --hashlimit-mode dstip --hashlimit-above 512kb/s --hashlimit-burst 1mb hbh ( IPv6) [!] --hbh-len . --hbh-opts [:][,[:]...] . . [!] --helper . "ftp" FTP . --portnr "ftp-2121". . hl ( IPv6) IPv6. [!] --hl-eq . --hl-lt . --hl-gt . icmp ( IPv4) `--protocol icmp`. : [!] --icmp-type {[/]|_} ICMP ICMP / ICMP iptables -p icmp -h icmp6 ( IPv6) `--protocol ipv6-icmp` `--protocol icmpv6`. : [!] --icmpv6-type [/]|_ ICMPv6 ICMPv6 ICMPv6 ip6tables -p ipv6-icmp -h iprange IP. 
[!] --src-range [-] IP . [!] --dst-range [-] IP . ipv6header ( IPv6) IPv6 / . --soft --header. [!] --header [,...] . ESP . : hop|hop-by-hop dst route frag auth esp none 59 ' ' IPv6 IPv6 prot . /etc/protocols . 255 prot. ipvs IPVS. [!] --ipvs IPVS --ipvs ( ) [!] --vproto protocol VIP "tcp" [!] --vaddr address[/mask] VIP [!] --vport port VIP "http" --vdir {ORIGINAL|REPLY} [!] --vmethod {GATE|IPIP|MASQ} IPVS [!] --vportctl port VIP 21 FTP length 3 ( 4) . [!] --length length[:length] limit . . LOG . xt_limit -- -m hashlimit ! --hashlimit rate --hashlimit-mode. --limit rate[/second|/minute|/hour|/day] : `/second' `/minute' `/hour' `/day' 3/hour. --limit-burst number : 5. mac [!] --mac-source MAC . XX:XX:XX:XX:XX:XX. PREROUTING FORWARD INPUT. netfilter ( MARK ). [!] --mark [/] ( AND ). mh ( IPv6) `--protocol ipv6-mh` `--protocol mh`. : [!] --mh-type [:] (MH) MH MH ip6tables -p mh -h multiport . 15 . (:) . : tcp udp udplite dccp sctp. [!] --source-ports,--sports [,|,:]... . --sports . . 53,1024:65535 53 1024 65535. [!] --destination-ports,--dports [,|,:]... . --dports . [!] --ports [,|,:]... . nfacct nfacct iptables. nfacct(8) : --nfacct-name name . : nfacct add http-traffic iptables: iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic : nfacct get http-traffic { pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic; nfacct(8) https://www.netfilter.org git.netfilter.org. osf osf . ( MSS TTL DF ) SYN. [!] --genre string . --ttl level TTL . level : 0 IP TTL . . 1 TTL IP TTL . . 2 TTL . --log dmesg . : 0 1 2 syslog: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4 nfnl_osf. : nfnl_osf -f /usr/share/xtables/pf.os nfnl_osf -f /usr/share/xtables/pf.os -d http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . . OUTPUT POSTROUTING. . . [!] --uid-owner _ [!] 
--uid-owner _[-_] ( ) . UID UID. [!] --gid-owner _ [!] --gid-owner _[-_] . GID GID. --suppl-groups () --gid-owner . [!] --socket-exists . physdev . IP 2.5.44. [!] --physdev-in name ( INPUT FORWARD PREROUTING). "+" . '!'. [!] --physdev-out name ( FORWARD POSTROUTING). "+" . [!] --physdev-is-in . [!] --physdev-is-out . [!] --physdev-is-bridged . FORWARD POSTROUTING. pkttype . [!] --pkt-type {unicast|broadcast|multicast} policy IPsec . --dir {in|out} . in PREROUTING, INPUT FORWARD out POSTROUTING, OUTPUT FORWARD. --pol {none|ipsec} IPsec. --pol none --strict. --strict . . --strict . [!] --reqid id reqid . reqid setkey(8) unique:id . [!] --spi spi SPI SA. [!] --proto {ah|esp|ipcomp} . [!] --mode {tunnel|transport} . [!] --tunnel-src addr[/mask] SA . --mode tunnel. [!] --tunnel-dst addr[/mask] SA . --mode tunnel. --next . --strict. quota . . ( ). [!] --quota . RATEEST. bps/pps . : : o rateest rateest-bps o rateest rateest-pps + : o (rateest rateest-bps1) rateest-bps2 o (rateest rateest-pps1) rateest-pps2 : o rateest1 rateest2 rateest-bps( !) o rateest1 rateest2 rateest-pps( !) + : o (rateest1 rateest-bps1) (rateest2 rateest-bps2) o (rateest1 rateest-pps1) (rateest2 rateest-pps2) --rateest-delta ( ) BPS/PPS. BPS/PPS 0 . "max(0, rateest#_rate - rateest#_bps)". [!] --rateest-lt / . [!] --rateest-gt / . [!] --rateest-eq / . " " " " . --rateest . --rateest1 --rateest2 . --rateest-bps [] --rateest-pps [] --rateest-bps1 [] --rateest-bps2 [] --rateest-pps1 [] --rateest-pps2 [] () . . -- : bit, [kmgt]bit, [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps. 
: FTP : # iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 --rateest-interval 250ms --rateest-ewma 0.5s iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 --rateest-interval 250ms --rateest-ewma 0.5s # iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1 iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit --rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2 iptables -t mangle -A balance -j CONNMARK --restore-mark realm ( IPv4) . BGP. [!] --realm [/] ( ). /etc/iproute2/rt_realms ( ). ( "0x") ( ). recent IP . "" 139 . --set --rcheck --update --remove . --name . DEFAULT. [!] --set . . ( !). --rsource / . . --rdest / . --mask netmask . [!] --rcheck . [!] --update --rcheck " " . [!] --remove . . --seconds seconds --rcheck --update. . --reap --seconds. . --hitcount hits --rcheck --update. . --seconds . --rttl --rcheck --update. TTL --set. . : iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP /proc/net/xt_recent/* . /proc/net/xt_recent/ : echo +addr >/proc/net/xt_recent/DEFAULT addr DEFAULT echo -addr >/proc/net/xt_recent/DEFAULT addr DEFAULT echo / >/proc/net/xt_recent/DEFAULT DEFAULT ( ). : ip_list_tot=100 . ip_pkt_list_tot=0 . 3.19 --hitcount . ip_list_hash_size=0 . 0 ip_list_tot ( ip_list_tot 100 ip_list_hash_size 128 ). ip_list_perms=0644 /proc/net/xt_recent/*. ip_list_uid=0 UID /proc/net/xt_recent/*. ip_list_gid=0 GID /proc/net/xt_recent/*. rpfilter . . rp_filter IPSec . . . PREROUTING raw mangle. --loose . --validmark nfmark . --accept-local . --invert . . 
: iptables -t raw -N RPFILTER iptables -t raw -A RPFILTER -m rpfilter -j RETURN iptables -t raw -A RPFILTER -m limit --limit 10/minute -j NFLOG --nflog-prefix "rpfilter drop" iptables -t raw -A RPFILTER -j DROP iptables -t raw -A PREROUTING -j RPFILTER : iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP rt ( IPv6) IPv6 [!] --rt-type type (). [!] --rt-segsleft num[:num] ` ' (). [!] --rt-len length . --rt-0-res (type=0) --rt-0-addrs addr[,addr...] type=0 (). --rt-0-not-strict type=0 . sctp . [!] --source-port,--sport [:] [!] --destination-port,--dport [:] [!] --chunk-types {all|any|only} chunktype[:flags] [...] . : all . any . . : DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN DATA I U B E i u b e I_DATA I U B E i u b e ABORT T t SHUTDOWN_COMPLETE T t ( "" "") : iptables -A INPUT -p sctp --dport 80 -j DROP iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT IP ipset(8). [!] --match-set _ [,]... src / dst . iptables -A FORWARD -m set --match-set test src,dst ( ipportmap) . ( ipmap) . --return-nomatch --return-nomatch nomatch : nomatch true false. ! --update-counters --update-counters . . ! --update-subcounters --update-subcounters . . [!] --packets-eq . --packets-lt . --packets-gt . [!] --bytes-eq . --bytes-lt . --bytes-gt . . --match-set --set . -m set ipset Linux 2.6.39. socket TCP/UDP . ( ). packet TCP/UDP TCP/UDP embedded ICMP/ICMPv6. --transparent . --nowildcard 'any'. . . --transparent . ( 1 ): -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1 --restore-skmark . --transparent --nowildcard . : (IP_TRANSPARENT) SO_MARK. 
: -t mangle -I PREROUTING -m socket --transparent --restore-skmark -j action -t mangle -A action -m mark --mark 10 -j action2 -t mangle -A action -m mark --mark 11 -j action3 state "state" "conntrack". "state" . [!] --state state state . "conntrack": INVALID ESTABLISHED NEW RELATED UNTRACKED. "conntrack" . statistic . --mode. : --mode random nth. [!] --probability p . random. p 0.0 1.0. 1/2147483648. [!] --every n n . nth ( --packet). --packet p (0 <= p <= n-1 0) nth. . >= 2.6.14. --algo {bm|kmp} . (bm = Boyer-Moore kmp = Knuth-Pratt-Morris) --from offset . 0. --to offset . offset ( 0) pattern. . [!] --string pattern . [!] --hex-string pattern . --icase . : # . iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG # |0D 0A| |0D0A|. iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|' : Boyer-Moore (BM) . Knuth-Pratt-Morris (KMP) . . NIDS KMP. -- (QoS) -- BM. tcp `--protocol tcp`. : [!] --source-port,--sport [:] . . first:last. "0" "65535". --sport . [!] --destination-port,--dport [:] . --dport . [!] --tcp-flags mask comp TCP . mask comp . : SYN ACK FIN RST URG PSH ALL NONE. iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN SYN ACK FIN RST . [!] --syn TCP SYN ACK RST FIN. TCP TCP TCP . --tcp-flags SYN,RST,ACK,FIN SYN. "!" "--syn" . [!] --tcp-option number TCP. tcpmss MSS ( ) TCP. TCP SYN SYN/ACK MSS TCP . [!] --mss [:] MSS TCP. . time / . AND . UTC . --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] ISO 8601 "T". 1970-01-01T00:00:00 2038-01-19T04:17:07. --datestart --datestop 1970-01-01 2038-01-19 . --timestart :[:] --timestop :[:] . 00:00:00 23:59:59. ( "06:03") -10. [!] --monthdays [,...] . 1 31. 31 31 28 29 . [!] --weekdays [,...] . Mon Tue Wed Thu Fri Sat Sun 1 7 . (Mo Tu ). --contiguous --timestop --timestart . . --kerneltz UTC . : UTC . . RTC CMOS x86 UTC. UTC . ( ). TZ. . TZ UTC date(1) . TZ . UTC FAT UTC ( ). . -- -- . 
ntpd . +0000 . --kerneltz. . : -m time --weekdays Sa,Su ( ) : -m time --datestart 2007-12-24 --datestop 2007-12-27 : -m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59 : -m time --timestart 12:30 --timestop 13:30 : -m time --weekdays Fr --monthdays 22,23,24,25,26,27,28 ( . " " . .) . -m time --weekdays Mo --timestart 23:00 --timestop 01:00 1 23:00 . ' 23:00 ' --contiguous . tos 8 IPv4 ( "") ( 8 ) IPv6. [!] --tos [/] TOS . AND TOS . [!] --tos tos IPv4. TOS iptables -m tos -h. 0x3F ECN. ttl ( IPv4) IP. [!] --ttl-eq ttl TTL . --ttl-gt ttl TTL TTL . --ttl-lt ttl TTL TTL . u32 U32 4 . TCP . [!] --u32 . := "=" | "&&" "=" := | "," := | ":" n n:n. n:m >=n <=m. := | := "&" | "<<" | ">>" | "@" & << >> && C. = . @ . : * 10 "=" ( 9 "&&") u32 * 10 ( 9 ) * 10 ( 9 ) . : A char * IP B C 32 : B = ; C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3) & C = C & << C = C << >> C = C >> @ A = A + C; [skb->data,skb->end] . C. . . : IP >= 256 IP 2-3. --u32 "0 & 0xFFFF = 0x100:0xFFFF" 0-3 AND 0xFFFF ( 2-3) [0x100:0xFFFF] : ( ) ICMP icmp 0 ICMP 9 () = 1 --u32 "6 & 0xFF = 1 && ... 6-9 & 6-8 1. . ( .) : IP. 6 6 7 0 ( ). 5 6. ... 4 & 0x3FFF = 0 && ... : IP () 0. @. IP (IHL) 32 0 IP . ... 0 >> 22 & 0x3C @ 0 >> 24 = 0" 0 0-3 >>22 22 . 24 22 . &3C . IHL=5 IP 20 (4 x 5) . 0-1 () xxxx0101 yyzzzzzz >>22 10 xxxx0101yy &3C 010100. @ . 4 ICMP 0 ICMP. 24 0. : 8-12 TCP 1 2 5 8 tcp ( ICMP). --u32 "6 & 0xFF = 6 && ... ( ). ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8" 0>>22&3C IP. @ TCP. TCP ( 32 ) 12 TCP. 12>>26&3C ( IP ). "@" TCP. 8 8-12 = 1 2 5 8. udp `--protocol udp`. : [!] --source-port,--sport [:] . --source-port TCP . [!] --destination-port,--dport [:] . --destination-port TCP . iptables : . . . auditd(8) . --type {accept|drop|reject} . linux-4.12 . iptables . : iptables -N AUDIT_DROP iptables -A AUDIT_DROP -j AUDIT iptables -A AUDIT_DROP -j DROP /. mangle. --checksum-fill . dhcp . skb->priority ( CBQ ). --set-class major:minor . 0x. CLUSTERIP ( IPv4) IP MAC . . 
CLUSTERIP cluster IPv4. --new ClusterIP . ClusterIP . --hashmode mode . sourceip sourceip-sourceport sourceip-sourceport-destport. --clustermac mac MAC ClusterIP. --total-nodes num . --local-node num . --hash-init rnd . CONNMARK netfilter . 32 . --set-xmark value[/mask] mask XOR value ctmark. --save-mark [--nfmask nfmask] [--ctmask ctmask] (nfmark) (ctmark) . nfmark : ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) ctmask nfmask nfmark XOR ctmark. ctmask nfmask 0xFFFFFFFF. --restore-mark [--nfmask nfmask] [--ctmask ctmask] (ctmark) (nfmark) . ctmark : nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask); nfmask ctmask ctmark XOR nfmark. ctmask nfmask 0xFFFFFFFF. --restore-mark mangle. --set-xmark: --and-mark AND ctmark . ( --set-xmark 0/_ _ .) --or-mark OR ctmark . ( --set-xmark /.) --xor-mark XOR ctmark . ( --set-xmark /0.) --set-mark [/] . . --save-mark [--mask ] nfmark ctmark. . --restore-mark [--mask ] ctmark nfmark. . mangle. CONNSECMARK ( ) ( ). SECMARK security ( mangle). --save . --restore . CT CT . "" conntrack ct . "raw". --notrack . --helper name name . conntrack . --ctevents event[,...] conntrack . : new, related, destroy, reply, assured, protoinfo, helper, mark ( ctmark nfmark), natseqinfo, secmark (ctsecmark). --expevents event[,...] . : new. --zone-orig {id|mark} id . mark id nfmark . --zone-reply {id|mark} id . mark id nfmark . --zone {id|mark} id . mark id nfmark . 0. . --timeout name name . /proc/sys/net/netfilter/nf_conntrack_*_timeout_*. DNAT nat PREROUTING OUTPUT . ( ) . : --to-destination [ipaddr[-ipaddr]][:port[-port[/baseport]]] IP IP. : tcp udp dccp sctp. . IP . baseport . 4.18. baseport /etc/services. ipaddr IPv4 ( 127.0.0.0/8) "net.ipv4.conf.*.route_localnet" sysctl 1. "martians". --random ( >= 2.6.22). --persistent / . SAME. 2.6.29-rc2. IPv6 >= 3.7. DNPT ( IPv6) IPv6 IPv6 ( RFC 6296). mangle nat. : --src-pfx [prefix/length] --dst-pfx [prefix/length] SNPT . : ip6tables -t mangle -I POSTROUTING -s fd00::/64 ! 
-o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64 ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64 IPv6: sysctl -w net.ipv6.conf.all.proxy_ndp=1 NOTRACK . DSCP DSCP TOS IPv4. mangle. --set-dscp DSCP ( ) --set-dscp-class DSCP DiffServ. ECN ( IPv4) ECN. mangle. --ecn-tcp-remove ECN TCP. -p tcp. HL ( IPv6) IPv6. TTL IPv4. . mangle. ! --hl-set `'. --hl-dec `` . --hl-inc `` . HMARK MARK (fwmark) . . ICMP . : --hmark-tuple : src ( IPv4 IPv6) dst ( IPv4 IPv6) sport (TCP UDP UDPlite SCTP DCCP) dport (TCP UDP UDPlite SCTP DCCP) spi (AH ESP) ct (conntrack) . --hmark-mod ( > 0) ( ) --hmark-offset . --hmark-tuple : --hmark-src-prefix cidr CIDR. --hmark-dst-prefix cidr CIDR. --hmark-sport-mask 16 . --hmark-dport-mask 16 . --hmark-spi-mask 32 spi. --hmark-proto-mask 8 4. --hmark-rnd 32 . : iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j HMARK --hmark-tuple ct,src,dst,proto --hmark-offset 10000 --hmark-mod 10 --hmark-rnd 0xfeedcafe iptables -t mangle -A PREROUTING -j HMARK --hmark-offset 10000 --hmark-tuple src,dst,proto --hmark-mod 10 --hmark-rnd 0xdeafbeef IDLETIMER . . () . . sysfs. . xt_idletimer: /sys/class/xt_idletimer/timers/<> sysfs ( ). --timeout . --label . 27 . LED LED . LED SSH . : --led-trigger-id LED. "netfilter-" . --led-delay ( ) LED . 0 ( ). inf LED . ( LED .) --led-always-blink LED LED . ( .) : LED SSH : iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh LED: echo netfilter-ssh >/sys/class/leds/_led/trigger LOG . ( IP/IPv6) ( dmesg(1) syslog). " " . LOG DROP ( REJECT). --log-level ( ) . ( ): emerg alert crit error warning notice info debug. --log-prefix 29 . --log-tcp-sequence TCP. . --log-tcp-options TCP. --log-ip-options IP/IPv6. --log-uid . --log-macdecode MAC . MARK Netfilter . fwmark ( iproute2). PREROUTING OUTPUT mangle . 32 . --set-xmark value[/mask] mask XOR value ("nfmark"). mask 0xFFFFFFFF. --set-mark [/] mask OR value . 
mask 0xFFFFFFFF. : --and-mark AND nfmark bits. ( --set-xmark 0/invbits invbits bits.) --or-mark OR nfmark bits. ( --set-xmark bits/bits.) --xor-mark XOR nfmark bits. ( --set-xmark bits/0.) MASQUERADE nat POSTROUTING. IP ( ): IP SNAT. IP . ( ). --to-ports port[-port] SNAT ( ). : tcp udp dccp sctp. --random ( >= 2.6.21). 5.0 --random --random-fully. --random-fully ( >= 3.13). IPv6 >= 3.7. NETMAP . nat. --to address[/mask] . : '' `` . . IPv6 >= 3.7. NFLOG . . nfnetlink_log netlink . . LOG . --nflog-group nlgroup netlink (0-2^16-1) ( nfnetlink_log). 0. --nflog-prefix prefix 64 . --nflog-range size --nflog-size --nflog-size size ( nfnetlink_log). nfnetlink_log . --nflog-threshold size ( nfnetlink_log). . 1. NFQUEUE nfnetlink_queue. 16-. . . libnetfilter_queue . nfnetlink_queue 2.6.14. queue-balance 2.6.31 queue-bypass 2.6.39. --queue-num . 0 65535. 0. --queue-balance : . . : x, x+1, .. x+n "--queue-balance x:x+n". nfqueue. 0 65534 65535 . --queue-bypass NFQUEUE . NFQUEUE ACCEPT . --queue-cpu-fanout 3.10. --queue-balance . . --queue-balance. NOTRACK . -j CT --notrack. CT NOTRACK raw. RATEEST RATEEST rateest. --rateest-name . --rateest-interval {s|ms|us} . --rateest-ewmalog . REDIRECT nat PREROUTING OUTPUT . IP ( 127.0.0.1 IPv4 ::1 IPv6 IP ). --to-ports port[-port] : . : tcp udp dccp sctp. /etc/services. --random ( >= 2.6.22). IPv6 Linux >= 3.7. REJECT ( IPv6) : DROP . INPUT FORWARD OUTPUT . : --reject-with type icmp6-no-route no-route icmp6-adm-prohibited adm-prohibited icmp6-addr-unreachable addr-unreach icmp6-port-unreachable ICMPv6 (icmp6-port-unreachable ). tcp-reset TCP : TCP RST . ident (113/tcp) ( ). tcp-reset 2.6.14 . : REJECT INVALID . P P P_2 P_2 . P . . : -A INPUT ... -j REJECT : -A INPUT ... -m conntrack --ctstate INVALID -j DROP -A INPUT ... -j REJECT REJECT ( IPv4) : DROP . INPUT FORWARD OUTPUT . 
: --reject-with type icmp-net-unreachable icmp-host-unreachable icmp-port-unreachable icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited icmp-admin-prohibited (*) ICMP (icmp-port-unreachable ). tcp-reset TCP : TCP RST . ident (113/tcp) ( ). (*) icmp-admin-prohibited REJECT : REJECT INVALID . P P P_2 P_2 . P . . : -A INPUT ... -j REJECT : -A INPUT ... -m conntrack --ctstate INVALID -j DROP -A INPUT ... -j REJECT SECMARK SELinux. security ( mangle). 32 . --selctx security_context SET / IP ipset(8). --add-set _ [,...] / --del-set _ [,...] / --map-set _ [,...] [--map-mark] [--map-prio] [--map-queue] ( tc ) () src / dst . --timeout --exist --map-set _ --skbinfo --map-mark --map-prio --map-queue --map-set mangle . --map-prio --map-queue OUTPUT FORWARD POSTROUTING. -j SET ipset Linux 2.6.39. SNAT nat POSTROUTING INPUT . ( ) . : --to-source [_IP[-_IP]][:[-]] IP IP. : tcp udp dccp sctp. 512 512: 512 1023 1024 1024 . . --random ( >= 2.6.21). --random-fully (PRNG) ( >= 3.14). --persistent / . SAME. 2.6.29-rc2. 2.6.36-rc1 SNAT INPUT. IPv6 >= 3.7. SNPT ( IPv6) IPv6 IPv6 ( RFC 6296). mangle nat. : --src-pfx [prefix/length] --dst-pfx [prefix/length] DNPT . : ip6tables -t mangle -I POSTROUTING -s fd00::/64 ! -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64 ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64 IPv6: sysctl -w net.ipv6.conf.all.proxy_ndp=1 NOTRACK . SYNPROXY TCP netfilter . . SYNFLOOD Linux 4.4 Linux. --mss . . --wscale . . --sack-perm ( ). --timestamps ( ). : TCP tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)' port 80 & telnet 192.0.2.42 80 18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757: [S.] 360414582 788841994 14480 [mss 1460,sackOK TS val 1409056151 ecr 9690221 nop,wscale 9] 0 tcp_loose conntrack INVALID. 
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose SYN iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80 --syn -j CT --notrack UNTRACKED ( SYN) INVALID ( ACK ) SYNPROXY. SYN SYN+ACK ESTABLISHED ( ACK ) . ( SYN+FIN SYN+ACK). iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss 1460 --wscale 9 SYNPROXY. iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state INVALID -j DROP TCPMSS MSS TCP SYN ( MTU 40 IPv4 60 IPv6 ). -p tcp. "ICMP Fragmentation Needed" "ICMPv6 Packet Too Big". / Linux : 1. . 2. . 3. ssh scp . : : iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --set-mss MSS . MSS ( Linux 2.6.25) MSS . --clamp-mss-to-pmtu MSS (path_MTU - 40 IPv4 -60 IPv6). MTU -- MTU IP . Linux 2.6.25 MTU IP MTU IP . . TCPOPTSTRIP TCP TCP. ( NO-OPs.) -p tcp. --strip-options [,...] () . TCP . iptables -j TCPOPTSTRIP -h. TEE TEE . nexthop nexthop . --gateway _ip IP . 0.0.0.0 ( IPv4) :: (IPv6) . eth0 : -t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1 TOS IPv4 ( "") IPv6. TOS DSCP ECN. TOS mangle. --set-tos [/] ( ) XOR TOS/. 0xFF. --set-tos TOS IPv4. 0xFF ( ). TOS iptables -j TOS -h. : --and-tos AND TOS . ( --set-tos 0/_ _ . .) --or-tos OR TOS . ( --set-tos /. .) --xor-tos XOR TOS . ( --set-tos /0. .) : 2.6.38 2.6.32 (>=.42) 2.6.33 (>=.15) 2.6.35 (>=.14) TOS IPv6 IPv4. TOS TOS . --set-tos . TPROXY mangle PREROUTING . . . : --on-port . 0 . -p tcp -p udp. --on-ip . IP . -p tcp -p udp. --tproxy-mark [/] / . fwmark . ( : .) TRACE . raw. iptables-legacy ip(6)t_LOG nfnetlink_log . : "TRACE: tablename:chainname:type:rulenum " "rule" "return" "policy" . iptables-nft meta nftrace nftables. netlink xtables-monitor --trace. xtables-monitor(8). TTL ( IPv4) TTL IPv4. TTL () . TTL . mangle. ! --ttl-set TTL `'. --ttl-dec TTL `' . --ttl-inc TTL `' . ULOG ( IPv4) IPv4 NFLOG. . netlink. . LOG " " . --ulog-nlgroup _nl netlink (1-32) . 1. --ulog-prefix 32 . 
--ulog-cprange . 0 . 0. --ulog-qthreshold . 10 netlink . 1 ( ). 3 . . : . iptables 1.8.13 iptables-extensions(8)