iptables-extensions(8) iptables 1.8.10 iptables-extensions(8) iptables-extensions - iptables ip6tables [-m name [module-options...]] [-j target-name [target-options...] iptables [-m name [module-options...]] [-j target-name [target-options...] iptables can use extended packet matching modules with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module. The extended match modules are evaluated in the order they are specified in the rule. -p --protocol ( ) , iptables , , . addrtype . . () . : UNSPEC - , (.. 0.0.0.0); UNICAST - ; LOCAL - ; BROADCAST - ; ANYCAST - , ; MULTICAST - ; BLACKHOLE - " " ( ; ); UNREACHABLE - ; PROHIBIT - ; THROW - . NAT - . XRESOLVE [!] --src-type type - . [!] --dst-type type - . --limit-iface-in , . PREROUTING, INPUT FORWARD. --limit-iface-out. --limit-iface-out , . POSTROUTING, OUTPUT FORWARD. --limit-iface-in. ah ( IPv6) IPSec. [!] --ahspi spi[:spi] SPI. [!] --ahlen length . --ahres - . ah ( IPv4) SPI IPSec. [!] --ahspi spi[:spi] bpf , Linux. eBPF cBPF . --object-pinned path eBPF. eBPF bpf() BPF_PROG_LOAD BPF_OBJ_PIN. iptables, bpf mount -t bpf bpf ${BPF_MOUNT} iptables: iptables -A OUTPUT -m bpf --object-pinned ${BPF_MOUNT}/{PINNED_PATH} -j ACCEPT --bytecode code - BPF, nfbpf_compile utility. tcpdump -ddd: , , . "u16 u8 u8 u32" . , , , , , "K". . , , "ip proto 6", , : 4 # 48 0 0 9 # ip->proto 21 0 1 6 # IPPROTO_TCP 6 0 0 1 # () 6 0 0 0 # () bpf : iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT , , nfbpf_compile: iptables -A OUTPUT -m bpf --bytecode "`nfbpf_compile RAW 'ip proto 6'`" -j ACCEPT tcpdump -ddd. BPF, , xtables. Iptables , mac-. 
RAW, tun: ip tuntap add tun0 mode tun ip link set tun0 up tcpdump -ddd -i tun0 ip proto 6 tcpdump -L -i $dev. , BPF bpf(4) FreeBSD. cgroup [!] --path path 2. v2c. , . 2. [!] --cgroup classid net_cls. classid - , cgroup net_cls. --path . : iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --path service/http-server -j DROP iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --cgroup 1 -j DROP IMPORTANT: INPUT cgroup , , , . , INPUT , . Linux 3.14. cluster . , . , , : --cluster-total-nodes num . [!] --cluster-local-node num . [!] --cluster-local-nodemask mask . --cluster-local-node. --cluster-hash-seed value . : : iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP , : ip maddr add 01:00:5e:00:01:01 dev eth1 ip maddr add 01:00:5e:00:01:02 dev eth2 arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01 arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27 arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:02 arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27 : iptables . arptables-jf, RedHat, CentOS Fedora, . , , arptables-jf. TCP- pickup facility , TCP ACK, , . echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose comment ( 256 ) . --comment comment : iptables -A INPUT -i eth1 -m comment --comment "my local LAN" connbytes , ( , ) . 64- . - . conntrack -L, ctnetlink. : , , false. sysctl "net.netfilter.nf_conntrack_acct" , new. sysctl. [!] 
--connbytes from[:to] (// ) FROM TO /; TO , FROM. "!" , . --connbytes-dir {original|reply|both} . --connbytes-mode {packets|bytes|avgpkt} , ( ) . : "both" "avgpkt", ( ) , , HTTP) . : iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... : iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... connlabel . , , (.. ). 128 . [!] --label name - name. ( , ) . connlabel.conf. --set ( , ). : . , conntrack , , . ( , , --label ). libnetfilter_conntrack 1.0.4 . /etc/xtables/connlabel.conf. : : 0 eth0-in 1 eth0-out 2 ppp-in 3 ppp-out 4 bulk-traffic 5 interactive connlimit . --connlimit-upto n - n. --connlimit-above n - n. --connlimit-mask prefix_length . IPv4 0 32. IPv6 - 0 128. , . --connlimit-saddr . , --connlimit-daddr . --connlimit-daddr Apply the limit onto the destination group. : # 2 telnet : iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT # : iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT # HTTP- 16 C (24- ): iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT # HTTP- 16 (ipv6): (ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT # : ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit --connlimit-above 100 -j REJECT connmark , ; CONNMARK, . [!] --mark value[/mask] ( , , , ). conntrack , , . [!] --ctstate statelist statelist - , . . [!] --ctproto l4proto 4 ( ). [!] --ctorigsrc address[/mask] [!] --ctorigdst address[/mask] [!] --ctreplsrc address[/mask] [!] --ctrepldst address[/mask] / / . [!] --ctorigsrcport port[:port] [!] --ctorigdstport port[:port] [!] --ctreplsrcport port[:port] [!] --ctrepldstport port[:port] / / (TCP/UDP/ ..) GRE. 2.6.38. [!] --ctstatus statelist statuslist - , . . [!] --ctexpire time[:time] (). --ctdir {ORIGINAL|REPLY} , . , - . --ctstate: INVALID . NEW , . 
ESTABLISHED , . RELATED , , FTP ICMP. UNTRACKED ; , , -j CT --notrack raw. SNAT , . DNAT , . --ctstatus: NONE . EXPECTED (.. conntrack helper ). SEEN_REPLY Conntrack . ASSURED Conntrack . CONFIRMED : . cpu [!] --cpu number (cpu), . 0 NR_CPUS-1. RPS ( ) . : : iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT --to-ports 8080 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT --to-ports 8081 Linux 2.6.36. dccp [!] --source-port,--sport port[:port] [!] --destination-port,--dport port[:port] [!] --dccp-types mask DCCP "mask". "mask"- , . : REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID. [!] --dccp-option number DCCP. devgroup . : [!] --src-group name . [!] --dst-group name . dscp 6- DSCP TOS IP. DSCP TOS IETF (. RFC 2638). [!] --dscp value ( ) (value) [0-63]. [!] --dscp-class class DiffServ. BE, EF, AFxx CSx. . dst ( IPv6) " ". [!] --dst-len length . --dst-opts type[:length][,type[:length]...] . ecn ECN IPv4/IPv6 TCP. ECN - , RFC 3168. [!] --ecn-tcp-cwr , TCP ECN CWR ( ). [!] --ecn-tcp-ece , TCP ECN ECE ( ECN). [!] --ecn-ip-ect num ECT IPv4/IPv6 ( ECN). "0" "3". esp SPI ESP IPSec. [!] --espspi spi[:spi] eui64 ( IPv6) EUI-64 IPv6- . EUI-64, MAC- Ethernet, 64 IPv6. "/ " . PREROUTING, INPUT FORWARD. frag ( IPv6) . [!] --fragid id[:id] . [!] --fraglen length 2.6.10 . . --fragres . --fragfirst . --fragmore , . --fraglast . hashlimit hashlimit - , iptables single ( limit). ( / ) / . "N "N " ( ). . limit . hash limit ((--hashlimit-upto, --hashlimit-above) --hashlimit-name . --hashlimit-upto amount[/second|/minute|/hour|/day] - amount/quantum (/ ). , amountb/second ( ). : 3/hour (3/). --hashlimit-above amount[/second|/minute|/hour|/day] - amount/quantum. --hashlimit-burst amount - -. - , , . : 5. , , . - , . --hashlimit-mode {srcip|srcport|dstip|dstport},... , , . --hashlimit-mode , hashlimit limit, . --hashlimit-srcmask prefix --hashlimit-mode srcip, (prefix) hashlimit. 0 32, . 
, --hashlimit-srcmask 0 , srcip --hashlimit-mode, . --hashlimit-dstmask prefix , --hashlimit-srcmask, . --hashlimit-name foo /proc/net/ipt_hashlimit/foo. --hashlimit-htable-size buckets -. --hashlimit-htable-max entries . --hashlimit-htable-expire msec . --hashlimit-htable-gcinterval msec "". --hashlimit-rate-match , . / / (above/below). --hashlimit-rate-interval sec --hashlimit-rate-match , . : : : "1000 192.168.0.0/16"=> -s 192.168.0.0/16 --hashlimit-mode srcip --hashlimit-upto 1000/sec : "100 192.168.1.1" => -s 192.168.1.1 --hashlimit-mode srcport --hashlimit-upto 100/sec : "10000 /28 ( 8 ) 10.0.0.0/8" => -s 10.0.0.0/8 --hashlimit-mask 28 --hashlimit-upto 10000/min : ", 512kbyte/s" => --hashlimit-mode srcip,dstip,srcport,dstport --hashlimit-above 512kb/s : ", 512 / 1 / " --hashlimit-mode dstip --hashlimit-above 512kb/s --hashlimit-burst 1mb hbh ( IPv6) Hop-by-Hop ( ). [!] --hbh-len length ( ). . --hbh-opts type[:length][,type[:length]...] ( ). . helper , conntrack-helper. [!] --helper string conntrack-helper. (string) "ftp" , ftp- . "ftp" , .. "ftp-2121". conntrack-helpers. hl ( IPv6) IPv6. [!] --hl-eq value - (value). --hl-lt value - (value). --hl-gt value - (value). icmp ( IPv4) , "--protocol icmp". : [!] --icmp-type {type[/code]|typename} ICMP, ICMP, / (type/code) ICMP, : iptables -p icmp -h icmp6 ( IPv6) , "--protocol ipv6-icmp" "--protocol icmpv6". : [!] --icmpv6-type type[/code]|typename ICMPv6, ICMPv6, (type) (code) ICMPv6, : ip6tables -p ipv6-icmp -h iprange IP-. [!] --src-range from[-to] - IP- . [!] --dst-range from[-to] - IP- . ipv6header ( IPv6) IPv6 / . --soft - (any) , --header. [!] --header header[,header...] - . , ESP, . header : hop|hop-by-hop . dst . route . frag . auth . esp . none , 59 " " ('Next Header field') IPv6 IPv6. prot - . /etc/protocols . 255 prot. ipvs IPVS. [!] --ipvs IPVS. --ipvs ( , . . "!"). [!] --vproto protocol VIP; , "tcp". [!] --vaddr address[/mask] VIP. [!] --vport port VIP; , , "http". --vdir {ORIGINAL|REPLY} . [!] 
--vmethod {GATE|IPIP|MASQ} IPVS. [!] --vportctl port VIP , , 21 FTP. length 3- (, 4- ) . [!] --length length[:length] limit (.. 1 - 1 , 2 - 2 ). , , , - . , , LOG . xt_limit - -m hashlimit ! --hashlimit rate --hashlimit-mode. --limit rate[/second|/minute|/hour|/day] . "second" (), "minute" (), "hour" () "day" (). : 3/hour (3 /). --limit-burst number - () . , , . : 5 . . : Oskar Andreasson. "Iptables Tutorial 1.2.2", 2001-2006, (https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html) Oskar Andreasson. "Iptables Tutorial 1.1.19", 2001-2003. . . mac [!] --mac-source address - MAC- . XX:XX:XX:XX:XX:XX. , , Ethernet PREROUTING, FORWARD INPUT. mark netfilter, ( MARK, ). [!] --mark value[/mask] - (value) ( (mask), , ). mh ( IPv6) , "--protocol ipv6-mh" "--protocol mh". : [!] --mh-type type[:type] (MH), MH MH, : ip6tables -p mh -h multiport . 15 . (port:port) . :: tcp, udp, udplite, dccp and sctp. [!] --source-ports,--sports port[,port|,port:port]... - . --sports . , . , 53,1024:65535 , 53 1024 65535. [!] --destination-ports,--dports port[,port|,port:port]... - . --dports . [!] --ports port[,port|,port:port]... - . nfacct nfacct iptables. nfacct(8). , , : --nfacct-name name , , . , , : nfacct add http-traffic iptables: iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic , : nfacct get http-traffic { pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic; nfacct(8) http://www.netfilter.org , , git.netfilter.org. osf osf . ( , MSS, , TTL, DF ) SYN. [!] --genre string - . --ttl level TTL , . (level) : o 0 - (IP- TTL- ). . o 1 - , TTL- IP, . . o 2 - TTL. --log level dmesg, . ( level) : o 0 - . o 1 - . o 2 - . - : Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4 nfnl_osf. 
: nfnl_osf -f /usr/share/xtables/pf.os : nfnl_osf -f /usr/share/xtables/pf.os -d http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os. owner ; . OUTPUT POSTROUTING. . , . [!] --uid-owner username [!] --uid-owner userid[-userid] - ( ) . UID UID. [!] --gid-owner groupname [!] --gid-owner groupid[-groupid] - . GID GID. --suppl-groups , (), --gid-owner, . [!] --socket-exists - . physdev , , . , IP- 2.5.44. [!] --physdev-in name , ( , INPUT, FORWARD PREROUTING). "+", , . "!", . [!] --physdev-out name , ( , FORWARD POSTROUTING). "+", , , . [!] --physdev-is-in - . [!] --physdev-is-out - . [!] --physdev-is-bridged - , , . FORWARD POSTROUTING. pkttype . [!] --pkt-type {unicast|broadcast|multicast} policy , IPSec . --dir {in|out} , , . (in) PREROUTING, INPUT FORWARD, (in) POSTROUTING, OUTPUT FORWARD. --pol {none|ipsec} "--pol ipsec" - IPSec. --pol none --strict. --strict - , - . . --strict, . [!] --reqid id . setkey(8) , ,unique:id. [!] --spi spi - SPI SA. [!] --proto {ah|esp|ipcomp} - . [!] --mode {tunnel|transport} - . [!] --tunnel-src addr[/mask] - , SA, . , "tunnel", .. --mode tunnel. [!] --tunnel-dst addr[/mask] - , SA, . , "tunnel", .. --mode tunnel. --next . --strict. quota . , . (.. , ). [!] --quota bytes (quota) . rateest , RATEEST. : bps/pps, . : o rateest operator rateest-bps o rateest operator rateest-pps o (rateest minus rateest-bps1) operator rateest-bps2 o (rateest minus rateest-pps1) operator rateest-pps2 o rateest1 operator rateest2 rateest-bps(without rate!) o rateest1 operator rateest2 rateest-pps(without rate!) o (rateest1 minus rateest-bps1) operator (rateest2 minus rateest-bps2) o (rateest1 minus rateest-pps1) operator (rateest2 minus rateest-pps2) --rateest-delta ( ) , , BPS/PPS. BPS/PPS, 0. , "max(0, rateest#_rate - rateest#_bps)". [!] --rateest-lt - /. [!] --rateest-gt - /. [!] --rateest-eq Match if rate is equal to given rate/estimator. " " (); " " . --rateest name . --rateest1 name --rateest2 name . 
--rateest-bps [value] --rateest-pps [value] --rateest-bps1 [value] --rateest-bps2 [value] --rateest-pps1 [value] --rateest-pps2 [value] . , . : , [kmgt], [KMGT]ibit, /, [KMGT]/, [KMGT]iBps. : FTP- : # : iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 --rateest-interval 250ms --rateest-ewma 0.5s iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 --rateest-interval 250ms --rateest-ewma 0.5s # : iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1 iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit --rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2 iptables -t mangle -A balance -j CONNMARK --restore-mark realm ( IPv4) . , , , BGP. [!] --realm value[/mask] (, , ). , /etc/iproute2/rt_realms ( ). , , , ( "0x") ( ) . recent IP-, . , , 139 , , . , , 139 , , . --set, --rcheck, --update --remove . --name name IP-. , DEFAULT. [!] --set . , . "success" () , !, "failure" (). --rsource - / . . --rdest - / . --mask netmask , . [!] --rcheck , . [!] --update , --rcheck, , " ", . [!] --remove , , , , "true" (). , "false" (). --seconds seconds --rcheck --update. , , . --reap --seconds. , . --hitcount hits --rcheck --update. , , , . --seconds , . --hitcount "ip_pkt_list_tot" xt_recent. . --rttl --rcheck --update. , , , TTL TTL , --set. , , , , , . : iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP /proc/net/xt_recent/* - . /proc/net/xt_recent/ , , : echo +addr >/proc/net/xt_recent/DEFAULT addr - addr DEFAULT echo -addr >/proc/net/xt_recent/DEFAULT addr DEFAULT echo / >/proc/net/xt_recent/DEFAULT DEFAULT ( ). , : ip_list_tot=100 . ip_pkt_list_tot=20 . 
ip_list_hash_size=0 -. 0 ip_list_tot, : 512. ip_list_perms=0644 /proc/net/xt_recent/*. ip_list_uid=0 /proc/net/xt_recent/*. ip_list_gid=0 /proc/net/xt_recent/*. rpfilter - , , . , , rp_filter, , IPSec, . , . , , , . PREROUTING raw mangle. --loose , , . --validmark nfmark . --accept-local , , , . --invert - , . , : iptables -t raw -N RPFILTER iptables -t raw -A RPFILTER -m rpfilter -j RETURN iptables -t raw -A RPFILTER -m limit --limit 10/minute -j NFLOG --nflog-prefix "rpfilter drop" iptables -t raw -A RPFILTER -j DROP iptables -t raw -A PREROUTING -j RPFILTER : iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP rt ( IPv6) IPv6 . [!] --rt-type type (). [!] --rt-segsleft num[:num] " " (). [!] --rt-len length . --rt-0-res (type=0). --rt-0-addrs addr[,addr...] - =0 . --rt-0-not-strict =0 . sctp . [!] --source-port,--sport port[:port] [!] --destination-port,--dport port[:port] [!] --chunk-types {all|any|only} chunktype[:flags] [...] , ; , . : all - . any - - . only - . : DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN DATA I U B E i u b e I_DATA I U B E i u b e ABORT T t SHUTDOWN_COMPLETE T t ( , "off", "on".) : iptables -A INPUT -p sctp --dport 80 -j DROP iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT set IP-, ipset(8). [!] --match-set setname flag[,flag]... - src / dst; . iptables -A FORWARD -m set --match-set test src,dst , ( - ipportmap) . , , ipmap, , . --return-nomatch --return-nomatch nomatch, : , nomatch, true, false. ! --update-counters --update-counters , . . ! --update-subcounters --update-subcounters , . . [!] --packets-eq value , , . --packets-lt value , , . --packets-gt value , , . [!] --bytes-eq value , , . --bytes-lt value , , . --bytes-gt value , , . , , , . --match-set --set . -m set , ipset. Linux 2.6.39. 
socket TCP/UDP . - (, ). packet TCP/UDP embedded TCP/UDP, ICMP/ICMPv6. --transparent . --nowildcard , "" . , , , , . , , . -, , --transparent. ( , 1 ): -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1 --restore-skmark . --transparent --nowildcard, . : 2 (IP_TRANSPARENT) SO_MARK. : -t mangle -I PREROUTING -m socket --transparent --restore-skmark -j action -t mangle -A action -m mark --mark 10 -j action2 -t mangle -A action -m mark --mark 11 -j action3 state "state" "conntrack". "state" . [!] --state state state - , . , "conntrack": INVALID, ESTABLISHED, NEW, RELATED UNTRACKED. "conntrack". statistic . , --mode. : --mode mode . : random nth. [!] --probability p . random. p 0,0 1,0. - 1/2147483648. [!] --every n n- . nth ( --packet). --packet p (0 <= p <= n-1, 0) nth. string , . Linux >2.6.14. --algo {bm|kmp} : bm = Boyer-Moore, kmp = Knuth-Morris-Pratt. --from offset , . , 0. --to offset , . offset-1 ( 0) , . , , , . [!] --string pattern . [!] --hex-string pattern . --icase . : # : iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG # , , |0D 0A| |0D0A|: iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|' : Boyer-Moore (BM) , , , , . , , -- (KMP). : , . , , NIDS , , , KMP. , , , , , (QoS) - , BM. tcp , "--protocol tcp". : [!] --source-port,--sport port[:port] [!] --source-port,--sport port[:port] - . , . first:last. , "0"; , "65535". --sport . [!] --destination-port,--dport port[:port] [!] --destination-port,--dport port[:port] - . --dport . [!] --tcp-flags mask comp - , TCP . , mask - , , , , comp - , . : SYN ACK FIN RST URG PSH ALL NONE. iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN SYN ACK, FIN RST . [!] --syn - SYN ACK, RST FIN. TCP; , , , TCP-, TCP- . --tcp-flags SYN,RST,ACK,FIN SYN. "--syn", "!", . [!] --tcp-option number - , TCP. tcpmss MSS ( ) TCP. SYN TCP SYN/ACK, MSS TCP. [!] --mss value[:value] - MSS TCP. , value () . 
time - , / (time/date) . , . UTC. --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] , ISO 8601 "T". : 1970-01-01T00:00:00 2038-01-19T04:17:07. --datestart --datestop, , , 1970-01-01 2038-01-19, . --timestart hh:mm[:ss] --timestop hh:mm[:ss] - . - 00:00:00 23:59:59. (, "06:03"), . [!] --monthdays day[,day...] - . 1 31. , 31, , 31- ; 28- 29- . [!] --weekdays day[,day...] - . : Mon, Tue, Wed, Thu, Fri, Sat, Sun 1 7, . (Mo, Tu ..). --contiguous --timestop --timestart, , . . --kerneltz UTC . : Linux UTC. . , (x86 CMOS RTC) UTC. , UTC, , . - ( ). , TZ. . TZ , UTC, , date(1), . TZ , . , , UTC, FAT, UTC ( ). , , , Linux . , , , - . ntpd , . , , +0000, , . , using --kerneltz . . , : -m time --weekdays Sa,Su , ( ) , : -m time --datestart 2007-12-24 --datestop 2007-12-27 , , : -m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59 : -m time --timestart 12:30 --timestop 13:30 : -m time --weekdays Fr --monthdays 22,23,24,25,26,27,28 , . " " . . , , , . , -m time --weekdays Mo --timestart 23:00 --timestop 01:00 00:00 01:00 , , 23:00 . , , " , 23:00 ", --contiguous. tos 8- IPv4 (. . "") ( 8-) IPv6. [!] --tos value[/mask] - TOS. , , TOS. [!] --tos symbol tos IPv4. , iptables -m tos -h. : 0x3F, , ECN. ttl ( IPv4) (time to live) IP. [!] --ttl-eq ttl - TTL. --ttl-gt ttl - , TTL TTL. --ttl-lt ttl - , TTL TTL. u32 , - , ( - 4 ). , - tcp . [!] --u32 tests "tests" , . tests := location "=" value | tests "&&" location "=" value value := range | value "," range range := number | number ":" number (number), n, , n:n, n:m , >=n <=m. location := number | location operator number operator := "&" | "<<" | ">>" | "@" &, <<, >> && , C. = , "value . "@" - , . : * 10 "=" ( "&&"s) (argument) u32; * 10 ( 9 ) value (); * 10 ( 9 ) (location). , , . : A - char * - IP . B C - 32- , - . 
: number B = number; C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3) &number C = C & number << number C = C << number >> number C = C >> number @number A = A + C; : [skb->data,skb->end] . C. , . , , - , , . , : : - IP >= 256. IP 2-3 . --u32 "0 & 0xFFFF = 0x100:0xFFFF" read bytes 0-3 AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range [0x100:0xFFFF] ( , , ): - ICMP 0. , - ICMP; true (), 9 () = 1 --u32 "6 & 0xFF = 1 && ... 6-9 & ( ), 6-8 1. , ( , , ). : , - IP-. , 6 6 7 0. , , 5 6. ... 4 & 0x3FFF = 0 && ... : IP ( - ) 0. "@". IP- (IHL) 32- 0 IP-. ... 0 >> 22 & 0x3C @ 0 >> 24 = 0" 0 0-3, >>22 22 . 24 , 22 - . &3C . , IHL=5, IP- 20 (4 x 5). 0-1 ( ) xxxx0101yyzzzzzz, >>22 10- xxxx0101yy, &3C 010100. @ . 4 ICMP, 0 ICMP. 24 , , 0. : : TCP 8-12 ( 1, 2, 5 8). , TCP ( ICMP): --u32 "6 & 0xFF = 6 && ... , ( ): ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8" 0>>22&3C, , IP. @ , TCP. TCP ( 32- ) 12 TCP. 12>>26&3C ( IP). "@" , TCP. , 8 8-12 , = , 1, 2, 5 8. udp , "--protocol udp". : [!] --source-port,--sport port[:port] . --source-port TCP. [!] --destination-port,--dport port[:port] . --destination-port TCP. iptables . AUDIT , . , . auditd(8). --type {accept|drop|reject} . linux-4.12, . - iptables, , . : iptables -N AUDIT_DROP iptables -A AUDIT_DROP -j AUDIT iptables -A AUDIT_DROP -j DROP CHECKSUM . mangle. --checksum-fill , . , , dhcp-, , . CLASSIFY skb-> CBQ. --set-class major:minor major minor. , 0x . CLUSTERIP ( IPv4) , IP MAC-, . . , , CLUSTERIP cluster, IPv4. --new IP- . . --hashmode mode . : sourceip, sourceip-sourceport, sourceip-sourceport-destport. --clustermac mac MAC- . . --total-nodes num . --local-node num . --hash-init rnd , . CONNMARK netfilter, . 32 . : --set-xmark value[/mask] mask value ctmark. --save-mark [--nfmask nfmask] [--ctmask ctmask] (nfmark) (ctmark), . ctmark : ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) ..ctmask, , nfmask nfmark ctmark. ctmask nfmask 0xFFFFFFFF. 
--restore-mark [--nfmask nfmask] [--ctmask ctmask] (ctmark) (nfmark), . nfmark : nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask); .. nfmask , , ctmask ctmark nfmark. ctmask nfmask 0xFFFFFFFF. . : "&" - ; "~" - ; "^" - . --restore-mark mangle. --set-xmark : --and-mark bits "ctmark", bits ( --set-xmark 0/invbits, invbits - bits). --or-mark bits "ctmark", bits ( --set-xmark bits/bits). --xor-mark bits "ctmark", bits ( --set-xmark bits/0). --set-mark value[/mask] (mark) . (mask), , . --save-mark [--mask mask] nfmark ctmark. , . --restore-mark [--mask mask] ctmark nfmark. (mask), . mangle. CONNSECMARK ( ) ( ). , SECMARK, security ( , mangle). : --save , , . --restore , , . CT CT . CT "" ; ct conntrack. "raw". --notrack . --helper name (helper), name . , conntrack helper . --ctevents event[,...] . : new, related, destroy, reply, assured, protoinfo, helper, mark ( ctmark, nfmark), natseqinfo, secmark (ctsecmark). --expevents event[,...] . : new. --zone-orig {id|mark} , ORIGINAL, id . mark, nfmark. --zone-reply {id|mark} , REPLY, id . mark, nfmark. --zone {id|mark} id . id mark, nfmark. 0. . --timeout name - name. -, -, /proc/sys/net/netfilter/nf_conntrack_*_timeout_*. DNAT nat, PREROUTING OUTPUT, , . ; . : --to-destination [ipaddr[-ipaddr]][:port[-port[/baseport]]] IP- IP-. tcp, udp, dccp sctp, . , . IP- , . baseport, baseport . 4.18. baseport , /etc/services. --random ( >= 2.6.22). --persistent / . SAME. 2.6.29-rc2. IPv6 Linux >= 3.7. DNPT ( IPv6) IPv6, , IPv6 ( RFC 6296). mangle. nat . : --src-pfx [prefix/length] . --dst-pfx [prefix/length] . , SNPT. : ip6tables -t mangle -I POSTROUTING -s fd00::/64 -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64 ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64 , - IPv6: sysctl -w net.ipv6.conf.all.proxy_ndp=1 NOTRACK, . DSCP DSCP TOS IPv4. , mangle. --set-dscp value DSCP ( ). --set-dscp-class class DSCP DiffServ. ECN ( IPv4) ECN. 
mangle. --ecn-tcp-remove ECN TCP. , -p tcp. ( IPv6) Hop Limit IPv6. Hop Limit TTL IPv4. Hop Limit , . mangle. Hop Limit , ! --hl-set value Hop Limit "value". --hl-dec value Hop Limit "value". --hl-inc value Hop Limit "value". HMARK MARK, .. fwmark, . () , . ICMP . : --hmark-tuple tuple (tuple) : src - ( IPv4, IPv6), dst - ( IPv4, IPv6), sport - (TCP, UDP, UDPlite, SCTP, DCCP), dport - (TCP, UDP, UDPlite, SCTP, DCCP), spi - (AH, ESP) ct - conntrack. --hmark-mod value ( > 0) ( ). --hmark-offset value , . --hmark-tuple (prefixes) (masks): --hmark-src-prefix cidr CIDR. --hmark-dst-prefix cidr CIDR. --hmark-sport-mask value 16- . --hmark-dport-mask value 16- . --hmark-spi-mask value 32- spi. --hmark-proto-mask value 8- 4. --hmark-rnd value 32- . : iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j HMARK --hmark-tuple ct,src,dst,proto --hmark-offset 10000 --hmark-mod 10 --hmark-rnd 0xfeedcafe iptables -t mangle -A PREROUTING -j HMARK --hmark-offset 10000 --hmark-tuple src,dst,proto --hmark-mod 10 --hmark-rnd 0xdeafbeef IDLETIMER . , . - ( ) . , , - . sysfs . , . xt_idletimer: /sys/class/xt_idletimer/timers/