drop

Drop connections specified by the filter using the DROP iptables target. deny is a synonym for drop.

Syntax

drop help | { [table TABLE] [action ACTION] CHAIN [FILTER] }
deny help | { [table TABLE] [action ACTION] CHAIN [FILTER] }

TABLE := iptables table name: filter, nat or mangle.

Default: filter


ACTION := insert | append | delete

Change the default action defined in the file /etc/flex-fw/vars/base/action (usually append)


CHAIN := input | output | forward | prerouting | postrouting | chain IPTABLES_CHAIN

Define the flex-fw chain to which new rules are added. The postrouting and prerouting chains can be used only with the nat or mangle tables. See man iptables for details.


FILTER := [FROM] [TO] [proto PROTO] [state STATE]


FROM := { [in-if IFACE] [src IPADDR] } | from ZONE

Source part of filter.


TO := { [out-if IFACE] [dst IPADDR] } | to ZONE

Destination part of filter.


PROTO := any | { tcp [SOURCE_PORT] [DESTINATION_PORT] } | { udp [SOURCE_PORT] [DESTINATION_PORT] } | PROTO_NUMBER

Network protocol and its related parameters (ports for TCP and UDP).


STATE := new | established | related

State of connections.

Default: new


IFACE := any | INTERFACE_NAME

Network interface name. any is a synonym for +.


IPADDR := any | IPv4_ADDRESS

IPv4 host or network address. For example: 192.168.0.12, 192.168.0.0/16. any is a synonym for 0.0.0.0/0.


ZONE := name of zone described in the file /etc/flex-fw/zones/zonename

The zonename file contains one interface name and one IPv4 address per line, separated by spaces. See zones for details.


SOURCE_PORT := sport PORT | sports PORT,PORT,...

Source port(s) for TCP or UDP protocol.


DESTINATION_PORT := dport PORT | dports PORT,PORT,...

Destination port(s) for TCP or UDP protocol.


PORT := any | priv | unpriv | PORT_NUMBER | PORT_NUMBER1:PORT_NUMBER2

Port of the TCP or UDP protocol. any is equivalent to 0:65535, priv to 0:1023 and unpriv to 1024:65535.


PROTO_NUMBER := any numeric protocol value as specified in /etc/protocols.

Examples

Drop incoming TCP connections to SSH

drop input src any proto tcp dport ssh

Drop transit connections to the web server. The variable ipWebServer should be defined somewhere in /etc/flex-fw/vars/.

drop forward src any dst $ipWebServer proto icmp
drop forward src any dst $ipWebServer proto tcp sport unpriv dports 8080,8888

Drop transit connections from the Internet to the LAN. The zone zoneLAN should be defined in the file /etc/flex-fw/zones/zoneLAN.

drop forward from zoneINET to zoneLAN
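The mapping from the grammar above to iptables, written out as an added shell function for reference; this is not flex-fw's own code. The exact flags emitted (the multiport and conntrack matches, applying the state default new to every rule) are assumptions, and zone expansion (from/to ZONE) is deliberately left out; the function only prints the command instead of running it.

```shell
#!/bin/sh
# Translate one flex-fw "drop" line into the iptables command it corresponds to.
# Hypothetical reference translation: reproduces the documented synonyms
# (any, priv, unpriv), the table/action defaults and the chain/table rule.

port_spec() {          # map PORT keywords to iptables port ranges
  case "$1" in
    any) echo 0:65535 ;;  priv) echo 0:1023 ;;  unpriv) echo 1024:65535 ;;
    *) echo "$1" ;;
  esac
}

flexfw_drop() {        # usage: flexfw_drop [table T] [action A] CHAIN [FILTER]
  table=filter; action=A; chain=; match=; state=new
  while [ $# -gt 0 ]; do
    case "$1" in
      table)  table=$2; shift ;;
      action) case "$2" in insert) action=I ;; append) action=A ;; delete) action=D ;;
                *) echo "bad action: $2" >&2; return 1 ;; esac; shift ;;
      input|output|forward|prerouting|postrouting)
              chain=$(echo "$1" | tr '[:lower:]' '[:upper:]') ;;
      chain)  chain=$2; shift ;;
      in-if)  [ "$2" = any ] || match="$match -i $2"; shift ;;    # any == "+"
      out-if) [ "$2" = any ] || match="$match -o $2"; shift ;;
      src)    [ "$2" = any ] || match="$match -s $2"; shift ;;    # any == 0.0.0.0/0
      dst)    [ "$2" = any ] || match="$match -d $2"; shift ;;
      proto)  [ "$2" = any ] || match="$match -p $2"; shift ;;
      state)  state=$2; shift ;;
      sport|dport)   match="$match --$1 $(port_spec "$2")"; shift ;;
      sports|dports) match="$match -m multiport --$1 $2"; shift ;;
      from|to) echo "zone expansion not handled here: $1 $2" >&2; return 1 ;;
      *)      echo "unknown token: $1" >&2; return 1 ;;
    esac
    shift
  done
  [ -n "$chain" ] || { echo "CHAIN is required" >&2; return 1; }
  # prerouting/postrouting exist only in the nat and mangle tables
  case "$chain" in PREROUTING|POSTROUTING)
    [ "$table" != filter ] || { echo "$chain needs nat or mangle" >&2; return 1; } ;;
  esac
  state=$(echo "$state" | tr '[:lower:]' '[:upper:]')
  echo "iptables -t $table -$action $chain$match -m conntrack --ctstate $state -j DROP"
}

flexfw_drop input src any proto tcp dport ssh
```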

Copyright (C) 2014 Vitalii Druzhinin
aka VitalShell