flex-fw


iptables

Run an iptables command adapted for the flex-fw environment

Syntax

iptables help | { { [table TABLE] [action ACTION] CHAIN [FILTER] RESTRICTED_IPTABLES_ARGS } | ANY_IPTABLES_ARGS

TABLE := iptables table name: filter, nat or mangle.

Default: filter


ACTION := insert | append | delete

Change the default action defined in the file /etc/flex-fw/vars/base/action (usually append)


CHAIN := input | output | forward | prerouting | postrouting | chain IPTABLES_CHAIN

Define flex-fw chain for adding new rules. The postrouting and prerouting can be used only with nat or mangle tables. See man iptables for details.


FILTER := [FROM] [TO] [proto PROTO] [state STATE]


RESTRICTED_IPTABLES_ARGS := any valid iptables args beginning with a dash, excluding added by the used TABLE, ACTION, CHAIN or FILTER options.


ANY_IPTABLES_ARGS := any valid iptables args beginning with a dash


FROM := { [in-if IFACE] [src IPADDR] } | from ZONE

Source part of filter.


TO := { [out-if IFACE] [dst IPADDR] } | to ZONE

Destination part of filter.


PROTO := any | { tcp [SOURCE_PORT] [DESTINATION_PORT] } | { udp [SOURCE_PORT] [DESTINATION_PORT] } | PROTO_NUMBER

Network protocol and some related info.


STATE := new | established | related

State of connections.

Default: new


IFACE := any | INTERFACE_NAME

Network interface name. any is a synonym for +.


IPADDR := any | IPv4_ADDRESS

IPv4 host or network address. For example: 192.168.0.12, 192.168.0.0/16. any is a synonym for 0.0.0.0/0.


ZONE := name of zone described in the file /etc/flex-fw/zones/zonename

The zonename file contains lines with interface name and IPv4 address per each line and divided by spaces. Look to zones for details.


SOURCE_PORT := sport PORT | sports PORT,PORT,...

Source port(s) for TCP or UDP protocol.


DESTINATION_PORT := dport PORT | dports PORT,PORT,...

Destination port(s) for TCP or UDP protocol.


PORT := any | priv | unpriv | PORT_NUMBER | PORT_NUMBER1:PORT_NUMBER2

Port of TCP or UDP protocol. any is equal 0:65535. priv is equal 0:1023. unpriv is equal 1024:65535.


PROTO_NUMBER := any the numeric value as specified in /etc/protocols.

Examples

Add a new custom chain

iptables --new-chain MAC_FILTER

Add rules to the custome chain

iptables chain MAC_FILTER proto tcp -m mac --mac-source 00:FA:34:DF:22:34 -j DROP
iptables chain MAC_FILTER proto udp -m mac --mac-source 00:FA:34:DF:22:35 -j DROP
iptables chain MAC_FILTER -j RETURN

Add redirect to the new chain from the standard INPUTchain

iptables input -j MAC_FILTER

Add rules to fix MSS

iptables table mangle forward proto tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1396

Copyright (C) 2014 Vitalii Druzhinin
aka VitalShell