Next Previous Contents

4. New netfilter targets

In this section, we will attempt to explain the usage of new netfilter targets. The patches will appear in alphabetical order. Additionally, we will not explain patches that break other patches. But this might come later.

Generally speaking, for targets, you can get the help hints from a particular module by typing :

# iptables -j THE_TARGET_YOU_WANT --help

This would display the normal iptables help message, plus the specific ``THE_TARGET_YOU_WANT'' target help message at the end.

4.1 ftos patch

This patch by Matthew G. Marsh <mgm@paktronix.com> adds a new target that allows you to set the TOS of packets to an arbitrary value.

For example, if you want to set the TOS of all the outgoing packets to be 15, you can do as follows :

# iptables -t mangle -A OUTPUT -j FTOS --set-ftos 15

# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
FTOS       all  --  anywhere             anywhere           TOS set 0x0f 

Supported options for the FTOS target are :

--set-ftos value

-> Set TOS field in packet header to value. This value can be in decimal (ex: 32) or in hex (ex: 0x20)

4.2 IPV4OPTSSTRIP patch

This patch by Fabrice MARIE <fabrice@netfilter.org> adds a new target that allows you to strip all the IP options from an IPv4 packet.

It's simpled loaded as follows :

# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP

# iptables -t mangle --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
IPV4OPTSSTRIP  all  --  anywhere             anywhere

This target doesn't support any option.

4.3 NETLINK patch

This patch by Gianni Tedesco <gianni@ecsc.co.uk> adds a new target that allows you to send dropped packets to userspace via a netlink socket.

For example, if you want to drop all pings and send them to a userland netlink socket instead, you can do as follows :

# iptables -A INPUT -p icmp --icmp-type echo-request -j NETLINK --nldrop

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NETLINK    icmp --  anywhere             anywhere           icmp echo-request nldrop 

Supported options for the NETLINK target are :

--nldrop

-> Drop the packet too

--nlmark <number>

-> Mark the packet

--nlsize <bytes>

-> Limit packet size

For more information on netlink sockets, you can refer to the Netlink Sockets Tour.

4.4 NETMAP patch

This patch by Svenning Soerensen <svenning@post5.tele.dk> adds a new target that allows you create a static 1:1 mapping of the network address, while keeping host addresses intact.

For example, if you want to alter the destination of incoming connections from 1.2.3.0/24 to 5.6.7.0/24, you can do as follows :

# iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24

# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
NETMAP     all  --  anywhere             1.2.3.0/24         5.6.7.0/24

Supported options for NETMAP target are :

--to address[/mask]

-> Network address to map to.

4.5 ROUTE patch

This patch by Cédric de Launois <delaunois@info.ucl.ac.be> adds a new target which enables you to setup unusual routes. For example, the ROUTE target lets you route a received packet through an interface or towards a host, even if the regular destination of the packet is the router itself. The ROUTE target is also able to change the incoming interface of a packet.

The target does not modify the packets, and can be or not a final target. It has to be used inside the mangle table.

Whenever possible, you should use the MARK target together with iproute2 instead of this ROUTE target. However, this target is useful to force the use of an interface or a next hop and to change the incoming interface of a packet. People also use it for easiness and to simplify their rules (one rule to route a packet is easier that one MARK rule + one iproute2 rule).

Options supported by the ROUTE target are :

--oif ifname

Send the packet out using `ifname' network interface. The destination host must be on the same link or the interface must be a tunnel. Otherwise, arp resolution cannot be performed and the packet is dropped.

--iif ifname

Change the packet's incoming interface to `ifname'.

--gw ip

Route the packet via this gateway. The packet is routed as if its destination IP address was `ip'.

--continue

Route the packet and continue traversing the rules.

Note that --iif and --continue options can't be used together.

Example for --oif option

For example, assume that you want to redirect ssh packets towards a server inside your network, without modifying those packets in any way (this excludes the use of the standard port forwarding mechanism). A solution is to use an ipip tunnel and the ROUTE target to reroute ssh packets to the real ssh server, which has the same IP address as the router. It is not possible to reroute those packets using the standard routing mechanisms, because the kernel locally delivers a packet having a destination address belonging to the router itself.

Time for ASCII art :

              eth0  +------+ 192.168.0.1        192.168.0.2 +----+
    ----------------|router|--------------------------------|host|
    IP: 150.150.0.1 +------+                                +----+
                       | | tunl1              IP: 150.150.0.1 | |
                       | +------------------------------------+ |
                       +----------------------------------------+
                                      IPIP tunnel

For the example above, you can do as follows :

# iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j ROUTE --oif tunl1
# iptables -A PREROUTING -t mangle -i tunl1 -j ROUTE --oif eth0

# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
ROUTE      tcp  --  anywhere             anywhere           tcp dpt:ssh ROUTE oif tunl1
ROUTE      all  --  anywhere             anywhere           ROUTE oif eth0

Example for --gw option

If you want to quickly and easily balance the load between two gateways 10.0.0.1 and 10.0.0.2, then you can do as follows :

# iptables -A PREROUTING -t mangle -m random --average 50 -j ROUTE --gw 10.0.0.1
# iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.2

# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
ROUTE      all  --  anywhere             anywhere           random 50% ROUTE gw 10.0.0.1
ROUTE      all  --  anywhere             anywhere           ROUTE gw 10.0.0.2

Example for --iif option

The teql per-packet round-robin scheduler is used to aggregate the sending bandwidth on several slave interfaces; see the top of linux/net/sched/sch_teql.c for usage and caveats. [For Ethernet, the bonding driver is preferred.]

Per-packet scheduling is most useful when a single flow might exceed the bandwidth of the individual interfaces, as is commonly the case with T1 links.

Using WAN interfaces hdlc[0-3] on a 4 T1/E1 WAN card, one might do the following:

modprobe sch_teql
for i in 0 1 2 3
        ip link set dev hdlc${i} up
        sysctl -w net.ipv4.conf.hdlc${i}.rp_filter=0
        tc qdisc add dev hdlc${i} root teql0
done
ip link set dev teql0 up
sysctl -w net.ipv4.conf.teql0.rp_filter=0
ip address add $IPADDR peer $REMIP dev teql0
ip route add default via $REMIP dev teql0

Since teql0 is a send-only interface, incoming packets appear on the slave hdlc* interfaces, and the usual caveats regarding asymmetric routing apply. E.g., Quagga OSPF implements its own reverse-path filtering neighbor logic; replies from peers that are received on the wrong interface are dropped.

The following rule causes all incoming packets on the hdlc* interfaces to appear to have been received on teql0:

iptables -t mangle -A PREROUTING -i hdlc\+ -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i hdlc\+ -j ROUTE --iif teql0

The TTL increment is required to avoid dropping packets, as multicast and broadcast packets are typically sent with TTL = 1. In this example, Quagga also sets TTL = 1 on packets that it sends to its peers.

4.6 SAME patch

This patch by Martin Josefsson <gandalf@wlug.westbo.se> adds a new target which is similar to SNAT and will gives a client the same address for each connection.

For example, if you want to modify the source address of the connections to be 1.2.3.4-1.2.3.7 you can do as follows :

# iptables -t nat -A POSTROUTING -j SAME --to 1.2.3.4-1.2.3.7

# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SAME       all  --  anywhere             anywhere           same:1.2.3.4-1.2.3.7 

Options supported by the SAME target are :

--to <ipaddr>-<ipaddr>

-> Addresses to map source to. May be specified more than once for multiple ranges.

--nodst

-> Don't use destination-ip in source selection

4.7 tcp-MSS patch

This patch by Marc Boucher <marc+nf@mbsi.ca> adds a new target that allows you to examine and alter the MSS value of TCP SYN packets, to control the maximum size for that connection.

As explained by Marc himself, THIS IS A HACK, used to overcome criminally brain-dead ISPs or servers which block ICMP Fragmentation Needed packets.

Typical usage would be :

# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# iptables --list
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Options supported by the tcp-MSS target are (mutually-exclusive) :

--set-mss value

explicitly set MSS option to specified value

--clamp-mss-to-pmtu

automatically clamp MSS value to (path_MTU - 40)

4.8 TTL patch

This patch by Harald Welte <laforge@gnumonks.org> adds a new target that enables the user to set the TTL value of an IP packet or to increment/decrement it by a given value.

For example, if you want to set the TTL of all outgoing connections to 126, you can do as follows :

# iptables -t mangle -A OUTPUT -j TTL --ttl-set 126

# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
TTL        all  --  anywhere             anywhere           TTL set to 126 

Supported options for the TTL target are :

--ttl-set value

-> Set TTL to <value>

--ttl-dec value

-> Decrement TTL by <value>

--ttl-inc value

-> Increment TTL by <value>

4.9 ulog patch

This patch by Harald Welte <laforge@gnumonks.org> adds a new target which supplies a more advanced packet logging mechanism than the standard LOG target. The `libipulog/' contains a library for receiving the ULOG messages.

Harald maintains a web page containing the proper documentation for ULOG, so there is no point for me to explain this here..

4.10 XOR patch

This patch by Tim Vandermeersch <Tim.Vandermeersch@pandora.be> adds a new target that enables the user to encrypt TCP and UDP traffic using a simple xor encryption.

For example, if you want to encrypt all TCP and UDP traffic between host A and host B, you can do as follows :

(on host A, 1.2.3.4)
# iptables -t mangle -A OUTPUT -d 1.2.3.5 -j XOR --key somekey --block-size 3
# iptables -t mangle -A INPUT -s 1.2.3.4 -j XOR --key somekey --block-size 3

# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
XOR        all  --  anywhere             1.2.3.5            key: somekey block-size: 3
XOR        all  --  1.2.3.5              anywhere           key: somekey block-size: 3

(on host B, 1.2.3.5)
# iptables -t mangle -A OUTPUT -d 1.2.3.4 -j XOR --key somekey --block-size 3
# iptables -t mangle -A INPUT -s 1.2.3.5 -j XOR --key somekey --block-size 3

# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
XOR        all  --  anywhere             1.2.3.4            key: somekey block-size: 3
XOR        all  --  1.2.3.4              anywhere           key: somekey block-size: 3

Supported options for the TTL target are :

--key string

Set the encryption key

--block-size value

Specify the block size


Next Previous Contents