In this section, we will attempt to explain the usage of new netfilter targets. The patches will appear in alphabetical order. Additionally, we will not explain patches that break other patches. But this might come later.
Generally speaking, for targets, you can get the help hints from a particular module by typing :
# iptables -j THE_TARGET_YOU_WANT --help
This would display the normal iptables help message, plus the specific ``THE_TARGET_YOU_WANT'' target help message at the end.
This patch by Matthew G. Marsh <mgm@paktronix.com> adds a new target that allows you to set the TOS of packets to an arbitrary value.
For example, if you want to set the TOS of all the outgoing packets to be 15, you can do as follows :
# iptables -t mangle -A OUTPUT -j FTOS --set-ftos 15
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
FTOS all -- anywhere anywhere TOS set 0x0f
Supported options for the FTOS target are :
-> Set TOS field in packet header to value. This value can be in decimal (ex: 32)
or in hex (ex: 0x20)
This patch by Fabrice MARIE <fabrice@netfilter.org> adds a new target that allows you to strip all the IP options from an IPv4 packet.
It's simpled loaded as follows :
# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
# iptables -t mangle --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
IPV4OPTSSTRIP all -- anywhere anywhere
This target doesn't support any option.
This patch by Gianni Tedesco <gianni@ecsc.co.uk> adds a new target that allows you to send dropped packets to userspace via a netlink socket.
For example, if you want to drop all pings and send them to a userland netlink socket instead, you can do as follows :
# iptables -A INPUT -p icmp --icmp-type echo-request -j NETLINK --nldrop
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
NETLINK icmp -- anywhere anywhere icmp echo-request nldrop
Supported options for the NETLINK target are :
-> Drop the packet too
-> Mark the packet
-> Limit packet size
For more information on netlink sockets, you can refer to the Netlink Sockets Tour.
This patch by Svenning Soerensen <svenning@post5.tele.dk> adds a new target that allows you create a static 1:1 mapping of the network address, while keeping host addresses intact.
For example, if you want to alter the destination of incoming connections from 1.2.3.0/24 to 5.6.7.0/24, you can do as follows :
# iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24
# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NETMAP all -- anywhere 1.2.3.0/24 5.6.7.0/24
Supported options for NETMAP target are :
-> Network address to map to.
This patch by Cédric de Launois <delaunois@info.ucl.ac.be> adds a new target which enables you to setup unusual routes. For example, the ROUTE target lets you route a received packet through an interface or towards a host, even if the regular destination of the packet is the router itself. The ROUTE target is also able to change the incoming interface of a packet.
The target does not modify the packets, and can be or not a final target. It has to be used inside the mangle table.
Whenever possible, you should use the MARK target together with iproute2 instead of this ROUTE target. However, this target is useful to force the use of an interface or a next hop and to change the incoming interface of a packet. People also use it for easiness and to simplify their rules (one rule to route a packet is easier that one MARK rule + one iproute2 rule).
Options supported by the ROUTE target are :
Send the packet out using `ifname' network interface. The destination host must be on the same link or the interface must be a tunnel. Otherwise, arp resolution cannot be performed and the packet is dropped.
Change the packet's incoming interface to `ifname'.
Route the packet via this gateway. The packet is routed as if its destination IP address was `ip'.
Route the packet and continue traversing the rules.
Note that --iif and --continue options can't be used together.
For example, assume that you want to redirect ssh packets towards a server inside your network, without modifying those packets in any way (this excludes the use of the standard port forwarding mechanism). A solution is to use an ipip tunnel and the ROUTE target to reroute ssh packets to the real ssh server, which has the same IP address as the router. It is not possible to reroute those packets using the standard routing mechanisms, because the kernel locally delivers a packet having a destination address belonging to the router itself.
Time for ASCII art :
eth0 +------+ 192.168.0.1 192.168.0.2 +----+
----------------|router|--------------------------------|host|
IP: 150.150.0.1 +------+ +----+
| | tunl1 IP: 150.150.0.1 | |
| +------------------------------------+ |
+----------------------------------------+
IPIP tunnel
For the example above, you can do as follows :
# iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j ROUTE --oif tunl1
# iptables -A PREROUTING -t mangle -i tunl1 -j ROUTE --oif eth0
# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ROUTE tcp -- anywhere anywhere tcp dpt:ssh ROUTE oif tunl1
ROUTE all -- anywhere anywhere ROUTE oif eth0
If you want to quickly and easily balance the load between two gateways 10.0.0.1 and 10.0.0.2, then you can do as follows :
# iptables -A PREROUTING -t mangle -m random --average 50 -j ROUTE --gw 10.0.0.1
# iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.2
# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ROUTE all -- anywhere anywhere random 50% ROUTE gw 10.0.0.1
ROUTE all -- anywhere anywhere ROUTE gw 10.0.0.2
The teql per-packet round-robin scheduler is used to aggregate the sending bandwidth on several slave interfaces; see the top of linux/net/sched/sch_teql.c for usage and caveats. [For Ethernet, the bonding driver is preferred.]
Per-packet scheduling is most useful when a single flow might exceed the bandwidth of the individual interfaces, as is commonly the case with T1 links.
Using WAN interfaces hdlc[0-3] on a 4 T1/E1 WAN card, one might do the following:
modprobe sch_teql
for i in 0 1 2 3
ip link set dev hdlc${i} up
sysctl -w net.ipv4.conf.hdlc${i}.rp_filter=0
tc qdisc add dev hdlc${i} root teql0
done
ip link set dev teql0 up
sysctl -w net.ipv4.conf.teql0.rp_filter=0
ip address add $IPADDR peer $REMIP dev teql0
ip route add default via $REMIP dev teql0
Since teql0 is a send-only interface, incoming packets appear on the slave hdlc* interfaces, and the usual caveats regarding asymmetric routing apply. E.g., Quagga OSPF implements its own reverse-path filtering neighbor logic; replies from peers that are received on the wrong interface are dropped.
The following rule causes all incoming packets on the hdlc* interfaces to appear to have been received on teql0:
iptables -t mangle -A PREROUTING -i hdlc\+ -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i hdlc\+ -j ROUTE --iif teql0
The TTL increment is required to avoid dropping packets, as multicast and broadcast packets are typically sent with TTL = 1. In this example, Quagga also sets TTL = 1 on packets that it sends to its peers.
This patch by Martin Josefsson <gandalf@wlug.westbo.se> adds a new target which is similar to SNAT and will gives a client the same address for each connection.
For example, if you want to modify the source address of the connections to be 1.2.3.4-1.2.3.7 you can do as follows :
# iptables -t nat -A POSTROUTING -j SAME --to 1.2.3.4-1.2.3.7
# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SAME all -- anywhere anywhere same:1.2.3.4-1.2.3.7
Options supported by the SAME target are :
-> Addresses to map source to. May be specified more than once for multiple ranges.
-> Don't use destination-ip in source selection
This patch by Marc Boucher <marc+nf@mbsi.ca> adds a new target that allows you to examine and alter the MSS value of TCP SYN packets, to control the maximum size for that connection.
As explained by Marc himself, THIS IS A HACK, used to overcome criminally brain-dead ISPs or servers which block ICMP Fragmentation Needed packets.
Typical usage would be :
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Options supported by the tcp-MSS target are (mutually-exclusive) :
explicitly set MSS option to specified value
automatically clamp MSS value to (path_MTU - 40)
This patch by Harald Welte <laforge@gnumonks.org> adds a new target that enables the user to set the TTL value of an IP packet or to increment/decrement it by a given value.
For example, if you want to set the TTL of all outgoing connections to 126, you can do as follows :
# iptables -t mangle -A OUTPUT -j TTL --ttl-set 126
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TTL all -- anywhere anywhere TTL set to 126
Supported options for the TTL target are :
-> Set TTL to <value>
-> Decrement TTL by <value>
-> Increment TTL by <value>
This patch by Harald Welte <laforge@gnumonks.org> adds a new target which supplies a more advanced packet logging mechanism than the standard LOG target. The `libipulog/' contains a library for receiving the ULOG messages.
Harald maintains a web page containing the proper documentation for ULOG, so there is no point for me to explain this here..
This patch by Tim Vandermeersch <Tim.Vandermeersch@pandora.be> adds a new target that enables the user to encrypt TCP and UDP traffic using a simple xor encryption.
For example, if you want to encrypt all TCP and UDP traffic between host A and host B, you can do as follows :
(on host A, 1.2.3.4)
# iptables -t mangle -A OUTPUT -d 1.2.3.5 -j XOR --key somekey --block-size 3
# iptables -t mangle -A INPUT -s 1.2.3.4 -j XOR --key somekey --block-size 3
# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
XOR all -- anywhere 1.2.3.5 key: somekey block-size: 3
XOR all -- 1.2.3.5 anywhere key: somekey block-size: 3
(on host B, 1.2.3.5)
# iptables -t mangle -A OUTPUT -d 1.2.3.4 -j XOR --key somekey --block-size 3
# iptables -t mangle -A INPUT -s 1.2.3.5 -j XOR --key somekey --block-size 3
# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
XOR all -- anywhere 1.2.3.4 key: somekey block-size: 3
XOR all -- 1.2.3.4 anywhere key: somekey block-size: 3
Supported options for the TTL target are :
Set the encryption key
Specify the block size