In this section, we will attempt to explain the usage of new netfilter targets. The patches will appear in alphabetical order. Additionally, we will not explain patches that break other patches. But this might come later.
Generally speaking, for targets, you can get the help hints from a particular module by typing :
# iptables -j THE_TARGET_YOU_WANT --help
This would display the normal iptables help message, plus the specific ``THE_TARGET_YOU_WANT'' target help message at the end.
This patch by Matthew G. Marsh <[email protected]> adds a new target that allows you to set the TOS of packets to an arbitrary value.
For example, if you want to set the TOS of all the outgoing packets to be 15, you can do as follows :
# iptables -t mangle -A OUTPUT -j FTOS --set-ftos 15
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
FTOS all -- anywhere anywhere TOS set 0x0f
Supported options for the FTOS target are :
-> Set TOS field in packet header to value. This value can be in decimal (ex: 32)
or in hex (ex: 0x20)
This patch by Fabrice MARIE <[email protected]> adds a new target that allows you to strip all the IP options from an IPv4 packet.
It's simpled loaded as follows :
# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
# iptables -t mangle --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
IPV4OPTSSTRIP all -- anywhere anywhere
This target doesn't support any option.
This patch by Gianni Tedesco <[email protected]> adds a new target that allows you to send dropped packets to userspace via a netlink socket.
For example, if you want to drop all pings and send them to a userland netlink socket instead, you can do as follows :
# iptables -A INPUT -p icmp --icmp-type echo-request -j NETLINK --nldrop
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
NETLINK icmp -- anywhere anywhere icmp echo-request nldrop
Supported options for the NETLINK target are :
-> Drop the packet too
-> Mark the packet
-> Limit packet size
For more information on netlink sockets, you can refer to the Netlink Sockets Tour.
This patch by Svenning Soerensen <[email protected]> adds a new target that allows you create a static 1:1 mapping of the network address, while keeping host addresses intact.
For example, if you want to alter the destination of incoming connections from 1.2.3.0/24 to 5.6.7.0/24, you can do as follows :
# iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24
# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NETMAP all -- anywhere 1.2.3.0/24 5.6.7.0/24
Supported options for NETMAP target are :
-> Network address to map to.
This patch by C�dric de Launois <[email protected]> adds a new target which allows you to setup unusual routes not supported by the standard kernel routing table. The ROUTE target lets you route a received packet through an interface or towards a host, even if the regular destination of the packet is the router itself. The ROUTE target is also able to change the incoming interface of a packet. Packets are directly put on the wire and do not traverse any other table.
This target does not modify the packets and is a final target. It has to be used inside the mangle table.
Whenever possible, you should use the MARK target together with iproute2 instead of this ROUTE target. However, this target is useful to force the use of an interface or a next hop and to change the incoming interface of a packet. People also use it for easiness and to simplify their rules (one rule to route a packet is easier that one MARK rule + one iproute2 rule).
Options supported by the ROUTE target are :
Send the packet out using `ifname' network interface. The destination host must be on the same link or the interface must be a tunnel. Otherwise, arp resolution cannot be performed and the packet is dropped.
Change the packet's incoming interface to `ifname'.
Route the packet via this gateway. The packet is routed as if its destination IP address was this ip.
For example, assume that you want to redirect ssh packets towards a server inside your network, without modifying those packets in any way (this excludes the use of the standard port forwarding mechanism). A solution is to use an ipip tunnel and the ROUTE target to reroute ssh packets to the real ssh server, which has the same IP address as the router. It is not possible to reroute those packets using the standard routing mechanisms, because the kernel locally delivers a packet having a destination address belonging to the router itself.
Time for ASCII art :
eth0 +------+ 192.168.0.1 192.168.0.2 +----+
----------------|router|--------------------------------|host|
IP: 150.150.0.1 +------+ +----+
| | tunl1 IP: 150.150.0.1 | |
| +------------------------------------+ |
+----------------------------------------+
IPIP tunnel
For the example above, you can do as follows :
# iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j ROUTE --oif tunl1
# iptables -A PREROUTING -t mangle -i tunl1 -j ROUTE --oif eth0
# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ROUTE tcp -- anywhere anywhere tcp dpt:ssh ROUTE oif tunl1
ROUTE all -- anywhere anywhere ROUTE oif eth0
Another example : if you want to quickly and easily balance the load between two gateways 10.0.0.1 and 10.0.0.2, then you can do as follows :
# iptables -A PREROUTING -t mangle -m random --average 50 -j ROUTE --gw 10.0.0.1
# iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.2
# iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ROUTE all -- anywhere anywhere random 50% ROUTE gw 10.0.0.1
ROUTE all -- anywhere anywhere ROUTE gw 10.0.0.2
This patch by Martin Josefsson <[email protected]> adds a new target which is similar to SNAT and will gives a client the same address for each connection.
For example, if you want to modify the source address of the connections to be 1.2.3.4-1.2.3.7 you can do as follows :
# iptables -t nat -A POSTROUTING -j SAME --to 1.2.3.4-1.2.3.7
# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SAME all -- anywhere anywhere same:1.2.3.4-1.2.3.7
Options supported by the SAME target are :
-> Addresses to map source to. May be specified more than once for multiple ranges.
-> Don't use destination-ip in source selection
This patch by Marc Boucher <[email protected]> adds a new target that allows you to examine and alter the MSS value of TCP SYN packets, to control the maximum size for that connection.
As explained by Marc himself, THIS IS A HACK, used to overcome criminally brain-dead ISPs or servers which block ICMP Fragmentation Needed packets.
Typical usage would be :
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Options supported by the tcp-MSS target are (mutually-exclusive) :
explicitly set MSS option to specified value
automatically clamp MSS value to (path_MTU - 40)
This patch by Harald Welte <[email protected]> adds a new target that enables the user to set the TTL value of an IP packet or to increment/decrement it by a given value.
For example, if you want to set the TTL of all outgoing connections to 126, you can do as follows :
# iptables -t mangle -A OUTPUT -j TTL --ttl-set 126
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TTL all -- anywhere anywhere TTL set to 126
Supported options for the TTL target are :
-> Set TTL to <value>
-> Decrement TTL by <value>
-> Increment TTL by <value>
This patch by Harald Welte <[email protected]> adds a new target which supplies a more advanced packet logging mechanism than the standard LOG target. The `libipulog/' contains a library for receiving the ULOG messages.
Harald maintains a web page containing the proper documentation for ULOG, so there is no point for me to explain this here..
This patch by Tim Vandermeersch <[email protected]> adds a new target that enables the user to encrypt TCP and UDP traffic using a simple xor encryption.
For example, if you want to encrypt all TCP and UDP traffic between host A and host B, you can do as follows :
(on host A, 1.2.3.4)
# iptables -t mangle -A OUTPUT -d 1.2.3.5 -j XOR --key somekey --block-size 3
# iptables -t mangle -A INPUT -s 1.2.3.4 -j XOR --key somekey --block-size 3
# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
XOR all -- anywhere 1.2.3.5 key: somekey block-size: 3
XOR all -- 1.2.3.5 anywhere key: somekey block-size: 3
(on host B, 1.2.3.5)
# iptables -t mangle -A OUTPUT -d 1.2.3.4 -j XOR --key somekey --block-size 3
# iptables -t mangle -A INPUT -s 1.2.3.5 -j XOR --key somekey --block-size 3
# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
XOR all -- anywhere 1.2.3.4 key: somekey block-size: 3
XOR all -- 1.2.3.4 anywhere key: somekey block-size: 3
Supported options for the TTL target are :
Set the encryption key
Specify the block size