Examining packets on specific interfaces
For brevity, we'll now omit the -t filter option, as the filter table is the default when no table is named.
In each of these examples, we append some specific rules to our
named chain myrules:
- accept existing (established) connections, and traffic related to them, arriving over the external interface:

    iptables -A myrules -i $EXT -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
- permit (we say ACCEPT) new packet sequences if they have not come from the external interface (i.e. they are from the internal interface, or from local processes). Note that the negation is written before the option, `! -i`, which is the form current iptables versions accept:

    iptables -A myrules ! -i $EXT -m state --state NEW -j ACCEPT
- do not permit (we say DROP) new packets, or ones with invalid option bits in their headers (such as the XMAS port-scan), that arrive via the external interface. In addition, we log the details before the packet is dropped, since LOG is a non-terminating target and the packet continues to the next rule:

    iptables -A myrules -i $EXT -m state \
        --state NEW,INVALID -j LOG --log-prefix "dropped"
    iptables -A myrules -i $EXT -m state \
        --state NEW,INVALID -j DROP
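To see what each (interface, connection-state) pair actually hits in the myrules chain, here is a small first-match simulator of the four rules above. It is an added example, not code from the lecture; the interface names eth0 (external) and eth1 (internal) are assumed.

```python
from dataclasses import dataclass
from typing import Optional

EXT = "eth0"  # assumed external interface name (not from the slide)
INT = "eth1"  # assumed internal interface name


@dataclass(frozen=True)
class Rule:
    iface: Optional[str]   # -i value, None means "any interface"
    negate: bool           # True models "! -i"
    states: frozenset      # --state values
    target: str            # ACCEPT, DROP or LOG
    log_prefix: str = ""

    def matches(self, iface: str, state: str) -> bool:
        iface_ok = True
        if self.iface is not None:
            iface_ok = (iface == self.iface) != self.negate
        return iface_ok and state in self.states


# The myrules chain exactly as appended on the slide, in order.
MYRULES = [
    Rule(EXT, False, frozenset({"ESTABLISHED", "RELATED"}), "ACCEPT"),
    Rule(EXT, True, frozenset({"NEW"}), "ACCEPT"),
    Rule(EXT, False, frozenset({"NEW", "INVALID"}), "LOG", "dropped"),
    Rule(EXT, False, frozenset({"NEW", "INVALID"}), "DROP"),
]


def evaluate(chain, iface, state):
    """First-match traversal. LOG is non-terminating: record the entry and
    keep going; ACCEPT/DROP stop. A packet matching nothing falls off the
    end of the user chain and RETURNs to the calling chain's policy."""
    logged = []
    for rule in chain:
        if not rule.matches(iface, state):
            continue
        if rule.target == "LOG":
            logged.append(f"{rule.log_prefix}: in={iface} state={state}")
            continue
        return rule.target, logged
    return "RETURN", logged


if __name__ == "__main__":
    for iface in (EXT, INT):
        for state in ("NEW", "ESTABLISHED", "RELATED", "INVALID"):
            print(iface, state, evaluate(MYRULES, iface, state))
```

Running it shows that ESTABLISHED and INVALID packets on the internal interface match none of the four rules, so their fate is decided by whatever chain jumped to myrules (and its policy), not by myrules itself.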
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p24, 15th May 2024.