Chapter 4. Filtering and Manipulation of Packets

Table of Contents

Source and destination IP
Checking for the protocol
TCP specific options
UDP specific options
Multiport Match Extension
Incoming and Outgoing Interface
Source MAC
Limit matches
Statefull Packet Filtering
TOS - Type of Service

Packet filtering and altering is the main task iptables have to perform and they are really good in it. But a highly configurable and flexible packetfilter is nothing trivial so please read this carefully before you start you experiments.

This chapter will show you how the different filter modules of the iptables are used in detail. It may look shocking but it's not that hard to understand and once you've got it, it' really easy to settup highly complex rulesets for big network routers or simple personal firewalls. Some of these advanced filtering options (connection tracking, mac) need extra modules to be either loaded as module or directly compiled into the kernel. Have a look at the Kernel Compiling HOWTO for details about building a custom kernel.

Source and destination IP

iptables -A INPUT --source -j ACCEPT

Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.. A ! argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.

iptables -A INPUT --destination ! -j ACCEPT

Destination specification is similar in usage to the source option.