Iptables modules that aren't in the iptables manpage
I recently discovered that not all of the
iptables extension modules are documented in the iptables manual
page, at least the versions installed on Debian Sarge or Fedora Core
4; they're only documented in the
netfilter.org extensions HOWTO
here,
or sometimes not even there.
I care about this because it means there are interesting things I could
do with iptables that I can't find out by reading the manpage. So for my
future reference and anyone else's use, here's a quick summary of the
'missing' extension modules, based on what's in Debian Sarge and Fedora
Core 4.
The non-manpage iptables modules documented in the
extensions HOWTO
are:
connlimit, which appears to be what netfilter.org calls
iplimit.
ipv4options: match various IP v4 options, like source routing.
(Debian only)
psd: attempt to detect port scans. (Debian only)
quota: supports byte transfer quotas. (Debian only)
recent: keep track of and match various sorts of recent packets.
string: match strings anywhere in a packet. (Debian only)
u32: match arbitrary bytes in a packet. (Debian only)
IPV4OPTSSTRIP: strip all IP options from an IPv4 packet. (Debian
only)
NETLINK: send rejected packets to userspace via a netlink
socket. (Debian only)
SAME: remap source addresses down to a narrow range.
XOR: simple XOR-based packet encryption. (Debian only)
(Note that some extension modules, although mentioned in the manpage,
are much better documented at netfilter.org. One example
is the fuzzy match extension.)
Pretty much undocumented (in neither the manual page nor
netfilter.org's extensions HOWTO):
comment: adds comments to any rule; see
here.
(Fedora Core 4 only)
hashlimit: a more general limit matcher; see
here.
(Fedora Core 4 only)
pool and POOL: obsolete; see
here.
(Debian only)
osf: match based on passive OS fingerprinting. See
here.
(Debian only)
rpc: some sort of matcher for RPC packets. Apparently obsolete; see
here.
sctp: matches sctp packets. See
here.
set and SET: match and modify sets of IP addresses; see
here, apparently. You'll need an
additional utility or two. (Debian only)
IPMARK: mark a received packet based on IP address; see
here.
(Debian only)
TARPIT: capture and hold incoming TCP connections using no
per-connection resources. See
here.
TCPLAG: passively monitor TCP connections for how lagged they
are. See
here.
(Debian only)
At the user level, extension modules are implemented as shared
libraries in /lib/iptables (libipt_<name>.so, with target names in
upper case and match names in lower case), so your system's iptables
may or may not support all of these netfilter extensions, depending
on which libraries were built and installed. Even if your iptables
knows about an extension, your kernel may not have the matching
ipt_<name> module, and you generally only find out when you try to
add a rule that uses it.
You can get basic argument information for any extension from
iptables by using either '-m <WHAT> --help' for match extensions
or '-j <WHAT> --help' for target extensions.
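As an added example (not part of the original entry), here is a small POSIX shell script that does the inventory described above on a given system: it walks the userspace library directory, sorts the extensions into matches and targets by the upper/lower case naming convention, checks whether the running kernel has the corresponding ipt_<name> module, and asks iptables for each extension's own usage text with -m/-j <name> --help. It assumes the libraries live in /lib/iptables (overridable via IPTABLES_LIB), that the kernel is new enough to expose /proc/net/ip_tables_matches and /proc/net/ip_tables_targets, and that kernel modules follow the ipt_<name> naming; the "standard" library is special-cased because it is a lower-case target.

```shell
#!/bin/sh
# Added example, not from the original entry: inventory the iptables
# extension libraries on this host and check kernel/userspace support.
# Assumptions: libraries are /lib/iptables/libipt_<name>.so (targets upper
# case, matches lower case, except the lower-case "standard" target),
# kernel modules are named ipt_<name>, and /proc/net/ip_tables_{matches,
# targets} exist (kernels with x_tables, 2.6.16 and later).

list_extensions() {
    # $1: directory holding libipt_*.so (default /lib/iptables).
    # Prints one "match <name>" or "target <name>" line per library,
    # sorted in the C locale so the order is deterministic.
    dir=${1:-/lib/iptables}
    for lib in "$dir"/libipt_*.so; do
        [ -e "$lib" ] || continue
        name=${lib##*/libipt_}        # strip path and libipt_ prefix
        name=${name%.so}              # strip .so suffix
        case $name in
            standard) kind=target ;;  # the one lower-case target
            *[a-z]*)  kind=match ;;   # any lower-case letter: a match
            *)        kind=target ;;  # all upper case: a target
        esac
        echo "$kind $name"
    done | LC_ALL=C sort
}

help_flag() {
    # $1: match|target. Echoes the iptables option that loads that kind of
    # extension so its --help text can be requested.
    case $1 in
        target) echo -j ;;
        *)      echo -m ;;
    esac
}

kernel_knows() {
    # $1: match|target, $2: name. Exit 0 if the running kernel already
    # lists the extension or has an ipt_<name> module it could load.
    case $1 in
        target) proc=/proc/net/ip_tables_targets ;;
        *)      proc=/proc/net/ip_tables_matches ;;
    esac
    [ -r "$proc" ] && grep -qx "$2" "$proc" && return 0
    modinfo "ipt_$2" >/dev/null 2>&1
}

show_usage() {
    # $1: match|target, $2: name. Prints iptables' own usage text for the
    # extension; a non-zero exit means this iptables cannot load it.
    iptables "$(help_flag "$1")" "$2" --help 2>&1
}

main() {
    dir=${IPTABLES_LIB:-/lib/iptables}
    list_extensions "$dir" | while read -r kind name; do
        if kernel_knows "$kind" "$name"; then k=kernel-ok; else k=no-kernel-module; fi
        echo "== $kind $name ($k) =="
        if command -v iptables >/dev/null 2>&1; then
            show_usage "$kind" "$name" | sed -n '/^[A-Za-z0-9_]* \(match \|v[0-9].* \)\{0,1\}options/,$p'
        fi
    done
}

main
```

The kernel check is only a hint: /proc/net/ip_tables_matches lists what is loaded right now, and modinfo tells you a module file exists, but the authoritative test is still adding a rule with the extension, which is exactly what the page says.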
(Disclaimer: all of these URLs worked when I wrote this entry, but
netfilter.org may have shuffled some of them by the time you read
this. If you can't find something, look through all of the
repositories in their
patch-o-matic.)