Iptables modules that aren't in the iptables manpage

December 2, 2005

I recently discovered that not all of the iptables extension modules are documented in the iptables manual page, at least the versions installed on Debian Sarge or Fedora Core 4; they're only documented in the netfilter.org extensions HOWTO here, or sometimes not even there.

I care about this because this means there's interesting things I could do with iptables that I can't find out by reading the manpage. So for my future reference and anyone else's use, here's a quick summary of the 'missing' extension modules, based on what's in Debian Sarge and Fedora Core 4.

The non-manpage iptables modules documented in the extensions HOWTO are:

  • connlimit, which appears to be what netfilter.org calls iplimit.
  • ipv4options: match various IP v4 options, like source routing. (Debian only)
  • psd: attempt to detect port scans. (Debian only)
  • quota: supports byte transfer quotas. (Debian only)
  • recent: keep track of and match various sorts of recent packets.
  • string: match strings anywhere in a packet. (Debian only)
  • u32: match arbitrary bytes in a packet. (Debian only)
  • IPV4OPTSSTRIP: strip all IP obtions from an IPv4 packet. (Debian only)
  • NETLINK: send rejected packets to userspace via a netlink socket. (Debian only)
  • SAME: remap source addresses down to a narrow range.
  • XOR: simple XOR-based packet encryption. (Debian only)

(Note that some extension modules, although mentioned in the manpage, are much better documented at netfilter.org. One example is the fuzzy match extension.)

Pretty undocumented (in neither the manual page nor netfilter.org's extensions HOWTO):

  • comment: adds comments to any rule; see here. (Fedora Core 4 only)
  • hashlimit: a more general limit matcher; see here. (Fedora Core 4 only)
  • pool and POOL: obsolete; see here. (Debian only)
  • osf: match based on passive OS fingerprinting. See here. (Debian only)
  • rpc: some sort of matcher for RPC packets. Apparently obsolete; see here.
  • sctp: matches sctp packets. See here.
  • set and SET: match and modify sets of IP addresses; see here, apparently. You'll need an additional utility or two. (Debian only)
  • IPMARK: mark a received packet based on IP address; see here. (Debian only)
  • TARPIT: capture and hold incoming TCP connections using no per-connection resources. See here.
  • TCPFLAG: passively monitor connections for how lagged they are. See here. (Debian only)

At the user level, extension modules are implemented as shared libraries in /lib/iptables, so your system's iptables may or may not support all of these netfilter extensions. Even if your iptables knows about an extension, your kernel may not support it.

You can get basic argument information for any extension from iptables by using either '-m <WHAT> --help' for match extensions or '-j <WHAT> --help' for target extensions.

(Disclaimer: all of these URLs worked when I wrote this entry, but netfilter.org may have shuffled some of them by the time you read this. If you can't find something, look through all of the repositories in their patch-o-matic.)

Written on 02 December 2005.
« Stopping brute-force ssh scans the easy way
How to do TCP keepalives in Python »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Dec 2 03:04:05 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.