Iptables modules that aren't in the iptables manpage
I recently discovered that not all of the
iptables
extension modules are documented in the iptables manual
page, at least the versions installed on Debian Sarge or Fedora Core
4; they're only documented in the
netfilter.org extensions HOWTO
here,
or sometimes not even there.
I care about this because this means there's interesting things I could do with iptables that I can't find out by reading the manpage. So for my future reference and anyone else's use, here's a quick summary of the 'missing' extension modules, based on what's in Debian Sarge and Fedora Core 4.
The non-manpage iptables modules documented in the extensions HOWTO are:
connlimit
, which appears to be what netfilter.org callsiplimit
.ipv4options
: match various IP v4 options, like source routing. (Debian only)psd
: attempt to detect port scans. (Debian only)quota
: supports byte transfer quotas. (Debian only)recent
: keep track of and match various sorts of recent packets.string
: match strings anywhere in a packet. (Debian only)u32
: match arbitrary bytes in a packet. (Debian only)IPV4OPTSSTRIP
: strip all IP obtions from an IPv4 packet. (Debian only)NETLINK
: send rejected packets to userspace via a netlink socket. (Debian only)SAME
: remap source addresses down to a narrow range.XOR
: simple XOR-based packet encryption. (Debian only)
(Note that some extension modules, although mentioned in the manpage,
are much better documented at netfilter.org. One example
is the fuzzy
match extension.)
Pretty undocumented (in neither the manual page nor netfilter.org's extensions HOWTO):
comment
: adds comments to any rule; see here. (Fedora Core 4 only)hashlimit
: a more generallimit
matcher; see here. (Fedora Core 4 only)pool
andPOOL
: obsolete; see here. (Debian only)osf
: match based on passive OS fingerprinting. See here. (Debian only)rpc
: some sort of matcher for RPC packets. Apparently obsolete; see here.sctp
: matches sctp packets. See here.set
andSET
: match and modify sets of IP addresses; see here, apparently. You'll need an additional utility or two. (Debian only)IPMARK
: mark a received packet based on IP address; see here. (Debian only)TARPIT
: capture and hold incoming TCP connections using no per-connection resources. See here.TCPFLAG
: passively monitor connections for how lagged they are. See here. (Debian only)
At the user level, extension modules are implemented as shared
libraries in /lib/iptables
, so your system's iptables
may or may
not support all of these netfilter extensions. Even if your iptables
knows about an extension, your kernel may not support it.
You can get basic argument information for any extension from
iptables
by using either '-m <WHAT> --help
' for match extensions
or '-j <WHAT> --help
' for target extensions.
(Disclaimer: all of these URLs worked when I wrote this entry, but netfilter.org may have shuffled some of them by the time you read this. If you can't find something, look through all of the repositories in their patch-o-matic.)
|
|