== Iptables modules that aren't in the iptables manpage

I [[recently discovered|StoppingSshScanning]] that not all of the _iptables_ extension modules are documented in the iptables manual page, at least in the versions installed on Debian Sarge or Fedora Core 4; they're only documented in the [[netfilter.org|http://www.netfilter.org]] extensions HOWTO [[here|http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html]], or sometimes not even there. I care about this because it means there are interesting things I could do with iptables that I can't find out by reading the manpage. So for my future reference and anyone else's use, here's a quick summary of the 'missing' extension modules, based on what's in Debian Sarge and Fedora Core 4.

The non-manpage iptables modules documented in the [[extensions HOWTO|http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html]] are:

* _connlimit_, which appears to be what [[netfilter.org]] calls _iplimit_.
* _ipv4options_: match various IPv4 options, like source routing. (Debian only)
* _psd_: attempt to detect port scans. (Debian only)
* _quota_: supports byte transfer quotas. (Debian only)
* _recent_: keep track of and match various sorts of recent packets.
* _string_: match strings anywhere in a packet. (Debian only)
* _u32_: match arbitrary bytes in a packet. (Debian only)
* _IPV4OPTSSTRIP_: strip all IP options from an IPv4 packet. (Debian only)
* _NETLINK_: send rejected packets to userspace via a netlink socket. (Debian only)
* _SAME_: remap source addresses down to a narrow range.
* _XOR_: simple XOR-based packet encryption. (Debian only)

(Note that some extension modules, although mentioned in the manpage, are much better documented at [[netfilter.org]]. One example is the _fuzzy_ match extension.)
Pretty undocumented (in neither the manual page nor [[netfilter.org]]'s extensions HOWTO):

* _comment_: adds comments to any rule; see [[here|http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-comment]]. (Fedora Core 4 only)
* _hashlimit_: a more general _limit_ matcher; see [[here|http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-hashlimit]]. (Fedora Core 4 only)
* _pool_ and _POOL_: obsolete; see [[here|http://www.netfilter.org/projects/patch-o-matic/pom-obsolete.html#pom-obsolete-pool]]. (Debian only)
* _osf_: match based on passive OS fingerprinting. See [[here|http://www.netfilter.org/projects/patch-o-matic/pom-base.html#pom-base-osf]]. (Debian only)
* _rpc_: some sort of matcher for RPC packets. Apparently obsolete; see [[here|http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-rpc]].
* _sctp_: matches SCTP packets. See [[here|http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-sctp]].
* _set_ and _SET_: match and modify sets of IP addresses; see [[here|http://ipset.netfilter.org/]], apparently. You'll need an additional utility or two. (Debian only)
* _IPMARK_: mark a received packet based on IP address; see [[here|http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-IPMARK]]. (Debian only)
* _TARPIT_: capture and hold incoming TCP connections using no per-connection resources. See [[here|http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-TARPIT]].
* _TCPLAG_: passively monitor connections for how lagged they are. See [[here|http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-TCPLAG]]. (Debian only)

At the user level, extension modules are implemented as shared libraries in _/lib/iptables_, so your system's _iptables_ may or may not support all of these netfilter extensions. Even if your _iptables_ knows about an extension, your kernel may not support it.
You can get basic argument information for any extension from _iptables_ by using either '_-m <module> --help_' for match extensions or '_-j <target> --help_' for target extensions.

(Disclaimer: all of these URLs worked when I wrote this entry, but [[netfilter.org]] may have shuffled some of them by the time you read this. If you can't find something, look through all of the repositories in their [[patch-o-matic|http://www.netfilter.org/projects/patch-o-matic/]].)
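As an added example (mine, not part of this entry or of netfilter's own tooling), here is a small POSIX shell script that inventories the extension libraries in _/lib/iptables_, uses netfilter's naming convention (lowercase names are match extensions for _-m_, uppercase names are targets for _-j_) to print the right _--help_ invocation for each, and checks whether a matching kernel module is present. It assumes the _libipt_NAME.so_ / _libxt_NAME.so_ library names, the _ipt_NAME_ / _xt_NAME_ kernel module names, and a module tree under _/lib/modules/$(uname -r)_; both directories can be overridden through the environment.

```shell
#!/bin/sh
# Inventory iptables userspace extensions and check for kernel-side support.
# Defaults are the paths the entry names; override for testing or odd layouts.
IPT_LIBDIR="${IPT_LIBDIR:-/lib/iptables}"
KMOD_DIR="${KMOD_DIR:-/lib/modules/$(uname -r)}"

# libipt_recent.so -> recent ; libipt_TARPIT.so -> TARPIT (assumed naming scheme)
ext_name() { basename "$1" .so | sed 's/^libipt_//; s/^libxt_//'; }

# Netfilter convention: match extensions are lowercase, targets are uppercase.
ext_kind() {
  case "$(ext_name "$1")" in
    *[[:lower:]]*) echo match ;;
    *)             echo target ;;
  esac
}

# The iptables command that prints an extension's own argument summary.
help_cmd() {
  n=$(ext_name "$1")
  case "$(ext_kind "$1")" in
    match)  echo "iptables -m $n --help" ;;
    target) echo "iptables -j $n --help" ;;
  esac
}

# True if ipt_NAME or xt_NAME exists as a loadable module under KMOD_DIR,
# or is listed as compiled-in in modules.builtin (a loadable .ko is absent then).
kernel_has() {
  find "$KMOD_DIR" \( -name "ipt_$1.ko*" -o -name "xt_$1.ko*" \) -print 2>/dev/null | grep -q . ||
    grep -Eq "/(ipt|xt)_$1\.ko$" "$KMOD_DIR/modules.builtin" 2>/dev/null
}

# One line per installed extension: name, kind, kernel support, help command.
inventory() {
  for lib in "$IPT_LIBDIR"/libipt_*.so "$IPT_LIBDIR"/libxt_*.so; do
    [ -e "$lib" ] || continue
    n=$(ext_name "$lib")
    if kernel_has "$n"; then k=yes; else k=no; fi
    printf '%-16s %-7s kernel=%-3s %s\n' "$n" "$(ext_kind "$lib")" "$k" "$(help_cmd "$lib")"
  done
}

inventory
```

A _kernel=no_ line for an extension the userspace _iptables_ knows about is exactly the case the entry warns about: the rule will parse but fail to load.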