这篇博客介绍iptables和netfilter中所有可用的匹配,章节比较厂,没必要去学习每个匹配的具体细节,大致了解下即可,后续要用到再深入掌握它。
在本篇中,我们将讨论更多关于匹配的内容。我选择将匹配范围缩小到五个不同的子类别。首先我们有通用匹配,它可以在所有规则中使用。然后我们有TCP匹配,它只能应用于TCP数据包。UDP匹配只适用于UDP报文,ICMP匹配只适用于ICMP报文。最后,我们有特殊的匹配,例如状态、所有者和限制匹配等等。
前面几篇内容中,我们已经了解过,匹配是在包中指定一个必须为真(或假)的特殊条件。一条规则可以包含任意类型的多个匹配。例如,我们可能想要匹配来自本地网络上特定主机的数据包,而在此基础上只匹配来自该主机上特定端口的数据包。然后,我们可以使用匹配来告诉规则只对具有特定源地址的数据包应用目标(或跳转)规范,这些数据包从连接到LAN的接口进入,并且数据包必须是指定的端口之一。如果其中任何一个匹配失败(例如,源地址不正确,但其他一切都是正确的),整个规则失败,并在包上测试下一个规则。但是,如果所有匹配都为真,则应用规则指定的目标。
通用匹配(generic match )指不管是什么协议,或者加载了什么插件,通用匹配项一直有效。通用匹配项也不需要什么特殊的参数。换句话说。我们在这里还包括–protocol 匹配,尽管它更特定于协议匹配。例如,如果我们想使用TCP匹配,我们需要使用–protocol匹配并将TCP作为一个选项发送给匹配。然而,–protocol本身也是一个匹配,因为它可以用来匹配特定的协议。
表1
匹配(match) | -p, --protocol |
内核(kernel) | 2.3, 2.4, 2.5 and 2.6 |
示例(example) | iptables -A INPUT -p tcp |
释义 | 该项匹配用于检查某些协议,协议的例子有TCP、UDP和ICMP。协议必须是内部指定的TCP、UDP或ICMP之一。也可以用数值定义,ICMP为1,TCP为6,UDP为17,取0意味着所有协议。该匹配可以用!表示取反,即–protoclol ! tcp表示匹配UDP和ICMP |
匹配(match) | -s, --src, --source |
内核(kernel) | 2.3, 2.4, 2.5 and 2.6 |
示例(example) | iptables -A INPUT -s 192.168.1.1 |
释义 | 源地址匹配,基于数据包的源地址进行匹配。主表单可用于匹配单个IP地址,如192.168.1.1。它还可以与CIDR“位”形式的网络掩码一起使用,具体方法是在网络掩码左侧指定1(1)的数量。这意味着,例如我们可以添加/24来使用255.255.255.0的网络掩码。然后我们可以匹配整个IP范围,例如我们的本地网络或防火墙后的网段。 比如192.168.0.0/24,将匹配192.168.0.x范围。另一种方法是使用255.255.255.255形式的常规网络掩码(即192.168.0.0/255.255.255.0)。!表示取非,即–source !192.168.0.0/24,我们将匹配所有源地址不在192.168.0.X内的包。默认情况是匹配所有IP地址的包 |
匹配(match) | -d, --dst, --destination |
内核(kernel) | 2.3, 2.4, 2.5 and 2.6 |
示例(example) | iptables -A INPUT -d 192.168.1.1 |
释义 | 基于目的地址进行匹配数据包。它的工作原理与——source匹配非常相似,并且具有相同的语法,除了匹配是基于包的去向。为了匹配一个IP范围,我们可以添加一个精确的网络掩码形式的网络掩码,或者添加一个从网络掩码位左侧计数的1(1)的数量。例如:192.168.0.0/255.255.255.0和192.168.0.0/24。另外:–d destination ! 192.168.0.1将匹配除192.168.0.1 IP地址外的所有数据包 |
匹配(match) | -i, --in-interface |
内核(kernel) | 2.3, 2.4, 2.5 and 2.6 |
示例(example) | iptables -A INPUT -i eth0 |
释义 | 用于匹配数据包进入时的接口。注意,此选项仅在INPUT、FORWARD和PREROUTING链中合法,在其他任何地方使用时将返回错误消息。如果没有指定特定的接口,此匹配的默认行为是假定字符串值为+。+值用于匹配由字母和数字组成的字符串。换句话说,一个+将告诉内核匹配所有数据包,而不考虑它是从哪个接口进入的。字符串+还可以附加到接口类型后,因此eth+将是所有以太网设备。-i !eth0表示匹配所有进入接口,除了eth0 |
匹配(match) | -o, --out-interface |
内核(kernel) | 2.3, 2.4, 2.5 and 2.6 |
示例(example) | iptables -A FORWARD -o eth0 |
释义 | –out-interface匹配用于配数据包离开时所在的接口。它与–in-interface相反,因此只能用在OUTPUT、FORWARD和POSTROUTING链。扩展名+被理解为匹配所有类似类型的设备,因此eth+将匹配所有eth设备。如果没有指定–out-interface,默认匹配所有设备,不管数据包去往何处 |
匹配(match) | -f, --fragment |
内核(kernel) | 2.3, 2.4, 2.5 and 2.6 |
示例(example) | iptables -A INPUT -f |
释义 | 该匹配用于匹配分片报文的第二和第三部分。这样做的原因是,在分片报文的情况下,没有办法告诉分片的源端口或目的端口,也没有ICMP类型等。此外,在相当特殊的情况下,碎片包可能被用于对其他计算机的复合攻击。像这样的数据包片段将不会被其他规则匹配,因此创建了这个匹配。该选项还可以与!标志;然而,在这种情况下!符号必须在匹配项之前,即!- f。当这个匹配颠倒时,我们匹配所有头片段和/或未片段的包。这意味着,我们匹配碎片化数据包的所有第一个片段,而不是第二个、第三个等等。我们还匹配在传输过程中没有被分片的所有数据包。还要注意,内核中有非常好的碎片整理选项,您可以使用它们来代替。另外需要注意的是,如果使用连接跟踪,则不会看到任何碎片化数据包,因为它们是在到达iptables中的任何链或表之前处理的。 |
这一节将描述那些自动匹配项。比如我们匹配–protocol tcp不需要任何其它条件。像TCP匹配、UDP匹配、ICMP匹配都是自动匹配类型。基于TCP的匹配包含一组仅对TCP数据包可用的惟一标准。基于UDP的匹配包含另一组仅对UDP包可用的标准。ICMP报文也是一样。另一方面,可以加载显式匹配。显式匹配就是要专门地指定,这个在下一节介绍。
这些匹配是特定于协议的,仅在处理TCP包和流时可用。要使用这些匹配项,在尝试使用它们之前,需要在命令行上指定–protocol tcp。注意–protocol tcp匹配必须在特定于协议的匹配的左侧。从某种意义上说,这些匹配是隐式加载的,就像UDP和ICMP匹配是隐式加载的一样。在TCP匹配部分之后,我们将在本节的后续部分中讨论其他匹配。
Match | –sport, --source-port |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp --sport 22 |
Explanation | The --source-port match is used to match packets based on their source port. Without it, we imply all source ports. This match can either take a service name or a port number. If you specify a service name, the service name must be in the /etc/services file, since iptables uses this file in which to find. If you specify the port by its number, the rule will load slightly faster, since iptables don’t have to check up the service name. However, the match might be a little bit harder to read than if you use the service name. If you are writing a rule-set consisting of a 200 rules or more, you should definitely use port numbers, since the difference is really noticeable. (On a slow box, this could make as much as 10 seconds’ difference, if you have configured a large rule-set containing 1000 rules or so). You can also use the --source-port match to match any range of ports, --source-port 22:80 for example. This example would match all source ports between 22 and 80. If you omit specifying the first port, port 0 is assumed (is implicit). --source-port :80 would then match port 0 through 80. And if the last port specification is omitted, port 65535 is assumed. If you were to write --source-port 22:, you would have specified a match for all ports from port 22 through port 65535. If you invert the port range, iptables automatically reverses your inversion. If you write --source-port 80:22, it is simply interpreted as --source-port 22:80. You can also invert a match by adding a ! sign. For example, --source-port ! 22 means that you want to match all ports but port 22. The inversion could also be used together with a port range and would then look like --source-port ! 22:80, which in turn would mean that you want to match all ports but ports 22 through 80. Note that this match does not handle multiple separated ports and port ranges. For more information about those, look at the multiport match extension. |
Match | –dport, --destination-port |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp --dport 22 |
Explanation | This match is used to match TCP packets, according to their destination port. It uses exactly the same syntax as the --source-port match. It understands port and port range specifications, as well as inversions. It also reverses high and low ports in port range specifications, as above. The match will also assume values of 0 and 65535 if the high or low port is left out in a port range specification. In other words, exactly the same as the --source-port syntax. Note that this match does not handle multiple separated ports and port ranges. For more information about those, look at the multiport match extension. |
Match | –tcp-flags |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -p tcp --tcp-flags SYN,FIN,ACK SYN |
Explanation | This match is used to match on the TCP flags in a packet. First of all, the match takes a list of flags to compare (a mask) and secondly it takes list of flags that should be set to 1, or turned on. Both lists should be comma-delimited. The match knows about the SYN, ACK, FIN, RST, URG, PSH flags, and it also recognizes the words ALL and NONE. ALL and NONE is pretty much self describing: ALL means to use all flags and NONE means to use no flags for the option. --tcp-flags ALL NONE would in other words mean to check all of the TCP flags and match if none of the flags are set. This option can also be inverted with the ! sign. For example, if we specify ! SYN,FIN,ACK SYN, we would get a match that would match packets that had the ACK and FIN bits set, but not the SYN bit. Also note that the comma delimitation should not include spaces. You can see the correct syntax in the example above. |
Match | –syn |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -p tcp --syn |
Explanation | The --syn match is more or less an old relic from the ipchains days and is still there for backward compatibility and for and to make transition one to the other easier. It is used to match packets if they have the SYN bit set and the ACK and RST bits unset. This command would in other words be exactly the same as the --tcp-flags SYN,RST,ACK SYN match. Such packets are mainly used to request new TCP connections from a server. If you block these packets, you should have effectively blocked all incoming connection attempts. However, you will not have blocked the outgoing connections, which a lot of exploits today use (for example, hacking a legitimate service and then installing a program or suchlike that enables initiating an existing connection to your host, instead of opening up a new port on it). This match can also be inverted with the ! sign in this, ! --syn, way. This would match all packets with the RST or the ACK bits set, in other words packets in an already established connection. |
Match | –tcp-option |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -p tcp --tcp-option 16 |
Explanation | This match is used to match packets depending on their TCP options. A TCP Option is a specific part of the header. This part consists of 3 different fields. The first one is 8 bits long and tells us which Options are used in this stream, the second one is also 8 bits long and tells us how long the options field is. The reason for this length field is that TCP options are, well, optional. To be compliant with the standards, we do not need to implement all options, but instead we can just look at what kind of option it is, and if we do not support it, we just look at the length field and can then jump over this data. This match is used to match different TCP options depending on their decimal values. It may also be inverted with the ! flag, so that the match matches all TCP options but the option given to the match. For a complete list of all options, take a closer look at the Internet Engineering Task Force who maintains a list of all the standard numbers used on the Internet. |
本节描述UDP协议报文匹配。当你指定–protocol UDP匹配时,这些匹配会隐式加载,并在此规范之后可用。注意,UDP包不是面向连接的,因此没有在包中设置不同的标志来提供关于数据包应该做什么的数据,例如打开或关闭连接,或者它们只是简单地应该发送数据。UDP包也不需要任何形式的确认。如果它们丢失了,它们只是丢失了(不考虑ICMP错误消息等)。这意味着UDP包上的匹配要比TCP包上的少得多。请注意,即使UDP或ICMP数据包被视为无连接协议,状态机也可以处理所有类型的数据包。状态机在UDP包和TCP包上的工作原理基本相同。
Match | –sport, --source-port |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p udp --sport 53 |
Explanation | This match works exactly the same as its TCP counterpart. It is used to perform matches on packets based on their source UDP ports. It has support for port ranges, single ports and port inversions with the same syntax. To specify a UDP port range, you could use 22:80 which would match UDP ports 22 through 80. If the first value is omitted, port 0 is assumed. If the last port is omitted, port 65535 is assumed. If the high port comes before the low port, the ports switch place with each other automatically. Single UDP port matches look as in the example above. To invert the port match, add a ! sign, --source-port ! 53. This would match all ports but port 53. The match can understand service names, as long as they are available in the /etc/services file. Note that this match does not handle multiple separated ports and port ranges. For more information about this, look at the multiport match extension. |
Match | –dport, --destination-port |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p udp --dport 53 |
Explanation | The same goes for this match as for --source-port above. It is exactly the same as for the equivalent TCP match, but here it applies to UDP packets. It matches packets based on their UDP destination port. The match handles port ranges, single ports and inversions. To match a single port you use, for example, --destination-port 53, to invert this you would use --destination-port ! 53. The first would match all UDP packets going to port 53 while the second would match packets but those going to the destination port 53. To specify a port range, you would, for example, use --destination-port 9:19. This example would match all packets destined for UDP port 9 through 19. If the first port is omitted, port 0 is assumed. If the second port is omitted, port 65535 is assumed. If the high port is placed before the low port, they automatically switch place, so the low port winds up before the high port. Note that this match does not handle multiple ports and port ranges. For more information about this, look at the multiport match extension. |
ICMP数据包甚至比UDP数据包更短暂,也就是说更短的寿命,因为它们是无连接的。ICMP协议主要用于错误报告和连接控制等。ICMP不是IP协议的附属协议,而是IP协议的补充协议,有助于处理错误。ICMP报文的报头与IP报文的报头非常相似,但在许多方面有所不同。该协议的主要特征是类型报头,它告诉我们数据包的目的。一个例子是,如果我们试图访问一个不可访问的IP地址,我们通常会返回一个不可访问的ICMP主机。有关ICMP类型的完整列表,请参阅ICMP类型附录。对于ICMP包,只有一个ICMP特定匹配可用,希望这应该足够了。当我们使用–protocol ICMP匹配时,这个匹配是隐式加载的,我们可以自动访问它。请注意,还可以使用所有的通用匹配,这样我们就可以在源地址和目的地址上进行匹配。
Match | –icmp-type |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p icmp --icmp-type 8 |
Explanation | This match is used to specify the ICMP type to match. ICMP types can be specified either by their numeric values or by their names. Numerical values are specified in RFC 792. To find a complete listing of the ICMP name values, do an iptables --protocol icmp --help, or check the ICMP types appendix. This match can also be inverted with the ! sign in this, --icmp-type ! 8, fashion. Note that some ICMP types are obsolete, and others again may be “dangerous” for an unprotected host since they may, among other things, redirect packets to the wrong places. The type and code may also be specified by their typename, numeric type, and type/code as well. For example --icmp-type network-redirect, --icmp-type 8 or --icmp-type 8/0. For a complete listing of the names, type iptables -p icmp --help. |
与TCP和UDP协议相比,SCTP或流控制传输协议在网络领域是一个相对较新。SCTP特性一章更详细地解释了该协议。通过向iptables的命令行添加-p SCTP匹配来加载隐式SCTP匹配。
SCTP协议是由一些较大的电信和交换机/网络制造商开发的,该协议特别适合于具有高可靠性和高吞吐量的大型同时事务。
Match | –source-port, --sport |
Kernel | 2.6 |
Example | iptables -A INPUT -p sctp --source-port 80 |
Explanation | The --source-port match is used to match an SCTP packet based on the source port in the SCTP packet header. The port can either be a single port, as in the example above, or a range of ports specified as --source-port 20:100, or it can also be inverted with the !-sign. This looks, for example, like --source-port ! 25. The source port is an unsigned 16 bit integer, so the maximum value is 65535 and the lowest value is 0. |
Match | –destination-port, --dport |
Kernel | 2.6 |
Example | iptables -A INPUT -p sctp --destination-port 80 |
Explanation | This match is used for the destination port of the SCTP packets. All SCTP packets contain a destination port, just as it does a source port, in the headers. The port can be either specified as in the example above, or with a port range such as --destination-port 6660:6670. The command can also be inverted with the !-sign, for example, --destination-port ! 80. This example would match all packets but those to port 80. The same applies for destination ports as for source ports, the highest port is 65535 and the lowest is 0. |
Match | –chunk-types |
Kernel | 2.6 |
Example | iptables -A INPUT -p sctp --chunk-types any INIT,INIT_ACK |
Explanation | This matches the chunk type of the SCTP packet. Currently there are a host of different chunk types available. For a complete list, see below. The match begins with the --chunk-types keyword, and then continues with a flag noting if we are to match all, any or none. After this, you specify the SCTP Chunk Types to match for. The Chunk Types are available in the separate list below. Additionally, the flags can take some Chunk Flags as well. This is done for example in the form --chunk-types any DATA:Be. The flags are specific for each SCTP Chunk type and must be valid according to the separate list after this table.If an upper case letter is used, the flag must be set, and if a lower case flag is set it must be unset to match. The whole match can be inversed by using an ! sign just after the --chunk-types keyword. For example, --chunk-types ! any DATA:Be would match anything but this pattern. |
SCTP Chunk types as used in --chunk-types
ABORT
ASCONF
ASCONF_ACK
COOKIE_ACK
COOKIE_ECHO
DATA
ECN_CWR
ECN_ECNE
ERROR
HEARTBEAT
HEARTBEAT_ACK
INIT
INIT_ACK
SACK
SHUTDOWN
SHUTDOWN_ACK
SHUTDOWN_COMPLETE
下面的标志可以与上面看到的–chunk-types匹配一起使用。根据RFC 2960 -流控制传输协议,所有剩余的标志都被保留或不使用,并且必须设置为0。幸运的是,Iptables目前没有包含任何强制执行这一点的措施,因为它很容易成为另一个问题,就像以前在IP协议中实现ECN时遇到的问题一样。
SCTP Chunk flags as used in --chunk-types
DATA - U or u for Unordered bit, B or b for Beginning fragment bit and E or e for Ending fragment bit.
ABORT - T or t for TCB destroy flag.
SHUTDOWN_COMPLETE - T or t for TCB destroyed flag.
显示匹配指的是需要-m或者-match来加载的匹配项。例如,状态匹配要求在输入您想要使用的实际匹配之前使用指令-m State。其中一些匹配可能是特定于协议的。有些可能不与任何特定协议连接—例如连接状态。这些可能是NEW(尚未建立的连接的第一个包)、ESTABLISHED(已经在内核中注册的连接)、RELATED(由已建立的旧连接创建的新连接)等等。有一些可能只是为了测试或实验目的而进化的,或者只是为了说明iptables的能力。这反过来又意味着,并非所有这些匹配乍一看都是有用的。尽管如此,您个人很可能会发现特定的显式匹配的用途。随着每一个新的iptables发布,总会有新的出现。你是否发现它们的用处取决于你的想象力和你的需求。隐式加载的匹配和显式加载的匹配之间的区别在于,隐式加载的匹配将自动加载,例如,当您匹配TCP包的属性时,而显式加载的匹配永远不会自动加载——这取决于您如何发现和激活显式匹配。
addrtype模块根据地址类型匹配报文。在内核内部使用地址类型将不同的数据包放入不同的类别。有了这个匹配,您将能够根据内核的地址类型匹配所有数据包。应该注意的是,不同地址类型与第三层协议不同,下表是个简单的解释,详细的介绍参考Linux Advanced Routing and Traffic Control HOW-TO 和Policy Routing using Linux
表3-1
Type | Description |
---|---|
ANYCAST | This is a one-to-many associative connection type, where only one of the many receiver hosts actually receives the data. This is for example implemented in DNS. You have single address to a root server, but it actually has several locations and your packet will be directed to the closest working server. Not implemented in Linux IPv4. |
BLACKHOLE | A blackhole address will simply delete the packet and send no reply. It works as a black hole in space basically. This is configured in the routing tables of linux. |
BROADCAST | A broadcast packet is a single packet sent to everyone in a specific network in a one-to-many relation. This is for example used in ARP resolution, where a single packet is sent out requesting information on how to reach a specific IP, and then the host that is authoritative replies with the proper MAC address of that host. |
LOCAL | An address that is local to the host we are working on. 127.0.0.1 for example. |
MULTICAST | A multicast packet is sent to several hosts using the shortest distance and only one packet is sent to each waypoint where it will be multiple copies for each host/router subscribing to the specific multicast address. Commonly used in one way streaming media such as video or sound. |
NAT | An address that has been NAT’ed by the kernel. |
PROHIBIT | Same as blackhole except that a prohibited answer will be generated. In the IPv4 case, this means an ICMP communication prohibited (type 3, code 13) answer will be generated. |
THROW | Special route in the Linux kernel. If a packet is thrown in a routing table it will behave as if no route was found in the table. In normal routing, this means that the packet will behave as if it had no route. In policy routing, another route might be found in another routing table. |
UNICAST | A real routable address for a single address. The most common type of route. |
UNREACHABLE | This signals an unreachable address that we do not know how to reach. The packets will be discarded and an ICMP Host unreachable (type 3, code 1) will be generated. |
UNSPEC | An unspecified address that has no real meaning. |
XRESOLVE | This address type is used to send route lookups to userland applications which will do the lookup for the kernel. This might be wanted to send ugly lookups to the outside of the kernel, or to have an application do lookups for you. Not implemented in Linux. |
addrtype匹配是使用-m addrtype关键字加载的。完成此操作后,下表中的额外匹配选项将可供使用。
表3-2 addrtype match options
Match | –src-type |
Kernel | 2.6 |
Example | iptables -A INPUT -m addrtype --src-type UNICAST |
Explanation | The --src-type match option is used to match the source address type of the packet. It can either take a single address type or several separated by coma signs, for example --src-type BROADCAST,MULTICAST. The match option may also be inverted by adding an exclamation sign before it, for example ! --src-type BROADCAST,MULTICAST. |
Match | –dst-type |
Kernel | 2.6 |
Example | iptables -A INPUT -m addrtype --dst-type UNICAST |
Explanation | The --dst-type works exactly the same way as --src-type and has the same syntax. The only difference is that it will match packets based on their destination address type. |
这些匹配用于IPSEC AH和ESP协议。IPSEC用于在不安全的Internet连接上建立安全的隧道。IPSEC使用AH和ESP协议来创建这些安全连接。AH和ESP匹配实际上是两个独立的匹配,但在这里都进行了描述,因为它们看起来非常相似,而且都在同一个函数中使用。
相关资料:
“-m ah” 加载AH匹配项
“-m esp” 加载ESP匹配项
表3-3 AH 匹配项和 ESP 匹配项
Match | –ahspi |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p 51 -m ah --ahspi 500 |
Explanation | This matches the AH Security Parameter Index (SPI) number of the AH packets. Please note that you must specify the protocol as well, since AH runs on a different protocol than the standard TCP, UDP or ICMP protocols. The SPI number is used in conjunction with the source and destination address and the secret keys to create a security association (SA). The SA uniquely identifies each and every one of the IPSEC tunnels to all hosts. The SPI is used to uniquely distinguish each IPSEC tunnel connected between the same two peers. Using the --ahspi match, we can match a packet based on the SPI of the packets. This match can match a whole range of SPI values by using a : sign, such as 500:520, which will match the whole range of SPI’s. |
Match | –espspi |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p 50 -m esp --espspi 500 |
Explanation | The ESP counterpart Security Parameter Index (SPI) is used exactly the same way as the AH variant. The match looks exactly the same, with the esp/ah difference. Of course, this match can match a whole range of SPI numbers as well as the AH variant of the SPI match, such as --espspi 200:250 which matches the whole range of SPI’s. |
注释匹配用于在iptables规则集和内核中添加注释。这可以使理解您的规则集和简化调试变得更加容易。例如,您可以添加注释,记录哪个bash函数向netfilter添加了特定的规则集以及原因。需要注意的是,这实际上并不是一个匹配。注释匹配是使用-m注释关键字加载的。此时可以使用以下选项。
表3-4
Match | –comment |
Kernel | 2.6 |
Example | iptables -A INPUT -m comment --comment “A comment” |
Explanation | The --comment option specifies the comment to actually add to the rule in kernel. The comment can be a maximum of 256 characters. |
连接标记匹配的使用方式与mark /mark目标和匹配组合中的标记匹配非常相似。连接标记匹配用于匹配已在与connmark目标的连接上设置的标记。它只需要一个选项。
** 要匹配与第一个创建连接标记的同一包上的标记,必须在connmark目标在第一个包上设置了标记之后使用connmark匹配。 **
表3-5
Match | –mark |
Kernel | 2.6 |
Example | iptables -A INPUT -m connmark --mark 12 -j ACCEPT |
Explanation | The mark option is used to match a specific mark associated with a connection. The mark match must be exact, and if you want to filter out unwanted flags from the connection mark before actually matching anything, you can specify a mask that will be anded to the connection mark. For example, if you have a connection mark set to 33 (10001 in binary) on a connection, and want to match the first bit only, you would be able to run something like --mark 1/1. The mask (00001) would be masked to 10001, so 10001 && 00001 equals 1, and then matched against the 1. |
conntrack匹配是状态匹配的扩展版本,这使得以更细粒度的方式匹配包成为可能。它可以让您查看连接跟踪系统中直接可用的信息,而不需要任何“前端”系统,比如状态匹配。有关连接跟踪系统的更多信息,请参阅状态机一章。对于连接跟踪系统中的几个不同字段,conntrack匹配中将有许多不同的匹配放在一起。这些被一起编译成下面的列表。要加载这些匹配项,您需要指定-m conntrack。
表3-6
Match | –ctstate |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctstate RELATED |
Explanation | This match is used to match the state of a packet, according to the conntrack state. It is used to match pretty much the same states as in the original state match. The valid entries for this match are: INVALID、ESTABLISHED、NEW、RELATED、SNAT、DNATThe entries can be used together with each other separated by a comma. For example, -m conntrack --ctstate ESTABLISHED,RELATED. It can also be inverted by putting a ! in front of --ctstate. For example: -m conntrack ! --ctstate ESTABLISHED,RELATED, which matches all but the ESTABLISHED and RELATED states. |
Match | –ctproto |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctproto TCP |
Explanation | This matches the protocol, the same as the --protocol does. It can take the same types of values, and is inverted using the ! sign. For example, -m conntrack ! --ctproto TCP matches all protocols but the TCP protocol. |
Match | –ctorigsrc |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctorigsrc 192.168.0.0/24 |
Explanation | –ctorigsrc matches based on the original source IP specification of the conntrack entry that the packet is related to. The match can be inverted by using a ! between the --ctorigsrc and IP specification, such as --ctorigsrc ! 192.168.0.1. It can also take a netmask of the CIDR form, such as --ctorigsrc 192.168.0.0/24. |
Match | –ctorigdst |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctorigdst 192.168.0.0/24 |
Explanation | This match is used exactly as the --ctorigsrc, except that it matches on the destination field of the conntrack entry. It has the same syntax in all other respects. |
Match | –ctreplsrc |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctreplsrc 192.168.0.0/24 |
Explanation | The --ctreplsrc match is used to match based on the original conntrack reply source of the packet. Basically, this is the same as the --ctorigsrc, but instead we match the reply source expected of the upcoming packets. This target can, of course, be inverted and address a whole range of addresses, just the same as the the previous targets in this class. |
Match | –ctrepldst |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctrepldst 192.168.0.0/24 |
Explanation | The --ctrepldst match is the same as the --ctreplsrc match, with the exception that it matches the reply destination of the conntrack entry that matched the packet. It too can be inverted, and accept ranges, just as the --ctreplsrc match. |
Match | –ctstatus |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctstatus RELATED |
Explanation | This matches the status of the connection, as described in the The state machine chapter. It can match the following statuses. NONE - The connection has no status at all. EXPECTED - This connection is expected and was added by one of the expectation handlers. SEEN_REPLY - This connection has seen a reply but isn’t assured yet. ASSURED - The connection is assured and will not be removed until it times out or the connection is closed by either end. This can also be inverted by using the ! sign. For example -m conntrack ! --ctstatus ASSURED which will match all but the ASSURED status. |
Match | –ctexpire |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctexpire 100:150 |
Explanation | This match is used to match on packets based on how long is left on the expiration timer of the conntrack entry, measured in seconds. It can either take a single value and match against, or a range such as in the example above. It can also be inverted by using the ! sign, such as this -m conntrack ! --ctexpire 100. This will match every expiration time, which does not have exactly 100 seconds left to it. |
该匹配用于基于数据包的DSCP(差异化服务代码点)字段进行匹配。通过指定-m dscp显式加载匹配项。匹配可以采用两个互斥选项,如下所述。参考 RFC 2638 - A Two-bit Differentiated Services Architecture for the Internet RFC
表3-7
Match | –dscp |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m dscp --dscp 32 |
Explanation | This option takes a DSCP value in either decimal or in hex. If the option value is in decimal, it would be written like 32 or 16, et cetera. If written in hex, it should be prefixed with 0x, like this: 0x20. It can also be inverted by using the ! character, like this: -m dscp ! --dscp 32. |
Match | –dscp-class |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m dscp --dscp-class BE |
Explanation | The --dscp-class match is used to match on the DiffServ class of a packet. The values can be any of the BE, EF, AFxx or CSx classes as specified in the various RFC’s. This match can be inverted just the same way as the --dscp option. |
注意:–dscp和–dscp-class是互斥的,不能同时使用
ecn匹配用于匹配TCP和IPv4报头中的不同ecn字段。通过在命令行中使用-m ecn显式加载匹配项。ecn匹配需要三个不同的选项,如下所述。 RFC 3168 - The Addition of Explicit Congestion Notification (ECN) to IP RFC
表3-8-1
Match | –ecn |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m ecn --ecn-tcp-cwr |
Explanation | This match is used to match the CWR (Congestion Window Received) bit, if it has been set. The CWR flag is set to notify the other endpoint of the connection that they have received an ECE, and that they have reacted to it. Per default this matches if the CWR bit is set, but the match may also be inversed using an exclamation point. |
Match | –ecn-tcp-ece |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m ecn --ecn-tcp-ece |
Explanation | This match can be used to match the ECE (ECN-Echo) bit. The ECE is set once one of the endpoints has received a packet with the CE bit set by a router. The endpoint then sets the ECE in the returning ACK packet, to notify the other endpoint that it needs to slow down. The other endpoint then sends a CWR packet as described in the --ecn-tcp-cwr explanation. This matches per default if the ECE bit is set, but may be inversed by using an exclamation point. |
Match | –ecn-ip-ect |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m ecn --ecn-ip-ect 1 |
Explanation | The --ecn-ip-ect match is used to match the ECT (ECN Capable Transport) codepoints. The ECT codepoints has several types of usage. Mainly, they are used to negotiate if the connection is ECN capable by setting one of the two bits to 1. The ECT is also used by routers to indicate that they are experiencing congestion, by setting both ECT codepoints to 1. The ECT values are all available in the in the ECN Field in IP table below. The match can be inversed using an exclamation point, for example ! --ecn-ip-ect 2 which will match all ECN values but the ECT(0) codepoint. The valid value range is 0-3 in iptables. See the above table for their values. |
表3-8-2
Iptables | value | ECT | CE |
0 | 0 | 0 | Not-ECT, ie. non-ECN capable connection. |
1 | 0 | 1 | ECT(1), New naming convention of ECT codepoints in RFC 3168. |
2 | 1 | 0 | ECT(0), New naming convention of ECT codepoints in RFC 3168. |
3 | 1 | 1 | CE (Congestion Experienced), Used to notify endpoints of congestion |
它不只是设置一个令牌桶,而是为每个目的IP、源IP、目的端口和源端口元组设置一个指向令牌桶的哈希表。例如,可以设置每个IP地址每秒最多接收1000个数据包,也可以设置在某个IP地址上的每个业务每秒最多接收200个数据包。通过指定-m hashlimit关键字加载hashlimit匹配。
每个使用hashlimit匹配的规则创建一个单独的哈希表,该哈希表具有特定的最大大小和最大桶数。此哈希表包含单个或多个值的哈希。可以是目的IP、源IP、目的端口和源端口的任意和/或全部。然后,每个条目都指向一个作为限制匹配的令牌桶。
表3-9
Match | –hashlimit |
Kernel | 2.6 |
Example | iptables -A INPUT -p tcp --dst 192.168.0.3 -m hashlimit --hashlimit 1000/sec --hashlimit-mode dstip,dstport --hashlimit-name hosts |
Explanation | The --hashlimit specifies the limit of each bucket. In this example the hashlimit is set to 1000. In this example, we have set up the hashlimit-mode to be dstip,dstport and destination 192.168.0.3. Hence, for every port or service on the destination host, it can receive 1000 packets per second. This is the same setting as the limit option for the limit match. The limit can take a /sec, /minute, /hour or /day postfix. If no postfix is specified, the default postfix is per second. |
Important This option is mandatory for all hashlimit matches. |
|
Match | –hashlimit-mode |
Kernel | 2.6 |
Example | iptables -A INPUT -p tcp --dst 192.168.0.0/16 -m hashlimit --hashlimit 1000/sec --hashlimit-mode dstip --hashlimit-name hosts |
Explanation | The --hashlimit-mode option specifies which values we should use as the hash values. In this example, we use only the dstip (destination IP) as the hashvalue. So, each host in the 192.168.0.0/16 network will be limited to receiving a maximum of 1000 packets per second in this case. The possible values for the --hashlimit-mode is dstip (Destination IP), srcip (Source IP), dstport (Destination port) and srcport (Source port). All of these can also be separated by a comma sign to include more than one hashvalue, such as for example --hashlimit-mode dstip,dstport. Important This option is mandatory for all hashlimit matches. |
Match | –hashlimit-name |
Kernel | 2.6 |
Example | iptables -A INPUT -p tcp --dst 192.168.0.3 -m hashlimit --hashlimit 1000 --hashlimit-mode dstip,dstport --hashlimit-name hosts |
Explanation | This option specifies the name that this specific hash will be available as. It can be viewed inside the /proc/net/ipt_hashlimit directory. The example above would be viewable inside the /proc/net/ipt_hashlimit/hosts file. Only the filename should be specified. Important This option is mandatory for all hashlimit matches. |
Match | –hashlimit-burst |
Kernel | 2.6 |
Example | iptables -A INPUT -p tcp --dst 192.168.0.3 -m hashlimit --hashlimit 1000 --hashlimit-mode dstip,dstport --hashlimit-name hosts --hashlimit-burst 2000 |
Explanation | This match is the same as the --limit-burst in that it sets the maximum size of the bucket. Each bucket will have a burst limit, which is the maximum amount of packets that can be matched during a single time unit. For an example on how a token bucket works, take a look at the Limit match. |
Match | –hashlimit-htable-size |
Kernel | 2.6 |
Example | iptables -A INPUT -p tcp --dst 192.168.0.3 -m hashlimit --hashlimit 1000 --hashlimit-mode dstip,dstport --hashlimit-name hosts --hashlimit-htable-size 500 |
Explanation | This sets the maximum available buckets to be used. In this example, it means that a maximum of 500 ports can be open and active at the same time. |
Match | –hashlimit-htable-max |
Kernel | 2.6 |
Example | iptables -A INPUT -p tcp --dst 192.168.0.3 -m hashlimit --hashlimit 1000 --hashlimit-mode dstip,dstport --hashlimit-name hosts --hashlimit-htable-max 500 |
Explanation | The --hashlimit-htable-max sets the maximum number of hashtable entries. This means all of the connections, including the inactive connections that doesn’t require any token buckets for the moment. |
Match | –hashlimit-htable-gcinterval |
Kernel | 2.6 |
Example | iptables -A INPUT -p tcp --dst 192.168.0.3 -m hashlimit --hashlimit 1000 --hashlimit-mode dstip,dstport --hashlimit-name hosts --hashlimit-htable-gcinterval 1000 |
Explanation | How often should the garbage collection function be run. Generally speaking this value should be lower than the expire value. The value is measured in milliseconds. If it is set too low it will be taking up unnecessary system resources and processing power, but if it’s too high it can leave unused token buckets lying around for too long and leaving other connections impossible. In this example the garbage collector will run every second. |
Match | –hashlimit-htable-expire |
Kernel | 2.6 |
Example | iptables -A INPUT -p tcp --dst 192.168.0.3 -m hashlimit --hashlimit 1000 --hashlimit-mode dstip,dstport --hashlimit-name hosts --hashlimit-htable-expire 10000 |
Explanation | This value sets after how long time an idle hashtable entry should expire. If a bucket has been unused for longer than this, it will be expired and the next garbage collection run will remove it from the hashtable, as well as all of the information pertaining to it. |
与其他匹配相比,这是一个相当非传统的匹配,因为它使用了一些特定的语法。该匹配用于匹配数据包,根据数据包与哪个conntrack helper相关。例如,让我们看看FTP会话。打开Control会话,为Control会话中的Data会话协商端口/连接。ip_conntrack_ftp助手模块将找到这些信息,并在conntrack表中创建相关条目。现在,当数据包进入时,我们可以看到它与哪个协议相关,并且可以根据使用的帮助器在规则集中匹配数据包。使用-m helper关键字加载匹配项。
Match | –helper |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m helper --helper ftp-21 |
Explanation | The --helper option is used to specify a string value, telling the match which conntrack helper to match. In the basic form, it may look like --helper irc. This is where the syntax starts to change from the normal syntax. We can also choose to only match packets based on which port that the original expectation was caught on. For example, the FTP Control session is normally transferred over port 21, but it may as well be port 954 or any other port. We may then specify upon which port the expectation should be caught on, like --helper ftp-954. |
IP范围匹配用于匹配IP范围,就像–source和–destination匹配一样。然而,这种匹配增加了一种不同类型的匹配,它能够以某一段IP地址范围的方式进行匹配,这是–source和–destination匹配所不能做到的。这在某些特定的网络设置中可能是需要的,而且它相当灵活。使用-m iprange关键字加载IP范围匹配。
Match | –src-range |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m iprange --src-range 192.168.1.13-192.168.2.19 |
Explanation | This matches a range of source IP addresses. The range includes every single IP address from the first to the last, so the example above includes everything from 192.168.1.13 to 192.168.2.19. The match may also be inverted by adding an !. The above example would then look like -m iprange ! --src-range 192.168.1.13-192.168.2.19, which would match every single IP address, except the ones specified. |
Match | –dst-range |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m iprange --dst-range 192.168.1.13-192.168.2.19 |
Explanation | The --dst-range works exactly the same as the --src-range match, except that it matches destination IP’s instead of source IP’s. |
基于包的长度进行匹配,如果出于某种奇怪的原因想要限制包的长度,或者想要阻止类似ping-of-death的行为,请使用长度匹配。
Match | –length |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m length --length 1400:1500 |
Explanation | The example --length will match all packets with a length between 1400 and 1500 bytes. The match may also be inversed using the ! sign, like this: -m length ! --length 1400:1500 . It may also be used to match only a specific length, removing the : sign and onwards, like this: -m length --length 1400. The range matching is, of course, inclusive, which means that it includes all packet lengths in between the values you specify. |
限制匹配扩展必须使用-m limit选项显式加载。例如,这种匹配可以用于提供特定规则的有限日志记录等。例如,您可以使用它来匹配所有不超过给定值的数据包,并且在超过该值之后,限制记录相关事件。考虑一个时间限制:您可以限制在某个时间框架内可以匹配某条规则的次数,例如,减少DoS syn flood攻击的影响。这是它的主要用法,当然还有更多的用法。极限匹配也可以通过添加!标志在限制匹配前。然后它将被表示为-m limit! --limit 5 / s。这意味着所有数据包都将在超过限值后被匹配。为了进一步解释限制匹配,它基本上是一个令牌桶过滤器。考虑有一个泄漏桶,其中桶每个时间单位泄漏X个包。X的定义取决于我们得到多少匹配的数据包,所以如果我们得到3个数据包,桶每一个时间单位泄漏3个数据包。limit选项告诉我们每个时间单位要向桶中填充多少包,而limit-burst选项告诉我们桶最初有多大。所以,设置—limit 3/分钟—limit-burst 5,然后接收5个匹配将清空桶。20秒后,桶被重新填充另一个令牌,以此类推,直到再次达到–limit-burst或直到它们被使用。
先看看下面的示例:
Match | –limit |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m limit --limit 3/hour |
Explanation | This sets the maximum average match rate for the limit match. You specify it with a number and an optional time unit. The following time units are currently recognized: /second /minute /hour /day. The default value here is 3 per hour, or 3/hour. This tells the limit match how many times to allow the match to occur per time unit (e.g. per minute). |
Match | –limit-burst |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m limit --limit-burst 5 |
Explanation | This is the setting for the burst limit of the limit match. It tells iptables the maximum number of tokens available in the bucket when we start, or when the bucket is full. This number gets decremented by one for every packet that arrives, down to the lowest possible value, 1. The bucket will be refilled by the limit value every time unit, as specified by the --limit option. The default --limit-burst value is 5. For a simple way of checking out how this works, you can use the example Limit-match.txt one-rule-script. Using this script, you can see for yourself how the limit rule works, by simply sending ping packets at different intervals and in different burst numbers. All echo replies will be blocked when the burst value has been exceeded, and then be refilled by the limit value every second. |
通过数据包的MAC地址进行匹配
Match | –mac-source |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 |
Explanation | This match is used to match packets based on their MAC source address. The MAC address specified must be in the form XX:XX:XX:XX:XX:XX, else it will not be legal. The match may be reversed with an ! sign and would look like --mac-source ! 00:00:00:00:00:01. This would in other words reverse the meaning of the match, so that all packets except packets from this MAC address would be matched. Note that since MAC addresses are only used on Ethernet type networks, this match will only be possible to use for Ethernet interfaces. The MAC match is only valid in the PREROUTING, FORWARD and INPUT chains and nowhere else. |
标记匹配扩展用于匹配报文所设置的标记。标记是一种特殊的字段,只在内核中维护,当信息包通过计算机时,它与信息包相关联。不同的内核例程可以使用标记来执行诸如流量整形和过滤等任务。到目前为止,在Linux中只有一种设置标记的方法,即iptables中的mark目标。这是以前在ipchain中使用FWMARK目标完成的,这也是为什么人们仍然在高级路由领域引用FWMARK的原因。标记字段当前被设置为无符号整数,或者在32位系统中设置为4294967296个可能的值。换句话说,您可能在相当长的一段时间内都不会碰到这个极限。
Match | –mark |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -t mangle -A INPUT -m mark --mark 1 |
Explanation | This match is used to match packets that have previously been marked. Marks can be set with the MARK target which we will discuss in the next section. All packets traveling through Netfilter get a special mark field associated with them. Note that this mark field is not in any way propagated, within or outside the packet. It stays inside the computer that made it. If the mark field matches the mark, it is a match. The mark field is an unsigned integer, hence there can be a maximum of 4294967296 different marks. You may also use a mask with the mark. The mark specification would then look like, for example, --mark 1/1. If a mask is specified, it is logically AND ed with the mark specified before the actual comparison. |
多端口匹配扩展可以用于指定多个目标端口和端口范围。如果没有这种匹配提供的可能性,您将不得不使用相同类型的多个规则来匹配不同的端口。
注意:不能同时使用标准端口匹配和多端口匹配,例如你不能写:–sport 1024:63353 -m multiport --dport 21,23,80。这根本行不通。实际上,如果您这样做了,iptables会遵循规则中的第一个元素,而忽略多端口指令。
Match | –source-port |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 |
Explanation | This match matches multiple source ports. A maximum of 15 separate ports may be specified. The ports must be comma delimited, as in the above example. The match may only be used in conjunction with the -p tcp or -p udp matches. It is mainly an enhanced version of the normal --source-port match. |
Match | –destination-port |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110 |
Explanation | This match is used to match multiple destination ports. It works exactly the same way as the above mentioned source port match, except that it matches destination ports. It too has a limit of 15 ports and may only be used in conjunction with -p tcp and -p udp. |
Match | –port |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m multiport --port 22,53,80,110 |
Explanation | This match extension can be used to match packets based both on their destination port and their source port. It works the same way as the --source-port and --destination-port matches above. It can take a maximum of 15 ports and can only be used in conjunction with -p tcp and -p udp. Note that the --port match will only match packets coming in from and going to the same port, for example, port 80 to port 80, port 110 to port 110 and so on. |
所有者匹配扩展用于根据创建数据包的进程的标识匹配数据包。可以将所有者指定为发出相关命令的用户的进程ID、组的进程ID、进程ID、会话ID或命令本身的进程ID。这个扩展最初是作为iptables可以用来做什么的示例编写的。所有者匹配只在OUTPUT链内工作,原因很明显:几乎不可能找到关于从另一端发送数据包的实例的身份的任何信息,或者在有到真正目的地的中间跳的地方。即使在OUTPUT链中,它也不是很可靠,因为某些包可能没有所有者。这类臭名昭著的数据包(除其他外)是不同的ICMP响应。ICMP响应永远不会匹配。
Match | –cmd-owner |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m owner --cmd-owner httpd |
Explanation | This is the command owner match, and is used to match based on the command name of the process that is sending the packet. In the example, httpd is matched. This match may also be inverted by using an exclamation sign, for example -m owner ! --cmd-owner ssh. |
Match | –uid-owner |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m owner --uid-owner 500 |
Explanation | This packet match will match if the packet was created by the given User ID (UID). This could be used to match outgoing packets based on who created them. One possible use would be to block any other user than root from opening new connections outside your firewall. Another possible use could be to block everyone but the http user from sending packets from the HTTP port. |
Match | –gid-owner |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m owner --gid-owner 0 |
Explanation | This match is used to match all packets based on their Group ID (GID). This means that we match all packets based on what group the user creating the packets is in. This could be used to block all but the users in the network group from getting out onto the Internet or, as described above, only to allow members of the http group to create packets going out from the HTTP port. |
Match | –pid-owner |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m owner --pid-owner 78 |
Explanation | This match is used to match packets based on the Process ID (PID) that was responsible for them. This match is a bit harder to use, but one example would be only to allow PID 94 to send packets from the HTTP port (if the HTTP process is not threaded, of course). Alternatively we could write a small script that grabs the PID from a ps output for a specific daemon and then adds a rule for it. For an example, you could have a rule as shown in the Pid-owner.txt example. |
Match | –sid-owner |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m owner --sid-owner 100 |
Explanation | This match is used to match packets based on the Session ID used by the program in question. The value of the SID, or Session ID of a process, is that of the process itself and all processes resulting from the originating process. These latter could be threads, or a child of the original process. So, for example, all of our HTTPD processes should have the same SID as their parent process (the originating HTTPD process), if our HTTPD is threaded (most HTTPDs are, Apache and Roxen for instance). To show this in example, we have created a small script called Sid-owner.txt. This script could possibly be run every hour or so together with some extra code to check if the HTTPD is actually running and start it again if necessary, then flush and re-enter our OUTPUT chain if needed. |
**注意:在SMP内核中,pid、sid和命令匹配失效了,因为它们为每个处理器使用不同的进程列表。不过,这个问题将来可能会得到解决 **
报文类型匹配用于根据报文的类型进行匹配。也就是说,它们是特定的人,每个人,还是特定的机器或用户群体。这三组通常称为单播、广播和多播,如TCP/IP repetition所述。使用-m pkttype加载匹配。
Match | –pkt-type |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m pkttype --pkt-type unicast |
Explanation | The --pkt-type match is used to tell the packet type match which packet type to match. It can either take unicast , broadcast or multicast as an argument, as in the example. It can also be inverted by using a ! like this: -m pkttype --pkt-type ! broadcast, which will match all other packet types. |
域匹配用于根据数据包所属的路由域来匹配数据包。在Linux中,路由域用于复杂的路由场景和设置,例如使用BGP等。通过向命令行添加-m realm关键字来加载域匹配。在Linux中,路由域用于将路由划分为逻辑路由组。在当今大多数专用路由器中,路由信息库(RIB)和转发引擎彼此非常接近。例如,在内核内部。因为Linux并不是一个真正的专用路由系统,它被迫将它的RIB和转发信息库(FIB)分开。RIB位于用户空间中,FIB位于内核空间中。由于这种分离,在RIB中进行快速搜索变得非常占资源。路由领域是解决这个问题的Linux解决方案,它实际上使系统更加灵活和丰富。Linux领域可以与BGP和其他提供大量路由的路由协议一起使用。然后,路由守护进程可以根据前缀、路径或源等对路由进行排序,并将它们放在不同的领域。领域是数字的,但也可以通过/etc/iproute2/rt_realms文件命名。
Match | –realm |
Kernel | 2.6 |
Example | iptables -A OUTPUT -m realm --realm 4 |
Explanation | This option matches the realm number and optionally a mask. If this is not a number, it will also try and resolve the realm from the /etc/iproute2/rt_realms file also. If a named realm is used, no mask may be used. The match may also be inverted by setting an exclamation sign, for example --realm ! cosmos. |
基于最近的匹配事件来匹配数据包。例如,如果我们将看到一个传出的IRC连接,我们可以将IP地址设置为一个主机列表,并拥有另一个规则,允许在看到原始包的15秒内从IRC服务器返回识别请求。在我们更深入地研究匹配选项之前,让我们试着解释一下它是如何工作的。首先,我们使用几个不同的规则来完成最近匹配的使用。最近的匹配使用了几个不同的最近事件列表。正在使用的默认列表是default列表。我们用set选项在列表中创建一个新条目,因此一旦规则完全匹配(set选项总是匹配的),我们还在指定的最近列表中添加一个条目。列表项包含时间戳和触发set选项的报文中使用的源IP地址。一旦发生这种情况,我们可以使用一系列不同的最近选项来匹配该信息,以及更新条目的时间戳,等等。最后,如果我们出于某种原因想要删除一个列表条目,我们可以使用——remove match选项从最近的匹配中删除。所有使用最近匹配的规则,必须像往常一样加载最近模块(-m recent)。在我们继续讨论最近的比赛之前,让我们看看所有的选项。
Match | –name |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m recent --name examplelist |
Explanation | The name option gives the name of the list to use. Per default the DEFAULT list is used, which is probably not what we want if we are using more than one list. |
Match | –set |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m recent --set |
Explanation | This creates a new list entry in the named recent list, which contains a timestamp and the source IP address of the host that triggered the rule. This match will always return success, unless it is preceded by a ! sign, in which case it will return failure. |
Match | –rcheck |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m recent --name examplelist --rcheck |
Explanation | The --rcheck option will check if the source IP address of the packet is in the named list. If it is, the match will return true, otherwise it returns false. The option may be inverted by using the ! sign. In the later case, it will return true if the source IP address is not in the list, and false if it is in the list. |
Match | –update |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m recent --name examplelist --update |
Explanation | This match is true if the source combination is available in the specified list and it also updates the last-seen time in the list. This match may also be reversed by setting the ! mark in front of the match. For example, ! --update. |
Match | –remove |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m recent --name example --remove |
Explanation | This match will try to find the source address of the packet in the list, and returns true if the packet is there. It will also remove the corresponding list entry from the list. The command is also possible to inverse with the ! sign. |
Match | –seconds |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m recent --name example --check --seconds 60 |
Explanation | This match is only valid together with the --check and --update matches. The --seconds match is used to specify how long since the “last seen” column was updated in the recent list. If the last seen column was older than this amount in seconds, the match returns false. Other than this the recent match works as normal, so the source address must still be in the list for a true return of the match. |
Match | –hitcount |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m recent --name example --check --hitcount 20 |
Explanation | The --hitcount match must be used together with the --check or --update matches and it will limit the match to only include packets that have seen at least the hitcount amount of packets. If this match is used together with the --seconds match, it will require the specified hitcount packets to be seen in the specific timeframe. This match may also be reversed by adding a ! sign in front of the match. Together with the --seconds match, this means that a maximum of this amount of packets may have been seen during the specified timeframe. If both of the matches are inversed, then a maximum of this amount of packets may have been seen during the last minumum of seconds. |
Match | –rttl |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m recent --name example --check --rttl |
Explanation | The --rttl match is used to verify that the TTL value of the current packet is the same as the original packet that was used to set the original entry in the recent list. This can be used to verify that people are not spoofing their source address to deny others access to your servers by making use of the recent match. |
Match | –rsource |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m recent --name example --rsource |
Explanation | The --rsource match is used to tell the recent match to save the source address and port in the recent list. This is the default behavior of the recent match. |
Match | –rdest |
Kernel | 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m recent --name example --rdest |
Explanation | The --rdest match is the opposite of the --rsource match in that it tells the recent match to save the destination address and port to the recent list. |
参考脚本:Recent-match.txt
简单地说,这是对netfilter中可用的状态引擎的糟糕替代。这个版本在创建时考虑了http服务器,但是可以与任何TCP连接一起工作。首先,我们创建了两个名为http-recent和http-recent-final的链。http-recent链用于连接的开始阶段和实际的数据传输,而http-recent-final链用于最后的FIN/ACK, FIN握手。
注意:这对于内置的状态引擎来说是一个非常糟糕的替代,并且不能处理状态引擎所能处理的所有可能性。然而,这是一个很好的例子,可以在不太具体的情况下处理最近的匹配。不要在真实环境中使用此示例。它很慢,处理特殊情况很糟糕,通常只作为示例使用。例如,它不处理连接时的关闭端口、异步FIN握手(其中被连接的一方关闭,而另一方继续发送数据)等。
让我们通过示例规则集跟踪一个包。首先一个数据包进入INPUT链,然后我们将它发送到http-recent链。
正如你所看到的,最近的列表会变得非常复杂,但如果需要的话,它会提供给你大量的可能性。不过,要记住不要白费力气。如果您需要的能力已经实现了,请尝试使用它,而不是尝试创建您自己的解决方案。
状态匹配扩展与内核中的连接跟踪代码一起使用。状态匹配访问来自连接跟踪机的报文的连接跟踪状态。这允许我们知道连接处于什么状态,并且适用于几乎所有协议,包括无状态协议,如ICMP和UDP。在所有情况下,连接都会有一个默认超时,然后它将从连接跟踪数据库中删除。需要通过向规则中添加-m state语句来显式加载此匹配。然后,您将可以访问一个名为state的新匹配项。由于主题比较大,状态匹配的概念在状态机一章中有更全面的介绍。
Match | –state |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -m state --state RELATED,ESTABLISHED |
Explanation | This match option tells the state match what states the packets must be in to be matched. There are currently 4 states that can be used. INVALID, ESTABLISHED, NEW and RELATED. INVALID means that the packet is associated with no known stream or connection and that it may contain faulty data or headers. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid. NEW means that the packet has or will start a new connection, or that it is associated with a connection that has not seen packets in both directions. Finally, RELATED means that the packet is starting a new connection and is associated with an already established connection. This could for example mean an FTP data transfer, or an ICMP error associated with a TCP or UDP connection. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should, hence, not be used unmodified in cases where we have only one firewall and no load balancing between different firewalls. However, there may be times where this could be useful. For more information on how this could be used, read the The state machine chapter. |
tcpmss匹配用于匹配TCP中基于“最大段大小”的报文。该匹配只对SYN和SYN/ACK报文有效。
Match | –mss |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST SYN -m tcpmss --mss 2000:2500 |
Explanation | The --mss option tells the tcpmss match which Maximum Segment Sizes to match. This can either be a single specific MSS value, or a range of MSS values separated by a :. The value may also be inverted as usual using the ! sign, as in the following example: -m tcpmss ! --mss 2000:2500 This example will match all MSS values, except for values in the range 2000 through 2500. |
可以通过TOS字段匹配报文。TOS代表服务类型,由8位组成,位于IP报头中。通过向规则中添加-m tos来显式加载此匹配。TOS通常用于通知中间主机流的优先级及其内容(实际上并不是这样,但它通知了对流的任何特定需求,例如必须尽可能快地发送它,或者它需要能够发送尽可能多的有效负载)。不同的路由器和管理员如何处理这些值取决于具体情况。大多数人根本不在乎,而另一些人则尽最大努力对有问题的包及其提供的数据做一些有益的事情。
Match | –tos |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m tos --tos 0x16 |
Explanation | This match is used as described above. It can match packets based on their TOS field and their value. This could be used, among other things together with the iproute2 and advanced routing functions in Linux, to mark packets for later usage. The match takes a hex or numeric value as an option, or possibly one of the names resulting from ‘iptables -m tos -h’. At the time of writing it contained the following named values: Minimize-Delay 16 (0x10), Maximize-Throughput 8 (0x08), Maximize-Reliability 4 (0x04), Minimize-Cost 2 (0x02), and Normal-Service 0 (0x00). Minimize-Delay means to minimize the delay in putting the packets through - example of standard services that would require this include telnet, SSH and FTP-control. Maximize-Throughput means to find a path that allows as big a throughput as possible - a standard protocol would be FTP-data. Maximize-Reliability means to maximize the reliability of the connection and to use lines that are as reliable as possible - a couple of typical examples are BOOTP and TFTP. Minimize-Cost means minimizing the cost of packets getting through each link to the client or server; for example finding the route that costs the least to travel along. Examples of normal protocols that would use this would be RTSP (Real Time Stream Control Protocol) and other streaming video/radio protocols. Finally, Normal-Service would mean any normal protocol that has no special needs. |
TTL匹配用于根据IP报头中的TTL (Time to Live)字段匹配数据包。TTL字段包含8位数据,当客户端和接收主机之间的中间主机处理它时,TTL字段会减少一次。如果TTL达到0,则向发送报文的一方发送ICMP类型11代码0(在传输过程中TTL为0)或代码1(在重组过程中TTL为0),并通知其问题。这种匹配只用于基于它们的TTL匹配数据包,而不更改任何内容。顺便说一句,后者适用于所有类型的比赛。要加载此匹配,需要向规则中添加-m ttl。
Match | –ttl-eq |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m ttl --ttl-eq 60 |
Explanation | This match option is used to specify the TTL value to match exactly. It takes a numeric value and matches this value within the packet. There is no inversion and there are no other specifics to match. It could, for example, be used for debugging your local network - e.g. LAN hosts that seem to have problems connecting to hosts on the Internet - or to find possible ingress by Trojans etc. The usage is relatively limited, however; its usefulness really depends on your imagination. One example would be to find hosts with bad default TTL values (could be due to a badly implemented TCP/IP stack, or simply to misconfiguration). |
Match | –ttl-gt |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m ttl --ttl-gt 64 |
Explanation | This match option is used to match any TTL greater than the specified value. The value can be between 0 and 255 and the match can not be inverted. It could, for example, be used for matching any TTL greater than a specific value and then force them to a standardized value. This could be used to overcome some simple forms of spying by ISP’s to find out if you are running multiple machines behind a firewall, against their policies. |
Match | –ttl-lt |
Kernel | 2.3, 2.4, 2.5 and 2.6 |
Example | iptables -A OUTPUT -m ttl --ttl-lt 64 |
Explanation | The --ttl-lt match is used to match any TTL smaller than the specified value. It is pretty much the same as the --ttl-gt match, but as already stated; it matches smaller TTL’s. It could also be used in the same way as the --ttl-gt match, or to simply homogenize the packets leaving your network in general. |
Unclean match 不需要任何选项,并且只需要在需要使用它时显式加载它。请注意,这个选项被认为是实验性的,可能不会一直有效,也不会解决所有不干净的包或问题。不清洁匹配试图匹配格式不正常或不正常的包,例如具有错误头或校验和的包等等。这可以用于DROP连接和检查坏的流,例如;然而,你应该意识到这可能会破坏法律联系。