Specifications
ICMP  Because ICMP packets do not use any port numbers, other selection
criteria must be used. A list of the possible parameters can be obtained
with the command iptables -p icmp --help. Some frequently used types:
Name                     Number
echo-reply                    0
destination-unreachable       3
source-quench                 4
echo-request                  8
time-exceeded                11
parameter-problem            12
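As an added example (not from the original text), the following shell script turns the table above into an ICMP allow-list for the INPUT chain: the types the IP stack needs for normal operation are accepted, inbound echo-request is rate limited with the limit match so the host still answers ping but cannot be flooded cheaply, the obsolete source-quench type is dropped explicitly, and a final catch-all drops every other ICMP type. The rate values and the dry-run IPT variable are this example's own choices, not anything the text prescribes.

```shell
#!/bin/sh
# Added example: an ICMP allow-list built from the type names listed above.
# Runs in dry-run mode by default: IPT is the command used to emit rules,
# "echo iptables" unless the caller overrides it (IPT=iptables as root).
IPT="${IPT:-echo iptables}"

# icmp_rules: print (or apply) one rule per ICMP type.
icmp_rules() {
    # Error and control messages the stack relies on: PMTU discovery,
    # traceroute replies, answers to our own pings.
    for t in echo-reply destination-unreachable time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Inbound ping, limited to 5 per second with a burst of 10 (constructed values).
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    # source-quench (type 4) is obsolete and is not accepted.
    $IPT -A INPUT -p icmp --icmp-type source-quench -j DROP
    # Anything else ICMP (redirects, router advertisements, ...) is dropped.
    $IPT -A INPUT -p icmp -j DROP
}

# count_rules: number of rules the policy emits, used as a sanity check.
count_rules() {
    icmp_rules | wc -l | tr -d ' '
}

# accepted_types: space-separated list of the ICMP type names that are
# accepted, extracted from the generated rules.
accepted_types() {
    icmp_rules | grep -- '-j ACCEPT' \
        | sed 's/.*--icmp-type \([a-z-]*\).*/\1/' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Usage: ./icmp-rules.sh            (prints the rules for review)
#        IPT=iptables ./icmp-rules.sh   (applies them; needs root)
icmp_rules
```

Run without arguments the script only prints the rules, so the result can be reviewed (or compared against iptables -p icmp --help) before anything touches the kernel.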
Source and destination address  This criterion is somewhat critical from a
security point of view, because the IP address of a computer can be
changed at any time; it is not a feature that is tied to a particular
machine. Source and destination addresses may be specified in different ways:
Type                  Example
fully qualified name  www.example.com
IP address            127.0.0.1
network               192.168.10.0/24
                      192.168.10.0/255.255.255.0
If no source or destination address is specified, the rule applies to
all IP addresses. Normally, packets carrying private IP addresses are
blocked using this method. For a masqueraded private network, such a
restriction can also be very useful.
Interface  If you specify an interface in a rule, you normally intend the
rule to take effect in a specific direction. Rules that do not name an
interface treat all interfaces alike. As soon as the direction a packet
takes matters, you should take a closer look at the chain, because each
chain only sees packets travelling in certain directions:
Chain                    Incoming  Outgoing
PREROUTING               Yes       No
INPUT                    Yes       No
FORWARD                  Yes       Yes
POSTROUTING              No        Yes
OUTPUT (nat and filter)  No        Yes
Inversion  Most criteria can be negated. In general, this is done by
placing a ‘!’ in front of the corresponding value. For example,
-s !localhost matches all packets that do not come from the local host.
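As an added example (not part of the original text) covering the address, interface and inversion criteria above, this shell script builds an iptables command from its arguments and refuses combinations the chain table rules out: -i is only accepted on chains that see incoming packets, -o only on chains that see outgoing ones. Addresses are given in any of the forms from the address table, "-" means unspecified, and a leading "!" negates the match. Two practitioner caveats are built in: current iptables versions warn that the -s !host form is deprecated in favour of ! -s host, so the builder always emits the latter; and a host name is resolved once, when the rule is inserted, so the generated rule matches whatever the name resolved to at that moment. The function names and the dry-run IPT variable are this example's own.

```shell
#!/bin/sh
# Added example: a rule builder that applies the chain/direction table and
# the negation rule from the text before emitting an iptables command.
# Nothing is executed unless IPT=iptables is set by the caller.
IPT="${IPT:-echo iptables}"

# chain_direction CHAIN: print "in", "out" or "both" according to the
# table; OUTPUT of both the nat and the filter table is outgoing only.
chain_direction() {
    case "$1" in
        PREROUTING|INPUT)   echo in ;;
        FORWARD)            echo both ;;
        POSTROUTING|OUTPUT) echo out ;;
        *)                  return 1 ;;
    esac
}

# addr_match FLAG ADDR: "-" means unspecified (the rule then applies to
# all addresses); a leading "!" negates the match. The "!" is placed
# before the option, the form current iptables expects.
addr_match() {
    case "$2" in
        -)  ;;
        !*) printf ' ! %s %s' "$1" "${2#!}" ;;
        *)  printf ' %s %s' "$1" "$2" ;;
    esac
}

# build_rule CHAIN IN_IFACE OUT_IFACE SRC DST TARGET
# Use "-" for an interface or address you do not want to match on.
build_rule() {
    chain=$1 in_if=$2 out_if=$3 src=$4 dst=$5 target=$6
    dir=$(chain_direction "$chain") || { echo "unknown chain: $chain" >&2; return 1; }
    args="-A $chain"
    # -i only makes sense where packets arrive ...
    if [ "$in_if" != "-" ]; then
        [ "$dir" = in ] || [ "$dir" = both ] \
            || { echo "$chain never sees an incoming interface" >&2; return 1; }
        args="$args -i $in_if"
    fi
    # ... and -o only where they leave.
    if [ "$out_if" != "-" ]; then
        [ "$dir" = out ] || [ "$dir" = both ] \
            || { echo "$chain never sees an outgoing interface" >&2; return 1; }
        args="$args -o $out_if"
    fi
    args="$args$(addr_match -s "$src")$(addr_match -d "$dst")"
    $IPT $args -j "$target"
}

# Usage examples (constructed values): the first two print a rule, the
# third is rejected because OUTPUT has no incoming interface.
build_rule INPUT eth0 - 192.168.10.0/24 - ACCEPT
build_rule FORWARD eth0 eth1 '!localhost' 127.0.0.1 DROP
build_rule OUTPUT eth0 - - - ACCEPT || echo "rejected, as expected" >&2
```

Because the builder only prints by default, the generated rules can be reviewed and the direction check exercised without root; setting IPT=iptables applies them.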
120 Services on the Firewall