174 Chapter 13. Firewalls and iptables
• INVALID — The packet cannot be associated with any known connection, for example because it is malformed or because its TCP flags or sequence numbers fit no tracked connection.
• NEW — The packet is starting a new connection, or belongs to a two-way connection that has not been seen before. Note that, by default, the connection tracker treats a non-SYN TCP packet that matches no tracked connection as NEW (it picks the connection up mid-stream) rather than INVALID, so rules that accept --state NEW for TCP are usually written with --syn as well.
• RELATED — The packet is starting a new connection related in some way to an existing connection, such as an FTP data connection or an ICMP error message that refers to an existing connection.
These connection states can be combined by separating them with commas, such as -m state --state INVALID,NEW.
To match the hardware (MAC) address of an Ethernet device, use the mac module, which accepts --mac-source plus a MAC address as an option. To exclude a MAC address from a rule, negate the option with an exclamation point (!); the syntax shown in this guide places it after --mac-source, whereas current versions of iptables expect it before the option, as in -m mac ! --mac-source <address>. The mac module examines only the source address of the received Ethernet frame, so it works only in the PREROUTING, INPUT and FORWARD chains and only for hosts on the same link; a MAC address is not preserved across a router. Because a MAC address is easily forged, treat it as a filter, not as authentication.
To view other match options available through modules, see the iptables man page.
13.3.6. Target Options
Once a packet has matched a particular rule, the rule can direct the packet to a number of different targets that decide its fate and, possibly, take additional actions, such as logging the packet. In addition, each built-in chain has a default policy, which is applied if none of the rules on that chain match the packet or if none of the matching rules specify a target (a rule without a target only counts the packet; checking continues with the next rule). User-defined chains have no policy: a packet that reaches the end of one without a decision returns to the chain that called it.
There are only a few standard targets available to decide what happens with the packet:
• user-defined-chain — The name of a previously created chain within the same table. The packet is checked against that chain's rules; if none of them decides its fate, checking resumes in the calling chain at the rule after the jump.
• ACCEPT — Lets the packet through. No further rules in the current chain are checked, and the packet continues on its way (to a local process, to be forwarded, or out onto the wire), though chains in other tables may still examine it.
• DROP — Discards the packet without responding to the sender, which is not notified of the failure; the packet is simply removed from rule checking in the chain and discarded. (The related REJECT target module, by contrast, sends back an ICMP error or a TCP reset.)
• QUEUE — Passes the packet to a user-space application for a decision. Current kernels do this with the NFQUEUE target, which takes a queue number.
• RETURN — Stops checking the packet against the rules in the current chain. In a user-defined chain, the packet is returned to the chain that called it, where checking resumes at the rule after the jump. In a built-in chain there is no caller to return to, so the chain's default policy decides what happens to the packet.
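As an added example that is not from the Red Hat Linux guide, the following script puts the state and mac matches from the previous section and the targets listed above (a user-defined chain, ACCEPT, DROP and RETURN, plus the LOG target module described in the paragraphs that follow) into one complete filter-table ruleset in iptables-restore format. It also adds two static checks a practitioner would run before loading: every chain named after -j must be declared, and a chain that contains a LOG rule must DROP or REJECT after it. The management subnet 192.0.2.0/24 and the MAC address 00:11:22:33:44:55 are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the Red Hat Linux guide): a filter-table ruleset in
# iptables-restore format exercising the state and mac matches, a user-defined chain,
# RETURN, LOG and the built-in chain's policy. The ruleset is produced as text so it
# can be reviewed without root; on a real host apply it with:
#   build_ruleset | iptables-restore
# 192.0.2.0/24 and 00:11:22:33:44:55 are assumed placeholder values.

build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ADMIN - [0:0]
:LOGDROP - [0:0]
# Loopback traffic is unrestricted.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus related traffic such as ICMP errors.
# (-m state is still accepted; -m conntrack --ctstate is the newer equivalent.)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets the connection tracker cannot classify are logged, then dropped.
-A INPUT -m state --state INVALID -j LOGDROP
# New SSH connections (SYN only, so a mid-stream packet is not treated as NEW) go to ADMIN.
-A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ADMIN
# Anything that falls off the end of INPUT is handled by the INPUT policy (DROP).
# ADMIN accepts SSH only from the management subnet and a known MAC (assumed values);
# everything else RETURNs to INPUT, where no later rule matches and the policy applies.
-A ADMIN -s 192.0.2.0/24 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
-A ADMIN -j RETURN
# LOG is non-terminating, so DROP must follow it in the same chain; limit prevents log floods.
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables INVALID: " --log-level warning
-A LOGDROP -j DROP
COMMIT
EOF
}

# Static checks on a ruleset read from stdin. Returns 0 only if every -j target that is
# not a built-in verdict is a declared chain, and every chain holding a LOG rule has a
# DROP or REJECT rule after it (otherwise the logged packet just continues).
check_ruleset() {
    rules=$(cat)
    for target in $(printf '%s\n' "$rules" | sed -n '/^-A /s/.* -j \([A-Za-z0-9_]*\).*/\1/p' | sort -u); do
        case "$target" in ACCEPT|DROP|REJECT|RETURN|LOG|QUEUE|NFQUEUE) continue ;; esac
        printf '%s\n' "$rules" | grep -q "^:$target " \
            || { echo "undeclared chain: $target" >&2; return 1; }
    done
    for chain in $(printf '%s\n' "$rules" | awk '/^-A / && / -j LOG( |$)/ { print $2 }' | sort -u); do
        printf '%s\n' "$rules" | awk -v c="$chain" '
            $1 == "-A" && $2 == c {
                if (seen_log && ($NF == "DROP" || $NF == "REJECT")) ok = 1
                if (/ -j LOG( |$)/) seen_log = 1
            }
            END { exit ok ? 0 : 1 }' \
            || { echo "LOG rule in chain $chain is not followed by DROP or REJECT" >&2; return 1; }
    done
    return 0
}

# Optional dry run with the real parser (needs root; --test is available in current versions).
dry_run() {
    command -v iptables-restore >/dev/null 2>&1 \
        || { echo "iptables-restore not installed" >&2; return 2; }
    build_ruleset | iptables-restore --test
}

# Run stand-alone: check the ruleset, then print it so it can be saved or piped to iptables-restore.
build_ruleset | check_ruleset || exit 1
build_ruleset
```

The ADMIN chain shows RETURN in practice: an SSH SYN from anywhere but the management subnet and MAC falls back into INPUT at the rule after the jump, no later rule matches, and the INPUT policy (DROP) discards it. After loading as root, iptables-save shows the installed rules and iptables -L -v -n the per-rule counters.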
In addition to these standard targets, various other targets may be used with extensions called target
modules. For more information about match option modules, see Section 13.3.5.4.
There are many extended target modules, most of which only apply to specific tables or situations. A
couple of the most popular target modules included by default in Red Hat Linux are:
• LOG — Logs all packets that match this rule. LOG is not a terminating target: after the packet is logged, checking continues with the next rule, so a rule that logs unwanted traffic is normally followed by a DROP or REJECT rule with the same match, and is usually combined with the limit module so that a flood of packets cannot fill the logs. Since the packets are logged by the kernel, the /etc/syslog.conf file determines where these log entries are written. By default, they are placed in the /var/log/messages file. (On current distributions, rsyslog or the systemd journal plays the role of syslog.conf, and the entries can also be read from the kernel ring buffer with dmesg.)
Various options can be used after the LOG target to specify the way in which logging occurs:
• --log-level — Sets the syslog priority level of the logging event. A list of priority levels can be found in the syslog.conf man page.
• --log-ip-options — Any options set in the IP header of the packet are logged.