Technical data
3. Base configuration
• source (source address, source port or both)
• destination (destination address, destination port or both)
• protocol
• interface on which the packet comes in or goes out
• MAC-address of the originating PC
• state of the packet or the connection the packet comes from
If a packet comes in, the entries (or rather the rules generated from them) are processed from top
to bottom and the action of the first entry whose conditions all apply is performed. If none of the rules
matches, the default action is executed, which may be specified for (almost) any table.
An entry has the following format, bearing in mind that all restrictions are optional:
restriction{0,} [[source] [destination]] action [BIDIRECTIONAL|LOG|NOLOG]
At all points where networks, IP addresses or hosts need to be specified, you can also refer to
IP_NET_%, IP_NET_%_IPADDR or, via @hostname, to a host from HOST_%. If OPT_DNS is enabled, then
outside of actions hosts which are not mentioned in HOST_% can also be referenced by their names
via @fqdn. This is particularly useful when dealing with external hosts which have many (and
changing) IP addresses.
3.10.1. Packet Filter Actions
The following actions apply:
Action      Chain(s)                Meaning
ACCEPT      all                     Accept the packet.
DROP        INPUT, FORWARD, OUTPUT  Drop the packet (the sender only notices this
                                    because no answer and no error message comes
                                    back).
REJECT      INPUT, FORWARD, OUTPUT  Reject the packet (the sender gets a
                                    corresponding error message).
LOG         all                     Log the packet and proceed to the next rule.
                                    To distinguish log entries a prefix may be
                                    used, specified by LOG:log-prefix.
MASQUERADE  POSTROUTING             Masquerade the packet: replace the source
                                    address of the packet by the router's own
                                    address and make sure that replies for this
                                    connection are redirected to the correct
                                    computer.
SNAT        POSTROUTING             Replace source address and source port of the
                                    packet by the address specified as a parameter
                                    for SNAT (for all packets belonging to the
                                    connection under consideration).
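As an added illustration (not code from the fli4l documentation), the following small Python evaluator models entries in the format given above together with the top-to-bottom, first-match semantics, the LOG fall-through and the BIDIRECTIONAL modifier from the table. It assumes, for simplicity, that source and destination are written as CIDR networks or `any`, that restrictions are omitted, and that a lone address before the action is the source; `parse_rule`, `evaluate` and the sample rule set are constructed for this example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
FLAGS = {"BIDIRECTIONAL", "LOG", "NOLOG"}

@dataclass
class Rule:
    src: ipaddress.IPv4Network | None   # None stands for "any"
    dst: ipaddress.IPv4Network | None
    action: str                          # ACCEPT, DROP, REJECT or LOG
    log_prefix: str | None               # the log-prefix of LOG:log-prefix
    bidirectional: bool

def parse_rule(entry: str) -> Rule:
    """Parse '[source] [destination] action [BIDIRECTIONAL|LOG|NOLOG]'.
    Assumption: addresses are CIDR networks or 'any'; a lone address is the source."""
    tokens = entry.split()
    flags = set()
    while tokens[-1] in FLAGS:            # trailing modifiers
        flags.add(tokens.pop())
    action, prefix = tokens.pop(), None
    if action.startswith("LOG:"):
        action, prefix = "LOG", action[4:]
    nets = [None if t == "any" else ipaddress.ip_network(t, strict=False) for t in tokens]
    nets += [None] * (2 - len(nets))      # omitted fields mean "any"
    return Rule(nets[0], nets[1], action, prefix, "BIDIRECTIONAL" in flags)

def _hits(rule, src, dst):
    return (rule.src is None or src in rule.src) and (rule.dst is None or dst in rule.dst)

def evaluate(rules, src, dst, default="DROP"):
    """Top to bottom: the first terminal match wins, LOG rules record an entry and
    fall through, and no match yields the chain's default action."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    logged = []
    for rule in rules:
        if not (_hits(rule, s, d) or (rule.bidirectional and _hits(rule, d, s))):
            continue
        if rule.action == "LOG":
            logged.append(rule.log_prefix)
            continue
        return rule.action, logged
    return default, logged

# Constructed sample rule set, not taken from the fli4l documentation
RULES = [parse_rule(e) for e in (
    "192.168.6.0/24 203.0.113.0/24 ACCEPT BIDIRECTIONAL",
    "10.0.0.0/8 192.168.6.0/24 LOG:dmz-probe",
    "10.0.0.0/8 192.168.6.0/24 REJECT",
)]
```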