Technical data

3. Base configuration
Interface Constraints
A rule can be restricted to the interface on which a packet was received or on which it will be
transmitted. The format is: if:in:out
In the INPUT chain the outbound interface cannot be restricted (the packet is delivered locally
and never leaves the router); in the POSTROUTING chain the receiving interface cannot be
restricted, because that information no longer exists at this point. Only in the FORWARD chain
can constraints on both interfaces be defined.
Possible values for in and out:
lo (loopback interface, local communication on the router)
IP_NET_x_DEV
pppoe (the PPPoE interface; only available if the package dsl or pppoe_server is activated)
any (no restriction)
Protocol Constraints
A rule can be restricted to the protocol a packet belongs to. The format is prot:protocol, or
prot:icmp:icmp-type for ICMP. protocol can be set to one of the following values:
tcp
udp
gre (Generic Routing Encapsulation)
icmp (optionally followed by the name of the ICMP type to be filtered, echo-reply or
echo-request, e.g. prot:icmp:echo-request)
numeric protocol number (e.g. 41 for IPv6 encapsulated in IPv4)
any (no restriction)
If no protocol constraint is given but the rule uses port numbers, the rule is generated twice,
once for tcp and once for udp.
MAC-Address Constraints
Via mac:mac-address a constraint on the MAC address may be specified. Note that the underlying
iptables mac match only sees the source MAC of a frame received on an Ethernet-type interface,
so it can be used in the PREROUTING, INPUT and FORWARD chains but not in POSTROUTING.
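The interface, protocol and MAC constraints above map almost one-to-one onto iptables options. The following Python script is an added example, not fli4l's own rule generator: it expands a constraint string of the form described on this page into iptables argument lists and enforces the per-chain limits just stated (no out-interface in INPUT, no in-interface in POSTROUTING, no mac match in POSTROUTING), handles prot:icmp:icmp-type, numeric protocol numbers and prot:any, and emits a rule twice (tcp and udp) when a port is given without a protocol. The interface-to-device mapping (IP_NET_1_DEV to eth0, pppoe to ppp0) and the port:N token are assumptions made for this example; fli4l's real port syntax is not shown on this page.

```python
"""Translate fli4l-style packet-filter constraints into iptables arguments.

Added example for this page, not fli4l's own rule generator.  It models the
constraint syntax described above (if:in:out, prot:protocol,
prot:icmp:icmp-type, mac:mac-address) and adds one hypothetical token,
port:N, so the "generated twice, for tcp and udp" behaviour can be shown.
"""
import re

# Assumed mapping from fli4l interface names to kernel device names
# (constructed for this example; on a router IP_NET_x_DEV comes from the config).
IFACE_DEVS = {"lo": "lo", "pppoe": "ppp0", "IP_NET_1_DEV": "eth0", "IP_NET_2_DEV": "eth1"}

# Interface matches (-i / -o) that iptables accepts in each chain.
CHAIN_IFACES = {
    "INPUT": {"in"},           # delivered locally, there is no output device
    "FORWARD": {"in", "out"},
    "POSTROUTING": {"out"},    # the input device is no longer known here
}
# The iptables mac match only works where the source MAC is still known.
MAC_CHAINS = {"PREROUTING", "INPUT", "FORWARD"}

NAMED_PROTOCOLS = {"tcp", "udp", "gre", "icmp"}
ICMP_TYPES = {"echo-request", "echo-reply"}   # the two names the page lists
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _device(name, direction, chain):
    """Resolve an interface name for -i/-o, enforcing the per-chain limits."""
    if name == "any":
        return None
    if direction not in CHAIN_IFACES[chain]:
        raise ValueError(f"{direction} interface cannot be restricted in {chain}")
    if name not in IFACE_DEVS:
        raise ValueError(f"unknown interface {name!r}")
    return IFACE_DEVS[name]


def build_rules(chain, constraints, target="ACCEPT"):
    """Return the iptables argument list(s) one constraint string expands to."""
    if chain not in CHAIN_IFACES:
        raise ValueError(f"unsupported chain {chain!r}")
    in_dev = out_dev = mac = port = icmp_type = None
    proto = None                      # None means "any"
    for token in constraints.split():
        key, _, value = token.partition(":")
        if key == "if":
            in_name, _, out_name = value.partition(":")
            if not out_name:
                raise ValueError("interface constraint must be if:in:out")
            in_dev = _device(in_name, "in", chain)
            out_dev = _device(out_name, "out", chain)
        elif key == "prot":
            name, _, sub = value.partition(":")
            # Only icmp takes a sub-type, and only the names the page lists.
            if sub and (name != "icmp" or sub not in ICMP_TYPES):
                raise ValueError(f"bad protocol sub-type in {token!r}")
            icmp_type = sub or None
            if name == "any":
                proto = None
            elif name in NAMED_PROTOCOLS or name.isdigit():
                proto = name
            else:
                raise ValueError(f"unknown protocol {name!r}")
        elif key == "mac":
            if not MAC_RE.match(value):
                raise ValueError(f"malformed MAC address {value!r}")
            if chain not in MAC_CHAINS:
                raise ValueError(f"mac match is not available in {chain}")
            mac = value
        elif key == "port":           # hypothetical token, not fli4l syntax
            port = int(value)
        else:
            raise ValueError(f"unknown constraint {token!r}")

    # Ports without a protocol: emit the rule once for tcp and once for udp.
    if port is not None and proto is None:
        protos = ["tcp", "udp"]
    elif port is not None and proto not in ("tcp", "udp"):
        raise ValueError("port numbers only apply to tcp or udp")
    else:
        protos = [proto]

    rules = []
    for p in protos:
        args = ["-A", chain]
        for flag, val in (("-i", in_dev), ("-o", out_dev), ("-p", p), ("--icmp-type", icmp_type)):
            if val:
                args += [flag, val]
        if port is not None:
            args += ["--dport", str(port)]
        if mac:
            args += ["-m", "mac", "--mac-source", mac]
        rules.append(args + ["-j", target])
    return rules


def rejection(chain, constraints):
    """The error message for an invalid constraint string, or None if valid."""
    try:
        build_rules(chain, constraints)
    except ValueError as exc:
        return str(exc)
    return None


def render(chain, constraints, target="ACCEPT"):
    """Shell command lines, one per generated rule."""
    return ["iptables " + " ".join(r) for r in build_rules(chain, constraints, target)]
```

For example, render("FORWARD", "if:IP_NET_1_DEV:pppoe port:53") yields two lines, one with -p tcp and one with -p udp, while rejection("INPUT", "if:any:pppoe") returns an error because the INPUT chain has no output device to match on.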
Packet State Constraints
fli4l's packet filter keeps track of the state of connections. This information can be used to
filter packets, e.g. to let only packets pass that belong to already existing connections. The
state of a connection can take these values (see footnote 3):
3 see http://www.sns.ias.edu/~jns/files/iptables_talk/x38.htm for a detailed description