Packet Walk
When a packet comes in via one of the interface ports, the base switch makes a routing decision.
If the packet was destined for the base switch itself or if the send to CPU action is specified, it is
sent to the INPUT chain for further processing. If there is no valid way to forward the packet, it is
dropped. If the switch is configured to forward the packet, it is sent to the FORWARD chain.
Next the hardware FORWARD chain is walked. If a rule has been inserted whose conditions match the
packet headers, that rule is applied, and its policy decides the packet's fate.
In essence, a filter rule scans the packet data for certain characteristics. Upon a match, the
rule's selected 'target' is executed. The target decides what should happen to the packet.
Filter Rules Specifications
A rule can be appended (-A) to a chain, deleted (-D) from a chain, replaced (-R) in a chain, or
inserted (-I) at a specific position in a chain. Each rule specifies a set of conditions the packet
must meet, and what to do if it meets them ('what to do' is referred to as a 'target').
Here's an example filter rule:
iptables -A FORWARD -p UDP -s 0/0 -d 10.0.0.1/32 --source-port 53 -j DROP
This adds to the FORWARD chain the rule: "If you see UDP packets (-p UDP) from anywhere
(-s 0/0) going to host 10.0.0.1 (-d 10.0.0.1/32) with a source port number 53 (--source-port 53),
then the target is to DROP (-j DROP)." More details on rule specifications follow.
Specifying Source and Destination IP Addresses
Source (-s, --source or --src) and destination (-d, --destination or --dst) IP addresses can
be specified in four ways. The most common way is to use the full name, such as localhost or
www.linuxhq.com. The second way is to specify the IP address, such as 127.0.0.1.
Netmasks can be applied to IP addresses to specify ranges, like 199.95.207.0/24 or
199.95.207.0/255.255.255.0. Both specify any IP address from 199.95.207.0 to 199.95.207.255
inclusive. To specify an all-inclusive IP address, /0 can be used, like -s 0/0 or -d 0/0. The example
rule we use above applies this trick. Note, however, that the effect above is the same as not
specifying the -s option at all.
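The chain walk and the address, protocol and port conditions described above can be illustrated with a small simulation. The following Python is an added example written for this page; it is not the switch's or iptables' own code. It models a chain as an ordered rule list with the four editing operations (-A, -I, -D, -R), parses rule specifications in the guide's syntax using the standard ipaddress module to handle the /24, /255.255.255.0 and 0/0 address forms, and returns the target of the first matching rule or an assumed default chain policy of ACCEPT. Hostnames are not resolved, so the name form is left out to keep the example offline; the sample rules and packets are constructed.

```python
"""Toy evaluator for iptables-style filter rules (added illustration, not the
switch's own code). Mirrors the guide's chain walk: the first matching rule's
target decides the packet's fate, otherwise the chain policy applies."""
import ipaddress
import shlex

# Protocol names the guide mentions; case does not matter, so we lower-case input.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def parse_network(spec):
    """Accept the address forms the guide lists: a plain IP (treated as /32),
    a CIDR prefix like 199.95.207.0/24, a dotted netmask like
    199.95.207.0/255.255.255.0, and the all-inclusive shorthand 0/0."""
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        if addr == "0":  # iptables shorthand 0/0 -> 0.0.0.0/0
            addr = "0.0.0.0"
        spec = f"{addr}/{mask}"
    # strict=False allows host bits to be set, as iptables does
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(spec):
    """Parse a rule specification (everything after the chain name), e.g.
    '-p UDP -s 0/0 -d 10.0.0.1/32 --source-port 53 -j DROP', into a dict of
    match conditions plus the target. Unset conditions match anything."""
    tokens = shlex.split(spec)
    if len(tokens) % 2:
        raise ValueError("every option needs a value")
    rule = {"proto": None, "src": None, "dst": None, "sport": None, "target": None}
    for opt, val in zip(tokens[::2], tokens[1::2]):
        if opt in ("-p", "--protocol"):
            if val.isdigit():
                rule["proto"] = int(val)
            elif val.lower() in PROTO_NUMBERS:
                rule["proto"] = PROTO_NUMBERS[val.lower()]
            else:
                raise ValueError(f"unknown protocol {val}")
        elif opt in ("-s", "--source", "--src"):
            rule["src"] = parse_network(val)
        elif opt in ("-d", "--destination", "--dst"):
            rule["dst"] = parse_network(val)
        elif opt in ("--source-port", "--sport"):
            rule["sport"] = int(val)
        elif opt in ("-j", "--jump"):
            rule["target"] = val
        else:
            raise ValueError(f"unsupported option {opt}")
    if rule["target"] is None:
        raise ValueError("rule has no target (-j)")
    return rule


def matches(rule, pkt):
    """A rule matches only if every condition it specifies holds for the packet.
    A missing -s and -s 0/0 behave the same, as the guide notes."""
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.get("sport"):
        return False
    return True


class Chain:
    """Ordered rule list with the four editing operations the guide names.
    Positions are 1-based, as in iptables."""

    def __init__(self, policy="ACCEPT"):  # default policy is an assumption of this example
        self.rules = []
        self.policy = policy

    def append(self, spec):            # -A
        self.rules.append(parse_rule(spec))

    def insert(self, spec, position=1):  # -I
        self.rules.insert(position - 1, parse_rule(spec))

    def delete(self, position):        # -D
        del self.rules[position - 1]

    def replace(self, position, spec):  # -R
        self.rules[position - 1] = parse_rule(spec)

    def walk(self, pkt):
        """Walk the chain: first matching rule decides, else the chain policy."""
        for rule in self.rules:
            if matches(rule, pkt):
                return rule["target"]
        return self.policy


def demo():
    """Constructed sample: the guide's example rule plus a dotted-netmask rule,
    walked for a UDP packet from port 53 to 10.0.0.1 and for one to 10.0.0.2."""
    forward = Chain(policy="ACCEPT")
    forward.append("-p UDP -s 0/0 -d 10.0.0.1/32 --source-port 53 -j DROP")
    forward.append("-p tcp -s 199.95.207.0/255.255.255.0 -j ACCEPT")
    to_protected = {"proto": 17, "src": "192.0.2.53", "dst": "10.0.0.1", "sport": 53}
    to_other = {"proto": 17, "src": "192.0.2.53", "dst": "10.0.0.2", "sport": 53}
    return forward.walk(to_protected), forward.walk(to_other)


if __name__ == "__main__":
    print(demo())
```

Because conditions are combined with AND and an unset condition matches everything, a rule written with -s 0/0 and the same rule with no -s at all select exactly the same packets, which is the equivalence the guide points out.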
Specifying Protocol
The protocol can be specified with the -p (or --protocol) flag. The protocol can be a number (if you
know the numeric protocol values for IP) or a name for the special cases of TCP, UDP or ICMP.
Case doesn't matter, so tcp works as well as TCP.
Specifying an ICMP Message Type
If the protocol is ICMP, the --icmp-type option can be used to match a specific message type, for
example:
Ethernet Switch Blade User's Guide, release 3.2.2j, page 110