summaryrefslogtreecommitdiffstats
path: root/extensions
diff options
context:
space:
mode:
authorJonas Berlin <xkr47@outerspace.dyndns.org>2005-04-01 06:54:23 +0000
committerHarald Welte <laforge@gnumonks.org>2005-04-01 06:54:23 +0000
commitf33c46140f0e0a230aba5d739ce40cb14e066b13 (patch)
treee0d8b16f1fe5c33ce1bc2a0e2ab9a68f2e54f96c /extensions
parent4a06cf0bd2f5e18eb0149945724b0b4299eec5ea (diff)
add lots of man pages (Jonas Berlin)
Diffstat (limited to 'extensions')
-rw-r--r--extensions/libipt_IPMARK.man45
-rw-r--r--extensions/libipt_IPV4OPTSSTRIP.man5
-rw-r--r--extensions/libipt_SAME.man11
-rw-r--r--extensions/libipt_TARPIT.man34
-rw-r--r--extensions/libipt_XOR.man7
-rw-r--r--extensions/libipt_account.man47
-rw-r--r--extensions/libipt_comment.man6
-rw-r--r--extensions/libipt_connbytes.man30
-rw-r--r--extensions/libipt_connlimit.man21
-rw-r--r--extensions/libipt_hashlimit.man35
-rw-r--r--extensions/libipt_ipv4options.man32
-rw-r--r--extensions/libipt_osf.man47
-rw-r--r--extensions/libipt_psd.man18
-rw-r--r--extensions/libipt_quota.man7
-rw-r--r--extensions/libipt_recent.man93
-rw-r--r--extensions/libipt_sctp.man28
-rw-r--r--extensions/libipt_u32.man8
17 files changed, 474 insertions, 0 deletions
diff --git a/extensions/libipt_IPMARK.man b/extensions/libipt_IPMARK.man
new file mode 100644
index 00000000..e4659b01
--- /dev/null
+++ b/extensions/libipt_IPMARK.man
@@ -0,0 +1,45 @@
+Allows you to mark a received packet basing on its IP address. This
+can replace many mangle/mark entries with only one, if you use
+firewall based classifier.
+
+This target is to be used inside the mangle table, in the PREROUTING,
+POSTROUTING or FORWARD hooks.
+.TP
+.BI "--addr " "src/dst"
+Use source or destination IP address.
+.TP
+.BI "--and-mask " "mask"
+Perform bitwise `and' on the IP address and this mask.
+.TP
+.BI "--or-mask " "mask"
+Perform bitwise `or' on the IP address and this mask.
+.P
+The order of IP address bytes is reversed to meet "human order of bytes":
+192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
+`or'.
+
+Examples:
+
+We create a queue for each user, the queue number is adequate
+to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
+are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
+
+We have one classifier rule:
+.IP
+tc filter add dev eth3 parent 1:0 protocol ip fw
+.P
+Earlier we had many rules just like below:
+.IP
+iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
+--set-mark 0x10502
+.IP
+iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
+--set-mark 0x10503
+.P
+Using IPMARK target we can replace all the mangle/mark rules with only one:
+.IP
+iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
+--and-mask=0xffff --or-mask=0x10000
+.P
+On the routers with hundreds of users there should be significant load
+decrease (e.g. twice).
diff --git a/extensions/libipt_IPV4OPTSSTRIP.man b/extensions/libipt_IPV4OPTSSTRIP.man
new file mode 100644
index 00000000..a17d8a25
--- /dev/null
+++ b/extensions/libipt_IPV4OPTSSTRIP.man
@@ -0,0 +1,5 @@
+Strip all the IP options from a packet.
+
+The target doesn't take any option, and therefore is extremly easy to use :
+
+# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
new file mode 100644
index 00000000..817c2001
--- /dev/null
+++ b/extensions/libipt_SAME.man
@@ -0,0 +1,11 @@
+Similar to SNAT/DNAT depending on chain: it takes a range of addresses
+(`--to 1.2.3.4-1.2.3.7') and gives a client the same
+source-/destination-address for each connection.
+.TP
+.BI "--to " "<ipaddr>-<ipaddr>"
+Addresses to map source to. May be specified more than once for
+multiple ranges.
+.TP
+.B "--nodst"
+Don't use the destination-ip in the calculations when selecting the
+new source-ip
diff --git a/extensions/libipt_TARPIT.man b/extensions/libipt_TARPIT.man
new file mode 100644
index 00000000..26526b76
--- /dev/null
+++ b/extensions/libipt_TARPIT.man
@@ -0,0 +1,34 @@
+Captures and holds incoming TCP connections using no local
+per-connection resources. Connections are accepted, but immediately
+switched to the persist state (0 byte window), in which the remote
+side stops sending data and asks to continue every 60-240 seconds.
+Attempts to close the connection are ignored, forcing the remote side
+to time out the connection in 12-24 minutes.
+
+This offers similar functionality to LaBrea
+<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
+hardware or IPs. Any TCP port that you would normally DROP or REJECT
+can instead become a tarpit.
+
+To tarpit connections to TCP port 80 destined for the current machine:
+.IP
+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
+.P
+To significantly slow down Code Red/Nimda-style scans of unused address
+space, forward unused ip addresses to a Linux box not acting as a router
+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
+forwarding on the Linux box, and add:
+.IP
+iptables -A FORWARD -p tcp -j TARPIT
+.IP
+iptables -A FORWARD -j DROP
+.TP
+NOTE:
+If you use the conntrack module while you are using TARPIT, you should
+also use the NOTRACK target, or the kernel will unnecessarily allocate
+resources for each TARPITted connection. To TARPIT incoming
+connections to the standard IRC port while using conntrack, you could:
+.IP
+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+.IP
+iptables -A INPUT -p tcp --dport 6667 -j TARPIT
diff --git a/extensions/libipt_XOR.man b/extensions/libipt_XOR.man
new file mode 100644
index 00000000..712b4723
--- /dev/null
+++ b/extensions/libipt_XOR.man
@@ -0,0 +1,7 @@
+Encrypt TCP and UDP traffic using a simple XOR encryption
+.TP
+.BI "--key " "string"
+Set key to "string"
+.TP
+.BI "--block-size"
+Set block size
diff --git a/extensions/libipt_account.man b/extensions/libipt_account.man
new file mode 100644
index 00000000..fcbb179a
--- /dev/null
+++ b/extensions/libipt_account.man
@@ -0,0 +1,47 @@
+Account traffic for all hosts in defined network/netmask.
+
+Features:
+
+- long (one counter per protocol TCP/UDP/IMCP/Other) and short statistics
+
+- one iptables rule for all hosts in network/netmask
+
+- loading/saving counters (by reading/writting to procfs entries)
+
+.TP
+.BI "--aaddr " "network/netmask"
+defines network/netmask for which make statistics.
+.TP
+.BI "--aname " "name"
+defines name of list where statistics will be kept. If no is
+specified DEFAULT will be used.
+.TP
+.B "--ashort"
+table will colect only short statistics (only total counters
+without splitting it into protocols.
+.P
+Example usage:
+
+account traffic for/to 192.168.0.0/24 network into table mynetwork:
+
+# iptables -A FORWARD -m account --aname mynetwork --aaddr 192.168.0.0/24
+
+account traffic for/to WWW serwer for 192.168.0.0/24 network into table mywwwserver:
+
+# iptables -A INPUT -p tcp --dport 80
+ -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
+
+# iptables -A OUTPUT -p tcp --sport 80
+ -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
+
+read counters:
+
+# cat /proc/net/ipt_account/mynetwork
+# cat /proc/net/ipt_account/mywwwserver
+
+set counters:
+
+# echo "ip = 192.168.0.1 packets_src = 0" > /proc/net/ipt_account/mywwserver
+
+Webpage:
+ http://www.barbara.eu.org/~quaker/ipt_account/
diff --git a/extensions/libipt_comment.man b/extensions/libipt_comment.man
new file mode 100644
index 00000000..2f4ce55d
--- /dev/null
+++ b/extensions/libipt_comment.man
@@ -0,0 +1,6 @@
+Allows you to add comments (up to 256 characters) to any rule.
+.TP
+.BI "--comment " "comment"
+.TP
+Example:
+iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"
diff --git a/extensions/libipt_connbytes.man b/extensions/libipt_connbytes.man
new file mode 100644
index 00000000..ce7b6659
--- /dev/null
+++ b/extensions/libipt_connbytes.man
@@ -0,0 +1,30 @@
+Match by how many bytes or packets a connection (or one of the two
+flows constituting the connection) have tranferred so far, or by
+average bytes per packet.
+
+The counters are 64bit and are thus not expected to overflow ;)
+
+The primary use is to detect long-lived downloads and mark them to be
+scheduled using a lower priority band in traffic control.
+
+The transfered bytes per connection can also be viewed through
+/proc/net/ip_conntrack and accessed via ctnetlink
+.TP
+[\fB!\fR]\fB --connbytes \fIfrom\fB:\fR[\fIto\fR]
+match packets from a connection whose packets/bytes/average packet
+size is more than FROM and less than TO bytes/packets. if TO is
+omitted only FROM check is done. "!" is used to match packets not
+falling in the range.
+.TP
+\fB--connbytes-dir\fR [\fBoriginal\fR|\fBreply\fR|\fBboth\fR]
+which packets to consider
+.TP
+\fB--connbytes-mode\fR [\fBpackets\fR|\fBbytes\fR|\fBavgpkt\fR]
+whether to check the amount of packets, number of bytes transferred or
+the average size (in bytes) of all packets received so far. Note that
+when "both" is used together with "avgpkt", and data is going (mainly)
+only in one direction (for example HTTP), the average packet size will
+be about half of the actual data packets.
+.TP
+Example:
+iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
diff --git a/extensions/libipt_connlimit.man b/extensions/libipt_connlimit.man
new file mode 100644
index 00000000..404ee327
--- /dev/null
+++ b/extensions/libipt_connlimit.man
@@ -0,0 +1,21 @@
+Allows you to restrict the number of parallel TCP connections to a
+server per client IP address (or address block).
+.TP
+[\fB!\fR] \fB--connlimit-above \fIn\fR
+match if the number of existing tcp connections is (not) above n
+.TP
+.BI "--connlimit-mask " "bits"
+group hosts using mask
+.P
+Examples:
+.TP
+# allow 2 telnet connections per client host
+iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
+.TP
+# you can also match the other way around:
+iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
+.TP
+# limit the nr of parallel http requests to 16 per class C sized \
+network (24 bit netmask)
+iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
+--connlimit-mask 24 -j REJECT
diff --git a/extensions/libipt_hashlimit.man b/extensions/libipt_hashlimit.man
new file mode 100644
index 00000000..1b0a5d44
--- /dev/null
+++ b/extensions/libipt_hashlimit.man
@@ -0,0 +1,35 @@
+This patch adds a new match called 'hashlimit'.
+The idea is to have something like 'limit', but either per
+destination-ip or per (destip,destport) tuple.
+
+It gives you the ability to express
+.IP
+ '1000 packets per second for every host in 192.168.0.0/16'
+.IP
+ '100 packets per second for every service of 192.168.1.1'
+.P
+with a single iptables rule.
+.TP
+.BI "--hashlimit " "rate"
+A rate just like the limit match
+.TP
+.BI "--hashlimit-burst " "num"
+Burst value, just like limit match
+.TP
+.BI "--hashlimit-mode " "destip | destip-destport"
+Limit per IP or per port
+.TP
+.BI "--hashlimit-name " "foo"
+The name for the /proc/net/ipt_hashlimit/foo entry
+.TP
+.BI "--hashlimit-htable-size " "num"
+The number of buckets of the hash table
+.TP
+.BI "--hashlimit-htable-max " "num"
+Maximum entries in the hash
+.TP
+.BI "--hashlimit-htable-expire " "num"
+After how many miliseconds do hash entries expire
+.TP
+.BI "--hashlimit-htable-gcinterval " "num"
+How many miliseconds between garbage collection intervals
diff --git a/extensions/libipt_ipv4options.man b/extensions/libipt_ipv4options.man
new file mode 100644
index 00000000..122dc68d
--- /dev/null
+++ b/extensions/libipt_ipv4options.man
@@ -0,0 +1,32 @@
+Match on IPv4 header options like source routing, record route,
+timestamp and router-alert.
+.TP
+.B "--ssrr"
+To match packets with the flag strict source routing.
+.TP
+.B "--lsrr"
+To match packets with the flag loose source routing.
+.TP
+.B "--no-srr"
+To match packets with no flag for source routing.
+.TP
+.B "\fR[\fB!\fR]\fB --rr"
+To match packets with the RR flag.
+.TP
+.B "\fR[\fB!\fR]\fB --ts"
+To match packets with the TS flag.
+.TP
+.B "\fR[\fB!\fR]\fB --ra"
+To match packets with the router-alert option.
+.TP
+.B "\fR[\fB!\fR]\fB --any-opt"
+To match a packet with at least one IP option, or no IP option
+at all if ! is chosen.
+.TP
+Examples:
+.TP
+$ iptables -A input -m ipv4options --rr -j DROP
+will drop packets with the record-route flag.
+.TP
+$ iptables -A input -m ipv4options --ts -j DROP
+will drop packets with the timestamp flag.
diff --git a/extensions/libipt_osf.man b/extensions/libipt_osf.man
new file mode 100644
index 00000000..38d25a03
--- /dev/null
+++ b/extensions/libipt_osf.man
@@ -0,0 +1,47 @@
+The idea of passive OS fingerprint matching exists for quite a long time,
+but was created as extension fo OpenBSD pf only some weeks ago.
+Original idea was lurked in some OpenBSD mailing list (thanks
+grange@open...) and than adopted for Linux netfilter in form of this code.
+
+Original fingerprint table was created by Michal Zalewski <lcamtuf@coredump.cx>.
+
+This module compares some data(WS, MSS, options and it's order, ttl,
+df and others) from first SYN packet (actually from packets with SYN
+bit set) with dynamically loaded OS fingerprints.
+.TP
+.B "--log 1/0"
+If present, OSF will log determined genres even if they don't match
+desired one.
+0 - log all determined entries,
+1 - only first one.
+
+In syslog you find something like this:
+.IP
+ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
+.IP
+ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
+.TP
+.B "--smart"
+if present, OSF will use some smartness to determine remote OS.
+OSF will use initial TTL only if source of connection is in our local network.
+.TP
+.B "--netlink"
+If present, OSF will log all events also through netlink NETLINK_NFLOG groupt 1.
+.TP
+.BI "--genre " "[!] string"
+Match a OS genre by passive fingerprinting
+.P
+Example:
+
+#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
+
+NOTE: -p tcp is obviously required as it is a TCP match.
+
+Fingerprints can be loaded and read through /proc/sys/net/ipv4/osf file.
+One can flush all fingerprints with following command:
+.IP
+echo -en FLUSH > /proc/sys/net/ipv4/osf
+.P
+Only one fingerprint per open/write/close.
+
+Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
diff --git a/extensions/libipt_psd.man b/extensions/libipt_psd.man
new file mode 100644
index 00000000..b73fffc0
--- /dev/null
+++ b/extensions/libipt_psd.man
@@ -0,0 +1,18 @@
+Attempt to detect TCP and UDP port scans. This match was derived from
+Solar Designer's scanlogd.
+.TP
+.BI "--psd-weight-threshold " "threshold"
+Total weight of the latest TCP/UDP packets with different
+destination ports coming from the same host to be treated as port
+scan sequence.
+.TP
+.BI "--psd-delay-threshold " "delay"
+Delay (in hundredths of second) for the packets with different
+destination ports coming from the same host to be treated as
+possible port scan subsequence.
+.TP
+.BI "--psd-lo-ports-weight " "weight"
+Weight of the packet with privileged (<=1024) destination port.
+.TP
+.BI "--psd-hi-ports-weight " "weight"
+Weight of the packet with non-priviliged destination port.
diff --git a/extensions/libipt_quota.man b/extensions/libipt_quota.man
new file mode 100644
index 00000000..8a07ec05
--- /dev/null
+++ b/extensions/libipt_quota.man
@@ -0,0 +1,7 @@
+Implements network quotas by decrementing a byte counter with each
+packet.
+.TP
+.BI "--quota " "bytes"
+The quota in bytes.
+.P
+KNOWN BUGS: this does not work on SMP systems.
diff --git a/extensions/libipt_recent.man b/extensions/libipt_recent.man
new file mode 100644
index 00000000..bf5d7103
--- /dev/null
+++ b/extensions/libipt_recent.man
@@ -0,0 +1,93 @@
+Allows you to dynamically create a list of IP addresses and then match
+against that list in a few different ways.
+
+For example, you can create a `badguy' list out of people attempting
+to connect to port 139 on your firewall and then DROP all future
+packets from them without considering them.
+.TP
+.BI "--name " "name"
+Specify the list to use for the commands. If no name is given then 'DEFAULT'
+will be used.
+.TP
+[\fB!\fR] \fB--set\fR
+This will add the source address of the packet to the list. If the
+source address is already in the list, this will update the existing
+entry. This will always return success (or failure if `!' is passed
+in).
+.TP
+[\fB!\fR] \fB--rcheck\fR
+Check if the source address of the packet is currently in
+the list.
+.TP
+[\fB!\fR] \fB--update\fR
+Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
+matches.
+.TP
+[\fB!\fR] \fB--remove\fR
+Check if the source address of the packet is currently in the list and
+if so that address will be removed from the list and the rule will
+return true. If the address is not found, false is returned.
+.TP
+[\fB!\fR] \fB--seconds \fIseconds\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and was seen within the last given
+number of seconds.
+.TP
+[\fB!\fR] \fB--hitcount \fIhits\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and packets had been received greater
+than or equal to the given value. This option may be used along with
+\fB--seconds\fR to create an even narrower match requiring a certain
+number of hits within a specific time frame.
+.TP
+\fB--rttl\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and the TTL of the current packet
+matches that of the packet which hit the \fB--set\fR rule. This may be
+useful if you have problems with people faking their source address in
+order to DoS you via this module by disallowing others access to your
+site by sending bogus packets to you.
+.P
+Examples:
+.IP
+# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
+
+# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
+.P
+Official website (http://snowman.net/projects/ipt_recent/) also has
+some examples of usage.
+
+/proc/net/ipt_recent/* are the current lists of addresses and information
+about each entry of each list.
+
+Each file in /proc/net/ipt_recent/ can be read from to see the current list
+or written two using the following commands to modify the list:
+.TP
+echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
+to Add to the DEFAULT list
+.TP
+echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
+to Remove from the DEFAULT list
+.TP
+echo clear > /proc/net/ipt_recent/DEFAULT
+to empty the DEFAULT list.
+.P
+The module itself accepts parameters, defaults shown:
+.TP
+.BI "ip_list_tot=" "100"
+Number of addresses remembered per table
+.TP
+.BI "ip_pkt_list_tot=" "20"
+Number of packets per address remembered
+.TP
+.BI "ip_list_hash_size=" "0"
+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
+.TP
+.BI "ip_list_perms=" "0644"
+Permissions for /proc/net/ipt_recent/* files
+.TP
+.BI "debug=" "0"
+Set to 1 to get lots of debugging info
diff --git a/extensions/libipt_sctp.man b/extensions/libipt_sctp.man
new file mode 100644
index 00000000..97b467da
--- /dev/null
+++ b/extensions/libipt_sctp.man
@@ -0,0 +1,28 @@
+.TP
+\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+.TP
+\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+.TP
+\fB--chunk-types\fR [\fB!\fR] \fBall\fR|\fBany\fR|\fBonly \fIchunktype\fR[\fB:\fIflags\fR] [...]
+The flag letter in upper case indicates that the flag is to match if set,
+in the lower case indicates to match if unset.
+
+Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
+
+chunk type available flags
+.br
+DATA U B E u b e
+.br
+ABORT T t
+.br
+SHUTDOWN_COMPLETE T t
+
+(lowercase means flag should be "off", uppercase means "on")
+.P
+Examples:
+
+iptables -A INPUT -p sctp --dport 80 -j DROP
+
+iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
+
+iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
diff --git a/extensions/libipt_u32.man b/extensions/libipt_u32.man
new file mode 100644
index 00000000..7028bd5f
--- /dev/null
+++ b/extensions/libipt_u32.man
@@ -0,0 +1,8 @@
+U32 allows you to extract quantities of up to 4 bytes from a packet,
+AND them with specified masks, shift them by specified amounts and
+test whether the results are in any of a set of specified ranges.
+The specification of what to extract is general enough to skip over
+headers with lengths stored in the packet, as in IP or TCP header
+lengths.
+
+Details and examples are in the kernel module source.