From f33c46140f0e0a230aba5d739ce40cb14e066b13 Mon Sep 17 00:00:00 2001
From: Jonas Berlin
Date: Fri, 1 Apr 2005 06:54:23 +0000
Subject: add lots of man pages (Jonas Berlin)

---
 extensions/libipt_IPMARK.man | 45 ++++++++++++++++++
 extensions/libipt_IPV4OPTSSTRIP.man | 5 ++
 extensions/libipt_SAME.man | 11 +++++
 extensions/libipt_TARPIT.man | 34 ++++++++++++++
 extensions/libipt_XOR.man | 7 +++
 extensions/libipt_account.man | 47 +++++++++++++++++++
 extensions/libipt_comment.man | 6 +++
 extensions/libipt_connbytes.man | 30 ++++++++++++
 extensions/libipt_connlimit.man | 21 +++++++++
 extensions/libipt_hashlimit.man | 35 ++++++++++++++
 extensions/libipt_ipv4options.man | 32 +++++++++++++
 extensions/libipt_osf.man | 47 +++++++++++++++++++
 extensions/libipt_psd.man | 18 +++++++
 extensions/libipt_quota.man | 7 +++
 extensions/libipt_recent.man | 93 +++++++++++++++++++++++++++++++++++++
 extensions/libipt_sctp.man | 28 +++++++++++
 extensions/libipt_u32.man | 8 ++++
 17 files changed, 474 insertions(+)
 create mode 100644 extensions/libipt_IPMARK.man
 create mode 100644 extensions/libipt_IPV4OPTSSTRIP.man
 create mode 100644 extensions/libipt_SAME.man
 create mode 100644 extensions/libipt_TARPIT.man
 create mode 100644 extensions/libipt_XOR.man
 create mode 100644 extensions/libipt_account.man
 create mode 100644 extensions/libipt_comment.man
 create mode 100644 extensions/libipt_connbytes.man
 create mode 100644 extensions/libipt_connlimit.man
 create mode 100644 extensions/libipt_hashlimit.man
 create mode 100644 extensions/libipt_ipv4options.man
 create mode 100644 extensions/libipt_osf.man
 create mode 100644 extensions/libipt_psd.man
 create mode 100644 extensions/libipt_quota.man
 create mode 100644 extensions/libipt_recent.man
 create mode 100644 extensions/libipt_sctp.man
 create mode 100644 extensions/libipt_u32.man

(limited to 'extensions')

diff --git a/extensions/libipt_IPMARK.man b/extensions/libipt_IPMARK.man
new file mode 100644
index 00000000..e4659b01
--- /dev/null
+++ b/extensions/libipt_IPMARK.man
@@ -0,0 +1,45 @@
+Allows you to mark a received packet basing on its IP address. This
+can replace many mangle/mark entries with only one, if you use
+firewall based classifier.
+
+This target is to be used inside the mangle table, in the PREROUTING,
+POSTROUTING or FORWARD hooks.
+.TP
+.BI "--addr " "src/dst"
+Use source or destination IP address.
+.TP
+.BI "--and-mask " "mask"
+Perform bitwise `and' on the IP address and this mask.
+.TP
+.BI "--or-mask " "mask"
+Perform bitwise `or' on the IP address and this mask.
+.P
+The order of IP address bytes is reversed to meet "human order of bytes":
+192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
+`or'.
+
+Examples:
+
+We create a queue for each user, the queue number is adequate
+to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
+are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
+
+We have one classifier rule:
+.IP
+tc filter add dev eth3 parent 1:0 protocol ip fw
+.P
+Earlier we had many rules just like below:
+.IP
+iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
+--set-mark 0x10502
+.IP
+iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
+--set-mark 0x10503
+.P
+Using IPMARK target we can replace all the mangle/mark rules with only one:
+.IP
+iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
+--and-mask=0xffff --or-mask=0x10000
+.P
+On the routers with hundreds of users there should be significant load
+decrease (e.g. twice).
diff --git a/extensions/libipt_IPV4OPTSSTRIP.man b/extensions/libipt_IPV4OPTSSTRIP.man
new file mode 100644
index 00000000..a17d8a25
--- /dev/null
+++ b/extensions/libipt_IPV4OPTSSTRIP.man
@@ -0,0 +1,5 @@
+Strip all the IP options from a packet.
+
+The target doesn't take any option, and therefore is extremly easy to use :
+
+# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
new file mode 100644
index 00000000..817c2001
--- /dev/null
+++ b/extensions/libipt_SAME.man
@@ -0,0 +1,11 @@
+Similar to SNAT/DNAT depending on chain: it takes a range of addresses
+(`--to 1.2.3.4-1.2.3.7') and gives a client the same
+source-/destination-address for each connection.
+.TP
+.BI "--to " "-"
+Addresses to map source to. May be specified more than once for
+multiple ranges.
+.TP
+.B "--nodst"
+Don't use the destination-ip in the calculations when selecting the
+new source-ip
diff --git a/extensions/libipt_TARPIT.man b/extensions/libipt_TARPIT.man
new file mode 100644
index 00000000..26526b76
--- /dev/null
+++ b/extensions/libipt_TARPIT.man
@@ -0,0 +1,34 @@
+Captures and holds incoming TCP connections using no local
+per-connection resources. Connections are accepted, but immediately
+switched to the persist state (0 byte window), in which the remote
+side stops sending data and asks to continue every 60-240 seconds.
+Attempts to close the connection are ignored, forcing the remote side
+to time out the connection in 12-24 minutes.
+
+This offers similar functionality to LaBrea
+ but doesn't require dedicated
+hardware or IPs. Any TCP port that you would normally DROP or REJECT
+can instead become a tarpit.
+
+To tarpit connections to TCP port 80 destined for the current machine:
+.IP
+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
+.P
+To significantly slow down Code Red/Nimda-style scans of unused address
+space, forward unused ip addresses to a Linux box not acting as a router
+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
+forwarding on the Linux box, and add:
+.IP
+iptables -A FORWARD -p tcp -j TARPIT
+.IP
+iptables -A FORWARD -j DROP
+.TP
+NOTE:
+If you use the conntrack module while you are using TARPIT, you should
+also use the NOTRACK target, or the kernel will unnecessarily allocate
+resources for each TARPITted connection. To TARPIT incoming
+connections to the standard IRC port while using conntrack, you could:
+.IP
+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+.IP
+iptables -A INPUT -p tcp --dport 6667 -j TARPIT
diff --git a/extensions/libipt_XOR.man b/extensions/libipt_XOR.man
new file mode 100644
index 00000000..712b4723
--- /dev/null
+++ b/extensions/libipt_XOR.man
@@ -0,0 +1,7 @@
+Encrypt TCP and UDP traffic using a simple XOR encryption
+.TP
+.BI "--key " "string"
+Set key to "string"
+.TP
+.BI "--block-size"
+Set block size
diff --git a/extensions/libipt_account.man b/extensions/libipt_account.man
new file mode 100644
index 00000000..fcbb179a
--- /dev/null
+++ b/extensions/libipt_account.man
@@ -0,0 +1,47 @@
+Account traffic for all hosts in defined network/netmask.
+
+Features:
+
+- long (one counter per protocol TCP/UDP/IMCP/Other) and short statistics
+
+- one iptables rule for all hosts in network/netmask
+
+- loading/saving counters (by reading/writting to procfs entries)
+
+.TP
+.BI "--aaddr " "network/netmask"
+defines network/netmask for which make statistics.
+.TP
+.BI "--aname " "name"
+defines name of list where statistics will be kept. If no is
+specified DEFAULT will be used.
+.TP
+.B "--ashort"
+table will colect only short statistics (only total counters
+without splitting it into protocols.
+.P
+Example usage:
+
+account traffic for/to 192.168.0.0/24 network into table mynetwork:
+
+# iptables -A FORWARD -m account --aname mynetwork --aaddr 192.168.0.0/24
+
+account traffic for/to WWW serwer for 192.168.0.0/24 network into table mywwwserver:
+
+# iptables -A INPUT -p tcp --dport 80
+ -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
+
+# iptables -A OUTPUT -p tcp --sport 80
+ -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
+
+read counters:
+
+# cat /proc/net/ipt_account/mynetwork
+# cat /proc/net/ipt_account/mywwwserver
+
+set counters:
+
+# echo "ip = 192.168.0.1 packets_src = 0" > /proc/net/ipt_account/mywwserver
+
+Webpage:
+ http://www.barbara.eu.org/~quaker/ipt_account/
diff --git a/extensions/libipt_comment.man b/extensions/libipt_comment.man
new file mode 100644
index 00000000..2f4ce55d
--- /dev/null
+++ b/extensions/libipt_comment.man
@@ -0,0 +1,6 @@
+Allows you to add comments (up to 256 characters) to any rule.
+.TP
+.BI "--comment " "comment"
+.TP
+Example:
+iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"
diff --git a/extensions/libipt_connbytes.man b/extensions/libipt_connbytes.man
new file mode 100644
index 00000000..ce7b6659
--- /dev/null
+++ b/extensions/libipt_connbytes.man
@@ -0,0 +1,30 @@
+Match by how many bytes or packets a connection (or one of the two
+flows constituting the connection) have tranferred so far, or by
+average bytes per packet.
+
+The counters are 64bit and are thus not expected to overflow ;)
+
+The primary use is to detect long-lived downloads and mark them to be
+scheduled using a lower priority band in traffic control.
+
+The transfered bytes per connection can also be viewed through
+/proc/net/ip_conntrack and accessed via ctnetlink
+.TP
+[\fB!\fR]\fB --connbytes \fIfrom\fB:\fR[\fIto\fR]
+match packets from a connection whose packets/bytes/average packet
+size is more than FROM and less than TO bytes/packets. if TO is
+omitted only FROM check is done. "!" is used to match packets not
+falling in the range.
+.TP
+\fB--connbytes-dir\fR [\fBoriginal\fR|\fBreply\fR|\fBboth\fR]
+which packets to consider
+.TP
+\fB--connbytes-mode\fR [\fBpackets\fR|\fBbytes\fR|\fBavgpkt\fR]
+whether to check the amount of packets, number of bytes transferred or
+the average size (in bytes) of all packets received so far. Note that
+when "both" is used together with "avgpkt", and data is going (mainly)
+only in one direction (for example HTTP), the average packet size will
+be about half of the actual data packets.
+.TP
+Example:
+iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
diff --git a/extensions/libipt_connlimit.man b/extensions/libipt_connlimit.man
new file mode 100644
index 00000000..404ee327
--- /dev/null
+++ b/extensions/libipt_connlimit.man
@@ -0,0 +1,21 @@
+Allows you to restrict the number of parallel TCP connections to a
+server per client IP address (or address block).
+.TP
+[\fB!\fR] \fB--connlimit-above \fIn\fR
+match if the number of existing tcp connections is (not) above n
+.TP
+.BI "--connlimit-mask " "bits"
+group hosts using mask
+.P
+Examples:
+.TP
+# allow 2 telnet connections per client host
+iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
+.TP
+# you can also match the other way around:
+iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
+.TP
+# limit the nr of parallel http requests to 16 per class C sized \
+network (24 bit netmask)
+iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
+--connlimit-mask 24 -j REJECT
diff --git a/extensions/libipt_hashlimit.man b/extensions/libipt_hashlimit.man
new file mode 100644
index 00000000..1b0a5d44
--- /dev/null
+++ b/extensions/libipt_hashlimit.man
@@ -0,0 +1,35 @@
+This patch adds a new match called 'hashlimit'.
+The idea is to have something like 'limit', but either per
+destination-ip or per (destip,destport) tuple.
+
+It gives you the ability to express
+.IP
+ '1000 packets per second for every host in 192.168.0.0/16'
+.IP
+ '100 packets per second for every service of 192.168.1.1'
+.P
+with a single iptables rule.
+.TP
+.BI "--hashlimit " "rate"
+A rate just like the limit match
+.TP
+.BI "--hashlimit-burst " "num"
+Burst value, just like limit match
+.TP
+.BI "--hashlimit-mode " "destip | destip-destport"
+Limit per IP or per port
+.TP
+.BI "--hashlimit-name " "foo"
+The name for the /proc/net/ipt_hashlimit/foo entry
+.TP
+.BI "--hashlimit-htable-size " "num"
+The number of buckets of the hash table
+.TP
+.BI "--hashlimit-htable-max " "num"
+Maximum entries in the hash
+.TP
+.BI "--hashlimit-htable-expire " "num"
+After how many miliseconds do hash entries expire
+.TP
+.BI "--hashlimit-htable-gcinterval " "num"
+How many miliseconds between garbage collection intervals
diff --git a/extensions/libipt_ipv4options.man b/extensions/libipt_ipv4options.man
new file mode 100644
index 00000000..122dc68d
--- /dev/null
+++ b/extensions/libipt_ipv4options.man
@@ -0,0 +1,32 @@
+Match on IPv4 header options like source routing, record route,
+timestamp and router-alert.
+.TP
+.B "--ssrr"
+To match packets with the flag strict source routing.
+.TP
+.B "--lsrr"
+To match packets with the flag loose source routing.
+.TP
+.B "--no-srr"
+To match packets with no flag for source routing.
+.TP
+.B "\fR[\fB!\fR]\fB --rr"
+To match packets with the RR flag.
+.TP
+.B "\fR[\fB!\fR]\fB --ts"
+To match packets with the TS flag.
+.TP
+.B "\fR[\fB!\fR]\fB --ra"
+To match packets with the router-alert option.
+.TP
+.B "\fR[\fB!\fR]\fB --any-opt"
+To match a packet with at least one IP option, or no IP option
+at all if ! is chosen.
+.TP
+Examples:
+.TP
+$ iptables -A input -m ipv4options --rr -j DROP
+will drop packets with the record-route flag.
+.TP
+$ iptables -A input -m ipv4options --ts -j DROP
+will drop packets with the timestamp flag.
diff --git a/extensions/libipt_osf.man b/extensions/libipt_osf.man
new file mode 100644
index 00000000..38d25a03
--- /dev/null
+++ b/extensions/libipt_osf.man
@@ -0,0 +1,47 @@
+The idea of passive OS fingerprint matching exists for quite a long time,
+but was created as extension fo OpenBSD pf only some weeks ago.
+Original idea was lurked in some OpenBSD mailing list (thanks
+grange@open...) and than adopted for Linux netfilter in form of this code.
+
+Original fingerprint table was created by Michal Zalewski .
+
+This module compares some data(WS, MSS, options and it's order, ttl,
+df and others) from first SYN packet (actually from packets with SYN
+bit set) with dynamically loaded OS fingerprints.
+.TP
+.B "--log 1/0"
+If present, OSF will log determined genres even if they don't match
+desired one.
+0 - log all determined entries,
+1 - only first one.
+
+In syslog you find something like this:
+.IP
+ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
+.IP
+ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
+.TP
+.B "--smart"
+if present, OSF will use some smartness to determine remote OS.
+OSF will use initial TTL only if source of connection is in our local network.
+.TP
+.B "--netlink"
+If present, OSF will log all events also through netlink NETLINK_NFLOG groupt 1.
+.TP
+.BI "--genre " "[!] string"
+Match a OS genre by passive fingerprinting
+.P
+Example:
+
+#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
+
+NOTE: -p tcp is obviously required as it is a TCP match.
+
+Fingerprints can be loaded and read through /proc/sys/net/ipv4/osf file.
+One can flush all fingerprints with following command:
+.IP
+echo -en FLUSH > /proc/sys/net/ipv4/osf
+.P
+Only one fingerprint per open/write/close.
+
+Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
diff --git a/extensions/libipt_psd.man b/extensions/libipt_psd.man
new file mode 100644
index 00000000..b73fffc0
--- /dev/null
+++ b/extensions/libipt_psd.man
@@ -0,0 +1,18 @@
+Attempt to detect TCP and UDP port scans. This match was derived from
+Solar Designer's scanlogd.
+.TP
+.BI "--psd-weight-threshold " "threshold"
+Total weight of the latest TCP/UDP packets with different
+destination ports coming from the same host to be treated as port
+scan sequence.
+.TP
+.BI "--psd-delay-threshold " "delay"
+Delay (in hundredths of second) for the packets with different
+destination ports coming from the same host to be treated as
+possible port scan subsequence.
+.TP
+.BI "--psd-lo-ports-weight " "weight"
+Weight of the packet with privileged (<=1024) destination port.
+.TP
+.BI "--psd-hi-ports-weight " "weight"
+Weight of the packet with non-priviliged destination port.
diff --git a/extensions/libipt_quota.man b/extensions/libipt_quota.man
new file mode 100644
index 00000000..8a07ec05
--- /dev/null
+++ b/extensions/libipt_quota.man
@@ -0,0 +1,7 @@
+Implements network quotas by decrementing a byte counter with each
+packet.
+.TP
+.BI "--quota " "bytes"
+The quota in bytes.
+.P
+KNOWN BUGS: this does not work on SMP systems.
diff --git a/extensions/libipt_recent.man b/extensions/libipt_recent.man
new file mode 100644
index 00000000..bf5d7103
--- /dev/null
+++ b/extensions/libipt_recent.man
@@ -0,0 +1,93 @@
+Allows you to dynamically create a list of IP addresses and then match
+against that list in a few different ways.
+
+For example, you can create a `badguy' list out of people attempting
+to connect to port 139 on your firewall and then DROP all future
+packets from them without considering them.
+.TP
+.BI "--name " "name"
+Specify the list to use for the commands. If no name is given then 'DEFAULT'
+will be used.
+.TP
+[\fB!\fR] \fB--set\fR
+This will add the source address of the packet to the list. If the
+source address is already in the list, this will update the existing
+entry. This will always return success (or failure if `!' is passed
+in).
+.TP
+[\fB!\fR] \fB--rcheck\fR
+Check if the source address of the packet is currently in
+the list.
+.TP
+[\fB!\fR] \fB--update\fR
+Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
+matches.
+.TP
+[\fB!\fR] \fB--remove\fR
+Check if the source address of the packet is currently in the list and
+if so that address will be removed from the list and the rule will
+return true. If the address is not found, false is returned.
+.TP
+[\fB!\fR] \fB--seconds \fIseconds\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and was seen within the last given
+number of seconds.
+.TP
+[\fB!\fR] \fB--hitcount \fIhits\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and packets had been received greater
+than or equal to the given value. This option may be used along with
+\fB--seconds\fR to create an even narrower match requiring a certain
+number of hits within a specific time frame.
+.TP
+\fB--rttl\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and the TTL of the current packet
+matches that of the packet which hit the \fB--set\fR rule. This may be
+useful if you have problems with people faking their source address in
+order to DoS you via this module by disallowing others access to your
+site by sending bogus packets to you.
+.P
+Examples:
+.IP
+# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
+
+# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
+.P
+Official website (http://snowman.net/projects/ipt_recent/) also has
+some examples of usage.
+
+/proc/net/ipt_recent/* are the current lists of addresses and information
+about each entry of each list.
+
+Each file in /proc/net/ipt_recent/ can be read from to see the current list
+or written two using the following commands to modify the list:
+.TP
+echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
+to Add to the DEFAULT list
+.TP
+echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
+to Remove from the DEFAULT list
+.TP
+echo clear > /proc/net/ipt_recent/DEFAULT
+to empty the DEFAULT list.
+.P
+The module itself accepts parameters, defaults shown:
+.TP
+.BI "ip_list_tot=" "100"
+Number of addresses remembered per table
+.TP
+.BI "ip_pkt_list_tot=" "20"
+Number of packets per address remembered
+.TP
+.BI "ip_list_hash_size=" "0"
+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
+.TP
+.BI "ip_list_perms=" "0644"
+Permissions for /proc/net/ipt_recent/* files
+.TP
+.BI "debug=" "0"
+Set to 1 to get lots of debugging info
diff --git a/extensions/libipt_sctp.man b/extensions/libipt_sctp.man
new file mode 100644
index 00000000..97b467da
--- /dev/null
+++ b/extensions/libipt_sctp.man
@@ -0,0 +1,28 @@
+.TP
+\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+.TP
+\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+.TP
+\fB--chunk-types\fR [\fB!\fR] \fBall\fR|\fBany\fR|\fBonly \fIchunktype\fR[\fB:\fIflags\fR] [...]
+The flag letter in upper case indicates that the flag is to match if set,
+in the lower case indicates to match if unset.
+
+Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
+
+chunk type available flags
+.br
+DATA U B E u b e
+.br
+ABORT T t
+.br
+SHUTDOWN_COMPLETE T t
+
+(lowercase means flag should be "off", uppercase means "on")
+.P
+Examples:
+
+iptables -A INPUT -p sctp --dport 80 -j DROP
+
+iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
+
+iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
diff --git a/extensions/libipt_u32.man b/extensions/libipt_u32.man
new file mode 100644
index 00000000..7028bd5f
--- /dev/null
+++ b/extensions/libipt_u32.man
@@ -0,0 +1,8 @@
+U32 allows you to extract quantities of up to 4 bytes from a packet,
+AND them with specified masks, shift them by specified amounts and
+test whether the results are in any of a set of specified ranges.
+The specification of what to extract is general enough to skip over
+headers with lengths stored in the packet, as in IP or TCP header
+lengths.
+
+Details and examples are in the kernel module source.
-- 
cgit v1.2.3