Index

Symbols

$INET_IP, Configuration options
$LAN_IFACE, FORWARD chain
$LAN_IP, OUTPUT chain
$LOCALHOST_IP, OUTPUT chain
$STATIC_IP, OUTPUT chain
--ahspi, AH/ESP match
--chunk-types, SCTP matches
--clamp-mss-to-pmtu, TCPMSS target
--clustermac, CLUSTERIP target
--cmd-owner, Owner match
--comment, Comment match
--ctexpire, Conntrack match
--ctorigdst, Conntrack match
--ctorigsrc, Conntrack match
--ctproto, Conntrack match
--ctrepldst, Conntrack match
--ctreplsrc, Conntrack match
--ctstate, Conntrack match
--ctstatus, Conntrack match
--destination, Generic matches
--destination-port, TCP matches, UDP matches, SCTP matches, Multiport match
--dscp, Dscp match
--dscp-class, Dscp match
--dst-range, IP range match
--dst-type, Addrtype match
--ecn, Ecn match
--ecn-ip-ect, Ecn match
--ecn-tcp-ece, Ecn match
--ecn-tcp-remove, ECN target
--espspi, AH/ESP match
--fragment, Generic matches
--gid-owner, Owner match
--hash-init, CLUSTERIP target
--hashlimit, Hashlimit match
--hashlimit-burst, Hashlimit match
--hashlimit-htable-expire, Hashlimit match
--hashlimit-htable-expire match, Hashlimit match
--hashlimit-htable-gcinterval, Hashlimit match
--hashlimit-htable-max, Hashlimit match
--hashlimit-htable-size, Hashlimit match
--hashlimit-mode, Hashlimit match
--hashlimit-name, Hashlimit match
--hashmode, CLUSTERIP target
--helper, Helper match
--hitcount, Recent match
--icmp-type, ICMP matches
--in-interface, Generic matches
--length, Length match
--limit, Limit match
--limit-burst, Limit match
--local-node, CLUSTERIP target
--log-ip-options, LOG target options
--log-level, LOG target options
--log-prefix, LOG target options
--log-tcp-options, LOG target options
--log-tcp-sequence, LOG target options
--mac-source, Mac match
--mark, Connmark match, Mark match
--mask, CONNMARK target
--match, Implicit matches
--mss, Tcpmss match
--name, Recent match
--new, CLUSTERIP target
--nodst, SAME target
--out-interface, Generic matches
--pid-owner, Owner match
--pkt-type, Packet type match
--pkt-type match, Packet type match
--port, Multiport match
--protocol, Generic matches
--queue-num, NFQUEUE target
--rcheck, Recent match
--rdest, Recent match
--realm, Realm match
--reject-with, REJECT target
--remove, Recent match
--restore, CONNSECMARK target
--restore-mark, CONNMARK target
--rsource, Recent match
--rttl, Recent match
--save, CONNSECMARK target
--save-mark, CONNMARK target
--seconds, Recent match
--selctx, SECMARK target
--set, Recent match
--set-class, CLASSIFY target
--set-dscp, DSCP target
--set-dscp-class, DSCP target
--set-mark, CONNMARK target, MARK target
--set-mss, TCPMSS target
--set-tos, TOS target
--sid-owner, Owner match
--source, Generic matches
--source-port, TCP matches, UDP matches, SCTP matches, Multiport match
--src-range, IP range match
--src-type, Addrtype match
--state, State match
--syn, TCP matches
--tcp-flags, TCP matches
--tcp-option, TCP matches
--to, NETMAP target, SAME target
--to-destination, DNAT target
--to-destination target, DNAT target
--to-ports, MASQUERADE target, REDIRECT target
--to-source, SNAT target
--tos, Tos match
--total-nodes, CLUSTERIP target
--ttl-dec, TTL target
--ttl-eq, Ttl match
--ttl-gt, Ttl match
--ttl-inc, TTL target
--ttl-lt, Ttl match
--ttl-set, TTL target
--uid-owner, Owner match
--ulog-cprange, ULOG target
--ulog-nlgroup, ULOG target
--ulog-prefix, ULOG target
--ulog-qthreshold, ULOG target
--update, Recent match
[ASSURED], TCP connections
[UNREPLIED], TCP connections

A

Accept, IP filtering terms and expressions
ACCEPT target, ACCEPT target, Displacement of rules to different chains, The UDP chain
ACK, TCP headers
Acknowledgment Number, TCP headers
Addrtype match, Addrtype match
--dst-type, Addrtype match
--src-type, Addrtype match
ANYCAST, Addrtype match
BLACKHOLE, Addrtype match
BROADCAST, Addrtype match
LOCAL, Addrtype match
MULTICAST, Addrtype match
NAT, Addrtype match
PROHIBIT, Addrtype match
THROW, Addrtype match
UNICAST, Addrtype match
UNREACHABLE, Addrtype match
UNSPEC, Addrtype match
XRESOLVE, Addrtype match
Advanced routing, TCP/IP destination driven routing
AH/ESP match, AH/ESP match
--ahspi, AH/ESP match
Ahspi match, AH/ESP match
Amanda, Complex protocols and connection tracking
ANYCAST, Addrtype match
Application layer, TCP/IP Layers
ASSURED, The conntrack entries, TCP connections

B

Bad_tcp_packets, The bad_tcp_packets chain, INPUT chain
Bash, Bash debugging tips
+-sign, Bash debugging tips
-x, Bash debugging tips
Basics, Where to get iptables
Commands, Commands
Compiling iptables, Compiling the user-land applications
Displacement, Displacement of rules to different chains
Drawbacks with restore, Drawbacks with restore
Filter table, Tables
Installation on Red Hat 7.1, Installation on Red Hat 7.1
iptables-restore, Saving and restoring large rule-sets, iptables-restore
iptables-save, Saving and restoring large rule-sets
Mangle table, Tables
Modules, Initial loading of extra modules
see also Modules
NAT, Network Address Translation Introduction
Nat table, Tables
Policy, Setting up default policies
Preparations, Preparations
Proc set up, proc set up
Raw table, Tables
Speed considerations, Speed considerations
State machine, Introduction
Tables, Tables
User specified chains, Setting up user specified chains in the filter table
User-land setup, User-land setup
BLACKHOLE, Addrtype match
BROADCAST, Addrtype match

C

Chain, IP filtering terms and expressions
FORWARD, General, Displacement of rules to different chains, FORWARD chain, PREROUTING chain of the nat table, The structure, The structure
INPUT, General, Displacement of rules to different chains, The ICMP chain, INPUT chain, The structure, The structure
OUTPUT, General, Raw table, Displacement of rules to different chains, OUTPUT chain, The structure, The structure, The structure
POSTROUTING, General, Starting SNAT and the POSTROUTING chain, The structure, The structure
PREROUTING, General, Raw table, PREROUTING chain of the nat table, The structure, The structure
Traversing, Traversing of tables and chains
User specified, User specified chains
Checksum, TCP headers, UDP headers, ICMP headers
Chkconfig, Installation on Red Hat 7.1
Chunk flags (SCTP), SCTP matches
Chunk types (SCTP), SCTP matches
Chunk-types match, SCTP matches
Cisco PIX, How to plan an IP filter
Clamp-mss-to-pmtu target, TCPMSS target
CLASSIFY target, CLASSIFY target
--set-class, CLASSIFY target
CLUSTERIP target, CLUSTERIP target
--clustermac, CLUSTERIP target
--hash-init, CLUSTERIP target
--hashmode, CLUSTERIP target
--local-node, CLUSTERIP target
--new, CLUSTERIP target
--total-nodes, CLUSTERIP target
Clustermac target, CLUSTERIP target
Cmd-owner match, Owner match
cmd.exe, What is an IP filter
Code, ICMP headers
Commands, Commands
--append, Commands
--delete, Commands
--delete-chain, Commands
--flush, Commands
--insert, Commands
--list, Commands
--new-chain, Commands
--policy, Commands
--rename-chain, Commands
--replace, Commands
--zero, Commands
Comment match, Comment match
--comment, Comment match
Commercial products, Commercial products based on Linux, iptables and netfilter
Ingate Firewall 1200, Ingate Firewall 1200
Common problems, Common problems and questions
DHCP, Letting DHCP requests through iptables
IRC DCC, mIRC DCC problems
ISP using private IPs, Internet Service Providers who use assigned IP addresses
Listing rule-sets, Listing your active rule-set
Modules, Problems loading modules
NEW not SYN, State NEW packets but no SYN bit set
SYN/ACK and NEW, SYN/ACK and NEW packets
Updating and flushing, Updating and flushing your tables
Complex protocols
Amanda, Complex protocols and connection tracking
FTP, Complex protocols and connection tracking
IRC, Complex protocols and connection tracking
TFTP, Complex protocols and connection tracking
Connection, Terms used in this document
Connection tracking, IP filtering terms and expressions
connection-oriented, IP characteristics
Connmark match, Connmark match
--mark, Connmark match
CONNMARK target, CONNMARK target
--mask, CONNMARK target
--restore-mark, CONNMARK target
--save-mark, CONNMARK target
--set-mark, CONNMARK target
CONNSECMARK target, Mangle table, CONNSECMARK target
--restore, CONNSECMARK target
--save, CONNSECMARK target
Conntrack, The state machine
Entries, The conntrack entries
Helpers, Complex protocols and connection tracking
ip_conntrack, The conntrack entries
Conntrack match, Conntrack match
--ctexpire, Conntrack match
--ctorigdst, Conntrack match
--ctorigsrc, Conntrack match
--ctproto, Conntrack match
--ctrepldst, Conntrack match
--ctreplsrc, Conntrack match
--ctstate, Conntrack match
--ctstatus, Conntrack match
console, Bash debugging tips
cron, How to plan an IP filter, Bash debugging tips
crontab, System tools used for debugging
Ctexpire match, Conntrack match
Ctorigdst match, Conntrack match
Ctorigsrc match, Conntrack match
Ctproto match, Conntrack match
Ctrepldst match, Conntrack match
Ctreplsrc match, Conntrack match
Ctstate match, Conntrack match
Ctstatus match, Conntrack match
CWR, TCP headers

D

Data Link layer, TCP/IP Layers
Data Offset, TCP headers
De-Militarized Zone (DMZ), rc.DMZ.firewall.txt
Debugging, Debugging your scripts
Bash, Bash debugging tips
Common problems, Common problems and questions
DHCP, Letting DHCP requests through iptables
Echo, Bash debugging tips
Iptables, Iptables debugging
IRC DCC, mIRC DCC problems
ISP using private IPs, Internet Service Providers who use assigned IP addresses
Listing rule-sets, Listing your active rule-set
Modules, Problems loading modules
Nessus, Debugging your scripts
NEW not SYN, State NEW packets but no SYN bit set
Nmap, Debugging your scripts
Other tools, Debugging your scripts
SYN/ACK and NEW, SYN/ACK and NEW packets
System tools, System tools used for debugging
Updating and flushing, Updating and flushing your tables
Deny, IP filtering terms and expressions
Destination address, IP headers, ICMP headers
Destination match, Generic matches
Destination port, TCP headers, UDP headers
Destination Unreachable, ICMP Destination Unreachable
Communication administratively prohibited by filtering, ICMP Destination Unreachable
Destination host administratively prohibited, ICMP Destination Unreachable
Destination host unknown, ICMP Destination Unreachable
Destination network administratively prohibited, ICMP Destination Unreachable
Destination network unknown, ICMP Destination Unreachable
Fragmentation needed and DF set, ICMP Destination Unreachable
Host precedence violation, ICMP Destination Unreachable
Host unreachable, ICMP Destination Unreachable
Host unreachable for TOS, ICMP Destination Unreachable
Network unreachable, ICMP Destination Unreachable
Network unreachable for TOS, ICMP Destination Unreachable
Port unreachable, ICMP Destination Unreachable
Precedence cutoff in effect, ICMP Destination Unreachable
Protocol unreachable, ICMP Destination Unreachable
Source host isolated, ICMP Destination Unreachable
Source route failed, ICMP Destination Unreachable
Destination-port match, TCP matches, UDP matches, SCTP matches, Multiport match
Detailed explanations, Detailed explanations of special commands
Listing rule-sets, Listing your active rule-set
Updating and flushing, Updating and flushing your tables
DHCP, MASQUERADE target, Configuration options, Displacement of rules to different chains
Differentiated Services, IP headers
DiffServ, IP headers
Displacement, Displacement of rules to different chains
Dmesg, LOG target options
DMZ, How to plan an IP filter
DNAT, Terms used in this document, What is an IP filter, What NAT is used for and basic terms and expressions
DNAT target, General, Nat table, DNAT target, PREROUTING chain of the nat table
--to-destination, DNAT target
DNAT target examples, DNAT target
DNS, IP characteristics, The UDP chain
Drawbacks with iptables-restore, Drawbacks with restore
Drop, IP filtering terms and expressions
DROP target, DROP target, The UDP chain, FORWARD chain, OUTPUT chain
DSCP, IP headers
Dscp match, Dscp match
--dscp, Dscp match
--dscp-class, Dscp match
DSCP target, DSCP target
--set-dscp, DSCP target
--set-dscp-class, DSCP target
Dscp-class match, Dscp match
Dst-range match, IP range match
Dst-type match, Addrtype match
Dynamic Host Configuration Protocol (DHCP), rc.DHCP.firewall.txt

E

e-mail, How to plan an IP filter
Easy Firewall Generator, Easy Firewall Generator
ECE, TCP headers
Echo, Bash debugging tips
Echo Request/Reply, ICMP Echo Request/Reply
ECN, IP headers, Source Quench
ECN IP field, Ecn match
Ecn match, Ecn match
--ecn, Ecn match
--ecn-ip-ect, Ecn match
--ecn-tcp-ece, Ecn match
ECN target, ECN target
--ecn-tcp-remove, ECN target
Ecn-ip-ect match, Ecn match
Ecn-tcp-ece match, Ecn match
Ecn-tcp-remove target, ECN target
Errors
Table does not exist, Iptables debugging
Unknown arg, Iptables debugging
ESP match
--espspi, AH/ESP match
Espspi match, AH/ESP match
Example
Hardware requirements, What is needed to build a NAT machine
Machine placement, Placement of NAT machines
Example scripts, Debugging your scripts, Example scripts code-base
biggest, Network Address Translation Introduction
Configuration, The structure
DHCP, The structure
DMZ, The structure
Filter table, The structure
Internet, The structure
iptables, The structure
Iptables-save ruleset, Iptables-save ruleset
iptsave-ruleset.txt, iptables-save
LAN, The structure
Limit-match.txt, Limit-match.txt
Localhost, The structure
Module loading, The structure
NAT, Example NAT machine in theory
Non-required modules, The structure
Non-required proc configuration, The structure
Other, The structure
Pid-owner.txt, Pid-owner.txt
PPPoE, The structure
proc configuration, The structure
rc.DHCP.firewall.txt, rc.DHCP.firewall.txt, Example rc.DHCP.firewall script
rc.DMZ.firewall.txt, rc.DMZ.firewall.txt, Example rc.DMZ.firewall script
rc.firewall.txt, rc.firewall file, rc.firewall.txt script structure, rc.firewall.txt, Example rc.firewall script
rc.flush-iptables.txt, rc.flush-iptables.txt, Example rc.flush-iptables script
rc.test-iptables.txt, rc.test-iptables.txt, Example rc.test-iptables script
rc.UTIN.firewall.txt, rc.UTIN.firewall.txt, Example rc.UTIN.firewall script
Recent-match.txt, Recent match, Recent-match.txt
Required modules, The structure
Required proc configuration, The structure
Rules set up, The structure
Set policies, The structure
Sid-owner.txt, Sid-owner.txt
Structure, example rc.firewall, The structure, example rc.firewall
see also Example structure
TTL-inc.txt, Ttl-inc.txt
User specified chains, The structure
User specified chains content, The structure
Example structure
Configuration, Configuration options
Explicit Congestion Notification, IP headers
Explicit matches, Explicit matches

F

Fast-NAT, What NAT is used for and basic terms and expressions
File
ip_ct_generic_timeout, Untracked connections and the raw table
Ip_dynaddr, proc set up
Ip_forward, proc set up
Files
ip_conntrack, The conntrack entries
ip_conntrack_max, The conntrack entries
ip_conntrack_tcp_loose, TCP connections
Filter table, Tables, The structure
Filtering, TCP/IP Layers
Introduction, IP filtering introduction
Layer 7, What is an IP filter
FIN, TCP characteristics, TCP headers
FIN/ACK, TCP characteristics
Firewall Builder, fwbuilder
Flags, IP headers
Flush iptables, rc.flush-iptables.txt
fragment, IP headers
Fragment match, Generic matches
Fragment Offset, IP headers
FreeSWAN, AH/ESP match
FTP, Complex protocols and connection tracking
fwbuilder, fwbuilder

G

Generic matches, Generic matches
GGP, ICMP characteristics
Gid-owner match, Owner match
Graphical user interfaces, Graphical User Interfaces for Iptables/netfilter
Easy Firewall Generator, Easy Firewall Generator
fwbuilder, fwbuilder
Integrated Secure Communications System, Integrated Secure Communications System
IPmenu, IPMenu
Turtle Firewall Project, Turtle Firewall Project
GRE, TCP/IP Layers

H

Handshake, IP characteristics
Hardware
Machine placement, Placement of NAT machines
Placement, How to place proxies
Requirements, What is needed to build a NAT machine
Structure, How to place proxies
Hash-init target, CLUSTERIP target
Hashlimit match, Hashlimit match
--hashlimit, Hashlimit match
--hashlimit-burst, Hashlimit match
--hashlimit-htable-expire, Hashlimit match
--hashlimit-htable-gcinterval, Hashlimit match
--hashlimit-htable-max, Hashlimit match
--hashlimit-htable-size, Hashlimit match
--hashlimit-mode, Hashlimit match
--hashlimit-name, Hashlimit match
Hashlimit-burst match, Hashlimit match
Hashlimit-htable-gcinterval match, Hashlimit match
Hashlimit-htable-max match, Hashlimit match
Hashlimit-htable-size match, Hashlimit match
Hashlimit-mode match, Hashlimit match
Hashlimit-name match, Hashlimit match
Hashmode target, CLUSTERIP target
Header checksum, IP headers, ICMP headers
Helper match, Helper match
--helper, Helper match
Hitcount match, Recent match
How a rule is built, How a rule is built
Http, Displacement of rules to different chains

I

ICMP, TCP/IP repetition, ICMP characteristics, ICMP connections, The ICMP chain
Characteristics, ICMP characteristics
Checksum, ICMP headers
Code, ICMP headers
Destination Address, ICMP headers
Destination Unreachable, ICMP Destination Unreachable
see also Destination Unreachable
Echo Request/Reply, ICMP Echo Request/Reply
see also Echo Request/Reply
Header Checksum, ICMP headers
Headers, ICMP headers
Identification, ICMP headers
Identifier, ICMP Echo Request/Reply
Information request, Information request/reply
see also Information request
Internet Header Length, ICMP headers
Parameter problem, Parameter problem
see also Parameter problem
Protocol, ICMP headers
Redirect, Redirect
see also Redirect
Sequence number, ICMP Echo Request/Reply
Source Address, ICMP headers
Source Quench, Source Quench
see also Source Quench
Time To Live, ICMP headers
Timestamp, Timestamp request/reply
see also Timestamp
Total Length, ICMP headers
TTL equals zero, TTL equals 0
see also TTL equals zero
Type, ICMP headers
Type of Service, ICMP headers
Types, Listing your active rule-set
Version, ICMP headers
ICMP match, ICMP matches, The ICMP chain
--icmp-type, ICMP matches
Icmp-type match, ICMP matches
icmp_packets, The ICMP chain
ICQ, How to plan an IP filter
Identd, Displacement of rules to different chains
Identification, IP headers, ICMP headers
Identifier, ICMP Echo Request/Reply
IHL, IP headers
Implicit matches, Implicit matches
In-interface match, Generic matches
Information request, Information request/reply
Ingate, Ingate Firewall 1200
Ingate Firewall 1200, Ingate Firewall 1200
Integrated Secure Communications System, Integrated Secure Communications System
Interface, Configuration options
Internet Header Length, ICMP headers
Internet layer, TCP/IP Layers, IP characteristics
Introduction, Introduction
NAT, Network Address Translation Introduction
Intrusion detection system
Host-based, How to plan an IP filter
Network, How to plan an IP filter
IP, TCP/IP repetition
Characteristics, IP characteristics
Destination address, IP headers
DSCP, IP headers
ECN, IP headers
Flags, IP headers
Fragment Offset, IP headers
Header checksum, IP headers
Headers, IP headers
Identification, IP headers
IHL, IP headers
Options, IP headers
Padding, IP headers
Protocol, IP headers
Source address, IP headers
Time to live, IP headers
Total Length, IP headers
Type of Service, IP headers
Version, IP headers
IP filtering, IP filtering introduction
Planning, How to plan an IP filter
IP range match, IP range match
--dst-range, IP range match
--src-range, IP range match
Ipchains, Installation on Red Hat 7.1
IPmenu, IPMenu
IPSEC, Terms used in this document, AH/ESP match
Iptables
Basics, Basics of the iptables command
Iptables debugging, Debugging your scripts
Iptables matches, Iptables matches
see also Match
Iptables targets, Iptables targets and jumps
see also Target
iptables-restore, Saving and restoring large rule-sets, iptables-restore
drawbacks, Drawbacks with restore
Speed considerations, Speed considerations
iptables-save, Saving and restoring large rule-sets, iptables-save, Debugging your scripts
drawbacks, Drawbacks with restore
Speed considerations, Speed considerations
Iptables-save ruleset, Iptables-save ruleset
ipt_*, Iptables debugging
ipt_REJECT.ko, Iptables debugging
ipt_state.ko, Iptables debugging
Ip_conntrack, The conntrack entries
ip_conntrack_max, The conntrack entries
ip_conntrack_tcp_loose, TCP connections
IRC, Complex protocols and connection tracking

J

Jump, IP filtering terms and expressions

K

Kernel setup, Kernel setup
Kernel space, Terms used in this document
kernwarnings, System tools used for debugging

L

LAN, How to plan an IP filter, Configuration options, FORWARD chain
layered security, How to plan an IP filter
Length, UDP headers
Length match, Length match
--length, Length match
Limit match, Limit match, Limit-match.txt
--limit, Limit match
--limit-burst, Limit match
Limit-burst match, Limit match
Limit-match.txt, Limit-match.txt
LOCAL, Addrtype match
Local-node target, CLUSTERIP target
LOG target, LOG target options, The UDP chain, FORWARD chain
--log-ip-options, LOG target options
--log-level, LOG target options
--log-prefix, LOG target options
--log-tcp-options, LOG target options
--log-tcp-sequence, LOG target options
Log-ip-options target, LOG target options
Log-level target, LOG target options
Log-prefix target, LOG target options
Log-tcp-options target, LOG target options
Log-tcp-sequence target, LOG target options

M

Mac match, Mac match
--mac-source, Mac match
Mac-source match, Mac match
Mangle table, Tables
Mark match, Connmark match, Mark match
--mark, Mark match
MARK target, Mangle table, MARK target
--set-mark, MARK target
Mask target, CONNMARK target
MASQUERADE target, Nat table, MASQUERADE target, Starting SNAT and the POSTROUTING chain
--to-ports, MASQUERADE target
Match, IP filtering terms and expressions, Iptables matches
--destination, Generic matches
--fragment, Generic matches
--in-interface, Generic matches
--match, Implicit matches, Explicit matches
--out-interface, Generic matches
--protocol, Generic matches
--source, Generic matches
Addrtype, Addrtype match
see also Addrtype match
AH/ESP, AH/ESP match
see also AH/ESP match
Basics, Basics of the iptables command
Comment, Comment match
see also Comment match
Connmark, Connmark match
see also Connmark match
Conntrack, Conntrack match
see also Conntrack match
Dscp, Dscp match
see also Dscp match
Ecn, Ecn match
see also Ecn match
Explicit, Explicit matches
see also Explicit matches
Generic, Generic matches
Hashlimit, Hashlimit match
see also Hashlimit match
Helper, Helper match
see also Helper match
ICMP, ICMP matches
see also ICMP match
Implicit, Implicit matches
IP range, IP range match
see also IP range match
Length, Length match
see also Length match
Limit, Limit match
see also Limit match
Mac, Mac match
see also Mac match
Mark, Mark match
see also Mark match
Multiport, Multiport match
see also Multiport match
Owner, Owner match
see also Owner match
Packet type, Packet type match
see also Packet type match
Realm, Realm match
see also Realm match
Recent, Recent match
see also Recent match
SCTP, SCTP matches
see also SCTP match
State, State match
see also State match
TCP, TCP matches
see also TCP match
Tcpmss, Tcpmss match
see also Tcpmss match
Tos, Tos match
see also Tos match
Ttl, Ttl match
see also Ttl match
UDP, UDP matches
see also UDP match
Unclean, Unclean match
see also Unclean match
MIRROR target, MIRROR target
Modules, Initial loading of extra modules
FTP, Initial loading of extra modules
H.323, Initial loading of extra modules
IRC, Initial loading of extra modules
Patch-o-matic, Initial loading of extra modules
Mss match, Tcpmss match
MTU, SCTP Generic header format
MULTICAST, Addrtype match
Multiport match, Multiport match
--destination-port, Multiport match
--port, Multiport match
--source-port, Multiport match

N

Name match, Recent match
NAT, How to plan an IP filter, Network Address Translation Introduction, Addrtype match, MASQUERADE target, Starting SNAT and the POSTROUTING chain
Caveats, Caveats using NAT
Examples, Example NAT machine in theory
Hardware, What is needed to build a NAT machine
Placement, Placement of NAT machines
Nat table, Tables
Negotiated ports, How to plan an IP filter
Nessus, Debugging your scripts
Netfilter-NAT, What NAT is used for and basic terms and expressions
NETMAP target, NETMAP target
--to, NETMAP target
Network Access layer, TCP/IP Layers
Network address translation (NAT), Tables
Network layer, TCP/IP Layers
New target, CLUSTERIP target
NFQUEUE target, NFQUEUE target
--queue-num, NFQUEUE target
NIDS, How to plan an IP filter
Nmap, Debugging your scripts
Nmapfe, Nmap
Nodst target, SAME target
non-standards, How to plan an IP filter
NOTRACK target, Raw table, Untracked connections and the raw table, NOTRACK target
NTP, The UDP chain

O

Options, IP headers, TCP headers, Kernel setup
--exact, Commands
--line-numbers, Commands
--modprobe, Commands
--numeric, Commands
--set-counters, Commands
--verbose, Commands
OSI
Application layer, TCP/IP Layers
Data Link layer, TCP/IP Layers
Network layer, TCP/IP Layers
Physical layer, TCP/IP Layers
Presentation layer, TCP/IP Layers
Reference model, TCP/IP Layers
Session layer, TCP/IP Layers
Transport layer, TCP/IP Layers
Other resources, Other resources and links
Out-interface match, Generic matches
Owner match, Owner match, Pid-owner.txt, Sid-owner.txt
--cmd-owner, Owner match
--gid-owner, Owner match
--pid-owner, Owner match
--sid-owner, Owner match
--uid-owner, Owner match
Pid match, Pid-owner.txt
Sid match, Sid-owner.txt

P

Packet, Terms used in this document
Packet type match, Packet type match
--pkt-type, Packet type match
Padding, IP headers, TCP headers
Parameter problem, Parameter problem
IP header bad (catchall error), Parameter problem
Required options missing, Parameter problem
Physical layer, TCP/IP Layers
Pid-owner match, Owner match
Pid-owner.txt, Pid-owner.txt
Planning
IP filters, How to plan an IP filter
PNAT, What NAT is used for and basic terms and expressions
Policy, IP filtering terms and expressions, How to plan an IP filter, Setting up default policies, FORWARD chain
Port
Negotiated, How to plan an IP filter
Port match, Multiport match
POSTROUTING, SNAT target, Displacement of rules to different chains
PPP, Displacement of rules to different chains
PPPoE, Configuration options
precautions, Bash debugging tips
Preparations, Preparations
Where to get, Where to get iptables
PREROUTING, DNAT target
Presentation layer, TCP/IP Layers
Proc set up, proc set up
PROHIBIT, Addrtype match
Protocol, IP headers, ICMP headers
Protocol match, Generic matches
Proxy, TCP/IP Layers, What is an IP filter, How to plan an IP filter
Placement, How to place proxies
PSH, TCP headers
PUSH, TCP headers

Q

Qdisc, MARK target
QoS, Terms used in this document
QUEUE target, QUEUE target
Queue-num target, NFQUEUE target

R

Raw table, Tables
rc.DHCP.firewall.txt, rc.DHCP.firewall.txt
rc.DMZ.firewall.txt, rc.DMZ.firewall.txt
rc.firewall explanation, rc.firewall file
rc.firewall.txt, rc.firewall.txt script structure, rc.firewall.txt
rc.flush-iptables.txt, rc.flush-iptables.txt
rc.test-iptables.txt, rc.test-iptables.txt
rc.UTIN.firewall.txt, rc.UTIN.firewall.txt
Rcheck match, Recent match
Rdest match, Recent match
Realm match, Realm match
--realm, Realm match
Recent match, Recent match, Recent-match.txt
--hitcount, Recent match
--name, Recent match
--rcheck, Recent match
--rdest, Recent match
--remove, Recent match
--rsource, Recent match
--rttl, Recent match
--seconds, Recent match
--set, Recent match
--update, Recent match
Recent match example, Recent match
Recent-match.txt, Recent-match.txt
Redirect, Redirect
Redirect for host, Redirect
Redirect for network, Redirect
Redirect for TOS and host, Redirect
Redirect for TOS and network, Redirect
REDIRECT target, REDIRECT target
--to-ports, REDIRECT target
Reject, IP filtering terms and expressions
REJECT target, REJECT target, The bad_tcp_packets chain
--reject-with, REJECT target
Reject-with target, REJECT target
Remove match, Recent match
Reserved, TCP headers
Restore target, CONNSECMARK target
Restore-mark target, CONNMARK target
Restoring rulesets, Saving and restoring large rule-sets
RETURN target, RETURN target
RFC, IP headers
1122, Tcpmss match
1349, IP headers
1812, CLUSTERIP target
2401, AH/ESP match
2474, IP headers, IP headers, DSCP target
2638, Dscp match
2960, SCTP Characteristics
3168, IP headers, IP headers, Ecn match
3260, IP headers, IP headers
3268, TCP headers, TCP headers
3286, SCTP Characteristics
768, UDP characteristics
791, IP headers, IP headers
792, ICMP headers, The ICMP chain
793, Terms used in this document, TCP headers, TCP connections, Tcpmss match, REJECT target
Routing, TCP/IP destination driven routing, MARK target
ANYCAST, Addrtype match
BLACKHOLE, Addrtype match
BROADCAST, Addrtype match
LOCAL, Addrtype match
MULTICAST, Addrtype match
NAT, Addrtype match
PROHIBIT, Addrtype match
THROW, Addrtype match
UNICAST, Addrtype match
UNREACHABLE, Addrtype match
UNSPEC, Addrtype match
XRESOLVE, Addrtype match
Routing realm, Realm match
Rsource match, Recent match
RST, TCP headers
Rttl match, Recent match
Rule, IP filtering terms and expressions
Rules, How a rule is built
Basics, Basics of the iptables command
Ruleset, IP filtering terms and expressions

S

SACK, IP headers
SAME target, SAME target
--nodst, SAME target
--to, SAME target
Save target, CONNSECMARK target
Save-mark target, CONNMARK target
Saving rulesets, Saving and restoring large rule-sets
Script structure, The structure
SCTP, SCTP Characteristics
ABORT, Shutdown and abort, SCTP Common and generic headers, SCTP ABORT chunk
Advertised Receiver Window Credit, SCTP INIT chunk, SCTP INIT ACK chunk, SCTP SACK chunk
B-bit, SCTP DATA chunk
Characteristics, SCTP Characteristics
Checksum, SCTP Common and generic headers
Chunk Flags, SCTP Common and generic headers, SCTP COOKIE ECHO chunk, SCTP ERROR chunk, SCTP HEARTBEAT chunk, SCTP INIT chunk, SCTP INIT ACK chunk, SCTP SACK chunk, SCTP SHUTDOWN chunk, SCTP SHUTDOWN ACK chunk, SCTP matches
Chunk Length, SCTP Common and generic headers, SCTP HEARTBEAT ACK chunk, SCTP INIT chunk, SCTP INIT ACK chunk, SCTP SACK chunk, SCTP SHUTDOWN chunk, SCTP SHUTDOWN ACK chunk
Chunk types, SCTP matches
Chunk Value, SCTP Common and generic headers
Cookie, SCTP COOKIE ECHO chunk
COOKIE ACK, Initialization and association, SCTP COOKIE ACK chunk
COOKIE ECHO, Initialization and association, SCTP COOKIE ECHO chunk
Cumulative TSN Ack, SCTP SACK chunk, SCTP SHUTDOWN chunk
DATA, Data sending and control session, SCTP Generic header format, SCTP DATA chunk
Data sending and control session, Data sending and control session
Destination port, SCTP Common and generic headers
Duplicate TSN #1, SCTP SACK chunk
Duplicate TSN #X, SCTP SACK chunk
E-bit, SCTP DATA chunk
ECN, SCTP Characteristics
ERROR, Data sending and control session, SCTP ERROR chunk
Cookie Received While Shutting Down, SCTP ERROR chunk
Invalid Mandatory Parameter, SCTP ERROR chunk
Invalid Stream Identifier, SCTP ERROR chunk
Missing Mandatory Parameter, SCTP ERROR chunk
No User Data, SCTP ERROR chunk
Out of Resource, SCTP ERROR chunk
Stale Cookie Error, SCTP ERROR chunk
Unrecognized Chunk Type, SCTP ERROR chunk
Unrecognized Parameters, SCTP ERROR chunk
Unresolvable Address, SCTP ERROR chunk
Error causes, SCTP ERROR chunk
Gap Ack Block #1 End, SCTP SACK chunk
Gap Ack Block #1 Start, SCTP SACK chunk
Gap Ack Block #N End, SCTP SACK chunk
Gap Ack Block #N Start, SCTP SACK chunk
Generic Header format, SCTP Generic header format
Headers, SCTP Headers
HEARTBEAT, Data sending and control session, SCTP HEARTBEAT chunk
HEARTBEAT ACK, Data sending and control session, SCTP HEARTBEAT ACK chunk
Heartbeat Information TLV, SCTP HEARTBEAT chunk, SCTP HEARTBEAT ACK chunk
INIT, Initialization and association, SCTP Generic header format, SCTP Common and generic headers, SCTP INIT chunk
Variable Parameters, SCTP INIT chunk
INIT ACK, Initialization and association, SCTP Generic header format, SCTP INIT ACK chunk
Variable Parameters, SCTP INIT ACK chunk
Initial TSN, SCTP INIT chunk, SCTP INIT ACK chunk
Initialization, Initialization and association
Initiate Tag, SCTP INIT chunk, SCTP INIT ACK chunk
Length, SCTP ABORT chunk, SCTP COOKIE ACK chunk, SCTP COOKIE ECHO chunk, SCTP DATA chunk, SCTP ERROR chunk, SCTP HEARTBEAT chunk, SCTP SHUTDOWN COMPLETE chunk
Message oriented, SCTP Characteristics
MTU, SCTP Generic header format
Multicast, SCTP Characteristics
Number of Duplicate TSNs, SCTP SACK chunk
Number of Gap Ack Blocks, SCTP SACK chunk
Number of Inbound Streams, SCTP INIT chunk, SCTP INIT ACK chunk
Number of Outbound Streams, SCTP INIT chunk, SCTP INIT ACK chunk
Payload Protocol Identifier, SCTP DATA chunk
Rate adaptive, SCTP Characteristics
SACK, SCTP Characteristics, Data sending and control session, SCTP SACK chunk
SHUTDOWN, Shutdown and abort, SCTP SHUTDOWN chunk
SHUTDOWN ACK, Shutdown and abort, SCTP SHUTDOWN ACK chunk
Shutdown and abort, Shutdown and abort
SHUTDOWN COMPLETE, Shutdown and abort, SCTP Generic header format, SCTP Common and generic headers, SCTP SHUTDOWN COMPLETE chunk
Source port, SCTP Common and generic headers
Stream Identifier, SCTP DATA chunk
Stream Sequence Number, SCTP DATA chunk
T-bit, SCTP ABORT chunk, SCTP SHUTDOWN COMPLETE chunk
TCB, SCTP ABORT chunk
TSN, SCTP DATA chunk
Type, SCTP ABORT chunk
U-bit, SCTP DATA chunk
Unicast, SCTP Characteristics
User data, SCTP DATA chunk
Verification tag, SCTP Common and generic headers
SCTP match, SCTP matches
--chunk-types, SCTP matches
--destination-port, SCTP matches
--source-port, SCTP matches
SECMARK target, Mangle table, SECMARK target
--selctx, SECMARK target
Seconds match, Recent match
Segment, Terms used in this document
Selctx target, SECMARK target
SELinux, CONNSECMARK target, SECMARK target
Sequence Number, TCP headers, ICMP Echo Request/Reply
Session layer, TCP/IP Layers
Set match, Recent match
Set-class target, CLASSIFY target
Set-dscp target, DSCP target
Set-dscp-class target, DSCP target
Set-mark target, CONNMARK target, MARK target
Set-mss target, TCPMSS target
Set-tos target, TOS target
Sid-owner match, Owner match
Sid-owner.txt, Sid-owner.txt
SLIP, Displacement of rules to different chains
SNAT, Terms used in this document, What is an IP filter, What NAT is used for and basic terms and expressions
SNAT target, Nat table, SNAT target, Displacement of rules to different chains, Starting SNAT and the POSTROUTING chain
--to-source, SNAT target
Snort, How to plan an IP filter
Source address, IP headers, ICMP headers
Source match, Generic matches
Source port, TCP headers, UDP headers
Source Quench, Source Quench
Source-port match, TCP matches, UDP matches, SCTP matches, Multiport match
Speed considerations, Speed considerations
Spoofing, SYN/ACK and NEW packets
Squid, What is an IP filter, How to plan an IP filter, REDIRECT target
Src-range match, IP range match
Src-type match, Addrtype match
SSH, Bash debugging tips, Displacement of rules to different chains
Standardized, How to plan an IP filter
State
Conntrack match, Conntrack match
see also Conntrack match
State machine, The state machine
Default connections, Default connections
State match, Terms used in this document, IP filtering terms and expressions, The state machine, State match
--state, State match
CLOSED, TCP headers
Complex protocols, Complex protocols and connection tracking
see also Complex protocols
ESTABLISHED, Introduction, User-land states, ICMP connections, The TCP chain, INPUT chain
ICMP, ICMP connections
INVALID, Introduction, User-land states, The bad_tcp_packets chain
NEW, Introduction, User-land states, ICMP connections, The bad_tcp_packets chain
NOTRACK, Untracked connections and the raw table
see also NOTRACK target
RELATED, Introduction, User-land states, TCP connections, The TCP chain, The ICMP chain, INPUT chain
TCP, TCP connections
UDP, UDP connections
UNTRACKED, User-land states
Untracked connections, Untracked connections and the raw table
[ASSURED], UDP connections
[UNREPLIED], UDP connections
Stream, Terms used in this document
SYN, TCP headers, The bad_tcp_packets chain, SYN/ACK and NEW packets
Syn match, TCP matches
SYN_RECV, TCP connections
SYN_SENT, The conntrack entries
Syslog, LOG target options, System tools used for debugging
alert, System tools used for debugging
crit, System tools used for debugging
debug, System tools used for debugging
emerg, System tools used for debugging
err, System tools used for debugging
info, System tools used for debugging
notice, System tools used for debugging
warning, System tools used for debugging
syslog.conf, System tools used for debugging
System tools, Debugging your scripts

T

Table, IP filtering terms and expressions
Filter, General, Filter table
Mangle, General, Mangle table, The structure
Nat, General, Nat table, The structure
Raw, General, Raw table
Traversing, Traversing of tables and chains
Table does not exist error, Iptables debugging
Tables, Tables
Target, IP filtering terms and expressions, Iptables targets and jumps
ACCEPT, ACCEPT target
Basics, Basics of the iptables command
CLASSIFY, CLASSIFY target
see also CLASSIFY target
CLUSTERIP, CLUSTERIP target
see also CLUSTERIP target
CONNMARK, CONNMARK target
see also CONNMARK target
CONNSECMARK, CONNSECMARK target
see also CONNSECMARK target
DNAT, DNAT target
see also DNAT target
DROP, DROP target
see also DROP target
DSCP, DSCP target
see also DSCP target
ECN, ECN target
see also ECN target
LOG, LOG target options
see also LOG target
MARK, MARK target
see also MARK target
MASQUERADE, MASQUERADE target
see also MASQUERADE target
MIRROR, MIRROR target
see also MIRROR target
NETMAP, NETMAP target
see also NETMAP target
NFQUEUE, NFQUEUE target
see also NFQUEUE target
NOTRACK, NOTRACK target
see also NOTRACK target
QUEUE, QUEUE target
see also QUEUE target
REDIRECT, REDIRECT target
see also REDIRECT target
REJECT, REJECT target
see also REJECT target
RETURN, RETURN target
see also RETURN target
SAME, SAME target
see also SAME target
SECMARK, SECMARK target
see also SECMARK target
SNAT, SNAT target
see also SNAT target
TCPMSS, TCPMSS target
see also TCPMSS target
TOS, TOS target
see also TOS target
TTL, TTL target
see also TTL target
ULOG, ULOG target
see also ULOG target
TCP, TCP/IP repetition, TCP connections, The bad_tcp_packets chain, The TCP chain
ACK, TCP headers
Acknowledgment Number, TCP headers
Characteristics, TCP characteristics
Checksum, TCP headers
CWR, TCP headers
Data Offset, TCP headers
Destination port, TCP headers
ECE, TCP headers
FIN, TCP characteristics, TCP headers
FIN/ACK, TCP characteristics
Handshake, TCP characteristics
Headers, TCP headers
Opening, TCP connections
Options, TCP headers, TCP options
Padding, TCP headers
PSH, TCP headers
PUSH, TCP headers
Reserved, TCP headers
RST, TCP headers
Sequence number, TCP headers
Source port, TCP headers
SYN, TCP characteristics, TCP headers
URG, TCP headers
Urgent Pointer, TCP headers
Window, TCP headers
TCP match, TCP matches
--destination-port, TCP matches
--source-port, TCP matches
--syn, TCP matches
--tcp-flags, TCP matches
--tcp-option, TCP matches
Tcp-flags match, TCP matches
Tcp-option match, TCP matches
TCP/IP, TCP/IP repetition
Application layer, TCP/IP Layers
Internet layer, TCP/IP Layers
Layers, TCP/IP Layers
Network Access layer, TCP/IP Layers
Stack, TCP/IP Layers
Transport layer, TCP/IP Layers
TCP/IP routing, TCP/IP destination driven routing
Tcpmss match, Tcpmss match
--mss, Tcpmss match
TCPMSS target, TCPMSS target
--clamp-mss-to-pmtu, TCPMSS target
--set-mss, TCPMSS target
tcp_chain, The TCP chain
Terms, Terms used in this document
NAT, What NAT is used for and basic terms and expressions
TFTP, Complex protocols and connection tracking
THROW, Addrtype match
Time Exceeded Message, TTL equals 0
Time to live, IP headers, ICMP headers
Timestamp, Redirect
To target, NETMAP target, SAME target
To-ports target, MASQUERADE target, REDIRECT target
To-source target, SNAT target
TOS, Mangle table
Tos match, Tos match
--tos, Tos match
TOS target, TOS target
--set-tos, TOS target
Total Length, IP headers, ICMP headers
Total-nodes target, CLUSTERIP target
Transport layer, TCP/IP Layers
Traversing of tables and chains, Traversing of tables and chains
General, General
Tripwire, How to plan an IP filter
TTL, The ICMP chain
TTL equals zero, TTL equals 0
TTL equals 0 during reassembly, TTL equals 0
TTL equals 0 during transit, TTL equals 0
Ttl match, Ttl match
--ttl-eq, Ttl match
--ttl-gt, Ttl match
--ttl-lt, Ttl match
TTL target, Mangle table, TTL target, Ttl-inc.txt
--ttl-dec, TTL target
--ttl-inc, TTL target
--ttl-set, TTL target
Ttl-dec target, TTL target
Ttl-eq match, Ttl match
Ttl-gt match, Ttl match
Ttl-inc target, TTL target
TTL-inc.txt, Ttl-inc.txt
Ttl-lt match, Ttl match
Ttl-set target, TTL target
Turtle Firewall Project, Turtle Firewall Project
Type, ICMP headers
Type of Service, IP headers, ICMP headers

U

UDP, TCP/IP repetition, UDP characteristics, UDP connections, UDP matches, The UDP chain
Characteristics, UDP characteristics
Checksum, UDP headers
Destination port, UDP headers
Length, UDP headers
Source port, UDP headers
UDP match, The UDP chain
--destination-port, UDP matches
--source-port, UDP matches
udp_packets, The UDP chain
Uid-owner match, Owner match
ULOG target, ULOG target
--ulog-cprange, ULOG target
--ulog-nlgroup, ULOG target
--ulog-prefix, ULOG target
--ulog-qthreshold, ULOG target
Ulog-cprange target, ULOG target
Ulog-nlgroup target, ULOG target
Ulog-prefix target, ULOG target
Ulog-qthreshold target, ULOG target
Unclean match, Unclean match
UNICAST, Addrtype match
Unknown arg, Iptables debugging
UNREACHABLE, Addrtype match
unreliable protocol, IP characteristics
UNREPLIED, TCP connections
UNSPEC, Addrtype match
Update match, Recent match
URG, TCP headers
Urgent Pointer, TCP headers
User interfaces, Graphical User Interfaces for Iptables/netfilter
Graphical, Graphical User Interfaces for Iptables/netfilter
see also Graphical user interfaces
User space, Terms used in this document
User specified chains, User specified chains, Setting up user specified chains in the filter table
User-land setup, User-land setup
User-land states, User-land states
Userland, Terms used in this document

V

Version, IP headers, ICMP headers
VPN, Terms used in this document

W

Webproxy, What is an IP filter
see also Proxy
Window, TCP headers
Words, Terms used in this document

X

XRESOLVE, Addrtype match