##master-page:HomepageReadWritePageTemplate
##master-date:Unknown-Date
#format wiki
#language en
= IPTABLES =
 * see [[linux/firewall]]
 * update rules for dynamic dns hosts [[linux/iptables/dyndns]]
 * iptables handling overlapping subnets [[linux/iptables/overlap]]

== 2015 Problem redirecting traffic from outside interface to vnc service listening on localhost:127.0.0.1 ==
 * Forwarding should be on (the kernel default is 0 = off)
   * # echo 1 > /proc/sys/net/ipv4/ip_forward
    * to make it persistent, in /etc/sysctl.conf: net.ipv4.ip_forward = 1
 * Solution: by default Linux treats packets addressed to 127.0.0.0/8 that arrive on a non-loopback interface as martians and drops them, so a DNAT to 127.0.0.1 fails silently. Routing to the loopback range has to be enabled per interface, on the interface the outside traffic arrives on (eth0 here); 0 means off, 1 means on:
   {{{
cat /proc/sys/net/ipv4/conf/eth0/route_localnet
   }}}
   Set it to 1 the same way as ip_forward above (persistent: net.ipv4.conf.eth0.route_localnet = 1 in /etc/sysctl.conf). After the DNAT the destination is a local address, so the packet goes through the INPUT chain rather than FORWARD; INPUT must accept the VNC port on that interface, and the DNAT rule should be restricted to the source addresses that are allowed to reach VNC.
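The complete procedure as a script, added here as an example (it is not from the original page): the route_localnet sysctl, the PREROUTING DNAT and the matching INPUT accept. The interface name eth0, the ports and the management range 203.0.113.0/24 are assumptions; the script prints the commands for review and only applies them when APPLY=1.

```sh
#!/bin/sh
# Added example (not from the original wiki page): publish a VNC server that
# listens only on 127.0.0.1:5900 through the outside interface, using DNAT
# plus route_localnet.  Interface, ports and source range are assumptions.
IFACE="${IFACE:-eth0}"                      # outside interface (assumed)
PUBLIC_PORT="${PUBLIC_PORT:-5900}"          # port reachable from outside
VNC_PORT="${VNC_PORT:-5900}"                # port the VNC server listens on
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.0/24}"  # constructed management range

# Print the commands needed, one per line, so they can be reviewed before
# being applied.  Arguments: iface public_port vnc_port allowed_src
vnc_localnet_rules() {
  iface="$1"; pub="$2"; vnc="$3"; src="$4"
  # Without this the kernel treats 127.0.0.0/8 as a martian destination on
  # $iface and the DNATed packet is dropped before it reaches the socket.
  echo "sysctl -w net.ipv4.conf.${iface}.route_localnet=1"
  # Rewrite the destination in PREROUTING; conntrack un-NATs the replies.
  echo "iptables -t nat -A PREROUTING -i ${iface} -s ${src} -p tcp --dport ${pub} -j DNAT --to-destination 127.0.0.1:${vnc}"
  # After DNAT the destination is local, so the packet traverses INPUT,
  # not FORWARD, and the filter table sees the rewritten address.
  echo "iptables -A INPUT -i ${iface} -s ${src} -p tcp -d 127.0.0.1 --dport ${vnc} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
}

# True if route_localnet is already on for the interface (file contains 1).
route_localnet_enabled() {
  f="/proc/sys/net/ipv4/conf/$1/route_localnet"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

main() {
  if route_localnet_enabled "$IFACE"; then
    echo "# route_localnet already enabled on $IFACE"
  fi
  if [ "${APPLY:-0}" = "1" ]; then
    # Run the commands as root; -e stops at the first failing command.
    vnc_localnet_rules "$IFACE" "$PUBLIC_PORT" "$VNC_PORT" "$ALLOWED_SRC" | sh -e
  else
    vnc_localnet_rules "$IFACE" "$PUBLIC_PORT" "$VNC_PORT" "$ALLOWED_SRC"
  fi
}

main "$@"
```

The -s restriction matters: VNC authentication is weak, so exposing the port to the whole outside interface is rarely acceptable; an SSH tunnel to 127.0.0.1:5900 avoids the NAT and the route_localnet change altogether.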

== Interesting modules 2010 ==
 1. comment
       Allows you to add a comment (up to 256 characters) to any rule.
    {{{
       --comment comment
       Example:
              iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"
    }}}
 1. connlimit
       Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
 1. rateest
       The rate estimator can match on estimated rates as collected by the RATEEST target. It supports matching on absolute bps/pps values, comparing two rate estimators and matching on the difference between two rate estimators.
 1. recent
       Allows you to dynamically create a list of IP addresses and then match against that list in a few different ways. For example, you can create a "badguy" list out of people attempting to connect to port 139 on your firewall and then DROP all future packets from them without considering them further. The current contents of a list can be read from /proc/net/xt_recent/<name>.
 1. time
       This matches if the packet arrival time/date is within a given range. All options are optional, but are ANDed when specified.
 1. TRACE
       This target marks packets so that the kernel logs every rule which matches them as they traverse the tables, chains and rules. (The ipt_LOG or ip6t_LOG module is required for the logging; on current kernels the backend is nf_log_ipv4, and with iptables-nft the trace is shown by nft monitor trace instead of the kernel log.) The packets are logged with the string prefix "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for a plain rule, "return" for the implicit rule at the end of a user-defined chain and "policy" for the policy of the built-in chains.
       It can only be used in the raw table.
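The badguy list from the recent item above, together with a connlimit cap and the TRACE log prefix, as an added example (not code from the original page): one function emits the rules, one emits the raw-table TRACE rule, and one parses the "TRACE: table:chain:type:rulenum" prefix out of a kernel log line. The interface name, ports, ban time and the sample log line are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original wiki page): the "badguy" list built with
# the recent match, a per-client connection cap with connlimit, and a parser for
# the TRACE log prefix.  Interface, ports and thresholds are assumptions.

# Emit the rules for the badguy list.  The check rule comes first so that every
# packet from a listed source is dropped regardless of port; the --set rule
# only runs for sources not yet on the list.  Arguments: iface ban_seconds
badguy_rules() {
  iface="$1"; ban_secs="$2"
  # 1. already listed: drop, and --update refreshes the "last seen" time so a
  #    repeat offender stays banned for ban_secs after its latest packet
  echo "iptables -A INPUT -i ${iface} -m recent --name badguy --update --seconds ${ban_secs} -j DROP"
  # 2. new connection to TCP/139 puts the source on the list and is dropped
  echo "iptables -A INPUT -i ${iface} -p tcp --dport 139 -m conntrack --ctstate NEW -m recent --name badguy --set -m comment --comment \"badguy: SMB probe\" -j DROP"
  # 3. at most 5 parallel SSH connections per client /24 (connlimit counts
  #    per source block when --connlimit-mask is given)
  echo "iptables -A INPUT -i ${iface} -p tcp --dport 22 -m conntrack --ctstate NEW -m connlimit --connlimit-above 5 --connlimit-mask 24 -j REJECT --reject-with tcp-reset"
}

# Emit the raw-table rule that traces every packet to one TCP port.
trace_rule() {
  echo "iptables -t raw -A PREROUTING -p tcp --dport $1 -j TRACE"
}

# Parse "TRACE: table:chain:type:rulenum" out of a kernel log line and print
# the four fields separated by spaces.  Returns 1 for a non-TRACE line.
parse_trace_line() {
  case "$1" in
    *"TRACE: "*) ;;
    *) return 1 ;;
  esac
  spec="${1#*TRACE: }"   # drop everything up to and including the prefix
  spec="${spec%% *}"     # keep the first word: table:chain:type:rulenum
  IFS=: read -r tbl chain kind num <<EOF
$spec
EOF
  printf '%s %s %s %s\n' "$tbl" "$chain" "$kind" "$num"
}

# Constructed TRACE line in the kernel's format (packet fields abbreviated).
SAMPLE_TRACE='kernel: TRACE: filter:INPUT:rule:2 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=139'

badguy_rules eth0 3600
trace_rule 139
parse_trace_line "$SAMPLE_TRACE"
```

Rule order is the point of the first function: with the --set rule before the --update check, a source's very first probe would still be dropped, but nothing would ban its later traffic to other ports. Tracing is noisy and logs every matching packet; add the raw-table rule for a narrow port or source and delete it again when done.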

== Common Problems and solutions ==
 * Multi-interface setup ignoring/dropping packets on certain interfaces
   * Caused by reverse path filtering: in strict mode (rp_filter = 1) the kernel drops a packet whose source address would not be routed back out through the interface it arrived on, which is exactly what happens with asymmetric routing across several interfaces. The drops are logged as martians when net.ipv4.conf.all.log_martians = 1.
     * Fix: switch to loose mode (2), which only requires that the source be reachable via some interface, in /etc/sysctl.conf (apply with sysctl -p): {{{
       # reverse path filtering: 0 = off, 1 = strict, 2 = loose
       net.ipv4.conf.default.rp_filter = 2
       net.ipv4.conf.all.rp_filter = 2
       }}}
     * The effective value for an interface is the maximum of conf/all and conf/<interface>, so a strict setting in either place wins; check the per-interface files under /proc/sys/net/ipv4/conf/ when one interface still drops packets.
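A diagnostic for the rp_filter problem above, added as an example (not from the original page): it reports the effective reverse path filtering mode per interface, applying the max(all, interface) rule, so a strict setting hidden in conf/all shows up. The directory is a parameter so the functions can be run against a copy of /proc/sys/net/ipv4/conf as well as the live one.

```sh
#!/bin/sh
# Added example (not from the original wiki page): report the effective
# rp_filter mode per interface.  The kernel uses max(conf/all, conf/<iface>),
# so a strict "all" silently overrides a loose per-interface value.

# Translate the numeric rp_filter value to its name.
rp_mode_name() {
  case "$1" in
    0) echo off ;;
    1) echo strict ;;
    2) echo loose ;;
    *) echo "unknown($1)" ;;
  esac
}

# Effective rp_filter for one interface: the larger of all and the
# interface's own value.  Arguments: conf_dir iface
effective_rp_filter() {
  conf="$1"; iface="$2"
  all=$(cat "$conf/all/rp_filter")
  own=$(cat "$conf/$iface/rp_filter")
  if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Print "iface value mode" for every real interface in conf_dir
# (defaults to the live /proc tree); all and default are skipped.
rp_filter_report() {
  conf="${1:-/proc/sys/net/ipv4/conf}"
  for d in "$conf"/*/; do
    iface=$(basename "$d")
    case "$iface" in all|default) continue ;; esac
    [ -r "$d/rp_filter" ] || continue
    v=$(effective_rp_filter "$conf" "$iface")
    printf '%s %s %s\n' "$iface" "$v" "$(rp_mode_name "$v")"
  done
}

# Number of interfaces whose effective mode is strict, i.e. the ones that
# will drop asymmetrically routed traffic.
strict_count() {
  rp_filter_report "$1" | awk '$2 == 1' | wc -l | tr -d ' '
}

rp_filter_report "$@"
```

Run it without arguments on the affected host; any interface reported as strict is a candidate for the drops, and if conf/all is 1 every interface will be strict no matter what the per-interface files say.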



...
----
CategoryLinux