These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/IPChains Commands


The main interface for IP Chains is the ipchains userspace command. The basic usage for ipchains (from ipchains -h) is:

 Usage: ipchains -[ADC] chain rule-specification [options]
        ipchains -[RI] chain rulenum rule-specification [options]
        ipchains -D chain rulenum [options]
        ipchains -[LFZNX] [chain] [options]
        ipchains -P chain target [options]
        ipchains -M [ -L | -S ] [options]
        ipchains -h [icmp] (print this help information, or ICMP list)

There are many different features of ipchains, and I encourage you to consult the man page for ipchains for a full explanation of all of them. However, most of the time you will use some very simple variants of

 ipchains -P chain target [options]
 ipchains -A chain rule [options]

chains and targets

There are three builtin chains you can specify, plus user-defined chains: the IP input chain, the IP output chain, and the IP forwarding chain. We have already examined the input, output, and forwarding chains. User-defined chains (created with -N and entered from a rule whose target is the chain's name) are beyond the scope of this course; see the ipchains man page for details.

A target is what happens to a packet once a rule matches it. When a target is set with -P it is the "default policy" (or simply the policy) of the chain: the target applied to any packet that reaches the end of a builtin chain without matching a rule. A target can be one of ACCEPT, DENY, REJECT, MASQ, REDIRECT, or RETURN, or, in a rule but never as a policy, the name of a user-defined chain.

  • ACCEPT means to let the packet through.
  • DENY means to drop the packet on the floor, silently.
  • REJECT means the same as DENY, but is more polite and easier to debug: an ICMP message is sent back to the sender indicating that the packet was refused (unless the packet is itself ICMP, in which case it is simply dropped). Bear in mind that REJECT tells a port scanner there is a firewall in the way, whereas DENY just looks like a slow or dead host.
  • MASQ is only legal for the forward and user-defined chains, and can only be used when the kernel is compiled with CONFIG_IP_MASQUERADE defined. The packet is rewritten so that it appears to come from the firewall itself, and the replies are de-masqueraded back to the original sender.
  • REDIRECT is only legal for the input and user-defined chains and can only be used when the Linux kernel is compiled with CONFIG_IP_TRANSPARENT_PROXY defined. With this, packets will be redirected to a local socket (a port number may follow the target), even if they were sent to a remote host.
  • RETURN: if the end of a builtin chain is reached, or a rule in a builtin chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet. In a user-defined chain, reaching the end or matching RETURN continues with the next rule of the chain that jumped to it.

-P

The '-P' option sets the default policy for a given builtin chain, that is, the target used for any packet that reaches the end of the chain without matching a rule. For example, if I wanted to set the default policy for the forward chain to DENY, I would issue the following command:

 # ipchains -P forward DENY

-A, -D

The '-A' option appends one or more rules to the end of the given chain. For example, if I wanted to masquerade everything the forward chain sends out through the interface "eth2" (in the forward and output chains, -i names the interface the packet will leave on), I would use the following:

 # ipchains -A forward -i eth2 -j MASQ

The '-D' option deletes a rule from a given chain. There are two versions of this command: the rule can be specified by its number in the chain (starting at 1 for the first rule), or by repeating the rule specification, in which case the first rule that matches it is deleted. For example, this command deletes the first rule from output:

 # ipchains -D output 1

-L

Lists the rules from one or more chains. If you use the following:

 # ipchains -L

it will list all rules for all chains; you can also name a specific chain like this:

 # ipchains -L output
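Putting -P, -A, -D and -L together, here is an added example of a complete ipchains script for a small gateway. It is not part of the original notes, and it assumes a hypothetical layout: eth0 faces the Internet, eth1 faces a LAN numbered 192.168.1.0/24, and the gateway itself runs sshd. Setting IPCHAINS="echo ipchains" in the environment prints the rules instead of loading them, which is the sensible way to check a ruleset before applying it to a box you are logged into over the network.

```bash
#!/bin/sh
# Added example for these notes, not code from the original page.
# Hypothetical two-interface gateway: eth0 faces the Internet, eth1 faces the
# LAN 192.168.1.0/24, and the gateway itself runs sshd on port 22.
# Set IPCHAINS="echo ipchains" to print the rules instead of applying them.
set -e
IPCHAINS=${IPCHAINS:-ipchains}
EXT_IF=eth0
INT_IF=eth1
LAN=192.168.1.0/24

apply_firewall() {
    # Flush every chain first so that running this twice does not append
    # a second copy of each rule.
    $IPCHAINS -F

    # Default policies (-P): deny anything arriving at or passing through the
    # gateway unless a rule below accepts it; the gateway's own outbound
    # traffic is allowed. Setting DENY first means that if a later command
    # fails, the box is left closed rather than open.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT

    # Loopback traffic is always accepted.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Anti-spoofing: a packet claiming a LAN source address can never
    # legitimately arrive on the external interface. Log it (-l) so the
    # attempt shows up in syslog, then drop it silently.
    $IPCHAINS -A input -i "$EXT_IF" -s "$LAN" -l -j DENY

    # Everything from the LAN side is accepted on input.
    $IPCHAINS -A input -i "$INT_IF" -s "$LAN" -j ACCEPT

    # From the outside, the only new TCP connection allowed is SSH to the
    # gateway itself.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT

    # ipchains keeps no connection state, so replies to connections the
    # gateway opened are let in by accepting TCP packets that are not
    # connection openers (-y matches the SYN that opens a connection,
    # ! -y matches every other TCP packet).
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # Any other external connection attempt is refused with an ICMP error
    # (REJECT) and logged.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -l -j REJECT

    # Masquerade the LAN out through the external interface. In the forward
    # chain -i names the interface the packet will leave on.
    $IPCHAINS -A forward -s "$LAN" -i "$EXT_IF" -j MASQ
}

# Second form of -D: delete a rule by repeating its specification rather
# than giving its number. The first rule matching the spec is removed.
drop_ssh_access() {
    $IPCHAINS -D input -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT
}

# -L with -n avoids DNS lookups (a listing that hangs on reverse lookups is
# a classic surprise once the resolver's replies are being dropped), -v shows
# interfaces and packet counters, and --line-numbers gives the numbers needed
# for the numeric form of -D.
show_firewall() {
    $IPCHAINS -L -n -v --line-numbers
}

case "${1:-}" in
    apply) apply_firewall ;;
    show)  show_firewall ;;
    *)     echo "usage: $0 apply|show  (set IPCHAINS='echo ipchains' for a dry run)" >&2 ;;
esac
```

Note that this ruleset lets the gateway itself send UDP but never receive UDP replies, so name resolution from the gateway will fail until a rule for that is added; the LAN hosts are unaffected because masqueraded replies are handled by the kernel before the input chain's DENY policy applies.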



Last edited June 21, 2003 12:29 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.