AE: yomoyomo v1.24j 2001 9 6 AE netfilter/iptables FAQ Harald Welte Version $Revision: 1.24 $, $Date: 2001/08/23 17:53:53 $ 1/2netfilter 1/4+-1/4 (Frequently Asked Questions)1/2 / / ' FAQ '1/4AE 1/4 -2- 1. 1/4 1.1 netfilter/iptables AE1/4(C) 1.2 netfilter Linux 2.2 1/4(C) 1.3 ICQ conntrack/NAT 1/41/4(C) 1.4 ip_masq_vdolive ip_masq_quake 1/4(C) 1.5 patch-o-matic (C)1/2(C) 1.6 ipnatctl 1/2'3/43/4(C) 2. 2.1 iptables-1.1.1 1/4 2.4.0-test4 3/4 2.2 iptables 1.1.0 1/4(2.3.99-pre8 ) 2.3 iptables-1.2.1a patch-o-matic AE1/4 2.4.4 AE 2.4 ipt_BALANCE, ip_nat_ftp, ip_nat_irc, ipt_SAME, ipt_NETMAP 2.5 Alan Cox 2.4.x-acXX 1/41/4AE 3. 1/4 3.1 NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> 224.bbb.bbb.bbb 3.2 NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> bbb.bbb.bbb.bbb 3.3 netfilter Linux 1/4AE 3.4 IRC 1/4DCC RESUME 1/2 3.5 SNAT AE(C) 3.6 ip_conntrack: maximum limit of XXX entries exceeded 3.7 2.2.x 1/4 'ipchains -L -M' AE / 1/4AEAE (C) 3.8 AE IP AE1/4(C) 3.9 iptables-1.2 iptables-save iptables-restore Segmentation Fault 1/2 3.10 iptables -L 1/41/21/4' 3.11 LOG 1/41/21/41/2 (C) 3.12 squid iptables AEAE(C)1/2 (C) 3.13 LOG 1/4(C) LOG DROP 3/4(C) 4. netfilter '1/4 4.1 ae1/4' QUEUE 1/4 4.2 1/4 4.3 1/21/21/2' (C) 5. AEAE -3- 1. 1/4 1/4+-AE netfilter '1/4( netfilter '1/4) 3/4 1.1. netfilter/iptables AE1/4(C) Netfilter IPtables Linux 2.4.x 1/4 1/4 1/4AE1/4AE ae1/4'1/4 'iptables' 1/4 netfilter 1/41/4AE1/41/2 1.2. netfilter Linux 2.2 1/4(C) 1/2 1/41/4AE 1/2AE AEaeAE 1.3. ICQ conntrack/NAT 1/41/4(C) Linux 2.2 IP 1/4'AE 3/4 ICQ (R) ip_masq_icq 1/4AE (:AE ip_masq_icq 1/4 AE1/41/2) 1/4 netfilter AE1/4 ICQ +-:) 1/2'AE Rusty(: netfilter 1/41/4 Rusty Russell ) AE1/4 netfilter 1/41/4 1/41/43/4+- ICQ 'AE1/4 '1/2(1/41/4 1/4(free beer)1/4RMS ) 1.4. ip_masq_vdolive ip_masq_quake 1/4(C) 1/2 netfilter AEnetfilter UDP AE'' +-(R)1/4 AEAE 1.5. 
patch-o-matic (C)1/2(C) 2.4.x 1/41/4ae1/2ae 1/41/4- ae1/4AE netfilter patch-o-matic AE netfilter 1/41/2patch-o- matic 3/4AEAE iptables +-1/4( CVS 1/21/43/4ae) netfilter 1/41/41/4patch-o-matic patch-o-matic ae1/41/4AE make patch-o-matic AE+-1/41/4 /usr/src/linux 3/4iptables +-1/4 make KERNEL_DIR={your-kernel-dir} patch-o-matic AEpatch-o-matic 1/4AE 1/41/21/41/2 '3/43/41/21/4 AE1/4 3/4(R)1/21/4 1.6. ipnatctl 1/2'3/43/4(C) ipnatctl 2.3.x 1/4netfilter '1/2'AE ae1/4' NAT 1/4AE AE1/4 ipnatctl 1/2AEiptables 1/4AE Netfilter 1/41/4 NAT HOWTO 3/4 (: NAT HOWTO AE ) 2. 2.1. iptables-1.1.1 1/4 2.4.0-test4 3/4 '1/2 AE"make" "make build" AE iptables 1.1.2 1/4 2.2. iptables 1.1.0 1/4(2.3.99-pre8 ) iptables AE1/2AEiptables 1.1.1 1/4AE -4- 2.3. iptables-1.2.1a patch-o-matic AE1/4 2.4.4 AE iptables-1.2.2 1/4netfilter CVS AE 2.4. ipt_BALANCE, ip_nat_ftp, ip_nat_irc, ipt_SAME, ipt_NETMAP 1/2 ip_nat_setup_info 3/4' 1.2.2 iptables AE'dropped-table' 'ftp-fixes' AE 1.2.2 iptables CVS 1/21/4AE3/4 'dropped-table' AE BALANCE, NETMAP, irc-nat, SAME, talk-nat ' 2.5. Alan Cox 2.4.x-acXX 1/41/4AE netfilter 1/4Linus 1/41/4 AE-ac 1/4'1/4' 3. 1/4 3.1. NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> 224.bbb.bbb.bbb 1/4+- NAT AE1/4 NAT 1/41/2 +-1/2 1/4AE: iptables -t mangle -I PREROUTING -j DROP -d 224.0.0.0/8 3.2. NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> bbb.bbb.bbb.bbb syslog 1/21/41/41/41/21/4: NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> bbb.bbb.bbb.bbb 1/4NAT 1/41/21/4 NAT 3/4+- +-'AE conntrack 3/4+-AE1/41/21/4 AE: conntrack 1/41/4ae3/4 (1/4) kmem_cache_alloc 1/4() (C)AE +-(1/43/4AE) (R) ICMP +- ICMP +-AE ICMP +-'AE +-3/41/4( 1/41/4+-) 1/41/4AE: iptables -t mangle -A PREROUTING -j LOG -m state --state INVALID 1/2+-AE1/4NAT 1/4AE'AE1/4 mangle AE1/4AE 3.3. netfilter Linux 1/4AE ''AE(C)(C)1/41/2+-(C) 1/4netfilter '1/4+-AE '1/41/2AE ' (C)1/41/4 3/41/4AE' 3.4. IRC 1/4DCC RESUME 1/2 1/21/23/4NAT 1/4+- 1/2NAT '- (C)1/4 1/2 -5- 3.5. 
SNAT AE(C) netfilter +-1/4 ae1/4AE SNAT 1/41/4 1234 3/4netfilter IP +-1/41/4ae1/2AE SNAT IP 3/4AE+-(R)1/4ae AE+-netfilter IP 1/4ae3/41/4AE 1/2 IP 3/4 3/4 IP 1/4+- 3.6. ip_conntrack: maximum limit of XXX entries exceeded 1/4 syslog ae''1/4 conntrack 1/41/41/21/2AE (C)1/2AE+- 3/4 'AE3/4 ( 64MB 4096 128MB 8192 ...) 3/4'+- swap 1/4 350 (C) 3/4 8192 1/4AEAE: echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max 3.7. 2.2.x 1/4 'ipchains -L -M' AE / 1/4AEAE (C) proc AEae/proc/net/ip_conntrack 3/41/4 1/2AE1/21/4 cat /proc/net/ip_conntrack 3.8. AE IP AE1/4(C) AE IP AE1/41/4AE1/21/4 cat /proc/net/ip_tables_names 3.9. iptables-1.2 iptables-save iptables-restore Segmentation Fault 1/2 '+-(R) CVS 1/21/4 1.2.1 iptables 1/4AE 3.10. iptables -L 1/41/21/4' iptables IP DNS AE AE1/4 2 1/2(R)3/4 1/4 2 DNS AE 1/4 IP (10.x.x.x 192.168.x.x ) AE3/4DNS 3/4 '1/4AE AE' DNS -n (numeric)AEAE iptables 3.11. LOG 1/41/21/41/2 (C) syslogd AE - LOG 1/4AE warning(4) AE kern (R) AEAEAE3/4 syslogd.conf man 1/43/4AE (C)AE debug(7) 1/21/41/4AE1/21/4 7 4 3/41/21/43/4 LOG 1/41/21/4 3/41/21/41/21/41/21/4 +-AE (syslog +-AE) 3.12. squid iptables AEAE(C)1/2 (C) DNAT REDIRECT 1/4 squid NAT 1/43/4AEREDIRECT AE : iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.22.33:3128 -6- 1/2squid AE ae3/4AE 3/43/4AEsquid 3/4 Squid 2.3 squid.conf 1/4: http_port 3128 httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on Squid 2.4 : httpd_accel_single_host off 3.13. LOG 1/4(C) LOG DROP 3/4(C) LOG 1/4ae1/21/4 1/2+-1/4AE1/21/2 LOG 1/4+-(R) 1/41/41/4 1/4AE+-'(C) '+-AE1/4': iptables -N logdrop iptables -A logdrop -j LOG iptables -A logdrop -j DROP +-AE'3/4 "-j logdrop" +- 4. netfilter '1/4 4.1. ae1/4' QUEUE 1/4 libipq ae1/4'+- AE'1/2 man 1/41/4iptables 1/4 1/4: make install-devel 1/4 libipq(3) 3/4 libipq Perl Perlipq 1/21/21/4 1/23/41/4AE: netfilter CVS testsuite/tools/intercept.c ipqmpd( 3/4) netfilter- tools nfqtest( 3/4) 4.2. 
1/4 netfilter 1/43/41/2'AE TODO 'AE anonymous CVS AE1/41/21/2 netfilter 1/41/4 CVSweb AE 1/4AE1/2 -7- 4.3. 1/21/21/2'(C) 1/23/4netfilter-devel 1/4AE AE'1/2 1/4: Subject [PATCH] 1/43/4'MIME 1/2 diff cvs-checkin/Changelog +- 1/4 `diff -u old new' 1/4 (3/4AE -p1 ) 5. AEAE AE Linux Japanese FAQ Project (R) '' JF yomoyomo AE AEAE- AE1/4 (R)'1/4(501/2) office 3/4(R) ae 1/2