Znyx Networks bh5700 Manuale Utente
action that will take place. For example, the rules:
iptables -a FORWARD -i zhp3 -j DROP
iptables -a FORWARD -i zhp3 -o zhp1 -p tcp --dport smtp -j ACCEPT
result in SMTP packets received on any port in zhp3 to be sent for any port in zhp1; all other
packets from zhp3 would be dropped. The order of the two rules in the FORWARD chain does
not matter.
packets from zhp3 would be dropped. The order of the two rules in the FORWARD chain does
not matter.
On the other hand, in the following sequence of rules, the position of the rule that drops SYN
packets is important. Since the set of fields it examines is not a subset of the fields examined by
the ACCEPT rules, and visa versa, the ordering rule given above does not apply. In this case, the
order it is applied will be the same as its position in the FORWARD chain, and all packets which
are TCP SYN packets from zhp5 for zhp3 will be DROPPED, even if they also match one of the
ACCEPT rules.
packets is important. Since the set of fields it examines is not a subset of the fields examined by
the ACCEPT rules, and visa versa, the ordering rule given above does not apply. In this case, the
order it is applied will be the same as its position in the FORWARD chain, and all packets which
are TCP SYN packets from zhp5 for zhp3 will be DROPPED, even if they also match one of the
ACCEPT rules.
iptables -a FORWARD -i zhp5 -o zhp3 -j DROP
iptables -a FORWARD -i zhp5 -o zhp3 -p tcp --sport smtp -j ACCEPT
iptables -a FORWARD -i zhp5 -o zhp3 -p udp --sport domain -j ACCEPT
iptables -a FORWARD -i zhp5 -o zhp3 -p tcp --sport domain -j ACCEPT
iptables -a FORWARD -i zhp5 -o zhp3 -p tcp --sport www -j ACCEPT
iptables -a FORWARD -i zhp5 -o zhp3 -p tcp --sport 23 -j ACCEPT # rsync
iptables -a FORWARD -i zhp5 -o zhp3 -p tcp --syn -j DROP
iptables and filtering
iptables is a firewall management user-space utility used in conjunction with the Linux 2.4
kernels. iptables takes advantage of the netfilter 2.4 kernel code.
kernels. iptables takes advantage of the netfilter 2.4 kernel code.
In addition, the iptables utility is extended with a few more targets to support the hardware
filtering functionality used in the Broadcom BCM5695 silicon on the base switch. Generally, all
of the iptables functionality is usable with a few minor extensions.
filtering functionality used in the Broadcom BCM5695 silicon on the base switch. Generally, all
of the iptables functionality is usable with a few minor extensions.
A more detailed source on IPtables can be found at:
Almost all the contents described here are derived from there.
There are also many tutorials and iptables manipulation tools, both graphical and command
line. This is expressive of the Open Architect concept. A good place to start is:
line. This is expressive of the Open Architect concept. A good place to start is:
Ethernet Switch Blade User's Guide
release 3.2.2j
page 108