
NAME

       /etc/netscript/ipfilter-defs    -   netscript   ipfilter-defs   compile
       definitions directory.

DESCRIPTION

       This manual page briefly documents the compile definition files used
       by the netscript-compile(8) command from the netscript router/firewall
       network configuration package.  The compiler produces a compiled
       iptables rules file, /etc/netscript/ipfilter-defs.conf (a shell script
       fragment), which is sourced by the netscript(8) command to configure
       the iptables(8) firewall rules in the kernel.

STARTUP COMPILATION

       The rules can be compiled and loaded automatically on boot by setting
       the IPV4_CONFIGURE_SWITCH switch in network.conf(5) to the name of the
       function used to configure the kernel.  Net-compile(8) creates this
       function as Configure.  If this switch is set, the netscript startup
       runs netscript-compile(8) to make sure everything is up to date, then
       loads the rules from /etc/netscript/ipfilter-defs.conf together with
       the settings in network.conf(5) that establish packet grooming and
       configure the built-in kernel netfilter INPUT and FORWARD chains in
       the filter table.  If compilation fails, the previous rule set is kept
       and used instead.  See the netscript(8) manpage for how to load and
       use backup copies of the rule set.

CHAIN STRUCTURE

       Each chain in the iptables(8) filter table is set up by a corresponding
       construction function of the same name as the chain.  The chains are
       laced into the iplcl chain (which is laced into INPUT) and the ipfwd
       chain (laced into FORWARD) respectively.  The forwarding control chains
       are set up to take traffic in both directions: the destination
       network/interface and source network/interface are matched in the
       lacing chain, and the network protocol and port are tied down in each
       specific chain.

       For the new in-kernel Linux IPSEC, traffic to and from the VPN can be
       controlled via the iptables policy match module, if you have it patched
       and compiled into your kernel and iptables.  Future versions of the
       kernel and iptables should have this included in the distributed
       source.

FILE STRUCTURE

       All the files defining the rule set are in the
       /etc/netscript/ipfilter-defs directory.  The network-defs file is used
       to define the regions and network blocks used in the rest of the rules.
       The prototypes-defs file is used to define prototype rules that can be
       referenced elsewhere in the rule set.  The prototypes.sh file is used
       to construct shell functions for the netscript-compile(8) command that
       can be used in the definitions files.  DNAT and SNAT are set up in the
       dnat-defs and masq-defs files respectively.  Any file ending in .def is
       taken as general rule set input for netscript-compile(8).

       The files generally take the form of tables, with the columns tab or
       space separated.  The '#' character is supported for commenting, and
       comments can be on a line by themselves or at the end of a
       configuration line.  Everything after the '#' is treated as a comment
       by the netscript-compile(8) compiler.

RULE STRUCTURE

       The structure of the rule sets is as follows.  Each chain is started by
       calling a shell compilation function (generally ipv4_compile_chain) to
       create the chain, with the chain name and source/destination regions as
       arguments; each rule in the chain then starts a fresh line with the
       chain name in the first column.

       Regions  are  defined  as  network  interface tuples, and are set up in
       network-defs.   They  are  syntactically  the  same  as  shell   script
       variables,  and  are  used  the  same  way  in the .def rule set files.
       Technically this magic is achieved by using eval within the  netscript-
       compile(8) shell script.

       Any interface name can have either of the keywords =clear or =ipsec
       appended to it, using the '=' character on the end of the interface
       name.  This is used to specifically match IPSEC traffic, or non-IPSEC
       traffic, going over the interface.  Typically you would use this when
       defining a region, though the syntax is valid elsewhere as well.  It is
       recommended that you use this feature to prevent packet injection from
       adjacent external sources when setting up iptables rules for VPN tunnel
       traffic.

       The regions are given as arguments to the  compilation  function,  with
       the  region  always being 2 arguments in network/interface order to the
       function.

       Each chain rule in the chain is defined by giving first of all the
       chain name, then the rule type, and its direction.  All columns after
       the 3rd one are specific to and are defined by the rule type.  The
       direction may have a '-' in it.

       The  rules  produced  by the compiler use the iptables connection based
       state tracking.  Packet by packet rules will be added later.

EXAMPLE

       Here is an example of part of a .def file:

              # Access from Office to internet
              #          - only allow outgoing tcp and UDP
              # and ping traffic - anything else is most
              # like a tunneling protocol.
              # We have VPNs for tunneling
              ipv4_compile_chain -p 90 offcInet droplog $OFFICE_REGN $INTERNET_REGN
              offcInet       ACCEPT_EST      BOTH
              offcInet       ACCEPT_PING     L2R
              offcInet       ACCEPT_TCP      L2R     1:65535
              offcInet       ACCEPT_UDP      L2R     1:65535

       The  ACCEPT_EST  line  accepts  packets  for  ESTABLISHED  and  RELATED
       connections  to  the  new  ones  already accepted.  New connections are
       accepted by the ACCEPT_PING, ACCEPT_TCP, and ACCEPT_UDP rules.   Please
       see the iptables(8) manpage for the details on stateful filtering.
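       To make the chain structure concrete, here is an added illustration
       (not netscript-compile's real output, and not part of the package)
       that prints the iptables commands the structure described above
       implies for the example .def: the lacing rules in ipfwd carry the
       networks and interfaces of both regions, the chain's own rules carry
       state, protocol and port, and droplog ends the chain with a LOG and a
       DROP.  The region values 192.0.2.0/24 eth1 and 0.0.0.0/0 eth0 are
       constructed, the -p priority is read and ignored, and matching a
       rule's direction inside the chain by the region's interface pair is
       this sketch's own assumption.

```shell
#!/bin/sh
# Added illustration, not netscript-compile's real output: a toy emitter that
# turns the example .def lines above into the iptables commands implied by
# the chain structure described on this page. It prints the commands rather
# than running them. Region values are constructed, and matching a rule's
# direction by the region's interface pair is an assumption of this sketch.

OFFICE_REGN="192.0.2.0/24 eth1"   # constructed: office network, inside interface
INTERNET_REGN="0.0.0.0/0 eth0"    # constructed: the internet, outside interface

# compile_chain CHAIN DEFAULT-TARGET FROM-NET FROM-IF TO-NET TO-IF
# Creates the chain and laces it into ipfwd in both directions: the lacing
# rules carry network and interface, the chain's own rules protocol and port.
compile_chain() {
    CUR_CHAIN=$1; CUR_TARGET=$2; FROM_IF=$4; TO_IF=$6
    echo "iptables -N $1"
    echo "iptables -A ipfwd -s $3 -i $4 -d $5 -o $6 -j $1"
    echo "iptables -A ipfwd -s $5 -i $6 -d $3 -o $4 -j $1"
}

# iface_match DIRECTION: interface pair for the current chain's regions
# (left = from-region, right = to-region; BOTH or '-' matches either way)
iface_match() {
    case "$1" in
        L2R)    echo "-i $FROM_IF -o $TO_IF" ;;
        R2L)    echo "-i $TO_IF -o $FROM_IF" ;;
        BOTH|-) echo "" ;;
        *)      echo "unknown direction: $1" >&2; return 1 ;;
    esac
}

# chain_rule CHAIN RULE-TYPE DIRECTION [DST-PORT-RANGE]
# Only the rule types used in the example above are handled; all of them
# rely on the iptables state match, as the page describes.
chain_rule() {
    m=$(iface_match "$3") || return 1
    case "$2" in
        ACCEPT_EST)  echo iptables -A "$1" $m -m state --state ESTABLISHED,RELATED -j ACCEPT ;;
        ACCEPT_PING) echo iptables -A "$1" $m -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT ;;
        ACCEPT_TCP)  echo iptables -A "$1" $m -p tcp --dport "$4" -m state --state NEW -j ACCEPT ;;
        ACCEPT_UDP)  echo iptables -A "$1" $m -p udp --dport "$4" -m state --state NEW -j ACCEPT ;;
        *)           echo "unsupported rule type: $2" >&2; return 1 ;;
    esac
}

# finish_chain: append the default target; droplog logs with the default
# 'Chain: <chain-name>' message and then drops
finish_chain() {
    case "$CUR_TARGET" in
        droplog)     echo "iptables -A $CUR_CHAIN -j LOG --log-prefix 'Chain: $CUR_CHAIN '"
                     echo "iptables -A $CUR_CHAIN -j DROP" ;;
        log)         echo "iptables -A $CUR_CHAIN -j LOG --log-prefix 'Chain: $CUR_CHAIN '" ;;
        DROP|RETURN) echo "iptables -A $CUR_CHAIN -j $CUR_TARGET" ;;
        *)           echo "unknown default target: $CUR_TARGET" >&2; return 1 ;;
    esac
}

# compile_def < file: iptables commands on stdout; returns 1 if a line is bad
compile_def() {
    rc=0; CUR_CHAIN=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # everything after '#' is a comment
        set -- $line                     # split columns on whitespace
        [ $# -eq 0 ] && continue
        if [ "$1" = ipv4_compile_chain ]; then
            shift
            while [ "$1" = -p ]; do shift 2; done   # lacing priority: ignored here
            eval "compile_chain $*"      # eval expands the $REGION names, as the page notes
        else
            chain_rule "$@" || rc=1
        fi
    done
    if [ -n "$CUR_CHAIN" ]; then finish_chain || rc=1; fi
    return $rc
}
```

       Piping the example .def above into compile_def prints seven commands:
       the chain creation, the two lacing rules in ipfwd, one rule per .def
       line, and the LOG plus DROP that droplog stands for.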

COMPILE FUNCTIONS

       Unless a function is defined in prototypes.sh, there is only one
       function provided.  However this is not limiting, as there is a
       facility for rule macros, as well as the ability to tell the function
       to use one of the default base rule sets.

       If you do define a function in prototypes.sh, be careful to handle all
       errors from function and command calls, as otherwise netscript-
       compile(8) will abort: it runs with set -e in effect.

       The only defined compile function for IPv4 is:

       ipv4_compile_chain [-i] [-n] [-b base-chain] [-p priority]
       [-s slave-chain] <chain-name> <default-target> <from-net> <from-if>
       [<to-net> <to-if>]

       The source region and the (optional) destination region come at the
       end.  The default-target is one of RETURN, DROP, droplog, or log.

       The options to this function are as follows:

       -i     Create  an  input  chain  for  attaching to iplcl instead of the
              default forward chain for attaching to ipfwd.

       -n     Don’t lace the chain into iplcl or ipfwd.

       -b base-chain
              Specify an alternate ruleset chain to use.

       -s slave-chain
              Configure/deconfigure this chain as well as the  one  specified.
              Useful for adjusting input rule set when manipulating the access
              chain for an IPsec VPN.

       -p priority
              Specify the priority of  the  chain  in  the  lacing  rule  set.
              Priority  is between 00 and 99, with 00 at the top of the lacing
              chain, and 99 at the bottom. This is useful for making sure that
              host  specific  rule  sets  occur  before  more  general network
              related ones, and for  putting  Internet  related  ones  at  the
              bottom of the lacing chain.

DIRECTION STATEMENTS

       The direction is as per FreeS/WAN - it uses left and right terminology.

       The possible directions are as follows:

       L2R|LEFT2RIGHT|INTERNAL2EXTERNAL|INTERN2EXTERN|I2E|INT2EXT
              Left to Right, Internal to External

       R2L|RIGHT2LEFT|EXTERNAL2INTERNAL|EXTERN2INTERN|E2I|EXT2INT
              Right to Left, External to Internal

       BOTH|- Both directions, also written as '-' (i.e. no direction given).

AVAILABLE CHAIN RULES

       Here are the valid chain rules, and the arguments they expect.

       COMMENT [word1] [word2] ...
              Insert a comment into the compiled shell script.  Fill the 3rd
              column (direction) in with '-'.

       MACRO <macro-name>
              Specify a macro rule set.  The rule set name must start with
              'MACRO_'.  Direction again should be '-'.

       LOG [word1] [word2] ...
              Insert a logging rule using the given log message, or if none
              is given, using the current log message for the chain.

       LOG_MSG [word1] [word2] ...
              Set the log message for the chain away from the default of
              'Chain: <chain-name>' or from a previous LOG_MSG setting.  Up
              to 26 letters can be used before the truncation limit is
              reached.

       RESET_LOG_MSG
              Reset the log message to the default of 'Chain: <chain-name>'.

       REJECT_SMB
              Jump  to  smb  control  chain.  Creates smb chain if it does not
              already exist.

       DROP_MARTIANS
              Jump to martian source address control chain.  Creates chain  if
              it does not already exist.

       LOG_PORTSCAN
              Use the psd module to detect and log portscans.  Creates the
              portscan log chain (if not already there), which puts 'PORTSCAN
              DETECTED - ' in the log.

       DROP_BROADCAST
              Drop ethernet broadcast packets.

       LOG_BROADCAST
              Log ethernet broadcast packets with the current log messages for
              the chain.

       ACCEPT_EST
              Accept ESTABLISHED,RELATED packets via the iptables(8) state
              module.

       ACCEPT_RELATED
              Accept  RELATED packets via the iptables(8) state module. Useful
              for ICMP type 3 packets used for maximum MTU detection.

       ACCEPT_PROTO <protocol>
              Accept NEW connections for a  protocol.  Accepts one argument in
              the 4th column which is the protocol name from /etc/protocols or
              the protocol number between 0 and 255.

       REJECT_PROTO <protocol>
              Reject NEW connections for a  protocol with ICMP reject packets.
              Accepts  one  argument  in  the 4th column which is the protocol
              name from /etc/protocols or the protocol number  between  0  and
              255.

       DROP_PROTO <protocol>
              Drop all packets for a  protocol with nothing in reply.  Accepts
              one argument in the 4th column which is the protocol  name  from
              /etc/protocols or the protocol number between 0 and 255.

       LOG_PROTO <protocol>
              Log  NEW connections for a protocol with the current log message
              for the chain.  Accepts one argument in the 4th column which  is
              the  protocol  name  from  /etc/protocols or the protocol number
              between 0 and 255.

       ACCEPT_TCP [src-port-range] <dst-port-range>
              Accept NEW TCP connections.  If one argument is given, it is
              the destination port (range).  If 2 arguments, the first is the
              source port (range), and the second the destination port
              (range).  Port ranges are specified by separating them with a
              ':' character, and ports must be in the /etc/services file, or
              a number between 0 and 65535.

       REJECT_TCP [src-port-range] <dst-port-range>
              Reject NEW TCP connections with an ICMP REJECT packet.  If one
              argument is given, it is the destination port (range).  If 2
              arguments, the first is the source port (range), and the second
              the destination port (range).  Port ranges are specified by
              separating them with a ':' character, and ports must be in the
              /etc/services file, or a number between 0 and 65535.

       DROP_TCP [src-port-range] <dst-port-range>
              Drop all TCP packets, returning nothing at all.  If one
              argument is given, it is the destination port (range).  If 2
              arguments, the first is the source port (range), and the second
              the destination port (range).  Port ranges are specified by
              separating them with a ':' character, and ports must be in the
              /etc/services file, or a number between 0 and 65535.

       LOG_TCP [src-port-range] <dst-port-range>
              Log NEW TCP connections with the current log text for the
              chain.  If one argument is given, it is the destination port
              (range).  If 2 arguments, the first is the source port (range),
              and the second the destination port (range).  Port ranges are
              specified by separating them with a ':' character, and ports
              must be in the /etc/services file, or a number between 0 and
              65535.

       ACCEPT_UDP [src-port-range] <dst-port-range>
              Accept NEW UDP connections.  If one argument is given, it is
              the destination port (range).  If 2 arguments, the first is the
              source port (range), and the second the destination port
              (range).  Port ranges are specified by separating them with a
              ':' character, and ports must be in the /etc/services file, or
              a number between 0 and 65535.

       REJECT_UDP [src-port-range] <dst-port-range>
              Reject NEW UDP connections with an ICMP REJECT packet.  If one
              argument is given, it is the destination port (range).  If 2
              arguments, the first is the source port (range), and the second
              the destination port (range).  Port ranges are specified by
              separating them with a ':' character, and ports must be in the
              /etc/services file, or a number between 0 and 65535.

       DROP_UDP [src-port-range] <dst-port-range>
              Drop all UDP packets, returning nothing at all.  If one
              argument is given, it is the destination port (range).  If 2
              arguments, the first is the source port (range), and the second
              the destination port (range).  Port ranges are specified by
              separating them with a ':' character, and ports must be in the
              /etc/services file, or a number between 0 and 65535.

       LOG_UDP [src-port-range] <dst-port-range>
              Log NEW UDP connections with the current log message for the
              chain.  If one argument is given, it is the destination port
              (range).  If 2 arguments, the first is the source port (range),
              and the second the destination port (range).  Port ranges are
              specified by separating them with a ':' character, and ports
              must be in the /etc/services file, or a number between 0 and
              65535.

       ACCEPT_PING
              Accept ICMP type 8 echo request packets for network diagnosis.

       DROP_PING
              Drop ICMP type 8 packets with no reply.

       LOG_PING
              Log  an  ICMP  echo request with the current log message for the
              chain.

       ACCEPT_TCP_NET [src_network [src-port-range]] <dst-network>
       <dst-port-range>
              Accept NEW TCP connections from the given source (optional) to
              the destination.  Networks are given in IPv4 address/netmask or
              address/masklen format.  Port ranges are specified by
              separating them with a ':' character, and ports must be in the
              /etc/services file, or a number between 0 and 65535.

       REJECT_TCP_NET [src_network [src-port-range]] <dst-network>
       <dst-port-range>
              Reject NEW TCP connections with an ICMP reject packet which
              come from a given source (optional), going to the given
              destination.  Networks are given in IPv4 address/netmask or
              address/masklen format.  Port ranges are specified by
              separating them with a ':' character, and ports must be in the
              /etc/services file, or a number between 0 and 65535.

       DROP_TCP_NET [src_network [src-port-range]] <dst-network>
       <dst-port-range>
              Drop all TCP packets which come from a given source (optional),
              going to the given destination.  Networks are given in IPv4
              address/netmask or address/masklen format.  Port ranges are
              specified by separating them with a ':' character, and ports
              must be in the /etc/services file, or a number between 0 and
              65535.

       LOG_TCP_NET [src_network [src-port-range]] <dst-network>
       <dst-port-range>
              Log all NEW TCP connections from the given source (optional) to
              the destination, with the current log message for the chain.
              Networks are given in IPv4 address/netmask or address/masklen
              format.  Port ranges are specified by separating them with a
              ':' character, and ports must be in the /etc/services file, or
              a number between 0 and 65535.

       ACCEPT_UDP_NET [src_network [src-port-range]] <dst-network>
       <dst-port-range>
              Accept NEW UDP connections from the given source (optional) to
              the destination.  Networks are given in IPv4 address/netmask or
              address/masklen format.  Port ranges are specified by
              separating them with a ':' character, and ports must be in the
              /etc/services file, or a number between 0 and 65535.

       REJECT_UDP_NET [src_network [src-port-range]] <dst-network>
       <dst-port-range>
              Reject NEW UDP connections with an ICMP reject packet which
              come from a given source (optional), going to the given
              destination.  Networks are given in IPv4 address/netmask or
              address/masklen format.  Port ranges are specified by
              separating them with a ':' character, and ports must be in the
              /etc/services file, or a number between 0 and 65535.

       DROP_UDP_NET [src_network [src-port-range]] <dst-network>
       <dst-port-range>
              Drop all UDP packets which come from a given source (optional),
              going to the given destination.  Networks are given in IPv4
              address/netmask or address/masklen format.  Port ranges are
              specified by separating them with a ':' character, and ports
              must be in the /etc/services file, or a number between 0 and
              65535.

       LOG_UDP_NET [src_network [src-port-range]] <dst-network>
       <dst-port-range>
              Log all NEW UDP connections from the given source (optional) to
              the destination, with the current log message for the chain.
              Networks are given in IPv4 address/netmask or address/masklen
              format.  Port ranges are specified by separating them with a
              ':' character, and ports must be in the /etc/services file, or
              a number between 0 and 65535.

       ACCEPT_IFACE <interface>
              Accept all incoming NEW connections from an incoming interface.

       REJECT_IFACE <interface>
              Reject all incoming NEW connections from an interface with an
              ICMP reject packet.

       DROP_IFACE <interface>
              Drop all incoming packets from an interface.

       LOG_IFACE <interface>
              Log all incoming NEW connections from an interface.

       ACCEPT_NET <network>
              Accept all NEW connections from a network.  The network is
              given in IPv4 address/netmask or address/masklen format.

       REJECT_NET <network>
              Reject all NEW connections from a network with an ICMP reject
              packet.  The network is given in IPv4 address/netmask or
              address/masklen format.

       DROP_NET <network>
              Drop all packets from a network.  The network is given in IPv4
              address/netmask or address/masklen format.

       LOG_NET <network>
              Log all NEW connections from a network.  The network is given
              in IPv4 address/netmask or address/masklen format.

FILES

       /etc/netscript/ipfilter-defs.conf,
       /etc/netscript/ipfilter-defs-compiled.conf,
       /etc/netscript/ipfilter-defs directory.

SEE ALSO

       netscript-compile(8), iptables(8), ip6tables(8), netscript(8).

AUTHOR

       This     manual     page     was     written     by    Matthew    Grant
       <grantma@anathoth.gen.nz>, for the Debian GNU/Linux system (but may  be
       used by others).

BUGS

       I wrote this manpage when I was not half asleep...

       Some things are missing from this manpage...

       DNAT documentation is missing, but it is obvious from the configuration
       file.

       SNAT documentation is missing, but it is obvious from the configuration
       file.

                                March 25, 2003