Updated kernel 2.6.24 to 2.6.24, adding pom from Netfilter to do Multi-WAN and Block bit.
iptables features added with pom:
Ref:
http://www.netfilter.org/projects/patch-o-matic/pom-external.html
patch-o-matic external repository
Patches covered: ACCOUNT, IPMARK, condition, connlimit, geoip, ipp2p, pknock, time
ACCOUNT
Author: Intra2net AG <opensource@intra2net.com>
Status: Stable
This patch adds the ACCOUNT target
The ACCOUNT target is a high performance accounting system for local networks.
It takes two parameters: --addr network/netmask and --tname NAME.
--addr is the subnet which is accounted for
--tname is the table name where the information is stored
The data can be queried later using the libipt_ACCOUNT userspace library
or by the "iptaccount" tool which is part of the libipt_ACCOUNT package.
A special subnet is "0.0.0.0/0": All data is stored in the src_bytes
and src_packets structure of slot "0". This is useful if you want
to account the overall traffic to/from your internet provider.
For more information go to
http://www.intra2net.com/de/produkte/opensource/ipt_account/
IPMARK - iptables IPMARK target
Author: Grzegorz Janoszka <Grzegorz@Janoszka.pl>
Status: Stable
This option adds an `IPMARK' target, which allows you to mark
a received packet based on its IP address. This can replace even
thousands of mangle/mark or tc entries with only one.
This target is to be used inside the mangle table, in the PREROUTING,
POSTROUTING or FORWARD hooks.
IPMARK target options:
--addr src/dst Use source or destination IP address.
--and-mask mask Perform bitwise `and' on the IP address and this mask.
--or-mask mask Perform bitwise `or' on the IP address and this mask.
The order of IP address bytes is reversed to meet "human order of bytes":
192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
`or'.
Examples:
We create a queue for each user; the queue number corresponds
to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
are directed to queue 1:0502, 192.168.5.12 -> 1:050c etc.
Earlier we had thousands of tc filter rules:
tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.2 flowid 1:502
tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.3 flowid 1:503
...
or thousands of MARK rules (with tc fw classifier):
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK \
    --set-mark 0x10502
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK \
    --set-mark 0x10503
...
Using IPMARK target we can replace all the mangle/mark rules with ONLY ONE:
iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst \
    --and-mask=0xffff --or-mask=0x10000
and all previous tc filter classifier rules with ONLY ONE:
tc filter add dev eth3 parent 1:0 protocol ip fw
On routers with hundreds of users this should give a significant load
decrease (e.g. by half).
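A worked check of the and/or arithmetic above, added here as an example (it is not code from the pom page): it computes the mark IPMARK would set for an address, shows how the tc fw classifier reads that mark as a class id, and confirms that the single IPMARK rule reproduces every per-host MARK rule for a constructed user subnet.

```python
import ipaddress

def ip_as_int(addr):
    """Address as a 32-bit integer in the 'human order of bytes':
    192.168.0.1 -> 0xc0a80001."""
    return int(ipaddress.IPv4Address(addr))

def ipmark(addr, and_mask=0xFFFFFFFF, or_mask=0):
    """Mark set by '-j IPMARK --and-mask X --or-mask Y' for this address:
    the AND is applied first, then the OR."""
    return (ip_as_int(addr) & and_mask) | or_mask

def fw_classid(mark):
    """How 'tc filter ... fw' turns a mark into a class id: the high 16 bits
    are the major handle and the low 16 bits the minor, so 0x10502 -> 1:502."""
    return f"{mark >> 16:x}:{mark & 0xFFFF:x}"

def legacy_mark(addr):
    """Mark from the old per-host MARK rules: 0x1 followed by the last two
    octets of the address (192.168.5.2 -> 0x10502)."""
    o = [int(x) for x in addr.split(".")]
    return 0x10000 | (o[2] << 8) | o[3]

def legacy_mark_rule(addr, iface="eth3"):
    """One of the thousands of MARK rules that IPMARK replaces."""
    return (f"iptables -t mangle -A POSTROUTING -o {iface} -d {addr} "
            f"-j MARK --set-mark {legacy_mark(addr):#x}")

def ipmark_replaces_legacy(network, and_mask=0xFFFF, or_mask=0x10000):
    """True when the single IPMARK rule yields the same mark as the per-host
    rule for every host in `network` (a constructed sample, e.g. a user /16)."""
    return all(ipmark(str(h), and_mask, or_mask) == legacy_mark(str(h))
               for h in ipaddress.IPv4Network(network).hosts())

if __name__ == "__main__":
    for addr in ("192.168.5.2", "192.168.5.12"):
        m = ipmark(addr, 0xFFFF, 0x10000)
        print(f"{addr:15} mark {m:#x}  class {fw_classid(m)}")
    print(ipmark_replaces_legacy("192.168.0.0/16"))
```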
condition
Author: Stephane Ouellette <ouellettes@videotron.ca> and Massimiliano Hofer <max@nucleus.it>
Status: ItWorksForMe(tm)
This option allows you to match firewall rules against condition variables
stored in the /proc/net/nf_condition directory (see the note below for 2.4).
Multiple rules can match on a single condition variable.
Example:
iptables -A INPUT -p tcp -m condition --condition web_ok --dport 80 -j ACCEPT
To allow this rule to match:
echo 1 > /proc/net/nf_condition/web_ok
To disable this rule:
echo 0 > /proc/net/nf_condition/web_ok
NB: it was /proc/net/ipt_condition on 2.4.
connlimit - iptables connlimit match
Author: Gerd Knorr <kraxel@bytesex.org>
Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the number of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
geoip - iptables geoip match
Author: Samuel Jean <peejix@people.netfilter.org>; Nicolas Bouliane <acidfu@people.netfilter.org>
Status: Stable
This patch makes it possible to match a packet
by its source or destination country.
GeoIP options:
[!] --src-cc, --source-country country[,country,country,...]
    Match packets coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country,country,...]
    Match packets going to (one of) the specified country(ies)
NOTE: The country is given by its ISO3166 code.
The only extra files you need are a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at
http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.
ipp2p - Detects some P2P packets
Author: Eicke Friedrich <ipp2p@ipp2p.org>
Status: Stable
This option makes it possible to match some P2P packets
and therefore helps control such traffic. Dropping all
matches prohibits P2P networks. Combined with conntrack,
CONNMARK and a packet scheduler it can be used for
accounting or shaping of P2P traffic.
Examples:
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
pknock - netfilter match for Port Knocking and SPA
Author: J. Federico Hernandez Scarso <fede.hernandez@gmail.com>; Luis A. Floreani <luis.floreani@gmail.com>
Status: Stable
This patch allows you to implement Port Knocking and SPA (Simple Packet
Authentication) in kernel space.
pknock options:
--knockports port[,port,port,...]   Matches destination port(s).
--time seconds, --t seconds         Time allowed between port matches.
--opensecret [secret]               HMAC must be present in the packets.
--closesecret [secret]
--strict                            Knock sequence must be exact.
--name [rule_name]                  Rule name.
--checkip, --chkip                  Matches if the source ip is in the list.
Example:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW \
-m pknock --knockports 3000,2000,5000 --time 10 --name SSH \
-m tcp --dport 22 -j ACCEPT
For more information go to
http://portknocko.berlios.de/
time - iptables ``time'' match
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: Works within its limitations
This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).
Supported options are:
[ --timestart value ]
Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
[ --timestop value ]
Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
[ --days listofdays ]
Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
[ --datestart date ]
Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 1970)
[ --datestop date ]
Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 2037)
Example:
-A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
to Friday.
-A OUTPUT -m time --timestart 8:00 --timestop 18:00 --days Mon --datestop 2010
will match the (locally generated) packets that have a departure timestamp
in the range 8:00->18:00 on Monday only, until 2010.
NOTE: the time match does not track changes in daylight savings time
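To make the inclusive-range and date-format rules concrete, here is an added example (not part of the pom documentation) that evaluates a `-m time` rule against a timestamp the way the options above describe. Where the text is silent on how a short date such as `2010` is filled out, the code assumes the lowest value for each omitted field.

```python
from datetime import datetime, time

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order

def parse_hhmm(s):
    """'8:00' or '18:00' -> time; the HH:MM format carries no seconds."""
    h, m = s.split(":")
    return time(int(h), int(m))

def parse_date(s):
    """Parse YYYY[:MM[:DD[:hh[:mm[:ss]]]]]. Assumption (the page does not say):
    fields left out take their lowest value, so '2010' means 2010:01:01:00:00:00."""
    parts = [int(p) for p in s.split(":")]
    lowest = [1970, 1, 1, 0, 0, 0]
    return datetime(*(parts + lowest[len(parts):]))

def time_match(ts, timestart="00:00", timestop="23:59", days=None,
               datestart="1970", datestop="2037"):
    """Evaluate '-m time' for a wall-clock timestamp given as ISO text
    ('2008-03-03 09:30:00'). Every bound is inclusive, as documented; the
    clock is taken as-is, so DST changes are not tracked (see the NOTE)."""
    when = datetime.fromisoformat(ts)
    clock = time(when.hour, when.minute)  # HH:MM granularity, like the bounds
    if not parse_hhmm(timestart) <= clock <= parse_hhmm(timestop):
        return False
    if days and DAYS[when.weekday()] not in days.split(","):
        return False
    return parse_date(datestart) <= when <= parse_date(datestop)

if __name__ == "__main__":
    # The two rules from the text, checked against constructed timestamps.
    office = dict(timestart="8:00", timestop="18:00", days="Mon,Tue,Wed,Thu,Fri")
    for ts in ("2008-03-03 09:30:00", "2008-03-01 09:30:00", "2008-03-03 18:00:45"):
        print(ts, time_match(ts, **office))
    print(time_match("2011-03-07 09:00:00", timestart="8:00", timestop="18:00",
                     days="Mon", datestop="2010"))
```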