Kernel Korner - The Hidden Treasures of iptables

With these powerful add-ons for iptables you can match strings or port ranges in iptables rules or even create a tar pit for network abusers.
Randomizing

The random match module matches packets based on nothing more than a random choice. You can tune the logic by setting the probability that a packet is matched anywhere between 0% and 100% of the time. Example applications include simulating a faulty connection or server or distributing load across multiple mirrored Web servers. The example below distributes Web traffic among three servers. The first rule sends 33% of the connections to the server at 192.168.0.100. The next 33% is sent to 192.168.0.101 and the last third catches the remainder and passes them to 192.168.0.102:


iptables -t nat -A PREROUTING -i eth0 -p tcp \
   --dport 80 --syn -m random --average 33 \
   -j DNAT --to-destination 192.168.0.100:80

iptables -t nat -A PREROUTING -i eth0 -p tcp \
   --dport 80 --syn -m random --average 50 \
   -j DNAT --to-destination 192.168.0.101:80

iptables -t nat -A PREROUTING -i eth0 -p tcp \
   --dport 80 --syn -j DNAT \
   --to-destination 192.168.0.102:80

As before, this assumes that eth0 is the Internet-facing interface.

A Lot More Where They Came From

Dozens of treasures can be dug up and enjoyed. I have described a small handful here, but there are plenty more. Simply running the runme script and reading the patch descriptions as they are displayed is one way of getting an idea of what is available. Here are a few more examples of what you can find:

  • Connection tracking for RSH, MMS (media streaming), PPTP, Quake, RPC and Talk.

  • Extended support for configuration and status information access through the /proc filesystem.

  • Extended support for IPv6 features.

  • Manipulation of options, TTL and more in IP packets.

  • Finer control over NATed connections.

  • Control over limits on quota and bandwidth usage.

  • Anti-OS fingerprinting logic and port-scan detection.

  • Connection marking (and mark testing).

Sources of Wisdom

The patches added with POM don't add their descriptions to the iptables man page, so we need to turn elsewhere for documentation. The basic syntax used to invoke these extensions can be displayed using the iptables built-in help facility. For example, iptables -m random -help gives the usual help message but with the random module's parameters displayed at the end. The same technique can be applied to the other modules.

You also can refer to the module help files held in the Patch-o-matic directory structure. The file for random is base/random.patch.help. Similar files can be found for the other patches.

Finally, make use of the Netfilter Web site, www.netfilter.org/patch-o-matic, which contains a description of each of the POM patches.

Installing New iptables Modules

The majority of iptables extensions have two parts, a patch to the Linux kernel and a configuration helper library for use by the iptables user-space program. The detailed procedure for adding a POM module to the kernel and the iptables tools is outlined at www.lowth.com/howto/add-iptables-modules.php. In summary, the steps we need to take are bring your system up to date; download the latest Patch-o-matic sources; patch the kernel using the runme script; recompile and install the patched kernel; and recompile and install the iptables software.

Conclusion

We have seen that Linux's Netfilter provides an excellent set of features for building effective firewalls, but not all of these features are installed by default on many Linux distributions. The Patch-o-matic software allows administrators to extend the base functionalities of their firewalls through an automated approach to patching the Linux kernel.

To finish, take this thought with you: we have seen that iptables/Netfilter has a number of exciting possibilities hidden away from initial inspection. The chances are high that the same is true for other packages. This is part of the joy of open-source software; nothing is truly hidden. Everything that exists is waiting there for the skilled seeker to find.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

awsome

Anonymous's picture

great information, thanks alot.

Xtables-addons is the successor to patch-o-matic(-ng)

Danny Rawlins's picture

Xtables-addons is the successor to patch-o-matic(-ng). Likewise, it contains extensions that were not accepted in the main iptables package.

Xtables-addons is different from patch-o-matic in that you do not have to patch or recompile either kernel or Xtables(iptables).

http://jengelh.medozas.de/projects/xtables/

Thanks

Skis's picture

Wonderful ! thank you for this great post ! it really shows the power of iptables ! and this is juste a sample :)

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState