
iptables revisited: a not so ordinary firewall

Per Linde, Martynas Pumputis and Guillermo Rodríguez


{Per.Linde.3289, Martynas.Pumputis.0695, Guillermo.Rodriguez.8763}@student.uu.se

Abstract. At the present time, security on the Internet, and in networks in general, has evolved into an issue that should not be disregarded. Many experts recommend Linux as the operating system for the machines in charge of security (and also for desktop computers). Linux included a basic firewall tool called ipchains in its kernel until the 2.4 series, where it switched to iptables. iptables is known for its efficiency and functionality, but that enormous functionality also makes it a more complex tool to configure. This paper reviews some mechanisms for advanced configuration of iptables, based on two main scenarios. The different configurations presented try to demonstrate the remarkable power of iptables as a stand-alone firewall and also as a tool that works in conjunction with other tools usually deployed alongside it.

Contents

1 Introduction
2 Matching patterns
3 Registering and debugging iptables actions
4 Constraining a connection
  4.1 Regulating by time
  4.2 Regulating by quota
  4.3 Limiting resource abuse
5 Load balancing
6 Shaping traffic flows
  6.1 Scenario
  6.2 (Brief) introduction to tc
  6.3 Flagging packets with iptables's mangle table
  6.4 Protection against SYN floods and ICMP DoS
7 Conclusion
8 Appendix

1 Introduction

iptables is a firewall developed by the Netfilter Project¹. Presently, this firewall is becoming more and more popular, both among end users and network administrators. Its popularity is closely related to the Linux operating system: iptables works with Linux kernels 2.4 and 2.6, and almost every major Linux distribution comes with iptables pre-installed. This firewall is also known as a stateful packet filter, which is the main difference between iptables and ipchains (the ancestor of iptables, used with the 2.2 kernel series and still available as a compatibility module in 2.4). The firewall supports not only packet filtering, but is also able to log and forward packets, and it can be used together with tools such as psad, snort and tc.

In this paper we look a bit deeper into more advanced iptables configurations, but first we introduce the reader to the basic usage of iptables. The core of the firewall consists of four parts [7]: tables, chains, matches and targets. A system administrator defines an iptables policy, i.e. tables of chains, which describe how the kernel should react to different groups of packets. A chain is a collection of rules that is applied, in order, to every packet that traverses it. There are five predefined chains:

PREROUTING: used for incoming packets before the routing decision is made.
INPUT: used for packets addressed to the box itself.
FORWARD: used for packets being routed through the box.
OUTPUT: used for locally generated packets.
POSTROUTING: used for packets as they are about to leave the box.

Not every table has every chain: the filter table has INPUT, FORWARD and OUTPUT, the nat table has PREROUTING, OUTPUT and POSTROUTING, and mangle has all five. Every rule has a set of matches that select packets (e.g. -d 10.100.1.1 matches destination IP 10.100.1.1) and a target, the action performed when a packet matches the rule (e.g. ACCEPT, DROP, LOG...). Rules in a chain are evaluated in order, the first terminating target that matches decides the packet's fate, and if no rule matches, the chain's default policy applies. All the examples presented in this paper (excluding those used in section 6) are based on the scenario presented in figure 1.

In this scenario, WebServer#1 (10.100.1.101 on its eth0 interface), WebServer#2 (10.100.1.102 on its eth0 interface) and a PC (10.100.1.33 on its eth0 interface) belong to the local network, and every packet that comes from the Internet or the LAN is filtered by the firewall (eth1 is the firewall's LAN-facing interface, eth0 its Internet-facing interface). A second PC (212.59.0.1 on its eth0 interface) is reachable directly through the Internet.

Figure 1: Main scenario for the iptables configurations


¹ http://netfilter.org

Listing 1 shows a couple of rules: the first appends a rule to the end of the INPUT chain specifying that every packet from source IP address 212.59.0.1 will be DROPped, and the second logs every packet leaving through the eth1 interface.

    iptables -A INPUT -s 212.59.0.1 -j DROP
    iptables -A OUTPUT -o eth1 -j LOG

Listing 1: iptables sample rules

2 Matching patterns

Sometimes we want to filter (drop) packets that contain some bad content, for example executable (.exe) files. In such cases the string extension can be used. It matches a string against the packet's payload, as shown in listing 2, where the first rule drops a packet that contains the string "bad word" and the second drops a packet that contains the name of an executable file (.exe). The --algo option selects the search algorithm (bm for Boyer-Moore, kmp for Knuth-Morris-Pratt) and is mandatory.

    iptables -A INPUT -m string --string "bad word" --algo bm -j DROP
    iptables -A INPUT -m string --string ".exe" --algo bm -j DROP

Listing 2: Usage of iptables's string extension

When filtering files by extension we should beware of a few issues. Files are usually split across multiple packets (because a file is usually bigger than one packet), and only the single packet that contains the extension string is dropped, which in practice just stalls the TCP stream until it times out; a string that straddles two packets is not seen at all, since the match inspects one packet at a time. Also, any unrelated content that happens to contain the file-extension string (a web page mentioning "setup.exe") is filtered as well. Finally, the match only works on cleartext: encrypted (HTTPS) or compressed payloads do not contain the literal string.
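The following is an added example, not code from the paper or the netfilter project. It models the caveats just described with a constructed HTTP response: TCP segmentation is imitated by cutting the byte stream into fixed-size packets, a per-packet matcher plays the role of `-m string`, and a stream matcher plays the role of an inspector that reassembles the connection (an IDS such as snort). The payloads, the segment sizes and the `.exe` pattern are all constructed for the example.

```python
"""What the iptables string match sees: one packet at a time.

Added example, not from the paper. A per-packet matcher (like '-m string')
is compared with a stream matcher (like a reassembling IDS) on a constructed
HTTP download, showing a pattern that straddles a segment boundary being
missed, and an unrelated packet that merely mentions '.exe' being dropped.
"""


def segment(payload, mss):
    """Cut a byte stream into packet-sized chunks (a crude stand-in for TCP segmentation)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_drops(packets, pattern):
    """Indices of the packets '-m string --string <pattern>' would drop, each inspected on its own."""
    return [i for i, pkt in enumerate(packets) if pattern in pkt]


def stream_matches(packets, pattern):
    """What a reassembling inspector sees: the pattern anywhere in the reconstructed stream."""
    return pattern in b"".join(packets)


def straddling_mss(payload, pattern):
    """A segment size that cuts the first occurrence of pattern in two (evasion, or plain bad luck)."""
    return payload.index(pattern) + len(pattern) // 2


# Constructed sample payloads (not captured traffic).
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="setup.exe"\r\n'
    b"\r\n"
    b"MZ" + bytes(200)          # fake PE header followed by padding
)
CHAT_MESSAGE = b"just run the installer, setup.exe, and reboot"
PATTERN = b".exe"


def evasion_demo(payload=HTTP_RESPONSE, pattern=PATTERN, mss=1460):
    """Return (drops when the pattern sits inside one packet,
               drops when it straddles two packets,
               verdict of a stream matcher on the straddling segmentation)."""
    whole = per_packet_drops(segment(payload, mss), pattern)
    cut = segment(payload, straddling_mss(payload, pattern))
    return whole, per_packet_drops(cut, pattern), stream_matches(cut, pattern)


if __name__ == "__main__":
    whole, straddle, seen = evasion_demo()
    print("pattern inside one packet, dropped packets:", whole)
    print("pattern across two packets, dropped packets:", straddle)
    print("stream inspector still sees it:", seen)
    print("false positive on chat message:", per_packet_drops(segment(CHAT_MESSAGE, 1460), PATTERN))
```

With the default 1460-byte segment the whole response fits one packet and is dropped; with a segment size that cuts `.exe` in two, no packet is dropped while a stream-level inspector still matches, and the harmless chat message is dropped in both cases.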

3 Registering and debugging iptables actions

In some cases it can be useful to log network events, and here the LOG target comes in handy. The LOG target records information about matching packets in the system log, which is useful for debugging or as evidence of prohibited network activity. LOG is a non-terminating target: the packet continues to the next rule after being logged, so when a firewall script is being tested the administrator can use LOG instead of DROP in the rules and check the log files to see which packets would have been dropped. The kernel writes the entries to its ring buffer (readable with the command dmesg), and syslogd (via klogd) stores them in a file such as /var/log/messages or /var/log/kern.log, depending on the distribution. With the --log-prefix option a prefix string is attached to every entry, which makes it easy to find the relevant iptables entries (or to automate the process with grep). Each entry consists of packet data: the incoming and outgoing interface, most of the IP header (SRC, DST, LEN, TTL, PROTO...) and, for TCP and UDP, the ports and TCP flags [2]. Note that LOG cannot be used as a chain policy (-P accepts only a built-in verdict such as ACCEPT or DROP); it is appended as an ordinary rule, and in production it should be rate-limited (-m limit) so that a flood cannot fill the disk.

    iptables -A INPUT -j LOG --log-prefix "INPUT packets: "

Listing 3: An administrator is testing a new script; while testing he uses LOG instead of DROP
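The following is an added example, not code from the paper: a parser for the syslog lines the LOG target writes (the --log-prefix string, then KEY=VALUE fields and bare flag words such as DF, SYN, ACK) plus a small detection run over them, of the kind psad automates. The sample lines are constructed for this example with the prefix of listing 3 and the addresses of figure 1; they are not real captured logs, and 10.100.1.1 is assumed here to be the firewall's LAN address.

```python
"""Parsing and triaging iptables LOG entries (added example, not from the paper)."""
import re
from collections import Counter, defaultdict

# Constructed sample log, not captured data. Prefix from listing 3, hosts from figure 1.
SAMPLE_LOG = """\
Mar  3 12:00:01 fw kernel: INPUT packets: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=212.59.0.1 DST=10.100.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:00:01 fw kernel: INPUT packets: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=212.59.0.1 DST=10.100.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31338 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:00:02 fw kernel: INPUT packets: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=212.59.0.1 DST=10.100.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31339 DF PROTO=TCP SPT=44323 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:00:02 fw kernel: INPUT packets: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=212.59.0.1 DST=10.100.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31340 DF PROTO=TCP SPT=44324 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:00:03 fw kernel: INPUT packets: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cd:00:50:56:dd:ee:01:08:00 SRC=10.100.1.33 DST=10.100.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=29200 RES=0x00 ACK URGP=0
Mar  3 12:00:03 fw kernel: INPUT packets: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cd:00:50:56:dd:ee:01:08:00 SRC=10.100.1.33 DST=10.100.1.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40000 DPT=53
Mar  3 12:00:04 fw sshd[1234]: Accepted publickey for admin from 10.100.1.33 port 50000 ssh2
"""

# "kernel:" may be followed by a "[seconds.micros]" uptime stamp on some systems.
LOG_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)IN=(?P<rest>.*)$")


def parse_log_line(line):
    """Return a dict of the LOG fields, or None if the line is not a LOG entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix").strip(), "FLAGS": []}
    for token in ("IN=" + m.group("rest")).split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value            # OUT= yields an empty string for input packets
        else:
            fields["FLAGS"].append(token)  # DF, SYN, ACK, FIN, RST, ...
    return fields


def packets_per_source(lines):
    """How many logged packets each source address sent."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f:
            counts[f["SRC"]] += 1
    return counts


def syn_scan_sources(lines, min_ports=3):
    """Sources whose pure-SYN packets hit at least min_ports distinct TCP ports.

    A host opening connections to many different ports within a short log
    window is the classic signature of a port scan.
    """
    ports = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "TCP":
            continue
        if "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            ports[f["SRC"]].add(int(f["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(packets_per_source(lines))
    print(syn_scan_sources(lines))
```

On the sample, the external PC shows up as a SYN scanner across four ports, while the LAN host's ACK and DNS packets are ignored by the detection and the unrelated sshd line is skipped by the parser.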

4 Constraining a connection

4.1 Regulating by time

In many networks there are regular server maintenance hours, which can include actions like backups, system updates and/or system scans. While these actions are being executed it can be necessary to redirect the traffic from the current server to another server. It can also be the case that some types of traffic should only be allowed during certain hours, so that, for example, employees get Internet access only during lunch hours and no or limited access during office hours. In listing 4, employees on the LAN (eth1 in figure 1) are allowed to browse the Internet (HTTP(S)) during lunch hours; note that other traffic should be dropped by default. Note also that the time match compares against the kernel's clock: newer versions of the match interpret the times as UTC unless --kerneltz is given, so a rule written for local time needs that option.

    iptables -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports http,https -m time --timestart 12:00 --timestop 13:00 -j ACCEPT

Listing 4: Example of regulation by time

Listing 5 shows how all incoming TCP/UDP traffic is dropped by default during service hours (between 02:00 and 03:00), so that maintenance tasks are not disrupted by incoming traffic. These rules sit in the INPUT chain and therefore only affect traffic addressed to the firewall itself; to protect the servers behind it the same rules belong in FORWARD. Since they also drop packets of existing connections, an earlier rule accepting ESTABLISHED traffic is needed if the administrator's own session must survive the window.

    iptables -A INPUT -p tcp -m time --timestart 02:00 --timestop 03:00 -j DROP
    iptables -A INPUT -p udp -m time --timestart 02:00 --timestop 03:00 -j DROP

Listing 5: Another example of regulation by time

4.2 Regulating by quota

In most systems the normal bandwidth usage can easily be estimated; if usage exceeds this level by some margin, the traffic may be unauthorized and should be limited. With the quota match the administrator specifies an amount of data (in bytes) that a rule matches before it stops matching, which can be used to allow or disallow traffic beyond the quota, or to have traffic within the quota handled by one server and everything else by another. Listing 6 shows how a quota of 10 GiB (10737418240 bytes) of HTTP traffic is allowed, after which new HTTP connections are redirected to 10.100.1.102, which returns a page with the quota warning. The byte counting is done in the mangle table, because the nat table only sees the first packet of each connection and a quota placed there would count nothing but connection-opening packets; once the quota is exhausted the packets are marked, and the mark is what the DNAT rule in the nat table matches on. Note that this counts only the client-to-server direction of the traffic.

    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport http -m quota --quota 10737418240 -j ACCEPT
    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport http -j MARK --set-mark 0x2
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport http -m mark --mark 0x2 -j DNAT --to-destination 10.100.1.102

Listing 6: Example of quota handling

One problem with iptables bandwidth monitoring is its counter, which is reset whenever the rules are reloaded (e.g. when the iptables service is restarted). Note also that the administrator in the example above has to reset the counter every month, by reloading the rule.

4.3 Limiting resource abuse

Another way to limit traffic through the router is to use the limit and iplimit matches. limit specifies how many times per time unit a rule may match (a token bucket with a rate and a burst size), e.g. to slow down SYN flooding. iplimit (merged into mainline kernels under the name connlimit) specifies how many parallel connections a single IP address may have, e.g. one IP address should not be allowed to have more than 10 parallel connections to the router. A limit rule on its own restricts nothing: it only stops matching once its bucket is empty, so the excess packets must be dropped by a later rule or by a DROP policy, as in listing 7. Note also that limit is global for the rule, not per source address, so one host that sends more than the allowed rate starves everybody else's new connections; the hashlimit match provides the same bucket per source (or destination) address, and the kernel's SYN cookies (net.ipv4.tcp_syncookies) remain the usual defence against a SYN flood.

    iptables -A INPUT -p tcp --syn -m limit --limit 5/second --limit-burst 5 -j ACCEPT
    iptables -A INPUT -p tcp --syn -j DROP

Listing 7: Slowing down SYN packet flooding

    iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 10 -j DROP

Listing 8: Allowing a maximum of 10 simultaneous connections per IP address

5 Load balancing

Presently, web servers must handle lots of incoming connections, and load balancing can help system administrators cope with this. For example, our web servers mirror the Linux kernel project and all files can be accessed through port 21 (FTP). The firewall that forwards packets to the servers can also balance the incoming traffic in two ways: with the nth extension (see listing 9), which matches every n-th packet, or with the random extension (see listing 10), which matches a packet with a given probability. Because DNAT is only valid in the nat table, which sees just the first packet of each connection, the rules are placed in the nat table's PREROUTING chain and restricted to NEW connections. In listing 10 the second rule is unconditional: it only sees the connections the first rule did not take, and with --average 50 on both rules a quarter of the connections would be translated by neither. In mainline kernels both extensions have been replaced by the statistic match (-m statistic --mode nth --every 2 --packet 0, or -m statistic --mode random --probability 0.5), whose nth counter belongs to the rule, so the same two-rule pattern (a matching rule followed by an unconditional one) applies there. FTP additionally requires the ftp connection-tracking and NAT helpers (nf_conntrack_ftp, nf_nat_ftp) so that data connections are translated together with the control connection.

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -m state --state NEW -m nth --counter 0 --every 2 --packet 0 -j DNAT --to-destination 10.100.1.101:21
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -m state --state NEW -m nth --counter 0 --every 2 --packet 1 -j DNAT --to-destination 10.100.1.102:21

Listing 9: Usage of iptables's nth extension

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -m state --state NEW -m random --average 50 -j DNAT --to-destination 10.100.1.101:21
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -m state --state NEW -j DNAT --to-destination 10.100.1.102:21

Listing 10: Usage of iptables's random extension
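The following is an added example, not code from the paper or the netfilter project: a tiny model of first-match chain evaluation with a terminating target (DNAT), used to compare the naive two-rule split in which both rules carry --average 50 with the corrected version whose second rule is unconditional, and to show the deterministic alternation of an nth-style counter. The probabilistic match stands in for `-m random --average 50` (or `-m statistic --mode random --probability 0.5`); the counter match models `-m statistic --mode nth`, where the counter belongs to the rule. Each simulated packet is the first packet of a NEW connection, the only one the nat table sees; the connection counts and seed are constructed.

```python
"""Simulating the nat PREROUTING rules of listings 9 and 10 (added example, not from the paper)."""
import random
from collections import Counter


class RandomMatch:
    """Matches with a fixed probability, like -m random --average 50."""

    def __init__(self, probability, rng):
        self.probability, self.rng = probability, rng

    def __call__(self):
        return self.rng.random() < self.probability


class NthMatch:
    """Matches packet number P of every N packets that reach this rule
    (the counter belongs to the rule, as in -m statistic --mode nth)."""

    def __init__(self, every, packet):
        self.every, self.packet, self.count = every, packet, 0

    def __call__(self):
        hit = self.count == self.packet
        self.count = (self.count + 1) % self.every
        return hit


def always():
    """An unconditional rule."""
    return True


def run_chain(rules, connections):
    """Evaluate (match, target) rules in order for each new connection.

    The first matching rule's DNAT target wins and ends traversal; a connection
    no rule matches is recorded under None: it is not translated at all and
    ends up at the firewall's own port 21, if anything listens there.
    """
    outcome = Counter()
    for _ in range(connections):
        for match, target in rules:
            if match():
                outcome[target] += 1
                break
        else:
            outcome[None] += 1
    return outcome


def share(outcome, target, connections):
    """Fraction of connections that ended up at target."""
    return outcome[target] / connections


def listing10_naive(connections=100_000, seed=1):
    """Both rules carry --average 50: the second only sees what the first passed on."""
    rng = random.Random(seed)
    rules = [(RandomMatch(0.5, rng), "10.100.1.101"),
             (RandomMatch(0.5, rng), "10.100.1.102")]
    return run_chain(rules, connections)


def listing10_fixed(connections=100_000, seed=1):
    """Second rule unconditional: every connection reaches one of the two servers."""
    rng = random.Random(seed)
    rules = [(RandomMatch(0.5, rng), "10.100.1.101"),
             (always, "10.100.1.102")]
    return run_chain(rules, connections)


def nth_split(connections=100_000):
    """Deterministic alternation: --mode nth --every 2 --packet 0, then an unconditional rule."""
    rules = [(NthMatch(2, 0), "10.100.1.101"),
             (always, "10.100.1.102")]
    return run_chain(rules, connections)


if __name__ == "__main__":
    n = 100_000
    for name, fn in (("naive", listing10_naive), ("fixed", listing10_fixed)):
        o = fn(n)
        print(f"random split, {name}: .101={share(o, '10.100.1.101', n):.2f} "
              f".102={share(o, '10.100.1.102', n):.2f} untranslated={share(o, None, n):.2f}")
    print("nth split:", dict(nth_split(n)))
```

The naive version sends about half of the connections to the first server, a quarter to the second and leaves a quarter untranslated; the fixed version and the nth version split them evenly with nothing left over.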

6 Shaping traffic flows

In this section we present the combination of iptables with tc (Traffic Control), a set of tools to shape traffic. These tools give the user of a system the ability to adjust any kind of traffic flow; they are quite powerful in the sense that the control over the queues, the different components and the queueing algorithms involved in a network device is very fine-grained. Traffic control focuses on QoS (Quality of Service) by categorizing flows of packets into queues according to a set of rules (filter policies). The reasoning behind QoS is that bandwidth is a limited and expensive resource: some services and applications need to be prioritized, guaranteed a minimum quality of service to operate as specified by a policy or an agreement, or have their bandwidth usage limited.

It is important to note that not all flows can be shaped: outgoing flows can be completely shaped, whereas incoming flows can only be partially shaped. The explanation is that a user has control over the traffic being sent through a network device, because it is either produced locally or forwarded from other systems (that use this one as a gateway), but it is not possible to limit the traffic received through a network device, since there is no way to tell² the source of this traffic to stop or limit the flow; at most, excess incoming packets can be discarded by an ingress policer, which only helps if the sender backs off. Incoming flows can be partially shaped because the path between the network device and the destination service is within the system's boundaries, so it can be shaped there.

Traffic control is useful not only to shape traffic but also to protect a system (or a network) against SYN flood and Denial of Service attacks: since it is very difficult to distinguish legitimate requests from those aimed at taking a service down, shaping the connections that abuse the service can help minimize the effects instead of shutting down the service.

6.1 Scenario

The sample set-up used in this section is a file server that acts as a public HTTP/FTP/RSYNC mirror of open source software. The system has a full-duplex 100 Mbps link shared with some other systems within a small domain, and this domain is inside a bigger network (the University's). Given the purpose of the system, anyone can access it to retrieve a file. However, in the last year the system has experienced a sudden increase of traffic which hogs the link most of the time. Since there were no traffic policies, a connection from within the internal domain was not distinguished from a connection from within the University's network or from outside the University. An initial solution to increase performance (and bandwidth) for the other systems within the server's network was put in place: a limit of 70% on the outgoing stream (70 Mbps). Although this solution was supposed to be temporary, it became a policy and has not changed. However, there is a need to distinguish traffic within the system's network, traffic within the University's network and traffic from outside the University. Given the purpose of the system, many servers within the University use it to update their operating systems (and many people use it to get the latest version of their favourite Linux distribution), so they should be prioritized over other connections. The solution presented here prioritizes the server's network traffic over the University's, and both over traffic from outside the University (with some exceptions); it also tries to provide a fast response to any connection being established, and fairness between connections is a must (if two or more connections are shaped according to the same rule, each one is treated equally).

6.2 (Brief) introduction to tc

Given the aim of this paper and its focus on iptables, tc is not discussed in detail in this subsection; we refer to the excellent guide by Hubert et al. on advanced routing and traffic control under Linux for the areas not covered here [1]. Since packet-switched networks (widely used nowadays) are stateless, there is no inherent way to distinguish between flows. Traffic control introduces some statefulness by using packet properties to administer packets and organize them into queues with different policies. tc schedules traffic into queues called qdiscs (queueing disciplines). Each qdisc runs a queueing algorithm (FIFO, HTB, SFQ, CBQ) [5]; pfifo_fast, a three-band FIFO, is the default discipline of every interface [3]. There are two types of qdisc, classful and classless: the former can contain classes and the latter cannot.

² TCP's congestion control and flow control are two mechanisms that can be used to have a TCP stream shaped from the receiving side, but this is pushing these two methods to the limit.

The organisation of queues and classes is usually seen as a tree where the leaf nodes are terminal classes, each containing a qdisc. tc also provides filtering mechanisms to classify packets (and apply a policy to them) based on their attributes; the general-purpose classifier for this is called u32, and the fw classifier classifies on the firewall mark set by iptables. This feature is very important, because it is what lets us move packets arriving at the root qdisc into the defined classes and qdiscs [4]. In our scenario, shown in figure 2, there are four main classes (each represented as a green circle) attached to a root³ class node. The High priority class handles ICMP and most connection-establishment packets; the Internal class handles the system's network and the University's network (see its subclasses); External handles HTTP, FTP and RSYNC traffic (see its subclasses) whose source or destination is not within the University's network (which includes the system's network); and Default handles any other traffic. Since tc does not use names, each class has a numerical identifier (e.g. the RSYNC class has the identifier 1:33), and attached to each class there is a qdisc; the qdisc is not represented in the diagram but its algorithm is (e.g. for the same RSYNC class the algorithm used is SFQ). The range next to each class represents the guaranteed rate and the maximum rate, both in Mbps, that the class is allowed to use (e.g. the RSYNC class can use up to 75 Mbps and has a guaranteed bandwidth of 20 Mbps).

Figure 2: Classes and queues of the scenario described in 6.1

An example of the configuration of the class and its attached qdisc for High priority traffic is shown in listing 11. Note that it also includes the filter, attached at the top of the tree (the root qdisc 1:0), that steers packets carrying firewall mark 5 into the class: the fw classifier compares the MARK value set by iptables with the filter's handle. The listing assumes that the root HTB qdisc with handle 1: and its parent class 1:1 have already been created.

    tc class add dev eth0 parent 1:1 classid 1:5 htb rate 5mbit ceil 100mbit
    tc qdisc add dev eth0 parent 1:5 handle 5: sfq perturb 10
    tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 5 fw flowid 1:5

Listing 11: Configuration of class, qdisc and filter for High priority traffic

6.3 Flagging packets with iptables's mangle table

The introduction described how iptables works and its internals, as presented in figure 3. This subsection focuses on a non-default⁴ table of iptables, mangle, which is used for specialized packet alteration. The mangle table has five chains (see figure 3) and is mostly used to flag packets according to the characteristics we want to act on later, though packets can also be altered with other targets (TOS, TTL...). The target used to flag packets is MARK. The mark is a numerical value (decimal or hexadecimal) set with the option --set-mark value; it is stored in the kernel's socket buffer, not in the packet itself, so it is only visible on the local system. The characteristics can be obtained from the packet by analysing its parameters (source/destination address/port, protocol, flags...) or by using a packet classifier module for iptables called layer7⁵. This kind of classifier analyses the packet's application-layer data instead of what the built-in matches look at: IP addresses, protocol, ports, flags... As of now this application-layer classification is quite accurate, but for many protocols, especially those that try to obscure themselves to avoid being shaped, it is slow (figuring out the application in use is more processor-consuming than reading a field from a packet header). The mark can later be used to reroute a packet (if set in a chain that runs before routing), to log it, and so on. In our scenario the mark is used by the tc filters to classify packets into the different classes, so that tc can shape the traffic according to the tree of classes and qdiscs defined in figure 2 and provide the desired (and needed) quality of service.

³ There is always a default root qdisc (pfifo_fast) for every network interface.
⁴ If no specific table is selected (with the -t|--table option), iptables defaults to the filter table.

The list of iptables rules used to flag the different types of traffic according to figure 2 is shown in listing 12. To make sure that all outgoing traffic is classified, packets are flagged in the POSTROUTING chain of the mangle table, which jumps to a user-defined chain SHAPER (created with -N) for every packet leaving eth0. Note that ICMP, UDP and TCP-flag rules are considered high priority; since MARK is a non-terminating target, each MARK rule is followed by a RETURN rule with the same match, so that once a packet matches one entry it returns to the calling chain and is not re-marked by a later rule. The mark values are in hexadecimal.

    iptables -t mangle -N SHAPER
    iptables -t mangle -A POSTROUTING -o eth0 -j SHAPER
    iptables -t mangle -A SHAPER -p icmp -m comment --comment "ICMP (High priority)" -j MARK --set-mark 0x5
    iptables -t mangle -A SHAPER -p icmp -j RETURN
    iptables -t mangle -A SHAPER -p udp -m comment --comment "UDP (High priority)" -j MARK --set-mark 0x5
    iptables -t mangle -A SHAPER -p udp -j RETURN
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK FIN,ACK -m comment --comment "FIN,ACK (High priority)" -j MARK --set-mark 0x5
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK FIN,ACK -j RETURN
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m comment --comment "SYN,ACK (High priority)" -j MARK --set-mark 0x5
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN,ACK -j RETURN
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST,ACK -m comment --comment "RST,ACK (High priority)" -j MARK --set-m ark 0x5
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST,ACK -j RETURN
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m comment --comment "RST (High priority)" -j MARK --set-mark 0x5
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j RETURN
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "SYN (High priority)" -j MARK --set-mark 0x5
    iptables -t mangle -A SHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
    iptables -t mangle -A SHAPER -d 157.88.36.0/24 -m comment --comment "GUI (Internal)" -j MARK --set-mark 0x15
    iptables -t mangle -A SHAPER -d 157.88.36.0/24 -j RETURN
    iptables -t mangle -A SHAPER -d 157.88.0.0/16 -m comment --comment "UVa (Internal)" -j MARK --set-mark 0x16
    iptables -t mangle -A SHAPER -d 157.88.0.0/16 -j RETURN
    iptables -t mangle -A SHAPER -p tcp -m tcp --sport 20:21 -m comment --comment "FTP (External)" -j MARK --set-mark 0x1f
    iptables -t mangle -A SHAPER -p tcp -m tcp --sport 20:21 -j RETURN
    iptables -t mangle -A SHAPER -p tcp -m tcp --sport 49152:65534 -m comment --comment "FTP (External)" -j MARK --set-mark 0x1f
    iptables -t mangle -A SHAPER -p tcp -m tcp --sport 49152:65534 -j RETURN
    iptables -t mangle -A SHAPER -p tcp -m tcp --sport 80 -m comment --comment "HTTP (External)" -j MARK --set-mark 0x20
    iptables -t mangle -A SHAPER -p tcp -m tcp --sport 80 -j RETURN
    iptables -t mangle -A SHAPER -p tcp -m tcp --sport 873 -m comment --comment "RSYNC (External)" -j MARK --set-mark 0x21
    iptables -t mangle -A SHAPER -p tcp -m tcp --sport 873 -j RETURN
    iptables -t mangle -A SHAPER -m comment --comment "Any (Default)" -j MARK --set-mark 0x4
    iptables -t mangle -A SHAPER -j RETURN

Listing 12: iptables flagging rules

6.4 Protection against SYN floods and ICMP DoS

tc and iptables can be used to protect a system or a network from a SYN flood attack or an ICMP DoS⁶. Usually the solution taken is to block the source IP(s), but this means that there must be some kind of warning system in place, and it does not help against spoofed or widely distributed sources. If traffic is intercepted before it reaches a service of the system, it can be shaped once a threshold is reached and limited so that it does not block the service, though this will likely affect legitimate connections as well [1].

⁵ There is also another module, ipp2p, though it is focused on identifying P2P data in IP traffic.
⁶ DoS is the acronym for Denial of Service.

Listing 13 shows how an ICMP DoS can be intercepted and shaped once the established threshold is reached. The limit match lets ICMP packets through at a rate of 25 per second, with bursts of 5: while the threshold is not exceeded, the packets are flagged with mark 5 (and later shaped according to this mark); once it is exceeded, the remaining packets are marked with 4 (which will presumably be a very low-priority, bandwidth-limited queue in tc). The two limit rules are separate token buckets, but they see exactly the same packets and therefore stay in sync; a cleaner equivalent is a single limit rule followed by a RETURN on -m mark --mark 0x5. Note that the limit is global, not per source: one flooding host uses up the whole budget and pushes legitimate ICMP traffic into the low-priority class as well (the hashlimit match provides the same bucket per source address). Note also that these rules sit in the INPUT chain, so they classify packets addressed to the firewall itself, which are consumed locally and never reach the egress qdisc of eth0; for traffic forwarded to the servers the same rules belong in the FORWARD chain.

    iptables -t mangle -A INPUT -p icmp -m limit --limit 25/s --limit-burst 5 -j MARK --set-mark 0x5
    iptables -t mangle -A INPUT -p icmp -m limit --limit 25/s --limit-burst 5 -j RETURN
    iptables -t mangle -A INPUT -p icmp -j MARK --set-mark 0x4
    iptables -t mangle -A INPUT -p icmp -j RETURN

Listing 13: ICMP DoS attack detection and shaping

Similarly, listing 14 shows what is done to intercept a SYN flood (instead of --tcp-flags, the --syn option, which matches all packets with only the SYN flag set, is used).

    iptables -t mangle -A INPUT -p tcp --syn -m limit --limit 150/s --limit-burst 10 -j MARK --set-mark 0x5
    iptables -t mangle -A INPUT -p tcp --syn -m limit --limit 150/s --limit-burst 10 -j RETURN
    iptables -t mangle -A INPUT -p tcp --syn -j MARK --set-mark 0x4
    iptables -t mangle -A INPUT -p tcp --syn -j RETURN

Listing 14: SYN flood attack detection and shaping
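The following is an added example, not code from the paper or the netfilter project, and it serves both section 4.3 (listing 7: limit then ACCEPT, excess DROPped) and this section (listings 13 and 14: limit then MARK 0x5, excess MARK 0x4). The limit match is a token bucket: it holds at most --limit-burst tokens, refills at --limit tokens per second and matches a packet only when a token is available. The model below replays constructed packet timelines through that bucket and reports how many packets of a flood get the "within budget" verdict and how many fall through to the unconditional rule. The real xt_limit works in integer credits at kernel-tick granularity, so counts on a live box may differ by a packet or two; the flood rates are constructed.

```python
"""Token-bucket model of the iptables 'limit' match (added example, not from the paper)."""
from fractions import Fraction


class TokenBucket:
    """One '-m limit --limit RATE --limit-burst BURST' instance."""

    def __init__(self, rate_per_second, burst):
        self.rate = Fraction(rate_per_second)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)   # the bucket starts full
        self.last = Fraction(0)

    def allow(self, now):
        """Refill for the time elapsed since the last packet, then try to take a token."""
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify(timestamps, rate, burst, within="0x5", excess="0x4"):
    """Apply the two-rule pattern of listings 13/14 (or listing 7) to a packet timeline.

    Packets that find a token get the 'within' verdict (MARK 0x5, or ACCEPT in
    listing 7); the rest fall through to the unconditional rule and get 'excess'
    (MARK 0x4, or DROP). Both limit rules in listings 13/14 see the same packets,
    so a single bucket models them.
    """
    bucket = TokenBucket(rate, burst)
    return [within if bucket.allow(t) else excess for t in timestamps]


def flood(packets_per_second, seconds):
    """Constructed timeline: evenly spaced packets starting at t=0 (not captured traffic)."""
    step = Fraction(1, packets_per_second)
    return [i * step for i in range(packets_per_second * seconds)]


def summarise(marks):
    """Count verdicts, e.g. {'0x4': 971, '0x5': 29}."""
    return {m: marks.count(m) for m in sorted(set(marks))}


if __name__ == "__main__":
    # Listing 13 (25/s, burst 5): a 1000 packet/s ICMP flood for one second.
    print("ICMP flood:", summarise(classify(flood(1000, 1), 25, 5)))
    # Ordinary ping traffic never exhausts the bucket.
    print("normal ping:", summarise(classify(flood(10, 2), 25, 5)))
    # Listing 7 (5/s SYN, default burst 5): 100 SYN/s, excess dropped.
    print("SYN flood:", summarise(classify(flood(100, 1), 5, 5, within="ACCEPT", excess="DROP")))
```

During the one-second ICMP flood only the initial burst plus one packet per 40 ms keeps the high-priority mark (29 packets); everything else is pushed to 0x4, and since the bucket is shared by all sources, a legitimate ping arriving in that second is pushed there too. That is the argument for hashlimit, which keeps one such bucket per source address.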

7 Conclusion

Regular firewalls focus on port forwarding and port filtering, but this is not enough for a network connected to the hostile Internet. Desktop computers are often equipped with protection applications like anti-virus and anti-malware, but many network threats cannot be avoided by these. A good and well-configured firewall, on the other hand, can stop many network threats before they have a chance to get into the local network; such a firewall can even stop some virus threats. It is our opinion that iptables is a good firewall with enormous potential to secure both small and big networks, because it satisfies the special needs of the network's computers and servers. iptables can be configured in many different ways, e.g. to load-balance traffic over several mirrored servers (see listings 9 and 10) to even out the load; to use flow control to prioritize (among other things) traffic (see figure 2); to use regulation rules to limit all or just some types of traffic, where the limit can be time (see listing 4), traffic amount (see listing 6) or occurrences (see listing 7). When creating a new iptables configuration it is good practice to use the LOG target, because this makes debugging and testing easier; it can also be used later to analyse minor holes or to improve the existing rules. iptables is a complex tool that satisfies (almost) all firewalling needs, but one should notice that a complex tool such as iptables demands know-how. Without proper knowledge of iptables configuration, what was supposed to secure a network or a system can easily become a serious security vulnerability; a novice user should always remember to set DROP as the default policy⁷ of the INPUT chain rather than writing specific rules to DROP. There are commercial solutions from many vendors like Cisco, Avaya, Juniper... but iptables is capable of doing the same job as the tools offered by these companies, which usually are closed source products and therefore more expensive to use than iptables, an open source tool (free for all).

References
[1] Hubert, B., Graf, T., Maxwell, G., van Mook, R., van Oosterhout, M., Schroeder, P., Spaans, J. and Larroy, P., Linux Advanced Routing & Traffic Control. Ottawa Linux Symposium, 2003.
[2] Andreasson, O., Iptables Tutorial 1.2.2. http://iptables-tutorial.frozentux.net/iptables-tutorial.html
[3] Singletary, D., ADSL Bandwidth Management HOWTO. http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
[4] Brown, M. A., Traffic Control HOWTO, 2006. http://tldp.org/HOWTO/html_single/Traffic-Control-HOWTO/
[5] Devera, M., HTB Linux queuing discipline manual. User guide, 2002. http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
[6] Rash, M., Linux Firewalls. No Starch Press, 2007.
[7] Russell, R., Linux 2.4 Packet Filtering HOWTO, 2002. http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
[8] Chuvakin, A., IPTables Linux firewall with packet string-matching support, 2001. http://www.securityfocus.com/infocus/1531

⁷ This is the principle of least privilege: grant only the minimum access necessary.

8 Appendix

Figure 3: Scheme of iptables internal tables and chains, and data flow
