Ubuntu Feisty 7.04 manual page repository


Provided by: netscript-2.4_5.1.1_all

 

NAME

        /etc/netscript/ipfilter-defs directory - netscript ipfilter-defs
        compile definitions directory.
 

DESCRIPTION

        This manual page documents briefly the compile  definition  files  that
netscript-compile(8)  command  from  the  netscript
        router/firewall network configuration package.  This compiler creates a
        compiled  iptables  rules file in /etc/netscript/ipfilter-defs.conf (it
        is  a  shell  script  portion)  that  is  sourced  by   the   netscript
iptables(8) firewall rules in the
        kernel.
        The rules can be compiled and automatically loaded on boot  by  setting
network.conf(5) to the value of the
Net-compile(8)  creates  this
        function  as  Configure.   If this switch is set, the netscript startup
netscript-compile(8) to make sure everything is up to date and
        load the rules from /etc/netscript/ipfilter-defs.conf, and the relevant
network.conf(5) which are used to establish packet grooming
        and configure the built in kernel netfilter INPUT and FORWARD chains in
        the filter table. If compilation fails, the previous rule  set  is  not
netscript(8) manpage to see
        how to load and use backup copies of the rule set.
iptables(8) filter table is set up by a corresponding
        construction function of the same name as the chain.  The chains are
        laced into the iplcl (which is laced in to the INPUT chain)  and  ipfwd
        (laced  into  FORWARD)  chains respectively, and the forwarding control
        chains are set up to take traffic in both directions, with the destina‐
        tion  network/interface and source network/interface being used in  the
        lacing chain, and network protocol and port being  tied  down  in  each
        specific chain.
 
        For  the  new in kernel Linux IPSEC, traffic to and from the VPN can be
        controlled via the iptables policy match module, if you have it patched
        and  compiled  into  your  kernel and iptables.  Future versions of the
        kernel and iptables  should  have  this  included  in  the  distributed
        source.
        All the files defining the rules set are in the
        /etc/netscript/ipfilter-defs directory.  The network-defs file is used
        to define the regions and network blocks used in the rest of the
        rules.  The prototypes-defs file is used to define prototype rules
        that can be referenced elsewhere in the rule set.  The prototypes.sh
        file is used to construct
netscript-compile(8) command that can  be  used
        in the definitions files. DNAT and SNAT are set up in the dnat-defs and
        masq-defs files respectively.  Any file ending in .def is taken as gen‐
netscript-compile(8).
 
        The files generally take the form of tables, with the columns tab or
        space separated.  The '#' character is supported for commenting, and
        comments can be on a line by themselves, or at the end of a
        configuration line.  Everything after the '#' is treated as a comment
        by the
netscript-compile(8) compiler.
        The structure of the rule sets is as follows.  Each chain is started by
        calling a shell compilation function (generally ipv4_compile_chain) to
        create the chain, with the chain name and source/destination regions as
        arguments; each rule in the chain is then given on a fresh line with
        the chain name in the first column.
 
        Regions are defined as network interface tuples, and are set up in net‐
        work-defs.  They are syntactically the same as shell script  variables,
        and  are used the same way in the .def rule set files. Technically this
netscript-compile(8)  shell
        script.
 
        Any   interface  name  can have either of the keywords =clear or =ipsec
        tied to them by using the ‘=’ character on the  end  of  the  interface
        name.   This  is used to specifically match IPSEC traffic, or non-IPSEC
        traffic going over the interface.  Typically you would  use  this  when
        defining  a region, though the syntax is valid elsewhere as well. It is
        recommended that you use this feature to prevent packet injection  from
        adjacent external sources when setting up iptables rules for VPN tunnel
        traffic.
 
        The regions are given as arguments to the  compilation  function,  with
        the  region  always being 2 arguments in network/interface order to the
        function.
 
        Each chain rule in the chain is defined by  giving  first  of  all  the
        chain  name,  then the rule type, and its direction.  All columns after
        the 3rd one are specific to and are defined  by  the  rule  type.   The
        direction may have a '-' in it.
 
        The  rules  produced  by the compiler use the iptables connection based
        state tracking.  Packet by packet rules will be added later.
 

EXAMPLE

        Here is an example of part of a .def file:
 
               # Access from Office to internet
               #          - only allow outgoing tcp and UDP
               # and ping traffic - anything else is most
               # likely a tunneling protocol.
               # We have VPNs for tunneling
               ipv4_compile_chain -p 90 offcInet droplog $OFFICE_REGN $INTERNET_REGN
               offcInet       ACCEPT_EST      BOTH
               offcInet       ACCEPT_PING     L2R
               offcInet       ACCEPT_TCP      L2R     1:65535
               offcInet       ACCEPT_UDP      L2R     1:65535
 
        The ACCEPT_EST line accepts packets belonging to ESTABLISHED and RELATED
        connections, that is, the follow-on traffic of new connections already
        accepted.  New connections are accepted by the ACCEPT_PING, ACCEPT_TCP,
        and ACCEPT_UDP rules.  Please see the
iptables(8) manpage for the details on stateful filtering.
        Unless  a function is defined in prototypes.sh, there is only one func‐
        tion provided.  However this is not limiting as there is a facility for
        rule  macros, as well as the ability to tell the function to use one of
        the default base rule sets.
 
        If you do define a function in prototypes.sh, be careful to handle  all
netscript-compile(8)
        will break, as it runs with set -e set.
 
        The only defined compile function for IPv4 is:
 
        ipv4_compile_chain [-i] [-n] [-b base-chain] [-p priority]  [-s  slave-
        chain]  <chain-name>  <default-target>  <from-net>  <from-if> [<to-net>
        <to-if>]
 
        You can see the source region and destination region on the end of  it.
        The default-target is one of RETURN, DROP, droplog, or log.
 
        The options to this function are as follows:
 
        -i     Create  an  input  chain  for  attaching to iplcl instead of the
               default forward chain for attaching to ipfwd.
 
        -n     Don’t lace the chain into iplcl or ipfwd.
 
        -b base-chain
               Specify an alternate ruleset chain to use.
 
        -s slave-chain
               Configure/deconfigure this chain as well as the  one  specified.
               Useful for adjusting input rule set when manipulating the access
               chain for an IPsec VPN.
 
        -p priority
               Specify the priority of the chain in the lacing rule set.   Pri‐
               ority  is  between  00  and 99, with 00 at the top of the lacing
               chain, and 99 at the bottom. This is useful for making sure that
               host  specific  rule  sets  occur  before  more  general network
               related ones, and for putting Internet related ones at the  bot‐
               tom of the lacing chain.
        The direction is as per FreeS/WAN - it uses left and right terminology.
 
        The possible directions are as follows:
 
        L2R|LEFT2RIGHT|INTERNAL2EXTERNAL|INTERN2EXTERN|I2E|INT2EXT
               Left to Right, Internal to External
 
        R2L|RIGHT2LEFT|EXTERNAL2INTERNAL|EXTERN2INTERN|E2I|EXT2INT
               Right to Left, External to Internal
 
        BOTH|- Both directions, aka none or '-'.
        Here are the valid chain rules, and the arguments they expect.
 
        COMMENT [word1] [word2] ...
               Insert a comment into the compile shell script.  Fill the 3rd
               column direction in with '-'.
 
        MACRO <macro-name>
               Specify a macro rule set.  The rule set name must start with
               'MACRO_'.  Direction again should be '-'.
 
        LOG [word1] [word2] ...
               Insert a logging rule using the given log message, or if none
               given, using the current log message for the chain.
 
        LOG_MSG [word1] [word2] ...
               Set the log message for the chain away from the default of
               'Chain: <chain-name>' or from a previous LOG_MSG setting.  Up to
               26 letters can be used before the truncation limit is reached.
 
        RESET_LOG_MSG
               Reset log message to the default of 'Chain: <chain-name>'.
 
        REJECT_SMB
               Jump  to  smb  control  chain.  Creates smb chain if it does not
               already exist.
 
        DROP_MARTIANS
               Jump to martian source address control chain.  Creates chain  if
               it does not already exist.
 
        LOG_PORTSCAN
               Use  the  psd  module  to  detect  and  log  portscans.  Creates
               portscan log chain (if not already there) which puts 'PORTSCAN
               DETECTED - ' in the log.
 
        DROP_BROADCAST
               Drop ethernet broadcast packets.
 
        LOG_BROADCAST
               Log ethernet broadcast packets with the current log messages for
               the chain.
 
        ACCEPT_EST
iptables(8) state  mod‐
               ule.
 
        ACCEPT_RELATED
iptables(8) state module. Useful
               for ICMP type 3 packets used for maximum MTU detection.
 
        ACCEPT_PROTO <protocol>
               Accept NEW connections for a  protocol.  Accepts one argument in
               the 4th column which is the protocol name from /etc/protocols or
               the protocol number between 0 and 255.
 
        REJECT_PROTO <protocol>
               Reject NEW connections for a  protocol with ICMP reject packets.
               Accepts  one  argument  in  the 4th column which is the protocol
               name from /etc/protocols or the protocol number  between  0  and
               255.
 
        DROP_PROTO <protocol>
               Drop all packets for a  protocol with nothing in reply.  Accepts
               one argument in the 4th column which is the protocol  name  from
               /etc/protocols or the protocol number between 0 and 255.
 
        LOG_PROTO <protocol>
               Log  NEW connections for a protocol with the current log message
               for the chain.  Accepts one argument in the 4th column which  is
               the  protocol  name  from  /etc/protocols or the protocol number
               between 0 and 255.
 
        ACCEPT_TCP [src-port-range] <dst-port-range>
               Accept NEW TCP connections.  If one argument is given, it is the
               destination port (range).  If 2 arguments, the first is the
               source port (range), and the second the destination port (range).
               Port ranges are specified by separating them with a ':'
               character, and ports must be in the /etc/services file, or a
               number between 0 and 65535.
 
        REJECT_TCP [src-port-range] <dst-port-range>
               Reject NEW TCP connections with an ICMP REJECT packet.  If one
               argument is given, it is the destination port (range).  If 2
               arguments, the first is the source port (range), and the second
               the destination port (range).  Port ranges are specified by
               separating them with a ':' character, and ports must be in the
               /etc/services file, or a number between 0 and 65535.
 
        DROP_TCP [src-port-range] <dst-port-range>
               Drop all TCP packets, returning nothing at all.  If one argument
               is given, it is the destination port (range).  If 2 arguments,
               the first is the source port (range), and the second the
               destination port (range).  Port ranges are specified by
               separating them with a ':' character, and ports must be in the
               /etc/services file, or a number between 0 and 65535.
 
        LOG_TCP [src-port-range] <dst-port-range>
               Log NEW TCP connections with the current log text for the chain.
               If one argument is given, it is the destination port (range).  If
               2 arguments, the first is the source port (range), and the second
               the destination port (range).  Port ranges are specified by
               separating them with a ':' character, and ports must be in the
               /etc/services file, or a number between 0 and 65535.
 
        ACCEPT_UDP [src-port-range] <dst-port-range>
               Accept NEW UDP connections.  If one argument is given, it is the
               destination port (range).  If 2 arguments, the first is the
               source port (range), and the second the destination port (range).
               Port ranges are specified by separating them with a ':'
               character, and ports must be in the /etc/services file, or a
               number between 0 and 65535.
 
        REJECT_UDP [src-port-range] <dst-port-range>
               Reject NEW UDP connections with an ICMP REJECT packet.  If one
               argument is given, it is the destination port (range).  If 2
               arguments, the first is the source port (range), and the second
               the destination port (range).  Port ranges are specified by
               separating them with a ':' character, and ports must be in the
               /etc/services file, or a number between 0 and 65535.
 
        DROP_UDP [src-port-range] <dst-port-range>
               Drop all UDP packets, returning nothing at all.  If one argument
               is given, it is the destination port (range).  If 2 arguments,
               the first is the source port (range), and the second the
               destination port (range).  Port ranges are specified by
               separating them with a ':' character, and ports must be in the
               /etc/services file, or a number between 0 and 65535.
 
        LOG_UDP [src-port-range] <dst-port-range>
               Log NEW UDP connections with the current log message for the
               chain.  If one argument is given, it is the destination port
               (range).  If 2 arguments, the first is the source port (range),
               and the second the destination port (range).  Port ranges are
               specified by separating them with a ':' character, and ports
               must be in the /etc/services file, or a number between 0 and
               65535.
 
        ACCEPT_PING
               Accept ICMP type 8 echo request packets for network diagnosis.
 
        DROP_PING
               Drop ICMP type 8 packets with no reply.
 
        LOG_PING
               Log  an  ICMP  echo request with the current log message for the
               chain.
 
        ACCEPT_TCP_NET [src_network [src-port-range]] <dst-network>  <dst-port-
        range>
               Accept NEW TCP connections from given source (optional) to  des‐
               tination.    Network   is   given  in  IPv4  address/netmask  or
               address/masklen format.  Port ranges are specified by separating
               them with a ':' character, and ports must be in the
               /etc/services file, or a number between 0 and 65535.
 
        REJECT_TCP_NET [src_network [src-port-range]] <dst-network>  <dst-port-
        range>
               Reject NEW TCP connections with an ICMP reject packet which come
               from a given source (optional), going to a given destination.
               Network is given in IPv4 address/netmask or address/masklen
               format.  Port ranges are specified by separating them with a ':'
               character, and ports must be in the /etc/services file, or a
               number between 0 and 65535.
 
        DROP_TCP_NET  [src_network  [src-port-range]]  <dst-network> <dst-port-
        range>
               Drop  all TCP packets which come from a given source (optional),
               going  to  given  destination.   Network  is   given   in   IPv4
               address/netmask or address/masklen format.  Port ranges are
               specified by separating them with a ':' character, and ports
               must be in the /etc/services file, or a number between 0 and
               65535.
 
        LOG_TCP_NET  [src_network  [src-port-range]]  <dst-network>  <dst-port-
        range>
               Log all NEW TCP connections from given source (optional) to des‐
               tination, with the current log message for the  chain.   Network
               is given in IPv4 address/netmask or address/masklen format. Port
               ranges are specified by separating them with a ':' character,
               and ports must be in the /etc/services file, or a number between
               0 and 65535.
 
        ACCEPT_UDP_NET [src_network [src-port-range]] <dst-network>  <dst-port-
        range>
               Accept NEW UDP connections from given source (optional) to  des‐
               tination.    Network   is   given  in  IPv4  address/netmask  or
               address/masklen format.  Port ranges are specified by separating
               them with a ':' character, and ports must be in the
               /etc/services file, or a number between 0 and 65535.
 
        REJECT_UDP_NET [src_network [src-port-range]] <dst-network>  <dst-port-
        range>
               Reject NEW UDP connections with an ICMP reject packet which come
               from a given source (optional), going to a given destination.
               Network is given in IPv4 address/netmask or address/masklen
               format.  Port ranges are specified by separating them with a ':'
               character, and ports must be in the /etc/services file, or a
               number between 0 and 65535.
 
        DROP_UDP_NET  [src_network  [src-port-range]]  <dst-network> <dst-port-
        range>
               Drop  all UDP packets which come from a given source (optional),
               going  to  given  destination.   Network  is   given   in   IPv4
               address/netmask or address/masklen format.  Port ranges are
               specified by separating them with a ':' character, and ports
               must be in the /etc/services file, or a number between 0 and
               65535.
 
        LOG_UDP_NET  [src_network  [src-port-range]]  <dst-network>  <dst-port-
        range>
               Log all NEW UDP connections from given source (optional) to des‐
               tination, with the current log message for the  chain.   Network
               is given in IPv4 address/netmask or address/masklen format. Port
               ranges are specified by separating them with a ':' character,
               and ports must be in the /etc/services file, or a number between
               0 and 65535.
 
        ACCEPT_IFACE <interface>
               Accept all incoming NEW connections from an incoming  interface.
 
        REJECT_IFACE <interface>
               Reject all incoming NEW connections with an ICMP reject packet,
               from an interface.
 
        DROP_IFACE <interface>
               Drop all incoming packets from an interface.
 
        LOG_IFACE <interface>
               Log all incoming NEW connections from an interface.
 
        ACCEPT_NET <network>
               Accept all NEW connections from network.  Network  is  given  in
               IPv4 address/netmask or address/masklen format.
 
        REJECT_NET <network>
               Reject all NEW connections from network with an ICMP reject
               packet.   Network  is   given   in   IPv4   address/netmask   or
               address/masklen format.
 
        DROP_NET <network>
               Drop  all  packets  from  network.   Network  is  given  in IPv4
               address/netmask or address/masklen format.
 
        LOG_NET <network>
               Log all NEW connections from network.  Network is given in IPv4
               address/netmask or address/masklen format.
 

FILES

        /etc/netscript/ipfilter-defs.conf,
        /etc/netscript/ipfilter-defs-compiled.conf,
        /etc/netscript/ipfilter-defs directory.
netscript(8).
 

AUTHOR

        This     manual     page     was     written     by    Matthew    Grant
        <grantma@anathoth.gen.nz>, for the Debian GNU/Linux system (but may  be
        used by others).
 

BUGS

        I wrote this manpage when I was not half asleep...
 
        Some things are missing from this manpage...
 
        Dnat documentation is missing but obvious from configuration file.
 
        SNAT documentation is missing but obvious from configuration file.
 
IPFILTER-DEFS(5)
 
