Defining Matching Rules

An important part of every rule is the matching part. Next is a list of the most popular elements that can be used for matching. Note that you don't have to use all of them in a rule; if one of these elements isn't specified, the rule simply applies to all packets regardless of that element. For example, if you don't specify a source IP address but you do specify a source port number, the rule applies to that source port number, no matter what the source IP address is. You can use the following for matching in a rule:

Interface: Use this to specify the network interface to which the rule applies. -o refers to an output interface, and -i refers to the input interface. It may not surprise you that -o isn't used in the INPUT chain (since it refers to incoming packets only) and -i isn't used in the OUTPUT chain (which refers to outgoing packets only).

Source/destination IP address: You can use -s (source) or -d (destination) to refer to an IP address. Neither has to be the IP address of an individual host, because you can also use addresses of complete networks. For example, use -s 192.168.0.1 to refer to one host only, or use -s 192.168.0.0/16 for all hosts that have a network address starting with 192.168.

Protocol: Use this to refer to protocols as defined in the file /etc/protocols. You can use protocol numbers as well as protocol names, as used in this file. For example, -p TCP refers to all packets in which TCP is used.

Ports: A popular method to filter is based on TCP or UDP port numbers. You can use any port number; check /etc/services for a complete list of services and their default ports if you need more details. For example, use --sport 1024:65535 if you want to refer to all ports greater than port 1024, or use --dport 25 to refer to the SMTP port. Note that when using a port specification, you should always use a protocol specification. So, don't just use --dport 25, but use -p TCP --dport 25.
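As an added example (not part of the original article, and not iptables code itself), the following Python function checks the match part of a rule against the constraints described above before it is handed to iptables: -o has no meaning in INPUT, -i has no meaning in OUTPUT, a port match needs a protocol, port values and ranges must be valid, and -s/-d must be a host or a CIDR network. The function and constant names are this example's own.

```python
# Added example, not from the original article: a linter for the iptables
# match elements described above. It only inspects the option list; it does
# not run iptables. Names here (lint_rule, PORT_OPTS) are this example's own.
import ipaddress

PORT_OPTS = ("--sport", "--dport")

def _check_port(value):
    """Accept '25', '1024:65535', '1024:' or ':1023'; raise ValueError otherwise."""
    parts = value.split(":")
    if len(parts) > 2:
        raise ValueError(f"bad port spec {value!r}")
    # An empty half of a range means the default bound, as iptables treats it.
    nums = [int(p) if p else d for p, d in zip(parts, (0, 65535))]
    if any(not 0 <= n <= 65535 for n in nums):
        raise ValueError(f"port out of range in {value!r}")
    if len(nums) == 2 and nums[0] > nums[1]:
        raise ValueError(f"port range must be low:high, got {value!r}")

def lint_rule(chain, args):
    """Return the problems found in the match part of one rule.

    chain is 'INPUT', 'OUTPUT' or 'FORWARD'; args is the list of match
    options as passed to iptables, e.g. ['-p', 'tcp', '--dport', '25'].
    """
    problems, opts = [], {}
    # Every match option handled here takes exactly one value: pair them up.
    if len(args) % 2:
        problems.append(f"option {args[-1]} has no value")
    for opt, val in zip(args[0::2], args[1::2]):
        opts[opt] = val
    if chain == "INPUT" and "-o" in opts:
        problems.append("-o (output interface) is meaningless in INPUT")
    if chain == "OUTPUT" and "-i" in opts:
        problems.append("-i (input interface) is meaningless in OUTPUT")
    if any(p in opts for p in PORT_OPTS) and "-p" not in opts:
        problems.append("port match given without a protocol (-p tcp|udp)")
    for opt in PORT_OPTS:
        if opt in opts:
            try:
                _check_port(opts[opt])
            except ValueError as e:
                problems.append(str(e))
    for opt in ("-s", "-d"):
        if opt in opts:
            try:  # strict=False accepts host bits set, e.g. 192.168.0.1/16
                ipaddress.ip_network(opts[opt], strict=False)
            except ValueError:
                problems.append(f"{opt} {opts[opt]!r} is not an IP host or network")
    return problems
```

A rule such as -p TCP --dport 25 -s 192.168.0.0/16 passes with an empty problem list, while --dport 25 on its own is flagged for the missing protocol, which is exactly the mistake the text warns about.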
