doc:howto:netfilter [2014/02/16 09:29]
lorema
doc:howto:netfilter [2015/11/20 09:40] (current)
hnyman remove layer7 due to r45423-45424
====== Netfilter/Nftables ======
[[http://www.netfilter.org/|Netfilter]] is the packet filtering framework inside the [[wp>Linux kernel]]. It provides packet filtering, network address and port translation (NAT/NAPT) and other packet manipulations. It is far more than a simple firewall. For Nftables, see [[#Nftables]] further down this page.

Usually the user space programs <color red>**''iptables''**</color>, <color red>**''ip6tables''**</color>, <color red>**''ebtables''**</color> or <color red>**''arptables''**</color> are used to //configure// how network packets are handled. See the scheme **[[http://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt for an overview of current and future netfilter components.

| {{:meta:icons:tango:dialog-information.png?nolink}} | **''Note1:''** In OpenWrt bridge firewalling is disabled by default. It can be enabled by editing ''/etc/sysctl.conf'': <code bash>net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=1</code> and then reloading the configuration with <code bash>sysctl -p</code> This is required by the ''physdev'' match, and it is what makes frames forwarded by a bridge (e.g. ''br-lan'') traverse the iptables chains at all. ''ebtables'' filters bridged frames regardless of these settings. Caveat: once ''bridge-nf-call-iptables=1'' is set, traffic switched between two ports of the same bridge passes through the ''FORWARD'' chain, so a ''DROP'' policy there also blocks LAN-to-LAN traffic unless you accept it explicitly (e.g. with ''-m physdev %%--%%physdev-is-bridged -j ACCEPT''). |

===== Installation =====
Netfilter is part of the kernel and does not have to be installed. The user space programs and the kernel modules are packed into [[doc:techref:opkg]] packages; install the ones you need. Always install the ''iptables-mod-*'' package rather than the ''kmod-ipt-*'' module directly: the kernel module is a dependency of the user space extension and is pulled in automatically, whereas the module alone gives you nothing to configure it with. See the available [[doc:howto:netfilter#OPKG Netfilter Packages]].

===== Explanation =====
Please have a look at this excellent scheme: **[[http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green parts are the domain of ''iptables'' and ''ip6tables'', while the blue parts are handled by ''ebtables''.

Do not make the mistake of placing your LAN on the left side and the Internet on the right side in your mind. Both are on both sides! When a packet enters the Linux kernel (i.e. the ingress buffer of the [[wp>Network interface controller|NIC]]/[[wp>Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless of which [[doc:networking:network.interfaces|interface]] it arrives on. It traverses the network stack and netfilter, and when it leaves, it always leaves on the right side. While the packet traverses a chain, netfilter compares it against the rules of that chain in order. The first rule whose matches all apply is the one that acts: the packet is sent to the TARGET specified in that rule. For terminating targets (''ACCEPT'', ''DROP'', ''REJECT'', the NAT targets) this ends the traversal of that chain, so the order of rules matters and a later, more specific rule is never reached. Non-terminating targets such as ''-j LOG'', ''-j MARK'' or ''-j CLASSIFY'' act on the packet and let it continue to the next rule; ''-j CUSTOM_CHAIN'' jumps into a user-defined chain and, if nothing there terminates the packet, returns to the rule after the jump. A packet that reaches the end of a built-in chain without a terminating match is handled by the chain's policy (''-P'').

===== Configuration =====
Netfilter is part of the Linux kernel. The packet filter rules in the kernel are configured with the user space command line tools of netfilter: ''[[man>iptables]]'', ''[[man>ip6tables]]'', ''[[man>ebtables]]'', ''[[man>arptables]]'' and ''[[man>ipset]]''. Use them as follows:

| <code>
root@openwrt:~# iptables -A INPUT -j ACCEPT -p tcp --dport 53 #------------------- accept incoming packets on TCP port 53 (DNS over TCP; add the same rule with -p udp for ordinary DNS queries)
root@openwrt:~# iptables -A FORWARD -j REJECT -p udp --dport 135:139 #------------- reject forwarded NetBIOS (Windows share) traffic in either direction
</code> |

| {{:meta:icons:tango:dialog-information.png?nolink}} | **''Note:''** A rule may contain a [[wp>Fully qualified domain name|FQDN (Fully qualified domain name)]] instead of an IP address, but the name is resolved only once, when the rule is added, and the rule is stored with the resolved addresses (one rule per address if the name resolves to several). If the name later resolves to a different address, the rule silently no longer matches the host you meant; and the lookup itself is answered by whatever DNS the router uses at that moment, which is worth remembering for rules that are supposed to //block// something.\\ A rule that follows DNS changes can be built with ''ipset'' and ''[[doc:uci:ipset-dns]]'': the iptables rule matches a set (''-m set %%--%%match-set NAME dst'') and the contents of the set are refreshed from DNS. |
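
As an added example (not part of the original page), a POSIX shell snippet for the ipset approach: it parses busybox-style ''nslookup'' output, rebuilds the set in a scratch copy and swaps it in with ''ipset swap'', so an iptables rule that references the set never sees a half-filled or empty set while it is being refreshed. The set name ''badhosts'', the host name and all addresses in the sample are invented; nothing here talks to the network unless you call ''refresh_fqdn_set'' yourself.

```shell
#!/bin/sh
# Keep an ipset in sync with the addresses a FQDN currently resolves to.
# Added example for this page; the set name, the host name and all
# addresses below are invented.

# Print one IPv4 address per line from "nslookup HOST" output (busybox 1.x
# and bind-style formats). Address lines before the first "Name:" line
# describe the resolver, not the host, and are skipped.
parse_nslookup() {
    awk '
        /^Name:/ { answer = 1; next }
        answer && /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
        }'
}

# Read addresses on stdin and print the ipset commands that replace the
# contents of set $1 in one step: fill a scratch set, then "ipset swap"
# exchanges the two sets atomically, so rules matching $1 keep working
# during the refresh and the old addresses disappear all at once.
ipset_refresh_cmds() {
    set_name=$1
    scratch="${set_name}_tmp"
    printf 'ipset create %s hash:ip -exist\n' "$set_name"
    printf 'ipset create %s hash:ip -exist\n' "$scratch"
    printf 'ipset flush %s\n' "$scratch"
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        printf 'ipset add %s %s -exist\n' "$scratch" "$addr"
    done
    printf 'ipset swap %s %s\n' "$scratch" "$set_name"
    printf 'ipset destroy %s\n' "$scratch"
}

# Real use on the router (needs the ipset and iptables-mod-ipset packages):
#   iptables -A FORWARD -m set --match-set badhosts dst -j REJECT   # once
#   refresh_fqdn_set badhosts tracker.example   # then from cron, e.g. every 5 min
refresh_fqdn_set() {
    nslookup "$2" | parse_nslookup | ipset_refresh_cmds "$1" | sh
}

# Constructed sample of busybox nslookup output, used for the dry run below.
SAMPLE_NSLOOKUP='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      tracker.example
Address 1: 198.51.100.10 tracker.example
Address 2: 198.51.100.11 tracker.example'

# Dry run: print the ipset commands instead of executing them.
demo_commands() {
    printf '%s\n' "$SAMPLE_NSLOOKUP" | parse_nslookup | ipset_refresh_cmds badhosts
}

demo_commands
```

Both sets must have the same type (''hash:ip'' here) for ''ipset swap'' to succeed; if the lookup fails and returns no addresses, the swap installs an empty set, so in production check that ''parse_nslookup'' produced output before swapping.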

Per invocation you can set up only one //rule//. The rule is checked for syntax errors and, if none are found, it is handed to the kernel and active immediately. It lives in kernel memory only: rules added at the command line are gone after a reboot unless a script re-applies them (on OpenWrt, ''/etc/firewall.user'' is run by the firewall for exactly this purpose). An iptables/ip6tables command is composed of two parts: part one always names the <color LightSeaGreen>table</color> (''filter'' if ''-t'' is omitted), a <color magenta>command</color>, and the <color green>chain</color> this particular rule belongs to; part two specifies the <color blue>match</color> and the <color red>TARGET</color>. There is at most one TARGET per rule, but multiple matches are possible, and all of them must apply for the rule to act.

^ <color LightSeaGreen>Table</color> <color magenta>Command</color> <color green>Chain</color> ^ <color blue>match</color> and <color red>TARGET</color> ^
| ''**iptables** <color LightSeaGreen>-t filter</color> <color magenta>-A</color> <color green>INPUT</color>''|''<color red>-j ACCEPT</color> <color blue>-p tcp %%--%%dport 53</color> <color grey>#%%-------------------%% accept all incoming packets on TCP port 53 (DNS)</color>'' |
| ''**iptables** <color LightSeaGreen>-t filter</color> <color magenta>-A</color> <color green>FORWARD</color>''|''<color red>-j REJECT</color> <color blue>-p udp %%--%%dport 135:139</color> <color grey>#%%----------------%% reject forwarded NetBIOS (Windows share) traffic in either direction</color>'' |
| ''**iptables** <color LightSeaGreen>-t filter</color> <color magenta>-A</color> <color green>FORWARD</color>''|''<color blue>-p tcp %%--%%dport 22 -m physdev %%--%%physdev-in wlan0 %%--%%physdev-out eth0.3</color> <color red>-j LOG %%--%%log-prefix "22 on wlan"</color> <color grey>#%%----%% log SSH attempts from wlan clients towards eth0.3 (physdev needs bridge-nf, see Note1; LOG does not stop the packet)</color>'' |
| ''**iptables** <color LightSeaGreen>-t nat</color> <color magenta>-A</color> <color green>PREROUTING</color>''|''<color blue>-i $LAN -p tcp %%--%%dport 53</color> <color red>-j REDIRECT %%--%%to-port 53</color> <color grey>#%%----------------%% redirect LAN DNS queries on TCP to the router itself</color>'' |
| ''**iptables** <color LightSeaGreen>-t nat</color> <color magenta>-A</color> <color green>PREROUTING</color>''|''<color blue>-i $LAN -p udp %%--%%dport 53</color> <color red>-j REDIRECT %%--%%to-port 53</color> <color grey>#%%----------------%% redirect LAN DNS queries on UDP to the router itself</color>'' |
| ''**iptables** <color LightSeaGreen>-t nat</color> <color magenta>-A</color> <color green>POSTROUTING</color>''|''<color blue>-o eth0.2 -d 169.254.1.0/24</color> <color red>-j SNAT %%--%%to-source 169.254.1.1</color> <color grey>#%%------%% source-NAT packets to the given destination network to the given fixed address</color>'' |
| ''**iptables** <color LightSeaGreen>-t nat</color> <color magenta>-A</color> <color green>POSTROUTING</color>''|''<color blue>-o $IF_DSL</color> <color red>-j MASQUERADE</color> <color grey>#%%------------%% source-NAT all packets leaving on $IF_DSL to the router's current address on that interface (use SNAT instead if the address is static)</color>'' |
| ''**iptables** <color LightSeaGreen>-t mangle</color> <color magenta>-A</color> <color green>POSTROUTING</color>''|''<color blue>-o $IF_DSL -s $IP_USER2</color> <color red>-j TC_USER2</color> <color grey>#%%-------------------------------%% jump to the user-defined chain TC_USER2 (create it first with -N)</color>'' |
| ''**iptables** <color LightSeaGreen>-t mangle</color> <color magenta>-A</color> <color green>TC_USER4</color>''|''<color red>-j CLASSIFY %%--%%set-class 1:101</color> <color blue>-p udp -m length %%--%%length :400</color> <color grey>#%%------%% UDP packets of up to 400 bytes into tc class 1:101</color>'' |
| ''**iptables** <color LightSeaGreen>-t mangle</color> <color magenta>-A</color> <color green>TC_USER1</color>''|''<color red>-j CLASSIFY %%--%%set-class 1:103</color> <color blue>-m tos %%--%%tos Maximize-Throughput</color> <color grey>#%%------%% packets with the Maximize-Throughput TOS into tc class 1:103</color>'' |
| ''**iptables** <color LightSeaGreen>-t mangle</color> <color magenta>-A</color> <color green>POSTROUTING</color>''|''<color blue>-o $IF_DSL ! -s 192.168.0.0/16</color> <color red>-j TEE %%--%%gateway 192.168.1.254</color> <color grey>#%%-----%% send a copy of each outgoing packet to the gateway IP (e.g. a monitoring host)</color>'' |
| ''**iptables** <color LightSeaGreen>-t mangle</color> <color magenta>-A</color> <color green>PREROUTING</color>''|''<color blue>-i $IF_DSL -d 192.168.0.0/16</color> <color red>-j TEE %%--%%gateway 192.168.1.254</color> <color grey>#%%-------%% the same for incoming packets</color>'' |
| ''**iptables** <color LightSeaGreen>-t mangle</color> <color magenta>-A</color> <color green>POSTROUTING</color>''|''<color blue>-m connbytes %%--%%connbytes 504857: %%--%%connbytes-dir both %%--%%connbytes-mode bytes</color> <color red>-j CLASSIFY %%--%%set-class 1:303</color> <color grey>#%%----%% once a connection has transferred more than 504857 bytes in both directions together, put its packets into class 1:303 (CLASSIFY is not valid in PREROUTING)</color>'' |
| ''**iptables** <color LightSeaGreen>-t raw</color> <color magenta>-A</color> <color green>PREROUTING</color>''|''<color blue>! -i $IF_DSL</color> <color red>-j CT %%--%%notrack</color> <color grey>#%%--------------%% don't track anything NOT arriving on $IF_DSL (the raw table only has PREROUTING and OUTPUT)</color>'' |
| ''**iptables** <color LightSeaGreen>-t raw</color> <color magenta>-A</color> <color green>PREROUTING</color>''|''<color blue>-i $IF_LAN -s $NET_LAN -p tcp %%--%%dport 32777:32780</color> <color red>-j CT %%--%%notrack</color> <color grey>#%%------%% don't track NFS</color>'' |

<color LightSeaGreen>Table: -t filter -t nat -t mangle -t raw</color> (''filter'' is used when ''-t'' is omitted)

<color magenta>COMMAND: -A %%--%%append -D %%--%%delete -I %%--%%insert -R %%--%%replace -L %%--%%list -F %%--%%flush -Z %%--%%zero -N %%--%%new-chain -X %%--%%delete-chain -P %%--%%policy -E %%--%%rename-chain</color> (''-S'' prints the rules as commands, which is handy for saving and diffing a ruleset; ''-L -v -n'' shows counters and does not try to resolve names)

<color green>''Builtin chains'' and ''user defined chains'': INPUT OUTPUT FORWARD PREROUTING POSTROUTING user_defined_CHAIN_1</color> (not every table has every built-in chain: ''filter'' has INPUT/FORWARD/OUTPUT, ''nat'' has PREROUTING/OUTPUT/POSTROUTING (and INPUT from kernel 2.6.36 on), ''mangle'' has all five, ''raw'' has PREROUTING/OUTPUT)

<color red>TARGET: ACCEPT DROP QUEUE RETURN BALANCE CLASSIFY CLUSTERIP CONNMARK CONNSECMARK CONNTRACK DNAT DSCP ECN IPMARK IPV4OPSSTRIP LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE CT REDIRECT REJECT ROUTE SAME SECMARK SET SNAT TARPIT TCPMSS TOS TRACE TTL ULOG XOR</color> Several of these (e.g. CHAOS, DELUDE, TARPIT, IPMARK, RAWNAT) come from xtables-addons and need the corresponding ''iptables-mod-*''/''kmod-ipt-*'' packages.

Depending on the kind of TARGET you need further parameters: <color red>-j MARK %%--%%set-mark 102\\
''    -j TEE'' reroutes a copy of the packet to another gateway\\
''    -j TARPIT'' accepts the TCP connection but holds it open with a zero window, tying up the peer without using a local socket\\
''    -j DELUDE'' completes the TCP handshake and then closes the connection, so a port scanner sees the port as open\\
</color>

<color blue>match:
''  -i'' incoming interface, ''-o'' outgoing interface (''-i'' is valid in PREROUTING/INPUT/FORWARD, ''-o'' in FORWARD/OUTPUT/POSTROUTING)\\
''  -s'' source IP address, ''-d'' destination IP address (a ''!'' before the option negates it)\\
''  -p'' protocol, ''--dport'' destination port, ''--sport'' source port (the port options need ''-p tcp'' or ''-p udp'' first)\\
''  -m'' match: the various matches live in different iptables-mod-* packages!\\
''    -m mac --mac-source xx:xx:xx:xx:xx:xx'' source MAC; MAC is layer 2, so this only works in PREROUTING, INPUT and FORWARD, there is no --mac-destination, and a MAC address is trivially spoofed\\
''    -m mark --mark abc'' match a packet carrying the given mark (set earlier with -j MARK)\\
''    -m length --length :412'' match all packets with a total length of up to 412 bytes (the range is inclusive)\\
''    -m ttl --ttl-eq 12 -j LOG --log-prefix "IPT TTL=12 "''\\
''    -m ttl --ttl-gt 12 -j LOG --log-prefix "IPT TTL>12 "''\\
''    -m ttl --ttl-lt 12 -j LOG --log-prefix "IPT TTL<12 "''\\
''    -m condition'' match a flag that can be changed from user space (via /proc/net/nf_condition/NAME)\\
''    -m geoip'' match on countries (needs a GeoIP database on the router)\\
</color>

These were only a very few examples, meant to give you the basic grasp of netfilter, which is already a big step! For thorough documentation and detailed tutorials, please see the [[#Notes]].
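
The rules above are single commands typed one at a time. As an added example (not from the original page or the OpenWrt firewall scripts), here is a POSIX shell function that produces a complete, ordered IPv4 ruleset in ''iptables-restore'' format for a router with one WAN and one LAN interface; the interface names ''eth0.2'' and ''br-lan'', the ports and the log prefix are assumptions. It shows in one place what the Explanation and Configuration sections describe: default-deny policies, the stateful ESTABLISHED,RELATED rule first so that the more expensive matches only see new connections, a LOG rule immediately before the DROP it documents (LOG does not terminate, so the packet still reaches the DROP, whereas a LOG placed after the DROP would never fire), the DNS REDIRECT and MASQUERADE rows from the table, and loading the whole thing with ''iptables-restore'' rather than rule by rule so that there is never a half-applied firewall.

```shell
#!/bin/sh
# Build an ordered IPv4 ruleset in iptables-restore format.
# Added example for this page; "eth0.2"/"br-lan", the ports and the log
# prefix are assumptions, not OpenWrt defaults you can rely on.
# Needs: iptables (conntrack and nat are part of it since r30676) and
# iptables-mod-nat-extra for REDIRECT.

gen_ruleset() {
    wan=$1
    lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -m limit --limit 6/min -j LOG --log-prefix "ipt wan ssh: "
-A INPUT -i $wan -p tcp --dport 22 -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $lan -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $lan -p tcp --dport 53 -j REDIRECT --to-ports 53
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Apply the ruleset on the router. "iptables-restore --test" parses and
# builds the complete ruleset without committing it, so a typo in one line
# is caught before anything is changed.
apply_ruleset() {
    rules=$(gen_ruleset "$1" "$2")
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Stand-alone: print the ruleset for review, e.g.
#   sh ruleset.sh eth0.2 br-lan | less
gen_ruleset "${1:-eth0.2}" "${2:-br-lan}"
```

The explicit DROP after the LOG rule is redundant with the INPUT policy; it is there so that the decision and the log line that documents it sit next to each other and survive a later change of the policy. The ''-m limit'' on the LOG rule keeps a port scan from filling the log.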


===== Examples =====
You find some example shell scripts below:
  * [[doc:howto:netfilter:netfilter.iptables.example1]] very simple script for setting up NAT (IPv4 only; IPv6 normally needs no NAT)
  * [[doc:howto:netfilter:netfilter.iptables.example2]] simple script with filters (such an implementation is usually called a //firewall//)
  * [[doc:howto:netfilter:netfilter.iptables.example3]] protocol usage with iptables
  * [[doc:howto:netfilter:netfilter.ip6tables.example1]] basic rules for an empty ip6tables (like in firewall_v1) including tunnel support
  * [[doc:howto:netfilter:netfilter.ip6tables.example2]]
  * [[doc:howto:netfilter:netfilter.ebtables.example1]]

===== OPKG Netfilter Packages =====
==== User space programs ====
=== iptables ===
^ Name  ^ Version ^ Size in Bytes ^ Description  ^
| iptables | 1.4.10-1 | 41764 | IPv4 firewall administration tool. Manpage: ''[[man>iptables]]'' |
| libxtables | 1.4.10-1 | 10847 | IPv4/IPv6 firewall - shared xtables library |
| libiptc | 1.4.10-1 | 15689 | IPv4/IPv6 firewall - shared libiptc library |
| kmod-ipt-core | 2.6.32.27-1 | 29463 | Netfilter core kernel modules |


=== ip6tables ===
^ Name  ^ Version ^ Size in Bytes ^ Description  ^
| ip6tables | 1.4.10-1 | 40255 | IPv6 firewall administration tool. Manpage: ''[[man>ip6tables]]'' |
| libxtables | 1.4.10-1 | 10847 | IPv4/IPv6 firewall - shared xtables library |
| libiptc | 1.4.10-1 | 15689 | IPv4/IPv6 firewall - shared libiptc library |
| kmod-ip6tables | 2.6.32.27-1 | 34789 | Netfilter IPv6 firewalling support |
| kmod-ipv6 | 2.6.32.27-1 | 156851 | Kernel modules for IPv6 support |

=== ebtables ===
| {{:meta:icons:tango:48px-outdated.svg.png?nolink}} | ''ebtables'' is no longer available in official builds due to performance implications ([[https://forum.openwrt.org/viewtopic.php?pid=94379#p94379]]). Use the [[about/toolchain|OpenWrt Buildroot]] if you need ''ebtables'' support. |
| {{:meta:icons:tango:48px-outdated.svg.png?nolink}} | According to [[https://forum.openwrt.org/viewtopic.php?pid=203789#p203789|jow]] the ''physdev'' module for iptables is available in 12.09 and in all snapshot builds since then. |

^ Name  ^ Version ^ Size in Bytes ^ Description  ^
| ebtables | 2.0.9-2-1 | 51727 | The ebtables program is a filtering tool for a bridging firewall. The filtering is focused on the link layer Ethernet frame fields. Apart from filtering, it also gives the ability to alter the Ethernet MAC addresses and implement a brouter. Manpage: ''[[man>ebtables]]'' |
| kmod-ebtables | 2.6.32.27-1 | 20859 | ebtables is a general, extensible frame/packet identification framework. It lets you do Ethernet filtering/NAT/brouting on the Ethernet bridge. |
| kmod-ebtables-ipv4 | 2.6.32.27-1 | 5376 | This option adds IPv4 support to ebtables, which allows basic IPv4 header field filtering, ARP filtering as well as SNAT and DNAT targets. |
| kmod-ebtables-ipv6 | 2.6.32.27-1 | 2520 | This option adds IPv6 support to ebtables, which allows basic IPv6 header field filtering and target support. |
| kmod-ebtables-watchers | 2.6.32.27-1 | 7289 | This option adds the log watchers, which you can use in any rule in any ebtables table. |

  * http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

=== arptables ===
^ Name  ^ Version ^ Size in Bytes ^ Description  ^
| arptables | 0.0.3-4-1 | 21321 | ARP firewalling software. Manpage: ''[[man>arptables]]'' |
| kmod-arptables | 2.6.32.27-1 | 9102 | Kernel modules for ARP firewalling |

=== ipset ===
^ Name  ^ Version ^ Size in Bytes ^ Description  ^
| ipset | 6.11-2 | 56149 | IPset administration utility. Manpage: ''[[man>ipset]]'', [[http://ipset.netfilter.org/]] |
| iptables-mod-ipset | 1.4.10-4 | 5787 | IPset iptables extensions |
| kmod-ipt-ipset | 3.3.8+6.11-2 | 82830 | IPset netfilter modules |

==== Modules for match/TARGET ====
To quickly obtain a current overview type ''opkg list iptables-mod-*''. Install the user space module; the kernel modules are listed as dependencies and will be installed as well. The versions and sizes below are those of the release the table was compiled for and differ on current builds; a mark in the //Vanilla// column means the package is part of a default image. Conntrack/NAT helpers (''kmod-ipt-nathelper*'') parse application payloads in the kernel and open the related connections through the firewall, so install only the ones you actually need.

| {{:meta:icons:tango:48px-outdated.svg.png?nolink}} | Since [[https://dev.openwrt.org/changeset/30676/trunk|r30676]] ''iptables-mod-conntrack'' and ''iptables-mod-nat'' are folded into the default package ''iptables'' to save storage. |

^ Name  ^ Vanilla ^ Size in Bytes ^ Description  ^
^ User Space Modules ^^^^
| iptables-mod-chaos |  | 2216 | CHAOS iptables extension |
| iptables-mod-condition |  | 2356 | Condition iptables extension |
| iptables-mod-conntrack | * | 3228 | Basic iptables extensions for connection tracking. Includes: - state - raw - NOTRACK |
| iptables-mod-conntrack-extra |  | 15138 | Extra iptables extensions for connection tracking. Includes: - libipt_conntrack - libipt_helper - libipt_connmark/CONNMARK |
| iptables-mod-delude |  | 1905 | DELUDE iptables extension |
| iptables-mod-extra |  | 7125 | Other extra iptables extensions. Includes: - libipt_owner - libipt_physdev - libipt_pkttype - libipt_recent [[http://www.snowman.net/projects/ipt_recent/|recent]] |
| iptables-mod-filter |  | 15347 | iptables extensions for packet content inspection. Includes: - libipt_string |
| iptables-mod-hashlimit |  | 5554 | iptables extensions for hashlimit matching. Includes: - libipt_hashlimit |
| iptables-mod-imq |  | 2220 | iptables extension for IMQ support. Includes: - libipt_IMQ; use its successor ''[[http://www.linuxfoundation.org/collaborate/workgroups/networking/ifb|kmod-ifb]]'' instead |
| iptables-mod-ipopt |  | 22438 | iptables extensions for matching/changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/DSCP - libipt_ecn/ECN - libipt_length - libipt_mac - libipt_mark/MARK - libipt_statistic - libipt_tcpmss - libipt_tos/TOS - libipt_ttl/TTL - libipt_unclean |
| iptables-mod-ipp2p |  | 3315 | IPP2P iptables extension |
| iptables-mod-iprange |  | 3627 | iptables extensions for matching IP ranges. Includes: - libipt_iprange |
| iptables-mod-ipsec |  | 7002 | iptables extensions for matching IPsec traffic. Includes: - libipt_ah - libipt_esp - libipt_policy |
| iptables-mod-ipset |  | 5673 | IPset iptables extensions. Includes: - libipt_set - libipt_SET |
| iptables-mod-nat | * | 5105 | iptables extensions for basic NAT targets. Includes: - MASQUERADE - SNAT - DNAT |
| iptables-mod-nat-extra |  | 3877 | iptables extensions for extra NAT targets. Includes: - REDIRECT |
| iptables-mod-rawnat |  | 3179 | RAWNAT iptables extension |
| iptables-mod-tarpit |  | 1903 | TARPIT iptables extension |
| iptables-mod-tproxy |  | 3297 | Transparent proxy iptables extensions. Includes: - libxt_socket - libxt_TPROXY |
| iptables-mod-ulog |  | 3189 | iptables extensions for user-space packet logging. Includes: - libipt_ULOG |
^ Kernel Space Modules ^^^^
| kmod-ipt-chaos |  | 3535 | CHAOS netfilter module |
| kmod-ipt-compat-xtables |  | 3531 | API compatibility layer netfilter module |
| kmod-ipt-condition |  | 3750 | Condition netfilter module |
| kmod-ipt-conntrack | 1 | 39749 | Netfilter (IPv4) kernel modules for connection tracking. Includes: - conntrack - defrag (2.6) - iptables_raw - NOTRACK - state |
| kmod-ipt-conntrack-extra |  | 11672 | Netfilter (IPv4) extra kernel modules for connection tracking. Includes: - connbytes - connmark/CONNMARK - conntrack - helper - recent |
| kmod-ipt-core | 1 | 29463 | Netfilter core kernel modules. Includes: - comment (2.6) - limit - LOG - mac - multiport - REJECT - TCPMSS |
| kmod-ipt-delude |  | 2775 | DELUDE netfilter module |
| kmod-ipt-extra |  | 4510 | Other Netfilter (IPv4) kernel modules. Includes: - condition (2.4 only) - owner - physdev (if bridge support was enabled in the kernel) - pkttype - quota |
| kmod-ipt-filter |  | 10648 | Netfilter (IPv4) kernel modules for packet content inspection. Includes: - string |
| kmod-ipt-hashlimit |  | 7257 | Kernel module for the hashlimit bucket match |
| kmod-ipt-imq |  | 5418 | Kernel support for Intermediate Queueing devices; use its successor ''[[http://www.linuxfoundation.org/collaborate/workgroups/networking/ifb|kmod-ifb]]'' instead |
| kmod-ipt-ipopt |  | 11940 | Netfilter (IPv4) modules for matching/changing IP packet options. Includes: - CLASSIFY - dscp/DSCP - ecn/ECN - hl/HL (2.6.30 and later) - length - mark/MARK - statistic (2.6) - tcpmss - time - tos/TOS (prior to 2.6.25) - ttl/TTL (prior to 2.6.30) - unclean |
| kmod-ipt-ipp2p |  | 6606 | IPP2P netfilter module |
| kmod-ipt-iprange |  | 2212 | Netfilter (IPv4) module for matching IP ranges. Includes: - iprange |
| kmod-ipt-ipsec |  | 4179 | Netfilter (IPv4) modules for matching IPsec packets. Includes: - ah - esp - policy (2.6) |
| kmod-ipt-ipset |  | 44012 | IPset netfilter modules |
| kmod-ipt-nat | 1 | 13722 | Netfilter (IPv4) kernel modules for basic NAT targets. Includes: - MASQUERADE |
| kmod-ipt-nat-extra |  | 2605 | Netfilter (IPv4) kernel modules for extra NAT targets. Includes: - MIRROR (2.4) - NETMAP - REDIRECT |
| kmod-ipt-nathelper | 1 | 11680 | Default Netfilter (IPv4) conntrack and NAT helpers. Includes: - ftp - irc - tftp |
| kmod-ipt-nathelper-extra |  | 55210 | Extra Netfilter (IPv4) conntrack and NAT helpers. Includes: - amanda - h323 - mms - pptp (2.6) - proto_gre (2.6) - rtsp - sip (2.6) - snmp_basic |
| kmod-ipt-queue |  | 5617 | Netfilter (IPv4) module for user-space packet queueing. Includes: - QUEUE |
| kmod-ipt-rawnat |  | 3690 | RAWNAT netfilter module |
| kmod-ipt-rawpost |  | 2155 | RAWPOST netfilter module |
| kmod-ipt-tarpit |  | 3101 | TARPIT netfilter module |
| kmod-ipt-tproxy |  | 4871 | Kernel modules for transparent proxying |
| kmod-ipt-ulog |  | 4673 | Netfilter (IPv4) module for user-space packet logging. Includes: - ULOG |
| kmod-iptunnel4 |  | 2828 | Kernel modules for IPv4 tunneling |
| kmod-iptunnel6 |  | 2856 | Kernel modules for IPv6 tunneling |

===== nftables =====
Please see **[[doc/howto/nftables]]**.


===== Notes =====
  * [[https://forum.openwrt.org/viewtopic.php?pid=143700#p143700|Wlan traffic seems to bypass iptables]]
  * Project homepage: [[http://www.netfilter.org/]]
  * One of the best **tutorials**: [[http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html]] by Oskar Andreasson (incomplete, certain matches are missing)
  * Another tutorial: [[http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables]]
  * A short HowTo-like help: [[http://www.akadia.com/services/pppoe_iptables.html]]
  * [[http://www.rigacci.org/wiki/lib/exe/fetch.php/doc/appunti/linux/sa/iptables/conntrack.html|About connection tracking]]
  * German introduction: [[http://www.linux-community.de/Internal/Artikel/Print-Artikel/LinuxUser/2002/05/Paketfilter-Firewall]]
  * [[http://freetz.org/wiki/packages/iptables.en|What is the difference between AVM Firewall and Netfilter?]]
  * [[http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Figure_14-1_Iptables_Packet_Flow_Diagram|LHN Fig.14]]
  * [[http://ipset.netfilter.org/iptables-extensions.man.html|List of available extensions to netfilter/iptables]]
  * The already broken layer7 filtering functionality was removed by [[https://dev.openwrt.org/changeset/45423|r45423]] and [[https://dev.openwrt.org/changeset/45424|r45424]]