send to CPU action is specified, it is sent to the INPUT chain for further processing. If there is no valid way to forward the packet, it is dropped. If the switch is configured to forward the packet, it is sent to the FORWARD chain.

Next the hardware FORWARD chain is walked. If an inserted rule matches the packet headers, that rule is the one applied: its target decides the packet's fate.

In essence, a filter rule scans the packet headers for certain characteristics. On a match, the rule's selected 'target' is executed; the target decides what happens to the packet.

Filter Rules Specifications

A rule can be appended (-A) to a chain, deleted (-D) from a chain, replaced (-R) in a chain, or inserted (-I) at a specific position in a chain. The option letters are case-sensitive. Each rule specifies a set of conditions the packet must meet, and what to do if it meets them ('what to do' is referred to as a 'target').

Here's an example filter rule:

iptables -A FORWARD -p UDP -s 0/0 -d 10.0.0.1/32 --source-port 53 -j DROP

This appends to the FORWARD chain the rule: "If you see UDP packets (-p UDP) from anywhere (-s 0/0) going to host 10.0.0.1 (-d 10.0.0.1/32) with source port number 53 (--source-port 53), then the target is DROP (-j DROP)." Note that the rule matches on the source port, so it drops DNS-style replies addressed to 10.0.0.1, not queries sent to port 53. More details on rule specifications follow.

Specifying Source and Destination IP Addresses

Source (-s, --source or --src) and destination (-d, --destination or --dst) IP addresses can be specified in four ways. The most common way is to use the full name, such as localhost or www.linuxhq.com. The second way is to specify the IP address, such as 127.0.0.1. A name is resolved when the rule is entered, so the rule matches whatever address the name resolved to at that moment; a numeric address avoids that dependency on name resolution.

Netmasks can be applied to IP addresses to specify ranges, like 199.95.207.0/24 or 199.95.207.0/255.255.255.0. Both specify any IP address from 199.95.207.0 to 199.95.207.255 inclusive. To specify an all-inclusive IP address, /0 can be used, like -s or -d 0/0. The example rule above applies this trick. Note however that the effect is the same as not specifying the -s option at all.

Specifying Protocol

The protocol can be specified with the -p (or --protocol) flag. The protocol can be a number (if you know the numeric IP protocol values) or a name for the special cases of TCP, UDP or ICMP. Case does not matter, so tcp works as well as TCP.

Specifying an ICMP Message Type

If the protocol is ICMP, the --icmp-type option can be used to match a specific message type, for example, --icmp-type ping.
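The rule syntax, the four address forms, the protocol and ICMP-type matches and the first-match chain walk described in the sections above, modelled in one added Python example. This is not Znyx code or the switch's own iptables port: it parses a subset of iptables-style rule specifications and walks a FORWARD chain the way the page describes. The protocol numbers, the ICMP type names, the HOSTS table that stands in for DNS and the packets in demo() are assumptions constructed for the example.

```python
"""Toy model of the filter-rule handling described on this page.

Added example, not Znyx code: parses a subset of iptables-style rule
specifications and walks a FORWARD chain first-match-wins.  Protocol
numbers, ICMP names and the HOSTS table are assumptions made here.
"""
import ipaddress
import shlex

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}             # IANA numbers for the named cases
ICMP_TYPES = {"ping": 8, "echo-request": 8, "echo-reply": 0}  # subset of the iptables names
# Constructed stand-in for DNS.  As with the real tool, a name is resolved
# once, when the rule is parsed, not every time a packet is checked.
HOSTS = {"localhost": "127.0.0.1", "dns.example": "10.0.0.1"}

FLAGS = {
    "-p": "proto", "--protocol": "proto",
    "-s": "src", "--source": "src", "--src": "src",
    "-d": "dst", "--destination": "dst", "--dst": "dst",
    "--source-port": "sport", "--sport": "sport",
    "--destination-port": "dport", "--dport": "dport",
    "--icmp-type": "icmp_type",
    "-j": "target",
}


def parse_address(spec):
    """Accept a name, a.b.c.d, a.b.c.d/prefix or a.b.c.d/dotted-mask.

    Short numeric forms such as 0/0 are padded to 0.0.0.0/0.  A name not in
    HOSTS falls through to ipaddress and raises ValueError (no real DNS here).
    """
    host, _, mask = spec.partition("/")
    host = HOSTS.get(host, host)
    octets = host.split(".")
    if all(o.isdigit() for o in octets):
        host = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{host}/{mask or 32}", strict=False)


def parse_rule(spec):
    """Turn '-p UDP -s 0/0 -d 10.0.0.1/32 --source-port 53 -j DROP' into a dict."""
    args = shlex.split(spec)
    if len(args) % 2:
        raise ValueError(f"flag without a value in {spec!r}")
    rule = {}
    for flag, val in zip(args[::2], args[1::2]):
        key = FLAGS[flag]                      # KeyError on an unknown flag, as iptables rejects it
        if key == "proto":
            v = val.lower()                    # names are case-insensitive; numbers pass through
            val = PROTO_NUMBERS[v] if v in PROTO_NUMBERS else int(v)
        elif key in ("src", "dst"):
            val = parse_address(val)
        elif key in ("sport", "dport"):
            val = int(val)
        elif key == "icmp_type":
            v = val.lower()
            val = ICMP_TYPES[v] if v in ICMP_TYPES else int(v)
        rule[key] = val
    if "target" not in rule:
        raise ValueError("rule needs a -j target")
    return rule


def matches(rule, pkt):
    """pkt: dict with proto, src, dst and optional sport, dport, icmp_type."""
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    for key in ("sport", "dport", "icmp_type"):
        if key in rule and pkt.get(key) != rule[key]:
            return False
    return True


class Chain:
    """Ordered rule list; positions are 1-based like iptables."""

    def __init__(self, policy="ACCEPT"):
        self.rules, self.policy = [], policy

    def append(self, spec):             # -A
        self.rules.append(parse_rule(spec))

    def insert(self, spec, pos=1):      # -I [pos]
        self.rules.insert(pos - 1, parse_rule(spec))

    def replace(self, pos, spec):       # -R pos
        self.rules[pos - 1] = parse_rule(spec)

    def delete(self, pos):              # -D pos
        del self.rules[pos - 1]

    def walk(self, pkt):
        """The first matching rule's target decides; otherwise the chain policy."""
        for rule in self.rules:
            if matches(rule, pkt):
                return rule["target"]
        return self.policy


def demo():
    fwd = Chain(policy="ACCEPT")
    fwd.append("-p UDP -s 0/0 -d 10.0.0.1/32 --source-port 53 -j DROP")  # the page's rule
    fwd.append("-p tcp -s 199.95.207.0/255.255.255.0 -d localhost --dport 22 -j DROP")
    fwd.append("-p icmp --icmp-type ping -j DROP")
    dns_reply = dict(proto=17, src="192.0.2.53", dst="10.0.0.1", sport=53, dport=1025)
    out = {"dns_reply": fwd.walk(dns_reply)}                                 # DROP
    out["dns_query"] = fwd.walk(dict(proto=17, src="10.0.0.1", dst="192.0.2.53",
                                     sport=1025, dport=53))                  # ACCEPT: only the source port is matched
    out["ssh_from_masked_net"] = fwd.walk(dict(proto=6, src="199.95.207.77",
                                               dst="127.0.0.1", sport=40000, dport=22))  # DROP
    out["ping"] = fwd.walk(dict(proto=1, src="10.1.1.1", dst="10.0.0.1", icmp_type=8))  # DROP
    # -I 1 puts an ACCEPT ahead of the DROP: first match wins, so the same reply now passes.
    fwd.insert("-p udp -s 192.0.2.53 -j ACCEPT", pos=1)
    out["dns_reply_after_insert"] = fwd.walk(dns_reply)                      # ACCEPT
    fwd.delete(1)                                                            # -D 1 takes it out again
    out["dns_reply_after_delete"] = fwd.walk(dns_reply)                      # DROP
    # 0/0 covers every address; /24 and the dotted mask describe the same range.
    out["zero_matches_all"] = ipaddress.ip_address("203.0.113.9") in parse_address("0/0")
    out["masks_agree"] = parse_address("199.95.207.0/24") == parse_address("199.95.207.0/255.255.255.0")
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25} {verdict}")
```

The insert/delete steps in demo() are the practical point: because the chain is walked in order and the first match wins, where a rule is placed (-I at a position versus -A at the end) changes the verdict for the same packet, so a permissive rule inserted above a DROP silently disables it.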

Ethernet Switch Blade User's Guide (Znyx Networks bh5700), release 3.2.2j, page 62