Provided by: netscript-2.4-upstart_5.2.9ubuntu1_all

NAME

       /etc/netscript/ipfilter-defs - netscript ipfilter-defs compile definitions directory.

DESCRIPTION

       This manual page briefly documents the compile definition files read by the  netscript-
       compile(8) command from the netscript router/firewall network  configuration  package.
       The compiler writes a compiled iptables rule set to /etc/netscript/ipfilter-defs.conf (a
       shell script fragment) that is sourced by the netscript(8) command to load the iptables(8)
       firewall rules into the kernel.

STARTUP COMPILATION

       The rules can be compiled and loaded automatically  at  boot  by  setting  the
       IPV4_CONFIGURE_SWITCH switch in network.conf(5) to the name of the shell function used to
       configure the kernel; netscript-compile(8) generates this function as Configure.  When the
       switch is set, netscript startup runs netscript-compile(8) to bring the compiled rule  set
       up to date, then loads the rules from /etc/netscript/ipfilter-defs.conf together with  the
       settings in network.conf(5) that establish packet grooming and configure the built-in
       netfilter INPUT and FORWARD chains of the filter table.  If compilation  fails,  the  new
       rule set does not replace the previous one, and the previous one is loaded instead.  See
       the netscript(8) manpage for how to load and use backup copies of the rule set.

CHAIN STRUCTURE

       Each chain in the iptables(8) filter table is set up by a construction function  of  the
       same name as the chain.  Input chains are laced into iplcl (which is itself  laced  into
       the INPUT chain) and forwarding chains into ipfwd (laced into FORWARD).   A  forwarding
       control chain carries traffic in both directions: the lacing chain selects on the source
       network/interface and destination network/interface, and the  specific  chain  ties  down
       the network protocol and port.

       With the in-kernel Linux IPsec implementation, traffic to and from  the  VPN  can  be
       selected with the iptables policy match module, provided it is patched into and compiled
       with your kernel and iptables.  Later kernel and iptables releases  ship  this  match
       (xt_policy) as part of the distributed source, so no patching is needed there.

FILE STRUCTURE

       All the files defining the rule set live in the /etc/netscript/ipfilter-defs  directory.
       The network-defs file defines the regions and network blocks used in the  rest  of  the
       rules.  The prototypes-defs file defines prototype rules that can  be  referenced  else-
       where in the rule set.  The prototypes.sh file constructs shell functions for the  net-
       script-compile(8) command that can be used in the definitions files.  DNAT and SNAT are
       set up in the dnat-defs and masq-defs files respectively.  Any file ending in  .def  is
       taken as general rule set input for netscript-compile(8).

       The files generally take the form of tables, with the columns tab or space separated.  The
       '#' character introduces a comment; a comment may occupy a line by itself or follow a
       configuration line.  Everything after the '#' is ignored by the netscript-compile(8)
       compiler.

RULE STRUCTURE

       A rule set is structured as follows.  Each chain is started by calling a shell compilation
       function (generally ipv4_compile_chain) that creates the chain, taking the chain name and
       the source/destination regions as arguments.  Each rule in the chain is then given  on  a
       fresh line with the chain name in the first column.

       Regions are network/interface tuples and are set up in network-defs.   Syntactically  they
       are shell variables and are used as such in the .def rule set files; netscript-compile(8)
       achieves this by passing the lines through eval within its shell script.

       Either of the keywords =clear or =ipsec can be appended to an interface name by adding the
       `=' character to the end of the name.  This matches only IPsec traffic, or  only  non-IPsec
       traffic, on that interface.  Typically you would use it when defining  a  region,  though
       the syntax is valid elsewhere as well.  Use this feature whenever you write iptables rules
       for VPN tunnel traffic: a rule that accepts packets from the remote VPN network  on  the
       external interface without =ipsec also accepts cleartext packets injected from  adjacent
       external sources with a forged source address in that network.

       The  regions  are  given  as arguments to the compilation function, with the region always
       being 2 arguments in network/interface order to the function.

       Each rule in a chain is defined by giving first the chain name, then the rule type, then
       its direction.  All columns after the 3rd are specific to, and defined by, the rule type.
       The direction column may be given as '-', meaning both directions.

       The rules produced by the compiler use iptables connection-based state tracking (the state
       match).  Stateless, packet-by-packet rules will be added later.
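       The following is an added shell example, not part of netscript or its compiler, showing
       what a region tuple, a direction keyword and the =ipsec/=clear interface keywords  amount
       to as iptables(8) match fragments.  The function names, region values and interface names
       are assumptions for illustration; netscript-compile(8) lays its own output out differently.

```sh
# Added illustration, not netscript-compile's code: build the iptables(8)
# match fragment that a netscript region tuple and direction imply.
# A region is a (network, interface-token) pair; the interface token may
# carry =ipsec or =clear, which maps onto the policy match module.

# iface_match <in|out> <iface-token>
#   "eth0=ipsec" -> "-i eth0 -m policy --dir in --pol ipsec"
iface_match() {
    dir=$1
    tok=$2
    iface=${2%%=*}               # interface name without any =keyword
    case "$dir" in
        in)  flag=-i ;;
        out) flag=-o ;;
        *)   printf 'iface_match: bad direction %s\n' "$dir" >&2; return 2 ;;
    esac
    case "$tok" in
        # only packets that were decapsulated from / will go into an IPsec SA
        *=ipsec) printf '%s %s -m policy --dir %s --pol ipsec\n' "$flag" "$iface" "$dir" ;;
        # only packets that are NOT subject to IPsec policy on this interface
        *=clear) printf '%s %s -m policy --dir %s --pol none\n' "$flag" "$iface" "$dir" ;;
        *=*)     printf 'iface_match: unknown keyword in %s\n' "$tok" >&2; return 2 ;;
        # no keyword: any packet on the interface, encrypted or not
        *)       printf '%s %s\n' "$flag" "$iface" ;;
    esac
}

# region_match <L2R|R2L> <from-net> <from-if> <to-net> <to-if>
# L2R selects traffic from the left (first) region to the right (second);
# R2L is the same pair reversed. The caller appends protocol/port matches.
region_match() {
    case "$1" in
        L2R) snet=$2 sif=$3 dnet=$4 dif=$5 ;;
        R2L) snet=$4 sif=$5 dnet=$2 dif=$3 ;;
        *)   printf 'region_match: bad direction %s\n' "$1" >&2; return 2 ;;
    esac
    printf -- '-s %s %s -d %s %s\n' "$snet" "$(iface_match in "$sif")" \
                                     "$dnet" "$(iface_match out "$dif")"
}

# Demo with constructed (assumed) regions: office LAN on eth1, VPN peer
# network 10.1.0.0/16 reachable only through IPsec on eth0.
region_match L2R 192.168.1.0/24 eth1 10.1.0.0/16 eth0=ipsec
region_match R2L 192.168.1.0/24 eth1 10.1.0.0/16 eth0=ipsec
```

       Without the keyword, a match such as -i eth0 -s 10.1.0.0/16 also fires  for  a  cleartext
       packet arriving on eth0 from the Internet with a forged 10.1.0.0/16 source;  with  --pol
       ipsec only packets that actually came out of an IPsec SA match.  Run iptables -m policy
       --help to confirm the policy match is available before relying on it.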

EXAMPLE

       Here is an example of part of a .def file:

              # Access from Office to internet
              #          - only allow outgoing TCP and UDP
              # and ping traffic - anything else is most
              # likely a tunneling protocol.
              # We have VPNs for tunneling
              ipv4_compile_chain -p 90 offcInet droplog $OFFICE_REGN $INTERNET_REGN
              offcInet       ACCEPT_EST      BOTH
              offcInet       ACCEPT_PING     L2R
              offcInet       ACCEPT_TCP      L2R     1:65535
              offcInet       ACCEPT_UDP      L2R     1:65535

       The ACCEPT_EST line accepts packets of ESTABLISHED connections, and RELATED  ones,  for
       connections that were previously accepted as NEW.  New connections are accepted  by  the
       ACCEPT_PING, ACCEPT_TCP and ACCEPT_UDP rules; with the 1:65535 port range shown, any out-
       going TCP or UDP connection from the office is allowed.  See the iptables(8) manpage  for
       the details of stateful filtering.

COMPILE FUNCTIONS

       Unless a function is defined in prototypes.sh, only one compile function is provided.  This
       is not limiting, as there is a facility for rule macros as well as the ability to tell the
       function to use one of the default base rule sets.

       If you do define a function in prototypes.sh, be careful to handle every error  from  the
       function and command calls it makes: netscript-compile(8) runs with set -e, so an unhandled
       failure aborts the whole compilation.

       The only defined compile function for IPv4 is:

       ipv4_compile_chain [-i] [-n] [-b base-chain] [-p priority] [-s  slave-chain]  <chain-name>
       <default-target> <from-net> <from-if> [<to-net> <to-if>]

       The source region and the (optional) destination region are the trailing arguments.  The
       default-target is one of RETURN, DROP, droplog, or log.

       The options to this function are as follows:

       -i     Create an input chain for attaching to iplcl instead of the default  forward  chain
              for attaching to ipfwd.

       -n     Don't lace the chain into iplcl or ipfwd.

       -b base-chain
              Specify an alternate ruleset chain to use.

       -s slave-chain
              Configure/deconfigure  this  chain  as  well  as  the  one  specified.   Useful for
              adjusting input rule set when manipulating the access chain for an IPsec VPN.

       -p priority
              Specify the priority of the chain in the lacing rule set.  Priority is  between  00
              and  99,  with  00  at  the  top of the lacing chain, and 99 at the bottom. This is
              useful for making sure that host specific  rule  sets  occur  before  more  general
              network  related  ones,  and for putting Internet related ones at the bottom of the
              lacing chain.
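       As an added illustration of the -i and -p options (assumed chain, region and  host  names;
       not taken from the netscript distribution), the fragment below creates two input chains and
       relies on priority order to let a host-specific decision win over the general office  rule
       even though the office region contains the admin host.  It assumes that an input chain is
       given only a from region.

```text
# Router input chains. The admin workstation may ssh to the router; the
# rest of the office may not. Priority 10 laces adminIn into iplcl ahead
# of officeIn (priority 50); with RETURN as its default target, anything
# adminIn does not decide falls through to officeIn.
ipv4_compile_chain -i -p 10 adminIn RETURN $ADMIN_REGN
adminIn    ACCEPT_EST   BOTH
adminIn    ACCEPT_TCP   L2R    ssh

ipv4_compile_chain -i -p 50 officeIn droplog $OFFICE_REGN
officeIn   ACCEPT_EST   BOTH
officeIn   ACCEPT_PING  L2R
officeIn   ACCEPT_TCP   L2R    domain
officeIn   ACCEPT_UDP   L2R    domain
officeIn   LOG_MSG      -      officeIn ssh refused
officeIn   REJECT_TCP   L2R    ssh      # everyone else gets an ICMP reject

# Forwarding chains to the Internet go last (priority 90), as in the
# offcInet example above, so that more specific chains are consulted first.
```

       If the two priorities were swapped, the admin host's ssh packets would reach officeIn first
       and be rejected there, since the lacing chain is walked from 00 downwards  and  the  first
       chain that accepts, drops or rejects a packet decides its fate.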

DIRECTION STATEMENTS

       Directions follow FreeS/WAN's left/right terminology: the left side is the first  (from)
       region given to the compile function and the right side is the second (to) region.

       The possible directions are as follows:

       L2R|LEFT2RIGHT|INTERNAL2EXTERNAL|INTERN2EXTERN|I2E|INT2EXT
              Left to Right, Internal to External

       R2L|RIGHT2LEFT|EXTERNAL2INTERNAL|EXTERN2INTERN|E2I|EXT2INT
              Right to Left, External to Internal

       BOTH|- Both directions; '-' is accepted as a synonym.
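       As an added example (not netscript's own code), the POSIX shell lint below reads  a  .def
       fragment, applies the comment and column conventions from FILE STRUCTURE and RULE STRUC-
       TURE, checks that each rule names a chain already opened by ipv4_compile_chain with one of
       the four documented default targets, and checks the direction column against the  keyword
       list above.  The sample .def text is constructed here, with two deliberate mistakes;  its
       chain and region names are assumptions.  The lint does not know the argument  grammar  of
       every rule type, only that the per-port TCP/UDP rules need a destination port.

```sh
# def_lint: read .def text on stdin, report problems one per line on
# stdout, return 1 if any were found. Added example; not netscript-compile.
def_lint() {
    chains=" "      # space-delimited names of chains created so far
    status=0
    lineno=0
    set -f          # no pathname expansion while splitting lines into columns
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}            # everything after '#' is a comment
        set -- $line                # split on tabs/spaces into $1 $2 ...
        [ $# -eq 0 ] && continue    # blank or comment-only line
        if [ "$1" = ipv4_compile_chain ]; then
            shift
            # skip option words: -i and -n are flags, -b/-p/-s take a value
            while [ $# -gt 0 ]; do
                case "$1" in
                    -i|-n)    shift ;;
                    -b|-p|-s) if [ $# -ge 2 ]; then shift 2; else shift; fi ;;
                    -*)       printf 'line %d: unknown option %s\n' "$lineno" "$1"
                              status=1; shift ;;
                    *)        break ;;
                esac
            done
            if [ $# -lt 2 ]; then
                printf 'line %d: ipv4_compile_chain needs <chain-name> <default-target>\n' "$lineno"
                status=1; continue
            fi
            case "$2" in
                RETURN|DROP|droplog|log) ;;
                *) printf "line %d: default target '%s' is not RETURN, DROP, droplog or log\n" \
                          "$lineno" "$2"; status=1 ;;
            esac
            chains="$chains$1 "
            continue
        fi
        chain=$1 rule=$2 dir=$3
        case "$chains" in
            *" $chain "*) ;;
            *) printf "line %d: chain '%s' not created by ipv4_compile_chain\n" \
                      "$lineno" "$chain"; status=1 ;;
        esac
        case "$dir" in
            L2R|LEFT2RIGHT|INTERNAL2EXTERNAL|INTERN2EXTERN|I2E|INT2EXT) ;;
            R2L|RIGHT2LEFT|EXTERNAL2INTERNAL|EXTERN2INTERN|E2I|EXT2INT) ;;
            BOTH|-) ;;
            *) printf "line %d: bad direction '%s'\n" "$lineno" "$dir"; status=1 ;;
        esac
        case "$rule" in
            ACCEPT_TCP|REJECT_TCP|DROP_TCP|LOG_TCP|ACCEPT_UDP|REJECT_UDP|DROP_UDP|LOG_UDP)
                [ $# -ge 4 ] || { printf 'line %d: %s needs a destination port\n' \
                                         "$lineno" "$rule"; status=1; }
                ;;
        esac
    done
    set +f
    return $status
}

# Constructed sample (assumed names) with two deliberate mistakes: a rule
# for a chain that was never created, and a misspelt direction keyword.
sample='# Access from Office to internet
ipv4_compile_chain -p 90 offcInet droplog $OFFICE_REGN $INTERNET_REGN
offcInet   ACCEPT_EST    BOTH
offcInet   ACCEPT_PING   L2R
offcInet   ACCEPT_TCP    L2R   1:65535   # outgoing TCP
offcInet   ACCEPT_UDP    L2R   1:65535
offcDmz    ACCEPT_TCP    L2R   www
offcInet   DROP_PING     LEFT2RITE'

if printf '%s\n' "$sample" | def_lint; then
    echo "no problems found"
fi
```

       On the sample this reports line 7 (chain offcDmz never created) and line 8 (bad direction
       LEFT2RITE).  Because netscript-compile(8) evaluates the files with eval under set -e,  a
       mistake like these otherwise surfaces only as a failed compilation at boot, at which point
       the previous rule set is loaded instead (see STARTUP COMPILATION).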

AVAILABLE CHAIN RULES

       Here are the valid chain rules, and the arguments they expect.

       COMMENT [word1] [word2] ...
              Insert a comment into the compiled shell script.  Fill the 3rd  (direction)  column
              in with '-'.

       MACRO <macro-name>
              Expand a macro rule set.  The macro's name must start with `MACRO_'.  The direction
              column should again be '-'.

       LOG [word1] [word2] ...
              Insert a logging rule using the given log message, or, if none is given, using  the
              current log message for the chain.

       LOG_MSG [word1] [word2] ...
              Set the log message for the chain, replacing the default of `Chain: <chain-name>'
              or a previous LOG_MSG setting.  The message is truncated after 26 letters.

       RESET_LOG_MSG
              Reset log message to the default of `Chain: <chain-name>´.

       REJECT_SMB
              Jump to smb control chain. Creates smb chain if it does not already exist.

       DROP_MARTIANS
              Jump to martian source address control chain.  Creates chain if it does not already
              exist.

       LOG_PORTSCAN
              Use the psd module to detect and log portscans.  Creates portscan log chain (if not
              already there) which puts `PORTSCAN DETECTED - ´ in the log.

       DROP_BROADCAST
              Drop ethernet broadcast packets.

       LOG_BROADCAST
              Log ethernet broadcast packets with the current log messages for the chain.

       ACCEPT_EST
              Accept ESTABLISHED,RELATED packets via the iptables(8) state module.

       ACCEPT_RELATED
              Accept RELATED packets only, via the iptables(8)  state  module.   Useful  for  ICMP
              type 3 (destination unreachable) packets, such as the fragmentation-needed  messages
              used by path MTU discovery, without accepting whole established flows.

       ACCEPT_PROTO <protocol>
              Accept NEW connections for a  protocol.  Accepts one argument  in  the  4th  column
              which is the protocol name from /etc/protocols or the protocol number between 0 and
              255.

       REJECT_PROTO <protocol>
              Reject NEW connections for a  protocol  with  ICMP  reject  packets.   Accepts  one
              argument  in  the  4th column which is the protocol name from /etc/protocols or the
              protocol number between 0 and 255.

       DROP_PROTO <protocol>
              Drop all packets for a  protocol with nothing in reply.  Accepts  one  argument  in
              the  4th  column  which  is  the  protocol name from /etc/protocols or the protocol
              number between 0 and 255.

       LOG_PROTO <protocol>
              Log NEW connections for a protocol with the current  log  message  for  the  chain.
              Accepts   one  argument  in  the  4th  column  which  is  the  protocol  name  from
              /etc/protocols or the protocol number between 0 and 255.

       ACCEPT_TCP [src-port-range] <dst-port-range>
              Accept NEW TCP connections.  If one argument is given, it is the  destination  port
              (range).  If 2 arguments, the first is the source port (range)  and  the  second  the
              destination port (range).  Port ranges are specified by separating them with a  `:'
              character, and ports must be in the /etc/services file, or a number between 0  and
              65535.

       REJECT_TCP [src-port-range] <dst-port-range>
              Reject NEW TCP connections with an ICMP REJECT packet.  If one argument  given,  it
              is  the  destination  port(range).   If  2  arguments, the first is the source port
              (range), and second the destination port (range).  Port  ranges  are  specified  by
              separating  them with a `:´ character, and ports must be in the /etc/services file,
              or a number between 0 and 65535.

       DROP_TCP [src-port-range] <dst-port-range>
              Drop all TCP packets, returning nothing at all.  If one argument is given, it is  the
              destination port (range).  If 2 arguments, the first is the source port (range)  and
              the second the destination port (range).  Port ranges are specified  by  separating
              them with a `:' character, and ports must be in the /etc/services file, or a number
              between 0 and 65535.

       LOG_TCP [src-port-range] <dst-port-range>
              Log NEW TCP connections with the current log text for the chain.  If  one  argument
              given,  it is the destination port(range).  If 2 arguments, the first is the source
              port (range), and second the destination port (range). Port ranges are specified by
              separating  them with a `:´ character, and ports must be in the /etc/services file,
              or a number between 0 and 65535.

       ACCEPT_UDP [src-port-range] <dst-port-range>
              Accept NEW UDP connections.  If one argument is given, it is the  destination  port
              (range).  If 2 arguments, the first is the source port (range)  and  the  second  the
              destination port (range).  Port ranges are specified by separating them with a  `:'
              character, and ports must be in the /etc/services file, or a number between 0  and
              65535.

       REJECT_UDP [src-port-range] <dst-port-range>
              Reject NEW UDP connections with an ICMP REJECT packet.  If one argument  given,  it
              is  the  destination  port(range).   If  2  arguments, the first is the source port
              (range), and second the destination port (range).  Port  ranges  are  specified  by
              separating  them with a `:´ character, and ports must be in the /etc/services file,
              or a number between 0 and 65535.

       DROP_UDP [src-port-range] <dst-port-range>
              Drop all UDP packets, returning nothing at all.  If one argument is given, it is  the
              destination port (range).  If 2 arguments, the first is the source port (range)  and
              the second the destination port (range).  Port ranges are specified  by  separating
              them with a `:' character, and ports must be in the /etc/services file, or a number
              between 0 and 65535.

       LOG_UDP [src-port-range] <dst-port-range>
              Log NEW UDP connections with the  current  log  message  for  the  chain.   If  one
              argument  given,  it  is the destination port(range).  If 2 arguments, the first is
              the source port (range), and second the destination port (range).  Port ranges  are
              specified  by  separating  them  with  a  `:´  character,  and ports must be in the
              /etc/services file, or a number between 0 and 65535.

       ACCEPT_PING
              Accept ICMP type 8 echo request packets for network diagnosis.

       DROP_PING
              Drop ICMP type 8 packets with no reply.

       LOG_PING
              Log an ICMP echo request with the current log message for the chain.

       ACCEPT_TCP_NET [src_network [src-port-range]] <dst-network> <dst-port-range>
              Accept NEW TCP connections from given source (optional) to destination.  Network is
              given  in IPv4 address/netmask or address/masklen format. Port ranges are specified
              by separating them with a `:´ character, and ports must  be  in  the  /etc/services
              file, or a number between 0 and 65535.

       REJECT_TCP_NET [src_network [src-port-range]] <dst-network> <dst-port-range>
              Reject NEW TCP connections with an ICMP reject packet which come from a given source
              (optional), going to the given destination.  Network is given in IPv4 address/netmask
              or address/masklen format.  Port ranges are specified by separating them with a  `:'
              character, and ports must be in the /etc/services file, or a number between  0  and
              65535.

       DROP_TCP_NET [src_network [src-port-range]] <dst-network> <dst-port-range>
              Drop  all  TCP  packets  which  come from a given source (optional), going to given
              destination.  Network is given in IPv4 address/netmask or  address/masklen  format.
              Port  ranges  are specified by separating them with a `:´ character, and ports must
              be in the /etc/services file, or a number between 0 and 65535.

       LOG_TCP_NET [src_network [src-port-range]] <dst-network> <dst-port-range>
              Log all NEW TCP connections from given source (optional) to destination,  with  the
              current  log  message  for  the chain.  Network is given in IPv4 address/netmask or
              address/masklen format. Port ranges are specified by separating  them  with  a  `:´
              character,  and  ports must be in the /etc/services file, or a number between 0 and
              65535.

       ACCEPT_UDP_NET [src_network [src-port-range]] <dst-network> <dst-port-range>
              Accept NEW UDP connections from given source (optional) to destination.  Network is
              given  in IPv4 address/netmask or address/masklen format. Port ranges are specified
              by separating them with a `:´ character, and ports must  be  in  the  /etc/services
              file, or a number between 0 and 65535.

       REJECT_UDP_NET [src_network [src-port-range]] <dst-network> <dst-port-range>
              Reject NEW UDP connections with an ICMP reject packet which come from a given source
              (optional), going to the given destination.  Network is given in IPv4 address/netmask
              or address/masklen format.  Port ranges are specified by separating them with a  `:'
              character, and ports must be in the /etc/services file, or a number between  0  and
              65535.

       DROP_UDP_NET [src_network [src-port-range]] <dst-network> <dst-port-range>
              Drop  all  UDP  packets  which  come from a given source (optional), going to given
              destination.  Network is given in IPv4 address/netmask or  address/masklen  format.
              Port  ranges  are specified by separating them with a `:´ character, and ports must
              be in the /etc/services file, or a number between 0 and 65535.

       LOG_UDP_NET [src_network [src-port-range]] <dst-network> <dst-port-range>
              Log all NEW UDP connections from given source (optional) to destination,  with  the
              current  log  message  for  the chain.  Network is given in IPv4 address/netmask or
              address/masklen format. Port ranges are specified by separating  them  with  a  `:´
              character,  and  ports must be in the /etc/services file, or a number between 0 and
              65535.

       ACCEPT_IFACE <interface>
              Accept all incoming NEW connections from an incoming interface.

       REJECT_IFACE <interface>
              Reject all incoming NEW connections from an interface with an ICMP reject packet.

       DROP_IFACE <interface>
              Drop all incoming packets from an interface.

       LOG_IFACE <interface>
              Log all incoming NEW connections from an interface.

       ACCEPT_NET <network>
              Accept all NEW connections from network.  Network is given in IPv4  address/netmask
              or address/masklen format.

       REJECT_NET <network>
              Reject all NEW connections from the network with an ICMP reject packet.  Network  is
              given in IPv4 address/netmask or address/masklen format.

       DROP_NET <network>
              Drop all packets from the network.  Network is given  in  IPv4  address/netmask  or
              address/masklen format.

       LOG_NET <network>
              Log all NEW connections from the network.  Network is given in IPv4 address/netmask
              or address/masklen format.

FILES

       /etc/netscript/ipfilter-defs.conf,
       /etc/netscript/ipfilter-defs-compiled.conf,
       /etc/netscript/ipfilter-defs directory.

SEE ALSO

       netscript-compile(8), iptables(8), ip6tables(8), netscript(8).

AUTHOR

       This manual page was written by Matthew Grant <grantma@anathoth.gen.nz>,  for  the  Debian
       GNU/Linux system (but may be used by others).

BUGS

       I wrote this manpage when I was not half asleep...

       Some things are missing from this manpage...

       DNAT documentation is missing, but the format is obvious from the configuration file.

       SNAT documentation is missing, but the format is obvious from the configuration file.

                                          March 25, 2003                         IPFILTER-DEFS(5)