diff --git a/extensions/libxt_CHAOS.man b/extensions/libxt_CHAOS.man index 779ac2a..73b828f 100644 --- a/extensions/libxt_CHAOS.man +++ b/extensions/libxt_CHAOS.man @@ -1,3 +1,4 @@ +.PP Causes confusion on the other end by doing odd things with incoming packets. CHAOS will randomly reply (or not) with one of its configurable subtargets: .TP diff --git a/extensions/libxt_DELUDE.man b/extensions/libxt_DELUDE.man index 09c7832..6b90e08 100644 --- a/extensions/libxt_DELUDE.man +++ b/extensions/libxt_DELUDE.man @@ -1,3 +1,4 @@ +.PP The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other packets with an RST. This will terminate the connection much like REJECT, but network scanners doing TCP half-open discovery can be spoofed to make them diff --git a/extensions/libxt_DHCPMAC.man b/extensions/libxt_DHCPMAC.man index f69a5c8..c567782 100644 --- a/extensions/libxt_DHCPMAC.man +++ b/extensions/libxt_DHCPMAC.man @@ -1,3 +1,4 @@ +.PP In conjunction with ebtables, DHCPMAC can be used to completely change all MAC addresses from and to a VMware-based virtual machine. This is needed because VMware does not allow to set a non-VMware MAC address before an operating diff --git a/extensions/libxt_DNETMAP.man b/extensions/libxt_DNETMAP.man index 10c77ac..aa500e7 100644 --- a/extensions/libxt_DNETMAP.man +++ b/extensions/libxt_DNETMAP.man 
@@ -1,16 +1,16 @@ +.PP The \fBDNETMAP\fR target allows dynamic two-way 1:1 mapping of IPv4 subnets. Single rule can map private subnet to shorter public subnet creating and maintaining unambigeous private-public ip bindings. Second rule can be used to map new flows to private subnet according to maintained bindings. Target allows efficient public IPv4 space usage and unambigeous NAT at the same time. - +.PP Target can be used only in \fBnat\fR table in \fBPOSTROUTING\fR or \fBOUTPUT\fR chains for SNAT and in \fBPREROUTING\fR for DNAT. Only flows directed to bound IPs will be DNATed. Packet continues chain traversal if there is no free postnat-ip to be assigned to prenat-ip. Default binding \fBttl\fR is \fI10 minutes\fR and can be changed using \fBdefault_ttl\fR module option. Default ip hash size is 256 and can be changed using \fBhash_size\fR module option. - .TP \fB\-\-prefix\fR \fIaddr\fR\fB/\fR\fImask\fR Network subnet to map to. If not specified, all existing prefixes are used. @@ -35,7 +35,7 @@ bindings ttl is kept unchanged. If not specified then default ttl value (600s) is used. .PP \fB* /proc interface\fR - +.PP Module creates following entries for each new specified subnet: .TP \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR 
@@ -80,71 +80,70 @@ and are available for dynamic bindings. Note! Entries are removed if the last iptables rule for a specific prefix is deleted unless there's persistent flag set. .PP - \fB* Logging\fR - +.PP Module logs binding add/timeout events to klog. This behaviour can be disabled using \fBdisable_log\fR module parameter. - +.PP \fB* Examples\fR - +.PP \fB1.\fR Map subnet 192.168.0.0/24 to subnets 20.0.0.0/26. SNAT only: - +.PP iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 - +.PP Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26. If packet from not yet bound prenat-ip hits the rule and there are no free or timed-out (ttl<0) entries in prefix 20.0.0.0/28, then notice is logged to klog and chain traversal continues. If packet from already bound prenat-ip hits the rule, bindings ttl value is regenerated to default_ttl and SNAT is performed. - +.PP \fB2.\fR Use of \fB\-\-reuse\fR and \fB\-\-ttl\fR switches, multiple rule interaction: - +.PP iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 \-\-reuse \-\-ttl 200 - +.PP iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 30.0.0.0/26 - +.PP Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26 with ttl = 200 seconds. If there are no free addresses in first prefix the next one (30.0.0.0/26) is used with default ttl. It's important to note that the first rule SNATs all flows whose source IP is already actively (ttl>0) bound to ANY prefix. Parameter \fB\-\-reuse\fR makes this functionality work even for inactive (ttl<0) entries. - +.PP If both subnets are exhaused, then chain traversal continues. 
- +.PP \fB3.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 bidirectional way: - +.PP iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 - +.PP iptables \-t nat \-A PREROUTING \-j DNETMAP - +.PP If host 192.168.0.10 generates some traffic, it gets bound to first free IP in subnet - 20.0.0.0. Now any traffic directed to 20.0.0.0 gets DNATed to 192.168.0.10 as long as there's an active (ttl>0) binding. There's no need to specify \fB\-\-prefix\fR parameter in PREROUTING rule, because this way it DNATs traffic to all active prefixes. You could specify prefix it you'd like to make DNAT work for specific prefix only. - +.PP \fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments only: - +.PP iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 \-\-static - +.PP echo "+192.168.0.10:20.0.0.1" > /proc/net/xt_DNETMAP/20.0.0.0_26 .br echo "+192.168.0.11:20.0.0.2" > /proc/net/xt_DNETMAP/20.0.0.0_26 .br echo "+192.168.0.51:20.0.0.3" > /proc/net/xt_DNETMAP/20.0.0.0_26 - +.PP This configuration will allow only preconfigured static bindings to work due to \fBstatic\fR rule option. Without this flag dynamic bindings would be created using non-static entries. - +.PP \fB5.\fR Persistent prefix: - +.PP iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 \-\-persistent .br @@ -153,13 +152,13 @@ iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0. iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 .br echo "+persistent" > /proc/net/xt_DNETMAP/20.0.0.0_26 - +.PP Now we can check persistent flag of the prefix: .br cat /proc/net/xt_DNETMAP/20.0.0.0_26 .br 0 0 64 0 \fBpersistent\fR - +.PP Flush iptables nat table and see that prefix is still in existence: .br iptables \-F \-t nat diff --git a/extensions/libxt_ECHO.man b/extensions/libxt_ECHO.man index 83babdc..6b637b9 100644 --- a/extensions/libxt_ECHO.man 
+++ b/extensions/libxt_ECHO.man @@ -1,3 +1,4 @@ +.PP The \fBECHO\fP target will send back all packets it received. It serves as an examples for an Xtables target. .PP diff --git a/extensions/libxt_IPMARK.man b/extensions/libxt_IPMARK.man index cac330c..8cb5bdd 100644 --- a/extensions/libxt_IPMARK.man +++ b/extensions/libxt_IPMARK.man @@ -1,7 +1,8 @@ +.PP Allows you to mark a received packet basing on its IP address. This can replace many mangle/mark entries with only one, if you use firewall based classifier. - +.PP This target is to be used inside the \fBmangle\fP table. .TP \fB\-\-addr\fP {\fBsrc\fP|\fBdst\fP} diff --git a/extensions/libxt_LOGMARK.man b/extensions/libxt_LOGMARK.man index d9e4a52..c80bb6c 100644 --- a/extensions/libxt_LOGMARK.man +++ b/extensions/libxt_LOGMARK.man @@ -1,3 +1,4 @@ +.PP The LOGMARK target will log packet and connection marks to syslog. .TP \fB\-\-log\-level\fR \fIlevel\fR diff --git a/extensions/libxt_RAWDNAT.man b/extensions/libxt_RAWDNAT.man index 062ca55..e9262ee 100644 --- a/extensions/libxt_RAWDNAT.man +++ b/extensions/libxt_RAWDNAT.man @@ -1,3 +1,4 @@ +.PP The \fBRAWDNAT\fR target will rewrite the destination address in the IP header, much like the \fBNETMAP\fR target. .TP diff --git a/extensions/libxt_RAWSNAT.man b/extensions/libxt_RAWSNAT.man index aa2dca3..24b8041 100644 --- a/extensions/libxt_RAWSNAT.man +++ b/extensions/libxt_RAWSNAT.man @@ -1,3 +1,4 @@ +.PP The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address translation. .PP diff --git a/extensions/libxt_STEAL.man b/extensions/libxt_STEAL.man index 7234329..aaead89 100644 --- a/extensions/libxt_STEAL.man +++ b/extensions/libxt_STEAL.man @@ -1,2 +1,3 @@ +.PP Like the DROP target, but does not throw an error like DROP when used in the \fBOUTPUT\fP chain. diff --git a/extensions/libxt_SYSRQ.man b/extensions/libxt_SYSRQ.man index ade9f13..29944b9 100644 --- a/extensions/libxt_SYSRQ.man +++ b/extensions/libxt_SYSRQ.man 
@@ -1,3 +1,4 @@ +.PP The SYSRQ target allows to remotely trigger sysrq on the local machine over the network. This can be useful when vital parts of the machine hang, for example an oops in a filesystem causing locks to be not released and processes to get diff --git a/extensions/libxt_TARPIT.man b/extensions/libxt_TARPIT.man index 69f47dc..dd47e0e 100644 --- a/extensions/libxt_TARPIT.man +++ b/extensions/libxt_TARPIT.man @@ -1,3 +1,4 @@ +.PP Captures and holds incoming TCP connections using no local per-connection resources. .PP diff --git a/extensions/libxt_condition.man b/extensions/libxt_condition.man index 769e295..a86fac0 100644 --- a/extensions/libxt_condition.man +++ b/extensions/libxt_condition.man @@ -1,3 +1,4 @@ +.PP This matches if a specific condition variable is (un)set. .TP [\fB!\fP] \fB\-\-condition\fP \fIname\fP diff --git a/extensions/libxt_fuzzy.man b/extensions/libxt_fuzzy.man index 28f3d08..f3e6ebc 100644 --- a/extensions/libxt_fuzzy.man +++ b/extensions/libxt_fuzzy.man @@ -1,3 +1,4 @@ +.PP This module matches a rate limit based on a fuzzy logic controller (FLC). .TP \fB\-\-lower\-limit\fP \fInumber\fP diff --git a/extensions/libxt_geoip.man b/extensions/libxt_geoip.man index f5e71c7..2f739b6 100644 --- a/extensions/libxt_geoip.man +++ b/extensions/libxt_geoip.man @@ -1,3 +1,4 @@ +.PP Match a packet by its source or destination country. .TP [\fB!\fP] \fB\-\-src\-cc\fP, \fB\-\-source\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP] diff --git a/extensions/libxt_gradm.man b/extensions/libxt_gradm.man index 154a4c4..e12ebfb 100644 --- a/extensions/libxt_gradm.man +++ b/extensions/libxt_gradm.man @@ -1,3 +1,4 @@ +.PP This module matches packets based on grsecurity RBAC status. .TP [\fB!\fP] \fB\-\-enabled\fP diff --git a/extensions/libxt_iface.man b/extensions/libxt_iface.man index 810db6b..5b12578 100644 --- a/extensions/libxt_iface.man +++ b/extensions/libxt_iface.man 
@@ -1,3 +1,4 @@ +.PP Allows you to check interface states. First, an interface needs to be selected for comparison. Exactly one option of the following three must be specified: .TP diff --git a/extensions/libxt_ipp2p.man b/extensions/libxt_ipp2p.man index 5cc1f17..72a75a8 100644 --- a/extensions/libxt_ipp2p.man +++ b/extensions/libxt_ipp2p.man @@ -1,3 +1,4 @@ +.PP This module matches certain packets in P2P flows. It is not designed to match all packets belonging to a P2P connection \(em use IPP2P together with CONNMARK for this purpose. diff --git a/extensions/libxt_ipv4options.man b/extensions/libxt_ipv4options.man index f9317a1..8c16e71 100644 --- a/extensions/libxt_ipv4options.man +++ b/extensions/libxt_ipv4options.man @@ -1,3 +1,4 @@ +.PP The "ipv4options" module allows to match against a set of IPv4 header options. .TP \fB\-\-flags\fP [\fB!\fP]\fIsymbol\fP[\fB,\fP[\fB!\fP]\fIsymbol...\fP] diff --git a/extensions/libxt_length2.man b/extensions/libxt_length2.man index 8da040b..4e5e410 100644 --- a/extensions/libxt_length2.man +++ b/extensions/libxt_length2.man @@ -1,3 +1,4 @@ +.PP This module matches the length of a packet against a specific value or range of values. .TP diff --git a/extensions/libxt_lscan.man b/extensions/libxt_lscan.man index e0408df..88dd9f7 100644 --- a/extensions/libxt_lscan.man +++ b/extensions/libxt_lscan.man @@ -1,3 +1,4 @@ +.PP Detects simple low-level scan attempts based upon the packet's contents. (This is different from other implementations, which also try to match the rate of new diff --git a/extensions/libxt_psd.man b/extensions/libxt_psd.man index 25975fa..5777dbf 100644 --- a/extensions/libxt_psd.man +++ b/extensions/libxt_psd.man @@ -1,3 +1,4 @@ +.PP Attempt to detect TCP and UDP port scans. This match was derived from Solar Designer's scanlogd. .TP diff --git a/extensions/libxt_quota2.man b/extensions/libxt_quota2.man index c2e6b44..7e820e6 100644 --- a/extensions/libxt_quota2.man +++ b/extensions/libxt_quota2.man 
@@ -1,3 +1,4 @@ +.PP The "quota2" implements a named counter which can be increased or decreased on a per-match basis. Available modes are packet counting or byte counting. The value of the counter can be read and reset through procfs, thereby making
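Review bot: The motivation for the `+.PP` at line 1 of libxt_CHAOS.man, repeated verbatim in the DELUDE, DHCPMAC, ECHO, IPMARK, LOGMARK, RAWDNAT, RAWSNAT, STEAL, SYSRQ, TARPIT, condition, fuzzy, geoip, gradm, iface, ipp2p, ipv4options, length2, lscan, psd and quota2 fragments, is not stated anywhere in the visible patch; the commit message should say that blank input lines are discouraged in man(7) source and that `.PP` is the proper paragraph request, which is also why the DNETMAP hunks swap `-` blank lines for `+.PP`. Each fragment currently opens with running text, so a leading `.PP` is the right fix, but before merging confirm that whatever concatenates these fragments into the combined manual page does not already emit `.PP` right after its section heading, otherwise every fragment would now start with two paragraph requests back to back.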
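Review bot: In the libxt_DNETMAP.man hunk `@@ -1,16 +1,16 @@`, dropping the blank line before `.TP \fB\-\-prefix\fR` without a replacement `.PP` is correct, since `.TP` starts its own paragraph and a `.PP` there would be redundant; the unchanged 16/16 line count (one `+.PP` at the top, one `-`/`+.PP` swap, one pure deletion) is consistent with that. Since the hunk touches this paragraph anyway, fix the spelling in its context lines while here: "unambigeous" (twice) should be "unambiguous", and "Single rule can map private subnet to shorter public subnet" reads better as "A single rule can map a private subnet to a shorter public subnet".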
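Review bot: The libxt_DNETMAP.man hunk `@@ -80,71 +80,70 @@` leaves a factual inconsistency in example 1: the rule maps to `\-\-prefix 20.0.0.0/26`, but the explanation says "no free or timed-out (ttl<0) entries in prefix 20.0.0.0/28"; the prefix should read 20.0.0.0/26. Two typos in the same region are worth folding in: "exhaused" should be "exhausted" and "You could specify prefix it you'd like" should be "if you'd like". On style, examples 1 to 3 separate successive `iptables` commands with `.PP`, whereas the `echo` lines of example 4 and the commands of example 5 use `.br`; pick one form (`.br`, or an `.nf`/`.fi` block) for all command sequences so the rendered spacing is uniform. Finally, the header's 71 to 70 count only works out if `\fB* Logging\fR` is unchanged context and the hunk merely drops the blank line after the `.PP` that precedes it (there is already a `.PP` there, so no `+.PP` is added); the extraction here makes the `-` marker placement hard to read, so double-check the heading line survives.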
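Review bot: Grammar in the context lines of two of the single-line hunks could be fixed in the same pass: in libxt_ECHO.man `@@ -1,3 +1,4 @@`, "It serves as an examples for an Xtables target" should be "It serves as an example of an Xtables target", and in libxt_SYSRQ.man `@@ -1,3 +1,4 @@`, "allows to remotely trigger sysrq" should be "allows sysrq to be triggered remotely" (the same "allows to" construction appears in libxt_DHCPMAC.man and libxt_ipv4options.man). These are context lines, so they need their own hunks, but the patch is already a documentation-only cleanup of exactly these files.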