mirror of
git://git.code.sf.net/p/xtables-addons/xtables-addons
synced 2025-09-06 20:55:13 +02:00
doc: lint man pages (hyphens and spelling)
* hyphen-used-as-minus-sign * spelling-error-in-manpage
This commit is contained in:
Dmitry Smirnov
committed by
Jan Engelhardt
Jan Engelhardt
parent
d582cc04df
commit
fe7a30c746
@@ -64,12 +64,12 @@ Removes binding with \fIIP\fR as prenat or postnat address. If removed binding
|
||||
is currently static, it'll make entry available for dynamic allocation.
|
||||
.TP
|
||||
echo "+persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
|
||||
Sets persistent flag for prefix. It's usefull if you don't want bindings to get
|
||||
Sets persistent flag for prefix. It's useful if you don't want bindings to get
|
||||
flushed when firewall is restarted. You can check if prefix is persistent by
|
||||
printing \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
|
||||
contents.
|
||||
.TP
|
||||
echo "-persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
|
||||
echo "\-persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
|
||||
Unsets persistent flag for prefix. In this mode prefix will be deleted if the
|
||||
last iptables rule for that prefix is removed.
|
||||
.TP
|
||||
@@ -90,7 +90,7 @@ using \fBdisable_log\fR module parameter.
|
||||
|
||||
\fB1.\fR Map subnet 192.168.0.0/24 to subnets 20.0.0.0/26. SNAT only:
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
|
||||
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
|
||||
|
||||
Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26. If packet
|
||||
from not yet bound prenat-ip hits the rule and there are no free or timed-out
|
||||
@@ -101,10 +101,10 @@ bindings ttl value is regenerated to default_ttl and SNAT is performed.
|
||||
\fB2.\fR Use of \fB\-\-reuse\fR and \fB\-\-ttl\fR switches, multiple rule
|
||||
interaction:
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix
|
||||
20.0.0.0/26 --reuse --ttl 200
|
||||
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix
|
||||
20.0.0.0/26 \-\-reuse \-\-ttl 200
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 30.0.0.0/26
|
||||
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 30.0.0.0/26
|
||||
|
||||
Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26 with ttl =
|
||||
200 seconds. If there are no free addresses in first prefix the next one
|
||||
@@ -117,9 +117,9 @@ If both subnets are exhaused, then chain traversal continues.
|
||||
|
||||
\fB3.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 bidirectional way:
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
|
||||
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
|
||||
|
||||
iptables -t nat -A PREROUTING -j DNETMAP
|
||||
iptables \-t nat \-A PREROUTING \-j DNETMAP
|
||||
|
||||
If host 192.168.0.10 generates some traffic, it gets bound to first free IP in
|
||||
subnet - 20.0.0.0. Now any traffic directed to 20.0.0.0 gets DNATed to
|
||||
@@ -130,8 +130,8 @@ DNAT work for specific prefix only.
|
||||
|
||||
\fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments only:
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
|
||||
--static
|
||||
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
|
||||
\-\-static
|
||||
|
||||
echo "+192.168.0.10:20.0.0.1" > /proc/net/xt_DNETMAP/20.0.0.0_26
|
||||
.br
|
||||
@@ -145,12 +145,12 @@ using non-static entries.
|
||||
|
||||
\fB5.\fR Persistent prefix:
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
|
||||
--persistent
|
||||
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
|
||||
\-\-persistent
|
||||
.br
|
||||
\fBor\fR
|
||||
.br
|
||||
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
|
||||
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
|
||||
.br
|
||||
echo "+persistent" > /proc/net/xt_DNETMAP/20.0.0.0_26
|
||||
|
||||
@@ -162,11 +162,11 @@ cat /proc/net/xt_DNETMAP/20.0.0.0_26
|
||||
|
||||
Flush iptables nat table and see that prefix is still in existence:
|
||||
.br
|
||||
iptables -F -t nat
|
||||
iptables \-F \-t nat
|
||||
.br
|
||||
ls -l /proc/net/xt_DNETMAP
|
||||
ls \-l /proc/net/xt_DNETMAP
|
||||
.br
|
||||
-rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26
|
||||
\-rw\-r\-\-r\-\- 1 root root 0 06\-10 09:01 20.0.0.0_26
|
||||
.br
|
||||
-rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26_stat
|
||||
\-rw\-r\-\-r\-\- 1 root root 0 06\-10 09:01 20.0.0.0_26_stat
|
||||
.
|
||||
|
||||
@@ -15,8 +15,8 @@ with the source package, and which should be available in compiled packages in
|
||||
/usr/lib(exec)/xtables-addons/. The first command retrieves CSV files from
|
||||
MaxMind, while the other two build packed bisectable range files:
|
||||
.PP
|
||||
mkdir -p /usr/share/xt_geoip; cd /tmp; $path/to/xt_geoip_dl;
|
||||
mkdir \-p /usr/share/xt_geoip; cd /tmp; $path/to/xt_geoip_dl;
|
||||
.PP
|
||||
$path/to/xt_geoip_build -D /usr/share/xt_geoip GeoIP*.csv;
|
||||
$path/to/xt_geoip_build \-D /usr/share/xt_geoip GeoIP*.csv;
|
||||
.PP
|
||||
The shared library is hardcoded to look in these paths, so use them.
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
Detects simple low-level scan attemps based upon the packet's contents.
|
||||
Detects simple low-level scan attempts based upon the packet's contents.
|
||||
(This is
|
||||
different from other implementations, which also try to match the rate of new
|
||||
connections.) Note that an attempt is only discovered after it has been carried
|
||||
|
||||
@@ -15,10 +15,10 @@ modprobe xt_pknock
|
||||
.PP
|
||||
Example 1 (TCP mode, manual closing of opened port not possible):
|
||||
.IP
|
||||
iptables -P INPUT DROP
|
||||
iptables \-P INPUT DROP
|
||||
.IP
|
||||
iptables -A INPUT -p tcp -m pknock --knockports 4002,4001,4004 --strict
|
||||
--name SSH --time 10 --autoclose 60 --dport 22 -j ACCEPT
|
||||
iptables \-A INPUT \-p tcp \-m pknock \-\-knockports 4002,4001,4004 \-\-strict
|
||||
\-\-name SSH \-\-time 10 \-\-autoclose 60 \-\-dport 22 \-j ACCEPT
|
||||
.PP
|
||||
The rule will allow tcp port 22 for the attempting IP address after the successful reception of TCP SYN packets
|
||||
to ports 4002, 4001 and 4004, in this order (a.k.a. port-knocking).
|
||||
@@ -33,10 +33,10 @@ Example 2 (UDP mode \(em non-replayable and non-spoofable, manual closing
|
||||
of opened port possible, secure, also called "SPA" = Secure Port
|
||||
Authorization):
|
||||
.IP
|
||||
iptables -A INPUT -p udp -m pknock --knockports 4000 --name FTP
|
||||
--opensecret foo --closesecret bar --autoclose 240 -j DROP
|
||||
iptables \-A INPUT \-p udp \-m pknock \-\-knockports 4000 \-\-name FTP
|
||||
\-\-opensecret foo \-\-closesecret bar \-\-autoclose 240 \-j DROP
|
||||
.IP
|
||||
iptables -A INPUT -p tcp -m pknock --checkip --name FTP --dport 21 -j ACCEPT
|
||||
iptables \-A INPUT \-p tcp \-m pknock \-\-checkip \-\-name FTP \-\-dport 21 \-j ACCEPT
|
||||
.PP
|
||||
The first rule will create an "ALLOWED" record in /proc/net/xt_pknock/FTP after
|
||||
the successful reception of an UDP packet to port 4000. The packet payload must be
|
||||
|
||||
@@ -29,7 +29,7 @@ Specify a target directory into which the files are to be put.
|
||||
.PP
|
||||
Shell commands to build the databases and put them to where they are expected:
|
||||
.PP
|
||||
xt_geoip_build -D /usr/share/xt_geoip
|
||||
xt_geoip_build \-D /usr/share/xt_geoip
|
||||
.SH See also
|
||||
.PP
|
||||
xt_geoip_dl(1)
|
||||
|
||||
Reference in New Issue
Block a user