ICMP Extensions: used with -m icmp -p icmp

--icmp-type [!] typename
    Specifies the ICMP message type that this rule will match. The type may be specified by number or by name. Some valid names are: echo-request, echo-reply, source-quench, time-exceeded, destination-unreachable, network-unreachable, host-unreachable, protocol-unreachable, and port-unreachable.

MAC Extensions: used with -m mac

--mac-source [!] address
    Specifies the Ethernet address of the host that transmitted the datagram this rule will match. This only makes sense in a rule in the INPUT or FORWARD chains, because the firewall itself is the transmitter of any datagram that passes the OUTPUT chain.

Our Naïve Example Revisited, Yet Again

To implement our naïve example using netfilter, you could simply load the ipchains.o module and pretend it is the ipchains version. Instead, we'll reimplement it using iptables to illustrate how similar it is.

Yet again, let's suppose that we have a network in our organization and that we are using a Linux-based firewall machine to allow our users to access WWW servers on the Internet, but to allow no other traffic to be passed. If our network has a 24-bit network mask (class C) and has an address of 172.16.1.0, then we'd use the following iptables rules:

    # modprobe ip_tables
    # iptables -F FORWARD
    # iptables -P FORWARD DROP
    # iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 \
        --syn -j DROP
    # iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 --dport 80 -d 0/0 \
        -j ACCEPT
    # iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 \
        -j ACCEPT

In this example the iptables commands are interpreted exactly as the equivalent ipchains commands. The major exception is that the ip_tables.o module must be loaded first. Note that iptables doesn't support the -b option, so we must supply a rule for each direction: one accepting datagrams from our network to destination port 80 anywhere, and one accepting the replies coming back from source port 80. The first rule is what stops the reply rule from being abused: it drops any TCP SYN that arrives from source port 80 destined for our network, so an outside host cannot open a new connection to one of our machines simply by choosing 80 as its source port.

TOS Bit Manipulation

The Type Of Service (TOS) bits are a set of four one-bit flags in the IP header. When any one of these bit flags is set, routers may handle the datagram differently than datagrams with no TOS bits set. Each of the four bits has a different purpose and only one of the TOS bits may be set at any time, so combinations are not allowed. The bit flags are called Type of Service bits because they enable the application transmitting the data to tell the network the type of network service it requires. The classes of network service available are:

Minimum delay
    Used when the time it takes for a datagram to travel from the source host to the destination host (latency) is most important. A network provider might, for example, use both optical fiber and satellite network connections. Data carried across satellite connections has farther to travel, so its latency is generally higher than for terrestrial network connections between the same endpoints. A network provider might choose to ensure that datagrams with this type of service set are not carried by satellite.
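Stepping back to the naïve web-only FORWARD chain above: the reason the --syn DROP rule has to come first is easiest to see by walking packets through the chain in order. The following simulator is an added example, not code from the book or from the netfilter project. It models iptables' first-match semantics over a hand-written subset of the rule syntax (source and destination prefixes, --sport, --dport and --syn); the packets are constructed for the example, using addresses from the documentation ranges, and the rules carry the port directions the text intends (our clients connect to destination port 80, replies arrive from source port 80).

```python
"""First-match simulator for the naive web-only FORWARD chain.

Added example, not from the book: rules and packets are plain dicts and the
rule syntax is a hand-written subset of what iptables accepts."""

import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("172.16.1.0/24")   # the chapter's class C network


def rule(src, dst, target, sport=None, dport=None, syn=False):
    """One rule: None for a port means 'any'; syn=True corresponds to --syn."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "syn": syn, "target": target}


# The chapter's three rules, in order: guard, client -> server, server -> client.
FORWARD = [
    rule(ANY, INTERNAL, "DROP", sport=80, syn=True),   # no new connections from :80 inward
    rule(INTERNAL, ANY, "ACCEPT", dport=80),           # our clients to any web server
    rule(ANY, INTERNAL, "ACCEPT", sport=80),           # replies from web servers
]
POLICY = "DROP"                                        # iptables -P FORWARD DROP


def packet(src, dst, sport, dport, syn):
    """A TCP segment; syn=True means SYN set with ACK/RST/FIN clear, which is what --syn matches."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport, "syn": syn}


def matches(r, p):
    """True if every criterion in rule r is satisfied by packet p."""
    if p["src"] not in r["src"] or p["dst"] not in r["dst"]:
        return False
    if r["sport"] is not None and p["sport"] != r["sport"]:
        return False
    if r["dport"] is not None and p["dport"] != r["dport"]:
        return False
    if r["syn"] and not p["syn"]:
        return False
    return True


def verdict(p, chain=FORWARD, policy=POLICY):
    """Walk the chain top to bottom; the first matching rule's target wins,
    otherwise the chain policy applies."""
    for r in chain:
        if matches(r, p):
            return r["target"]
    return policy


# Constructed sample traffic (documentation-range addresses, not real hosts).
CLIENT_SYN = packet("172.16.1.5", "203.0.113.80", 40000, 80, syn=True)
SERVER_REPLY = packet("203.0.113.80", "172.16.1.5", 80, 40000, syn=False)   # SYN/ACK, data, ...
OUTBOUND_SSH = packet("172.16.1.5", "203.0.113.22", 40001, 22, syn=True)
# An outsider choosing source port 80 to open a connection to an internal host:
SNEAKY_SYN = packet("198.51.100.7", "172.16.1.5", 80, 22, syn=True)


def without_syn_guard():
    """The same chain with the first (--syn DROP) rule removed, to show what it protects."""
    return FORWARD[1:]


if __name__ == "__main__":
    for name, p in [("client SYN", CLIENT_SYN), ("server reply", SERVER_REPLY),
                    ("outbound ssh", OUTBOUND_SSH), ("sneaky SYN from :80", SNEAKY_SYN)]:
        print(f"{name:22} {verdict(p)}")
    print("sneaky SYN without guard:", verdict(SNEAKY_SYN, without_syn_guard()))
```

With the guard in place the outsider's SYN from source port 80 is dropped by the first rule; remove it and the reply rule accepts that same SYN. Note what the guard does not do: any non-SYN segment from source port 80 to an internal address is still accepted, because a stateless filter like this one has no way to tell a genuine reply from a fabricated one. That limit is inherent to the rules shown here, and connection tracking is the usual way past it.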
