tionality can be extended without recompiling it. It manages this trick by using shared libraries. There are standard extensions and we'll explore some of them in a moment.

Before you can use the iptables command, you must load the netfilter kernel module that provides support for it. The easiest way to do this is to use the modprobe command as follows:

    modprobe ip_tables

The iptables command is used to configure both IP filtering and Network Address Translation. To facilitate this, there are two tables of rules called filter and nat. The filter table is assumed if you do not specify the -t option to override it. Five built-in chains are also provided. The INPUT and FORWARD chains are available for the filter table, the PREROUTING and POSTROUTING chains are available for the nat table, and the OUTPUT chain is available for both tables. In this chapter we'll discuss only the filter table. We'll look at the nat table in Chapter 11.

The general syntax of most iptables commands is:

    iptables command rule-specification extensions

Now we'll take a look at some options in detail, after which we'll review some examples.

Commands

There are a number of ways we can manipulate rules and rulesets with the iptables command. Those relevant to IP firewalling are:

-A chain
    Append one or more rules to the end of the nominated chain. If a hostname is supplied as either a source or destination and it resolves to more than one IP address, a rule will be added for each address.

-I chain rulenum
    Insert one or more rules to the start of the nominated chain. Again, if a hostname is supplied in the rule specification, a rule will be added for each of the addresses to which it resolves.

-D chain
    Delete one or more rules from the specified chain matching the rule specification.

-D chain rulenum
    Delete the rule residing at position rulenum in the specified chain. Rule positions start at 1 for the first rule in the chain.

-R chain rulenum
    Replace the rule residing at position rulenum in the specified chain with the supplied rule specification.

-C chain
    Check the datagram described by the rule specification against the specified chain. This command will return a message describing how the chain processed the datagram. This is very useful for testing your firewall configuration and we will look at it in detail later.

-L [chain]
    List the rules of the specified chain, or for all chains if no chain is specified.

-F [chain]
    Flush the rules of the specified chain, or for all chains if no chain is specified.

-Z [chain]
    Zero the datagram and byte counters for all rules of the specified chain, or for all chains if no chain is specified.

-N chain
    Create a new chain with the specified name. A chain of the same name must not already exist. This is how user-defined chains are created.
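The following script is an added example, not taken from the guide: it builds a small filter-table ruleset with the commands listed above (-F, -Z, -N, -A, -I, -R, -L) and shows how rule positions shift when a rule is inserted at position 1. The network 192.0.2.0/24 and the chain name ssh-in are constructed for illustration; set IPT_DRY_RUN=1 to print the invocations instead of executing them, so the ordering can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original text). Wrapper around iptables:
# with IPT_DRY_RUN=1 it prints each command instead of running it.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Start from a clean filter table: flush the built-in chains and
    # zero all datagram/byte counters (no -t given, so "filter" is assumed).
    ipt -F INPUT
    ipt -F FORWARD
    ipt -Z

    # User-defined chain for SSH policy. -N fails if "ssh-in" already exists,
    # which is why the flush above does not remove the need for a fresh boot
    # or an explicit chain deletion before re-running this script.
    ipt -N ssh-in
    ipt -A ssh-in -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT   # constructed admin net
    ipt -A ssh-in -p tcp --dport 22 -j DROP                     # everyone else

    # INPUT rule 1: hand SSH to ssh-in; rule 2: allow web traffic.
    ipt -A INPUT -p tcp --dport 22 -j ssh-in
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT

    # Insert loopback at position 1. Positions start at 1, so the two rules
    # appended above are now rules 2 and 3.
    ipt -I INPUT 1 -i lo -j ACCEPT

    # Replace rule 3 (the web rule) with a version restricted to the admin net.
    ipt -R INPUT 3 -s 192.0.2.0/24 -p tcp --dport 80 -j ACCEPT

    # List the resulting chain numerically with rule positions shown.
    ipt -L INPUT -n --line-numbers
}

# Usage: "sh fw.sh show" prints the commands; "sh fw.sh apply" runs them as root.
case "${1:-}" in
    show)  IPT_DRY_RUN=1 build_ruleset ;;
    apply) build_ruleset ;;
esac
```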