
This is used to match TCP connect datagrams. The option causes the rule to match only datagrams that attempt to establish TCP connections. Only datagrams that have their SYN bit set, but their ACK bit unset, will match. This is useful to filter TCP connection attempts and is ignored for other protocols.

-k
This is used to match TCP acknowledgement datagrams. This option causes the rule to match only datagrams that are acknowledgements to packets attempting to establish TCP connections. Only datagrams that have their ACK bit set will match. This is useful to filter TCP connection attempts and is ignored for all other protocols.

ICMP datagram types

Each of the firewall configuration commands allows you to specify ICMP datagram types. Unlike TCP and UDP ports, there is no convenient configuration file that lists the datagram types and their meanings. The ICMP datagram types are defined in RFC-1700, the Assigned Numbers RFC. The ICMP datagram types are also listed in one of the standard C library header files. The /usr/include/netinet/ip_icmp.h file, which belongs to the GNU standard library package and is used by C programmers when writing network software that uses the ICMP protocol, also defines the ICMP datagram types. For your convenience, we've listed them in Table 9.2. The iptables command interface allows you to specify ICMP types by name, so we've listed the mnemonics it uses, as well.
Table 9.2: ICMP Datagram Types

Type Number   iptables Mnemonic         Type Description
0             echo-reply                Echo Reply
3             destination-unreachable   Destination Unreachable
4             source-quench             Source Quench
5             redirect                  Redirect
8             echo-request              Echo Request
11            time-exceeded             Time Exceeded
12            parameter-problem         Parameter Problem
13            timestamp-request         Timestamp Request
14            timestamp-reply           Timestamp Reply
15            none                      Information Request
16            none                      Information Reply
17            address-mask-request      Address Mask Request
18            address-mask-reply        Address Mask Reply

IP Firewall Chains (2.2 Kernels)

Most aspects of Linux are evolving to meet the increasing demands of its users; IP firewall is no exception. The traditional IP firewall implementation is fine for most applications, but can be clumsy and inefficient to configure for complex environments. To solve this problem, a new method of configuring IP firewall and related features was developed. This new method was called "IP Firewall Chains" and was first released for general use in the 2.2.0 Linux kernel. The IP Firewall Chains support was developed by Paul Russell and Michael Neuling. Paul has documented the IP Firewall Chains software in the IPCHAINS-HOWTO. Paul can be reached at Paul.Russell@rustcorp.com.au.
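To make the two TCP flag options and Table 9.2 concrete, here is an added example (not code from the book or from ipfwadm/iptables) that parses a raw IPv4 datagram and reports which match condition it satisfies: SYN set with ACK clear (a connection attempt), ACK set (what -k matches), or, for ICMP, the iptables mnemonic for its type number. The header builders, the classify function and the sample packets are constructed for this example; the IP checksum is left zero because nothing here validates it.

```python
import struct

# Table 9.2 from the page: ICMP type number -> iptables mnemonic.
# Types 15 and 16 (Information Request/Reply) have no mnemonic, so they are absent.
ICMP_MNEMONICS = {
    0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
    5: "redirect", 8: "echo-request", 11: "time-exceeded",
    12: "parameter-problem", 13: "timestamp-request", 14: "timestamp-reply",
    17: "address-mask-request", 18: "address-mask-reply",
}
TCP_SYN, TCP_ACK = 0x02, 0x10   # bit positions in the TCP flags byte


def ipv4(proto, payload):
    """Minimal 20-byte IPv4 header (constructed test data; checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def tcp(flags, dport=80):
    """Minimal 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def icmp(icmp_type):
    """Minimal 8-byte ICMP header of the given type (code 0)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)


def classify(packet):
    """Report which of the page's match conditions a raw IPv4 datagram satisfies."""
    ver_ihl, proto = packet[0], packet[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    payload = packet[(ver_ihl & 0x0F) * 4:]        # skip IP header incl. options
    if proto == 6:                                 # TCP: flags live in byte 13
        if len(payload) < 20:
            raise ValueError("truncated TCP header")
        flags = payload[13]
        if flags & TCP_SYN and not flags & TCP_ACK:
            return "tcp-connect"                   # SYN set, ACK clear: connect attempt
        if flags & TCP_ACK:
            return "tcp-ack"                       # ACK set: what -k matches
        return "tcp-other"
    if proto == 1:                                 # ICMP: type is the first byte
        if len(payload) < 8:
            raise ValueError("truncated ICMP header")
        return "icmp/" + ICMP_MNEMONICS.get(payload[0], "type-%d" % payload[0])
    return "proto-%d" % proto                      # TCP flag options are ignored here
```

Note that a SYN+ACK reply from a server is reported as "tcp-ack", not "tcp-connect", which is exactly why a rule on the connect option blocks inbound connection attempts without blocking the replies to outbound ones.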
