|
发表于 2004-10-20 00:00:38
|
显示全部楼层
layer7的定义文件详细信息这样写到:Status: Beta This patch adds the ACCOUNT targetThe ACCOUNT target is a high performance accounting system for local networks.It takes two parameters: --addr network/netmask and --tname NAME.--addr is the subnet which is accounted for--tname is the table name where the information is storedThe data can be queried later using the libipt_ACCOUNT userspace libraryor by the "iptaccount" tool which is part of the libipt_ACCOUNT package.A special subnet is "0.0.0.0/0": All data is stored in the src_bytesand src_packets structure of slot "0". This is useful if you wantto account the overall traffic to/from your internet provider.For more information go to http://www.intra2net.com/opensource/ipt_accountAuthor: Patrick McHardy Status: working This patch adds support for the CLASSIFY target which sets skb->priority.Some qdiscs can use this value for classification, among these are- atm- cbq- dsmark- pfifo_fast- htb- prioThis target is only valid in the POST_ROUTING chain of the mangle table.Usage: iptables -t mangle -A POSTROUTING .. -j CLASSIFY --set-class MAJOR:MINORAuthor: Harald Welte Status: working Author: Henrik Nordstrom Status: working This patch adds per connection marks, and a target (CONNMARK)respective a match (connmark) for using these.Usage: connmark This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). --mark value[/mask] Matches packets in connections with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mark before the comparison). CONNMARK This is used to set the netfilter mark value associated with the connection --set-mark mark Set connection mark --save-mark Set connection mark to the same as the one on the packet --restore-mark Set the netfilter packet mark value to the one associated with the connection. This is only valid in the mangle table.Author: Grzegorz Janoszka Status: Works for me This option adds a `IPMARK' target, which allows you to mark a received packet basing on its IP address. This can replace many mangle/mark entries with only one, if you use firewall based classifier. This target is to be used inside the mangle table, in the PREROUTING, POSTROUTING or FORWARD hooks. IPMARK target options: --addr src/dst Use source or destination IP address. --and-mask mask Perform bitwise `and' on the IP address and this mask. --or-mask mask Perform bitwise `or' on the IP address and this mask. The order of IP address bytes is reversed to meet "human order of bytes": 192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then `or'. Examples: We create a queue for each user, the queue number is adequate to the IP address of the user, e.g.: all packets going to/from 192.168.5.2 are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc. We have one classifier rule: tc filter add dev eth3 parent 1:0 protocol ip fw Earlier we had many rules just like below: iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK --set-mark 0x10502 iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK --set-mark 0x10503 ... Using IPMARK target we can replace all the mangle/mark rules with only one: iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst --and-mask=0xffff --or-mask=0x10000 On the routers with hundreds of users there should be significant load decrease (e.g. twice).MARK operationsAuthor: Fabrice MARIE Status: Working This patch adds support for setting the nfmark bitwise (and & or).Example: iptables -t mangle ... -j MARK --or-mark 0x15 iptables -t mangle ... -j MARK --and-mark 0x15Author: C茅dric de Launois Status: Experimental This option adds a `ROUTE' target, which enables you to setup unusual routes. For example, the ROUTE lets you route a received packet through an interface or towards a host, even if the regular destination of the packet is the router itself. The ROUTE target is also able to change the incoming interface of a packet. The target can be or not a final target. It has to be used inside the mangle table. ROUTE target options: --oif ifname Send the packet out using `ifname' network interface. --iif ifname Change the packet's incoming interface to `ifname'. --gw ip Route the packet via this gateway. --continue Route the packet and continue traversing the rules. Note that --iif and --continue can't be used together. Examples : # To force all outgoing icmp packet to go through the eth1 interface # (final target) : iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1 # To tunnel outgoing http packets and continue traversing the rules : iptables -A POSTROUTING -t mangle -p tcp --dport 80 -j ROUTE --oif tunl1 --continue # To forward all ssh packets to gateway w.x.y.z, and continue traversing # the rules : iptables -A POSTROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z --continue # To change the incoming network interface from eth0 to eth1 for all icmp # packets (final target) : iptables -A PREROUTING -t mangle -p icmp -i eth0 -j ROUTE --iif eth1Author: "Aaron Hopkins" Status: Works for me Adds a TARPIT target to iptables, which captures and holds incoming TCPconnections using no local per-connection resources. Connections areaccepted, but immediately switched to the persist state (0 byte window), inwhich the remote side stops sending data and asks to continue every 60-240seconds. Attempts to close the connection are ignored, forcing the remoteside to time out the connection in 12-24 minutes.This offers similar functionality to LaBrea but doesn't require dedicated hardwareor IPs. Any TCP port that you would normally DROP or REJECT can insteadbecome a tarpit.To tarpit connections to TCP port 80 destined for the current machine: iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPITTo significantly slow down Code Red/Nimda-style scans of unused addressspace, forward unused ip addresses to a Linux box not acting as a router(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IPforwarding on the Linux box, and add: iptables -A FORWARD -p tcp -j TARPIT iptables -A FORWARD -j DROPYou probably don't want the conntrack module loaded while you are usingTARPIT, or you will be using resources per connection.Author: Telford Tendys Status: Sometimes works, testing has been minimal This option adds a `TCPLAG' target, intended for INPUT, OUTPUT and FORWARD chains. This target has no effect on packets but will passively monitor TCP/IP connections and send lag estimates to syslog. Lag estimates are generated by considering the time delay between SEQ and matching ACK, which does not map precisely to any particular network property. We can say that a fast network will typically give smaller lag values than a slow network.Author: Jozsef Kadlecsik Status: Testing. This patch adds the TRACE target to the raw table.The TRACE target can be used to trace how the packet "flows trough" your tables and rules. When a packet marked with the TRACE targetmatches any rule, the system logs the packet with the followingprefix: TRACE: tablename/chainname/rulenum packetBEWARE: if you apply this patch, you loose backward compatibilitywith your current iptables binary, so you *must* recompilethe userspace program as well. Author: Tim Vandermeersch Status: Experimental This adds CONFIG_IP_NF_TARGET_XOR option, which can encrypt TCP and UDP traffic using a simple XOR encryptionAuthor: Piotr Gasido Status: working This match is used for accounting traffic for all hosts indefined network/netmask. Features:- long (one counter per protocol TCP/UDP/IMCP/Other) and short statistics- one iptables rule for all hosts in network/netmask- loading/saving counters (by reading/writting to procfs entries)Example usage:account traffic for/to 192.168.0.0/24 network into table mynetwork:# iptables -A FORWARD -m account --aname mynetwork --aaddr 192.168.0.0/24account traffic for/to WWW serwer for 192.168.0.0/24 network into table mywwwserver:# iptables -A INPUT -p tcp --dport 80 -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort# iptables -A OUTPUT -p tcp --sport 80 -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort read counters:# cat /proc/net/ipt_account/mynetwork# cat /proc/net/ipt_account/mywwwserverset counters:# echo "ip = 192.168.0.1 packets_src = 0" > /proc/net/ipt_account/mywwserver Webpage: http://www.barbara.eu.org/~quaker/ipt_account/ Author: Patrick McHardy Status: Working This match allows you to match address types as seen by the routing code.Valid types (from include/linux/rtnetlink.h) are:UNSPECUNICASTLOCALBROADCASTANYCASTMULTICASTBLACKHOLEUNREACHABLEPROHIBITTHROWNATXRESOLVEUsage: -m addrtype --src-type type[,type..] --dst-type type[,type..]Example: iptables ... -m addrtype --src-type LOCAL ... iptables ... -m addrtype --dst-type ANYCAST ...Add comment match for attaching comments to rulesAuthor: Brad Fisher Status: Stable This option adds CONFIG_IP_NF_MATCH_COMMENT, which supplies a commentmatch module. This match allows you to add comments (up to 256 characters)to any rule.Supported options:--comment COMMENTExample: -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"Author: Stephane Ouellette Status: ItWorksForMe This option allows you to match firewall rules against condition variablesstored in the /proc/net/ipt_condition directory. Multiple rules can match on asingle condition variable.Example:iptables -A INPUT -p tcp -m condition --condition web_ok --dport 80 -j ACCEPTTo allow this rule to match:echo 1 > /proc/net/ipt_condition/web_okTo disable this rule: echo 0 > /proc/net/ipt_condition/web_okAuthor: Harald Welte / Martin Devera Status: Experimental The connbytes match is used to match many bytes or packets a connection (or oneof the two flows constituting the connection) have tranferred so far.The counters are 64bit and are thus not expected to overflow The primary use is to detect long-lived downloads and mark them to bescheduled using a lower priority band in traffic control.The transfered bytes per connection can also be viewed through/proc/net/ip_conntrack and accessed via ctnetlinkUsage:[!] --connbytes FROM:[TO] [--direction original|reply|both][!] --connpkts FROM:[TO] [--direction original|reply|both][!] --connavgpkt FROM:[TO] [--direction original|reply|both]will match packets from a connection which transfered more than FROM and lessthan TO bytes/packets. if TO is omitted only FROM check is done. "!" is used tomatch packets not falling in the range.Example:iptables .. -m connbytes --connbytes 10000:100000 ...Author: Nuutti Kotivuori Status: Working, but received only minimal testing The connrate match is used to match against the current transfer speed of aconnection. The algorithm averages transferred bytes over a time sliding windowof constant size. The maximum and minimum rates measurable are explained in thecode, along the algorithm used in the measurements.This match can easily be used to reclassify connections based on their currenttransfer rate, but is not meant for directly dropping packets, because packetdrops affect the rate being estimated.The transfer rate per connection can also be viewed through/proc/net/ip_conntrack.Usage:--connrate [!] [FROM]:[TO]will match packet from a connection which is currently transferring more thanFROM bytes per second and less than TO byte per second. 'inf' can be used tosignify largest measurable transfer rate. If FROM is omitted, it defaults tozero. If TO is omitted, it defaults to infinity. "!" is used to match packetsnot falling in the range.Example:iptables .. -m connrate --connrate 10000:100000 ... => match packets in connections transferring faster than 10kbps, but slower than 100kbps.iptables .. -m tos --tos Minimize-Delay \ -m connrate --connrate 20000:inf \ -j TOS --set-tos Maximize-Throughput => match packets in minimize-delay TOS connections that are transferring faster than 20kbps and change their tos to maximize-throughput instead.Author: Jozsef Kadlecsik Status: Testing The patch implements a revision of the internal reference counting and locking in conntrack: a new expectations hold a refcount on itsmaster conntrack while an expected connections hold a recount on itsparent expectation. ip_conntrack_expect_lock protects exclusively the expectation lists (global/local) and expectation-related data in conntrack entries.The patch depends on the submitted and pending patches.Author: Jozsef Kadlecsik Status: Testing The patch introduces per bucket locking in the conntrack hash.The patch depends on the conntrack_arefcount.patch.Author: Patrick McHardy, Status: Working This patchset reduces conntrack memory usage by 32 bytes per conntrack entry(on x86, about 11%) by removing redundant information and using smaller datatypes where possible.It consists of the following single patches:1. kill-ip_nat_hash.patch:Replace struct ip_nat_hash by struct list_head. Saves twopointers to containing conntrack structure by better useof list macros.2. kill-nf_ct_info-array.patch:Replace struct nf_ct_info array in struct ip_conntrackby new field in struct sk_buff which indicates relation-ship between the packet and the conntrack. Saves fivepointers to containing conntrack structure.3. ip_nat_info-u16.patch:Use u_int16_t for initialized/num_manips fields instruct ip_nat_info. Saves 4 bytes.Author: Jozsef Kadlecsik Status: Testing The patch introduces an optimization in the per bucket lockingfor the conntrack-only (i.e. no NAT at all) case.The patch depends on the conntrack_locking.patch.Author: Patrick McHardy, Status: Testing This patch replaces the conntrack/nat protocol-lists with an array.The patch depends on the conntrack_nonat.patch.Author: Filip Sneppe Status: WorksForMe - has alignment issues on RISC!!! This adds CONFIG_IP_NF_CUSEEME: support for the CuSeeMe messaging protocol. Unlike protocols like FTP or IRC, CuSeeMe doesn't open anyseemingly random ports for data transfers. It does, however, contain IP addresses of clients and server (reflector) inside thepacket payload, making it impossible to use with NATscenario's.There is only a NAT module, ip_nat_cuseeme.o, and no connection tracking helper. By default, the helper module tracks UDP traffic over port 7648.This helper has been tested in SNAT and DNAT setups. Note that this helper requires Brian J. Murrell's newnat-udp-helper.patch (submitted at 2.4.21-pre3 time)DirectX8 Conntrack/NAT helpersAuthor: Eddie Shi Status: untested, ripped from USR9106 source code Author: Rusty Russell Status: Testing This adds a `drop' table to iptables. Packets which are going to be droppedby the NAT or routing code (among others) will traverse this table, allowingthem to be logged.Author: Magnus Sandin Status: Development This adds CONFIG_IP_NF_EGG:Connection tracking for eggdrop bot networks.It now also supports eggdrop v1.6.xAllow goto-style jumps to another chainAuthor: Henrik Nordstrom Status: Stable This patch adds kernel support for goto type jumps.With this type of jump, the calling chain is not added to the call stack when the new chainis called. As a result, when a RETURN target is encountered, or evaluation runs past the end ofthe called chain, rule evaluation will continue at the chain _previous_ to the calling chaininstead of the calling chain.If there is no previous chain (ie. the calling chain is a built-in chain), the chain's defaultpolicy will be enforced.The following new options are added by this patch: -g CHAIN --goto CHAINAuthor: Jozsef Kadlecsik Status: Alpha This adds CONFIG_IP_NF_H323: H.323/netmeeting support module for netfilterconnection tracking and NAT. H.323 uses/relies on the following data streams: Port Description 389 Internet Locator Server (TCP) 522 User Location Server (TCP) 1503 T.120 Protocol (TCP) 1720 H.323 (H.225 call setup, TCP) 1731 Audio call control (TCP) Dynamic H.245 call control (TCP) Dynamic RTCP/RTP streaming (UDP)The H.323 conntrack/NAT modules support the connection tracking/NATing of the data streams requested on the dynamic ports. The helpers use thesearch/replace hack from the ip_masq_h323.c module for the 2.2 kernelseries.At the very minimum, H.323/netmeeting (video/audio) is functional by letting trough the 1720 port and loading these H.323 module(s).The H.323 conntrack/NAT modules do not support- H.245 tunnelling- H.225 RAS (gatekeepers)Add a function to libipq to put a mark on paquet from userspaceAuthor: Eric Leblond Status: It Works For Me. Adds the possibility to change mark of a packet in userspace.The ip_queue module is changed and a new function is added to libipq to decide and change the mark of a packet. This is used by the NuFW project (http://www.nufw.org).***** WARNING ***** This patch breaks compatibility with the preceding version of libipqand ip_queue module.This patch also patch the userspace directory which means that youyou have to recompile and reinstall the iptables package after that.Detects some p2p packetsAuthor: Eicke Friedrich Status: Stable This option makes possible to match some P2P packetstherefore helps controlling such traffic. Dropping allmatches prohibits P2P networks. Combined with conntrack,CONNMARK and a packet scheduler it can be used foraccounting or shaping of P2P traffic.Examples:iptables -A FORWARD -p tcp -m ipp2p --edk --kazaa --dc --gnu --bit --apple -j DROPAuthor: Patrick McHardy Status: Testing, should be fine [NETFILTER+IPSEC 1/4]This patch adds new output hooks for IPsec. Packets traverse the hooks like this:1. -> (plain) FORWARD -> POST_ROUTING -> (encrypted) LOCAL_OUT -> POST_ROUTING2. -> (plain) LOCAL_OUT -> POST_ROUTING -> (encrypted) LOCAL_OUT -> POST_ROUTINGAuthor: Patrick McHardy Status: Testing, should be fine [NETFILTER+IPSEC 2/4]This patch makes packets decapsulated by IPsec traverse the netfilter inputhooks again. Packets traverse the hooks like this:1. -> (encrypted) PRE_ROUTING -> LOCAL_IN -> (plain) PRE_ROUTING -> LOCAL_IN2. -> (encrypted) PRE_ROUTING -> LOCAL_IN -> (plain) PRE_ROUTING -> FORWARDAuthor: Patrick McHardy Status: Testing [NETFILTER+IPSEC 3/4]This patch adds policy lookups to ip_route_me_harder and makesNAT reroute for any change that affects route/policy in LOCAL_OUTand POST_ROUTING.Author: Patrick McHardy Status: Testing [NETFILTER+IPSEC 4/4]This patch makes xfrm_policy_check locate the correct policy after NAT.Author: Patrick McHardy Status: Working This patch adds support for "any" matching to the helper match.Example:iptables .. -m helper --helper any ..iptables .. -m helper ! --helper any ..Author: Chris Wilson , Robert Olsson Status: Experimental, use with extreme care. This is an experimental optimization speeding up the loop detection code inmark_source_chains().Please use with care, since we are yet sure if all loops are still detectedwith this patch.netfilter hooks for layer 2Author: Marc Zyngier Status: Testing This adds netfilter hooks to layer 2 packet processing.Author: Filip Sneppe Status: WorksForMe This adds CONFIG_IP_NF_MMS: support for Microsoft Streaming Media Services. This allows client (Windows Media Player) and serverto negotiate protocol (UDP, TCP) and port for the media stream.A partially reverse engineered protocol analysis is available from http://get.to/sdp, together with a link to a Linux client.By default, the helper module tracks TCP traffic over port 1755and adds the necessary UPD or TCP expectation. It is recommended to also open UDP port 1755 to the server, as this port is used for retransmission requests.This helper has been tested in SNAT and DNAT setups.Note that this helper has *nothing* to do with ip_masq_mms for 2.2 kernels!Author: Krisztian Kovacs Status: Alpha NAT reservations support for NetfilterThis module implements reservation of manips, which won't be allocatedby the Netfilter NAT subsystem except explicitly requested. It can beused in NAT helpers for complicated protocols, for example it may beneeded in case the protocol's command channel requires negotiation ofthe exact endpoints of the data channel, and both of them need to betranslated.Author: Harald Welte Status: Yet inconplete Author: Yasuyuki KOZAKAI @ USAGI/WIDE Project Status: Testing This is new framework of connection tracking, which generalize ip_conntrackin present kernel to track other layer 3 protocol.New connection tracking can track not only IPv4 but also IPv6 connectionssimultaneously. You can see connections at /proc/net/nf_conntrack.Note: The new IPv4 connection tracking module (nf_conntrack_ipv4) cannot work with ip_conntrack. If you want to try nf_conntrack_ipv4, please check off "Connection tracking (required for masq/NAT)". On the other hand, you can use new IPv6 connection tracking module (nf_conntrack_ipv6) with ip_conntrack.TODO: - allocate conntrack with various size dependent on features. (done) - handling fragmented packets (done) - getorigdst() (is this needed ?) - backport recent fixes to ip_conntrack. (done (from linux 2.4.7)). - wrapper for current ip_conntrack and ip_nat - matches and targets working with connection trackingAuthor: Harald Welte , Jay Schulist Status: Under development, but stabilizing now. Patrick McHardy Add recent work by patrick (notifiers, event messages to userspace.Author: Patrick McHardy Status: working The patch allows you to use the owner match in the INPUT chain to match properties of the receiving socket. It is mainly intended to help filter weirdprotocols like H.323 or IIOB without conntrack helpers, but could also comehandy for local user traffic accounting and similar stuff.Usage: iptables -A INPUT -m udp/tcp -m owner ...Example: # Allow packets on eth0 to sockets owned by local user gnugk iptables -A INPUT -i eth0 -p udp -m owner --uid-owner gnugk -j ACCEPT iptables -A INPUT -i eth0 -p tcp -m owner --uid-owner gnugk -j ACCEPTAuthor: Patrick McHardy Status: working This patch adds support to the owner match for matching supplementary group ids.Usage: iptables -A OUTPUT -m owner --gid ...Author: Patrich McHardy Status: Untested, help text stolen from original version, feedback is welcome! Ported from Marc Boucher's ipv4 versionThis patch adds support for local process name matchingto the owner match (--cmd-owner option).You can use this feature to filter connections forwarded byyour ssh daemon with rules like:ip6tables -N CheckSSHSyns# allow forwarded connections to rsync port on 192.168.1.1ip6tables -A CheckSSHSyns -p tcp -d 192.168.1.1 --dport 873 -j RETURN# refuse everything elseip6tables -A CheckSSHSyns -j REJECT --reject-with tcp-resetip6tables -I OUTPUT -p tcp --syn -m owner --cmd-owner sshd -j CheckSSHSynspolicy matchAuthor: Patrick McHardy, Status: Testing This patch adds the policy match to netfilter.The policy match is used to match the IPsec policyused for handling a packet.The 2.4 version is for use with the 2.6 IPsec backport.PPTP connection tracking and NAT helperAuthor: Harald Welte Status: Testing This adds CONFIG_IP_NF_PPTP:Connection tracking and NAT support for PPTP. Using this, you can trackPPTP/GRE connections and do SNAT/DNAT. You have to load the following modulesfor connection tracking: ip_conntrack_proto_gre ip_conntrack_pptpfor NAT: ip_nat_proto_gre ip_nat_pptpThe GRE connection is marked as RELATED to the TCP session on port 1723, so allyou need is something likeiptables -j ACCEPT -m state --state RELATED,ESTABLISHEDiptables -j ACCEPT -d my_pptp_server -p tcp --dport 1723 -m state --state NEWNote that this code currently has limitations- can only NAT connections from PNS to PAC- doesnt' support multiple calls within one session- you have to recompile your iptables userspace program since some structure sizes changeAuthor: Filip Sneppe Status: WorksForMe This adds CONFIG_IP_NF_QUAKE3: a Quake III Arena support module fornetfilter connection tracking/NAT. Quake III Arena Internet multiplayer works by querying an Internetmaster server on UDP port 27950 for specific Quake III servers. Themaster server responds with the IP addresses and UDP ports ofregistered game servers. Those UDP ports can be randomly chosen(although 27960 is often used).This connection tracking module will listen for UDP repliesfrom a master server, and will add the necessary expectationsfor connections from client to game servers.Author: "Marcelo Barbosa Lima" Status: request for permanent inclusion This adds CONFIG_IP_NF_MATCH_RPC, which is the RPC connectionmatcher and tracker.This option supplies two connection tracking modules;ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which trackportmapper requests using UDP and TCP respectively.This option also adds an RPC match module for iptables, whichmatches both via the old "record match" method and a new"procedure match" method. The older method matches all RPCprocedure packets that relate to previously recorded packetsseen querying a portmapper. The newer method matches onlythose RPC procedure packets explicitly specified by the user,and that can then be related to previously recorded packetsseen querying a portmapper.These three modules are required if RPCs are to be filteredaccurately; as RPCs are allocated pseudo-randomly to UDP andTCP ports as they register with the portmapper.Up to 8 portmapper ports per module, and up to 128 RPCprocedures per iptables rule, may be specified by the user,to enable effective RPC management.Usage: The intended usage of these modules would be with a ruleset like; # New session from client to server (portmapper get) -A PREROUTING -t nat -i eth0 -p udp -m rpc --rpcs 100002 -s ${client} --sport 0:1023 -d ${server} --dport 111 -j ACCEPT # Continued session from client to server (portmapper answer) -A PREROUTING -t nat -i eth1 -m state -p udp -s ${server} --sport 111 -d ${client} --dport 0:1023 --state ESTABLISHED -j ACCEPT # New session from client to server (procedure call) -A PREROUTING -t nat -i eth0 -m state -p udp -s ${client} --sport 0:65535 -d ${server} --dport 32000:34000 --state ESTABLISHED,RELATED -j ACCEPT # Continued session from client to server (procedure response) -A PREROUTING -t nat -i eth1 -m state -p udp -s ${server} --sport 32000:34000 -d ${client} --dport 0:65535 --state ESTABLISHED -j ACCEPT Which would allow rusers to execute from client to server; user@client# rusers $serverWarning: RPCs should not be exposed to the internet - ask the Pentagon; See: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998 URL: http://www.wired.com/news/politics/0,1283,16098,00.htmlAuthor: Ian (Larry) Latter Status: request for inclusion This adds the CONFIG_IP_NF_RSH option, which is the RSH connectiontracker.An RSH connection tracker is required if the dynamic stderr "Serverto Client" connection is to occur during a normal RSH session. Thistypically operates as follows; Client 0:1023 --> Server 514 (stream 1 - stdin/stdout) Client 0:1023 |
|