Filter Rules Specifications; Specifying Source And Destination Ip Addresses; Specifying Protocol; Specifying An Icmp Message Type - HP bh5700 User Manual

Ethernet switch blade atca 14-slot blade server
send to CPU action is specified, it is sent to the INPUT chain for further processing. If there is no
valid way to forward the packet, it is dropped. If the switch is configured to forward the packet, it
is sent to the FORWARD chain.
Next the hardware FORWARD chain is walked. If a rule has been inserted that matches the packet
headers, that rule is looked up next, and its policy (target) decides the packet's fate.
In essence, a filter rule scans the packet data for certain characteristics. On a match the selected
'target' is executed; the target decides what happens to the packet.

Filter Rules Specifications

A rule can be added (-A) to a chain, deleted (-D) from a chain, replaced (-R) in a chain, or
inserted (-I) at a specific position in a chain. Each rule specifies a set of conditions the packet
must meet, and what to do if it meets them ('what to do' is referred to as a 'target').
Here's an example filter rule:
iptables -A FORWARD -p UDP -s 0/0 -d 10.0.0.1/32 --source-port 53 -j DROP
This adds to the FORWARD chain the rule: "If you see UDP packets (-p UDP) from anywhere
(-s 0/0) going to host 10.0.0.1 (-d 10.0.0.1/32) with source port number 53 (--source-port 53),
then the target is to DROP (-j DROP)." More details on rule specifications follow.

Specifying Source and Destination IP Addresses

Source (-s, --source or --src) and destination (-d, --destination or --dst) IP addresses can be
specified in four ways. The most common way is to use the full host name, such as localhost or
www.linuxhq.com. The second way is to specify the IP address itself, such as 127.0.0.1.
Netmasks can be applied to IP addresses to specify ranges, like 199.95.207.0/24 or
199.95.207.0/255.255.255.0. Both specify any IP address from 199.95.207.0 to 199.95.207.255
inclusive. To specify an all-inclusive IP address, /0 can be used, like -s 0/0 or -d 0/0. The example
rule used above applies this trick. Note however that the effect is the same as not
specifying the -s option at all.

Specifying Protocol

The protocol can be specified with the -p (or --protocol) flag. Protocol can be a number (if you
know the numeric protocol values for IP) or a name for the special cases of TCP, UDP or ICMP.
Case does not matter, so tcp works as well as TCP.

Specifying an ICMP Message Type

If the protocol is ICMP, the --icmp-type option can be used to match a specific message type,
for example --icmp-type ping.
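The rule semantics described in this section (the FORWARD chain walk where the first matching rule's target decides and the chain policy applies otherwise, the -A/-I/-R/-D operations, the four address forms, protocol names or numbers, and --icmp-type) as an added, runnable model in Python. This is example code written for this page, not the switch firmware's or iptables' own code: it resolves only the constructed name localhost, carries a constructed subset of the ICMP type and protocol name tables, and is fed hand-built packet headers rather than real frames.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed lookup tables: a subset of the names iptables itself understands.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
ICMP_TYPES = {"echo-reply": 0, "pong": 0, "destination-unreachable": 3,
              "echo-request": 8, "ping": 8, "time-exceeded": 11}
HOSTNAMES = {"localhost": "127.0.0.1"}  # stand-in for DNS so the example runs offline

def parse_address(spec: str) -> ipaddress.IPv4Network:
    """Accept a host name, a plain IP, addr/prefix, addr/dotted-mask, or the 0/0 wildcard."""
    addr, _, mask = spec.partition("/")
    addr = HOSTNAMES.get(addr, addr)
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))      # "0/0" becomes "0.0.0.0/0"
    netmask = int(mask) if mask.isdigit() else (mask or 32)  # prefix length or dotted mask
    return ipaddress.IPv4Network((addr, netmask), strict=False)

def parse_protocol(spec: str) -> int:
    """A numeric IP protocol value or one of TCP/UDP/ICMP in any case."""
    return int(spec) if spec.isdigit() else PROTO_NUMBERS[spec.lower()]

def parse_icmp_type(spec: str) -> int:
    """A numeric ICMP type or a name; 'ping' is an alias of echo-request (type 8)."""
    return int(spec) if spec.isdigit() else ICMP_TYPES[spec.lower()]

@dataclass
class Packet:
    """The header fields a rule can look at (constructed, not a real parsed frame)."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

# Option spelling -> rule field, and how each field's argument is parsed.
OPTIONS = {"-p": "proto", "--protocol": "proto", "-j": "target", "--icmp-type": "icmp_type",
           "-s": "src", "--source": "src", "--src": "src",
           "-d": "dst", "--destination": "dst", "--dst": "dst",
           "--source-port": "sport", "--sport": "sport",
           "--destination-port": "dport", "--dport": "dport"}
PARSERS = {"proto": parse_protocol, "src": parse_address, "dst": parse_address,
           "sport": int, "dport": int, "icmp_type": parse_icmp_type, "target": str}

class Rule:
    """A target plus the conditions a packet must meet for that target to fire."""
    def __init__(self, target: str, **conds):
        self.target, self.conds = target, conds

    def matches(self, pkt: Packet) -> bool:
        for name, want in self.conds.items():
            have = getattr(pkt, name)
            ok = have in want if isinstance(want, ipaddress.IPv4Network) else have == want
            if not ok:
                return False
        return True  # every stated condition held (a rule with none matches everything)

def parse_rule(argv: List[str]) -> Rule:
    """Turn the option tokens that follow the chain name into a Rule."""
    fields, tokens = {}, iter(argv)
    for opt in tokens:
        name = OPTIONS[opt]  # an unknown option raises KeyError; iptables would reject it too
        fields[name] = PARSERS[name](next(tokens))
    if "target" not in fields:
        raise ValueError("a rule needs a -j target")
    if "icmp_type" in fields and fields.get("proto") != 1:
        raise ValueError("--icmp-type only makes sense with -p ICMP")
    return Rule(**fields)

class Chain:
    """An ordered rule list with a default policy, walked the way the text describes."""
    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def append(self, argv):       self.rules.append(parse_rule(argv))           # -A
    def insert(self, pos, argv):  self.rules.insert(pos - 1, parse_rule(argv))  # -I (1-based)
    def replace(self, pos, argv): self.rules[pos - 1] = parse_rule(argv)        # -R
    def delete(self, pos):        del self.rules[pos - 1]                       # -D by number

    def decide(self, pkt: Packet) -> str:
        """The first matching rule's target decides; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

def demo() -> dict:
    """Walk a FORWARD chain holding the manual's example rule plus an ICMP rule."""
    forward = Chain("FORWARD", policy="ACCEPT")
    forward.append(["-p", "UDP", "-s", "0/0", "-d", "10.0.0.1/32", "--source-port", "53", "-j", "DROP"])
    forward.append(["-p", "icmp", "-s", "199.95.207.0/255.255.255.0", "--icmp-type", "ping", "-j", "DROP"])
    ip = ipaddress.IPv4Address  # constructed packets
    return {
        "udp_sport53_to_host": forward.decide(Packet(ip("8.8.8.8"), ip("10.0.0.1"), 17, 53, 4444)),
        "udp_sport53_other_host": forward.decide(Packet(ip("8.8.8.8"), ip("10.0.0.2"), 17, 53, 4444)),
        "ping_from_range": forward.decide(Packet(ip("199.95.207.77"), ip("10.0.0.1"), 1, icmp_type=8)),
        "pong_from_range": forward.decide(Packet(ip("199.95.207.77"), ip("10.0.0.1"), 1, icmp_type=0)),
    }
```

Running demo() shows the point of rule ordering and defaults: the UDP packet from source port 53 to 10.0.0.1 hits the manual's example rule and is dropped, the same packet to 10.0.0.2 matches nothing and falls through to the ACCEPT policy, and an echo-request from the 199.95.207.0/24 range is dropped while an echo-reply from the same host is not, because --icmp-type ping only matches type 8. A rule inserted with insert(1, ...) is consulted before every rule appended earlier, which is why the position given to -I matters for a chain whose policy is DROP.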
Ethernet Switch Blade User's Guide, release 3.2.2j, page 62