Wednesday, November 2, 2011

Iptables

       Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.


       Each chain is a list of rules which can match a set of packets.  Each rule specifies what to do with a packet that matches.  This is called a `target', which may be  a  jump  to  a user-defined chain in the same table.


       A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN. Extension targets such as MARK or LOG are non-terminating: after they have run, traversal continues with the next rule in the chain, which is why the cluster example further down pairs a MARK rule with a separate DROP rule.



       ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. See also the NFQUEUE target in the iptables manual page, which lets you choose the queue number.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. A user-defined chain has no policy, so falling off its end behaves like RETURN. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
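The traversal rules above are easier to see in motion than to read, so here is a small model of them, written for this page and not taken from iptables or its man page: a table with an INPUT chain (policy DROP) and a user-defined SSH_GUARD chain, with a constructed ruleset and constructed packets (addresses come from the documentation ranges). It shows a terminal verdict reached inside a user chain, a packet that falls off the end of the user chain and resumes at the next INPUT rule, and a RETURN in the built-in chain that hands the packet to the chain policy.

```python
# Added example: a model of netfilter chain traversal (ACCEPT, DROP, RETURN,
# jumps to user-defined chains, chain policy).  Rules and packets are constructed.
ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}   # the filter table's built-in chains


class Table:
    """One table: chains are ordered rule lists, built-in chains carry a policy."""

    def __init__(self):
        self.chains = {}   # chain name -> [(match, target), ...]
        self.policy = {}   # built-in chain name -> ACCEPT or DROP

    def new_chain(self, name, policy=ACCEPT):
        self.chains[name] = []
        if name in BUILTIN:
            self.policy[name] = policy     # iptables -P name policy

    def append(self, chain, match, target):
        """iptables -A chain <match> -j target; match is a predicate on a packet dict."""
        if target not in (ACCEPT, DROP, RETURN) and target not in self.chains:
            raise ValueError("target %r is neither a verdict nor a known chain" % target)
        self.chains[chain].append((match, target))

    def verdict(self, chain, pkt, trace=None):
        """Walk `chain` for pkt.  Returns ACCEPT/DROP for a built-in chain; for a
        user-defined chain returns None when traversal falls off its end or hits
        RETURN, which tells the caller to resume at its own next rule."""
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue                       # no match: examine the next rule
            if trace is not None:
                trace.append((chain, target))
            if target in (ACCEPT, DROP):
                return target                  # terminal verdict, traversal ends
            if target == RETURN:
                break                          # stop traversing this chain
            sub = self.verdict(target, pkt, trace)   # jump into a user-defined chain
            if sub is not None:
                return sub                     # ACCEPT/DROP decided inside the user chain
            # the user chain returned: carry on with the next rule of this chain
        # end of chain (or RETURN): only a built-in chain has a policy to fall back on
        return self.policy[chain] if chain in BUILTIN else None


def build_input_chain():
    """Constructed example ruleset (not taken from any real host)."""
    t = Table()
    t.new_chain("INPUT", policy=DROP)          # iptables -P INPUT DROP
    t.new_chain("SSH_GUARD")                   # iptables -N SSH_GUARD
    # -A SSH_GUARD -s 10.0.0.0/24 -j ACCEPT      (management network)
    t.append("SSH_GUARD", lambda p: p["src"].startswith("10.0.0."), ACCEPT)
    # -A SSH_GUARD -s 203.0.113.0/24 -j DROP     (blocklisted network)
    t.append("SSH_GUARD", lambda p: p["src"].startswith("203.0.113."), DROP)
    # anything else falls off the end of SSH_GUARD and returns to INPUT
    # -A INPUT -p tcp --dport 22 -j SSH_GUARD
    t.append("INPUT", lambda p: p["proto"] == "tcp" and p["dport"] == 22, "SSH_GUARD")
    # -A INPUT -p tcp --dport 80 -j ACCEPT
    t.append("INPUT", lambda p: p["proto"] == "tcp" and p["dport"] == 80, ACCEPT)
    # -A INPUT -p icmp -j RETURN     (RETURN in a built-in chain: the policy decides)
    t.append("INPUT", lambda p: p["proto"] == "icmp", RETURN)
    # -A INPUT -p icmp -j ACCEPT     (never reached: the RETURN above ended traversal)
    t.append("INPUT", lambda p: p["proto"] == "icmp", ACCEPT)
    return t


def decide(pkt):
    """Verdict and the matched (chain, target) steps for one packet."""
    trace = []
    v = build_input_chain().verdict("INPUT", pkt, trace)
    return v, trace


if __name__ == "__main__":
    for pkt in (dict(proto="tcp", src="10.0.0.5", dport=22),
                dict(proto="tcp", src="203.0.113.7", dport=22),
                dict(proto="tcp", src="198.51.100.3", dport=22),
                dict(proto="tcp", src="198.51.100.3", dport=80),
                dict(proto="icmp", src="198.51.100.3", dport=None)):
        print(pkt, "->", decide(pkt))
```

The third packet is the one to watch: it matches nothing in SSH_GUARD, so the user chain returns and INPUT continues with its remaining rules before the policy drops it. The real kernel behaves the same way, which is why a user chain that is meant to drop "everything else" needs an explicit final DROP rule rather than relying on a policy it does not have.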



Example (the cluster match): this match lets a set of gateway or back-end nodes share load without a load balancer. Every node sees every packet, and the match hashes each connection to decide whether this node handles it. The rules below are for node 1 of a two-node cluster; node 2 runs the same rules with --cluster-local-node 2, and every node must use the same --cluster-hash-seed, otherwise the nodes disagree about who owns a flow. Packets the local node does not own are left unmarked and dropped by the second rule:


              iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff


              iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff


              iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP


              iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP


       The following commands make all nodes see the same packets. Each node joins the same multicast MAC address on each interface and answers ARP with it, so the switch floods every frame for that address to all nodes; the arptables INPUT rules rewrite the multicast target address in incoming ARP replies back to the node's own MAC (00:zz:yy:xx:5a:27 is a placeholder for that address). Answering ARP for a unicast IP with a multicast MAC violates RFC 1812 section 3.3.2, as the kernel's xt_cluster source notes, but it is what makes this work without port mirroring on the switch:


              ip maddr add 01:00:5e:00:01:01 dev eth1


              ip maddr add 01:00:5e:00:01:02 dev eth2


              arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01


              arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27


              arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:02


              arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27


       In the case of TCP connections, conntrack's loose pickup facility (creating an entry for a connection from a mid-stream packet rather than a SYN) has to be disabled, to avoid marking TCP ACK packets coming in the reply direction as valid on a node that never accepted the connection's SYN:


              echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
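To see what the cluster match and the tcp_loose setting do to a real flow, here is a model of the two-node setup above, written for this page rather than taken from the man page or the kernel. It assumes a stand-in mixing hash in place of the kernel's jhash_1word(saddr, seed) (so which node owns which address differs from a real cluster, but the partition behaves the same way), a minimal conntrack that creates entries from SYNs and, only when tcp_loose is 1, picks up a connection from any other packet, and constructed client and server addresses from the documentation ranges. It walks the MARK/DROP rule pair for each node and shows that with tcp_loose=1 the node that dropped the SYN can later claim the server's reply-direction ACK as its own.

```python
# Added example: model of the two-node cluster match and the tcp_loose caveat.
# Hash, conntrack and addresses are constructed stand-ins, not kernel code.
import ipaddress

TOTAL_NODES = 2          # --cluster-total-nodes 2
HASH_SEED = 0xdeadbeef   # --cluster-hash-seed 0xdeadbeef, identical on every node


def cluster_slot(orig_src, seed=HASH_SEED, total=TOTAL_NODES):
    """Node (1-based, as in --cluster-local-node) that owns the connection whose
    original-direction source address is orig_src.  xt_cluster uses
    jhash_1word(saddr, seed) scaled to the node count; the mixer below is a
    stand-in (an assumption for this example) with the same shape."""
    h = (int(ipaddress.IPv4Address(orig_src)) ^ seed) & 0xffffffff
    h ^= h >> 16
    h = (h * 0x85ebca6b) & 0xffffffff
    h ^= h >> 13
    h = (h * 0xc2b2ae35) & 0xffffffff
    h ^= h >> 16
    return ((h * total) >> 32) + 1     # reciprocal_scale(h, total), then 1-based


class Conntrack:
    """Just enough of nf_conntrack's TCP behaviour: an entry is created by a SYN,
    or, when nf_conntrack_tcp_loose=1, picked up mid-stream from any other packet."""

    def __init__(self, tcp_loose):
        self.tcp_loose = tcp_loose
        self.entries = {}     # flow key -> original-direction source address

    @staticmethod
    def key(pkt):
        return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

    def lookup(self, pkt):
        """Original-direction source of pkt's connection, or None if untracked."""
        k = self.key(pkt)
        if k not in self.entries:
            if "SYN" not in pkt["flags"] and not self.tcp_loose:
                return None   # mid-stream packet, loose pickup off: no conntrack entry
            self.entries[k] = pkt["src"]   # new entry: this packet sets the original direction
        return self.entries[k]

    def discard(self, pkt):
        """A packet dropped before the confirm hook never commits its new entry."""
        self.entries.pop(self.key(pkt), None)


def prerouting_mangle(node, ct, pkt):
    """The two rules from the example above, for one node and one packet:
    -m cluster ... -j MARK --set-mark 0xffff, then -m mark ! --mark 0xffff -j DROP."""
    orig_src = ct.lookup(pkt)
    mark = 0
    # -m cluster is false for untracked packets and for connections owned by another node
    if orig_src is not None and cluster_slot(orig_src) == node:
        mark = 0xffff                      # MARK is non-terminating; the chain continues
    if mark != 0xffff:
        return "DROP"
    return "ACCEPT"                        # end of chain: mangle PREROUTING's policy


def partition(addresses):
    """Map each client address to the single node that will handle it."""
    return {a: cluster_slot(a) for a in addresses}


# Constructed address pools (documentation ranges), not captured traffic.
CLIENT_POOL = ["198.51.100.%d" % i for i in range(1, 255)]
SERVER_POOL = ["203.0.113.%d" % i for i in range(1, 255)]


def reply_direction_demo(tcp_loose):
    """Both nodes see a client's SYN (node 1 owns the flow; node 2 drops it and so
    keeps no conntrack entry), then both see the server's reply-direction ACK.
    Returns {node: verdict} for that ACK under the given nf_conntrack_tcp_loose."""
    client = next(a for a in CLIENT_POOL if cluster_slot(a) == 1)
    server = next(a for a in SERVER_POOL if cluster_slot(a) == 2)
    syn = dict(src=client, sport=40000, dst=server, dport=80, flags={"SYN"})
    ack = dict(src=server, sport=80, dst=client, dport=40000, flags={"ACK"})
    verdicts = {}
    for node in (1, 2):
        ct = Conntrack(tcp_loose)
        if prerouting_mangle(node, ct, syn) == "DROP":
            ct.discard(syn)
        verdicts[node] = prerouting_mangle(node, ct, ack)
    return verdicts


if __name__ == "__main__":
    owners = partition(CLIENT_POOL)
    print("node 1 owns %d clients, node 2 owns %d" % (
        sum(1 for n in owners.values() if n == 1), sum(1 for n in owners.values() if n == 2)))
    print("tcp_loose=0:", reply_direction_demo(0))
    print("tcp_loose=1:", reply_direction_demo(1))
```

With tcp_loose=1, node 2 picks the connection up from the server's ACK, hashes the server's address instead of the client's, and ends up forwarding the reply alongside node 1. With tcp_loose=0 the ACK has no conntrack entry on node 2, the cluster match fails, and the DROP rule discards it. On a real node, put net.netfilter.nf_conntrack_tcp_loose = 0 in /etc/sysctl.conf as well, so the setting survives a reboot; the /proc entry only exists once the nf_conntrack module is loaded.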
