Iptables
Here is a packet flow diagram for iptables, omitting the Prerouting and
Postrouting chains for simplicity. It also assumes all traffic through
the OUTPUT chain leaves the host, but packets addressed to loopback may
circulate back to the "packet in" point.
Packet rules are added with a command of the form
iptables --append chain_name packet-description --jump [ACCEPT | DROP]
Here are a few examples for the packet-description part. You can select
by source/destination address, protocol (TCP/UDP/etc.), source/destination
port, input or output interface, Ethernet address (no examples here), or
any other header bits, and you can combine these matches in one rule.
--destination lamp.cslabs.luc.edu
--source 10.2.3.0/24
--protocol tcp --source-port 80                              # must have --protocol tcp before you can have any tcp-specific match
--protocol tcp --destination-port 25 --out-interface eth2
--protocol icmp --icmp-type echo-request --in-interface eth0
--protocol udp
--match state --state ESTABLISHED,RELATED                    # --match has several modules; here we use state
--match state --state NEW
--protocol tcp --syn                                         # for TCP, same as --state NEW: first TCP SYN packet
When iptables is used to mark packets for iproute2 or tc, the PREROUTING
chain of the mangle table is usually used. iptables also has a CLASSIFY
target for tagging packets for a given tc htb class (queue).
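As an added example (not part of these notes), here are the match forms listed above composed into a small stateful INPUT policy, together with the MARK and CLASSIFY tagging the last paragraph mentions. The IPT variable, the 10.2.3.0/24 subnet, the fwmark value 1 and the htb class 1:20 are assumptions made for this example:

```shell
#!/bin/sh
# Added example, not from the original notes: the match forms above composed
# into (1) a small stateful INPUT policy and (2) the mangle-table tagging the
# last paragraph mentions. Commands are only printed unless APPLY=1 is set,
# which needs root. IPT, the 10.2.3.0/24 subnet, the fwmark value and the
# htb class id are assumptions made for this example.

IPT=${IPT:-iptables}
APPLY=${APPLY:-0}

# run: show the full command line, execute it only when APPLY=1
run() {
    printf '%s %s\n' "$IPT" "$*"
    if [ "$APPLY" = 1 ]; then
        "$IPT" "$@"
    fi
}

# build_input_policy: rules are tried top to bottom and the first match wins,
# so the ESTABLISHED,RELATED rule goes early and the DROP policy comes last
build_input_policy() {
    # loopback traffic circulates back into the host, never onto the wire
    run --append INPUT --in-interface lo --jump ACCEPT
    # replies and follow-up packets of connections already accepted
    run --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # new SSH connections, only from the lab subnet (constructed address)
    run --append INPUT --protocol tcp --destination-port 22 --source 10.2.3.0/24 \
        --match state --state NEW --jump ACCEPT
    # answer pings
    run --append INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
    # a SYN that got this far is a connection attempt not allowed above:
    # log it, rate-limited so a burst of attempts cannot flood the log
    run --append INPUT --protocol tcp --syn --match limit --limit 5/minute \
        --jump LOG --log-prefix "INPUT-DROP:"
    # whatever did not match is dropped by the chain policy
    run --policy INPUT DROP
}

# mark_for_tc: the two ways of tagging packets for tc
mark_for_tc() {
    # MARK sets an fwmark as the packet arrives (mangle PREROUTING);
    # an "ip rule" or a tc fw filter then matches on that mark
    run --table mangle --append PREROUTING --protocol tcp --destination-port 80 \
        --jump MARK --set-mark 1
    # CLASSIFY puts the packet straight into an htb class; it is only valid on
    # the way out (mangle POSTROUTING, OUTPUT, FORWARD), hence --out-interface
    run --table mangle --append POSTROUTING --out-interface eth0 --protocol udp \
        --destination-port 53 --jump CLASSIFY --set-class 1:20
}

# line_count: number of command lines a generator function prints
line_count() {
    "$1" | wc -l | tr -d ' '
}

# When executed directly, print (or with APPLY=1, install) both rule sets
build_input_policy
mark_for_tc
```

The commands are printed by default so the ruleset can be reviewed before APPLY=1 installs it. Order matters: iptables stops at the first matching rule in a chain, which is why the ESTABLISHED,RELATED rule sits near the top and the chain policy, not a rule, supplies the final DROP.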