Netfilter/IPtables Rule Editor

David Stes
Email: stes@pandora.be

What is ipmenu ?

It's a user interface to Netfilter/iptables and Linux policy routing or traffic control, allowing you to edit firewall rules and configure the firewall to "mark" packets for policy routing or for class based queueing (CBQ). Netfilter is the Linux 2.4 subsystem for configuring a multi-homed Linux server as a packet filter or as a NAT (network address translation) device.

IPmenu is written in CURSEL, which is available at http://users.pandora.be/stes/compiler.html. The latest version of ipmenu is ipmenu-0.0.3.tar.gz

The server can be managed on the console, or over a serial, terminal or modem dialup, connection, or over SSH, via the command line (with the iptables command) or using IPmenu, which is a more user-friendly alternative.

For example, the command line tool "iptables" allows one to specify various actions to be taken when rejecting (dropping) a packet, such as ICMP host unreachable or TCP reset etc.

IPmenu does the same thing, but IPmenu lists the various possibilities in "menus" and "forms" that can be navigated through using the arrow and function keys (see screenshot below) so that one doesn't have to memorize the various possibilities.

Setting up netfilter and iptables

This is beyond the scope of this document, but you have to configure the Linux 2.4 kernel and enable Netfilter. For example, on my machine I have the following iptable modules loaded :
Module                  Size  Used by
sch_cbq                10768   0  (unused)
cls_fw                  1888   0  (unused)
ipt_state                800   0  (unused)
ipt_limit               1040   0  (unused)
ipt_MASQUERADE          1280   1
ipt_REDIRECT             928   0  (unused)
ipt_REJECT              2016   0  (unused)
ipt_LOG                 3280   0  (unused)
iptable_mangle          1856   0  (unused)
iptable_filter          1856   0  (unused)
iptable_nat            12640   0  [ipt_MASQUERADE ipt_REDIRECT]
ip_conntrack           12672   2  [ipt_state ipt_MASQUERADE ipt_REDIRECT iptable_nat]
ip_tables              10624  11  [ipt_state ipt_limit ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_LOG iptable_mangle iptable_filter iptable_nat]
hisax                 127472   0  (unused)
isdn                   69360   0  [hisax]
3c59x                  23584   2
bsd_comp                4144   0  (unused)
ppp_generic            12672   0  [bsd_comp]
slip                    7968   0  (unused)
lp                      4688   0  (unused)
parport_pc             10656   1<
parport                14240   1  [lp parport_pc]
Obviously the necessary kernel modules must be installed (and loaded if necessary) before iptables or IPmenu can work.

Setting up masquerading with IPmenu

Masquerading is a form of NAT, where the IP addresses of computers on a small LAN are "hidden" by having the gateway of the LAN "pose" for the machine (by substitution of the source IP addresses of the machines on the LAN by the address of the gateway itself).

The word "masquerading" is used in the context of a gateway that has a dial-up (modem) connection or has a dynamic IP (such as with a cable modem or DSL connection).

Start ipmenu by typing "ipmenu" (you may have to add ipmenu to the PATH). Then navigate through the menu's by using the arrow keys and the Enter key. Choose "NAT", then choose "Post-routing", then choose "Append" then choose "Masquerade" :

Note that the labels at the bottom of the page indicate what the function keys (F1,F3,F4,F5,F6 and F7) are supposed to do. If the function keys don't work you can still use Control-f + 7 to obtain the same result as you'd get by pressing F7.

By pressing Control-j and then typing "unix" one can temporarily "escape" to a Unix shell.

To start masquerading private (RFC 1918) addresses in the range, and replace those source addresses, by the dynamically assigned address of some interface, use the F2 function key to select the Outgoing Interface and enter the source IP addresses :

Note that by using the F2 key ("Choices"), one can cycle through a list of possible values (interfaces).

By pressing the Tab key, the cursor moves on the next text field.  When all fields in the form are filled out, press SAVE (F3 or Control-f 3) or CANCEL (F6 or Control-f 6) to close the form without saving.

If you save the rule, the rule is appended to the "Post-routing" chain of the NAT table.  The NAT box starts masquerading immediately; it is possible to use the "Show" item of the Chain menu to display the rules in the chain.

Blocking incoming connections with IPmenu

Choose the 'Filter' table, choose 'Add' and type the name of a new Custom Chain.  Type F3 (SAVE) or Control-f 3 to create the chain.

Choose 'Filter', then choose 'Custom', this lists the custom chains that are defined in the Filter table.

Choose 'BLOCK' (the custom chain we've just created) and then Append.  We will append a REJECT rule to drop packets and send back error packets :

Use the Tab key to go to Connection tracking state, and use F2 (or control-f 2) to choose NEW.  We only want to drop 'new' connections, not established or related connections.

Then go to the reject field, and type F2 once more.  You can choose an ICMP error control packet such as host unreachable.  You may also choose TCP reset but this only works for TCP connections.  If you choose TCP reset, also select the TCP protocol in the field "Protocol selection" (by using F2 for that field).

After defining the BLOCK custom chain, we will now use that Chain in the Input chain.

Choose the 'Filter' table, then go to the Input chain, and choose Append.  Append a Custom rule.

Pick the incoming interface by pressing F2 (choices) in the "Incoming Interface" text field.

The custom target rule "BLOCK" (see last text field in the form) will be applied to any incoming packet on eth1.

It is possible to save your work by using the 'iptables-save' and 'iptables-restore' utilities that come with IPtables.

Alternatively, inspect the /tmp/ipmenu.log file : most iptables commands are logged in that file.

It is possible to copy/paste iptables commands from that /tmp/ipmenu.log file and have them automatically ran when rebooting the machine.

Logging packets with IPmenu

IPtables (and hence IPmenu) allows to log (using syslog) packets that match certain criteria.  Using the limit fields, it is possible to limit the number of matches to, say, 10 per minute  (fill out the field Limit rate and enter : 10/minute) :

Note that the levels (choices for the Log level field) are obtained by pressing F2.  Also F2 is used to toggle the value of the booleans "Log TCP Options" from NO to YES.

Policy Routing with ipmenu

The Linux kernel supports multiple routing tables, the name of this table is called "routing key" in ipmenu.  The normal routing key is "main".  It is possible to check whether your Linux kernel was compiled with the option "multiple routing tables" by trying the "Show ip rule" menu under the Route item.  If this doesn't work, you have to recompile the kernel to support the "ip rule" command (the kernel must support policy routing for these menus to work).

Suppose you want a special routing key for all "email" traffic :

After saving (press F3) that routing key, you can check under "show ip rule" that all traffic that will be "marked" by Netfilter as "email" will use the "email" routing tables.

To configure the "email" routing table, go to the "Route" menu, and add a default route :

You could for example set up the default route for the "email" table to use a different outgoing network interface than for the "main" routing key.

What is left to do, is "mark" using Netfilter, the traffic that should use the "email" routing table.  In the "Mangle" table, it is possible to add a rule that selects all TCP traffic to port 25 (smtp) and select the routing key "email" for it.

Traffic Control (Class Based Queueing) with ipmenu

The necessary kernel modules (sch_tbf, sch_cbq, cls_fw) etc. must be loaded for the Traffic Control (Quality of Service, or QoS) to work.

With ipmenu, assuming the sch_tbf, token bucket queueing discipline is loaded into the Linux kernel, one can easily configure a token bucket filter on a given network interface :

The above screenshot shows how to limit traffic to 256 kilobit on interface eth0 by installing a TBF queueing discipline on it.

ipmenu also allows CBQ (class based queueing) to be configured, to divide a link into "chunks" or "classes" of a given bandwidth.

Select 'Add CBQ' from the menu :

The CBQ configuration asks for the total bandwith of interface eth1 and the average packet size (10Mbit and 1000 bytes) :

After setting up the CBQ qeueuing discipline, one can starts adding multiple classes (use the 'Add class' menu) :

The following is an example where a 8Mbit class is added (bounded and isolated) :

A queueing discipline must then be installed for the class that we created (ipmenu has called the class "8001:8001") :

Simply use the default parameters for the SFQ queueing discipline.

The situation is now as follows : eth1 has a CBQ with a class (called 8001:8001) installed on it with a "leaf" queueing discipline of SFQ.

Go to the Netfilter "Mangle" table and mark traffic to go to class 8001:8001 : select 8001:8001 from the Choices menu (F2) for all traffic to TCP port 8080, for example :

The "Show" item can be used to see whether traffic is "matched" and marked by the rule :

If you go to the queuing statistics you can see traffic distribution over the qdiscs.  Note that incoming traffic on 8080 (although it was "marked" by netfilter) is not displayed (only outgoing traffic , traffic that is "sent" is classified) :

ipmenu also has some support for adding a "subclass" of a class : select the class 8001:8001 and then go to "Subclasses" (Add class) :

The following screenshot shows how to add a 500K class in the 8Mbit class that we've created before :

The class (when saved using F3) will be assigned a name, such as 8001:8002.  Just as before, you can add a SFQ queueing discpline to this class, and configure the Netfilter Mangle table to MARK traffic using thet 8001:8002 class key.