If your system is connected to the Internet, it should be protected with a firewall to prevent unauthorized access. This chapter covers the process
7. To make the new rule active, click the Apply Configuration button at the bottom of the page.
The rules in each chain are evaluated in order from top to bottom, and the action taken is determined by whichever one matches first. If none match, then the chain’s default action is taken,
which is usually to accept the packet. You can make use of this evaluation order to create a rule that allows a single IP address, followed by a rule to deny an entire network. The final effect will be that every host within the network is denied except one.
Because the ordering of rules is important, you may sometimes want to add a rule in the middle of an existing chain. To do this, use one of the arrow buttons under a chain’s Add column on the module’s main page to create a new rule either before or after an existing one.
The most common actions and their meanings are listed below. Not all are available in all chains and tables.
Do nothing If a rule with this action is matched, nothing will be done and processing will continue to the next rule.
Accept Matching packets will be immediately accepted, and no further processing will be done in the chain. However, rules in other tables may still affect the packet.
Drop Matching packets will be silently discarded, as though they were never received at all. No further processing will take place in this chain or any other.
Userspace Packets will be passed to a normal userspace process. This action is rarely used.
Exit chain Jump immediately to the end of the chain, and execute its default action instead. If this is used in a user-defined chain, processing will return to the rule that called it.
Masquerade Matching packets will have their source address changed to appear to come from the firewall system, and no further rules in the chain will be processed. When this action is selected, you can use the Source ports for masquerading field to control which ports the firewall will use for masqueraded connections. See Section 19.7 “Setting Up Network Address Translation” for more details.
The Masquerade option is available only in the Network address translation table, in the Packets after routing chain.
Source NAT Similar to the Masquerade option, but better suited to systems that have a fixed Internet IP address. If selected, you can use the IPs and ports for SNAT field to control which addresses and ports are used for NAT, as explained in Section 19.7 “Setting Up Network Address Translation”.
This option is only available in the Network address translation table, in the Packets after routing chain.
Destination NAT Matching packets will have their destination address and port modified based on the IPs and ports for DNAT field. This is the basis for transparent proxying, so to learn more, see Section 19.8 “Setting Up a Transparent Proxy”. This action is available only in the Network address translation table, in the Packets before routing and Output chains.
Redirect This action redirects all matching packets to a port or ports on the firewall box, specified by the Target ports for redirect field. It can also be used for transparent proxying, although Destination NAT is more flexible.
The redirect action is available only in the Network address translation table, in the Packets before routing and Output chains.
You can also choose the Run chain option for the Action to take, which will pass the packet on to the user-defined chain or custom target entered into the field next to it. See Section 19.6 “Creating Your Own Chain” for more information on user-defined chains. Some of the targets available are LOG (for logging packets to syslog), MIRROR (for reflecting packets back to their sender), and MARK (for marking a packet for later conditions).
For each condition, the options <Ignored>, Equals, and Does not equal can be selected. The first means that the condition is not used at all when checking if a packet matches the rule. The second means that a packet must match the condition for it to match the entire rule, and the third means that the packet must NOT match the condition for the rule to be executed. If for example the Incoming interface condition was set to Does not equal and eth0 selected, the rule would match only packets coming in on any interface except the primary Ethernet card.
Because almost all network protocols involve traffic flowing in two directions, attempting to block just incoming traffic from some address using the Source address or network condition will also block connections to the address as well, because reply packets that are part of the connection will be dropped. The same goes for blocking incoming data on a particular port using the Destination TCP or UDP port condition—if in the unlikely case that the randomly chosen source port of a connection from your system matches the blocked port, any replies to it will be dropped. For these reasons, it is usually a good idea when creating deny rules to set the Connection state condition to Does not equal and select Existing connection from the menu next to it.
This will cause IPtables to keep track of outgoing connections made by your server, and not block them.
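The three points made above (first-match evaluation with a default action, the <Ignored>/Equals/Does not equal operators on each condition, and why a plain deny rule also kills replies to your own outgoing connections unless the Connection state condition excludes existing connections) can be checked against a small model of how a chain is walked. The following is an added example written for this page, not Webmin's or IPtables' own code; the addresses, interface names and the NEW/ESTABLISHED state flag are constructed stand-ins (the state flag plays the role of the kernel's connection tracking).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of chain evaluation: rules are checked top to bottom,
# the first matching rule with a terminating action decides, and the chain's
# default action applies when nothing matches. Addresses are RFC 5737
# documentation ranges chosen for the example.

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    state: str            # "NEW" or "ESTABLISHED": stand-in for connection tracking

@dataclass
class Rule:
    action: str           # "ACCEPT", "DROP" or "NOOP" (the "Do nothing" action)
    conditions: list = field(default_factory=list)   # (field, operator, value)

def _ip_in(actual, wanted):
    # A single address such as "192.0.2.10" is treated as a /32 network
    return ip_address(actual) in ip_network(wanted, strict=False)

# How each packet field is compared against the value given in a rule
MATCHERS = {
    "src": _ip_in,
    "dst": _ip_in,
    "dport": lambda a, w: a == w,
    "in_iface": lambda a, w: a == w,
    "state": lambda a, w: a == w,
}

def condition_holds(pkt, fld, op, value):
    """<Ignored> always holds; Equals needs a match; Does not equal needs a non-match."""
    if op == "ignored":
        return True
    hit = MATCHERS[fld](getattr(pkt, fld), value)
    return hit if op == "equals" else not hit

def evaluate(chain, pkt, default="ACCEPT"):
    """Walk the chain in order; the first matching rule decides unless it is 'Do nothing'."""
    for rule in chain:
        if all(condition_holds(pkt, f, op, v) for f, op, v in rule.conditions):
            if rule.action == "NOOP":        # Do nothing: carry on with the next rule
                continue
            return rule.action
    return default

# Scenario 1: allow one host, then deny its whole network. Ordering matters:
# with the two rules swapped the single host is denied along with the rest.
ALLOW_ONE_DENY_NET = [
    Rule("ACCEPT", [("src", "equals", "192.0.2.10")]),
    Rule("DROP",   [("src", "equals", "192.0.2.0/24")]),
]

def scenario_ordering():
    allowed_host = Packet("192.0.2.10", "198.51.100.1", 22, "eth0", "NEW")
    other_host   = Packet("192.0.2.77", "198.51.100.1", 22, "eth0", "NEW")
    return (evaluate(ALLOW_ONE_DENY_NET, allowed_host),
            evaluate(ALLOW_ONE_DENY_NET, other_host),
            evaluate(list(reversed(ALLOW_ONE_DENY_NET)), allowed_host))

# Scenario 2: "Incoming interface" set to Does not equal eth0 matches packets
# arriving on any interface except eth0.
NOT_ETH0 = [Rule("DROP", [("in_iface", "not_equals", "eth0")])]

def scenario_interface():
    on_eth0 = Packet("192.0.2.10", "198.51.100.1", 80, "eth0", "NEW")
    on_eth1 = Packet("192.0.2.10", "198.51.100.1", 80, "eth1", "NEW")
    return evaluate(NOT_ETH0, on_eth0), evaluate(NOT_ETH0, on_eth1)

# Scenario 3: a plain deny-by-source rule also drops the replies to a
# connection this server opened to that address. Adding the condition
# "Connection state does not equal Existing connection" lets replies through
# while unsolicited new packets are still dropped. The leading NOOP rule shows
# that a "Do nothing" match falls through to the next rule.
NAIVE_DENY = [Rule("DROP", [("src", "equals", "203.0.113.5")])]
STATEFUL_DENY = [
    Rule("NOOP", [("state", "equals", "NEW")]),
    Rule("DROP", [("src", "equals", "203.0.113.5"),
                  ("state", "not_equals", "ESTABLISHED")]),
]

def scenario_state():
    unsolicited = Packet("203.0.113.5", "198.51.100.1", 22, "eth0", "NEW")
    reply = Packet("203.0.113.5", "198.51.100.1", 40123, "eth0", "ESTABLISHED")
    return (evaluate(NAIVE_DENY, unsolicited), evaluate(NAIVE_DENY, reply),
            evaluate(STATEFUL_DENY, unsolicited), evaluate(STATEFUL_DENY, reply))

if __name__ == "__main__":
    print("ordering:", scenario_ordering())     # ('ACCEPT', 'DROP', 'DROP')
    print("interface:", scenario_interface())   # ('ACCEPT', 'DROP')
    print("state:", scenario_state())           # ('DROP', 'DROP', 'DROP', 'ACCEPT')
```

The model deliberately mirrors the module's three operators per condition rather than the raw command-line syntax, so that the effect of <Ignored> versus Does not equal is visible in one place; the same reasoning carries over to the real chain, where the kernel's connection tracking supplies the state that the `state` field stands in for here.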
As you can see, there are many different conditions available which can be combined to create quite complex rules. To learn more about what each of the available conditions do, see Section 19.10 “Firewall Rule Conditions”. Because there are so many conditions, Webmin allows you to create new rules that are almost identical to existing ones. To do this, click on an existing rule to edit it and use the Clone rule button at the bottom of the page to go to the rule creation form, with all conditions and actions set based on the original rule.
19.4 Changing a Chain’s Default Action
Packets that do not match any rule in a chain will be processed using the default action, which is usually to accept the packet. On the module’s main page, the default action for each chain is shown next to the Set default action to button. To change it, the steps to follow are:
1. Select the new action from the menu next to the Set default action to button. Only the