iptables
A custom iptables binary is required to work with bpfilter, but it can be built directly from the bpfilter source tree with: make iptables. Once you have built iptables, you can force it to communicate with bpfilter instead of the kernel by passing --bpf.
The following filters are supported:
- Source IPv4 address and mask.
- Destination IPv4 address and mask.
- Layer 4 protocol.
Filtering rules can be defined for any table, and the ACCEPT and DROP actions are supported. The ruleset, including its counters, can also be fetched back from bpfilter. For example:
# Start bpfilter daemon
$ sudo bpfilter
# Add a new rule to block ping requests
$ sudo iptables -I INPUT --bpf -p icmp -j DROP
# Show the rules and counters after the host was pinged
$ sudo iptables --bpf -nv -L
Chain INPUT (policy ACCEPT 327 packets, 42757 bytes)
pkts bytes target prot opt in out source destination
2 196 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
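A check that can be scripted on top of the listing above, added here as an example and not part of the bpfilter project: it parses iptables --bpf -nv -L output (a constructed sample below, not captured from a live host) and confirms that the ICMP DROP rule is installed in INPUT and that its packet counter is non-zero, i.e. bpfilter is actually enforcing the rule rather than merely storing it. The function names rule_packets and check_icmp_drop are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `iptables --bpf -nv -L` output, mirroring the page's
# listing; it is not output captured from a running bpfilter instance.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 327 packets, 42757 bytes)
 pkts bytes target prot opt in out source destination
    2   196 DROP   icmp --  *  *  0.0.0.0/0  0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination'

# rule_packets <listing> <chain> <target> <proto>
# Prints the packet counter of the first rule in <chain> whose target and
# protocol match; prints nothing and returns 1 when no such rule exists.
rule_packets() {
    printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" -v proto="$4" '
        /^Chain / { cur = $2; next }      # remember which chain we are inside
        $1 == "pkts" { next }             # skip the per-chain column header
        cur == chain && $3 == target && $4 == proto {
            print $1; found = 1; exit     # $1 is the pkts column
        }
        END { exit found ? 0 : 1 }'
}

# check_icmp_drop <listing>
# Succeeds only when the ICMP DROP rule from the page is present in INPUT and
# has already matched at least one packet.
check_icmp_drop() {
    pkts=$(rule_packets "$1" INPUT DROP icmp) || return 1
    [ "$pkts" -gt 0 ]
}

# Stand-alone usage: replace SAMPLE_LISTING with "$(sudo iptables --bpf -nv -L)"
# on a host running bpfilter.
if check_icmp_drop "$SAMPLE_LISTING"; then
    echo "ICMP DROP rule active in INPUT"
else
    echo "ICMP DROP rule missing or never matched" >&2
fi
```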