
What does this iptables rule mean?

iptables -t raw -I OUTPUT -j CT -p udp -m udp --dport 69 --helper tftp


In a less technical explanation:

  • -t raw -I OUTPUT: insert this rule inside OUTPUT chain of raw table. This special table is used only for configuring packets so that they are exempt from connection tracking. It may look obvious but this table only has the PREROUTING and OUTPUT chains, since FORWARD requires some connection tracking.
  • -j CT: Jump to target named CT. This is a custom target, and the sky is the limit since you can combine ACCEPT and LOG as a simple example on one target. You will need the rest of the rules to get the real meaning of CT target here.
  • -p udp: Protocol to match the rule is udp. As per manpages, the specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword all, or it can be a numeric value, representing one of these protocols or a different one. You can get the list of protocol numbers here.
  • -m udp: Match udp extension options. This is somewhat overkill since the options inside the udp match are --sport and --dport and can be omitted, as the iptables-extensions manpage states: If the -p or --protocol was specified and if and only if an unknown option is encountered, iptables will try to load a match module of the same name as the protocol, to try making the option available.
  • --dport 69: Destination port = 69, and --dport is a match option from udp
  • --helper tftp: Some protocols behave in a "weird" way and helpers need to be used to manage that behavior. ftp is one example where one port is used for command/signaling and other for data transfer. More on helpers here.
Comments:

  • CT is not a custom target. Commented Jun 21, 2017 at 23:18
  • It's not in the default iptables targets so, yeah, it's a custom one. Maybe a software you are using or the distribution you are currently using has it, but it is not part of the default set of targets: iptables.info/en/iptables-targets-and-jumps.html Commented Jun 21, 2017 at 23:44
  • CT target is used by helpers to specify parameters used during conntrack creation; this target (Conntrack Target) is created by the xt_CT kernel module. Commented Aug 25, 2020 at 15:34

This rule seems to be part of a larger set of rules.

  • -t raw -I OUTPUT: insert this rule into the beginning of the OUTPUT chain of the table raw
  • -j CT: if the conditions are met jump to target CT

Now the conditions:

  • -p udp: protocol must be udp
  • -m udp: use the extension udp - needed to be able to filter on udp-ports
  • --dport 69: apply to udp datagrams with destination port 69
  • --helper tftp: for tracking of related datagrams use the expectations for tftp

reference: "helpers" on regit.org
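Both answers explain the single rule in isolation; what neither shows is the rule it is paired with. The raw-table CT rule only tells conntrack which helper to use when it creates the entry for the outgoing request. The replies, and the data transfer the tftp helper "expects" from the server's ephemeral port, still have to be allowed in the filter table, which is where the helper match (-m helper) and the RELATED state come in. On current kernels the automatic helper assignment sysctl is off by default, which is exactly why the raw-table CT rule is needed. The script below is an added example, not from the question or either answer: it emits a minimal iptables-restore ruleset that combines the two halves, assuming the nf_conntrack_tftp module is loaded and a host whose INPUT policy is otherwise DROP (a constructed scenario for illustration).

```shell
#!/bin/sh
# Added example (not part of the original question or answers).
# Emits a complete, minimal iptables-restore ruleset around the rule from the
# question, so that the raw-table helper assignment and the filter-table rule
# that consumes it can be read together.
# Assumptions (constructed for this example): nf_conntrack_tftp is loaded and
# the host's filter policy is DROP on INPUT.

tftp_helper_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The rule from the question: tag our own outgoing TFTP requests (UDP/69) so
# that conntrack attaches the tftp helper when it creates the entry.
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Direct replies to a request we sent.
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# The data transfer the tftp helper expected: it comes from the server's
# ephemeral port, so a plain --sport/--dport match cannot describe it.
# Accept only RELATED entries that the tftp helper itself created.
-A INPUT -p udp -m conntrack --ctstate RELATED -m helper --helper tftp -j ACCEPT
COMMIT
EOF
}

# Count the rules that reference the tftp helper: one assigns it (raw), one
# consumes it (filter). Both must be present for the helper to be useful.
count_helper_rules() {
    tftp_helper_ruleset | grep -c -- '--helper tftp'
}

# Load the ruleset into the kernel. Needs root; shown for completeness only.
apply_ruleset() {
    tftp_helper_ruleset | iptables-restore
}
```

Run `tftp_helper_ruleset` to print the ruleset and review it, and `apply_ruleset` as root to load it. The important design point is the last INPUT rule: without `-m helper --helper tftp`, a bare `--ctstate RELATED` would also admit entries created by any other loaded helper, so the match narrows the exception to what this rule set actually set up.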
