
10.4.3. Shortcut Functions

The iptables module distributes a file to /etc/iptables/ called iptables-functions. The functions available from this file, which is loaded through the /etc/iptables/iptables script, are:
  • allow_certmaster()
    The allow_certmaster() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 51235
    2. The protocol, tcp
    As such, the allow_certmaster() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_cifs()
    The allow_cifs() function is a shortcut function which executes multiple calls to allow_standard_protocol().
    CIFS is a communication and discovery protocol collection that requires multiple ports and multiple protocols to be available, including:
    • netbios-ns, over port 137 using the udp protocol.
    • netbios-dgm, over port 138 using the udp protocol.
    • netbios-ssn, over port 139 using the tcp protocol.
    Note that current SMB clients talk directly over port 445 without NetBIOS, which this function does not open; see allow_microsoft_ds() for that.
    As such, the allow_cifs() function allows only three parameters, all of which are optional and are passed to each of the calls:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain these rules should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_dns_queries()
    The allow_dns_queries() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 53
    2. The protocol, udp
    As such, the allow_dns_queries() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    Note that this opens udp only. Resolvers retry over tcp port 53 when a response does not fit in a UDP datagram, so a DNS server that must answer such queries also needs allow_dns_transfers(), which opens the tcp port.
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_dns_transfers()
    The allow_dns_transfers() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 53
    2. The protocol, tcp
    As such, the allow_dns_transfers() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_ftp()
    The FTP protocol requires a bit more attention than the average single-listener, two-way protocol, because it uses two separate connections: a "control" channel and a "data" channel.
    The allow_ftp() function therefore shortcuts one call to allow_standard_protocol() for the incoming control connection over port 21 using the tcp protocol. The other rules it inserts in the chosen chain open the data channel: in active mode the server opens the data connection back to the client from source port 20 over tcp, while in passive mode the data port is negotiated on the control channel at run time and cannot be specified in advance. Tracking those negotiated ports requires the FTP connection-tracking helper (ipt_conntrack_ftp; on current kernels the module is called nf_conntrack_ftp) to be loaded into the kernel.
  • allow_func()
    The allow_func() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 51234
    2. The protocol, tcp
    As such, the allow_func() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_git()
    The allow_git() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 9418
    2. The protocol, tcp
    As such, the allow_git() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_http()
    The allow_http() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 80
    2. The protocol, tcp
    As such, the allow_http() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_https()
    The allow_https() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 443
    2. The protocol, tcp
    As such, the allow_https() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_icmp()
    The allow_icmp() function is a shortcut for allowing packets using the ICMP protocol through the firewall; since ICMP has no ports, no port or protocol parameter is involved.
    As such, the allow_icmp() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
  • allow_imap()
    The allow_imap() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 143
    2. The protocol, tcp
    As such, the allow_imap() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_imaps()
    The allow_imaps() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 993
    2. The protocol, tcp
    As such, the allow_imaps() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_ipp()
    The allow_ipp() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 631
    2. The protocol, tcp
    As such, the allow_ipp() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_kerberos()
    The allow_kerberos() function is a shortcut function that makes two calls to the allow_standard_protocol() function, one for each protocol Kerberos uses:
    1. Port 88 over tcp
    2. Port 88 over udp
    As such, the allow_kerberos() function allows only three parameters, all of which are optional and are passed to both calls:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain these rules should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_ldap()
    The allow_ldap() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 389
    2. The protocol, tcp
    As such, the allow_ldap() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_ldaps()
    The allow_ldaps() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 636
    2. The protocol, tcp
    As such, the allow_ldaps() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_lpd()
    The allow_lpd() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 515
    2. The protocol, tcp
    As such, the allow_lpd() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_microsoft_ds()
    The allow_microsoft_ds() function is a shortcut function that makes two calls to the allow_standard_protocol() function, one for each protocol:
    1. Port 445 over tcp
    2. Port 445 over udp
    As such, the allow_microsoft_ds() function allows only three parameters, all of which are optional and are passed to both calls:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain these rules should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_msds()
    The allow_msds() function is a shortcut to the allow_microsoft_ds() function.
  • allow_mysql()
    The allow_mysql() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 3306
    2. The protocol, tcp
    As such, the allow_mysql() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_nfs()
    The allow_nfs() function allows NFS communication over the standard port 2049, for both the tcp and udp protocols, through calls to the allow_standard_protocol() function.
    Additionally, it calls a number of the rpc-related helper functions (allow_rpcbind() among them), passing them the very same arguments that were passed to the allow_nfs() call.
    Each of these functions (except for allow_rpcbind()) does something less straightforward than opening a fixed port, so please read the details on each before relying on allow_nfs().
  • allow_nrpe()
    The allow_nrpe() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 5666
    2. The protocol, tcp
    As such, the allow_nrpe() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_ntp()
    The allow_ntp() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 123
    2. The protocol, udp
    As such, the allow_ntp() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_openvpn()
    The allow_openvpn() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified; the port and protocol.
    In order to determine the port and protocol, the allow_openvpn() function attempts to get those settings from /etc/openvpn/server.conf, using the following commands:
    port=`grep ^port /etc/openvpn/server.conf | awk '{print $2}'`
    proto=`grep ^proto /etc/openvpn/server.conf | awk '{print $2}'`
    
    If both values are found, they are used as the first two parameters of a call to allow_standard_protocol().
    Should the function be unable to determine the port and protocol from /etc/openvpn/server.conf, it returns without inserting any rule, and you should call allow_standard_protocol() directly with the correct port and protocol instead. Note that the value of proto is taken verbatim: OpenVPN accepts settings such as tcp-server or udp6 there, which are not valid iptables protocol names, so check the resulting rule when server.conf uses one of those.
    That said, the allow_openvpn() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_pop()
    The allow_pop() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 110
    2. The protocol, tcp
    As such, the allow_pop() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_pops()
    The allow_pops() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 995
    2. The protocol, tcp
    As such, the allow_pops() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_postgres()
    The allow_postgres() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 5432
    2. The protocol, tcp
    As such, the allow_postgres() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_puppet()
    The allow_puppet() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 8140
    2. The protocol, tcp
    As such, the allow_puppet() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_rpcbind()
    The allow_rpcbind() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 111
    2. The protocol, tcp
    As such, the allow_rpcbind() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    Note that rpcbind also answers on udp port 111, which this function does not open; if NFSv3 clients need to query the port mapper over udp, call allow_standard_protocol() yourself with port 111 and protocol udp.
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_rpclockd()
    The allow_rpclockd() function determines the ports the NFS lock daemon should be listening on by parsing /etc/sysconfig/nfs for the settings LOCKD_TCPPORT and LOCKD_UDPPORT.
    Should allow_rpclockd() be unable to discover the tcp and udp ports for the NFS lock manager, it does not insert any rules into iptables.

    Using /etc/sysconfig/nfs encouraged!

    The settings in /etc/sysconfig/nfs let you define the ports for services related to NFSv3, as opposed to having these ports assigned to the services through port mapping (the rpcbind or portmap service). As such, it is the only way to control the ports assigned to these services, and thus also the only way to control the firewall opening up certain ports related to these services.
    That said, the allow_rpclockd() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain these rules should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_rpcmountd()
    The allow_rpcmountd() function determines the port the NFS mount daemon should be listening on by parsing /etc/sysconfig/nfs for the setting MOUNTD_PORT.
    Should allow_rpcmountd() be unable to discover the port number for the NFS mount daemon, it does not insert any rules into iptables.

    Using /etc/sysconfig/nfs encouraged!

    The settings in /etc/sysconfig/nfs let you define the ports for services related to NFSv3, as opposed to having these ports assigned to the services through port mapping (the rpcbind or portmap service). As such, it is the only way to control the ports assigned to these services, and thus also the only way to control the firewall opening up certain ports related to these services.
    That said, the allow_rpcmountd() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_rpcrquotad()
    The allow_rpcrquotad() function determines the port the NFS quota daemon should be listening on by parsing /etc/sysconfig/nfs for the setting RQUOTAD_PORT.
    Should allow_rpcrquotad() be unable to discover the port number for the NFS quota daemon, it does not insert any rules into iptables.

    Using /etc/sysconfig/nfs encouraged!

    The settings in /etc/sysconfig/nfs let you define the ports for services related to NFSv3, as opposed to having these ports assigned to the services through port mapping (the rpcbind or portmap service). As such, it is the only way to control the ports assigned to these services, and thus also the only way to control the firewall opening up certain ports related to these services.
    That said, the allow_rpcrquotad() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_rpcstatd()
  • allow_rsync()
    The allow_rsync() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 873
    2. The protocol, tcp
    As such, the allow_rsync() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_smtp()
    The allow_smtp() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 25
    2. The protocol, tcp
    As such, the allow_smtp() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_snmp()
    The allow_snmp() function is a shortcut function to the allow_standard_protocol() function, with the standard SNMP agent port and protocol already specified:
    1. The port, 161
    2. The protocol, udp
    As such, the allow_snmp() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_snmptrap()
    The allow_snmptrap() function is a shortcut function to the allow_standard_protocol() function, with the standard SNMP trap receiver port and protocol already specified:
    1. The port, 162
    2. The protocol, udp
    As such, the allow_snmptrap() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_ssh()
    The allow_ssh() function is a shortcut function to the allow_standard_protocol() function, with two parameters already specified:
    1. The port, 22
    2. The protocol, tcp
    As such, the allow_ssh() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
  • allow_syslog()
    The allow_syslog() function is a shortcut function to the allow_standard_protocol() function, with the standard syslog port and protocol already specified:
    1. The port, 514
    2. The protocol, udp
    As such, the allow_syslog() function allows only three parameters, all of which are optional:
    1. The source IP address or network (default: 0/0)
    2. The destination IP address or network (default: 0/0)
    3. The chain this rule should be in (default: INPUT)
    For more information about the exact workings of each parameter, please see the documentation on allow_standard_protocol().
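Worked example, added here and not part of the module's iptables-functions file: a dry-run re-implementation of the three patterns documented above (fixed-port shortcuts such as allow_ssh() and allow_snmp(), multi-call shortcuts such as allow_cifs() and allow_kerberos(), and the config-driven allow_openvpn() and allow_rpclockd()). It prints the iptables rule each call would insert instead of loading it, which is how to check what a shortcut actually opens, and with which source restriction, before running the real /etc/iptables/iptables script. The argument order, the defaults and the grep/awk parsing follow the documentation; the exact rule format, the IPTABLES, OPENVPN_CONF and NFS_SYSCONFIG variables and the sample config contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the module's iptables-functions file. IPTABLES defaults to a
# dry run that prints each rule instead of loading it; set IPTABLES=/sbin/iptables
# to apply for real. The rule format, the variable names IPTABLES, OPENVPN_CONF
# and NFS_SYSCONFIG, and the sample configs below are assumptions for this example.
IPTABLES="${IPTABLES:-echo iptables}"

# allow_standard_protocol PORT PROTO [SRC] [DST] [CHAIN]
# Assumed shape of the documented helper: one ACCEPT rule, defaults 0/0, 0/0, INPUT.
allow_standard_protocol() {
    port="$1"; proto="$2"
    src="${3:-0/0}"; dst="${4:-0/0}"; chain="${5:-INPUT}"
    case "$proto" in
        tcp|udp) ;;
        *) echo "allow_standard_protocol: unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    $IPTABLES -A "$chain" -p "$proto" -s "$src" -d "$dst" --dport "$port" -j ACCEPT
}

# Single-port shortcuts: port and protocol are fixed, the three optional
# arguments (source, destination, chain) are passed straight through.
allow_ssh()  { allow_standard_protocol 22  tcp "$@"; }
allow_snmp() { allow_standard_protocol 161 udp "$@"; }

# Multi-call shortcuts: every call receives the same source/destination/chain.
allow_cifs() {
    allow_standard_protocol 137 udp "$@" &&
    allow_standard_protocol 138 udp "$@" &&
    allow_standard_protocol 139 tcp "$@"
}
allow_kerberos() {
    allow_standard_protocol 88 tcp "$@" &&
    allow_standard_protocol 88 udp "$@"
}

# Config-driven shortcut: port and protocol are read from server.conf with the
# same grep/awk pipeline the documentation shows, and no rule is inserted when
# either value is missing. OpenVPN also accepts "proto tcp-server" or
# "proto udp6", which iptables -p rejects, so the value is normalised first.
allow_openvpn() {
    conf="${OPENVPN_CONF:-/etc/openvpn/server.conf}"
    [ -r "$conf" ] || { echo "allow_openvpn: cannot read $conf" >&2; return 1; }
    port=`grep '^port' "$conf" | awk '{print $2}'`
    proto=`grep '^proto' "$conf" | awk '{print $2}'`
    if [ -z "$port" ] || [ -z "$proto" ]; then
        echo "allow_openvpn: port/proto not found in $conf, no rule added" >&2
        return 1
    fi
    case "$proto" in
        udp*) proto=udp ;;
        tcp*) proto=tcp ;;
    esac
    allow_standard_protocol "$port" "$proto" "$@"
}

# NFS lock daemon: rules are inserted only for the ports pinned in
# /etc/sysconfig/nfs; with nothing pinned there, nothing is inserted.
allow_rpclockd() {
    conf="${NFS_SYSCONFIG:-/etc/sysconfig/nfs}"
    [ -r "$conf" ] || return 0
    tcp_port=`sed -n 's/^LOCKD_TCPPORT=//p' "$conf" | tr -d '"'`
    udp_port=`sed -n 's/^LOCKD_UDPPORT=//p' "$conf" | tr -d '"'`
    [ -n "$tcp_port" ] && allow_standard_protocol "$tcp_port" tcp "$@"
    [ -n "$udp_port" ] && allow_standard_protocol "$udp_port" udp "$@"
    return 0
}

# Constructed sample configs (not taken from any real host), written to a
# temporary directory so the parsing can be exercised without root access.
setup_sample_configs() {
    SAMPLE_DIR=`mktemp -d`
    cat > "$SAMPLE_DIR/server.conf" <<'EOF'
port 1194
proto udp6
dev tun
EOF
    cat > "$SAMPLE_DIR/nfs" <<'EOF'
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT="892"
EOF
}

demo() {
    setup_sample_configs
    allow_ssh 10.0.0.0/8                   # only from the management network
    allow_cifs 192.168.1.0/24 0/0 FORWARD  # three rules, all in FORWARD
    OPENVPN_CONF="$SAMPLE_DIR/server.conf"; allow_openvpn
    NFS_SYSCONFIG="$SAMPLE_DIR/nfs";        allow_rpclockd 10.0.0.0/8
    rm -rf "$SAMPLE_DIR"
}

demo
```

Run it as-is for the dry run; the failure paths (an unreadable or incomplete server.conf, unset LOCKD_* ports) return without printing a rule, matching the documented behaviour, and allow_standard_protocol() refuses a protocol name that is neither tcp nor udp rather than handing it to iptables.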