Jump to content

Talk:Final Destination 2 and Iptables: Difference between pages

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia
(Difference between pages)
Content deleted Content added
VisualWikitext
Moved out of "main space" into their own (if somewhat random) section.
 
Toutoune25 (talk | contribs)
169 edits
m update latest version
 
Line 1: Line 1:
{{lowercase}}
{{Film|class=Start|Canadian-task-force=yes}}
{{Infobox_Software
{{HorrorWikiProject|class=Start}}
|name = iptables
|logo =
|screenshot =
|caption =
|author = [[Rusty Russell]]
|developer = Netfilter Core Team
|released = [[1998]]
|latest_release_version = 1.4.2
|latest_release_date = [[October 13]], [[2008]]
|programming language = [[C (programming language)|C]]
|operating_system = [[Linux]]
|genre = Packet filtering
|license = [[GNU General Public License]]
|website = [http://www.netfilter.org/ www.netfilter.org]
}}
'''iptables''' is a [[user space]] application program that allows a system administrator to configure the tables provided by [[Xtables]] (which in turn uses [[Netfilter]]) and the chains and rules it stores. Because iptables requires elevated privileges to operate, it must be executed by user [[Superuser|root]], otherwise it fails to function. On most Linux systems, iptables is installed as <tt>/usr/sbin/iptables</tt> and documented in its [[man page]] [http://dev.medozas.de/files/xtables/iptables.html], which can be opened using "<code>man iptables</code>" when installed. ''iptables'' is also commonly used to inclusively refer to the kernel-level component Xtables that does the actual table traversal and provides an API for kernel-level extensions.


iptables works with [[Linux kernel]]s 2.4 and 2.6. Older Linux kernels use [[ipchains]] (Linux 2.2) and [[ipfwadm]] (Linux 2.0).
== Question about the Clear and Alex Rivers headline ==
"However, Alex pushed Clear out of the way, changing the order and was destined to later die from a flesh-eating virus."


==Operational summary==
What the hell is it talking about when it says "flesh eating virus"!?!?!? <span style="font-size: smaller;" class="autosigned">—Preceding [[Wikipedia:Signatures|unsigned]] comment added by [[Special:Contributions/67.87.69.48|67.87.69.48]] ([[User talk:67.87.69.48|talk]]) 01:49, 13 October 2008 (UTC)</span><!-- Template:UnsignedIP --> <!--Autosigned by SineBot-->


The Xtables framework, used by ip_tables, ip6_tables and arp_tables, allows the [[system administrator]] to define ''tables'' containing ''chains'' of ''rules'' for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by traversing the chains. A rule in a chain can send a packet to another chain, and this can be repeated to whatever level of nesting is desired. Every network packet arriving at or leaving from the computer traverses at least one chain.


The source of the packet determines which chain it traverses initially. There are three ''predefined chains'' (INPUT, OUTPUT, and FORWARD) in the "filter" table. Predefined chains have a ''policy'', for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.
== Trivia change: ==


Each rule in a chain contains the specification of which packets it matches. It may also contain a ''target''. As a packet traverses a chain, each rule in turn examines it. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target, which may result in the packet being allowed to continue along the chain or it may not.
If anyone asks, that deserves to be on the deaths page.
08:53, 25 September 2006 (UTC)
Okay, who put that back?


The packet continues to traverse the chain until either (1) a rule matches the packet and decides the ultimate fate of the packet (for example by calling one of the ACCEPT or DROP targets); or (2) a rule calls the RETURN target, in which case processing returns to the calling chain; or (3) the end of the chain is reached.
== Why was the Plot Concerns section moved? ==


==Example==
As someone else asked above, why was it moved? The only thing the person said who removed it was "Bye, original research". What's that supposed to mean? Plot Concerns should be included...
[[User:JackOfHearts|JackOfHearts]] 02:45, 3 October 2006 (UTC)
:Everything needs to be fully sourced. Information can be added if you can supply [[WP:RS|reliable sources]]. Without those sources, then it is [[WP:OR|original research]]. [[User:The JPS|<font color="Purple">The <b>JP</b>S</font>]]<sup>[[User talk:The JPS|'''<font color="Purple"><b>talk</b> to me</font>''']]</sup> 00:36, 15 January 2007 (UTC)


This example shows an already-configured workstation firewall. The command "<tt>iptables -L</tt>" is executed by user root to display the firewall configuration.
==Survivor?==
Kimberly doesn't survive. It shows a newspaper report in the 3rd film which said she was pulled into a wood cutter! [[User:Bubble bunny|Bubble bunny]]


# iptables -L
When does it show that?I never caught it.[[User:Tabbishea|Tabbishea]] 02:08, 19 March 2007 (UTC)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost.localdomain localhost.localdomain
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination


RELATED, ESTABLISHED rule uses statefullness so that most client programs (web browser, ssh...) work.
It Dosent say If They '''Really''' Died. [[User:TaylorLTD|TaylorLTD]] 21:05, 10 August 2007 (UTC)


$ w3m http://en.wikipedia.org/wiki/Main_Page
== evan lewis section ==


(The main Wikipedia web page opens)
evan wasnt just impaled through the eyes he nearly escaped an explosion and slipped on a pasta[[User:63.164.225.201|63.164.225.201]] 14:18, 22 April 2007 (UTC)medayugiohman


Computer does not respond to ping and no services are offered. Connections are rejected (REJECT) or timeout (with DROP) when ports are being scanned.
== Drug Content? ==


$ ping -c 1 10.0.0.1
"In the U.S., the film was rated R for strong violence/gruesome accidents, language, drug content, and some nudity..." The words "drug content" where linked to [[cocaine]], which I changed to [[Recreational drug use]]. -[[User:Saint Ryan|Saint Ryan]] 05:59, 19 May 2007 (UTC)
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
--- 62.78.243.6 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


Trying to connect to [[HTTP]] port ([[Transmission Control Protocol|TCP]] 80)
==Death Page==
What happened to the final destination 2 deaths page? [[User:TaylorLTD|TaylorLTD]] 21:08, 10 July 2007 (UTC)


$ telnet 10.0.0.1 80
do you think we should put the deaths on a separate page to avoid spoilers?
Trying 10.0.0.1...
[[User:Rhetoric2|rhetoric]] 08:23, 21 October 2007 (UTC)
telnet: connect to address 10.0.0.1: Connection refused


== links to 180 ==
=== Redirection example ===


<!-- Moved from [[Netfilter]] -->
eugene's connection still doesn't make sense to me. granted what's been written here is basically all that's said in the movie, but the other people in that scene were alive because the "catch-up" death of the characters in the first film saved them. (ie, if everyone had died on the plane, then the cast in the second film would have already died.) how does the teacher's death in the first movie prevent him from being stabbed? can someone clear this up for me and for the page? [[User:Rhetoric2|rhetoric]] 08:29, 21 October 2007 (UTC)
This simple example of its use illustrates how to redirect all traffic on the default [[HTTP]] port, port 80, to port 8080, allowing the HTTP daemon to run as a non-privileged user, unable to listen on port numbers below 1024.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Note: if you launch this command on your computer it will only work for external IP addresses connecting to your machine. Connections from localhost do not traverse the PREROUTING chain in the "nat" table. If you also want this feature to work, use the following rule:
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
which reroutes packets on the loopback (lo) interface from port 80 to port 8080.


===Front-ends===
== One of Kim's clues are wrong ==
[[Image:GUI for Uncomplicated Firewall.png|thumb|300px|[[GUI for Uncomplicated Firewall]]]]
*[[Uncomplicated Firewall|GUI for ufw]], a GUI utility for [[Ubuntu]]
*[http://www.nufw.org/ NuFW] an authenticating firewall using Netfilter
*[http://www.fwbuilder.org/ Firewall Builder]
*[http://dag.wieers.com/home-made/dwall/ dwall] All-purpose firewall generator
*[[Firestarter (firewall)|Firestarter]], a graphical firewall frontend which uses the Netfilter framework
*[http://www.softpedia.com/get/Security/Firewall/Solsoft-NetfilterOne.shtml NetfilterOne] A free graphical tool for managing Netfilter's security policy (This software is no longer available directly from Solsoft)
*[http://kmyfirewall.sourceforge.net/ KMyFirewall] KDE/QT based configuration tool
*[http://developer.berlios.de/projects/abyle/ Abyle] a simple iptables script in Python
*[http://rocky.eld.leidenuniv.nl/ arno-iptables-firewall] Easy to Set-up & Configure Firewall Script for iptables


==See also==
where it says "Kim's dad phones and warns her to stop the car because of fluid leakage..." when actually her Check Engine light flashes and tells her friends that something is wrong with the car. The front passenger (forgot her name) tells Kim that everything is going to be fine. That's what I saw on the DVD.
*[[Netfilter]], the underlying framework for iptables and Xtables
[[User:Mmark089|Mmark089]] 06:32, 22 October 2007 (UTC)
*[[FireHOL]], a GUI-less bash script based firewall which uses a plain text configuration file
*[[NuFW]], a userspace extension to Netfilter
*[[Shorewall]], software to more easily manage iptables
*[[Untangle]], open source software to more easily manage iptables plus many other open source apps like spam blocker, virus blocker, webfilter, & others


==External links==
Kim's dad '''does''' phone and warn her, then somewhere before or after that she noticed the check engine light.
* [http://www.netfilter.org/ The netfilter/iptables project Web page]
That's what I saw on the DVD.
* [http://www.netfilter.org/documentation/index.html The netfilter/iptables documentation page]
[[User:Thatmusic|Thatmusic]]
* [http://myy.helia.fi/~karte/iptables_firewall.html A simple iptables firewall script]
* [http://blog.2blocksaway.com/2007/01/03/iptables-explained-get-started-with-iptables-and-tame-the-monster-of-all-firewalls/ Iptables explained in simple terms (Multipart and very extensive)]
* [http://easyfwgen.morizot.net/gen/iptables-info.html Iptables in the Linux 2.4 kernel]
* [http://freshmeat.net/projects/iptables/ Freshmeat project page]
* [http://www.cipherdyne.org/fwsnort/ Translate Snort rules into iptables rules with fwsnort]
* [http://www.cipherdyne.org/psad/ Detect port scans via iptables log messages]


===Diagrams===
== Questionable writing ==
To better understand how a packet traverses the kernel Xtables tables/chains you may find the following diagrams useful:
*http://jengelh.medozas.de/images/nf-packet-flow.png
*http://ornellas.apanela.com/dokuwiki/pub:firewall_and_adv_routing#data_flow_diagram
*http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
*http://www.shorewall.net/images/Netfilter.png
*http://dmiessler.com/images/DM_NF.PNG


[[Category:Firewall software]]
As someone who has not yet watched this movie, I found the section on Evan Lewis exceedingly hard to interpret. It seems as if the summary is trying to tell the events backwards, which can be quite perplexing to someone who has not watched the actual scene. In addition, I find the following sentence very confusing:
[[Category:Linux software]]


[[ca:Iptables]]
{{cquote|When Evan arrives in his apartment hall he steps on a doll's head, which is what happens to him."}}
[[de:Iptables]]

[[es:Iptables]]
I thought he was impaled through the eye? I would make a friendly recommendation that someone rewrites this section and makes it a bit more clear. [[User:ChibiKareshi|ChibiKareshi]] 11:20, 5 November 2007 (UTC)
[[fr:Iptables]]

[[it:Iptables]]
To comment on Evan's death, my friend tells me there is a part of that scene involving fridge magnets spelling: H E Y E as in "Hey, Evan".
[[lv:Netfilter/iptables]]
The important part is that the letter H falls off leaving E Y E.
[[mk:Iptables]]
I should also say that I have interpreted the falling H as a ladder.
[[ja:Iptables]]
Point being: "Hey. Evan. Ladder. Fall. Eye", which is exactly what happens to him.
[[no:Iptables]]
I have only seen that film once and don't remember it very well, could someone verify that before adding it?
[[pl:Iptables]]
Thanks.
[[pt:Iptables]]
[[User:Thatmusic|Thatmusic]]
[[ru:Iptables]]

[[fi:Iptables]]
==Link to the Same Page==

Why is there a link on this page to the exact same page? Isn't that redundant and pointless?[[User:Edmonton guy|Edmonton guy]] ([[User talk:Edmonton guy|talk]]) 03:05, 26 May 2008 (UTC)

==Random comments==

Fixed spelling error on Rory's death. It said "threw", instead of "through". [[User:SkinnerIJA|SkinnerIJA]] 21:48 5 January 2006 (UTC)

I added tons more info and detail on the Final Destination 1 and 2 pages all throughout today. I'm sorry if I deleted some info others may have added while I was editing. I'm new here and I have only been editing those two pages.
[[User:Da Letter Jay|Jay]] 01:43, 9 February 2006 (UTC)

Who keeps editing out the death sections? [[User:Da Letter Jay|Jay]] 01:25, 10 February 2006 (UTC)

I removed the comment about Tim's death being the "goriest" as it is subjective. I personally thought that Rory's slicin' and dicin' was the nastiest, but again, that's my opinion. [[User:Jamyskis|Jamyskis]] <font size="-3">[[User_talk:Jamyskis|Whisper]], [[Special:Contributions/Jamyskis|Contribs]]</font> [[Image:Flag_of_Germany.svg|25px|Germany]] 16:09, 24 February 2006 (UTC)

Revision as of 18:07, 13 October 2008

iptables
Original author(s)Rusty Russell
Developer(s)Netfilter Core Team
Initial release1998
Stable release
1.4.2 / October 13, 2008
Repository
Written inC
Operating systemLinux
TypePacket filtering
LicenseGNU General Public License
Websitewww.netfilter.org

iptables is a user space application program that allows a system administrator to configure the tables provided by Xtables (which in turn uses Netfilter) and the chains and rules it stores. Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page [1], which can be opened using "man iptables" when installed. iptables is also commonly used to inclusively refer to the kernel-level component Xtables that does the actual table traversal and provides an API for kernel-level extensions.

iptables works with Linux kernels 2.4 and 2.6. Older Linux kernels use ipchains (Linux 2.2) and ipfwadm (Linux 2.0).

Operational summary

The Xtables framework, used by ip_tables, ip6_tables and arp_tables, allows the system administrator to define tables containing chains of rules for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by traversing the chains. A rule in a chain can send a packet to another chain, and this can be repeated to whatever level of nesting is desired. Every network packet arriving at or leaving from the computer traverses at least one chain.

The source of the packet determines which chain it traverses initially. There are three predefined chains (INPUT, OUTPUT, and FORWARD) in the "filter" table. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.

Each rule in a chain contains the specification of which packets it matches. It may also contain a target. As a packet traverses a chain, each rule in turn examines it. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target, which may result in the packet being allowed to continue along the chain or it may not.

The packet continues to traverse the chain until either (1) a rule matches the packet and decides the ultimate fate of the packet (for example by calling one of the ACCEPT or DROP targets); or (2) a rule calls the RETURN target, in which case processing returns to the calling chain; or (3) the end of the chain is reached.

Example

This example shows an already-configured workstation firewall. The command "iptables -L" is executed by user root to display the firewall configuration. 

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
REJECT     all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

RELATED, ESTABLISHED rule uses statefullness so that most client programs (web browser, ssh...) work. 

$ w3m http://en.wikipedia.org/wiki/Main_Page

(The main Wikipedia web page opens)

Computer does not respond to ping and no services are offered. Connections are rejected (REJECT) or timeout (with DROP) when ports are being scanned. 

$  ping -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
--- 62.78.243.6 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Trying to connect to HTTP port (TCP 80) 

$ telnet 10.0.0.1 80
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused

Redirection example

This simple example of its use illustrates how to redirect all traffic on the default HTTP port, port 80, to port 8080, allowing the HTTP daemon to run as a non-privileged user, unable to listen on port numbers below 1024. 

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Note: if you launch this command on your computer it will only work for external IP addresses connecting to your machine. Connections from localhost do not traverse the PREROUTING chain in the "nat" table. If you also want this feature to work, use the following rule: 

iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080

which reroutes packets on the loopback (lo) interface from port 80 to port 8080.

Front-ends

GUI for Uncomplicated Firewall
  • GUI for ufw, a GUI utility for Ubuntu
  • NuFW an authenticating firewall using Netfilter
  • Firewall Builder
  • dwall All-purpose firewall generator
  • Firestarter, a graphical firewall frontend which uses the Netfilter framework
  • NetfilterOne A free graphical tool for managing Netfilter's security policy (This software is no longer available directly from Solsoft)
  • KMyFirewall KDE/QT based configuration tool
  • Abyle a simple iptables script in Python
  • arno-iptables-firewall Easy to Set-up & Configure Firewall Script for iptables

See also

  • Netfilter, the underlying framework for iptables and Xtables
  • FireHOL, a GUI-less bash script based firewall which uses a plain text configuration file
  • NuFW, a userspace extension to Netfilter
  • Shorewall, software to more easily manage iptables
  • Untangle, open source software to more easily manage iptables plus many other open source apps like spam blocker, virus blocker, webfilter, & others

External links

Diagrams

To better understand how a packet traverses the kernel Xtables tables/chains you may find the following diagrams useful:

Retrieved from "https://en.wikipedia.org/w/index.php?title=Talk:Final_Destination_2&oldid=245038137"