iptables Chinese learning documentation

xiaoxiao, 2021-03-06

SYNOPSIS

iptables -[ADC] chain rule-specification [options]    (-A append, -D delete, -C check)
iptables -[RI] chain rulenum rule-specification [options]    (-R replace, -I insert)
iptables -D chain rulenum [options]    (delete the rule with the given number)
iptables -[LFZ] [chain] [options]    (-L list, -F flush, -Z zero)
iptables -[NX] chain    (-N new chain, -X delete chain)
iptables -P chain target [options]    (set the default target, i.e. the policy)
iptables -E old-chain-name new-chain-name    (rename a chain; the new name replaces the old one)

DESCRIPTION

iptables is used to set up, maintain and inspect the IP packet filtering rules of the Linux kernel. Several different tables can be defined; each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that can match a set of packets: each rule specifies what to do with a packet that matches it. This is called a "target", which may also be a jump to a user-defined chain in the same table.

TARGETS

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next rule is determined by the value of the target. The target can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN. ACCEPT means let the packet through. DROP means discard the packet. QUEUE means pass the packet to user space. RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the fate of the packet is decided by the policy, i.e. the target specified for that chain.

TABLES

There are currently three tables (which tables are present at any time depends on the kernel configuration options and on which modules are loaded).

-t, --table table
    This option specifies the packet matching table the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for that table if it is not already loaded. The tables are as follows:

filter: the default table, containing the built-in chains INPUT, FORWARD and OUTPUT (for locally generated packets).

nat: this table is consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to go out).

mangle: this table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing).

OPTIONS

The options recognized by iptables can be divided into several different groups.

COMMANDS

These options specify the specific action to perform; only one of them can be given on the command line unless otherwise specified below. For the long-format command and option names, only enough letters need be used to ensure that iptables can distinguish the name from all other options.

-A, --append
    Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-D, --delete
    Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule to match.

-R, --replace
    Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.

-I, --insert
    Insert one or more rules into the selected chain at the given rule number. So if the rule number is 1, the rule(s) are inserted at the head of the chain. This is also the default when no rule number is specified.

-L, --list
    List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to give the -Z (zero) option as well, in which case the chain(s) are atomically listed and zeroed. The exact output is affected by the other arguments given.

-F, --flush
    Flush the selected chain. This is equivalent to deleting all the rules one by one.

-Z, --zero
    Zero the packet and byte counters in all chains. It is legal to give the -L (list) option as well, to see the counters immediately before they are cleared (see above).

-N, --new-chain
    Create a new user-defined chain with the given name. There must be no existing chain with that name.

-X, --delete-chain
    Delete the specified user-defined chain. There must be no references to the chain; if there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, the command attempts to delete every non-built-in chain in the table.

-P, --policy
    Set the policy (default target) of the chain to the given target. The target must be a legitimate target: only built-in (non-user-defined) chains can have a policy, and neither built-in nor user-defined chains can be used as a policy target.

-E, --rename-chain
    Rename the specified chain to the name supplied by the user. This is cosmetic and has no effect on the structure of the table.

-h
    Help. Give a (currently very brief) description of the command syntax.

PARAMETERS

The following parameters make up a rule specification, as used in the add, delete, insert, replace and append commands.

-p, --protocol [!] protocol
    The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or a numeric value representing one of these protocols. A protocol name from /etc/protocols is also allowed. A "!" before the protocol inverts the test. The number zero is equivalent to all. The protocol all matches all protocols and is the default when this option is omitted; all may not be used in combination with the check command.

-s, --source [!] address[/mask]
    Source specification. The address can be a host name, a network name or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1 bits at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" before the address specification inverts the sense of the address. The flag --src is an alias for this option.

-d, --destination [!] address[/mask]
    Destination specification. See the description of the -s flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target
    Specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, matching the rule has no effect on the packet's fate, but the counters of the rule are incremented.

-i, --in-interface [!] [name]
    Optional name of the interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When "!" is used before the interface name, the sense is inverted. If the interface name ends in "+", any interface whose name begins with the given prefix matches. If this option is omitted, the name "+" is assumed, which matches any interface.

-o, --out-interface [!] [name]
    Optional name of the interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When "!" is used before the interface name, the sense is inverted. If the interface name ends in "+", any interface whose name begins with the given prefix matches. If this option is omitted, the name "+" is assumed, which matches any interface.

[!] -f, --fragment
    The rule refers only to the second and further fragments of fragmented packets. Since there is no way to tell the source or destination port (or ICMP type) of such a packet, it will not match any rule that specifies them. When "!" precedes the -f flag, the sense is inverted.

OTHER OPTIONS

The following additional options can also be specified:

-v, --verbose
    Verbose output. This option makes the list command show the interface address, the rule options (if any) and the TOS (Type of Service) mask. The packet and byte counters are also listed, with the suffix K, M or G for multipliers of 1000, 1,000,000 and 1,000,000,000 respectively (but see the -x flag to change this). For the append, insert, delete and replace commands, this causes detailed information on the rule or rules to be printed.

-n, --numeric
    Numeric output. IP addresses and port numbers are printed in numeric form. By default the program tries to display them as host names, network names or service names (whenever applicable).

-x, --exact
    Expand numbers. Display the exact value of the packet and byte counters instead of the rounded numbers in K, M or G. This option is only relevant for the -L command.

--line-numbers
    When listing rules, add a line number at the beginning of each rule, corresponding to that rule's position in the chain.

MATCH EXTENSIONS

iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by "!" to specify the inverse of the match.

tcp
    These extensions are loaded when --protocol tcp is specified and no other match is specified. They provide the following options:

    --source-port [!] [port[:port]]
        Source port or port range specification. This can be either a service name or a port number. An inclusive range can also be specified using the format port:port. If the first port is omitted, "0" is assumed; if the last port is omitted, "65535" is assumed. If the second port is greater than the first, they are swapped. The flag --sport is an alias for this option.

    --destination-port [!] [port[:port]]
        Destination port or port range specification. The flag --dport is an alias for this option.

    --tcp-flags [!] mask comp
        Match the specified TCP flags. The first argument is the comma-separated list of flags to examine; the second argument is the comma-separated list of flags that must be set. The flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

        iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

        only matches packets with the SYN flag set and the ACK, FIN and RST flags unset.

    [!] --syn
        Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking these packets on an incoming interface prevents incoming TCP connections while outgoing TCP connections are unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If "!" precedes --syn, the sense is inverted.

    --tcp-option [!] number
        Match if the given TCP option is set.

udp
    These extensions are loaded when protocol udp is specified and no other match is specified. They provide the following options:

    --source-port [!] [port[:port]]
        Source port or port range specification. See the description of the tcp extension's --source-port option for details.

    --destination-port [!] [port[:port]]
        Destination port or port range specification. See the description of the tcp extension's --destination-port option for details.

icmp
    This extension is loaded when protocol icmp is specified and no other match is specified. It provides the following option:

    --icmp-type [!] typename
        Specifies the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac
    --mac-source [!] address
        Match the source MAC (physical) address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

limit
    This module matches at a limited rate using a token bucket filter; it can be combined with the LOG target, for example, to give a limited number of log entries. A rule using this extension matches until the limit is reached (unless the "!" flag is used).

    --limit rate
        Maximum average matching rate, given as a number with an optional "/second", "/minute", "/hour" or "/day" suffix; the default is 3/hour.

    --limit-burst number
        Maximum initial number of packets to match: this number is recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

multiport
    This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

    --source-port [port[,port]]
        Match if the source port is one of the given ports.

    --destination-port [port[,port]]
        Match if the destination port is one of the given ports.

    --port [port[,port]]
        Match if the source and destination ports are equal to each other and to one of the given ports.

mark
    This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

    --mark value[/mask]
        Match packets with the given unsigned mark value (if a mask is specified, the mark is logically ANDed with the mask before the comparison).

owner
    This module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain, and even there some packets (such as ICMP ping responses) may have no owner and hence never match.

    --uid-owner userid
        Match if the packet was created by a process with the given effective user id.

    --gid-owner groupid
        Match if the packet was created by a process with the given effective group id.

    --sid-owner sessionid
        Match if the packet was created by a process in the given session group.

state
    This module, when combined with connection tracking, allows access to the connection tracking state of the packet.

    --state state
        state is a comma-separated list of the connection states to match. Possible states are: INVALID, meaning the packet is associated with no known connection; ESTABLISHED, meaning the packet is associated with a connection which has seen packets in both directions; NEW, meaning the packet has started a new connection or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

unclean
    This module takes no options, but attempts to match packets which seem malformed or unusual. It is experimental.

tos
    This module matches the 8-bit Type of Service field in the IP header (i.e. including the precedence bits).

    --tos tos
        The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value.

TARGET EXTENSIONS

iptables can use extended target modules; the following are included in the standard distribution.

LOG
    Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel prints some information on all matching packets (such as most IP header fields) via printk().

    --log-level level
        Level of logging (numeric, or see syslog.conf(5)).

    --log-prefix prefix
        Prefix log messages with the specified prefix, up to 14 letters long, useful for distinguishing these messages from others in the logs.

    --log-tcp-sequence
        Log TCP sequence numbers. This is a security risk if the log is readable by users.

    --log-tcp-options
        Log options from the TCP packet header.

    --log-ip-options
        Log options from the IP packet header.

MARK
    Set the netfilter mark value associated with the packet. Only valid in the mangle table.

    --set-mark mark

REJECT
    Send back an error packet in response to the matched packet; otherwise it is equivalent to DROP. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains called from those chains. The following option controls the nature of the error packet returned:

    --reject-with type
        type can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the corresponding ICMP error message (the default is port-unreachable). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules in the INPUT chain (or in chains called from INPUT) which only match the TCP protocol: a TCP RST packet is sent back.

TOS
    Set the 8-bit Type of Service field in the IP header. Only valid in the mangle table.

    --set-tos tos
        You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

MIRROR
    This is an experimental demonstration target which swaps the source and destination addresses in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains called only from those chains.

SNAT
    This target is only valid in the POSTROUTING chain of the nat table.
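As an added example (not code from the original page), the following script assembles a small stateful host firewall from the chains, matches and targets documented above. IPT is a hypothetical variable that defaults to printing the commands so the ruleset can be reviewed without root; run it with IPT=iptables to apply the rules.

```shell
#!/bin/sh
# Added example, not part of the original page: a small stateful host firewall
# assembled from the chains, matches and targets documented above.
# IPT (hypothetical) defaults to printing the commands so the ruleset can be
# reviewed without root; run with IPT=iptables to apply it for real.
IPT="${IPT:-echo iptables}"

build_firewall() {
    # filter table: default-deny inbound and forwarded traffic, allow outbound.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback plus connection tracking: replies to our own connections pass,
    # packets belonging to no known connection are dropped.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # User-defined chain: flag combinations a real TCP stack never sends.
    $IPT -N TCP_SANITY
    $IPT -A TCP_SANITY -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A TCP_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A TCP_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # A NEW connection must begin with a bare SYN (--syn == --tcp-flags SYN,RST,ACK SYN)
    $IPT -A TCP_SANITY -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A TCP_SANITY -j RETURN
    $IPT -A INPUT -p tcp -j TCP_SANITY

    # Log new SSH connections at a bounded rate (limit + LOG), then accept them.
    $IPT -A INPUT -p tcp --dport 22 --syn -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix "SSH-NEW: " --log-level 4
    $IPT -A INPUT -p tcp --dport 22 --syn -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Everything else is refused with an explicit error rather than silently dropped.
    $IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j REJECT --reject-with icmp-proto-unreachable

    # Show the result numerically, with counters and rule positions.
    $IPT -L INPUT -n -v --line-numbers
}

build_firewall
```

Because -F and -X run first, the script is safe to re-run; the TCP_SANITY chain is recreated each time before INPUT references it.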

Please credit the original address when reposting: https://www.9cbs.com/read-103796.html
