Iptables Chinese MAN Documentation


Overview

iptables -[ADC] chain rule-specification [options]
    -A append, -D delete, -C check a rule in the given chain

iptables -[RI] chain rulenum rule-specification [options]
    -R replace, -I insert a rule at the given position in the chain

iptables -D chain rulenum [options]
    delete the rule with the given number

iptables -[LFZ] [chain] [options]
    -L list, -F flush, -Z zero the counters of a chain

iptables -[NX] chain
    -N create, -X delete a user-defined chain

iptables -P chain target [options]
    set the default target (policy) of the chain

iptables -E old-chain-name new-chain-name
    rename a chain

Description

iptables is used to set up, maintain and inspect the IP packet filter rules in the Linux kernel. Several different tables can be defined; each table contains a number of built-in chains and may also contain user-defined chains.

A chain is a list of rules that can match a set of packets: each rule specifies what to do with a packet that matches it. This is called a "target", and it may also be a jump to a user-defined chain in the same table.

Targets

A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is determined by the value of the target. The target can be the name of a user-defined chain, or one of the special values ACCEPT, DROP, QUEUE or RETURN. ACCEPT means to let the packet through. DROP means to discard the packet. QUEUE means to pass the packet to user space. RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the fate of the packet is decided by the target given in the chain's policy.

Tables

There are currently three tables (which tables are present at any time depends on the kernel configuration options and on which modules are loaded).

-t table
    This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for that table if it is not already loaded. The tables are as follows:

filter
    This is the default table. It contains the built-in chains INPUT (for packets coming into the host itself), FORWARD (for packets being routed through the host) and OUTPUT (for locally generated packets).

nat
    This table is consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to go out).

mangle
    This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing).

Options

The options recognized by iptables can be divided into several groups.

Commands

These options specify the action to perform. Only one of them can be given on a command line unless otherwise stated below. For the long versions of the command and option names, you need to type only enough letters to let iptables distinguish them from all other options.

-A, --append
    Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-D, --delete
    Delete one or more rules from the selected chain. There are two forms of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule specification to match.

-R, --replace
    Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.

-I, --insert
    Insert one or more rules in the selected chain at the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default when no rule number is given.

-L, --list
    List all rules in the selected chain. If no chain is selected, all chains are listed. The -Z option may be given as well, in which case the chain(s) are atomically listed and zeroed. The exact output is affected by the other arguments given.

-F, --flush
    Flush the selected chain. This is equivalent to deleting all the rules one by one.

-Z, --zero
    Zero the packet and byte counters in all chains. It may be combined with -L to see the counters immediately before they are cleared (see above).

-N, --new-chain
    Create a new user-defined chain with the given name. There must be no chain of that name already.

-X, --delete-chain
    Delete the specified user-defined chain. There must be no references to the chain; if there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, the command attempts to delete every non-built-in chain in the table.

-P, --policy
    Set the policy of the chain to the given target. See the section Targets for the legal targets. Only non-user-defined chains can have policies, and neither built-in nor user-defined chains can be policy targets.

-E, --rename-chain
    Rename the specified chain to the name given by the user. This is purely cosmetic and has no effect on the structure of the table.

-h
    Help. Gives a (currently very brief) description of the command syntax.

Parameters

The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

-p, --protocol [!] protocol
    The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or it can be a numeric value representing one of these protocols. A protocol name from /etc/protocols is also allowed. A "!" before the protocol inverts the test. The number 0 is equivalent to all. Protocol all matches every protocol and is the default when this option is omitted. all may not be used in combination with the check command.

-s, --source [!] address[/mask]
    Source specification. address can be a host name, a network name or a plain IP address. The mask can be either a network mask or a plain number giving the number of 1 bits at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" before the address specification inverts the sense of the address. The flag --src is an alias for this option.

-d, --destination [!] address[/mask]
    Destination specification. See the description of the -s flag for details of the syntax. The flag --dst is an alias for this option.

-j, --jump target
    This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see Extensions below). If this option is omitted in a rule, matching the rule has no effect on the packet's fate, but the counters on the rule are still incremented.

-i, --in-interface [!] [name]
    Optional name of the (network) interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When "!" is used before the interface name, the sense is inverted. If the interface name ends in a "+", any interface whose name begins with that string matches. If this option is omitted, the string "+" is assumed, which matches any interface name.

-o, --out-interface [!] [name]
    Optional name of the interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When "!" is used before the interface name, the sense is inverted. If the interface name ends in a "+", any interface whose name begins with that string matches. If this option is omitted, the string "+" is assumed, which matches any interface name.

[!] -f, --fragment
    This means that the rule refers only to the second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or its ICMP type), such a packet will not match any rule which specifies them. When "!" precedes the -f flag, the sense is inverted.
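The following script is an added example, not part of this man page: it exercises the commands (-N, -A, -I, -D, -F, -X, -P) and the rule parameters (-p, -s, -i, -j, and the tcp --destination-port match) described above. The interface name, network and admin host are assumed placeholders, and the `ipt` wrapper with its `DRY_RUN` switch is the example's own device for previewing the commands before applying them as root.

```shell
#!/bin/sh
# Added example (not from the man page): build, then tear down, a small
# user-defined chain hooked into INPUT. DRY_RUN=1 prints the iptables
# invocations instead of executing them; applying them needs root.
set -eu

LAN_IF="${LAN_IF:-eth1}"                 # assumed inside interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed sample network
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}" # constructed sample admin host
DRY_RUN="${DRY_RUN:-0}"

# Every rule goes through this wrapper so a dry run can be reviewed first.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Rules are checked in order and the first match decides, so the specific
# ACCEPT is appended before the broader DROP. -A appends at the tail;
# -I 1 inserts at the head even though it is issued last.
build_input_rules() {
    ipt -N lan-in                                          # new user-defined chain
    ipt -A lan-in -p tcp -s "$ADMIN_HOST" --destination-port 22 -j ACCEPT
    ipt -A lan-in -p tcp --destination-port 22 -j DROP     # no SSH for anyone else
    ipt -A lan-in -j RETURN                                # back to INPUT for the rest
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j lan-in      # hook the chain into INPUT
    ipt -I INPUT 1 -i lo -j ACCEPT                         # loopback first
    ipt -P INPUT DROP                                      # policy: only when nothing matched
}

# A referenced chain cannot be deleted, so the jump rule is removed first
# (-D by rule specification), then the chain is flushed and deleted.
teardown_input_rules() {
    ipt -D INPUT -i "$LAN_IF" -s "$LAN_NET" -j lan-in
    ipt -F lan-in
    ipt -X lan-in
}

# Number of iptables invocations a builder function emits (from a dry run).
count_rules() {
    ( DRY_RUN=1; "$1" ) | grep -c '^iptables'
}

case "${1:-}" in
    apply)    build_input_rules ;;
    teardown) teardown_input_rules ;;
    preview)  DRY_RUN=1; build_input_rules ;;
esac
```

Run `sh firewall.sh preview` to see the seven commands in the order they are issued; `iptables -L INPUT --line-numbers` afterwards shows that the -I rule nonetheless sits at position 1.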

Other Options

The following additional options can be specified:

-v, --verbose
    Verbose output. This option makes the list command show the interface address, the rule options (if any) and the TOS (Type of Service) masks. The packet and byte counters are also listed, with the suffix K, M or G for 1,000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

-n, --numeric
    Numeric output. IP addresses and port numbers are printed in numeric form. By default, the program tries to display them as host names, network names or service names (whenever applicable).

-x, --exact
    Expand numbers. Display the exact value of the packet and byte counters instead of the rounded number expressed in K, M or G. This option is only relevant for the -L command.

--line-numbers
    When listing rules, add a line number to the beginning of each rule, corresponding to that rule's position in the chain.

Match Extensions

iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by "!" to invert the sense of the match.

tcp
    These extensions are loaded if --protocol tcp is specified and no other match is specified. They provide the following options:

--source-port [!] [port[:port]]
    Source port or port range specification. This can be either a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first, they are swapped. The flag --sport is an alias for this option.

--destination-port [!] [port[:port]]
    Destination port or port range specification. The flag --dport is an alias for this option.

--tcp-flags [!] mask comp
    Match when the TCP flags are as specified. The first argument is the list of flags to examine, written as a comma-separated list; the second argument is a comma-separated list of the flags which must be set. The flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

        iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

    matches only packets with the SYN flag set and the ACK, FIN and RST flags unset.

[!] --syn
    Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface prevents incoming TCP connections, while outgoing TCP connections are unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If "!" precedes --syn, the sense of the option is inverted.

--tcp-option [!] number
    Match if the given TCP option is set.

udp
    These extensions are loaded if --protocol udp is specified and no other match is specified. They provide the following options:

--source-port [!] [port[:port]]
    Source port or port range specification. See the description of the --source-port option of the tcp extension for details.

--destination-port [!] [port[:port]]
    Destination port or port range specification. See the description of the --destination-port option of the tcp extension for details.

icmp
    This extension is loaded if --protocol icmp is specified and no other match is specified. It provides the following option:

--icmp-type [!] typename
    This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac
--mac-source [!] address
    Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

limit
    This module matches at a limited rate using a token bucket filter; it can be combined with the LOG target to give limited logging. A rule using this extension matches until the limit is reached (unless the "!" flag is used).

--limit rate
    Maximum average matching rate: specified as a number, with an optional /second, /minute, /hour or /day suffix; the default is 3/hour.

--limit-burst number
    Maximum initial number of packets to match: this number is recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

multiport
    This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

--source-port [port[,port]]
    Match if the source port is one of the given ports.

--destination-port [port[,port]]
    Match if the destination port is one of the given ports.

--port [port[,port]]
    Match if both the source and the destination port are equal to each other and to one of the given ports.

mark
    This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

--mark value[/mask]
    Matches packets with the given unsigned mark value (if a mask is specified, it is logically ANDed with the mark before the comparison).

owner
    This module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain, and even there some packets (such as ICMP ping responses) may have no owner and hence never match.

--uid-owner userid
    Matches if the packet was created by a process with the given effective user id.

--gid-owner groupid
    Matches if the packet was created by a process with the given effective group id.

--sid-owner sessionid
    Matches if the packet was created by a process in the given session group.

state
    This module, when combined with connection tracking, allows access to the connection tracking state of the packet.

--state state
    Where state is a comma-separated list of the connection states to match. Possible states are INVALID, meaning that the packet is associated with no known connection; ESTABLISHED, meaning that the packet is associated with a connection which has seen packets in both directions; NEW, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning that the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

unclean
    This module takes no options, but attempts to match packets which seem malformed or unusual. It is experimental.

tos
    This module matches the 8-bit Type of Service field in the IP header (i.e. including the precedence bits).

--tos tos
    The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value to match.
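The following script is an added example, not part of this man page: it assembles an INPUT policy from the match extensions above (tcp --tcp-flags and --syn, state, limit combined with the LOG target, multiport, mac). The interface names, port list and MAC address are constructed placeholders; the `ipt` wrapper and its `DRY_RUN` switch are the example's own. It uses `--dports`, the multiport alias that current iptables releases accept for the `--destination-port` option listed above.

```shell
#!/bin/sh
# Added example (not from the man page): a stateful INPUT policy.
# DRY_RUN=1 prints the commands instead of executing them; applying needs root.
set -eu

EXT_IF="${EXT_IF:-ppp0}"                        # assumed outside interface
LAN_IF="${LAN_IF:-eth1}"                        # assumed inside interface
WEB_PORTS="${WEB_PORTS:-80,443}"                # multiport list (at most 15 ports)
CONSOLE_MAC="${CONSOLE_MAC:-00:11:22:33:44:55}" # constructed sample MAC address
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

build_stateful_input() {
    # Flag combinations that never occur in a valid TCP exchange go to a chain
    # that logs a bounded number of them (limit + LOG) and drops all of them.
    ipt -N bad-tcp
    ipt -A bad-tcp -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "bad-tcp:"
    ipt -A bad-tcp -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j bad-tcp
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j bad-tcp

    # Connection tracking next: replies to connections this host opened and
    # related traffic (FTP data, ICMP errors) pass; untrackable packets do not.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # New inbound connections: only the published web ports from outside, and
    # SSH only from one known Ethernet station on the LAN (mac match).
    ipt -A INPUT -i "$EXT_IF" -p tcp -m multiport --dports "$WEB_PORTS" -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp --syn --destination-port 22 -m mac --mac-source "$CONSOLE_MAC" -j ACCEPT

    # --syn covers every remaining connection request; the chain policy then
    # takes care of whatever is left.
    ipt -A INPUT -i "$EXT_IF" -p tcp --syn -j DROP
    ipt -P INPUT DROP
}

# 1-based position of the first emitted rule matching a pattern. Order matters:
# the first matching rule decides a packet's fate, so the ESTABLISHED accept
# has to come before the catch-all --syn DROP.
rule_index() {
    ( DRY_RUN=1; build_stateful_input ) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    apply)   build_stateful_input ;;
    preview) DRY_RUN=1; build_stateful_input ;;
esac
```

The LOG rule is rate-limited on purpose: without `-m limit`, a burst of malformed packets would write one kernel log line each. The state rules are placed before any port-specific rule so that return traffic is accepted without re-evaluating the rest of the chain.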

Target Extensions

iptables can use extended target modules; the following are included in the standard distribution.

LOG
    Turn on kernel logging of matching packets. When this target is set for a rule, the Linux kernel prints some information on all matching packets (such as most IP header fields) via printk().

--log-level level
    Level of logging (numeric, or see syslog.conf(5)).

--log-prefix prefix
    Prefix log messages with the specified prefix; up to 14 letters long, useful for distinguishing messages in the logs.

--log-tcp-sequence
    Log TCP sequence numbers. This is a security risk if the log is readable by users.

--log-tcp-options
    Log options from the TCP packet header.

--log-ip-options
    Log options from the IP packet header.

MARK
    This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.

--set-mark mark

REJECT
    This is used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains. Several options control the nature of the error packet returned:

--reject-with type
    The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which returns the corresponding ICMP error message (the default is port-unreachable). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules in the INPUT chain, or rules called from the INPUT chain, which only match the TCP protocol: this causes a TCP RST packet to be sent back.

TOS
    This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.

--set-tos tos
    You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

MIRROR
    This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains.

SNAT
    This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and that rules should cease being examined. It takes one option:

--to-source ipaddr[-ipaddr][:port-port]
    This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, source ports below 512 are mapped to other ports below 512, those between 512 and 1023 inclusive are mapped to ports below 1024, and other ports are mapped to 1024 or above. Where possible, the port is not altered.

DNAT
    The counterpart of SNAT for the destination address. It takes one option:

--to-destination ipaddr[-ipaddr][:port-port]
    This can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, the destination port is never modified.

MASQUERADE
    This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dial-up) connections: if you have a static IP address, use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dial-up is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

--to-ports port[-port]
    This specifies a range of source ports to use, overriding the default SNAT source port selection (see above). It is only valid if the rule also specifies -p tcp or -p udp.

REDIRECT
    This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally generated packets are mapped to the address 127.0.0.1). It takes one option:

--to-ports port[-port]
    This specifies a destination port or range of ports to use; without it, the destination port is never altered. It is only valid if the rule also specifies -p tcp or -p udp.
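The following script is an added example, not part of this man page: it applies the nat-table targets described above (SNAT or MASQUERADE depending on whether the outside address is static, DNAT, REDIRECT) together with REJECT in the filter table. Interfaces, addresses and ports are constructed placeholders, and the `ipt` wrapper with its `DRY_RUN` switch is the example's own.

```shell
#!/bin/sh
# Added example (not from the man page): a small NAT gateway.
# DRY_RUN=1 prints the commands instead of executing them; applying needs root.
set -eu

EXT_IF="${EXT_IF:-ppp0}"                  # assumed outside (dial-up) interface
LAN_IF="${LAN_IF:-eth1}"                  # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # constructed internal network
STATIC_IP="${STATIC_IP:-}"                # empty means the outside address is dynamic
WEB_SERVER="${WEB_SERVER:-192.168.1.20}"  # constructed internal web server
PROXY_PORT="${PROXY_PORT:-3128}"          # constructed local proxy port
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Outbound translation in POSTROUTING: SNAT needs a fixed address; MASQUERADE
# uses whatever address the interface has and forgets the connections when the
# link goes down, which is what a dial-up link wants.
build_outbound_nat() {
    if [ -n "$STATIC_IP" ]; then
        ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j SNAT --to-source "$STATIC_IP"
    else
        ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    fi
}

# Inbound translation in PREROUTING: publish the internal web server (DNAT) and
# divert LAN web traffic to a proxy on this host (REDIRECT). The nat table only
# sees the first packet of a connection; the filter table must still allow it.
build_inbound_nat() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --destination-port 80 -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --destination-port 80 -j REDIRECT --to-ports "$PROXY_PORT"
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -p tcp -d "$WEB_SERVER" --destination-port 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
}

# REJECT answers instead of silently dropping: a TCP RST for ident (port 113)
# probes so remote mail and IRC servers fail fast instead of waiting for a
# timeout, and the default ICMP port-unreachable for everything else forwarded.
build_reject_rules() {
    ipt -A INPUT -i "$EXT_IF" -p tcp --destination-port 113 -j REJECT --reject-with tcp-reset
    ipt -A FORWARD -j REJECT
}

# Report which outbound target the current configuration selects.
nat_target() {
    ( DRY_RUN=1; build_outbound_nat ) | sed -n 's/.* -j \([A-Z]*\).*/\1/p'
}

case "${1:-}" in
    apply)   build_outbound_nat; build_inbound_nat; build_reject_rules ;;
    preview) DRY_RUN=1; build_outbound_nat; build_inbound_nat; build_reject_rules ;;
esac
```

Setting `STATIC_IP` switches the outbound rule from MASQUERADE to SNAT, which is the choice the MASQUERADE description above asks for. The ESTABLISHED,RELATED rule in FORWARD is what lets the DNAT'ed and masqueraded connections carry their reply traffic.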

Diagnostics

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

BUGS

Check is not implemented (yet).

Compatibility with ipchains

This iptables is very similar to ipchains by Rusty Russell. The main difference is that the chains INPUT and OUTPUT are only traversed for packets coming into the local host and originating from the local host respectively. Hence every packet passes through only one of the three chains; previously a forwarded packet would pass through all three. The other main difference is that -i refers to the input interface and -o to the output interface, and both are available for packets entering the FORWARD chain. iptables is a pure packet filter when using the default filter table, with optional extension modules. This should remove much of the previous confusion over the combination of IP masquerading and packet filtering. So the following options are handled differently: -j MASQ, -M -S, -M -L. There are several other changes in iptables.

See Also

The iptables-HOWTO, which details more iptables usage, and the netfilter-hacking-HOWTO, which details the internals.

Authors

Rusty Russell wrote iptables, in early consultation with Michael Neuling. Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere. James Morris wrote the TOS target, and tos match. Jozsef Kadlecsik wrote the REJECT target. The Netfilter Core Team is: Marc Boucher, Rusty Russell.

Mar 20, 2000

Chinese maintenance: Yang Peng (NetSnake)
Address: Enshi Daily newspaper office, No. 22 Dongfeng Avenue, Enshi City, Hubei Province, postcode 445000
Email: Netsnake@963.net
Phone: 0718-8260030

Please credit the original URL when reposting: https://www.9cbs.com/read-113965.html
