iptables manual page (translated from Chinese)

xiaoxiao, 2021-03-05

Synopsis

iptables -[ADC] chain rule-specification [options]

Use iptables -[ADC] to work on the rules of a chain: -A appends, -D deletes, -C modifies.

iptables -[RI] chain rulenum rule-specification [options]

Use iptables -[RI] to address a rule by its position (rulenum) in the chain.

iptables -D chain rulenum [options]

Delete the rule at the given position.

iptables -[LFZ] [chain] [options]

Use iptables -[LFZ] with an optional chain name and options.

iptables -[NX] chain

Use -[NX] on the named chain.

iptables -P chain target [options]

Set the default target (policy) of the named chain.

iptables -E old-chain-name new-chain-name

Rename the chain old-chain-name to new-chain-name.

Description

iptables is used to set up, maintain and inspect the IP packet filtering rules of the Linux kernel.

Several different tables can be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that can match a set of packets: each rule specifies what to do with a packet that matches it. This is called a 'target', which may also be a jump to a user-defined chain in the same table.

Targets

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is determined by the value of the target. The target can be the name of a user-defined chain, or one of the special values ACCEPT, DROP, QUEUE or RETURN.

ACCEPT means let the packet through. DROP means discard the packet. QUEUE means pass the packet to user space. RETURN means stop traversing this chain and resume at the next rule in the calling chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the fate of the packet is decided by the policy (the target set for that chain).
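The traversal rules just described (fall through on no match, ACCEPT/DROP decide immediately, user chains as subroutines, RETURN back to the caller, policy at the end of a built-in chain, counter-only rules without a target) modelled in Python. This is an added example, not code from the manual page or from netfilter; the ruleset, the packet fields and the chain name "web" are constructed for the demonstration.

```python
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]


class Rule:
    def __init__(self, match: Callable[[Packet], bool], target: Optional[str]):
        self.match, self.target = match, target
        self.packets = 0          # per-rule counter, as listed by -L -v


class Table:
    def __init__(self, policies: Dict[str, str]):
        self.policies = policies  # built-in chain -> policy, as set with -P
        self.chains: Dict[str, List[Rule]] = {c: [] for c in policies}

    def new_chain(self, name: str) -> None:      # -N: the name must be unused
        if name in self.chains:
            raise ValueError("chain already exists: " + name)
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # -A
        self.chains[chain].append(rule)

    def verdict(self, chain: str, pkt: Packet) -> str:
        """Final fate (ACCEPT or DROP) of pkt entering a built-in chain."""
        return self._walk(chain, pkt) or self.policies[chain]

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue                      # no match: try the next rule
            rule.packets += 1
            if rule.target is None:
                continue                      # no -j given: counters only
            if rule.target == "RETURN":
                return None                   # resume in the calling chain
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target            # fate decided immediately
            sub = self._walk(rule.target, pkt)   # jump into a user chain
            if sub is not None:
                return sub
        return None   # fell off the end: caller continues, or policy applies


def demo_table() -> Table:
    """Constructed ruleset: INPUT with policy DROP and a user chain 'web'."""
    t = Table({"INPUT": "DROP"})
    t.new_chain("web")
    t.append("web", Rule(lambda p: p["dport"] == 80, "ACCEPT"))
    t.append("web", Rule(lambda p: str(p["src"]).startswith("10."), "RETURN"))
    t.append("web", Rule(lambda p: p["dport"] == 443, "ACCEPT"))
    t.append("INPUT", Rule(lambda p: True, None))              # count everything
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp", "web"))
    t.append("INPUT", Rule(lambda p: p["proto"] == "icmp", "ACCEPT"))
    return t


def run_demo():
    """Verdicts for five constructed packets, plus the counting rule's counter."""
    t = demo_table()
    pkts = [
        {"proto": "tcp", "src": "192.0.2.1", "dport": 80},    # web rule 1
        {"proto": "tcp", "src": "10.1.1.1", "dport": 443},    # RETURN, then policy
        {"proto": "tcp", "src": "192.0.2.1", "dport": 443},   # web rule 3
        {"proto": "icmp", "src": "192.0.2.1", "dport": 0},    # INPUT rule 3
        {"proto": "udp", "src": "192.0.2.1", "dport": 53},    # no match: policy
    ]
    return [t.verdict("INPUT", p) for p in pkts], t.chains["INPUT"][0].packets


if __name__ == "__main__":
    print(run_demo())
```

The second packet shows why RETURN from a user chain is not an ACCEPT: after returning, INPUT has no further matching rule, so the DROP policy applies.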

Tables

There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and on which modules are loaded).

-t table

This option specifies the packet matching table the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for the table if it is not already present. The tables are as follows:

filter: this is the default table. It contains the built-in chains INPUT, FORWARD and OUTPUT (for locally generated packets).

nat: this table is consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to go out).

mangle: this table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing).

Options

The options recognized by iptables can be divided into several different groups.

Commands

These options specify the specific action to perform. Only one of them can be given on the command line unless otherwise specified below. For the long versions of the command and option names, you need only use enough letters to ensure that iptables can distinguish it from all other options.

-A, --append

Append one or more rules to the end of the selected chain. When the source and/or destination address resolves to more than one address, a rule is added for each possible address combination.

-D, --delete

Delete one or more rules from the selected chain. The rule to delete can be given in two ways: as its number in the chain (starting at 1), or as a rule specification to match.

-R, --replace

Replace a rule in the selected chain. If the source and/or destination address resolves to more than one address, the command fails. Rule numbers start at 1.

-I, --insert

Insert one or more rules in the selected chain at the given rule number. So if the rule number is 1, the rule is inserted at the head of the chain. This is also the default when no rule number is given.

-L, --list

List all rules in the selected chain. If no chain is selected, all chains are listed. It may be combined with the -Z (zero) option, in which case the chain(s) are listed and zeroed atomically. The exact output depends on the other options given.

-F, --flush

Flush the selected chain. This is equivalent to deleting all of its rules one by one.

-Z, --zero

Zero the packet and byte counters of all chains. It may be combined with -L to read the counters immediately before they are cleared; see above.

-N, --new-chain

Create a new user-defined chain with the given name. There must be no existing chain of that name.

-X, --delete-chain

Delete the specified user-defined chain. The chain must not be referenced by any rule; if it is, the referencing rules must be deleted or replaced before the chain can be deleted. If no argument is given, the command tries to delete every non-built-in chain.

-P, --policy

Set the policy (default target) of the chain.

-E, --rename-chain

Rename the specified chain to the name given by the user. This is cosmetic and has no effect on the structure of the table. The target given to -P must be a legitimate target: only built-in (non-user-defined) chains can have a policy, and neither built-in nor user-defined chains can be used as a policy target.

-h, --help

Give a very short description of the command syntax.

Parameters

The following parameters make up a rule specification, as used in the add, delete, replace, append and check commands.

-p, --protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or a numeric value representing one of these or another protocol. A protocol name from /etc/protocols is also allowed. A "!" before the protocol inverts the test. The number 0 is equivalent to all. The protocol all matches all protocols and is the default when this option is omitted. all may not be used in combination with the check command.

-s, --source [!] address[/mask]

Source specification. The address can be a host name, a network name or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1 bits at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.

-d, --destination [!] address[/mask]

Destination specification. See the description of the -s flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target

This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see Extensions below). If this option is omitted in a rule, matching the rule has no effect on the packet's fate, but the counters of the rule are incremented.

-i, --in-interface [!] [name]

Optional name of an interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match any interface name.

-o, --out-interface [!] [name]

Optional name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match any interface name.

[!] -f, --fragment

This means that the rule only refers to the second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports (or ICMP type) of such a packet, it will not match any rule which specifies them. A "!" before the -f flag inverts the sense.

Other options

The following additional options can be specified:

-v, --verbose

Verbose output. This option makes the list command show the interface address, the rule options (if any) and the TOS (Type of Service) masks. The packet and byte counters are also listed, with the suffix K, M or G for multipliers of 1000, 1,000,000 and 1,000,000,000 respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

-n, --numeric

Numeric output. IP addresses and port numbers are printed in numeric format. By default, the program tries to display them as host names, network names or services (whenever applicable).

-x, --exact

Expand numbers. Display the exact value of the packet and byte counters instead of rounded numbers in K, M or G. This option is only relevant for the -L command.

--line-numbers

When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

Match extensions

iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by "!" to invert the sense of the match.

TCP

These extensions are loaded if --protocol tcp is specified and no other match is specified. It provides the following options:

--source-port [!] [port[:port]]

Source port or port range specification. This can be a service name or a port number. An inclusive range can be specified using the format port:port. If the first port is omitted, "0" is assumed; if the last port is omitted, "65535" is assumed. If the second port is greater than the first, they are swapped. The flag --sport is a convenient alias for this option.

--destination-port [!] [port[:port]]

Destination port or port range specification. The flag --dport is a convenient alias for this option.

--tcp-flags [!] mask comp

Match when the TCP flags are as specified. The first argument is the flags to examine, written as a comma-separated list; the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN only matches packets with the SYN flag set and the ACK, FIN and RST flags unset.

[!] --syn

Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; blocking such packets coming in on an interface, for example, prevents incoming TCP connections while outgoing TCP connections are unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes "--syn", the sense of the option is inverted.

--tcp-option [!] number

Match if the given TCP option is set.
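How --tcp-flags mask comp and --syn are evaluated, as an added Python model (not the page's or netfilter's code): the packet's flags are masked with the first argument and the result must equal the second. The flag bit values, the packet() helper and the sanity check that comp lies within mask are this example's own.

```python
# TCP header flag bits (RFC 793 layout); ALL and NONE are the page's shorthands.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(spec: str) -> int:
    """Bitmask for a comma-separated flag list, or the ALL / NONE shorthands."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(FLAGS[name.strip()] for name in spec.split(","))   # KeyError on a typo


def tcp_flags_match(mask: str, comp: str, pkt_flags: int, invert: bool = False) -> bool:
    """[!] --tcp-flags mask comp: among the flags in mask, exactly those in comp are set."""
    m, c = flag_bits(mask), flag_bits(comp)
    if c & ~m:
        # A comp flag that mask does not examine can never be satisfied; this
        # example rejects such a rule instead of silently never matching.
        raise ValueError("comp lists a flag that mask does not examine")
    hit = (pkt_flags & m) == c
    return (not hit) if invert else hit


def syn_match(pkt_flags: int, invert: bool = False) -> bool:
    """[!] --syn, written as the page's equivalent --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", pkt_flags, invert)


def packet(*names: str) -> int:
    """Constructed TCP flag word for a packet, e.g. packet('SYN', 'ACK')."""
    return flag_bits(",".join(names)) if names else 0
```

Note that PSH or URG on a packet does not affect the page's FORWARD example, because those flags are not in its mask.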

UDP

These extensions are loaded if --protocol udp is specified and no other match is specified. It provides the following options:

--source-port [!] [port[:port]]

Source port or port range specification. See the description of the --source-port option of the TCP extension for details.

--destination-port [!] [port[:port]]

Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.

ICMP

This extension is loaded if --protocol icmp is specified and no other match is specified. It provides the following option:

--icmp-type [!] typename

This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac

--mac-source [!] address

Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

limit

This module matches at a limited rate using a token bucket filter; combined with the LOG target it gives limited logging. A rule using this extension will match until this limit is reached (unless the "!" flag is used).

--limit rate

Maximum average matching rate: a number with an optional '/second', '/minute', '/hour' or '/day' suffix; the default is 3/hour.

--limit-burst number

Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
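The token bucket behind --limit and --limit-burst, as an added Python model (not the page's code and not the kernel's implementation, which counts in jiffies): the bucket starts full with `burst` tokens, each match spends one, and a token is earned every 1/rate seconds, never exceeding `burst`. Arrival times are passed in explicitly so the model is deterministic; treating a bare number with no suffix as per-second is this example's assumption.

```python
UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec: str) -> float:
    """'3/hour' -> seconds needed to earn one token (1200.0).

    A bare number is taken as per second (assumption of this example)."""
    count, _, unit = spec.partition("/")
    n = int(count)
    if n <= 0:
        raise ValueError("rate must be positive")
    return UNITS[unit or "second"] / n


class LimitMatch:
    def __init__(self, rate: str = "3/hour", burst: int = 5):   # the page's defaults
        self.interval = parse_rate(rate)   # seconds per token
        self.burst = burst                 # bucket size (--limit-burst)
        self.tokens = float(burst)         # starts full: the initial burst
        self.last = 0.0                    # arrival time of the previous packet

    def match(self, now: float) -> bool:
        """Does a packet arriving at time `now` (seconds, non-decreasing) match?"""
        earned = (now - self.last) / self.interval
        self.tokens = min(float(self.burst), self.tokens + earned)   # recharge, capped
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(times, rate="3/hour", burst=5):
    """Per-packet match results for arrivals at the given times, e.g. for a
    rule such as -m limit --limit 3/hour --limit-burst 5 -j LOG."""
    lm = LimitMatch(rate, burst)
    return [lm.match(t) for t in times]
```

With the defaults, a burst of packets at the same instant produces five matches (five log lines) and then one more every 20 minutes; packets that do not match fall through to the next rule, so a LOG rule with this match never blocks traffic by itself.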

multiport

This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

--source-port [port[,port]]

Match if the source port is one of the given ports.

--destination-port [port[,port]]

Match if the destination port is one of the given ports.

--port [port[,port]]

Match if both the source and destination port are equal to each other and to one of the given ports.

mark

This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

--mark value[/mask]

Matches packets with the given unsigned mark value (if a mask is specified, it is logically ANDed with the mark before the comparison).

owner

This module attempts to match various characteristics of the packet creator. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner and hence never match.

--uid-owner userid

Matches if the packet was created by a process with the given user id.

--gid-owner groupid

Matches if the packet was created by a process with the given group id.

--sid-owner sessionid

Matches if the packet was created by a process in the given session group.

state

This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

--state state

Where state is a comma-separated list of the connection states to match. Possible states are INVALID, meaning the packet is associated with no known connection; ESTABLISHED, meaning the packet is associated with a connection which has seen packets in both directions; NEW, meaning the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

unclean

This module takes no options, but attempts to match packets which seem malformed or unusual. It is regarded as experimental.

tos

This module matches the 8-bit Type of Service field in the IP header (i.e. including the precedence bits).

--tos tos

The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value to match.

Target extensions

iptables can use extended target modules: the following are included in the standard distribution.

LOG

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via printk().

--log-level level

Level of logging (numeric or see syslog.conf(5)).

--log-prefix prefix

Prefix log messages with the specified prefix, up to 14 letters long; useful for distinguishing these messages from other information in the logs.

--log-tcp-sequence

Log TCP sequence numbers. This is a security risk if the log is readable by users.

--log-tcp-options

Log options from the TCP packet header.

--log-ip-options

Log options from the IP packet header.

MARK

This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.

--set-mark mark

REJECT

This is used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP.

This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are called from those chains. The following options control the nature of the error packet returned:

--reject-with type

The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules which only match the TCP protocol in the INPUT chain, or in chains called from the INPUT chain: this causes a TCP RST packet to be sent back.

TOS

This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.

--set-tos tos

You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

MIRROR

This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains.

SNAT

This target is only valid in the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and that rules should cease being examined. It takes the following options:

--to-source ipaddr[-ipaddr][:port-port]

This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512; those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.

--to-destination ipaddr[-ipaddr][:port-port]

This can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, the destination port is never modified.

MASQUERADE

This target is only valid in the POSTROUTING chain of the nat table. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

--to-ports port[-port]

This specifies a range of source ports to use, overriding the default SNAT source port selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.

REDIRECT

This target is only valid in the PREROUTING and OUTPUT chains of the nat table, and user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally generated packets are mapped to the address 127.0.0.1). It takes one option:

--to-ports port[-port]

This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

Diagnostics

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

Bugs

Check is not implemented.

Compatibility with ipchains

iptables and Rusty Russell's ipchains are very similar. The main difference is that the INPUT chain is used only for packets destined for the local host, and OUTPUT only for packets generated by the local host. Hence every packet passes through only one of the three chains; previously a forwarded packet passed through all three. The other main difference is that -i refers to the input interface and -o to the output interface, and both are valid for packets entering the FORWARD chain. When the default filter table is used with optional extension modules, iptables is a pure packet filter. This removes much of the confusion of combining IP masquerading and packet filtering, so the following options are handled differently:

-j MASQ

-M -S

-M -L

There are several other changes in iptables.

See also

The iptables-HOWTO, which details iptables usage in depth, and the netfilter-hacking-HOWTO, which details the internals.

Authors

Rusty Russell wrote iptables, in early consultation with Michael Neuling.

Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere.

James Morris wrote the TOS target and the tos match.

Jozsef Kadlecsik wrote the REJECT target.

The Netfilter Core Team is: Marc Boucher, Rusty Russell.

Mar 20, 2000

Chinese translation maintained by: Yang Peng (NetSnake)

Address: No. 22 Dongfeng Avenue, Enshi City, Hubei Province "Enshi Daily"

Zip code: 445000 Email: Netsnake@963.net Phone: 0718-8260030

Please credit the original address when reposting: https://www.9cbs.com/read-33562.html
