iptables command

xiaoxiao, 2021-03-06

iptables is used to set up, maintain and inspect the kernel's IP packet filtering rule tables. Each table contains several rule chains, and each chain holds several rules. A rule defines how matching packets are handled and consists of a match (pattern) and a target (action). If a packet does not match the pattern, the next rule is tried; otherwise the action is carried out. Targets include ACCEPT (accept the packet), DROP (discard it), QUEUE (pass it to userspace) and RETURN (return to the calling chain).

Options

Rule commands:
  -A chain rule-spec             Append a rule to the end of the chain. If a host name that resolves to several IP addresses is used, a rule is added for each address.
  -D chain rule-spec
  -D chain rulenum               Delete a rule.
  -I chain [rulenum] rule-spec   Insert a rule (rule numbers start at 1).
  -R chain rulenum rule-spec     Replace a rule; the new rule-spec must resolve to exactly one rule.
  -L [chain]                     List the rules.
  -F [chain]                     Flush (delete) the rules in the chain.

Chain commands:
  -Z [chain]                     Zero the packet and byte counters.
  -N chain                       Create a new user-defined chain.
  -X chain                       Delete a user-defined chain; a chain that is still referenced cannot be deleted, nor can a built-in chain.
  -P chain target                Set the chain's default policy; only built-in chains have a policy, and the target cannot be QUEUE.
  -E old-chain new-chain         Rename a chain.

Rule specification parameters:
  -p [!] protocol       Protocol, by name from /etc/protocols or by number; 0 is equivalent to all; the default is all.
  -s [!] ipaddr/mask    Source address. mask may be dotted (xxx.xxx.xxx.xxx) or a bit count; ipaddr may be a host or network name, but an IP address is recommended.
  -d [!] ipaddr/mask    Destination address.
  -j target             Target (the action to take).
  -i [!] name           Input interface; valid only in the INPUT, FORWARD and PREROUTING chains. name+ matches every interface whose name starts with name. By default all interfaces match.
  -o [!] name           Output interface; valid only in the OUTPUT, FORWARD and POSTROUTING chains. name+ matches every interface whose name starts with name. By default all interfaces match.
  [!] -f                Match only the second and further fragments of a fragmented packet.
  -c pkts bytes         Initialize the rule's packet and byte counters.

Other parameters:
  -v                    Verbose output.
  -n                    Numeric output (no name resolution).
  -x                    Exact (unrounded) counter values.
  --line-numbers        Show the rule index when listing.
  --modprobe=command    Command used to load a required module when a rule is added or inserted.

Match extensions

An extension's options become available either by giving -p protocol or by loading it explicitly with -m module.

tcp:
  --source-port/--sport [!] port[:port]        Source port or range; an omitted first port means 0, an omitted second port means 65535.
  --destination-port/--dport [!] port[:port]   Destination port or range.
  --tcp-flags [!] mask comp                    Both lists are comma separated: mask is the set of flags to examine, comp the flags that must be set.
  [!] --syn                                    Match TCP connection requests: SYN set, ACK and FIN clear.
  --tcp-option [!] number                      Match packets carrying TCP option number.
  --mss value[:value]                          Match connection-setup packets whose MSS is the given value or in the given range (the MSS bounds the connection's maximum segment size).

udp:
  --source-port/--sport [!] port[:port]
  --destination-port/--dport [!] port[:port]

icmp:
  --icmp-type [!] typename                     ICMP type; list the names with iptables -p icmp -h.

mac:
  --mac-source [!] address                     Match only packets from the given source MAC address; usable in the INPUT, PREROUTING and FORWARD chains.

limit:
  --limit rate                                 Maximum average match rate; valid units are /second, /minute, /hour and /day; the default is 3/hour.
  --limit-burst num                            Maximum initial burst; the default is 5.

multiport:
  --source-ports/--sports port,port,...        Up to 15 ports; used with -p tcp or -p udp.
  --destination-ports/--dports port,port,...
  --ports port,port,...                        Match the port number regardless of whether it is source or destination.

mark:
  --mark value/mask                            Match the mark value; the mark is a property assigned by netfilter.

owner (matches on the process that created the packet; valid only in the OUTPUT chain):
  --uid-owner userid                           Effective UID of the creating process.
  --gid-owner groupid                          Effective GID of the creating process.
  --pid-owner processid                        PID of the creating process.
  --sid-owner sessionid                        Session ID of the creating process.
  --cmd-owner name                             Command name of the creating process.

state:
  --state state                                Connection tracking state, one or more of:
    INVALID       not associated with any known connection
    NEW           a new connection
    ESTABLISHED   an already established connection
    RELATED       related to an existing connection,
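As an added example (not part of the original page), a small script that assembles a minimal stateful host firewall from the options listed above: default DROP policies set with -P, an -m state rule so replies pass without per-service rules, a rate-limited SSH rule built from --syn and -m limit, and an -m multiport rule. The iptables binary name, SSH on port 22 and the helper names r, emit_rules and run_rules are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: a minimal stateful host firewall
# built from the options described above. emit_rules prints the commands so
# they can be reviewed first; "apply" runs them (needs root and iptables).
IPT=${IPT:-iptables}        # assumed binary name
SSH_PORT=${SSH_PORT:-22}    # assumed SSH port; adjust to the host

# r prints one iptables command line instead of executing it
r() { printf '%s %s\n' "$IPT" "$*"; }

emit_rules() {
    r -F; r -X; r -Z                      # flush rules, delete user chains, zero counters
    r -P INPUT DROP                       # anything not explicitly accepted is dropped
    r -P FORWARD DROP                     # this host does not route
    r -P OUTPUT ACCEPT                    # locally generated traffic may leave
    r -A INPUT -i lo -j ACCEPT            # loopback is always allowed
    r -A INPUT -m state --state INVALID -j DROP
    # replies to connections this host opened pass without a per-service rule
    r -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # only connection requests (--syn) count against the limit: 3/min, burst 5
    r -A INPUT -p tcp --syn --dport "$SSH_PORT" -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
    r -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    r -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
}

run_rules() {
    # apply the emitted commands in order, stopping at the first failure
    emit_rules | while IFS= read -r line; do
        $line || { echo "failed: $line" >&2; exit 1; }
    done
}

case "${1:-}" in
    apply) run_rules ;;
    *)     emit_rules ;;
esac
```

Rule order matters: the ESTABLISHED,RELATED rule sits before the per-service rules so that return traffic is accepted by one early rule, and the INPUT policy of DROP catches everything the later rules do not name.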

Please cite the original source when reposting: https://www.9cbs.com/read-54356.html
