Reprint: please specify the source: http://blog.csdn.net/l1028386804/article/details/47356011
iptables Common Commands
List of commonly used commands:
Command -A, --append
Example: iptables -A INPUT ...
Description: appends a new rule to a chain; the new rule becomes the last rule in that chain.
Command -D, --delete
Example: iptables -D INPUT -p tcp --dport 80 -j DROP
iptables -D INPUT 1
Description: deletes a rule from a chain. You can either enter the complete rule specification or give the rule number to delete it directly.
Command -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Description: replaces an existing rule in place; the rule is substituted without changing the order of the chain.
Command -I, --insert
Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Description: inserts a rule at the given position; the rule currently at that position (and every rule after it) moves back one place.
Command -L, --list
Example: iptables -L INPUT
Description: lists all rules in a chain.
Command -F, --flush
Example: iptables -F INPUT
Description: deletes all rules in a chain.
Command -Z, --zero
Example: iptables -Z INPUT
Description: zeroes the packet counters. The counters record how many packets have matched each rule and are an indispensable tool when diagnosing and blocking attacks.
Command -N, --new-chain
Example: iptables -N allowed
Description: defines a new user-defined chain.
Command -X, --delete-chain
Example: iptables -X allowed
Description: deletes a user-defined chain (the chain must be empty).
Command -P, --policy
Example: iptables -P INPUT DROP
Description: sets the default policy of a built-in chain, that is, how packets that match none of the rules in the chain are handled.
Command -E, --rename-chain
Example: iptables -E allowed disallowed
Description: renames a user-defined chain.
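The commands above differ mainly in what they do to rule numbers (-A appends, -I shifts later rules down, -R keeps positions, -D moves later rules up). The following script is an added example, not code from the original post: it is a small simulator that keeps each chain as a text file under a temporary directory and reproduces the numbering rules of -N, -A, -I, -R, -D, -F, -X and -L --line-numbers, so the effect of each command can be seen without root and without touching the real firewall. It never calls iptables; the chain name "demo" and the rule texts are constructed for the example.

```shell
#!/bin/sh
# Added example: simulator of how iptables numbers the rules inside a chain.
# Each chain is a file under $CHAIN_DIR with one rule per line, numbered from 1
# exactly as "iptables -L --line-numbers" shows them. Nothing here runs iptables.
CHAIN_DIR="${CHAIN_DIR:-$(mktemp -d)}"

chain_file() { printf '%s/%s\n' "$CHAIN_DIR" "$1"; }
# -N: create an empty chain; fails if it already exists, like iptables
chain_new() { [ -e "$(chain_file "$1")" ] && return 1; : > "$(chain_file "$1")"; }
# number of rules currently in the chain
chain_count() { wc -l < "$(chain_file "$1")" | tr -d ' '; }
# rule text at position N (empty if N is out of range)
chain_rule() { sed -n "${2}p" "$(chain_file "$1")"; }
# -X: delete a chain; only allowed when the chain is empty
chain_delete_chain() { [ "$(chain_count "$1")" -eq 0 ] || return 1; rm -f "$(chain_file "$1")"; }
# -A: append a rule; it becomes the last rule of the chain
chain_append() { c=$1; shift; printf '%s\n' "$*" >> "$(chain_file "$c")"; }
# -I chain N rule: the new rule takes position N, old rule N and later shift down one
chain_insert() {
  c=$1; n=$2; shift 2
  [ "$n" -ge 1 ] && [ "$n" -le $(( $(chain_count "$c") + 1 )) ] || return 1
  f=$(chain_file "$c"); tmp=$(mktemp)
  awk -v n="$n" -v r="$*" 'NR == n { print r } { print } END { if (NR < n) print r }' "$f" > "$tmp" && mv "$tmp" "$f"
}
# -R chain N rule: replace rule N in place; no other position changes
chain_replace() {
  c=$1; n=$2; shift 2
  [ "$n" -ge 1 ] && [ "$n" -le "$(chain_count "$c")" ] || return 1
  f=$(chain_file "$c"); tmp=$(mktemp)
  awk -v n="$n" -v r="$*" 'NR == n { print r; next } { print }' "$f" > "$tmp" && mv "$tmp" "$f"
}
# -D chain N: delete rule N; later rules move up one
chain_delete() {
  f=$(chain_file "$1"); tmp=$(mktemp)
  awk -v n="$2" 'NR != n' "$f" > "$tmp" && mv "$tmp" "$f"
}
# -F: flush all rules from the chain
chain_flush() { : > "$(chain_file "$1")"; }
# -L --line-numbers: print the chain with rule numbers
chain_list() { echo "Chain $1"; awk '{ printf "%d  %s\n", NR, $0 }' "$(chain_file "$1")"; }

# Demonstration with constructed sample rules in a chain named "demo".
chain_new demo
chain_append demo "-p tcp --dport 22 -j ACCEPT"
chain_append demo "-p tcp --dport 80 -j ACCEPT"
chain_insert demo 1 "-i lo -j ACCEPT"            # the ssh rule becomes number 2
chain_replace demo 3 "-p tcp --dport 80 -j DROP"  # same position, new rule text
chain_delete demo 2                               # the web rule moves up to number 2
chain_list demo
```

Running the script prints the "demo" chain with the loopback rule at 1 and the web DROP rule at 2; deleting by number and then listing again is the quickest way to convince yourself that rule numbers are positions, not identifiers, which is why scripts that delete by number after an insert so often remove the wrong rule.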
Common packet matching parameters:
Parameter -p, --protocol
Example: iptables -A INPUT -p tcp
Description: matches the protocol type of the packet. The ! operator negates the match, for example -p ! tcp means any protocol other than TCP (UDP, ICMP and so on; newer iptables versions write the negation before the option, as ! -p tcp). To match every protocol, use the keyword all, for example -p all.
Parameter -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Description: matches the source IP address of the packet. It can match a single host or a whole network; for a network, give the mask as a prefix length, for example -s 192.168.0.0/24. The ! operator negates the match, for example -s ! 192.168.0.0/24.
Parameter -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Description: matches the destination IP address of the packet; it is specified the same way as -s.
Parameter -i, --in-interface
Example: iptables -A INPUT -i eth0
Description: matches the network interface the packet arrived on. The wildcard + matches a whole group of interfaces, for example -i eth+ matches every Ethernet interface, and the ! operator negates the match, for example -i ! eth0.
Parameter -o, --out-interface
Example: iptables -A FORWARD -o eth0
Description: matches the network interface the packet will leave through; it is specified the same way as -i.
Parameter --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Description: matches the source port of the packet. It can match a single port or a range, for example --sport 22:80 matches ports 22 through 80 inclusive. To match several non-contiguous ports you must use the multiport match described below. The ! operator negates the match.
Parameter --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Description: matches the destination port of the packet; it is specified the same way as --sport.
Parameter --tcp-flags
Example: iptables -p tcp --tcp-flags SYN,FIN,ACK SYN
Description: matches the TCP flags of the packet. The parameter has two parts: the first lists the flags to examine, the second lists which of those flags must be set; any examined flag not listed in the second part must be clear. The TCP flags are SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push). The keywords ALL and NONE can also be used in either part. The ! operator negates the match.
Parameter --syn
Example: iptables -p tcp --syn
Description: matches TCP packets that request a new connection; it is exactly equivalent to iptables -p tcp --tcp-flags SYN,FIN,ACK SYN. With the ! operator it matches every TCP packet except connection requests, which can be used to let existing connections pass while connection attempts are handled separately.
Parameter -m multiport --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Description: matches multiple non-contiguous source ports; up to 15 ports can be given at once. The ! operator negates the match.
Parameter -m multiport --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Description: matches multiple non-contiguous destination ports; it is specified the same way.
Parameter -m multiport --port
Example: iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
Description: this parameter is special: it matches packets whose source port and destination port are the same and appear in the list; the list is given as above. Note: in this example a packet with source port 80 and destination port 110 does not match.
Parameter --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Description: matches the ICMP type, given either by name or by number. Run iptables -p icmp --help to see the available type names.
Parameter -m limit --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Description: matches packets up to an average rate over a period of time; the example above matches as long as the average rate does not exceed 3 packets per hour.
Besides an hourly average, the rate can be given per second, per minute or per day with the suffixes /second, /minute and /day.
Beyond counting packets, once the rate is exceeded the match stops matching, so a rule built on it can keep a flood attack from causing a service interruption.
Parameter --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Description: sets the largest burst of packets that can match at once; the example above allows an initial burst of 5 packets (which is the default value), and packets beyond this limit no longer match, so in the usual arrangement they are dropped by the rule that follows. It is used together with --limit.
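The interaction between --limit and --limit-burst is easiest to see as a token bucket: the bucket starts full with --limit-burst tokens, each matching packet takes one, and --limit says how fast tokens come back. The following script is an added example, not code from the original post: it models that bucket in awk over a constructed packet timeline (timestamps in seconds) so the accept/drop pattern of a rule such as -m limit --limit 3/hour --limit-burst 5 can be checked without loading any rule. The kernel module keeps integer credits rather than floating-point tokens, but the pattern it produces is the same; limit_interval and limit_decide are names chosen for this example.

```shell
#!/bin/sh
# Added example: token-bucket model of the iptables "limit" match.

# limit_interval RATE converts an iptables rate such as 3/hour into the number
# of seconds it takes to earn one token (3/hour -> 1200, 1/second -> 1).
limit_interval() {
  n=${1%/*}; unit=${1#*/}
  case $unit in
    second) secs=1 ;; minute) secs=60 ;; hour) secs=3600 ;; day) secs=86400 ;;
    *) echo "unknown unit: $unit" >&2; return 1 ;;
  esac
  awk -v s="$secs" -v n="$n" 'BEGIN { print s / n }'
}

# limit_decide BURST INTERVAL TIMESTAMP... prints one character per packet:
# A if "-m limit" would still match (the packet is accepted by a
# "-m limit ... -j ACCEPT" rule), D if the bucket is empty and the packet
# falls through to the DROP rule that normally follows.
limit_decide() {
  burst=$1; interval=$2; shift 2
  printf '%s\n' "$@" | awk -v burst="$burst" -v interval="$interval" '
    BEGIN { tokens = burst; last = 0; out = "" }
    {
      # refill: one token per INTERVAL seconds since the previous packet,
      # never above the burst size (the bucket does not bank unused time)
      tokens += ($1 - last) / interval
      if (tokens > burst) tokens = burst
      last = $1
      if (tokens >= 1) { tokens -= 1; out = out "A" } else { out = out "D" }
    }
    END { print out }'
}

# --limit 3/hour is one token every 1200 s; --limit-burst 5 is the default.
# Constructed timeline: seven packets in the first seconds, then two after 1300 s.
limit_decide 5 "$(limit_interval 3/hour)" 0 1 2 3 4 5 6 1300 1301   # prints AAAAADDAD
```

The output shows why the burst value matters for flood protection: the first five packets pass immediately regardless of the 3/hour average, and after the bucket drains only one more packet passes every 20 minutes. A rule that is meant to admit "3 per hour" but leaves --limit-burst at its default therefore still admits 5 in the first second.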
Parameter -m mac --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description: matches the hardware (MAC) address of the interface the packet came from. This parameter cannot be used in the OUTPUT and POSTROUTING chains, because an outgoing packet's destination MAC address is only resolved by the network card driver through ARP after the packet leaves netfilter; at the time iptables examines the packet it does not yet know which network interface the packet will be sent through.
Parameter --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Description: matches packets that carry a given mark number. Once a packet has been marked with the MARK target, later rules can select it by that mark; the mark is a number up to 4294967296.
Parameter -m owner --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Description: matches packets generated on this machine by a particular user (UID). This can prevent the server from transmitting sensitive data under root or another identity and so limit the damage of a compromise. Unfortunately this match cannot be applied to packets coming from other hosts.
Parameter -m owner --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Description: matches packets generated on this machine by a particular group (GID); used the same way.
Parameter -m owner --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Description: matches packets generated on this machine by a particular process (PID).
Parameter -m owner --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Description: matches packets generated on this machine by a particular session (session ID); used the same way.
Parameter -m state --state
Example: iptables -A INPUT -m state --state RELATED,ESTABLISHED
Description: matches the connection-tracking state of the packet. There are four states: INVALID, ESTABLISHED, NEW and RELATED.
INVALID means the packet cannot be associated with any known connection or is malformed.
ESTABLISHED means the packet belongs to an already established connection.
NEW means the packet wants to start a new connection (or reset or redirect an existing one).
RELATED means the packet starts a new connection that is related to an already established one; for example, an FTP data connection must originate from an FTP control connection.
Common targets (processing actions):
The -j parameter specifies the target, that is, what to do with a matching packet. The commonly used targets are ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN and MARK. They are explained below:
ACCEPT lets the packet through. After this action the packet is not compared with the remaining rules of the chain and goes straight on to the next chain (nat:POSTROUTING).
REJECT blocks the packet and sends a packet back to notify the sender. The notification can be chosen from several options: ICMP port-unreachable, ICMP echo-reply or tcp-reset (the latter asks the other side to close the connection). After this action the packet is not compared with the remaining rules; filtering stops here.
Example:
iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
DROP discards the packet silently. After this action the packet is not compared with the remaining rules; filtering stops here.
REDIRECT redirects the packet to another port on the local machine (port NAT). After this action the packet continues to be compared with the remaining rules. This can be used to implement a transparent proxy or to protect a web server. Example:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
MASQUERADE rewrites the packet's source IP to the IP of the firewall's outgoing network interface; a source-port range can also be specified. After this action the packet goes straight on to the next chain (mangle:POSTROUTING). It differs slightly from SNAT: with masquerading you do not specify which IP to use, because the IP is read directly from the network interface. When using a dial-up line the IP is usually assigned by the ISP's DHCP server, which makes MASQUERADE particularly useful. Example:
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 1024-31000
LOG records the packet information under /var/log; see the /etc/syslog.conf configuration file for the exact location. After this action the packet continues to be compared with the remaining rules. Example:
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
SNAT rewrites the packet's source IP to a specific IP or IP range; a port range can also be specified. After this action the packet goes straight on to the next chain (mangle:POSTROUTING). Example:
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
DNAT rewrites the packet's destination IP to a specific IP or IP range; a port range can also be specified. After this action the packet goes straight on to the next chain (filter:INPUT or filter:FORWARD). Example:
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100
MIRROR swaps the source and destination IP of the packet and sends it back. After this action filtering stops.
QUEUE stops filtering and hands the packet to a userspace program through a queue. Other applications, such as accounting for connection costs, can then be implemented in a self-developed program.
RETURN ends processing in the current chain and returns to the calling chain to continue filtering. If a user-defined chain is thought of as a subroutine, this action is equivalent to returning early from the subroutine to the main program.
MARK marks the packet with a number so that later rules can match on it; after this action the packet continues to be compared with the remaining rules. Example:
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
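The NAT targets above only make sense together with the filter rules that permit the translated traffic, and LOG has to be paired with a terminating target because it does not stop processing. The script below is an added example, not code from the original post: nat_rules prints a small gateway configuration in iptables-restore format that uses DNAT, REDIRECT, MASQUERADE, LOG, RETURN-free FORWARD filtering and the rate-limited LOG-then-DROP pattern, and nat_rule_targets lists the targets used in a chain so the result can be checked before it is loaded. The WAN interface eth0, the LAN 192.168.1.0/24, the web server 192.168.1.10 and the proxy port 3128 are assumptions constructed for this example; negation is written in the newer ! -i form.

```shell
#!/bin/sh
# Added example: nat and filter tables for a small gateway, combining the targets above.
WAN_IF="${WAN_IF:-eth0}"                     # constructed: interface towards the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"         # constructed: internal network
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"     # constructed: internal web server
PROXY_PORT="${PROXY_PORT:-3128}"             # constructed: transparent proxy on the gateway

nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT: port 80 arriving on the WAN side is forwarded to the internal web server
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# REDIRECT: web traffic from the LAN is pushed into the local transparent proxy
-A PREROUTING ! -i $WAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# MASQUERADE: everything from the LAN leaving through the WAN interface takes its address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# (INPUT is left at ACCEPT here; a real gateway also restricts it)
# forwarded traffic: tracked connections, the DNAT'ed web connections, LAN to Internet
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -p tcp -d $WEB_SERVER --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
# LOG does not stop processing, so the DROP must follow it explicitly
-A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "FORWARD drop: "
-A FORWARD -j DROP
COMMIT
EOF
}

# nat_rule_targets CHAIN prints the -j targets used in CHAIN, in order, space separated.
nat_rule_targets() {
  nat_rules | awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      for (i = 3; i <= NF; i++) if ($i == "-j") out = out (n++ ? " " : "") $(i + 1)
    }
    END { print out }'
}

# Load both tables; iptables-restore replaces the tables named in the input (root required).
nat_apply() {
  [ "$(id -u)" -eq 0 ] || { echo "nat_apply: must run as root" >&2; return 1; }
  nat_rules | iptables-restore
}

# Quick review of what each chain does before loading it.
for chain in PREROUTING POSTROUTING FORWARD; do
  echo "$chain: $(nat_rule_targets "$chain")"
done
```

Note the pairing of tables: the DNAT rule in nat:PREROUTING changes the destination, but the packet is then judged by filter:FORWARD with its new address, which is why the FORWARD rule admits -d $WEB_SERVER rather than the public address; forgetting the second half leaves the port forward silently blocked by the FORWARD DROP policy.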
Tip:
You can download an iptables command executable binary for Android from http://download.csdn.net/detail/l1028386804/8976209
Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission.