Android iptables common commands
Please credit the source when reprinting: http://blog.csdn.net/l1028386804/article/details/47356011
Common iptables commands
List of common commands:
Command: -A, --append
Example: iptables -A INPUT ...
Appends a new rule to a chain; the rule becomes the last rule in that chain.
Command: -D, --delete
Example: iptables -D INPUT -p tcp --dport 80 -j DROP
Example: iptables -D INPUT 1
Deletes a rule from a chain. You can either spell out the complete rule or give the rule's number within the chain.
Command: -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Replaces the rule at the given position; the rule keeps the same position in the chain.
Command: -I, --insert
Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Inserts a rule at the given position; the rule previously at that position (and every rule after it) moves down one position.
Command: -L, --list
Example: iptables -L INPUT
Lists all rules in a chain.
Command: -F, --flush
Example: iptables -F INPUT
Deletes all rules in a chain.
Command: -Z, --zero
Example: iptables -Z INPUT
Resets the packet counters to zero. The packet counters record how often the same kind of packet has been seen, which makes them an indispensable tool when filtering denial-of-service attacks.
Command: -N, --new-chain
Example: iptables -N allowed
Defines a new user-defined chain.
Command: -X, --delete-chain
Example: iptables -X allowed
Deletes a user-defined chain.
Command: -P, --policy
Example: iptables -P INPUT DROP
Sets the default policy of a chain, that is, how packets that match none of the chain's rules are handled.
Command: -E, --rename-chain
Example: iptables -E allowed disallowed
Renames a user-defined chain.
Common packet matching parameters:
Parameter: -p, --protocol
Example: iptables -A INPUT -p tcp
Matches the packet's protocol type. The ! operator negates the match: -p ! tcp matches every protocol other than tcp (udp, icmp, and so on). To match all protocols use the all keyword, as in -p all. (Current iptables releases prefer the negation in front of the option, ! -p tcp, and warn that the -p ! tcp form is deprecated.)
Parameter: -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Matches the packet's source IP address, either a single host or a whole network. For a network, give the mask in CIDR form, e.g. -s 192.168.0.0/24. The ! operator negates the match, e.g. -s ! 192.168.0.0/24.
Parameter: -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Matches the packet's destination IP address; it is set the same way as -s.
Parameter: -i, --in-interface
Example: iptables -A INPUT -i eth0
Matches the network interface the packet arrived on. The wildcard + matches a group of interfaces: -i eth+ means every interface whose name starts with eth. The ! operator negates the match, e.g. -i ! eth0.
Parameter: -o, --out-interface
Example: iptables -A FORWARD -o eth0
Matches the network interface the packet will leave through.
Parameter: --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Matches the packet's source port, either a single port or a range: --sport 22:80 matches ports 22 through 80 inclusive. Non-consecutive ports need the --multiport match described below. The ! operator negates the match.
Parameter: --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Matches the packet's destination port; it is set the same way as --sport.
Parameter: --tcp-flags
Example: iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
Matches the TCP status flags of the packet. The argument has two parts: the first lists the flags to examine, the second lists which of those must be set; any examined flag not in the second list must be clear. The TCP flags are SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push). The keywords ALL and NONE can also be used in either part. The ! operator negates the match.
Parameter: --syn
Example: iptables -A INPUT -p tcp --syn
Matches TCP connection requests; it behaves exactly like iptables -p tcp --tcp-flags SYN,FIN,ACK SYN. With the ! operator it matches packets that are not connection requests.
Parameter: -m multiport --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 80,110
Matches several non-consecutive source ports; up to 15 ports can be given per rule. The ! operator negates the match.
Parameter: -m multiport --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 80,110
Matches several non-consecutive destination ports; it is set the same way as --source-port.
Parameter: -m multiport --port
Example: iptables -A INPUT -p tcp -m multiport --port 80,110
This one is special: it matches only packets whose source port and destination port are the same listed value. It is set the same way as above. Note that in this example a packet with source port 80 and destination port 110 does not match.
Parameter: --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Matches the ICMP type, given either as a name or as a number. Run iptables -p icmp --help to list the names you can use.
Parameter: -m limit --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Matches on the average packet rate over a period of time. The example matches as long as the average does not exceed three packets per hour.
The period can be per second, per minute, per hour or per day; the default is per hour. The corresponding suffixes are /second, /minute, /hour and /day.
Beyond simply counting packets, once the limit is reached the match stops succeeding, so a rule built on it keeps a flood of packets from exhausting a service.
Parameter: --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Matches on the size of a momentary burst of packets. The example matches a burst of up to 5 packets (5 is the default); packets beyond that limit are discarded. It is used together with --limit as described above.
Parameter: -m mac --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Matches the hardware (MAC) address of the interface the packet came from. It cannot be used in the OUTPUT or POSTROUTING chains, because the destination MAC address is only resolved by the NIC driver through ARP after the packet has been handed to the NIC; while iptables is matching, the interface the packet will be sent through is not yet known.
Parameter: --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Matches the mark number carried by the packet. A packet that matches a rule can be given a number with the MARK target; the number may not exceed 4294967296.
Parameter: -m owner --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Matches locally generated packets by the user that created them. This keeps a compromised server from transmitting sensitive data under root or another identity, and limits the damage from a break-in. Unfortunately it cannot match packets coming from other hosts.
Parameter: -m owner --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Matches locally generated packets by the group of the user that created them. It is used the same way as --uid-owner.
Parameter: -m owner --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Matches locally generated packets by the process that created them.
Parameter: -m owner --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Matches locally generated packets by the session ID of the process that created them.
Parameter: -m state --state
Example: iptables -A INPUT -m state --state RELATED,ESTABLISHED
Matches the connection state of the packet. There are four states: INVALID, ESTABLISHED, NEW and RELATED.
INVALID: the packet cannot be associated with any known connection, or its connection data is wrong.
ESTABLISHED: the packet belongs to an already established connection.
NEW: the packet wants to open a new connection (or reset or redirect an existing one).
RELATED: the packet opens a new connection that is related to an established one; for example, an FTP-DATA connection is related to the FTP control connection.
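The matches above are mostly used together. As an added example (not part of the original article), the script below builds a stateful INPUT policy with a user-defined chain that rate-limits new SSH connections with -m limit and -m state; it assumes the uplink is eth0 and SSH listens on port 22, and only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal stateful INPUT
# policy built from the commands and matches described above.
# Assumptions (constructed): the uplink interface is eth0 and SSH listens on
# port 22. Rules are printed for review unless APPLY=1 is set, in which case
# they are executed with the real iptables binary (root required).

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_input_policy() {
    # Start from a clean slate so the script can be re-run: flush INPUT, then
    # drop and recreate the custom chain (-F/-X fail harmlessly on a fresh box).
    ipt -F INPUT
    ipt -F ssh_guard
    ipt -X ssh_guard
    ipt -N ssh_guard
    # Default policy: whatever no rule accepts is dropped.
    ipt -P INPUT DROP
    # Loopback traffic is trusted.
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus related traffic (e.g. FTP-DATA).
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Packets conntrack cannot classify never reach a service.
    ipt -A INPUT -m state --state INVALID -j DROP
    # New SSH connection requests (SYN only) are handed to the custom chain.
    ipt -A INPUT -i eth0 -p tcp --syn --dport 22 -m state --state NEW -j ssh_guard
    # ssh_guard: up to 5 requests at once, then 3 per minute; the excess is
    # logged (itself rate-limited) and dropped.
    ipt -A ssh_guard -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
    ipt -A ssh_guard -m limit --limit 1/minute -j LOG --log-prefix "SSH flood: "
    ipt -A ssh_guard -j DROP
    # Everything else is logged before the default DROP policy discards it.
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT drop: "
}

# Helpers for checking the generated ruleset in review mode.
rule_count() { build_input_policy | wc -l | tr -d ' '; }
has_rule() { build_input_policy | grep -qF -- "$1"; }

build_input_policy
```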
Common targets (actions):
The -j parameter specifies the target, that is, what to do with a matching packet. Common targets are ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN and MARK; they are described below.
ACCEPT lets the packet through. After this target no further rules in the chain are compared; processing jumps directly to the next chain (nat:postrouting).
REJECT blocks the packet and sends a packet back to notify the sender. You can choose between ICMP port-unreachable, ICMP echo-reply and tcp-reset (the last asks the other side to close the connection). After this target, traversal stops and no further rules are compared.
Example:
iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
DROP silently discards the packet. Traversal stops and no further rules are compared.
REDIRECT redirects the packet to another port on the firewall (PNAT). After this target, comparison continues with the remaining rules. It can be used to build a transparent proxy or to protect a web server, for example:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
MASQUERADE rewrites the packet's source IP address to the address of the firewall's own interface, optionally mapping the source port into a given range. After this target, processing jumps directly to the next chain (mangle:postrouting). It differs slightly from SNAT: you do not specify the address to masquerade as; the address is read from the interface. This makes MASQUERADE especially useful on dial-up links, where the ISP's DHCP server assigns the address. Example:
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 1024-31000
LOG records information about the packet under /var/log; see the /etc/syslog.conf configuration file for the exact file. After this target, comparison continues with the remaining rules. Example:
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
SNAT rewrites the packet's source IP address to a specific address or address range, optionally with a port range. After this target, processing jumps directly to the next chain (mangle:postrouting). Example:
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
DNAT rewrites the packet's destination IP address to a specific address or address range, optionally with a port range. After this target, processing jumps directly to the next chain (filter:input or filter:forward). Example:
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100
MIRROR swaps the packet's source and destination IP addresses and sends it back. After this target, traversal stops.
QUEUE stops traversal and hands the packet to a queue for processing by a user-space program. Such a program can implement additional functions, such as accounting for connection charges.
RETURN ends traversal of the current chain and returns to the calling chain to continue filtering. If you think of a user-defined chain as a subroutine, this target is an early return from the subroutine to the main program.
MARK sets a mark number on the packet that later rules can use as a matching condition. After this target, comparison continues with the remaining rules. Example:
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
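The NAT targets above are usually combined with a FORWARD chain that only admits the flows they create. As an added example (not part of the original article), the script below wires SNAT, DNAT, REDIRECT and LOG together for a small gateway; the addresses, interfaces and the local proxy port are constructed assumptions, and the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original article: gateway NAT rules built from
# the SNAT, DNAT, REDIRECT and LOG targets described above, with a FORWARD
# chain that only carries the traffic those NAT rules set up.
# Assumed (constructed) layout: eth0 is the public side with the fixed address
# 203.0.113.10, eth1 is the LAN 192.168.1.0/24, the internal web server is
# 192.168.1.5 and a transparent proxy listens locally on port 8080.
# Rules are printed for review unless APPLY=1 is set (root required).

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_nat_policy() {
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # Outbound LAN traffic leaves with the gateway's fixed public address.
    # On a dial-up/DHCP uplink MASQUERADE (no --to-source) would be used instead,
    # since the address is then read from the interface at packet time.
    ipt -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
    # Public port 80 is forwarded to the internal web server. DNAT happens in
    # PREROUTING, before routing, so the FORWARD chain already sees 192.168.1.5.
    ipt -t nat -A PREROUTING -i eth0 -p tcp -d 203.0.113.10 --dport 80 -j DNAT --to-destination 192.168.1.5:80
    # LAN web browsing is diverted to the local transparent proxy (PNAT).
    ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
    # FORWARD: replies and related traffic first, then exactly the two flows
    # the NAT rules created; everything else is logged and hits the DROP policy.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.5 --dport 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FORWARD drop: "
}

rule_count() { build_nat_policy | wc -l | tr -d ' '; }
has_rule() { build_nat_policy | grep -qF -- "$1"; }

build_nat_policy
```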
Tip:
An iptables binary for Android can be downloaded from http://download.csdn.net/detail/l1028410804/8976209.
Copyright notice: this article is original to the blogger and may not be reproduced without the blogger's permission.