Command line: this section lists the components of the iptables command line (the text that follows the utility name iptables). Apart from the clearly marked parts, the iptables utility imposes no special requirements on the position of command line parameters. The examples in this chapter follow a common ordering that makes a command line easier to read, understand, and maintain. Not every command includes every component.
Many options on the iptables command line have two forms: a short format (a single letter preceded by one hyphen) and a long format (a word preceded by two hyphens). For the sake of brevity, most scripts use the short format; command lines in the long format are a little bulky but easier to read. The following two iptables command lines have the same effect, and this section uses them as its running example:
Table: specifies the name of the table the command operates on: Filter, NAT, or Mangle. You can specify the table name in any iptables command. If no table name is given, the command operates on the Filter table. Most examples in this chapter do not specify a table name, so they operate on the Filter table. Use -t tablename or --table tablename to specify a table.
Command: describes what the rest of the command line does, such as adding or deleting rules, displaying rules, or adding rule chains. In this example, the command (-A or --append) adds the rule specified on the command line to the specified table and chain. Section 15.7.1 lists all commands.
Rule chain: the name of the chain the rule belongs to or the command operates on. The chain can be INPUT, OUTPUT, FORWARD, PREROUTING, or POSTROUTING. When you specify a chain, its name is placed directly on the command line without any hyphens. The example at the beginning of this section works with the FORWARD chain.
There are two kinds of match criteria: packet match criteria (which match network packets) and rule match criteria (which match existing rules).
Packet match criteria/rule specification: packet match criteria identify network packets, so that a rule can take the corresponding action on the packets that match them. The combination of packet match criteria and an action is called a rule specification. Rule specifications form the basis of packet filtering. The first example at the beginning of this section uses the packet match criteria --in-interface eth1 --out-interface eth0. The second example uses the same criteria in short format: -i eth1 -o eth0. These rules forward packets received on the device eth1 and send them out to the network through the device eth0.
Rule match criteria: rule match criteria identify an existing rule. An iptables command can modify or delete the rule that the rule match criteria specify, or place a new rule next to it. There are two ways to specify an existing rule: you can repeat the rule specification that was used to create the rule, or you can use the rule's sequence number (the rule number). Rule numbers start at 1, which denotes the first rule in the chain, and can be displayed in the output of iptables -L --line-numbers. The first command below deletes the rule listed at the beginning of this section. The second command replaces rule 3 in the INPUT chain with a rule that rejects all packets from the IP address 192.168.0.10:
Jump or target: specifies the action the kernel takes on a packet that satisfies all the match criteria of the rule. Specify a jump or target as -j target or --jump target. The example at the beginning of this section uses --jump ACCEPT and -j ACCEPT to specify the ACCEPT target.
A jump transfers control to a different chain in the same table. The following command adds a rule (--append) to the INPUT chain that passes packets using the TCP protocol (--protocol tcp) to the user-defined chain tcp_rules (--jump tcp_rules):
After the tcp_rules chain has processed the packet (assuming it has not dropped or rejected it), processing continues with the rule in the INPUT chain that follows the rule that made the jump.
A target specifies the action the kernel takes on the packet. The simplest targets are ACCEPT, DROP, and REJECT. The following command adds a rule to the FORWARD chain that rejects packets coming from the FTP port (/etc/services, the file iptables consults to determine which port a service uses, shows FTP on port 23):
Some targets (such as LOG) are not terminating targets: after the target executes, control passes to the next rule. Section 15.7.5 describes how to use targets.
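The command lines this section describes, collected into one script as an added example (not the book's own code): each rule is a shell function that, in the default dry-run mode, prints the command line it would run, so the long and short forms, the rule-number operations, the jump to the user-defined chain tcp_rules and the terminating versus non-terminating targets can be compared without touching a live firewall. The interfaces eth1/eth0, the address 192.168.0.10 and the chain name tcp_rules are the ones the text uses; the LOG rule and its prefix are an assumption added to show a non-terminating target.

```shell
#!/bin/sh
# Added example: the iptables command lines described in this section,
# one shell function per rule. With DRY_RUN=1 (the default) each function
# only prints the command line it would run; DRY_RUN=0 executes it with
# the real iptables binary (root required).
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command line.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# The running example in long and short format: forward packets that arrive
# on eth1 out through eth0. No --table option, so the filter table is implied.
forward_rule_long()  { ipt --append FORWARD --in-interface eth1 --out-interface eth0 --jump ACCEPT; }
forward_rule_short() { ipt -A FORWARD -i eth1 -o eth0 -j ACCEPT; }
# The same rule with the table named explicitly.
forward_rule_table() { ipt -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT; }

# Rule match criteria: list rule numbers, delete a rule by repeating its
# rule specification, or replace rule 3 of INPUT by number.
list_input_numbered() { ipt -L INPUT --line-numbers; }
forward_rule_delete() { ipt -D FORWARD -i eth1 -o eth0 -j ACCEPT; }
input_rule_replace()  { ipt --replace INPUT 3 --source 192.168.0.10 --jump REJECT; }

# Jump to a user-defined chain: the chain must exist before a rule can jump
# to it. A packet returns to INPUT after tcp_rules unless tcp_rules accepts,
# drops or rejects it.
tcp_chain_setup() {
    ipt --new-chain tcp_rules
    ipt --append INPUT --protocol tcp --jump tcp_rules
}

# Targets: REJECT is terminating; LOG is not, so the LOG rule goes before the
# REJECT rule it reports on. The port is given by service name, which iptables
# resolves through /etc/services (assumed LOG prefix, not from the text).
forward_reject_ftp() {
    ipt --append FORWARD --protocol tcp --source-port ftp --jump LOG --log-prefix ftp-src:
    ipt --append FORWARD --protocol tcp --source-port ftp --jump REJECT
}

# Show every command line when run as a script in dry-run mode.
if [ "$DRY_RUN" = 1 ]; then
    forward_rule_long; forward_rule_short; forward_rule_table
    list_input_numbered; forward_rule_delete; input_rule_replace
    tcp_chain_setup; forward_reject_ftp
fi
```

Run it as root with DRY_RUN=0 to apply the rules in the order printed; the dry run is also a convenient way to review a rule set before it reaches the kernel.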