iptables man page (translated from the Chinese version)

Source: Internet
Author: User

Overview
iptables -[ADC] chain rule-specification [options]
-A appends, -D deletes, -C checks a rule in the given chain.

iptables -[RI] chain rulenum rule-specification [options]
-R replaces, -I inserts a rule at position rulenum in the chain.

iptables -D chain rulenum [options]
Deletes the rule at position rulenum.

iptables -[LFZ] [chain] [options]
-L lists, -F flushes, -Z zeroes the counters of the given chain (all chains if none is named).

iptables -[NX] chain
-N creates, -X deletes a user-defined chain.

iptables -P chain target [options]
Sets the default target (policy) of the given chain.

iptables -E old-chain-name new-chain-name
Renames the chain old-chain-name to new-chain-name.
Description
iptables is used to set up, maintain, and inspect the IP packet filtering rules of the Linux kernel.
Several different tables can be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules that can match a set of packets: each rule specifies what to do with a packet that matches it. This is called a 'target', and it may also be a jump to a user-defined chain in the same table.

Targets
A firewall rule specifies the criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is determined by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.
ACCEPT means to let the packet through. DROP means to drop the packet. QUEUE means to pass the packet to user space. RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the fate of the packet is decided by the target specified by the chain's policy.

Tables
There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and on which modules are loaded).
-t table
This option specifies the packet matching table that the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for that table if it is not already loaded. The tables are as follows:
filter: this is the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box) and OUTPUT (for locally generated packets).
nat: this table is consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to go out).
mangle: this table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing).
Options
The options recognized by iptables fall into several groups.

Commands
These options specify the specific action to perform; only one of them can be given on the command line unless otherwise stated below. For the long versions of the command and option names you need to type only enough letters to ensure that iptables can distinguish the name from all the other options.
-A, --append
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-D, --delete
Delete one or more rules from the selected chain. There are two forms of this command: the rule can be given as a number in the chain (the first rule is number 1) or as a rule specification to match.

-R, --replace
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.

-I, --insert
Insert one or more rules in the selected chain at the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default when no rule number is given.

-L, --list
List all rules in the selected chain. If no chain is selected, all chains are listed. The -Z (zero) option may be given as well, in which case the chain(s) are atomically listed and zeroed. The exact output is affected by the other options given.

-F, --flush
Flush the selected chain. This is equivalent to deleting all the rules one by one.

-Z, --zero
Zero the packet and byte counters in all chains. The -L (list) option may be given as well, to see the counters immediately before they are cleared (see above).

-N, --new-chain
Create a new user-defined chain with the given name. There must be no existing chain or target of that name.

-X, --delete-chain
Delete the specified user-defined chain. There must be no references to the chain; if there are, the referring rules must be deleted or replaced before the chain can be deleted. If no argument is given, the command tries to delete every non-built-in chain in the table.

-P, --policy
Set the policy of the chain to the given target. See the Targets section for the valid targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be used as policy targets.

-E, --rename-chain
Rename the user-specified chain to the user-supplied name. This is cosmetic and has no effect on the structure of the table.

-h
Help. Give a (currently very brief) description of the command syntax.

Parameters
The following parameters make up a rule specification, as used by the add, delete, replace, append and check commands.

-p, --protocol [!] protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or it can be a numeric value representing one of these or another protocol. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all matches all protocols and is taken as the default when this option is omitted; all may not be used in combination with the check command.
-s, --source [!] address[/mask]
Source specification. The address can be a host name, a network name or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1 bits at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.

-d, --destination [!] address[/mask]
Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target
This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see Target extensions below). If this option is omitted from a rule, matching the rule has no effect on the packet's fate, but the counters on the rule are still incremented.

-i, --in-interface [!] [name]
Optional name of the interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", any interface whose name begins with this string matches. If this option is omitted, the string "+" is assumed, which matches any interface name.

-o, --out-interface [!] [name]
Optional name of the interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", any interface whose name begins with this string matches. If this option is omitted, the string "+" is assumed, which matches any interface name.

[!] -f, --fragment
This means that the rule only refers to the second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports (or ICMP type) of such a packet, it will not match any rule that specifies them. When the "!" argument precedes the -f flag, the sense is inverted.

Other options
The following additional options can be specified:

-v, --verbose
Verbose output. This option makes the list command show the interface address, the rule options (if any) and the TOS (Type of Service) masks. The packet and byte counters are also listed, with the suffix K, M or G for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For the append, insert, delete and replace commands, this prints detailed information about the rule or rules affected.

-n, --numeric
Numeric output. IP addresses and port numbers are printed in numeric form. By default, the program tries to display them as host names, network names or service names (whenever applicable).

-x, --exact
Expand numbers. Display the exact value of the packet and byte counters instead of the rounded number in K, M or G. This option is only relevant for the -L command.

--line-numbers
When listing rules, add line numbers at the beginning of each rule, corresponding to that rule's position in the chain.
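The commands, rule parameters and listing options described above, put together in a small host firewall script. This is an added example and not part of the man page; the interface name eth0, the trusted network 192.168.1.0/24 and the port numbers are assumptions, and the ipt wrapper only prints the commands it would run unless DRY_RUN=0 is set (applying them requires root).

```shell
#!/bin/sh
# Added example (not from the man page): a minimal host firewall built from the
# iptables commands (-P -F -X -Z -N -A -I -D -R -L), rule parameters
# (-p -s -i -j -f) and listing options (-n -v -x --line-numbers).
# Prints the commands by default; DRY_RUN=0 applies them (needs root).

DRY_RUN=${DRY_RUN:-1}
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}                   # assumed interface name
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}   # assumed trusted network

# Run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Reset the filter table: flush every chain, delete user-defined chains,
# zero the counters, then set a default-deny policy (-P) on INPUT and FORWARD.
reset_filter() {
    ipt -F
    ipt -X
    ipt -Z
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# Build the rule set. A user-defined chain (-N) keeps the admin rules together;
# -j jumps into it and RETURN resumes in the calling chain (INPUT).
build_rules() {
    reset_filter
    ipt -N admin
    ipt -A admin -p tcp --dport 22 -j ACCEPT
    ipt -A admin -j RETURN
    ipt -A INPUT -i lo -j ACCEPT                              # rule 1
    ipt -A INPUT -i "$LAN_IF" -s "$ADMIN_NET" -j admin        # rule 2
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT   # rule 3
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT                  # rule 4
}

# Maintenance switch: -I with no rule number inserts at the head of the chain,
# so the DROP is evaluated first; -D with a rule number removes it again.
maintenance_on()  { ipt -I INPUT -j DROP; }
maintenance_off() { ipt -D INPUT 1; }

# Replace a rule in place by number: rule 4 of INPUT is the HTTP rule above.
replace_http_port() {
    ipt -R INPUT 4 -p tcp --dport "$1" -j ACCEPT
}

# List INPUT with numeric addresses, exact counters and rule numbers.
list_rules() {
    ipt -L INPUT -n -v -x --line-numbers
}

build_rules
list_rules
```

The rule-number comments matter: -D and -R address rules by position, so anything that inserts at the head (such as maintenance_on) shifts every number below it, which is why the script removes the maintenance rule before numbered edits are made.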

Match extensions
iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by a "!" to invert the sense of the match.

tcp
These extensions are loaded if --protocol tcp is specified and no other match is specified. It provides the following options:

--source-port [!] [port[:port]]
Source port or port range specification. This can be either a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first, they are swapped. The flag --sport is an alias for this option.

--destination-port [!] [port[:port]]
Destination port or port range specification. The flag --dport is an alias for this option.

--tcp-flags [!] mask comp
Match when the TCP flags are as specified. The first argument is the flags to examine, written as a comma-separated list, and the second argument is a comma-separated list of the flags that must be set. The flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
only matches packets with the SYN flag set and the ACK, FIN and RST flags unset.

[!] --syn
Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface prevents incoming TCP connections, while outgoing TCP connections are unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes --syn, the sense of the option is inverted.

--tcp-option [!] number
Match if the given TCP option is set.

udp
These extensions are loaded if --protocol udp is specified and no other match is specified. It provides the following options:

--source-port [!] [port[:port]]
Source port or port range specification. See the description of the --source-port option of the tcp extension for details.

--destination-port [!] [port[:port]]
Destination port or port range specification. See the description of the --destination-port option of the tcp extension for details.

icmp
This extension is loaded if --protocol icmp is specified and no other match is specified. It provides the following option:

--icmp-type [!] typename
This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac
--mac-source [!] address
Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD or INPUT chains from an Ethernet device.

limit
This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension matches until this limit is reached (unless the "!" flag is used).

--limit rate
Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour' or '/day' suffix; the default is 3/hour.

--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

--source-port [port[,port]]
Match if the source port is one of the given ports.

--destination-port [port[,port]]
Match if the destination port is one of the given ports.

--port [port[,port]]
Match if both the source and destination ports are equal to each other and to one of the given ports.
mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

--mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, the mark is logically ANDed with the mask before the comparison).

owner
This module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the given effective user ID.

--gid-owner groupid
Matches if the packet was created by a process with the given effective group ID.

--sid-owner sessionid
Matches if the packet was created by a process in the given session group.

state
This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

--state state
Where state is a comma-separated list of the connection states to match. The possible states are INVALID, meaning that the packet is associated with no known connection; ESTABLISHED, meaning that the packet is associated with a connection which has seen packets in both directions; NEW, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning that the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

unclean
This module takes no options, but attempts to match packets which seem malformed or unusual. It is regarded as experimental.

tos
This module matches the 8 bits of the Type of Service field in the IP header (i.e. including the precedence bits).

--tos tos
The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value to match.

Target extensions
iptables can use extended target modules. The following are included in the standard distribution.

LOG
Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel prints some information on all matching packets (such as most IP header fields) via printk().
--log-level level
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 14 letters long, and useful for distinguishing messages in the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
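The state, limit, multiport and tcp (--syn) matches combined with the LOG target, as an added example that is not part of the man page: a stateful INPUT chain that accepts replies to known connections, admits new connections only to a short list of ports, and logs what it drops at a bounded rate so that a flood cannot fill the kernel log. The interface eth0 and the port list are assumptions; the ipt wrapper prints the commands unless DRY_RUN=0 is set (applying them requires root).

```shell
#!/bin/sh
# Added example (not from the man page): a stateful INPUT policy using the
# state, limit, multiport and tcp (--syn) matches with the LOG target.
# Prints the commands by default; DRY_RUN=0 applies them (needs root).

DRY_RUN=${DRY_RUN:-1}
IPT=${IPT:-iptables}
PUBLIC_IF=${PUBLIC_IF:-eth0}                 # assumed external interface
SERVICE_PORTS=${SERVICE_PORTS:-22,80,443}    # assumed published TCP ports

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s %s\n' "$IPT" "$*"; else "$IPT" "$@"; fi
}

# Accept packets belonging to connections we already know about (and their
# related ones, e.g. ICMP errors), and drop packets that connection tracking
# cannot associate with any connection at all.
stateful_base() {
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
}

# A TCP segment that is NEW to connection tracking but does not carry a
# proper SYN (--syn = SYN set, ACK and FIN clear) cannot be a legitimate
# connection request; the state match alone would still classify it as NEW.
reject_bogus_new() {
    ipt -A INPUT -i "$PUBLIC_IF" -p tcp ! --syn -m state --state NEW -j DROP
}

# Allow new connections to the published ports in one rule (multiport takes
# up to 15 ports), only when they start with a SYN on the public interface.
allow_services() {
    ipt -A INPUT -i "$PUBLIC_IF" -p tcp --syn -m multiport --destination-port "$SERVICE_PORTS" -m state --state NEW -j ACCEPT
}

# Log what is about to be dropped, at most 5 lines per minute after an initial
# burst of 10 (limit is a token bucket), with a prefix that keeps the lines
# easy to find. The final rule drops everything not accepted above.
log_and_drop() {
    ipt -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix INPUT-DROP: --log-level 4
    ipt -A INPUT -j DROP
}

build_input() {
    stateful_base
    reject_bogus_new
    allow_services
    log_and_drop
}

build_input
```

Rule order is the point of this chain: the ESTABLISHED,RELATED rule comes first so that the bulk of traffic is decided by a single match, the non-SYN NEW drop sits before the service rule so that only real connection requests reach it, and the limit match precedes LOG so that the log rule, not the DROP, is rate limited.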

MARK
This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.

--set-mark mark

REJECT
This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains. Several options control the nature of the error packet returned:

--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules in the INPUT chain, or in chains called from the INPUT chain, which only match the TCP protocol: this causes a TCP RST packet to be sent back.
TOS
This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.

--set-tos tos
You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

MIRROR
This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains.

SNAT
This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and that rules should cease being examined. It takes the following option:

--to-source <ipaddr>[-<ipaddr>][:port-port]
This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, source ports below 512 are mapped to other ports below 512; those between 512 and 1024 are mapped to ports below 1024, and other ports are mapped to 1024 or above. Where possible, the port is not altered.

--to-destination <ipaddr>[-<ipaddr>][:port-port]
This is the option of the DNAT target (nat table, PREROUTING and OUTPUT chains), which modifies the destination address in the same way. It can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, the destination port is never modified.

MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dial-up) connections: if you have a static IP address, use the SNAT target instead. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dial-up is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

--to-ports <port>[-<port>]
This specifies a range of source ports to use, overriding the default SNAT source port selection (see above). This is only valid if the rule also specifies -p tcp or -p udp.

REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains which are only called from those chains. It alters the destination IP address of the packet to send it to the machine itself (locally generated packets are mapped to the 127.0.0.1 address). It takes one option:

--to-ports <port>[-<port>]
This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.
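The nat-table targets SNAT, DNAT (--to-destination), MASQUERADE and REDIRECT wired together for a small router, as an added example that is not part of the man page. The interface names ppp0 and eth1, the addresses and the ports are assumptions; the ipt wrapper prints the commands unless DRY_RUN=0 is set, which requires root and a kernel with NAT support.

```shell
#!/bin/sh
# Added example (not from the man page): the nat-table targets for a small
# router. Which source-NAT target is used depends on whether the uplink has a
# static address (SNAT) or a dynamically assigned one (MASQUERADE).
# Prints the commands by default; DRY_RUN=0 applies them (needs root).

DRY_RUN=${DRY_RUN:-1}
IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-ppp0}                  # assumed uplink interface
LAN_IF=${LAN_IF:-eth1}                  # assumed internal interface
LAN_NET=${LAN_NET:-10.0.0.0/24}         # assumed internal network
STATIC_IP=${STATIC_IP:-}                # set to the public address to use SNAT
WEB_SERVER=${WEB_SERVER:-10.0.0.80}     # assumed internal web server
PROXY_PORT=${PROXY_PORT:-3128}          # assumed local transparent proxy port

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s %s\n' "$IPT" "$*"; else "$IPT" "$@"; fi
}

# Source NAT for outbound LAN traffic, in POSTROUTING (after routing, so -o
# is known). MASQUERADE maps to the uplink's current address and forgets the
# mappings when the interface goes down; with a fixed public address SNAT to
# an explicit --to-source is the right target.
outbound_nat() {
    if [ -n "$STATIC_IP" ]; then
        ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$STATIC_IP"
    else
        ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    fi
}

# Publish the internal web server. DNAT rewrites the destination of new
# connections arriving on the uplink in PREROUTING, before the routing
# decision; the filter-table FORWARD rule then has to admit the rewritten
# packet, since the default FORWARD policy is assumed to be DROP.
port_forward() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
}

# Transparent proxy: REDIRECT sends LAN web traffic to a port on the router
# itself (the destination becomes the incoming interface's own address).
transparent_proxy() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

build_nat() {
    outbound_nat
    port_forward
    transparent_proxy
}

build_nat
```

Only the first packet of a connection traverses the nat table; the decision it records applies to every later packet of that connection in both directions, which is why each nat rule here is written for the direction in which the connection starts.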

Diagnostics
Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

Bugs
Check is not implemented (yet).

Compatibility with ipchains
iptables is very similar to Rusty Russell's ipchains. The main difference is that the INPUT chain is only used for packets coming into the local host, and the OUTPUT chain is only used for packets originating from the local host. Hence every packet passes through only one of the three chains; previously a forwarded packet would pass through all three. The other main difference is that -i refers to the input interface and -o refers to the output interface, and both are available for packets entering the FORWARD chain. iptables is a pure packet filter when using the default filter table, with optional extension modules. This should simplify much of the previous confusion over the combination of IP masquerading and packet filtering, so the following options are handled differently:
-j MASQ
-M -S
-M -L
There are several other changes in iptables.

See also
The iptables-HOWTO, which details more iptables usage, and the netfilter-hacking-HOWTO, which gives a detailed description of the internals.

Authors
Rusty Russell wrote iptables, in early consultation with Michael Neuling.
Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere.
James Morris wrote the TOS target, and TOS match.
Jozsef Kadlecsik wrote the REJECT target.
The netfilter core team is: Marc Boucher, Rusty Russell.

Mar 20, 2000

Maintenance: Yang Peng (netsnake)
Address: Enshi Daily, No. 22 Dongfeng Avenue, Enshi City, Hubei Province
Zip code: 445000 Email: netsnake@963.net Tel: 0718-8260030

 
