Iptables details in Ubuntu7.10

Iptables details overview use iptables-ADC to specify the chain rules, -A Add-D Delete-C modify iptables-[RI] chainrulenumrule-specification [option] Use iptables-RI to specify iptables-Dchainrulenum [option] Delete the specified rule iptables

Iptables details

Overview

Use iptables-ADC to specify the chain rules.-A Add-D Delete-C modify

Iptables-[RI] chain rule num rule-specification [option]

Use iptables-RI to specify the sequence of rules

Iptables-D chain rule num [option]

Deletes a specified rule.

Iptables-[LFZ] [chain] [option]

Use iptables-LFZ chain name [Option]

Iptables-[NX] chain

Use-NX to specify a chain

Iptables-P chain target [options]

Default target of the specified chain

Iptables-E old-chain-name new-chain-name

-E old chain name New Chain name

Replace old chain names with new chain names

Description

Iptalbes is used to set, maintain, and check the IP packet filtering rules of the Linux kernel.

Different tables can be defined. Each table contains several internal chains and user-defined chains. Each chain is a rule list

Matching the corresponding package: each rule specifies how the matching package should be processed. This is called \ 'target \ '(target) or

Jump to the user-defined chain in the same table.

TARGETS

The firewall rules specify the features and targets of the checked packets. If the package does not match, it will be sent to the next rule check in the chain; If yes,

The next rule is determined by the target value. The target value can be a user-defined chain name or a specific value, such as ACCEPT [pass], DROP [

Delete], QUEUE [queuing], or RETURN [RETURN].

ACCEPT indicates that the package passes. DROP indicates dropping this package. QUEUE indicates to pass this package to the user space. RETURN indicates stop

And the rule of the previous chain starts again. If you have reached a built-in chain (the end of the chain), or meet the rules of the built-in chain

RETURN is used, and the fate of the package is determined by the target specified by the chain criterion.

TABLES

There are currently three tables (which table is the current table depends on the Kernel configuration option and the current module ).

-T table

This option specifies the table of matching packages to be operated by the command. If the kernel is configured as an automatic module, if the module is not loaded)

Will try to load the appropriate module (for this table. These tables are as follows: filter, which is the default table and contains the built-in chain INPUT

FORWORD, and OUTPUT ). Nat

A new connection package consists of three built-in chains: PREROUTING (the package to be modified) and OUTPUT (the package to be locally modified before the route is modified)

And POSTROUTING ). The mangle table is used to modify the specified package. It has two built-in rules:

PREROUTING (package before route modification) and OUTPUT (package before route modification ).

OPTIONS

These options that can be recognized by iptables can be different types.

COMMANDS

These options specify to execute a clear action: If there is no other rule under the command line, this row can only specify one option. For long-Format Commands and

Item name. The length of the letter must be ensured that the iptables command can be distinguished from other options.

-A-append

Add one or more rules at the end of the selected chain. When the source (Address) or/and destination (Address) are converted to multiple addresses, this rule

Will be added to all possible addresses (combinations.

-D-delete

Delete one or more rules from the selected chain. This command can be used in two ways: You can specify the deleted rule as the serial number in the chain (the first

The number of entries is 1) or the rule to be matched.

-R-replace

Replaces a rule from the selected chain. If the source (Address) or/and destination (Address) are converted to multiple addresses, this command fails. Rules

The sequence number starts from 1.

-I-insert

Insert one or more rules to the selected Chain Based on the given rule sequence number. Therefore, if the rule number is 1, the rule will be inserted into the chain header.

. This is the default method when no rule serial number is specified.

-L-list

Displays all the rules of the selected chain. If no link is selected, all links are displayed. It can also be used with the z option, and the chain will be automatically

List and return to zero. Precise output is affected by other parameters.

-F-flush

Clear the selected chain. This means that all rules are deleted one by one.

-- Z-zero

Clears the packets and byte counters of all links. It can be used with-L to view the counter before clearing. See the previous article.

-N-new-chain

Create a new user-defined Chain Based on the given name. This must ensure that no chain with the same name exists.

-X-delete-chain

Deletes a specified user-defined chain. This chain must not be referenced. If it is referenced, you must delete or replace it

. If no parameter is provided, this command will try to delete each non-built chain.

-P-policy

Set the target rule of the chain.

-E-rename-chain

Rename the specified Chain Based on the name given by the user. This is only a modifier and does not affect the structure of the entire table. The TARGETS parameter is given.

A valid target. Rules can be used only for non-user-defined chains, and both built-in and user-defined chains cannot be the target of rules.

-H Help.

Help. The syntax of the current command is very short.

PARAMETERS

Parameters

The following parameters constitute detailed rules, such as the add, delete, replace, append, and check commands.

-P-protocal [!] Protocol

Protocol for rule or package check (package to be checked. The specified protocol can be either one or all of tcp, udp, or icmp, or a numerical value,

Represents one of these protocols. You can also use the Protocol name defined in/etc/protocols. Add "! "Indicates

The opposite rule. The number 0 is equivalent to all. Protocol all matches all protocols, and this is a time-saving option. In and check

When the command is combined, all can be disabled.

-S-source [!] Address [/mask]

Specifies the source address, which can be the host name, network name, and clear IP address. The mask description can be a network mask or a clear number, which is hidden in the network.

The number of "1" on the left side of the network mask is specified. Therefore, the value of mask is 24 and the value of mask 255.255.255.0. Add "! "Said

Specify the opposite address segment. Flag -- src is short for this option.

-D -- destination [!] Address [/mask]

Specify the target address. For more information, see the description of the-s flag. The flag-dst is short for this option.

-J -- jump target

-J target jump

Specify the target of the rule, that is, what to do if the package matches. The target can be a user-defined chain (not where this rule is located)

, A private built-in goal that will immediately determine the fate of the package, or an extension (see EXTENSIONS below ). If

If this option is ignored, the matching process will not affect the package, but the rule counter will increase.

-I-in-interface [!] [Name]

I-access (network) interface [!] [Name]

This is the optional entry name received by the package through this interface. The package is received through this interface (in the chain INPUT, FORWORD, and PREROUTING

). Before the Interface Name, use "! "After description, it refers to the opposite name. If the interface name is followed by "+", all

All interfaces starting. If this option is ignored, it is assumed to be "+", then any interface will be matched.

-O -- out-interface [!] [Name]

-O -- output interface [name]

This is the optional exit name sent by the package through this interface. The packet is OUTPUT through this port (in the chain FORWARD, OUTPUT, and POSTROUTING

). Before the Interface Name, use "! "After description, it refers to the opposite name. If the interface name is followed by "+", all

All interfaces starting. If this option is ignored, it is assumed as "+", then all arbitrary interfaces will be matched.

[!] -F, -- fragment

[!] -F -- multipart

This means that in the fragmented package, the rule only asks for the second and later parts. Since then, the source port or target end of the packet cannot be determined.

Port (or ICMP type), which cannot match any rules specified for them. If "! "Description used"-f"

Before the sign, it indicates the opposite.

OTHER OPTIONS

Other options

You can also specify the following additional options:

-V -- verbose

-V -- details

Detailed output. This option allows the list command to display the interface address, rule option (if any), and TOS (Type of Service) mask. Package

And the byte counter will also be displayed, respectively, with K, M, G (prefix) represents 1000, 1,000,000 and 1,000,000,000 times (please refer

-X flag changes it). For the ADD, insert, delete, and replace commands, this will print the details of one or more rules.

-N -- numeric

-N -- number

Digital output. The IP address and port are printed in numbers. By default, the program displays the host name, network name, or service (as long

Available ).

-X-exact

-X-precision

Extended number. Display the exact value of the package and byte counter, instead of the approximate number expressed in K, M, G. This option can only be used for the-L command.

-- Line-numbers

When a rule is displayed in the list, add a row number before each rule to match the rule's position in the chain.

MATCH EXTENSIONS

Corresponding extension

Iptables can use some extension packages that match the module. The following are the extension packages included in the basic package, and most of them can access

Before! To indicate the opposite.

Tcp