Iptables details
Overview
iptables -[ADC] chain rule-specification [options]
Use -A, -D or -C to act on the rules of a chain: -A add, -D delete, -C modify.
iptables -[RI] chain rulenum rule-specification [options]
Use -R or -I to replace or insert a rule at position rulenum in the chain.
iptables -D chain rulenum [options]
Deletes the rule at position rulenum.
iptables -[LFZ] [chain] [options]
Use -L, -F or -Z to list, flush or zero the named chain (every chain if none is given).
iptables -[NX] chain
Use -N or -X to create or delete a user-defined chain.
iptables -P chain target [options]
Sets the default target (policy) of the specified chain.
iptables -E old-chain-name new-chain-name
Renames the chain old-chain-name to new-chain-name.
Description
iptables is used to set up, maintain and inspect the IP packet filtering rules of the Linux kernel.
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that can match a set of packets: each rule specifies what to do with a packet that matches. This is called a 'target', and it may also be a jump to a user-defined chain in the same table.
TARGETS
A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next rule is determined by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.
ACCEPT means to let the packet through. DROP means to drop the packet. QUEUE means to pass the packet to user space. RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
TABLES
There are currently three tables (which tables are present at any time depends on the kernel configuration options and on which modules are loaded).
-t table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for that table if it is not already loaded. The tables are as follows: filter, the default table, which contains the built-in chains INPUT, FORWARD and OUTPUT; nat, which is consulted when a packet that creates a new connection is encountered and consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing) and POSTROUTING (for altering packets as they are about to go out); and mangle, which is used for specialized packet alteration and has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing).
OPTIONS
The options recognized by iptables fall into several different groups.
COMMANDS
These options specify the specific action to perform; only one of them can be given on the command line unless otherwise noted below. For the long-format command and option names, you need only use enough letters to ensure that iptables can distinguish the name from all other options.
-A, --append
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.
-D, --delete
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (the first rule is number 1) or as a rule to match.
-R, --replace
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.
-I, --insert
Insert one or more rules into the selected chain at the given rule number. Thus, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default when no rule number is specified.
-L, --list
List all rules in the selected chain. If no chain is selected, all chains are listed. The -Z (zero) option may be given as well, in which case the chain(s) are atomically listed and zeroed. The exact output is affected by the other arguments given.
-F, --flush
Flush the selected chain. This is equivalent to deleting all the rules one by one.
-Z, --zero
Zero the packet and byte counters in all chains. The -L option may be given as well, to see the counters immediately before they are cleared (see above).
-N, --new-chain
Create a new user-defined chain with the given name. No chain of that name may already exist.
-X, --delete-chain
Delete the specified user-defined chain. There must be no references to the chain; if there are, the referring rules must be deleted or replaced before the chain can be deleted. If no argument is given, the command attempts to delete every non-built-in chain.
-P, --policy
Set the policy of the chain to the given target. See the section TARGETS for the valid targets. Only non-user-defined chains can have policies, and neither built-in nor user-defined chains can be policy targets.
-E, --rename-chain
Rename the specified chain to the name given by the user. This is cosmetic only and has no effect on the structure of the table.
-h, --help
Help. Gives a (currently very brief) description of the command syntax.
PARAMETERS
The following parameters make up a rule specification, as used in the add, delete, replace, append and check commands.
-p, --protocol [!] protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or a numeric value representing one of these protocols. A protocol name from /etc/protocols may also be used. A "!" before the protocol inverts the test. The number 0 is equivalent to all. Protocol all matches all protocols and is taken as the default when this option is omitted; all may not be combined with the check command.
-s, --source [!] address[/mask]
Source specification. The address can be a host name, a network name or a plain IP address. The mask can be either a network mask or a plain number giving the count of 1 bits at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" before the address specification inverts the sense of the address. The flag --src is a short alias for this option.
-d, --destination [!] address[/mask]
Destination specification. See the description of the -s flag for the syntax. The flag --dst is a short alias for this option.
-j, --jump target
Specifies the target of the rule, that is, what to do if the packet matches. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets that decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted, matching the rule has no effect on the packet, but the rule's counters are incremented.
-i, --in-interface [!] [name]
Optional name of the interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). A "!" before the interface name inverts the sense. If the interface name ends in "+", any interface whose name begins with that prefix matches. If this option is omitted, "+" is assumed, which matches any interface.
-o, --out-interface [!] [name]
Optional name of the interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). A "!" before the interface name inverts the sense. If the interface name ends in "+", any interface whose name begins with that prefix matches. If this option is omitted, "+" is assumed, which matches any interface.
[!] -f, --fragment
This means the rule refers only to the second and further fragments of a fragmented packet. Since the source or destination port (or ICMP type) of such a packet cannot be determined, it will not match any rule that specifies them. When "!" precedes the "-f" flag, the sense is inverted.
OTHER OPTIONS
The following additional options can also be specified:
-v, --verbose
Verbose output. This option makes the list command show the interface address, the rule options (if any) and the TOS (Type of Service) masks. The packet and byte counters are also listed, with the suffixes K, M and G for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (see the -x flag to change this). For the append, insert, delete and replace commands, this prints detailed information on the rule or rules.
-n, --numeric
Numeric output. IP addresses and port numbers are printed in numeric form. By default, the program tries to display them as host names, network names or services (whenever applicable).
-x, --exact
Expand numbers. Display the exact value of the packet and byte counters instead of the rounded number in K, M or G. This option is only relevant for the -L command.
--line-numbers
When listing rules, add a line number at the beginning of each rule, corresponding to that rule's position in the chain.
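As an added example (not part of the original page) that ties the COMMANDS, PARAMETERS and OTHER OPTIONS sections together, the script below builds a small default-deny host firewall. The management network 192.0.2.0/24, the interface eth0 and the chain name mgmt-in are constructed for the example, and IPT defaults to a dry run that only prints each iptables command line.

```shell
#!/bin/sh
# Added example, not from the original page: exercises -F -X -Z -P -N -A -I
# -D -L, the rule parameters -p -s -i -j -f with "!", and the listing options.
# IPT defaults to a dry run that prints the commands; run as root with
# IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Constructed values for this example.
MGMT_NET="192.0.2.0/24"   # trusted management network
WAN_IF="eth0"             # interface facing untrusted traffic

# Build the rule set in the filter table (the default when -t is omitted).
build_rules() {
    $IPT -F                       # flush every chain in the table
    $IPT -X                       # delete all user-defined chains
    $IPT -Z                       # zero the packet/byte counters
    $IPT -P INPUT DROP            # default-deny: the policy decides the
    $IPT -P FORWARD DROP          #   fate of packets no rule accepts
    $IPT -P OUTPUT ACCEPT
    $IPT -N mgmt-in               # user-defined chain that rules jump into
    # "!" inverts -s: anything NOT from the management network is dropped;
    # what remains falls through to ACCEPT.
    $IPT -A mgmt-in '!' -s "$MGMT_NET" -j DROP
    $IPT -A mgmt-in -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT # loopback is always allowed
    $IPT -A INPUT -f -j DROP      # later fragments carry no port and would
                                  #   never match the port rule below anyway
    # --dport is from the tcp match extension (MATCH EXTENSIONS, below):
    # SSH arriving on the WAN interface is decided by the mgmt-in chain.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j mgmt-in
}

# -I without a rule number inserts at position 1, the head of the chain.
insert_first() {
    $IPT -I INPUT -p icmp -j ACCEPT
}

# List INPUT with numeric addresses, counters and positions, then delete
# rule 1 by number. Positions shift after a delete, so list again before
# deleting another rule by number.
show_and_delete_first() {
    $IPT -L INPUT -n -v -x --line-numbers
    $IPT -D INPUT 1
}

# Number of -A rules the dry run emits (a sanity check on the rule set).
count_appends() {
    build_rules | grep -c ' -A '
}
```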
MATCH EXTENSIONS
iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by "!" to invert the sense of the match.
tcp