# iptables [-t TABLE] COMMAND CHAIN [match criteria] -j TARGET
OPTION
  -t TABLE    table to operate on; defaults to filter when not given
  -j TARGET   target (action) applied to the packets that match
COMMAND
Rule management
  -A CHAIN            append a rule at the end of CHAIN
  -I CHAIN [num]      insert a rule at position num in CHAIN; without num it becomes rule 1
  -D CHAIN num        delete rule num from CHAIN
  -R CHAIN num        replace rule num in CHAIN
Chain management
  -F [CHAIN]          flush: remove all rules from CHAIN; without a chain, empty every chain in the table
  -P CHAIN TARGET     set the default policy of a built-in chain
  -N CHAIN            create a new, empty custom chain
  -X [CHAIN]          delete a custom chain (it must be empty and no longer referenced)
  -Z [CHAIN]          zero the packet and byte counters of all rules in the chain
  -E OLDNAME NEWNAME  rename a custom chain
Viewing
  -L [CHAIN]       list the rules of the selected table
  -n               print addresses and ports numerically; otherwise iptables reverse-resolves hostnames and service names
  -v               verbose output (counters, interfaces)
  -x               exact counter values, without K/M/G rounding
  --line-numbers   show the rule number in front of each rule
CHAIN    name of the chain (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING or a custom chain)
Matching criteria
Note: most match conditions can be negated by prefixing the value with !
Generic matches
  -s, --src ADDRESS    source address
  -d, --dst ADDRESS    destination address
  -p {tcp|udp|icmp}    protocol
  -i INTERFACE         interface the packet arrives on
                       only valid in the PREROUTING, INPUT and FORWARD chains
  -o INTERFACE         interface the packet leaves through
                       only valid in the POSTROUTING, OUTPUT and FORWARD chains
Extended matches
Implicit extensions (loaded automatically by -p PROTOCOL)
  tcp
    --sport PORT[:PORT]     source port or port range
    --dport PORT[:PORT]     destination port or port range
    --tcp-flags MASK COMP   examine the flags listed in MASK; match when the flags in COMP are set and the remaining flags of MASK are clear. Flags: SYN FIN ACK RST ALL NONE
    --syn                   match the first packet of the TCP three-way handshake (SYN set, ACK, RST and FIN clear)
  udp
    --sport PORT[:PORT]
    --dport PORT[:PORT]
  icmp
    --icmp-type TYPE
      0   echo reply (ICMP response)
      8   echo request (ICMP request)
Explicit extensions: additional matching modules loaded with -m
  -m EXTENSION [extension options]
  the modules live in /lib/iptables/libipt_*.so
state       connection-state match; works with ip_conntrack to track sessions
  --state STATE[,STATE...]
    NEW          a new connection is being initiated
    ESTABLISHED  the connection is already established
    INVALID      the packet belongs to no known connection
    RELATED      related to an existing connection (e.g. an FTP data channel)
multiport   discrete multi-port match, up to 15 ports
  --source-ports PORT[,PORT...]        source ports; PORT1:PORT2 gives a range
  --destination-ports PORT[,PORT...]   destination ports
  --ports PORT[,PORT...]               source or destination ports
iprange     match IPv4 address ranges
  --src-range IP1-IP2
  --dst-range IP1-IP2
connlimit   limit parallel connections
  --connlimit-above NUM   match when the number of existing TCP connections from the client already exceeds NUM
limit       token-bucket rate limiter for traffic shaping; it does not cap the total, only the average rate per unit time and the burst size
  --limit NUM/RATE        average number of matches allowed per unit time
    RATE: second, minute, hour (day is also accepted)
  --limit-burst NUM       maximum burst per unit time before the limit applies, default 5
string      match packets whose payload contains a pattern
  --algo bm|kmp           pattern-matching algorithm
  --string PATTERN        the pattern to search for
  --hex-string PATTERN    the pattern given in hexadecimal
recent      build dynamic lists of source addresses and match against them
  --set           add the packet's source address to the list, or refresh it if already present
  --name NAME     use the list called NAME; when no name is given the list is called DEFAULT
  --update        match if the source address is already in the list and refresh its "last seen" timestamp (--rcheck checks without refreshing)
  --seconds NUM   only match addresses that were seen within the last NUM seconds
  --hitcount NUM  only match addresses from which at least NUM packets have been seen
layer7      requires the L7 patch to be installed
  --l7proto PROTOCOL   application protocol to match; see /etc/l7-protocols for the definitions
time        older kernels had to be recompiled to get this extension
  --datestart YYYY-MM-DDTHH:MM:SS   default 1970-01-01 when not given
  --datestop  YYYY-MM-DDTHH:MM:SS   default 2038-01-19 when not given
  --timestart HH:MM:SS
  --timestop  HH:MM:SS
  --monthdays DAY[,DAY...]          day values 1-31
  --weekdays  DAY[,DAY...]          day values Mon Tue Wed Thu Fri Sat Sun or 1-7
TARGET   action taken on a matching packet
  ACCEPT      let the packet through
  DROP        silently discard the packet
  REJECT      discard the packet and send an error back to the sender
  REDIRECT    port redirection to the local machine
  RETURN      stop traversing this chain and return to the calling chain
  CHAINNAME   jump to the custom chain of that name
  LOG         log the packet; LOG is non-terminating, so the following rules still decide the packet's fate
    --log-level NUM           syslog level
    --log-prefix "STRING"     prefix for the log line, at most 29 characters
    --log-tcp-sequence        log TCP sequence numbers
    --log-tcp-options         log the options of the TCP header
    --log-ip-options          log the options of the IP header
    --log-uid                 log the UID of the process that generated the packet
  MARK        set a firewall mark on the packet
  SNAT        source address translation
    --to-source IP[-IP][:PORT1-PORT2]   rewrite the source address (and optionally the port) to this
  DNAT        destination address translation
    --to-destination IP   rewrite the destination address to this
  MASQUERADE  source NAT for dynamic addresses
    Like SNAT --to-source, but the source address is taken from the outgoing interface automatically, so it suits links whose address can change at any time (e.g. PPPoE). Less efficient than SNAT.
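As an added example (not from the original post), the following script builds a small INPUT policy from the commands, matches and targets listed above: state, icmp + limit, multiport + connlimit, a custom chain, the recent list and a rate-limited LOG. The IPT variable and the SSH_GUARD chain name are assumptions; by default IPT is a dry run that prints each command instead of loading it.

```shell
#!/bin/sh
# Added example, not from the original post: a small INPUT policy that exercises
# the commands, matches and targets above. IPT defaults to a dry run that only
# prints each command; run with IPT=iptables as root to load the rules for real.
IPT="${IPT:-echo iptables}"

baseline_rules() {
    # Chain management: flush, zero counters, default policy (-F, -Z, -P)
    $IPT -F INPUT
    $IPT -Z INPUT
    $IPT -P INPUT DROP

    # Custom chain for SSH admission (-N); -F makes the script re-runnable
    $IPT -N SSH_GUARD 2>/dev/null || true
    $IPT -F SSH_GUARD

    # Generic match on the input interface (-i): loopback is always allowed
    $IPT -A INPUT -i lo -j ACCEPT

    # state extension: packets of a known session are accepted early,
    # packets that fit no known session are dropped
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Implicit icmp match + limit extension: echo requests (type 8)
    # at most 5 per second with a burst of 10; the excess falls through to DROP
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/second --limit-burst 10 -j ACCEPT

    # multiport + connlimit: web ports, no more than 30 parallel connections per client
    $IPT -A INPUT -p tcp -m multiport --destination-ports 80,443 -m connlimit --connlimit-above 30 -j REJECT
    $IPT -A INPUT -p tcp -m multiport --destination-ports 80,443 -m state --state NEW -j ACCEPT

    # New SSH connections (--syn) are handed to the custom chain
    $IPT -A INPUT -p tcp --dport 22 --syn -j SSH_GUARD

    # recent extension: --update matches an address already in the list and refreshes it;
    # the 4th SYN within 60 s from one address is dropped, earlier ones are recorded (--set)
    $IPT -A SSH_GUARD -m recent --name sshers --update --seconds 60 --hitcount 4 -j DROP
    $IPT -A SSH_GUARD -m recent --name sshers --set -j ACCEPT

    # LOG target, rate-limited so a scan cannot flood syslog, then the final DROP
    $IPT -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-DROP: " --log-level 4
    $IPT -A INPUT -j DROP
}

baseline_rules
```

Check the result with iptables -L INPUT -nv --line-numbers; the SSH_GUARD chain and its counters appear under iptables -L SSH_GUARD -nvx.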
This article comes from the "Small Private blog" blog; please keep this source when reproducing it: http://ggvylf.blog.51cto.com/784661/1663823
Detailed explanation of the iptables command