Anything But Ordinary

iptable

Posted in work

"iptables -ADC ָĹ´-A" -Dɾ -C -޸

iptables - [RI] chain rule num rule-specification[option]
"iptables - RI ͨ´˳-ָ

iptables -D chain rule num[option]
ɾָ´
iptables -[LFZ] [chain][option]
"iptables -LFZ [-]

iptables -[NX] chain
" -NX ָ

iptables -P chain target[options]
ָĬĿ

iptables -E old-chain-name new-chain-name
-E ɵ -µ
"-µȡɵ
˵
Iptalbes "áάͼLinuxں˵IP˹´ġ
"´"岻ͬı�ÿ��ڲ"ܰ"û"ÿ"´-�´´"İ--.䣺ÿ´ָ"δ"֮.İ´ⱻ'target'Ŀ꣩""´ͬ"ڵ"û"

TARGETS
ǽĹ´ָ´�Ŀꡣ.䣬-"´飻.,ô"´"Ŀֵȷ.Ŀֵ"´"û",ĳר"ֵ,ACCEPT[ͨ], DROP[ɾ], QUEUE[Ŷ"], ´ RETURN[]
ACCEPT ʾ´ͨDROPʾ´QUEUEʾ-´ݵ"û´䡣RETURNʾֹͣ´.䣬ǰ"Ĺ´-¿ʼ"ڽ(ĩ)´"ڽĹ´RETURN´˽"׼´ָĿ�

TABLES
ǰ"-�ĸǵǰȡ"ں-͵ǰģ)
-t table
´-ָ".ı�ں˱Ϊ´"´ģ飬´ʱģû"-"´أ(ϵͳ)´(Ϊñ)"´ʺϵģ顣´-£filter,´Ĭϵı�ڽINPUTİFORWORDͨİOUTPUT�ɵİ nat,´�-ʱʾ"˲-µ"İ,"ڽɣPREROUTING (-޸ĵİ)OUTPUT-޸·"֮ǰصİPOSTROUTING-޸׼.İmangle ´"´ָİ---޸ġ"-ڽ´PREROUTING-޸·"֮ǰİOUTPUT-޸·"֮ǰصİ
OPTIONS
´-ɱiptablesʶ-"´ֲͬࡣ

COMMANDS
´--ִָ--ȷĶָ--û"-涨,--ָֻ"-.´"ڳʽ-,"ĸֻ"֤iptablesܴ"--ֳָ--ˡ
-A -append
´-´ĩ""´򡣵´ַ´/" ĿģַתΪַʱ´´""-ܵĵַ()档

-D -delete
"--ɾ"´´"´"-ַ"´-ɾ´ָΪ--("-Ϊ1),´ָΪ".Ĺ´

-R -replace
"---ȡ"´´ַ´/" ĿģַתΪַʧܡ´-Ŵ"1ʼ

-I -insert
ݸĹ´---"´"´´-Ϊ1´ᱻͷ´"ǲָ´-ʱĬϷʽ

-L -list
´ʾ-"-´û"--´"-´ʾ""´z-"ʹ"ã´ʱᱻ´-͹㡣ȷ"졣

-F -flush
´-´"ڰ-"-´"ɾ

--Z -zero
-"-İֽڵļ´"´ -Lʹ"ã´´ǰ쿴μǰġ

-N -new-chain
ݸƽ"-µ"û"´-뱣֤û"-ͬ´ڡ

-X -delete-chain
ɾָ"û´"´-û"-""ã""ã´ɾ֮ǰ-ɾ´滻"֮"-صĹ´û"-´´ɾÿڽ

-P -policy
Ŀ´

-E -rename-chain
"ûֶ´ָ--´-Σ´´Ľṹû"-"졣TARGETS"ϷĿꡣֻ"-"û´""´ʹ"ù´򣬶"ڽ"û´"ǹ´Ŀꡣ

-h Help.
ǰ"﷨ǳ̵˵

PARAMETERS

"´²ɹ´""adddeletereplaceappend check

-p -protocal [!]protocol
´´߰()-"顣ָ-""´tcpudpicmp-"´ȫ""´ֵ´--"-ĳ"�Ȼ""´ʹ"´/etc/protocols-"-"´-"ǰ""!"ʾ෴Ĺ´0൱""-allProtocol all."--"飬"´ȱʡʱ-´ںcheckʱall"´ʹ"á
-s -source [!] address[/mask]
ָ´ַ"´IPַmask˵"´-֣´-ָ-"1"ĸ"ˣmaskֵΪ24"255.255.255.0´ַָǰ""!"˵ָ෴ĵַΡ־ --src ´-ļ-

-d --destination [!] address[/mask]
ָĿַ"ȡϸ˵μ -s־˵�־ --dst ´-ļ-

-j --jump target
-j Ŀת
ָ´Ŀꣻ"˵."ʲôĿ"´"û´"´´´ڵģĳ�´˵ר"ڽĿ꣬´"´μEXTENSIONS´´-´ô.Ĺ̲´"죬´ļ´"

-i -in-interface [!] [name]
i -ģ磩" [!][]
´ǰ"ɸý"ڽ"´Ŀ-ƣͨý"ڽ"´´INPUTFORWORDPREROUTING-İ�´ڽ"ǰʹ""!"˵ָ෴ơ"""+"´"-"´˽"ͷĽ"ڶᱻ.䡣´-´Ϊ"+"ô.""ڡ

-o --out-interface [!][name]
-o --"[]
´ǰ"ɸý"ͳĿ-ĳƣͨÿ´FORWARDOUTPUTPOSTROUTING-ͳİ�´ڽ"ǰʹ""!"˵ָ෴ơ"""+"´"-"´˽"ͷĽ"ڶᱻ.䡣´-´Ϊ"+"ô."-""ڡ

[!] -f, --fragment
[!] -f --Ƭ
´"ζ´ڷƬİ-´ֻ-ʵڶ"´Ƭ´"´""޷-´ְ-´˿ڻĿ˿ڣ´ICMP-͵ģ´.κָ´ǽ--.Ĺ´"!"˵"´"-f"־֮ǰʾ෴"˼

OTHER OPTIONS
-
"´ָ-"-

-v --verbose
-v --ϸ
ϸ´-list´ʾ"ڵַ´-"-TOSType of Service-롣ֽڼ"´ʾֱ"KMG(ǰ׺)ʾ10001,000,0001,000,000,000ο-x־ı�´"",,ɾ滻´ʹ"´ϸ-Ϣ"

-n --numeric
-n --
IPַͶ˿ڻ"´ֵ-ʽ"Ĭ£-´´ʾ´߷ֻ""ã

-x -exact
-x -ȷ
´֡´ʾֽڼľȷֵ"K,M,Gʾ´´-"" -L 

--line-numbers
-´ʾ´ʱ´ÿ´ǰ"--ţ"ù´´-λ´"

MATCH EXTENSIONS
´"´
iptablesܹʹ""-"ģ.´"´¾Ǻ"ڻڵ´"Ǵ"´ͨ´ǰ"!ʾ෴"˼

tcp
--protocol tcp ָ,".´δָʱ,´-´װ´ءṩ"´-

--source-port [!] [port[:port]]
´˿ڻ˿ڷΧָ´"´Ƿ˿ںšʹ"øʽ˿ڣ˿""´ָģ˿ڣΧ׶˿ںű´Ĭ"0"ĩ˿ںű´Ĭ"65535"ڶ˿ںŴ"ڵ"ôǻᱻ´-"´ʹ" --sportı

--destionation-port [!] [port:[port]]
Ŀ˿ڻ˿ڷΧָ´-"´ʹ" --dport档

--tcp-flags [!] mask comp
.ָTCPǡ"""ıǣ""öŷֿ-�ڶ"öŷֿıǱ,Ǳ-뱻õġ£ SYN ACK FIN RST URG PSH ALL NONE"´iptables -A FORWARD -p tcp --tcp-flags SYN, ACK, FIN, RST SYNֻ.-SYNǱöACKFINRSTû"-õİ

[!] --syn
ֻ.-SYNλACKFINλTCP´-""TCP"ʼʱ磬´ְ""ڷʱֹTCP".TCP"ܵ"졣´" --tcp-flags SYN, RST, ACK SYN"--syn"ǰ"-"!"ǣʾ෴"˼

--tcp-option [!] number
.TCP-ġ

udp
protocol udp ָ,".´δָʱ,´-´װ´,ṩ"´-

--source-port [!] [port:[port]]
´˿ڻ˿ڷΧָ TCP´--source-port-˵

--destination-port [!] [port:[port]]
Ŀ˿ڻ˿ڷΧָ TCP´--destination-port-˵

icmp
protocol icmpָ,".´δָʱ,´װ´ءṩ"´-
--icmp-type [!] typename
´-´-ָICMP-ͣ"´"ֵ-͵ICMP-ͣ´ĳ"iptables -p icmp -h´ʾICMP-

mac
--mac-source [!] address
.ַ-XX:XX:XX:XX:XX´-ĸʽע"ֻ´´"´̫豸PREROUTINGFORWORDINPUTİ"--

limit
´ģ.־""Ͱ""ٶȽ--.,LOGĿʹ""-޵ĵ½.ﵽ´ֵʱ,ʹ"´´Ĺ´򽫽--..(ʹ""!")

--limit rate
ƽ.ʣɸֵ"-'/second', '/minute', '/hour', or '/day'´-ĵ.λĬ3/hour

--limit-burst number
.ʼֵ:ǰָļ޻ûﵽ´ֵ,´ּ"1.ĬֵΪ5

multiport
´ģ."´˿ڻĿ˿,"´ָ15˿ڡֻܺ-p tcp ´ -p udp ʹ"á

--source-port [port[, port]]
´˿-"˿´.

--destination-port [port[, port]]
Ŀ˿-"˿´.

--port [port[, port]]
´˿ںĿĶ˿Ȳ"ĳ˿,´.䡣
mark
´ģ"netfilterֶ.䣨Ϳ"´´Ϊʹ"MARKǣ

--mark value [/mask]
.-޷űֵİָmask´ڱȽ֮ǰ-"߼ıǣ

owner
ģ´Ϊɰ.´ߵĲͬ´ֻ""OUTPUT"ʹ´-"-ICMP ping"𣩻û"-"-´ߣ""´.䡣

--uid-owner userid
"--user idô.Ľ̲İ

--gid-owner groupid
"--group idô.Ľ̲İ

--sid-owner seessionid
ݸĻỰ.ý̲İ

state
ģ飬""ٽʹ"ʱ´-ʰ"״̬

--state state
´state"�ŷָ."״̬-�ܵ״̬:INVALIDʾδ֪"ESTABLISHEDʾ˫͵"NEWʾΪ-µ"´Ƿ˫͵ģRELATEDʾ"-"ʼǺ""-´ڵ"´"FTPݴͣ´" ICMP

unclean
ģû"--´.-ֵġİ´ʵ--

tos
ģ.IPײ8λtos-ֶͣΣ"˵´"λ-

--tos tos
´"´"׼ƣ"iptables -m tos -h 쿴-�´ֵ

TARGET EXTENSIONS
iptables"´ʹ"´Ŀģ飺"´¶´ڱ׼-

LOG
Ϊ.İں˼¼´ڹ´-´"-linuxں˻ͨprintk()""-"ȫ.-ϢIPͷֶεȣ
--log-level level
¼ֻο syslog.conf(5)
--log-prefix prefix
´ڼ¼-Ϣǰ"ضǰ׺14ĸ"ͼ¼--Ϣ

--log-tcp-sequence
¼TCP--š¼ܱ"ûȡô´⽫´ڰȫ"

--log-tcp-options
¼´TCPͷ-
--log-ip-options
¼´IPͷ-

MARK
"ðnetfilterֵֻ""mangle�

--set-mark mark

REJECT
Ϊ´.İ""İºDROPͬ

Ŀֻ""INPUTFORWARDOUTPUT͵"´-"û´"´⼸-ƷصĴ-´

--reject-with type
Type"´icmp-net-unreachableicmp-host-unreachableicmp-port- nreachableicmp-proto-unreachable icmp-net-prohibited ´ icmp-host-prohibited-ͻ᷵"ICMP-ϢĬport-unreachable- echo-reply"´-ģֻ""ָICMP pingĹ´-pingĻ"-tcp-reset"´""´INPUT-,´INPUT"õĹ´ֻ.TCP-"飺""TCP RST
TOS
"IPײλtosֻ""mangle�

--set-tos tos
"´ʹ""ֵ-͵TOS ֵ´"iptables -j TOS -h 鿴"--TOS-�
MIRROR
´"´-ʾĿ꣬""תIPײֶ-´ַĿַ´ٴ͸ð,ֻ""INPUTFORWARDOUTPUT"´ֻ"ǵ"û´"

SNAT
´Ŀֻ""natPOSTROUTING涨-޸İ´ַ""´"-İᱻ"죩ֹͣ´´ļ飬-

--to-source [-][:port-port]
"´ָ"."-µIPַ"IPַΧ""´""˿ڷΧֻ´ָ-p tcp ´-p udpĹ´δָ˿ڷΧ´˿-512"´µģ˿ڣᱻΪ512"´µĶ˿ڣ5121024֮Ķ˿ڻᱻΪ1024 "´µģ˿ڻᱻΪ1024"´ϡܣ˿ڲᱻ-޸ġ

--to-destiontion [-][:port-port]
"´ָ"."-µIPַ"IPַΧ""´""˿ڷΧֻ´ָ-p tcp ´-p udpĹ´δָ˿ڷΧĿ˿ڲᱻ-޸ġ

MASQUERADE
ֻ""natPOSTROUTINGֻ""ڶ̬ȡIPţ"""-̬IPַ""SNATαװ൱"ڸʱ"ڵIPַ""񣬵"ڹر´"´ֹ´"Ϊ"βʱδͬĽ"ڵַ"´"-"ر´"-"-

--to-ports [-port>]
ָʹ"õ´˿ڷΧĬϵSNAT´ַ-´񣨼棩´-ֻ""ָ-p tcp´-p udpĹ´

REDIRECT
ֻ""natPREROUTINGOUTPUTֻ"ǵ"û´"-޸İĿIPַͰ´�ɵİΪַ127.0.0.1"-

--to-ports []
ָʹ"õĿĶ˿ڻ˿ڷΧָĻĿ˿ڲᱻ-޸ġֻ""ָ-p tcp -p udpĹ´

DIAGNOSTICS
´
ͬĴ-Ϣ"ɱ׼˳0ʾ´ȷ"ڲ´Ļ´"õ--᷵ش2󷵻شΪ1

BUGS

Check is not implemented (yet).
黹δɡ

COMPATIBILITY WITH IPCHAINS
"ipchainsļ-´
iptablesRusty Russellipchainsǳơ"INPUT ֻ""ڽ뱾İ,OUTPUTֻ""´ɵİ"ÿֻ""´ǰתİᾭ"-" -i ""ý"ڣ-o"""ڣ´߶""ڽFORWARDİ�Ϳ-´ģ"ʹ"ĬϹʱiptables"�İ´ܴ"´ǰ´IPαװͰ˽ʹ"õĻ"´"´-˲ͬĴ�
-j MASQ
-M -S
-M -L
´iptables-"-ͬ

SEE ALSO
μ
iptables-HOWTO"-ϸiptables"÷,´netfilter-hacking-HOWTO""-ϸı˵