iptables -[ADC] chain rule-specification [options]
-A appends a rule to the chain, -D deletes a rule from it, -C checks a packet against it.
iptables -[RI] chain rulenum rule-specification [options]
-R replaces the rule with the given number, -I inserts a rule at the given number.
iptables -D chain rulenum [options]
Delete the rule with the given number.
iptables -[LFZ] [chain] [options]
-L lists the rules of the chain, -F flushes it, -Z zeroes its counters.
iptables -[NX] chain
-N creates a user-defined chain, -X deletes one.
iptables -P chain target [options]
Set the default policy (target) of the chain.
iptables -E old-chain-name new-chain-name
Rename the chain old-chain-name to new-chain-name.
DESCRIPTION
iptables is used to set up, maintain and inspect the IP packet filtering rules of the Linux kernel.
Several different tables may be defined, each containing a number of built-in chains and possibly user-defined chains. Each chain is a list of rules that can match a set of packets; each rule specifies what to do with a packet that matches. This is called a target, and may be a jump to a user-defined chain in the same table.
TARGETS
A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next rule is determined by the value of the target. The target can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.
ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to user space. RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain has target RETURN, the fate of the packet is decided by the target specified by the chain policy.
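The traversal rules just described can be modelled in a few lines of Python. This is an added illustration, not code from the man page or from the iptables project; the Table, Chain, Rule and Packet types and the src/proto/dport helpers are assumptions of the model. The behaviour it encodes follows the text: a rule without a target only bumps its counter, a user chain that runs out of rules or hits RETURN hands control back to the next rule of the caller, and a built-in chain that runs out of rules or hits RETURN applies its policy.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# Constructed model of iptables chain traversal (not iptables code).

@dataclass
class Packet:
    src: str
    proto: str
    dport: int = 0

@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: Optional[str]      # ACCEPT/DROP/QUEUE/RETURN, a user chain name, or None (no -j)
    packets: int = 0           # per-rule packet counter

@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None   # only built-in chains carry a policy

VERDICTS = {"ACCEPT", "DROP", "QUEUE"}

class Table:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def new_chain(self, name: str, policy: Optional[str] = None) -> Chain:
        if name in self.chains:              # -N fails if a chain of that name exists
            raise ValueError(f"chain {name} already exists")
        self.chains[name] = Chain(name, policy=policy)
        return self.chains[name]

    def append(self, chain: str, match: Callable[[Packet], bool],
               target: Optional[str] = None) -> None:
        self.chains[chain].rules.append(Rule(match, target))   # -A

    def traverse(self, chain_name: str, pkt: Packet) -> Optional[str]:
        """Return the verdict for pkt, or None when a user chain falls through or RETURNs."""
        chain = self.chains[chain_name]
        for rule in chain.rules:
            if not rule.match(pkt):
                continue
            rule.packets += 1
            if rule.target is None:          # rule without -j: count only, keep going
                continue
            if rule.target in VERDICTS:
                return rule.target
            if rule.target == "RETURN":
                break                        # stop this chain; caller (or policy) decides
            verdict = self.traverse(rule.target, pkt)   # jump into a user-defined chain
            if verdict is not None:
                return verdict               # the user chain decided the packet's fate
        return chain.policy                  # built-in: policy; user chain: None (resume caller)

# Small match helpers standing in for -s, -p and --dport.
def src(net: str):
    return lambda p: ip_address(p.src) in ip_network(net)

def proto(name: str):
    return lambda p: p.proto == name

def dport(port: int):
    return lambda p: p.dport == port

def build_demo_table() -> Table:
    t = Table()
    t.new_chain("INPUT", policy="DROP")
    t.new_chain("lan")                       # user-defined chain, no policy
    t.append("INPUT", src("10.0.0.0/8"), "lan")
    t.append("INPUT", lambda p: proto("tcp")(p) and dport(80)(p), "ACCEPT")
    t.append("lan", lambda p: True)          # count-only rule (no -j)
    t.append("lan", lambda p: proto("tcp")(p) and dport(22)(p), "ACCEPT")
    t.append("lan", proto("icmp"), "RETURN")
    return t

def run_demo() -> dict:
    """Constructed packets pushed through the demo table; returns verdicts and one counter."""
    t = build_demo_table()
    out = {
        "lan_ssh":  t.traverse("INPUT", Packet("10.1.2.3", "tcp", 22)),
        "lan_icmp": t.traverse("INPUT", Packet("10.1.2.3", "icmp")),
        "lan_http": t.traverse("INPUT", Packet("10.1.2.3", "tcp", 80)),
        "ext_http": t.traverse("INPUT", Packet("192.0.2.9", "tcp", 80)),
        "ext_ssh":  t.traverse("INPUT", Packet("192.0.2.9", "tcp", 22)),
    }
    out["lan_counter"] = t.chains["lan"].rules[0].packets
    return out

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ICMP packet from 10.1.2.3 is the instructive case: the RETURN in the lan chain does not drop it, it sends evaluation back to the rule after the jump in INPUT, and only because nothing there matches does the DROP policy apply. The HTTP packet from the same host shows the other way out of a user chain, running off its end, which has the same effect as RETURN.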
TABLES
There are currently three tables (which tables are present depends on the kernel configuration options and on which modules are loaded).
-t, --table table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. The tables are as follows: filter is the default table and contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box) and OUTPUT (for locally generated packets). nat is consulted when a packet that creates a new connection is encountered; it consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to go out). mangle is used for specialized packet alteration and has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing).
OPTIONS
The options recognized by iptables can be divided into several different groups.
COMMANDS
These options specify the specific action to perform; only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.
-A, --append
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.
-D, --delete
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule to match.
-R, --replace
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
-I, --insert
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
-L, --list
List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.
-F, --flush
Flush the selected chain. This is equivalent to deleting all the rules one by one.
-Z, --zero
Zero the packet and byte counters in all chains. It is legal to specify the -L (list) option as well, to see the counters immediately before they are cleared (see above).
-N, --new-chain
Create a new user-defined chain by the given name. There must be no chain of that name already.
-X, --delete-chain
Delete the specified user-defined chain. There must be no references to the chain; if there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-builtin chain in the table.
-P, --policy
Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only non-user-defined chains can have policies, and neither built-in nor user-defined chains can be policy targets.
-E, --rename-chain
Rename the user-specified chain to the user-supplied name; this is cosmetic and has no effect on the structure of the table.
-h, --help
Give a brief description of the command syntax.
PARAMETERS
The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).
-p, --protocol [!] protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or it can be a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number 0 is equivalent to all. all matches every protocol and is taken as the default when this option is omitted. all may not be used in combination with the check command.
-s, --source [!] address[/mask]
Source specification. The address can be a host name, a network name or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1's at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.
-d, --destination [!] address[/mask]
Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.
-j, --jump target
This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.
-i, --in-interface [!] [name]
Optional name of an interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in "+", any interface whose name begins with this string will match. If this option is omitted, the string "+" is assumed, which will match any interface name.
-o, --out-interface [!] [name]
Optional name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in "+", any interface whose name begins with this string will match. If this option is omitted, the string "+" is assumed, which will match any interface name.
[!] -f, --fragment
This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or its ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the sense is inverted.
OTHER OPTIONS
The following additional options can be specified:
-v, --verbose
Verbose output. This option makes the list command show the interface address, the rule options (if any), and the TOS (Type of Service) masks. The packet and byte counters are also listed, with the suffix K, M or G for 1,000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement,
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).
-x, --exact
Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's, M's or G's. This option is only relevant for the -L command.
--line-numbers
When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.
MATCH EXTENSIONS
iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by a "!" to invert the sense of the match.
tcp
These extensions are loaded if --protocol tcp is specified and no other match is specified. They provide the following options:
--source-port [!] [port[:port]]
Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first they will be swapped. The flag --sport is a convenient alias for this option.
--destination-port [!] [port[:port]]
Destination port or port range specification. The flag --dport is a convenient alias for this option.
--tcp-flags [!] mask comp
Match when the TCP flags are as specified. The first argument is the list of flags which should be examined, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. The flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN will only match packets with the SYN flag set and the ACK, FIN and RST flags unset.
[!] --syn
Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes "--syn", the sense of the option is inverted.
--tcp-option [!] number
Match if the given TCP option is set.
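The mask/comp semantics of --tcp-flags, the --syn shorthand and the port-range defaults of --source-port above are easy to get wrong, so here is an added model of all three in Python. It is not code from the man page or the iptables project; the function names are assumptions, the flag bit values are the TCP header bits, and service-name lookup (which iptables does support) is deliberately left out of the model.

```python
# Constructed model of the tcp match's --tcp-flags, --syn and port-range handling
# (not iptables code). Bit values follow the TCP header flag byte.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F

def parse_flags(spec: str) -> int:
    """Turn a comma-separated flag list (SYN,ACK,... plus ALL and NONE) into a bitmask."""
    bits = 0
    for name in spec.upper().split(","):
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name == "NONE":
            continue
        else:
            bits |= FLAG_BITS[name]          # KeyError for an unknown flag name
    return bits

def tcp_flags_match(mask: str, comp: str, pkt_flags: int, invert: bool = False) -> bool:
    """--tcp-flags mask comp: among the flags listed in mask, exactly those listed in comp
    must be set; flags outside mask are not examined at all."""
    hit = (pkt_flags & parse_flags(mask)) == parse_flags(comp)
    return hit != invert

def syn_match(pkt_flags: int, invert: bool = False) -> bool:
    """--syn is shorthand for --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", pkt_flags, invert)

def parse_port_range(spec: str):
    """port[:port] -> (low, high). A missing first port means 0, a missing second port
    means 65535, and reversed bounds are swapped. Service names are not resolved here."""
    if ":" not in spec:
        port = int(spec)
        return port, port
    first, second = spec.split(":", 1)
    low = int(first) if first else 0
    high = int(second) if second else 65535
    if high < low:
        low, high = high, low
    return low, high

def port_match(spec: str, port: int, invert: bool = False) -> bool:
    """--source-port / --destination-port [!] spec against one packet port."""
    low, high = parse_port_range(spec)
    return (low <= port <= high) != invert

if __name__ == "__main__":
    SYN, ACK, PSH = FLAG_BITS["SYN"], FLAG_BITS["ACK"], FLAG_BITS["PSH"]
    print("SYN only, --syn:", syn_match(SYN))
    print("SYN+ACK,  --syn:", syn_match(SYN | ACK))
    print("SYN+PSH,  --tcp-flags SYN,ACK,FIN,RST SYN:",
          tcp_flags_match("SYN,ACK,FIN,RST", "SYN", SYN | PSH))
    print("':1023' ->", parse_port_range(":1023"), "  '80:20' ->", parse_port_range("80:20"))
```

Two points the model makes visible: a flag that is not in the mask (PSH in the example) has no influence on the match, and a comp list containing a flag absent from the mask can never match, because the masked packet bits can never contain it.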
udp
These extensions are loaded if --protocol udp is specified and no other match is specified. They provide the following options:
--source-port [!] [port[:port]]
Source port or port range specification. See the description of the --source-port option of the TCP extension for details.
--destination-port [!] [port[:port]]
Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.
icmp
This extension is loaded if --protocol icmp is specified and no other match is specified. It provides the following option:
--icmp-type [!] typename
This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names shown by the command iptables -p icmp -h.
mac
--mac-source [!] address
Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD or INPUT chains, and only for packets coming from an Ethernet device.
limit
This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension will match until this limit is reached (unless the "!" flag is used).
--limit rate
Maximum average matching rate: specified as a number, with an optional "/second", "/minute", "/hour" or "/day" suffix; the default is 3/hour.
--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
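An added token-bucket model of the limit match, to show how --limit and --limit-burst interact (for instance when the match guards a LOG rule). This is not code from the man page or the iptables project: the class and function names are assumptions, and the refill arithmetic is the generic token-bucket formula rather than the kernel module's exact implementation.

```python
import re

# Constructed token-bucket model of the limit match (not iptables code).
PERIOD_SECONDS = {"second": 1, "sec": 1, "minute": 60, "min": 60, "hour": 3600, "day": 86400}

def parse_rate(spec: str):
    """'3/hour' -> (3, 3600): matches allowed per period of that many seconds.
    A bare number is taken as per second."""
    m = re.fullmatch(r"(\d+)(?:/(\w+))?", spec.strip())
    if not m:
        raise ValueError(f"bad rate: {spec}")
    count = int(m.group(1))
    period = PERIOD_SECONDS[m.group(2) or "second"]
    return count, period

class LimitMatch:
    """The bucket starts full with `burst` tokens; every match spends one token;
    tokens refill at the average `rate`, never beyond `burst`."""
    def __init__(self, rate: str = "3/hour", burst: int = 5, invert: bool = False):
        self.count, self.period = parse_rate(rate)
        self.burst = burst
        self.invert = invert
        self.tokens = float(burst)
        self.last = 0.0          # time of the previous packet, seconds

    def match(self, now: float) -> bool:
        refill = (now - self.last) * self.count / self.period
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            hit = True
        else:
            hit = False           # limit reached: the rule does not match
        return hit != self.invert

def simulate(arrivals, rate: str = "3/hour", burst: int = 5):
    """Feed packet arrival times (seconds, non-decreasing) through one limit match
    and return one bool per packet: True where the rule would match."""
    lim = LimitMatch(rate, burst)
    return [lim.match(t) for t in arrivals]

if __name__ == "__main__":
    # Constructed burst: ten packets at t=0, then two more twenty minutes later.
    print(simulate([0.0] * 10))
    print(simulate([0.0] * 6 + [1200.0, 1200.0]))
```

With the defaults, a burst of ten packets at once matches only the first five; twenty minutes later exactly one token has accrued (3 per hour), so one more packet matches and the next does not. Putting such a rule in front of a LOG target is what keeps a flood from filling the kernel log, and with "!" the sense flips so the rule matches only once the limit is exhausted.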
multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.
--source-port [port[,port]]
Match if the source port is one of the given ports.
--destination-port [port[,port]]
Match if the destination port is one of the given ports.
--port [port[,port]]
Match if the source and destination ports are equal to each other and to one of the given ports.
mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).
--mark value[/mask]
Match packets with the given unsigned mark value (if a mask is specified, it is logically ANDed with the mark before the comparison).
owner
This module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.
--uid-owner userid
Match if the packet was created by a process with the given user id.
--gid-owner groupid
Match if the packet was created by a process with the given group id.
--sid-owner sessionid
Match if the packet was created by a process in the given session group.
state
This module, when combined with connection tracking, allows access to the connection tracking state for this packet.
--state state
Where state is a comma-separated list of the connection states to match. Possible states are INVALID, meaning that the packet is associated with no known connection; ESTABLISHED, meaning that the packet is associated with a connection which has seen packets in both directions; NEW, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning that the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
unclean
This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental.
tos
This module matches the 8-bit Type of Service field in the IP header (i.e. including the precedence bits).
--tos tos
The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value to match.
TARGET EXTENSIONS
iptables can use extended target modules: the following are included in the standard distribution.
LOG
Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (such as IP header fields) via printk().
--log-level level
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 14 letters long, and useful for distinguishing messages in the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
MARK
This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.
--set-mark mark
REJECT
This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP.
This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:
--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules which only match the TCP protocol and are in the INPUT chain or in chains called from it: this causes a TCP RST packet to be sent back.
TOS
This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.
--set-tos tos
You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.
MIRROR
This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains.
SNAT
This target is only valid in the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:
--to-source <ipaddr>[-<ipaddr>][:port-port]
which can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512; those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.
DNAT
This target is only valid in the PREROUTING and OUTPUT chains of the nat table. It specifies that the destination address of the packet should be modified. It takes one option:
--to-destination <ipaddr>[-<ipaddr>][:port-port]
which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, the destination port will never be modified.
MASQUERADE
This target is only valid in the POSTROUTING chain of the nat table. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:
--to-ports <port>[-<port>]
This specifies a range of source ports to use, overriding the default SNAT source port selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.
REDIRECT
This target is only valid in the PREROUTING and OUTPUT chains of the nat table, and user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally generated packets are mapped to the 127.0.0.1 address). It takes one option:
--to-ports <port>[-<port>]
This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.
DIAGNOSTICS
Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.
BUGS
Check is not implemented (yet).
COMPATIBILITY WITH IPCHAINS
iptables is very similar to ipchains by Rusty Russell. The main difference is that the chain INPUT is only traversed for packets coming into the local host, and the chain OUTPUT is only traversed for packets generated by the local host. Hence every packet only passes through one of the three chains; previously a forwarded packet would pass through all three. The other main difference is that -i refers to the input interface and -o refers to the output interface, and both are available for packets entering the FORWARD chain. iptables is a pure packet filter when using the default filter table, with optional extension modules. This should simplify much of the previous confusion over the combination of IP masquerading and packet filtering. So the following options are handled differently:
-MASQ
-M -S
-M -L
There are several other changes in iptables.
SEE ALSO
The iptables-HOWTO details iptables usage in depth, and the netfilter-hacking-HOWTO details the internals.