IPTABLES(8) iptables 1.8.13 IPTABLES(8)

iptables/ip6tables -- IPv4/IPv6 NAT

iptables [-t table] {-A|-C|-D|-V} chain rule-specification
ip6tables [-t table] {-A|-C|-D|-V} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain policy
iptables [-t table] -E old-chain-name new-chain-name

rule-specification := [matches...] [target]
match := -m matchname [per-match-options]
target := -j targetname [per-target-options]

Iptables ip6tables IPv4 IPv6 . . . . . `' . . iptables-extensions(8) ACCEPT DROP RETURN. ACCEPT . DROP . RETURN (). RETURN . ( ). -t, --table . . : filter: ( -t). INPUT ( ) FORWARD ( ) OUTPUT ( ). nat: . : PREROUTING ( ) INPUT ( ) OUTPUT ( ) POSTROUTING ( ). NAT IPv6 3.7. mangle: . 2.4.17 : PREROUTING ( ) OUTPUT ( ). 2.4.18 : INPUT ( ) FORWARD ( ) POSTROUTING ( ). raw: NOTRACK. netfilter ip_conntrack IP . : PREROUTING ( ) OUTPUT ( ). security: (MAC) SECMARK CONNSECMARK. SELinux. (DAC) MAC. : INPUT ( ) OUTPUT ( ) FORWARD ( ). iptables ip6tables . . . iptables . -A, --append . / . -C, --check - . -D iptables . -D, --delete - -D, --delete - . : ( 1 ) . -I, --insert [-] - . 1 . . -R, --replace - - . / . 1. -L, --list [] . . iptables ( ) NAT iptables -t nat -n -L -n DNS . -Z () . . iptables -L -v iptables-save(8). -S, --list-rules [] . iptables-save. iptables ( ). -F, --flush [] ( ). . -Z, --zero [ [-]] . -L --list () . ( .) -N --new-chain . . -X --delete-chain [] . . . . . iptables-nft. -P --policy ( ) . ACCEPT DROP. -E --rename-chain - - . . -h . ( ) . ( ). -4 --ipv4 iptables iptables-restore. -4 ( ) ip6tables-restore . . IPv4 IPv6 iptables-restore ip6tables-restore. -6 --ipv6 -6 ( ) iptables-restore . . IPv4 IPv6 iptables-restore ip6tables-restore.
ip6tables ip6tables-restore. [!] -p --protocol . tcp udp udplite icmp icmpv6 esp ah sctp mh "all" . /etc/protocols. "!" . all. "all" . ip6tables IPv6 esp . esp ipv6-nonext 2.6.11 . all 0 . HBH -p 0 -m hbh. [!] -s --source [/][,...] . IP ( /) IP . . DNS . ipv4 ( iptables) . iptables 24 255.255.255.0. "!" . --src . ( -A) ( -D). [!] -d --destination [/][,...] . -s () . --dst . -m --match . . . -j, --jump target . ( ) ( MATCH AND TARGET EXTENSIONS ). ( -g) . -g, --goto chain . --jump RETURN --jump. [!] -i, --in-interface name ( INPUT FORWARD PREROUTING). "!" . "+" . . [!] -o, --out-interface name ( FORWARD OUTPUT POSTROUTING). "!" . "+" . . [!] -f, --fragment IPv4 . ( ICMP) . "!" "-f" . IPv4 ip6tables. -c, --set-counters packets bytes ( INSERT APPEND REPLACE). : -v --verbose . ( ) TOS. 'K' 'M' 'G' 1000 1,000,000 1,000,000,000 ( -x ). . -v : iptables-legacy libiptc iptables-nft netlink ( VM). iptables-nft netlink . -V --version . -w --wait [] xtables. . . ( seconds ) . -n, --numeric . IP . ( ). -x --exact . K ( 1000) M ( 1000K) G ( 1000M). -L. --line-numbers . --modprobe= ( ). iptables /run/xtables.lock . XTABLES_LOCKFILE . iptables . iptables-extensions(8). . 0 . 2. 3. 4. 1. ;-) https://bugzilla.netfilter.org/ iptables 111 setuid-to-root. iptables ( ) . IPCHAINS iptables ipchains Rusty Russell. INPUT OUTPUT . ( INPUT OUTPUT) . -i -o FORWARD. NAT iptables `filter' . IP . : -j MASQ -M -S -M -L iptables. iptables-apply(8), iptables-save(8), iptables-restore(8), iptables-extensions(8), packet-filtering-HOWTO iptables NAT-HOWTO NAT netfilter-extensions-HOWTO netfilter-hacking-HOWTO netfilter. https://www.netfilter.org/. Rusty Russell iptables Michael Neuling. Marc Boucher Rusty ipnatctl iptables mangle owner mark . TOS tos. REJECT. ULOG NFQUEUE libiptc TTL DSCP ECN. Netfilter : . : . . iptables/ip6tables 1.8.13. 3 . . : . iptables 1.8.13 IPTABLES(8)