Iptables(8)                 System Manager's Manual                 Iptables(8)

NAME
       iptables - IP packet filter administration

SYNOPSIS
       iptables -[ADC] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -P chain target [options]
       iptables -E old-chain-name new-chain-name

DESCRIPTION
       Iptables is used to set up, maintain and inspect the tables of IP
       packet filter rules in the Linux kernel.  Each rule names a 'target'
       that decides what happens to a packet matching it.

   TARGETS
       A firewall rule specifies criteria for a packet and a target.  If the
       packet does not match, the next rule in the chain is examined; if it
       does match, the next rule is specified by the value of the target,
       which can be the name of a user-defined chain or one of the special
       values ACCEPT, DROP, QUEUE or RETURN.

       ACCEPT  Let the packet through.

       DROP    Drop the packet on the floor.

       QUEUE   Pass the packet to userspace (if supported by the kernel).

       RETURN  Stop traversing this chain and resume at the next rule in
               the previous (calling) chain.  If the end of a built-in chain
               is reached, or a rule in a built-in chain with target RETURN
               is matched, the chain policy determines the fate of the packet.

   TABLES
       -t, --table table
              The packet matching table to operate on.  The tables are:

              filter  The default table.  It contains the built-in chains
                      INPUT (packets destined for the local host), FORWARD
                      (packets being routed through the host) and OUTPUT
                      (locally generated packets).

              nat     Consulted when a packet creates a new connection.  It
                      contains PREROUTING (for altering packets as soon as
                      they come in), OUTPUT (for altering locally generated
                      packets before routing) and POSTROUTING (for altering
                      packets as they are about to go out).

              mangle  Used for specialized packet alteration.  It contains
                      PREROUTING and OUTPUT.

OPTIONS
       The options recognized by iptables fall into several groups.

   COMMANDS
       These options specify the action to perform.  Only one of them may be
       given on the command line unless otherwise specified.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain, either by
              matching rule or by rule number (counting from 1).

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  Rule numbers start at 1.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules at the given rule number (default 1,
              the head of the chain).

       -L, --list [chain]
              List all rules in the selected chain, or in all chains if none
              is given.  May be combined with -Z.

       -F, --flush [chain]
              Flush (delete all rules in) the selected chain, or every chain.

       -Z, --zero [chain]
              Zero the packet and byte counters in all chains.  May be
              combined with -L to read the counters immediately before they
              are cleared.

       -N, --new-chain chain
              Create a new user-defined chain.

       -X, --delete-chain [chain]
              Delete the specified user-defined chain, or every user-defined
              chain if none is given.

       -P, --policy chain target
              Set the policy of a built-in chain to the given target.

       -E, --rename-chain old-chain new-chain
              Rename a user-defined chain.

       -h     Help.  Give a description of the command syntax.

   PARAMETERS
       The following parameters make up a rule specification, as used in the
       add, delete, replace, append and check commands.

       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check: tcp, udp,
              icmp or all, or a numeric value representing one of these or a
              different protocol.  A protocol name from /etc/protocols is
              also allowed.  A "!" before the protocol inverts the test.  The
              number 0 is equivalent to all.  Protocol all matches every
              protocol and is the default when this option is omitted.

       -s, --source [!] address[/mask]
              Source specification.  The mask is either a network mask or a
              plain number giving the number of 1 bits at its left, so a
              mask of 24 is equivalent to 255.255.255.0.  A "!" before the
              address inverts the sense.  --src is an alias for this option.

       -d, --destination [!] address[/mask]
              Destination specification; see the description of -s.  --dst
              is an alias for this option.

       -j, --jump target
              The target of the rule, i.e. what to do if the packet matches.
              The target may be a user-defined chain, one of the special
              built-in targets, or an extension (see EXTENSIONS below).  If
              -j is omitted, a match has no effect other than incrementing
              the rule's counters.

       -i, --in-interface [!] [name]
              Name of the interface a packet was received on (only for
              packets entering the INPUT, FORWARD and PREROUTING chains).  A
              "!" before the name inverts the sense.  A name ending in "+"
              matches any interface whose name begins with that string.  If
              the option is omitted, any interface name matches.

       -o, --out-interface [!] [name]
              Name of the interface a packet is to be sent out on (only for
              packets entering the FORWARD, OUTPUT and POSTROUTING chains).
              "!" and "+" behave as for -i.

       [!] -f, --fragment
              The rule refers only to the second and further fragments of
              fragmented packets.  Since such fragments carry no source or
              destination port (or ICMP type), they do not match rules that
              specify one.  Preceded by "!", the rule matches only head
              fragments and unfragmented packets.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and
              byte counters of a rule (during INSERT, APPEND, REPLACE
              operations).

   OTHER OPTIONS
       -v, --verbose
              Verbose output.  With the list command, also shows interface
              names, rule options and TOS (Type of Service) masks.  Packet
              and byte counters are printed with the suffixes K, M and G for
              multipliers of 1000, 1,000,000 and 1,000,000,000 (see -x).

       -n, --numeric
              Numeric output: IP addresses and port numbers are printed as
              numbers rather than names.

       -x, --exact
              Expand numbers: show the exact packet and byte counters instead
              of the rounded K, M and G values.  Only relevant with -L.

       --line-numbers
              When listing rules, prefix each rule with its position in the
              chain.

MATCH EXTENSIONS
       iptables can use extended packet matching modules, loaded implicitly
       when --protocol is given, or explicitly with -m followed by the module
       name.  A "!" inverts the sense of a match where the syntax shows it.

       tcp    These extensions are loaded if --protocol tcp is specified:

              --source-port [!] [port[:port]]
                     Source port or port range.  If the first port is
                     omitted, "0" is assumed; if the last is omitted,
                     "65535".  --sport is an alias for this option.

              --destination-port [!] [port[:port]]
                     Destination port or port range.  --dport is an alias
                     for this option.

              --tcp-flags [!] mask comp
                     Match when the TCP flags are as specified.  The first
                     argument is a comma-separated list of the flags to
                     examine, the second a comma-separated list of the flags
                     that must be set; all other flags in the mask must be
                     clear.  Flags are SYN ACK FIN RST URG PSH ALL NONE.
                     Hence the command
                         iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
                     matches only packets with the SYN flag set and the ACK,
                     FIN and RST flags cleared.

              [!] --syn
                     Match only TCP packets with the SYN bit set and the ACK
                     and FIN bits cleared, i.e. packets requesting TCP
                     connection initiation.  Blocking these on an interface
                     prevents incoming TCP connections while leaving
                     outgoing connections unaffected.  It is equivalent to
                     --tcp-flags SYN,RST,ACK SYN.  Preceded by "!", the
                     sense of --syn is inverted.

              --tcp-option [!] number
                     Match if the given TCP option is set.

       udp    These extensions are loaded if --protocol udp is specified:

              --source-port [!] [port[:port]]
                     Source port or port range, as for the TCP
                     --source-port.

              --destination-port [!] [port[:port]]
                     Destination port or port range, as for the TCP
                     --destination-port.

       icmp   This extension is loaded if --protocol icmp is specified:

              --icmp-type [!] typename
                     Match the given ICMP type, given as a name or as a
                     numeric type.
                     The command iptables -p icmp -h lists the valid ICMP
                     type names.

       mac
              --mac-source [!] address
                     Match the source MAC address, written as
                     XX:XX:XX:XX:XX:XX.  Only meaningful for packets entering
                     the PREROUTING, FORWARD or INPUT chains.

       limit  Matches at a limited rate.  A rule using this extension
              matches until the limit is reached (unless the "!" flag is
              used); it can be combined with the LOG target, for example, to
              limit logging.

              --limit rate
                     Maximum average matching rate, given as a number with
                     an optional '/second', '/minute', '/hour' or '/day'
                     suffix; the default is 3/hour.

              --limit-burst number
                     Maximum initial number of packets to match; this number
                     is recharged by one each time the limit above is not
                     reached, up to this number.  The default is 5.

       multiport
              Matches a set of source or destination ports; up to 15 ports
              can be specified.  Only usable with -p tcp or -p udp.

              --source-port [port[,port]]
                     Match if the source port is one of the given ports.

              --destination-port [port[,port]]
                     Match if the destination port is one of the given ports.

              --port [port[,port]]
                     Match if both source and destination port are equal to
                     each other and to one of the given ports.

       mark   Matches the netfilter mark field associated with a packet
              (which can be set with the MARK target below).

              --mark value[/mask]
                     Match packets with the given unsigned mark value.  If a
                     mask is given, it is logically ANDed with the mark
                     before the comparison.

       owner  Matches characteristics of the packet creator, for locally
              generated packets.  Valid only in the OUTPUT chain.  Some
              packets (such as ICMP ping responses) may have no owner and
              therefore never match.

              --uid-owner userid
                     Match if the packet was created by a process with the
                     given effective user id.

              --gid-owner groupid
                     Match if the packet was created by a process with the
                     given effective group id.

              --sid-owner sessionid
                     Match if the packet was created by a process in the
                     given session group.

       state  Used in conjunction with connection tracking, this extension
              gives access to the connection tracking state of a packet.

              --state state
                     A comma-separated list of the connection states to
                     match.  Possible states are INVALID (the packet is not
                     associated with any known connection), ESTABLISHED (the
                     packet belongs to a connection that has seen packets in
                     both directions), NEW (the packet starts a new
                     connection, or belongs to one that has not seen packets
                     in both directions) and RELATED (the packet starts a
                     new connection that is associated with an existing one,
                     such as an FTP data transfer or an ICMP error).

       unclean
              An experimental match for packets that seem malformed or
              unusual.  It takes no options.

       tos    Matches the 8-bit Type of Service field in the IP header (the
              TOS value).

              --tos tos
                     A standard name (iptables -m tos -h lists them) or a
                     numeric value.

TARGET EXTENSIONS
       iptables can use extended target modules:

       LOG    Turn on kernel logging of matching packets.  The information
              (by default most IP header fields) is printed to the kernel
              log with printk().

              --log-level level
                     Level of logging (numeric, or see syslog.conf(5)).

              --log-prefix prefix
                     Prefix log messages with the given string, up to 14
                     characters long; useful for telling messages apart in
                     the logs.

              --log-tcp-sequence
                     Log the TCP sequence numbers.

              --log-tcp-options
                     Log the options from the TCP packet header.

              --log-ip-options
                     Log the options from the IP packet header.

       MARK   Set the netfilter mark value associated with the packet.  Valid
              only in the mangle table.

              --set-mark mark

       REJECT Send back an error packet in response to the matched packet;
              otherwise it is equivalent to DROP.  Valid in the INPUT,
              FORWARD and OUTPUT chains, and in user-defined chains called
              only from those.

              --reject-with type
                     The type of error packet returned: icmp-net-unreachable,
                     icmp-host-unreachable, icmp-port-unreachable,
                     icmp-proto-unreachable, icmp-net-prohibited or
                     icmp-host-prohibited, each returning the corresponding
                     ICMP error message (port-unreachable is the default).
                     echo-reply is valid only for rules that match ICMP ping
                     packets and generates a ping reply.  tcp-reset can be
                     used in the INPUT chain (and chains called only from
                     INPUT) for TCP rules; it sends back a TCP RST packet.

       TOS    Set the 8-bit Type of Service field in the IP header.  Valid
              only in the mangle table.

              --set-tos tos
                     A standard name (iptables -j TOS -h lists them) or a
                     numeric value.

       MIRROR An experimental demonstration target that swaps the source and
              destination fields of the IP header and retransmits the
              packet.  Valid in the INPUT, FORWARD and OUTPUT chains, and in
              user-defined chains called only from those.

       SNAT   Valid only in the POSTROUTING chain of the nat table.  It
              modifies the source address of the packet and of all future
              packets in the same connection.

              --to-source <ipaddr>[-<ipaddr>][:port-port]
                     A single new source IP address, or an inclusive range
                     of addresses, optionally followed by a port range (valid
                     only with -p tcp or -p udp).  Without a port range,
                     source ports below 512 are mapped to other ports below
                     512, ports between 512 and 1023 to ports below 1024, and
                     other ports to ports 1024 or above.

       DNAT   Valid in the PREROUTING and OUTPUT chains of the nat table.  It
              modifies the destination address of the packet and of all
              future packets in the same connection.

              --to-destination <ipaddr>[-<ipaddr>][:port-port]
                     A single new destination IP address, or an inclusive
                     range of addresses, optionally followed by a port range
                     (valid only with -p tcp or -p udp).

       MASQUERADE
              Valid only in the POSTROUTING chain of the nat table, and only
              for dynamically assigned IP (dialup) connections; with a
              static IP address use SNAT instead.  Packets are mapped to the
              IP address of the outgoing interface, and connections are
              forgotten when the interface goes down.

              --to-ports port[-port]
                     Range of source ports to use, overriding the default
                     SNAT mapping.  Valid only with -p tcp or -p udp.

       REDIRECT
              Valid only in the PREROUTING and OUTPUT chains of the nat table
              (and user-defined chains called only from those).  It redirects
              the packet to the machine itself by changing the destination IP
              to the primary address of the incoming interface; locally
              generated packets are mapped to 127.0.0.1.

              --to-ports port[-port]
                     Destination port or port range to use; without it the
                     destination port is not altered.  Valid only with
                     -p tcp or -p udp.

COMPATIBILITY WITH IPCHAINS
       This iptables is very similar to ipchains by Rusty Russell.  The main
       difference is that the chains INPUT and OUTPUT are only traversed for
       packets coming into the local host and originating from the local
       host respectively.  Hence every packet only passes through one of the
       three chains; previously a forwarded packet would pass through all
       three.

       The other main difference is that -i refers to the input interface;
       -o refers to the output interface, and both are available for packets
       entering the FORWARD chain.
       iptables is a pure packet filter when using the default 'filter'
       table, with optional extension modules.  This should simplify much of
       the previous confusion over the combination of IP masquerading and
       packet filtering seen previously.  So the following options are
       handled differently:

              -j MASQ
              -M -S
              -M -L

       There are several other changes in iptables.

SEE ALSO
       The iptables-HOWTO, which details more iptables usage, and the
       netfilter-hacking-HOWTO, which details the internals.

AUTHORS
       Rusty Russell wrote iptables, in early consultation with Michael
       Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic
       packet selection framework in iptables, then wrote the mangle table,
       the owner match, the mark stuff, and ran around doing cool stuff
       everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       The Netfilter Core Team is: Marc Boucher, Rusty Russell.

TRANSLATION
       Chinese translation: NetSnake, 2003.11.20.
       linuxman: http://cmpp.linuxforum.net
       https://github.com/man-pages-zh/manpages-zh

                                 Mar 20, 2000                       Iptables(8)
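The tcp match's --tcp-flags mask comp and --syn options described above come down to bit arithmetic on the TCP header flags. The following Python script, added here and not part of the man page or of the iptables sources, emulates that decision over a few constructed sample packets, using the page's own equivalence --syn = --tcp-flags SYN,RST,ACK SYN; the flag bit values and the sample packets are constructed for the example.

```python
# Added example (not from the man page or the iptables sources): emulate how the
# tcp match's "[!] --tcp-flags mask comp" and "[!] --syn" options decide a match.
# Bit values of the TCP header flags (RFC 793 layout).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())

def parse_flag_list(spec):
    """Turn an iptables flag list ("SYN,ACK,FIN", "ALL" or "NONE") into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        if name.strip() not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        bits |= TCP_FLAGS[name.strip()]
    return bits

def tcp_flags_match(mask, comp, packet_flags, invert=False):
    """'[!] --tcp-flags mask comp': only the bits in mask are examined, and of
    those exactly the bits in comp must be set; bits outside mask are ignored
    (so a comp bit that is not also in mask can never be satisfied)."""
    matched = (packet_flags & parse_flag_list(mask)) == parse_flag_list(comp)
    return not matched if invert else matched

def syn_match(packet_flags, invert=False):
    """'[!] --syn' as the man page defines it: --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", packet_flags, invert)

# Constructed sample packets, named by the flags set in their TCP header.
SAMPLES = {
    "SYN (connection request)": TCP_FLAGS["SYN"],
    "SYN+ACK (reply to a request)": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "ACK (established traffic)": TCP_FLAGS["ACK"],
    "SYN+FIN (never sent by a normal stack)": TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"],
    "no flags at all": 0,
}

def classify(packet_flags):
    """Which of three rule specifications the packet would satisfy."""
    return {"--syn": syn_match(packet_flags),
            "--tcp-flags SYN,ACK,FIN,RST SYN":
                tcp_flags_match("SYN,ACK,FIN,RST", "SYN", packet_flags),
            "--tcp-flags ALL NONE": tcp_flags_match("ALL", "NONE", packet_flags)}

if __name__ == "__main__":
    for label, flags in SAMPLES.items():
        print(f"{label:40s} {classify(flags)}")
```

The SYN+FIN row shows why the mask matters: --syn (mask SYN,RST,ACK) never looks at FIN and therefore accepts that packet, while the FORWARD example's wider mask SYN,ACK,FIN,RST rejects it.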