Iptables 8

中文man手册

目录

Iptables

NAME
æ»è§
说æ
TARGETS
TABLES
OPTIONS
COMMANDS
åæ°
å¶ä»é项
对åºçæ©å±
tcp
udp
icmp
mac
limit
mark
owner
state
unclean
tos
TARGET EXTENSIONS
LOG
MARK
REJECT
TOS
MIRROR
SNAT
MASQUERADE
REDIRECT
è¯æ
èè«
COMPATIBILITY WITH IPCHAINS
åè§
ä½è
[ä¸æçç»´æ¤äºº]
[ä¸æçææ°æ´æ°]
ãä¸å½linux论åmanæå页翻è¯è®¡åã:
è·

NAME

iptables - IPåè¿æ»¤å¨ç®¡ç

æ»è§

iptables -ADC æå®é¾çè§å [-A æ·»å  -D å é¤ -C ä¿®æ¹]
iptables - RI
iptables -D chain rule num[option]
iptables -LFZ é¾å [é项]
iptables -[NX] æå®é¾
iptables -P chain target[options]
iptables -E old-chain-name new-chain-name

说æ

Iptalbes æ¯ç¨æ¥è®¾ç½®ãç»´æ¤åæ£æ¥Linuxåæ ¸çIPåè¿æ»¤è§åçã

å¯ä»¥å®ä¹ä¸åç表ï¼æ¯ä¸ªè¡¨é½åå«å ä¸ªåé¨çé¾ï¼ä¹è½åå«ç¨æ·å®ä¹çé¾ã æ¯ä¸ªé¾é½æ¯ä¸ä¸ªè§åå表ï¼å¯¹å¯¹åºçåè¿è¡å¹éï¼æ¯æ¡è§åæå®åºå½å¦ä½å¤ çä¸ä¹ç¸å¹éçåãè¿è¢«ç§°ä½’target’ï¼ç®æ ï¼ï¼ä¹å¯ä»¥è·³ååä¸ä¸ªè¡¨åçç¨ æ·å®ä¹çé¾ã

TARGETS

é²ç«å¢çè§åæå®ææ£æ¥åçç¹å¾ï¼åç®æ ãå¦æåä¸å¹éï¼å°éå¾è¯¥é¾ä¸ ä¸ä¸æ¡è§åæ£æ¥ï¼å¦æå¹é,é£ä¹ä¸ä¸æ¡è§åç±ç®æ å¼ç¡®å®.该ç®æ å¼å¯ä»¥æ¯ ç¨æ·å®ä¹çé¾å,ææ¯æ个ä¸ç¨å¼,å¦ACCEPT[éè¿], DROP[å é¤], QUEUE[æé],æè RETURN[è¿å]ã

ACCEPT
表示让è¿ä¸ªåéè¿ã
DROP
表示å°è¿ä¸ªå丢å¼ã
QUEUE
表示æè¿ä¸ªåä¼ éå°ç¨æ·ç©ºé´ã
RETURN
表示åæ¢è¿æ¡é¾çå¹éï¼å°åä¸ä¸ªé¾çè§åéæ°å¼å§ãå¦æå°è¾¾äºä¸ä¸ªå建ç
é¾(çæ«ç«¯)ï¼æèéå°å建é¾çè§åæ¯ RETURNï¼åçå½è¿å°ç±é¾ååæå®ç
ç®æ å³å®ã

TABLES

å½åæä¸ä¸ªè¡¨ï¼åªä¸ªè¡¨æ¯å½å表åå³äºåæ ¸éç½®é项åå½å模å)ã
-t table

è¿ä¸ªé项æå®å½ä»¤è¦æä½çå¹éåç表ãå¦æåæ¸è¢«é置为èªå¨å载模åï¼è¿æ¶ è¥æ¨¡å没æå è½½ï¼(ç³»ç»)å°å°è¯(为该表)å è½½éåç模åã

è¿äºè¡¨å¦ä¸ï¼

filter

,è¿æ¯é»è®¤ç表ï¼åå«äºå建çé¾INPUTï¼å¤çè¿å¥çåï¼ãFORWORDï¼å¤çé è¿çåï¼åOUTPUTï¼å¤çæ¬å°çæçåï¼ã

nat

è¿ä¸ªè¡¨è¢«æ¥è¯¢æ¶è¡¨ç¤ºéå°äºäº§çæ°çè¿æ¥çå,ç±ä¸ä¸ªå建çé¾ææï¼PREROUTING

(ä¿®æ¹å°æ¥çå)ãOUTPUTï¼ä¿®æ¹è·¯ç±ä¹åæ¬å°çåï¼ãPOSTROUTING
ï¼ä¿®æ¹åå¤åºå»çåï¼ã

mangle

è¿ä¸ªè¡¨ç¨æ¥å¯¹æå®çåè¿è¡ä¿®æ¹ãå®æ两个å建è§åï¼PREROUTINGï¼ä¿®æ¹è·¯ç±ä¹
åè¿å¥çåï¼åOUTPUTï¼ä¿®æ¹è·¯ç±ä¹åæ¬å°çåï¼ã

OPTIONS

è¿äºå¯è¢«iptablesè¯å«çé项å¯ä»¥åºåä¸åçç§ç±»ã

COMMANDS

è¿äºé项æå®æ§è¡æç¡®çå¨ä½ï¼è¥æ令è¡ä¸æ²¡æå¶ä»è§å®,该è¡åªè½æå®ä¸ä¸ªé项. 对äºé¿æ ¼å¼çå½ä»¤åé项å,æç¨åæ¯é¿åº¦åªè¦ä¿è¯iptablesè½ä»å¶ä»é项ä¸åº ååºè¯¥æ令就è¡äºã
-A -append

å¨æéæ©çé¾æ«æ·»å ä¸æ¡ææ´å¤è§åãå½æºï¼å°åï¼æè/ä¸ ç®çï¼å°åï¼è½¬æ¢ 为å¤äºä¸ä¸ª(å¤ä¸ª)å°åæ¶ï¼è¿æ¡è§åä¼å å°ææå¯è½çå°å(ç»å)åé¢ã

-D -delete

ä»æéé¾ä¸- å é¤ä¸æ¡ææ´å¤è§åãè¿æ¡å½ä»¤å¯ä»¥æ两ç§æ¹æ³ï¼å¯ä»¥æ被å é¤è§å æå®ä¸ºé¾ä¸çåºå·(第ä¸æ¡åºå·ä¸º1),æèæå®ä¸ºè¦å¹éçè§åã

-R -replace

ä»éä¸çé¾ä¸å代ä¸æ¡è§åãå¦ææºï¼å°åï¼æè/ä¸ ç®çï¼å°åï¼è¢«è½¬æ¢ä¸ºå¤å° åï¼è¯¥å½ä»¤ä¼å¤±è´¥ãè§ååºå·ä»1å¼å§ã

-I -insert

æ ¹æ®ç»åºçè§ååºå·åæéé¾ä¸æå¥ä¸æ¡ææ´å¤è§åãæ以ï¼å¦æè§ååºå·ä¸º1ï¼ è§åä¼è¢«æå¥é¾ç头é¨ãè¿ä¹æ¯ä¸æå®è§ååºå·æ¶çé»è®¤æ¹å¼ã

-L -list

æ¾ç¤ºæéé¾çææè§åãå¦æ没æéæ©é¾ï¼ææé¾å°è¢«æ¾ç¤ºãä¹å¯ä»¥åzé项ä¸èµ· 使ç¨ï¼è¿æ¶é¾ä¼è¢«èªå¨ååºåå½é¶ã精确è¾åºåå¶å®æç»åæ°å½±åã

-F -flush

æ¸ç©ºæéé¾ãè¿çäºæææè§åä¸ä¸ªä¸ªçå é¤ã

--Z -zero

æææé¾çåååèç计æ°å¨æ¸ç©ºãå®å¯ä»¥å -Léå使ç¨ï¼å¨æ¸ç©ºåå¯ç计æ°å¨ï¼è¯·åè§åæã

-N -new-chain

æ ¹æ®ç»åºçå称建ç«ä¸ä¸ªæ°çç¨æ·å®ä¹é¾ãè¿å¿é¡»ä¿è¯æ²¡æååçé¾åå¨ã

-X -delete-chain

åé¤æå®çç¨æ·èªå®ä¹é¾ãè¿ä¸ªé¾å¿é¡»æ²¡æ被å¼ç¨ï¼å¦æ被å¼ç¨ï¼å¨åé¤ä¹åä½å¿é¡»å é¤æèæ¿æ¢ä¸ä¹æå³çè§åãå¦æ没æç»åºåæ°ï¼è¿æ¡å½ä»¤å°è¯çå é¤æ¯ä¸ªé å建çé¾ã

-P -policy

设置é¾çç®æ è§åã

-E -rename-chain

æ ¹æ®ç¨æ·ç»åºçåå- 对æå®é¾è¿è¡éå½åï¼è¿ä»ä»æ¯ä¿®é¥°ï¼å¯¹æ´ä¸ªè¡¨çç»æ没æå½±åã TARGETSåæ°ç»åºä¸ä¸ªåæ³çç®æãåªæéç¨æ·èªå®ä¹é¾å¯ä»¥ä½¿ç¨è§åï¼èä¸å建é¾åç¨ æ·èªå®ä¹é¾é½ä¸è½æ¯è§åçç®æ ã

-h Help.

帮å©ãç»åºå½åå½ä»¤è¯æ³é常ç®çç说æã

åæ°

以ä¸åæ°ææè§å详述ï¼å¦ç¨äºaddãdeleteãreplaceãappend å checkå½ä»¤ã
-p -protocal [!]protocol

è§åæèåæ£æ¥(å¾æ£æ¥å)çåè®®ãæå®åè®®å¯ä»¥æ¯tcpãudpãicmpä¸çä¸ä¸ªæ èå¨é¨ï¼ä¹å¯ä»¥æ¯æ°å¼ï¼ä»£è¡¨è¿äºåè®®ä¸- çæä¸ä¸ªãå½ç¶ä¹å¯ä»¥ä½¿ç¨å¨/etc/pro tocolsä¸- å®ä¹çåè®®åãå¨åè®®ååå ä¸"!"表示ç¸åçè§åãæ°å0ç¸å½äºææ allãProtocol allä¼å¹éææåè®®ï¼èä¸è¿æ¯ç¼ºçæ¶çé项ãå¨åcheckå½ä»¤ç»å æ¶ï¼allå¯ä»¥ä¸è¢«ä½¿ç¨ã

-s -source [!] address[/mask]

æå®æºå°åï¼å¯ä»¥æ¯ä¸»æºåãç½ç»ååæ¸æ¥çIPå°åãmask说æå¯ä»¥æ¯ç½ç»æ©ç ææ¸æ¥çæ°åï¼å¨ç½ç»æ©ç ç左边æå®ç½ç»æ©ç å·¦è¾¹â1âç个æ°ï¼å æ- ¤ï¼mask å¼ä¸º24ç- äº255.255.255.0ãå¨æå®å°ååå ä¸"!"说ææå®äºç¸åçå°å段ãæ å¿
--src æ¯è¿ä¸ªé项çç®åã

-d --destination [!] address[/mask]

æå®ç®æ å°åï¼è¦è·å详ç»è¯´æ请åè§ -sæ å¿ç说æãæ å¿ --dst æ¯è¿ä¸ªé项çç®åã

-j --jump target

(-j ç®æ è·³è½¬)æå®è§åçç®æï¼ä¹å°±æ¯è¯´ï¼å¦æåå¹éåºå½åä»ä¹ãç®æå¯ä»¥æ¯ç¨ æ·èªå®ä¹é¾ï¼ä¸æ¯è¿æ¡è§åæå¨çï¼ï¼æ个ä¼ç«å³å³å®åçå½è¿çä¸ç¨å建ç®æï¼ æèä¸ä¸ªæ©å±ï¼åè§ä¸é¢çEXTENSIONSï¼ãå¦æè§åçè¿ä¸ªé项被忽ç¥ï¼é£ä¹å¹ éçè¿ç¨ä¸ä¼å¯¹å产çå½±åï¼ä¸è¿è§åç计æ°å¨ä¼å¢å ã

-i -in-interface [!] [name]

(i -è¿å¥çï¼ç½ç»ï¼æ¥å£ [!][å称])è¿æ¯åç»ç±è¯¥æ¥å£æ¥æ¶çå¯éçå¥å£å称ï¼åéè¿ è¯¥æ¥å£æ¥æ¶ï¼å¨é¾INPUTãFORWORDåPREROUTINGä¸è¿å¥çåï¼ãå½å¨æ¥å£å å使ç¨"!"说æåï¼æçæ¯ç¸åçå称ãå¦ææ¥å£ååé¢å ä¸"+"ï¼åææ以æ¤æ¥å£å å¼å¤´çæ¥å£é½ä¼è¢«å¹éãå¦æè¿ä¸ªé项被忽ç¥ï¼ä¼å设为"+"ï¼é£ä¹å°å¹éä»»ææ¥å£ã

-o --out-interface [!][name]

(-o --è¾åºæ¥å£[å称])è¿æ¯åç»ç±è¯¥æ¥å£éåºçå¯éçåºå£å称ï¼åéè¿è¯¥å£è¾åºï¼å¨ é¾FORWARDãOUTPUTåPOSTROUTINGä¸éåºçåï¼ãå½å¨æ¥å£åå使ç¨"!"说æ åï¼æçæ¯ç¸åçå称ãå¦ææ¥å£ååé¢å ä¸"+"ï¼åææ以æ¤æ¥å£åå¼å¤´çæ¥å£é½ä¼ 被å¹éãå¦æè¿ä¸ªé项被忽ç¥ï¼ä¼å设为"+"ï¼é£ä¹å°å¹éææä»»ææ¥å£ã

[!] -f, --fragment

( [!] -f --åç)è¿æå³çå¨åççåä¸- ï¼è§ååªè¯¢é®ç¬¬äºå以åççãèªé£ä»¥åç±äºæ æ³å¤æ- è¿ç§æåçæºç«¯å£æç®æ ç«¯å£ï¼æèæ¯ICMPç±»åçï¼ï¼è¿ç±»åå°ä¸è½å¹éä»» ä½æå®å¯¹ä»ä»¬è¿è¡å¹éçè§åãå¦æ"!"说æç¨å¨äº"-f"æå¿ä¹åï¼è¡¨ç¤ºç¸åçææã TP -c, --set-counters PKTS BYTES This enables the administrater to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations)

å¶ä»é项

è¿å¯ä»¥æå®ä¸åéå é项ï¼
-v --verbose

详ç»è¾åºãè¿ä¸ªé项让listå½ä»¤æ¾ç¤ºæ¥å£å°åãè§åé项ï¼å¦ææï¼åTOS ï¼Type of Serviceï¼æ©ç ãåååè计æ°å¨ä¹å°è¢«æ¾ç¤ºï¼åå«ç¨KãMãG (åç¼)表示1000ã1,000,000å1,000,000,000åï¼ä¸è¿è¯·åç-xæå¿æ¹åå®ï¼ï¼ 对äºæ·»å,æå¥,åé¤åæ¿æ¢å½ä»¤ï¼è¿ä¼ä½¿ä¸ä¸ªæå¤ä¸ªè§åçç¸å³è¯¦ç»ä¿¡æ¯è¢«æå°ã

-n --numeric

æ°åè¾åºãIPå°åå端å£ä¼ä»¥æ°åçå½¢å¼æå°ãé»è®¤æåµä¸ï¼ç¨åºè¯æ¾ 示主æºåãç½ç»åæèæå¡ï¼åªè¦å¯ç¨ï¼ã

-x -exact

æ©å±æ°åãæ¾ç¤ºåååè计æ°å¨ç精确å¼ï¼ä»£æ¿ç¨K,M,G表示ç约æ°ã è¿ä¸ªé项ä»è½ç¨äº -L å½ä»¤ã

--line-numbers

å½å表æ¾ç¤ºè§åæ¶ï¼å¨æ¯ä¸ªè§åçåé¢å ä¸è¡å·ï¼ä¸è¯¥è§åå¨é¾ä¸- çä½ç½®ç¸å¯¹åºã

对åºçæ©å±

iptablesè½å¤ä½¿ç¨ä¸äºä¸æ¨¡åå¹éçæ©å±åã以ä¸å°±æ¯å«äºåºæ¬ååç æ©å±åï¼èä¸ä»ä»¬å¤§å¤æ°é½å¯ä»¥éè¿å¨åé¢å ä¸!æ¥è¡¨ç¤ºç¸åçææã

tcp

å½ --protocol tcp 被æå®,ä¸å¶ä»å¹éçæ©å±æªè¢«æå®æ¶,è¿äºæ©å±è¢«è£è½½ãå®æä¾ä»¥ä¸é项ï¼
--source-port [!] [port[:port]]

æºç«¯å£æ端å£èå´æå®ãè¿å¯ä»¥æ¯æå¡åæ端å£å·ã使ç¨æ¼å¼ç«¯å£ï¼ç«¯å£ä¹å¯ä»¥ æå®åå«çï¼ç«¯å£ï¼èå´ãå¦æé¦ç«¯å£å·è¢«å¿½ç¥ï¼é»è®¤æ¯"0"ï¼å¦ææ«ç«¯å£å·è¢«å¿½ ç¥ï¼é»è®¤æ¯"65535"ï¼å¦æ第äº?é¾ä¸è¯¤ç³¯ç¬¥è¯è°æ¡è§¯?æ²æ- ¤?èå²å¤æ¢å¼§ï¼µé£§é²â ç¾æ¢¢åè¤? --sportçå«åã

--destionation-port [!] [port:[port]]

ç®æ ç«¯å£æ端å£èå´æå®ãè¿ä¸ªé项å¯ä»¥ä½¿ç¨ --dportå«åæ¥ä»£æ¿ã

--tcp-flags [!] mask comp

å¹éæå®çTCPæè®°ã第ä¸ä¸ªåæ°æ¯æ们è¦æ£æ¥çæè®°ï¼ä¸ä¸ªç¨éå·åå¼çåè¡¨ï¼ ç¬¬äºä¸ªåæ°æ¯ç¨éå·åå¼çæ è®°è¡¨,æ¯å¿é¡»è¢«è®¾ç½®çãæ è®°å¦ä¸ï¼SYN ACK FIN
RST URG PSH ALL NONEãå æ¤è¿æ¡å½ä»¤ï¼iptables -A FORWARD -p tcp --tcp-flags SYN, ACK,
FIN, RST SYNåªå¹éé£äºSYNæ è®°è¢«è®¾ç½®èACKãFINåRSTæ è®°æ²¡æ设置çåã

[!] --syn

åªå¹éé£äºè®¾ç½®äºSYNä½èæ¸é¤äºACKåFINä½çTCPåãè¿äºåç¨äºTCPè¿æ¥åå§ åæ¶ååºè¯·æ±ï¼ä¾å¦ï¼å¤§éçè¿ç§åè¿å¥ä¸ä¸ªæ¥å£åçå µå¡æ¶ä¼é»æ- ¢è¿å¥çTCPè¿æ¥ ï¼èåºå»çTCPè¿æ¥ä¸ä¼åå°å½±åãè¿çäº --tcp-flags SYN, RST, ACK SYNãå¦æ "--syn"åé¢æ"!"æ è®°ï¼è¡¨ç¤ºç¸åçææã

--tcp-option [!] number

å¹é设置äºTCPé项çã

udp

å½protocol udp 被æå®,ä¸å¶ä»å¹éçæ©å±æªè¢«æå®æ¶,è¿äºæ©å±è¢«è£è½½,å®æä¾ä»¥ä¸é项ï¼
--source-port [!] [port:[port]]

æºç«¯å£æ端å£èå´æå®ãè¯¦è§ TCPæ©å±ç--source-porté项说æã

--destination-port [!] [port:[port]]

ç®æ ç«¯å£æ端å£èå´æå®ãè¯¦è§ TCPæ©å±ç--destination-porté项说æã

icmp

å½protocol icmp被æå®,ä¸å¶ä»å¹éçæ©å±æªè¢«æå®æ¶,该æ©å±è¢«è£è½½ãå®æä¾ä»¥ä¸é项ï¼
--icmp-type [!] typename

è¿ä¸ªé项å许æå®ICMPç±»åï¼å¯ä»¥æ¯ä¸ä¸ªæ°å¼åçICMP?åå?èå¤ææ£é²æ??
iptables -p icmp -h
ææ¾ç¤ºçICMPç±»ååã

mac

--mac-source [!] address

å¹éç©çå°åãå¿é¡»æ¯XX:XX:XX:XX:XXè¿æ·çæ¼å¼ã注æå®åªå¯¹æ¥èªä»¥å¤ªè®¾å¤å¹¶ è¿å¥PREROUTINGãFORWORDåINPUTé¾çåææã

limit

è¿ä¸ªæ¨¡åå¹éæ å¿ç¨ä¸ä¸ªæ è®°æ¡¶è¿æ»¤å¨ä¸ä¸å®é度è¿è¡å¹é,å®åLOG ç®æ ç»å使ç¨æ¥ç»åºæéçç»éæ°.å½è¾¾å°è¿ä¸ªæéå¼æ¶,使ç¨è¿ä¸ªæ©å± åçè§åå°è¿è¡å¹é.(é¤é使ç¨äº â!âæ è®°)
--limit rate

æ大平åå¹ééçï¼å¯èµçå¼æ’/second’, ’/minute’, ’/hour’, or ’/day’è¿æ ·çåä½ï¼é»è®¤æ¯3/hourã

--limit-burst number

å¾å¹éååå§ä¸ªæ°çæ大å¼:è¥åé¢æå®çæéè¿æ²¡è¾¾å°è¿ä¸ªæ°å¼,åæ¦æ°å- å 1.é»è®¤å¼ä¸º5

multiport

è¿ä¸ªæ¨¡åå¹éä¸ç»æºç«¯å£æç®æ ç«¯å£,æå¤å¯ä»¥æå®15个端å£ãåªè½å-p tcp æè -p udp è¿ç使ç¨ã

--source-port [port[, port]]

å¦ææºç«¯å£æ¯å¶ä¸ä¸ä¸ªç»å®ç«¯å£åå¹é

--destination-port [port[, port]]

å¦æç®æ ç«¯å£æ¯å¶ä¸ä¸ä¸ªç»å®ç«¯å£åå¹é

--port [port[, port]]

è¥æºç«¯å£åç®ç端å£ç¸ç并ä¸æ个ç»å®ç«¯å£ç¸ç,åå¹éã

mark

è¿ä¸ªæ¨¡ååä¸netfilterè¿æ»¤å¨æ è®°å- 段å¹éï¼å°±å¯ä»¥å¨ä¸é¢è®¾ç½®ä¸ºä½¿ç¨MARKæ è®°ï¼ã
--mark value [/mask]

å¹éé£äºæ符å·æè®°å¼çåï¼å¦ææå®maskï¼å¨æ¯è¾ä¹åä¼ç»æ©çåä¸é»è¾çæè®°ï¼ã

owner

æ¤æ¨¡åè¯ä¸ºæ¬å°çæåå¹éåå建èçä¸åç¹å¾ã åªè½ç¨äºOUTPUTé¾ï¼èä¸å³ä½¿è¿æ ·ä¸äºåï¼å¦ICMP pingåºçï¼è¿ å¯è½æ²¡æææèï¼å æ¤æ°¸è¿ä¸ä¼å¹éã
--uid-owner userid

å¦æç»åºææçuser idï¼é£ä¹å¹éå®çè¿ç¨äº§ççåã

--gid-owner groupid

å¦æç»åºææçgroup idï¼é£ä¹å¹éå®çè¿ç¨äº§ççåã

--sid-owner seessionid

æ ¹æ®ç»åºçä¼è¯ç»å¹é该è¿ç¨äº§ççåã

state

æ¤æ¨¡åï¼å½ä¸è¿æ¥è·è¸ªç»å使ç¨æ¶ï¼å许访é®åçè¿æ¥è·è¸ªç¶æã
--state state

è¿éstateæ¯ä¸ä¸ªéå·åå²çå¹éè¿æ¥ç¶æå表ãå¯è½çç¶ææ¯:INVALID 表示åæ¯æªç¥è¿æ¥ï¼ESTABLISHED表示æ¯ååä¼ éçè¿æ¥ï¼NEW表示å 为æ°çè¿æ¥ï¼å¦åæ¯éååä¼ éçï¼èRELATED表示åç±æ°è¿æ¥å¼å§ï¼ä½ æ¯åä¸ä¸ªå·²åå¨çè¿æ¥å¨ä¸èµ·ï¼å¦FTPæ°æ®ä¼ éï¼æèä¸ä¸ªICMPé误ã

unclean

æ¤æ¨¡å没æå¯é项ï¼ä¸è¿å®è¯çå¹éé£äºå¥æªçãä¸å¸¸è§çåãå¤å¨å®éªä¸ã

tos

æ¤æ¨¡åå¹éIPåé¦é¨ç8ä½tosï¼æå¡ç±»åï¼å段ï¼ä¹å°±æ¯è¯´ï¼åå«å¨ä¼åä½ä¸ï¼ã
--tos tos

è¿ä¸ªåæ°å¯ä»¥æ¯ä¸ä¸ªæ åå称ï¼ï¼ç¨iptables -m tos -h å¯ç该å表ï¼ï¼æèæ°å¼ã

TARGET EXTENSIONS

iptableså¯ä»¥ä½¿ç¨æ©å±ç®æ æ¨¡åï¼ä»¥ä¸é½åå«å¨æ åçä¸ã

LOG

为å¹éçåå¼å¯å核记å½ãå½å¨è§åä¸è®¾ç½®äºè¿ä¸é项åï¼linuxåæ ¸ä¼é è¿printk()æå°ä¸äºå³äºå¨é¨å¹éåçä¿¡æ¯ï¼è¯¸å¦IPå头å段çï¼ã
--log-level level

è®°å½çº§å«ï¼æ°åæåç syslog.conf(5)ï¼ã

--log-prefix prefix

å¨çºªå½ä¿¡æ¯åå ä¸ç¹å®çåç¼ï¼æå¤14个åæ¯é¿ï¼ç¨æ¥åè®°å½ä¸- å¶ä»ä¿¡æ¯åºå«ã

--log-tcp-sequence

è®°å½TCPåºåå·ãå¦æè®°å½è½è¢«ç¨æ·è¯»åé£ä¹è¿å°åå¨å®å¨éæ£ã

--log-tcp-options

è®°å½æ¥èªTCPå头é¨çé项ã

--log-ip-options

è®°å½æ¥èªIPå头é¨çé项ã

MARK

ç¨æ¥è®¾ç½®åçnetfilteræ è®°å¼ãåªéç¨äºmangle表ã
--set-mark mark

REJECT

ä½ä¸ºå¯¹å¹éçåçååºï¼è¿åä¸ä¸ªé误çåï¼å¶ä»æåµä¸åDROPç¸åã æ- ¤ç®æ åªéç¨äºINPUTãFORWARDåOUTPUTé¾ï¼åè°ç¨è¿äºé¾çç¨ æ·èªå®ä¹é¾ãè¿å ä¸ªé项æ§å¶è¿åçé误åçç¹æ§ï¼
--reject-with type

Typeå¯ä»¥æ¯icmp-net-unreachableãicmp-host-unreachableãicmp-port-nreachableãicmp-prot o-unreachableã icmp-net-prohibited æè
icmp-host-prohibitedï¼è¯¥ç±»åä¼è¿åç¸åºçICMPé误信æ¯ï¼é»è®¤æ¯port-unreachableï¼ãé项
echo-replyä¹æ¯å许çï¼å®åªè½ç¨äºæå®ICMP
pingåçè§åä¸ï¼çæpingçååºãæåï¼é项tcp-resetå¯ä»¥ç¨äºå¨INPUTé¾ä¸,æ
èªINPUTé¾è°ç¨çè§åï¼åªå¹éTCPåè®®ï¼å°ååºä¸ä¸ªTCP
RSTåã

TOS

ç¨æ¥è®¾ç½®IPåçé¦é¨å«ä½tosãåªè½ç¨äºmangle表ã
--set-tos tos

ä½ å¯ä»¥ä½¿ç¨ä¸ä¸ªæ°å¼åçTOS å¼ï¼æèç¨iptables -j TOS -h æ¥æ¥çææTOSåå表ã

MIRROR

è¿æ¯ä¸ä¸ªè¯éªç¤ºèç®æ ï¼å¯ç¨äºè½¬æ¢IPé¦é¨å段ä¸çæºå°ååç®æ å°åï¼ åä¼é该å,并åªéç¨äºINPUTãFORWARDåOUTPUTé¾ï¼ä»¥ååªè°ç¨å®ä»¬çç¨æ·èªå®ä¹é¾ ã

SNAT

è¿ä¸ªç®æ åªéç¨äºnat表çPOSTROUTINGé¾ãå®è§å®ä¿®æ¹åçæºå° åï¼æ- ¤è¿æ¥ä»¥åææçåé½ä¼è¢«å½±åï¼ï¼åæ¢å¯¹è§åçæ£æ¥ï¼å®åå«é项ï¼
--to-source <ipaddr>[-<ipaddr>][:port-port]

å¯ä»¥æå®ä¸ä¸ªåä¸çæ°çIPå°åï¼ä¸ä¸ªIPå°åèå´ï¼ä¹å¯ä»¥éåä¸ä¸ªç«¯å£èå´ ï¼åªè½å¨æå®-p tcp æè-p udpçè§åéï¼ãå¦ææªæå®ç«¯å£èå´ï¼æºç«¯å£ä¸ 512以ä¸çï¼ç«¯å£ï¼ä¼è¢«å®ç½®ä¸ºå¶ä»ç512以ä¸ç端å£ï¼512å°1024ä¹é´çç«¯å£ ä¼è¢«å®ç½®ä¸º1024以ä¸çï¼å¶ä»ç«¯å£ä¼è¢«å®ç½®ä¸º1024æ以ä¸ãå¦æå¯è½ï¼ 端å£ä¸ä¼è¢«ä¿®æ¹ã

--to-destiontion <ipaddr>[-<ipaddr>][:port-port]

å¯ä»¥æå®ä¸ä¸ªåä¸çæ°çIPå°åï¼ä¸ä¸ªIPå°åèå´ï¼ä¹å¯ä»¥éåä¸ä¸ªç«¯å£èå´ï¼åªè½å¨æå®-p tcp æè-p
udpçè§åéï¼ãå¦ææªæå®ç«¯å£èå´ï¼ç®æ ç«¯å£ä¸ä¼è¢«ä¿®æ¹ã

MASQUERADE

åªç¨äºnat表çPOSTROUTINGé¾ãåªè½ç¨äºå¨æè·åIPï¼æ¨å·ï¼è¿æ¥ï¼å¦æä½ æ¥æéæIP å°åï¼ä½è¦ç¨SNATã伪è£ç¸å½äºç»åååºæ¶æç»è¿æ¥å£çIPå°å设置ä¸ä¸ªæåï¼å½æ¥å£å³ éè¿æ¥ä¼ç»æ- ¢ãè¿æ¯å ä¸ºå½ä¸ä¸æ¬¡æ¨å·æ¶æªå¿æ¯ç¸åçæ¥å£å°åï¼ä»¥åææ建ç«çè¿æ¥é½å° å³é- ï¼ãå®æä¸ä¸ªé项ï¼
--to-ports <port>[-port>]

æå®ä½¿ç¨çæºç«¯å£èå´ï¼è¦çé»è®¤çSNATæºå°åéæ©ï¼è§ä¸é¢ï¼ãè¿ä¸ªé项åªéç¨äºæå® äº-p tcpæè-p udpçè§åã

REDIRECT

åªéç¨äºnat表çPREROUTINGåOUTPUTé¾ï¼ååªè°ç¨å®ä»¬çç¨æ·èªå®ä¹é¾ãå®ä¿®æ¹åç ç®æ IPå°åæ¥åéåå°æºå¨èªèº«ï¼æ¬å°çæçå被å®ç½®ä¸ºå°å127.0.0.1ï¼ãå®åå«ä¸ 个é项ï¼
--to-ports <port>[<port>]

æå®ä½¿ç¨çç®ç端å£æ端å£èå´ï¼ä¸æå®çè¯ï¼ç®æ端å£ä¸ä¼è¢«ä¿®æ¹ãåªè½ç¨äºæå®äº-p tcp æ -p udpçè§åã

è¯æ

ä¸åçé误信æ¯ä¼æå°ææ åé误ï¼éåºä»£ç 0表示æ- £ç¡®ã类似äºä¸å¯¹çæè滥ç¨çå½ä»¤ è¡åæ°é误ä¼è¿åé误代ç 2ï¼å¶ä»é误è¿å代ç ä¸º1ã

èè«

æ£æ¥è¿æªå®æã

COMPATIBILITY WITH IPCHAINS

ä¸ipchainsçå¼å®¹æ§

This iptables is very similar to ipchains by Rusty Russell. The main difference
is that the chains INPUT and OUTPUT are only traversed for packets coming into
the local host and originating from the local host respectively. Hence every
pack only passes through one of the three chains; previously a forwarded packet
would pass through all three. The other main difference is that -I refers to
input interface; -o refers to the output interface, and both are available for
packets entering the FORWARD chain. iptables is a pure packet filter when using
the default filter’ table, with optional extension modules. This should
simplify much of the previous confusion over the combination of IP masquerading
and packet filtering seen previously. So the following options are handled
differently: -j MASQ -M -S -M -L There are several other chaines in iptables iptablesåRusty Russellçipchainsé常ç¸ä¼¼ã主è¦åºå«æ¯INPUT é¾åªç¨äºè¿å¥æ¬ å°ä¸»æºçå,èOUTPUTåªç¨äºèªæ¬å°ä¸»æºçæçåãå æ- ¤æ¯ä¸ªååªç»è¿ä¸ä¸ªé¾ç ä¸ä¸ªï¼ä»¥å转åçåä¼ç»è¿ææä¸ä¸ªé¾ãå¶ä»ä¸»è¦åºå«æ¯ -i å¼ç¨è¿å¥æ¥å£ï¼-oå¼ ç¨è¾åºæ¥å£ï¼ä¸¤èé½éç¨äºè¿å¥FORWARDé¾çåãå½åå¯éæ©å±æ¨¡åä¸èµ·ä½¿ç¨ é»è®¤è¿æ»¤å¨è¡¨æ¶ï¼iptablesæ¯ä¸ä¸ªçº¯ç²¹çåè¿æ»¤å¨ãè¿è½å¤§å¤§åå°ä»¥å对IP伪è£å åè¿æ»¤ç»å使ç¨çæ··æ·ï¼æ以以ä¸é项ä½äºä¸åçå¤çï¼ -j MASQ -M -S -M -L å¨iptablesä¸æå ä¸ªä¸åçé¾ã

åè§

iptables-HOWTOæ详ç»çiptablesç¨æ³,对netfilter-hacking-HOWTOä¹æ详ç»çæ¬è´¨è¯´æã

ä½è

Rusty Russell wrote iptables, in early consultation with Michael Neuling. Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
selection framework in iptables, then wrote the mangle table, the owner match,
the mark stuff, and ranaround doing cool stuff everywhere. James Morris wrote the TOS target, and tos match. Jozsef Kadlecsik wrote the REJECT target. The Netfilter Core Team is: Marc Boucher, Rusty Russell.
Mar 20, 2000

[ä¸æçç»´æ¤äºº]

æ¨é¹Â·NetSnake <netsnake@963.net>

[ä¸æçææ°æ´æ°]

2003.11.20

ãä¸å½linux论åmanæå页翻è¯è®¡åã:

http://cmpp.linuxforum.net

è·

æ¬é¡µé¢ä¸æçç±ä¸æ man æå页计åæä¾ã
ä¸æ man æå页计åï¼https://github.com/man-pages-zh/manpages-zh