7.7. Using iptables
The iptables command is extensible through dynamically loaded libraries. It is included in the netfilter source package available at http://www.netfilter.org/. It will also be included in any Linux distribution based on the 2.4 series kernels.
The iptables command is used to configure IP filtering and NAT (along with other packet-processing applications, including accounting, logging, and mangling). To facilitate this, there are two tables of rules called filter and nat. The filter table is assumed if you do not specify the -t option to override it. Five built-in chains are also provided. The INPUT and FORWARD chains are available for the filter table, the PREROUTING and POSTROUTING chains are available for the nat table, and the OUTPUT chain is available for both tables. In this chapter we'll discuss only the filter table. We'll look at the nat table in Chapter 9.

The general syntax of most iptables commands is:

# iptables command rule-specification extensions

Now we'll take a look at some options in detail, after which we'll review some examples.

Most of the options for the iptables command can be grouped into subcommands and rule match criteria. Table 7-6 describes the other options.

Table 7-6. iptables miscellaneous options
Option | Description
--- | ---
-c packets bytes | When combined with the -A, -I, or -R subcommand, sets the packet counter to packets and the byte counter to bytes for the new or modified rule.
--exact | Synonym for -x.
-h | Displays information on iptables usage. If it appears after -m match or -j target, then any additional help related to the extension match or target (respectively) is also displayed.
--help | Synonym for -h.
-j target [options] | Determines what to do with packets matching this rule. The target can be the name of a user-defined chain, one of the built-in targets, or an iptables extension (in which case there may be additional options).
--jump | Synonym for -j.
--line-numbers | When combined with the -L subcommand, displays numbers for the rules in each chain, so you can refer to the rules by index when inserting rules into (via -I) or deleting rules from (via -D) a chain. Be aware that the line numbering changes as you add and remove rules in the chain.
-m match [options] | Invokes an extended match, possibly with additional options.
--match | Synonym for -m.
-M cmd | Used to load an iptables module (with new targets or match extensions) when appending, inserting, or replacing rules.
--modprobe=cmd | Synonym for -M.
-n | Displays numeric addresses and ports, instead of looking up domain names for the IP addresses and service names for the port numbers. This can be especially useful if your DNS service is slow or down.
--numeric | Synonym for -n.
--set-counters | Synonym for -c.
-t table | Performs the specified subcommand on table. If this option is not used, the subcommand operates on the filter table by default.
--table | Synonym for -t.
-v | Produces verbose output.
--verbose | Synonym for -v.
-x | Displays exact numbers for packet and byte counters, rather than the default abbreviated format with metric suffixes (K, M, or G).
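As an added example (not from the book), the following script puts the -L, -n, -v, --line-numbers and -D options of Table 7-6 to work together: it picks out the indexes of rules with a given target from a chain listing and deletes them by index, highest index first, because the numbering shifts after every deletion. The listing it parses is constructed, and the function names rule_indexes_for_target and delete_by_index are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the book. Combines the -L, -n, -v, --line-numbers
# and -D options from Table 7-6: find the indexes of rules with a given
# target in a chain listing, then delete them by index. Indexes shift after
# every -D, so the deletions are issued highest index first.
# IPTABLES defaults to 'echo' (dry run: prints the commands it would run);
# set IPTABLES=iptables to apply them for real (requires root).
IPTABLES="${IPTABLES:-echo}"

# Read 'iptables -L CHAIN -n -v --line-numbers' output on stdin and print the
# index (column 1) of every rule whose target (column 4) equals $1.
# Assumes every rule has a target: a rule added without -j prints an empty
# target column, which would shift the fields.
rule_indexes_for_target() {
    awk -v t="$1" '$1 ~ /^[0-9]+$/ && $4 == t { print $1 }'
}

# Delete rules $2, $3, ... from chain $1 by index, in descending order so an
# earlier deletion does not renumber a rule that is still to be deleted.
delete_by_index() {
    chain="$1"; shift
    for idx in $(printf '%s\n' "$@" | sort -rn); do
        "$IPTABLES" -D "$chain" "$idx"
    done
}

# Constructed sample listing in the layout of 'iptables -L INPUT -n -v --line-numbers'.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        3   180 DROP       tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
4        7   420 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0'

# Remove every DROP rule from the sample chain; the dry run prints
# "-D INPUT 4" and then "-D INPUT 2".
drop_idx=$(printf '%s\n' "$SAMPLE_LISTING" | rule_indexes_for_target DROP)
delete_by_index INPUT $drop_idx
```

To use it against a live chain, pipe real listing output into rule_indexes_for_target and set IPTABLES=iptables only after the dry run shows the commands you expect.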
7.7.1. Getting Help
iptables provides several sources of online help. You can get basic information via the following commands:

iptables -h | --help
iptables -m match -h
iptables -j TARGET -h
man iptables

Sometimes there are contradictions among these sources of information.