iptables

Iptables(8)                 System Manager's Manual                Iptables(8)



NAME
       iptables - IP packet filter administration


SYNOPSIS
       iptables -[ADC] chain rule-specification [options]   (-A append, -D delete, -C check)
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -P chain target [options]
       iptables -E old-chain-name new-chain-name


DESCRIPTION
       iptables is used to set up, maintain and inspect the IP packet filter
       rules of the Linux kernel.

       Several different tables may be defined. Each table contains a number
       of built-in chains and may also contain user-defined chains. Each chain
       is a list of rules which are matched against the corresponding packets:
       each rule specifies what to do with a packet that matches it. This is
       called a 'target', and it may also be a jump to a user-defined chain in
       the same table.


TARGETS
       A firewall rule specifies criteria for a packet, and a target. If the
       packet does not match, the next rule in the chain is examined; if it
       does match, then the next rule is determined by the value of the
       target, which can be the name of a user-defined chain, or one of the
       special values ACCEPT, DROP, QUEUE or RETURN.

       ACCEPT
               means to let the packet through.
       DROP
               means to drop the packet on the floor.
       QUEUE
               means to pass the packet to userspace.
       RETURN
               means stop traversing this chain and resume at the rules of the
               previous (calling) chain. If the end of a built-in chain is
               reached, or a rule in a built-in chain with target RETURN is
               matched, the fate of the packet is decided by the target
               specified by the chain policy.


TABLES
       There are currently three tables (which tables are present at any time
       depends on the kernel configuration options and on which modules are
       loaded).

       -t table
              This option specifies the packet matching table which the
              command should operate on. If the kernel is configured with
              automatic module loading, an attempt will be made to load the
              appropriate module for that table if it is not already there.

              The tables are as follows:

       filter This is the default table. It contains the built-in chains
              INPUT (for packets coming into the box), FORWARD (for packets
              being routed through the box) and OUTPUT (for locally generated
              packets).

       nat    This table is consulted when a packet that creates a new
              connection is encountered. It consists of three built-in chains:
              PREROUTING (for altering packets as soon as they come in),
              OUTPUT (for altering locally generated packets before routing)
              and POSTROUTING (for altering packets as they are about to go
              out).

       mangle This table is used for specialized packet alteration. It has two
              built-in chains: PREROUTING (for altering incoming packets
              before routing) and OUTPUT (for altering locally generated
              packets before routing).


OPTIONS
       The options recognized by iptables can be divided into several groups.

   COMMANDS
       These options specify the specific action to perform. Only one of them
       can be specified on the command line unless otherwise specified below.
       For all the long versions of the command and option names, you need to
       use only enough letters to ensure that iptables can differentiate it
       from all other options.

       -A, --append
              Append one or more rules to the end of the selected chain. When
              the source and/or destination names resolve to more than one
              address, a rule will be added for each possible address
              combination.

       -D, --delete
              Delete one or more rules from the selected chain. There are two
              versions of this command: the rule can be specified as a number
              in the chain (starting at 1 for the first rule) or as a rule to
              match.

       -R, --replace
              Replace a rule in the selected chain. If the source and/or
              destination names resolve to multiple addresses, the command
              will fail. Rules are numbered starting at 1.

       -I, --insert
              Insert one or more rules in the selected chain as the given rule
              number. So, if the rule number is 1, the rule or rules are
              inserted at the head of the chain. This is also the default if
              no rule number is specified.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed. It is legal to specify the -Z (zero)
              option as well, in which case the chain(s) will be atomically
              listed and zeroed. The exact output is affected by the other
              arguments given.

       -F, --flush
              Flush the selected chain. This is equivalent to deleting all the
              rules one by one.

       -Z, --zero
              Zero the packet and byte counters in all chains. It may be used
              with -L to see the counters immediately before they are cleared;
              see above.

       -N, --new-chain
              Create a new user-defined chain by the given name. There must be
              no chain of that name already.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              references to the chain; if there are, you must delete or
              replace the referring rules before the chain can be deleted. If
              no argument is given, it will attempt to delete every
              non-built-in chain.

       -P, --policy
              Set the policy for the chain to the given target. See the
              section TARGETS for the legal targets. Only built-in chains
              (not user-defined chains) can have policies, and neither
              built-in nor user-defined chains can be policy targets.

       -E, --rename-chain
              Rename the specified chain to the user-supplied name. This is
              cosmetic and has no effect on the structure of the table.

       -h     Help. Give a (currently very brief) description of the command
              syntax.

   PARAMETERS
       The following parameters make up a rule specification (as used in the
       add, delete, replace, append and check commands).

       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check. The
              specified protocol can be one of tcp, udp, icmp, or all, or it
              can be a numeric value representing one of these protocols. A
              protocol name from /etc/protocols is also allowed. A "!"
              argument before the protocol inverts the test. The number zero
              is equivalent to all. Protocol all will match with all protocols
              and is taken as the default when this option is omitted. all
              may not be used in combination with the check command.

       -s, --source [!] address[/mask]
              Source specification. address can be either a hostname, a
              network name, or a plain IP address. The mask can be either a
              network mask or a plain number, specifying the number of 1's at
              the left side of the network mask; thus a mask of 24 is
              equivalent to 255.255.255.0. A "!" argument before the address
              specification inverts the sense of the address. The flag --src
              is a convenient alias for this option.

       -d, --destination [!] address[/mask]
              Destination specification. See the description of the -s flag
              for a detailed description of the syntax. The flag --dst is an
              alias for this option.

       -j, --jump target
              This specifies the target of the rule, i.e. what to do if the
              packet matches it. The target can be a user-defined chain (other
              than the one this rule is in), one of the special built-in
              targets which decide the fate of the packet immediately, or an
              extension (see EXTENSIONS below). If this option is omitted in a
              rule, then matching the rule will have no effect on the packet's
              fate, but the counters on the rule will be incremented.

       -i, --in-interface [!] [name]
              Optional name of an interface via which a packet is received
              (for packets entering the INPUT, FORWARD and PREROUTING chains).
              When the "!" argument is used before the interface name, the
              sense is inverted. If the interface name ends in a "+", then any
              interface which begins with this name will match. If this option
              is omitted, the string "+" is assumed, which will match any
              interface name.

       -o, --out-interface [!] [name]
              Optional name of an interface via which a packet is going to be
              sent (for packets entering the FORWARD, OUTPUT and POSTROUTING
              chains). When the "!" argument is used before the interface
              name, the sense is inverted. If the interface name ends in a
              "+", then any interface which begins with this name will match.
              If this option is omitted, the string "+" is assumed, which will
              match any interface name.

       [!] -f, --fragment
              This means that the rule only refers to the second and further
              fragments of fragmented packets. Since there is no way to tell
              the source or destination ports of such a packet (or its ICMP
              type), such a packet will not match any rule which specifies
              them. When the "!" argument precedes the "-f" flag, the sense is
              inverted.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and byte
              counters of a rule (during INSERT, APPEND, REPLACE operations).


   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output. This option makes the list command show the
              interface address, the rule options (if any), and the TOS (Type
              of Service) masks. The packet and byte counters are also listed,
              with the suffix K, M or G for 1000, 1,000,000 and 1,000,000,000
              multipliers respectively (but see the -x flag to change this).
              For appending, insertion, deletion and replacement, this causes
              detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output. IP addresses and port numbers are printed in
              numeric format. By default, the program tries to display them as
              host names, network names, or services (whenever applicable).

       -x, --exact
              Expand numbers. Display the exact value of the packet and byte
              counters, instead of only the rounded number in K's (thousands),
              M's (millions) and G's (billions). This option is only relevant
              for the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each
              rule, corresponding to that rule's position in the chain.


MATCH EXTENSIONS
       iptables can use extended packet matching modules. The following are
       included in the base package, and most of these can be preceded by a
       "!" to invert the sense of the match.


   tcp
       These extensions are loaded if --protocol tcp is specified, and no
       other match is specified. It provides the following options:

       --source-port [!] [port[:port]]
              Source port or port range specification. This can either be a
              service name or a port number. An inclusive range can also be
              specified, using the format port:port. If the first port is
              omitted, "0" is assumed; if the last is omitted, "65535" is
              assumed. If the second port is greater than the first they will
              be swapped. The flag --sport is an alias for this option.

       --destination-port [!] [port[:port]]
              Destination port or port range specification. The flag --dport
              is an alias for this option.

       --tcp-flags [!] mask comp
              Match when the TCP flags are as specified. The first argument is
              the flags which we should examine, written as a comma-separated
              list, and the second argument is a comma-separated list of flags
              which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE.
              Hence the command
                     iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
              will only match packets with the SYN flag set, and the ACK, FIN
              and RST flags unset.

       [!] --syn
              Only match TCP packets with the SYN bit set and the ACK and FIN
              bits cleared. Such packets are used to request TCP connection
              initiation; for example, blocking such packets coming in an
              interface will prevent incoming TCP connections, but outgoing
              TCP connections will be unaffected. It is equivalent to
              --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes "--syn",
              the sense of the option is inverted.

       --tcp-option [!] number
              Match if the TCP option is set.
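
The mask/comp semantics of --tcp-flags and the --syn shorthand above, as an added Python model that is not part of this manual page or of iptables itself; the flag names are the page's, while representing a packet as a set of flag-name strings is an assumption of the example.

```python
# Model of the "--tcp-flags mask comp" and "--syn" matching semantics described
# above. Added illustration only, not iptables or netfilter source code; the flag
# names follow the man page, while representing a packet as a set of flag-name
# strings is our own convention.
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def parse_flag_list(spec):
    """Turn 'SYN,ACK,FIN,RST', 'ALL' or 'NONE' into a set of flag names."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return set(TCP_FLAGS)
    if spec == "NONE":
        return set()
    flags = {f.strip() for f in spec.split(",") if f.strip()}
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError("unknown TCP flag(s): " + ",".join(sorted(unknown)))
    return flags


def tcp_flags_match(mask, comp, packet_flags, negate=False):
    """True when, looking only at the flags named in `mask`, the packet has
    exactly the flags in `comp` set and every other masked flag clear."""
    mask_set = parse_flag_list(mask)
    comp_set = parse_flag_list(comp)
    if not comp_set <= mask_set:
        raise ValueError("comp flags must be a subset of the mask")
    matched = (set(packet_flags) & mask_set) == comp_set
    return not matched if negate else matched


def syn_match(packet_flags, negate=False):
    """The --syn shorthand, equivalent to --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", packet_flags, negate)


if __name__ == "__main__":
    # Constructed sample packets: a connection request, a handshake reply,
    # a SYN with FIN also set, and a data segment.
    rule = ("SYN,ACK,FIN,RST", "SYN")
    for pkt in ({"SYN"}, {"SYN", "ACK"}, {"SYN", "FIN"}, {"ACK", "PSH"}):
        print(sorted(pkt), "4-flag rule:", tcp_flags_match(*rule, pkt),
              "--syn:", syn_match(pkt))
```

The SYN+FIN packet shows the difference between the two rules: --syn ignores FIN because FIN is not in its mask, while the four-flag rule from the page rejects it.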


   udp
       These extensions are loaded if --protocol udp is specified, and no
       other match is specified. It provides the following options:

       --source-port [!] [port[:port]]
              Source port or port range specification. See the description of
              the --source-port option of the TCP extension for details.

       --destination-port [!] [port[:port]]
              Destination port or port range specification. See the
              description of the --destination-port option of the TCP
              extension for details.


   icmp
       This extension is loaded if --protocol icmp is specified, and no other
       match is specified. It provides the following option:

       --icmp-type [!] typename
              This allows specification of the ICMP type, which can be a
              numeric ICMP type, or one of the ICMP type names shown by the
              command
                     iptables -p icmp -h


   mac
       --mac-source [!] address
              Match source MAC address. It must be of the form
              XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets
              entering the PREROUTING, FORWARD or INPUT chains from an
              Ethernet device.


   limit
       This module matches at a limited rate using a token bucket filter: it
       can be used in combination with the LOG target to give limited logging.
       A rule using this extension will match until this limit is reached
       (unless the "!" flag is used).

       --limit rate
              Maximum average matching rate: specified as a number, with an
              optional '/second', '/minute', '/hour', or '/day' suffix; the
              default is 3/hour.

       --limit-burst number
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.
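
The token bucket behind --limit and --limit-burst, as an added Python model that is not part of this manual page or of netfilter; the defaults (3/hour, burst 5) and unit names are the page's, the arrival times are constructed input.

```python
# Token-bucket model of the limit match ("--limit rate --limit-burst number")
# described above, as used with the LOG target to cap log volume. Added
# illustration only, not netfilter code: the bucket starts full with `burst`
# tokens, refills at `rate`, and a packet matches only if a token is available.
from fractions import Fraction

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """'3/hour' -> Fraction(3, 3600) tokens per second; a bare number is per second."""
    count, _, unit = spec.partition("/")
    unit = (unit or "second").strip().lower()
    if unit not in UNIT_SECONDS:
        raise ValueError("bad rate unit %r (second, minute, hour or day)" % unit)
    return Fraction(int(count), UNIT_SECONDS[unit])


class LimitMatch:
    def __init__(self, rate="3/hour", burst=5):   # the man page defaults
        self.rate = parse_rate(rate)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)   # bucket starts full
        self.last = Fraction(0)

    def matches(self, now):
        """Return True if a packet arriving at time `now` (seconds) matches."""
        now = Fraction(now)
        if now > self.last:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
            self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(arrivals, rate="3/hour", burst=5):
    """Apply one limit match to a list of arrival times (seconds); one bool per packet."""
    m = LimitMatch(rate, burst)
    return [m.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed burst: six packets at once, then two more 20 minutes later.
    print(simulate([0, 0, 0, 0, 0, 0, 1200, 1200]))
```

With the defaults, a rule such as -m limit --limit 3/hour --limit-burst 5 -j LOG logs the first five packets of a burst, then one more every 20 minutes, which is the "limited logging" the page refers to.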

   multiport
       This module matches a set of source or destination ports. Up to 15
       ports can be specified. It can only be used in conjunction with -p tcp
       or -p udp.

       --source-port [port[,port]]
              Match if the source port is one of the given ports.

       --destination-port [port[,port]]
              Match if the destination port is one of the given ports.

       --port [port[,port]]
              Match if both the source and destination ports are equal to each
              other and to one of the given ports.


   mark
       This module matches the netfilter mark field associated with a packet
       (which can be set using the MARK target below).

       --mark value[/mask]
              Matches packets with the given unsigned mark value (if a mask is
              specified, this is logically ANDed with the mark before the
              comparison).


   owner
       This module attempts to match various characteristics of the packet
       creator, for locally generated packets. It is only valid in the OUTPUT
       chain, and even then some packets (such as ICMP ping responses) may
       have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the given
              effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the given
              effective group id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the given
              session group.


   state
       This module, when combined with connection tracking, allows access to
       the connection tracking state for this packet.

       --state state
              Where state is a comma-separated list of the connection states
              to match. Possible states are: INVALID, meaning that the packet
              is associated with no known connection; ESTABLISHED, meaning
              that the packet is associated with a connection which has seen
              packets in both directions; NEW, meaning that the packet has
              started a new connection, or is otherwise associated with a
              connection which has not seen packets in both directions; and
              RELATED, meaning that the packet is starting a new connection,
              but is associated with an existing connection, such as an FTP
              data transfer or an ICMP error.


   unclean
       This module takes no options, but attempts to match packets which seem
       malformed or unusual. This is regarded as experimental.


   tos
       This module matches the 8 bits of the Type of Service field in the IP
       header (i.e. including the precedence bits).

       --tos tos
              The argument is either a standard name (use iptables -m tos -h
              to see the list), or a numeric value to match.


TARGET EXTENSIONS
       iptables can use extended target modules: the following are included
       in the standard distribution.


   LOG
       Turn on kernel logging of matching packets. When this option is set
       for a rule, the Linux kernel will print some information on all
       matching packets (like most IP header fields) via printk().

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 14 letters
              long, and useful for distinguishing messages in the logs.

       --log-tcp-sequence
              Log TCP sequence numbers. This is a security risk if the log is
              readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP packet header.


   MARK
       This is used to set the netfilter mark value associated with the
       packet. It is only valid in the mangle table.

       --set-mark mark


   REJECT
       This is used to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP. This target is only valid
       in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which
       are only called from those chains. Several options control the nature
       of the error packet returned:

       --reject-with type
              The type given can be icmp-net-unreachable,
              icmp-host-unreachable, icmp-port-unreachable,
              icmp-proto-unreachable, icmp-net-prohibited or
              icmp-host-prohibited, which return the appropriate ICMP error
              message (port-unreachable is the default). The option
              echo-reply is also allowed; it can only be used for rules which
              specify an ICMP ping packet, and generates a ping reply.
              Finally, the option tcp-reset can be used on rules in the INPUT
              chain, or rules called from the INPUT chain, which only match
              the TCP protocol: this causes a TCP RST packet to be sent back.


   TOS
       This is used to set the 8-bit Type of Service field in the IP header.
       It is only valid in the mangle table.

       --set-tos tos
              You can use a numeric TOS value, or use iptables -j TOS -h to
              see the list of valid TOS names.

   MIRROR
       This is an experimental demonstration target which inverts the source
       and destination fields in the IP header and retransmits the packet. It
       is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined
       chains which are only called from those chains.


   SNAT
       This target is only valid in the nat table, in the POSTROUTING chain.
       It specifies that the source address of the packet should be modified
       (and all future packets in this connection will also be mangled), and
       rules should cease being examined. It takes the following option:

       --to-source <ipaddr>[-<ipaddr>][:port-port]
              which can specify a single new source IP address, an inclusive
              range of IP addresses, and optionally, a port range (which is
              only valid if the rule also specifies -p tcp or -p udp). If no
              port range is specified, then source ports below 512 will be
              mapped to other ports below 512; those between 512 and 1023
              inclusive will be mapped to ports below 1024, and other ports
              will be mapped to 1024 or above. Where possible, no port
              alteration will occur.

       --to-destination <ipaddr>[-<ipaddr>][:port-port]
              which can specify a single new destination IP address, an
              inclusive range of IP addresses, and optionally, a port range
              (which is only valid if the rule also specifies -p tcp or -p
              udp). If no port range is specified, then the destination port
              will never be modified.
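
The --to-source argument syntax and the default source-port bands above, as an added Python model that is not part of this manual page or of netfilter. It assumes the lowest free port as the tie-break (the page does not say how netfilter picks one), that a port in 512-1023 stays in 512-1023 (the page only says "below 1024"), and the set of ports already in use is constructed input.

```python
# Model of how SNAT picks the new source port for --to-source, as described
# above: an explicit :port-port range is honoured; otherwise the original port
# is kept when free, else a port in the same band (below 512, 512-1023, 1024
# and up) is chosen. Added illustration only, not netfilter code. Assumptions:
# the lowest free port is the tie-break (the page does not say how netfilter
# chooses), ports 512-1023 stay in 512-1023, and `in_use` is constructed input.
import ipaddress


def parse_to_source(spec):
    """Parse '<ipaddr>[-<ipaddr>][:port-port]' into (first_ip, last_ip, port_range)."""
    addr_part, _, port_part = spec.partition(":")
    first, _, last = addr_part.partition("-")
    first_ip = ipaddress.IPv4Address(first)
    last_ip = ipaddress.IPv4Address(last) if last else first_ip
    if last_ip < first_ip:
        raise ValueError("address range ends before it starts")
    port_range = None
    if port_part:
        lo, _, hi = port_part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range " + port_part)
        port_range = (lo, hi)
    return first_ip, last_ip, port_range


def default_band(port):
    """Band SNAT keeps a source port within when no port range is given."""
    if port < 512:
        return (1, 511)
    if port < 1024:
        return (512, 1023)
    return (1024, 65535)


def choose_source_port(orig_port, in_use, port_range=None):
    """Return the translated source port; `in_use` is the set already taken."""
    lo, hi = port_range if port_range else default_band(orig_port)
    if lo <= orig_port <= hi and orig_port not in in_use:
        return orig_port              # "where possible, no port alteration"
    for candidate in range(lo, hi + 1):
        if candidate not in in_use:
            return candidate
    raise RuntimeError("no free source port in %d-%d" % (lo, hi))
```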


   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain.
       It should only be used with dynamically assigned IP (dialup)
       connections: if you have a static IP address, you should use the SNAT
       target. Masquerading is equivalent to specifying a mapping to the IP
       address of the interface the packet is going out, but also has the
       effect that connections are forgotten when the interface goes down.
       This is the correct behaviour when the next dialup is unlikely to have
       the same interface address (and hence any established connections are
       lost anyway). It takes one option:

       --to-ports <port>[-<port>]
              This specifies a range of source ports to use, overriding the
              default SNAT source port-selection heuristics (see above). This
              is only valid if the rule also specifies -p tcp or -p udp.


   REDIRECT
       This target is only valid in the nat table, in the PREROUTING and
       OUTPUT chains, and user-defined chains which are only called from
       those chains. It alters the destination IP address to send the packet
       to the machine itself (locally generated packets are mapped to the
       127.0.0.1 address). It takes one option:

       --to-ports <port>[-<port>]
              This specifies a destination port or range of ports to use:
              without this, the destination port is never altered. This is
              only valid if the rule also specifies -p tcp or -p udp.


DIAGNOSTICS
       Various error messages are printed to standard error. The exit code is
       0 for correct functioning. Errors which appear to be caused by invalid
       or abused command line parameters cause an exit code of 2, and other
       errors cause an exit code of 1.


BUGS
       Check is not implemented (yet).


COMPATIBILITY WITH IPCHAINS
       This iptables is very similar to ipchains by Rusty Russell. The main
       difference is that the chains INPUT and OUTPUT are only traversed for
       packets coming into the local host and originating from the local host
       respectively. Hence every packet only passes through one of the three
       chains; previously a forwarded packet would pass through all three.
       The other main difference is that -i refers to the input interface; -o
       refers to the output interface, and both are available for packets
       entering the FORWARD chain. iptables is a pure packet filter when using
       the default `filter' table, with optional extension modules. This
       should simplify much of the previous confusion over the combination of
       IP masquerading and packet filtering seen previously. So the following
       options are handled differently: -j MASQ -M -S -M -L There are several
       other chains in iptables


SEE ALSO
       The iptables-HOWTO, which details more iptables usage, and the
       netfilter-hacking-HOWTO, which details the internals.


AUTHORS
       Rusty Russell wrote iptables, in early consultation with Michael
       Neuling. Marc Boucher made Rusty abandon ipnatctl by lobbying for a
       generic packet selection framework in iptables, then wrote the mangle
       table, the owner match, the mark stuff, and ran around doing cool stuff
       everywhere. James Morris wrote the TOS target, and tos match. Jozsef
       Kadlecsik wrote the REJECT target. The Netfilter Core Team is: Marc
       Boucher, Rusty Russell.

                                  Mar 20, 2000


[CHINESE VERSION MAINTAINER]
       梁鵬·NetSnake <netsnake@963.net>

[CHINESE VERSION LAST UPDATED]
       2003.11.20

China Linux Forum man page translation project:
       http://cmpp.linuxforum.net

POSTSCRIPT
       The Chinese version of this page is provided by the Chinese man pages
       project.
       Chinese man pages project: https://github.com/man-pages-zh/manpages-zh



                                iptables Chinese manual                    Iptables(8)