iptables

Iptables(8)                 System Manager's Manual                Iptables(8)



NAME
       iptables - IP packet filter administration


SYNOPSIS
       iptables -ADC chain rule-specification [options]  [-A append, -D delete, -C check]
       iptables -RI chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -LFZ [chain] [options]
       iptables -[NX] chain
       iptables -P chain target [options]
       iptables -E old-chain-name new-chain-name


DESCRIPTION
       iptables is used to set up, maintain and inspect the IP packet filter
       rules of the Linux kernel.

       Several different tables may be defined. Each table contains a number of
       built-in chains and may also contain user-defined chains. Each chain is a
       list of rules which are matched against the corresponding packets: each
       rule specifies what to do with a packet that matches it. This is called a
       'target'; it may also be a jump to a user-defined chain in the same
       table.


TARGETS
       A firewall rule specifies criteria for a packet, and a target. If the
       packet does not match, the next rule in the chain is examined; if it does
       match, then the next rule is specified by the value of the target. That
       target value can be the name of a user-defined chain, or one of the
       special values ACCEPT, DROP, QUEUE or RETURN.

       ACCEPT
              means to let the packet through.
       DROP
              means to drop the packet.
       QUEUE
              means to pass the packet to userspace.
       RETURN
              means stop traversing this chain and resume at the next rule in
              the previous (calling) chain. If the end of a built-in chain is
              reached, or a rule in a built-in chain with target RETURN is
              matched, the target specified by the chain policy determines the
              fate of the packet.


TABLES
       There are currently three tables (which tables are present depends on the
       kernel configuration options and on which modules are loaded).

       -t table
              This option specifies the packet matching table which the command
              should operate on. If the kernel is configured with automatic
              module loading, an attempt will be made to load the appropriate
              module for that table if it is not already loaded.

              The tables are as follows:

       filter This is the default table. It contains the built-in chains INPUT
              (for packets coming in), FORWARD (for packets being routed
              through) and OUTPUT (for locally generated packets).

       nat    This table is consulted when a packet that creates a new
              connection is encountered. It consists of three built-in chains:
              PREROUTING (for altering packets as soon as they come in), OUTPUT
              (for altering locally generated packets before routing) and
              POSTROUTING (for altering packets as they are about to go out).

       mangle This table is used for specialized packet alteration. It has two
              built-in chains: PREROUTING (for altering incoming packets before
              routing) and OUTPUT (for altering locally generated packets
              before routing).


OPTIONS
       The options recognized by iptables can be divided into several groups.

   COMMANDS
       These options specify the specific action to perform; only one of them
       can be specified on the command line unless otherwise specified below.
       For all the long versions of the command and option names, you need to
       use only enough letters to ensure that iptables can differentiate it
       from all other options.

       -A, --append
              Append one or more rules to the end of the selected chain. When
              the source and/or destination names resolve to more than one
              address, a rule will be added for each possible address
              combination.

       -D, --delete
              Delete one or more rules from the selected chain. There are two
              versions of this command: the rule can be specified as a number
              in the chain (starting at 1 for the first rule) or as a rule to
              match.

       -R, --replace
              Replace a rule in the selected chain. If the source and/or
              destination names resolve to multiple addresses, the command
              will fail. Rules are numbered starting at 1.

       -I, --insert
              Insert one or more rules in the selected chain as the given rule
              number. So, if the rule number is 1, the rule or rules are
              inserted at the head of the chain. This is also the default if
              no rule number is specified.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed. It is legal to specify the -Z (zero)
              option as well, in which case the chain(s) will be atomically
              listed and zeroed. The exact output is affected by the other
              arguments given.

       -F, --flush
              Flush the selected chain. This is equivalent to deleting all the
              rules one by one.

       -Z, --zero
              Zero the packet and byte counters in all chains. It may be used
              with the -L option to see the counters immediately before they
              are cleared; see above.

       -N, --new-chain
              Create a new user-defined chain with the given name. There must
              be no chain of that name already.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              references to the chain; if there are, you must delete or
              replace the referring rules before the chain can be deleted. If
              no argument is given, this command will attempt to delete every
              non-built-in chain.

       -P, --policy
              Set the policy (default target) for the chain. See the section
              TARGETS for the legal targets. Only non-user-defined chains can
              have policies, and neither built-in nor user-defined chains can
              be policy targets.

       -E, --rename-chain
              Rename the specified chain to the name given by the user; this
              is cosmetic and has no effect on the structure of the table.

       -h     Help. Give a (currently very brief) description of the command
              syntax.

   PARAMETERS
       The following parameters make up a rule specification, as used in the
       add, delete, replace, append and check commands.

       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check. The specified
              protocol can be one of tcp, udp, icmp, or all, or it can be a
              numeric value representing one of these protocols. A protocol
              name from /etc/protocols is also allowed. A "!" argument before
              the protocol inverts the test. The number 0 is equivalent to
              all. Protocol all will match with all protocols and is taken as
              the default when this option is omitted. all may not be used in
              combination with the check command.

       -s, --source [!] address[/mask]
              Source specification. Address can be a host name, a network
              name, or a plain IP address. The mask can be either a network
              mask or a plain number specifying the number of 1's at the left
              side of the network mask; thus a mask of 24 is equivalent to
              255.255.255.0. A "!" argument before the address specification
              inverts the sense of the address. The flag --src is a convenient
              alias for this option.

       -d, --destination [!] address[/mask]
              Destination specification. See the description of the -s flag
              for a detailed description of the syntax. The flag --dst is an
              alias for this option.

       -j, --jump target
              This specifies the target of the rule, i.e. what to do if the
              packet matches it. The target can be a user-defined chain (other
              than the one this rule is in), one of the special built-in
              targets which decide the fate of the packet immediately, or an
              extension (see EXTENSIONS below). If this option is omitted from
              a rule, then matching the rule will have no effect on the
              packet's fate, but the counters on the rule will be incremented.

       -i, --in-interface [!] [name]
              Optional name of an interface via which a packet is received
              (for packets entering the INPUT, FORWARD and PREROUTING chains).
              When the "!" argument is used before the interface name, the
              sense is inverted. If the interface name ends in a "+", then any
              interface which begins with this name will match. If this option
              is omitted, the string "+" is assumed, which will match any
              interface name.

       -o, --out-interface [!] [name]
              Optional name of an interface via which a packet is going to be
              sent (for packets leaving via the FORWARD, OUTPUT and POSTROUTING
              chains). When the "!" argument is used before the interface
              name, the sense is inverted. If the interface name ends in a
              "+", then any interface which begins with this name will match.
              If this option is omitted, the string "+" is assumed, which will
              match any interface name.

       [!] -f, --fragment
              This means that the rule only refers to second and further
              fragments of fragmented packets. Since there is no way to tell
              the source or destination ports of such a packet (or the ICMP
              type), such a packet will not match any rules which specify
              them. When the "!" argument precedes the "-f" flag, the sense is
              inverted.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and byte
              counters of a rule (during INSERT, APPEND and REPLACE
              operations).


   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output. This option makes the list command show the
              interface address, the rule options (if any), and the TOS (Type
              of Service) masks. The packet and byte counters are also listed,
              with the suffix K, M or G for 1000, 1,000,000 and 1,000,000,000
              multipliers respectively (but see the -x flag to change this).
              For the append, insert, delete and replace commands, this causes
              detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output. IP addresses and port numbers will be printed in
              numeric format. By default, the program will try to display them
              as host names, network names, or services (whenever applicable).

       -x, --exact
              Expand numbers. Display the exact value of the packet and byte
              counters, instead of only the rounded number in K's, M's or G's.
              This option is only relevant for the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each
              rule, corresponding to that rule's position in the chain.


MATCH EXTENSIONS
       iptables can use extended packet matching modules. The following are
       included in the base package, and most of these can be preceded by a !
       to invert the sense of the match.


   tcp
       These extensions are loaded if --protocol tcp is specified, and no other
       match extension is specified. It provides the following options:

       --source-port [!] [port[:port]]
              Source port or port range specification. This can either be a
              service name or a port number. An inclusive range can also be
              specified, using the format port:port. If the first port is
              omitted, "0" is assumed; if the last is omitted, "65535" is
              assumed. If the second port is greater than the first they will
              be swapped. The flag --sport is a convenient alias for this
              option.

       --destination-port [!] [port[:port]]
              Destination port or port range specification. The flag --dport
              is an alias for this option.

       --tcp-flags [!] mask comp
              Match when the TCP flags are as specified. The first argument is
              the flags which we should examine, written as a comma-separated
              list; the second argument is a comma-separated list of flags
              which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE.
              Hence the command

                     iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

              will only match packets with the SYN flag set and the ACK, FIN
              and RST flags unset.

       [!] --syn
              Only match TCP packets with the SYN bit set and the ACK and FIN
              bits cleared. Such packets are used to request TCP connection
              initiation; for example, blocking such packets coming in on an
              interface will prevent incoming TCP connections, but outgoing
              TCP connections will be unaffected. It is equivalent to
              --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes "--syn",
              the sense of the option is inverted.

       --tcp-option [!] number
              Match if the given TCP option is set.

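       The --tcp-flags mask comp test and the --syn shorthand described above,
       modelled in Python as an added example (not code from this man page or
       from netfilter); the flag bit values and the helper names are the
       example's own.

```python
# Added example (not from the iptables man page or netfilter): a model of how
# the --tcp-flags [!] mask comp match and the --syn shorthand are evaluated
# against the TCP flag bits of a packet.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def parse_flag_list(spec):
    """Turn a comma-separated list such as 'SYN,ACK' (or ALL / NONE) into a bitmask."""
    bits = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name != "NONE":
            bits |= TCP_FLAGS[name]  # unknown flag names raise, as iptables rejects them
    return bits


def tcp_flags_match(mask, comp, packet_flags, negate=False):
    """--tcp-flags [!] mask comp: of the flags listed in mask, exactly those
    listed in comp must be set; flags outside the mask are ignored."""
    matched = (packet_flags & parse_flag_list(mask)) == parse_flag_list(comp)
    return not matched if negate else matched


def syn_match(packet_flags, negate=False):
    """[!] --syn is documented as equivalent to --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", packet_flags, negate)


def flags_of(*names):
    """Build packet flag bits from flag names, e.g. flags_of('SYN', 'ACK')."""
    return parse_flag_list(",".join(names)) if names else 0


if __name__ == "__main__":
    # The rule from the text: --tcp-flags SYN,ACK,FIN,RST SYN
    for pkt in (flags_of("SYN"), flags_of("SYN", "ACK"), flags_of("SYN", "PSH")):
        print(f"flags={pkt:#04x} match={tcp_flags_match('SYN,ACK,FIN,RST', 'SYN', pkt)}")
```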

   udp
       These extensions are loaded if --protocol udp is specified, and no other
       match extension is specified. It provides the following options:

       --source-port [!] [port[:port]]
              Source port or port range specification. See the description of
              the --source-port option of the TCP extension for details.

       --destination-port [!] [port[:port]]
              Destination port or port range specification. See the
              description of the --destination-port option of the TCP
              extension for details.


   icmp
       This extension is loaded if --protocol icmp is specified, and no other
       match extension is specified. It provides the following option:

       --icmp-type [!] typename
              This allows specification of the ICMP type, which can be a
              numeric ICMP type, or one of the ICMP type names shown by the
              command

                     iptables -p icmp -h


   mac
       --mac-source [!] address
              Match source MAC address. It must be of the form
              XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets
              entering the PREROUTING, FORWARD or INPUT chains from an
              Ethernet device.


   limit
       This module matches at a limited rate using a token bucket filter; it
       is used in combination with the LOG target to give limited logging. A
       rule using this extension will match until this limit is reached
       (unless the "!" flag is used).

       --limit rate
              Maximum average matching rate: specified as a number, with an
              optional '/second', '/minute', '/hour' or '/day' suffix; the
              default is 3/hour.

       --limit-burst number
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached. The default is 5.

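       The token bucket behind the --limit rate and --limit-burst options,
       modelled in Python as an added example (not code from this man page or
       from netfilter); the LimitMatch class and its clock-driven interface
       are the example's own, and time is passed in explicitly so the
       behaviour can be traced without waiting.

```python
# Added example (not from the iptables man page or netfilter): a token-bucket
# model of the limit match. A rule matches while tokens remain; the bucket
# starts full at --limit-burst and refills at the --limit rate.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """Parse a --limit value such as '3/hour' into seconds per token.
    A bare number is read as a per-second rate."""
    count, _, unit = spec.partition("/")
    return UNIT_SECONDS[unit or "second"] / float(count)


class LimitMatch:
    def __init__(self, rate="3/hour", burst=5, negate=False):
        self.interval = parse_rate(rate)   # seconds needed to earn one token
        self.burst = burst                 # bucket capacity (--limit-burst)
        self.negate = negate               # the "!" flag inverts the result
        self.tokens = float(burst)         # bucket starts full
        self.last = 0.0                    # time of the previous packet

    def matches(self, now):
        """Decide whether a packet seen at time `now` (seconds) matches the rule."""
        # Refill one token per interval elapsed, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) / self.interval)
        self.last = now
        hit = self.tokens >= 1.0
        if hit:
            self.tokens -= 1.0
        return not hit if self.negate else hit


def log_decisions(rule, arrivals):
    """Run a list of packet arrival times through a rule; returns the match results."""
    return [rule.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed arrivals: six packets at t=0, then one every ten minutes.
    # With the defaults (3/hour, burst 5) the sixth packet and every other
    # later one fall outside the limit.
    arrivals = [0.0] * 6 + [600.0, 1200.0, 1800.0, 2400.0]
    print(log_decisions(LimitMatch(), arrivals))
```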
   multiport
       This module matches a set of source or destination ports. Up to 15
       ports can be specified. It can only be used in conjunction with -p tcp
       or -p udp.

       --source-port [port[,port]]
              Match if the source port is one of the given ports.

       --destination-port [port[,port]]
              Match if the destination port is one of the given ports.

       --port [port[,port]]
              Match if both the source and destination ports are equal to each
              other and to one of the given ports.


   mark
       This module matches the netfilter mark field associated with a packet
       (which can be set using the MARK target below).

       --mark value[/mask]
              Matches packets with the given unsigned mark value (if a mask is
              specified, this is logically ANDed with the mark before the
              comparison).


   owner
       This module attempts to match various characteristics of the packet
       creator, for locally generated packets. It is only valid in the OUTPUT
       chain, and even then some packets (such as ICMP ping responses) may
       have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the given
              effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the given
              effective group id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the given
              session group.


   state
       This module, when combined with connection tracking, allows access to
       the connection tracking state for this packet.

       --state state
              Where state is a comma-separated list of the connection states
              to match. Possible states are INVALID, meaning that the packet
              is associated with no known connection; ESTABLISHED, meaning
              that the packet is associated with a connection which has seen
              packets in both directions; NEW, meaning that the packet has
              started a new connection, or is otherwise associated with a
              connection which has not seen packets in both directions; and
              RELATED, meaning that the packet is starting a new connection,
              but is associated with an existing connection, such as an FTP
              data transfer, or an ICMP error.


   unclean
       This module takes no options, but attempts to match packets which seem
       malformed or unusual. This is regarded as experimental.


   tos
       This module matches the 8 bits of the Type of Service field in the IP
       header (i.e. including the precedence bits).

       --tos tos
              The argument is either a standard name (use iptables -m tos -h
              to see the list), or a numeric value to match.


TARGET EXTENSIONS
       iptables can use extended target modules: the following are included
       in the standard distribution.


   LOG
       Turn on kernel logging of matching packets. When this option is set for
       a rule, the Linux kernel will print some information on all matching
       packets (like most IP header fields) via printk().

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 14 letters
              long, and useful for distinguishing messages in the logs.

       --log-tcp-sequence
              Log TCP sequence numbers. This is a security risk if the log is
              readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP packet header.


   MARK
       This is used to set the netfilter mark value associated with the
       packet. It is only valid in the mangle table.

       --set-mark mark


   REJECT
       This is used to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP. This target is only valid
       in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which
       are only called from those chains. Several options control the nature
       of the error packet returned:

       --reject-with type
              The type given can be icmp-net-unreachable,
              icmp-host-unreachable, icmp-port-unreachable,
              icmp-proto-unreachable, icmp-net-prohibited or
              icmp-host-prohibited, which return the appropriate ICMP error
              message (port-unreachable is the default). The option echo-reply
              is also allowed; it can only be used for rules which specify an
              ICMP ping packet, and generates a ping reply. Finally, the
              option tcp-reset can be used on rules which only match the TCP
              protocol in the INPUT chain, or rules called from the INPUT
              chain: this causes a TCP RST packet to be sent back.


   TOS
       This is used to set the 8-bit Type of Service field in the IP header.
       It is only valid in the mangle table.

       --set-tos tos
              You can use a numeric TOS value, or use iptables -j TOS -h to
              see the list of valid TOS names.


   MIRROR
       This is an experimental demonstration target which inverts the source
       and destination fields in the IP header and retransmits the packet. It
       is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined
       chains which are only called from those chains.


   SNAT
       This target is only valid in the POSTROUTING chain of the nat table. It
       specifies that the source address of the packet should be modified (and
       all future packets in this connection will also be mangled), and rules
       should cease being examined. It takes the following option:

       --to-source <ipaddr>[-<ipaddr>][:port-port]
              This can specify a single new source IP address, an inclusive
              range of IP addresses, and optionally a port range (which is
              only valid if the rule also specifies -p tcp or -p udp). If no
              port range is specified, then source ports below 512 will be
              mapped to other ports below 512; those between 512 and 1024 will
              be mapped to ports below 1024, and other ports will be mapped to
              1024 or above. Where possible, no port alteration will occur.

       --to-destination <ipaddr>[-<ipaddr>][:port-port]
              This can specify a single new destination IP address, an
              inclusive range of IP addresses, and optionally a port range
              (which is only valid if the rule also specifies -p tcp or -p
              udp). If no port range is specified, then the destination port
              will never be modified.


   MASQUERADE
       This target is only valid in the POSTROUTING chain of the nat table. It
       should only be used with dynamically assigned IP (dialup) connections:
       if you have a static IP address, you should use the SNAT target.
       Masquerading is equivalent to specifying a mapping to the IP address of
       the interface the packet is going out on, but also has the effect that
       connections are forgotten when the interface goes down. This is the
       correct behaviour when the next dialup is unlikely to have the same
       interface address (and hence any established connections are lost
       anyway). It takes one option:

       --to-ports <port>[-<port>]
              This specifies a range of source ports to use, overriding the
              default SNAT source port selection heuristics (see above). This
              is only valid if the rule also specifies -p tcp or -p udp.


   REDIRECT
       This target is only valid in the PREROUTING and OUTPUT chains of the
       nat table, and user-defined chains which are only called from those
       chains. It alters the destination IP address to send the packet to the
       machine itself (locally generated packets are mapped to the 127.0.0.1
       address). It takes one option:

       --to-ports <port>[-<port>]
              This specifies a destination port or range of ports to use:
              without this, the destination port is never altered. This is
              only valid if the rule also specifies -p tcp or -p udp.


DIAGNOSTICS
       Various error messages are printed to standard error. The exit code is
       0 for correct functioning. Errors which appear to be caused by invalid
       or abused command line parameters cause an exit code of 2, and other
       errors cause an exit code of 1.


BUGS
       Check is not implemented (yet).


COMPATIBILITY WITH IPCHAINS
       This iptables is very similar to ipchains by Rusty Russell. The main
       difference is that the chains INPUT and OUTPUT are only traversed for
       packets coming into the local host and originating from the local host
       respectively. Hence every packet only passes through one of the three
       chains; previously a forwarded packet would pass through all three. The
       other main difference is that -i refers to the input interface; -o
       refers to the output interface, and both are available for packets
       entering the FORWARD chain. iptables is a pure packet filter when using
       the default `filter' table, with optional extension modules. This
       should simplify much of the previous confusion over the combination of
       IP masquerading and packet filtering seen previously. So the following
       options are handled differently: -j MASQ -M -S -M -L There are several
       other chains in iptables.


SEE ALSO
       The iptables-HOWTO, which details more iptables usage, and the
       netfilter-hacking-HOWTO, which details the internals.


AUTHOR
       Rusty Russell wrote iptables, in early consultation with Michael
       Neuling. Marc Boucher made Rusty abandon ipnatctl by lobbying for a
       generic packet selection framework in iptables, then wrote the mangle
       table, the owner match, the mark stuff, and ran around doing cool
       stuff everywhere. James Morris wrote the TOS target, and tos match.
       Jozsef Kadlecsik wrote the REJECT target. The Netfilter Core Team is:
       Marc Boucher, Rusty Russell.

                                  Mar 20, 2000


[Chinese version maintainer]
       杨鹏 (NetSnake) <netsnake@963.net>

[Chinese version last updated]
       2003.11.20

"China Linux Forum man page translation project":
       http://cmpp.linuxforum.net

COLOPHON
       The Chinese version of this page is provided by the Chinese man pages
       project.
       Chinese man pages project: https://github.com/man-pages-zh/manpages-zh



                                iptables Chinese manual                     Iptables(8)