iptables简介

DESCRIPTION

       Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.  Several different tables may

       be defined. 

Each table contains a number of built-in chains and may also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets.  Each rule specifies what to do with a packet that matches.  This is  called

       a `target',

which may be a jump to a user-defined chain in the same table.

TARGETS

       A  firewall rule specifies criteria for a packet and a target. 

If the packet does not match,; if

       it

does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the  spe‐

       cial values ACCEPT, DROP, QUEUE or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the packet on the floor.  QUEUE means to pass the packet to userspace.  (How the

       packet can be received by a userspace process differs by the particular queue handler.  2.4.x and 2.6.x kernels up  to  2.6.13  include  the

       ip_queue  queue  handler.   Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler.  Packets with a target of QUEUE

       will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.)  RETURN  means  stop

       traversing this chain and resume at the next rule in the previous (calling) chain.  If the end of a built-in chain is reached or a rule in a

       built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

用法：

iptables [-t TABLE] COMMANDS PARAMETERS [-m MATCHES] [-j TARGET]

TABLE

filter, nat, mangle, raw, security

COMMANDS

-N chain  #增加一个用户自定义的chain

-X chain  #删除用户自定义的chain

-P chain target  #为chain预设policy，只有内建的chains可以有policy, 而且内建的chains和用户自定义的chains都不能做为policy的target.

-A chain  rule-specification  #添加rule到chain的尾部

-I chain [rulenum] rule-specification  #向chain的指定位置插入rule

-D chain rulenum   #从chain中删除指定的rule

-L [chain]  #列出指定chain的所有的rule，如果没有指定chain，那么所有的chain的rule都会被列出来

PARAMETERS

-p [!] protocol  # protocol可以为 tcp, udp, udplite, icmp, esp, ah,  sctp or  all

-s [!] address[/mask][,...]

-d [!] address[/mask][,...]

-j target  #指定rule的target，这个target可以是用户自定义的chain, 可以是内建的target, 或者是一个EXTENSION

-g chain #即使packet和这个rule相符合，也会继续在用户指定的chain中继续进行

-i [!] interface-name

-o [!] interface-name

MATCH EXTENSIONS

iptables can use extended packet matching modules.  These are loaded in two ways: implicitly, when -p or --protocol is  specified,  or  with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module.  You can specify multiple extended match modules in one line, and you can use the -h or  --help  options  after  the module has been specified to receive help specific to that module.

match modules:

addrtype | ah | cluster | comment | connbytes | connlimit | cpu |

conntrack

    This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.

    --ctstate statelist

     statelist is a comma separated list of the connection states to match.  Possible states are listed below:

       INVALID
              meaning that the packet is associated with no known connection

       NEW    meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen  packets  in  both
              directions, and

       ESTABLISHED
              meaning that the packet is associated with a connection which has seen packets in both directions,

       RELATED
              meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or
              an ICMP error.

       UNTRACKED
              meaning that the packet is not tracked at all, which happens if you use the NOTRACK target in raw table.

       SNAT   A virtual state, matching if the original source address differs from the reply destination.

       DNAT   A virtual state, matching if the original destination differs from the reply source

icmp

    This extension can be used if `--protocol icmp' is specified. It provides the following option:

       [!] --icmp-type {type[/code]|typename}
              This  allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by
              the command
               iptables -p icmp -h

tcp
    These extensions can be used if `--protocol tcp' is specified. It provides the following options:

        [!] --syn
              Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits cleared.  Such packets are used to  request  TCP  connection
              initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connec‐
              tions will be unaffected.  It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN.  If the "!" flag precedes the "--syn", the  sense  of
              the option is inverted.

tos

ttl

matches the time to live field in the IP header.

       --ttl-eq ttl
              Matches the given TTL value.

       --ttl-gt ttl
              Matches if TTL is greater than the given TTL value.

       --ttl-lt ttl
              Matches if TTL is less than the given TTL value.

udp

TARGET EXTENSIONS

iptables can use extended target modules: the following are included in the standard distribution.

AUDIT | CHECKSUM | CLUSTERIP |

DNAT

       This  target  is  only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. 

       It specifies that the destination address of the packet should be modified (and all future packets in this connection will also  be mangled), and rules

       should cease being examined.  It takes one type of option:

       --to-destination [ipaddr[-ipaddr]][:port[-port]]
              which  can  specify  a  single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is
              only valid if the rule also specifies -p tcp or -p udp).  If no port range is specified, then the destination port will never be mod‐
              ified. If no IP address is specified then only the destination port will be modified.

              In  Kernels  up  to  2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination
              address, either via an address range or multiple --to-destination options, a simple round-robin (one after  another  in  cycle)  load
              balancing  takes  place between these addresses.  Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges any‐
              more.

       --random
              If option --random is used then port mapping will be randomized (kernel >= 2.6.22).

       --persistent
              Gives a client the same source-/destination-address for each connection.  This supersedes the SAME  target.  Support  for  persistent
              mappings is available from 2.6.29-rc2.
| LOG | MARK | NFLOG | NFQUEUE |

MASQUERADE

This  target is only valid in the nat table, in the POSTROUTING chain.  It should only be used with dynamically assigned IP (dialup) connec‐
       tions: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent  to  specifying  a  mapping  to  the  IP
       address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down.  This
       is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are  lost
       anyway).

       --to-ports port[-port]
              This  specifies  a  range  of source ports to use, overriding the default SNAT source port-selection heuristics (see above).  This is
              only valid if the rule also specifies -p tcp or -p udp.

       --random
              Randomize source port mapping If option --random is used then port mapping will be randomized (kernel >= 2.6.21).

REJECT

This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating  TAR‐
       GET,  ending  rule  traversal.   This  target  is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only
       called from those chains.

SNAT

This target is only valid in the nat table, in the POSTROUTING chain.  It specifies that the source address of the packet should be modified
       (and all future packets in this connection will also be mangled), and rules should cease being examined.

TTL
       This is used to modify the IPv4 TTL header field.  The TTL field determines how many hops (routers) a packet can traverse until it's time to
       live is exceeded.

       Setting or incrementing the TTL field can potentially be very dangerous, so it should be avoided at any cost. This target is only  valid  in
       mangle table.

       Don't ever set or increment the value on packets that leave your local network!

       --ttl-set value
              Set the TTL value to `value'.

       --ttl-dec value
              Decrement the TTL value `value' times.

       --ttl-inc value
              Increment the TTL value `value' times.

ULOG

补充

• chain的几种类型

• 几种nat的区别

• 几种表和链的关系图

参考资料

http://blog.chinaunix.net/uid-11852254-id-3141844.html

man iptables

http://bbs.ywlm.net/thread-482-1-1.html