DESCRIPTION
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.
TARGETS
A firewall rule specifies criteria for a packet and a target.
If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.
ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
Usage:
iptables [-t TABLE] COMMANDS PARAMETERS [-m MATCHES] [-j TARGET]
TABLE
filter, nat, mangle, raw, security
COMMANDS
-N chain #create a new user-defined chain
-X chain #delete a user-defined chain
-P chain target #set the default policy for chain; only built-in chains can have a policy, and neither built-in nor user-defined chains can be used as a policy target
-A chain rule-specification #append a rule to the end of chain
-I chain [rulenum] rule-specification #insert a rule at the given position in chain
-D chain rulenum #delete the rule at the given position from chain
-L [chain] #list all rules of the given chain; if no chain is given, the rules of every chain are listed
PARAMETERS
-p [!] protocol # protocol can be tcp, udp, udplite, icmp, esp, ah, sctp or all
-s [!] address[/mask][,...]
-d [!] address[/mask][,...]
-j target #specify the rule's target, which can be a user-defined chain, a built-in target, or an EXTENSION
-g chain #even when the packet matches this rule, processing continues in the specified user-defined chain
-i [!] interface-name
-o [!] interface-name
MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.
match modules:
addrtype | ah | cluster | comment | connbytes | connlimit | cpu |
conntrack
This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.
--ctstate statelist
statelist is a comma separated list of the connection states to match. Possible states are listed below:
INVALID
meaning that the packet is associated with no known connection
NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and
ESTABLISHED
meaning that the packet is associated with a connection which has seen packets in both directions,
RELATED
meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or
an ICMP error.
UNTRACKED
meaning that the packet is not tracked at all, which happens if you use the NOTRACK target in raw table.
SNAT A virtual state, matching if the original source address differs from the reply destination.
DNAT A virtual state, matching if the original destination differs from the reply source
icmp
This extension can be used if `--protocol icmp' is specified. It provides the following option:
[!] --icmp-type {type[/code]|typename}
This allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command
iptables -p icmp -h
tcp
These extensions can be used if `--protocol tcp' is specified. It provides the following options:
[!] --syn
Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN. If the "!" flag precedes the "--syn", the sense of the option is inverted.
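A stateful host firewall that puts the command reference (-N, -A, -I, -P), the conntrack --ctstate states and the tcp --syn match above to work. This is an added example, not text from the man page; it assumes WAN_IF is the internet-facing interface and SSH is the only service exposed on it. The script prints one iptables command per line for review and only executes them when APPLY=1.

```shell
#!/bin/sh
# Assumed (not from the man page): eth0 faces the internet.
WAN_IF="${WAN_IF:-eth0}"

stateful_filter_rules() {
    # -N/-A: a user-defined chain that discards what conntrack cannot classify.
    echo "iptables -N sanity"
    echo "iptables -A sanity -m conntrack --ctstate INVALID -j DROP"
    # A TCP packet opening a NEW connection must be a pure SYN
    # (--syn == --tcp-flags SYN,RST,ACK,FIN SYN); anything else is bogus.
    echo "iptables -A sanity -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
    # -I at position 1 so the sanity checks run before everything else.
    echo "iptables -I INPUT 1 -j sanity"
    # Replies to flows we opened (ESTABLISHED) and helper traffic such as
    # ICMP errors (RELATED) are accepted early, before any per-service rule.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # The only NEW connection accepted from the WAN side: SSH.
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # icmp extension: keep the host pingable (echo-request, type 8).
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    # -P last: setting the DROP policy before the ESTABLISHED rule exists
    # would cut the session that is applying the rules.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
}

apply_rules() {
    # Execute the generated commands; needs root and the iptables binary.
    stateful_filter_rules | sh -e
}

if [ "${APPLY:-0}" = "1" ]; then apply_rules; else stateful_filter_rules; fi
```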
tos
ttl
matches the time to live field in the IP header.
--ttl-eq ttl
Matches the given TTL value.
--ttl-gt ttl
Matches if TTL is greater than the given TTL value.
--ttl-lt ttl
Matches if TTL is less than the given TTL value.
udp
TARGET EXTENSIONS
iptables can use extended target modules: the following are included in the standard distribution.
AUDIT | CHECKSUM | CLUSTERIP |
DNAT
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.
It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules
should cease being examined. It takes one type of option:
--to-destination [ipaddr[-ipaddr]][:port[-port]]
which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified.
In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
--random
If option --random is used then port mapping will be randomized (kernel >= 2.6.22).
--persistent
Gives a client the same source-/destination-address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2.
| LOG | MARK | NFLOG | NFQUEUE |
MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).
--to-ports port[-port]
This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.
--random
Randomize source port mapping: if option --random is used then port mapping will be randomized (kernel >= 2.6.21).
REJECT
This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains.
SNAT
This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined.
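A small port-forwarding gateway that combines the DNAT, MASQUERADE and SNAT sections with the conntrack states, written in iptables-restore format so the nat and filter tables are visible side by side. This is an added example, not from the man page; it assumes WAN_IF faces the internet, LAN_IF faces the constructed network 192.168.1.0/24, and the internal web server LAN_SRV should receive TCP 80/443 arriving on the WAN side.

```shell
#!/bin/sh
# Assumed values (constructed for this example, not from the man page).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_SRV="${LAN_SRV:-192.168.1.10}"

nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT belongs in PREROUTING: the destination is rewritten before routing, so
# the packet is forwarded to LAN_SRV. Without :port the destination port is kept.
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $LAN_SRV
# MASQUERADE belongs in POSTROUTING and uses whatever address WAN_IF currently
# has; with a static WAN address use "-j SNAT --to-source <addr>" instead.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The nat table only rewrites addresses; the filter table still decides whether
# the forwarded packet is allowed. After DNAT the destination is already LAN_SRV.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_SRV -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Count the -A rules that would be loaded into one table: a cheap sanity check
# on the generated file before handing it to iptables-restore.
rules_in_table() {
    nat_ruleset | awk -v t="*$1" '$0==t{f=1;next} /^COMMIT/{f=0} f&&/^-A/{n++} END{print n+0}'
}

nat_ruleset
```

Pipe the output into `iptables-restore` (as root) to load it atomically; loading the nat rules without the FORWARD rules in the filter table would leave the DNAT'd flows blocked by the FORWARD DROP policy.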
TTL
This is used to modify the IPv4 TTL header field. The TTL field determines how many hops (routers) a packet can traverse until its time to live is exceeded.
Setting or incrementing the TTL field can potentially be very dangerous, so it should be avoided at any cost. This target is only valid in mangle table.
Don't ever set or increment the value on packets that leave your local network!
--ttl-set value
Set the TTL value to `value'.
--ttl-dec value
Decrement the TTL value `value' times.
--ttl-inc value
Increment the TTL value `value' times.
ULOG
Supplementary notes
- Chain types
PREROUTING | in the nat table, mainly used to rewrite the destination address |
INPUT chain | in the filter table, handles packets entering this host |
FORWARD chain | in the filter table, handles packets being forwarded through this host |
OUTPUT chain | in the filter table, handles packets leaving this host |
POSTROUTING | in the nat table, mainly used to rewrite the source address |
- Differences between the NAT types
NAT | function |
SNAT | rewrites the source address; usually applied as the packet leaves |
DNAT | rewrites the destination address; usually applied as the packet enters |
MASQUERADE | rewrites the source address to that of an interface, without specifying an IP address explicitly |
- Diagram of the relationship between tables and chains
References
http://blog.chinaunix.net/uid-11852254-id-3141844.html
man iptables
http://bbs.ywlm.net/thread-482-1-1.html