iptables manpage, Chinese translation
(Translated by OLS3. Unfinished and not well translated; please bear with it.)
IPTABLES(8)

NAME
    iptables - IP packet filter administration

SYNOPSIS
    iptables -[ADC] chain rule-specification [options]
    iptables -[RI] chain rulenum rule-specification [options]
    iptables -D chain rulenum [options]
    iptables -[LFZ] [chain] [options]
    iptables -[NX] chain
    iptables -P chain target [options]
    iptables -E old-chain-name new-chain-name

DESCRIPTION
    iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

    Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

TARGETS
    A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

    ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace (if supported by the kernel). RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES
    There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

    -t, --table
        This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. The tables are as follows:

        filter
            This is the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

        nat
            This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

        mangle
            This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing).

OPTIONS
    The options that are recognized by iptables can be divided into several different groups.

COMMANDS
    These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.

    -A, --append
        Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

    -D, --delete
        Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
    -R, --replace
        Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

    -I, --insert
        Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

    -L, --list
        List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.

    -F, --flush
        Flush the selected chain. This is equivalent to deleting all the rules one by one.

    -Z, --zero
        Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)

    -N, --new-chain
        Create a new user-defined chain by the given name. There must be no target of that name already.

    -X, --delete-chain
        Delete the specified user-defined chain. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-builtin chain in the table.

    -P, --policy
        Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only non-user-defined chains can have policies, and neither built-in nor user-defined chains can be policy targets.

    -E, --rename-chain
        Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.

    -h  Help. Give a (currently very brief) description of the command syntax.

PARAMETERS
    The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

    -p, --protocol [!] protocol
        The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

    -s, --source [!] address[/mask]
        Source specification. Address can be either a hostname, a network name, or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.

    -d, --destination [!] address[/mask]
        Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

    -j, --jump target
        This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below).
        If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

    -i, --in-interface [!] [name]
        Optional name of an interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match with any interface name.

    -o, --out-interface [!] [name]
        Optional name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match with any interface name.

    [!] -f, --fragment
        This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the rule will only match head fragments, or unfragmented packets.

    -c, --set-counters PKTS BYTES
        This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).

OTHER OPTIONS
    The following additional options can be specified:

    -v, --verbose
        Verbose output. This option makes the list command show the interface address, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

    -n, --numeric
        Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).

    -x, --exact
        Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.

    --line-numbers
        When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

    --modprobe=command
        When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS
    iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

    The following are included in the base package, and most of these can be preceded by a ! to invert the sense of the match.

    tcp
        These extensions are loaded if `--protocol tcp' is specified. It provides the following options:

        --source-port [!] [port[:port]]
            Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first they will be swapped. The flag --sport is an alias for this option.

        --destination-port [!] [port[:port]]
            Destination port or port range specification. The flag --dport is an alias for this option.

        --tcp-flags [!] mask comp
            Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

                iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

            will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

        [!] --syn
            Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes the "--syn", the sense of the option is inverted.

        --tcp-option [!] number
            Match if TCP option set.

    udp
        These extensions are loaded if `--protocol udp' is specified. It provides the following options:

        --source-port [!] [port[:port]]
            Source port or port range specification. See the description of the --source-port option of the TCP extension for details.

        --destination-port [!] [port[:port]]
            Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.

    icmp
        This extension is loaded if `--protocol icmp' is specified. It provides the following option:

        --icmp-type [!] typename
            This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names shown by the command

                iptables -p icmp -h

    mac
        --mac-source [!] address
            Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD or INPUT chains for packets coming from an ethernet device.
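The mask/comp test behind --tcp-flags and the --syn shorthand, worked through as an added example that is not part of the manpage: a POSIX shell evaluator applying the same test iptables applies (only the flags in mask are examined, and those must equal comp) to a packet's flag set. The flag names and their bit values follow the TCP header; the sample packets at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the manpage): evaluate "--tcp-flags MASK COMP" against
# a packet's TCP flags exactly as described above. Only the flags named in MASK
# are examined; the packet matches when, among those, exactly the flags named in
# COMP are set. The --syn shorthand is shown to be the same test as
# "--tcp-flags SYN,RST,ACK SYN".

# Map a flag name to its bit in the TCP flags byte (FIN=1 SYN=2 RST=4 PSH=8
# ACK=16 URG=32); ALL and NONE are the two extra names iptables accepts.
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;
        PSH) echo 8 ;;  ACK) echo 16 ;; URG) echo 32 ;;
        ALL) echo 63 ;; NONE) echo 0 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# Turn a comma-separated flag list such as "SYN,ACK,FIN,RST" into a bitmask.
flags_to_mask() {
    mask=0
    oldifs=$IFS; IFS=','
    for name in $1; do
        bit=$(flag_bit "$name") || return 1
        mask=$((mask | bit))
    done
    IFS=$oldifs
    echo "$mask"
}

# tcp_flags_match MASK COMP PKTFLAGS: exit 0 if a packet carrying PKTFLAGS
# (a flag list) would match "--tcp-flags MASK COMP", exit 1 otherwise.
# This is the kernel's test: (packet_flags & mask) == comp.
tcp_flags_match() {
    m=$(flags_to_mask "$1") || return 2
    c=$(flags_to_mask "$2") || return 2
    p=$(flags_to_mask "$3") || return 2
    [ $((p & m)) -eq "$c" ]
}

# --syn is documented above as equivalent to --tcp-flags SYN,RST,ACK SYN.
syn_match() {
    tcp_flags_match SYN,RST,ACK SYN "$1"
}

# Constructed sample packets: a connection request (SYN only) matches both
# forms, the SYN,ACK reply matches neither, and SYN,PSH still matches because
# PSH is outside the examined mask.
for pkt in SYN SYN,ACK SYN,PSH ACK FIN,ACK; do
    if tcp_flags_match SYN,ACK,FIN,RST SYN "$pkt"; then r1=match; else r1=no; fi
    if syn_match "$pkt"; then r2=match; else r2=no; fi
    printf '%-8s --tcp-flags SYN,ACK,FIN,RST SYN: %-5s --syn: %s\n' "$pkt" "$r1" "$r2"
done
```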
            Valid ICMP type names (the typename can also be given as a number; the list below is what iptables -p icmp -h prints):

                echo-reply (pong)
                destination-unreachable
                    network-unreachable
                    host-unreachable
                    protocol-unreachable
                    port-unreachable
                    fragmentation-needed
                    source-route-failed
                    network-unknown
                    host-unknown
                    network-prohibited
                    host-prohibited
                    TOS-network-unreachable
                    TOS-host-unreachable
                    communication-prohibited
                    host-precedence-violation
                    precedence-cutoff
                source-quench
                redirect
                    network-redirect
                    host-redirect
                    TOS-network-redirect
                    TOS-host-redirect
                echo-request (ping)
                router-advertisement
                router-solicitation
                time-exceeded (ttl-exceeded)
                    ttl-zero-during-transit
                    ttl-zero-during-reassembly
                parameter-problem
                    ip-header-bad
                    required-option-missing
                timestamp-request
                timestamp-reply
                address-mask-request
                address-mask-reply

    limit
        This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension will match until this limit is reached (unless the `!' flag is used).

        --limit rate
            Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

        --limit-burst number
            The maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

    multiport
        This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

        --source-port [port[,port]]
            Match if the source port is one of the given ports.

        --destination-port [port[,port]]
            Match if the destination port is one of the given ports.

        --port [port[,port]]
            Match if both the source and destination ports are equal to each other and to one of the given ports.

    mark
        This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

        --mark value[/mask]
            Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison).

    owner
        This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even there some packets (such as ICMP ping responses) may have no owner, and hence never match.

        --uid-owner userid
            Matches if the packet was created by a process with the given effective user id.

        --gid-owner groupid
            Matches if the packet was created by a process with the given effective group id.

        --pid-owner processid
            Matches if the packet was created by a process with the given process id.

        --sid-owner sessionid
            Matches if the packet was created by a process in the given session group.

    state
        This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

        --state state
            Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet is associated with no known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

    unclean
        This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental.

    tos
        This module matches the 8 bits of Type of Service field in the IP header (ie. including the precedence bits).

        --tos tos
            The argument is either a standard name, (use iptables -m tos -h to see the list), or a numeric value to match.

TARGET EXTENSIONS
    iptables can use extended target modules.

    LOG
        Turn on kernel logging of matching packets.

        --log-level level
            Level of logging (numeric or see syslog.conf(5)).

        --log-prefix prefix
            Prefix log messages with the specified prefix; up to 14 letters long, and useful for distinguishing messages in the logs.

        --log-tcp-sequence
            Log TCP sequence numbers. This is a security risk if the log is readable by users.

        --log-tcp-options
            Log options from the TCP packet header.

        --log-ip-options
            Log options from the IP packet header.

    MARK
        This is used to set the netfilter mark value of the packet; it is only valid in the mangle table.

        --set-mark mark

    REJECT
        This is used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP.

        --reject-with type
            The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply.
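The commands and chain semantics from the start of the page (policies, user-defined chains, RETURN) together with the state and limit matches and the LOG target above, combined into one INPUT policy as an added example that is not part of the manpage. IPT defaults to a dry run that prints the commands instead of applying them; the interface names eth0/eth1 and the LAN 192.168.1.0/24 are assumed values.

```shell
#!/bin/sh
# Added example (not from the manpage): a small stateful INPUT policy built from
# the commands, the state and limit matches and the LOG target described above.
# IPT defaults to a dry run that only prints the iptables commands, so the script
# runs without root or a netfilter kernel; set IPT=iptables to apply the rules.
# The interface names eth0/eth1 and the LAN 192.168.1.0/24 are assumed values.
IPT=${IPT:-"echo iptables"}
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

build_input_policy() {
    # Start from a clean filter table: flush every chain (-F), delete every
    # user-defined chain (-X), then set the policies (-P). A policy is the
    # fate of a packet that reaches the end of a built-in chain.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # "Limited logging": the limit match in front of LOG allows at most 3 log
    # entries a minute after an initial burst of 5; the chain then drops.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-level info --log-prefix "INPUT drop: "
    $IPT -A LOGDROP -j DROP

    # Services offered to the LAN only. The chain ends in RETURN, so a LAN
    # packet that matches nothing here resumes at the next INPUT rule.
    $IPT -N FROM_LAN
    $IPT -A FROM_LAN -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FROM_LAN -p udp --dport 53 -j ACCEPT
    $IPT -A FROM_LAN -j RETURN

    # Loopback, then anything belonging to a connection already seen in both
    # directions or related to one (FTP data, ICMP errors). INVALID packets
    # belong to no known connection and are logged and dropped.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j LOGDROP

    # LAN traffic gets its own chain; http is open to everyone. A new TCP
    # connection is a SYN-only packet, so --syn is required on both rules.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j FROM_LAN
    $IPT -A INPUT -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT

    # Echo requests from the WAN are allowed but rate-limited.
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 1/second -j ACCEPT

    # Everything else, including NEW TCP packets without SYN (stray or
    # crafted ACKs), is logged and dropped; the DROP policy is the backstop.
    $IPT -A INPUT -j LOGDROP
}

build_input_policy
```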
            Finally, the option tcp-reset can be used on rules in (or called from) the INPUT chain which only match the TCP protocol: this causes a TCP RST packet to be sent back.

    TOS
        This is used to set the 8-bit Type of Service field in the IP header.

        --set-tos tos
            Set Type of Service field to one of the following numeric or descriptive values:

                Minimize-Delay        16 (0x10)
                Maximize-Throughput    8 (0x08)
                Maximize-Reliability   4 (0x04)
                Minimize-Cost          2 (0x02)
                Normal-Service         0 (0x00)

    MIRROR

    SNAT
        This target is only valid in the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified, and that rule checking should stop. It takes one option:

        --to-source ipaddr[-ipaddr][:port-port]
            If no portrange is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 will be mapped to ports below 1024, and other ports will be mapped to 1024 or above.

    DNAT
        This target is only valid in the PREROUTING and OUTPUT chains of the nat table, and in user-defined chains called from those two. It specifies that the destination address of the packet should be modified, and that rule checking should stop.

        --to-destination ipaddr[-ipaddr][:port-port]

    MASQUERADE
        This target is only valid in the POSTROUTING chain of the nat table, and should only be used with dynamically assigned IP (dialup) connections; if you have a static IP address, use the SNAT target instead.

        --to-ports port[-port]

    REDIRECT
        This target is only valid in the PREROUTING and OUTPUT chains of the nat table, and in user-defined chains called from those two. It alters the destination IP address to send the packet to the machine itself (locally-generated packets are mapped to the 127.0.0.1 address).

        --to-ports port[-port]

EXTRA EXTENSIONS
    The following extensions are not included by default in the standard distribution.

    ttl
        This module matches the time to live field in the IP header.

        --ttl ttl
            Matches the given TTL value.

    TTL
        This target is used to modify the time to live field in the IP header. It is only valid in the mangle table.

        --ttl-set ttl
            Set the TTL to the given value.

        --ttl-dec ttl
            Decrement the TTL by the given value.

        --ttl-inc ttl
            Increment the TTL by the given value.

    ULOG
        This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets.

        --ulog-nlgroup
            This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.
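The four nat-table targets above (SNAT for a fixed address, MASQUERADE for a dial-up address, DNAT for port forwarding, REDIRECT for sending traffic to the machine itself) in one gateway configuration, as an added example that is not part of the manpage. IPT defaults to a dry run that prints the commands; eth0 (WAN), eth1 (LAN), 192.168.1.0/24, the web server 192.168.1.10 and the public address 203.0.113.10 are assumed values.

```shell
#!/bin/sh
# Added example (not from the manpage): nat-table rules for a small gateway,
# using the SNAT, MASQUERADE, DNAT and REDIRECT targets described above. IPT
# defaults to a dry run that prints the commands; set IPT=iptables to apply.
# eth0 (WAN), eth1 (LAN), 192.168.1.0/24, 192.168.1.10 and the public address
# 203.0.113.10 are assumed values for the demonstration.
IPT=${IPT:-"echo iptables"}
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WEB_SERVER=192.168.1.10
PUBLIC_IP=203.0.113.10

# build_nat_rules MODE, where MODE is "static" (fixed public address: SNAT)
# or "dynamic" (dial-up style address: MASQUERADE, as the manpage advises).
build_nat_rules() {
    mode=$1
    $IPT -t nat -F

    # Source NAT for LAN hosts going out. Both targets are only valid in
    # POSTROUTING, where the packet is about to leave on the WAN interface.
    case "$mode" in
        static)
            $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
                -j SNAT --to-source "$PUBLIC_IP" ;;
        dynamic)
            $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
                -j MASQUERADE ;;
        *)
            echo "usage: build_nat_rules static|dynamic" >&2; return 2 ;;
    esac

    # Port forwarding: rewrite the destination of new connections arriving on
    # the WAN for port 80 so they reach the internal web server on port 8080.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:8080"

    # Transparent proxy for the LAN: REDIRECT sends the packet to this
    # machine itself, here to a proxy assumed to listen on port 3128.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports 3128

    # The nat table only sees the packet that creates a connection; the
    # filter table's FORWARD chain still decides whether forwarded traffic
    # passes, and, being after PREROUTING, it sees the DNATed destination.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 8080 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

build_nat_rules "${1:-dynamic}"
```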
        --ulog-prefix
            Prefix log messages with the specified prefix; up to 32 characters long, and useful for distinguishing messages in the logs.

        --ulog-cprange
            Number of bytes to be copied to userspace. A value of 0 always copies the entire packet, regardless of its size. Default is 0.

        --ulog-qthreshold
            Number of packets to queue inside the kernel. Setting this value to, e.g., 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility).

DIAGNOSTICS
    Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

BUGS
    Check is not implemented (yet).

COMPATIBILITY WITH IPCHAINS
    The main differences between iptables and ipchains:

    iptables and ipchains are very similar. The main difference is that in iptables the INPUT and OUTPUT chains are traversed only by packets entering the local host and packets leaving the local host, respectively, whereas in ipchains a forwarded packet traverses all three chains, INPUT, OUTPUT and FORWARD.

    The other main differences are: in iptables, -i refers to the input interface and -o to the output interface, and both can be applied to packets entering the FORWARD chain. iptables has many extension modules, and when the default filter table is used it is a pure packet filter. This reduces much of the confusion in ipchains, which combined IP masquerading with packet filtering. Therefore the following options are handled differently:

        -j MASQ
        -M -S
        -M -L

    There are many other differences between iptables and ipchains. See the packet-filtering-HOWTO for a more detailed description of packet filtering, the NAT-HOWTO for details of NAT, and the netfilter-hacking-HOWTO for a detailed account of the internals.

AUTHORS
    Rusty Russell wrote iptables, in early consultation with Michael Neuling.

    Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere.

    James Morris wrote the TOS target, and tos match.

    Jozsef Kadlecsik wrote the REJECT target.

    Harald Welte wrote the ULOG target, TTL match+target and libipulog.
    The Netfilter Core Team is: Marc Boucher, James Morris, Harald Welte and Rusty Russell.

===============================================================

* I have excerpted the main differences between iptables and ipchains from the Linux 2.4 packet-filtering-HOWTO below:

Differences Between iptables and ipchains

* Firstly, the names of the built-in chains have changed from lower case to UPPER case, because the INPUT and OUTPUT chains now only get locally-destined and locally-generated packets. They used to see all incoming and all outgoing packets respectively.
* The `-i' flag now means the incoming interface, and only works in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT chains that used `-i' should be changed to `-o'.
* TCP and UDP ports now need to be spelled out with the --source-port or --sport (or --destination-port/--dport) options, and must be placed after the `-p tcp' or `-p udp' options, as this loads the TCP or UDP extensions respectively.
* The TCP -y flag is now --syn, and must be after `-p tcp'.
* The DENY target is now DROP, finally.
* Zeroing single chains while listing them works.
* Zeroing built-in chains also clears policy counters.
* Listing chains gives you the counters as an atomic snapshot.
* REJECT and LOG are now extended targets, meaning they are separate kernel modules.
* Chain names can be up to 31 characters.
* MASQ is now MASQUERADE and uses a different syntax. REDIRECT, while keeping the same name, has also undergone a syntax change. See the NAT-HOWTO for more information on how to configure both of these.
* The -o option is no longer used to direct packets to the userspace device (see -i above). Packets are now sent to userspace via the QUEUE target.
* Probably heaps of other things I forgot.
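The mechanical part of the ipchains-to-iptables changes listed above (upper-case chain names, ports moved to --sport/--dport, -y to --syn, DENY to DROP, MASQ to MASQUERADE in the nat table's POSTROUTING chain, -i to -o in FORWARD and OUTPUT) applied by a small converter, as an added example that is not from the HOWTO or the manpage. It does not parse the full ipchains grammar, so its output is a starting point for review; the sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the HOWTO or the manpage): rewrite simple ipchains
# rules into iptables syntax using the differences listed above. Only the
# mechanical changes are handled; anything else is passed through unchanged,
# so the result needs review before use. The sample rules are constructed.

convert_rule() {
    # A trailing space lets every pattern below anchor on " token " boundaries.
    rule="$1 "
    rule=$(printf '%s\n' "$rule" | sed \
        -e 's/^ipchains /iptables /' \
        -e 's/ -\([AIDRPFLZ]\) input / -\1 INPUT /' \
        -e 's/ -\([AIDRPFLZ]\) output / -\1 OUTPUT /' \
        -e 's/ -\([AIDRPFLZ]\) forward / -\1 FORWARD /' \
        -e 's/ -s \([^ ]*\) \([^- ][^ ]*\) / -s \1 --sport \2 /' \
        -e 's/ -d \([^ ]*\) \([^- ][^ ]*\) / -d \1 --dport \2 /' \
        -e 's/ -y / --syn /' \
        -e 's/ DENY / DROP /' \
        -e 's/ -j MASQ / -j MASQUERADE /')
    case "$rule" in
        *" FORWARD "*" -j MASQUERADE "*)
            # MASQUERADE is only valid in the nat table's POSTROUTING chain,
            # and the interface a forwarded packet leaves on is now -o.
            rule=$(printf '%s\n' "$rule" | sed \
                -e 's/ -\([AIDR]\) FORWARD / -t nat -\1 POSTROUTING /' \
                -e 's/ -i / -o /') ;;
        *" FORWARD "*|*" OUTPUT "*)
            # In the FORWARD and OUTPUT chains ipchains' -i named the
            # outgoing interface; iptables spells that -o.
            rule=$(printf '%s\n' "$rule" | sed -e 's/ -i / -o /') ;;
    esac
    printf '%s\n' "${rule% }"
}

# Constructed sample rules, shown before and after conversion. Note that
# --sport/--dport and --syn only work after "-p tcp" or "-p udp", so a rule
# whose -p comes late must still be reordered by hand.
for old in \
    'ipchains -P input DENY' \
    'ipchains -A input -p tcp -s 0/0 -d 192.168.1.1 80 -y -j ACCEPT' \
    'ipchains -A output -i eth0 -p udp -s 10.0.0.1 53 -j ACCEPT' \
    'ipchains -A forward -i ppp0 -s 192.168.1.0/24 -j MASQ'
do
    printf '%s\n  -> %s\n' "$old" "$(convert_rule "$old")"
done
```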
Where iptables improves on ipchains (excerpted from http://www.knowplace.org/netfilter/):

Why Netfilter/Iptables instead of Ipchains

* State matching - Connection tracking (can you trust the remote host to determine whether your firewall will accept a packet?).
* Automatic fragmentation reassembly - Connection tracking automatically reassembles fragmented packets for examination.
* Improved matching - Advanced packet matching such as rate limit, string matching (packet data), etc.
* Improved logging - Customized logging levels and entries, also allows user space logging.
* Allows packet mangling - Allows for the mangling of any information inside a packet.
* Userspace queuing - Allows userspace programs access to packets.
* Built-in support for port forwarding - obviates IPMASQADM.
* Progress - Inexorable fact of life.
Source: 领测软件测试网 (Leadtest Software Testing Network), https://www.ltesting.net/