Iptables on Linux

Only available on BuenasTareas
  • Pages: 46 (11,440 words)
  • Published: 14 June 2011
IPTABLES(8) iptables 1.4.8 IPTABLES(8)
iptables — administration tool for IPv4 packet filtering and NAT
iptables [-t table] {-A|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
Iptables is used to set up, maintain, and inspect the tables of IPv4
packet filter rules in the Linux kernel. Several different tables may
be defined. Each table contains a number of built-in chains and may
also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each
rule specifies what to do with a packet that matches. This is called a
`target', which may be a jump to a user-defined chain in the same table.
TARGETS
A firewall rule specifies criteria for a packet and a target. If the
packet does not match, the next rule in the chain is examined; if
it does match, then the next rule is specified by the value of the target,
which can be the name of a user-defined chain or one of the special
values ACCEPT, DROP, QUEUE or RETURN.
ACCEPT means to let the packet through. DROP means to drop the packet
on the floor. QUEUE means to pass the packet to userspace. (How the
packet can be received by a userspace process differs by the particular
queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the
ip_queue queue handler. Kernels 2.6.14 and later additionally include
the nfnetlink_queue queue handler. Packets with a target of QUEUE will
be sent to queue number '0' in this case. Please also see the NFQUEUE
target as described later in this man page.) RETURN means stop
traversing this chain and resume at the next rule in the previous
(calling) chain. If the end of a built-in chain is reached or a rule
in a built-in chain with target RETURN is matched, the target specified
by the chain policy determines the fate of the packet.
There are currently three independent tables (which tables are present
at any time depends on the kernel configuration options and which modules
are present).
-t, --table table
This option specifies the packet matching table which the command
should operate on. If the kernel is configured with automatic
module loading, an attempt will be made to load the appropriate
module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It
contains the built-in chains INPUT (for packets destined to
local sockets), FORWARD (for packets being routed through
the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new
connection is encountered. It consists of three built-ins:
PREROUTING (for altering packets as soon as they come in),
OUTPUT (for altering locally-generated packets before routing),
and POSTROUTING (for altering packets as they are
about to go out).
mangle:
This table is used for specialized packet alteration. Until
kernel 2.4.17 it had two built-in chains: PREROUTING (for
altering incoming packets before routing) and OUTPUT (for
altering locally-generated packets before routing). Since
kernel 2.4.18, three other built-in chains are also supported:
INPUT (for packets coming into the box itself), FORWARD
(for altering packets being routed through the box),
and POSTROUTING (for altering packets as they are about to
go out).
raw:
This table is used mainly for configuring exemptions from
connection tracking in combination with the NOTRACK target.
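The following ruleset is an added example, not part of the man page, that puts the TARGETS and table descriptions above into practice: the filter table is selected explicitly with -t, the built-in chain policies decide what happens to packets that reach the end of INPUT or FORWARD, and a user-defined chain uses RETURN so that a packet resumes at the next rule of the calling chain. It assumes an iptables with the conntrack and limit match extensions; the chain name SSH_GUARD and the rate figures are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the man page: a minimal default-deny ruleset for
# the filter table showing chain policies, a user-defined chain, and RETURN.
# Applying it needs root; set IPT to "echo iptables" to print the commands
# instead (see dry_run below).
IPT="${IPT:-iptables}"

apply_ruleset() {
    # Policies decide the fate of a packet that reaches the end of a built-in
    # chain (or matches RETURN there): default deny for INPUT and FORWARD.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT

    # User-defined chain in the same table (name is hypothetical). Within the
    # rate budget the packet RETURNs to the calling chain (INPUT) and continues
    # with the next rule there; above the budget it is dropped and never comes back.
    $IPT -t filter -N SSH_GUARD
    $IPT -t filter -A SSH_GUARD -m limit --limit 3/min --limit-burst 3 -j RETURN
    $IPT -t filter -A SSH_GUARD -j DROP

    # Loopback and packets belonging to existing connections are accepted first.
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New SSH connections jump into SSH_GUARD; those that RETURN are accepted by
    # the following rule. Anything else reaches the end of INPUT, where the
    # DROP policy applies.
    $IPT -t filter -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
    $IPT -t filter -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Print the commands instead of applying them (no root needed).
dry_run() {
    (IPT="echo iptables"; apply_ruleset)
}

# Number of rules the ruleset appends to INPUT (4 for the rules above).
input_rule_count() {
    dry_run | grep -c ' -A INPUT '
}
```

Run `dry_run` to review the generated commands before applying them with `apply_ruleset` as root.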