Iptables

Only available on BuenasTareas
  • Pages: 47 (11540 words)
  • Published: 31 May 2011
IPTABLES(8)                       iptables 1.4.8                       IPTABLES(8)

NAME
       iptables — administration tool for IPv4 packet filtering and NAT

SYNOPSIS
       iptables [-t table] {-A|-D} chain rule-specification
       iptables [-t table] -I chain [rulenum] rule-specification
       iptables [-t table] -R chain rulenum rule-specification
       iptables [-t table] -D chain rulenum
       iptables [-t table] -S [chain [rulenum]]
       iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
       iptables [-t table] -N chain
       iptables [-t table] -X [chain]
       iptables [-t table] -P chain target
       iptables [-t table] -E old-chain-name new-chain-name

       rule-specification = [matches...] [target]
       match = -m matchname [per-match-options]
       target = -j targetname [per-target-options]

DESCRIPTION
       Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

TARGETS
       A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

       ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES
       There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

       -t, --table table
              This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

              nat:
                  This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

              mangle:
                  This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

              raw:
                  This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with...
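The tables, chain policies, user-defined chains, RETURN and the raw table's NOTRACK target described above, as an added example that is not part of the man page: a POSIX shell script that generates a host firewall ruleset in iptables-restore(8) format and syntax-checks it before loading. The 192.0.2.0/24 management prefix (a documentation range), the service ports and the chain name SSH_FROM_MGMT are constructed sample values; the `-m conntrack` match and the `--test` option of iptables-restore are assumed to be present in the installed iptables.

```shell
#!/bin/sh
# Added example, not from the iptables man page. Builds a default-deny host
# ruleset in iptables-restore(8) format. Every address, port and chain name
# below is a constructed sample value.

# Emit the ruleset on stdout. Kept as a function so it can be inspected or
# diffed against `iptables-save` output before it is ever loaded.
emit_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# raw table: exempt an assumed high-volume NTP service from connection
# tracking so a flood of it cannot fill the conntrack table.
-A PREROUTING -p udp --dport 123 -j NOTRACK
-A OUTPUT -p udp --sport 123 -j NOTRACK
COMMIT
*filter
# Chain policies decide the fate of a packet that reaches the end of a
# built-in chain or hits RETURN in one: deny inbound/forwarded by default.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain (policy "-"): reached only via the jump below.
:SSH_FROM_MGMT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -j SSH_FROM_MGMT
# NTP is untracked (see *raw), so it never matches ESTABLISHED; allow it here.
-A INPUT -p udp --dport 123 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A SSH_FROM_MGMT -s 192.0.2.0/24 -j ACCEPT
# RETURN hands the packet back to INPUT, where the DROP policy applies.
-A SSH_FROM_MGMT -j RETURN
COMMIT
EOF
}

# Number of rules (-A lines) in the generated ruleset.
rule_count() {
    emit_ruleset | grep -c '^-A'
}

# Policy recorded for chain $2 in table $1 ("-" for user-defined chains).
chain_policy() {
    emit_ruleset | awk -v t="*$1" -v c=":$2" '
        $1 == t { in_table = 1; next }
        /^\*/   { in_table = 0 }
        in_table && $1 == c { print $2; exit }'
}

# Parse-check the ruleset; with --apply, load it. iptables-restore replaces
# each table in one step, so a syntax error leaves the old ruleset in place
# rather than a half-applied one.
load_ruleset() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found; printing ruleset only" >&2
        emit_ruleset
        return 0
    fi
    emit_ruleset | iptables-restore --test || return 1
    if [ "$1" = "--apply" ]; then
        emit_ruleset | iptables-restore
    fi
}

# Entry point: "sh firewall.sh --check" parse-checks, "--apply" loads (root).
case "${1:-}" in
    --check|--apply) load_ruleset "$1" ;;
esac
```

Run it with `--check` first; compare `emit_ruleset` output against `iptables-save` on the target host to see exactly what will change before using `--apply`.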