How to set iptables rules in linux system

2025-04-06 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com) 06/01 Report

This article explains in detail how to set iptables rules on a Linux system: how to list, add, delete and replace rules, how to set the default policy of a chain, and what the main tables, matches and targets do. It is written as a reference; after reading it you should have a working understanding of the filter, nat and mangle tables and of the options the iptables command takes.

1. iptables -L

View the rules of the filter table, including all of its chains. The filter table has three built-in chains: INPUT, OUTPUT and FORWARD.

Description: -L is the short form of --list; it lists the rules.

2. iptables -L [-t table]

View only the rules of one table.

Note: there are three table names here: filter, nat and mangle. If you do not specify a table, the filter table is shown by default (equivalent to the first command).

Example: iptables -L -t filter

3. iptables -L [-t table] [chain]

The extra argument is the name of a rule chain.

Description: iptables has five built-in rule chains: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING (which of them exist depends on the table; see TABLES below).

Example: iptables -L INPUT

Note: built-in chain names must be written in capitals. On Linux, commands and their arguments are case-sensitive.

4. iptables -n -L

Description: display addresses and ports numerically. Without -n, iptables tries to resolve addresses to host names and ports to service names, so a field such as "anywhere" appears in the listing; with -n the same field is printed as 0.0.0.0/0. Numeric output is also faster, because no DNS lookups are made while listing.

5. iptables -nv -L

Note: you can also write this as iptables -L -nv. The -v flag adds the packet and byte counters and the in/out interfaces of each rule, which is the more useful view for an administrator.

If you want to delete an iptables rule, use the -D command.

Delete with the -D parameter

Delete a rule that was added earlier (iptables -A INPUT -s 192.168.1.5 -j DROP) by repeating its match exactly:

[root@test ~]# iptables -D INPUT -s 192.168.1.5 -j DROP

Sometimes the rule to delete is long, and retyping every match is both slow and error-prone. In that case first list the rules with --line-numbers to find the rule's position in the chain, then delete it by number.

Note that -n and -v are options, not commands, so they cannot be used on their own:

[root@test ~]# iptables -nv --line-numbers

iptables v1.4.7: no command specified

Try `iptables -h' or 'iptables --help' for more information.

[root@test ~]# iptables -nL --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.3          0.0.0.0/0

Delete the rule on line 2:

[root@test ~]# iptables -D INPUT 2

After the deletion the rules below it move up one position, so if you delete several rules by number, list again between deletions or delete from the highest number downwards.
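The delete-by-number workflow above can be scripted. The following is an added example, not code from the original article: it parses the output format shown above to find every rule in a chain with a given target and source, and prints the matching iptables -D commands, highest number first so that deleting one rule does not shift the number of the next. The listing it runs against is a constructed sample (two DROP rules for 192.168.1.2 are included on purpose); nothing in it calls iptables.

```shell
#!/bin/sh
# Added example, not code from the original article: locate a rule's
# position in "iptables -nL --line-numbers" output and build the
# "iptables -D CHAIN N" command for it. The listing below is a constructed
# sample in the format the article shows; nothing here calls iptables.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.3          0.0.0.0/0
4    DROP       all  --  192.168.1.2          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            192.168.1.2          tcp spt:22'

# rule_numbers LISTING CHAIN TARGET SOURCE
# Prints the number of every rule in CHAIN whose target and source columns
# match, one per line. Columns are: num target prot opt source destination ...
rule_numbers() {
    printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" -v src="$4" '
        /^Chain / { cur = $2; next }          # remember which chain we are in
        cur == chain && $1 ~ /^[0-9]+$/ && $2 == target && $5 == src { print $1 }
    '
}

# delete_cmds LISTING CHAIN TARGET SOURCE
# Prints one "iptables -D CHAIN N" per match, highest number first:
# deleting rule 2 renumbers rule 4 to 3, so deleting top-down would
# remove the wrong rule on the second pass.
delete_cmds() {
    chain=$2
    rule_numbers "$@" | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# Stand-alone run against the sample. On a live host feed it the real
# listing instead, e.g.
#   delete_cmds "$(iptables -nL --line-numbers)" INPUT DROP 192.168.1.2 | sh
delete_cmds "$SAMPLE_LISTING" INPUT DROP 192.168.1.2
```

Run as shown, it prints `iptables -D INPUT 4` followed by `iptables -D INPUT 2`. Matching on the listing is only as reliable as the columns it shows; a rule with extra matches (the "tcp spt:22" column in the sample) is still found by target and source, so review the printed commands before piping them into a shell.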

Open the ports your services use. To allow SSH in:

[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Note: the second rule is only needed if you set the OUTPUT policy to DROP; it lets the SSH daemon's replies (source port 22) leave the machine. Many people forget it and then cannot SSH in at all, because the connection is accepted but every reply is dropped. The same applies to every other service: if the web server is enabled and OUTPUT is DROP, you also need:

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

A cleaner alternative to one --sport rule per service is a single connection-tracking rule, iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT, which admits the replies of every connection the INPUT chain has accepted.

If the machine is a web server, open port 80:

[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If it is a mail server, open ports 25 and 110:

[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT

[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

If it is an FTP server, open ports 21 and 20:

[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT

(Port 20 only covers active-mode data connections; passive-mode FTP uses a dynamic port and needs the FTP connection-tracking helper module together with a --state RELATED rule.)

If it is a DNS server, open port 53:

[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

[root@tp ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT

(Most DNS queries travel over UDP; the TCP rule alone only covers zone transfers and large responses.)

The rules above are mainly for the INPUT chain; with its default policy set to DROP, everything not matched by one of them is dropped.

Allow ICMP packets through, that is, allow ping:

[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT (if OUTPUT is set to DROP)

[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT (if INPUT is set to DROP)

Allow the loopback interface! (Otherwise local services that talk to themselves break, for example DNS resolution, and daemons may fail to shut down cleanly.)

[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT (if INPUT is DROP)

[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT (if OUTPUT is DROP)

Note that -i (lower case) is the incoming interface; -I (upper case) is the insert command.

Next write the OUTPUT chain. Its default policy is ACCEPT, so here we write the rules for traffic that must be dropped.

Reduce connections on insecure ports:

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP

[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP

Now a more specific rule, limited to a particular machine.

For example, to allow only 192.168.0.3 to make SSH connections:

[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT

To allow or restrict a whole address range, write it as 192.168.0.0/24, where 24 is the prefix length (the number of 1 bits in the subnet mask). Remember to delete the earlier line

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

from /etc/sysconfig/iptables, because it means every address may log in. Or remove it by command:

[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT

[root@tp ~]# /etc/rc.d/init.d/iptables save

Prefixing the address with ! inverts the match: -s ! 192.168.0.3 means every address except 192.168.0.3 (newer iptables versions write this as ! -s 192.168.0.3).

The same pattern applies to other regular connections.

Below is the FORWARD chain. Its default policy is DROP, so we write the rules that need to ACCEPT (pass) forwarded traffic.

Enable forwarding. (When doing NAT, the default FORWARD policy is DROP.)

[root@tp ~]# iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT

[root@tp ~]# iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

Here eth2 is the inside interface: hosts behind it may start connections out through eth0, while traffic arriving on eth0 is only forwarded if it belongs to a connection that is already established.

Discard bad TCP packets (a packet that starts a NEW connection must be a SYN):

[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

Limit IP fragments to guard against fragment floods, allowing 100 per second:

[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Set ICMP filtering to allow 1 packet per second, with a burst of 10 before the limit applies:

[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

ICMP was allowed unconditionally in the INPUT and OUTPUT rules earlier; in the FORWARD chain it is rate-limited here instead.
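The service rules and the FORWARD/NAT rules above are entered one command at a time. As an added example, not code from the original article, the function below emits the same policy as a single file in the format iptables-restore reads (and the format that service iptables save writes to /etc/sysconfig/iptables). Loading a whole table that way is atomic, so the DROP policies never take effect before the ACCEPT rules exist, and replies are admitted by one connection-tracking rule instead of one --sport rule per service. Assumed values, not from the article: the port lists at the top, 192.168.0.3 as the default admin host, and eth0/eth1 as example WAN/LAN interfaces. Nothing in it calls iptables.

```shell
#!/bin/sh
# Added example, not code from the original article: the article's server
# rules rebuilt as one iptables-restore file, generated by a function.
# Assumptions (not from the article): the port lists below, 192.168.0.3 as
# the default admin host, eth0/eth1 as example interfaces.
# Nothing here calls iptables; pipe the output into iptables-restore.

TCP_SERVICES="80 25 110 21"   # web, smtp, pop3, ftp control
UDP_SERVICES="53"             # dns (queries are mostly UDP)

# gen_ruleset ADMIN_HOST [WAN_IF LAN_IF]
# Prints the filter table. With WAN_IF and LAN_IF it also prints FORWARD
# rules and a nat table that masquerades LAN_IF traffic out of WAN_IF
# (the article's "-i eth0 -o eth2" gateway).
gen_ruleset() {
    admin=${1:-192.168.0.3}; wan=$2; lan=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local resolvers and daemons talk to themselves
-A INPUT -i lo -j ACCEPT
# one rule replaces every "--sport N" reply rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# a packet that starts a new TCP connection must be a bare SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# SSH only from the management host
-A INPUT -p tcp -s $admin --dport 22 -m state --state NEW -j ACCEPT
EOF
    for p in $TCP_SERVICES; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $UDP_SERVICES; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# log a sample of what falls through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
EOF
    if [ -n "$wan" ] && [ -n "$lan" ]; then
        cat <<EOF
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    fi
    echo "COMMIT"
    if [ -n "$wan" ] && [ -n "$lan" ]; then
        cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
    fi
}

# line_of TEXT PATTERN -> 1-based number of the first line containing PATTERN
# (used to check that rule order came out as intended)
line_of() {
    printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

# Stand-alone run: print the gateway variant for inspection.
gen_ruleset 192.168.0.3 eth0 eth1
```

To apply it: gen_ruleset 192.168.0.3 eth0 eth1 | iptables-restore. When doing this over SSH, keep a way back first: iptables-save > /root/iptables.bak, then in a second shell run (sleep 120; iptables-restore < /root/iptables.bak) & and kill that background job once you have confirmed the new rules still let you in.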


Whether or not the firewall was started when Linux was installed, if you want to configure your own rules, first clear all current filter rules.

[root@tp ~]# iptables -F    flushes all rules from every chain of the default table, filter

[root@tp ~]# iptables -X    deletes the user-defined chains of the default table, filter

Let's take a look.

[root@tp ~]# iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the current rules to /etc/sysconfig/iptables. Remember to restart the firewall after editing that file for the changes to take effect:

[root@tp ~]# service iptables restart

Now that the iptables configuration is empty, let's start our configuration.

(3) Set the default policies

[root@tp ~]# iptables -P INPUT DROP

[root@tp ~]# iptables -P OUTPUT ACCEPT

[root@tp ~]# iptables -P FORWARD DROP

Note that the policy command is an upper-case -P; lower-case -p is the protocol match.

This sets, for the INPUT and FORWARD chains of the filter table, what happens to a packet that reaches the end of the chain without matching any rule: it is dropped. This is a safe configuration; we need to control what comes in.

For the OUTPUT chain we do not restrict outgoing packets much, so its policy is ACCEPT: a packet that matches no rule is let through.

So in the INPUT and FORWARD chains you write what is allowed, and in the OUTPUT chain you write what is not allowed.

Order matters when you do this over SSH: set the DROP policy only after the rule that admits your own session (for example iptables -A INPUT -p tcp --dport 22 -j ACCEPT) is in place, or load policy and rules together with iptables-restore, otherwise the session is cut off the moment the policy changes.

Modify with the -R parameter

Let's look at the current rules:

[root@test ~]# iptables -nL --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.5          0.0.0.0/0

Change the third rule to ACCEPT:

[root@test ~]# iptables -R INPUT 3 -j ACCEPT

Check again:

[root@test ~]# iptables -nL --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

The target of the third rule is now ACCEPT. Note that -R replaces the whole rule, not just the target: because the new rule specified no source, the source became 0.0.0.0/0 (any address). To keep the original match, repeat it: iptables -R INPUT 3 -s 192.168.1.5 -j ACCEPT.

iptables -E old-chain-name new-chain-name

-E old chain name, new chain name

Renames a user-defined chain; the rules in it are unchanged.

Description

iptables is used to set up, maintain and inspect the IP packet filtering rules of the Linux kernel.

Several different tables may be defined, each containing a number of built-in chains and possibly user-defined chains. Each chain is a list of rules that can match a set of packets; each rule specifies what to do with a packet that matches it. This is called a "target" and may be a jump to a user-defined chain in the same table.

TARGETS

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is determined by the value of the target. The target can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

ACCEPT means let the packet through. DROP means drop the packet on the floor. QUEUE means pass the packet to user space. RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN matches, the target given by the chain's policy decides the fate of the packet.

TABLES

There are currently three tables (which tables are present depends on the kernel configuration options and on which modules are loaded; newer kernels add the raw and security tables as well).

-t table

This option specifies the packet matching table the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for that table if it is not already there. The tables are as follows:

filter: the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box) and OUTPUT (for locally generated packets).

nat: consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to go out).

mangle: used for specialised packet alteration. It has two built-in chains, PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing); since kernel 2.4.18 it also has INPUT, FORWARD and POSTROUTING.

OPTIONS

The options recognised by iptables fall into several categories.

COMMANDS

These options specify the specific action to perform; only one of them may be given on the command line unless otherwise specified below. For the long versions of the command and option names, you need only use enough letters to ensure that iptables can differentiate them from all other options.

-A, --append

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-D, --delete

Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule to match.

-R, --replace

Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.

-I, --insert

Insert one or more rules into the selected chain as the given rule number. So, if the rule number is 1, the rule is inserted at the head of the chain. This is also the default if no rule number is specified.

-L, --list

List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) are atomically listed and zeroed. The exact output is affected by the other arguments given.

-F, --flush

Flush the selected chain. This is equivalent to deleting all the rules one by one.

-Z, --zero

Zero the packet and byte counters in all chains. It may be used together with -L to see the counters immediately before they are cleared; see above.

-N, --new-chain

Create a new user-defined chain with the given name. There must be no existing chain or target of that name.

-X, --delete-chain

Delete the specified user-defined chain. The chain must not be referenced by any rule; if it is, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, the command tries to delete every chain that is not built in.

-P, --policy

Set the policy of the chain to the given target. See TARGETS for the legal targets. Only built-in (non-user-defined) chains can have a policy, and neither built-in nor user-defined chains can be policy targets.

-E, --rename-chain

Rename the user-specified chain to the name given by the user. This is cosmetic and has no effect on the structure of the table.

-h

Help. Give a (currently very brief) description of the command syntax.

PARAMETERS

The following parameters make up a rule specification, as used in the add, delete, insert, replace and append commands.

-p, --protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" before the protocol inverts the test. The number 0 is equivalent to all. Protocol all matches all protocols and is taken as the default when this option is omitted. all may not be used in combination with the check command.

-s, --source [!] address[/mask]

Source specification. The address can be a host name, a network name or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1 bits at the left side of the network mask, so a mask of 24 is equivalent to 255.255.255.0. A "!" before the address specification inverts the sense of the address. The flag --src is an alias for this option.

-d, --destination [!] address[/mask]

Destination specification. See the description of the -s flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target

Specify the target of the rule, that is, what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets that decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted from a rule, matching the rule has no effect on the packet's fate, but the counters on the rule are still incremented.

-i, --in-interface [!] [name]

Optional name of an interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in "+", any interface whose name begins with that string matches. If this option is omitted, the string "+" is assumed, which matches any interface name.

-o, --out-interface [!] [name]

Optional name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in "+", any interface whose name begins with that string matches. If this option is omitted, the string "+" is assumed, which matches any interface name.

[!] -f, --fragment

This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or the ICMP type), such a packet will not match any rule that specifies them. When the "!" argument precedes the -f flag, the sense is inverted: the rule matches only unfragmented packets and first fragments.

OTHER OPTIONS

The following additional options can be specified:

-v, --verbose

Verbose output. This option makes the list command show the interface names, the rule options (if any) and the TOS masks. The packet and byte counters are also listed, with the suffix K, M or G for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

-n, --numeric

Numeric output. IP addresses and port numbers are printed in numeric format. By default the program tries to display them as host names, network names or service names (whenever applicable).

-x, --exact

Expand numbers. Display the exact value of the packet and byte counters instead of the rounded number in K, M or G. This option is only relevant for the -L command.

--line-numbers

When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

MATCH EXTENSIONS

iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by a "!" to invert the sense of the match.

tcp

These extensions are loaded if --protocol tcp is specified and no other match is given. It provides the following options:

--source-port [!] [port[:port]]

Source port or port range specification. This can be a service name or a port number. An inclusive range can be given with the format port:port. If the first port is omitted, 0 is assumed; if the last is omitted, 65535 is assumed. If the first port is greater than the second one they are swapped. The flag --sport is an alias for this option.

--destination-port [!] [port[:port]]

Destination port or port range specification. The flag --dport is an alias for this option.

--tcp-flags [!] mask comp

Match when the TCP flags are as specified. The first argument is the flags to examine, written as a comma-separated list; the second argument is a comma-separated list of the flags that must be set among those examined (all other examined flags must be clear). Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN matches only packets with the SYN flag set and the ACK, FIN and RST flags unset.

[!] --syn

Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; blocking them on an interface, for example, prevents incoming TCP connections while outgoing TCP connections are unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes --syn, the sense of the option is inverted.

--tcp-option [!] number

Match if the TCP option with the given number is set.
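To make the mask/comp semantics of --tcp-flags concrete, here is an added example that is not part of the man page: a small shell evaluator that applies the same test the tcp match performs, (packet flags AND mask) == comp, to flag sets written the way the option takes them. The "packets" are constructed flag lists standing in for real TCP headers; the bit values follow the TCP header flag order, and nothing here calls iptables.

```shell
#!/bin/sh
# Added example, not code from the man page: evaluate "--tcp-flags MASK COMP"
# the way the tcp match does. Only the flags named in MASK are examined,
# and the rule matches when the examined flags are exactly the COMP set.
# A "packet" here is just a comma-separated list of set flag names, a
# constructed stand-in for the TCP header.

# flag_bits "SYN,ACK" -> integer bitmask (bit values as in the TCP header)
flag_bits() {
    bits=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        case $f in
            FIN)  bits=$(( bits | 1 )) ;;
            SYN)  bits=$(( bits | 2 )) ;;
            RST)  bits=$(( bits | 4 )) ;;
            PSH)  bits=$(( bits | 8 )) ;;
            ACK)  bits=$(( bits | 16 )) ;;
            URG)  bits=$(( bits | 32 )) ;;
            ALL)  bits=63 ;;
            NONE) ;;
            *) echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# tcp_flags_match MASK COMP PACKET_FLAGS -> exit 0 if the rule matches.
# Kernel test: (packet_flags & mask) == comp, so COMP bits outside MASK
# can never match, exactly as in the real module.
tcp_flags_match() {
    mask=$(flag_bits "$1") || return 2
    comp=$(flag_bits "$2") || return 2
    pkt=$(flag_bits "$3") || return 2
    [ $(( pkt & mask )) -eq "$comp" ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK SYN
syn_match() { tcp_flags_match SYN,RST,ACK SYN "$1"; }

# Stand-alone demonstration: the man page's example rule against a
# connection request, a handshake reply and a data segment.
for pkt in SYN SYN,ACK ACK,PSH; do
    if tcp_flags_match SYN,ACK,FIN,RST SYN "$pkt"; then
        echo "$pkt: matches --tcp-flags SYN,ACK,FIN,RST SYN"
    else
        echo "$pkt: no match"
    fi
done
```

Note that PSH and URG are not in the example rule's mask, so a SYN with PSH set still matches; that is why the mask is the first thing to decide when writing such a rule.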

udp

These extensions are loaded if --protocol udp is specified and no other match is given. It provides the following options:

--source-port [!] [port[:port]]

Source port or port range specification. See the description of the --source-port option of the tcp extension for details.

--destination-port [!] [port[:port]]

Destination port or port range specification. See the description of the --destination-port option of the tcp extension for details.

icmp

This extension is loaded if --protocol icmp is specified and no other match is given. It provides the following option:

--icmp-type [!] typename

This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac

--mac-source [!] address

Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD and INPUT chains from an Ethernet device.

limit

This module matches at a limited rate using a token bucket filter; it is typically used together with the LOG target to give limited logging. A rule using this extension matches until the limit is reached (unless the "!" flag is used, in which case it matches only once the limit is reached).

--limit rate

Maximum average matching rate, given as a number with an optional /second, /minute, /hour or /day suffix. The default is 3/hour.

--limit-burst number

Maximum initial number of packets to match. This number gets recharged by one every time the limit specified above is not reached, up to this number. The default is 5.
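The interaction of --limit and --limit-burst is easiest to see by replaying packets through the bucket. The following is an added example, not code from the man page: a shell simulation of the token bucket in millisecond units, following the kernel's credit algorithm (credit starts full at burst tokens, grows with elapsed time up to that cap, and each matching packet spends one token). The arrival sequences are constructed; nothing here calls iptables.

```shell
#!/bin/sh
# Added example, not code from the man page: replay a constructed packet
# arrival sequence through the token-bucket rule "-m limit --limit RATE
# --limit-burst BURST" and report which packets the rule matches.
# Credit is kept in ms: one token costs 1000/RATE ms (or 60000/RATE for a
# per-minute rate, and so on), the bucket starts full at BURST tokens,
# refills with elapsed time up to BURST, and a packet matches only if a
# full token is available.

period_ms() {   # unit suffix of --limit -> length of that period in ms
    case $1 in
        s|sec|second) echo 1000 ;;
        m|min|minute) echo 60000 ;;
        h|hour)       echo 3600000 ;;
        d|day)        echo 86400000 ;;
        *) echo "bad unit: $1" >&2; return 1 ;;
    esac
}

# limit_sim RATE BURST "t1 t2 ..."  with RATE like "1/s" or "5/min" and
# arrival times in ms, ascending. Prints M (match) or D (no match) per packet.
limit_sim() {
    n=${1%/*}; unit=${1#*/}
    cost=$(( $(period_ms "$unit") / n ))   # ms of credit one packet costs
    cap=$(( cost * $2 ))                    # burst: the most credit the bucket holds
    credit=$cap; prev=0; out=""
    for t in $3; do
        credit=$(( credit + t - prev )); prev=$t    # earn credit for elapsed time
        [ "$credit" -gt "$cap" ] && credit=$cap      # but never above the burst
        if [ "$credit" -ge "$cost" ]; then
            credit=$(( credit - cost )); out="$out M"
        else
            out="$out D"
        fi
    done
    echo "${out# }"
}

# Stand-alone demonstration with --limit 1/s --limit-burst 3: four packets at
# t=0 exhaust the burst, one token is earned by t=1000, two more by t=3000.
echo "1/s burst 3:   $(limit_sim 1/s 3 "0 0 0 0 500 1000 3000 3000 3000 3000 3000")"
echo "5/min burst 5: $(limit_sim 5/min 5 "0 0 0 0 0 0 12000 24000")"
```

The first line prints M M M D D M M M D D D: over three seconds the rule matched six packets, the three-packet burst plus one per second, which is what --limit-burst 3 and --limit 1/s promise. Used in front of a LOG target, the same arithmetic tells you how many log lines a flood can produce per second.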

multiport

This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

--source-port [port[,port]]

Match if the source port is one of the given ports.

--destination-port [port[,port]]

Match if the destination port is one of the given ports.

--port [port[,port]]

Match if both the source and destination ports are equal to each other and to one of the given ports.

mark

This module matches the netfilter mark field associated with a packet (which can be set with the MARK target below).

--mark value[/mask]

Match packets with the given unsigned mark value (if a mask is specified, it is logically ANDed with the mark before the comparison).

owner

This module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain, and even there some packets (such as ICMP ping responses) may have no owner and hence never match.

--uid-owner userid

Match if the packet was created by a process with the given effective user id.

--gid-owner groupid

Match if the packet was created by a process with the given effective group id.

--sid-owner sessionid

Match if the packet was created by a process in the given session group.

state

This module, when combined with connection tracking, allows access to the connection tracking state for a packet.

--state state

Where state is a comma-separated list of the connection states to match. Possible states are: INVALID, meaning the packet is associated with no known connection; ESTABLISHED, meaning the packet belongs to a connection that has seen packets in both directions; NEW, meaning the packet has started a new connection or is otherwise associated with a connection that has not yet seen packets in both directions; and RELATED, meaning the packet starts a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

unclean

This module takes no options, but attempts to match packets that seem malformed or unusual. It is regarded as experimental.

tos

This module matches the 8-bit Type of Service field in the IP header (i.e. including the precedence bits).

--tos tos

The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value.

TARGET EXTENSIONS

iptables can use extended target modules. The following are included in the standard distribution.

LOG

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel prints some information on all matching packets (like most IP header fields) via printk().

--log-level level

Level of logging (numeric or see syslog.conf(5)).

--log-prefix prefix

Prefix log messages with the specified prefix, up to 14 letters long, useful for distinguishing messages in the logs.

--log-tcp-sequence

Log TCP sequence numbers. This is a security risk if the log is readable by users.

--log-tcp-options

Log options from the TCP packet header.

--log-ip-options

Log options from the IP packet header.

MARK

This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.

--set-mark mark

REJECT

This is used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP.

This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains that are only called from those chains. The following option controls the nature of the error packet returned:

--reject-with type

The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules that specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules that match only the TCP protocol, in the INPUT chain or in chains called from it: this responds with a TCP RST packet.

TOS

This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.

--set-tos tos

You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

MIRROR

This is an experimental demonstration target that inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains that are only called from those chains.

SNAT

This target is only valid in the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

--to-source ipaddr[-ipaddr][:port-port]

This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, source ports below 512 are mapped to other ports below 512, those between 512 and 1023 inclusive to ports below 1024, and other ports to 1024 or above. Where possible, no port alteration occurs.

DNAT

This target is only valid in the PREROUTING and OUTPUT chains of the nat table, and in user-defined chains that are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

--to-destination ipaddr[-ipaddr][:port-port]

This can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, the destination port is never modified.

MASQUERADE

This target is only valid in the POSTROUTING chain of the nat table. It should only be used with dynamically assigned IP (dialup) connections; if you have a static IP address, use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

--to-ports port[-port]

This specifies a range of source ports to use, overriding the default SNAT source port selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.

REDIRECT

This target is only valid in the PREROUTING and OUTPUT chains of the nat table, and in user-defined chains that are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally generated packets are mapped to 127.0.0.1). It takes one option:

--to-ports port[-port]

This specifies a destination port or range of ports to use; without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

DIAGNOSTICS

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors that appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

BUGS

Check is not implemented (yet).

COMPATIBILITY WITH IPCHAINS

iptables is very similar to Rusty Russell's ipchains. The main difference is that the INPUT chain is only used for packets destined for the local host, and the OUTPUT chain is only used for packets generated by the local host. Hence every packet passes through only one of the three chains; previously a forwarded packet would pass through all three. The other main difference is that -i refers to the input interface and -o to the output interface, and both are available for packets entering the FORWARD chain. iptables is a pure packet filter when using the default filter table, with optional extension modules. This should simplify much of the previous confusion over the combination of IP masquerading and packet filtering, so the following options are handled differently:

-j MASQ

-M -S

-M -L

That covers how to set iptables rules on a Linux system. I hope the above is of some help; if you found the article useful, share it so that more people can read it.
