Linux防火墙入门:ipchainsmanpage
ipchains 的 manpageIPCHAINS(8) IPCHAINS(8)
NAME
ipchains - IP firewall administration
SYNOPSIS
ipchains -[ADC] chain rule-specification [options]
ipchains -[RI] chain rulenum rule-specification [options]
ipchains -D chain rulenum [options]
ipchains -[LFZNX] [chain] [options]
ipchains -P chain target [options]
ipchains -M [ -L | -S ] [options]
DESCRIPTION
Ipchains is used to set up, maintain, and inspect the IP
firewall rules in the Linux kernel. These rules can be
dividedinto 4 different categories: the IP input chain,
the IP output chain, the IP forwardingchain,and user
defined chains.
For each of these categories, a separate table of rules is
maintained, any of which might refer to one of the user-
defined chains.See ipfw(4) for more details.
TARGETS
A firewall rule specifies criteria for a packet, and a
target.If the packet does not match, the next rule in
the chain is the examined; if it does match, then the next
rule is specified by the value of the target, which can be
the name of a user-defined chain, or one of the special
values ACCEPT, DENY, REJECT, MASQ, REDIRECT, or RETURN.
ACCEPT means to let the packet through. DENYmeans to
drop the packet on the floor. REJECT means the same as
drop, but is more polite and easier todebug,since an
ICMP message is sent back to the sender indicating that
the packet was dropped.(Note that DENY and REJECT are
the same for ICMP packets). [Note: this is incorrect; set-
ting ICMP to REJECT will cause ICMP port unreachables to
be sent!]
MASQ is only legal for theforward and user defined
chains, and can only be used when the kernel is compiled
with CONFIG_IP_MASQUERADE defined. With this, packets
will be masqueraded as if they originated from the local
host. Furthermore, reverse packets will be recognized as
such and they will be demasqueraded automatically, bypass-
ing the forwarding chain.
REDIRECT is only legal for the input and user-defined
chains and can only be used when the Linux kernel is com-
piled with CONFIG_IP_TRANSPARENT_PROXY defined. With
this, packets will be redirected to a local socket, even
if they were sent to a remote host. If the specified
redirection port is 0, which isthe default value, the
destination port of a packet will be used as the redirec-
tion port. When this target is used, an optional extra
argument (the port number) can be supplied.
If theend of a user-defined chain is reached, or a rule
February 8, 19981
IPCHAINS(8) IPCHAINS(8)
with target RETURN is matched, then the next rule in the
previous (calling) chain is examined. If the end of a
builtin chain is reached, or a rule ina builtin chain
with target RETURN is matched, the target specified by the
chain policy determines the fate of the packet.
OPTIONS
The options that are recognized by ipchains can be divided
into several different groups.
COMMANDS
These options specify the specific action to perform; only
one of them can be specified on the command line, unless
otherwise specified below. For all the long versions of
the command and option names, you only need to use enough
lettersto ensure that ipchains can differentiate it from
all other options.
-A, --append
Append one or more rules to the end of the selected
chain. When the source and/or destination names
resolve to more than one address, a rule will be
added for each possible address combination.
-D, --delete
Delete one or more rules from the selected chain.
There are two versions of this command:the rule
can be specified as a number in the chain (starting
at 1 for the first rule) or a rule to match.
-R, --replace
Replace a rule in the selected chain. If the
source and/or destination names resolve to multiple
addresses, the command will fail. Rulesare num-
bered starting at 1.
-I, --insert
Insert one or more rules in the selected chain as
the given rule number. So, if the rule number is
1, the rule or rules are inserted at the head of
the chain.
-L, --list
List all rules in the selected chain. If no chain
is selected, all chains are listed. It is legal to
specify the -Z (zero) option as well, in which case
no chain may be specified. The exact output is
effected by the other arguments given.
-F, --flush
Flush the selected chain. This is equivalent to
deleting all the rules one by one.
February 8, 19982
IPCHAINS(8) IPCHAINS(8)
-Z, --zero
Zero the packet and byte counters in all chains.
It is legal to specify the -L, --list (list) option
as well, to see the counters immediately before
they are cleared; if this is done, then no specific
chain can be specified (they will all be displayed
and cleared.
-N, --new-chain
Create a new user-defined chain of the given name.
There must be no target of that name already.
-X, --delete-chain
Delete the specified user-defined chain. There
must be no references to the chain (if there are
you must delete or replace the referring rules
before the chain can be deleted). If no argument
is given, it will attempt to delete every non-
builtin chain.
-P, --policy
Set the policy for the chain to the given target.
See thesection TARGETS for the legal targets.
Only non-userdefined chains can have policies, and
neither built-in nor user-defined chains can be
policy targets.
-M, --masquerading
This option allows viewing of the currently mas-
queradedconnections (in conjuction with the -L
option) or to set the kernel masqerading parameters
(with the -S option).
-S, --set tcp tcpfin udp
Change the timeout values used for masquerading.
This command always takes 3 parameters, represent-
ing thetimeout values (in seconds) for TCP ses-
sions,