当前位置:操作系统 > Unix/Linux >>

Linux防火墙入门:ipchainsmanpage

ipchains 的 manpage

  IPCHAINS(8) IPCHAINS(8)

  NAME

  ipchains - IP firewall administration

  SYNOPSIS

  ipchains -[ADC] chain rule-specification [options]

  ipchains -[RI] chain rulenum rule-specification [options]

  ipchains -D chain rulenum [options]

  ipchains -[LFZNX] [chain] [options]

  ipchains -P chain target [options]

  ipchains -M [ -L | -S ] [options]

  DESCRIPTION

  Ipchains is used to set up, maintain, and inspect the IP

  firewall rules in the Linux kernel. These rules can be

  dividedinto 4 different categories: the IP input chain,

  the IP output chain, the IP forwardingchain,and user

  defined chains.

  For each of these categories, a separate table of rules is

  maintained, any of which might refer to one of the user-

  defined chains.See ipfw(4) for more details.

  TARGETS

  A firewall rule specifies criteria for a packet, and a

  target.If the packet does not match, the next rule in

  the chain is the examined; if it does match, then the next

  rule is specified by the value of the target, which can be

  the name of a user-defined chain, or one of the special

  values ACCEPT, DENY, REJECT, MASQ, REDIRECT, or RETURN.

  ACCEPT means to let the packet through. DENYmeans to

  drop the packet on the floor. REJECT means the same as

  drop, but is more polite and easier todebug,since an

  ICMP message is sent back to the sender indicating that

  the packet was dropped.(Note that DENY and REJECT are

  the same for ICMP packets). [Note: this is incorrect; set-

  ting ICMP to REJECT will cause ICMP port unreachables to

  be sent!]

  MASQ is only legal for theforward and user defined

  chains, and can only be used when the kernel is compiled

  with CONFIG_IP_MASQUERADE defined. With this, packets

  will be masqueraded as if they originated from the local

  host. Furthermore, reverse packets will be recognized as

  such and they will be demasqueraded automatically, bypass-

  ing the forwarding chain.

  REDIRECT is only legal for the input and user-defined

  chains and can only be used when the Linux kernel is com-

  piled with CONFIG_IP_TRANSPARENT_PROXY defined. With

  this, packets will be redirected to a local socket, even

  if they were sent to a remote host. If the specified

  redirection port is 0, which isthe default value, the

  destination port of a packet will be used as the redirec-

  tion port. When this target is used, an optional extra

  argument (the port number) can be supplied.

  If theend of a user-defined chain is reached, or a rule

   February 8, 19981

  IPCHAINS(8) IPCHAINS(8)

  with target RETURN is matched, then the next rule in the

  previous (calling) chain is examined. If the end of a

  builtin chain is reached, or a rule ina builtin chain

  with target RETURN is matched, the target specified by the

  chain policy determines the fate of the packet.

  OPTIONS

  The options that are recognized by ipchains can be divided

  into several different groups.

  COMMANDS

  These options specify the specific action to perform; only

  one of them can be specified on the command line, unless

  otherwise specified below. For all the long versions of

  the command and option names, you only need to use enough

  lettersto ensure that ipchains can differentiate it from

  all other options.

  -A, --append

   Append one or more rules to the end of the selected

   chain. When the source and/or destination names

   resolve to more than one address, a rule will be

   added for each possible address combination.

  -D, --delete

   Delete one or more rules from the selected chain.

   There are two versions of this command:the rule

   can be specified as a number in the chain (starting

   at 1 for the first rule) or a rule to match.

  -R, --replace

   Replace a rule in the selected chain. If the

   source and/or destination names resolve to multiple

   addresses, the command will fail. Rulesare num-

   bered starting at 1.

  -I, --insert

   Insert one or more rules in the selected chain as

   the given rule number. So, if the rule number is

   1, the rule or rules are inserted at the head of

   the chain.

  -L, --list

   List all rules in the selected chain. If no chain

   is selected, all chains are listed. It is legal to

   specify the -Z (zero) option as well, in which case

   no chain may be specified. The exact output is

   effected by the other arguments given.

  -F, --flush

   Flush the selected chain. This is equivalent to

   deleting all the rules one by one.

   February 8, 19982

  IPCHAINS(8) IPCHAINS(8)

  -Z, --zero

   Zero the packet and byte counters in all chains.

   It is legal to specify the -L, --list (list) option

   as well, to see the counters immediately before

   they are cleared; if this is done, then no specific

   chain can be specified (they will all be displayed

   and cleared.

  -N, --new-chain

   Create a new user-defined chain of the given name.

   There must be no target of that name already.

  -X, --delete-chain

   Delete the specified user-defined chain. There

   must be no references to the chain (if there are

   you must delete or replace the referring rules

   before the chain can be deleted). If no argument

   is given, it will attempt to delete every non-

   builtin chain.

  -P, --policy

   Set the policy for the chain to the given target.

   See thesection TARGETS for the legal targets.

   Only non-userdefined chains can have policies, and

   neither built-in nor user-defined chains can be

   policy targets.

  -M, --masquerading

   This option allows viewing of the currently mas-

   queradedconnections (in conjuction with the -L

   option) or to set the kernel masqerading parameters

   (with the -S option).

  -S, --set tcp tcpfin udp

   Change the timeout values used for masquerading.

   This command always takes 3 parameters, represent-

   ing thetimeout values (in seconds) for TCP ses-

   sions,
CopyRight © 2022 站长资源库 编程知识问答 zzzyk.com All Rights Reserved
部分文章来自网络,