Linux Firewall Primer: the iptables manpage
iptables manpage Chinese translation (translated by OLS3; unfinished and not translated well, please forgive me.)
IPTABLES(8)

NAME
       iptables - packet filter administration

SYNOPSIS
       iptables -[ADC] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -P chain target [options]
       iptables -E old-chain-name new-chain-name

DESCRIPTION
       Iptables is used to set up, maintain, and inspect the tables of IP packet
       filter rules in the Linux kernel. Several different tables may be defined.
       Each table contains a number of built-in chains and may also contain
       user-defined chains. Each chain is a list of rules which can match a set
       of packets. Each rule specifies what to do with a packet that matches.
       This is called a `target', which may be a jump to a user-defined chain in
       the same table.

TARGETS
       A firewall rule specifies criteria for a packet, and a target. If the
       packet does not match, the next rule in the chain is examined; if it does
       match, then the next rule is specified by the value of the target, which
       can be the name of a user-defined chain or one of the special values
       ACCEPT, DROP, QUEUE, or RETURN. ACCEPT means to let the packet through.
       DROP means to drop the packet on the floor. QUEUE means to pass the packet
       to userspace (if supported by the kernel). RETURN means stop traversing
       this chain and resume at the next rule in the previous (calling) chain.
       If the end of a built-in chain is reached or a rule in a built-in chain
       with target RETURN is matched, the target specified by the chain policy
       determines the fate of the packet.

TABLES
       There are currently three independent tables (which tables are present at
       any time depends on the kernel configuration options and which modules
       are present).

       -t, --table
              This option specifies the packet matching table which the command
              should operate on. If the kernel is configured with automatic
              module loading, an attempt will be made to load the appropriate
              module for that table if it is not already there.

              The tables are as follows:

              filter This is the default table. It contains the built-in chains
                     INPUT (for packets coming into the box itself), FORWARD
                     (for packets being routed through the box), and OUTPUT
                     (for locally-generated packets).

              nat    This table is consulted when a packet that creates a new
                     connection is encountered. It consists of three built-ins:
                     PREROUTING (for altering packets as soon as they come in),
                     OUTPUT (for altering locally-generated packets before
                     routing), and POSTROUTING (for altering packets as they
                     are about to go out).

              mangle This table is used for specialized packet alteration.
                     It has two built-in chains: PREROUTING (for altering
                     incoming packets before routing) and OUTPUT (for altering
                     locally-generated packets before routing).

OPTIONS
       The options that are recognized by iptables can be divided into several
       different groups.

COMMANDS
       These options specify the specific action to perform. Only one of them
       can be specified on the command line unless otherwise specified below.
       For all the long versions of the command and option names, you need to
       use only enough letters to ensure that iptables can differentiate it from
       all other options.

       -A, --append
              Append one or more rules to the end of the selected chain. When
              the source and/or destination names resolve to more than one
              address, a rule will be added for each possible address
              combination.

       -D, --delete
              Delete one or more rules from the selected chain. There are two
              versions of this command: the rule can be specified as a number
              in the chain (starting at 1 for the first rule) or a rule to
              match.

       -R, --replace
              Replace a rule in the selected chain. If the source and/or
              destination names resolve to multiple addresses, the command will
              fail. Rules are numbered starting at 1.

       -I, --insert
              Insert one or more rules in the selected chain as the given rule
              number. So, if the rule number is 1, the rule or rules are
              inserted at the head of the chain. This is also the default if no
              rule number is specified.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed. It is legal to specify the -Z (zero)
              option as well, in which case the chain(s) will be atomically
              listed and zeroed.
              The exact output is affected by the other arguments given.

       -F, --flush
              Flush the selected chain. This is equivalent to deleting all the
              rules one by one.

       -Z, --zero
              Zero the packet and byte counters in all chains. It is legal to
              specify the -L, --list (list) option as well, to see the counters
              immediately before they are cleared. (See above.)

       -N, --new-chain
              Create a new user-defined chain by the given name. There must be
              no target of that name already.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              references to the chain. If there are, you must delete or replace
              the referring rules before the chain can be deleted. If no
              argument is given, it will attempt to delete every non-builtin
              chain in the table.

       -P, --policy
              Set the policy for the chain to the given target. See the section
              TARGETS for the legal targets. Only non-user-defined chains can
              have policies, and neither built-in nor user-defined chains can
              be policy targets.

       -E, --rename-chain
              Rename the user specified chain to the user supplied name. This
              is cosmetic, and has no effect on the structure of the table.

       -h     Help. Give a (currently very brief) description of the command
              syntax.
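The chain-traversal rules from TARGETS and the constraints on -A/-I/-D/-N/-X/-P/-E from COMMANDS, as a small Python model. This is an added example, not part of OLS3's translation or of the iptables source, and it never touches netfilter: it only shows why a packet ends up with a given verdict. The chain name SSH_ADMIN, the addresses and the packet fields (iface, proto, dport, src) are constructed for the illustration. One behaviour goes beyond the text above and is assumed: a packet that reaches the end of a user-defined chain without matching is treated as if RETURN had been hit, which is how real iptables behaves.

```python
"""Toy model of the iptables semantics described above: targets, jumps into
user-defined chains, RETURN, built-in chain policies, and the constraints on
-A/-I/-D/-N/-X/-P/-E. Illustration only: it never touches netfilter."""

SPECIAL = {"ACCEPT", "DROP", "QUEUE", "RETURN"}   # the special target values


class Table:
    def __init__(self, builtin_chains, policy="ACCEPT"):
        self.chains = {c: [] for c in builtin_chains}      # name -> [(match, target), ...]
        self.policy = {c: policy for c in builtin_chains}  # only built-in chains carry a policy

    # -- commands --------------------------------------------------------
    def new_chain(self, name):                                  # -N
        if name in self.chains or name in SPECIAL:
            raise ValueError(f"target {name} already exists")
        self.chains[name] = []

    def delete_chain(self, name):                               # -X
        if name in self.policy:
            raise ValueError("built-in chains cannot be deleted")
        if any(t == name for rules in self.chains.values() for _, t in rules):
            raise ValueError(f"chain {name} is still referenced; delete those rules first")
        del self.chains[name]

    def set_policy(self, chain, target):                        # -P
        if chain not in self.policy:
            raise ValueError("only built-in chains can have a policy")
        if target not in SPECIAL:
            raise ValueError("a chain cannot be a policy target")
        self.policy[chain] = target

    def append(self, chain, match, target):                     # -A
        self._check_target(target)
        self.chains[chain].append((match, target))

    def insert(self, chain, match, target, rulenum=1):          # -I (default: head)
        self._check_target(target)
        self.chains[chain].insert(rulenum - 1, (match, target))  # rules number from 1

    def delete(self, chain, rulenum=None, match=None, target=None):  # -D
        rules = self.chains[chain]
        if rulenum is not None:
            del rules[rulenum - 1]            # by position
        else:
            rules.remove((match, target))     # by rule specification

    def rename_chain(self, old, new):                           # -E (cosmetic)
        if old in self.policy or new in self.chains:
            raise ValueError("only a user-defined chain can be renamed, to an unused name")
        self.chains[new] = self.chains.pop(old)
        for rules in self.chains.values():    # jumps follow the chain, not the name
            rules[:] = [(m, new if t == old else t) for m, t in rules]

    def _check_target(self, target):
        if target not in SPECIAL and target not in self.chains:
            raise ValueError(f"unknown target {target}")

    # -- traversal -------------------------------------------------------
    def verdict(self, packet, chain):
        """Fate of a packet entering a built-in chain."""
        result = self._walk(packet, chain)
        # end of a built-in chain, or RETURN from it, is decided by the policy
        return self.policy[chain] if result == "RETURN" else result

    def _walk(self, packet, chain):
        for match, target in self.chains[chain]:
            if any(packet.get(k) != v for k, v in match.items()):
                continue                      # no match: examine the next rule
            if target in SPECIAL:
                return target                 # ACCEPT/DROP/QUEUE end traversal; RETURN hands back
            sub = self._walk(packet, target)  # jump into a user-defined chain
            if sub != "RETURN":
                return sub
            # RETURN from the sub-chain (or falling off its end, which real
            # iptables treats the same way; assumed here) resumes at the next rule
        return "RETURN"


def demo():
    """Constructed filter-like table with a default-deny INPUT chain."""
    t = Table(["INPUT", "FORWARD", "OUTPUT"], policy="DROP")
    t.new_chain("SSH_ADMIN")                                   # hypothetical chain name
    t.append("SSH_ADMIN", {"src": "10.0.0.5"}, "ACCEPT")       # constructed sample addresses
    t.append("SSH_ADMIN", {"src": "10.0.0.6"}, "RETURN")
    t.append("INPUT", {"proto": "tcp", "dport": 22}, "SSH_ADMIN")
    t.append("INPUT", {"proto": "tcp", "dport": 22}, "QUEUE")  # rest goes to userspace
    t.insert("INPUT", {"iface": "lo"}, "ACCEPT")               # -I with no number: head
    pkts = {
        "loopback": {"iface": "lo", "proto": "tcp", "dport": 22, "src": "10.0.0.9"},
        "admin": {"iface": "eth0", "proto": "tcp", "dport": 22, "src": "10.0.0.5"},
        "returned": {"iface": "eth0", "proto": "tcp", "dport": 22, "src": "10.0.0.6"},
        "fell_off": {"iface": "eth0", "proto": "tcp", "dport": 22, "src": "10.0.0.7"},
        "dns": {"iface": "eth0", "proto": "udp", "dport": 53, "src": "10.0.0.5"},
    }
    before = {n: t.verdict(p, "INPUT") for n, p in pkts.items()}
    t.delete("INPUT", rulenum=3)          # -D by number: remove the QUEUE rule
    after = {n: t.verdict(p, "INPUT") for n, p in pkts.items()}
    return before, after
```

Calling demo() shows the two things practitioners most often get wrong: the packet from 10.0.0.6 is handed back by RETURN and then hits the next rule in INPUT (QUEUE), and once that rule is deleted with -D by number, the same packet falls off the end of the built-in chain and the DROP policy decides it. The command methods raise on exactly the conditions the COMMANDS section lists: -N on an existing target, -X on a chain that rules still jump to, and -P on a user-defined chain or with a chain as the policy target.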