iptables command explained
iptables -h
```
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                                jump to chain with no return
  --match     -m match
                                extended match (may load extension)
  --numeric   -n                numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table     -t table          table to manipulate (default: `filter')
  --verbose   -v                verbose mode
  --wait      -w [seconds]      maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact     -x                expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
```
Commonly used options
```
  --table     -t table          table to manipulate (default: `filter')
  --list      -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --verbose   -v                verbose mode
```
Viewing the rules in the filter table
- iptables -vL INPUT
```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
473 53337 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
33 2772 ACCEPT all -- lo any anywhere anywhere
722 70195 INPUT_direct all -- any any anywhere anywhere
722 70195 INPUT_ZONES_SOURCE all -- any any anywhere anywhere
722 70195 INPUT_ZONES all -- any any anywhere anywhere
30 2043 DROP all -- any any anywhere anywhere ctstate INVALID
692 68152 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
```

The columns of this listing mean the following:

- pkts: the number of packets that have matched the rule.
- bytes: the total size of the packets that have matched the rule.
- target: the rule's target, usually the "action" to take once the rule matches.
- prot: the protocol the rule applies to, i.e. whether the rule is restricted to certain protocols.
- opt: the rule's options.
- in: the interface (network card) the packet arrives on; a rule can be restricted to packets entering through a given interface.
- out: the interface (network card) the packet leaves through; a rule can be restricted to packets leaving through a given interface.
- source: the source address the rule matches; either a single IP or a network range.
- destination: the destination address the rule matches; either a single IP or a network range.
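As an added example (not code from the original page), the following Python parses one `iptables -vL <chain>` listing into records with the nine columns described above, keeping any trailing match text such as `ctstate INVALID`; the sample text is constructed from the output shown, and the counter-suffix handling assumes the abbreviated `K/M/G` counters iptables prints when `-x` is not given.

```python
# Added example (not from the original page): parse `iptables -vL <chain>`
# output into records. SAMPLE is constructed from the listing shown above.
import re
from collections import namedtuple

SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  473 53337 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   33  2772 ACCEPT     all  --  lo     any     anywhere             anywhere
   30  2043 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
  692 68152 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
"""

# The nine columns explained above, plus trailing match text (e.g. "ctstate INVALID").
Rule = namedtuple("Rule", "pkts bytes target prot opt in_if out_if "
                          "source destination extra")

# Built-in chains print a policy; user-defined chains print a reference count.
_CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) \d+ packets, \d+ bytes|\d+ references)\)$")

# Without -x, iptables abbreviates large counters in steps of 1000 (12K, 3M, ...).
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_counter(tok):
    m = re.fullmatch(r"(\d+)([KMGT]?)", tok)
    if not m:
        raise ValueError(f"bad counter {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(text):
    """Return (chain, policy or None, [Rule, ...]) for one chain listing."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = _CHAIN_RE.match(lines[0].strip())
    if not m:
        raise ValueError(f"unexpected chain header: {lines[0]!r}")
    rules = []
    for ln in lines[2:]:  # skip the chain header and the column header
        f = ln.split(None, 9)  # 9 fixed columns; anything after stays joined
        if len(f) < 9:
            raise ValueError(f"short rule line: {ln!r}")
        rules.append(Rule(parse_counter(f[0]), parse_counter(f[1]),
                          *f[2:9], f[9] if len(f) > 9 else ""))
    return m.group(1), m.group(2), rules


def denied_packets(rules):
    """Packets that hit DROP/REJECT rules, i.e. what the chain turned away."""
    return sum(r.pkts for r in rules if r.target in ("DROP", "REJECT"))
```

Running `denied_packets(parse_chain(SAMPLE)[2])` on the sample gives 722, the sum of the DROP and REJECT counters, which matches the hit count of the chains the packets were handed to before being refused.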
