
Linux Firewall Primer: iptables manpage

火星人 @ 2014-03-09

  iptables manpage, Chinese translation
  (Translated by OLS3; unfinished and not translated well, please bear with it.)

IPTABLES(8)

SYNOPSIS (packet filter administration)
       iptables -[ADC] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -P chain target [options]
       iptables -E old-chain-name new-chain-name

DESCRIPTION
       Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

TARGETS
       A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace (if supported by the kernel). RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES
       There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

       -t, --table
              This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. The tables are as follows:

              filter This is the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

              nat    This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

              mangle This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing).

OPTIONS
       The options that are recognized by iptables can be divided into several different groups.

   COMMANDS
       These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.

       -A, --append
              Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

       -D, --delete
              Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

       -R, --replace
              Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

       -I, --insert
              Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

       -L, --list
              List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.

       -F, --flush
              Flush the selected chain. This is equivalent to deleting all the rules one by one.

       -Z, --zero
              Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)

       -N, --new-chain
              Create a new user-defined chain by the given name. There must be no target of that name already.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-builtin chain in the table.

       -P, --policy
              Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only non-user-defined chains can have policies, and neither built-in nor user-defined chains can be policy targets.

       -E, --rename-chain
              Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.

       -h     Help. Give a (currently very brief) description of the command syntax.
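To make the traversal rules in TARGETS (jump into a user-defined chain, RETURN back to the calling chain, chain policy when a built-in chain runs out of rules) and the rule numbering of -A/-I concrete, here is an added Python model of those semantics; it is not code from the page, from OLS3, or from iptables itself, and the chain name trusted, the addresses and the packet fields are constructed for illustration.

```python
from dataclasses import dataclass, field

SPECIAL = ("ACCEPT", "DROP", "QUEUE", "RETURN")   # the special target values from TARGETS

@dataclass
class Rule:
    match: dict    # packet fields that must all be equal, e.g. {"src": "10.0.0.5"}; {} matches all
    target: str    # ACCEPT, DROP, QUEUE, RETURN, or the name of a user-defined chain

@dataclass
class Table:
    policy: dict                                 # built-in chain -> ACCEPT or DROP (iptables -P)
    chains: dict = field(default_factory=dict)   # chain name -> list of Rule

    def new_chain(self, name):                   # iptables -N name
        if name in self.chains or name in SPECIAL:
            raise ValueError("a target of that name already exists")
        self.chains[name] = []

    def append(self, chain, rule):               # iptables -A chain ...
        self.chains[chain].append(rule)

    def insert(self, chain, rule, rulenum=1):    # iptables -I chain [rulenum] ...; numbering starts at 1
        self.chains[chain].insert(rulenum - 1, rule)

    def traverse(self, chain, packet):
        """Walk one chain; return a verdict, or RETURN if the chain finished without one."""
        for rule in self.chains[chain]:
            if any(packet.get(k) != v for k, v in rule.match.items()):
                continue                             # no match: examine the next rule
            if rule.target in SPECIAL:
                return rule.target                   # RETURN goes back to the calling chain
            verdict = self.traverse(rule.target, packet)   # jump into a user-defined chain
            if verdict != "RETURN":
                return verdict                       # the sub-chain decided the packet's fate
        return "RETURN"                              # end of chain reached: behaves like RETURN

    def verdict(self, builtin_chain, packet):
        v = self.traverse(builtin_chain, packet)
        return self.policy[builtin_chain] if v == "RETURN" else v   # chain policy decides

def demo_filter_table():
    # Constructed filter table (hypothetical): INPUT policy DROP, ssh handed to chain "trusted"
    t = Table(policy={"INPUT": "DROP"}, chains={"INPUT": []})
    t.new_chain("trusted")
    t.append("trusted", Rule({"src": "10.0.0.5"}, "ACCEPT"))
    t.append("trusted", Rule({}, "RETURN"))                       # anyone else: back to INPUT
    t.append("INPUT", Rule({"proto": "tcp", "dport": 22}, "trusted"))
    t.append("INPUT", Rule({"proto": "icmp"}, "QUEUE"))
    t.insert("INPUT", Rule({"src": "192.0.2.9"}, "DROP"))        # -I with no rulenum: rule 1
    return t
```

A packet from 10.0.0.7 to tcp/22 enters trusted, hits its RETURN, resumes at the icmp rule in INPUT, falls off the end and is dropped by the INPUT policy; a packet from 10.0.0.5 is accepted inside trusted and never comes back.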



http://coctec.com/docs/linux/show-post-55918.html