
iptables -X allowed
This command deletes the specified chain from the table. For this command to
work, there must be no rules referring to the chain that's being deleted. In
other words, you'd have to replace or delete all rules referring to the chain before
actually deleting the chain. If this command is used without any options, all non-builtin
chains are deleted from the specified table.
-P, --policy
iptables -P INPUT DROP
This command tells the kernel to set a specified default target, or policy, on a chain.
All packets that don't match any rule will then be forced to use the policy of the
chain. Legal targets are: DROP, ACCEPT and REJECT (might be more, mail me if so).
-E, --rename-chain
iptables -E allowed disallowed
The -E command tells iptables to rename a chain from the first name to the second
name. In the example above we would, in other words, change the name of the
chain from allowed to disallowed. Note that this will not affect the actual way the
table works. It is, in other words, just a cosmetic change to the table.
A command should always be specified, unless you just want to list the built-in help
for iptables or get the version of the command. To get the version, use the -v option
and to get the help message, use the -h option. As usual, in other words. Here are
a few options that can be used together with a few different commands. Note that
we tell you with which commands the options can be used and what effect they will
have. Also note that we don't list any options here that are only used to affect rules
and matches. The matches and targets are instead covered in a later section of
this chapter.
Chapter 3. How a rule is built
Table 3-3. Options
Option
Commands used with
Explanation
-v, --verbose
--list, --append, --insert, --delete, --replace
This option makes the command produce verbose output and is mainly used together with
the --list command. If used together with the --list command, it makes the output from
the command include the interface address, rule options and TOS masks. The --list
command will also include a bytes and packet counter for each rule if the --verbose
option is set. These counters use the K (x1000), M (x1,000,000) and G
(x1,000,000,000) multipliers. To overcome this and to get exact output, you could use
the -x option described later. If this option is used with the --append, --insert, --delete
or --replace commands, the program will output detailed information on what
happens to the rules, whether they were inserted correctly, etcetera.
-x, --exact
--list
This option expands the numerics. The output from --list will, in other words, not
contain the K, M or G multipliers. Instead we will get an exact output of how many
packets and bytes have matched the rule in question from the packets and bytes
counters. Note that this option is only usable with the --list command and isn't really
relevant for any of the other commands.
-n, --numeric
--list
This option tells iptables to output numerical values. IP addresses and port numbers
will be printed using their numerical values and not hostnames, network names
or application names. This option is only applicable to the --list command. This
option overrides the default of resolving all numerics to hosts and names if possible.
--line-numbers
--list
The --line-numbers option is used to output line numbers together with the --list
command. Each rule is numbered with this option, which makes it easier to
know which rule has which number when you're going to insert rules. This option
only works with the --list command.
-c, --set-counters
--insert, --append, --replace
This option is used when creating a rule in some way or modifying it. We can then
use the option to initialize the packets and bytes counters of the rule. The syntax
would be something like --set-counters 20 4000 and would tell the kernel to set the
packet counter to 20 and byte counter to 4000.
--modprobe
All
The --modprobe option is used to tell iptables which command to use when probing
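
The listing options above (-v, -n, --line-numbers) and the precondition for -X can be tried offline on a saved listing. The script below is an added example, not part of the original tutorial: the listing is constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -n -v --line-numbers` output (not from a real host).
sample_listing() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    1204K  963M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2       20  4000 allowed    tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        3   180 allowed    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain allowed (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       23  4180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Expand a -v counter with a K/M/G suffix into an integer. The result is only
# approximate (the short form drops precision); -x style values pass through.
expand_counter() {
    n=${1%[KMG]}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac   # reject anything non-numeric
    case "$1" in
        *K) echo $((n * 1000)) ;;
        *M) echo $((n * 1000000)) ;;
        *G) echo $((n * 1000000000)) ;;
        *)  echo "$n" ;;
    esac
}

# Print "CHAIN NUM" for every rule whose target is chain $1: these rules must
# be deleted or replaced before `iptables -X $1` can succeed.
rules_referring_to() {
    awk -v want="$1" '
        $1 == "Chain"                 { chain = $2; next }
        $1 ~ /^[0-9]+$/ && $4 == want { print chain, $1 }'
}

# Print "CHAIN NUM TARGET" for rules whose packet counter is still zero.
unused_rules() {
    awk '$1 == "Chain" { chain = $2; next }
         $1 ~ /^[0-9]+$/ && $2 == "0" { print chain, $1, $4 }'
}

sample_listing | rules_referring_to allowed   # INPUT 2 and FORWARD 1
sample_listing | unused_rules                 # INPUT 3 ACCEPT
```

On a live system the same functions can read `iptables -L -n -v --line-numbers` from a pipe instead of the sample; -n keeps the listing free of name lookups so the columns stay predictable.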
