iptables manpage

iptables manpage, translated (Chinese translation rendered here in English)

(Translated by OLS3. Unfinished and not well translated; please bear with it.)


IPTABLES(8)
IP packet filter administration

SYNOPSIS
	iptables -[ADC] chain rule-specification [options]
	iptables -[RI] chain rulenum rule-specification [options]
	iptables -D chain rulenum [options]
	iptables -[LFZ] [chain] [options]
	iptables -[NX] chain
	iptables -P chain target [options]
	iptables -E old-chain-name new-chain-name


DESCRIPTION

   Iptables is used to set up, maintain, and inspect the tables of IP packet filter
   rules in the Linux kernel.  Several different tables may be defined.  Each
   table contains a number of built-in chains and may also contain user-defined
   chains.

   Each chain is a list of rules which can match a  set  of  packets.   Each  rule
   specifies  what  to  do with a packet that matches.  This is called a `target',
   which may be a jump to a user-defined chain in the same table.



DESCRIPTION

	iptables is used to set up, maintain and inspect the tables of IP packet filtering rules in the Linux kernel.
	Several different tables can be defined in the kernel.
	Each table contains a number of built-in chains and may also contain user-defined chains.

	Each chain is a list of rules that can match a set of packets.
	Each rule specifies what to do with a packet that matches it.
	This action is called the "target",
	and the target may also be a jump into a user-defined chain in the same table.


TARGETS
   A firewall rule specifies criteria for a packet, and a target.  If the packet
   does not match, the next rule in the chain is examined; if it does match,
   then the next rule is specified by the value of the target, which can be the
   name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE,
   or RETURN.

   ACCEPT means to let the packet through.  DROP means to drop the packet on the
   floor.  QUEUE means to pass the packet to userspace (if supported by the kernel).
   RETURN means stop traversing this chain and resume at the next rule in
   the previous (calling) chain.  If the end of a built-in chain is reached or a
   rule in a built-in chain with target RETURN is matched, the target specified by
   the chain policy determines the fate of the packet.

TARGETS
	A firewall rule specifies the criteria for a packet, and a target.
	If a packet does not match the rule, the next rule in the same chain is examined;
	if it does match, the next rule is determined by the value of the target,
	which can be the name of a user-defined chain or one of ACCEPT, DROP, QUEUE or RETURN.

	ACCEPT means let the packet through.
	DROP means discard the packet.
	QUEUE means hand the packet to userspace (if the kernel supports it).
	RETURN means stop traversing this chain and resume in the calling chain, at the rule after the one that jumped here.
	If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN matches, the chain's policy decides the packet's fate.
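As an added example (not part of the manpage), the script below builds a small INPUT ruleset that exercises exactly the traversal rules described above: a jump into a user-defined chain, ACCEPT and DROP ending traversal at once, RETURN resuming in the calling chain, and the chain policy deciding whatever falls off the end. The LAN prefix 192.168.1.0/24, the blocked host 192.168.1.66 and the chain name lan-in are made up for the example. The ipt wrapper only prints each command unless DRY_RUN=0 is set, so the script can be read and run without touching the kernel; applying it for real needs root.

```shell
#!/bin/sh
# Added example (not from the manpage): ACCEPT, DROP, RETURN, a user-defined
# chain and the chain policy, as a ruleset for the filter table.
# Assumed for the example: the LAN is 192.168.1.0/24 and 192.168.1.66 is a
# host we refuse. Neither address comes from the manpage.

# Print the iptables command instead of running it unless DRY_RUN=0.
ipt() {
    if [ "${DRY_RUN:-1}" = 0 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

traversal_rules() {
    # The policy only matters for packets that fall off the end of a
    # built-in chain (or hit RETURN in one); set it first.
    ipt -P INPUT DROP

    # A user-defined chain must exist before any rule can jump to it.
    ipt -N lan-in

    # Rules in lan-in. ACCEPT and DROP decide the packet's fate at once:
    # nothing later in lan-in or in INPUT is consulted for that packet.
    ipt -A lan-in -s 192.168.1.66 -j DROP
    ipt -A lan-in -p tcp --dport 22 -j ACCEPT
    ipt -A lan-in -p udp --dport 53 -j ACCEPT
    # RETURN hands the packet back to INPUT, at the rule after the jump.
    # Falling off the end of a user-defined chain does the same thing.
    ipt -A lan-in -j RETURN

    # INPUT: accept loopback, then send LAN traffic through lan-in.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -s 192.168.1.0/24 -j lan-in
    # A rule with no -j only bumps its counters; the packet continues.
    # Here it counts SSH attempts that were not accepted in lan-in.
    ipt -A INPUT -p tcp --dport 22
    # Everything that reaches the end of INPUT is DROPped by the policy.
}

# Executed directly, the script prints the ruleset (DRY_RUN=0 applies it).
traversal_rules
```

Walking three packets through it: from 192.168.1.66 to port 22, traversal is INPUT rule 2, then lan-in rule 1, DROP. From 192.168.1.10 to port 80, it is INPUT rule 2, lan-in rules 1 to 3 (no match), RETURN, INPUT rule 3 (no match, it is port 22 only), end of INPUT, policy DROP. From 10.0.0.5 to port 22, INPUT rules 1 and 2 do not match, rule 3 counts it, and the policy drops it.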

TABLES
   There are currently three independent tables (which tables are present at any
   time depends on the kernel configuration options and which modules are
   present).

   -t, --table
          This option specifies the packet matching table which the command should
          operate on.  If the kernel is configured with automatic module  loading,
          an attempt will be made to load the appropriate module for that table if
          it is not already there.

          The tables are as follows:

   filter This is the default table.  It contains the built-in chains  INPUT  (for
          packets  coming  into the box itself), FORWARD (for packets being routed
          through the box), and OUTPUT (for locally-generated packets).

   nat    This table is consulted when a packet that creates a new  connection  is
          encountered.   It  consists of three built-ins: PREROUTING (for altering
          packets as soon as they come in), OUTPUT (for altering locally-generated
          packets  before  routing), and POSTROUTING (for altering packets as they
          are about to go out).

   mangle This table is used for specialized packet alteration.  It has two built-
          in chains: PREROUTING (for altering incoming packets before routing) and
          OUTPUT (for altering locally-generated packets before routing).


TABLES
	There are currently three independent tables (which of them are present depends on the kernel configuration and on which modules are loaded).

	-t, --table

		This option specifies which packet matching table the command should operate on.
		If the kernel is configured for automatic module loading, and the table is not already present, an attempt is made to load the appropriate module.

	The tables are:

	filter

		This is the default table. It contains the built-in chains
		INPUT (for packets destined to the host itself), FORWARD (for packets routed through the host)
		and OUTPUT (for locally generated packets).

	nat

		This table is consulted when a packet that creates a new connection is seen. It consists of three built-in chains: PREROUTING
		(for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and
		POSTROUTING (for altering packets as they are about to go out).

	mangle

		This table is used for specialised packet alteration. It has two built-in chains: PREROUTING
		(for altering incoming packets before routing) and OUTPUT
		(for altering locally generated packets before routing).


OPTIONS
   The options that are recognized by iptables can be divided into several different
   groups.

   COMMANDS
   These options specify the specific action to perform.  Only one of them can be
   specified on the command line unless otherwise specified below.  For all the
   long versions of the command and option names, you need to use only enough letters
   to ensure that iptables can differentiate it from all other options.

   -A, --append
          Append one or more rules to the end of the  selected  chain.   When  the
          source and/or destination names resolve to more than one address, a rule
          will be added for each possible address combination.

   -D, --delete
          Delete one or more rules from the selected chain.  There are two versions
          of this command: the rule can be specified as a number in the
          chain (starting at 1 for the first rule) or a rule to match.

   -R, --replace
          Replace a rule in the selected chain.  If the source and/or  destination
          names  resolve  to multiple addresses, the command will fail.  Rules are
          numbered starting at 1.

   -I, --insert
          Insert one or more rules in the selected chain as the given rule number.
          So,  if the rule number is 1, the rule or rules are inserted at the head
          of the chain.  This is also the default if no rule number is  specified.

   -L, --list
          List  all  rules  in  the  selected chain.  If no chain is selected, all
          chains are listed.  It is legal to specify the -Z (zero) option as well,
          in  which  case  the chain(s) will be atomically listed and zeroed.  The
          exact output is affected by the other arguments given.

   -F, --flush
          Flush the selected chain.  This is equivalent to deleting all the  rules
          one by one.

   -Z, --zero
          Zero the packet and byte counters in all chains.  It is legal to specify
          the -L, --list (list) option as well, to see  the  counters  immediately
          before they are cleared. (See above.)

   -N, --new-chain
          Create  a  new  user-defined  chain by the given name.  There must be no
          target of that name already.

   -X, --delete-chain
          Delete the specified user-defined chain.  There must be no references to
          the chain.  If there are, you must delete or replace the referring rules
          before the chain can be deleted.  If  no  argument  is  given,  it  will
          attempt to delete every non-builtin chain in the table.

   -P, --policy
          Set the policy for the chain to the given target.  See the section TARGETS
          for the legal targets.  Only non-user-defined chains can have policies,
          and neither built-in nor user-defined chains can be policy targets.

   -E, --rename-chain
          Rename the user specified chain to the user supplied name.  This is cosmetic,
          and has no effect on the structure of the table.

   -h     Help.   Give a (currently very brief) description of the command syntax.



OPTIONS

	The options recognised by iptables fall into several groups. The command options specify the action to perform; unless stated otherwise below, only one of them may appear on a command line. For the long option names it is enough to type as many letters as
	iptables needs to distinguish the option from all others.

	-A, --append
		Append one or more rules to the end of the selected chain.
	-D, --delete
		Delete a rule from the selected chain, given either as a rule number (counting from 1) or as a rule to match.
	-R, --replace
		Replace the rule with the given number in the selected chain.
	-I, --insert
		Insert one or more rules at the given rule number (at the head of the chain if no number is given).
	-L, --list
		List the rules in the selected chain, or in every chain if none is selected.
	-F, --flush

		Remove all rules from a chain.
	
	-Z, --zero
		Reset the packet and byte counters in all chains.
	-N, --new-chain

		Create a new user-defined chain.

	-X, --delete-chain
		
		Delete the specified user-defined chain.
		If no chain is given, delete every non-built-in chain in the table.

	-P, --policy

		Only built-in chains can have a policy, and neither built-in nor user-defined chains can be used as a policy target.

	-E, --rename-chain
		Rename a user-defined chain; this is cosmetic only.

	-h
		Help.


   PARAMETERS
   The following parameters make up a rule specification  (as  used  in  the  add,
   delete, insert, replace and append commands).

   -p, --protocol [!] protocol
          The protocol of the rule or of the packet to check.  The specified protocol
          can be one of tcp, udp, icmp, or all, or it can be a numeric
          value, representing one of these protocols or a different one.  A protocol
          name from /etc/protocols is also allowed.  A "!" argument before the
          protocol inverts the test.  The number zero is equivalent to all.  Protocol
          all will match with all protocols and is taken as default when
          this option is omitted.

   -s, --source [!] address[/mask]
          Source specification.  Address can be either a hostname, a network name,
          or a plain IP address.  The mask can be either a network mask or a plain
          number, specifying the number of 1's at the left side of the network
          mask.  Thus, a mask of 24 is equivalent to 255.255.255.0.  A "!" argument
          before the address specification inverts the sense of the address.
          The flag --src is a convenient alias for this option.  Note that a
          hostname is resolved once, when the rule is added: the kernel stores the
          resulting address(es), not the name, so a later DNS change does not
          update the rule.

   -d, --destination [!] address[/mask]
          Destination specification.  See the description of the -s (source)  flag
          for  a  detailed  description of the syntax.  The flag --dst is an alias
          for this option.

   -j, --jump target
          This specifies the target of the rule; i.e., what to do if the packet
          matches it.  The target can be a user-defined chain (other than the one
          this rule is in), one of the special builtin targets which decide the
          fate of the packet immediately, or an extension (see EXTENSIONS below).
          If this option is omitted in a rule, then matching the rule will have no
          effect on the packet's fate, but the counters on the rule will be incremented.

   -i, --in-interface [!] [name]
          Optional name of an interface via which a packet is received (for packets
          entering the INPUT, FORWARD and PREROUTING chains).  When the "!"
          argument is used before the interface name, the sense is inverted.  If
          the interface name ends in a "+", then any interface which begins with
          this name will match.  If this option is omitted, the string "+" is
          assumed, which will match with any interface name.

   -o, --out-interface [!] [name]
          Optional  name  of  an  interface via which a packet is going to be sent
          (for packets entering the FORWARD, OUTPUT and POSTROUTING chains).  When
          the  "!"  argument  is  used  before  the  interface  name, the sense is
          inverted.  If the interface name ends in a "+", then any interface which
          begins with this name will match.  If this option is omitted, the string
          "+" is assumed, which will match with any interface name.

   [!] -f, --fragment
          This means that the rule only refers to second and further fragments of
          fragmented packets.  Since there is no way to tell the source or destination
          ports of such a packet (or ICMP type), such a packet will not
          match any rules which specify them.  When the "!" argument precedes the
          "-f" flag, the rule will only match head fragments, or unfragmented
          packets.  When connection tracking is loaded, fragments are reassembled
          before the filter chains see them, so -f matches nothing there.

   -c, --set-counters PKTS BYTES
          This enables the administrator to initialize the packet and byte counters
          of a rule (during INSERT, APPEND, REPLACE operations).

   OTHER OPTIONS
   The following additional options can be specified:

   -v, --verbose
          Verbose output.  This option makes the list command show the interface
          address, the rule options (if any), and the TOS masks.  The packet and
          byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000,
          1,000,000 and 1,000,000,000 multipliers respectively (but see the -x
          flag to change this).  For appending, insertion, deletion and replacement,
          this causes detailed information on the rule or rules to be
          printed.

   -n, --numeric
          Numeric output.  IP addresses and port numbers will be printed in
          numeric format.  By default, the program will try to display them as
          host names, network names, or services (whenever applicable).  Without
          -n, listing a chain performs a reverse DNS lookup for every address in
          it, which is slow when DNS is unreachable and itself generates traffic,
          so -L -n -v is the usual form for inspecting a live firewall.

   -x, --exact
          Expand numbers.  Display the exact value of the packet and byte counters,
          instead of only the rounded number in K's (multiples of 1000) M's
          (multiples of 1000K) or G's (multiples of 1000M).  This option is only
          relevant for the -L command.

   --line-numbers
          When listing rules, add line numbers to the beginning of each rule, corresponding
          to that rule's position in the chain.

   --modprobe=<command>
          When adding or inserting rules into a chain, use  command  to  load  any
          necessary modules (targets, match extensions, etc).


MATCH EXTENSIONS
   iptables can use extended packet matching modules.  These are loaded in two
   ways: implicitly, when -p or --protocol is specified, or with the -m or --match
   options, followed by the matching module name; after these, various extra command
   line options become available, depending on the specific module.  You can
   specify multiple extended match modules in one line, and you can use the -h or
   --help options after the module has been specified to receive help specific to
   that module.

   The following are included in the base package, and most of these can be preceded
   by a !  to invert the sense of the match.

   tcp
   These extensions are loaded if `--protocol tcp' is specified. It  provides  the
   following options:

   --source-port [!] [port[:port]]
          Source port or port range specification. This can either be a service
          name or a port number. An inclusive range can also be specified, using
          the format port:port.  If the first port is omitted, "0" is assumed; if
          the last is omitted, "65535" is assumed.  If the first port is greater
          than the second they will be swapped.  The flag --sport is an alias for
          this option.

   --destination-port [!] [port[:port]]
          Destination port or port range specification. The  flag  --dport  is  an
          alias for this option.

   --tcp-flags [!] mask comp
          Match  when  the  TCP flags are as specified.  The first argument is the
          flags which we should examine, written as a  comma-separated  list,  and
          the  second  argument  is  a comma-separated list of flags which must be
          set.  Flags are: SYN ACK FIN RST URG PSH ALL NONE.  Hence the command
          iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
          will only match packets with the SYN flag set, and the ACK, FIN and  RST
          flags unset.

   [!] --syn
          Only match TCP packets with the SYN bit set and the ACK and RST bits
          cleared.  Such packets are used to request TCP connection initiation;
          for example, blocking such packets coming in an interface will prevent
          incoming TCP connections, but outgoing TCP connections will be unaffected.
          It is equivalent to --tcp-flags SYN,RST,ACK SYN.  If the "!"
          flag precedes the "--syn", the sense of the option is inverted.


   --tcp-option [!] number
          Match if the TCP option with the given number is present in the header.

   udp
   These extensions are loaded if `--protocol udp' is specified.  It provides  the
   following options:

   --source-port [!] [port[:port]]
          Source  port  or  port  range specification.  See the description of the
          --source-port option of the TCP extension for details.

   --destination-port [!] [port[:port]]
          Destination port or port range specification.  See  the  description  of
          the --destination-port option of the TCP extension for details.

   icmp
   This  extension  is  loaded if `--protocol icmp' is specified.  It provides the
   following option:

   --icmp-type [!] typename
          This allows specification of the ICMP type, which can be a numeric  ICMP
          type, or one of the ICMP type names shown by the command
          iptables -p icmp -h

   mac
   --mac-source [!] address
          Match  source  MAC  address.   It must be of the form XX:XX:XX:XX:XX:XX.
          Note that this only makes sense for  packets  entering  the  PREROUTING,
          FORWARD or INPUT chains for packets coming from an ethernet device.


MATCH EXTENSIONS

tcp

	--source-port
	--sport is the same as above

	--destination-port
	--dport is the same as above

	--tcp-flags mask comp
	
	Example:
		iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
	means: match whenever SYN is set and ACK, FIN and RST are clear (URG and PSH are not in the mask, so they are not examined).



	[!] --syn

		Only TCP packets with the SYN flag set and the ACK and RST flags clear match.
		Such packets are used to request a new connection; blocking them on an interface refuses incoming TCP
		connections, while connections initiated from the inside are unaffected. It is equivalent to
		--tcp-flags SYN,RST,ACK SYN. Prefixing it with ! inverts the match: every TCP packet that is not a
		connection request, which includes the replies to connections opened from the inside.

	--tcp-option [!] number

		Matches if the TCP option with the given number is present.
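The mask/comp semantics take a moment to internalise, so here is an added example (not from the manpage) in two parts: a small POSIX sh function that evaluates --tcp-flags mask comp the way the kernel module does, which is enough to check the claim that --syn equals --tcp-flags SYN,RST,ACK SYN, and a chain of rules using the match against the usual port-scan signatures. The chain name bad-tcp is this example's own choice, and the ipt wrapper only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the manpage): how "--tcp-flags mask comp" is
# evaluated, plus rules that use it. Flag names are the manpage's set:
# SYN ACK FIN RST URG PSH, with ALL and NONE as shorthands.

# has LIST FLAG: true if FLAG appears in the comma-separated LIST.
has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# expand_flags LIST: turn ALL / NONE into the explicit flag list.
expand_flags() {
    case "$1" in
        ALL)  echo "SYN,ACK,FIN,RST,URG,PSH" ;;
        NONE) echo "" ;;
        *)    echo "$1" ;;
    esac
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# Succeeds when every flag named in MASK is set in the packet exactly when
# it is also named in COMP. Flags outside MASK are ignored; that is the
# whole point of having a separate mask. (Subshell body keeps IFS local.)
tcp_flags_match() (
    mask=$(expand_flags "$1"); comp=$(expand_flags "$2"); pkt=$(expand_flags "$3")
    IFS=,
    for f in $mask; do
        if has "$comp" "$f"; then
            has "$pkt" "$f" || return 1     # required flag is clear
        else
            has "$pkt" "$f" && return 1     # forbidden flag is set
        fi
    done
    return 0
)

# syn_match PACKET_FLAGS: exactly what "--syn" checks, per the manpage.
syn_match() { tcp_flags_match SYN,RST,ACK SYN "$1"; }

# Print the iptables command instead of running it unless DRY_RUN=0.
ipt() {
    if [ "${DRY_RUN:-1}" = 0 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Rules that drop flag combinations no legitimate TCP stack sends.
scan_rules() {
    ipt -N bad-tcp
    ipt -A bad-tcp -p tcp --tcp-flags ALL NONE -j DROP          # NULL scan
    ipt -A bad-tcp -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP   # XMAS scan
    ipt -A bad-tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # SYN+FIN
    ipt -A bad-tcp -p tcp --tcp-flags SYN,RST SYN,RST -j DROP   # SYN+RST
    # Check first in both chains that see traffic from outside.
    ipt -I INPUT 1 -p tcp -j bad-tcp
    ipt -I FORWARD 1 -p tcp -j bad-tcp
}

scan_rules
```

syn_match SYN succeeds, syn_match SYN,ACK fails, and syn_match SYN,PSH still succeeds because PSH is outside the mask; the same evaluator shows why --tcp-flags ALL NONE catches only packets with no flags at all, while --tcp-flags ALL FIN,PSH,URG refuses a packet that has any extra flag set.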


udp

	--source-port
	--destination-port
		As for the tcp extension above.


icmp
	--icmp-type [!] typename

		typename can be given as a number, or as one of the names listed by
		iptables -p icmp -h


		Valid ICMP types:
		echo-reply (pong)
		destination-unreachable
   			network-unreachable
   			host-unreachable
   			protocol-unreachable
   			port-unreachable
   			fragmentation-needed
   			source-route-failed
   			network-unknown
   			host-unknown
   			network-prohibited
   			host-prohibited
   			TOS-network-unreachable
   			TOS-host-unreachable
   			communication-prohibited
   			host-precedence-violation
   			precedence-cutoff
		source-quench
		redirect
   			network-redirect
   			host-redirect
   			TOS-network-redirect
   			TOS-host-redirect
		echo-request (ping)
		router-advertisement
		router-solicitation
		time-exceeded (ttl-exceeded)
   			ttl-zero-during-transit
   			ttl-zero-during-reassembly
		parameter-problem
   			ip-header-bad
   			required-option-missing
		timestamp-request
		timestamp-reply
		address-mask-request
		address-mask-reply


mac

	--mac-source [!] address

		Match the source MAC address. It must be in the form XX:XX:XX:XX:XX:XX. Note that this
		only makes sense for packets that arrived on an Ethernet device and are entering the
		PREROUTING, FORWARD or INPUT chains.

limit

       This module matches at a limited rate using a token bucket
       filter: it can be used in combination with the LOG  target
       to give limited logging.  A rule using this extension will
       match until this limit is reached (unless the `!' flag  is
       used).

       --limit rate
              Maximum average matching rate: specified as a number,
              with an optional `/second', `/minute',
              `/hour', or `/day' suffix; the default is 3/hour.

       --limit-burst number
              The  maximum  initial  number  of packets to match:
              this number gets recharged by one  every  time  the
              limit  specified  above  is not reached, up to this
              number; the default is 5.
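An added example (not from the manpage) of the two things the limit match is mostly used for: keeping a LOG rule from flooding syslog, and refusing to process more than a sensible rate of pings or connection requests. The rates, the chain name log-drop and the log prefix are this example's own choices. Two points the text above leaves implicit: LOG does not end traversal, the packet carries on to the next rule, which is why the DROP follows in a rule of its own; and with --limit 3/minute --limit-burst 5 the first five matching packets are logged at once, after which one more is logged every 20 seconds for as long as the flood lasts.

```shell
#!/bin/sh
# Added example (not from the manpage): the limit match in front of LOG,
# and as a crude flood brake. Rates and names are this example's choices.

# Print the iptables command instead of running it unless DRY_RUN=0.
ipt() {
    if [ "${DRY_RUN:-1}" = 0 ]; then iptables "$@"; else echo "iptables $*"; fi
}

limit_rules() {
    # log-drop: log at a bounded rate, then drop. Without the limit, anyone
    # able to send packets can fill the disk through syslog. LOG is
    # non-terminating, so the DROP must be a separate rule after it.
    ipt -N log-drop
    ipt -A log-drop -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-level warning --log-prefix "IPT drop: "
    ipt -A log-drop -j DROP

    # Pass at most 1 ping/second (burst 4) to the host; the rest fall
    # through to log-drop. A "!" before the limit match would invert it.
    ipt -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 1/second --limit-burst 4 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j log-drop

    # Same idea for connection requests to the web server: --syn selects
    # only SYNs, so established traffic is never throttled by this rule.
    ipt -A INPUT -p tcp --dport 80 --syn \
        -m limit --limit 5/second --limit-burst 20 -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 --syn -j log-drop
}

limit_rules
```

The token bucket is per rule, not per source, so a single noisy host exhausts the budget for everyone; that is acceptable for a log limiter, but for the flood brake it means an attacker can also keep legitimate SYNs out, which is the trade-off being made.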


multiport
   This module matches a set of source or destination ports. Up to 15 ports can be
   specified. It can only be used in conjunction with -p tcp or -p udp.

   --source-port [port[,port]]
          Match if the source port is one of the given ports.

   --destination-port [port[,port]]
          Match if the destination port is one of the given ports.

   --port [port[,port]]
          Match  if  the  both  the source and destination ports are equal to each
          other and to one of the given ports.


multiport

	Matches a set of source or destination ports; up to 15 ports may be given, and it must be used together with -p tcp or -p udp.

	--source-port [port[,port]]   Matches if the source port is one of the given ports.
	--destination-port [port[,port]]   Matches if the destination port is one of the given ports.
	--port [port[,port]]   Matches if the source and destination ports are equal to each other and to one of the given ports.

mark

       This module matches the netfilter  mark  field  associated
       with  a  packet  (which  can  be set using the MARK target
       below).

       --mark value[/mask]
              Matches packets with the given unsigned mark  value
              (if  a  mask  is specified, this is logically ANDed
              with the mask before the comparison).

owner

       This module attempts to match various characteristics of
       the packet creator, for locally-generated packets.  It is
       only valid in the OUTPUT chain, and even then some packets
       (such as ICMP ping responses) may have no owner, and hence
       never match.

       --uid-owner userid
              Matches if the packet was created by a process with
              the given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with
              the given effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with
              the given process id.

       --sid-owner sessionid
              Matches  if  the packet was created by a process in
              the given session group.

state

       This module, when combined with connection tracking,
       allows access to the connection tracking state for this
       packet.

       --state state
              Where state is a comma separated list of the connection
              states to match.  Possible states are
              INVALID meaning that the packet is associated with
              no known connection, ESTABLISHED meaning that the
              packet is associated with a connection which has
              seen packets in both directions, NEW meaning that
              the packet has started a new connection, or otherwise
              associated with a connection which has not
              seen packets in both directions, and RELATED meaning
              that the packet is starting a new connection,
              but is associated with an existing connection, such
              as an FTP data transfer, or an ICMP error.
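The pieces above come together in a host firewall, given here as an added example (not part of the manpage) that also serves the COMMANDS and owner sections: it resets the filter table in an order that works (-F before -X, because a chain that is still referenced cannot be deleted), sets DROP policies, and relies on the state match so that only connection-opening packets need explicit rules. The interface name eth0, the admin network 192.168.1.0/24, the service list and uid 1001 are made up for the example; the ipt wrapper only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the manpage): a stateful host firewall for the
# filter table. Assumed for the example: outside interface eth0, admin
# network 192.168.1.0/24, public services on 22/tcp and 80/tcp, and uid
# 1001 as the only account allowed to open outbound SMTP.

# Print the iptables command instead of running it unless DRY_RUN=0.
ipt() {
    if [ "${DRY_RUN:-1}" = 0 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Empty the filter table. -F first: -X refuses chains that are still
# referenced, and -F removes the referring rules. -Z resets counters.
reset_filter() {
    ipt -F
    ipt -X
    ipt -Z
}

host_firewall() {
    reset_filter
    # Default deny everywhere; a host that does not route keeps FORWARD
    # closed as well.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback is trusted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Anything belonging to a known connection, or related to one (an ICMP
    # error, an FTP data channel), is fine in both directions.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # INVALID is a packet conntrack cannot place; nothing legitimate is.
    ipt -A INPUT -m state --state INVALID -j DROP

    # New inbound connections: SSH from the admin network only, HTTP from
    # anywhere. --syn keeps non-SYN packets that conntrack still calls
    # NEW (e.g. a stray ACK after a table flush) out of these rules.
    ipt -A INPUT -i eth0 -p tcp --syn --dport 22 -s 192.168.1.0/24 \
        -m state --state NEW -j ACCEPT
    ipt -A INPUT -i eth0 -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
    # Refuse ident with a RST rather than a silent drop, so remote mail
    # servers that probe it do not wait for a timeout.
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # New outbound connections: DNS and HTTP(S) for everyone, SMTP only
    # from processes running as uid 1001 (owner match, OUTPUT only).
    ipt -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o eth0 -p tcp -m multiport --destination-port 80,443 \
        -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o eth0 -p tcp --dport 25 -m owner --uid-owner 1001 \
        -m state --state NEW -j ACCEPT
    # Everything else falls off the end and meets the DROP policies.
}

host_firewall
```

Inspect the result with iptables -L -n -v --line-numbers; the line numbers are what -D chain rulenum and -I chain rulenum refer to, so check them again after every insert, since they shift.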


unclean

       This module takes no options, but attempts to match packets
       which seem malformed or unusual.  This is regarded as
       experimental.

tos

       This module matches the 8 bits of Type of Service field in
       the IP header (ie. including the precedence bits).

       --tos tos
              The argument is either a standard name, (use
               iptables -m tos -h
              to see the list), or a numeric value to match.



TARGET EXTENSIONS

	iptables can use extended target modules.

	LOG
		Turn on kernel logging of matching packets.

		--log-level level
		      Level of logging (numeric or see syslog.conf(5)).

		--log-prefix prefix
		      Prefix log messages with the specified prefix; up
		      to 14 letters long, and useful for distinguishing
		      messages in the logs.

		--log-tcp-sequence
		      Log TCP sequence numbers. This is a security risk
		      if the log is readable by users.

		--log-tcp-options
		      Log options from the TCP packet header.

		--log-ip-options
		      Log options from the IP packet header.


	MARK
		Sets the netfilter mark value of the packet; valid only in the mangle table.

		--set-mark mark

	REJECT
		Sends an error packet back in response to the matched packet; otherwise it is equivalent to DROP.

		--reject-with type
		      The type given can be icmp-net-unreachable,
		      icmp-host-unreachable, icmp-port-unreachable,
		      icmp-proto-unreachable, icmp-net-prohibited or
		      icmp-host-prohibited, which return the appropriate ICMP error
		      message (port-unreachable is the default).  The
		      option echo-reply is also allowed; it can only be
		      used for rules which specify an ICMP ping packet,
		      and generates a ping reply.  Finally, the option
		      tcp-reset can be used on rules in (or called from)
		      the INPUT chain which only match the TCP protocol:
		      this causes a TCP RST packet to be sent back.


	TOS
		Sets the 8-bit Type of Service field in the IP header.

		--set-tos tos

		Set Type of Service field to one of the
		following numeric or descriptive values:
		     Minimize-Delay 16 (0x10)
		     Maximize-Throughput 8 (0x08)
		     Maximize-Reliability 4 (0x04)
		     Minimize-Cost 2 (0x02)
		     Normal-Service 0 (0x00)


	MIRROR


	SNAT
		This target is valid only in the POSTROUTING chain of the nat table.
		It specifies that the source address of the packet should be modified (the mapping then applies to every further packet of that connection) and that rule examination should stop. It takes one option:

		--to-source <ipaddr>[-<ipaddr>][:port-port]

		If no port range is specified, then source ports below 512 will be
		mapped to other ports below 512: those between 512 and 1023 inclusive
		will be mapped to ports below 1024, and other ports
		will be mapped to 1024 or above.


	DNAT
		This target is valid only in the PREROUTING and OUTPUT chains of the nat table, and in user-defined chains called from those two.
		It specifies that the destination address of the packet should be modified and that rule examination should stop.

		--to-destination <ipaddr>[-<ipaddr>][:port-port]

	
	MASQUERADE
		This target is valid only in the POSTROUTING chain of the nat table, and should be used only for
		connections over a dynamically assigned IP address (dial-up); with a fixed IP address use the SNAT
		target instead.

		--to-ports <port>[-<port>]


	REDIRECT
		This target is valid only in the PREROUTING and OUTPUT chains of the nat table, and in user-defined
		chains called from those two. It alters the destination IP address to send the packet to the
		machine itself (locally-generated packets are mapped to the 127.0.0.1 address).

		--to-ports <port>[-<port>]
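An added example (not from the manpage) that puts the four nat targets side by side on a small gateway: MASQUERADE for a dial-up link whose address changes, SNAT for a fixed address, DNAT to publish an internal web server, and REDIRECT to push LAN web traffic through a local transparent proxy. The interface names, 203.0.113.10 as the public address, 192.168.1.0/24 as the LAN, 192.168.1.80 as the web server and port 3128 for the proxy are made up. The FORWARD rules are included because nat only rewrites addresses; the filter table still has to let the traffic through. The script picks SNAT or MASQUERADE from its argument, since using both on one uplink makes no sense, and the ipt wrapper only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the manpage): SNAT/MASQUERADE, DNAT and REDIRECT
# on a gateway. Assumed for the example: LAN on eth1 (192.168.1.0/24),
# uplink eth0 with fixed address 203.0.113.10 or ppp0 with a dynamic one,
# an internal web server at 192.168.1.80, a transparent proxy on 3128.

# Print the iptables command instead of running it unless DRY_RUN=0.
ipt() {
    if [ "${DRY_RUN:-1}" = 0 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Print or perform the sysctl without which the box forwards nothing.
enable_forwarding() {
    if [ "${DRY_RUN:-1}" = 0 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

# nat_rules static|dynamic: SNAT on eth0, or MASQUERADE on ppp0.
nat_rules() {
    case "$1" in
        static)  up=eth0 ;;
        dynamic) up=ppp0 ;;
        *) echo "usage: nat_rules static|dynamic" >&2; return 2 ;;
    esac
    enable_forwarding
    ipt -t nat -F

    if [ "$1" = static ]; then
        # Fixed address: SNAT keeps its mappings across link flaps.
        ipt -t nat -A POSTROUTING -o "$up" -s 192.168.1.0/24 \
            -j SNAT --to-source 203.0.113.10
    else
        # Address assigned per dial-up: MASQUERADE reads it from the
        # interface each time and forgets connections when it goes down.
        ipt -t nat -A POSTROUTING -o "$up" -s 192.168.1.0/24 -j MASQUERADE
    fi

    # Publish the internal web server on the gateway's port 80. The
    # -i restriction keeps LAN clients from being rewritten as well.
    ipt -t nat -A PREROUTING -i "$up" -p tcp --dport 80 \
        -j DNAT --to-destination 192.168.1.80:80

    # Send LAN web traffic to the local transparent proxy instead.
    ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

    # nat only rewrites; the filter table must still let the packets pass.
    # Note the DNAT'd packets are matched on their rewritten destination.
    ipt -A FORWARD -i eth1 -o "$up" -s 192.168.1.0/24 -j ACCEPT
    ipt -A FORWARD -i "$up" -o eth1 -d 192.168.1.80 -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

nat_rules "${1:-static}"
```

Because the nat table is consulted only for the first packet of a connection, a rule added later does not affect connections that conntrack already knows; flushing nat (as the script does) does not clear those mappings either, only the conntrack entries expiring does.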

EXTRA EXTENSIONS
       The following extensions are not included  by  default  in
       the standard distribution.

   ttl
       This  module  matches  the  time  to  live field in the IP
       header.

       --ttl ttl
              Matches the given TTL value.

   TTL
       This target is used to modify the time to  live  field  in

       the IP header.  It is only valid in the mangle table.

       --ttl-set ttl
              Set the TTL to the given value.

       --ttl-dec ttl
              Decrement the TTL by the given value.

       --ttl-inc ttl
              Increment the TTL by the given value.

   ULOG
       This target provides userspace logging of matching packets.
       When this target is set for a rule, the Linux kernel
       will multicast this packet through a netlink socket. One
       or more userspace processes may then subscribe to various
       multicast groups and receive the packets.

       --ulog-nlgroup <nlgroup>
              This  specifies  the  netlink group (1-32) to which
              the packet is sent.  Default value is 1.

       --ulog-prefix <prefix>
              Prefix log messages with the specified prefix; up
              to 32 characters long, and useful for distinguishing
              messages in the logs.

       --ulog-cprange <size>
              Number of bytes to be copied to userspace. A  value
              of 0 always copies the entire packet, regardless of
              its size. Default is 0

       --ulog-qthreshold <size>
              Number of packet to queue  inside  kernel.  Setting
              this  value  to,  e.g.  10  accumulates ten packets
              inside the kernel and transmits them as one netlink
              multipart  message to userspace.  Default is 1 (for
              backwards compatibility)

DIAGNOSTICS
       Various error messages are printed to standard error.  The
       exit  code  is  0  for  correct functioning.  Errors which
       appear to be caused by  invalid  or  abused  command  line
       parameters cause an exit code of 2, and other errors cause
       an exit code of 1.

BUGS
       Check is not implemented (yet).


COMPATIBILITY WITH IPCHAINS

The main differences between iptables and ipchains:

iptables is very similar to ipchains. The main difference is that in iptables the INPUT and OUTPUT
chains are traversed only by packets destined to the local host and by packets generated by the local host,
respectively, whereas in ipchains a forwarded packet traversed all three chains, INPUT, OUTPUT and FORWARD.

Another main difference is that in iptables -i refers to the input interface
and -o to the output interface,
and both apply to packets entering the FORWARD chain.

iptables has many extension modules, but with the default filter table it is a pure packet filter.
This removes much of the confusion that came from combining IP masquerading and packet filtering in ipchains.

Consequently, the following options are handled differently:

        -j MASQ
        -M -S
        -M -L

There are many other differences between iptables and ipchains.

SEE ALSO

The packet-filtering-HOWTO, which describes packet filtering in more detail;
the NAT-HOWTO, which details NAT;
and the netfilter-hacking-HOWTO, which details the internals.

AUTHORS
       Rusty Russell wrote iptables, in early  consultation  with
       Michael Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a
       generic packet selection framework in iptables, then wrote
       the mangle table, the owner match, the mark stuff, and ran
       around doing cool stuff everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald Welte wrote the ULOG target, TTL  match+target  and
       libipulog.

       The  Netfilter  Core  Team is: Marc Boucher, James Morris,
       Harald Welte and Rusty Russell.

===============================================================
* I have excerpted the main differences between iptables and ipchains
from the Linux 2.4 packet-filtering-HOWTO as follows:

 Differences Between iptables and ipchains

* Firstly, the names of the built-in chains have changed from 
lower case to UPPER case, because the INPUT and OUTPUT chains 
now only get locally-destined and locally-generated packets. 
They used to see all incoming and all outgoing packets respectively.
* The `-i' flag now means the incoming interface, and only works in 
the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT chains 
that used `-i' should be changed to `-o'.
* TCP and UDP ports now need to be spelled out with the 
--source-port or --sport (or --destination-port/--dport) options, 
and must be placed after the `-p tcp' or `-p udp' options, 
as this loads the TCP or UDP extensions respectively.
* The TCP -y flag is now --syn, and must be after `-p tcp'.
* The DENY target is now DROP, finally.
* Zeroing single chains while listing them works.
* Zeroing built-in chains also clears policy counters.
* Listing chains gives you the counters as an atomic snapshot.
* REJECT and LOG are now extended targets, meaning they are separate 
kernel modules.
* Chain names can be up to 31 characters.
* MASQ is now MASQUERADE and uses a different syntax. 
REDIRECT, while keeping the same name, has also undergone a syntax 
change. See the NAT-HOWTO for more information on how to configure 
both of these.
* The -o option is no longer used to direct packets to the userspace 
device (see -i above). Packets are now sent to userspace 
via the QUEUE target.
* Probably heaps of other things I forgot. 


Where iptables improves on ipchains (excerpted from http://www.knowplace.org/netfilter/):

Why Netfilter/Iptables instead of Ipchains

* State matching - Connection tracking (can you trust the remote host 
to determine whether your firewall will accept a packet?).
* Automatic fragmentation reassembly - Connection tracking automatically 
reassembles fragmented packets for examination.
* Improved matching - Advanced packet matching such as rate limit, 
string matching (packet data), etc.
* Improved logging - Customized logging levels and entries, also allows 
user space logging.
* Allows packet mangling - Allows for the mangling of any information 
inside a packet.
* Userspace queuing - Allows userspace programs access to packets.
* Built-in support for port forwarding - obviates IPMASQADM.
* Progress - Inexorable fact of life.