Iptables in Ubuntu
Add Date : 2018-11-21
iptables in detail


SYNOPSIS

iptables -[ADC] chain rule-specification [options]

-A appends, -D deletes and -C checks a rule in the given chain.

iptables -[RI] chain rulenum rule-specification [options]

-R replaces and -I inserts a rule at position rulenum in the chain.

iptables -D chain rulenum [options]

Deletes the rule at position rulenum.

iptables -[LFZ] [chain] [options]

-L lists, -F flushes and -Z zeroes the counters of the given chain (all chains if none is given).

iptables -[NX] chain

-N creates and -X deletes a user-defined chain.

iptables -P chain target [options]

Sets the default policy (target) of a built-in chain.

iptables -E old-chain-name new-chain-name

-E renames the user-defined chain old-chain-name to new-chain-name.


DESCRIPTION

iptables is used to set up, maintain and inspect the IP packet filtering rules in the Linux kernel.

Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that can match a set of packets. Each rule specifies what to do with a packet that matches; this is called the "target", and it may be a jump to a user-defined chain in the same table.

A firewall rule specifies the criteria a packet must meet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is determined by the value of the target. The target can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

ACCEPT means to let the packet through. DROP means to discard the packet. QUEUE means to pass the packet to userspace. RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the fate of the packet is decided by the target specified as the chain policy.


TABLES

There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and on which modules are loaded).

-t, --table table

This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for that table if it is not already present. The tables are as follows:

filter: the default table. It contains the built-in chains INPUT (packets destined for the local host), FORWARD (packets being routed through the host) and OUTPUT (locally generated packets).

nat: consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (altering packets as soon as they come in), OUTPUT (altering locally generated packets before routing) and POSTROUTING (altering packets as they are about to go out).

mangle: used for specialised packet alteration. In the version of the manual this page is based on it has two built-in chains: PREROUTING (altering incoming packets before routing) and OUTPUT (altering locally generated packets before routing). Kernels since 2.4.18 provide all five chains (INPUT, FORWARD and POSTROUTING as well) in the mangle table, and current iptables releases also ship the raw and security tables, which are not covered here.


OPTIONS

The options recognised by iptables can be divided into several different groups.

COMMANDS

These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise stated below. For all the long versions of the command and option names, you need only use enough letters to ensure that iptables can differentiate it from all other options.

-A, --append

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-D, --delete

Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule specification to match.

-R, --replace

Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

-I, --insert

Insert one or more rules in the selected chain at the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

-L, --list

List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) are atomically listed and zeroed. The exact output is affected by the other arguments given.

-F, --flush

Flush the selected chain. This is equivalent to deleting all the rules one by one.

-Z, --zero

Zero the packet and byte counters in all chains. It is legal to specify the -L (list) option as well, to see the counters immediately before they are cleared; see above.

-N, --new-chain

Create a new user-defined chain with the given name. There must be no target of that name already.

-X, --delete-chain

Delete the specified user-defined chain. There must be no references to the chain; if there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-built-in chain in the table.

-P, --policy

Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

-E, --rename-chain

Rename the user-specified chain to the user-supplied name. This is cosmetic and has no effect on the structure of the table.

-h

Help. Give a (currently very brief) description of the command syntax.
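The commands above are not idempotent: running the same -A twice leaves two copies of the rule, and a -D by rule number is only safe if nothing has shifted the numbering since you listed the chain. The helpers below are an added example (not from the original page) of the workflow a practitioner actually uses: check with -C before appending, purge every duplicate of a rule, delete by position, and snapshot the whole ruleset with iptables-save so a change that locks out a remote session can be rolled back. They assume an iptables with -C/--check (1.4.11 or later; the BUGS section of the manual this page is based on predates it) and take the iptables binary from the IPT variable so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the original page.
# IPT names the iptables binary; set IPT to a shell function or to "echo" to dry-run.
IPT="${IPT:-iptables}"

# Append a rule only if an identical one is not already in the chain.
# Usage: ipt_ensure CHAIN rule-specification...
ipt_ensure() {
    chain="$1"; shift
    if $IPT -C "$chain" "$@" 2>/dev/null; then
        return 0            # already present: a second -A would duplicate it
    fi
    $IPT -A "$chain" "$@"
}

# Delete every copy of a rule; repeated -A calls may have left several.
# Usage: ipt_purge CHAIN rule-specification...
ipt_purge() {
    chain="$1"; shift
    while $IPT -C "$chain" "$@" 2>/dev/null; do
        $IPT -D "$chain" "$@"
    done
}

# Delete the rule at a given position, as shown by: iptables -L CHAIN -n --line-numbers
# Usage: ipt_delete_num CHAIN RULENUM
ipt_delete_num() {
    $IPT -D "$1" "$2"
}

# Run a command that changes the ruleset; if it fails, restore the snapshot
# taken beforehand with iptables-save. Requires root and the real binaries.
# Usage: ipt_with_rollback some_function_or_command args...
ipt_with_rollback() {
    snap=$(mktemp) || return 1
    iptables-save > "$snap" || { rm -f "$snap"; return 1; }
    if ! "$@"; then
        iptables-restore < "$snap"
        rm -f "$snap"
        return 1
    fi
    rm -f "$snap"
}

# Stand-alone demonstration as a dry run: print what would be executed.
# (echo always "succeeds" at -C, so ipt_ensure reports the rule as present.)
if [ "${1:-}" = "dry-run" ]; then
    IPT=echo
    ipt_purge INPUT -p tcp --dport 22 -j ACCEPT
    ipt_delete_num INPUT 3
fi
```

The -C check compares the full rule specification, so a rule must be spelled exactly as it was added (same match order, same spelling of aliases such as --dport versus --destination-port) or it will not be found.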



PARAMETERS

The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

-p, --protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or it can be a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match all protocols and is the default when this option is omitted. all may not be used in combination with the check command.

-s, --source [!] address[/mask]

Source specification. address can be a hostname, a network name or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1's at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.

-d, --destination [!] address[/mask]

Destination specification. See the description of the -s flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target

This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, matching the rule has no effect on the packet's fate, but the counters on the rule are still incremented.

-i, --in-interface [!] [name]

Optional name of an interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", any interface whose name begins with this string will match. If this option is omitted, the string "+" is assumed, which matches any interface name.

-o, --out-interface [!] [name]

Optional name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", any interface whose name begins with this string will match. If this option is omitted, the string "+" is assumed, which matches any interface name.

[!] -f, --fragment

This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or its ICMP type), such a packet will not match any rule which specifies them. When the "!" argument precedes the "-f" flag, the sense is inverted: only unfragmented packets and first fragments match.


OTHER OPTIONS

The following additional options can be specified:

-v, --verbose

Verbose output. This option makes the list command show the interface address, the rule options (if any) and the TOS masks. The packet and byte counters are also listed, with the suffix K, M or G for multipliers of 1000, 1,000,000 and 1,000,000,000 respectively (but see the -x flag to change this). For the append, insert, delete and replace commands, this causes detailed information on the rule or rules to be printed.

-n, --numeric

Numeric output. IP addresses and port numbers are printed in numeric form. By default the program tries to display them as host names, network names or service names.

-x, --exact

Expand numbers. Display the exact value of the packet and byte counters instead of the rounded number in K's, M's or G's. This option is only relevant for the -L command.

--line-numbers

When listing rules, add a line number to the beginning of each rule, corresponding to that rule's position in the chain.


MATCH EXTENSIONS

iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or explicitly with -m or --match followed by the module name. The following are included in the base package, and most of them can be preceded by a "!" to invert the sense of the match.

tcp

These extensions are loaded if --protocol tcp is specified and no other match is specified. They provide the following options:

[!] --source-port [port[:port]]

Source port or port range specification. This can be either a service name or a port number. An inclusive range can also be specified using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first, they are swapped. The flag --sport is an alias for this option.

[!] --destination-port [port[:port]]

Destination port or port range specification. The flag --dport is an alias for this option.

--tcp-flags [!] mask comp

Match when the TCP flags are as specified. The first argument is the comma-separated list of flags to examine; the second argument is the comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

only matches packets with the SYN flag set and the ACK, FIN and RST flags unset.

[!] --syn

Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface prevents incoming TCP connections, while outgoing TCP connections are unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes "--syn", the sense of the option is inverted.

--tcp-option [!] number

Match if the given TCP option is set.


udp

These extensions are loaded if --protocol udp is specified and no other match is specified. They provide the following options:

[!] --source-port [port[:port]]

Source port or port range specification. See the description of the --source-port option of the tcp extension for details.

[!] --destination-port [port[:port]]

Destination port or port range specification. See the description of the --destination-port option of the tcp extension for details.

icmp

This extension is loaded if --protocol icmp is specified and no other match is specified. It provides the following option:

--icmp-type [!] typename

This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.


mac

--mac-source [!] address

Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD or INPUT chains from an Ethernet device.

limit

This module matches at a limited rate using a token bucket filter; it can be combined with the LOG target to give limited logging. A rule using this extension matches until the limit is reached (unless the "!" flag is used).

--limit rate

Maximum average matching rate: specified as a number with an optional "/second", "/minute", "/hour" or "/day" suffix; the default is 3/hour.

--limit-burst number

Maximum initial number of packets to match: this number is recharged by one every time the limit specified above is not reached, up to this number; the default is 5.


multiport

This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

--source-port [port[,port]]

Match if the source port is one of the given ports.

--destination-port [port[,port]]

Match if the destination port is one of the given ports.

--port [port[,port]]

Match if both the source and destination ports are equal to each other and to one of the given ports.

mark

This module matches the netfilter mark field associated with a packet (which can be set with the MARK target below).

--mark value[/mask]

Matches packets with the given unsigned mark value (if a mask is specified, it is logically ANDed with the mark before the comparison).

owner

This module attempts to match various characteristics of the packet creator for locally generated packets. It is only valid in the OUTPUT chain, and even there some packets (such as ICMP ping responses) may have no owner and hence never match.

--uid-owner userid

Matches if the packet was created by a process with the given effective user id.

--gid-owner groupid

Matches if the packet was created by a process with the given effective group id.

--sid-owner sessionid

Matches if the packet was created by a process in the given session group. Current kernels and iptables releases no longer support this option (only the uid and gid tests remain).

state

This module, when combined with connection tracking, allows access to the connection tracking state of the packet.

--state state

state is a comma-separated list of the connection states to match. Possible states are INVALID, meaning the packet is associated with no known connection; ESTABLISHED, meaning the packet is associated with a connection which has seen packets in both directions; NEW, meaning the packet has started a new connection or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

unclean

This module takes no options but attempts to match packets which seem malformed or unusual. It is regarded as experimental and has since been removed from the kernel.

tos

This module matches the 8 bits of the Type of Service field in the IP header (i.e. including the precedence bits).

--tos tos

The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value to match.


TARGET EXTENSIONS

iptables can use extended target modules; the following are included in the standard distribution.

LOG

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel prints some information on all matching packets (like most IP header fields) via printk(). LOG does not terminate rule traversal: the packet continues to the next rule, so a LOG rule is normally followed by a DROP or REJECT rule for the same packets, and is usually combined with the limit match so that a flood cannot fill the log.

--log-level level

Level of logging (numeric, or see syslog.conf(5)).

--log-prefix prefix

Prefix log messages with the specified prefix, up to 14 characters long (later versions allow up to 29). Useful for distinguishing messages in the logs.

--log-tcp-sequence

Log TCP sequence numbers. This is a security risk if the log is readable by users.

--log-tcp-options

Log options from the TCP packet header.

--log-ip-options

Log options from the IP packet header.
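The value of --log-prefix is that it lets you pick the firewall's lines out of the kernel log afterwards. The following is an added example (not from the original page) of the detection-side counterpart: a shell function that reads kernel log lines on stdin, keeps only those carrying a given prefix, and summarises them by source address, destination port and protocol. The sample lines are constructed here in the key=value format the LOG target emits (SRC=, DST=, PROTO=, DPT=); the prefix "FW-DROP: " and the addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Summarise kernel LOG lines (e.g. from journalctl -k or /var/log/kern.log)
# that carry a given --log-prefix. Output: "count src dst:dpt proto", most frequent first.
# Usage: fw_log_summary "PREFIX" < logfile
fw_log_summary() {
    prefix="${1:-FW-DROP: }"
    awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }     # keep only lines logged with our prefix
        {
            src = dst = dpt = proto = "-"
            for (i = 1; i <= NF; i++) {   # fields are KEY=VALUE tokens
                split($i, kv, "=")
                if (kv[1] == "SRC")        src   = kv[2]
                else if (kv[1] == "DST")   dst   = kv[2]
                else if (kv[1] == "DPT")   dpt   = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            key = src " " dst ":" dpt " " proto
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample in the format the LOG target writes (addresses from the
# RFC 5737 documentation ranges). The last line has a different prefix and is ignored.
SAMPLE_LOG='Jan 10 12:00:01 host kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54021 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 host kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54022 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:03 host kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Jan 10 12:00:04 host kernel: OTHER: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=1 DPT=22'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary "FW-DROP: "
```

Because LOG lines are produced by the kernel, a log-injection attempt by a remote peer can only influence the values after the "=" signs; the prefix itself is trusted, which is why the filter keys on it rather than on free text.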


MARK

This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.

--set-mark mark

REJECT

This is used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:

--reject-with type

The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used in the INPUT chain, or in user-defined chains called from the INPUT chain, on rules which only match the TCP protocol: a TCP RST packet is sent back in response.
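Everything in the filter half of this page (policies, user-defined chains, the state, limit, multiport and icmp matches, the --syn and -f tests, the LOG and REJECT targets) comes together in a stateful host firewall. The script below is an added example, not from the original page: it applies that design to the filter table in the order a practitioner uses (flush with permissive policies first so a remote session survives, accept rules next, restrictive policies last). The management network 192.0.2.0/24 is an assumption; -m state is the page's spelling and still works (current iptables maps it onto conntrack), and --dports is the current spelling of multiport's --destination-port. IPT can be overridden to dry-run without root.

```shell
#!/bin/sh
# Added example, not part of the original page. Run as root: ./fw.sh apply
# IPT names the iptables binary; IPT=echo prints the commands instead.
IPT="${IPT:-iptables}"
SSH_NET="${SSH_NET:-192.0.2.0/24}"   # assumed management network (RFC 5737 range)

fw_flush() {
    # Reset policies to ACCEPT before flushing so a flush over SSH cannot lock us out.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
    $IPT -Z
}

fw_rules() {
    # User-defined chain: log at a bounded rate (limit + LOG), then drop.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
    $IPT -A LOGDROP -j DROP

    # Loopback and connection tracking first: most traffic is decided here.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j LOGDROP

    # Second and later fragments carry no port numbers; keep them away from the port rules.
    $IPT -A INPUT -f -j LOGDROP

    # A new TCP connection must start with a clean SYN (--syn == --tcp-flags SYN,RST,ACK SYN).
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j LOGDROP

    # Services: SSH from the management network only, web from anywhere.
    $IPT -A INPUT -p tcp -s "$SSH_NET" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # ICMP echo requests are allowed but rate limited.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT

    # ident probes: answer with a RST instead of a silent drop so remote mail servers do not stall.
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Everything else: rate-limited log, then drop. This host is not a router.
    $IPT -A INPUT -j LOGDROP
    $IPT -A FORWARD -j LOGDROP

    # Restrictive default policies last, once the accept rules are in place.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    apply)   fw_flush; fw_rules ;;
    dry-run) IPT=echo; fw_flush; fw_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Rule order is the security property here: ESTABLISHED,RELATED is accepted before any port rule, so the port rules only ever see NEW connections, and the ! --syn test rejects connection attempts that try to slip past with ACK or FIN set.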


TOS

This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.

--set-tos tos

You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

MIRROR

This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains. It has since been removed from the kernel.


SNAT

This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

--to-source <ipaddr>[-<ipaddr>][:port-port]

This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, source ports below 512 are mapped to other ports below 512, those between 512 and 1023 inclusive are mapped to ports below 1024, and other ports are mapped to 1024 or above. Where possible, the port will not

DNAT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

--to-destination <ipaddr>[-<ipaddr>][:port-port]

This can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, the destination port is never modified.

MASQUERADE

This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dial-up) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dial-up is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

--to-ports <port>[-<port>]

This specifies a range of source ports to use, overriding the default SNAT source port selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.

REDIRECT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally generated packets are mapped to a local address). It takes one option:

--to-ports <port>[-<port>]

This specifies a destination port or range of ports to use; without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.



DIAGNOSTICS

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2; other errors cause an exit code of 1.

BUGS

Check is not implemented (yet). Later iptables releases (1.4.11 and newer) do implement -C, --check.


Compatibility with ipchains

iptables is very similar to ipchains by Rusty Russell. The main difference is that the chains INPUT and OUTPUT are only traversed for packets coming into the local host and originating from the local host respectively. Hence every packet passes through only one of the three chains; previously a forwarded packet would pass through all three. The other main difference is that -i refers to the input interface and -o to the output interface, and both are available for packets entering the FORWARD chain. iptables is a pure packet filter when using the default filter table, with optional extension modules. This should simplify much of the previous confusion over the combination of IP masquerading and packet filtering, so the following options are handled differently:

-M -S

-M -L

There are several other changes in iptables.
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.