歡迎您光臨本站 註冊首頁

Linux 防火牆入門:ipchains manpage

←手機掃碼閱讀     火星人 @ 2014-03-09 , reply:0

  ipchains 的 manpage
  
  IPCHAINS(8) IPCHAINS(8)
  
  
  NAME
   ipchains - IP firewall administration
  
  SYNOPSIS
   ipchains -[ADC] chain rule-specification [options]
   ipchains -[RI] chain rulenum rule-specification [options]
   ipchains -D chain rulenum [options]
   ipchains -[LFZNX] [chain] [options]
   ipchains -P chain target [options]
   ipchains -M [ -L | -S ] [options]
  
  DESCRIPTION
   Ipchains is used to set up, maintain, and inspect the IP
   firewall rules in the Linux kernel. These rules can be
   divided into 4 different categories: the IP input chain,
   the IP output chain, the IP forwarding chain, and user
   defined chains.
  
   For each of these categories, a separate table of rules is
   maintained, any of which might refer to one of the user-
   defined chains. See ipfw(4) for more details.
  
  TARGETS
   A firewall rule specifies criteria for a packet, and a
   target. If the packet does not match, the next rule in
   the chain is the examined; if it does match, then the next
   rule is specified by the value of the target, which can be
   the name of a user-defined chain, or one of the special
   values ACCEPT, DENY, REJECT, MASQ, REDIRECT, or RETURN.
   ACCEPT means to let the packet through. DENY means to
   drop the packet on the floor. REJECT means the same as
   drop, but is more polite and easier to debug, since an
   ICMP message is sent back to the sender indicating that
   the packet was dropped. (Note that DENY and REJECT are
   the same for ICMP packets). [Note: this is incorrect; set-
   ting ICMP to REJECT will cause ICMP port unreachables to
   be sent!]
   MASQ is only legal for the forward and user defined
   chains, and can only be used when the kernel is compiled
   with CONFIG_IP_MASQUERADE defined. With this, packets
   will be masqueraded as if they originated from the local
   host. Furthermore, reverse packets will be recognized as
   such and they will be demasqueraded automatically, bypass-
   ing the forwarding chain.
   REDIRECT is only legal for the input and user-defined
   chains and can only be used when the Linux kernel is com-
   piled with CONFIG_IP_TRANSPARENT_PROXY defined. With
   this, packets will be redirected to a local socket, even
   if they were sent to a remote host. If the specified


   redirection port is 0, which is the default value, the
   destination port of a packet will be used as the redirec-
   tion port. When this target is used, an optional extra
   argument (the port number) can be supplied.
   If the end of a user-defined chain is reached, or a rule
  
  
  
   February 8, 1998 1
  
  
  
  
  
  IPCHAINS(8) IPCHAINS(8)
  
  
   with target RETURN is matched, then the next rule in the
   previous (calling) chain is examined. If the end of a
   builtin chain is reached, or a rule in a builtin chain
   with target RETURN is matched, the target specified by the
   chain policy determines the fate of the packet.
  
  OPTIONS
   The options that are recognized by ipchains can be divided
   into several different groups.
  
   COMMANDS
   These options specify the specific action to perform; only
   one of them can be specified on the command line, unless
   otherwise specified below. For all the long versions of
   the command and option names, you only need to use enough
   letters to ensure that ipchains can differentiate it from
   all other options.
  
   -A, --append
   Append one or more rules to the end of the selected
   chain. When the source and/or destination names
   resolve to more than one address, a rule will be
   added for each possible address combination.
  
   -D, --delete
   Delete one or more rules from the selected chain.
   There are two versions of this command: the rule
   can be specified as a number in the chain (starting
   at 1 for the first rule) or a rule to match.
  
   -R, --replace
   Replace a rule in the selected chain. If the
   source and/or destination names resolve to multiple
   addresses, the command will fail. Rules are num-
   bered starting at 1.
  
   -I, --insert
   Insert one or more rules in the selected chain as
   the given rule number. So, if the rule number is
   1, the rule or rules are inserted at the head of
   the chain.
  
   -L, --list
   List all rules in the selected chain. If no chain
   is selected, all chains are listed. It is legal to
   specify the -Z (zero) option as well, in which case
   no chain may be specified. The exact output is
   effected by the other arguments given.


  
   -F, --flush
   Flush the selected chain. This is equivalent to
   deleting all the rules one by one.
  
  
  
  
  
   February 8, 1998 2
  
  
  
  
  
  IPCHAINS(8) IPCHAINS(8)
  
  
   -Z, --zero
   Zero the packet and byte counters in all chains.
   It is legal to specify the -L, --list (list) option
   as well, to see the counters immediately before
   they are cleared; if this is done, then no specific
   chain can be specified (they will all be displayed
   and cleared.
  
   -N, --new-chain
   Create a new user-defined chain of the given name.
   There must be no target of that name already.
  
   -X, --delete-chain
   Delete the specified user-defined chain. There
   must be no references to the chain (if there are
   you must delete or replace the referring rules
   before the chain can be deleted). If no argument
   is given, it will attempt to delete every non-
   builtin chain.
  
   -P, --policy
   Set the policy for the chain to the given target.
   See the section TARGETS for the legal targets.
   Only non-userdefined chains can have policies, and
   neither built-in nor user-defined chains can be
   policy targets.
  
   -M, --masquerading
   This option allows viewing of the currently mas-
   queraded connections (in conjuction with the -L
   option) or to set the kernel masqerading parameters
   (with the -S option).
  
   -S, --set tcp tcpfin udp
   Change the timeout values used for masquerading.
   This command always takes 3 parameters, represent-
   ing the timeout values (in seconds) for TCP ses-
   sions, TCP sessions after receiving a FIN packet,
   and UDP packets, respectiv


[火星人 ] Linux 防火牆入門:ipchains manpage已經有551次圍觀

http://coctec.com/docs/linux/show-post-55913.html