Anatomy of an iptables Command
Command line


This section lists the components of an iptables command line that follow the name of the utility, iptables. Except as noted, the iptables utility is not sensitive to the position of arguments on the command line. The examples in this chapter reflect a generally accepted syntax that allows commands to be easily read, understood, and maintained. Not all commands have all components.

Many tokens on an iptables command line have two forms: a short form, consisting of a single letter preceded by a single hyphen, and a long form, consisting of a word preceded by two hyphens. Most scripts use the short forms for brevity; lines using the long forms can get unwieldy. The following iptables command lines are equivalent and are used as examples in this section:

# iptables --append FORWARD --in-interface eth1 --out-interface eth0 --jump ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT


Table


Specifies the name of the table the command operates on: Filter, NAT, or Mangle (typed on the command line as filter, nat, or mangle). You can specify a table name in any iptables command. When you do not specify a table name, the command operates on the Filter table. Most of the examples in this chapter do not specify table names and, therefore, work on the Filter table. Specify a table as -t tablename or --table tablename.

Command


Tells iptables what to do with the rest of the command line; for example, add or delete a rule, display rules, or add a chain. The example commands, -A and --append, append the rule specified by the command line to the specified table and chain. See page 771 for a list of commands.

Chain


Specifies the name of the chain that this rule belongs to or that this command works on. The chain is INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING, or the name of a user-defined chain. Specify a chain by putting the name of the chain on the command line without any preceding hyphens. The examples at the beginning of this section work with the FORWARD chain.

Match criteria


There are two kinds of match criteria: packet match criteria, which match a network packet, and rule match criteria, which match an existing rule.

Rule specifications


Packet match criteria identify network packets and implement rules that take action on packets that match the criteria. The combination of packet match criteria and an action is called a rule specification. Rule specifications form the basis for packet filtering. The first example at the beginning of this section uses the --in-interface eth1 --out-interface eth0 match criteria. The second example uses the short form of the same criteria: -i eth1 -o eth0. Both of these rules accept forwarded packets that come in on device eth1 and go out on device eth0.

Rule match criteria


Rule match criteria identify existing rules. An iptables command can modify, remove, or position a new rule adjacent to a rule specified by a rule match criterion. There are two ways to identify an existing rule: you can use the same rule specification that was used to create the rule, or you can use the rule's ordinal number, called a rule number. Rule numbers begin with 1, signifying the first rule in a chain, and can be displayed with iptables -L --line-numbers. The first command below deletes the rule listed at the beginning of this section; the second replaces rule number 3 in the INPUT chain with a rule that rejects all packets from IP address 192.168.0.10:

# iptables --delete FORWARD -i eth1 -o eth0 -j ACCEPT
# iptables -R INPUT 3 --source 192.168.0.10 --jump REJECT
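The following parser is an added example (not code from the book) that takes apart a command line into the components this section describes: table (defaulting to filter), command, chain, an optional rule number, packet match criteria, and target. It normalises the short forms to their long equivalents, so the two equivalent FORWARD command lines above parse identically, and it recognises the rule-number form used by -R. It only knows the tokens used in this section; everything else is rejected.

```python
import shlex

# Short-form tokens mapped to the long forms used in this section.
ALIASES = {
    "-t": "--table", "-A": "--append", "-D": "--delete", "-R": "--replace",
    "-I": "--insert", "-L": "--list", "-i": "--in-interface",
    "-o": "--out-interface", "-p": "--protocol", "-s": "--source",
    "-j": "--jump",
}
COMMANDS = {"--append", "--delete", "--replace", "--insert", "--list"}
NUMBERED = {"--delete", "--replace", "--insert"}   # may take a rule number
FLAGS = {"--line-numbers"}                          # options with no value


def parse_iptables(cmdline):
    """Split an iptables command line into table, command, chain, rulenum,
    packet match criteria and target; the table defaults to filter."""
    argv = shlex.split(cmdline.lstrip("# "))       # tolerate a "# " prompt
    if not argv or argv[0] != "iptables":
        raise ValueError("not an iptables command line")
    spec = {"table": "filter", "command": None, "chain": None,
            "rulenum": None, "matches": {}, "target": None}
    i = 1
    while i < len(argv):
        tok = ALIASES.get(argv[i], argv[i])        # normalise short forms
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok == "--table":
            spec["table"], i = nxt, i + 2
        elif tok in COMMANDS:
            spec["command"], i = tok, i + 1
            if nxt is not None and not nxt.startswith("-"):   # chain name
                spec["chain"], i = nxt, i + 1
                if tok in NUMBERED and i < len(argv) and argv[i].isdigit():
                    spec["rulenum"], i = int(argv[i]), i + 1
        elif tok == "--jump":
            spec["target"], i = nxt, i + 2
        elif tok in FLAGS:
            spec["matches"][tok], i = True, i + 1
        elif tok.startswith("--") and nxt is not None:
            spec["matches"][tok], i = nxt, i + 2   # packet match criterion
        else:
            raise ValueError("unexpected token: " + argv[i])
    if spec["command"] is None:
        raise ValueError("no command (-A, -D, -R, ...) given")
    return spec
```

Comparing the parsed dictionaries of two command lines tells you whether they name the same rule specification regardless of which forms were typed.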


Jump or target


A jump or target specifies what action the kernel takes on packets that match all match criteria for a rule. Specify a jump or target as -j target or --jump target. The examples at the beginning of this section specify the ACCEPT target using the following commands: --jump ACCEPT and -j ACCEPT.

Jumps


A jump transfers control to a different chain within the same table. The following command adds (--append) a rule to the INPUT chain that transfers packets that use the TCP protocol (--protocol tcp) to a user-defined chain named tcp_rules (--jump tcp_rules):

# iptables --append INPUT --protocol tcp --jump tcp_rules


When the packet finishes traversing the tcp_rules chain, assuming it has not been dropped or rejected, it continues traversing the INPUT chain from the rule following the one it jumped from.

Targets


A target specifies an action the kernel takes on the packet; the simplest actions are ACCEPT, DROP, and REJECT. The following command adds a rule to the FORWARD chain that rejects packets coming from the FTP port (/etc/services, the file iptables consults to determine which port to use, shows that FTP uses port 21):

# iptables --append FORWARD --protocol tcp --sport ftp --jump REJECT


Some targets, such as LOG, are nonterminating: Control passes to the next rule after the target is executed. See page 775 for information on how to use targets.
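The simulation below is an added example, not code from the book, that models the traversal rules just described: a jump into a user-defined chain, resumption in the calling chain at the next rule when the packet falls off the end of the user chain, terminating ACCEPT/DROP/REJECT targets, and the nonterminating LOG target. The chain dictionaries, the packet dictionary and the log_prefix key are a constructed representation, not iptables' own.

```python
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end traversal


def rule_matches(rule, pkt):
    """A rule matches when every match criterion equals the packet's field."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())


def traverse(chains, chain, pkt, log, depth=0):
    """Walk one chain and return its verdict, or None when the packet falls
    off the end of a user-defined chain (which has no policy)."""
    if depth > 8:                       # assumed guard against jump loops
        raise RuntimeError("jump loop in chain " + chain)
    for rule in chains[chain]["rules"]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINATING:
            return target
        if target == "LOG":             # nonterminating: record, then go on
            log.append((chain, rule.get("log_prefix", ""), dict(pkt)))
            continue
        # Any other target is a jump to a user-defined chain in this table.
        verdict = traverse(chains, target, pkt, log, depth + 1)
        if verdict is not None:
            return verdict
        # The user chain gave no verdict: resume here at the next rule.
    return chains[chain]["policy"]      # None for user-defined chains


# Constructed ruleset: INPUT in the filter table jumps TCP packets to
# tcp_rules, as "iptables --append INPUT --protocol tcp --jump tcp_rules"
# does; the other rules are illustrative only.
CHAINS = {
    "INPUT": {"policy": "DROP", "rules": [
        {"match": {"protocol": "tcp"}, "target": "tcp_rules"},
        {"match": {"protocol": "udp", "dport": 53}, "target": "ACCEPT"},
        {"match": {}, "target": "LOG", "log_prefix": "INPUT-unmatched "},
    ]},
    "tcp_rules": {"policy": None, "rules": [
        {"match": {"dport": 22}, "target": "ACCEPT"},
        {"match": {"sport": 21}, "target": "REJECT"},   # --sport ftp
    ]},
}


def verdict_for(pkt):
    """Return (verdict, log entries) for one packet entering INPUT."""
    log = []
    return traverse(CHAINS, "INPUT", pkt, log), log
```

A TCP packet to port 80 matches nothing in tcp_rules, comes back to INPUT, is logged by the nonterminating LOG rule, and then takes the chain's DROP policy.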



A Practical Guide to Red Hat Linux
A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
Year: 2006
Pages: 383