Amazon iptables Скачать руководство пользователя страница 21 | Manualshive

Страница: 21 / 49

background image

Manpage of IPTABLES

option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the
counters on the rule will be incremented.

-i, --in-interface [!] name

Name of an interface via which a packet is going to be received (only for packets entering the
INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the
interface name, the sense is inverted. If the interface name ends in a "+", then any interface which
begins with this name will match. If this option is omitted, any interface name will match.

-o, --out-interface [!] name

Name of an interface via which a packet is going to be sent (for packets entering the FORWARD,
OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface
name, the sense is inverted. If the interface name ends in a "+", then any interface which begins
with this name will match. If this option is omitted, any interface name will match.

[!] -f, --fragment

This means that the rule only refers to second and further fragments of fragmented packets. Since
there is no way to tell the source or destination ports of such a packet (or ICMP type), such a
packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag,
the rule will only match head fragments, or unfragmented packets.

-c, --set-counters PKTS BYTES

This enables the administrator to initialize the packet and byte counters of a rule (during INSERT,
APPEND, REPLACE operations).

OTHER OPTIONS

The following additional options can be specified:

-v, --verbose

Verbose output. This option makes the list command show the interface name, the rule options (if
any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or
'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change
this). For appending, insertion, deletion and replacement, this causes detailed information on the
rule or rules to be printed.

-n, --numeric

Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the
program will try to display them as host names, network names, or services (whenever applicable).

-x, --exact

Expand numbers. Display the exact value of the packet and byte counters, instead of only the
rounded number in K's (multiples of 1000) M's (multiples of 1000K) or G's (multiples of 1000M).
This option is only relevant for the -L command.

--line-numbers

When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's

http://www.iptablesrocks.org/syntax/man_iptables.htm (5 of 20) [2/13/2004 8:04:51 PM]

«
...
19
20
21
22
23
...
»

Содержание iptables

Страница 1: ...vers the installation of iptables in a Redhat environment the syntax and structure associated with iptables and a collection a pre configured iptables configurations for a variety of applications This...

Страница 2: ...Replace an existing rule from a desired chain in the current configuration iptables I chain that s a capital I as in Insert Insert a new rule into a desired chain of the current configuration iptables...

Страница 3: ...Iptablesrocks org Syntax Structure Site last modified February 13 2004 15 27 51 http www iptablesrocks org syntax 2 of 2 2 13 2004 8 04 43 PM...

Страница 4: ...warded packets COMPLETELY 3 With all incoming packets dropped by default it then grants incoming access to a select number of ports These ports are ports that a typical web server might allow Open inb...

Страница 5: ...Iptablesrocks org Examples http www iptablesrocks org examples 2 of 2 2 13 2004 8 04 44 PM...

Страница 6: ...lat file iptables script into the server s ruleset Q How do I export my server s iptables rulset to flat iptables script A The command iptables save path to firewall_script will export the current ipt...

Страница 7: ...esrocks org If you would like to contact me please fill out the form below and then click Send It Your name Your e mail Comments Questions home syntax structure examples faq contact links Site last mo...

Страница 8: ...www netfilter org Linuxguruz Iptables Tutorial http www linuxguruz com iptables howto iptables HOWTO html Qmailrocks org My qmail installation guide Djbdnsrocks org My djbdns installation guide home...

Страница 9: ...ain unused port What if you want to block someone from your server Get the answers right here What if I want to open another port While it is possible to append rules to your live iptables configurati...

Страница 10: ...ou take a look at the firewall script you will notice that TCP port 3389 is not mentioned anywhere in the script and to be more specific it is not mentioned in the INPUT portion of the script Well sin...

Страница 11: ...make sure you enable your iptables safetynet before you start playing with your firewall setup You don t want to accdientally lock yourself out of your server Starting your fiewall on boot The final p...

Страница 12: ...stions May we post your comments on this website Yes No your name e mail address will not be posted A note on privacy Some people worry about providing their e mail address on the form You don t need...

Страница 13: ...ck myself out of my server I will only need to wait a maximum of 10 minutes before the bad firewall rules will be dropped and I ll be able to shell into my server again If you are a newbie at iptables...

Страница 14: ...up and lock yourself out of your server while you are implementing or testing new iptables configurations With this crontab running should you lock yourself out you will only have to wait a maximum o...

Страница 15: ...TING p tcp m tcp tcp flags FIN SYN FIN SYN j DROP A PREROUTING p tcp m tcp tcp flags FIN SYN RST PSH ACK URG FIN PSH URG j DROP A PREROUTING p tcp m tcp tcp flags FIN SYN RST PSH ACK URG NONE j DROP A...

Страница 16: ...tcp dport 783 j ACCEPT A OUTPUT p tcp m tcp dport 993 j ACCEPT A OUTPUT p tcp m tcp dport 3306 j ACCEPT A OUTPUT p tcp m tcp dport 12000 j ACCEPT A OUTPUT p tcp m tcp dport 15000 j ACCEPT A OUTPUT p t...

Страница 17: ...hain iptables t table X chain iptables t table P chain target options iptables t table E old chain name new chain name DESCRIPTION Iptables is used to set up maintain and inspect the tables of IP pack...

Страница 18: ...is configured with automatic module loading an attempt will be made to load the appropriate module for that table if it is not already there The tables are as follows filter This is the default table...

Страница 19: ...les are inserted at the head of the chain This is also the default if no rule number is specified R replace chain rulenum rule specification Replace a rule in the selected chain If the source and or d...

Страница 20: ...representing one of these protocols or a different one A protocol name from etc protocols is also allowed A argument before the protocol inverts the test The number zero is equivalent to all Protocol...

Страница 21: ...When the argument precedes the f flag the rule will only match head fragments or unfragmented packets c set counters PKTS BYTES This enables the administrator to initialize the packet and byte counte...

Страница 22: ...fied using the format port port If the first port is omitted 0 is assumed if the last is omitted 65535 is assumed If the second port greater then the first they will be swapped The flag sport is a con...

Страница 23: ...ort port port Destination port or port range specification See the description of the destination port option of the TCP extension for details icmp This extension is loaded if protocol icmp is specifi...

Страница 24: ...source or destination ports Up to 15 ports can be specified It can only be used in conjunction with p tcp or p udp source ports port port port Match if the source port is one of the given ports The f...

Страница 25: ...ted by a process with the given command name this option is present only if iptables was compiled under a kernel supporting this feature state This module when combined with connection tracking allows...

Страница 26: ...original source address differs from the reply destination DNAT A virtual state matching if the original destination differs from the reply source ctproto proto Protocol to match by number or name ct...

Страница 27: ...ie including the precedence bits tos tos The argument is either a standard name use iptables m tos h to see the list or a numeric value to match ah This module matches the SPIs in AH header of IPSec...

Страница 28: ...he Linux kernel will print some information on all matching packets like most IP header fields via the kernel log where it can be read with dmesg or syslogd 8 This is a non terminating target i e rule...

Страница 29: ...trols the nature of the error packet returned reject with type The type given can be icmp net unreachable icmp host unreachable icmp port unreachable icmp proto unreachable icmp net prohibited or icmp...

Страница 30: ...rce ports below 512 will be mapped to other ports below 512 those between 512 and 1023 inclusive will be mapped to ports below 1024 and other ports will be mapped to 1024 or above Where possible no po...

Страница 31: ...rts to use overriding the default SNAT source port selection heuristics see above This is only valid if the rule also specifies p tcp or p udp REDIRECT This target is only valid in the nat table in th...

Страница 32: ...usually limiting it to your outgoing interface s MTU minus 40 Of course it can only be used in conjunction with p tcp This target is used to overcome criminally braindead ISPs or servers which block I...

Страница 33: ...rious error messages are printed to standard error The exit code is 0 for correct functioning Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2 and...

Страница 34: ...NAT HOWTO details NAT the netfilter extensions HOWTO details the extensions that are not in the standard distribution and the netfilter hacking HOWTO details the netfilter internals See http www netfi...

Страница 35: ...COMMANDS PARAMETERS OTHER OPTIONS MATCH EXTENSIONS tcp udp icmp mac limit multiport mark owner state conntrack dscp pkttype tos ah esp length ttl unclean TARGET EXTENSIONS LOG MARK REJECT TOS http ww...

Страница 36: ...LOG TCPMSS DSCP ECN DIAGNOSTICS BUGS COMPATIBILITY WITH IPCHAINS SEE ALSO AUTHORS This document was created by man2html using the manual pages Time 05 21 18 GMT January 07 2004 http www iptablesrocks...

Страница 37: ...by initially blocking all incoming outgoing and forwarded packets COMPLETELY 3 With all incoming packets dropped by default it then grants incoming access to a select number of ports These ports are p...

Страница 38: ...rnel logging configuration so that the firewall will log its activites to a custom logfile Here s how you do it vi etc syslog conf Add the following to the syslog conf file IPTables logging kernel mes...

Страница 39: ...org Preparation Proceed to the next step home syntax structure examples faq contact links Site last modified February 13 2004 15 27 51 http www iptablesrocks org guide preparation php 2 of 2 2 13 200...

Страница 40: ...e will set the script to run at regular intervals In the way should you lock yourself out of your server all you ll have to do is sit back and wait for the script to execute and for the firewall to re...

Страница 41: ...irewall every 15 minutes crontab e 0 15 30 45 sbin iptables restore root firewall_reset That s it Now save and exit out of the crontab editor That s it Until the crontab is disabled your server s ipta...

Страница 42: ...EROUTING p tcp m tcp tcp flags FIN SYN FIN SYN j DROP A PREROUTING p tcp m tcp tcp flags FIN SYN RST PSH ACK URG FIN PSH URG j DROP A PREROUTING p tcp m tcp tcp flags FIN SYN RST PSH ACK URG NONE j DR...

Страница 43: ...m tcp dport 443 j ACCEPT uncomment the next line if you are running Spamassassin on your server A OUTPUT p tcp m tcp dport 783 j ACCEPT A OUTPUT p tcp m tcp dport 993 j ACCEPT A OUTPUT p tcp m tcp dpo...

Страница 44: ...p anywhere anywhere tcp dpt http ACCEPT tcp anywhere anywhere tcp dpt pop3 ACCEPT tcp anywhere anywhere tcp dpt imap ACCEPT tcp anywhere anywhere tcp dpt https ACCEPT tcp anywhere anywhere tcp dpt ima...

Страница 45: ...ning you will want to disable the safetynet crontab so that your firewall will remain up and running Proceed to the next step home syntax structure examples faq contact links Site last modified Februa...

Страница 46: ...L portscans it should block many and make the others a bit more time consuming and troublesome A portion nmap probe s activities should be logged in the var log firewall logfile The log entries will c...

Страница 47: ...gz And now let s start the installation cd iptables Log into mysql and do the database work mysql u root p create a database called iptables mysql create database iptables Now create an admin user for...

Страница 48: ...the database feeder script vi scripts feed_db pl Make sure the following configuration section is set properly Make sure you enter the iptables_user mysql password where the x s are my dsn DBI mysql...

Страница 49: ...our server and then logging in again via SSH The SSH connection will be recorded in the iptables logs and this will appear on the Iptables Log Analyzer screen If you need more help with Iptables Log A...

Отзывы:

Нет отзывов

Похожие инструкции для iptables

Бренд: Cabletron Systems Страницы: 16

Бренд: Yamaha Страницы: 89

Бренд: IBM Страницы: 34

DRAGON NATURALLYSPEAKING 7

Бренд: ScanSoft Страницы: 222

SmartWare R2.00

Бренд: Inalp Networks Страницы: 321

NG Network Access Client SP4

Бренд: Barracuda Networks Страницы: 10

Бренд: AMX Страницы: 12

Бренд: YOKOGAWA Страницы: 29

Бренд: NAPCO Страницы: 2

Бренд: Siemens Страницы: 11

Бренд: Siemens Страницы: 28

Бренд: Siemens Страницы: 32

OpenScape Xpressions PhoneMail

Бренд: Siemens Страницы: 110

Бренд: Billion Страницы: 18

Бренд: Apricorn Страницы: 20

Бренд: Apricorn Страницы: 67

Бренд: TRENDnet Страницы: 21

Бренд: Ulead Страницы: 80

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды