Chapter 43. Securing Your Network
714
This is especially important when adding rules using the -I command with an integer argument. If you specify an existing number when adding a rule to a chain, iptables adds the new rule before (or above) the existing rule.
• -L — Lists all of the rules in the chain specified after the command. To list all rules in all chains in the default filter table, do not specify a chain or table. Otherwise, the following syntax should be used to list the rules in a specific chain in a particular table:
iptables -L <chain-name> -t <table-name>
Additional options for the -L command option, which provide rule numbers and allow more verbose rule descriptions, are described in Section 43.9.3.6, “Listing Options”.
• -N — Creates a new chain with a user-specified name. The chain name must be unique, otherwise an error message is displayed.
• -P — Sets the default policy for the specified chain, so that when packets traverse an entire chain without matching a rule, they are sent to the specified target, such as ACCEPT or DROP.
• -R — Replaces a rule in the specified chain. The rule's number must be specified after the chain's name. The first rule in a chain corresponds to rule number one.
• -X — Deletes a user-specified chain. You cannot delete a built-in chain.
• -Z — Sets the byte and packet counters in all chains for a table to zero.
43.9.3.3. IPTables Parameter Options
Certain iptables commands, including those used to add, append, delete, insert, or replace rules within a particular chain, require various parameters to construct a packet filtering rule.
• -c — Resets the counters for a particular rule. This parameter accepts the PKTS and BYTES options to specify which counter to reset.
• -d — Sets the destination hostname, IP address, or network of a packet that matches the rule. When matching a network, the following IP address/netmask formats are supported:
  • N.N.N.N/M.M.M.M — Where N.N.N.N is the IP address range and M.M.M.M is the netmask.
  • N.N.N.N/M — Where N.N.N.N is the IP address range and M is the bitmask.
• -f — Applies this rule only to fragmented packets. You can use the exclamation point character (!) option after this parameter to specify that only unfragmented packets are matched.
Note
Distinguishing between fragmented and unfragmented packets is desirable, despite fragmented packets being a standard part of the IP protocol.
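The rule-numbering behaviour of -I, -A, -R, -D, -P and -Z described above, together with the two -d network formats (N.N.N.N/M.M.M.M and N.N.N.N/M), can be checked against a small model of a single chain. The following is an added example written for this page, not code from the guide or from iptables itself; the Chain class, its method names and the sample networks are constructed for illustration.

```python
import ipaddress

class Chain:
    """Minimal model of one iptables chain: an ordered rule list plus a default policy."""

    def __init__(self, policy="ACCEPT"):
        self.policy = policy        # -P: target used when no rule matches
        self.rules = []             # each rule: [destination network, target, packet counter]

    @staticmethod
    def _rule(dst, target):
        # ipaddress accepts both page formats: N.N.N.N/M.M.M.M (netmask) and N.N.N.N/M (bitmask)
        return [ipaddress.ip_network(dst, strict=False), target, 0]

    def append(self, dst, target):                  # -A: new rule becomes the last rule
        self.rules.append(self._rule(dst, target))

    def insert(self, rulenum, dst, target):         # -I <n>: new rule lands above existing rule n
        if not 1 <= rulenum <= len(self.rules) + 1:
            raise IndexError("rule number out of range")
        self.rules.insert(rulenum - 1, self._rule(dst, target))

    def replace(self, rulenum, dst, target):        # -R <n>: rule 1 is the first rule
        self.rules[rulenum - 1] = self._rule(dst, target)

    def delete(self, rulenum):                      # -D <n>
        del self.rules[rulenum - 1]

    def set_policy(self, target):                   # -P
        self.policy = target

    def zero(self):                                 # -Z: reset the packet counters
        for rule in self.rules:
            rule[2] = 0

    def listing(self):                              # -L with rule numbers, as (num, dst, target, pkts)
        return [(i, str(net), target, pkts)
                for i, (net, target, pkts) in enumerate(self.rules, start=1)]

    def verdict(self, dst_ip):
        """First matching rule wins; packets that match no rule get the chain policy."""
        addr = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if addr in rule[0]:
                rule[2] += 1
                return rule[1]
        return self.policy

def demo():
    fw = Chain(policy="DROP")
    fw.append("10.0.0.0/255.0.0.0", "ACCEPT")      # rule 1, netmask form
    fw.append("192.168.1.0/24", "ACCEPT")          # rule 2, bitmask form
    fw.insert(1, "10.0.5.0/24", "DROP")            # becomes rule 1; the old rule 1 is now rule 2
    return fw
```

Because the inserted DROP rule sits above the broader 10.0.0.0/8 ACCEPT rule, 10.0.5.x destinations are dropped while the rest of 10.0.0.0/8 is accepted; appending the same rule instead would never match.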