
iptables(8) — Linux manual page


IPTABLES(8)                  iptables 1.8.10                 IPTABLES(8)


NAME

       iptables/ip6tables — administration tool for IPv4/IPv6 packet
       filtering and NAT


SYNOPSIS

       iptables [-t table] {-A|-C|-D|-V} chain rule-specification

       ip6tables [-t table] {-A|-C|-D|-V} chain rule-specification

       iptables [-t table] -I chain [rulenum] rule-specification

       iptables [-t table] -R chain rulenum rule-specification

       iptables [-t table] -D chain rulenum

       iptables [-t table] -S [chain [rulenum]]

       iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

       iptables [-t table] -N chain

       iptables [-t table] -X [chain]

       iptables [-t table] -P chain policy

       iptables [-t table] -E old-chain-name new-chain-name

       rule-specification := [matches...] [target]

       match := -m matchname [per-match-options]

       target := -j targetname [per-target-options]

DESCRIPTION

       Iptables and ip6tables are used to set up, maintain, and inspect
       the tables of IPv4 and IPv6 packet filter rules in the Linux
       kernel.  Several different tables may be defined.  Each table
       contains a number of built-in chains and may also contain user-
       defined chains.

       Each chain is a list of rules which can match a set of packets.
       Each rule specifies what to do with a packet that matches.  This
       is called a `target', which may be a jump to a user-defined chain
       in the same table.

TARGETS

       A firewall rule specifies criteria for a packet and a target.  If
       the packet does not match, the next rule in the chain is
       examined; if it does match, then the next rule is specified by
       the value of the target, which can be the name of a user-defined
       chain, one of the targets described in iptables-extensions(8), or
       one of the special values ACCEPT, DROP or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the
       packet on the floor.  RETURN means stop traversing this chain and
       resume at the next rule in the previous (calling) chain.  If the
       end of a built-in chain is reached or a rule in a built-in chain
       with target RETURN is matched, the target specified by the chain
       policy determines the fate of the packet.

TABLES

       There are currently five independent tables (which tables are
       present at any time depends on the kernel configuration options
       and which modules are present).

       -t, --table table
              This option specifies the packet matching table which the
              command should operate on.  If the kernel is configured
              with automatic module loading, an attempt will be made to
              load the appropriate module for that table if it is not
              already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed).
                  It contains the built-in chains INPUT (for packets
                  destined to local sockets), FORWARD (for packets being
                  routed through the box), and OUTPUT (for locally-
                  generated packets).

              nat:
                  This table is consulted when a packet that creates a
                  new connection is encountered.  It consists of four
                  built-ins: PREROUTING (for altering packets as soon as
                  they come in), INPUT (for altering packets destined for
                  local sockets), OUTPUT (for altering locally-generated
                  packets before routing), and POSTROUTING (for altering
                  packets as they are about to go out).  IPv6 NAT
                  support is available since kernel 3.7.

              mangle:
                  This table is used for specialized packet alteration.
                  Until kernel 2.4.17 it had two built-in chains:
                  PREROUTING (for altering incoming packets before
                  routing) and OUTPUT (for altering locally-generated
                  packets before routing).  Since kernel 2.4.18, three
                  other built-in chains are also supported: INPUT (for
                  packets coming into the box itself), FORWARD (for
                  altering packets being routed through the box), and
                  POSTROUTING (for altering packets as they are about to
                  go out).

              raw:
                  This table is used mainly for configuring exemptions
                  from connection tracking in combination with the
                  NOTRACK target.  It registers at the netfilter hooks
                  with higher priority and is thus called before
                  ip_conntrack, or any other IP tables.  It provides the
                  following built-in chains: PREROUTING (for packets
                  arriving via any network interface) and OUTPUT (for
                  packets generated by local processes).

              security:
                  This table is used for Mandatory Access Control (MAC)
                  networking rules, such as those enabled by the SECMARK
                  and CONNSECMARK targets.  Mandatory Access Control is
                  implemented by Linux Security Modules such as SELinux.
                  The security table is called after the filter table,
                  allowing any Discretionary Access Control (DAC) rules
                  in the filter table to take effect before MAC rules.
                  This table provides the following built-in chains:
                  INPUT (for packets coming into the box itself), OUTPUT
                  (for altering locally-generated packets before
                  routing), and FORWARD (for altering packets being
                  routed through the box).

OPTIONS

       The options that are recognized by iptables and ip6tables can be
       divided into several different groups.

   COMMANDS
       These options specify the desired action to perform.  Only one
       of them can be specified on the command line unless otherwise
       stated below.  For long versions of the command and option
       names, you need to use only enough letters to ensure that
       iptables can differentiate it from all other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.
              When the source and/or destination names resolve to more
              than one address, a rule will be added for each possible
              address combination.

       -C, --check chain rule-specification
              Check whether a rule matching the specification does exist
              in the selected chain.  This command uses the same logic
              as -D to find a matching entry, but does not alter the
              existing iptables configuration and uses its exit code to
              indicate success or failure.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain.  There
              are two versions of this command: the rule can be
              specified as a number in the chain (starting at 1 for the
              first rule) or a rule to match.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the
              given rule number.  So, if the rule number is 1, the rule
              or rules are inserted at the head of the chain.  This is
              also the default if no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source
              and/or destination names resolve to multiple addresses,
              the command will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is
              selected, all chains are listed.  Like every other
              iptables command, it applies to the specified table
              (filter is the default), so NAT rules get listed by
               iptables -t nat -n -L
              Please note that it is often used with the -n option, in
              order to avoid long reverse DNS lookups.  It is legal to
              specify the -Z (zero) option as well, in which case the
              chain(s) will be atomically listed and zeroed.  The exact
              output is affected by the other arguments given.  The
              exact rules are suppressed until you use
               iptables -L -v
              or iptables-save(8).

       -S, --list-rules [chain]
              Print all rules in the selected chain.  If no chain is
              selected, all chains are printed like iptables-save.  Like
              every other iptables command, it applies to the specified
              table (filter is the default).

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if
              none is given).  This is equivalent to deleting all the
              rules one by one.

       -Z, --zero [chain [rulenum]]
              Zero the packet and byte counters in all chains, or only
              the given chain, or only the given rule in a chain.  It is
              legal to specify the -L, --list (list) option as well, to
              see the counters immediately before they are cleared.
              (See above.)

       -N, --new-chain chain
              Create a new user-defined chain by the given name.  There
              must be no target of that name already.

       -X, --delete-chain [chain]
              Delete the chain specified.  There must be no references
              to the chain.  If there are, you must delete or replace
              the referring rules before the chain can be deleted.  The
              chain must be empty, i.e. not contain any rules.  If no
              argument is given, it will delete all empty chains in the
              table.  Empty builtin chains can only be deleted with
              iptables-nft.

       -P, --policy chain target
              Set the policy for the built-in (non-user-defined) chain
              to the given target.  The policy target must be either
              ACCEPT or DROP.

       -E, --rename-chain old-chain new-chain
              Rename the user specified chain to the user supplied name.
              This is cosmetic, and has no effect on the structure of
              the table.

       -h     Help.  Give a (currently very brief) description of the
              command syntax.

   PARAMETERS
       The following parameters make up a rule specification (as used
       in the add, delete, insert, replace and append commands).

       -4, --ipv4
              This option has no effect in iptables and iptables-
              restore.  If a rule using the -4 option is inserted with
              (and only with) ip6tables-restore, it will be silently
              ignored.  Any other uses will throw an error.  This option
              allows IPv4 and IPv6 rules in a single rule file for use
              with both iptables-restore and ip6tables-restore.

       -6, --ipv6
              If a rule using the -6 option is inserted with (and only
              with) iptables-restore, it will be silently ignored.  Any
              other uses will throw an error.  This option allows IPv4
              and IPv6 rules in a single rule file for use with both
              iptables-restore and ip6tables-restore.  This option has
              no effect in ip6tables and ip6tables-restore.

       [!] -p, --protocol protocol
              The protocol of the rule or of the packet to check.  The
              specified protocol can be one of tcp, udp, udplite, icmp,
              icmpv6, esp, ah, sctp, mh or the special keyword "all", or
              it can be a numeric value, representing one of these
              protocols or a different one.  A protocol name from
              /etc/protocols is also allowed.  A "!" argument before the
              protocol inverts the test.  The number zero is equivalent
              to all.  "all" will match with all protocols and is taken
              as default when this option is omitted.  Note that, in
              ip6tables, IPv6 extension headers except esp are not
              allowed.  esp and ipv6-nonext can be used with Kernel
              version 2.6.11 or later.  The number zero is equivalent to
              all, which means that you cannot test the protocol field
              for the value 0 directly.  To match on a HBH header, even
              if it were the last, you cannot use -p 0, but always need
              -m hbh.

       [!] -s, --source address[/mask][,...]
              Source specification.  Address can be either a network
              name, a hostname, a network IP address (with /mask), or a
              plain IP address.  Hostnames will be resolved once only,
              before the rule is submitted to the kernel.  Please note
              that specifying any name to be resolved with a remote
              query such as DNS is a really bad idea.  The mask can be
              either an ipv4 network mask (for iptables) or a plain
              number, specifying the number of 1's at the left side of
              the network mask.  Thus, an iptables mask of 24 is
              equivalent to 255.255.255.0.  A "!" argument before the
              address specification inverts the sense of the address.
              The flag --src is an alias for this option.  Multiple
              addresses can be specified, but this will expand to
              multiple rules (when adding with -A), or will cause
              multiple rules to be deleted (with -D).
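The address handling just described, as an added Python example (not code from the iptables project): how a /mask is normalised whether given as a prefix length or a dotted mask, why a mask of 24 equals 255.255.255.0, and how a comma-separated -s/-d list or a name resolving to several addresses expands into one -A rule per combination. The hostname, addresses and FAKE_RESOLVER are constructed; inversion with "!" is not modelled.

```python
import ipaddress
from itertools import product
from typing import Dict, List

# Constructed stand-in for name resolution.  iptables resolves a name once,
# when the rule is submitted, and a name with several addresses yields one
# rule per address; real lookups would need DNS, which the man page warns is
# a really bad idea for firewall rules.
FAKE_RESOLVER: Dict[str, List[str]] = {
    "db.example.internal": ["10.0.1.10", "10.0.1.11"],
}


def parse_address_list(spec: str, resolver=FAKE_RESOLVER) -> List[ipaddress.IPv4Network]:
    """Parse 'address[/mask][,...]' as -s/-d accept it.

    A mask may be a prefix length (24) or a dotted mask (255.255.255.0);
    a plain address gets /32.  Host bits under the mask are cleared
    (strict=False), matching what iptables stores for 10.0.0.5/24."""
    nets = []
    for item in spec.split(","):
        addr, _, mask = item.partition("/")
        if addr in resolver:                        # hostname: one entry per address
            nets.extend(ipaddress.ip_network(a) for a in resolver[addr])
            continue
        # ip_network accepts both "a.b.c.d/24" and "a.b.c.d/255.255.255.0"
        nets.append(ipaddress.ip_network(item if mask else addr, strict=False))
    return nets


def mask_length_to_dotted(prefix: int) -> str:
    """The dotted mask equivalent to an iptables mask given as a number."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def expand_append(chain: str, src: str, dst: str, rest: str) -> List[str]:
    """The rules -A adds for a multi-address -s/-d: one per source/destination
    combination, rendered in the style of iptables -S output."""
    rules = []
    for s, d in product(parse_address_list(src), parse_address_list(dst)):
        rules.append(f"-A {chain} -s {s} -d {d} {rest}")
    return rules


if __name__ == "__main__":
    for line in expand_append("INPUT", "10.0.0.5/24,192.168.1.5",
                              "db.example.internal",
                              "-p tcp -m tcp --dport 5432 -j ACCEPT"):
        print(line)
```

The same expansion is why -D with a multi-address specification deletes several rules and why -R refuses such a specification.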


       [!] -d, --destination address[/mask][,...]
              Destination specification.  See the description of the -s
              (source) flag for a detailed description of the syntax.
              The flag --dst is an alias for this option.

       -m, --match match
              Specifies a match to use, that is, an extension module
              that tests for a specific property.  The set of matches
              make up the condition under which a target is invoked.
              Matches are evaluated first to last as specified on the
              command line and work in short-circuit fashion, i.e. if
              one extension yields false, evaluation will stop.

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if
              the packet matches it.  The target can be a user-defined
              chain (other than the one this rule is in), one of the
              special builtin targets which decide the fate of the
              packet immediately, or an extension (see MATCH AND TARGET
              EXTENSIONS below).  If this option is omitted in a rule
              (and -g is not used), then matching the rule will have no
              effect on the packet's fate, but the counters on the rule
              will be incremented.

       -g, --goto chain
              This specifies that the processing should continue in a
              user specified chain.  Unlike with the --jump option,
              RETURN will not continue processing in this chain but
              instead in the chain that called us via --jump.
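The chain traversal described under TARGETS and the -j versus -g distinction just described, modelled as an added Python example (not code from the iptables project): ACCEPT and DROP end traversal, RETURN resumes in the calling chain, the policy of a built-in chain decides at its end, a rule without -j/-g only counts, and -g records no return point. The chain names, rules and packets are constructed; the table is assumed to be filter and only -p/-s/-d style matches are represented, as Python callables.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass
class Rule:
    match: Callable[[dict], bool]  # stands in for the -p/-s/-d/-m matches
    target: Optional[str] = None   # ACCEPT, DROP, RETURN, a chain, or None (no -j)
    goto: bool = False             # True models -g, False models -j
    packets: int = 0               # the rule's packet counter


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None   # only built-in chains carry a -P policy
    rules: List[Rule] = field(default_factory=list)


class Table:
    """One table (think filter) holding built-in and user-defined chains."""

    def __init__(self):
        self.chains: Dict[str, Chain] = {}

    def new_chain(self, name, policy=None):
        self.chains[name] = Chain(name, policy)

    def append(self, chain, match, target=None, goto=False):
        self.chains[chain].rules.append(Rule(match, target, goto))

    def verdict(self, builtin, packet):
        """Fate of a packet entering a built-in chain: ACCEPT or DROP."""
        chain = self.chains[builtin]
        result = self._walk(chain, packet)
        if result in (ACCEPT, DROP):
            return result
        # RETURN in the built-in chain, or its end reached: the policy decides.
        return chain.policy

    def _walk(self, chain, packet):
        """Traverse one chain: ACCEPT/DROP, RETURN, or None at end of chain."""
        for rule in chain.rules:
            if not rule.match(packet):
                continue
            rule.packets += 1
            if rule.target is None:
                continue                # no -j/-g: counters only, keep going
            if rule.target in (ACCEPT, DROP, RETURN):
                return rule.target
            called = self.chains[rule.target]
            if rule.goto:
                # -g: nothing is recorded to come back to, so RETURN (or the end
                # of the called chain) resumes in whoever called *us* via -j.
                return self._walk(called, packet)
            result = self._walk(called, packet)
            if result in (ACCEPT, DROP):
                return result
            # -j: RETURN or the end of the user chain resumes at our next rule.
        return None


def build_filter(use_goto):
    """Constructed ruleset: INPUT (policy DROP) hands port-22 traffic to the
    user chain SSH, then allows one admin host for everything else."""
    t = Table()
    t.new_chain("INPUT", policy=DROP)
    t.new_chain("SSH")
    t.append("INPUT", lambda p: True)                  # counter-only rule (no -j)
    t.append("INPUT", lambda p: p["dport"] == 22, "SSH", goto=use_goto)
    t.append("INPUT", lambda p: p["src"] == "192.168.1.5", ACCEPT)
    t.append("SSH", lambda p: p["src"].startswith("10."), ACCEPT)
    t.append("SSH", lambda p: True, RETURN)
    return t


def run(use_goto):
    """Verdicts for four constructed packets entering INPUT, plus the hit
    count of the counter-only rule.  With -g the admin's SSH packet is
    dropped: RETURN in SSH ends INPUT instead of resuming at its rule 3."""
    t = build_filter(use_goto)
    packets = {
        "lan-ssh": {"src": "10.0.0.7", "dport": 22},
        "admin-ssh": {"src": "192.168.1.5", "dport": 22},
        "admin-web": {"src": "192.168.1.5", "dport": 443},
        "other-ssh": {"src": "203.0.113.9", "dport": 22},
    }
    results = {name: t.verdict("INPUT", pkt) for name, pkt in packets.items()}
    return results, t.chains["INPUT"].rules[0].packets
```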


       [!] -i, --in-interface name
              Name of an interface via which a packet was received (only
              for packets entering the INPUT, FORWARD and PREROUTING
              chains).  When the "!" argument is used before the
              interface name, the sense is inverted.  If the interface
              name ends in a "+", then any interface which begins with
              this name will match.  If this option is omitted, any
              interface name will match.

       [!] -o, --out-interface name
              Name of an interface via which a packet is going to be
              sent (for packets entering the FORWARD, OUTPUT and
              POSTROUTING chains).  When the "!" argument is used before
              the interface name, the sense is inverted.  If the
              interface name ends in a "+", then any interface which
              begins with this name will match.  If this option is
              omitted, any interface name will match.

       [!] -f, --fragment
              This means that the rule only refers to second and further
              IPv4 fragments of fragmented packets.  Since there is no
              way to tell the source or destination ports of such a
              packet (or ICMP type), such a packet will not match any
              rules which specify them.  When the "!" argument precedes
              the "-f" flag, the rule will only match head fragments, or
              unfragmented packets.  This option is IPv4 specific, it is
              not available in ip6tables.

       -c, --set-counters packets bytes
              This enables the administrator to initialize the packet
              and byte counters of a rule (during INSERT, APPEND,
              REPLACE operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output.  This option makes the list command show
              the interface name, the rule options (if any), and the TOS
              masks.  The packet and byte counters are also listed, with
              the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and
              1,000,000,000 multipliers respectively (but see the -x
              flag to change this).  For appending, insertion, deletion
              and replacement, this causes detailed information on the
              rule or rules to be printed.  -v may be specified multiple
              times to possibly emit more detailed debug statements:
              Specified twice, iptables-legacy will dump table info and
              entries in libiptc, iptables-nft dumps rules in netlink
              (VM code) presentation.  Specified three times, iptables-
              nft will also dump any netlink messages sent to kernel.

       -V, --version
              Show program version and the kernel API used.

       -w, --wait [seconds]
              Wait for the xtables lock.  To prevent multiple instances
              of the program from running concurrently, an attempt will
              be made to obtain an exclusive lock at launch.  By
              default, the program will exit if the lock cannot be
              obtained.  This option will make the program wait
              (indefinitely or for optional seconds) until the exclusive
              lock can be obtained.

       -n, --numeric
              Numeric output.  IP addresses and port numbers will be
              printed in numeric format.  By default, the program will
              try to display them as host names, network names, or
              services (whenever applicable).

       -x, --exact
              Expand numbers.  Display the exact value of the packet and
              byte counters, instead of only the rounded number in K's
              (multiples of 1000), M's (multiples of 1000K) or G's
              (multiples of 1000M).  This option is only relevant for
              the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of
              each rule, corresponding to that rule's position in the
              chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command
              to load any necessary modules (targets, match extensions,
              etc).

LOCK FILE

       iptables uses the /run/xtables.lock file to take an exclusive
       lock at launch.

       The XTABLES_LOCKFILE environment variable can be used to override
       the default setting.

MATCH AND TARGET EXTENSIONS

       iptables can use extended packet matching and target modules.  A
       list of these is available in the iptables-extensions(8) manpage.

DIAGNOSTICS

       Various error messages are printed to standard error.  The exit
       code is 0 for correct functioning.  Errors which appear to be
       caused by invalid or abused command line parameters cause an exit
       code of 2.  Errors which indicate an incompatibility between
       kernel and user space cause an exit code of 3.  Errors which
       indicate a resource problem, such as a busy lock, failing memory
       allocation or error messages from kernel cause an exit code of 4.
       Finally, other errors cause an exit code of 1.

BUGS

       Bugs?  What's this? ;-) Well, you might want to have a look at
       https://bugzilla.netfilter.org/ .  iptables will exit immediately
       with an error code of 111 if it finds that it was called as a
       setuid-to-root program.  iptables cannot be used safely in this
       manner because it trusts the shared libraries (matches, targets)
       loaded at run time; the search path can be set using environment
       variables.

COMPATIBILITY WITH IPCHAINS

       This iptables is very similar to ipchains by Rusty Russell.  The
       main difference is that the chains INPUT and OUTPUT are only
       traversed for packets coming into the local host and originating
       from the local host respectively.  Hence every packet only passes
       through one of the three chains (except loopback traffic, which
       involves both INPUT and OUTPUT chains); previously a forwarded
       packet would pass through all three.

       The other main difference is that -i refers to the input
       interface; -o refers to the output interface, and both are
       available for packets entering the FORWARD chain.

       The various forms of NAT have been separated out; iptables is a
       pure packet filter when using the default `filter' table, with
       optional extension modules.  This should avoid much of the
       confusion over the combination of IP masquerading and packet
       filtering seen previously.  So the following options are handled
       differently:

              -j MASQ
              -M -S
              -M -L

       There are several other changes in iptables.

SEE ALSO

       iptables-apply(8), iptables-save(8), iptables-restore(8),
       iptables-extensions(8),

       The packet-filtering-HOWTO details iptables usage for packet
       filtering, the NAT-HOWTO details NAT, the netfilter-extensions-
       HOWTO details the extensions that are not in the standard
       distribution, and the netfilter-hacking-HOWTO details the
       netfilter internals.  See https://www.netfilter.org/ .

AUTHORS

       Rusty Russell originally wrote iptables, in early consultation
       with Michael Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a
       generic packet selection framework in iptables, then wrote the
       mangle table, the owner match, the mark stuff, and ran around
       doing cool stuff everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc,
       as well as the TTL, DSCP, ECN matches and targets.

       The Netfilter Core Team is: Jozsef Kadlecsik, Pablo Neira Ayuso,
       Eric Leblond, Florian Westphal and Arturo Borrero Gonzalez.
       Emeritus Core Team members are: Marc Boucher, Martin Josefsson,
       Yasuyuki Kozakai, James Morris, Harald Welte and Rusty Russell.

       Man page originally written by Herve Eychenne <rv@wallfire.org>.

VERSION

       This manual page applies to iptables/ip6tables 1.8.10.

COLOPHON

       This page is part of the iptables (administer and maintain packet
       filter rules) project.  Information about the project can be
       found at ⟨http://www.netfilter.org/⟩.  If you have a bug report
       for this manual page, see ⟨http://bugzilla.netfilter.org/⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨git://git.netfilter.org/iptables⟩ on 2024-06-14.  (At that time,
       the date of the most recent commit that was found in the
       repository was 2024-06-12.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

iptables 1.8.10                                              IPTABLES(8)
