Chapter 13. Firewalls and iptables
Caution
Be aware of which option (-A or -I) you are using when adding a rule: -A appends the rule at the
end of the chain, while -I inserts it at the beginning (or at a given rule number). Rules are
evaluated in order and the first matching rule with a terminating target decides the packet's
fate, so a rule appended after a broader ACCEPT is never reached by the packets that ACCEPT
already matches. When adding a rule at either end of a chain, check that it neither shadows nor
is shadowed by the rules already in that chain.
-L
Lists all of the rules in the chain specified after the command. To list all rules in all chains of
the default filter table, give neither a chain nor a table. Otherwise, use the following syntax to
list the rules of a specific chain in a particular table:

iptables -L <chain-name> -t <table-name>

Options for the -L command that print rule numbers (--line-numbers) and give more verbose rule
descriptions (-v), among others, are described in Section 13.3.7.
-N
Creates a new chain with a user-specified name. User-defined chains have no default policy; a
packet that reaches the end of one without a terminating match returns to the chain that jumped
to it.
-P
Sets the default policy for a built-in chain, so that packets which traverse the entire chain
without matching a terminating rule are sent to a particular target, such as ACCEPT or DROP.
A policy can only be set on built-in chains, not on user-defined ones.
-R
Replaces a rule in a particular chain. You must give the rule's number after the chain's name to
identify the rule to replace; the first rule in a chain is rule number 1.
-X
Deletes a user-specified chain. The chain must be empty and no rule may still jump to it.
Deleting a built-in chain of any table is not allowed.
-Z
Zeros the byte and packet counters in all chains of a particular table.
13.3.4. Parameters
Once an iptables command has been given, including those used to add, append, delete, insert,
or replace rules within a particular chain, parameters are required to build the packet-filtering
rule itself: they select which packets the rule matches and what is done with them.
-c <packets> <bytes>
Sets the packet and byte counters of the rule being added or replaced (with -A, -I or -R) to the
given values instead of starting them at zero. This is what iptables-save -c and
iptables-restore -c use to preserve counters across a reload of the rule set.
-d
Sets the destination hostname, IP address, or network that a packet must be addressed to in order
to match the rule. When matching a network, the netmask can be written either in dotted form or
as a prefix length, for example 192.168.0.0/255.255.255.0 or 192.168.0.0/24. A hostname is
resolved once, when the rule is added, so the rule does not follow later changes to that name's
address.
-f
Applies this rule only to the second and subsequent fragments of a fragmented packet. The first
fragment carries the transport header and is matched like an ordinary packet, so a rule that uses
-f to drop fragments still lets the first fragment of each datagram through. Negating the
parameter with ! (! -f) matches only packets that are not such fragments.
-i
Matches on the incoming network interface, such as eth0 or ppp0, on which a packet arrived. With
iptables, this optional parameter may only be used with the INPUT and FORWARD chains of the
filter table and with the PREROUTING chain of the nat and mangle tables; locally generated
packets have no incoming interface, which is why the OUTPUT chain does not accept it.
Two modifiers can be combined with the interface name:
!
Placed before the name (-i ! ppp0, written ! -i ppp0 in current iptables releases), negates the
match, so the rule applies to packets arriving on any interface except the one named.
+
Appended to a name, acts as a wildcard that matches every interface whose name begins with
that prefix. For example, -i eth+ applies the rule to eth0, eth1 and any other Ethernet
interface on your system, but not to interfaces such as ppp0.
If -i is omitted altogether, the rule matches packets arriving on any interface.
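The ordering caution above and the -d, -i, -f and -j parameters can be exercised without root or a
running kernel by modelling first-match chain traversal. The following Python script is an added
example, not code from the Red Hat guide or from the iptables project: the Table and Rule classes,
the FRAGS chain, and the 192.168.0.0/24 addresses and interface names are constructed for
illustration, and the model ignores everything netfilter does beyond the commands and parameters
named in this section.

```python
# Toy first-match model of the iptables commands (-A, -I, -R, -N, -X, -P) and
# match parameters (-d, -i, -f, -j) described above.  Constructed for
# illustration; it is not netfilter, and every chain, packet and address below is made up.
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}    # verdicts that end traversal
BUILTIN = ("INPUT", "FORWARD", "OUTPUT")   # filter chains that -X may not delete


class Rule:
    """One rule: optional -d / -i / -f matches plus a -j target."""
    def __init__(self, target, d=None, i=None, f=None):
        self.target = target  # ACCEPT, DROP, REJECT, LOG, RETURN or a user chain
        self.d = d            # "192.168.0.0/24", "192.168.0.0/255.255.255.0", "!10.0.0.0/8"
        self.i = i            # "eth0", "eth+" (prefix wildcard) or "!ppp0"
        self.f = f            # True = fragments only, False = "! -f"

    def matches(self, pkt):
        if self.d is not None:
            neg, net = self.d.startswith("!"), self.d.lstrip("!")
            # ipaddress accepts both the /24 and the /255.255.255.0 netmask forms
            hit = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(net, strict=False)
            if hit == neg:
                return False
        if self.i is not None:
            neg, spec = self.i.startswith("!"), self.i.lstrip("!")
            hit = pkt["iface"].startswith(spec[:-1]) if spec.endswith("+") else pkt["iface"] == spec
            if hit == neg:
                return False
        if self.f is not None and pkt.get("frag", False) != self.f:
            return False
        return True


class Table:
    """A filter table: built-in chains carry a policy, user chains do not."""
    def __init__(self):
        self.chains = {c: [] for c in BUILTIN}
        self.policy = {c: "ACCEPT" for c in BUILTIN}  # iptables' initial policy

    def A(self, chain, rule): self.chains[chain].append(rule)                  # -A: append at end
    def I(self, chain, rule, num=1): self.chains[chain].insert(num - 1, rule)  # -I: rule <num>, default 1
    def R(self, chain, num, rule): self.chains[chain][num - 1] = rule          # -R: replace rule <num>
    def N(self, chain): self.chains[chain] = []                                # -N: empty user chain

    def P(self, chain, policy):  # -P: default policy; only built-in chains have one
        if chain not in BUILTIN:
            raise ValueError("policy can only be set on a built-in chain")
        self.policy[chain] = policy

    def X(self, chain):          # -X: only an empty, unreferenced user chain may go
        referenced = any(r.target == chain for c in self.chains.values() for r in c)
        if chain in BUILTIN or self.chains[chain] or referenced:
            raise ValueError("cannot delete chain " + chain)
        del self.chains[chain]

    def traverse(self, chain, pkt):
        """Walk a chain top to bottom; the first terminal match decides."""
        for r in (r for r in self.chains[chain] if r.matches(pkt)):
            if r.target in TERMINAL:
                return r.target
            if r.target == "RETURN":
                return None                         # back to the calling chain
            if r.target == "LOG":
                continue                            # non-terminating target
            verdict = self.traverse(r.target, pkt)  # -j <user chain>
            if verdict is not None:
                return verdict
        return self.policy.get(chain)  # built-in chain: its policy; user chain: None


def demo():
    """Build an INPUT chain step by step and record the verdict after each command."""
    t, out = Table(), {}
    t.P("INPUT", "DROP")                              # unmatched packets are dropped
    host = {"dst": "192.168.0.10", "iface": "eth0"}   # constructed sample packets
    lan_eth = {"dst": "192.168.0.50", "iface": "eth1"}
    lan_ppp = {"dst": "192.168.0.50", "iface": "ppp0"}
    t.A("INPUT", Rule("ACCEPT", d="192.168.0.0/255.255.255.0", i="eth+"))
    out["lan_eth"], out["lan_ppp"] = t.traverse("INPUT", lan_eth), t.traverse("INPUT", lan_ppp)
    t.A("INPUT", Rule("DROP", d="192.168.0.10"))      # -A: lands after the ACCEPT, never reached
    out["appended_drop"] = t.traverse("INPUT", host)
    t.I("INPUT", Rule("DROP", d="192.168.0.10"))      # -I: becomes rule 1, evaluated first
    out["inserted_drop"] = t.traverse("INPUT", host)
    t.R("INPUT", 1, Rule("LOG", d="192.168.0.10"))    # -R 1: LOG does not stop traversal
    out["after_replace"] = t.traverse("INPUT", host)
    t.N("FRAGS")                                      # user chain: drop fragments, else return
    t.A("FRAGS", Rule("DROP", f=True))
    t.A("FRAGS", Rule("RETURN"))
    t.I("INPUT", Rule("FRAGS"))                       # jump to it before anything else
    out["fragment"] = t.traverse("INPUT", dict(lan_eth, frag=True))
    out["unfragmented"] = t.traverse("INPUT", lan_eth)
    try:
        t.X("INPUT")
        out["delete_builtin"] = "allowed"
    except ValueError:
        out["delete_builtin"] = "refused"
    return out
```

Calling demo() shows the point of the caution directly: the DROP for 192.168.0.10 has no effect
when appended with -A because the earlier ACCEPT for 192.168.0.0/24 already matched, and takes
effect only once it is inserted with -I ahead of that rule. The same traffic over ppp0 is dropped
by the chain policy because -i eth+ does not match it, and the FRAGS chain shows RETURN handing
the packet back to INPUT when no fragment rule matched.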
-j
Tells iptables to jump to a particular target when a packet matches the rule. Valid targets after
-j include the standard targets ACCEPT, DROP, QUEUE, and RETURN, as well as extended targets
available through modules loaded by default with the Red Hat Linux iptables RPM package, such as
LOG, MARK, and REJECT, among others. ACCEPT, DROP and REJECT end traversal for that packet;
LOG does not, so the rules after a LOG rule are still evaluated; RETURN stops traversal of the
current chain and continues in the chain that jumped to it, or applies the default policy if the
current chain is built-in. See the