</FONT>Insert a new rule <BR><FONT color=blue>-R
</FONT>Replace a rule at a certain position
<BR><FONT color=blue>-D</FONT> Delete a rule at
a certain position <BR><BR><BR>For example:
<BR><BR><FONT color=blue>/sbin/iptables -A INPUT
-p tcp -j ACCEPT</FONT> <BR>This rule would
accept all tcp traffic arriving at the host. This is a little too
broad, isn't it? Let's take a look at how we can
specify some other options. <BR><BR>Taking it
one step further: <BR><BR><FONT color=blue>-j
</FONT>Specify the target (--jump) <BR><FONT
color=blue>-i </FONT>Specify the input interface
(--in-interface) <BR><FONT color=blue>-o
</FONT>Specify the output interface
(--out-interface) <BR><FONT color=blue>-p
</FONT>Specify the protocol (--proto) <BR><FONT
color=blue>-s </FONT>Specify the source
(--source) <BR><FONT color=blue>-d
</FONT>Specify the destination (--destination)
<BR><FONT color=blue>! </FONT>Specifies an
inversion (match addresses NOT equal to)
<BR><BR>Now we're talking! Let's try it...
<BR><BR><FONT color=blue>/sbin/iptables -A
FORWARD -s 192.168.1.0/24 -p tcp -j
ACCEPT</FONT> <BR>This rule will allow traffic
to be forwarded, as long as the protocol is
tcp and the source is a machine on the
192.168.1.0/24 subnet. <BR><BR><FONT
color=blue>/sbin/iptables -t nat -A POSTROUTING
-o ppp0 -j MASQUERADE</FONT> <BR>This rule,
coupled with the one above, masquerades your
internal network's traffic as it leaves ppp0,
via NAT (Network Address Translation), so that
you can share your internet connection with the
rest of your network. <BR><BR>Some useful tcp
options (these also work for udp): <BR><FONT
color=blue>--sport </FONT>Filters on the source
port <BR><FONT color=blue>--dport </FONT>Filters
on the destination port <BR><BR>This is handy.
Let's try it out! <BR><BR>This rule would allow
traffic going to the www port (80) to be
forwarded on: <BR><FONT
color=blue>/sbin/iptables -A FORWARD -p tcp
--dport 80 -j ACCEPT</FONT> <BR><BR>Change the
destination address of web traffic arriving on eth0
to 5.6.7.8, port 8080 (destination NAT): <BR><FONT color=blue>/sbin/iptables
-t nat -A PREROUTING -p tcp --dport 80 -i eth0
-j DNAT --to 5.6.7.8:8080
</FONT><BR><BR><BR>--tcp-flags <BR>This allows
you to filter on specific TCP flags. The first
option after "--tcp-flags" specifies which flags
are to be examined (the mask), and the second option
specifies which of those must be set; every other
examined flag must be clear for the rule to match.
<BR><BR>Here is an example of --tcp-flags in
use (it drops packets with only SYN set, i.e. new
incoming connection attempts; the target is DROP,
DENY was the ipchains name): <BR><FONT color=blue>/sbin/iptables -A
INPUT -p tcp --tcp-flags ALL SYN -j DROP
</FONT><BR><BR>Note: The list of possible flags
is as follows: <BR>SYN,ACK,FIN,RST,URG,PSH (ALL and
NONE are accepted as shorthand)
<BR><BR>One of the other nice features is the
ability to use the "! --syn" option. "--syn" matches
packets with SYN set and ACK, RST and FIN clear, so
"! --syn" is equivalent to typing: <BR><FONT
color=blue>! --tcp-flags SYN,RST,ACK,FIN SYN</FONT> <BR><BR>This would be
useful in setting up your firewall to accept
only connections that were initiated internally.
</FONT></P><BR><BR>I hope this
helps!<BR><BR>-Krnlpanic
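<P>Added example, not part of Krnlpanic's tutorial: a POSIX shell function that composes the rules above (default DROP policies, the FORWARD rule for the 192.168.1.0/24 LAN, MASQUERADE on ppp0, and the "! --syn" / --tcp-flags test that accepts only internally initiated TCP connections) into one iptables-restore(8) ruleset. The interface names eth1 (LAN) and ppp0 (WAN) are assumptions; the function only prints the ruleset and applies nothing.</P>

```shell
#!/bin/sh
# Added example, not from the original tutorial. Prints a complete ruleset in
# iptables-restore(8) format built from the rules discussed in the tutorial.
# Assumed (not from the page): LAN side is eth1 with 192.168.1.0/24, WAN is ppp0.
# Nothing is applied; to load it as root run:
#   gateway_ruleset eth1 192.168.1.0/24 ppp0 | iptables-restore

gateway_ruleset() {
    lan_if=$1
    lan_net=$2
    wan_if=$3
    cat <<EOF
*filter
# Default policies: drop everything that no rule below accepts
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# The LAN may talk to the gateway itself
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
# From the WAN, accept TCP only if it is NOT a connection attempt ("! --syn")
-A INPUT -i $wan_if -p tcp ! --syn -j ACCEPT
# Same test spelled out with --tcp-flags: examine SYN,RST,ACK,FIN, match when
# exactly SYN is set, and negate it. Replies to LAN-initiated TCP pass; new
# inbound connection attempts do not.
-A FORWARD -i $wan_if -o $lan_if -p tcp ! --tcp-flags SYN,RST,ACK,FIN SYN -j ACCEPT
# LAN hosts may open anything outbound (the tutorial's FORWARD rule, any protocol)
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the WAN address (the tutorial's MASQUERADE rule)
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Sanity check on the generated text: both tables must end with COMMIT
ruleset_commit_count() {
    gateway_ruleset "$@" | grep -c '^COMMIT$'
}
```

<P>On current kernels the same "replies only" effect is usually expressed with connection tracking (-m conntrack --ctstate ESTABLISHED,RELATED), which also covers UDP and ICMP; the flag test above is exactly what the tutorial's "! --syn" option gives you for TCP.</P>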
<P>
<CENTER><B>To learn more about IPTables,
Masquerading and NAT, buy this book at <A
href="http://www.amazon.com/exec/obidos/ASIN/0595154832/linuxresource-20">Amazon.com</A>.
<BR><BR><A
href="http://www.amazon.com/exec/obidos/ASIN/0595154832/linuxresource-20"><IMG
alt=cover hspace=3
src="How to use IP Tables.files/ipmasq.jpg"
vspace=3 border=0></A> </B><BR>
</CENTER></A></TD><!-- End of news content --></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><!-------------------- start views content -------------------></TD>
<TD vAlign=top width="50%">
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD bgColor=#000000>
<TABLE cellSpacing=2 cellPadding=2 width="100%"
border=0>
<TBODY>
<TR>
<TD bgColor=#8f8f9b><B><FONT color=#ffffff> '
m a n k r n l p a n i c '
</FONT><BIG><FONT color=#f0f8ff>: : </FONT><FONT
color=#e0f0ff>: : </FONT><FONT color=#d0e0f0>: :
</FONT><FONT color=#c0d0e0>: :
</FONT></BIG></B></TD></TR>
<TR>
<TD bgColor=#d3d3df>
<TABLE cellSpacing=2 cellPadding=2 width="100%">
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=2 cellPadding=2 width="100%"
border=0>
<TBODY>
<TR><!-- Start of views content -->
<TD bgColor=#d3d3df><SMALL><B>What in the hell
is a KrnlPanic?</B> Well, a KrnlPanic is me!
Actually, let's start with "What is a kernel?".
The kernel is the core of your operating system
(OS), whether your OS is linux or windows. The
kernel takes care of all process management
(what program runs and when), memory management
(which parts of memory get used for what) and
also, the kernel takes care of interfacing the
OS with your computer's hardware (disk drives,
sound card, modem, network card, etc).
<BR><BR>Now...since the kernel is doing all of
these extremely important jobs, it stands to
reason that if it has an error, it will be a
<FONT color=red>Bad Thing(tm)</FONT>. If you use
windows, you know a kernel panic as a "BSOD" or
Blue Screen of Death. Or how about <FONT
color=red>"Invalid Page Fault in
KERNEL32.DLL"</FONT>. I'm sure you've probably
seen both of those. In Linux, a Kernel Panic is
normally plainly stated so. At boot time is when
you will see most linux panics. I have yet to
see a linux kernel panic while the system is
running. You may have seen <FONT
color=red>"Kernel Panic: init not found"</FONT>
or <FONT color=red>"Kernel Panic: VFS unable to
mount root fs on 2:00"</FONT>. All of these
previously listed errors are because of
something that happened to the kernel that it
couldn't handle, whether it was an access to an
invalid memory location or the inability to find
the initialization files it requires. <BR><BR>I
hope that sufficiently explains things. Oh
yeah...KrnlPanic is also my name ;-) <BR><BR>-
Rick
</SMALL></TD><!-- End of views content --></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><!------------------- End of views content ---------------------------><BR>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD bgColor=#000000>
<TABLE cellSpacing=2 cellPadding=2 width="100%"
border=0>
<TBODY>
<TR>
<TD bgColor=#8f8f9b><B><FONT color=#ffffff> S
l a s h d o t / F r e s h m e a t
</FONT><BIG><FONT color=#f0f8ff>: : </FONT><FONT
color=#e0f0ff>: : </FONT><FONT color=#d0e0f0>: :
</FONT><FONT color=#c0d0e0>: :
</FONT></BIG></B></TD></TR>
<TR>
<TD bgColor=#d3d3df>
<TABLE cellSpacing=2 cellPadding=2>
<TBODY>
<TR><!-- Start of linux help content -->
<TD><B><FONT color=#006666>Slashdot and
Freshmeat Headlines at 1079358584