Book: Linux Network Administrator's Guide, Second Edition
Rule specification parameters
A number of ipchains parameters create a rule specification by determining what types of packets match. If any of these parameters is omitted from a rule specification, its default is assumed:
-p [!]protocol
Specifies the protocol of the datagram that will match this rule. Valid protocol names are tcp, udp, icmp, or all. You may also specify a protocol number here to match other protocols; for example, you might use 4 to match the IP-in-IP (ipip) encapsulation protocol. If the ! is supplied, the rule is negated and the datagram will match any protocol other than the one specified. If this parameter isn't supplied, it defaults to all.
-s [!]address[/mask] [!] [port]
Specifies the source address and port of the datagram that will match this rule. The address may be supplied as a hostname, a network name, or an IP address. A name is resolved when the rule is installed and the resulting address is what the kernel stores, so a later change to the name's resolution does not alter the rule. The optional mask is the netmask to use and may be supplied either in the traditional form (e.g., /255.255.255.0) or the modern form (e.g., /24). The optional port specifies the TCP or UDP port, or the ICMP datagram type, that will match. You may supply a port specification only if you've supplied the -p parameter with one of the tcp, udp, or icmp protocols. Ports may be specified as a range by giving the lower and upper limits of the range with a colon as a delimiter; for example, 20:25 describes all of the ports numbered from 20 up to and including 25. Again, the ! character may be used to negate the values, and it may be applied to the address and to the port independently.
-d [!]address[/mask] [!] [port]
Specifies the destination address and port of the datagram that will match this rule. The coding of this parameter is the same as that of the -s parameter.
-j target
Specifies the action to take when this rule matches. You can think of this parameter as meaning "jump to." Valid targets are ACCEPT, DENY, REJECT, REDIR, and RETURN. We described the meanings of each of these targets earlier. However, you may also specify the name of a user-defined chain where processing will continue. If this parameter is omitted, matching datagrams are only counted: the rule's packet and byte counters are updated and the datagram goes on to the next rule in the chain.
-i [!]interface-name
Specifies the interface on which the datagram was received or is to be transmitted. Again, the ! inverts the result of the match. If the interface name ends with +, then any interface whose name begins with the supplied string will match. For example, -i ppp+ would match any PPP network device and -i ! eth+ would match all interfaces except Ethernet devices.
[!] -f
Specifies that this rule applies only to the second and subsequent fragments of a fragmented datagram, that is, to everything but the first fragment. Such fragments carry no TCP/UDP header, so their ports (or ICMP type) cannot be inspected and they will never match a rule that specifies a port; rules with -f are how you decide what to do with them. With the ! supplied (! -f), the rule instead matches only first fragments and unfragmented datagrams.
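The parameter semantics described above (defaults for omitted parameters, ! negation before an option or a value, masks in either form, port ranges, + interface prefixes, the fragment flag and the counters-only behaviour of a rule without -j), as an added example that is not part of the book: a small Python matcher that parses a rule specification string and tests constructed packets against it. Everything here is an assumption of the example rather than something the text states: addresses and ports are numeric only (no host, network or service names), the ipchains shorthand 0/0 is expanded to 0.0.0.0/0, a "packet" is a plain dict built with the hypothetical packet() helper rather than a real datagram, and walk_chain() models a chain walk in which every matching rule is counted and the first match carrying -j decides.

```python
# Matcher for ipchains-style rule specifications (added example, not the book's own code). Assumed:
# numeric IPv4 addresses and ports (no host/network/service names); a "packet" is a dict, not a datagram.
import ipaddress
import shlex

PROTO_NUMBER = {"tcp": 6, "udp": 17, "icmp": 1}   # names ipchains accepts; other protocols go by number


def _proto_number(name):
    """'tcp' -> 6, '4' -> 4 (ipip); an unknown name raises KeyError, as ipchains rejects it."""
    return int(name) if name.isdigit() else PROTO_NUMBER[name.lower()]


def _network(text):
    """Accept 172.16.1.0/24, 172.16.1.0/255.255.255.0 or the shorthand 0/0 (= 0.0.0.0/0)."""
    addr, _, mask = text.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(addr + ("/" + mask if mask else ""), strict=False)


def _take_value(toks, i):
    """Read one value; '!' may be its own token (-p ! tcp) or glued to the value (-p !tcp)."""
    neg = toks[i] == "!"
    val = toks[i + neg]
    if val.startswith("!"):
        neg, val = True, val[1:]
    return neg, val, i + neg + 1


def parse_rule(spec):
    """Parse one rule spec; omitted parameters keep the text's defaults (all protocols, any
    address, port and interface, no fragment test, no target)."""
    rule = dict.fromkeys("proto src sport dst dport iface frag target".split())
    toks, i = shlex.split(spec), 0
    while i < len(toks):
        neg = toks[i] == "!"                    # '!' before the option, as in '! -f'
        opt, i = toks[i + neg], i + neg + 1
        if opt.endswith("!"):                   # the book also writes '-i! eth+'
            neg, opt = True, opt[:-1]
        if opt == "-f":                         # -f: later fragments only; ! -f: head/unfragmented only
            rule["frag"] = not neg
            continue
        vneg, val, i = _take_value(toks, i)
        neg = neg or vneg
        if opt == "-p":
            rule["proto"] = (neg, _proto_number(val))
        elif opt in ("-s", "-d"):
            side = "src" if opt == "-s" else "dst"
            rule[side] = (neg, _network(val))
            j = i + (i < len(toks) and toks[i] == "!")
            if j < len(toks) and not toks[j].startswith("-"):   # optional [!] port, range or ICMP type
                pneg, pval, i = _take_value(toks, i)
                lo, _, hi = pval.partition(":")
                rule["sport" if side == "src" else "dport"] = (pneg, (int(lo), int(hi or lo)))
        elif opt == "-i":
            rule["iface"] = (neg, val)
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"unknown parameter {opt}")
    if (rule["sport"] or rule["dport"]) and not (
            rule["proto"] and not rule["proto"][0] and rule["proto"][1] in (6, 17, 1)):
        raise ValueError("a port may only be given together with -p tcp, udp or icmp")
    return rule


def packet(proto, src, dst, iface, sport=None, dport=None, frag=False):
    """Constructed datagram summary; for ICMP the type goes in sport, frag=True means a later fragment."""
    return dict(proto=_proto_number(proto), src=src, dst=dst, iface=iface,
                sport=sport, dport=dport, frag=frag)


def _test(pair, predicate):
    """Apply a (negated, value) parameter; a parameter that was not given matches everything."""
    return True if pair is None else predicate(pair[1]) != pair[0]


def matches(rule, pkt):
    if rule["frag"] is not None and rule["frag"] != pkt["frag"]:
        return False
    if pkt["frag"] and (rule["sport"] or rule["dport"]):    # later fragments carry no transport header
        return False
    return (_test(rule["proto"], lambda p: pkt["proto"] == p)
            and _test(rule["src"], lambda n: ipaddress.ip_address(pkt["src"]) in n)
            and _test(rule["dst"], lambda n: ipaddress.ip_address(pkt["dst"]) in n)
            and _test(rule["iface"], lambda pat: pkt["iface"].startswith(pat[:-1])
                      if pat.endswith("+") else pkt["iface"] == pat)
            and _test(rule["sport"], lambda r: pkt["sport"] is not None and r[0] <= pkt["sport"] <= r[1])
            and _test(rule["dport"], lambda r: pkt["dport"] is not None and r[0] <= pkt["dport"] <= r[1]))


def walk_chain(rules, pkt):
    """Every matching rule counts the packet; the first match that carries -j decides (None: policy)."""
    hits = [0] * len(rules)
    for n, rule in enumerate(rules):
        if matches(rule, pkt):
            hits[n] += 1
            if rule["target"] is not None:
                return rule["target"], hits
    return None, hits
```

Two behaviours worth noticing when you run it: parse_rule("-s 0/0 25") is rejected because a port was given without -p tcp, udp or icmp, and a constructed later fragment (packet(..., frag=True)) never matches a rule that names a port, however the port is written, so a chain that accepts SMTP by destination port still needs an explicit -f rule to decide what happens to the remaining fragments.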