Book: Linux Network Administrator Guide, Second Edition

Rule specification parameters

There are a number of iptables parameters that together constitute a rule specification. Wherever a rule specification is required, each of these parameters may be supplied; any parameter that is omitted takes its default.

-p [!]protocol

Specifies the protocol of the datagram that will match this rule. Valid protocol names are tcp, udp, and icmp; a number is also accepted if you know the IP protocol number.[64] For example, you might use 4 to match the ipip encapsulation protocol. If the ! character is supplied, the match is negated and the datagram will match any protocol other than the specified one. If this parameter isn't supplied, the rule matches all protocols, so a rule that is meant to apply only to TCP or UDP must name the protocol explicitly.

-s [!]address[/mask]

Specifies the source address of the datagram that will match this rule. The address may be supplied as a hostname, a network name, or an IP address. The optional mask is the netmask to use and may be supplied either in the traditional form (e.g., /255.255.255.0) or in the modern form (e.g., /24). Note that a hostname is resolved once, when the rule is loaded, not when datagrams are matched; if the name resolves to several addresses, one rule is installed per address. For a firewall it is safer to use numeric addresses, so that the ruleset does not depend on DNS answers.

-d [!]address[/mask]

Specifies the destination address of the datagram that will match this rule. The coding of this parameter is the same as that of the -s parameter.

-j target

Specifies what action to take when this rule matches. You can think of this parameter as meaning "jump to." Valid targets are ACCEPT, DROP, QUEUE, and RETURN. We described the meanings of each of these previously in the "Commands" section. You may also specify the name of a user-defined chain, where processing will continue and from which a RETURN (or the end of the chain) brings the datagram back to the rule following the jump. You may also supply the name of a target supplied by an extension. We'll talk about extensions shortly. If this parameter is omitted, no action is taken on matching datagrams at all, other than to update the datagram and byte counters of this rule; such counter-only rules are useful for accounting.

-i [!]interface-name

Specifies the interface on which the datagram was received. Again, the ! inverts the result of the match. If the interface name ends with "+", then any interface whose name begins with the supplied string will match. For example, -i ppp+ would match any PPP network device, and -i ! eth+ would match all interfaces except Ethernet devices. Because only datagrams that have been received have an input interface, this parameter is valid only in the INPUT, FORWARD, and PREROUTING chains.

-o [!]interface-name

Specifies the interface on which the datagram is to be transmitted. This argument has the same coding as the -i argument, and is valid only in the FORWARD, OUTPUT, and POSTROUTING chains.

[!] -f

Specifies that this rule applies only to the second and later fragments of a fragmented datagram, not to the first fragment. Only the first fragment carries the TCP, UDP, or ICMP header, so later fragments cannot be matched by rules that specify ports or ICMP types; this is why a rule such as -f -j DROP is sometimes used to discard them outright. Note that when connection tracking is in use, datagrams are reassembled before they reach the filtering chains, and -f then has nothing left to match.
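To make the semantics of these parameters concrete, the following is an added example, not code from the book: a small Python evaluator that parses rule specifications written with -p, -s, -d, -j, -i, -o and -f (with ! in either the older "-p ! tcp" or the newer "! -p tcp" position), matches them against constructed datagram descriptions, and walks a built-in chain with a policy and a user-defined chain with RETURN. It never talks to the kernel, and by assumption it accepts only numeric addresses (no hostname resolution); the ruleset in build_demo, its addresses and interface names are made up for illustration.

```python
# Added example: toy evaluator for iptables rule-specification parameters.
# Not the book's code; assumes numeric addresses only (no hostname lookup).
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional

PROTO = {"tcp": 6, "udp": 17, "icmp": 1}   # names the text lists; a bare number is also accepted

@dataclass
class Packet:   # constructed description of one datagram, not a real capture
    proto: int
    src: str
    dst: str
    in_if: str = ""
    out_if: str = ""
    frag_offset: int = 0   # > 0 means a second or later fragment

@dataclass
class Rule:
    crit: dict = field(default_factory=dict)   # option -> (negated, value); absent = match all
    target: Optional[str] = None               # None: no -j given, the rule only counts
    packets: int = 0
    bytes: int = 0

def parse_rule(spec: str) -> Rule:
    """Parse e.g. '-p tcp -s 10.0.0.0/255.0.0.0 ! -i eth+ -j DROP'.  Both the old
    '-p ! tcp' placement and the newer '! -p tcp' placement of ! are accepted."""
    rule, toks, i, neg = Rule(), shlex.split(spec), 0, False
    while i < len(toks):
        opt, i = toks[i], i + 1
        if opt == "!":
            neg = True
            continue
        if opt == "-f":                              # the only flag without a value
            rule.crit["-f"], neg = (neg, True), False
            continue
        val, i = toks[i], i + 1
        if val == "!":
            neg, val, i = True, toks[i], i + 1
        if opt == "-p":
            val = PROTO[val.lower()] if val.lower() in PROTO else int(val)
        elif opt in ("-s", "-d"):                    # '/24' and '/255.255.255.0' both work here
            val = ipaddress.ip_network(val, strict=False)
        elif opt == "-j":
            if neg:
                raise ValueError("-j cannot be negated")
            rule.target, neg = val, False
            continue
        elif opt not in ("-i", "-o"):
            raise ValueError(f"unsupported option {opt}")
        rule.crit[opt], neg = (neg, val), False
    return rule

def _iface(pattern: str, name: str) -> bool:   # trailing '+' is a prefix wildcard
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern

CHECK = {
    "-p": lambda v, p: p.proto == v,
    "-s": lambda v, p: ipaddress.ip_address(p.src) in v,
    "-d": lambda v, p: ipaddress.ip_address(p.dst) in v,
    "-i": lambda v, p: _iface(v, p.in_if),
    "-o": lambda v, p: _iface(v, p.out_if),
    "-f": lambda v, p: p.frag_offset > 0,
}

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every supplied criterion must hold after negation; an omitted one matches all."""
    return all(CHECK[opt](val, pkt) != neg for opt, (neg, val) in rule.crit.items())

def verdict(fw: dict, chain: str, pkt: Packet, size: int = 64) -> Optional[str]:
    """Walk a chain; fw maps chain name -> (rules, policy), policy None for user chains."""
    rules, policy = fw[chain]
    for rule in rules:
        if not matches(rule, pkt):
            continue
        rule.packets, rule.bytes = rule.packets + 1, rule.bytes + size
        if rule.target is None:                    # count-only rule, keep walking
            continue
        if rule.target == "RETURN":
            return policy
        if rule.target in fw:                      # jump into a user-defined chain
            v = verdict(fw, rule.target, pkt, size)
            if v is not None:
                return v
            continue                               # user chain returned: resume after the jump
        return rule.target                         # ACCEPT, DROP, QUEUE or an extension target
    return policy                                  # fell off the end of the chain

def build_demo() -> dict:
    """Constructed ruleset exercising each parameter (made-up addresses and interfaces)."""
    inp = [
        "! -i eth+ -p tcp",                        # no -j: only counts TCP not arriving on ethernet
        "-f -j DROP",                              # second and later fragments
        "-i ppp+ -s 10.0.0.0/255.0.0.0 -j DROP",   # private source address on any PPP link
        "-i eth0 -s 192.168.1.0/24 -j lan",        # hand LAN traffic to the user-defined chain
        "-p 4 -j DROP",                            # IP protocol 4, ipip encapsulation
    ]
    lan = ["-p ! tcp -j ACCEPT", "-p tcp -d 192.168.1.1 -j ACCEPT", "-j RETURN"]
    return {"INPUT": ([parse_rule(s) for s in inp], "DROP"),
            "lan": ([parse_rule(s) for s in lan], None)}
```

Calling verdict(build_demo(), "INPUT", Packet(6, "192.168.1.5", "192.168.1.1", in_if="eth0")) yields ACCEPT via the lan chain, while the same TCP datagram to 192.168.1.9 falls through the RETURN and ends at the INPUT policy of DROP. A TCP datagram from 10.1.2.3 on ppp0 increments the counter of the first, target-less rule before the third rule drops it, which is the accounting behaviour the text describes for a rule without -j.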
