Questo contenuto non è disponibile nella lingua selezionata.

48.9.3.3. IPTables Parameter Options


Certain iptables commands, including those used to add, append, delete, insert, or replace rules within a particular chain, require various parameters to construct a packet filtering rule.
  • -c — Resets the counters for a particular rule. This parameter accepts the PKTS and BYTES options to specify which counter to reset.
  • -d — Sets the destination hostname, IP address, or network of a packet that matches the rule. When matching a network, the following IP address/netmask formats are supported:
    • N.N.N.N/M.M.M.M — Where N.N.N.N is the IP address range and M.M.M.M is the netmask.
    • N.N.N.N/M — Where N.N.N.N is the IP address range and M is the bitmask.
  • -f — Applies this rule only to fragmented packets.
    You can use the exclamation point character (!) option after this parameter to specify that only unfragmented packets are matched.

    Note

    Distinguishing between fragmented and unfragmented packets is desirable, despite fragmented packets being a standard part of the IP protocol.
    Originally designed to allow IP packets to travel over networks with differing frame sizes, these days fragmentation is more commonly used to generate DoS attacks using mal-formed packets. It's also worth noting that IPv6 disallows fragmentation entirely.
  • -i — Sets the incoming network interface, such as eth0 or ppp0. With iptables, this optional parameter may only be used with the INPUT and FORWARD chains when used with the filter table and the PREROUTING chain with the nat and mangle tables.
    This parameter also supports the following special options:
    • Exclamation point character (!) — Reverses the directive, meaning any specified interfaces are excluded from this rule.
    • Plus character (+) — A wildcard character used to match all interfaces that match the specified string. For example, the parameter -i eth+ would apply this rule to any Ethernet interfaces but exclude any other interfaces, such as ppp0.
    If the -i parameter is used but no interface is specified, then every interface is affected by the rule.
  • -j — Jumps to the specified target when a packet matches a particular rule.
    The standard targets are ACCEPT, DROP, QUEUE, and RETURN.
    Extended options are also available through modules loaded by default with the Red Hat Enterprise Linux iptables RPM package. Valid targets in these modules include LOG, MARK, and REJECT, among others. Refer to the iptables man page for more information about these and other targets.
    This option can also be used to direct a packet matching a particular rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet.
    If no target is specified, the packet moves past the rule with no action taken. The counter for this rule, however, increases by one.
  • -o — Sets the outgoing network interface for a rule. This option is only valid for the OUTPUT and FORWARD chains in the filter table, and the POSTROUTING chain in the nat and mangle tables. This parameter accepts the same options as the incoming network interface parameter (-i).
  • -p <protocol> — Sets the IP protocol affected by the rule. This can be either icmp, tcp, udp, or all, or it can be a numeric value, representing one of these or a different protocol. You can also use any protocols listed in the /etc/protocols file.
    The "all" protocol means the rule applies to every supported protocol. If no protocol is listed with this rule, it defaults to "all".
  • -s — Sets the source for a particular packet using the same syntax as the destination (-d) parameter.
Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.