このコンテンツは選択した言語では利用できません。

18.3.5. Target Options


Once a packet has matched a particular rule, the rule can direct the packet to a number of different targets that decide its fate and, possibly, take additional actions. Each chain has a default target, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target.
The following are the standard targets:
  • <user-defined-chain> — Replace <user-defined-chain> with the name of a user-defined chain within the table. This target passes the packet to the target chain.
  • ACCEPT — Allows the packet to successfully move on to its destination or another chain.
  • DROP — Drops the packet without responding to the requester. The system that sent the packet is not notified of the failure.
  • QUEUE — The packet is queued for handling by a user-space application.
  • RETURN — Stops checking the packet against rules in the current chain. If the packet with a RETURN target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off. If the RETURN rule is used on a built-in chain and the packet cannot move up to its previous chain, the default target for the current chain decides what action to take.
In addition to these standard targets, various other targets may be used with extensions called target modules. For more information about match option modules, refer to Section 18.3.4.4, “Additional Match Option Modules”.
There are many extended target modules, most of which only apply to specific tables or situations. A couple of the most popular target modules included by default in Red Hat Enterprise Linux are:
  • LOG — Logs all packets that match this rule. Since the packets are logged by the kernel, the /etc/syslog.conf file determines where these log entries are written. By default, they are placed in the /var/log/messages file.
    Additional options can be used after the LOG target to specify the way in which logging occurs:
    • --log-level — Sets the priority level of a logging event. A list of priority levels can be found within the syslog.conf man page.
    • --log-ip-options — Logs any options set in the header of a IP packet.
    • --log-prefix — Places a string of up to 29 characters before the log line when it is written. This is useful for writing syslog filters for use in conjunction with packet logging.
    • --log-tcp-options — Logs any options set in the header of a TCP packet.
    • --log-tcp-sequence — Writes the TCP sequence number for the packet in the log.
  • REJECT — Sends an error packet back to the remote system and drops the packet.
    The REJECT target accepts --reject-with <type> (where <type> is the rejection type) allowing more detailed information to be sent back with the error packet. The message port-unreachable is the default <type> error given if no other option is used. For a full list of <type> options, refer to the iptables man page.
Other target extensions, including several that are useful for IP masquerading using the nat table or with packet alteration using the mangle table, can be found in the iptables man page.
Red Hat logoGithubRedditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

© 2024 Red Hat, Inc.