18.3.4.4. Additional Match Option Modules

Additional match options are also available through modules loaded by the iptables command. To use a match option module, load the module by name using the -m option, such as -m <module-name> (replacing <module-name> with the name of the module).
A large number of modules are available by default. It is even possible to create modules that provide additional functionality.
The following is a partial list of the most commonly used modules:
  • limit module — Places limits on how many packets are matched to a particular rule. This is especially beneficial when used in conjunction with the LOG target as it can prevent a flood of matching packets from filling up the system log with repetitive messages or using up system resources. Refer to Section 18.3.5, “Target Options” for more information about the LOG target.
    The limit module enables the following options:
    • --limit — Sets the number of matches for a particular range of time, specified with a number and time modifier arranged in a <number>/<time> format. For example, using --limit 5/hour only lets a rule match 5 times in a single hour.
      If a number and time modifier are not used, the default value of 3/hour is assumed.
    • --limit-burst — Sets a limit on the number of packets able to match a rule at one time. This option should be used in conjunction with the --limit option, and it accepts a number to set the burst threshold.
      If no number is specified, only five packets are initially able to match the rule.
  • state module — Enables state matching.
    The state module enables the following options:
    • --state — Matches a packet with the following connection states:
      • ESTABLISHED — The matching packet is associated with other packets in an established connection.
      • INVALID — The matching packet cannot be tied to a known connection.
      • NEW — The matching packet is either creating a new connection or is part of a two-way connection not previously seen.
      • RELATED — The matching packet is starting a new connection related in some way to an existing connection.
      These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.
  • mac module — Enables hardware MAC address matching.
    The mac module enables the following option:
    • --mac-source — Matches a MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point character (!) after the --mac-source match option.
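The interaction between --limit and --limit-burst is easiest to see on a concrete packet stream. The following POSIX shell script is an added example, not code from the Red Hat page: it models the limit module as a token bucket (credits measured in seconds, the bucket starting full at burst matches' worth and refilling with elapsed time), and runs a constructed stream of ten packet arrival times through it once with --limit 5/hour --limit-burst 5 and once with the defaults of 3/hour and a burst of 5. The rounding details of the kernel implementation are simplified away.

```shell
#!/bin/sh
# Added example: a simplified token-bucket model of the iptables limit module.
# It is not the kernel code; credits are counted in whole seconds.

# limit_matches RATE_PER_HOUR BURST "T1 T2 ..."
# Prints how many of the packets (arrival times in seconds, ascending) the
# rule would match.
limit_matches() {
    rate=$1; burst=$2; times=$3
    interval=$((3600 / rate))          # seconds of credit one match costs
    cap=$((burst * interval))          # bucket size: "burst" matches' worth
    credit=$cap                        # the bucket starts full
    prev=0; matched=0
    for t in $times; do
        credit=$((credit + t - prev))  # credit accrues with elapsed time
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        prev=$t
        if [ "$credit" -ge "$interval" ]; then
            credit=$((credit - interval))
            matched=$((matched + 1))
        fi
    done
    echo "$matched"
}

# Constructed sample: eight packets in the first second (a burst), then one
# packet 12 minutes later and one a second after that.
SAMPLE="0 0 0 0 0 0 0 0 720 721"

# --limit 5/hour --limit-burst 5: the first five match, the next three are
# refused, and the packet at 720 s matches because one credit (3600/5 s)
# has accrued. Result: 6
echo "5/hour, burst 5: $(limit_matches 5 5 "$SAMPLE") of 10 packets matched"

# Default 3/hour, burst 5: a credit costs 1200 s, so nothing has been
# earned back by 720 s. Result: 5
echo "3/hour, burst 5: $(limit_matches 3 5 "$SAMPLE") of 10 packets matched"
```

The point worth taking from the model: --limit-burst sets how many packets can match back to back before --limit starts to govern, and --limit sets how quickly that allowance is earned back. A LOG rule with a low burst and a low rate therefore survives a flood with a bounded number of log lines.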
To view other match options available through modules, refer to the iptables man page.
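The three modules above are normally combined in one rule set. The following script is an added example, not from the Red Hat page: it builds a small INPUT-chain policy that accepts established and related traffic, drops packets the connection tracker cannot classify, admits new SSH connections only from one trusted hardware address, and logs other new connection attempts through a rate-limited LOG rule. The interface name and the management host's MAC address are constructed placeholders. With DRY_RUN=1 (the default here) the iptables commands are printed for review instead of executed, so the script can be inspected without root; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example: INPUT-chain rules using the limit, state and mac modules.
# DRY_RUN=1 prints the commands; DRY_RUN=0 runs iptables (requires root).

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-1}
LAN_IF=${LAN_IF:-eth0}                       # assumed interface name
ADMIN_MAC=${ADMIN_MAC:-00:11:22:33:44:55}    # constructed sample MAC address

# run ARGS... : print or execute one iptables invocation.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s' "$IPTABLES"
        printf ' %s' "$@"
        printf '\n'
    else
        "$IPTABLES" "$@"
    fi
}

apply_rules() {
    # Replies to connections this host opened, and traffic related to them
    # (for example FTP data channels), are accepted; packets the tracker
    # cannot tie to any connection are dropped outright.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP

    # New SSH connections on the LAN interface are accepted only when the
    # frame came from the management host's NIC. Note that a MAC address can
    # be spoofed on the local segment, so this is a convenience filter, not
    # authentication.
    run -A INPUT -i "$LAN_IF" -p tcp --dport 22 \
        -m mac --mac-source "$ADMIN_MAC" -m state --state NEW -j ACCEPT

    # Remaining new connection attempts are logged and dropped. The limit
    # module caps the LOG rule at an initial burst of 10 lines, then 5 per
    # minute, so a scan or flood cannot fill the system log.
    run -A INPUT -m state --state NEW \
        -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "iptables-new:"
    run -A INPUT -m state --state NEW -j DROP
}

apply_rules
```

Ordering matters here: the limit match is placed before the LOG target on the same rule, so packets that exceed the limit simply fall through to the following DROP rule without being logged, instead of the DROP being rate-limited as well.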
© 2024 Red Hat, Inc.