Chapter 14. Firewalling with iptables

.3.7.

  -N
      Creates a new chain with a user-specified name.

  -P
      Sets the default policy for a particular chain, so that when packets traverse an entire chain without matching a rule, they are sent on to a particular target, such as ACCEPT or DROP.

  -R
      Replaces a rule in a particular chain. You must give the rule's number after the chain's name to replace that rule. The first rule in a chain is rule number 1.

  -X
      Deletes a user-specified chain. Deleting a built-in chain for any table is not allowed.

  -Z
      Zeros the byte and packet counters in all chains for a particular table.

14.3.4. Parameters

Once certain iptables commands are specified, including those used to add, append, delete, insert, or replace rules within a particular chain, parameters are required to begin the construction of the packet filtering rule.

  -c
      Resets the counters for a particular rule. This parameter accepts the PKTS and BYTES options to specify which counter to reset.

  -d
      Sets the destination hostname, IP address, or network of a packet that will match the rule. When matching a network, you can use either of two notations for the netmask, such as 192.168.0/255.255.255.0 or 192.168.0/24.

  -f
      Applies this rule only to fragmented packets. By using the ! option after this parameter, only unfragmented packets are matched.

  -i
      Sets the incoming network interface, such as eth0 or ppp0, to use with a particular rule. With iptables, this optional parameter may only be used with the INPUT and FORWARD chains of the filter table and the PREROUTING chain of the nat and mangle tables. This parameter features several useful options that may be used before specifying the name of an interface:

      !
          Tells this parameter not to match, meaning that any specified interfaces are specifically excluded from this rule.

      +
          A wildcard character used to match all interfaces whose names begin with a particular string. For example, the parameter -i eth+ would apply this rule to any Ethernet interface on your system but exclude any other interfaces, such as ppp0.

      If the -i parameter is used but no interface is specified, then every interface is affected by the rule.

  -j
      Tells iptables to jump to a particular target when a packet matches a particular rule. Valid targets to be used after the -j option include the standard options ACCEPT, DROP, QUEUE, and RETURN, as well as extended options that are available through modules loaded by default with the Red Hat Linux iptables RPM package, such as LOG, MARK, and REJECT, among others. See the iptables man page for more information on these and other targets, including rules regarding their use.

      You may also direct a packet matching this rule to a user-defined chain outside of the current chain. This allows you to apply other rules against this packet, further filtering it with more specific criteria.

      If no target is specified, the packet moves past the rule with no action taken. However, the counter for this rule is still increased by 1, as the packet matched the specified rule.

  -o
      Sets the outgoing network interface for a particular rule, and may only be used with the OUTPUT and FORWARD chains in the filter table and the POSTROUTING chain in the nat and mangle tables. This parameter's options are the same as those of the incoming network interface parameter (-i).

  -p
      Sets the IP protocol for the rule, which can be icmp, tcp, udp, or all (to match every supported protocol). In addition, lesser-used protocols listed in /etc/protocols can also be used. If this option is omitted when creating a rule, all is the default.
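The chain mechanics described under -N, -P, -X, -Z and -j (a rule with no target only bumps its counter, a jump into a user-defined chain falls back to the calling chain on RETURN or at the end of that chain, and a built-in chain's policy decides when nothing else does) can be exercised without root or a kernel. The following toy model is an added example and is not Red Hat's or the iptables project's code; the Table, Rule and Chain classes, the matcher helpers (on_iface, from_net, tcp_dport) and the sample packets are all constructed for illustration, and only the filter table's three built-in chains are modelled.

```python
"""Toy model of how iptables walks a chain: per-rule counters, -j jumps into a
user-defined chain, RETURN, and the -P default policy of a built-in chain.
Added example, not Red Hat's or the iptables project's code; every name here
is constructed for illustration. The real filtering is done in the kernel.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]                       # e.g. {"iface": "eth0", "proto": "tcp", "dport": 22, "src": "10.1.2.3"}
BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")  # the filter table's built-in chains
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end the walk

@dataclass
class Rule:
    match: Callable[[Packet], bool]   # predicate built from parameters such as -i, -s, -p
    target: Optional[str] = None      # -j target; None means no target (the rule only counts)
    pkts: int = 0                     # packet counter, what -Z resets

@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None      # -P policy; only built-in chains have one

class Table:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {n: Chain(n, policy="ACCEPT") for n in BUILTIN_CHAINS}

    def new_chain(self, name: str) -> None:                       # -N
        if name in self.chains:
            raise ValueError(f"chain {name} already exists")
        self.chains[name] = Chain(name)

    def delete_chain(self, name: str) -> None:                    # -X
        if name in BUILTIN_CHAINS:
            raise ValueError("built-in chains cannot be deleted")
        del self.chains[name]

    def set_policy(self, name: str, policy: str) -> None:         # -P
        if name not in BUILTIN_CHAINS:
            raise ValueError("a policy can only be set on a built-in chain")
        self.chains[name].policy = policy

    def append(self, name: str, rule: Rule) -> None:              # -A
        self.chains[name].rules.append(rule)

    def zero_counters(self) -> None:                              # -Z
        for chain in self.chains.values():
            for rule in chain.rules:
                rule.pkts = 0

    def verdict(self, chain_name: str, pkt: Packet) -> str:
        """Final verdict for a packet entering one of the built-in chains."""
        v = self._walk(chain_name, pkt)
        # RETURN from, or falling off the end of, a built-in chain applies its policy
        return self.chains[chain_name].policy if v == "RETURN" else v

    def _walk(self, chain_name: str, pkt: Packet) -> str:
        chain = self.chains[chain_name]
        for rule in chain.rules:
            if not rule.match(pkt):
                continue
            rule.pkts += 1                          # counted even when the rule has no -j
            if rule.target is None:
                continue                            # no target: move past the rule
            if rule.target in TERMINAL_TARGETS or rule.target == "RETURN":
                return rule.target
            sub = self._walk(rule.target, pkt)      # jump into the user-defined chain
            if sub != "RETURN":
                return sub                          # the sub-chain decided; else keep walking
        return chain.policy if chain.policy is not None else "RETURN"

def on_iface(name: str) -> Callable[[Packet], bool]:    # -i eth+ ; a trailing + is the wildcard
    if name.endswith("+"):
        return lambda p: str(p["iface"]).startswith(name[:-1])
    return lambda p: p["iface"] == name

def from_net(cidr: str) -> Callable[[Packet], bool]:    # -s 10.0.0.0/8
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(str(p["src"])) in net

def tcp_dport(port: int) -> Callable[[Packet], bool]:   # -p tcp --dport 22
    return lambda p: p["proto"] == "tcp" and p["dport"] == port

def both(*preds: Callable[[Packet], bool]) -> Callable[[Packet], bool]:
    return lambda p: all(f(p) for f in preds)

def build_demo_table() -> Table:
    """Constructed ruleset; the comments give the iptables commands it models."""
    t = Table()
    t.set_policy("INPUT", "DROP")                                   # -P INPUT DROP
    t.new_chain("ssh-check")                                        # -N ssh-check
    t.append("INPUT", Rule(both(on_iface("eth+"), tcp_dport(22)), "ssh-check"))  # -A INPUT -i eth+ -p tcp --dport 22 -j ssh-check
    t.append("INPUT", Rule(tcp_dport(80), "ACCEPT"))                # -A INPUT -p tcp --dport 80 -j ACCEPT
    t.append("ssh-check", Rule(from_net("10.0.0.0/8"), "ACCEPT"))   # -A ssh-check -s 10.0.0.0/8 -j ACCEPT
    t.append("ssh-check", Rule(from_net("0.0.0.0/0")))              # -A ssh-check -s 0.0.0.0/0  (no -j: counts only)
    return t

if __name__ == "__main__":
    table = build_demo_table()
    for src in ("10.1.2.3", "203.0.113.5"):
        pkt = {"iface": "eth0", "proto": "tcp", "dport": 22, "src": src}
        print(src, "->", table.verdict("INPUT", pkt))
    print("ssh-check rule 2 count:", table.chains["ssh-check"].rules[1].pkts)
```

Walking the two SSH packets through INPUT shows the point the text makes about RETURN and policies: the 10.1.2.3 packet is accepted inside ssh-check, while the 203.0.113.5 packet only hits the target-less counting rule, falls off the end of the user chain, returns to INPUT, matches nothing else and is dropped by the INPUT policy. The counting rule's packet counter still advances for it, which is why a rule without -j is a cheap way to measure traffic before deciding on a verdict.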
  -s
      Sets the source for a particular packet, using the same syntax as the destination (-d) parameter.

14.3.5. Match Options

Different network protocols provide specialized matching options which may be set in specific ways to match a particular packet using that protocol. Of course, the protocol must first be specified in the iptables command, such as with -p <protocol-name> (for example, -p tcp), to make the options for that protocol available.

14.3.5.1. TCP Protocol

These match options are available for the TCP protocol (-p tcp):

  --dport
      Sets the destination port for the packet. You can use either a network service name (such as www or smtp), a port number, or a range of port numbers to configure this option. To browse the names and aliases of network services and the port numbers they use, view the /etc/services file. You can also use --destination-port to specify this match option.

      To specify a range of port numbers, separate the two numbers with a colon (:), such as -p tcp --dport 3000:3200. The largest valid range is 0:65535.

      You may also use an exclamation point character (!) as a flag after the --dport option to tell iptables to match all packets which do not use that network service or port.

  --sport
      Sets the source port of the packet, using the same options as --dport. You can also use --source-port to specify this match option.

  --syn
      Applies to all TCP packets designed to initiate communication, commonly called SYN packets. Any packets that carry a data payload are not touched. Placing an exclamation point character (!) as a flag after the --syn option causes all non-SYN packets to be matched.

  --tcp-flags
      Allows TCP packets with specific bits, or flags, set to be matched with a rule. The --tcp-flags match option accepts two parameters after it, which are flags for the various bits arranged in a comma-separated list. The first parameter is the mask, which sets the flags to be examined on the packet. The second parameter refers to the flags that must be set in the packet to make a match. The possible flags are ACK, FIN, PSH, RST, SYN, and URG. In addition, ALL and NONE can also be used to match every flag or none of them.

      For example, an iptables rule which contains -p tcp --tcp-flags ACK,FIN,SYN SYN will only match TCP packets that have the SYN flag set and the ACK and FIN flags unset.

      Like many other options, using the exclamation point character (!) after --tcp-flags reverses the effect of the match option, so that the second parameter's flags must not be set in order to match.

  --tcp-option
      Attempts to match TCP-specific options that can be set within a particular packet. This match option can also be reversed with the exclamation point character (!).

14.3.5.2. UDP Protocol

These match options are available for the UDP protocol (-p udp):

  --dport
      Specifies the destination port of the UDP packet, using the service name, port number, or range of port numbers. The --destination-port match option may be used instead of --dport. See the --dport match option in Section 14.3.5.1 for various ways to use this option.

  --sport
      Specifies the source port of the UDP packet, using the service name, port number, or range of port numbers. The --source-port match option may be used instead of --sport. See the --dport match option in Section 14.3.5.1 for various ways to use this option.

14.3.5.3.
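The mask/compare semantics of --tcp-flags, the port-range and service-name forms of --dport and --sport, and the ! inversion are easy to get backwards when writing rules, so it helps to evaluate them against a few hand-made packets. The following is an added example and not Red Hat's or the iptables project's code; the SERVICES dictionary is a constructed stand-in for /etc/services, TcpPacket and the match_* and rule_matches helpers are this example's own names, and --syn is implemented as the equivalent --tcp-flags SYN,RST,ACK,FIN SYN given in the iptables man page.

```python
"""Evaluates the TCP match options above (--dport/--sport with service names,
port ranges and ! inversion, --syn, --tcp-flags MASK COMP) against constructed
packets. Added example, not Red Hat's or the iptables project's code; SERVICES
is a constructed stand-in for /etc/services and all function names are this
example's own.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

SERVICES = {"www": 80, "http": 80, "smtp": 25, "ssh": 22, "domain": 53}  # constructed subset
TCP_FLAGS = frozenset({"ACK", "FIN", "PSH", "RST", "SYN", "URG"})
MAX_PORT = 65535

def resolve_port(token: str) -> int:
    """A port number, or a service name looked up in the (stand-in) services table."""
    if token.isdigit():
        port = int(token)
    elif token in SERVICES:
        port = SERVICES[token]
    else:
        raise ValueError(f"unknown service or port: {token!r}")
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port out of range: {port}")
    return port

def parse_port_spec(spec: str) -> Tuple[int, int]:
    """'www', '3000' or 'lo:hi' -> inclusive (lo, hi); the largest range is 0:65535."""
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo, hi = resolve_port(lo_s), resolve_port(hi_s)
    else:
        lo = hi = resolve_port(spec)
    if lo > hi:
        raise ValueError(f"inverted range: {spec}")
    return lo, hi

def parse_flag_list(spec: str) -> FrozenSet[str]:
    """Comma-separated flag names; ALL and NONE are the two shorthands."""
    spec = spec.upper()
    if spec == "ALL":
        return TCP_FLAGS
    if spec == "NONE":
        return frozenset()
    flags = frozenset(spec.split(","))
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags

@dataclass(frozen=True)
class TcpPacket:
    sport: int
    dport: int
    flags: FrozenSet[str]

def match_port(port: int, spec: str, negate: bool = False) -> bool:
    """--dport / --sport: in-range test, inverted when ! is given."""
    lo, hi = parse_port_spec(spec)
    return (lo <= port <= hi) != negate

def match_tcp_flags(flags: FrozenSet[str], mask: str, comp: str, negate: bool = False) -> bool:
    """--tcp-flags MASK COMP: look only at the MASK bits and require exactly COMP among them.
    Flags outside the mask (e.g. PSH for mask ACK,FIN,SYN) are ignored."""
    masked = flags & parse_flag_list(mask)
    return (masked == parse_flag_list(comp)) != negate

def match_syn(flags: FrozenSet[str], negate: bool = False) -> bool:
    """--syn: SYN set with ACK, RST and FIN clear (the man page's SYN,RST,ACK,FIN SYN)."""
    return match_tcp_flags(flags, "SYN,RST,ACK,FIN", "SYN", negate)

def rule_matches(pkt: TcpPacket, dport: Optional[str] = None, sport: Optional[str] = None,
                 syn: Optional[bool] = None, tcp_flags: Optional[Tuple[str, str]] = None,
                 negate_dport: bool = False, negate_sport: bool = False,
                 negate_flags: bool = False) -> bool:
    """Every match option given must hold, as on one iptables rule line.
    syn=True models --syn, syn=False models the inverted form (non-SYN packets)."""
    if dport is not None and not match_port(pkt.dport, dport, negate_dport):
        return False
    if sport is not None and not match_port(pkt.sport, sport, negate_sport):
        return False
    if syn is not None and not match_syn(pkt.flags, negate=not syn):
        return False
    if tcp_flags is not None and not match_tcp_flags(pkt.flags, *tcp_flags, negate_flags):
        return False
    return True

if __name__ == "__main__":
    handshake = TcpPacket(sport=40000, dport=80, flags=frozenset({"SYN"}))   # constructed
    data = TcpPacket(sport=40000, dport=80, flags=frozenset({"ACK", "PSH"}))  # constructed
    # -p tcp --dport www --syn
    print("handshake:", rule_matches(handshake, dport="www", syn=True))
    print("data segment:", rule_matches(data, dport="www", syn=True))
```

The text's own example, --tcp-flags ACK,FIN,SYN SYN, is the case to check first: a packet with only SYN matches, a SYN+ACK does not, and a SYN+PSH still matches because PSH is outside the mask and is therefore never examined. That last case is the one people miss when they read the second parameter as "the complete flag set of the packet" rather than "the required state of the masked bits".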