Iptables瞎乱记 (iptables scratch notes)
From 三线的随记
Latest revision as of 18:02, 14 December 2019 (Saturday)
Tables and chains
The 4 default tables (iptables also has a fifth, security, used for MAC/SELinux rules; it is rarely touched):
- nat
- filter
- mangle
- raw
REJECT (valid only in the INPUT, FORWARD and OUTPUT chains and user-defined chains called from them; the packet is discarded and an error is sent back; the default when --reject-with is omitted is icmp-port-unreachable)
--reject-with tcp-reset (valid only with -p tcp; the peer receives a RST, so the port looks closed, which reveals the least about the filter)
--reject-with icmp-host-prohibited (ICMP "administratively prohibited"; tells the peer a filter is in place)
DROP (silently discard; the peer gets no answer and waits for a timeout, which is why scanners report such ports as "filtered")
Destination-rewriting targets (excerpts from iptables-extensions(8))
DNAT
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following option:
--to-destination [ipaddr[-ipaddr]][:port[-port]]
This can specify a single new destination IP address or an inclusive range of IP addresses, and optionally a port range if the rule also specifies one of the following protocols: tcp, udp, dccp or sctp. If no port range is specified, then the destination port will never be modified. If no IP address is specified, then only the destination port will be modified. In kernels up to 2.6.10 you can add several --to-destination options; for those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
Because the rewrite is recorded in the connection-tracking entry, the filter table's FORWARD chain sees the translated destination, so a port forward also needs a matching ACCEPT there; DNAT on its own does not let the traffic through.
REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the localhost address, 127.0.0.1 for IPv4 and ::1 for IPv6). It takes the following option:
--to-ports port[-port]
This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies one of the following protocols: tcp, udp, dccp or sctp.
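The following shell script is an added example, not from the original notes or from the iptables project. It wraps the targets covered above (REJECT with tcp-reset / icmp-host-prohibited, DROP, DNAT, REDIRECT) in small functions that check the chain and protocol constraints stated in the man page before a rule is built, and prints a complete rule set for a small gateway: a port forward with its required FORWARD ACCEPT, and a transparent proxy redirect for both forwarded and locally generated traffic. The addresses (10.0.0.5), ports, the interface eth1 and the proxy user name are assumed sample values. Rules are only printed; set APPLY=1 and run as root to execute them.

```shell
#!/bin/sh
# Added example: builds iptables command lines for the targets discussed in
# these notes and enforces the chain/protocol constraints from the man page
# before anything reaches the kernel. All addresses, ports, interface and the
# proxy user are assumed sample values. Rules are printed; they are executed
# only when APPLY=1 (needs root and iptables).

IPT=${IPT:-iptables}

run() {
    # Print the rule; execute it only when APPLY=1.
    printf '%s\n' "$IPT $*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    fi
}

# reject_rule CHAIN PROTO DPORT REJECT_WITH
# tcp-reset is only meaningful for TCP and iptables refuses it otherwise;
# fail early rather than silently end up without the rule.
reject_rule() {
    chain=$1 proto=$2 dport=$3 with=$4
    case $proto in
        tcp|udp) ;;
        *) echo "reject_rule: --dport needs -p tcp or udp (got $proto)" >&2; return 1 ;;
    esac
    if [ "$with" = tcp-reset ] && [ "$proto" != tcp ]; then
        echo "reject_rule: tcp-reset requires -p tcp (got $proto)" >&2
        return 1
    fi
    run -A "$chain" -p "$proto" --dport "$dport" -j REJECT --reject-with "$with"
}

# nat_chain_ok CHAIN NAME: DNAT and REDIRECT live in the nat table, in
# PREROUTING or OUTPUT only (or user chains called from them, not handled here).
nat_chain_ok() {
    case $1 in
        PREROUTING|OUTPUT) return 0 ;;
        *) echo "$2: only valid in nat PREROUTING/OUTPUT (got $1)" >&2; return 1 ;;
    esac
}

# port_proto_ok PROTO NAME: matching --dport and rewriting a port via
# --to-destination / --to-ports both need a port-carrying protocol.
port_proto_ok() {
    case $1 in
        tcp|udp|dccp|sctp) return 0 ;;
        *) echo "$2: ports require -p tcp/udp/dccp/sctp (got $1)" >&2; return 1 ;;
    esac
}

# dnat_rule CHAIN PROTO DPORT TO   (TO = ipaddr[:port])
dnat_rule() {
    chain=$1 proto=$2 dport=$3 to=$4
    nat_chain_ok "$chain" dnat_rule || return 1
    port_proto_ok "$proto" dnat_rule || return 1
    run -t nat -A "$chain" -p "$proto" --dport "$dport" -j DNAT --to-destination "$to"
}

# redirect_rule CHAIN PROTO DPORT TOPORT [extra match args...]
redirect_rule() {
    chain=$1 proto=$2 dport=$3 toport=$4
    shift 4
    nat_chain_ok "$chain" redirect_rule || return 1
    port_proto_ok "$proto" redirect_rule || return 1
    run -t nat -A "$chain" -p "$proto" --dport "$dport" "$@" -j REDIRECT --to-ports "$toport"
}

# A complete rule set for a small gateway (sample values throughout).
gateway_rules() {
    # filter: silently DROP anything unmatched (scanners see "filtered"),
    # REJECT with tcp-reset where the port should simply look closed,
    # icmp-host-prohibited where an explicit refusal is acceptable.
    run -P INPUT DROP
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    reject_rule INPUT tcp 23 tcp-reset
    reject_rule INPUT udp 161 icmp-host-prohibited

    # Port forward: outside 8080 -> internal web server. DNAT rewrites the
    # destination before routing and conntrack carries it for the rest of the
    # connection, so FORWARD sees 10.0.0.5:80 and still needs an ACCEPT.
    dnat_rule PREROUTING tcp 8080 10.0.0.5:80
    run -A FORWARD -p tcp -d 10.0.0.5 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # Transparent proxy on port 3128 for LAN clients arriving on eth1.
    redirect_rule PREROUTING tcp 80 3128 -i eth1
    # Locally generated traffic never passes PREROUTING, so repeat in OUTPUT,
    # excluding the proxy's own user (assumed name) or its upstream
    # connections would be redirected back into itself.
    redirect_rule OUTPUT tcp 80 3128 -m owner ! --uid-owner "${PROXY_USER:-proxy}"
}

# Usage: sh iptables_targets.sh show             (print the rule set)
#        sudo APPLY=1 sh iptables_targets.sh show (apply it)
if [ "${1:-}" = show ]; then
    gateway_rules
fi
```

The validation functions are deliberately stricter than iptables itself in one respect: iptables would also accept DNAT and REDIRECT in a user-defined chain called from PREROUTING or OUTPUT, which this script does not model. Apply the rule set on a test machine first; `-P INPUT DROP` takes effect immediately, so make sure an allow rule for your management session is in place before running with APPLY=1.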