iptables command (1)

NAME

   iptables — administration tool for IPv4 packet filtering and NAT

SYNOPSIS

   iptables [-t table] {-A|-D} chain rule-specification
   iptables [-t table] -I chain [rulenum] rule-specification
   iptables [-t table] -R chain rulenum rule-specification
   iptables [-t table] -D chain rulenum
   iptables [-t table] -S [chain [rulenum]]
   iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
   iptables [-t table] -N chain
   iptables [-t table] -X [chain]
   iptables [-t table] -P chain target
   iptables [-t table] -E old-chain-name new-chain-name
   rule-specification = [matches...] [target]
   match = -m matchname [per-match-options]
   target = -j targetname [per-target-options]

DESCRIPTION

   iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
   Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a ‘target’, which may be a jump to a user-defined chain in the same table.

TARGETS

   A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN. ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number ’0’ in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
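The traversal rules above (terminal targets, jumps into a user-defined chain, RETURN resuming in the calling chain, and the built-in chain's policy deciding when the end is reached) as a small simulation; this is an added example, not code from the man page or the iptables project, and the packet dicts and rule set are constructed for illustration.

```python
# Added example, not from the man page: a small simulation of the chain
# traversal semantics described above (ACCEPT/DROP/QUEUE, jump to a
# user-defined chain, RETURN, and the built-in chain's policy).
# Constructed assumptions: a packet is a dict, a rule is (predicate, target).
ACCEPT, DROP, QUEUE, RETURN = "ACCEPT", "DROP", "QUEUE", "RETURN"
TERMINAL = {ACCEPT, DROP, QUEUE}

class Table:
    def __init__(self):
        self.chains = {}     # chain name -> list of (match, target)
        self.policies = {}   # built-in chain name -> policy target

    def new_chain(self, name, policy=None):
        self.chains[name] = []
        if policy is not None:          # only built-in chains carry a policy
            self.policies[name] = policy

    def append(self, chain, match, target):
        self.chains[chain].append((match, target))

    def verdict(self, builtin_chain, packet):
        """Fate of `packet` entering a built-in chain."""
        result = self._traverse(builtin_chain, packet)
        # End of a built-in chain, or RETURN matched in it: the policy decides.
        return self.policies[builtin_chain] if result == RETURN else result

    def _traverse(self, chain, packet):
        for match, target in self.chains[chain]:
            if not match(packet):
                continue                # no match: examine the next rule
            if target in TERMINAL:
                return target
            if target == RETURN:
                return RETURN           # stop here; caller resumes at its next rule
            sub = self._traverse(target, packet)   # jump to a user-defined chain
            if sub != RETURN:
                return sub              # terminal verdict reached in the sub-chain
            # sub-chain hit RETURN or ran off its end: continue with the next rule
        return RETURN                   # end of chain reached without a verdict

def build_demo_table():
    """Constructed ruleset: INPUT (policy DROP) hands tcp to user chain tcp_in."""
    t = Table()
    t.new_chain("INPUT", policy=DROP)
    t.new_chain("tcp_in")
    t.append("INPUT", lambda p: p["proto"] == "tcp", "tcp_in")
    t.append("INPUT", lambda p: p["proto"] == "icmp", ACCEPT)
    t.append("INPUT", lambda p: p.get("dport") == 25, ACCEPT)
    t.append("tcp_in", lambda p: p["dport"] == 22, ACCEPT)
    t.append("tcp_in", lambda p: p["dport"] == 25, RETURN)   # back to INPUT
    t.append("tcp_in", lambda p: p["dport"] == 80, DROP)
    return t
```

A tcp packet to port 25 matches RETURN in tcp_in, resumes at the next INPUT rule and is accepted there, while a tcp packet to port 443 runs off the end of tcp_in and falls through to the INPUT policy.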

TABLES

   There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).
   -t, --table table
          This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.
          The tables are as follows:
          filter:
              This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
          nat:
              This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
          mangle:
              This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
          raw:
              This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).

OPTIONS

   The options that are recognized by iptables can be divided into several different groups.

COMMANDS
These options specify the desired action to perform. Only one of them can be specified on the command line unless otherwise stated below. For long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by iptables -t nat -n -L. Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use iptables -L -v.
-S, --list-rules [chain]
Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is the default).
-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-Z, --zero [chain [rulenum]]
Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)
-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.
-X, --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.
-P, --policy chain target
Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
-E, --rename-chain old-chain new-chain
Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.
-h Help.
Give a (currently very brief) description of the command syntax.

