Installation guide

ManualsBrandsPythonQ ManualsIndustrial248-8XX

161

162

163

164

165

166

167

168

169

170

170 Chapter 13. Firewalls and iptables

13.3.2. Structure

Many iptables commands have the following structure:

iptables [-t table-name ] command chain-name parameter-1 \

option-1 parameter-n option-n

In this example, the table-name option allows the user to select a table other than the default

filter table to use with the command. The

command option is the center of the command, dictat-

ing a speciﬁc action to perform, such as appending or deleting a rule from a particular chain, which is

speciﬁed by the

chain-name option. Following the chain-name are pairs of parameters and

options that actually deﬁne the way the rule will work and what will happen when a packet matches

the rule.

When looking at the structure of an iptables command, it is important to remember that, unlike

most other commands, the length and complexity of an iptables command can change based on

its purpose. A simple command to remove a rule from a chain can be very short, while a command

designed to ﬁlter packets from a particular subnet using a variety of speciﬁc parameters and options

can be rather lengthy. When creating iptables commands it is helpful to recognize that some param-

eters and options may create the need for other parameters and options to further specify the previous

option’s request. In order to construct a valid rule, this must continue until every parameter and option

that requires another set of options is satisﬁed.

Type iptables -h to see a comprehensive list of iptables command structures.

13.3.3. Commands

Commands tell iptables to perform a speciﬁc action. Only one command is allowed per iptables

command string. With the exception of the help command, all commands are written in upper-case

characters.

The iptables commands are as follows:

• -A — Appends the iptables rule to the end of the speciﬁed chain. This is the command used to

simply add a rule when rule order in the chain does not matter.

• -C — Checks a particular rule before adding it to the user-speciﬁed chain. This command can

help you construct complicated iptables rules by prompting you for additional parameters and

options.

• -D — Deletes a rule in a particular chain by number (such as 5 for the ﬁfth rule in a chain). You

can also type the entire rule, and iptables will delete the rule in the chain that matches it.

• -E — Renames a user-deﬁned chain. This does not affect the structure of the table. Rather, it just

saves you the trouble of deleting the chain, creating it under the new name, and reconﬁguring all of

your rules for that chain.

• -F — Flushes the selected chain, which effectively deletes every rule in the the chain. If no chain

is speciﬁed, this command ﬂushes every rule from every chain.

• -h — Provides a list of helpful command structures, as well as a quick summary of command

parameters and options.

• -I — Inserts a rule in a chain at a particular point. Assign a number to the rule to be inserted and

iptables will put it there. If no number is speciﬁed, iptables will place your command at the

top of the rule list.