Blog About Php5 And Php4 Programming Techniques And Developing and Personal Web Hosting

Sponsored by: Search | Newsletter | Conference | Tech Jobs O’Reilly’s Emerging Technology Conference: May 13-16, 2002 Articles Linux Apache MySQL Perl PHP Python BSD Essentials What is LAMP? The Best of ONLamp.com aboutSQL Big Scary Daemons FreeBSD Basics HTTP Wrangler Linux in the Enterprise Linux Network Administration The Linux Professional Perl P5P Digest Archive PHP Admin Basics PHP Phanatics Python_News Security Alerts Alphabetical Directory of Linux Commands This directory of Linux commands is from Linux in a Nutshell, 3rd Edition. Click on any of the 379 commands below to get a description and list of available options. All links in the command summaries point to the online version of the book on Safari Tech Books Online. Buy it now Read it online ipchains-save [chain] [option] System administration command. Print the IP firewall rules currently stored in the kernel to stdout. If no chain is given, all chains will be printed. Output is usually redirected to a file, which can later be used by ipchains-restore to restore the firewall. Option - v Print out rules to stderr as well as stdout, making them easier to see when redirecting output. Return to: Alphabetical Directory of Linux Commands Sponsored by:

XML Copyright 2000-2002 O’Reilly & Associates, Inc. All Rights Reserved. All trademarks and registered trademarks appearing on the O’Reilly Network are the property of their respective owners. For problems or assistance with this site, email help@oreillynet.com

O’Reilly Books Latest LAMP Titles: mod_perl Pocket Reference SQL in a Nutshell Network Printing Books by topic: Linux Open Source Security System and Network Administration Unix Web and Internet O’Reilly Network Technologies: ONJava.com ONLamp.com openp2p.com Perl.com XML.com Apache BSD Java Javascript and CSS Linux Mac Mozilla .NET P2P Perl Policy PHP Python Web Services Wireless

Sponsored by: Search | Newsletter | Conference | Tech Jobs O’Reilly’s Emerging Technology Conference: May 13-16, 2002 Articles Linux Apache MySQL Perl PHP Python BSD Essentials What is LAMP? The Best of ONLamp.com aboutSQL Big Scary Daemons FreeBSD Basics HTTP Wrangler Linux in the Enterprise Linux Network Administration The Linux Professional Perl P5P Digest Archive PHP Admin Basics PHP Phanatics Python_News Security Alerts Alphabetical Directory of Linux Commands This directory of Linux commands is from Linux in a Nutshell, 3rd Edition. Click on any of the 379 commands below to get a description and list of available options. All links in the command summaries point to the online version of the book on Safari Tech Books Online. Buy it now Read it online ipchains-restore [options] System administration command. Restore firewall rules. ipchains-restore takes commands generated by ipchains-save and uses them to restore the firewall rules for each chain. Often used by initialization scripts to restore firewall settings on boot. Options -f Force updates of existing chains without asking. -v Print rules as they are being restored. -p If a nonexisting chain is targeted by a rule, create it. Return to: Alphabetical Directory of Linux Commands Sponsored by:

-l, –log Log information for the matching packet to the system log. -t andmask xormask, –TOS andmask xormask Change the Type of Service field in the packet’s header. The TOS field is first ANDed with the 8-bit hexadecimal mask andmask, then XORed with the 8-bit hexadecimal mask xormask. Rules that would affect the least significant bit (LSB) portion of the TOS field are rejected. -x, –exact Expand all numbers in a listing (-L). Display the exact value of the packet and byte counters instead of rounded figures. [!] -y, –syn Match only incoming TCP connection requests, those with the SYN bit set and the ACK and FIN bits cleared. This blocks incoming TCP connections but leaves outgoing connections unaffected. –line-numbers Used with the -L command. Add the line number to the beginning of each rule in a listing indicating its position in the chain. –no-warnings Disable all warnings Return to: Alphabetical Directory of Linux Commands Copyright 2000-2002 O’Reilly & Associates, Inc. All Rights Reserved. All trademarks and registered trademarks appearing on the O’Reilly Network are the property of their respective owners. For problems or assistance with this site, email help@oreillynet.com

either in the traditional form (e.g., /255.255.255.0) or in the modern form (e.g., /24). The optional port specifies the TCP, UDP, or ICMP type that will match. You may supply a port specification only if you’ve supplied the -p parameter with one of the tcp, udp or icmp protocols. A colon can be used to indicate an inclusive range of ports or ICMP values to be used. (e.g., 20:25 for ports 20 through 25). If the first port parameter is missing, the default value is 0. If the second is omitted, the default value is 65535. -d [!] address[/mask] [!] [port], –destination [!] address[/mask] [port] Match packets with the destination address. The syntax for this command’s parameters is the same as for the -s option. -j target, –jump target Jump to a special target or a user-defined chain. If this option is not specified for a rule, matching the rule only increases the rule’s counters and the packet is tested against the next rule. -i [!] name, –interface name Match packets from interface name[+]. name is the network interface used by your system (e.g., eth0 or ppp0). A + can be used as a wildcard, so ppp+ would match any interface name beginning with ppp. [!] -f, [!]–fragment $PARAMETER The rule applies to everything but the first fragment of a fragmented packet. –source-port [!] port Match packets from the source port. The syntax for specifying ports can be found in the preceding description of the -s option. –destination-port [!] port Match packets with the destination port. The syntax for specifying ports can be found in the preceding description of the -s option. –icmp-type [!] type Match packets with ICMP type name or number of type. Options -b, –bidirectional Put rule in both the input and output chain so packets will be matched in both directions. -v, –verbose Verbose mode. -n, –numeric Print all IP address and port numbers in numeric form. By default, names are displayed when possible.

XML Targets A target can be the name of a chain or one of the following special values: ACCEPT Let the packet through. DENY Drop the packet. MASQ Masquerade the packet so it appears that it originated from the current system. Reverse packets from masqueraded connections are unmasqueraded automatically. This is a legal target for only the forward chain, or user-defined chains used in forwarding packets. To use this target, the kernel must be compiled with support for IP masquerading. REDIRECT [port] Redirect incoming packets to a local port on which you are running a transparent proxy program. If the specified port is 0 or is not given, the destination port of the packet is used as the redirection port. REDIRECT is only a legal target for the input chain or user-defined chains used in handling incoming packets. The kernel must be compiled with support for transparent proxies. REJECT Drop the packet and send an ICMP message back to the sender indicating the packet was dropped. RETURN Return to the chain from which this chain was called and check the next rule. If RETURN is the target of a rule in a built-in chain, then the builtin chain’s default policy is applied. Rule specification parameters These options are used to create rules for use with the preceding commands. Rules consist of some matching criteria and usually a target to jump to (-j) if the match is made. Many of the parameters for these matching rules can be expressed as a negative with an exclamation point (!) meaning “not.” Those rules will match everything except the given parameter. -p [!] name, –protocol [!]$PARAMETER Match packets of protocol name. The value of name can be given as a name or number as found in the file /etc/protocols. The most common values are tcp, udp, icmp, or the special value all. The number 0 is equivalent to all, and this is the default value when this option is not used. -s [!] address[/mask] [!] [port], –source [!] address[/mask] [!] [port] Specifies the source address and port of the packet that will match this rule. The address may be supplied as a hostname, a network name, or an IP address. The optional mask is the netmask to use and may be supplied

O’Reilly Books Latest LAMP Titles: mod_perl Pocket Reference SQL in a Nutshell Network Printing Books by topic: Linux Open Source Security System and Network Administration Unix Web and Internet O’Reilly Network Technologies: ONJava.com ONLamp.com openp2p.com Perl.com XML.com Apache BSD Java Javascript and CSS Linux Mac Mozilla .NET P2P Perl Policy PHP Python Web Services Wireless -D chain rules, –delete chain rules Delete rules from chain. Rules can be specified by their ordinal number in the chain as well as by a general rule description. -R chain number rule, –replace chain number rule Replace a rule in chain. The rule to be replaced is specified by its ordinal number. -C chain rule, –check chain rules Construct a network packet that matches the given rule and check how chain will handle it. The rule must describe the source, destination, protocol, and interface of the packet to be constructed. -L [chain], –list $PARAMETER List the rules in chain. If no chain is specified, list the rules in all chains. -ML, –masquerading –list List masquerading connections. -MS tcp tcpfin udp, –masquerading –set tcp tcpfin udp Set timeout value in seconds for masquerading connections. -MS always takes three parameters specifying the timeout values for TCP sessions, TCP sessions that have received a FIN packet, and UDP packets. -F chain, –flush chain Remove all rules from chain. -Z [chain], –zero [chain] Reset the packet and byte counters in chain. If no chain is specified, all chains will be reset. When used without specifying a chain and combined with the -L command, it lists the current counter values before they are reset. -N chain, –new-chain chain Create a new chain. The chain’s name must be unique. -X [chain], –delete-chain chain Delete chain. Only user-defined chains can be deleted, and there can be no references to the chain to be deleted. If no argument is given, all userdefined chains will be deleted. -P chain target, –policy chain target Set the policy for a built-in chain; the target itself cannot be a chain. -h [icmp] Print a brief help message. If the option icmp is given, print a list of valid ICMP types.

Sponsored by: Search | Newsletter | Conference | Tech Jobs O’Reilly’s Emerging Technology Conference: May 13-16, 2002 Articles Linux Apache MySQL Perl PHP Python BSD Essentials What is LAMP? The Best of ONLamp.com aboutSQL Big Scary Daemons FreeBSD Basics HTTP Wrangler Linux in the Enterprise Linux Network Administration The Linux Professional Perl P5P Digest Archive PHP Admin Basics PHP Phanatics Python_News Security Alerts Alphabetical Directory of Linux Commands This directory of Linux commands is from Linux in a Nutshell, 3rd Edition. Click on any of the 379 commands below to get a description and list of available options. All links in the command summaries point to the online version of the book on Safari Tech Books Online. Buy it now Read it online ipchains command [options] System administration command. Edit IP firewall rules in the 2.2 Linux kernel. A 2.2 Linux kernel compiled with firewall support will examine the headers of all network packets and compare them to matching rules to see what it should do with the packet. A firewall rule consists of some matching criteria and a target, a result to be applied if the packet matches the criteria. The rules are organized into chains. You can use these rules to build a firewall or just reject certain kinds of network connections. Firewall rules are organized into chains, an ordered checklist that the kernel works through looking for matches. There are three built-in chains input, output, and forward. Packets entering the system are tested against the input chain. Those exiting the system are checked against the output chain. If an incoming packet is destined for some other system, it is checked against the forward chain. Each of these chains has a default target, a policy, in case no match is found. User-defined chains can be created and used as targets for packets, but they have no default policies. If no match can be found in a userdefined chain, the packet is returned to the chain from which it was called and tested against the next rule in that chain. ipchains only changes the rules in the running kernel. When the system is powered off, all those changes are lost. You can use the ipchains-save command to make a script you can later run with ipchains-restore to restore your firewall settings. Such a script is often called at boot up and many distributions have an ipchains initialization script that uses the output from ipchains-save. Commands ipchains is always invoked with one of the following commands: -A chain rules, –append chain rules Append new rules to chain. -I chain number rules, –insert

XML Copyright 2000-2002 O’Reilly & Associates, Inc. All Rights Reserved. All trademarks and registered trademarks appearing on the O’Reilly Network are the property of their respective owners. For problems or assistance with this site, email help@oreillynet.com