Archive for March, 2008

iptables-restore [file] System administration command.

Thursday, March 6th, 2008

iptables-restore [file]
System administration command. Restore firewall rules. iptables-restore takes commands generated by iptables-save and uses them to restore the firewall rules for each chain. Often used by initialization scripts to restore firewall settings on boot. file is the name of a file whose contents were generated by iptables-save. If not specified, the command takes its input from stdin. Each table is committed as a unit, so there is no interval in which a chain holds only part of the intended rules, as there is when rules are added one iptables command at a time. This command was not completed at the time this book went to print. There may be options not listed here.

(This entry is from the Alphabetical Directory of Linux Commands, taken from Linux in a Nutshell, 3rd Edition, O'Reilly; the online directory covers 379 commands and links to the book on Safari Tech Books Online.)

Modify the destination address of the packet and

Wednesday, March 5th, 2008

Modify the destination address of the packet and all future packets in the current connection. DNAT is valid only in the PREROUTING and OUTPUT chains of the nat table (and in user-defined chains called from them).

--to-destination address[-address][:port[-port]]
Specify the new destination address or range of addresses, optionally with a port or range of ports. The arguments for this option are the same as for the --to-source option of the SNAT extension target.

MASQUERADE
Masquerade the packet so it appears that it originated from the current system, using the address of the outgoing interface. Reverse packets from masqueraded connections are unmasqueraded automatically. This is a legal target only in the POSTROUTING chain of the nat table and should be used only with dynamically assigned addresses (such as dial-up), because existing mappings are forgotten when the interface goes down. For static addresses use SNAT.

--to-ports port[-port]
Specify the port or range of ports to use when masquerading. This option is valid only if a tcp or udp protocol has been specified with the -p option. If this option is not used, the masqueraded packet's port is not changed.

REDIRECT [--to-ports port[-port]]
Redirect the packet to a port on the local system by rewriting its destination to the address of the interface it arrived on (127.0.0.1 for locally generated packets). This is useful for creating transparent proxies. REDIRECT is valid only in the PREROUTING and OUTPUT chains of the nat table.

--to-ports port[-port]
Specify the port or range of ports on the local system to which the packet should be redirected. This option is valid only if a tcp or udp protocol has been specified with the -p option. If this option is not used, the redirected packet's port is not changed.

Copyright 2000-2002 O'Reilly & Associates, Inc. All Rights Reserved. All trademarks and registered trademarks appearing on the O'Reilly Network are the property of their respective owners. For problems or assistance with this site, email help@oreillynet.com

--log-tcp-options Log options from the TCP packet header.

Wednesday, March 5th, 2008

--log-tcp-options
Log options from the TCP packet header.

--log-ip-options
Log options from the IP packet header.

MARK
Used to mark packets with an unsigned integer value you can use later with the mark matching extension. Valid only in the mangle table.

--set-mark value
Mark the packet with value.

REJECT
Drop the packet and, if appropriate, send an ICMP message back to the sender indicating the packet was rejected. If the packet was an ICMP error message, an unknown ICMP type, or a non-head fragment, or if too many ICMP messages have already been sent to this address, no message is sent. REJECT is valid only in the INPUT, FORWARD, and OUTPUT chains and in user-defined chains called from them.

--reject-with type
Send the specified ICMP message type. Valid values are icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, or icmp-proto-unreachable; for TCP packets, tcp-reset sends a TCP RST instead of an ICMP error. If the packet was an ICMP ping packet, type may also be echo-reply.

TOS
Set the Type of Service field in the IP header. TOS is a valid target only for rules in the mangle table.

--set-tos value
Set the TOS field to value. You can specify this as an 8-bit value or as a TOS name. You can get a list of valid names with iptables -j TOS -h.

SNAT
Modify the source address of the packet and all future packets in the current connection. SNAT is valid only in the POSTROUTING chain of the nat table.

--to-source address[-address][:port[-port]]
Specify the new source address or range of addresses. If a tcp or udp protocol has been specified with the -p option, a source port or range of ports may also be given. If no port is specified, the original source port is kept when possible; otherwise ports below 512 are mapped to other ports below 512, ports 512 to 1023 to other ports below 1024, and ports 1024 and above to other ports 1024 and above.

DNAT
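The SNAT entry above, the DNAT, MASQUERADE and REDIRECT entries of the following post, and the iptables-save format that iptables-restore consumes, as an added shell example (not code from the book or from the iptables project). It emits a nat and mangle ruleset for a small gateway and checks, before anything is loaded, that every NAT target sits in a chain where the kernel accepts it. The interface names, addresses, ports and the mark value are assumptions; the placement table encodes the chain rules stated in these entries (DNAT and REDIRECT in PREROUTING or OUTPUT, SNAT and MASQUERADE in POSTROUTING; newer kernels also accept SNAT in the nat INPUT chain) and knows only the built-in chains, so a NAT target reached through a user-defined chain is reported as misplaced.

```shell
#!/bin/sh
# Added example (not from the book or the iptables project): generate a
# nat/mangle ruleset in iptables-save format and sanity-check NAT target
# placement before handing it to iptables-restore.

# nat_ruleset WAN_IF LAN_NET WEB_HOST [STATIC_IP]
# Assumed topology: LAN_NET sits behind WAN_IF; public TCP/80 is forwarded
# to WEB_HOST:8080; LAN web clients are sent through a transparent proxy on
# local port 3128. With STATIC_IP the source NAT uses SNAT, otherwise
# MASQUERADE (MASQUERADE is only for dynamically assigned addresses).
nat_ruleset() {
    wan="$1"; lan_net="$2"; web_host="$3"; static_ip="${4:-}"
    if [ -n "$static_ip" ]; then
        snat_rule="-A POSTROUTING -s $lan_net -o $wan -j SNAT --to-source $static_ip"
    else
        snat_rule="-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web_host:8080
-A PREROUTING -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports 3128
$snat_rule
COMMIT
*mangle
-A PREROUTING -s $lan_net -p tcp --dport 22 -j MARK --set-mark 1
-A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
COMMIT
EOF
}

# check_nat_placement < ruleset
# Exit 0 when every DNAT/REDIRECT/SNAT/MASQUERADE rule is in a permitted
# built-in chain of the nat table, 1 otherwise (offending rules are printed).
check_nat_placement() {
    awk '
    BEGIN {
        ok["DNAT"] = " PREROUTING OUTPUT "
        ok["REDIRECT"] = " PREROUTING OUTPUT "
        ok["SNAT"] = " POSTROUTING INPUT "   # INPUT only on newer kernels
        ok["MASQUERADE"] = " POSTROUTING "
        bad = 0
    }
    /^\*/ { table = substr($0, 2); next }       # "*nat" selects a table
    /^-A / {
        chain = $2; target = ""
        for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1)
        if (target in ok && (table != "nat" || index(ok[target], " " chain " ") == 0)) {
            printf "bad placement: -j %s in %s/%s\n", target, table, chain
            bad++
        }
    }
    END { exit (bad > 0 ? 1 : 0) }'
}

# Usage: sh nat.sh eth0 192.168.1.0/24 192.168.1.10 [203.0.113.7] | iptables-restore
if [ $# -ge 3 ]; then
    nat_ruleset "$@" | check_nat_placement >&2 && nat_ruleset "$@"
fi
```

The check runs on the text that would be loaded, not on the live tables, so it costs nothing to run in the same boot script that calls iptables-restore; a misplaced target is the kind of mistake that iptables-restore rejects only after the earlier tables in the file have already been committed.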

Match packets created by a process owned by

Tuesday, March 4th, 2008

Match packets created by a process owned by userid.

--gid-owner groupid
Match packets created by a process owned by groupid.

--pid-owner processid
Match packets created by process ID processid.

--sid-owner sessionid
Match packets created by a process in the session sessionid.

state
Loaded explicitly with the -m option. This module matches the connection-tracking state of a packet.

--state states
Match the packet if it has one of the states in the comma-separated list states. Valid states are INVALID, ESTABLISHED, NEW, and RELATED.

tos
Loaded explicitly with the -m option. This module matches the Type of Service field in a packet's IP header.

--tos value
Match the packet if it has a TOS of value. value can be a numeric value or a Type of Service name. iptables -m tos -h gives a list of valid TOS values.

Target extensions

Extension targets are optional additional targets supported by separate kernel modules. They have their own associated options.

LOG
Log the packet's header information in the kernel log (delivered through syslog). LOG is a non-terminating target: the packet continues to the next rule in the chain, so a rule that logs is normally followed by one that drops or rejects.

--log-level level
Set the syslog level by name or number (as defined in syslog.conf).

--log-prefix prefix
Begin each log entry with the string prefix. The prefix may be up to 29 characters long.

--log-tcp-sequence
Log the TCP sequence numbers. This is a security risk if your log is readable by users.
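What the LOG target's output looks like once it reaches syslog, and how to turn it into something a responder can act on, as an added shell example (not code from the book or the iptables project). The log lines are constructed for illustration in the field layout the LOG target writes (IN=, OUT=, MAC=, SRC=, DST=, PROTO=, SPT=, DPT= and so on); the prefix "FW-DROP: " is an assumed --log-prefix, and the host name, addresses and ports are made up. The first function counts hits per destination port, the second flags sources that probed several distinct ports, a simple port-scan heuristic.

```shell
#!/bin/sh
# Added example (not from the book or the iptables project): summarise
# kernel LOG-target lines. Sample lines are constructed; the prefix below
# is the assumed value given to --log-prefix.
FW_PREFIX="FW-DROP:"

SAMPLE_LOG='Mar  3 10:15:22 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:60:08:91:cc:b7:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:23 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:60:08:91:cc:b7:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:24 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:60:08:91:cc:b7:00:11:22:33:44:55:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=20
Mar  3 10:15:25 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:60:08:91:cc:b7:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44323 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:26 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:60:08:91:cc:b7:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44324 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:27 gw sshd[4242]: Accepted publickey for admin from 192.0.2.50 port 51234 ssh2'

# fw_log_hits_by_port < log
# Print "PROTO/DPT count" for every logged destination port, most hit first.
fw_log_hits_by_port() {
    awk -v prefix="$FW_PREFIX" '
    index($0, prefix) == 0 { next }              # not one of our LOG lines
    {
        proto = "?"; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dpt != "") n[proto "/" dpt]++
    }
    END { for (k in n) printf "%s %d\n", k, n[k] }' | sort -k2,2nr -k1,1
}

# fw_log_scanners [MIN_PORTS] < log
# Print sources that hit at least MIN_PORTS distinct PROTO/DPT pairs
# (default 3), with their packet count.
fw_log_scanners() {
    min="${1:-3}"
    awk -v prefix="$FW_PREFIX" -v min="$min" '
    index($0, prefix) == 0 { next }
    {
        src = ""; dpt = ""; proto = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src == "" || dpt == "") next
        key = src SUBSEP proto "/" dpt
        if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        hits[src]++
    }
    END {
        for (s in ports)
            if (ports[s] >= min)
                printf "%s %d distinct ports, %d packets\n", s, ports[s], hits[s]
    }' | sort
}

# Usage: journalctl -k | sh fwlog.sh   (or feed /var/log/kern.log)
if [ ! -t 0 ] && [ $# -eq 0 ]; then
    :
fi
```

Run against the embedded sample with `printf '%s\n' "$SAMPLE_LOG" | fw_log_scanners 3`; the threshold is deliberately a parameter, since what counts as a scan depends on how much a rate-limited LOG rule is allowed to record (see the limit match in the next post).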

must be given in colon-separated hex-byte notation (for

Monday, March 3rd, 2008

must be given in colon-separated hex-byte notation (for example, --mac-source 00:60:08:91:CC:B7).

limit
Loaded explicitly with the -m option. The limit extension limits the number of packets matched. This is useful when combined with the LOG target. Rules using this extension match until the specified limit is reached.

--limit rate
Match at most rate packets once the burst is used up. rate is specified as a number with an optional /second, /minute, /hour, or /day suffix. When this option is not set, the default is 3/hour.

--limit-burst number
Set the maximum number of packets to match in a burst. Once the number has been reached, no more packets are matched by this rule until the burst has recharged. It recharges at the rate set by the --limit option. When not specified, the default is 5.

multiport
Loaded explicitly with the -m option. The multiport extension matches sets of source or destination ports. It can be used only in conjunction with -p tcp or -p udp. Up to 15 ports can be specified in a comma-separated list.

--source-port ports
Match the given source ports.

--destination-port ports
Match the given destination ports.

--port ports
Match if the packet has the same source and destination port and that port is one of the given ports.

mark
Loaded explicitly with the -m option. This module works with the MARK extension target.

--mark value[/mask]
Match the given unsigned mark value. If a mask is specified, it is logically ANDed with the packet's mark before comparison.

owner
Loaded explicitly with the -m option. The owner extension matches a locally generated packet's creator by user, group, process, and session ID. This makes sense only in the OUTPUT chain.

--uid-owner userid
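How --limit and --limit-burst interact, as an added shell example (not code from the book or the iptables project). It models the limit match as a token bucket: the bucket starts full with burst tokens, each matched packet spends one, and tokens are earned back at rate. The kernel's implementation counts credits in jiffies rather than floating-point seconds, so this is an approximation that reproduces the observable match/no-match pattern at whole-second resolution, not the kernel code. The rate string syntax (number plus /second, /minute, /hour or /day) and the defaults are those given above; the packet timings fed in are made up.

```shell
#!/bin/sh
# Added example (not from the book or the iptables project): token-bucket
# model of "-m limit --limit RATE --limit-burst BURST".
#
# limit_match RATE BURST T1 T2 T3 ...
# RATE is e.g. 3/minute (a bare number means per second); the remaining
# arguments are packet arrival times in seconds, in order. Prints one
# "t=<time> match" or "t=<time> no-match" line per packet.
limit_match() {
    rate="$1"; burst="$2"; shift 2
    printf '%s\n' "$@" | awk -v rate="$rate" -v burst="$burst" '
    BEGIN {
        n = rate + 0                          # numeric prefix of "3/minute"
        unit = "second"
        if (split(rate, p, "/") == 2) unit = p[2]
        if (unit == "second") per = 1
        else if (unit == "minute") per = 60
        else if (unit == "hour") per = 3600
        else if (unit == "day") per = 86400
        else { print "bad unit: " unit > "/dev/stderr"; exit 2 }
        interval = per / n                    # seconds needed to earn one token
        tokens = burst                        # bucket starts full
        last = 0
    }
    {
        t = $1 + 0
        tokens += (t - last) / interval       # recharge since last packet
        if (tokens > burst) tokens = burst    # never above the burst size
        last = t
        if (tokens >= 1) { tokens -= 1; printf "t=%s match\n", $1 }
        else printf "t=%s no-match\n", $1
    }'
}

# Usage: limit_match 3/minute 5 0 0 0 0 0 0 0 30 60
# With the page defaults (3/hour, burst 5) a flood of 1000 packets in one
# second yields exactly 5 matches; paired with LOG that is 5 log lines
# instead of 1000, which is the point of putting limit in front of LOG.
```

Seven packets at t=0 against 3/minute with burst 5 match five times and then stop; at t=30 one and a half tokens have been earned back, so the eighth packet matches again, and the ninth at t=60 matches with half a token to spare. Note that the bucket recharges towards burst, not towards zero, so after a quiet period the first burst packets are always let through again.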

Loaded when -p tcp is the only protocol

Monday, March 3rd, 2008

Loaded when -p tcp is the only protocol specified.

--source-port [!] port[:port], --sport [!] port[:port]
Match the specified source ports. Using the colon specifies an inclusive range of ports to match. If the first port is omitted, 0 is the default. If the second port is omitted, 65535 is the default. You can also use a dash instead of a colon to specify the range.

--destination-port [!] port[:port], --dport [!] port[:port]
Match the specified destination ports. The syntax is the same as for --source-port.

--tcp-flags [!] mask comp
Match packets with the TCP flags specified by mask and comp. mask is a comma-separated list of the flags that should be examined. comp is a comma-separated list of the flags that must be set, among those examined, for the rule to match. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE.

[!] --syn
Match packets with the SYN bit set and the ACK and RST bits cleared. These are packets that request TCP connections; blocking them prevents incoming connections. Shorthand for --tcp-flags SYN,RST,ACK SYN.

udp
Loaded when -p udp is the only protocol specified.

--source-port [!] port[:port], --sport [!] port[:port]
Match the specified source ports. The syntax is the same as for the --source-port option of the tcp extension.

--destination-port [!] port[:port], --dport [!] port[:port]
Match the specified destination ports. The syntax is the same as for the --source-port option of the tcp extension.

icmp
Loaded when -p icmp is the only protocol specified.

--icmp-type [!] type
Match the specified ICMP type. type may be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac
Loaded explicitly with the -m option.

--mac-source [!] address
Match the source MAC address of the frame that carried the packet. address
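The tcp, udp, icmp and mac matches above, combined with state, limit, multiport and owner from the preceding posts and with the LOG and REJECT targets, as one added shell example (not code from the book or the iptables project). It builds a complete filter table in the iptables-save format that iptables-restore loads, then lints the text before loading: every table must end in COMMIT, every -j to a non-special target must name a chain declared in that table, and no LOG rule may run without a limit match in front of it. The interface name, the allowed ports, the MAC address of the monitoring host, the service UID and the log prefix are assumptions; the multiport option is written --dports, the spelling current iptables accepts, where the page lists the older --destination-port form.

```shell
#!/bin/sh
# Added example (not from the book or the iptables project): build a filter
# ruleset from the match and target extensions described on this page and
# lint it before loading it atomically with iptables-restore.

# filter_ruleset WAN_IF SERVICE_UID
# Assumed policy: default DROP on INPUT/FORWARD; established traffic and
# loopback in; new SSH/HTTP/HTTPS only as proper SYNs; rate-limited pings;
# SNMP only from one known MAC on the LAN; everything else logged at a
# bounded rate, then dropped. Locally, the service account SERVICE_UID may
# not open SMTP connections (a compromised service cannot send mail).
filter_ruleset() {
    wan="$1"; svc_uid="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $wan -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -i $wan -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 161 -m mac --mac-source 00:60:08:91:CC:B7 -j ACCEPT
-A INPUT -j LOGDROP
-A OUTPUT -m owner --uid-owner $svc_uid -p tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A LOGDROP -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "FW-DROP: " --log-level info
-A LOGDROP -j DROP
COMMIT
EOF
}

# ruleset_lint < ruleset
# Exit 0 if the text is structurally sound, 1 otherwise (problems printed).
ruleset_lint() {
    awk '
    BEGIN {
        split("ACCEPT DROP REJECT RETURN QUEUE LOG MARK TOS SNAT DNAT MASQUERADE REDIRECT", t, " ")
        for (i in t) special[t[i]] = 1
        bad = 0; open = 0
    }
    /^\*/ { table = substr($0, 2); open = 1; next }          # "*filter"
    /^:/ { split(substr($0, 2), c, " "); declared[table, c[1]] = 1; next }
    /^COMMIT$/ { open = 0; next }
    /^-A / {
        target = ""; haslimit = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-m" && $(i + 1) == "limit") haslimit = 1
        }
        if (target != "" && !(target in special) && !((table, target) in declared)) {
            printf "undeclared chain %s in table %s\n", target, table; bad++
        }
        if (target == "LOG" && !haslimit) {
            printf "LOG without -m limit in %s/%s\n", table, $2; bad++
        }
    }
    END {
        if (open) { print "table " table " has no COMMIT"; bad++ }
        exit (bad > 0 ? 1 : 0)
    }'
}

# Usage: sh filter.sh eth0 1001 | iptables-restore
if [ $# -eq 2 ]; then
    filter_ruleset "$@" | ruleset_lint >&2 && filter_ruleset "$@"
fi
```

Two points the ruleset makes that the individual entries do not: the LOG rule lives in its own chain so that one limit protects every path that logs, and the `! --syn` rule sits before the multiport ACCEPT so that a non-SYN packet claiming to open a connection is dropped even on an allowed port.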

specified for a rule, matching the rule only

Sunday, March 2nd, 2008

specified for a rule, matching the rule only increases the rule's counters, and the packet is tested against the next rule.

-i [!] name[+], --in-interface [!] name[+]
Match packets being received from interface name. name is the network interface used by your system (e.g., eth0 or ppp0). A + can be used as a wildcard, so ppp+ would match any interface name beginning with ppp. Valid only in the INPUT, FORWARD, and PREROUTING chains.

-o [!] name[+], --out-interface [!] name[+]
Match packets being sent from interface name. See the description of -i for the syntax of name. Valid only in the OUTPUT, FORWARD, and POSTROUTING chains.

[!] -f, [!] --fragment
The rule applies only to the second or further fragments of a fragmented packet. Such fragments carry no transport header, so rules that match on ports or ICMP type cannot examine them; with the negation, the rule matches only first fragments and unfragmented packets.

Options

-v, --verbose
Verbose mode.

-n, --numeric
Print all IP addresses and port numbers in numeric form. By default, text names are displayed when possible.

-x, --exact
Expand all numbers in a listing (-L). Display the exact value of the packet and byte counters instead of rounded figures.

-m module, --match module
Explicitly load the matching rule extensions associated with module. See the following section, "Match extensions."

-h [icmp], --help [icmp]
Print a help message. If icmp is specified, a list of valid ICMP type names is printed. -h can also be used with the -m option to get help on an extension module.

--line-numbers
Used with the -L command. Add the line number to the beginning of each rule in a listing, indicating its position in the chain.

Match extensions

Several kernel modules come with netfilter to extend the matching capabilities of rules. Those associated with particular protocols are loaded automatically when the -p option is used to specify the protocol. Others need to be loaded explicitly with the -m option.

tcp

-h [icmp] Print a brief help message.

Saturday, March 1st, 2008

-h [icmp]
Print a brief help message. If the option icmp is given, print a list of valid ICMP types.

Targets

A target may be the name of a chain or one of the following special values.

ACCEPT
Let the packet through.

DROP
Drop the packet.

QUEUE
Send packets to user space for processing.

RETURN
Stop traversing the current chain and return to the point in the previous chain from which this one was called. If RETURN is the target of a rule in a built-in chain, the built-in chain's default policy is applied.

Rule specification parameters

These options are used to create rules for use with the preceding commands. Rules consist of some matching criteria and usually a target to jump to (-j) if the match is made. Many of the parameters for these matching rules can be expressed as a negative with an exclamation point (!) meaning "not." Those rules will match everything except the given parameter.

-p [!] name, --protocol [!] name
Match packets of protocol name. The value of name can be given as a name or number as found in the file /etc/protocols. The most common values are tcp, udp, icmp, or the special value all. The number 0 is equivalent to all and this is the default value when this option is not used. If there are extended matching rules associated with the specified protocol, they are loaded automatically. You need not use the -m option to load them.

-s [!] address[/mask], --source [!] address[/mask]
Match packets with the given source address. The address may be supplied as a hostname, a network name, or an IP address. The optional mask is the netmask to use and may be supplied either in the traditional form (e.g., /255.255.255.0) or in the modern form (e.g., /24). Ports are not part of this option; they are matched with the protocol extensions.

-d [!] address[/mask], --destination [!] address[/mask]
Match packets with the given destination address. See the description of -s for the syntax of this option.

-j target, --jump target
Jump to a special target or a user-defined chain. If this option is not