man iptables - TABLES
- There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).
- -t, --table table
  This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.
- The tables are as follows:
- filter:
  This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
- nat:
  This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
- mangle:
  This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
- raw:
  This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface), OUTPUT (for packets generated by local processes).
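As an added example (not part of the original post or of the iptables project), the script below emits one iptables-restore ruleset that uses all four tables from the man page excerpt, each with only the built-in chains listed for it: a NOTRACK exemption in raw, MSS clamping in mangle, masquerading in nat, and a default-deny policy in filter. The interface names and the LAN subnet are constructed placeholders; it also shows the caveat that an untracked flow never reaches the ESTABLISHED state, so the filter table must accept it explicitly.

```shell
#!/bin/sh
# Added example, not the original post's code. Produces an iptables-restore
# ruleset touching the raw, mangle, nat and filter tables.
# Constructed placeholders (assumptions, not from the page): interface names
# and LAN subnet. Override via environment variables if needed.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# gen_ruleset prints the ruleset to stdout; nothing is applied here.
gen_ruleset() {
  cat <<EOF
# raw: runs before conntrack; exempt a high-volume syslog stream from tracking
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p udp --dport 514 -j NOTRACK
COMMIT

# mangle: specialised packet alteration; all five built-in chains exist since 2.4.18
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT

# nat: consulted only for the first packet of a new connection
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT

# filter: the default table; default-deny on INPUT and FORWARD
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# untracked packets (NOTRACK above) never become ESTABLISHED: accept them explicitly
-A INPUT -i $LAN_IF -p udp --dport 514 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# count_tables returns how many table sections the ruleset declares.
count_tables() {
  gen_ruleset | grep -c '^\*'
}

# When run directly, just print the ruleset for review.
[ "${1:-}" = "print" ] && gen_ruleset
```

Review the output with `sh ruleset.sh print`; to have iptables parse it without committing anything, pipe it into `iptables-restore --test` as root (this assumes an iptables release that provides the `--test` option). The order of the sections in the file does not matter to iptables-restore; they are written here in the order the packet path consults them.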