Linux with Operating System Concepts

Network Configuration
◾
513
The value of 
chain
will be one of INPUT, OUTPUT or FORWARD, or a chain that you 
have defined. The value of 
target
will be one of ACCEPT, REJECT, DROP, or LOG that 
indicates what should be done with the message (these four values are described later). The 
–A option indicates that this rule should be 
appended
to the given chain. Thus, we are add-
ing to the chain so that if previous rules do not match, the firewall can continue to examine 
more rules of the chain.
The options in the rule specify the criteria by which the rule will match. You can think 
of these as the conditions of an if-then statement. Some of the most useful and common 
options available for the iptables rules are presented in Table 12.6. Notice --
dport
and 
--
dports
are subtly different. The former is used if you are comparing the message’s port 
to a single port of interest while the latter compares the message’s port against a list of 
ports. Similarly, there is a distinction between 
sport
and 
sports
.
Rules may have any number of options. For the rule to be true, 
all
options specified must 
be true. If a rule is true, the action specified under the target will take place. If any target 
other than LOG is used, chaining will stop. For instance, if a rule causes a packet to be 
accepted, then no more chaining takes place. The four targets are listed below.
• ACCEPT—permit the packet entry to the system
• REJECT—reject the packet and notify the sender
• DROP—reject the packet without notifying the sender
• LOG—log the packet but continue chaining rules to reach one of the other targets
TABLE 12.6 
iptable Rule Options

Download 5,65 Mb.

Do'stlaringiz bilan baham: