{"id":494,"date":"2014-06-03T15:52:16","date_gmt":"2014-06-04T00:52:16","guid":{"rendered":"\/blog\/?p=494"},"modified":"2023-09-21T09:38:43","modified_gmt":"2023-09-21T00:38:43","slug":"iptables-manpage","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=494","title":{"rendered":"iptables manpage"},"content":{"rendered":"\n

NAME<\/h2>\n\niptables - IPv4 \uae30\ubc18 \ud328\ud0b7 \ud544\ud130\ub9c1 \ubc0f NAT \ub97c \uc704\ud55c \uad00\ub9ac\uc790 \ud234\n <\/a>\n

SYNOPSIS<\/h2>\n\niptables [-t table] -[AD] <\/b>chain rule-specification [options]\n\n
\n\niptables [-t table] -I <\/b>chain [rulenum] rule-specification [options]\n\n
\n\niptables [-t table] -R <\/b>chain rulenum rule-specification [options]\n\n
\n\niptables [-t table] -D <\/b>chain rulenum [options]\n\n
\n\niptables [-t table] -[LFZ] <\/b>[chain] [options]\n\n
\n\niptables [-t table] -N <\/b>chain\n\n
\n\niptables [-t table] -X <\/b>[chain]\n\n
\n\niptables [-t table] -P <\/b>chain target [options]\n\n
\n\niptables [-t table] -E <\/b>old-chain-name new-chain-name\n\n <\/a>\n

DESCRIPTION<\/h2>\n\nIptables<\/b>\n\n\uc740 \ub9ac\ub205\uc2a4 \ucee4\ub110\uc5d0 \uc788\ub294 IP \ud328\ud0b7 \ud544\ud130 \uaddc\uce59 \ud14c\uc774\ube14\uc744 \uc14b\uc5c5\ud558\uace0, \uad00\ub9ac\ud558\uace0, \n\uc870\uc0ac\ud558\ub294 \ub370 \uc0ac\uc6a9\ub41c\ub2e4. \uc5ec\ub7ec \ub2e4\ub978 \ud14c\uc774\ube14\ub4e4\uc774 \uc815\uc758\ub420 \uc218 \uc788\ub2e4. \uac01 \ud14c\uc774\ube14\uc740\n\ub9ce\uc740 \ub0b4\uc7a5 \uccb4\uc778\ub4e4\uc744 \uac16\uace0 \uc788\uc73c\uba70 \uc0ac\uc6a9\uc790-\uc815\uc758 \uccb4\uc778\ub4e4\uc744 \uac16\uace0 \uc788\uc744 \uc218\ub3c4 \uc788\ub2e4.\n

\n\uac01 \uccb4\uc778\uc740 \ud328\ud0b7\uacfc \ube44\uad50\ud560 \uc218 \uc788\ub294 \uaddc\uce59\ub4e4\uc758 \ub9ac\uc2a4\ud2b8\uc774\ub2e4.\n\uac01 \uaddc\uce59\uc740 \ube44\uad50\ud574\uc11c \uc77c\uce58\ud558\ub294 \ud328\ud0b7\uc744 \uc5b4\ub5bb\uac8c \ud560 \uac83\uc778\uac00\ub97c \uc9c0\uc815\ud55c\ub2e4.\n\uc774\uac83\uc740 `\ud0c0\uac9f'\uc774\ub77c\uace0 \ubd88\ub9ac\uba70 \uc774\uac83\uc740 \ub3d9\uc77c\ud55c \ud14c\uc774\ube14\uc5d0 \uc788\ub294 \uc0ac\uc6a9\uc790-\uc815\uc758 \uccb4\uc778\uc73c\ub85c\n\uc810\ud504\ud560 \uc218\ub3c4 \uc788\ub2e4.\n<\/p>

\n <\/a>\n<\/p>

TARGETS<\/h2>\n\n\ubc29\ud654\ubcbd \uaddc\uce59\uc740 \uc5b4\ub5a4 \ud328\ud0b7, \uadf8\ub9ac\uace0 \uc5b4\ub5a4 \ud0c0\uac9f\uc5d0 \ub300\ud55c \ud310\ub2e8 \uae30\uc900\uc744 \uc9c0\uc815\ud55c\ub2e4.\n\uadf8 \ud328\ud0b7\uc774 \ube44\uad50\ud574\uc11c \uc77c\uce58\ud558\uc9c0 \uc54a\uc73c\uba74 \uadf8 \uccb4\uc778\uc5d0 \uc788\ub294 \ub2e4\uc74c \uaddc\uce59\uc774 \uc2dc\ud5d8\ub41c\ub2e4;\n\ub610 \uc77c\uce58\ud55c\ub2e4\uba74 \ud0c0\ucf13\uc758 \uac12\uacfc \ub3d9\uc77c\ud55c \uadf8 \ub2e4\uc74c\uc758 \uaddc\uce59\uc774 \uac80\uc0ac\ub41c\ub2e4.\n\uadf8 \uac12\uc740 \uc0ac\uc6a9\uc790-\uc815\uc758 \uccb4\uc778\uc758 \uc774\ub984\uc774\uac70\ub098 \uc544\ub798 \uc5f4\uac70\ub41c \uac83\uacfc \uac19\uc740 \ud2b9\uc218 \uac12\ub4e4 \uc911 \ud558\ub098\uac00 \ub420 \uc218 \uc788\ub2e4.\n
ACCEPT<\/i>\n\n<\/dt>
\n\uc740 \ud328\ud0b7\uc774 \ud1b5\uacfc\ud558\ub294 \uac83\uc744 \uc758\ubbf8\ud55c\ub2e4.\n<\/dd>
DROP<\/i>\n\n<\/dt>
\n\uc740 \ud328\ud0b7\uc774 \ud1b5\uacfc\ud558\uc9c0 \ubabb\ud55c\ub2e4\ub294 \uac83\uc744 \uc758\ubbf8\ud55c\ub2e4.\n<\/dd>
QUEUE<\/i>\n\n<\/dt>
\n\uc740 \ud328\ud0b7\uc744 \uc0ac\uc6a9\uc790 \uacf5\uac04(userspace; \ucee4\ub110\uc774 \uc9c0\uc6d0\ud558\ub294 \uacbd\uc6b0)\uc5d0 \uc804\ub2ec\ud558\ub294 \uac83\uc744 \uc758\ubbf8\ud55c\ub2e4.\n<\/dd>
RETURN<\/i>\n\n<\/dt>
\n\uc740 \uc774 \uccb4\uc778\uc744 \ub354\uc774\uc0c1 \uc9c0\ub098\uac00\uc9c0 \ubabb\ud558\ub3c4\ub85d \ud558\uace0 \uc774\uc804\uc5d0 (\ud638\ucd9c\ud55c) \uccb4\uc778 \ub0b4 \ub2e4\uc74c \uaddc\uce59\uc73c\ub85c\n\ubcf5\uadc0\ud558\ub3c4\ub85d \ud558\ub294 \uac83\uc744 \uc758\ubbf8\ud55c\ub2e4. \ub0b4\uc7a5 \uccb4\uc778\uc758 \ub05d\uc5d0 \ub3c4\ub2ec\ud558\uac70\ub098\n\ub0b4\uc7a5 \uccb4\uc778\uc5d0 \uc788\ub294 \uc5b4\ub5a4 \uaddc\uce59\uc774\n\ud0c0\uac9f\uacfc \uc77c\uce58\ud558\ub294 \uacbd\uc6b0,\n\uadf8 \uccb4\uc778 \uc815\ucc45\uc5d0 \uc758\ud574\uc11c \uc9c0\uc815\ub41c \ud0c0\uac9f\uc774 \uadf8 \ud328\ud0b7\uc758 \uc6b4\uba85\uc744 \uacb0\uc815\ud55c\ub2e4.\n<\/dd><\/dl>\n <\/a>\n

TABLES<\/h2>\n\n\ud604\uc7ac 3\uac1c\uc758 \ub3c5\ub9bd \ud14c\uc774\ube14\ub4e4\uc774 \uc788\ub2e4(\uc5b4\ub5a4 \ud14c\uc774\ube14\ub4e4\uc774 \uc874\uc7ac\ud558\ub294\uac00\ub294\n\ucee4\ub110\uc758 \uc124\uc815 \uc635\uc158\ub4e4\uacfc \uc5b4\ub5a4 \ubaa8\ub4c8\ub4e4\uc774 \uc874\uc7ac\ud558\ub294\uac00\uc5d0 \ub530\ub77c \ub2e4\ub974\ub2e4).\n
-t, --table <\/b>table<\/i>\n\n<\/dt>
\n\uc774 \uc635\uc169\uc740 \uba85\ub839\uc774 \ub3d9\uc791\ud574\uc57c \ud558\ub294 \ud328\ud0b7 \ube44\uad50 \ud14c\uc774\ube14\uc744 \uc9c0\uc815\ud55c\ub2e4.\n\ucee4\ub110\uc774 \uc790\ub3d9 \ubaa8\ub4c8 \ub85c\ub529 \uc635\uc158\uc744 \uac00\uc9c0\ub3c4\ub85d \uc124\uc815\ub418\uc5c8\ub2e4\uba74,\n\uc5c6\ub294 \ud14c\uc774\ube14\uc744 \uc704\ud55c \uc801\uc808\ud55c \ubaa8\ub4c8\uc744 \ub85c\ub529\ud558\ub824\ub294 \uc2dc\ub3c4\uac00 \uc774\ub8e8\uc5b4\uc9c8 \uac83\uc774\ub2e4.\n

\n\ud14c\uc774\ube14\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4:\n<\/p>


<\/dt>
\n
filter<\/b>:\n\n<\/dt>
\n\uc774\uac83\uc740 \ub514\ud3f4\ud2b8 \ud14c\uc774\ube14(\ub9cc\uc77c -t \uc635\uc158\uc774 \uc8fc\uc5b4\uc9c0\uc9c0 \uc54a\uc73c\uba74 \uc0ac\uc6a9\ub41c\ub2e4)\uc774\ub2e4.\n\uc774\uac83\uc740 \ub2e4\uc74c\uacfc \uac19\uc740 \ub0b4\uc7a5 \uccb4\uc778\ub4e4\uc744 \uac16\uace0 \uc788\ub2e4.\nINPUT<\/b>\n\n(\ub9ac\ub205\uc2a4 \ubc15\uc2a4 \uc790\uc2e0\uc5d0\uac8c \ub4e4\uc5b4\uc628 \ud328\ud0b7\ub4e4\uc744 \uc704\ud55c \uac83),\nFORWARD<\/b>\n\n(\ub9ac\ub205\uc2a4 \ubc15\uc2a4\ub97c \ud1b5\uacfc\ud574\uc11c \ub77c\uc6b0\ud305\ub420 \ud328\ud0b7\ub4e4\uc744 \uc704\ud55c \uac83), \uadf8\ub9ac\uace0\nOUTPUT<\/b>\n\n(\ub9ac\ub205\uc2a4 \ubc15\uc2a4 \ub0b4\ubd80\uc5d0\uc11c \uc0dd\uc131\ub41c \ud328\ud0b7\ub4e4\uc744 \uc704\ud55c \uac83).\n<\/dd>
nat<\/b>:\n\n<\/dt>
\n\uc774 \ud14c\uc774\ube14\uc740 \uc0c8\ub85c\uc6b4 \ucee4\ub125\uc158\uc744 \ub9cc\ub4dc\ub294 \ud328\ud0b7\uc774 \ub3c4\ub2ec\ud560 \ub54c \uc0ac\uc6a9\ub41c\ub2e4.\n\uc774\uac83\uc740 \ub2e4\uc74c\uacfc \uac19\uc740 3\uac1c\uc758 \ub0b4\uc7a5\ub4e4\ub85c \uad6c\uc131\ub41c\ub2e4:\nPREROUTING<\/b>\n\n(\ud328\ud0b7\ub4e4\uc774 \ub4e4\uc5b4\uc624\uc790\ub9c8\uc790 \ubc14\uafb8\uae30 \uc704\ud55c),\nOUTPUT<\/b>\n\n(\ub77c\uc6b0\ud305\ud558\uae30 \uc804\uc5d0 \ub0b4\ubd80\uc5d0\uc11c \uc0dd\uc131\ub41c \ud328\ud0b7\ub4e4\uc744 \ubc14\uafb8\uae30 \uc704\ud55c), \uadf8\ub9ac\uace0\nPOSTROUTING<\/b>\n\n(\ud328\ud0b7\ub4e4\uc774 \ub098\uac00\uae30 \uc9c1\uc804\uc5d0 \ubc14\uafb8\uae30 \uc704\ud55c).\n<\/dd>
mangle<\/b>:\n\n<\/dt>
\n\uc774 \ud14c\uc774\ube14\uc740 \ud2b9\ubcc4\ud55c \ud328\ud0b7 \ubcc0\uacbd\uc744 \uc704\ud574\uc11c \uc0ac\uc6a9\ub41c\ub2e4. \ucee4\ub110 2.4.17\uae4c\uc9c0\n\uc774\uac83\uc740 \ub2e4\uc74c 2\uac1c\uc758 \ub0b4\uc7a5 \uccb4\uc778\ub4e4\uc744 \uac00\uc9c0\uace0 \uc788\uc5c8\ub2e4:\nThis table is used for specialized packet alteration. Until kernel\nPREROUTING<\/b>\n\n(\ub77c\uc6b0\ud305 \ud558\uae30 \uc804 \ub4e4\uc5b4\uc624\ub294 \ud328\ud0b7\ub4e4\uc744 \ubc14\uafb8\uae30 \uc704\ud55c) \uadf8\ub9ac\uace0\nOUTPUT<\/b>\n\n(\ub77c\uc6b0\ud305 \ud558\uae30 \uc804 \ub0b4\ubd80\uc801\uc73c\ub85c \uc0dd\uc131\ub41c \ud328\ud0b7\ub4e4\uc744 \ubc14\uafb8\uae30 \uc704\ud55c).\n\ucee4\ub110 2.4.18 \ubd80\ud130\ub294 \ub2e4\uc74c \uc138\uac1c\uc758 \ub2e4\ub978 \ub0b4\uc7a5 \uccb4\uc778\ub4e4\ub3c4 \uc9c0\uc6d0\ub418\uc5c8\ub2e4:\nINPUT<\/b>\n\n(\ubc15\uc2a4 \ub0b4\ubd80\ub85c \uc2a4\uc2a4\ub85c \ub4e4\uc5b4\uc624\ub294 \ud328\ud0b7\ub4e4\uc744 \uc704\ud55c),\nFORWARD<\/b>\n\n(\ubc15\uc2a4\ub97c \ud1b5\ud574 \ub77c\uc6b0\ud305 \ub418\uace0 \uc788\ub294 \ud328\ud0b7\ub4e4\uc744 \ubc14\uafb8\uae30 \uc704\ud55c),\uadf8\ub9ac\uace0\nPOSTROUTING<\/b>\n\n(\ub9c9 \ub098\uac00\ub824\uace0 \ud558\ub294 \ud328\ud0b7\ub4e4\uc744 \ubc14\uafb8\uae30 \uc704\ud55c).\n<\/dd><\/dl>\n<\/dd><\/dl>\n\n<\/dd><\/dl>\n <\/a>\n

OPTIONS<\/h2>\n\niptables<\/b>\n\n\uc5d0 \uc758\ud574 \uc778\uc2dd\ub418\ub294 \uc774 \uc635\uc158\ub4e4\uc740 \uba87\uac1c\uc758 \ub2e4\ub978 \uadf8\ub8f9\ub4e4\ub85c \ub098\ub258\uc5b4 \uc9c8 \uc218 \uc788\ub2e4.\n <\/a>\n

COMMANDS<\/h3>\n\n\uc544\ub798\uc758 \uc635\uc158\ub4e4\uc740 \uc2e4\ud589\ud574\uc57c \ud560 \ud2b9\uc815\ud55c \ud65c\ub3d9\uc744 \uc9c0\uc815\ud55c\ub2e4. \uc544\ub798\uc5d0 \ubcc4\ub3c4\ub85c \uc9c0\uc815\ub418\uc5b4 \uc788\uc9c0 \uc54a\ub294 \ud55c, \uc774\ub4e4 \uc911 \ub2e8 \ud558\ub098\ub9cc\uc774 \uc2e4\ud589\ub77c\uc778\uc5d0\uc11c \uc9c0\uc815\ub420 \uc218 \uc788\ub2e4. \ubaa8\ub4e0 \uba85\ub839\uc774\ub098 \uc635\uc158\uc774\ub984\ub4e4\uc758 \uae34 \ubc84\uc83c\ub4e4\uc5d0 \ub300\ud574, \ub2f9\uc2e0\uc740 \uc624\uc9c1\niptables<\/b>\n\n\uac00 \ub2e4\ub978 \ubaa8\ub4e0 \uc635\uc158\ub4e4\ub85c\ubd80\ud130 \ucc28\ubcc4\ud654\ub420 \uc218 \uc788\ub2e4\ub294 \uac83\uc744 \ud655\uc2e4\ud788 \ud558\uae30\uc5d0 \ucda9\ubd84\ud55c \ubb38\uc790\ub4e4 \ub9cc\uc744 \uc0ac\uc6a9\ud574\uc57c \ud560 \uac83\uc774\ub2e4.\n(\ud55c\ub9c8\ub514\ub85c, \ub2e4\ub978 \uc635\uc158\uacfc \ucc28\ubcc4\ub420 \uc218 \uc788\ub294 \ubb38\uc790\ub9cc\uc73c\ub85c iptable \uba85\ub839\uc5b4\ub294 \ud574\ub2f9\uc635\uc158 \uc778\uc2dd\uc774 \uac00\ub2a5\ud558\ub2e4\ub294 \uac83\uc774\ub2e4.)\n
-A, --append <\/b>chain rule-specification<\/i>\n\n<\/dt>
\n\uc120\ud0dd\ub41c \uccb4\uc778\uc758 \ub9c8\uc9c0\ub9c9\uc5d0 \ud558\ub098 \uc774\uc0c1\uc758 \uaddc\uce59\ub4e4\uc744 \ucd94\uac00\ud55c\ub2e4. \ucd9c\ubc1c\uc9c0 \uc640\/\ub610\ub294 \ubaa9\uc801\uc9c0 \uc774\ub984\ub4e4\uc744 \ud558\ub098 \uc774\uc0c1\uc758 \uc8fc\uc18c\ub85c \ubd84\ud574\ud560 \ub54c, \uac01\uac01\uc758 \uac00\ub2a5\ud55c \uc8fc\uc18c \uc870\ud569\uc5d0 \ud558\ub098\uc758 \uaddc\uce59\uc774 \ucd94\uac00\ub420 \uac83\uc774\ub2e4.\n<\/dd>
-D, --delete <\/b>chain rule-specification<\/i>\n\n<\/dt>
\n\n
<\/dd>
-D, --delete <\/b>chain rulenum<\/i>\n\n<\/dt>
\n\uc120\ud0dd\ub41c \uccb4\uc778\uc758 \ud558\ub098 \uc774\uc0c1\uc758 \uaddc\uce59\ub4e4\uc744 \uc0ad\uc81c\ud55c\ub2e4. \uc774 \uba85\ub839\uc5d0\ub294 \ub450\uac00\uc9c0 \uc885\ub958\uc758 \ubc84\uc83c\uc774 \uc788\ub2e4: \uaddc\uce59\uc740 \uccb4\uc778 \ub0b4\uc758 \uc22b\uc790\ub85c(\uccab\ubc88\uc9f8 \uaddc\uce59\uc774 1\ubd80\ud130 \uc2dc\uc791\ub41c\ub2e4) \ub610\ub294 \ub9e4\uce58\ub418\ub294 \uaddc\uce59\uc73c\ub85c \uc9c0\uc815\ub420 \uc218 \uc788\ub2e4.\n<\/dd>
-I, --insert <\/b>chain<\/i> [rulenum<\/i>] rule-specification<\/i>\n\n<\/dt>
\n\uc120\ud0dd\ub41c \uccb4\uc778 \ub0b4\uc5d0 \uc8fc\uc5b4\uc9c4 Rule Number \uc758 \ud615\ud0dc\ub85c \ud558\ub098 \uc774\uc0c1\uc758 \uaddc\uce59\uc744 \uc0bd\uc785\ud55c\ub2e4. \uadf8\ub7ec\ubbc0\ub85c Rule Number \uac00 \n1\uc774\uba74, \ud558\ub098\uc758 \uaddc\uce59 \ub610\ub294 \uc5ec\ub7ec\uac1c\uc758 \uaddc\uce59\uc774 \uccb4\uc778\uc758 \uc55e\uba38\ub9ac\uc5d0 \uc0bd\uc785\ub41c\ub2e4. \uc774\uac83 \ub610\ud55c Rule Number \uac00 \uc9c0\uc815\ub418\uc9c0 \uc54a\ub294 \uacbd\uc6b0 \nDefault\uac12\uc774 \ub41c\ub2e4.\n<\/dd>
-R, --replace <\/b>chain rulenum rule-specification<\/i>\n\n<\/dt>
\n\uc120\ud0dd\ub41c \uccb4\uc778 \ub0b4\uc758 \uaddc\uce59\uc744 \uad50\uccb4\ud55c\ub2e4. \ucd9c\ubc1c\uc9c0 \uc640\/\ub610\ub294 \ub3c4\ucc29\uc9c0 \uc774\ub984\ub4e4\uc774 \uc5ec\ub7ec\uac1c\uc758 \uc8fc\uc18c\ub4e4\ub85c \ubd84\ud574\ub418\uba74, \uba85\ub839\uc774 \uc2e4\ud328\ub41c\ub2e4. \uaddc\uce59\ub4e4\uc740 Rule Number 1\ubd80\ud130 \uc9c0\uc815\ub41c\ub2e4.\n<\/dd>
-L, --list <\/b>[chain<\/i>]\n\n<\/dt>
\n\uc120\ud0dd\ub41c \uccb4\uc778\uc758 \ubaa8\ub4e0 \uaddc\uce59\ub4e4\uc744 \ub098\uc5f4\ud55c\ub2e4. \ub9cc\uc77c \uc5b4\ub5a4 \uccb4\uc778\ub3c4 \uc120\ud0dd\ub418\uc9c0 \uc54a\uc73c\uba74, \ubaa8\ub4e0 \uccb4\uc778\uc758 \uaddc\uce59\uc774 \ub098\uc5f4\ub41c\ub2e4. \ubaa8\ub4e0 \ub2e4\ub978 \niptables \uba85\ub839\ub4e4\uacfc \uac19\uc774, \uc774\ub294 \uc9c0\uc815\ub41c \ud14c\uc774\ube14(\ud544\ud130\ub294 Default)\uc744 \uc801\uc6a9\ud55c\ub2e4. \uadf8\ub7ec\ubbc0\ub85c NAT \uaddc\uce59\ub4e4\uc744 \ubc1b\uc544\ubcf4\uae30 \uc704\ud574\uc11c\ub294\n \n
 iptables -t nat -n -L\n<\/pre>\n\n\uae34 \uc5ed\ud589 DNS \uac80\uc0c9\uc744 \ud53c\ud558\ub294 \ub300\uc2e0\uc5d0\n-n<\/b>\n\n\uc635\uc158\uc774 \uc790\uc8fc \uc0ac\uc6a9\ub418\ub294 \uac83\uc5d0 \ub300\ud574 \uc720\uc758\ud558\ub77c.\n-Z<\/b>\n\n(zero) \uc635\uc158\uc744 \uc9c0\uc815\ud558\ub294 \uac83\uacfc \ub9c8\ucc2c\uac00\uc9c0\ub85c \uc815\uc11d\uc801\uc774\ub2e4. \uc774\ub7ec\ud55c \uacbd\uc6b0 \uccb4\uc778\ub4e4\uc740 \uc6d0\uc790\uc801\uc73c\ub85c \ub098\uc5f4\ub418\uace0 \uc6d0\uc810\uc73c\ub85c \ub9de\ucd94\uc5b4\uc9c8 \uac83\uc774\ub2e4. \uc815\ud655\ud55c \uacb0\uacfc\ub294 \ub2e4\ub978 \uc8fc\uc5b4\uc9c4 \ubcc0\uc218\ub4e4\uc5d0 \uc758\ud574 \uc601\ud5a5\uc744 \ubc1b\ub294\ub2e4. \uc815\ud655\ud55c \uaddc\uce59\ub4e4\uc740 \ub2f9\uc2e0\uc774\n
 iptables -L -v\n<\/pre>\n\n\ub97c \uc0ac\uc6a9\ud558\uae30 \uc804\uae4c\uc9c0 \ub9c9\ud600\uc788\uac8c \ub41c\ub2e4.\n<\/dd>
-F, --flush <\/b>[chain<\/i>]\n\n<\/dt>
\n\uc120\ud0dd\ub41c \uccb4\uc778\uc744 \uc3df\uc544 \ud758\ub7ec\ub0b4\ub9ac\uac8c \ud55c\ub2e4. (\uc544\ubb34\uac83\ub3c4 \uc8fc\uc5b4\uc9c0\uc9c0 \uc54a\uc740 \uacbd\uc6b0\uc5d4 \ud14c\uc774\ube14 \ub0b4\uc758 \ubaa8\ub4e0 \uccb4\uc778\uc774 \uc120\ud0dd\ub41c\ub2e4). \uc774\uac83\uc740 \ubaa8\ub4e0 \uaddc\uce59\ub4e4\uc744 \ud558\ub098\ud558\ub098 \uc9c0\uc6cc\ub098\uac00\ub294 \uac83\uacfc \ub3d9\ub4f1\ud558\ub2e4.\n<\/dd>
-Z, --zero <\/b>[chain<\/i>]\n\n<\/dt>
\n\ubaa8\ub4e0 \uccb4\uc778\ub4e4 \ub0b4\uc758 \ud328\ud0b7\uacfc \ubc14\uc774\ud2b8 \uce74\uc6b4\ud130\ub4e4\uc744 \uc6d0\uc810\ud654\ud55c\ub2e4. \uc774\uac83\uc740 \uce74\uc6b4\ud130\ub4e4\uc774 \uc9c0\uc6cc\uc9c0\uae30 \uc804\uc5d0 \uc989\uc2dc \ubcfc \uc218 \uc788\uac8c(\uc55e\uc744 \ucc38\uace0) \ud558\uae30 \uc704\ud574\uc11c\n-L, --list<\/b>\n\n(list) \uc635\uc158\uc744 \uc9c0\uc815\ud558\ub294 \uac83\uacfc \ub9c8\ucc2c\uac00\uc9c0\ub85c \uc815\uc11d\uc801\uc774\ub2e4. \n<\/dd>
-N, --new-chain <\/b>chain<\/i>\n\n<\/dt>
\n\uc0c8\ub85c\uc6b4 \uc0ac\uc6a9\uc790 \uc815\uc758 \uccb4\uc778\uc744 \uc8fc\uc5b4\uc9c4 \uc774\ub984\uc73c\ub85c \uc0dd\uc131\ud55c\ub2e4. \uadf8 \uc774\ub984\uc5d0 \ub300\ud574 \uc5b4\ub5a0\ud55c \ud0c0\uac9f\ub3c4 \ubbf8\ub9ac \uc874\uc7ac\ud574\uc11c\ub294 \uc548\ub41c\ub2e4.\n<\/dd>
-X, --delete-chain <\/b>[chain<\/i>]\n\n<\/dt>
\n\uc9c0\uc815\ub41c \uc784\uc758\uc758 \uc0ac\uc6a9\uc790 \uc815\uc758 \uccb4\uc778\uc744 \uc9c0\uc6b4\ub2e4. \uc5ec\uae30\uc5d0\ub294 \uc5b4\ub5a0\ud55c \ucc38\uc870\ub3c4 \uc788\uc73c\uba74 \uc548\ub41c\ub2e4. \ub9cc\uc77c \uadf8\ub807\uc9c0 \uc54a\ub2e4\uba74, \ud574\ub2f9 \uccb4\uc778\uc774 \uc9c0\uc6cc\uc9c0\uae30 \uc804\uc5d0\n \ucc38\uc870\ub41c \uaddc\uce59\uc744 \uba3c\uc800 \uc9c0\uc6cc\uc57c\ub9cc \ud55c\ub2e4. \ub9cc\uc57d \uc544\ubb34\ub7f0 \uc778\uc790\ub3c4 \uc8fc\uc5b4\uc9c0\uc9c0 \uc54a\ub294\ub2e4\uba74, \uadf8\uac83\uc740 \uc784\uc758\ub85c \ud14c\uc774\ube14 \ub0b4\uc758 \ucd08\uae30 \uc815\uc758\ub41c \uac83\uc774 \uc544\ub2cc \n\ubaa8\ub4e0 \uccb4\uc778\ub4e4\uc744 \uc9c0\uc6b8 \uac83\uc774\ub2e4.\n<\/dd>
-P, --policy <\/b>chain target<\/i>\n\n<\/dt>
\n\ud574\ub2f9 \uccb4\uc778\uc5d0 \ub300\ud574 \uc8fc\uc5b4\uc9c4 \ud0c0\uac9f\uc73c\ub85c\uc758 \uc815\ucc45\uc744 \ub9de\ucd98\ub2e4. \ud569\ub2f9\ud55c \ud14c\uac9f\uc5d0 \ub300\ud574\uc11c\ub294 \uc139\uc158\nTARGETS<\/b>\n\n\uc744 \ubcf8\ub2e4. \uc624\uc9c1 \ucd08\uae30 \uc815\uc758 \uccb4\uc778\ub4e4 (\ub9e8 \ucc98\uc74c\ubd80\ud130 \uc815\uc758\ub418\uc5b4\uc788\ub358 : \uc0ac\uc6a9\uc790 \uc815\uc758\uac00 \uc544\ub2cc) \ub9cc\uc774 \uc815\ucc45\ub4e4\uc744 \uac00\uc9c8 \uc218 \uc788\uace0, \ucd08\uae30 \uc815\uc758 \uccb4\uc778\ub4e4\uacfc \uc0ac\uc6a9\uc790 \uc815\uc758 \uccb4\uc778\ub4e4 \ubaa8\ub450 \uc815\ucc45 \ud0c0\uac9f\uc73c\ub85c\ub294 \ub420 \uc218 \uc5c6\ub2e4.\n<\/dd>
-E, --rename-chain <\/b>old-chain new-chain<\/i>\n\n<\/dt>
\n\uc0ac\uc6a9\uc790 \uc815\uc758\uc758 \uccb4\uc778\uc744 \uc0c8\ub85c \uc8fc\ub294 \uc774\ub984\uc73c\ub85c \ubc14\uafbc\ub2e4. \uc774\uac83\uc740 \ud45c\uba74\uc801\uc774\uba70, \ud14c\uc774\ube14\uc758 \uad6c\uc870\uc5d0\ub294 \uc804\ud600 \uc601\ud5a5\uc744 \ub07c\uce58\uc9c0 \uc54a\ub294\ub2e4.\n<\/dd>
-h<\/b>\n\n<\/dt>
\n\ub3c4\uc6c0\ub9d0.\n\uba85\ub839 \ubb38\ubc95\uc5d0 \ub300\ud55c (\uc77c\ubc18\uc801\uc73c\ub85c \uac00\uc7a5 \uac04\ub2e8\ud55c) \uc124\uba85\uc744 \uc900\ub2e4. \n<\/dd><\/dl>\n <\/a>\n
PARAMETERS<\/h3>\n\n\uc544\ub798\uc758 \ud30c\ub77c\ubbf8\ud130\ub4e4\uc740 \uaddc\uce59 \uc124\uba85\uc11c\ub97c \uad6c\uc131\ud55c\ub2e4. (add, delete, insert, replace, append \uba85\ub839\ub4e4\uc5d0\uc11c \uc0ac\uc6a9\ub418\uc5c8\ub358 \uac83\ucc98\ub7fc)\n
-p, --protocol <\/b>[!] protocol<\/i>\n\n<\/dt>
\n\uccb4\ud06c\ud560 \ub8f0\uc774\ub098 \ud328\ud0b7\uc758 \ud504\ub85c\ud1a0\ucf5c\uc774\ub2e4. \n\ud504\ub85c\ud1a0\ucf5c\uc740 \ntcp<\/i>,\n\nudp<\/i>,\n\nicmp<\/i>,\n\n\ub610\ub294\nor\nall<\/i>,\n\n\ub610\ub294 \uc774\ub4e4 \ud504\ub85c\ud1a0\ucf5c\uc744 \ub098\ud0c0\ub0b4\ub294 \uc22b\uc790\ub85c \ud504\ub85c\ud1a0\ucf5c\uc744 \uc9c0\uc815\ud560 \uc218 \uc788\ub2e4. \/etc\/protocols\uc758 \ud504\ub85c\ud1a0\ucf5c \uc774\ub984\ub3c4 \uac00\ub2a5\ud558\ub2e4. \ud504\ub85c\ud1a0\ucf5c \uc55e\uc758 \"!\" \ub294 \ud574\ub2f9 \ud504\ub85c\ud1a0\ucf5c\uc744 \uc81c\uc678\ud55c \ub098\uba38\uc9c0\ub97c \uac00\ub9ac\ud0a8\ub2e4. \uc22b\uc790 \uc601(0)\uc740\nall<\/i>.\n\n\uacfc \uac19\ub2e4. \n\ud504\ub85c\ud1a0\ucf5c\nall<\/i>\n\n\uc740 \ubaa8\ub4e0 \ud504\ub85c\ud1a0\ucf5c\uc744 \ub098\ud0c0\ub0b4\uba70 -p \uc635\uc158\uc774 \uc0dd\ub7b5\ub418\uc5c8\uc744 \ub54c \uae30\ubcf8\uc73c\ub85c \uc0ac\uc6a9\ub41c\ub2e4. \n<\/dd>
-s, --source <\/b>[!] address<\/i>[\/mask<\/i>]\n\n<\/dt>
\n\uc18c\uc2a4 \uc124\uc815. \nAddress<\/i>\n\n\ub294 \ub124\ud2b8\uc6cc\ud06c \uc774\ub984, \ud638\uc2a4\ud2b8 \uc774\ub984(DNS\uc640 \uac19\uc740 \uc6d0\uaca9 \ucffc\ub9ac\ub85c \uc815\ud574\uc9c4 \uc774\ub984\uc744 \uc9c0\uc815\ud558\ub294 \ud558\ub294 \uac83\uc740 \uc88b\uc9c0 \uc54a\ub2e4), \ub124\ud2b8\uc6cc\ud06c IP \uc8fc\uc18c(\/\ub9c8\uc2a4\ud06c \uc635\uc158 \uac00\ub2a5), \ub610\ub294 \uc77c\ubc18 IP \uc8fc\uc18c\ub97c \uc124\uc815\ud560 \uc218 \uc788\ub2e4. \n\ub9c8\uc2a4\ud06c\ub294<\/i>\n\n\ub124\ud2b8\ucffc\ud06c \ub9c8\uc2a4\ud06c\ub098 \ub124\ud2b8\uc6cc\ud06c \ub9c8\uc2a4\ud06c\uc758 \uc67c\ucabd \ub05d\ubd80\ud130 1\ub85c \ub9c8\uc2a4\ud06c\ud55c 10\uc9c4\uc218 \uac12\uc77c \uc218 \uc788\ub2e4. \n\uc989 \ub9c8\uc2a4\ud06c\n24<\/i>\n\n\ub294\n255.255.255.0<\/i>.\n\n\uc640 \uac19\ub2e4. \n\uc8fc\uc18c \uc55e\uc758 \"!\" \ub294 \ud574\ub2f9 \uc8fc\uc18c\ub97c \uc81c\uc678\ud55c \ub2e4\ub978 \uc8fc\uc18c\ub97c \ub098\ud0c0\ub0b8\ub2e4. \ud50c\ub798\uadf8\n--src<\/b>\n\n\uc740 \uc774 \uc635\uc158\uc758 \ubcc4\uce6d\uc774\ub2e4. \n<\/dd>
-d, --destination <\/b>[!] address<\/i>[\/mask<\/i>]\n\n<\/dt>
\n\ubaa9\uc801\uc9c0 \uc124\uc815\n\uc774 \uc124\uc815\uc758 \uc790\uc138\ud55c \uc0ac\ud56d\uc740 \n-s<\/b>\n\n(source) \uc744 \ucc38\uc870\ud55c\ub2e4. \uc774 \uc635\uc158\uc740\n--dst<\/b>\n\n\uc744 \ubcc4\uce6d\uc73c\ub85c \uc0ac\uc6a9\ud55c\ub2e4. \n<\/dd>
-j, --jump <\/b>target<\/i>\n\n<\/dt>
\n\uc774 \uc635\uc158\uc740 \ub8f0\uc758 \ub300\uc0c1(target)\uc744 \uc9c0\uc815\ud55c\ub2e4. \ud328\ud0b7\uc774 \ub8f0\uacfc \uc77c\uce58\ud560 \uacbd\uc6b0\uc758 \ud589\ub3d9\uc744 \uc815\ud560 \uc218 \uc788\ub2e4. \ub300\uc0c1\uc740 \uc0ac\uc6a9\uc790 \uc815\uc758 \uccb4\uc778(\uc774 \ub8f0\uc774 \uc815\uc758\ub41c \ud14c\uc774\ube14\uc758)\uc774\uac70\ub098 \ubc14\ub85c \ud328\ud0b7\uc758 \uc6b4\uba85\uc744 \uacb0\uc815\uc9c0\uc744 \ub0b4\uc7a5 \uccb4\uc778 \ub610\ub294 extension (\uc544\ub798\uc758 \nEXTENSIONS<\/b>\n\n\ucc38\uc870). \ub8f0\uc5d0\uc11c \uc774 \uc635\uc158\uc774 \uc0dd\ub7b5\ub418\uba74 \uc774 \ub8f0\uc740 \ud328\ud0b7\uc5d0\ub294 \uc544\ubb34\ub7f0 \uc5ed\ud560\ub3c4 \ud558\uc9c0 \uc54a\uc9c0\ub9cc \ub8f0\uc758 \uc22b\uc790\ub294 \ub298\uc5b4\ub09c\ub2e4. \n<\/dd>
-i, --in-interface <\/b>[!] \uc774\ub984<\/i>\n\n<\/dt>
\n\ud328\ud0b7\uc744 \ubc1b\uc744 \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984\uc774\ub2e4. (\ub2e8, \ud328\ud0b7\uc774\nINPUT<\/b>,\n\nFORWARD<\/b>\n\nPREROUTING<\/b>\n\n\uccb4\uc778 \uc911\uc758 \ud558\ub098\uc5d0 \ub4e4\uc5b4\uc788\uc5b4\uc57c \ud55c\ub2e4). \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984 \uc55e\uc5d0 \"!\" \uc774 \uc788\uc73c\uba74 \uadf8 \uacb0\uacfc\ub97c \ub4a4\uc9d1\ub294\ub2e4. \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984\uc774 \"+\"\ub85c \n\ub05d\ub098\uba74 \uadf8\uac83\uc73c\ub85c \uc2dc\uc791\ud558\ub294 \ubaa8\ub4e0 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ub098\ud0c0\ub0b8\ub2e4. \uc635\uc158\uc744 \uc0dd\ub7b5\ud560 \uacbd\uc6b0 \ubaa8\ub4e0 \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984\uc774 \ub9e4\uce6d\ub41c\ub2e4. \n<\/dd>
-o, --out-interface <\/b>[!] \uc774\ub984<\/i>\n\n<\/dt>
\n\ud328\ud0b7\uc774 \ubcf4\ub0b4\uc9c8 \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984\uc744 \uc9c0\uc815\ud55c\ub2e4.  (\nFORWARD<\/b>,\n\nOUTPUT<\/b>\n\nPOSTROUTING<\/b>\n\n\uccb4\uc778\uc5d0 \ub4e4\uc5b4\uc628 \ud328\ud0b7\uc5d0 \ub300\ud574\uc11c\ub9cc). \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984 \uc55e\uc5d0 \"!\" \uc774 \uc788\uc73c\uba74 \uadf8 \uacb0\uacfc\ub97c \ub4a4\uc9d1\ub294\ub2e4. \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984\uc774 \"+\"\ub85c \ub05d\ub098\uba74 \uadf8\uac83\uc73c\ub85c \uc2dc\uc791\ud558\ub294 \ubaa8\ub4e0 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ub098\ud0c0\ub0b8\ub2e4. \uc635\uc158\uc744 \uc0dd\ub7b5\ud560 \uacbd\uc6b0 \ubaa8\ub4e0 \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984\uc774 \ub9e4\uce6d\ub41c\ub2e4. \n<\/dd>
[!]  -f, --fragment<\/b>\n\n<\/dt>
\n\uc774 \uc635\uc158\uc740 \ucabc\uac1c\uc9c4 \ud328\ud0b7\uc5d0\uc11c \ud5e4\ub4dc \ud328\ud0b7\uc744 \uc81c\uc678\ud55c \ub098\uba38\uc9c0 \ud328\ud0b7\uc5d0\ub9cc \ub8f0\uc744 \uc801\uc6a9\ud55c\ub2e4. \ucd9c\ubc1c\uc9c0\uc640 \ubaa9\uc801\uc9c0\ub97c \uad6c\ubd84\ud560 \uc218 \uc5c6\ub294 \ud328\ud0b7(\ub610\ub294 \nICMP \ud0c0\uc785)\uc740 \uac78\ub7ec\ub0bc \uc218 \uc788\ub294 \ub8f0\uc774 \uc874\uc7ac\ud558\uc9c0 \uc54a\ub294\ub2e4. -f \ud50c\ub798\uadf8 \uc55e\uc5d0 \"!\" \uc774 \ubd99\uc73c\uba74 \ud5e4\ub4dc \ud328\ud0b7\uc774\ub098 \ucabc\uac1c\uc9c0\uc9c0 \uc54a\uc740 \ud328\ud0b7\uc5d0\ub9cc\n \uc801\uc6a9\ub41c\ub2e4. \n<\/dd>
-c, --set-counters <\/b>PKTS BYTES<\/i>\n\n<\/dt>
\n\uc774 \uc635\uc158\uc73c\ub85c \ud328\ud0b7\uc774\ub098 \ub8f0\uc758 \ubc14\uc774\ud2b8 \uce74\uc6b4\ud130\ub97c \ubcfc \uc218 \uc788\ub2e4. (\nINSERT,<\/b>\n\nAPPEND,<\/b>\n\nREPLACE<\/b>\n\n\uc5f0\uc0b0 \uc911\uc5d0).\n<\/dd><\/dl>\n <\/a>\n
OTHER \uc635\uc158S<\/h3>\n\nThe following additional \uc635\uc158s can be specified:\n
-v, --verbose<\/b>\n\n<\/dt>
\nVerbose output.  This \uc635\uc158 makes the list \uba85\ub839 show the interface\n\uc774\ub984, the rule \uc635\uc158s (if any), and the TOS masks.  The packet and\nbyte counters are also listed, with the suffix 'K', 'M' or 'G' for\n1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see\nthe\n-x<\/b>\n\nflag to change this).\nFor appending, insertion, deletion and replacement, this causes\ndetailed information on the rule or rules to be printed.\n<\/dd>
-n, --numeric<\/b>\n\n<\/dt>
\nNumeric output.\nIP addresses and port numbers will be printed in numeric format.\nBy default, the program will try to display them as host \uc774\ub984s,\nnetwork \uc774\ub984s, or services (whenever applicable).\n<\/dd>
-x, --exact<\/b>\n\n<\/dt>
\nExpand numbers.\nDisplay the exact value of the packet and byte counters,\ninstead of only the rounded number in K's (multiples of 1000)\nM's (multiples of 1000K) or G's (multiples of 1000M).  This \uc635\uc158 is\nonly relevant for the\n-L<\/b>\n\n\uba85\ub839.\n<\/dd>
--line-numbers<\/b>\n\n<\/dt>
\nWhen listing rules, add line numbers to the beginning of each rule,\ncorresponding to that rule's position in the chain.\n<\/dd>
--modprobe=\uba85\ub839<\/b>\n\n<\/dt>
\nWhen adding or inserting rules into a chain, use\n\uba85\ub839<\/b>\n\nto load any necessary modules (targets, match \ud655\uc7a5s, etc).\n<\/dd><\/dl>\n <\/a>\n
MATCH \ud655\uc7a5S<\/h2>\n\niptables can use extended packet matching modules.  These are loaded\nin two ways: implicitly, when\n-p<\/b>\n\nor\n--protocol<\/b>\n\nis specified, or with the\n-m<\/b>\n\nor\n--match<\/b>\n\n\uc635\uc158s, followed by the matching module \uc774\ub984; after these, various\nextra \uba85\ub839 line \uc635\uc158s become available, depending on the specific\nmodule.  You can specify multiple extended match modules in one line,\nand you can use the\n-h<\/b>\n\nor\n--help<\/b>\n\n\uc635\uc158s after the module has been specified to receive help specific\nto that module.\n
\nThe following are included in the base package, and most of these can\nbe preceded by a\n!<\/b>\n\nto invert the sense of the match.\n <\/a>\n<\/p>
ah<\/h3>\n\nThis module matches the SPIs in AH header of IPSec packets.\n
--ahspi <\/b>[!] spi<\/i>[:spi<\/i>]\n\n<\/dt>
\n
<\/dd><\/dl>\n <\/a>\n
conntrack<\/h3>\n\nThis module, when combined with connection tracking, allows access to\nmore connection tracking information than the \"state\" match.\n(this module is present only if iptables was compiled under a kernel\nsupporting this feature)\n
--ctstate <\/b>state<\/i>\n\n<\/dt>
\nWhere state is a comma separated list of the connection states to\nmatch.  Possible states are\nINVALID<\/b>\n\nmeaning that the packet is associated with no known connection,\nESTABLISHED<\/b>\n\nmeaning that the packet is associated with a connection which has seen\npackets in both directions,\nNEW<\/b>\n\nmeaning that the packet has started a new connection, or otherwise\nassociated with a connection which has not seen packets in both\ndirections, and\nRELATED<\/b>\n\nmeaning that the packet is starting a new connection, but is\nassociated with an existing connection, such as an FTP data transfer,\nor an ICMP \uc5d0\ub7ec.\nSNAT<\/b>\n\nA virtual state, matching if the original source address differs from\nthe reply destination.\nDNAT<\/b>\n\nA virtual state, matching if the original destination differs from the\nreply source.\n<\/dd>
--ctproto <\/b>proto<\/i>\n\n<\/dt>
\nProtocol to match (by number or \uc774\ub984)\n<\/dd>
--ctorigsrc <\/b>[!] address<\/i>[\/mask<\/i>]\n\n<\/dt>
\nMatch against original source address\n<\/dd>
--ctorigdst <\/b>[!] address<\/i>[\/mask<\/i>]\n\n<\/dt>
\nMatch against original destination address\n<\/dd>
--ctreplsrc <\/b>[!] address<\/i>[\/mask<\/i>]\n\n<\/dt>
\nMatch against reply source address\n<\/dd>
--ctrepldst <\/b>[!] address<\/i>[\/<\/b>mask<\/i>]\n\n<\/dt>
\nMatch against reply destination address\n<\/dd>
--ctstatus <\/b>[NONE|EXPECTED|SEEN_REPLY|ASSURED<\/i>][,...]\n\n<\/dt>
\nMatch against internal conntrack states\n<\/dd>
--ctexpire <\/b>time<\/i>[:time<\/i>]\n\n<\/dt>
\nMatch remaining lifetime in seconds against given value\nor range of values (inclusive)\n<\/dd><\/dl>\n <\/a>\n
dscp<\/h3>\n\nThis module matches the 6 bit DSCP field within the TOS field in the\nIP header.  DSCP has superseded TOS within the IETF.\n
--dscp <\/b>value<\/i>\n\n<\/dt>
\nMatch against a numeric (decimal or hex) value [0-32].\n<\/dd>
--dscp-class <\/b>DiffServ Class<\/i>\n\n<\/dt>
\nMatch the DiffServ class. This value may be any of the\nBE, EF, AFxx or CSx classes.  It will then be converted\ninto it's according numeric value.\n<\/dd><\/dl>\n <\/a>\n
esp<\/h3>\n\nThis module matches the SPIs in ESP header of IPSec packets.\n
--espspi <\/b>[!] spi<\/i>[:spi<\/i>]\n\n<\/dt>
\n
<\/dd><\/dl>\n <\/a>\n
helper<\/h3>\n\nThis module matches packets related to a specific conntrack-helper.\n
--helper <\/b>string<\/i>\n\n<\/dt>
\nMatches packets related to the specified conntrack-helper.\n

<\/dt>
\n
\n\nstring can be \"ftp\" for packets related to a ftp-session on default port.\nFor other ports append -portnr to the value, ie. \"ftp-2121\".\n<\/p>
\n\nSame rules apply for other conntrack-helpers.\n<\/p><\/dd><\/dl>\n\n<\/dd><\/dl>\n <\/a>\n
icmp<\/h3>\n\nThis \ud655\uc7a5 is loaded if `--protocol icmp' is specified.  It\nprovides the following \uc635\uc158:\n
--icmp-type <\/b>[!] type\uc774\ub984<\/i>\n\n<\/dt>
\nThis allows specification of the ICMP type, which can be a numeric\nICMP type, or one of the ICMP type \uc774\ub984s shown by the \uba85\ub839\n
 iptables -p icmp -h\n<\/pre>\n\n<\/dd><\/dl>\n <\/a>\n
length<\/h3>\n\nThis module matches the length of a packet against a specific value\nor range of values.\n
--length <\/b>length<\/i>[:length<\/i>]\n\n<\/dt>
\n
<\/dd><\/dl>\n <\/a>\n
limit<\/h3>\n\nThis module matches at a limited rate using a token bucket filter.\nA rule using this \ud655\uc7a5 will match until this limit is reached\n(unless the `!' flag is used).  It can be used in combination with the\nLOG<\/b>\n\ntarget to give limited logging, for \uc608.\n
--limit <\/b>rate<\/i>\n\n<\/dt>
\nMaximum average matching rate: specified as a number, with an \uc635\uc158al\n`\/second', `\/minute', `\/hour', or `\/day' suffix; the default is\n3\/hour.\n<\/dd>
--limit-burst <\/b>number<\/i>\n\n<\/dt>
\nMaximum initial number of packets to match: this number gets\nrecharged by one every time the limit specified above is not reached,\nup to this number; the default is 5.\n<\/dd><\/dl>\n <\/a>\n
mac<\/h3>\n\n
--mac-source <\/b>[!] address<\/i>\n\n<\/dt>
\nMatch source MAC address.  It must be of the form XX:XX:XX:XX:XX:XX.\n\uc8fc\uc758 that this only makes sense for packets coming from an Ethernet device\nand entering the\nPREROUTING<\/b>,\n\nFORWARD<\/b>\n\nor\nINPUT<\/b>\n\nchains.\n<\/dd><\/dl>\n <\/a>\n
mark<\/h3>\n\nThis module matches the netfilter mark field associated with a packet\n(which can be set using the\nMARK<\/b>\n\ntarget below).\n
--mark <\/b>value<\/i>[\/mask<\/i>]\n\n<\/dt>
\nMatches packets with the given unsigned mark value (if a mask is\nspecified, this is logically ANDed with the mask before the\ncomparison).\n<\/dd><\/dl>\n <\/a>\n
multiport<\/h3>\n\nThis module matches a set of source or destination ports.  Up to 15\nports can be specified.  It can only be used in conjunction with\n-p tcp<\/b>\n\nor\n-p udp<\/b>.\n\n
--source-ports <\/b>port<\/i>[,port<\/i>[,port<\/i>...]]\n\n<\/dt>
\nMatch if the source port is one of the given ports.  The flag\n--sports<\/b>\n\nis a convenient alias for this \uc635\uc158.\n<\/dd>
--destination-ports <\/b>port<\/i>[,port<\/i>[,port<\/i>...]]\n\n<\/dt>
\nMatch if the destination port is one of the given ports.  The flag\n--dports<\/b>\n\nis a convenient alias for this \uc635\uc158.\n<\/dd>
--ports <\/b>port<\/i>[,port<\/i>[,port<\/i>...]]\n\n<\/dt>
\nMatch if the both the source and destination ports are equal to each\nother and to one of the given ports.\n<\/dd><\/dl>\n <\/a>\n
owner<\/h3>\n\nThis module attempts to match various characteristics of the packet\ncreator, for locally-generated packets.  It is only valid in the\nOUTPUT<\/b>\n\nchain, and even this some packets (such as ICMP ping responses) may\nhave no owner, and hence never match.\n
--uid-owner <\/b>userid<\/i>\n\n<\/dt>
\nMatches if the packet was created by a process with the given\neffective user id.\n<\/dd>
--gid-owner <\/b>groupid<\/i>\n\n<\/dt>
\nMatches if the packet was created by a process with the given\neffective group id.\n<\/dd>
--pid-owner <\/b>processid<\/i>\n\n<\/dt>
\nMatches if the packet was created by a process with the given\nprocess id.\n<\/dd>
--sid-owner <\/b>sessionid<\/i>\n\n<\/dt>
\nMatches if the packet was created by a process in the given session\ngroup.\n<\/dd>
--cmd-owner <\/b>\uc774\ub984<\/i>\n\n<\/dt>
\nMatches if the packet was created by a process with the given \uba85\ub839 \uc774\ub984.\n(this \uc635\uc158 is present only if iptables was compiled under a kernel\nsupporting this feature)\n<\/dd><\/dl>\n <\/a>\n
physdev<\/h3>\n\nThis module matches on the bridge port input and output devices enslaved\nto a bridge device. This module is a part of the infrastructure that enables\na transparent bridging IP firewall and is only useful for kernel \ubc84\uc83cs\nabove \ubc84\uc83c 2.5.44.\n
--physdev-in \uc774\ub984<\/b>\n\n<\/dt>
\n\uc774\ub984 of a bridge port via which a packet is received (only for\npackets entering the\nINPUT<\/b>,\n\nFORWARD<\/b>\n\nand\nPREROUTING<\/b>\n\nchains). If the interface \uc774\ub984 ends in a \"+\", then any\ninterface which begins with this \uc774\ub984 will match. If the packet didn't arrive\nthrough a bridge device, this packet won't match this \uc635\uc158, unless '!' is used.\n<\/dd>
--physdev-out \uc774\ub984<\/b>\n\n<\/dt>
\n\uc774\ub984 of a bridge port via which a packet is going to be sent (for packets\nentering the\nFORWARD<\/b>,\n\nOUTPUT<\/b>\n\nand\nPOSTROUTING<\/b>\n\nchains).  If the interface \uc774\ub984 ends in a \"+\", then any\ninterface which begins with this \uc774\ub984 will match. \uc8fc\uc758 that in the\nnat<\/b> and mangle<\/b>\n\nOUTPUT<\/b>\n\nchains one cannot match on the bridge output port, however one can in the\nfilter OUTPUT<\/b>\n\nchain. If the packet won't leave by a bridge device or it is yet unknown what\nthe output device will be, then the packet won't match this \uc635\uc158, unless\n\n<\/dd>
--physdev-is-in<\/b>\n\n<\/dt>
\nMatches if the packet has entered through a bridge interface.\n<\/dd>
--physdev-is-out<\/b>\n\n<\/dt>
\nMatches if the packet will leave through a bridge interface.\n<\/dd>
--physdev-is-bridged<\/b>\n\n<\/dt>
\nMatches if the packet is being bridged and therefore is not being routed.\nThis is only useful in the FORWARD and POSTROUTING chains.\n<\/dd><\/dl>\n <\/a>\n
pkttype<\/h3>\n\nThis module matches the link-layer packet type.\n
--pkt-type <\/b>[unicast<\/i>|broadcast<\/i>|multicast<\/i>]\n\n<\/dt>
\n
<\/dd><\/dl>\n <\/a>\n
state<\/h3>\n\nThis module, when combined with connection tracking, allows access to\nthe connection tracking state for this packet.\n
--state <\/b>state<\/i>\n\n<\/dt>
\nWhere state is a comma separated list of the connection states to\nmatch.  Possible states are\nINVALID<\/b>\n\nmeaning that the packet could not be identified for some reason which\nincludes running out of memory and ICMP \uc5d0\ub7ecs which don't correspond to any\nknown connection,\nESTABLISHED<\/b>\n\nmeaning that the packet is associated with a connection which has seen\npackets in both directions,\nNEW<\/b>\n\nmeaning that the packet has started a new connection, or otherwise\nassociated with a connection which has not seen packets in both\ndirections, and\nRELATED<\/b>\n\nmeaning that the packet is starting a new connection, but is\nassociated with an existing connection, such as an FTP data transfer,\nor an ICMP \uc5d0\ub7ec.\n<\/dd><\/dl>\n <\/a>\n
tcp<\/h3>\n\nThese \ud655\uc7a5s are loaded if `--protocol tcp' is specified. It\nprovides the following \uc635\uc158s:\n
--source-port <\/b>[!] port<\/i>[:port<\/i>]\n\n<\/dt>
\nSource port or port range specification. This can either be a service\n\uc774\ub984 or a port number. An inclusive range can also be specified,\nusing the format\nport<\/i>:port<\/i>.\n\nIf the first port is omitted, \"0\" is assumed; if the last is omitted,\n\"65535\" is assumed.\nIf the second port greater then the first they will be swapped.\nThe flag\n--sport<\/b>\n\nis a convenient alias for this \uc635\uc158.\n<\/dd>
--destination-port <\/b>[!] port<\/i>[:port<\/i>]\n\n<\/dt>
\nDestination port or port range specification.  The flag\n--dport<\/b>\n\nis a convenient alias for this \uc635\uc158.\n<\/dd>
--tcp-\ud50c\ub798\uadf8 <\/b>[!] mask<\/i> comp<\/i>\n\n<\/dt>
\nMatch when the TCP \ud50c\ub798\uadf8 are as specified.  The first argument is the\n\ud50c\ub798\uadf8 which we should examine, written as a comma-separated list, and\nthe second argument is a comma-separated list of \ud50c\ub798\uadf8 which must be\nset.  \ud50c\ub798\uadf8 are:\nSYN ACK FIN RST URG PSH ALL NONE<\/b>.\n\nHence the \uba85\ub839\n
 iptables -A FORWARD -p tcp --tcp-\ud50c\ub798\uadf8 SYN,ACK,FIN,RST SYN\n<\/pre>\n\nwill only match packets with the SYN flag set, and the ACK, FIN and\nRST \ud50c\ub798\uadf8 unset.\n<\/dd>
[!] --syn<\/b>\n\n<\/dt>
\nOnly match TCP packets with the SYN bit set and the ACK and RST bits\ncleared.  Such packets are used to request TCP connection initiation;\nfor \uc608, blocking such packets coming in an interface will prevent\nincoming TCP connections, but outgoing TCP connections will be\nunaffected.\nIt is equivalent to --tcp-\ud50c\ub798\uadf8 SYN,RST,ACK SYN<\/b>.\nIf the \"!\" flag precedes the \"--syn\", the sense of the\n\uc635\uc158 is inverted.\n<\/dd>
--tcp-\uc635\uc158 <\/b>[!] number<\/i>\n\n<\/dt>
\nMatch if TCP \uc635\uc158 set.\n<\/dd>
--mss <\/b>value<\/i>[:value<\/i>]\n\n<\/dt>
\nMatch TCP SYN or SYN\/ACK packets with the specified MSS value (or range),\nwhich control the maximum packet size for that connection.\n<\/dd><\/dl>\n <\/a>\n
tos<\/h3>\n\nThis module matches the 8 bits of Type of Service field in the IP\nheader (ie. including the precedence bits).\n
--tos <\/b>tos<\/i>\n\n<\/dt>
\nThe argument is either a standard \uc774\ub984, (use\n
\n\n
 iptables -m tos -h\n
\n\nto see the list), or a numeric value to match.\n<\/dd><\/dl>\n <\/a>\n
ttl<\/h3>\n\nThis module matches the time to live field in the IP header.\n
--ttl <\/b>ttl<\/i>\n\n<\/dt>
\nMatches the given TTL value.\n<\/dd><\/dl>\n <\/a>\n
udp<\/h3>\n\nThese \ud655\uc7a5s are loaded if `--protocol udp' is specified.  It\nprovides the following \uc635\uc158s:\n
--source-port <\/b>[!] port<\/i>[:port<\/i>]\n\n<\/dt>
\nSource port or port range specification.\nSee the \uc124\uba85 of the\n--source-port<\/b>\n\n\uc635\uc158 of the TCP \ud655\uc7a5 for details.\n<\/dd>
--destination-port <\/b>[!] port<\/i>[:port<\/i>]\n\n<\/dt>
\nDestination port or port range specification.\nSee the \uc124\uba85 of the\n--destination-port<\/b>\n\n\uc635\uc158 of the TCP \ud655\uc7a5 for details.\n<\/dd><\/dl>\n <\/a>\n
unclean<\/h3>\n\nThis module takes no \uc635\uc158s, but attempts to match packets which seem\nmalformed or unusual.  This is regarded as experimental.\n <\/a>\n
TARGET \ud655\uc7a5S<\/h2>\n\niptables can use extended target modules: the following are included\nin the standard distribution.\n <\/a>\n
DNAT<\/h3>\n\nThis target is only valid in the\nnat<\/b>\n\ntable, in the\nPREROUTING<\/b>\n\nand\nOUTPUT<\/b>\n\nchains, and user-defined chains which are only called from those\nchains.  It specifies that the destination address of the packet\nshould be modified (and all future packets in this connection will\nalso be mangled), and rules should cease being examined.  It takes one\ntype of \uc635\uc158:\n
--to-destination <\/b>ipaddr<\/i>[-ipaddr<\/i>][:port<\/i>-port<\/i>]\n\n<\/dt>
\nwhich can specify a single new destination IP address, an inclusive\nrange of IP addresses, and \uc635\uc158ally, a port range (which is only\nvalid if the rule also specifies\n-p tcp<\/b>\n\nor\n-p udp<\/b>).\n\nIf no port range is specified, then the destination port will never be\nmodified.\n

<\/dt>
\n
\n\nYou can add several --to-destination \uc635\uc158s.  If you specify more\nthan one destination address, either via an address range or multiple\n--to-destination \uc635\uc158s, a simple round-robin (one after another in\ncycle) load balancing takes place between these adresses.\n<\/p><\/dd><\/dl>\n<\/dd><\/dl>\n <\/a>\n
DSCP<\/h3>\n\nThis target allows to alter the value of the DSCP bits within the TOS\nheader of the IPv4 packet.  As this manipulates a packet, it can only\nbe used in the mangle table.\n
--set-dscp <\/b>value<\/i>\n\n<\/dt>
\nSet the DSCP field to a numerical value (can be decimal or hex)\n<\/dd>
--set-dscp-class <\/b>class<\/i>\n\n<\/dt>
\nSet the DSCP field to a DiffServ class.\n<\/dd><\/dl>\n <\/a>\n
ECN<\/h3>\n\nThis target allows to selectively work around known ECN blackholes.\nIt can only be used in the mangle table.\n
--ecn-tcp-remove<\/b>\n\n<\/dt>
\nRemove all ECN bits from the TCP header.  Of course, it can only be used\nin conjunction with\n-p tcp<\/b>.\n\n<\/dd><\/dl>\n <\/a>\n
LOG<\/h3>\n\nTurn on kernel logging of matching packets.  When this \uc635\uc158 is set\nfor a rule, the Linux kernel will print some information on all\nmatching packets (like most IP header fields) via the kernel log\n(where it can be read with\ndmesg<\/i>\n\nor\nsyslogd<\/a><\/i>(8)).\n\nThis is a \"non-terminating target\", i.e. rule traversal continues at\nthe next rule.  So if you want to LOG the packets you refuse, use two\nseparate rules with the same matching criteria, first using target LOG\nthen DROP (or REJECT).\n
--log-level <\/b>level<\/i>\n\n<\/dt>
\nLevel of logging (numeric or see syslog.conf<\/a><\/i>(5)).\n<\/dd>
--log-prefix <\/b>prefix<\/i>\n\n<\/dt>
\nPrefix log messages with the specified prefix; up to 29 letters long,\nand useful for distinguishing messages in the logs.\n<\/dd>
--log-tcp-sequence<\/b>\n\n<\/dt>
\nLog TCP sequence numbers. This is a security risk if the log is\nreadable by users.\n<\/dd>
--log-tcp-\uc635\uc158s<\/b>\n\n<\/dt>
\nLog \uc635\uc158s from the TCP packet header.\n<\/dd>
--log-ip-\uc635\uc158s<\/b>\n\n<\/dt>
\nLog \uc635\uc158s from the IP packet header.\n<\/dd><\/dl>\n <\/a>\n
MARK<\/h3>\n\nThis is used to set the netfilter mark value associated with the\npacket.  It is only valid in the\nmangle<\/b>\n\ntable.  It can for \uc608 be used in conjunction with iproute2.\n
--set-mark <\/b>mark<\/i>\n\n<\/dt>
\n
<\/dd><\/dl>\n <\/a>\n
MASQUERADE<\/h3>\n\nThis target is only valid in the\nnat<\/b>\n\ntable, in the\nPOSTROUTING<\/b>\n\nchain.  It should only be used with dynamically assigned IP (dialup)\nconnections: if you have a static IP address, you should use the SNAT\ntarget.  Masquerading is equivalent to specifying a mapping to the IP\naddress of the interface the packet is going out, but also has the\neffect that connections are\nforgotten<\/i>\n\nwhen the interface goes down.  This is the correct behavior when the\nnext dialup is unlikely to have the same interface address (and hence\nany established connections are lost anyway).  It takes one \uc635\uc158:\n
--to-ports <\/b>port<\/i>[-port<\/i>]\n\n<\/dt>
\nThis specifies a range of source ports to use, overriding the default\nSNAT<\/b>\n\nsource port-selection heuristics (see above).  This is only valid\nif the rule also specifies\n-p tcp<\/b>\n\nor\n-p udp<\/b>.\n\n<\/dd><\/dl>\n <\/a>\n
MIRROR<\/h3>\n\nThis is an experimental demonstration target which inverts the source\nand destination fields in the IP header and retransmits the packet.\nIt is only valid in the\nINPUT<\/b>,\n\nFORWARD<\/b>\n\nand\nPREROUTING<\/b>\n\nchains, and user-defined chains which are only called from those\nchains.  \uc8fc\uc758 that the outgoing packets are\nNOT<\/b>\n\nseen by any packet filtering chains, connection tracking or NAT, to\navoid loops and other problems.\n <\/a>\n
REDIRECT<\/h3>\n\nThis target is only valid in the\nnat<\/b>\n\ntable, in the\nPREROUTING<\/b>\n\nand\nOUTPUT<\/b>\n\nchains, and user-defined chains which are only called from those\nchains.  It alters the destination IP address to send the packet to\nthe machine itself (locally-generated packets are mapped to the\n127.0.0.1 address).  It takes one \uc635\uc158:\n
--to-ports <\/b>port<\/i>[-port<\/i>]\n\n<\/dt>
\nThis specifies a destination port or range of ports to use: without\nthis, the destination port is never altered.  This is only valid\nif the rule also specifies\n-p tcp<\/b>\n\nor\n-p udp<\/b>.\n\n<\/dd><\/dl>\n <\/a>\n
REJECT<\/h3>\n\nThis is used to send back an \uc5d0\ub7ec packet in response to the matched\npacket: otherwise it is equivalent to\nDROP<\/b>\n\nso it is a terminating TARGET, ending rule traversal.\nThis target is only valid in the\nINPUT<\/b>,\n\nFORWARD<\/b>\n\nand\nOUTPUT<\/b>\n\nchains, and user-defined chains which are only called from those\nchains.  The following \uc635\uc158 controls the nature of the \uc5d0\ub7ec packet\nreturned:\n
--reject-with <\/b>type<\/i>\n\n<\/dt>
\nThe type given can be\n
 icmp-net-unreachable<\/b>\n icmp-host-unreachable<\/b>\n icmp-port-unreachable<\/b>\n icmp-proto-unreachable<\/b>\n icmp-net-prohibited<\/b>\n icmp-host-prohibited or<\/b>\n icmp-admin-prohibited (*)<\/b>\n<\/pre>\n\nwhich return the appropriate ICMP \uc5d0\ub7ec message (port-unreachable<\/b> is\nthe default).  The \uc635\uc158\ntcp-reset<\/b>\n\ncan be used on rules which only match the TCP protocol: this causes a\nTCP RST packet to be sent back.  This is mainly useful for blocking\nident<\/i>\n\n(113\/tcp) probes which frequently occur when sending mail to broken mail\nhosts (which won't accept your mail otherwise).\n<\/dd>
(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT<\/dt>
\n
<\/dd><\/dl>\n <\/a>\n
SNAT<\/h3>\n\nThis target is only valid in the\nnat<\/b>\n\ntable, in the\nPOSTROUTING<\/b>\n\nchain.  It specifies that the source address of the packet should be\nmodified (and all future packets in this connection will also be\nmangled), and rules should cease being examined.  It takes one type\nof \uc635\uc158:\n
--to-source  <\/b>ipaddr<\/i>[-ipaddr<\/i>][:port<\/i>-port<\/i>]\n\n<\/dt>
\nwhich can specify a single new source IP address, an inclusive range\nof IP addresses, and \uc635\uc158ally, a port range (which is only valid if\nthe rule also specifies\n-p tcp<\/b>\n\nor\n-p udp<\/b>).\n\nIf no port range is specified, then source ports below 512 will be\nmapped to other ports below 512: those between 512 and 1023 inclusive\nwill be mapped to ports below 1024, and other ports will be mapped to\n1024 or above. Where possible, no port alteration will occur.\n

<\/dt>
\n
\n\nYou can add several --to-source \uc635\uc158s.  If you specify more\nthan one source address, either via an address range or multiple\n--to-source \uc635\uc158s, a simple round-robin (one after another in\ncycle) takes place between these adresses.\n<\/p><\/dd><\/dl>\n<\/dd><\/dl>\n <\/a>\n
TCPMSS<\/h3>\n\nThis target allows to alter the MSS value of TCP SYN packets, to control\nthe maximum size for that connection (usually limiting it to your\noutgoing interface's MTU minus 40).  Of course, it can only be used\nin conjunction with\n-p tcp<\/b>.\n\n
\n\nThis target is used to overcome criminally braindead ISPs or servers\nwhich block ICMP Fragmentation Needed packets.  The symptoms of this\nproblem are that everything works fine from your Linux\nfirewall\/router, but machines behind it can never exchange large\npackets:\n\n

<\/dt>
\n
1)<\/dt>
\nWeb browsers connect, then hang with no data received.\n<\/dd>
2)<\/dt>
\nSmall mail works fine, but large emails hang.\n<\/dd>
3)<\/dt>
\nssh works fine, but scp hangs after initial handshaking.\n<\/dd><\/dl>\n<\/dd><\/dl>\n\n\nWorkaround: activate this \uc635\uc158 and add a rule to your firewall\nconfiguration like:\n
 iptables -A FORWARD -p tcp --tcp-\ud50c\ub798\uadf8 SYN,RST SYN \\\n             -j TCPMSS --clamp-mss-to-pmtu\n<\/pre>\n\n
--set-mss <\/b>value<\/i>\n\n<\/dt>
\nExplicitly set MSS \uc635\uc158 to specified value.\n<\/dd>
--clamp-mss-to-pmtu<\/b>\n\n<\/dt>
\nAutomatically clamp MSS value to (path_MTU - 40).\n<\/dd>
These \uc635\uc158s are mutually exclusive.<\/dt>
\n
<\/dd><\/dl>\n <\/a>\n
TOS<\/h3>\n\nThis is used to set the 8-bit Type of Service field in the IP header.\nIt is only valid in the\nmangle<\/b>\n\ntable.\n
--set-tos <\/b>tos<\/i>\n\n<\/dt>
\nYou can use a numeric TOS values, or use\n
 iptables -j TOS -h\n<\/pre>\n\nto see the list of valid TOS \uc774\ub984s.\n<\/dd><\/dl>\n <\/a>\n
ULOG<\/h3>\n\nThis target provides userspace logging of matching packets.  When this\ntarget is set for a rule, the Linux kernel will multicast this packet\nthrough a\nnetlink<\/i>\n\nsocket. One or more userspace processes may then subscribe to various\nmulticast groups and receive the packets.\nLike LOG, this is a \"non-terminating target\", i.e. rule traversal\ncontinues at the next rule.\n
--ulog-nlgroup <\/b>nlgroup<\/i>\n\n<\/dt>
\nThis specifies the netlink group (1-32) to which the packet is sent.\nDefault value is 1.\n<\/dd>
--ulog-prefix <\/b>prefix<\/i>\n\n<\/dt>
\nPrefix log messages with the specified prefix; up to 32 characters\nlong, and useful for distinguishing messages in the logs.\n<\/dd>
--ulog-cprange <\/b>size<\/i>\n\n<\/dt>
\nNumber of bytes to be copied to userspace.  A value of 0 always copies\nthe entire packet, regardless of its size.  Default is 0.\n<\/dd>
--ulog-qthreshold <\/b>size<\/i>\n\n<\/dt>
\nNumber of packet to queue inside kernel.  Setting this value to, e.g. 10\naccumulates ten packets inside the kernel and transmits them as one\nnetlink multipart message to userspace.  Default is 1 (for backwards\ncompatibility).\n
\n\n<\/dd><\/dl>\n <\/a>\n
\uc9c4\ub2e8<\/h2>\n\nVarious \uc5d0\ub7ec messages are printed to standard \uc5d0\ub7ec.  The exit code\nis 0 for correct functioning.  \uc5d0\ub7ecs which appear to be caused by\ninvalid or abused \uba85\ub839 line parameters cause an exit code of 2, and\nother \uc5d0\ub7ecs cause an exit code of 1.\n <\/a>\n
\ubc84\uadf8<\/h2>\n\n\ubc84\uadf8?  What's this? \ud83d\ude09\nWell... the counters are not reliable on sparc64.\n <\/a>\n
\ud638\ud658 WITH IPCHAINS<\/h2>\n\nThis\niptables<\/b>\n\nis very similar to ipchains by Rusty Russell.  The main difference is\nthat the chains\nINPUT<\/b>\n\nand\nOUTPUT<\/b>\n\nare only traversed for packets coming into the local host and\noriginating from the local host respectively.  Hence every packet only\npasses through one of the three chains (except loopback traffic, which\ninvolves both INPUT and OUTPUT chains); previously a forwarded packet\nwould pass through all three.\n
\n\nThe other main difference is that\n-i<\/b>\n\nrefers to the input interface;\n-o<\/b>\n\nrefers to the output interface, and both are available for packets\nentering the\nFORWARD<\/b>\n\nchain.\n<\/p>
\n\niptables<\/b>\n\nis a pure packet filter when using the default `filter' table, with\n\uc635\uc158al \ud655\uc7a5 modules.  This should simplify much of the previous\nconfusion over the combination of IP masquerading and packet filtering\nseen previously.  So the following \uc635\uc158s are handled differently:\n<\/p>
 -j MASQ\n -M -S\n -M -L\n<\/pre>\n\nThere are several other changes in iptables.\n <\/a>\n
\uad00\ub828 \ud56d\ubaa9<\/h2>\n\niptables-save<\/a><\/b>(8),\n\niptables-restore<\/a><\/b>(8),\n\nip6tables<\/a><\/b>(8),\n\nip6tables-save<\/a><\/b>(8),\n\nip6tables-restore<\/a><\/b>(8).\n\n\nThe packet-filtering-HOWTO details iptables \uc0ac\uc6a9\ubc95 for\npacket filtering, the NAT-HOWTO details NAT,\nthe netfilter-\ud655\uc7a5s-HOWTO details the \ud655\uc7a5s that are\nnot in the standard distribution,\nand the netfilter-hacking-HOWTO details the netfilter internals.\n
\n\nSee\nhttp:\/\/www.netfilter.org\/<\/a><\/b>.\n\n <\/a>\n
\uc800\uc790S<\/h2>\n\nRusty Russell wrote iptables, in early consultation with Michael\nNeuling.\n
\n\nMarc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet\nselection framework in iptables, then wrote the mangle table, the owner match,\nthe mark stuff, and ran around doing cool stuff everywhere.\n<\/p>
\n\nJames Morris wrote the TOS target, and tos match.\n<\/p>
\n\nJozsef Kadlecsik wrote the REJECT target.\n<\/p>
\n\nHarald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.\n<\/p>
\n\nThe Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,\nJames Morris, Harald Welte and Rusty Russell.\n<\/p>
\n\nMan page written by Herve Eychenne &lt;rv@wallfire.org<\/a>>.\n\n\n\n\n----\nCategoryManPage\n----\nCategoryManPage\n<\/p>
\n<\/p>
\n<\/p>
\n\n<\/p>
\n <\/a>
Index<\/h2>\n
NAME<\/a><\/dt>
\n
<\/dd>
SYNOPSIS<\/a><\/dt>
\n
<\/dd>
DESCRIPTION<\/a><\/dt>
\n
<\/dd>
TARGETS<\/a><\/dt>
\n
<\/dd>
TABLES<\/a><\/dt>
\n
<\/dd>
OPTIONS<\/a><\/dt>
\n
COMMANDS<\/a><\/dt>
\n
<\/dd>
PARAMETERS<\/a><\/dt>
\n
<\/dd>
OTHER \uc635\uc158S<\/a><\/dt>
\n
<\/dd><\/dl>\n<\/dd>
MATCH \ud655\uc7a5S<\/a><\/dt>
\n
ah<\/a><\/dt>
\n
<\/dd>
conntrack<\/a><\/dt>
\n
<\/dd>
dscp<\/a><\/dt>
\n
<\/dd>
esp<\/a><\/dt>
\n
<\/dd>
helper<\/a><\/dt>
\n
<\/dd>
icmp<\/a><\/dt>
\n
<\/dd>
length<\/a><\/dt>
\n
<\/dd>
limit<\/a><\/dt>
\n
<\/dd>
mac<\/a><\/dt>
\n
<\/dd>
mark<\/a><\/dt>
\n
<\/dd>
multiport<\/a><\/dt>
\n
<\/dd>
owner<\/a><\/dt>
\n
<\/dd>
physdev<\/a><\/dt>
\n
<\/dd>
pkttype<\/a><\/dt>
\n
<\/dd>
state<\/a><\/dt>
\n
<\/dd>
tcp<\/a><\/dt>
\n
<\/dd>
tos<\/a><\/dt>
\n
<\/dd>
ttl<\/a><\/dt>
\n
<\/dd>
udp<\/a><\/dt>
\n
<\/dd>
unclean<\/a><\/dt>
\n
<\/dd><\/dl>\n<\/dd>
TARGET \ud655\uc7a5S<\/a><\/dt>
\n
DNAT<\/a><\/dt>
\n
<\/dd>
DSCP<\/a><\/dt>
\n
<\/dd>
ECN<\/a><\/dt>
\n
<\/dd>
LOG<\/a><\/dt>
\n
<\/dd>
MARK<\/a><\/dt>
\n
<\/dd>
MASQUERADE<\/a><\/dt>
\n
<\/dd>
MIRROR<\/a><\/dt>
\n
<\/dd>
REDIRECT<\/a><\/dt>
\n
<\/dd>
REJECT<\/a><\/dt>
\n
<\/dd>
SNAT<\/a><\/dt>
\n
<\/dd>
TCPMSS<\/a><\/dt>
\n
<\/dd>
TOS<\/a><\/dt>
\n
<\/dd>
ULOG<\/a><\/dt><\/dl><\/dd><\/dl>

<\/p>\n","protected":false},"excerpt":{"rendered":"
NAME iptables – IPv4 \uae30\ubc18 \ud328\ud0b7 \ud544\ud130\ub9c1 \ubc0f NAT \ub97c \uc704\ud55c \uad00\ub9ac\uc790 \ud234   SYNOPSIS iptables [-t table] -[AD] chain rule-specification [options] iptables [-t table] -I chain [rulenum] rule-specification [options] iptables [-t table] -R chain rulenum rule-specification [options] iptables [-t table] -D chain rulenum [options] iptables [-t table] -[LFZ] [chain] [options] iptables [-t table] -N […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[39],"tags":[],"class_list":["post-494","post","type-post","status-publish","format-standard","hentry","category-os_linux_unix_macos"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/494","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=494"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/494\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=494"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=494"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=494"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}