execute a command as another user
|
administration tool for IPv4 packet filtering and NAT
|
-t, --table table
This option specifies the packet matching table which the command should operate on. If the
kernel is configured with automatic module loading, an attempt will be made to load the
appropriate module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT
(for packets destined to local sockets), FORWARD (for packets being routed through the box),
and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It
consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT
(for altering locally-generated packets before routing), and POSTROUTING (for altering packets
as they are about to go out).
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in
chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering
locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains
are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering
packets being routed through the box), and POSTROUTING (for altering packets as they are about
to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination
with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus
called before ip_conntrack, or any other IP tables. It provides the following built-in
chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets
generated by local processes)
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled
by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux
Security Modules such as SELinux. The security table is called after the filter table,
allowing any Discretionary Access Control (DAC) rules in the filter table to take effect
before MAC rules. This table provides the following built-in chains: INPUT (for packets
coming into the box itself), OUTPUT (for altering locally-generated packets before routing),
and FORWARD (for altering packets being routed through the box).
|
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. Like every
other iptables command, it applies to the specified table (filter is the default), so NAT rules
get listed by
iptables -t nat -n -L
Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups.
It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other arguments given. The exact rules are
suppressed until you use
iptables -L -v
|
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the
program will try to display them as host names, network names, or services (whenever applicable).
|
Pipelines
A pipeline is a sequence of one or more commands separated by one of the control operators | or |&. The
format for a pipeline is:
[time [-p]] [ ! ] command [ [|⎪|&] command2 ... ]
The standard output of command is connected via a pipe to the standard input of command2. This
connection is performed before any redirections specified by the command (see REDIRECTION below). If |&
is used, the standard error of command is connected to command2's standard input through the pipe; it is
shorthand for 2>&1 |. This implicit redirection of the standard error is performed after any
redirections specified by the command.
The return status of a pipeline is the exit status of the last command, unless the pipefail option is
enabled. If pipefail is enabled, the pipeline's return status is the value of the last (rightmost)
command to exit with a non-zero status, or zero if all commands exit successfully. If the reserved word
! precedes a pipeline, the exit status of that pipeline is the logical negation of the exit status as
described above. The shell waits for all commands in the pipeline to terminate before returning a value.
If the time reserved word precedes a pipeline, the elapsed as well as user and system time consumed by
its execution are reported when the pipeline terminates. The -p option changes the output format to that
specified by POSIX. When the shell is in posix mode, it does not recognize time as a reserved word if
the next token begins with a `-'. The TIMEFORMAT variable may be set to a format string that specifies
how the timing information should be displayed; see the description of TIMEFORMAT under Shell Variables
below.
When the shell is in posix mode, time may be followed by a newline. In this case, the shell displays the
total user and system time consumed by the shell and its children. The TIMEFORMAT variable may be used
to specify the format of the time information.
Each command in a pipeline is executed as a separate process (i.e., in a subshell).
|
translate characters
|
-s Replace instances of repeated characters with a single character, as described in the EXTENDED
DESCRIPTION section.
|
remove sections from each line of files
|
-d, --delimiter=DELIM
use DELIM instead of TAB for field delimiter
|
-f, --fields=LIST
select only these fields; also print any line that contains no delimiter character, unless the -s
option is specified
|