```
# man iptables
...
       -j, --jump target
              This specifies the target of the rule; i.e., what to do if the
              packet matches it.  The target can be a user-defined chain
              (other than the one this rule is in), one of the special builtin
              targets which decide the fate of the packet immediately, or an
              extension (see EXTENSIONS below).  If this option is omitted in
              a rule (and -g is not used), then matching the rule will have no
              effect on the packet's fate, but the counters on the rule will
              be incremented.

       -g, --goto chain
              This specifies that the processing should continue in a user
              specified chain.  Unlike the --jump option return will not
              continue processing in this chain but instead in the chain that
              called us via --jump.
```
The -j option specifies the target of a rule.
The target can be a user-defined chain, a builtin target, or an extension.
The -g option redirects processing into a user-defined chain.
Unlike -j, when processing returns from that user-defined chain, it does not resume in the chain that issued -g but in the chain one level up, the one that reached it via -j.
Example
Use `iptables -S` to view the default firewall configuration on Fedora 18:
```
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
...
-A INPUT_ZONES -i p5p1 -g IN_ZONE_public
-A INPUT_ZONES -g IN_ZONE_public
...
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
```
```
# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out     source               destination
 2447  173K ACCEPT               all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    1    80 ACCEPT               all  --  lo     any     anywhere             anywhere
  404 82313 INPUT_direct         all  --  any    any     anywhere             anywhere
  404 82313 INPUT_ZONES          all  --  any    any     anywhere             anywhere
    0     0 ACCEPT               icmp --  any    any     anywhere             anywhere
  375 78428 REJECT               all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
...
Chain INPUT_ZONES (1 references)
 pkts bytes target               prot opt in     out     source               destination
  375 78428 IN_ZONE_public       all  --  p5p1   any     anywhere             anywhere            [goto]
    0     0 IN_ZONE_public       all  --  +      any     anywhere             anywhere            [goto]
...
Chain IN_ZONE_public (2 references)
 pkts bytes target               prot opt in     out     source               destination
  375 78428 IN_ZONE_public_deny  all  --  any    any     anywhere             anywhere
  375 78428 IN_ZONE_public_allow all  --  any    any     anywhere             anywhere

Chain IN_ZONE_public_allow (1 references)
 pkts bytes target               prot opt in     out     source               destination
    0     0 ACCEPT               tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW
    0     0 ACCEPT               udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns ctstate NEW

Chain IN_ZONE_public_deny (1 references)
 pkts bytes target               prot opt in     out     source               destination
```
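As an added illustration (not from the original post and not iptables itself), the following Python simulator models chain traversal with the -j and -g semantics described in the man page excerpt, using a subset of the Fedora firewalld chains shown above; the packet fields `in` and `dport` and the `fedora_layout` helper are assumptions. With -g, once IN_ZONE_public is exhausted processing resumes in INPUT, so the catch-all second rule of INPUT_ZONES never sees a p5p1 packet; swapping -g for -j would walk the zone chain twice.

```python
from dataclasses import dataclass
from typing import Callable

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end traversal at once

@dataclass
class Rule:
    target: str                                      # user chain or builtin target
    goto: bool = False                               # True models -g, False models -j
    match: Callable[[dict], bool] = lambda p: True   # packet predicate; default matches all

def traverse(chains, start, pkt, policy="ACCEPT"):
    """Walk the rule set from chain `start`; return (verdict, trace of chain moves)."""
    trace, stack = [], []       # stack holds (chain, next rule) frames pushed only by -j
    chain, i = start, 0
    while True:
        rules = chains[chain]
        if i >= len(rules):                  # end of chain == implicit RETURN
            if not stack:                    # back in the builtin chain: apply its policy
                return policy, trace + [f"policy {policy}"]
            chain, i = stack.pop()           # a -g chain pops the frame of whoever did -j
            trace.append(f"return to {chain}")
            continue
        rule, i = rules[i], i + 1
        if not rule.match(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, trace + [rule.target]
        if rule.target == "RETURN":
            i = len(rules)                   # take the end-of-chain path above
            continue
        if not rule.goto:
            stack.append((chain, i))         # -j remembers where to resume; -g does not
        trace.append(("goto " if rule.goto else "jump ") + rule.target)
        chain, i = rule.target, 0

def fedora_layout(use_goto=True):
    """Assumed subset of the Fedora 18 chains above; use_goto=False swaps -g for -j."""
    return {
        "INPUT": [Rule("INPUT_ZONES"), Rule("REJECT")],
        "INPUT_ZONES": [
            Rule("IN_ZONE_public", goto=use_goto, match=lambda p: p["in"] == "p5p1"),
            Rule("IN_ZONE_public", goto=use_goto),   # catch-all for any other interface
        ],
        "IN_ZONE_public": [Rule("IN_ZONE_public_deny"), Rule("IN_ZONE_public_allow")],
        "IN_ZONE_public_deny": [],
        "IN_ZONE_public_allow": [Rule("ACCEPT", match=lambda p: p["dport"] == 22)],
    }
```

Calling `traverse(fedora_layout(True), "INPUT", {"in": "p5p1", "dport": 80})` yields a REJECT whose trace contains "return to INPUT" straight after the zone chain, while `fedora_layout(False)` shows IN_ZONE_public entered twice before the same REJECT.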