4 IPTABLES(8) IPTABLES(8)
8 iptables - IP packet filter administration
10 S
\bSY
\bYN
\bNO
\bOP
\bPS
\bSI
\bIS
\bS
11 i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs -
\b-[
\b[A
\bAD
\bDC
\bC]
\b] chain rule-specification [options]
12 i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs -
\b-[
\b[R
\bRI
\bI]
\b] chain rulenum rule-specification [options]
13 i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs -
\b-D
\bD chain rulenum [options]
14 i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs -
\b-[
\b[L
\bLF
\bFZ
\bZ]
\b] [chain] [options]
15 i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs -
\b-[
\b[N
\bNX
\bX]
\b] chain
16 i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs -
\b-P
\bP chain target [options]
17 i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs -
\b-E
\bE old-chain-name new-chain-name
19 D
\bDE
\bES
\bSC
\bCR
\bRI
\bIP
\bPT
\bTI
\bIO
\bON
\bN
20 I
\bIp
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs is used to set up, maintain, and inspect the
21 tables of IP packet filter rules in the Linux kernel.
22 There are several different tables which may be defined,
23 and each table contains a number of built-in chains, and
24 may contain user-defined chains.
26 Each chain is a list of rules which can match a set of
27 packets: each rule specifies what to do with a packet
28 which matches. This is called a `target', which may be a
29 jump to a user-defined chain in the same table.
32 T
\bTA
\bAR
\bRG
\bGE
\bET
\bTS
\bS
33 A firewall rule specifies criteria for a packet, and a
34 target. If the packet does not match, the next rule in
35 the chain is the examined; if it does match, then the next
36 rule is specified by the value of the target, which can be
37 the name of a user-defined chain, or one of the special
38 values _
\bA_
\bC_
\bC_
\bE_
\bP_
\bT, _
\bD_
\bR_
\bO_
\bP, _
\bQ_
\bU_
\bE_
\bU_
\bE, or _
\bR_
\bE_
\bT_
\bU_
\bR_
\bN.
40 _
\bA_
\bC_
\bC_
\bE_
\bP_
\bT means to let the packet through. _
\bD_
\bR_
\bO_
\bP means to
41 drop the packet on the floor. _
\bQ_
\bU_
\bE_
\bU_
\bE means to pass the
42 packet to userspace (if supported by the kernel). _
\bR_
\bE_
\bT_
\bU_
\bR_
\bN
43 means stop traversing this chain, and resume at the next
44 rule in the previous (calling) chain. If the end of a
45 built-in chain is reached, or a rule in a built-in chain
46 with target _
\bR_
\bE_
\bT_
\bU_
\bR_
\bN is matched, the target specified by the
47 chain policy determines the fate of the packet.
49 T
\bTA
\bAB
\bBL
\bLE
\bES
\bS
50 There are current three independent tables (which tables
51 are present at any time depends on the kernel configura
52 tion options and which modules are present).
54 -
\b-t
\bt,
\b, -
\b--
\b-t
\bta
\bab
\bbl
\ble
\be
55 This option specifies the packet matching table
56 which the command should operate on. If the kernel
57 is configured with automatic module loading, an
58 attempt will be made to load the appropriate module
59 for that table if it is not already there.
61 The tables are as follows: f
\bfi
\bil
\blt
\bte
\ber
\br This is the
62 default table, and contains the built-in chains
63 INPUT (for packets coming into the box itself),
64 FORWARD (for packets being routed through the box),
65 and OUTPUT (for locally-generated packets). n
\bna
\bat
\bt
66 This table is consulted when a packet which is cre
67 ates a new connection is encountered. It consists
68 of three built-ins: PREROUTING (for altering pack
69 ets as soon as they come in), OUTPUT (for altering
70 locally-generated packets before routing), and
71 POSTROUTING (for altering packets as they are about
72 to go out). m
\bma
\ban
\bng
\bgl
\ble
\be This table is used for special
73 ized packet alteration. It has two built-in
74 chains: PREROUTING (for altering incoming packets
75 before routing) and OUTPUT (for altering locally-
76 generated packets before routing).
78 O
\bOP
\bPT
\bTI
\bIO
\bON
\bNS
\bS
79 The options that are recognized by i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs can be divided
80 into several different groups.
82 C
\bCO
\bOM
\bMM
\bMA
\bAN
\bND
\bDS
\bS
83 These options specify the specific action to perform; only
84 one of them can be specified on the command line, unless
85 otherwise specified below. For all the long versions of
86 the command and option names, you only need to use enough
87 letters to ensure that i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs can differentiate it from
90 -
\b-A
\bA,
\b, -
\b--
\b-a
\bap
\bpp
\bpe
\ben
\bnd
\bd
91 Append one or more rules to the end of the selected
92 chain. When the source and/or destination names
93 resolve to more than one address, a rule will be
94 added for each possible address combination.
96 -
\b-D
\bD,
\b, -
\b--
\b-d
\bde
\bel
\ble
\bet
\bte
\be
97 Delete one or more rules from the selected chain.
98 There are two versions of this command: the rule
99 can be specified as a number in the chain (starting
100 at 1 for the first rule) or a rule to match.
102 -
\b-R
\bR,
\b, -
\b--
\b-r
\bre
\bep
\bpl
\bla
\bac
\bce
\be
103 Replace a rule in the selected chain. If the
104 source and/or destination names resolve to multiple
105 addresses, the command will fail. Rules are num
108 -
\b-I
\bI,
\b, -
\b--
\b-i
\bin
\bns
\bse
\ber
\brt
\bt
109 Insert one or more rules in the selected chain as
110 the given rule number. So, if the rule number is
111 1, the rule or rules are inserted at the head of
112 the chain. This is also the default if no rule
115 -
\b-L
\bL,
\b, -
\b--
\b-l
\bli
\bis
\bst
\bt
116 List all rules in the selected chain. If no chain
117 is selected, all chains are listed. It is legal to
118 specify the -
\b-Z
\bZ (zero) option as well, in which case
119 the chain(s) will be atomically listed and zeroed.
120 The exact output is effected by the other arguments
123 -
\b-F
\bF,
\b, -
\b--
\b-f
\bfl
\blu
\bus
\bsh
\bh
124 Flush the selected chain. This is equivalent to
125 deleting all the rules one by one.
127 -
\b-Z
\bZ,
\b, -
\b--
\b-z
\bze
\ber
\bro
\bo
128 Zero the packet and byte counters in all chains.
129 It is legal to specify the -
\b-L
\bL,
\b, -
\b--
\b-l
\bli
\bis
\bst
\bt (list) option
130 as well, to see the counters immediately before
131 they are cleared; see above.
133 -
\b-N
\bN,
\b, -
\b--
\b-n
\bne
\bew
\bw-
\b-c
\bch
\bha
\bai
\bin
\bn
134 Create a new user-defined chain of the given name.
135 There must be no target of that name already.
137 -
\b-X
\bX,
\b, -
\b--
\b-d
\bde
\bel
\ble
\bet
\bte
\be-
\b-c
\bch
\bha
\bai
\bin
\bn
138 Delete the specified user-defined chain. There
139 must be no references to the chain (if there are
140 you must delete or replace the referring rules
141 before the chain can be deleted). If no argument
142 is given, it will attempt to delete every non-
143 builtin chain in the table.
145 -
\b-P
\bP,
\b, -
\b--
\b-p
\bpo
\bol
\bli
\bic
\bcy
\by
146 Set the policy for the chain to the given target.
147 See the section T
\bTA
\bAR
\bRG
\bGE
\bET
\bTS
\bS for the legal targets.
148 Only non-user-defined chains can have policies, and
149 neither built-in nor user-defined chains can be
152 -
\b-E
\bE,
\b, -
\b--
\b-r
\bre
\ben
\bna
\bam
\bme
\be-
\b-c
\bch
\bha
\bai
\bin
\bn
153 Rename the user specified chain to the user sup
154 plied name; this is cosmetic, and has no effect on
155 the structure of the table.
157 -
\b-h
\bh Help. Give a (currently very brief) description of
160 P
\bPA
\bAR
\bRA
\bAM
\bME
\bET
\bTE
\bER
\bRS
\bS
161 The following parameters make up a rule specification (as
162 used in the add, delete, replace, append and check com
165 -
\b-p
\bp,
\b, -
\b--
\b-p
\bpr
\bro
\bot
\bto
\boc
\bco
\bol
\bl [!] _
\bp_
\br_
\bo_
\bt_
\bo_
\bc_
\bo_
\bl
166 The protocol of the rule or of the packet to check.
167 The specified protocol can be one of _
\bt_
\bc_
\bp, _
\bu_
\bd_
\bp,
168 _
\bi_
\bc_
\bm_
\bp, or _
\ba_
\bl_
\bl, or it can be a numeric value, repre
169 senting one of these protocols or a different one.
170 A protocol name from /etc/protocols is also
171 allowed. A "!" argument before the protocol
172 inverts the test. The number zero is equivalent to
173 _
\ba_
\bl_
\bl. Protocol _
\ba_
\bl_
\bl will match with all protocols
174 and is taken as default when this option is omit
177 -
\b-s
\bs,
\b, -
\b--
\b-s
\bso
\bou
\bur
\brc
\bce
\be [!] _
\ba_
\bd_
\bd_
\br_
\be_
\bs_
\bs[/_
\bm_
\ba_
\bs_
\bk]
178 Source specification. _
\bA_
\bd_
\bd_
\br_
\be_
\bs_
\bs can be either a
179 hostname, a network name, or a plain IP address.
180 The _
\bm_
\ba_
\bs_
\bk can be either a network mask or a plain
181 number, specifying the number of 1's at the left
182 side of the network mask. Thus, a mask of _
\b2_
\b4 is
183 equivalent to _
\b2_
\b5_
\b5_
\b._
\b2_
\b5_
\b5_
\b._
\b2_
\b5_
\b5_
\b._
\b0. A "!" argument before
184 the address specification inverts the sense of the
185 address. The flag -
\b--
\b-s
\bsr
\brc
\bc is a convenient alias for
188 -
\b-d
\bd,
\b, -
\b--
\b-d
\bde
\bes
\bst
\bti
\bin
\bna
\bat
\bti
\bio
\bon
\bn [!] _
\ba_
\bd_
\bd_
\br_
\be_
\bs_
\bs[/_
\bm_
\ba_
\bs_
\bk]
189 Destination specification. See the description of
190 the -
\b-s
\bs (source) flag for a detailed description of
191 the syntax. The flag -
\b--
\b-d
\bds
\bst
\bt is an alias for this
194 -
\b-j
\bj,
\b, -
\b--
\b-j
\bju
\bum
\bmp
\bp _
\bt_
\ba_
\br_
\bg_
\be_
\bt
195 This specifies the target of the rule; ie. what to
196 do if the packet matches it. The target can be a
197 user-defined chain (not the one this rule is in),
198 one of the special builtin targets which decide the
199 fate of the packet immediately, or an extension
200 (see E
\bEX
\bXT
\bTE
\bEN
\bNS
\bSI
\bIO
\bON
\bNS
\bS below). If this option is omitted
201 in a rule, then matching the rule will have no
202 effect on the packet's fate, but the counters on
203 the rule will be incremented.
205 -
\b-i
\bi,
\b, -
\b--
\b-i
\bin
\bn-
\b-i
\bin
\bnt
\bte
\ber
\brf
\bfa
\bac
\bce
\be [!] [_
\bn_
\ba_
\bm_
\be]
206 Optional name of an interface via which a packet is
207 received (for packets entering the I
\bIN
\bNP
\bPU
\bUT
\bT, F
\bFO
\bOR
\bRW
\bWA
\bAR
\bRD
\bD
208 and P
\bPR
\bRE
\bER
\bRO
\bOU
\bUT
\bTI
\bIN
\bNG
\bG chains). When the "!" argument is
209 used before the interface name, the sense is
210 inverted. If the interface name ends in a "+",
211 then any interface which begins with this name will
212 match. If this option is omitted, the string "+"
213 is assumed, which will match with any interface
216 -
\b-o
\bo,
\b, -
\b--
\b-o
\bou
\but
\bt-
\b-i
\bin
\bnt
\bte
\ber
\brf
\bfa
\bac
\bce
\be [!] [_
\bn_
\ba_
\bm_
\be]
217 Optional name of an interface via which a packet is
218 going to be sent (for packets entering the F
\bFO
\bOR
\bRW
\bWA
\bAR
\bRD
\bD,
219 O
\bOU
\bUT
\bTP
\bPU
\bUT
\bT and P
\bPO
\bOS
\bST
\bTR
\bRO
\bOU
\bUT
\bTI
\bIN
\bNG
\bG chains). When the "!" argu
220 ment is used before the interface name, the sense
221 is inverted. If the interface name ends in a "+",
222 then any interface which begins with this name will
223 match. If this option is omitted, the string "+"
224 is assumed, which will match with any interface
227 [
\b[!
\b!]
\b] -
\b-f
\bf,
\b, -
\b--
\b-f
\bfr
\bra
\bag
\bgm
\bme
\ben
\bnt
\bt
228 This means that the rule only refers to second and
229 further fragments of fragmented packets. Since
230 there is no way to tell the source or destination
231 ports of such a packet (or ICMP type), such a
232 packet will not match any rules which specify them.
233 When the "!" argument precedes the "-f" flag, the
234 rule will only match head fragments, or unfrag
237 O
\bOT
\bTH
\bHE
\bER
\bR O
\bOP
\bPT
\bTI
\bIO
\bON
\bNS
\bS
238 The following additional options can be specified:
240 -
\b-v
\bv,
\b, -
\b--
\b-v
\bve
\ber
\brb
\bbo
\bos
\bse
\be
241 Verbose output. This option makes the list command
242 show the interface address, the rule options (if
243 any), and the TOS masks. The packet and byte coun
244 ters are also listed, with the suffix 'K', 'M' or
245 'G' for 1000, 1,000,000 and 1,000,000,000 multipli
246 ers respectively (but see the -
\b-x
\bx flag to change
247 this). For appending, insertion, deletion and
248 replacement, this causes detailed information on
249 the rule or rules to be printed.
251 -
\b-n
\bn,
\b, -
\b--
\b-n
\bnu
\bum
\bme
\ber
\bri
\bic
\bc
252 Numeric output. IP addresses and port numbers will
253 be printed in numeric format. By default, the pro
254 gram will try to display them as host names, net
255 work names, or services (whenever applicable).
257 -
\b-x
\bx,
\b, -
\b--
\b-e
\bex
\bxa
\bac
\bct
\bt
258 Expand numbers. Display the exact value of the
259 packet and byte counters, instead of only the
260 rounded number in K's (multiples of 1000) M's (mul
261 tiples of 1000K) or G's (multiples of 1000M). This
262 option is only relevant for the -
\b-L
\bL command.
264 -
\b--
\b-l
\bli
\bin
\bne
\be-
\b-n
\bnu
\bum
\bmb
\bbe
\ber
\brs
\bs
265 When listing rules, add line numbers to the begin
266 ning of each rule, corresponding to that rule's
267 position in the chain.
269 M
\bMA
\bAT
\bTC
\bCH
\bH E
\bEX
\bXT
\bTE
\bEN
\bNS
\bSI
\bIO
\bON
\bNS
\bS
270 iptables can use extended packet matching modules. These
271 are loaded in two ways: implicitly, when -
\b-p
\bp or -
\b--
\b-p
\bpr
\bro
\bot
\bto
\boc
\bco
\bol
\bl
272 is specified, or with the -
\b-m
\bm or -
\b--
\b-m
\bma
\bat
\btc
\bch
\bh options, followed
273 by the matching module name; after these, various extra
274 command line options become available, depending on the
275 specific module. You can specify multiple extended match
276 modules in one line, and you can use the -
\b-h
\bh or -
\b--
\b-h
\bhe
\bel
\blp
\bp
277 options after the module has been specified to receive
278 help specific to that module.
280 The following are included in the base package, and most
281 of these can be preceded by a !
\b! to invert the sense of
285 These extensions are loaded if `--protocol tcp' is speci
286 fied. It provides the following options:
288 -
\b--
\b-s
\bso
\bou
\bur
\brc
\bce
\be-
\b-p
\bpo
\bor
\brt
\bt [!] [_
\bp_
\bo_
\br_
\bt_
\b[_
\b:_
\bp_
\bo_
\br_
\bt_
\b]]
289 Source port or port range specification. This can
290 either be a service name or a port number. An
291 inclusive range can also be specified, using the
292 format _
\bp_
\bo_
\br_
\bt:_
\bp_
\bo_
\br_
\bt. If the first port is omitted,
293 "0" is assumed; if the last is omitted, "65535" is
294 assumed. If the second port greater then the first
295 they will be swapped. The flag -
\b--
\b-s
\bsp
\bpo
\bor
\brt
\bt is an alias
298 -
\b--
\b-d
\bde
\bes
\bst
\bti
\bin
\bna
\bat
\bti
\bio
\bon
\bn-
\b-p
\bpo
\bor
\brt
\bt [!] [_
\bp_
\bo_
\br_
\bt_
\b[_
\b:_
\bp_
\bo_
\br_
\bt_
\b]]
299 Destination port or port range specification. The
300 flag -
\b--
\b-d
\bdp
\bpo
\bor
\brt
\bt is an alias for this option.
302 -
\b--
\b-t
\btc
\bcp
\bp-
\b-f
\bfl
\bla
\bag
\bgs
\bs [!] _
\bm_
\ba_
\bs_
\bk _
\bc_
\bo_
\bm_
\bp
303 Match when the TCP flags are as specified. The
304 first argument is the flags which we should exam
305 ine, written as a comma-separated list, and the
306 second argument is a comma-separated list of flags
307 which must be set. Flags are: S
\bSY
\bYN
\bN A
\bAC
\bCK
\bK F
\bFI
\bIN
\bN R
\bRS
\bST
\bT U
\bUR
\bRG
\bG
308 P
\bPS
\bSH
\bH A
\bAL
\bLL
\bL N
\bNO
\bON
\bNE
\bE. Hence the command
309 iptables -A FORWARD -p tcp --tcp-flags
311 will only match packets with the SYN flag set, and
312 the ACK, FIN and RST flags unset.
314 [
\b[!
\b!]
\b] -
\b--
\b-s
\bsy
\byn
\bn
315 Only match TCP packets with the SYN bit set and the
316 ACK and FIN bits cleared. Such packets are used to
317 request TCP connection initiation; for example,
318 blocking such packets coming in an interface will
319 prevent incoming TCP connections, but outgoing TCP
320 connections will be unaffected. It is equivalent
321 to -
\b--
\b-t
\btc
\bcp
\bp-
\b-f
\bfl
\bla
\bag
\bgs
\bs S
\bSY
\bYN
\bN,
\b,R
\bRS
\bST
\bT,
\b,A
\bAC
\bCK
\bK S
\bSY
\bYN
\bN. If the "!" flag
322 precedes the "--syn", the sense of the option is
325 -
\b--
\b-t
\btc
\bcp
\bp-
\b-o
\bop
\bpt
\bti
\bio
\bon
\bn [!] _
\bn_
\bu_
\bm_
\bb_
\be_
\br
326 Match if TCP option set.
329 These extensions are loaded if `--protocol udp' is speci
330 fied. It provides the following options:
332 -
\b--
\b-s
\bso
\bou
\bur
\brc
\bce
\be-
\b-p
\bpo
\bor
\brt
\bt [!] [_
\bp_
\bo_
\br_
\bt_
\b[_
\b:_
\bp_
\bo_
\br_
\bt_
\b]]
333 Source port or port range specification. See the
334 description of the -
\b--
\b-s
\bso
\bou
\bur
\brc
\bce
\be-
\b-p
\bpo
\bor
\brt
\bt option of the TCP
335 extension for details.
337 -
\b--
\b-d
\bde
\bes
\bst
\bti
\bin
\bna
\bat
\bti
\bio
\bon
\bn-
\b-p
\bpo
\bor
\brt
\bt [!] [_
\bp_
\bo_
\br_
\bt_
\b[_
\b:_
\bp_
\bo_
\br_
\bt_
\b]]
338 Destination port or port range specification. See
339 the description of the -
\b--
\b-d
\bde
\bes
\bst
\bti
\bin
\bna
\bat
\bti
\bio
\bon
\bn-
\b-p
\bpo
\bor
\brt
\bt option of
340 the TCP extension for details.
343 This extension is loaded if `--protocol icmp' is speci
344 fied. It provides the following option:
346 -
\b--
\b-i
\bic
\bcm
\bmp
\bp-
\b-t
\bty
\byp
\bpe
\be [!] _
\bt_
\by_
\bp_
\be_
\bn_
\ba_
\bm_
\be
347 This allows specification of the ICMP type, which
348 can be a numeric ICMP type, or one of the ICMP type
349 names shown by the command
353 -
\b--
\b-m
\bma
\bac
\bc-
\b-s
\bso
\bou
\bur
\brc
\bce
\be [!] _
\ba_
\bd_
\bd_
\br_
\be_
\bs_
\bs
354 Match source MAC address. It must be of the form
355 XX:XX:XX:XX:XX:XX. Note that this only makes sense
356 for packets entering the P
\bPR
\bRE
\bER
\bRO
\bOU
\bUT
\bTI
\bIN
\bNG
\bG, F
\bFO
\bOR
\bRW
\bWA
\bAR
\bRD
\bD or
357 I
\bIN
\bNP
\bPU
\bUT
\bT chains for packets coming from an ethernet
361 This module matches at a limited rate using a token bucket
362 filter: it can be used in combination with the L
\bLO
\bOG
\bG target
363 to give limited logging. A rule using this extension will
364 match until this limit is reached (unless the `!' flag is
367 -
\b--
\b-l
\bli
\bim
\bmi
\bit
\bt _
\br_
\ba_
\bt_
\be
368 Maximum average matching rate: specified as a num
369 ber, with an optional `/second', `/minute',
370 `/hour', or `/day' suffix; the default is 3/hour.
372 -
\b--
\b-l
\bli
\bim
\bmi
\bit
\bt-
\b-b
\bbu
\bur
\brs
\bst
\bt _
\bn_
\bu_
\bm_
\bb_
\be_
\br
373 The maximum initial number of packets to match:
374 this number gets recharged by one every time the
375 limit specified above is not reached, up to this
376 number; the default is 5.
378 m
\bmu
\bul
\blt
\bti
\bip
\bpo
\bor
\brt
\bt
379 This module matches a set of source or destination ports.
380 Up to 15 ports can be specified. It can only be used in
381 conjunction with -
\b-p
\bp t
\btc
\bcp
\bp or -
\b-p
\bp u
\bud
\bdp
\bp.
383 -
\b--
\b-s
\bso
\bou
\bur
\brc
\bce
\be-
\b-p
\bpo
\bor
\brt
\bt [_
\bp_
\bo_
\br_
\bt_
\b[_
\b,_
\bp_
\bo_
\br_
\bt_
\b]]
384 Match if the source port is one of the given ports.
386 -
\b--
\b-d
\bde
\bes
\bst
\bti
\bin
\bna
\bat
\bti
\bio
\bon
\bn-
\b-p
\bpo
\bor
\brt
\bt [_
\bp_
\bo_
\br_
\bt_
\b[_
\b,_
\bp_
\bo_
\br_
\bt_
\b]]
387 Match if the destination port is one of the given
390 -
\b--
\b-p
\bpo
\bor
\brt
\bt [_
\bp_
\bo_
\br_
\bt_
\b[_
\b,_
\bp_
\bo_
\br_
\bt_
\b]]
391 Match if the both the source and destination ports
392 are equal to each other and to one of the given
396 This module matches the netfilter mark field associated
397 with a packet (which can be set using the M
\bMA
\bAR
\bRK
\bK target
400 -
\b--
\b-m
\bma
\bar
\brk
\bk _
\bv_
\ba_
\bl_
\bu_
\be_
\b[_
\b/_
\bm_
\ba_
\bs_
\bk_
\b]
401 Matches packets with the given unsigned mark value
402 (if a mask is specified, this is logically ANDed
403 with the mark before the comparison).
406 This module attempts to match various characteristics of
407 the packet creator, for locally-generated packets. It is
408 only valid in the O
\bOU
\bUT
\bTP
\bPU
\bUT
\bT chain, and even this some packets
409 (such as ICMP ping responses) may have no owner, and hence
412 -
\b--
\b-u
\bui
\bid
\bd-
\b-o
\bow
\bwn
\bne
\ber
\br _
\bu_
\bs_
\be_
\br_
\bi_
\bd
413 Matches if the packet was created by a process with
414 the given effective user id.
416 -
\b--
\b-g
\bgi
\bid
\bd-
\b-o
\bow
\bwn
\bne
\ber
\br _
\bg_
\br_
\bo_
\bu_
\bp_
\bi_
\bd
417 Matches if the packet was created by a process with
418 the given effective group id.
420 -
\b--
\b-p
\bpi
\bid
\bd-
\b-o
\bow
\bwn
\bne
\ber
\br _
\bp_
\br_
\bo_
\bc_
\be_
\bs_
\bs_
\bi_
\bd
421 Matches if the packet was created by a process with
422 the given process id.
424 -
\b--
\b-s
\bsi
\bid
\bd-
\b-o
\bow
\bwn
\bne
\ber
\br _
\bs_
\be_
\bs_
\bs_
\bi_
\bo_
\bn_
\bi_
\bd
425 Matches if the packet was created by a process in
426 the given session group.
429 This module, when combined with connection tracking,
430 allows access to the connection tracking state for this
433 -
\b--
\b-s
\bst
\bta
\bat
\bte
\be _
\bs_
\bt_
\ba_
\bt_
\be
434 Where state is a comma separated list of the con
435 nection states to match. Possible states are
436 I
\bIN
\bNV
\bVA
\bAL
\bLI
\bID
\bD meaning that the packet is associated with
437 no known connection, E
\bES
\bST
\bTA
\bAB
\bBL
\bLI
\bIS
\bSH
\bHE
\bED
\bD meaning that the
438 packet is associated with a connection which has
439 seen packets in both directions, N
\bNE
\bEW
\bW meaning that
440 the packet has started a new connection, or other
441 wise associated with a connection which has not
442 seen packets in both directions, and R
\bRE
\bEL
\bLA
\bAT
\bTE
\bED
\bD mean
443 ing that the packet is starting a new connection,
444 but is associated with an existing connection, such
445 as an FTP data transfer, or an ICMP error.
447 u
\bun
\bnc
\bcl
\ble
\bea
\ban
\bn
448 This module takes no options, but attempts to match pack
449 ets which seem malformed or unusual. This is regarded as
453 This module matches the 8 bits of Type of Service field in
454 the IP header (ie. including the precedence bits).
456 -
\b--
\b-t
\bto
\bos
\bs _
\bt_
\bo_
\bs
457 The argument is either a standard name, (use
459 to see the list), or a numeric value to match.
461 T
\bTA
\bAR
\bRG
\bGE
\bET
\bT E
\bEX
\bXT
\bTE
\bEN
\bNS
\bSI
\bIO
\bON
\bNS
\bS
462 iptables can use extended target modules: the following
463 are included in the standard distribution.
466 Turn on kernel logging of matching packets. When this
467 option is set for a rule, the Linux kernel will print some
468 information on all matching packets (like most IP header
469 fields) via the kernel log (where it can be read with
470 _
\bd_
\bm_
\be_
\bs_
\bg or _
\bs_
\by_
\bs_
\bl_
\bo_
\bg_
\bd(8)).
472 -
\b--
\b-l
\blo
\bog
\bg-
\b-l
\ble
\bev
\bve
\bel
\bl _
\bl_
\be_
\bv_
\be_
\bl
473 Level of logging (numeric or see _
\bs_
\by_
\bs_
\bl_
\bo_
\bg_
\b._
\bc_
\bo_
\bn_
\bf(5)).
475 -
\b--
\b-l
\blo
\bog
\bg-
\b-p
\bpr
\bre
\bef
\bfi
\bix
\bx _
\bp_
\br_
\be_
\bf_
\bi_
\bx
476 Prefix log messages with the specified prefix; up
477 to 29 letters long, and useful for distinguishing
478 messages in the logs.
480 -
\b--
\b-l
\blo
\bog
\bg-
\b-t
\btc
\bcp
\bp-
\b-s
\bse
\beq
\bqu
\bue
\ben
\bnc
\bce
\be
481 Log TCP sequence numbers. This is a security risk
482 if the log is readable by users.
484 -
\b--
\b-l
\blo
\bog
\bg-
\b-t
\btc
\bcp
\bp-
\b-o
\bop
\bpt
\bti
\bio
\bon
\bns
\bs
485 Log options from the TCP packet header.
487 -
\b--
\b-l
\blo
\bog
\bg-
\b-i
\bip
\bp-
\b-o
\bop
\bpt
\bti
\bio
\bon
\bns
\bs
488 Log options from the IP packet header.
491 This is used to set the netfilter mark value associated
492 with the packet. It is only valid in the m
\bma
\ban
\bng
\bgl
\ble
\be table.
494 -
\b--
\b-s
\bse
\bet
\bt-
\b-m
\bma
\bar
\brk
\bk _
\bm_
\ba_
\br_
\bk
496 R
\bRE
\bEJ
\bJE
\bEC
\bCT
\bT
497 This is used to send back an error packet in response to
498 the matched packet: otherwise it is equivalent to D
\bDR
\bRO
\bOP
\bP.
499 This target is only valid in the I
\bIN
\bNP
\bPU
\bUT
\bT, F
\bFO
\bOR
\bRW
\bWA
\bAR
\bRD
\bD and O
\bOU
\bUT
\bTP
\bPU
\bUT
\bT
500 chains, and user-defined chains which are only called from
501 those chains. Several options control the nature of the
502 error packet returned:
504 -
\b--
\b-r
\bre
\bej
\bje
\bec
\bct
\bt-
\b-w
\bwi
\bit
\bth
\bh _
\bt_
\by_
\bp_
\be
505 The type given can be i
\bic
\bcm
\bmp
\bp-
\b-n
\bne
\bet
\bt-
\b-u
\bun
\bnr
\bre
\bea
\bac
\bch
\bha
\bab
\bbl
\ble
\be, i
\bic
\bcm
\bmp
\bp-
\b-
506 h
\bho
\bos
\bst
\bt-
\b-u
\bun
\bnr
\bre
\bea
\bac
\bch
\bha
\bab
\bbl
\ble
\be, i
\bic
\bcm
\bmp
\bp-
\b-p
\bpo
\bor
\brt
\bt-
\b-u
\bun
\bnr
\bre
\bea
\bac
\bch
\bha
\bab
\bbl
\ble
\be, i
\bic
\bcm
\bmp
\bp-
\b-
507 p
\bpr
\bro
\bot
\bto
\bo-
\b-u
\bun
\bnr
\bre
\bea
\bac
\bch
\bha
\bab
\bbl
\ble
\be, i
\bic
\bcm
\bmp
\bp-
\b-n
\bne
\bet
\bt-
\b-p
\bpr
\bro
\boh
\bhi
\bib
\bbi
\bit
\bte
\bed
\bdor i
\bic
\bcm
\bmp
\bp-
\b-h
\bho
\bos
\bst
\bt-
\b-
508 p
\bpr
\bro
\boh
\bhi
\bib
\bbi
\bit
\bte
\bed
\bd, which return the appropriate ICMP error
509 message (port-unreachable is the default). The
510 option e
\bec
\bch
\bho
\bo-
\b-r
\bre
\bep
\bpl
\bly
\by is also allowed; it can only be
511 used for rules which specify an ICMP ping packet,
512 and generates a ping reply. Finally, the option
513 t
\btc
\bcp
\bp-
\b-r
\bre
\bes
\bse
\bet
\bt can be used on rules which only match the
514 TCP protocol: this causes a TCP RST packet to be
515 sent back. This is mainly useful for blocking
516 _
\bi_
\bd_
\be_
\bn_
\bt probes which frequently occur when sending
517 mail to broken mail hosts (which won't accept your
521 This is used to set the 8-bit Type of Service field in the
522 IP header. It is only valid in the m
\bma
\ban
\bng
\bgl
\ble
\be table.
524 -
\b--
\b-s
\bse
\bet
\bt-
\b-t
\bto
\bos
\bs _
\bt_
\bo_
\bs
525 You can use a numeric TOS values, or use
527 to see the list of valid TOS names.
529 M
\bMI
\bIR
\bRR
\bRO
\bOR
\bR
530 This is an experimental demonstration target which inverts
531 the source and destination fields in the IP header and
532 retransmits the packet. It is only valid in the I
\bIN
\bNP
\bPU
\bUT
\bT,
533 F
\bFO
\bOR
\bRW
\bWA
\bAR
\bRD
\bD and P
\bPR
\bRE
\bER
\bRO
\bOU
\bUT
\bTI
\bIN
\bNG
\bG chains, and user-defined chains
534 which are only called from those chains. Note that the
535 outgoing packets are N
\bNO
\bOT
\bT seen by any packet filtering
536 chains, connection tracking or NAT, to avoid loops and
540 This target is only valid in the n
\bna
\bat
\bt table, in the
541 P
\bPO
\bOS
\bST
\bTR
\bRO
\bOU
\bUT
\bTI
\bIN
\bNG
\bG chain. It specifies that the source address
542 of the packet should be modified (and all future packets
543 in this connection will also be mangled), and rules should
544 cease being examined. It takes one option:
546 -
\b--
\b-t
\bto
\bo-
\b-s
\bso
\bou
\bur
\brc
\bce
\be _
\b<_
\bi_
\bp_
\ba_
\bd_
\bd_
\br_
\b>_
\b[_
\b-_
\b<_
\bi_
\bp_
\ba_
\bd_
\bd_
\br_
\b>_
\b]_
\b[_
\b:_
\bp_
\bo_
\br_
\bt_
\b-_
\bp_
\bo_
\br_
\bt_
\b]
547 which can specify a single new source IP address,
548 an inclusive range of IP addresses, and optionally,
549 a port range (which is only valid if the rule also
550 specifies -
\b-p
\bp t
\btc
\bcp
\bp or -
\b-p
\bp u
\bud
\bdp
\bp). If no port range is
551 specified, then source ports below 512 will be
552 mapped to other ports below 512: those between 1024
553 will be mapped to ports below 1024, and other ports
554 will be mapped to 1024 or above. Where possible,
555 no port alteration will occur.
558 This target is only valid in the n
\bna
\bat
\bt table, in the P
\bPR
\bRE
\bE
\b
559 R
\bRO
\bOU
\bUT
\bTI
\bIN
\bNG
\bG and O
\bOU
\bUT
\bTP
\bPU
\bUT
\bT chains, and user-defined chains which
560 are only called from those chains. It specifies that the
561 destination address of the packet should be modified (and
562 all future packets in this connection will also be man
563 gled), and rules should cease being examined. It takes
566 -
\b--
\b-t
\bto
\bo-
\b-d
\bde
\bes
\bst
\bti
\bin
\bna
\bat
\bti
\bio
\bon
\bn _
\b<_
\bi_
\bp_
\ba_
\bd_
\bd_
\br_
\b>_
\b[_
\b-_
\b<_
\bi_
\bp_
\ba_
\bd_
\bd_
\br_
\b>_
\b]_
\b[_
\b:_
\bp_
\bo_
\br_
\bt_
\b-_
\bp_
\bo_
\br_
\bt_
\b]
567 which can specify a single new destination IP
568 address, an inclusive range of IP addresses, and
569 optionally, a port range (which is only valid if
570 the rule also specifies -
\b-p
\bp t
\btc
\bcp
\bp or -
\b-p
\bp u
\bud
\bdp
\bp). If no
571 port range is specified, then the destination port
572 will never be modified.
574 M
\bMA
\bAS
\bSQ
\bQU
\bUE
\bER
\bRA
\bAD
\bDE
\bE
575 This target is only valid in the n
\bna
\bat
\bt table, in the
576 P
\bPO
\bOS
\bST
\bTR
\bRO
\bOU
\bUT
\bTI
\bIN
\bNG
\bG chain. It should only be used with dynami
577 cally assigned IP (dialup) connections: if you have a
578 static IP address, you should use the SNAT target. Mas
579 querading is equivalent to specifying a mapping to the IP
580 address of the interface the packet is going out, but also
581 has the effect that connections are _
\bf_
\bo_
\br_
\bg_
\bo_
\bt_
\bt_
\be_
\bn when the
582 interface goes down. This is the correct behavior when
583 the next dialup is unlikely to have the same interface
584 address (and hence any established connections are lost
585 anyway). It takes one option:
587 -
\b--
\b-t
\bto
\bo-
\b-p
\bpo
\bor
\brt
\bts
\bs _
\b<_
\bp_
\bo_
\br_
\bt_
\b>_
\b[_
\b-_
\b<_
\bp_
\bo_
\br_
\bt_
\b>_
\b]
588 This specifies a range of source ports to use,
589 overriding the default S
\bSN
\bNA
\bAT
\bT source port-selection
590 heuristics (see above). This is only valid with if
591 the rule also specifies -
\b-p
\bp t
\btc
\bcp
\bp or -
\b-p
\bp u
\bud
\bdp
\bp).
593 R
\bRE
\bED
\bDI
\bIR
\bRE
\bEC
\bCT
\bT
594 This target is only valid in the n
\bna
\bat
\bt table, in the P
\bPR
\bRE
\bE
\b
595 R
\bRO
\bOU
\bUT
\bTI
\bIN
\bNG
\bG and O
\bOU
\bUT
\bTP
\bPU
\bUT
\bT chains, and user-defined chains which
596 are only called from those chains. It alters the destina
597 tion IP address to send the packet to the machine itself
598 (locally-generated packets are mapped to the 127.0.0.1
599 address). It takes one option:
601 -
\b--
\b-t
\bto
\bo-
\b-p
\bpo
\bor
\brt
\bts
\bs _
\b<_
\bp_
\bo_
\br_
\bt_
\b>_
\b[_
\b-_
\b<_
\bp_
\bo_
\br_
\bt_
\b>_
\b]
602 This specifies a destination port or range or ports
603 to use: without this, the destination port is never
604 altered. This is only valid with if the rule also
605 specifies -
\b-p
\bp t
\btc
\bcp
\bp or -
\b-p
\bp u
\bud
\bdp
\bp).
607 E
\bEX
\bXT
\bTR
\bRA
\bA E
\bEX
\bXT
\bTE
\bEN
\bNS
\bSI
\bIO
\bON
\bNS
\bS
608 The following extensions are not included by default in
609 the standard distribution.
612 This module matches the time to live field in the IP
615 -
\b--
\b-t
\btt
\btl
\bl _
\bt_
\bt_
\bl
616 Matches the given TTL value.
619 This target is used to modify the time to live field in
620 the IP header. It is only valid in the m
\bma
\ban
\bng
\bgl
\ble
\be table.
622 -
\b--
\b-t
\btt
\btl
\bl-
\b-s
\bse
\bet
\bt _
\bt_
\bt_
\bl
623 Set the TTL to the given value.
625 -
\b--
\b-t
\btt
\btl
\bl-
\b-d
\bde
\bec
\bc _
\bt_
\bt_
\bl
626 Decrement the TTL by the given value.
628 -
\b--
\b-t
\btt
\btl
\bl-
\b-i
\bin
\bnc
\bc _
\bt_
\bt_
\bl
629 Increment the TTL by the given value.
632 This target provides userspace logging of matching pack
633 ets. When this target is set for a rule, the Linux kernel
634 will multicast this packet through a _
\bn_
\be_
\bt_
\bl_
\bi_
\bn_
\bk socket. One
635 or more userspace processes may then subscribe to various
636 multicast groups and receive the packets.
638 -
\b--
\b-u
\bul
\blo
\bog
\bg-
\b-n
\bnl
\blg
\bgr
\bro
\bou
\bup
\bp_
\b<_
\bn_
\bl_
\bg_
\br_
\bo_
\bu_
\bp_
\b>
639 This specifies the netlink group (1-32) to which
642 -
\b--
\b-u
\bul
\blo
\bog
\bg-
\b-p
\bpr
\bre
\bef
\bfi
\bix
\bx_
\b<_
\bp_
\br_
\be_
\bf_
\bi_
\bx_
\b>
643 Prefix log messages with the specified prefix; up
644 to 32 characters long, and useful fro distinguish
645 ing messages in the logs.
647 -
\b--
\b-u
\bul
\blo
\bog
\bg-
\b-c
\bcp
\bpr
\bra
\ban
\bng
\bge
\be_
\b<_
\bs_
\bi_
\bz_
\be_
\b>
648 Number of bytes to be copied to userspace. A value
649 of 0 always copies the entire packet, regardless of
652 D
\bDI
\bIA
\bAG
\bGN
\bNO
\bOS
\bST
\bTI
\bIC
\bCS
\bS
653 Various error messages are printed to standard error. The
654 exit code is 0 for correct functioning. Errors which
655 appear to be caused by invalid or abused command line
656 parameters cause an exit code of 2, and other errors cause
660 Check is not implemented (yet).
662 C
\bCO
\bOM
\bMP
\bPA
\bAT
\bTI
\bIB
\bBI
\bIL
\bLI
\bIT
\bTY
\bY W
\bWI
\bIT
\bTH
\bH I
\bIP
\bPC
\bCH
\bHA
\bAI
\bIN
\bNS
\bS
663 This i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs is very similar to ipchains by Rusty Rus
664 sell. The main difference is that the chains I
\bIN
\bNP
\bPU
\bUT
\bT and
665 O
\bOU
\bUT
\bTP
\bPU
\bUT
\bT are only traversed for packets coming into the
666 local host and originating from the local host respec
667 tively. Hence every packet only passes through one of the
668 three chains; previously a forwarded packet would pass
671 The other main difference is that -
\b-i
\bi refers to the input
672 interface; -
\b-o
\bo refers to the output interface, and both are
673 available for packets entering the F
\bFO
\bOR
\bRW
\bWA
\bAR
\bRD
\bD chain.
675 i
\bip
\bpt
\bta
\bab
\bbl
\ble
\bes
\bs is a pure packet filter when using the default
676 `filter' table, with optional extension modules. This
677 should simplify much of the previous confusion over the
678 combination of IP masquerading and packet filtering seen
679 previously. So the following options are handled differ
684 There are several other changes in iptables.
686 S
\bSE
\bEE
\bE A
\bAL
\bLS
\bSO
\bO
687 The iptables-HOWTO, which details more iptables usage, the
688 NAT-HOWTO, which details NAT, and the netfilter-hacking-
689 HOWTO which details the internals.
691 A
\bAU
\bUT
\bTH
\bHO
\bOR
\bRS
\bS
692 Rusty Russell wrote iptables, in early consultation with
695 Marc Boucher made Rusty abandon ipnatctl by lobbying for a
696 generic packet selection framework in iptables, then wrote
697 the mangle table, the owner match, the mark stuff, and ran
698 around doing cool stuff everywhere.
700 James Morris wrote the TOS target, and tos match.
702 Jozsef Kadlecsik wrote the REJECT target.
704 Harald Welte wrote the ULOG target, TTL match+target and
707 The Netfilter Core Team is: Marc Boucher, James Morris and