Handle hostnames with upper-case letters

[webmin.git] / squid / nat

IPTABLES(8)                                           IPTABLES(8)


N\bNA\bAM\bME\bE
       iptables - IP packet filter administration

S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
       i\bip\bpt\bta\bab\bbl\ble\bes\bs -\b-[\b[A\bAD\bDC\bC]\b] chain rule-specification [options]
       i\bip\bpt\bta\bab\bbl\ble\bes\bs -\b-[\b[R\bRI\bI]\b] chain rulenum rule-specification [options]
       i\bip\bpt\bta\bab\bbl\ble\bes\bs -\b-D\bD chain rulenum [options]
       i\bip\bpt\bta\bab\bbl\ble\bes\bs -\b-[\b[L\bLF\bFZ\bZ]\b] [chain] [options]
       i\bip\bpt\bta\bab\bbl\ble\bes\bs -\b-[\b[N\bNX\bX]\b] chain
       i\bip\bpt\bta\bab\bbl\ble\bes\bs -\b-P\bP chain target [options]
       i\bip\bpt\bta\bab\bbl\ble\bes\bs -\b-E\bE old-chain-name new-chain-name

D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
       I\bIp\bpt\bta\bab\bbl\ble\bes\bs  is  used  to  set  up, maintain, and inspect the
       tables of IP packet filter  rules  in  the  Linux  kernel.
       There  are  several different tables which may be defined,
       and each table contains a number of built-in  chains,  and
       may contain user-defined chains.

       Each  chain  is  a  list of rules which can match a set of
       packets: each rule specifies what  to  do  with  a  packet
       which  matches.  This is called a `target', which may be a
       jump to a user-defined chain in the same table.


T\bTA\bAR\bRG\bGE\bET\bTS\bS
       A firewall rule specifies criteria for  a  packet,  and  a
       target.   If  the  packet does not match, the next rule in
       the chain is the examined; if it does match, then the next
       rule is specified by the value of the target, which can be
       the name of a user-defined chain, or one  of  the  special
       values _\bA_\bC_\bC_\bE_\bP_\bT, _\bD_\bR_\bO_\bP, _\bQ_\bU_\bE_\bU_\bE, or _\bR_\bE_\bT_\bU_\bR_\bN.

       _\bA_\bC_\bC_\bE_\bP_\bT  means  to  let  the packet through.  _\bD_\bR_\bO_\bP means to
       drop the packet on the floor.  _\bQ_\bU_\bE_\bU_\bE  means  to  pass  the
       packet  to userspace (if supported by the kernel).  _\bR_\bE_\bT_\bU_\bR_\bN
       means stop traversing this chain, and resume at  the  next
       rule  in  the  previous  (calling) chain.  If the end of a
       built-in chain is reached, or a rule in a  built-in  chain
       with target _\bR_\bE_\bT_\bU_\bR_\bN is matched, the target specified by the
       chain policy determines the fate of the packet.

T\bTA\bAB\bBL\bLE\bES\bS
       There are current three independent tables  (which  tables
       are  present  at any time depends on the kernel configura­
       tion options and which modules are present).

       -\b-t\bt,\b, -\b--\b-t\bta\bab\bbl\ble\be
              This option specifies  the  packet  matching  table
              which the command should operate on.  If the kernel
              is configured with  automatic  module  loading,  an
              attempt will be made to load the appropriate module
              for that table if it is not already there.

              The tables are  as  follows:  f\bfi\bil\blt\bte\ber\br  This  is  the
              default  table,  and  contains  the built-in chains
              INPUT (for packets coming  into  the  box  itself),
              FORWARD (for packets being routed through the box),
              and OUTPUT (for  locally-generated  packets).   n\bna\bat\bt
              This table is consulted when a packet which is cre­
              ates a new connection is encountered.  It  consists
              of  three built-ins: PREROUTING (for altering pack­
              ets as soon as they come in), OUTPUT (for  altering
              locally-generated   packets  before  routing),  and
              POSTROUTING (for altering packets as they are about
              to go out).  m\bma\ban\bng\bgl\ble\be This table is used for special­
              ized  packet  alteration.   It  has  two   built-in
              chains:  PREROUTING  (for altering incoming packets
              before routing) and OUTPUT (for  altering  locally-
              generated packets before routing).

O\bOP\bPT\bTI\bIO\bON\bNS\bS
       The options that are recognized by i\bip\bpt\bta\bab\bbl\ble\bes\bs can be divided
       into several different groups.

   C\bCO\bOM\bMM\bMA\bAN\bND\bDS\bS
       These options specify the specific action to perform; only
       one  of  them can be specified on the command line, unless
       otherwise specified below.  For all the long  versions  of
       the  command and option names, you only need to use enough
       letters to ensure that i\bip\bpt\bta\bab\bbl\ble\bes\bs can differentiate it  from
       all other options.

       -\b-A\bA,\b, -\b--\b-a\bap\bpp\bpe\ben\bnd\bd
              Append one or more rules to the end of the selected
              chain.  When the source  and/or  destination  names
              resolve  to  more  than one address, a rule will be
              added for each possible address combination.

       -\b-D\bD,\b, -\b--\b-d\bde\bel\ble\bet\bte\be
              Delete one or more rules from the  selected  chain.
              There  are  two  versions of this command: the rule
              can be specified as a number in the chain (starting
              at 1 for the first rule) or a rule to match.

       -\b-R\bR,\b, -\b--\b-r\bre\bep\bpl\bla\bac\bce\be
              Replace  a  rule  in  the  selected  chain.  If the
              source and/or destination names resolve to multiple
              addresses,  the  command will fail.  Rules are num­
              bered starting at 1.

       -\b-I\bI,\b, -\b--\b-i\bin\bns\bse\ber\brt\bt
              Insert one or more rules in the selected  chain  as
              the  given  rule number.  So, if the rule number is
              1, the rule or rules are inserted at  the  head  of
              the  chain.   This  is  also the default if no rule
              number is specified.

       -\b-L\bL,\b, -\b--\b-l\bli\bis\bst\bt
              List all rules in the selected chain.  If no  chain
              is selected, all chains are listed.  It is legal to
              specify the -\b-Z\bZ (zero) option as well, in which case
              the  chain(s) will be atomically listed and zeroed.
              The exact output is effected by the other arguments
              given.

       -\b-F\bF,\b, -\b--\b-f\bfl\blu\bus\bsh\bh
              Flush  the  selected  chain.  This is equivalent to
              deleting all the rules one by one.

       -\b-Z\bZ,\b, -\b--\b-z\bze\ber\bro\bo
              Zero the packet and byte counters  in  all  chains.
              It is legal to specify the -\b-L\bL,\b, -\b--\b-l\bli\bis\bst\bt (list) option
              as well, to see  the  counters  immediately  before
              they are cleared; see above.

       -\b-N\bN,\b, -\b--\b-n\bne\bew\bw-\b-c\bch\bha\bai\bin\bn
              Create  a new user-defined chain of the given name.
              There must be no target of that name already.

       -\b-X\bX,\b, -\b--\b-d\bde\bel\ble\bet\bte\be-\b-c\bch\bha\bai\bin\bn
              Delete the  specified  user-defined  chain.   There
              must  be  no  references to the chain (if there are
              you must delete  or  replace  the  referring  rules
              before  the  chain can be deleted).  If no argument
              is given, it will  attempt  to  delete  every  non-
              builtin chain in the table.

       -\b-P\bP,\b, -\b--\b-p\bpo\bol\bli\bic\bcy\by
              Set  the  policy for the chain to the given target.
              See the section  T\bTA\bAR\bRG\bGE\bET\bTS\bS  for  the  legal  targets.
              Only non-user-defined chains can have policies, and
              neither built-in nor  user-defined  chains  can  be
              policy targets.

       -\b-E\bE,\b, -\b--\b-r\bre\ben\bna\bam\bme\be-\b-c\bch\bha\bai\bin\bn
              Rename  the  user  specified chain to the user sup­
              plied name; this is cosmetic, and has no effect  on
              the structure of the table.

       -\b-h\bh     Help.  Give a (currently very brief) description of
              the command syntax.

   P\bPA\bAR\bRA\bAM\bME\bET\bTE\bER\bRS\bS
       The following parameters make up a rule specification  (as
       used  in  the  add, delete, replace, append and check com­
       mands).

       -\b-p\bp,\b, -\b--\b-p\bpr\bro\bot\bto\boc\bco\bol\bl [!] _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl
              The protocol of the rule or of the packet to check.
              The  specified  protocol  can  be  one of _\bt_\bc_\bp, _\bu_\bd_\bp,
              _\bi_\bc_\bm_\bp, or _\ba_\bl_\bl, or it can be a numeric value,  repre­
              senting  one of these protocols or a different one.
              A  protocol  name  from  /etc/protocols   is   also
              allowed.    A  "!"  argument  before  the  protocol
              inverts the test.  The number zero is equivalent to
              _\ba_\bl_\bl.   Protocol  _\ba_\bl_\bl  will match with all protocols
              and is taken as default when this option  is  omit­
              ted.

       -\b-s\bs,\b, -\b--\b-s\bso\bou\bur\brc\bce\be [!] _\ba_\bd_\bd_\br_\be_\bs_\bs[/_\bm_\ba_\bs_\bk]
              Source  specification.   _\bA_\bd_\bd_\br_\be_\bs_\bs  can  be  either a
              hostname, a network name, or a  plain  IP  address.
              The  _\bm_\ba_\bs_\bk  can  be either a network mask or a plain
              number, specifying the number of 1's  at  the  left
              side  of  the  network mask.  Thus, a mask of _\b2_\b4 is
              equivalent to _\b2_\b5_\b5_\b._\b2_\b5_\b5_\b._\b2_\b5_\b5_\b._\b0.  A "!" argument before
              the  address specification inverts the sense of the
              address. The flag -\b--\b-s\bsr\brc\bc is a convenient  alias  for
              this option.

       -\b-d\bd,\b, -\b--\b-d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn [!] _\ba_\bd_\bd_\br_\be_\bs_\bs[/_\bm_\ba_\bs_\bk]
              Destination  specification.  See the description of
              the -\b-s\bs (source) flag for a detailed description  of
              the  syntax.   The  flag -\b--\b-d\bds\bst\bt is an alias for this
              option.

       -\b-j\bj,\b, -\b--\b-j\bju\bum\bmp\bp _\bt_\ba_\br_\bg_\be_\bt
              This specifies the target of the rule; ie. what  to
              do  if  the packet matches it.  The target can be a
              user-defined chain (not the one this rule  is  in),
              one of the special builtin targets which decide the
              fate of the packet  immediately,  or  an  extension
              (see  E\bEX\bXT\bTE\bEN\bNS\bSI\bIO\bON\bNS\bS below).  If this option is omitted
              in a rule, then matching  the  rule  will  have  no
              effect  on  the  packet's fate, but the counters on
              the rule will be incremented.

       -\b-i\bi,\b, -\b--\b-i\bin\bn-\b-i\bin\bnt\bte\ber\brf\bfa\bac\bce\be [!] [_\bn_\ba_\bm_\be]
              Optional name of an interface via which a packet is
              received  (for  packets entering the I\bIN\bNP\bPU\bUT\bT, F\bFO\bOR\bRW\bWA\bAR\bRD\bD
              and P\bPR\bRE\bER\bRO\bOU\bUT\bTI\bIN\bNG\bG chains).  When the "!"  argument  is
              used  before  the  interface  name,  the  sense  is
              inverted.  If the interface name  ends  in  a  "+",
              then any interface which begins with this name will
              match.  If this option is omitted, the  string  "+"
              is  assumed,  which  will  match with any interface
              name.

       -\b-o\bo,\b, -\b--\b-o\bou\but\bt-\b-i\bin\bnt\bte\ber\brf\bfa\bac\bce\be [!] [_\bn_\ba_\bm_\be]
              Optional name of an interface via which a packet is
              going to be sent (for packets entering the F\bFO\bOR\bRW\bWA\bAR\bRD\bD,
              O\bOU\bUT\bTP\bPU\bUT\bT and P\bPO\bOS\bST\bTR\bRO\bOU\bUT\bTI\bIN\bNG\bG chains).  When the "!" argu­
              ment  is  used before the interface name, the sense
              is inverted.  If the interface name ends in a  "+",
              then any interface which begins with this name will
              match.  If this option is omitted, the  string  "+"
              is  assumed,  which  will  match with any interface
              name.

       [\b[!\b!]\b]  -\b-f\bf,\b, -\b--\b-f\bfr\bra\bag\bgm\bme\ben\bnt\bt
              This means that the rule only refers to second  and
              further  fragments  of  fragmented  packets.  Since
              there is no way to tell the source  or  destination
              ports  of  such  a  packet  (or  ICMP type), such a
              packet will not match any rules which specify them.
              When  the  "!" argument precedes the "-f" flag, the
              rule will only match  head  fragments,  or  unfrag­
              mented packets.

   O\bOT\bTH\bHE\bER\bR O\bOP\bPT\bTI\bIO\bON\bNS\bS
       The following additional options can be specified:

       -\b-v\bv,\b, -\b--\b-v\bve\ber\brb\bbo\bos\bse\be
              Verbose output.  This option makes the list command
              show the interface address, the  rule  options  (if
              any), and the TOS masks.  The packet and byte coun­
              ters are also listed, with the suffix 'K',  'M'  or
              'G' for 1000, 1,000,000 and 1,000,000,000 multipli­
              ers respectively (but see the  -\b-x\bx  flag  to  change
              this).   For  appending,  insertion,  deletion  and
              replacement, this causes  detailed  information  on
              the rule or rules to be printed.

       -\b-n\bn,\b, -\b--\b-n\bnu\bum\bme\ber\bri\bic\bc
              Numeric output.  IP addresses and port numbers will
              be printed in numeric format.  By default, the pro­
              gram  will  try to display them as host names, net­
              work names, or services (whenever applicable).

       -\b-x\bx,\b, -\b--\b-e\bex\bxa\bac\bct\bt
              Expand numbers.  Display the  exact  value  of  the
              packet  and  byte  counters,  instead  of  only the
              rounded number in K's (multiples of 1000) M's (mul­
              tiples of 1000K) or G's (multiples of 1000M).  This
              option is only relevant for the -\b-L\bL command.

       -\b--\b-l\bli\bin\bne\be-\b-n\bnu\bum\bmb\bbe\ber\brs\bs
              When listing rules, add line numbers to the  begin­
              ning  of  each  rule,  corresponding to that rule's
              position in the chain.

M\bMA\bAT\bTC\bCH\bH E\bEX\bXT\bTE\bEN\bNS\bSI\bIO\bON\bNS\bS
       iptables can use extended packet matching modules.   These
       are  loaded in two ways: implicitly, when -\b-p\bp or -\b--\b-p\bpr\bro\bot\bto\boc\bco\bol\bl
       is specified, or with the -\b-m\bm or -\b--\b-m\bma\bat\btc\bch\bh options,  followed
       by  the  matching  module name; after these, various extra
       command line options become available,  depending  on  the
       specific  module.  You can specify multiple extended match
       modules in one line, and you can  use  the  -\b-h\bh  or  -\b--\b-h\bhe\bel\blp\bp
       options  after  the  module  has been specified to receive
       help specific to that module.

       The following are included in the base package,  and  most
       of  these  can  be preceded by a !\b!  to invert the sense of
       the match.

   t\btc\bcp\bp
       These extensions are loaded if `--protocol tcp' is  speci­
       fied. It provides the following options:

       -\b--\b-s\bso\bou\bur\brc\bce\be-\b-p\bpo\bor\brt\bt [!] [_\bp_\bo_\br_\bt_\b[_\b:_\bp_\bo_\br_\bt_\b]]
              Source  port  or port range specification. This can
              either be a service  name  or  a  port  number.  An
              inclusive  range  can  also be specified, using the
              format _\bp_\bo_\br_\bt:_\bp_\bo_\br_\bt.  If the first  port  is  omitted,
              "0"  is assumed; if the last is omitted, "65535" is
              assumed.  If the second port greater then the first
              they will be swapped.  The flag -\b--\b-s\bsp\bpo\bor\brt\bt is an alias
              for this option.

       -\b--\b-d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn-\b-p\bpo\bor\brt\bt [!] [_\bp_\bo_\br_\bt_\b[_\b:_\bp_\bo_\br_\bt_\b]]
              Destination port or port range  specification.  The
              flag -\b--\b-d\bdp\bpo\bor\brt\bt is an alias for this option.

       -\b--\b-t\btc\bcp\bp-\b-f\bfl\bla\bag\bgs\bs [!] _\bm_\ba_\bs_\bk _\bc_\bo_\bm_\bp
              Match  when  the  TCP  flags are as specified.  The
              first argument is the flags which we  should  exam­
              ine,  written  as  a  comma-separated list, and the
              second argument is a comma-separated list of  flags
              which  must be set.  Flags are: S\bSY\bYN\bN A\bAC\bCK\bK F\bFI\bIN\bN R\bRS\bST\bT U\bUR\bRG\bG
              P\bPS\bSH\bH A\bAL\bLL\bL N\bNO\bON\bNE\bE.  Hence the command
               iptables   -A   FORWARD   -p    tcp    --tcp-flags
              SYN,ACK,FIN,RST SYN
              will  only match packets with the SYN flag set, and
              the ACK, FIN and RST flags unset.

       [\b[!\b!]\b] -\b--\b-s\bsy\byn\bn
              Only match TCP packets with the SYN bit set and the
              ACK and FIN bits cleared.  Such packets are used to
              request TCP  connection  initiation;  for  example,
              blocking  such  packets coming in an interface will
              prevent incoming TCP connections, but outgoing  TCP
              connections  will  be unaffected.  It is equivalent
              to -\b--\b-t\btc\bcp\bp-\b-f\bfl\bla\bag\bgs\bs S\bSY\bYN\bN,\b,R\bRS\bST\bT,\b,A\bAC\bCK\bK S\bSY\bYN\bN.  If  the  "!"  flag
              precedes  the  "--syn",  the sense of the option is
              inverted.

       -\b--\b-t\btc\bcp\bp-\b-o\bop\bpt\bti\bio\bon\bn [!] _\bn_\bu_\bm_\bb_\be_\br
              Match if TCP option set.

   u\bud\bdp\bp
       These extensions are loaded if `--protocol udp' is  speci­
       fied.  It provides the following options:

       -\b--\b-s\bso\bou\bur\brc\bce\be-\b-p\bpo\bor\brt\bt [!] [_\bp_\bo_\br_\bt_\b[_\b:_\bp_\bo_\br_\bt_\b]]
              Source  port  or port range specification.  See the
              description of the -\b--\b-s\bso\bou\bur\brc\bce\be-\b-p\bpo\bor\brt\bt option of the  TCP
              extension for details.

       -\b--\b-d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn-\b-p\bpo\bor\brt\bt [!] [_\bp_\bo_\br_\bt_\b[_\b:_\bp_\bo_\br_\bt_\b]]
              Destination  port or port range specification.  See
              the description of the -\b--\b-d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn-\b-p\bpo\bor\brt\bt option of
              the TCP extension for details.

   i\bic\bcm\bmp\bp
       This  extension  is  loaded if `--protocol icmp' is speci­
       fied.  It provides the following option:

       -\b--\b-i\bic\bcm\bmp\bp-\b-t\bty\byp\bpe\be [!] _\bt_\by_\bp_\be_\bn_\ba_\bm_\be
              This allows specification of the ICMP  type,  which
              can be a numeric ICMP type, or one of the ICMP type
              names shown by the command
               iptables -p icmp -h

   m\bma\bac\bc
       -\b--\b-m\bma\bac\bc-\b-s\bso\bou\bur\brc\bce\be [!] _\ba_\bd_\bd_\br_\be_\bs_\bs
              Match source MAC address.  It must be of  the  form
              XX:XX:XX:XX:XX:XX.  Note that this only makes sense
              for packets entering  the  P\bPR\bRE\bER\bRO\bOU\bUT\bTI\bIN\bNG\bG,  F\bFO\bOR\bRW\bWA\bAR\bRD\bD  or
              I\bIN\bNP\bPU\bUT\bT  chains  for  packets coming from an ethernet
              device.

   l\bli\bim\bmi\bit\bt
       This module matches at a limited rate using a token bucket
       filter:  it can be used in combination with the L\bLO\bOG\bG target
       to give limited logging.  A rule using this extension will
       match  until this limit is reached (unless the `!' flag is
       used).

       -\b--\b-l\bli\bim\bmi\bit\bt _\br_\ba_\bt_\be
              Maximum average matching rate: specified as a  num­
              ber,   with   an   optional  `/second',  `/minute',
              `/hour', or `/day' suffix; the default is 3/hour.

       -\b--\b-l\bli\bim\bmi\bit\bt-\b-b\bbu\bur\brs\bst\bt _\bn_\bu_\bm_\bb_\be_\br
              The maximum initial number  of  packets  to  match:
              this  number  gets  recharged by one every time the
              limit specified above is not reached,  up  to  this
              number; the default is 5.

   m\bmu\bul\blt\bti\bip\bpo\bor\brt\bt
       This  module matches a set of source or destination ports.
       Up to 15 ports can be specified. It can only  be  used  in
       conjunction with -\b-p\bp t\btc\bcp\bp or -\b-p\bp u\bud\bdp\bp.

       -\b--\b-s\bso\bou\bur\brc\bce\be-\b-p\bpo\bor\brt\bt [_\bp_\bo_\br_\bt_\b[_\b,_\bp_\bo_\br_\bt_\b]]
              Match if the source port is one of the given ports.

       -\b--\b-d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn-\b-p\bpo\bor\brt\bt [_\bp_\bo_\br_\bt_\b[_\b,_\bp_\bo_\br_\bt_\b]]
              Match if the destination port is one of  the  given
              ports.

       -\b--\b-p\bpo\bor\brt\bt [_\bp_\bo_\br_\bt_\b[_\b,_\bp_\bo_\br_\bt_\b]]
              Match  if the both the source and destination ports
              are equal to each other and to  one  of  the  given
              ports.

   m\bma\bar\brk\bk
       This  module  matches  the netfilter mark field associated
       with a packet (which can be  set  using  the  M\bMA\bAR\bRK\bK  target
       below).

       -\b--\b-m\bma\bar\brk\bk _\bv_\ba_\bl_\bu_\be_\b[_\b/_\bm_\ba_\bs_\bk_\b]
              Matches  packets with the given unsigned mark value
              (if a mask is specified, this  is  logically  ANDed
              with the mark before the comparison).

   o\bow\bwn\bne\ber\br
       This  module  attempts to match various characteristics of
       the packet creator, for locally-generated packets.  It  is
       only valid in the O\bOU\bUT\bTP\bPU\bUT\bT chain, and even this some packets
       (such as ICMP ping responses) may have no owner, and hence
       never match.

       -\b--\b-u\bui\bid\bd-\b-o\bow\bwn\bne\ber\br _\bu_\bs_\be_\br_\bi_\bd
              Matches if the packet was created by a process with
              the given effective user id.

       -\b--\b-g\bgi\bid\bd-\b-o\bow\bwn\bne\ber\br _\bg_\br_\bo_\bu_\bp_\bi_\bd
              Matches if the packet was created by a process with
              the given effective group id.

       -\b--\b-p\bpi\bid\bd-\b-o\bow\bwn\bne\ber\br _\bp_\br_\bo_\bc_\be_\bs_\bs_\bi_\bd
              Matches if the packet was created by a process with
              the given process id.

       -\b--\b-s\bsi\bid\bd-\b-o\bow\bwn\bne\ber\br _\bs_\be_\bs_\bs_\bi_\bo_\bn_\bi_\bd
              Matches if the packet was created by a  process  in
              the given session group.

   s\bst\bta\bat\bte\be
       This  module,  when  combined  with  connection  tracking,
       allows access to the connection tracking  state  for  this
       packet.

       -\b--\b-s\bst\bta\bat\bte\be _\bs_\bt_\ba_\bt_\be
              Where  state  is a comma separated list of the con­
              nection  states  to  match.   Possible  states  are
              I\bIN\bNV\bVA\bAL\bLI\bID\bD  meaning that the packet is associated with
              no known connection, E\bES\bST\bTA\bAB\bBL\bLI\bIS\bSH\bHE\bED\bD meaning  that  the
              packet  is  associated  with a connection which has
              seen packets in both directions, N\bNE\bEW\bW  meaning  that
              the  packet has started a new connection, or other­
              wise associated with a  connection  which  has  not
              seen  packets in both directions, and R\bRE\bEL\bLA\bAT\bTE\bED\bD mean­
              ing that the packet is starting a  new  connection,
              but is associated with an existing connection, such
              as an FTP data transfer, or an ICMP error.

   u\bun\bnc\bcl\ble\bea\ban\bn
       This module takes no options, but attempts to match  pack­
       ets  which seem malformed or unusual.  This is regarded as
       experimental.

   t\bto\bos\bs
       This module matches the 8 bits of Type of Service field in
       the IP header (ie. including the precedence bits).

       -\b--\b-t\bto\bos\bs _\bt_\bo_\bs
              The argument is either a standard name, (use
               iptables -m tos -h
              to see the list), or a numeric value to match.

T\bTA\bAR\bRG\bGE\bET\bT E\bEX\bXT\bTE\bEN\bNS\bSI\bIO\bON\bNS\bS
       iptables  can  use  extended target modules: the following
       are included in the standard distribution.

   L\bLO\bOG\bG
       Turn on kernel logging of  matching  packets.   When  this
       option is set for a rule, the Linux kernel will print some
       information on all matching packets (like most  IP  header
       fields)  via  the  kernel  log  (where it can be read with
       _\bd_\bm_\be_\bs_\bg or _\bs_\by_\bs_\bl_\bo_\bg_\bd(8)).

       -\b--\b-l\blo\bog\bg-\b-l\ble\bev\bve\bel\bl _\bl_\be_\bv_\be_\bl
              Level of logging (numeric or see _\bs_\by_\bs_\bl_\bo_\bg_\b._\bc_\bo_\bn_\bf(5)).

       -\b--\b-l\blo\bog\bg-\b-p\bpr\bre\bef\bfi\bix\bx _\bp_\br_\be_\bf_\bi_\bx
              Prefix log messages with the specified  prefix;  up
              to  29  letters long, and useful for distinguishing
              messages in the logs.

       -\b--\b-l\blo\bog\bg-\b-t\btc\bcp\bp-\b-s\bse\beq\bqu\bue\ben\bnc\bce\be
              Log TCP sequence numbers. This is a  security  risk
              if the log is readable by users.

       -\b--\b-l\blo\bog\bg-\b-t\btc\bcp\bp-\b-o\bop\bpt\bti\bio\bon\bns\bs
              Log options from the TCP packet header.

       -\b--\b-l\blo\bog\bg-\b-i\bip\bp-\b-o\bop\bpt\bti\bio\bon\bns\bs
              Log options from the IP packet header.

   M\bMA\bAR\bRK\bK
       This  is  used  to set the netfilter mark value associated
       with the packet.  It is only valid in the m\bma\ban\bng\bgl\ble\be table.

       -\b--\b-s\bse\bet\bt-\b-m\bma\bar\brk\bk _\bm_\ba_\br_\bk

   R\bRE\bEJ\bJE\bEC\bCT\bT
       This is used to send back an error packet in  response  to
       the  matched  packet:  otherwise it is equivalent to D\bDR\bRO\bOP\bP.
       This target is only valid in the I\bIN\bNP\bPU\bUT\bT, F\bFO\bOR\bRW\bWA\bAR\bRD\bD and O\bOU\bUT\bTP\bPU\bUT\bT
       chains, and user-defined chains which are only called from
       those chains.  Several options control the nature  of  the
       error packet returned:

       -\b--\b-r\bre\bej\bje\bec\bct\bt-\b-w\bwi\bit\bth\bh _\bt_\by_\bp_\be
              The  type  given can be i\bic\bcm\bmp\bp-\b-n\bne\bet\bt-\b-u\bun\bnr\bre\bea\bac\bch\bha\bab\bbl\ble\be, i\bic\bcm\bmp\bp-\b-
              h\bho\bos\bst\bt-\b-u\bun\bnr\bre\bea\bac\bch\bha\bab\bbl\ble\be,   i\bic\bcm\bmp\bp-\b-p\bpo\bor\brt\bt-\b-u\bun\bnr\bre\bea\bac\bch\bha\bab\bbl\ble\be,    i\bic\bcm\bmp\bp-\b-
              p\bpr\bro\bot\bto\bo-\b-u\bun\bnr\bre\bea\bac\bch\bha\bab\bbl\ble\be, i\bic\bcm\bmp\bp-\b-n\bne\bet\bt-\b-p\bpr\bro\boh\bhi\bib\bbi\bit\bte\bed\bdor i\bic\bcm\bmp\bp-\b-h\bho\bos\bst\bt-\b-
              p\bpr\bro\boh\bhi\bib\bbi\bit\bte\bed\bd, which return the appropriate ICMP error
              message  (port-unreachable  is  the  default).  The
              option e\bec\bch\bho\bo-\b-r\bre\bep\bpl\bly\by is also allowed; it can  only  be
              used  for  rules which specify an ICMP ping packet,
              and generates a ping reply.   Finally,  the  option
              t\btc\bcp\bp-\b-r\bre\bes\bse\bet\bt can be used on rules which only match the
              TCP protocol: this causes a TCP RST  packet  to  be
              sent  back.   This  is  mainly  useful for blocking
              _\bi_\bd_\be_\bn_\bt probes which frequently  occur  when  sending
              mail  to broken mail hosts (which won't accept your
              mail otherwise).

   T\bTO\bOS\bS
       This is used to set the 8-bit Type of Service field in the
       IP header.  It is only valid in the m\bma\ban\bng\bgl\ble\be table.

       -\b--\b-s\bse\bet\bt-\b-t\bto\bos\bs _\bt_\bo_\bs
              You can use a numeric TOS values, or use
               iptables -j TOS -h
              to see the list of valid TOS names.

   M\bMI\bIR\bRR\bRO\bOR\bR
       This is an experimental demonstration target which inverts
       the source and destination fields in  the  IP  header  and
       retransmits  the  packet.   It is only valid in the I\bIN\bNP\bPU\bUT\bT,
       F\bFO\bOR\bRW\bWA\bAR\bRD\bD and P\bPR\bRE\bER\bRO\bOU\bUT\bTI\bIN\bNG\bG  chains,  and  user-defined  chains
       which  are  only  called from those chains.  Note that the
       outgoing packets are N\bNO\bOT\bT  seen  by  any  packet  filtering
       chains,  connection  tracking  or  NAT, to avoid loops and
       other problems.

   S\bSN\bNA\bAT\bT
       This target is  only  valid  in  the  n\bna\bat\bt  table,  in  the
       P\bPO\bOS\bST\bTR\bRO\bOU\bUT\bTI\bIN\bNG\bG  chain.   It specifies that the source address
       of the packet should be modified (and all  future  packets
       in this connection will also be mangled), and rules should
       cease being examined.  It takes one option:

       -\b--\b-t\bto\bo-\b-s\bso\bou\bur\brc\bce\be  _\b<_\bi_\bp_\ba_\bd_\bd_\br_\b>_\b[_\b-_\b<_\bi_\bp_\ba_\bd_\bd_\br_\b>_\b]_\b[_\b:_\bp_\bo_\br_\bt_\b-_\bp_\bo_\br_\bt_\b]
              which can specify a single new source  IP  address,
              an inclusive range of IP addresses, and optionally,
              a port range (which is only valid if the rule  also
              specifies  -\b-p\bp  t\btc\bcp\bp or -\b-p\bp u\bud\bdp\bp).  If no port range is
              specified, then source  ports  below  512  will  be
              mapped to other ports below 512: those between 1024
              will be mapped to ports below 1024, and other ports
              will  be  mapped to 1024 or above.  Where possible,
              no port alteration will occur.

   D\bDN\bNA\bAT\bT
       This target is only valid in the n\bna\bat\bt table,  in  the  P\bPR\bRE\bE­\b­
       R\bRO\bOU\bUT\bTI\bIN\bNG\bG  and  O\bOU\bUT\bTP\bPU\bUT\bT chains, and user-defined chains which
       are only called from those chains.  It specifies that  the
       destination  address of the packet should be modified (and
       all future packets in this connection will  also  be  man­
       gled),  and  rules  should cease being examined.  It takes
       one option:

       -\b--\b-t\bto\bo-\b-d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn _\b<_\bi_\bp_\ba_\bd_\bd_\br_\b>_\b[_\b-_\b<_\bi_\bp_\ba_\bd_\bd_\br_\b>_\b]_\b[_\b:_\bp_\bo_\br_\bt_\b-_\bp_\bo_\br_\bt_\b]
              which can  specify  a  single  new  destination  IP
              address,  an  inclusive  range of IP addresses, and
              optionally, a port range (which is  only  valid  if
              the  rule  also specifies -\b-p\bp t\btc\bcp\bp or -\b-p\bp u\bud\bdp\bp).  If no
              port range is specified, then the destination  port
              will never be modified.

   M\bMA\bAS\bSQ\bQU\bUE\bER\bRA\bAD\bDE\bE
       This  target  is  only  valid  in  the  n\bna\bat\bt  table, in the
       P\bPO\bOS\bST\bTR\bRO\bOU\bUT\bTI\bIN\bNG\bG chain.  It should only be  used  with  dynami­
       cally  assigned  IP  (dialup)  connections:  if you have a
       static IP address, you should use the SNAT  target.   Mas­
       querading  is equivalent to specifying a mapping to the IP
       address of the interface the packet is going out, but also
       has  the  effect  that  connections are _\bf_\bo_\br_\bg_\bo_\bt_\bt_\be_\bn when the
       interface goes down.  This is the  correct  behavior  when
       the  next  dialup  is  unlikely to have the same interface
       address (and hence any established  connections  are  lost
       anyway).  It takes one option:

       -\b--\b-t\bto\bo-\b-p\bpo\bor\brt\bts\bs _\b<_\bp_\bo_\br_\bt_\b>_\b[_\b-_\b<_\bp_\bo_\br_\bt_\b>_\b]
              This  specifies  a  range  of  source ports to use,
              overriding the default S\bSN\bNA\bAT\bT  source  port-selection
              heuristics (see above).  This is only valid with if
              the rule also specifies -\b-p\bp t\btc\bcp\bp or -\b-p\bp u\bud\bdp\bp).

   R\bRE\bED\bDI\bIR\bRE\bEC\bCT\bT
       This target is only valid in the n\bna\bat\bt table,  in  the  P\bPR\bRE\bE­\b­
       R\bRO\bOU\bUT\bTI\bIN\bNG\bG  and  O\bOU\bUT\bTP\bPU\bUT\bT chains, and user-defined chains which
       are only called from those chains.  It alters the destina­
       tion  IP  address to send the packet to the machine itself
       (locally-generated packets are  mapped  to  the  127.0.0.1
       address).  It takes one option:

       -\b--\b-t\bto\bo-\b-p\bpo\bor\brt\bts\bs _\b<_\bp_\bo_\br_\bt_\b>_\b[_\b-_\b<_\bp_\bo_\br_\bt_\b>_\b]
              This specifies a destination port or range or ports
              to use: without this, the destination port is never
              altered.   This is only valid with if the rule also
              specifies -\b-p\bp t\btc\bcp\bp or -\b-p\bp u\bud\bdp\bp).

E\bEX\bXT\bTR\bRA\bA E\bEX\bXT\bTE\bEN\bNS\bSI\bIO\bON\bNS\bS
       The following extensions are not included  by  default  in
       the standard distribution.

   t\btt\btl\bl
       This  module  matches  the  time  to  live field in the IP
       header.

       -\b--\b-t\btt\btl\bl _\bt_\bt_\bl
              Matches the given TTL value.

   T\bTT\bTL\bL
       This target is used to modify the time to  live  field  in
       the IP header.  It is only valid in the m\bma\ban\bng\bgl\ble\be table.

       -\b--\b-t\btt\btl\bl-\b-s\bse\bet\bt _\bt_\bt_\bl
              Set the TTL to the given value.

       -\b--\b-t\btt\btl\bl-\b-d\bde\bec\bc _\bt_\bt_\bl
              Decrement the TTL by the given value.

       -\b--\b-t\btt\btl\bl-\b-i\bin\bnc\bc _\bt_\bt_\bl
              Increment the TTL by the given value.

   U\bUL\bLO\bOG\bG
       This  target  provides userspace logging of matching pack­
       ets.  When this target is set for a rule, the Linux kernel
       will  multicast  this packet through a _\bn_\be_\bt_\bl_\bi_\bn_\bk socket. One
       or more userspace processes may then subscribe to  various
       multicast groups and receive the packets.

       -\b--\b-u\bul\blo\bog\bg-\b-n\bnl\blg\bgr\bro\bou\bup\bp_\b<_\bn_\bl_\bg_\br_\bo_\bu_\bp_\b>
              This  specifies  the  netlink group (1-32) to which
              the packet is sent.

       -\b--\b-u\bul\blo\bog\bg-\b-p\bpr\bre\bef\bfi\bix\bx_\b<_\bp_\br_\be_\bf_\bi_\bx_\b>
              Prefix log messages with the specified  prefix;  up
              to  32 characters long, and useful fro distinguish­
              ing messages in the logs.

       -\b--\b-u\bul\blo\bog\bg-\b-c\bcp\bpr\bra\ban\bng\bge\be_\b<_\bs_\bi_\bz_\be_\b>
              Number of bytes to be copied to userspace. A  value
              of 0 always copies the entire packet, regardless of
              its size.

D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
       Various error messages are printed to standard error.  The
       exit  code  is  0  for  correct functioning.  Errors which
       appear to be caused by  invalid  or  abused  command  line
       parameters cause an exit code of 2, and other errors cause
       an exit code of 1.

B\bBU\bUG\bGS\bS
       Check is not implemented (yet).

C\bCO\bOM\bMP\bPA\bAT\bTI\bIB\bBI\bIL\bLI\bIT\bTY\bY W\bWI\bIT\bTH\bH I\bIP\bPC\bCH\bHA\bAI\bIN\bNS\bS
       This i\bip\bpt\bta\bab\bbl\ble\bes\bs is very similar to ipchains  by  Rusty  Rus­
       sell.   The  main  difference is that the chains I\bIN\bNP\bPU\bUT\bT and
       O\bOU\bUT\bTP\bPU\bUT\bT are only traversed  for  packets  coming  into  the
       local  host  and  originating  from the local host respec­
       tively.  Hence every packet only passes through one of the
       three  chains;  previously  a  forwarded packet would pass
       through all three.

       The other main difference is that -\b-i\bi refers to  the  input
       interface; -\b-o\bo refers to the output interface, and both are
       available for packets entering the F\bFO\bOR\bRW\bWA\bAR\bRD\bD chain.

       i\bip\bpt\bta\bab\bbl\ble\bes\bs is a pure packet filter when  using  the  default
       `filter'  table,  with  optional  extension modules.  This
       should simplify much of the previous  confusion  over  the
       combination  of  IP masquerading and packet filtering seen
       previously.  So the following options are handled  differ­
       ently:
        -j MASQ
        -M -S
        -M -L
       There are several other changes in iptables.

S\bSE\bEE\bE A\bAL\bLS\bSO\bO
       The iptables-HOWTO, which details more iptables usage, the
       NAT-HOWTO, which details NAT, and  the  netfilter-hacking-
       HOWTO which details the internals.

A\bAU\bUT\bTH\bHO\bOR\bRS\bS
       Rusty  Russell  wrote iptables, in early consultation with
       Michael Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a
       generic packet selection framework in iptables, then wrote
       the mangle table, the owner match, the mark stuff, and ran
       around doing cool stuff everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald  Welte  wrote the ULOG target, TTL match+target and
       libipulog.

       The Netfilter Core Team is: Marc Boucher, James Morris and
       Rusty Russell.






                           Aug 11, 2000                         1