IPTABLES(8)                     iptables 1.4.7                     IPTABLES(8)

NAME
       iptables — administration tool for IPv4 packet filtering and NAT

SYNOPSIS
       iptables [-t table] {-A|-C|-D} chain rule-specification
       iptables [-t table] -I chain [rulenum] rule-specification
       iptables [-t table] -R chain rulenum rule-specification
       iptables [-t table] -D chain rulenum
       iptables [-t table] -S [chain [rulenum]]
       iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
       iptables [-t table] -N chain
       iptables [-t table] -X [chain]
       iptables [-t table] -P chain target
       iptables [-t table] -E old-chain-name new-chain-name

       rule-specification = [matches...] [target]
       match = -m matchname [per-match-options]
       target = -j targetname [per-target-options]

DESCRIPTION
       Iptables is used to set up, maintain, and inspect the tables of IPv4
       packet filter rules in the Linux kernel.  Several different tables may
       be defined.  Each table contains a number of built-in chains and may
       also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets.  Each
       rule specifies what to do with a packet that matches.  This is called a
       `target', which may be a jump to a user-defined chain in the same
       table.

TARGETS
       A firewall rule specifies criteria for a packet and a target.  If the
       packet does not match, the next rule in the chain is examined; if it
       does match, then the next rule is specified by the value of the
       target, which can be the name of a user-defined chain or one of the
       special values ACCEPT, DROP, QUEUE or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the packet
       on the floor.  QUEUE means to pass the packet to userspace.  (How the
       packet can be received by a userspace process differs by the
       particular queue handler.  2.4.x and 2.6.x kernels up to 2.6.13
       include the ip_queue queue handler.  Kernels 2.6.14 and later
       additionally include the nfnetlink_queue queue handler.  Packets with
       a target of QUEUE will be sent to queue number '0' in this case.
       Please also see the NFQUEUE target as described later in this man
       page.)  RETURN means stop traversing this chain and resume at the next
       rule in the previous (calling) chain.  If the end of a built-in chain
       is reached or a rule in a built-in chain with target RETURN is
       matched, the target specified by the chain policy determines the fate
       of the packet.

TABLES
       There are currently four independent tables (which tables are present
       at any time depends on the kernel configuration options and which
       modules are present).

       -t, --table table
              This option specifies the packet matching table which the
              command should operate on.  If the kernel is configured with
              automatic module loading, an attempt will be made to load the
              appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed).  It
                  contains the built-in chains INPUT (for packets destined to
                  local sockets), FORWARD (for packets being routed through
                  the box), and OUTPUT (for locally-generated packets).

              nat:
                  This table is consulted when a packet that creates a new
                  connection is encountered.  It consists of three built-ins:
                  PREROUTING (for altering packets as soon as they come in),
                  OUTPUT (for altering locally-generated packets before
                  routing), and POSTROUTING (for altering packets as they are
                  about to go out).

              mangle:
                  This table is used for specialized packet alteration.  Until
                  kernel 2.4.17 it had two built-in chains: PREROUTING (for
                  altering incoming packets before routing) and OUTPUT (for
                  altering locally-generated packets before routing).  Since
                  kernel 2.4.18, three other built-in chains are also
                  supported: INPUT (for packets coming into the box itself),
                  FORWARD (for altering packets being routed through the box),
                  and POSTROUTING (for altering packets as they are about to
                  go out).

              raw:
                  This table is used mainly for configuring exemptions from
                  connection tracking in combination with the NOTRACK target.
                  It registers at the netfilter hooks with higher priority and
                  is thus called before ip_conntrack, or any other IP tables.
                  It provides the following built-in chains: PREROUTING (for
                  packets arriving via any network interface) and OUTPUT (for
                  packets generated by local processes).

OPTIONS
       The options that are recognized by iptables can be divided into several
       different groups.

   COMMANDS
       These options specify the desired action to perform.  Only one of them
       can be specified on the command line unless otherwise stated below.  For
       long versions of the command and option names, you need to use only
       enough letters to ensure that iptables can differentiate it from all
       other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.  When
              the source and/or destination names resolve to more than one
              address, a rule will be added for each possible address
              combination.

       -C, --check chain rule-specification
              Check whether a rule matching the specification does exist in
              the selected chain.  This command uses the same logic as -D to
              find a matching entry, but does not alter the existing iptables
              configuration and uses its exit code to indicate success or
              failure.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain.  There are two
              versions of this command: the rule can be specified as a number
              in the chain (starting at 1 for the first rule) or a rule to
              match.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given rule
              number.  So, if the rule number is 1, the rule or rules are
              inserted at the head of the chain.  This is also the default if
              no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source and/or
              destination names resolve to multiple addresses, the command
              will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is selected,
              all chains are listed.  Like every other iptables command, it
              applies to the specified table (filter is the default), so NAT
              rules get listed by
               iptables -t nat -n -L
              Please note that it is often used with the -n option, in order
              to avoid long reverse DNS lookups.  It is legal to specify the
              -Z (zero) option as well, in which case the chain(s) will be
              atomically listed and zeroed.  The exact output is affected by
              the other arguments given.  The exact rules are suppressed until
              you use
               iptables -L -v

       -S, --list-rules [chain]
              Print all rules in the selected chain.  If no chain is selected,
              all chains are printed like iptables-save.  Like every other
              iptables command, it applies to the specified table (filter is
              the default).

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none is
              given).  This is equivalent to deleting all the rules one by
              one.

       -Z, --zero [chain [rulenum]]
              Zero the packet and byte counters in all chains, or only the
              given chain, or only the given rule in a chain.  It is legal to
              specify the -L, --list (list) option as well, to see the
              counters immediately before they are cleared.  (See above.)

       -N, --new-chain chain
              Create a new user-defined chain by the given name.  There must
              be no target of that name already.

       -X, --delete-chain [chain]
              Delete the user-defined chain specified.  There must be no
              references to the chain.  If there are, you must delete or
              replace the referring rules before the chain can be deleted.
              The chain must be empty, i.e. not contain any rules.  If no
              argument is given, it will attempt to delete every non-builtin
              chain in the table.

       -P, --policy chain target
              Set the policy for the chain to the given target.  See the
              section TARGETS for the legal targets.  Only built-in (non-user-
              defined) chains can have policies, and neither built-in nor
              user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename the user specified chain to the user supplied name.  This
              is cosmetic, and has no effect on the structure of the table.

       -h     Help.  Give a (currently very brief) description of the command
              syntax.

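       As an added example (not part of the iptables man page), the script
       below puts the commands above and the TARGETS/TABLES semantics to
       work: it builds a small stateful host firewall in the filter table
       and tears it down again.  Rule additions are made idempotent with -C,
       a user-defined chain ends in RETURN so that unmatched traffic falls
       through to the INPUT policy, and the teardown follows the order -X
       requires (no references, then empty, then delete).  DRY_RUN=1 prints
       each iptables invocation instead of executing it, so the ruleset can
       be reviewed without root.  The chain name MGMT and the admin network
       192.0.2.0/24 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the iptables man page. Builds and removes a
# stateful INPUT firewall with the commands documented above.
# Assumptions: chain name MGMT and admin network 192.0.2.0/24.
# DRY_RUN=1 prints the commands instead of running them (no root needed).

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# ipt ARGS...: run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# ensure_rule CHAIN RULE...: append RULE only if -C reports it absent, so
# re-running this script never creates duplicate rules.
ensure_rule() {
    chain="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT -C $chain $* || $IPT -A $chain $*"
    else
        "$IPT" -C "$chain" "$@" 2>/dev/null || "$IPT" -A "$chain" "$@"
    fi
}

build_ruleset() {
    # Policies: whatever reaches the end of INPUT or FORWARD is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # -N fails if MGMT already exists, so tolerate that and flush it (-F)
    # before repopulating.
    ipt -N MGMT 2>/dev/null || true
    ipt -F MGMT

    # Stateful core first, then hand new SSH connections to MGMT.
    ensure_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ensure_rule INPUT -m conntrack --ctstate INVALID -j DROP
    ensure_rule INPUT -i lo -j ACCEPT
    ensure_rule INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j MGMT

    # Only the admin network is accepted inside MGMT. Everything else hits
    # RETURN, resumes in INPUT after the jump, matches nothing further and
    # is dropped by the INPUT policy.
    ensure_rule MGMT -s 192.0.2.0/24 -j ACCEPT
    ensure_rule MGMT -j RETURN
}

# Undo in the order -X demands. Policies go back to ACCEPT first so the
# host is never left with an empty chain and a DROP policy part-way
# through; -F INPUT removes the rule that references MGMT, the chain is
# emptied, and only then can it be deleted.
teardown_ruleset() {
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -F INPUT
    ipt -F MGMT
    ipt -X MGMT
}

case "${1:-}" in
    apply)    build_ruleset ;;
    teardown) teardown_ruleset ;;
esac
```

       Review with `DRY_RUN=1 sh firewall.sh apply`, then run the same
       command as root without DRY_RUN; `iptables -S` afterwards shows the
       resulting rules in a form that can be compared against the printed
       dry-run output.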
   PARAMETERS
       The following parameters make up a rule specification (as used in the
       add, delete, insert, replace and append commands).

       [!] -p, --protocol protocol
              The protocol of the rule or of the packet to check.  The
              specified protocol can be one of tcp, udp, udplite, icmp, esp,
              ah, sctp or all, or it can be a numeric value, representing one
              of these protocols or a different one.  A protocol name from
              /etc/protocols is also allowed.  A "!" argument before the
              protocol inverts the test.  The number zero is equivalent to
              all.  Protocol all will match with all protocols and is taken as
              default when this option is omitted.

       [!] -s, --source address[/mask][,...]
              Source specification.  Address can be either a network name, a
              hostname, a network IP address (with /mask), or a plain IP
              address.  Hostnames will be resolved once only, before the rule
              is submitted to the kernel.  Please note that specifying any
              name to be resolved with a remote query such as DNS is a really
              bad idea.  The mask can be either a network mask or a plain
              number, specifying the number of 1's at the left side of the
              network mask.  Thus, a mask of 24 is equivalent to
              255.255.255.0.  A "!" argument before the address specification
              inverts the sense of the address.  The flag --src is an alias
              for this option.  Multiple addresses can be specified, but this
              will expand to multiple rules (when adding with -A), or will
              cause multiple rules to be deleted (with -D).

       [!] -d, --destination address[/mask][,...]
              Destination specification.  See the description of the -s
              (source) flag for a detailed description of the syntax.  The
              flag --dst is an alias for this option.

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if the
              packet matches it.  The target can be a user-defined chain
              (other than the one this rule is in), one of the special builtin
              targets which decide the fate of the packet immediately, or an
              extension (see EXTENSIONS below).  If this option is omitted in
              a rule (and -g is not used), then matching the rule will have no
              effect on the packet's fate, but the counters on the rule will
              be incremented.

       -g, --goto chain
              This specifies that the processing should continue in a user
              specified chain.  Unlike the --jump option return will not
              continue processing in this chain but instead in the chain that
              called us via --jump.

       [!] -i, --in-interface name
              Name of an interface via which a packet was received (only for
              packets entering the INPUT, FORWARD and PREROUTING chains).
              When the "!" argument is used before the interface name, the
              sense is inverted.  If the interface name ends in a "+", then
              any interface which begins with this name will match.  If this
              option is omitted, any interface name will match.

       [!] -o, --out-interface name
              Name of an interface via which a packet is going to be sent (for
              packets entering the FORWARD, OUTPUT and POSTROUTING chains).
              When the "!" argument is used before the interface name, the
              sense is inverted.  If the interface name ends in a "+", then
              any interface which begins with this name will match.  If this
              option is omitted, any interface name will match.

       [!] -f, --fragment
              This means that the rule only refers to second and further
              fragments of fragmented packets.  Since there is no way to tell
              the source or destination ports of such a packet (or ICMP type),
              such a packet will not match any rules which specify them.  When
              the "!" argument precedes the "-f" flag, the rule will only
              match head fragments, or unfragmented packets.

       -c, --set-counters packets bytes
              This enables the administrator to initialize the packet and byte
              counters of a rule (during INSERT, APPEND, REPLACE operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output.  This option makes the list command show the
              interface name, the rule options (if any), and the TOS masks.
              The packet and byte counters are also listed, with the suffix
              'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000
              multipliers respectively (but see the -x flag to change this).
              For appending, insertion, deletion and replacement, this causes
              detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output.  IP addresses and port numbers will be printed
              in numeric format.  By default, the program will try to display
              them as host names, network names, or services (whenever
              applicable).

       -x, --exact
              Expand numbers.  Display the exact value of the packet and byte
              counters, instead of only the rounded number in K's (multiples
              of 1000) M's (multiples of 1000K) or G's (multiples of 1000M).
              This option is only relevant for the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each
              rule, corresponding to that rule's position in the chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command to load
              any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS
       iptables can use extended packet matching modules.  These are loaded in
       two ways: implicitly, when -p or --protocol is specified, or with the
       -m or --match options, followed by the matching module name; after
       these, various extra command line options become available, depending
       on the specific module.  You can specify multiple extended match
       modules in one line, and you can use the -h or --help options after the
       module has been specified to receive help specific to that module.

       The following are included in the base package, and most of these can
       be preceded by a "!" to invert the sense of the match.

   addrtype
       This module matches packets based on their address type.  Address types
       are used within the kernel networking stack and categorize addresses
       into various groups.  The exact definition of that group depends on the
       specific layer three protocol.

       The following address types are possible:

       UNSPEC an unspecified address (i.e. 0.0.0.0)

       UNICAST
              a unicast address

       LOCAL  a local address

       BROADCAST
              a broadcast address

       ANYCAST
              an anycast packet

       MULTICAST
              a multicast address

       BLACKHOLE
              a blackhole address

       UNREACHABLE
              an unreachable address

       PROHIBIT
              a prohibited address

       THROW  FIXME

       NAT    FIXME

       XRESOLVE

       [!] --src-type type
              Matches if the source address is of given type

       [!] --dst-type type
              Matches if the destination address is of given type

       --limit-iface-in
              The address type checking can be limited to the interface the
              packet is coming in.  This option is only valid in the
              PREROUTING, INPUT and FORWARD chains.  It cannot be specified
              with the --limit-iface-out option.

       --limit-iface-out
              The address type checking can be limited to the interface the
              packet is going out.  This option is only valid in the
              POSTROUTING, OUTPUT and FORWARD chains.  It cannot be specified
              with the --limit-iface-in option.

   ah
       This module matches the SPIs in Authentication header of IPsec packets.

       [!] --ahspi spi[:spi]

   cluster
       Allows you to deploy gateway and back-end load-sharing clusters without
       the need of load-balancers.

       This match requires that all the nodes see the same packets.  Thus, the
       cluster match decides if this node has to handle a packet given the
       following options:

       --cluster-total-nodes num
              Set number of total nodes in cluster.

       [!] --cluster-local-node num
              Set the local node number ID.

       [!] --cluster-local-nodemask mask
              Set the local node number ID mask.  You can use this option
              instead of --cluster-local-node.

       --cluster-hash-seed value
              Set seed value of the Jenkins hash.

       Example:

              iptables -A PREROUTING -t mangle -i eth1 -m cluster
              --cluster-total-nodes 2 --cluster-local-node 1
              --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

              iptables -A PREROUTING -t mangle -i eth2 -m cluster
              --cluster-total-nodes 2 --cluster-local-node 1
              --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

              iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff
              -j DROP

              iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff
              -j DROP

       And the following commands to make all nodes see the same packets:

              ip maddr add 01:00:5e:00:01:01 dev eth1

              ip maddr add 01:00:5e:00:01:02 dev eth2

              arptables -A OUTPUT -o eth1 --h-length 6 -j mangle
              --mangle-mac-s 01:00:5e:00:01:01

              arptables -A INPUT -i eth1 --h-length 6 --destination-mac
              01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

              arptables -A OUTPUT -o eth2 --h-length 6 -j mangle
              --mangle-mac-s 01:00:5e:00:01:02

              arptables -A INPUT -i eth2 --h-length 6 --destination-mac
              01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

       In the case of TCP connections, the pickup facility (tracking of
       already established connections whose handshake was not seen) has to
       be disabled to avoid marking TCP ACK packets coming in the reply
       direction as valid:

              echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

   comment
       Allows you to add comments (up to 256 characters) to any rule.

       --comment comment

       Example:
              iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A
              privatized IP block"

   connbytes
       Match by how many bytes or packets a connection (or one of the two
       flows constituting the connection) has transferred so far, or by
       average bytes per packet.

       The counters are 64-bit and are thus not expected to overflow ;)

       The primary use is to detect long-lived downloads and mark them to be
       scheduled using a lower priority band in traffic control.

       The transferred bytes per connection can also be viewed through
       `conntrack -L` and accessed via ctnetlink.

       NOTE that for connections which have no accounting information, the
       match will always return false.  The "net.netfilter.nf_conntrack_acct"
       sysctl flag controls whether new connections will be byte/packet
       counted.  Existing connection flows will not gain or lose the
       accounting structure when the sysctl flag is flipped.

       [!] --connbytes from[:to]
              match packets from a connection whose packets/bytes/average
              packet size is more than FROM and less than TO bytes/packets.
              If TO is omitted only the FROM check is done.  "!" is used to
              match packets not falling in the range.

       --connbytes-dir {original|reply|both}
              which packets to consider

       --connbytes-mode {packets|bytes|avgpkt}
              whether to check the amount of packets, number of bytes
              transferred or the average size (in bytes) of all packets
              received so far.  Note that when "both" is used together with
              "avgpkt", and data is going (mainly) only in one direction (for
              example HTTP), the average packet size will be about half of
              the actual data packets.

       Example:
              iptables .. -m connbytes --connbytes 10000:100000
              --connbytes-dir both --connbytes-mode bytes ...

   connlimit
       Allows you to restrict the number of parallel connections to a server
       per client IP address (or client address block).

       [!] --connlimit-above n
              Match if the number of existing connections is (not) above n.

       --connlimit-mask prefix_length
              Group hosts using the prefix length.  For IPv4, this must be a
              number between (including) 0 and 32.  For IPv6, between 0 and
              128.

       Examples:

       # allow 2 telnet connections per client host
              iptables -A INPUT -p tcp --syn --dport 23 -m connlimit
              --connlimit-above 2 -j REJECT

       # you can also match the other way around:
              iptables -A INPUT -p tcp --syn --dport 23 -m connlimit
              ! --connlimit-above 2 -j ACCEPT

       # limit the number of parallel HTTP requests to 16 per class C sized
       network (24 bit netmask)
              iptables -A INPUT -p tcp --syn --dport 80 -m connlimit
              --connlimit-above 16 --connlimit-mask 24 -j REJECT

       # limit the number of parallel HTTP requests to 16 for the link local
       network
              (ipv6) ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64
              -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

   connmark
       This module matches the netfilter mark field associated with a
       connection (which can be set using the CONNMARK target below).

       [!] --mark value[/mask]
              Matches packets in connections with the given mark value (if a
              mask is specified, this is logically ANDed with the mark before
              the comparison).

   conntrack
       This module, when combined with connection tracking, allows access to
       the connection tracking state for this packet/connection.

       [!] --ctstate statelist
              statelist is a comma separated list of the connection states to
              match.  Possible states are listed below.

       [!] --ctproto l4proto
              Layer-4 protocol to match (by number or name)

       [!] --ctorigsrc address[/mask]

       [!] --ctorigdst address[/mask]

       [!] --ctreplsrc address[/mask]

       [!] --ctrepldst address[/mask]
              Match against original/reply source/destination address

       [!] --ctorigsrcport port

       [!] --ctorigdstport port

       [!] --ctreplsrcport port

       [!] --ctrepldstport port
              Match against original/reply source/destination port
              (TCP/UDP/etc.) or GRE key.

       [!] --ctstatus statuslist
              statuslist is a comma separated list of the connection statuses
              to match.  Possible statuses are listed below.

       [!] --ctexpire time[:time]
              Match remaining lifetime in seconds against given value or range
              of values (inclusive)

       --ctdir {ORIGINAL|REPLY}
              Match packets that are flowing in the specified direction.  If
              this flag is not specified at all, matches packets in both
              directions.

       States for --ctstate:

       INVALID
              meaning that the packet is associated with no known connection

       NEW    meaning that the packet has started a new connection, or is
              otherwise associated with a connection which has not seen
              packets in both directions

       ESTABLISHED
              meaning that the packet is associated with a connection which
              has seen packets in both directions

       RELATED
              meaning that the packet is starting a new connection, but is
              associated with an existing connection, such as an FTP data
              transfer, or an ICMP error.

       SNAT   A virtual state, matching if the original source address differs
              from the reply destination.

       DNAT   A virtual state, matching if the original destination differs
              from the reply source.

       Statuses for --ctstatus:

       NONE   None of the below.

       EXPECTED
              This is an expected connection (i.e. a conntrack helper set it
              up)

       SEEN_REPLY
              Conntrack has seen packets in both directions.

       ASSURED
              Conntrack entry should never be early-expired.

       CONFIRMED
              Connection is confirmed: originating packet has left box.

   dccp
       [!] --source-port,--sport port[:port]

       [!] --destination-port,--dport port[:port]

       [!] --dccp-types mask
              Match when the DCCP packet type is one of 'mask'.  'mask' is a
              comma-separated list of packet types.  Packet types are: REQUEST
              RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK
              INVALID.

       [!] --dccp-option number
              Match if DCCP option set.

   dscp
       This module matches the 6 bit DSCP field within the TOS field in the IP
       header.  DSCP has superseded TOS within the IETF.

       [!] --dscp value
              Match against a numeric (decimal or hex) value [0-63].

       [!] --dscp-class class
              Match the DiffServ class.  This value may be any of the BE, EF,
              AFxx or CSx classes.  It will then be converted into its
              according numeric value.

   ecn
       This allows you to match the ECN bits of the IPv4 and TCP header.  ECN
       is the Explicit Congestion Notification mechanism as specified in
       RFC3168.

       [!] --ecn-tcp-cwr
              This matches if the TCP ECN CWR (Congestion Window Received) bit
              is set.

       [!] --ecn-tcp-ece
              This matches if the TCP ECN ECE (ECN Echo) bit is set.

       [!] --ecn-ip-ect num
              This matches a particular IPv4 ECT (ECN-Capable Transport).  You
              have to specify a number between `0' and `3'.

   esp
       This module matches the SPIs in ESP header of IPsec packets.

       [!] --espspi spi[:spi]

676   hashlimit
677       hashlimit uses hash buckets to express a rate limiting match (like  the
678       limit  match)  for a group of connections using a single iptables rule.
679       Grouping can be done per-hostgroup (source and/or destination  address)
680       and/or  per-port.  It  gives  you the ability to express "N packets per
681       time quantum per group":
682
683       matching on source host
684              "1000 packets per second for every host in 192.168.0.0/16"
685
686       matching on source port
687              "100 packets per second for every service of 192.168.1.1"
688
689       matching on subnet
690              "10000 packets per minute for every /28 subnet in 10.0.0.0/8"
691
692       A hash limit option (--hashlimit-upto, --hashlimit-above)  and  --hash‐
693       limit-name are required.
694
695       --hashlimit-upto amount[/second|/minute|/hour|/day]
696              Match  if  the  rate  is below or equal to amount/quantum. It is
697              specified as a number, with an optional time quantum suffix; the
698              default is 3/hour.
699
700       --hashlimit-above amount[/second|/minute|/hour|/day]
701              Match if the rate is above amount/quantum.
702
703       --hashlimit-burst amount
704              Maximum  initial  number  of  packets to match: this number gets
705              recharged by one every time the limit  specified  above  is  not
706              reached, up to this number; the default is 5.
707
708       --hashlimit-mode {srcip|srcport|dstip|dstport},...
709              A comma-separated list of objects to take into consideration. If
710              no --hashlimit-mode option is given, hashlimit acts like  limit,
711              but at the expense of doing the hash housekeeping.
712
713       --hashlimit-srcmask prefix
714              When  --hashlimit-mode  srcip  is  used,  all  source  addresses
715              encountered will be grouped according to the given prefix length
716              and  the  so-created subnet will be subject to hashlimit. prefix
717              must be between (inclusive) 0 and 32. Note that --hashlimit-src‐
718              mask 0 is basically doing the same thing as not specifying srcip
719              for --hashlimit-mode, but is technically more expensive.
720
721       --hashlimit-dstmask prefix
722              Like --hashlimit-srcmask, but for destination addresses.
723
724       --hashlimit-name foo
725              The name for the /proc/net/ipt_hashlimit/foo entry.
726
727       --hashlimit-htable-size buckets
728              The number of buckets of the hash table
729
730       --hashlimit-htable-max entries
731              Maximum entries in the hash.
732
733       --hashlimit-htable-expire msec
734              After how many milliseconds do hash entries expire.
735
736       --hashlimit-htable-gcinterval msec
737              How many milliseconds between garbage collection intervals.
738
739   helper
740       This module matches packets related to a specific conntrack-helper.
741
742       [!] --helper string
743              Matches packets related to the specified conntrack-helper.
744
745              string can be "ftp" for packets related to an FTP session on the
746              default port. For other ports append -portnr to the value, e.g.
747              "ftp-2121".
748
749              Same rules apply for other conntrack-helpers.
750
751   icmp
752       This extension can be used if `--protocol icmp' is specified.  It  pro‐
753       vides the following option:
754
755       [!] --icmp-type {type[/code]|typename}
756              This  allows  specification  of  the  ICMP  type, which can be a
757              numeric ICMP type, type/code pair, or one of the ICMP type names
758              shown by the command
759               iptables -p icmp -h
760
761   iprange
762       This matches on a given arbitrary range of IP addresses.
763
764       [!] --src-range from[-to]
765              Match source IP in the specified range.
766
767       [!] --dst-range from[-to]
768              Match destination IP in the specified range.
769
770   length
771       This  module  matches  the  length of the layer-3 payload (e.g. layer-4
772       packet) of a packet against a specific value or range of values.
773
774       [!] --length length[:length]
775
776   limit
777       This module matches at a limited rate using a token bucket  filter.   A
778       rule  using  this  extension  will  match  until  this limit is reached
779       (unless the `!' flag is used).  It can be used in combination with  the
780       LOG target to give limited logging, for example.
781
782       --limit rate[/second|/minute|/hour|/day]
783              Maximum  average  matching  rate: specified as a number, with an
784              optional `/second', `/minute', `/hour', or  `/day'  suffix;  the
785              default is 3/hour.
786
787       --limit-burst number
788              Maximum  initial  number  of  packets to match: this number gets
789              recharged by one every time the limit  specified  above  is  not
790              reached, up to this number; the default is 5.
791
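As an added example (not code from iptables or this manual), the following Python model reproduces the token bucket that both the limit match here and the hashlimit match above describe: a bucket starts with --limit-burst tokens, each matching packet spends one, and tokens recharge at the configured rate up to the burst; hashlimit keeps one bucket per group built from --hashlimit-mode and the srcmask/dstmask prefixes. The packet tuples, sample traffic and the TokenBucket class are assumptions for illustration.

```python
"""Token-bucket model of the iptables `limit` and `hashlimit` matches.

Added example, not iptables code. It models the behaviour the man page
documents: a bucket starts with `burst` tokens, each matching packet spends
one, and tokens are refilled at the configured rate, up to `burst`.
hashlimit keeps one such bucket per group, the group being built from
--hashlimit-mode (srcip, srcport, dstip, dstport) after applying the
--hashlimit-srcmask / --hashlimit-dstmask prefix lengths.
"""
import ipaddress

# Seconds per time quantum; a rate without a suffix is per second.
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """'100/minute' -> tokens per second."""
    amount, _, unit = spec.partition("/")
    return float(amount) / UNITS[unit or "second"]


class TokenBucket:
    """One bucket: `burst` initial tokens, refilled at `rate_per_s`."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None            # time of the previous packet in this bucket

    def within_limit(self, now):
        """Account for a packet at time `now`; True if it is under the limit."""
        if self.last is not None:   # recharge for the elapsed time, capped at burst
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def limit_match(packets, rate="3/hour", burst=5):
    """`-m limit --limit rate --limit-burst burst` over (time, ...) tuples;
    returns one bool per packet, True where the rule would match."""
    bucket = TokenBucket(parse_rate(rate), burst)
    return [bucket.within_limit(pkt[0]) for pkt in packets]


def hashlimit_key(pkt, mode, srcmask=32, dstmask=32):
    """Build the grouping key the way --hashlimit-mode selects it."""
    src, sport, dst, dport = pkt
    key = []
    for obj in mode:
        if obj == "srcip":      # group by the /srcmask subnet of the source
            key.append(str(ipaddress.ip_network(f"{src}/{srcmask}", strict=False)))
        elif obj == "dstip":    # likewise for the destination
            key.append(str(ipaddress.ip_network(f"{dst}/{dstmask}", strict=False)))
        elif obj == "srcport":
            key.append(sport)
        elif obj == "dstport":
            key.append(dport)
        else:
            raise ValueError(f"unknown --hashlimit-mode object {obj!r}")
    return tuple(key)


def hashlimit_match(packets, upto="3/hour", burst=5, mode=(), srcmask=32,
                    dstmask=32, above=False):
    """`-m hashlimit --hashlimit-upto upto --hashlimit-burst burst
    --hashlimit-mode mode` over (time, src, sport, dst, dport) tuples.
    With an empty mode every packet shares one bucket, i.e. plain `limit`;
    above=True models --hashlimit-above, the inverse of --hashlimit-upto."""
    rate, buckets, results = parse_rate(upto), {}, []
    for now, src, sport, dst, dport in packets:
        key = hashlimit_key((src, sport, dst, dport), mode, srcmask, dstmask)
        bucket = buckets.setdefault(key, TokenBucket(rate, burst))
        results.append(bucket.within_limit(now) != above)
    return results


# Constructed sample traffic: (time in s, src, sport, dst, dport).
SAMPLE = [
    (0.0, "192.168.1.10", 40000, "10.0.0.1", 22),
    (0.1, "192.168.1.10", 40001, "10.0.0.1", 22),
    (0.2, "192.168.1.10", 40002, "10.0.0.1", 22),
    (0.3, "192.168.1.11", 40003, "10.0.0.1", 22),
    (0.4, "192.168.2.7", 40004, "10.0.0.1", 22),
    (5.0, "192.168.1.10", 40005, "10.0.0.1", 22),
]

if __name__ == "__main__":
    # 2/second with burst 2: packets 3-5 are over the limit, t=5 s is within it.
    print("limit        ", limit_match(SAMPLE, "2/second", 2))
    # Grouped per /24: 192.168.2.7 has its own bucket and still matches.
    print("hashlimit /24", hashlimit_match(SAMPLE, "2/second", 2,
                                          mode=("srcip",), srcmask=24))
```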
792   mac
793       [!] --mac-source address
794              Match   source   MAC   address.    It   must   be  of  the  form
795              XX:XX:XX:XX:XX:XX.  Note that this only makes sense for  packets
796              coming from an Ethernet device and entering the PREROUTING, FOR‐
797              WARD or INPUT chains.
798
799   mark
800       This module matches the netfilter mark field associated with  a  packet
801       (which can be set using the MARK target below).
802
803       [!] --mark value[/mask]
804              Matches packets with the given unsigned mark value (if a mask is
805              specified, this is logically ANDed with the mask before the com‐
806              parison).
807
808   multiport
809       This  module  matches  a  set of source or destination ports.  Up to 15
810       ports can be specified.  A port range (port:port) counts as two  ports.
811       It can only be used in conjunction with -p tcp or -p udp.
812
813       [!] --source-ports,--sports port[,port|,port:port]...
814              Match  if  the  source port is one of the given ports.  The flag
815              --sports is a convenient alias for this option.  Multiple  ports
816              or  port ranges are separated using a comma, and a port range is
817              specified using a colon.  53,1024:65535  would  therefore  match
818              ports 53 and all from 1024 through 65535.
819
820       [!] --destination-ports,--dports port[,port|,port:port]...
821              Match  if  the  destination port is one of the given ports.  The
822              flag --dports is a convenient alias for this option.
823
824       [!] --ports port[,port|,port:port]...
825              Match if either the source or destination ports are equal to one
826              of the given ports.
827
828   owner
829       This  module  attempts  to  match various characteristics of the packet
830       creator, for locally generated packets. This match is only valid in the
831       OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket
832       associated with them. Packets from kernel threads do have a socket, but
833       usually no owner.
834
835       [!] --uid-owner username
836
837       [!] --uid-owner userid[-userid]
838              Matches if the packet socket's file structure (if it has one) is
839              owned by the given user. You may also specify a  numerical  UID,
840              or an UID range.
841
842       [!] --gid-owner groupname
843
844       [!] --gid-owner groupid[-groupid]
845              Matches  if  the  packet socket's file structure is owned by the
846              given group.  You may also specify a numerical  GID,  or  a  GID
847              range.
848
849       [!] --socket-exists
850              Matches if the packet is associated with a socket.
851
852   physdev
853       This  module  matches  on  the  bridge  port  input  and output devices
854       enslaved to a bridge device. This module is a part of  the  infrastruc‐
855       ture that enables a transparent bridging IP firewall and is only useful
856       for kernel versions above version 2.5.44.
857
858       [!] --physdev-in name
859              Name of a bridge port via which a packet is received  (only  for
860              packets  entering  the INPUT, FORWARD and PREROUTING chains). If
861              the interface name ends in  a  "+",  then  any  interface  which
862              begins  with  this  name will match. If the packet didn't arrive
863              through a bridge device, this packet won't  match  this  option,
864              unless '!' is used.
865
866       [!] --physdev-out name
867              Name  of  a  bridge  port via which a packet is going to be sent
868              (for  packets  entering  the  FORWARD,  OUTPUT  and  POSTROUTING
869              chains).   If  the interface name ends in a "+", then any inter‐
870              face which begins with this name will match. Note  that  in  the
871              nat and mangle OUTPUT chains one cannot match on the bridge out‐
872              put port, however one can in the filter  OUTPUT  chain.  If  the
873              packet  won't  leave  by a bridge device or if it is yet unknown
874              what the output device will be, then the packet won't match this
875              option, unless '!' is used.
876
877       [!] --physdev-is-in
878              Matches if the packet has entered through a bridge interface.
879
880       [!] --physdev-is-out
881              Matches if the packet will leave through a bridge interface.
882
883       [!] --physdev-is-bridged
884              Matches  if  the  packet  is  being bridged and therefore is not
885              being routed.  This is only useful in the FORWARD and  POSTROUT‐
886              ING chains.
887
888   pkttype
889       This module matches the link-layer packet type.
890
891       [!] --pkt-type {unicast|broadcast|multicast}
892
893   policy
894       This module matches the policy used by IPsec for handling a packet.
895
896       --dir {in|out}
897              Used  to  select whether to match the policy used for decapsula‐
898              tion or the policy that will be used for encapsulation.   in  is
899              valid  in the PREROUTING, INPUT and FORWARD chains, out is valid
900              in the POSTROUTING, OUTPUT and FORWARD chains.
901
902       --pol {none|ipsec}
903              Matches if the packet is subject to IPsec processing.
904
905       --strict
906              Selects whether to match the exact policy or match if  any  rule
907              of the policy matches the given policy.
908
909       [!] --reqid id
910              Matches the reqid of the policy rule. The reqid can be specified
911              with setkey(8) using unique:id as level.
912
913       [!] --spi spi
914              Matches the SPI of the SA.
915
916       [!] --proto {ah|esp|ipcomp}
917              Matches the encapsulation protocol.
918
919       [!] --mode {tunnel|transport}
920              Matches the encapsulation mode.
921
922       [!] --tunnel-src addr[/mask]
923              Matches the source end-point address of a tunnel mode SA.   Only
924              valid with --mode tunnel.
925
926       [!] --tunnel-dst addr[/mask]
927              Matches  the  destination end-point address of a tunnel mode SA.
928              Only valid with --mode tunnel.
929
930       --next Start the next element in the policy specification. Can only  be
931              used with --strict.
932
933   quota
934       Implements  network  quotas  by  decrementing  a byte counter with each
935       packet.
936
937       --quota bytes
938              The quota in bytes.
939
940   rateest
941       The rate estimator can match on estimated rates  as  collected  by  the
942       RATEEST  target.  It supports matching on absolute bps/pps values, com‐
943       paring two rate estimators and matching on the difference  between  two
944       rate estimators.
945
946       --rateest1 name
947              Name of the first rate estimator.
948
949       --rateest2 name
950              Name of the second rate estimator (if difference is to be calcu‐
951              lated).
952
953       --rateest-delta
954              Compare difference(s) to given rate(s)
955
956       --rateest-bps1 value
957
958       --rateest-bps2 value
959              Compare bytes per second.
960
961       --rateest-pps1 value
962
963       --rateest-pps2 value
964              Compare packets per second.
965
966       [!] --rateest-lt
967              Match if rate is less than given rate/estimator.
968
969       [!] --rateest-gt
970              Match if rate is greater than given rate/estimator.
971
972       [!] --rateest-eq
973              Match if rate is equal to given rate/estimator.
974
975       Example: This is what can be used to route  outgoing  data  connections
976       from  an  FTP server over two lines based on the available bandwidth at
977       the time the data connection was started:
978
979       # Estimate outgoing rates
980
981       iptables -t mangle -A POSTROUTING -o  eth0  -j  RATEEST  --rateest-name
982       eth0 --rateest-interval 250ms --rateest-ewma 0.5s
983
984       iptables  -t  mangle  -A  POSTROUTING -o ppp0 -j RATEEST --rateest-name
985       ppp0 --rateest-interval 250ms --rateest-ewma 0.5s
986
987       # Mark based on available bandwidth
988
989       iptables -t mangle -A balance -m  conntrack  --ctstate  NEW  -m  helper
990       --helper  ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1
991       2.5mbit --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit  -j  CONNMARK
992       --set-mark 1
993
994       iptables  -t  mangle  -A  balance  -m conntrack --ctstate NEW -m helper
995       --helper ftp -m rateest --rateest-delta --rateest1 ppp0  --rateest-bps1
996       2mbit  --rateest-gt  --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK
997       --set-mark 2
998
999       iptables -t mangle -A balance -j CONNMARK --restore-mark
1000
1001   realm
1002       This matches the routing realm.  Routing realms  are  used  in  complex
1003       routing setups involving dynamic routing protocols like BGP.
1004
1005       [!] --realm value[/mask]
1006              Matches  a  given  realm  number (and optionally mask). If not a
1007              number, value can be a named realm from  /etc/iproute2/rt_realms
1008              (mask can not be used in that case).
1009
1010   recent
1011       Allows  you to dynamically create a list of IP addresses and then match
1012       against that list in a few different ways.
1013
1014       For example, you can create a "badguy" list out of people attempting to
1015       connect  to  port 139 on your firewall and then DROP all future packets
1016       from them without considering them.
1017
1018       --set, --rcheck, --update and --remove are mutually exclusive.
1019
1020       --name name
1021              Specify the list to use for the commands. If no  name  is  given
1022              then DEFAULT will be used.
1023
1024       [!] --set
1025              This  will  add the source address of the packet to the list. If
1026              the source address is already in the list, this will update  the
1027              existing entry. This will always return success (or failure if !
1028              is passed in).
1029
1030       --rsource
1031              Match/save the source address of each packet in the recent  list
1032              table. This is the default.
1033
1034       --rdest
1035              Match/save  the destination address of each packet in the recent
1036              list table.
1037
1038       [!] --rcheck
1039              Check if the source address of the packet is  currently  in  the
1040              list.
1041
1042       [!] --update
1043              Like  --rcheck,  except it will update the "last seen" timestamp
1044              if it matches.
1045
1046       [!] --remove
1047              Check if the source address of the packet is  currently  in  the
1048              list  and  if  so that address will be removed from the list and
1049              the rule will return true. If the address is not found, false is
1050              returned.
1051
1052       --seconds seconds
1053              This  option must be used in conjunction with one of --rcheck or
1054              --update. When used, this will narrow the match to  only  happen
1055              when  the  address  is  in the list and was seen within the last
1056              given number of seconds.
1057
1058       --hitcount hits
1059              This option must be used in conjunction with one of --rcheck  or
1060              --update.  When  used, this will narrow the match to only happen
1061              when the address is in the list and packets  had  been  received
1062              greater  than  or  equal  to the given value. This option may be
1063              used along with --seconds  to  create  an  even  narrower  match
1064              requiring a certain number of hits within a specific time frame.
1065              The maximum value for the hitcount parameter  is  given  by  the
1066              "ip_pkt_list_tot"  parameter  of  the  xt_recent  kernel module.
1067              Exceeding this value on the command line will cause the rule  to
1068              be rejected.
1069
1070       --rttl This option may only be used in conjunction with one of --rcheck
1071              or --update. When used, this will narrow the match to only  hap‐
1072              pen  when  the address is in the list and the TTL of the current
1073              packet matches that of the packet which hit the --set rule. This
1074              may be useful if you have problems  with  people  faking  their
1075              source  address in order to DoS you via this module, denying
1076              others access to your site by sending you bogus packets.
1077
1078       Examples:
1079
1080              iptables  -A  FORWARD -m recent --name badguy --rcheck --seconds
1081              60 -j DROP
1082
1083              iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent  --name
1084              badguy --set -j DROP
1085
1086       Steve's  ipt_recent  website  (http://snowman.net/projects/ipt_recent/)
1087       also has some examples of usage.
1088
1089       /proc/net/xt_recent/* are the current lists of addresses  and  informa‐
1090       tion about each entry of each list.
1091
1092       Each  file  in /proc/net/xt_recent/ can be read from to see the current
1093       list or written to using the following commands to modify the list:
1094
1095       echo +addr >/proc/net/xt_recent/DEFAULT
1096              to add addr to the DEFAULT list
1097
1098       echo -addr >/proc/net/xt_recent/DEFAULT
1099              to remove addr from the DEFAULT list
1100
1101       echo / >/proc/net/xt_recent/DEFAULT
1102              to flush the DEFAULT list (remove all entries).
1103
1104       The module itself accepts parameters, defaults shown:
1105
1106       ip_list_tot=100
1107              Number of addresses remembered per table.
1108
1109       ip_pkt_list_tot=20
1110              Number of packets per address remembered.
1111
1112       ip_list_hash_size=0
1113              Hash table size. 0 means to calculate it based  on  ip_list_tot,
1114              default: 512.
1115
1116       ip_list_perms=0644
1117              Permissions for /proc/net/xt_recent/* files.
1118
1119       ip_list_uid=0
1120              Numerical UID for ownership of /proc/net/xt_recent/* files.
1121
1122       ip_list_gid=0
1123              Numerical GID for ownership of /proc/net/xt_recent/* files.
1124
1125   sctp
1126       [!] --source-port,--sport port[:port]
1127
1128       [!] --destination-port,--dport port[:port]
1129
1130       [!] --chunk-types {all|any|only} chunktype[:flags] [...]
1131              The flag letter in upper case indicates that the flag is to match
1132              if set, and in lower case that it is to match if unset.
1133
1134              Chunk types: DATA INIT  INIT_ACK  SACK  HEARTBEAT  HEARTBEAT_ACK
1135              ABORT   SHUTDOWN   SHUTDOWN_ACK   ERROR  COOKIE_ECHO  COOKIE_ACK
1136              ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
1137
1138              chunk type            available flags
1139              DATA                  U B E u b e
1140              ABORT                 T t
1141              SHUTDOWN_COMPLETE     T t
1142
1143              (lowercase means flag should be "off", uppercase means "on")
1144
1145       Examples:
1146
1147       iptables -A INPUT -p sctp --dport 80 -j DROP
1148
1149       iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
1150
1151       iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
1152
1153   set
1154       This module matches IP sets which can be defined by ipset(8).
1155
1156       [!] --match-set setname flag[,flag]...
1157              where flags are the comma separated list of src and/or dst spec‐
1158              ifications  and there can be no more than six of them. Hence the
1159              command
1160
1161               iptables -A FORWARD -m set --match-set test src,dst
1162
1163              will match packets, for which (if the set type is ipportmap) the
1164              source  address  and  destination  port pair can be found in the
1165              specified set. If the set type of the specified  set  is  single
1166              dimension (for example ipmap), then the command will match pack‐
1167              ets for which the source address can be found in  the  specified
1168              set.
1169
1170       The  option --match-set can be replaced by --set if that does not clash
1171       with an option of other extensions.
1172
1173       Use of -m set requires that ipset kernel support is provided. As  stan‐
1174       dard  kernels  do  not ship this currently, the ipset or Xtables-addons
1175       package needs to be installed.
1176
1177   socket
1178       This matches if an open socket can be found by doing a socket lookup on
1179       the packet.
1180
1181       --transparent
1182              Ignore non-transparent sockets.
1183
1184   state
1185       This  module,  when combined with connection tracking, allows access to
1186       the connection tracking state for this packet.
1187
1188       [!] --state state
1189              Where state is a comma separated list of the  connection  states
1190              to  match.   Possible states are INVALID meaning that the packet
1191              could not be identified for some reason which  includes  running
1192              out  of  memory  and  ICMP  errors which don't correspond to any
1193              known connection, ESTABLISHED meaning that the packet is associ‐
1194              ated  with  a  connection  which has seen packets in both direc‐
1195              tions, NEW meaning that the packet has started a new connection,
1196              or  otherwise  associated  with  a connection which has not seen
1197              packets in both directions, and RELATED meaning that the  packet
1198              is starting a new connection, but is associated with an existing
1199              connection, such as an FTP data transfer, or an ICMP error.
1200
1201   statistic
1202       This module matches packets based on some statistic condition.  It sup‐
1203       ports two distinct modes settable with the --mode option.
1204
1205       Supported options:
1206
1207       --mode mode
1208              Set  the matching mode of the matching rule, supported modes are
1209              random and nth.
1210
1211       --probability p
1212              Set the probability from 0 to 1 for  a  packet  to  be  randomly
1213              matched. It works only with the random mode.
1214
1215       --every n
1216              Match  one  packet  every nth packet. It works only with the nth
1217              mode (see also the --packet option).
1218
1219       --packet p
1220              Set the initial counter value (0 <= p <= n-1, default 0) for the
1221              nth mode.
1222
1223   string
1224       This  module  matches  a  given  string  by using some pattern matching
1225       strategy. It requires a Linux kernel >= 2.6.14.
1226
1227       --algo {bm|kmp}
1228              Select the pattern matching strategy. (bm = Boyer-Moore,  kmp  =
1229              Knuth-Morris-Pratt)
1230
1231       --from offset
1232              Set the offset from which it starts looking for any matching. If
1233              not passed, default is 0.
1234
1235       --to offset
1236              Set the offset up to which it looks for a match. If not passed,
1237              default is the packet size.
1238
1239       [!] --string pattern
1240              Matches the given pattern.
1241
1242       [!] --hex-string pattern
1243              Matches the given pattern in hex notation.
1244
1245   tcp
1246       These  extensions can be used if `--protocol tcp' is specified. It pro‐
1247       vides the following options:
1248
1249       [!] --source-port,--sport port[:port]
1250              Source port or port range specification. This can  either  be  a
1251              service  name  or  a port number. An inclusive range can also be
1252              specified, using the format first:last.  If the  first  port  is
1253              omitted,  "0"  is  assumed;  if  the last is omitted, "65535" is
1254              assumed.  If the first port is greater than the second one  they
1255              will  be  swapped.   The  flag --sport is a convenient alias for
1256              this option.
1257
1258       [!] --destination-port,--dport port[:port]
1259              Destination port or port range specification.  The flag  --dport
1260              is a convenient alias for this option.
1261
1262       [!] --tcp-flags mask comp
1263              Match  when  the TCP flags are as specified.  The first argument
1264              mask is the flags which we should examine, written as  a  comma-
1265              separated  list,  and  the second argument comp is a comma-sepa‐
1266              rated list of flags which must be set.  Flags are: SYN  ACK  FIN
1267              RST URG PSH ALL NONE.  Hence the command
1268               iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
1269              will  only match packets with the SYN flag set, and the ACK, FIN
1270              and RST flags unset.
1271
1272       [!] --syn
1273              Only match TCP packets with the SYN bit set and the ACK,RST  and
1274              FIN  bits cleared.  Such packets are used to request TCP connec‐
1275              tion initiation; for example, blocking such packets coming in an
1276              interface  will  prevent  incoming TCP connections, but outgoing
1277              TCP  connections  will  be  unaffected.   It  is  equivalent  to
1278              --tcp-flags  SYN,RST,ACK,FIN  SYN.  If the "!" flag precedes the
1279              "--syn", the sense of the option is inverted.
1280
1281       [!] --tcp-option number
1282              Match if TCP option set.
1283
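An added example, not part of this manual: a Python evaluator for --tcp-flags mask comp and the --syn equivalence stated above, run over constructed flag bytes. The function names and the flags() helper are assumptions for illustration.

```python
"""Evaluator for the iptables `--tcp-flags mask comp` and `--syn` tests.

Added example, not iptables code. A packet matches when, of the flags named
in `mask`, exactly those named in `comp` are set: (flags & mask) == comp.
Flags outside `mask` are not examined at all, which is why `--syn` still
accepts a SYN segment that also carries PSH or URG, while
`--tcp-flags ALL SYN` does not.
"""

# Bit values of the flag byte in the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def parse_flags(spec):
    """'SYN,ACK,FIN,RST' -> bit mask; ALL and NONE as on the man page."""
    bits = 0
    for name in spec.upper().split(","):
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name == "NONE":
            pass                     # no bits: as comp it means "none of them set"
        else:
            bits |= TCP_FLAGS[name]  # KeyError for a name iptables would reject
    return bits


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """`[!] --tcp-flags mask comp` against a packet's flag byte."""
    m, c = parse_flags(mask), parse_flags(comp)
    # Only the bits selected by mask are compared; a comp flag that is not
    # also in mask can therefore never match (such a rule matches nothing).
    return ((packet_flags & m) == c) != invert


def syn_match(packet_flags, invert=False):
    """`[!] --syn`, which the man page defines as --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN", invert)


def flags(*names):
    """Flag byte of a constructed packet, e.g. flags('SYN', 'ACK')."""
    return parse_flags(",".join(names)) if names else 0


if __name__ == "__main__":
    for pkt in (flags("SYN"), flags("SYN", "ACK"), flags("SYN", "PSH")):
        print(f"flags {pkt:#04x}: --syn {syn_match(pkt)}, "
              f"--tcp-flags ALL SYN {tcp_flags_match(pkt, 'ALL', 'SYN')}")
```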
1284   tcpmss
1285       This matches the TCP MSS  (maximum  segment  size)  field  of  the  TCP
1286       header.  You can only use this on TCP SYN or SYN/ACK packets, since the
1287       MSS is only negotiated during the TCP handshake at  connection  startup
1288       time.
1289
1290       [!] --mss value[:value]
1291              Match a given TCP MSS value or range.
1292
1293   time
1294       This  matches  if the packet arrival time/date is within a given range.
1295       All options are optional, but are ANDed when specified.
1296
1297       --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
1298
1299       --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
1300
1301              Only match during the given time, which must be in ISO 8601  "T"
1302              notation.   The  possible  time  range is 1970-01-01T00:00:00 to
1303              2038-01-19T04:17:07.
1304
1305              If --datestart or --datestop are not specified, it will  default
1306              to 1970-01-01 and 2038-01-19, respectively.
1307
1308       --timestart hh:mm[:ss]
1309
1310       --timestop hh:mm[:ss]
1311
1312              Only  match during the given daytime. The possible time range is
1313              00:00:00 to 23:59:59. Leading zeroes are allowed (e.g.  "06:03")
1314              and correctly interpreted as base-10.
1315
1316       [!] --monthdays day[,day...]
1317
1318              Only match on the given days of the month. Possible values are 1
1319              to 31. Note that specifying 31  will  of  course  not  match  on
1320              months  which  do  not have a 31st day; the same goes for 28- or
1321              29-day February.
1322
1323       [!] --weekdays day[,day...]
1324
1325              Only match on the given weekdays. Possible values are Mon,  Tue,
1326              Wed,  Thu,  Fri,  Sat, Sun, or values from 1 to 7, respectively.
1327              You may also use two-character variants (Mo, Tu, etc.).
1328
1329       --utc
1330
1331              Interpret the times given for --datestart, --datestop,  --times‐
1332              tart and --timestop to be UTC.
1333
1334       --localtz
1335
1336              Interpret  the times given for --datestart, --datestop, --times‐
1337              tart and --timestop to be local kernel time. (Default)
1338
1339       EXAMPLES. To match on weekends, use:
1340
1341              -m time --weekdays Sa,Su
1342
1343       Or, to match (once) on a national holiday block:
1344
1345              -m time --datestart 2007-12-24 --datestop 2007-12-27
1346
1347       Since the stop time is actually inclusive, you would need the following
1348       stop time to not match the first second of the new day:
1349
1350              -m time --datestart 2007-01-01T17:00 --datestop
1351              2007-01-01T23:59:59
1352
1353       During lunch hour:
1354
1355              -m time --timestart 12:30 --timestop 13:30
1356
1357       The fourth Friday in the month:
1358
1359              -m time --weekdays Fr --monthdays 22,23,24,25,26,27,28
1360
1361       (Note that this exploits a certain mathematical  property.  It  is  not
1362       possible  to  say "fourth Thursday OR fourth Friday" in one rule. It is
1363       possible with multiple rules, though.)
1364
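An added example, not part of this manual: a Python evaluator for the time match options above, used to check the inclusive stop time and the fourth-Friday rule from the examples. The function names, the ISO-string input form and the noon sampling in matching_days are assumptions for illustration.

```python
"""Evaluator for the iptables `time` match options described above.

Added example, not iptables code. It applies --datestart/--datestop,
--timestart/--timestop, --monthdays and --weekdays to a timestamp the way
the man page describes them: every given option is ANDed and both stop
values are inclusive, so the inclusive-stop caveat and the "fourth Friday"
rule can be checked. Times are taken as local kernel time (--localtz).
"""
from datetime import datetime, time, timedelta

WEEKDAYS = {"mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6, "sun": 7}
DATE_MIN = datetime(1970, 1, 1)                 # --datestart default
DATE_MAX = datetime(2038, 1, 19, 4, 17, 7)      # --datestop default


def parse_date(spec):
    """YYYY[-MM[-DD[Thh[:mm[:ss]]]]] -> datetime; omitted parts default to
    the first month, the first day and 00:00:00."""
    date, _, clock = spec.partition("T")
    d = [int(x) for x in date.split("-")] + [1, 1]
    t = ([int(x) for x in clock.split(":")] if clock else []) + [0, 0, 0]
    return datetime(d[0], d[1], d[2], t[0], t[1], t[2])


def parse_time(spec):
    """hh:mm[:ss]; leading zeroes are plain base-10, as the man page notes."""
    parts = [int(x) for x in spec.split(":")] + [0]
    return time(parts[0], parts[1], parts[2])


def parse_weekdays(spec):
    """Mon,Tue,... / Mo,Tu,... / 1..7 -> set of ISO weekday numbers."""
    days = set()
    for item in spec.split(","):
        item = item.strip().lower()
        if item.isdigit():
            days.add(int(item))
            continue
        for name, num in WEEKDAYS.items():
            if len(item) >= 2 and name.startswith(item):
                days.add(num)
                break
        else:
            raise ValueError(f"unknown weekday {item!r}")
    return days


def time_match(when, datestart=None, datestop=None, timestart=None,
               timestop=None, monthdays=None, weekdays=None):
    """Evaluate `-m time ...` against `when` (a datetime or an ISO string)."""
    if isinstance(when, str):
        when = parse_date(when)
    start = parse_date(datestart) if datestart else DATE_MIN
    stop = parse_date(datestop) if datestop else DATE_MAX
    if not start <= when <= stop:                        # --datestop is inclusive
        return False
    if timestart and when.time() < parse_time(timestart):
        return False
    if timestop and when.time() > parse_time(timestop):  # --timestop too
        return False
    if monthdays and when.day not in {int(d) for d in monthdays.split(",")}:
        return False
    if weekdays and when.isoweekday() not in parse_weekdays(weekdays):
        return False
    return True


def matching_days(year, month, **rule):
    """Days of the month on which `rule` matches, sampled at noon."""
    day, hits = datetime(year, month, 1, 12), []
    while day.month == month:
        if time_match(day, **rule):
            hits.append(day.day)
        day += timedelta(days=1)
    return hits


if __name__ == "__main__":
    fourth_friday = dict(weekdays="Fr", monthdays="22,23,24,25,26,27,28")
    for m in range(1, 13):          # exactly one day per month: the 4th Friday
        print(2007, m, matching_days(2007, m, **fourth_friday))
    # The man page's holiday block still matches the first second of the 27th.
    print(time_match("2007-12-27T00:00:00",
                     datestart="2007-12-24", datestop="2007-12-27"))
```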
1365   tos
1366       This module matches the 8-bit Type of Service field in the IPv4  header
1367       (i.e.   including  the  "Precedence" bits) or the (also 8-bit) Priority
1368       field in the IPv6 header.
1369
1370       [!] --tos value[/mask]
1371              Matches packets with the given TOS mark  value.  If  a  mask  is
1372              specified,  it  is  logically ANDed with the TOS mark before the
1373              comparison.
1374
1375       [!] --tos symbol
1376              You can specify a symbolic name when using  the  tos  match  for
1377              IPv4.  The list of recognized TOS names can be obtained by call‐
1378              ing iptables with -m tos -h.  Note that this implies a  mask  of
1379              0x3F, i.e. all but the ECN bits.
1380
1381   ttl
1382       This module matches the time to live field in the IP header.
1383
1384       --ttl-eq ttl
1385              Matches the given TTL value.
1386
1387       --ttl-gt ttl
1388              Matches if TTL is greater than the given TTL value.
1389
1390       --ttl-lt ttl
1391              Matches if TTL is less than the given TTL value.
1392
1393   u32
1394       U32  tests  whether quantities of up to 4 bytes extracted from a packet
1395       have specified values. The specification of what to extract is  general
1396       enough to find data at given offsets from tcp headers or payloads.
1397
1398       [!] --u32 tests
1399              The  argument amounts to a program in a small language described
1400              below.
1401
1402              tests := location "=" value | tests "&&" location "=" value
1403
1404              value := range | value "," range
1405
1406              range := number | number ":" number
1407
1408       a single number, n, is interpreted the same as n:n. n:m is  interpreted
1409       as the range of numbers >=n and <=m.
1410
1411           location := number | location operator number
1412
1413           operator := "&" | "<<" | ">>" | "@"
1414
1415       The  operators &, <<, >> and && mean the same as in C.  The = is really
1416       a set membership operator and the value syntax describes a set.  The  @
1417       operator is what allows moving to the next header and is described fur‐
1418       ther below.
1419
1420       There are currently some artificial implementation limits on  the  size
1421       of the tests:
1422
1423           *  no more than 10 of "=" (and 9 "&&"s) in the u32 argument
1424
1425           *  no more than 10 ranges (and 9 commas) per value
1426
1427           *  no more than 10 numbers (and 9 operators) per location
1428
1429       To describe the meaning of location, imagine the following machine that
1430       interprets it. There are three registers:
1431
1432              A is of type char *, initially the address of the IP header
1433
1434              B and C are unsigned 32 bit integers, initially zero
1435
1436       The instructions are:
1437
1438              number B = number;
1439
1440              C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
1441
1442              &number C = C & number
1443
1444              << number C = C << number
1445
1446              >> number C = C >> number
1447
1448              @number A = A + C; then do the instruction number
1449
1450       Any access of memory outside [skb->data,skb->end] causes the  match  to
1451       fail.  Otherwise the result of the computation is the final value of C.
1452
1453       Whitespace is allowed but not required in the tests. However, the char‐
1454       acters that do occur there are likely to require shell quoting,  so  it
1455       is a good idea to enclose the arguments in quotes.
1456
1457       Example:
1458
1459              match IP packets with total length >= 256
1460
1461              The IP header contains a total length field in bytes 2-3.
1462
1463              --u32 "0 & 0xFFFF = 0x100:0xFFFF"
1464
1465              read bytes 0-3
1466
1467              AND  that  with 0xFFFF (giving bytes 2-3), and test whether that
1468              is in the range [0x100:0xFFFF]
1469
1470       Example: (more realistic, hence more complicated)
1471
1472              match ICMP packets with icmp type 0
1473
1474              First test that it is an ICMP packet, true iff byte 9 (protocol)
1475              = 1
1476
1477              --u32 "6 & 0xFF = 1 && ...
1478
1479              read  bytes  6-9,  use & to throw away bytes 6-8 and compare the
1480              result to 1. Next test that it is not a  fragment.  (If  so,  it
1481              might be part of such a packet but we cannot always tell.) N.B.:
1482              This test is generally needed if  you  want  to  match  anything
1483              beyond  the IP header. The last 6 bits of byte 6 and all of byte
1484              7 are 0 iff this is a complete packet (not a fragment). Alterna‐
1485              tively, you can allow first fragments by only testing the last 5
1486              bits of byte 6.
1487
1488               ... 4 & 0x3FFF = 0 && ...
1489
1490              Last test: the first byte past the IP header (the  type)  is  0.
1491              This  is  where we have to use the @syntax. The length of the IP
1492              header (IHL) in 32 bit words is stored in the right half of byte
1493              0 of the IP header itself.
1494
1495               ... 0 >> 22 & 0x3C @ 0 >> 24 = 0"
1496
1497              The  first 0 means read bytes 0-3, >>22 means shift that 22 bits
1498              to the right. Shifting 24 bits would give  the  first  byte,  so
1499              only  22  bits is four times that plus a few more bits. &3C then
1500              eliminates the two extra bits on the right and  the  first  four
1501              bits  of  the  first  byte.  For instance, if IHL=5, then the IP
1502              header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
1503              binary)   xxxx0101   yyzzzzzz,  >>22  gives  the  10  bit  value
1504              xxxx0101yy and &3C gives 010100. @ means to use this number as a
1505              new  offset  into  the packet, and read four bytes starting from
1506              there. This is the first 4 bytes of the ICMP payload,  of  which
1507              byte 0 is the ICMP type. Therefore, we simply shift the value 24
1508              to the right to throw out all but the first byte and compare the
1509              result with 0.
1510
1511       Example:
1512
1513              TCP payload bytes 8-11 is any of 1, 2, 5 or 8
1514
1515              First we test that the packet is a tcp packet (similar to ICMP).
1516
1517              --u32 "6 & 0xFF = 6 && ...
1518
1519              Next, test that it is not a fragment (same as above).
1520
1521               ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"
1522
1523              0>>22&3C as above computes the number of bytes in the IP header.
1524              @ makes this the new offset into the packet, which is the  start
1525              of the TCP header. The length of the TCP header (again in 32 bit
1526              words) is the left half of  byte  12  of  the  TCP  header.  The
1527              12>>26&3C  computes  this  length  in  bytes  (similar to the IP
1528              header before). "@" makes this the  new  offset,  which  is  the
1529              start  of  the  TCP  payload. Finally, 8 reads bytes 8-11 of the
1530              payload and = checks whether the result is any of 1, 2, 5 or 8.
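
       Worked example (added here; it is not part of iptables or the  kernel):
       the  following  Python  interpreter  implements  the three-register ma‐
       chine and the tests grammar described above, including the  documented
       size  limits  and  the  "read  outside  the packet fails the match" rule.
       It then runs the three --u32 expressions from this section over  hand-
       built  packets  (an  ICMP  echo  reply,  an  echo request, a fragment, a
       TCP segment with payload bytes 8-11 equal to 5, and a  300-byte  UDP
       datagram).  The packet bytes, addresses and ports are constructed for
       the demonstration; checksums are left zero because u32 never reads them.

```python
"""Interpreter for the xt_u32 match language as described in the iptables
man page (added illustration; not iptables code).  Sample packets are
constructed by hand below."""
import re
import struct

_TOK = re.compile(r'\s*(0x[0-9a-fA-F]+|\d+|<<|>>|&&|&|@|=|,|:)\s*')
_LOC_OPS = ('&', '<<', '>>', '@')

def _tokenize(spec):
    toks, pos, spec = [], 0, spec.strip()
    while pos < len(spec):
        m = _TOK.match(spec, pos)
        if not m:
            raise ValueError(f"bad u32 syntax near {spec[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks

def parse_tests(spec):
    """Return [(location, ranges)]; location = [(op, number)], ranges = [(lo, hi)].
    Enforces the man page limits: 10 tests, 10 ranges per value, 10 numbers per location."""
    toks, i, tests = _tokenize(spec), 0, []
    while True:
        loc = [('#', int(toks[i], 0))]            # plain number: B = n; C = read4(A + B)
        i += 1
        while i < len(toks) and toks[i] in _LOC_OPS:
            loc.append((toks[i], int(toks[i + 1], 0)))
            i += 2
        if len(loc) > 10:
            raise ValueError("more than 10 numbers in a location")
        if i >= len(toks) or toks[i] != '=':
            raise ValueError("expected '='")
        i += 1
        ranges = []
        while True:
            lo = hi = int(toks[i], 0)
            i += 1
            if i < len(toks) and toks[i] == ':':
                hi = int(toks[i + 1], 0)
                i += 2
            ranges.append((lo, hi))               # n alone means n:n
            if i < len(toks) and toks[i] == ',':
                i += 1
                continue
            break
        if len(ranges) > 10:
            raise ValueError("more than 10 ranges in a value")
        tests.append((loc, ranges))
        if i < len(toks) and toks[i] == '&&':
            i += 1
            continue
        break
    if i != len(toks) or len(tests) > 10:
        raise ValueError("trailing input or more than 10 tests")
    return tests

def eval_location(pkt, loc):
    """Run the A/C register machine; None means a read outside the packet (match fails)."""
    A = 0                                         # base offset: the IP header
    C = 0
    for op, n in loc:
        if op in ('#', '@'):
            if op == '@':
                A += C                            # move the base to the next header
            off = A + n
            if off + 4 > len(pkt):
                return None
            C = int.from_bytes(pkt[off:off + 4], 'big')
        elif op == '&':
            C &= n
        elif op == '<<':
            C = (C << n) & 0xFFFFFFFF
        elif op == '>>':
            C >>= n
    return C

def u32_match(pkt, spec):
    """True iff every test's final C lies in one of that test's ranges."""
    for loc, ranges in parse_tests(spec):
        c = eval_location(pkt, loc)
        if c is None or not any(lo <= c <= hi for lo, hi in ranges):
            return False
    return True

# --- constructed sample packets (IHL=5; checksums zero; addresses from RFC 5737) ---
def ipv4(proto, payload, flags_frag=0):
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def tcp_with_payload(payload):                    # data offset 5, flags PSH|ACK
    return struct.pack('!HHIIBBHHH', 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

ICMP_ECHO_REPLY = ipv4(1, struct.pack('!BBHHH', 0, 0, 0, 1, 1))
ICMP_ECHO_REQUEST = ipv4(1, struct.pack('!BBHHH', 8, 0, 0, 1, 1))
ICMP_REPLY_FRAGMENT = ipv4(1, struct.pack('!BBHHH', 0, 0, 0, 1, 1), flags_frag=0x2000)  # MF set
TCP_PAYLOAD_5 = ipv4(6, tcp_with_payload(b'\x00' * 8 + (5).to_bytes(4, 'big')))
TCP_PAYLOAD_7 = ipv4(6, tcp_with_payload(b'\x00' * 8 + (7).to_bytes(4, 'big')))
BIG_UDP = ipv4(17, b'\x00' * 280)                 # total length 300

LEN_GE_256 = "0 & 0xFFFF = 0x100:0xFFFF"
ICMP_TYPE_0 = "6 & 0xFF = 1 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 0 >> 24 = 0"
TCP_PAYLOAD_8_11 = "6 & 0xFF = 6 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"

if __name__ == "__main__":
    for name, pkt, spec in [("len>=256", BIG_UDP, LEN_GE_256), ("icmp reply", ICMP_ECHO_REPLY, ICMP_TYPE_0),
                            ("icmp request", ICMP_ECHO_REQUEST, ICMP_TYPE_0),
                            ("icmp fragment", ICMP_REPLY_FRAGMENT, ICMP_TYPE_0),
                            ("tcp payload=5", TCP_PAYLOAD_5, TCP_PAYLOAD_8_11),
                            ("tcp payload=7", TCP_PAYLOAD_7, TCP_PAYLOAD_8_11)]:
        print(f"{name:14s} {u32_match(pkt, spec)}")
```

       Feeding the fragment through the expression with 0x1FFF instead of
       0x3FFF shows the "allow first fragments" variant: the MF bit is then
       ignored and only a non-zero fragment offset fails the test.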
1531
1532   udp
1533       This extension can be used if `--protocol udp' is specified.  It  pro‐
1534       vides the following options:
1535
1536       [!] --source-port,--sport port[:port]
1537              Source port or port range specification.  See the description of
1538              the --source-port option of the TCP extension for details.
1539
1540       [!] --destination-port,--dport port[:port]
1541              Destination port or port range specification.  See the  descrip‐
1542              tion  of  the --destination-port option of the TCP extension for
1543              details.
1544
1545   unclean
1546       This module takes no options, but attempts to match packets which  seem
1547       malformed or unusual.  This is regarded as experimental.
1548

TARGET EXTENSIONS

1550       iptables can use extended target modules: the following are included in
1551       the standard distribution.
1552
1553   AUDIT
1554       This target creates an audit record for each packet that hits it.   It
1555       can be used to record accepted, dropped, and rejected packets.
1556       See auditd(8) for additional details.
1557
1558       --type {accept|drop|reject}
1559              Set type of audit record.
1560
1561       Example:
1562
1563              iptables -N AUDIT_DROP
1564
1565              iptables -A AUDIT_DROP -j AUDIT --type drop
1566
1567              iptables -A AUDIT_DROP -j DROP
1568
1569   CHECKSUM
1570       This target selectively works around broken/old applications.
1571       It can only be used in the mangle table.
1572
1573       --checksum-fill
1574              Compute and fill in the checksum in a packet that lacks a check‐
1575              sum.  This is particularly useful, if you need  to  work  around
1576              old  applications  such  as  dhcp clients, that do not work well
1577              with checksum offloads, but don't want to disable checksum  off‐
1578              load in your device.
1579
1580   CLASSIFY
1581       This  module  allows you to set the skb->priority value (and thus clas‐
1582       sify the packet into a specific CBQ class).
1583
1584       --set-class major:minor
1585              Set the major and minor  class  value.  The  values  are  always
1586              interpreted as hexadecimal even if no 0x prefix is given.
1587
1588   CLUSTERIP
1589       This  module  allows  you  to  configure a simple cluster of nodes that
1590       share a certain IP and MAC address without an explicit load balancer in
1591       front  of  them.   Connections  are  statically distributed between the
1592       nodes in this cluster.
1593
1594       --new  Create a new ClusterIP.  You always have  to  set  this  on  the
1595              first rule for a given ClusterIP.
1596
1597       --hashmode mode
1598              Specify  the  hashing  mode.   Has  to be one of sourceip, sour‐
1599              ceip-sourceport, sourceip-sourceport-destport.
1600
1601       --clustermac mac
1602              Specify the ClusterIP MAC address. Has to be a link-layer multi‐
1603              cast address.
1604
1605       --total-nodes num
1606              Number of total nodes within this cluster.
1607
1608       --local-node num
1609              Local node number within this cluster.
1610
1611       --hash-init rnd
1612              Specify the random seed used for hash initialization.
1613
1614   CONNMARK
1615       This module sets the netfilter mark value associated with a connection.
1616       The mark is 32 bits wide.
1617
1618       --set-xmark value[/mask]
1619              Zero out the bits given by mask and XOR value into the ctmark.
1620
1621       --save-mark [--nfmask nfmask] [--ctmask ctmask]
1622              Copy the packet mark (nfmark) to the  connection  mark  (ctmark)
1623              using  the  given  masks.  The new ctmark value is determined as
1624              follows:
1625
1626              ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
1627
1628              i.e. ctmask defines what bits to clear and nfmask what  bits  of
1629              the  nfmark to XOR into the ctmark. ctmask and nfmask default to
1630              0xFFFFFFFF.
1631
1632       --restore-mark [--nfmask nfmask] [--ctmask ctmask]
1633              Copy the connection mark (ctmark) to the  packet  mark  (nfmark)
1634              using  the  given  masks.  The new nfmark value is determined as
1635              follows:
1636
1637              nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask);
1638
1639              i.e. nfmask defines what bits to clear and ctmask what  bits  of
1640              the  ctmark to XOR into the nfmark. ctmask and nfmask default to
1641              0xFFFFFFFF.
1642
1643              --restore-mark is only valid in the mangle table.
1644
1645       The following mnemonics are available for --set-xmark:
1646
1647       --and-mark bits
1648              Binary AND the  ctmark  with  bits.  (Mnemonic  for  --set-xmark
1649              0/invbits, where invbits is the binary negation of bits.)
1650
1651       --or-mark bits
1652              Binary  OR  the  ctmark  with  bits.  (Mnemonic  for --set-xmark
1653              bits/bits.)
1654
1655       --xor-mark bits
1656              Binary XOR the  ctmark  with  bits.  (Mnemonic  for  --set-xmark
1657              bits/0.)
1658
1659       --set-mark value[/mask]
1660              Set  the connection mark. If a mask is specified then only those
1661              bits set in the mask are modified.
1662
1663       --save-mark [--mask mask]
1664              Copy the nfmark to the ctmark. If  a  mask  is  specified,  only
1665              those bits are copied.
1666
1667       --restore-mark [--mask mask]
1668              Copy  the  ctmark  to  the  nfmark. If a mask is specified, only
1669              those bits are copied. This is only valid in the mangle table.
1670
1671   CONNSECMARK
1672       This module copies security markings from packets  to  connections  (if
1673       unlabeled),  and  from  connections back to packets (also only if unla‐
1674       beled).  Typically used in conjunction with SECMARK, it is  only  valid
1675       in the mangle table.
1676
1677       --save If  the packet has a security marking, copy it to the connection
1678              if the connection is not marked.
1679
1680       --restore
1681              If the packet does not have a security marking, and the  connec‐
1682              tion  does, copy the security marking from the connection to the
1683              packet.
1684
1685
1686   DNAT
1687       This target is only valid in the nat table, in the PREROUTING and  OUT‐
1688       PUT  chains,  and  user-defined chains which are only called from those
1689       chains.  It specifies that the destination address of the packet should
1690       be  modified  (and  all  future packets in this connection will also be
1691       mangled), and rules should cease being examined.  It takes one type  of
1692       option:
1693
1694       --to-destination [ipaddr][-ipaddr][:port[-port]]
1695              which can specify a single new destination IP address, an inclu‐
1696              sive range of IP addresses, and optionally, a port range  (which
1697              is  only valid if the rule also specifies -p tcp or -p udp).  If
1698              no port range is specified, then the destination port will never
1699              be  modified. If no IP address is specified then only the desti‐
1700              nation port will be modified.
1701
1702              In Kernels up to 2.6.10 you  can  add  several  --to-destination
1703              options.  For those kernels, if you specify more than one desti‐
1704              nation  address,  either  via  an  address  range  or   multiple
1705              --to-destination   options,  a  simple  round-robin  (one  after
1706              another in cycle)  load  balancing  takes  place  between  these
1707              addresses.  Later Kernels (>= 2.6.11-rc1) don't have the ability
1708              to NAT to multiple ranges anymore.
1709
1710       --random
1711              If option --random is used then port mapping will be  randomized
1712              (kernel >= 2.6.22).
1713
1714       --persistent
1715              Gives  a  client  the  same source-/destination-address for each
1716              connection.  This supersedes the SAME target. Support  for  per‐
1717              sistent mappings is available from 2.6.29-rc2.
1718
1719   DSCP
1720       This  target  alters the value of the DSCP bits within the TOS field of
1721       the IPv4 header.  As this manipulates a packet, it  can  only  be  used
1722       in the mangle table.
1723
1724       --set-dscp value
1725              Set the DSCP field to a numerical value (can be decimal or hex)
1726
1727       --set-dscp-class class
1728              Set the DSCP field to a DiffServ class.
1729
1730   ECN
1731       This target selectively works around known ECN blackholes.  It
1732       can only be used in the mangle table.
1733
1734       --ecn-tcp-remove
1735              Remove all ECN bits from the TCP header.  Of course, it can only
1736              be used in conjunction with -p tcp.
1737
1738   LOG
1739       Turn  on  kernel  logging of matching packets.  When this option is set
1740       for a rule, the Linux kernel will print some information on all  match‐
1741       ing  packets  (like most IP header fields) via the kernel log (where it
1742       can be read with dmesg or syslogd(8)).  This is a "non-terminating tar‐
1743       get",  i.e.  rule traversal continues at the next rule.  So if you want
1744       to LOG the packets you refuse, use two separate  rules  with  the  same
1745       matching criteria, first using target LOG then DROP (or REJECT).
1746
1747       --log-level level
1748              Level of logging (numeric or see syslog.conf(5)).
1749
1750       --log-prefix prefix
1751              Prefix  log messages with the specified prefix; up to 29 letters
1752              long, and useful for distinguishing messages in the logs.
1753
1754       --log-tcp-sequence
1755              Log TCP sequence numbers. This is a security risk if the log  is
1756              readable by users.
1757
1758       --log-tcp-options
1759              Log options from the TCP packet header.
1760
1761       --log-ip-options
1762              Log options from the IP packet header.
1763
1764       --log-uid
1765              Log the userid of the process which generated the packet.
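
       Worked example (added here; not part of iptables): because LOG  writes
       one  kernel  log  line per matching packet, the practical question is
       how to read those lines back.  The Python below parses the  key=value
       and  bare-flag  format  the  kernel  emits  (IN= OUT= SRC= DST= PROTO=
       SPT= DPT=, flags such as DF/SYN/ACK, UID= from --log-uid) and runs  a
       small  triage  over  the  result: per-prefix counts, and sources whose
       logged SYNs hit many distinct ports.  The syslog lines are constructed
       for  the demonstration in the shape produced by a rule pair using the
       prefix "FW-DROP: "; the hosts, ports and timestamps are made up.

```python
"""Parse kernel LOG-target lines from syslog and triage them (added example;
not iptables code).  SAMPLE_SYSLOG is constructed to look like output of
  iptables -A INPUT ... -j LOG --log-prefix "FW-DROP: "
followed by a DROP rule with the same match; values are made up."""
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
Jan  5 10:00:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=101 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:00:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=102 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:00:02 gw kernel: FW-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=103 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:00:02 gw kernel: FW-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=104 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:00:03 gw kernel: FW-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=105 DF PROTO=TCP SPT=40005 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:00:03 gw kernel: FW-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=106 DF PROTO=TCP SPT=40006 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:00:09 gw kernel: FW-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=7 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 10:00:12 gw kernel: FW-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=61 ID=8 PROTO=UDP SPT=5353 DPT=161 LEN=58
Jan  5 10:00:15 gw kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=22 DPT=51000 WINDOW=0 RES=0x00 ACK RST URGP=0 UID=0 GID=0
Jan  5 10:00:16 gw sshd[1234]: Accepted publickey for ops from 192.0.2.20 port 50022 ssh2
"""

# "kernel: " [optional printk timestamp] <log-prefix> "IN=" <fields...>
LOG_RE = re.compile(r'kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)\bIN=(?P<fields>.*)$')
INT_KEYS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "UID", "GID", "SEQ", "ACK", "LEN_2"}

def parse_log_line(line):
    """Return a dict for a LOG-target line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": set()}
    for tok in ("IN=" + m.group("fields")).split():
        key, eq, val = tok.partition("=")
        if not eq:
            rec["flags"].add(tok)                  # bare words: DF, SYN, ACK, RST, ...
            continue
        if key in rec:
            key += "_2"                            # UDP lines carry a second LEN= (UDP length)
        rec[key] = int(val) if key in INT_KEYS and val.isdigit() else val
    return rec

def parse_syslog(text):
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]

def count_by_prefix(records):
    counts = defaultdict(int)
    for r in records:
        counts[r["prefix"]] += 1
    return dict(counts)

def syn_scanners(records, prefix="FW-DROP:", min_ports=5):
    """Sources whose logged, dropped SYNs (no ACK) touched >= min_ports distinct DPTs."""
    ports = defaultdict(set)
    for r in records:
        if (r["prefix"] == prefix and r.get("PROTO") == "TCP"
                and "SYN" in r["flags"] and "ACK" not in r["flags"]):
            ports[r["SRC"]].add(r["DPT"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    print(count_by_prefix(recs))
    print(syn_scanners(recs))
```

       Keep the --log-prefix unique per rule pair (it is  the  only  thing  in
       the  line that says which rule fired), and remember the 29-character
       limit when choosing it.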
1766
1767   MARK
1768       This target is used to set the Netfilter mark value associated with the
1769       packet.  The target can only be used in the mangle table. It  can,  for
1770       example,  be  used  in  conjunction with routing based on fwmark (needs
1771       iproute2). The mark field is 32 bits wide.
1772
1773       --set-xmark value[/mask]
1774              Zeroes out the bits given by mask and XORs value into the packet
1775              mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.
1776
1777       --set-mark value[/mask]
1778              Zeroes  out the bits given by mask and ORs value into the packet
1779              mark. If mask is omitted, 0xFFFFFFFF is assumed.
1780
1781       The following mnemonics are available:
1782
1783       --and-mark bits
1784              Binary AND the  nfmark  with  bits.  (Mnemonic  for  --set-xmark
1785              0/invbits, where invbits is the binary negation of bits.)
1786
1787       --or-mark bits
1788              Binary  OR  the  nfmark  with  bits.  (Mnemonic  for --set-xmark
1789              bits/bits.)
1790
1791       --xor-mark bits
1792              Binary XOR the  nfmark  with  bits.  (Mnemonic  for  --set-xmark
1793              bits/0.)
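
       Worked example (added here; not part of  iptables):  the  --set-xmark,
       --set-mark  and  and/or/xor  semantics above, and the CONNMARK --save-
       mark/--restore-mark formulas, written out as Python so the  mask  han‐
       dling  can  be checked.  One point worth seeing in code: the value in
       value/mask is not itself masked, so bits of value that lie outside the
       mask still get XORed (or ORed) into the mark.  The zone/class  layout
       in the last function is an assumed convention for the demonstration.

```python
"""Bit semantics of MARK/CONNMARK --set-xmark, --set-mark, the and/or/xor
mnemonics and CONNMARK --save-mark/--restore-mark (added example; not
iptables code).  All marks are 32-bit."""
MASK32 = 0xFFFFFFFF

def set_xmark(mark, value, mask=MASK32):
    """--set-xmark value/mask: zero the bits in mask, then XOR value in.
    value is NOT masked: bits of value outside mask still flip."""
    return ((mark & ~mask) ^ value) & MASK32

def set_mark(mark, value, mask=MASK32):
    """MARK --set-mark value/mask: zero the bits in mask, then OR value in."""
    return ((mark & ~mask) | value) & MASK32

def and_mark(mark, bits):
    return set_xmark(mark, 0, ~bits & MASK32)       # --and-mark bits == --set-xmark 0/~bits

def or_mark(mark, bits):
    return set_xmark(mark, bits, bits)               # --or-mark bits  == --set-xmark bits/bits

def xor_mark(mark, bits):
    return set_xmark(mark, bits, 0)                  # --xor-mark bits == --set-xmark bits/0

def save_mark(nfmark, ctmark, nfmask=MASK32, ctmask=MASK32):
    """CONNMARK --save-mark: returns the new ctmark."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32

def restore_mark(nfmark, ctmark, nfmask=MASK32, ctmask=MASK32):
    """CONNMARK --restore-mark: returns the new nfmark."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32

def mnemonics_match_c_operators(samples):
    """True if, for every (mark, bits) pair, the mnemonics equal C's &, | and ^."""
    return all(and_mark(m, b) == (m & b) and or_mark(m, b) == (m | b)
               and xor_mark(m, b) == (m ^ b) for m, b in samples)

def zone_roundtrip(zone, cls):
    """Assumed layout: bits 8-15 hold a 'zone', bits 0-7 a traffic class.
    Set both on the first packet of a flow, save only the zone byte into the
    ctmark, then restore it onto a later packet whose own mark is empty.
    Returns (ctmark, nfmark of the later packet)."""
    nfmark = set_xmark(0, zone << 8, 0xFF00)         # -j MARK --set-xmark zone<<8/0xFF00
    nfmark = set_xmark(nfmark, cls, 0x00FF)          # -j MARK --set-xmark cls/0x00FF
    ctmark = save_mark(nfmark, 0, nfmask=0xFF00, ctmask=0xFF00)
    later = restore_mark(0, ctmark, nfmask=0xFF00, ctmask=0xFF00)
    return ctmark, later

if __name__ == "__main__":
    print(hex(set_xmark(0xABCD, 0x1F0, 0xFF)))       # bit 8 flips although outside the mask
    print([hex(x) for x in zone_roundtrip(0xAB, 0x03)])
```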
1794
1795   MASQUERADE
1796       This  target  is only valid in the nat table, in the POSTROUTING chain.
1797       It should only be used with dynamically assigned  IP  (dialup)  connec‐
1798       tions: if you have a static IP address, you should use the SNAT target.
1799       Masquerading is equivalent to specifying a mapping to the IP address of
1800       the  interface  the  packet  is going out, but also has the effect that
1801       connections are forgotten when the interface goes down.   This  is  the
1802       correct  behavior  when  the  next  dialup is unlikely to have the same
1803       interface address (and hence any established connections are lost  any‐
1804       way).  It takes one option:
1805
1806       --to-ports port[-port]
1807              This  specifies  a  range of source ports to use, overriding the
1808              default SNAT source port-selection heuristics (see the SNAT tar‐
1809              get below).  This is only valid if the rule also specifies -p tcp
              or -p udp.
1810
1811       --random
1812              Randomize source port mapping.  If option --random is used then
1813              port mapping will be randomized (kernel >= 2.6.21).
1814
1815   MIRROR
1816       This is an experimental demonstration target which inverts  the  source
1817       and destination fields in the IP header and retransmits the packet.  It
1818       is only valid in the INPUT, FORWARD and PREROUTING  chains,  and  user-
1819       defined  chains which are only called from those chains.  Note that the
1820       outgoing packets are NOT seen by any packet filtering  chains,  connec‐
1821       tion tracking or NAT, to avoid loops and other problems.
1822
1823   NETMAP
1824       This  target  allows you to statically map a whole network of addresses
1825       onto another network of addresses.  It can only be used from  rules  in
1826       the nat table.
1827
1828       --to address[/mask]
1829              Network  address  to map to.  The resulting address will be con‐
1830              structed in the following way: All 'one' bits in  the  mask  are
1831              filled in from the new `address'.  All bits that are zero in the
1832              mask are filled in from the original address.
1833
1834   NFLOG
1835       This target provides logging of matching packets. When this  target  is
1836       set  for  a  rule,  the Linux kernel will pass the packet to the loaded
1837       logging backend to log the packet. This is usually used in  combination
1838       with  nfnetlink_log as logging backend, which will multicast the packet
1839       through a netlink socket to the specified multicast group. One or  more
1840       userspace  processes may subscribe to the group to receive the packets.
1841       Like LOG, this is a non-terminating target, i.e. rule traversal contin‐
1842       ues at the next rule.
1843
1844       --nflog-group nlgroup
1845              The netlink group (0 - 2^16-1) to which packets are  sent  (only
1846              applicable for nfnetlink_log). The default value is 0.
1847
1848       --nflog-prefix prefix
1849              A prefix string to include in the log message, up to 64  charac‐
1850              ters long, useful for distinguishing messages in the logs.
1851
1852       --nflog-range size
1853              The  number  of bytes to be copied to userspace (only applicable
1854              for nfnetlink_log). nfnetlink_log instances  may  specify  their
1855              own range, this option overrides it.
1856
1857       --nflog-threshold size
1858              Number of packets to queue inside the kernel before sending them
1859              to userspace (only applicable for nfnetlink_log). Higher  values
1860              result in less overhead per packet, but increase delay until the
1861              packets reach userspace. The default value is 1.
1862
1863   NFQUEUE
1864       This target is an extension of the QUEUE target. As opposed  to  QUEUE,
1865       it  allows  you  to put a packet into any specific queue, identified by
1866       its 16-bit queue number.  It can only  be  used  with  Kernel  versions
1867       2.6.14  or later, since it requires the nfnetlink_queue kernel support.
1868       The queue-balance option was added in  Linux  2.6.31,  queue-bypass  in
1869       2.6.39.
1870
1871       --queue-num value
1872              This  specifies the QUEUE number to use. Valid queue numbers are
1873              0 to 65535. The default value is 0.
1874
1875       --queue-balance value:value
1876              This specifies a range of queues to use. Packets are  then  bal‐
1877              anced  across  the  given  queues.  This is useful for multicore
1878              systems: start multiple instances of the  userspace  program  on
1879              queues  x, x+1, .. x+n and use "--queue-balance x:x+n".  Packets
1880              belonging to the same connection are put into the same nfqueue.
1881
1882       --queue-bypass
1883              By default, if no userspace program is listening on an  NFQUEUE,
1884              then  all  packets that are to be queued are dropped.  When this
1885              option is used, the NFQUEUE rule is silently  bypassed  instead.
1886              The packet will move on to the next rule.
1887
1888   NOTRACK
1889       This  target disables connection tracking for all packets matching that
1890       rule.
1891
1892       It can only be used in the raw table.
1893
1894   RATEEST
1895       The RATEEST target collects statistics, performs rate estimation calcu‐
1896       lation  and  saves  the  results for later evaluation using the rateest
1897       match.
1898
1899       --rateest-name name
1900              Count matched packets into the pool referred to by  name,  which
1901              is freely choosable.
1902
1903       --rateest-interval amount{s|ms|us}
1904              Rate measurement interval, in seconds, milliseconds or microsec‐
1905              onds.
1906
1907       --rateest-ewmalog value
1908              Rate measurement averaging time constant.
1909
1910   REDIRECT
1911       This target is only valid in the nat table, in the PREROUTING and  OUT‐
1912       PUT  chains,  and  user-defined chains which are only called from those
1913       chains.  It redirects the packet to the machine itself by changing  the
1914       destination  IP  to  the  primary  address  of  the  incoming interface
1915       (locally-generated packets are mapped to the 127.0.0.1 address).
1916
1917       --to-ports port[-port]
1918              This specifies a destination port or  range  of  ports  to  use:
1919              without  this,  the  destination port is never altered.  This is
1920              only valid if the rule also specifies -p tcp or -p udp.
1921
1922       --random
1923              If option --random is used then port mapping will be  randomized
1924              (kernel >= 2.6.22).
1925
1926   REJECT
1927       This  is  used  to send back an error packet in response to the matched
1928       packet: otherwise it is equivalent to DROP so it is a terminating  TAR‐
1929       GET,  ending  rule  traversal.  This target is only valid in the INPUT,
1930       FORWARD and OUTPUT chains,  and  user-defined  chains  which  are  only
1931       called  from those chains.  The following option controls the nature of
1932       the error packet returned:
1933
1934       --reject-with type
1935              The type given can be  icmp-net-unreachable,  icmp-host-unreach‐
1936              able,       icmp-port-unreachable,       icmp-proto-unreachable,
1937              icmp-net-prohibited, icmp-host-prohibited or  icmp-admin-prohib‐
1938              ited  (*)  which  return  the  appropriate  ICMP  error  message
1939              (port-unreachable is the default).  The option tcp-reset can  be
1940              used  on  rules which only match the TCP protocol: this causes a
1941              TCP RST packet to be sent  back.   This  is  mainly  useful  for
1942              blocking  ident  (113/tcp)  probes  which  frequently occur when
1943              sending mail to broken mail hosts (which won't accept your  mail
1944              otherwise).
1945
1946       (*)  Using  icmp-admin-prohibited  with  kernels that do not support it
1947       will result in a plain DROP instead of REJECT
1948
1949   SAME
1950       Similar to SNAT/DNAT depending on chain: it takes a range of  addresses
1951       (`--to  1.2.3.4-1.2.3.7')  and gives a client the same source-/destina‐
1952       tion-address for each connection.
1953
1954       N.B.: The DNAT target's --persistent option replaced the SAME target.
1955
1956       --to ipaddr[-ipaddr]
1957              Addresses to map source to. May be specified more than once  for
1958              multiple ranges.
1959
1960       --nodst
1961              Don't  use the destination-ip in the calculations when selecting
1962              the new source-ip
1963
1964       --random
1965              Port mapping will be forcibly randomized to avoid attacks  based
1966              on port prediction (kernel >= 2.6.21).
1967
1968   SECMARK
1969       This  is used to set the security mark value associated with the packet
1970       for use by security subsystems such as SELinux.  It is  only  valid  in
1971       the mangle table. The mark is 32 bits wide.
1972
1973       --selctx security_context
              Set the security mark of the packet to the one  derived  from
              security_context, an SELinux security context string.
1974
1975   SET
1976       This  module  adds  and/or  deletes  entries  from IP sets which can be
1977       defined by ipset(8).
1978
1979       --add-set setname flag[,flag...]
1980              add the address(es)/port(s) of the packet to the sets
1981
1982       --del-set setname flag[,flag...]
1983              delete the address(es)/port(s) of the packet from the sets
1984
1985              where flags are src and/or dst specifications and there  can  be
1986              no more than six of them.
1987
1988       Use  of -j SET requires that ipset kernel support is provided. As stan‐
1989       dard kernels do not ship this currently, the  ipset  or  Xtables-addons
1990       package needs to be installed.
1991
1992   SNAT
1993       This  target  is only valid in the nat table, in the POSTROUTING chain.
1994       It specifies that the source address of the packet should  be  modified
1995       (and  all  future packets in this connection will also be mangled), and
1996       rules should cease being examined.  It takes one type of option:
1997
1998       --to-source ipaddr[-ipaddr][:port[-port]]
1999              which can specify a single new source IP address,  an  inclusive
2000              range  of  IP  addresses, and optionally, a port range (which is
2001              only valid if the rule also specifies -p tcp or -p udp).  If  no
2002              port  range  is  specified,  then source ports below 512 will be
2003              mapped to other ports below 512:  those  between  512  and  1023
2004              inclusive  will  be  mapped to ports below 1024, and other ports
2005              will be mapped to 1024 or above. Where possible, no port  alter‐
2006              ation will
2007
2008              In  Kernels  up  to  2.6.10,  you  can  add  several --to-source
2009              options. For those kernels, if you specify more than one  source
2010              address,  either  via  an  address range or multiple --to-source
2011              options, a simple round-robin (one after another in cycle) takes
2012              place  between  these  addresses.  Later Kernels (>= 2.6.11-rc1)
2013              don't have the ability to NAT to multiple ranges anymore.
2014
2015       --random
2016              If option --random is used then port mapping will be  randomized
2017              (kernel >= 2.6.21).
2018
2019       --persistent
2020              Gives  a  client  the  same source-/destination-address for each
2021              connection.  This supersedes the SAME target. Support  for  per‐
2022              sistent mappings is available from 2.6.29-rc2.
2023
2024   TCPMSS
2025       This  target  alters  the MSS value of TCP SYN packets, to con‐
2026       trol the maximum size for that connection (usually limiting it to  your
2027       outgoing  interface's  MTU  minus  40  for IPv4 or 60 for IPv6, respec‐
2028       tively).  Of course, it can only be used in conjunction  with  -p  tcp.
2029       It is only valid in the mangle table.
2030       This  target  is  used to overcome criminally braindead ISPs or servers
2031       which block "ICMP Fragmentation Needed"  or  "ICMPv6  Packet  Too  Big"
2032       packets.   The  symptoms of this problem are that everything works fine
2033       from your Linux firewall/router,  but  machines  behind  it  can  never
2034       exchange large packets:
2035        1) Web browsers connect, then hang with no data received.
2036        2) Small mail works fine, but large emails hang.
2037        3) ssh works fine, but scp hangs after initial handshaking.
2038       Workaround:  activate  this option and add a rule to your firewall con‐
2039       figuration like:
2040
2041               iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
2042                           -j TCPMSS --clamp-mss-to-pmtu
2043
2044       --set-mss value
2045              Explicitly sets MSS option to specified value. If the MSS of the
2046              packet  is  already  lower  than value, it will not be increased
2047              (from Linux 2.6.25 onwards) to avoid more  problems  with  hosts
2048              relying on a proper MSS.
2049
2050       --clamp-mss-to-pmtu
2051              Automatically  clamp  MSS  value to (path_MTU - 40 for IPv4; -60
2052              for IPv6).  This may not function as  desired  where  asymmetric
2053              routes  with differing path MTU exist — the kernel uses the path
2054              MTU which it would use to send packets from itself to the source
2055              and  destination  IP  addresses. Prior to Linux 2.6.25, only the
2056              path MTU to the destination IP address was  considered  by  this
2057              option;  subsequent  kernels  also  consider the path MTU to the
2058              source IP address.
2059
2060       These options are mutually exclusive.
2061
2062   TCPOPTSTRIP
2063       This target will strip TCP options off a TCP packet. (It will  actually
2064       replace  them  by  NO-OPs.)  As  such,  you will need to add the -p tcp
2065       parameters.
2066
2067       --strip-options option[,option...]
2068              Strip the given option(s). The options may be specified  by  TCP
2069              option  number  or  by  symbolic  name.  The  list of recognized
2070              options can be obtained by calling iptables with -j  TCPOPTSTRIP
2071              -h.
2072
2073   TOS
2074       This  module sets the Type of Service field in the IPv4 header (includ‐
2075       ing the "precedence" bits) or the Priority field in  the  IPv6  header.
2076       Note  that  TOS shares the same bits as DSCP and ECN. The TOS target is
2077       only valid in the mangle table.
2078
2079       --set-tos value[/mask]
2080              Zeroes out the bits given  by  mask  and  XORs  value  into  the
2081              TOS/Priority field. If mask is omitted, 0xFF is assumed.
2082
2083       --set-tos symbol
2084              You  can  specify  a symbolic name when using the TOS target for
2085              IPv4. It implies a mask of 0xFF.  The  list  of  recognized  TOS
2086              names can be obtained by calling iptables with -j TOS -h.
2087
2088       The following mnemonics are available:
2089
2090       --and-tos bits
2091              Binary  AND  the  TOS  value  with bits. (Mnemonic for --set-tos
2092              0/invbits, where invbits is the binary negation of bits.)
2093
2094       --or-tos bits
2095              Binary OR the TOS  value  with  bits.  (Mnemonic  for  --set-tos
2096              bits/bits.)
2097
2098       --xor-tos bits
2099              Binary  XOR  the  TOS  value  with bits. (Mnemonic for --set-tos
2100              bits/0.)
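
       The value/mask semantics of --set-tos and the three mnemonics are easy
       to get wrong; the shell functions below are an added example, not part
       of this man page or of the netfilter project, that implement them as
       arithmetic so the effect on a TOS byte can be checked before a rule is
       installed.  The function names (set_tos, and_tos, or_tos, xor_tos,
       tos_rule) and the starting byte 0x29 are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the iptables man page): the --set-tos value/mask
# operation and the three mnemonics expressed as arithmetic, so the effect
# on a given TOS/Priority byte can be checked before a rule is installed.
# Values are integers 0-255; hex input such as 0x10 is accepted.

# set_tos OLD VALUE [MASK]: zero the bits in MASK, then XOR VALUE in
# (MASK defaults to 0xFF, exactly as --set-tos does).
set_tos() {
    old=$(( $1 ))
    value=$(( $2 ))
    mask=$(( ${3:-0xFF} ))
    printf '0x%02x\n' $(( ( (old & ~mask) ^ value ) & 0xFF ))
}

# The mnemonics, written exactly as the man page defines them:
and_tos() { set_tos "$1" 0 $(( ~$2 & 0xFF )); }   # --set-tos 0/invbits
or_tos()  { set_tos "$1" "$2" "$2"; }              # --set-tos bits/bits
xor_tos() { set_tos "$1" "$2" 0; }                 # --set-tos bits/0

# tos_rule CHAIN SELECTOR OPTION BITS: the matching mangle-table rule text,
# e.g. tos_rule OUTPUT "-p tcp --dport 22" --or-tos 0x10
tos_rule() {
    echo "iptables -t mangle -A $1 $2 -j TOS $3 $4"
}

# Walk a constructed TOS byte through each operation.
# 0x29 = DSCP bits 0x28 (the six high bits) with the low ECN bit set.
tos=0x29
echo "start:               $(printf '0x%02x' $(( $tos )))"
echo "--and-tos 0xfc:      $(and_tos $tos 0xfc)  (clears the two ECN bits)"
echo "--or-tos  0x10:      $(or_tos $tos 0x10)  (sets Minimize-Delay)"
echo "--xor-tos 0x08:      $(xor_tos $tos 0x08)  (toggles Maximize-Throughput)"
echo "--set-tos 0x10/0xfc: $(set_tos $tos 0x10 0xfc)  (replace DSCP bits, keep ECN)"
echo "rule: $(tos_rule OUTPUT "-p tcp --dport 22" --or-tos 0x10)"
```

       The last case shows why the mask matters: --set-tos 0x10/0xfc rewrites
       only the six DSCP bits and leaves the ECN bits untouched, whereas
       --set-tos 0x10 (mask 0xFF) would also clear ECN, which the note about
       TOS sharing bits with DSCP and ECN warns about.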
2101
2102   TPROXY
2103       This target is only valid in the mangle table, in the PREROUTING  chain
2104       and user-defined chains which are only called from this chain. It redi‐
2105       rects the packet to a local socket without changing the  packet  header
2106       in any way. It can also change the mark value which can then be used in
2107       advanced routing rules.  It takes three options:
2108
2109       --on-port port
2110              This specifies a destination port  to  use.  It  is  a  required
2111              option,  0  means  the  new  destination port is the same as the
2112              original. This is only valid if the rule also specifies  -p  tcp
2113              or -p udp.
2114
2115       --on-ip address
2116              This  specifies  a  destination  address  to use. By default the
2117              address is the IP address of the  incoming  interface.  This  is
2118              only valid if the rule also specifies -p tcp or -p udp.
2119
2120       --tproxy-mark value[/mask]
2121              Marks  packets  with  the given value/mask. The fwmark value set
2122              here can be used by advanced routing. (Required for  transparent
2123              proxying  to  work:  otherwise these packets will get forwarded,
2124              which is probably not what you want.)
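
       The mark is required because TPROXY does not rewrite the destination
       address: without a policy-routing rule that sends marked packets to a
       table whose only route is "local", the kernel would forward them as the
       man page warns.  The script below is an added example, not part of this
       man page or of the netfilter project, that prints the complete set-up
       (it mirrors the arrangement described in the Linux kernel's tproxy
       documentation).  The function name tproxy_setup, the DIVERT chain name,
       the proxy port 50080 and table number 100 are constructed for the
       example; the proxy itself must listen on that port with the
       IP_TRANSPARENT socket option set.

```sh
#!/bin/sh
# Added example (not from the iptables man page): the rules and routing set-up
# the TPROXY target needs in order to deliver redirected packets to a local
# listener.  Commands are printed, not executed; pipe the output to sh as root
# to apply them.

# tproxy_setup DPORT PROXY_PORT MARK [TABLE]
#   DPORT       original destination port to intercept (e.g. 80)
#   PROXY_PORT  port the transparent proxy listens on locally
#   MARK        fwmark used to route the packets to the local table
#   TABLE       policy-routing table number (default 100)
tproxy_setup() {
    dport=$1
    proxy_port=$2
    mark=$3
    table=${4:-100}

    # Policy routing: anything carrying MARK is delivered locally,
    # whatever its destination address says.
    echo "ip rule add fwmark $mark lookup $table"
    echo "ip route add local 0.0.0.0/0 dev lo table $table"

    # Packets that already belong to a local socket (follow-up segments of an
    # intercepted connection) only need the mark, not a new redirect; the
    # socket match catches them before the TPROXY rule is reached.
    echo "iptables -t mangle -N DIVERT"
    echo "iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT"
    echo "iptables -t mangle -A DIVERT -j MARK --set-mark $mark"
    echo "iptables -t mangle -A DIVERT -j ACCEPT"

    # New connections to DPORT: hand them to the proxy port and set the mark
    # (value/mask form, so only this bit of the fwmark is touched).
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $dport -j TPROXY" \
         "--tproxy-mark $mark/$mark --on-port $proxy_port"
}

# Print the set-up for intercepting port 80 into a proxy on port 50080.
tproxy_setup 80 50080 1
```

       Because TPROXY is only honoured in PREROUTING of the mangle table, the
       listener sees the client's original addresses; --on-ip can be added to
       the last rule when the proxy binds a specific local address rather than
       the incoming interface's.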
2125
2126   TRACE
2127       This target marks packets so that the kernel will log every  rule  that
2128       matches them as they traverse the tables, chains and  rules.  (The
2129       ipt_LOG or ip6t_LOG module is required for the  logging.)  The  packets
2130       are   logged   with   the   string   prefix:  "TRACE:  tablename:chain‐
2131       name:type:rulenum " where type can be "rule" for plain  rule,  "return"
2132       for  implicit  rule at the end of a user defined chain and "policy" for
2133       the policy of the built in chains.
2134       It can only be used in the raw table.
2135
2136   TTL
2137       This is used to modify the IPv4 TTL header field.  The TTL field deter‐
2138       mines  how many hops (routers) a packet can traverse until its time to
2139       live is exceeded.
2140
2141       Setting or incrementing the TTL field can potentially be  very  danger‐
2142       ous, so it should be avoided at any cost.
2143
2144       Don't  ever set or increment the value on packets that leave your local
2145       network!  The TTL target is only valid in the mangle table.
2146
2147       --ttl-set value
2148              Set the TTL value to `value'.
2149
2150       --ttl-dec value
2151              Decrement the TTL value `value' times.
2152
2153       --ttl-inc value
2154              Increment the TTL value `value' times.
2155
2156   ULOG
2157       This target provides userspace logging of matching packets.  When  this
2158       target  is  set for a rule, the Linux kernel will multicast this packet
2159       through a netlink socket. One or more userspace processes may then sub‐
2160       scribe  to various multicast groups and receive the packets.  Like LOG,
2161       this is a "non-terminating target", i.e. rule  traversal  continues  at
2162       the next rule.
2163
2164       --ulog-nlgroup nlgroup
2165              This  specifies  the netlink group (1-32) to which the packet is
2166              sent.  Default value is 1.
2167
2168       --ulog-prefix prefix
2169              Prefix log messages with the specified prefix; up to 32  charac‐
2170              ters long, and useful for distinguishing messages in the logs.
2171
2172       --ulog-cprange size
2173              Number  of bytes to be copied to userspace.  A value of 0 always
2174              copies the entire packet, regardless of its size.  Default is 0.
2175
2176       --ulog-qthreshold size
2177              Number of packets to queue inside kernel.  Setting this value to,
2178              e.g.  10 accumulates ten packets inside the kernel and transmits
2179              them as one netlink multipart message to userspace.  Default  is
2180              1 (for backwards compatibility).
2181

DIAGNOSTICS

2183       Various error messages are printed to standard error.  The exit code is
2184       0 for correct functioning.  Errors which appear to be caused by invalid
2185       or  abused  command  line parameters cause an exit code of 2, and other
2186       errors cause an exit code of 1.
2187

BUGS

2189       Bugs?  What's this? ;-)  Well,  you  might  want  to  have  a  look  at
2190       http://bugzilla.netfilter.org/
2191

COMPATIBILITY WITH IPCHAINS

2193       This  iptables  is very similar to ipchains by Rusty Russell.  The main
2194       difference is that the chains INPUT and OUTPUT are only  traversed  for
2195       packets  coming into the local host and originating from the local host
2196       respectively.  Hence every packet only passes through one of the  three
2197       chains  (except  loopback traffic, which involves both INPUT and OUTPUT
2198       chains); previously a forwarded packet would pass through all three.
2199
2200       The other main difference is that -i refers to the input interface;  -o
2201       refers  to  the  output  interface,  and both are available for packets
2202       entering the FORWARD chain.
2203
2204       The various forms of NAT have been separated out; iptables  is  a  pure
2205       packet  filter  when  using  the  default `filter' table, with optional
2206       extension modules.  This should simplify much of the previous confusion
2207       over  the combination of IP masquerading and packet filtering seen pre‐
2208       viously.  So the following options are handled differently:
2209        -j MASQ
2210        -M -S
2211        -M -L
2212       There are several other changes in iptables.
2213

SEE ALSO

2215       iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8),
2216       ip6tables-restore(8), libipq(3).
2217
2218       The packet-filtering-HOWTO details iptables usage for packet filtering,
2219       the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO  details  the
2220       extensions  that  are not in the standard distribution, and the netfil‐
2221       ter-hacking-HOWTO details the netfilter internals.
2222       See http://www.netfilter.org/.
2223

AUTHORS

2225       Rusty Russell originally wrote iptables,  in  early  consultation  with
2226       Michael Neuling.
2227
2228       Marc  Boucher  made  Rusty  abandon  ipnatctl by lobbying for a generic
2229       packet selection framework in iptables, then wrote  the  mangle  table,
2230       the owner match, the mark stuff, and ran around doing cool stuff every‐
2231       where.
2232
2233       James Morris wrote the TOS target, and tos match.
2234
2235       Jozsef Kadlecsik wrote the REJECT target.
2236
2237       Harald Welte wrote the ULOG and NFQUEUE target,  the  new  libiptc,  as
2238       well as the TTL, DSCP, ECN matches and targets.
2239
2240       The  Netfilter  Core  Team is: Marc Boucher, Martin Josefsson, Yasuyuki
2241       Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris,  Pablo  Neira
2242       Ayuso, Harald Welte and Rusty Russell.
2243
2244       Man page originally written by Herve Eychenne <rv@wallfire.org>.
2245
2246
2247
2248iptables 1.4.7                                                     IPTABLES(8)