IPTABLES(8) iptables 1.4.7 IPTABLES(8)

NAME
iptables — administration tool for IPv4 packet filtering and NAT

SYNOPSIS
iptables [-t table] {-A|-C|-D} chain rule-specification

iptables [-t table] -I chain [rulenum] rule-specification

iptables [-t table] -R chain rulenum rule-specification

iptables [-t table] -D chain rulenum

iptables [-t table] -S [chain [rulenum]]

iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

iptables [-t table] -N chain

iptables [-t table] -X [chain]

iptables [-t table] -P chain target

iptables [-t table] -E old-chain-name new-chain-name

rule-specification = [matches...] [target]

match = -m matchname [per-match-options]

target = -j targetname [per-target-options]

DESCRIPTION
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

TARGETS
A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES
There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

-t, --table table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

The tables are as follows:

filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).

OPTIONS
The options that are recognized by iptables can be divided into several different groups.

COMMANDS
These options specify the desired action to perform. Only one of them can be specified on the command line unless otherwise stated below. For long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.

-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

-C, --check chain rule-specification
Check whether a rule matching the specification does exist in the selected chain. This command uses the same logic as -D to find a matching entry, but does not alter the existing iptables configuration and uses its exit code to indicate success or failure.

-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L
Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use
iptables -L -v

-S, --list-rules [chain]
Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is the default).

-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-Z, --zero [chain [rulenum]]
Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)

-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.

-X, --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

-P, --policy chain target
Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

-E, --rename-chain old-chain new-chain
Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.

-h
Help. Give a (currently very brief) description of the command syntax.

PARAMETERS
The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

[!] -p, --protocol protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

[!] -s, --source address[/mask][,...]
Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option. Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).

[!] -d, --destination address[/mask][,...]
Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

-g, --goto chain
This specifies that the processing should continue in a user specified chain. Unlike the --jump option, return will not continue processing in this chain but instead in the chain that called us via --jump.
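As an added illustration of the -j/-g difference, of RETURN, and of chain policies described above (a model written for this page, not code from the iptables project), here is a small Python simulation of chain traversal; the table, rules and packet dicts are constructed for the example:

```python
"""Didactic model of iptables chain traversal as this man page describes it:
rules are walked in order; a matching rule's target decides the fate; -j enters
a user-defined chain and resumes here when it returns, -g (goto) does not; and
the policy of the built-in chain applies when its end is reached or a RETURN
is hit inside it.  Constructed example, not iptables source."""

TERMINAL = {"ACCEPT", "DROP", "QUEUE"}


class Rule:
    def __init__(self, match, target=None, goto=False):
        # match: callable(packet) -> bool.  target: a verdict, RETURN, or a
        # user-defined chain name; None models a rule with no -j/-g.
        self.match, self.target, self.goto = match, target, goto
        self.packets = 0  # counter: bumped on every match, even with no target


class Table:
    def __init__(self, policies):
        # policies: built-in chain name -> ACCEPT or DROP (-P)
        self.policies = dict(policies)
        self.chains = {name: [] for name in policies}

    def new_chain(self, name):          # -N: user-defined chains carry no policy
        self.chains[name] = []

    def append(self, chain, rule):      # -A
        self.chains[chain].append(rule)

    def verdict(self, builtin, packet):
        """Fate of a packet entering the named built-in chain."""
        return self._walk(builtin, packet, builtin)

    def _walk(self, chain, packet, builtin):
        for rule in self.chains[chain]:
            if not rule.match(packet):
                continue
            rule.packets += 1
            target = rule.target
            if target is None:
                continue                        # counters only, fate unchanged
            if target in TERMINAL:
                return target
            if target == "RETURN":
                break                           # leave this chain now
            inner = self._walk(target, packet, builtin)
            if inner != "RETURN":
                return inner                    # terminal verdict from below
            if rule.goto:
                break   # -g: the callee's return is our return; skip our rules
            # -j: resume with the next rule in this chain
        # end of chain reached, or RETURN / goto-return from inside it
        return self.policies[chain] if chain == builtin else "RETURN"


def build_filter(use_goto):
    """Constructed filter table: INPUT policy DROP; a 'web' chain accepting
    port 80; INPUT hands TCP to 'web' (with -j or -g) and then accepts the rest."""
    t = Table({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    t.new_chain("web")
    t.append("web", Rule(lambda p: p["dport"] == 80, "ACCEPT"))
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp", "web", goto=use_goto))
    t.append("INPUT", Rule(lambda p: True, "ACCEPT"))
    return t


def verdict_for(use_goto, proto, dport):
    return build_filter(use_goto).verdict("INPUT", {"proto": proto, "dport": dport})


def verdict_after_return_in_builtin():
    """RETURN matched in a built-in chain falls through to the chain policy."""
    t = Table({"INPUT": "DROP"})
    t.append("INPUT", Rule(lambda p: True, "RETURN"))
    t.append("INPUT", Rule(lambda p: True, "ACCEPT"))   # never reached
    return t.verdict("INPUT", {"proto": "tcp", "dport": 22})


def counter_only_rule_packets():
    """A rule with no -j still counts matches and leaves the fate to later rules."""
    t = Table({"INPUT": "DROP"})
    counter = Rule(lambda p: True)            # no target
    t.append("INPUT", counter)
    t.append("INPUT", Rule(lambda p: True, "ACCEPT"))
    fate = t.verdict("INPUT", {"proto": "udp", "dport": 53})
    return counter.packets, fate


if __name__ == "__main__":
    for goto in (False, True):
        print("goto" if goto else "jump", "tcp/22 ->", verdict_for(goto, "tcp", 22))
```

With -j, a TCP packet to port 22 leaves 'web' and reaches the catch-all ACCEPT; with -g the same packet returns to INPUT's caller instead, so the INPUT policy DROP applies.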
260
[!] -i, --in-interface name
Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.

[!] -o, --out-interface name
Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.

[!] -f, --fragment
This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the rule will only match head fragments, or unfragmented packets.

-c, --set-counters packets bytes
This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).

OTHER OPTIONS
The following additional options can be specified:

-v, --verbose
Verbose output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).

-x, --exact
Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.

--line-numbers
When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

--modprobe=command
When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

The following are included in the base package, and most of these can be preceded by a "!" to invert the sense of the match.

addrtype
This module matches packets based on their address type. Address types are used within the kernel networking stack and categorize addresses into various groups. The exact definition of that group depends on the specific layer three protocol.

The following address types are possible:

UNSPEC an unspecified address (i.e. 0.0.0.0)
UNICAST a unicast address
LOCAL a local address
BROADCAST a broadcast address
ANYCAST an anycast packet
MULTICAST a multicast address
BLACKHOLE a blackhole address
UNREACHABLE an unreachable address
PROHIBIT a prohibited address
THROW FIXME
NAT FIXME
XRESOLVE

[!] --src-type type
Matches if the source address is of the given type.

[!] --dst-type type
Matches if the destination address is of the given type.

--limit-iface-in
The address type checking can be limited to the interface the packet is coming in. This option is only valid in the PREROUTING, INPUT and FORWARD chains. It cannot be specified with the --limit-iface-out option.

--limit-iface-out
The address type checking can be limited to the interface the packet is going out. This option is only valid in the POSTROUTING, OUTPUT and FORWARD chains. It cannot be specified with the --limit-iface-in option.

ah
This module matches the SPIs in the Authentication header of IPsec packets.

[!] --ahspi spi[:spi]

cluster
Allows you to deploy gateway and back-end load-sharing clusters without the need of load-balancers.

This match requires that all the nodes see the same packets. Thus, the cluster match decides if this node has to handle a packet given the following options:

--cluster-total-nodes num
Set number of total nodes in cluster.

[!] --cluster-local-node num
Set the local node number ID.

[!] --cluster-local-nodemask mask
Set the local node number ID mask. You can use this option instead of --cluster-local-node.

--cluster-hash-seed value
Set seed value of the Jenkins hash.

Example:

iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP

iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP

And the following commands to make all nodes see the same packets:

ip maddr add 01:00:5e:00:01:01 dev eth1

ip maddr add 01:00:5e:00:01:02 dev eth2

arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01

arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:02

arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

In the case of TCP connections, the pickup facility has to be disabled to avoid marking TCP ACK packets coming in the reply direction as valid.

echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

comment
Allows you to add comments (up to 256 characters) to any rule.

--comment comment

Example:
iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"

connbytes
Match by how many bytes or packets a connection (or one of the two flows constituting the connection) has transferred so far, or by average bytes per packet.

The counters are 64-bit and are thus not expected to overflow ;)

The primary use is to detect long-lived downloads and mark them to be scheduled using a lower priority band in traffic control.

The transferred bytes per connection can also be viewed through `conntrack -L` and accessed via ctnetlink.

NOTE that for connections which have no accounting information, the match will always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls whether new connections will be byte/packet counted. Existing connection flows will not be gaining/losing a/the accounting structure when the sysctl flag is flipped.

[!] --connbytes from[:to]
Match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. If TO is omitted only the FROM check is done. "!" is used to match packets not falling in the range.

--connbytes-dir {original|reply|both}
Which packets to consider.

--connbytes-mode {packets|bytes|avgpkt}
Whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example HTTP), the average packet size will be about half of the actual data packets.

Example:
iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...

connlimit
Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

[!] --connlimit-above n
Match if the number of existing connections is (not) above n.

--connlimit-mask prefix_length
Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128.

Examples:

# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

# limit the number of parallel HTTP requests to 16 for the link local network
(ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT
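To make the connlimit semantics of the examples above concrete, an added Python model (written for this page, not the kernel's connlimit code) that groups clients by --connlimit-mask and evaluates --connlimit-above in both its plain and inverted form; the addresses, ports and the rule that the connection being attempted counts towards the total are constructed assumptions:

```python
"""Model of the connlimit match from this man page: count the parallel
connections of a client group, where the group is the client address cut to
--connlimit-mask prefix bits (per-host default: 32 for IPv4, 128 for IPv6),
and match when that count is above N.  Constructed example, not kernel code.
Model assumption: the connection being attempted is itself included in the
count, which gives the man page's 'allow 2 telnet connections per client
host' reading of '--connlimit-above 2 -j REJECT'."""
import ipaddress


class ConnLimit:
    def __init__(self, above, mask=None):
        self.above = above          # --connlimit-above n
        self.mask = mask            # --connlimit-mask prefix_length (None = per host)
        self.conns = {}             # group network -> set of open (src, sport)

    def group(self, src):
        addr = ipaddress.ip_address(src)
        prefix = addr.max_prefixlen if self.mask is None else self.mask
        if not 0 <= prefix <= addr.max_prefixlen:   # 0..32 for IPv4, 0..128 for IPv6
            raise ValueError(f"--connlimit-mask {prefix} invalid for {src}")
        return ipaddress.ip_network(f"{src}/{prefix}", strict=False)

    def count_with(self, src, sport):
        """Connections in src's group if this attempt were added to it."""
        return len(self.conns.get(self.group(src), set()) | {(src, sport)})

    def matches(self, src, sport, invert=False):
        """'[!] --connlimit-above n': true when the count is (not) above n."""
        return (self.count_with(src, sport) > self.above) != invert

    def admit(self, src, sport):
        """Apply '-m connlimit --connlimit-above N -j REJECT' to a new SYN:
        reject (False) when the rule matches, otherwise record the connection."""
        if self.matches(src, sport):
            return False
        self.conns.setdefault(self.group(src), set()).add((src, sport))
        return True

    def close(self, src, sport):
        """Connection tracking saw the flow end: free its slot."""
        self.conns.get(self.group(src), set()).discard((src, sport))


def run_class_c_example():
    """Constructed trace for '--connlimit-above 2 --connlimit-mask 24': three
    hosts of one /24 share a budget of two, a neighbouring /24 has its own,
    and closing a connection frees a slot."""
    cl = ConnLimit(above=2, mask=24)
    results = [cl.admit("10.0.0.1", 40001), cl.admit("10.0.0.2", 40002),
               cl.admit("10.0.0.3", 40003),   # third in 10.0.0.0/24: rejected
               cl.admit("10.0.1.1", 40004)]   # different /24: allowed
    cl.close("10.0.0.1", 40001)
    results.append(cl.admit("10.0.0.3", 40003))   # slot freed: allowed
    return results


def run_link_local_example():
    """Constructed IPv6 trace for '--connlimit-above 1 --connlimit-mask 64'."""
    cl = ConnLimit(above=1, mask=64)
    return [cl.admit("fe80::1", 5000), cl.admit("fe80::2", 5001),
            cl.admit("fe80:0:0:1::2", 5002)]   # another /64: allowed


if __name__ == "__main__":
    print(run_class_c_example(), run_link_local_example())
```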
535
connmark
This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below).

[!] --mark value[/mask]
Matches packets in connections with the given mark value (if a mask is specified, this is logically ANDed with the mark before the comparison).

conntrack
This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.

[!] --ctstate statelist
statelist is a comma separated list of the connection states to match. Possible states are listed below.

[!] --ctproto l4proto
Layer-4 protocol to match (by number or name).

[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
Match against original/reply source/destination address.

[!] --ctorigsrcport port
[!] --ctorigdstport port
[!] --ctreplsrcport port
[!] --ctrepldstport port
Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.

[!] --ctstatus statuslist
statuslist is a comma separated list of the connection statuses to match. Possible statuses are listed below.

[!] --ctexpire time[:time]
Match remaining lifetime in seconds against the given value or range of values (inclusive).

--ctdir {ORIGINAL|REPLY}
Match packets that are flowing in the specified direction. If this flag is not specified at all, matches packets in both directions.

States for --ctstate:

INVALID meaning that the packet is associated with no known connection.
NEW meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions.
ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions.
RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
SNAT A virtual state, matching if the original source address differs from the reply destination.
DNAT A virtual state, matching if the original destination differs from the reply source.

Statuses for --ctstatus:

NONE None of the below.
EXPECTED This is an expected connection (i.e. a conntrack helper set it up).
SEEN_REPLY Conntrack has seen packets in both directions.
ASSURED Conntrack entry should never be early-expired.
CONFIRMED Connection is confirmed: originating packet has left the box.

dccp
[!] --source-port,--sport port[:port]
[!] --destination-port,--dport port[:port]

[!] --dccp-types mask
Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated list of packet types. Packet types are: REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID.

[!] --dccp-option number
Match if the DCCP option is set.

dscp
This module matches the 6 bit DSCP field within the TOS field in the IP header. DSCP has superseded TOS within the IETF.

[!] --dscp value
Match against a numeric (decimal or hex) value [0-63].

[!] --dscp-class class
Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx classes. It will then be converted into its corresponding numeric value.

ecn
This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168.

[!] --ecn-tcp-cwr
This matches if the TCP ECN CWR (Congestion Window Received) bit is set.

[!] --ecn-tcp-ece
This matches if the TCP ECN ECE (ECN Echo) bit is set.

[!] --ecn-ip-ect num
This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify a number between `0' and `3'.

esp
This module matches the SPIs in the ESP header of IPsec packets.

[!] --espspi spi[:spi]

hashlimit
hashlimit uses hash buckets to express a rate limiting match (like the limit match) for a group of connections using a single iptables rule. Grouping can be done per-hostgroup (source and/or destination address) and/or per-port. It gives you the ability to express "N packets per time quantum per group":

matching on source host
"1000 packets per second for every host in 192.168.0.0/16"

matching on source port
"100 packets per second for every service of 192.168.1.1"

matching on subnet
"10000 packets per minute for every /28 subnet in 10.0.0.0/8"

A hash limit option (--hashlimit-upto, --hashlimit-above) and --hashlimit-name are required.

--hashlimit-upto amount[/second|/minute|/hour|/day]
Match if the rate is below or equal to amount/quantum. It is specified as a number, with an optional time quantum suffix; the default is 3/hour.

--hashlimit-above amount[/second|/minute|/hour|/day]
Match if the rate is above amount/quantum.

--hashlimit-burst amount
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

--hashlimit-mode {srcip|srcport|dstip|dstport},...
A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expense of doing the hash housekeeping.

--hashlimit-srcmask prefix
When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.

--hashlimit-dstmask prefix
Like --hashlimit-srcmask, but for destination addresses.

--hashlimit-name foo
The name for the /proc/net/ipt_hashlimit/foo entry.

--hashlimit-htable-size buckets
The number of buckets of the hash table.

--hashlimit-htable-max entries
Maximum entries in the hash.

--hashlimit-htable-expire msec
After how many milliseconds hash entries expire.

--hashlimit-htable-gcinterval msec
How many milliseconds between garbage collection intervals.

helper
This module matches packets related to a specific conntrack-helper.

[!] --helper string
Matches packets related to the specified conntrack-helper.

string can be "ftp" for packets related to an ftp-session on the default port. For other ports append -portnr to the value, e.g. "ftp-2121".

The same rules apply for other conntrack-helpers.

icmp
This extension can be used if `--protocol icmp' is specified. It provides the following option:

[!] --icmp-type {type[/code]|typename}
This allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command
iptables -p icmp -h

iprange
This matches on a given arbitrary range of IP addresses.

[!] --src-range from[-to]
Match source IP in the specified range.

[!] --dst-range from[-to]
Match destination IP in the specified range.

length
This module matches the length of the layer-3 payload (e.g. layer-4 packet) of a packet against a specific value or range of values.

[!] --length length[:length]

limit
This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the `!' flag is used). It can be used in combination with the LOG target to give limited logging, for example.

--limit rate[/second|/minute|/hour|/day]
Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
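The token-bucket behaviour that limit and hashlimit share (rate, burst recharge, and for hashlimit one bucket per group under --hashlimit-mode with --hashlimit-srcmask/-dstmask) as an added Python model written for this page, not kernel or iptables code; the rates, addresses and timestamps are constructed, and treating an unsuffixed rate as per second is an assumption of the model:

```python
"""Token-bucket model of the limit and hashlimit matches as this man page
describes them: a bucket starts with `burst` tokens, gains one token per
1/rate interval up to burst, and a packet matches --limit / --hashlimit-upto
while a token is available (--hashlimit-above is the complement).  hashlimit
keeps one bucket per group chosen by --hashlimit-mode, with --hashlimit-srcmask
and -dstmask collapsing addresses to prefixes; an empty mode is one shared
bucket, i.e. the plain limit match.  Constructed example, not kernel code."""
import ipaddress

QUANTUM_MS = {"second": 1_000, "minute": 60_000, "hour": 3_600_000, "day": 86_400_000}


def parse_rate(spec):
    """'amount[/second|/minute|/hour|/day]' -> milliseconds per token.
    Model assumption: an unsuffixed amount counts per second."""
    amount, _, quantum = spec.partition("/")
    return QUANTUM_MS[quantum or "second"] // int(amount)


class HashLimit:
    def __init__(self, rate="3/hour", burst=5, mode=(), srcmask=32, dstmask=32):
        self.interval = parse_rate(rate)     # --limit / --hashlimit-upto rate
        self.burst = burst                   # --limit-burst / --hashlimit-burst
        self.mode = tuple(mode)              # --hashlimit-mode
        self.srcmask, self.dstmask = srcmask, dstmask
        self.buckets = {}                    # group key -> [tokens, last_refill_ms]

    def key(self, pkt):
        """Group key per --hashlimit-mode; addresses are cut to the mask prefixes."""
        parts = []
        if "srcip" in self.mode:
            parts.append(("src", ipaddress.ip_network(f"{pkt['src']}/{self.srcmask}", strict=False)))
        if "srcport" in self.mode:
            parts.append(("sport", pkt["sport"]))
        if "dstip" in self.mode:
            parts.append(("dst", ipaddress.ip_network(f"{pkt['dst']}/{self.dstmask}", strict=False)))
        if "dstport" in self.mode:
            parts.append(("dport", pkt["dport"]))
        return tuple(parts)

    def upto(self, pkt, now_ms):
        """--hashlimit-upto / --limit: consume a token if the group has one."""
        bucket = self.buckets.setdefault(self.key(pkt), [self.burst, now_ms])
        tokens, last = bucket
        refilled = (now_ms - last) // self.interval
        if refilled:
            tokens = min(self.burst, tokens + refilled)
            # a full bucket carries no partial credit forward
            last = now_ms if tokens == self.burst else last + refilled * self.interval
        if tokens > 0:
            bucket[:] = [tokens - 1, last]
            return True
        bucket[:] = [tokens, last]
        return False

    def above(self, pkt, now_ms):
        """--hashlimit-above: the group is already over its rate."""
        return not self.upto(pkt, now_ms)


def run_srcip_example():
    """Constructed trace for '--hashlimit-upto 2/second --hashlimit-burst 3
    --hashlimit-mode srcip --hashlimit-srcmask 24': 10.0.0.1 and 10.0.0.7
    share one /24 budget, 10.0.1.9 has its own."""
    hl = HashLimit(rate="2/second", burst=3, mode=("srcip",), srcmask=24)
    events = [(0, "10.0.0.1"), (0, "10.0.0.1"), (0, "10.0.0.1"), (0, "10.0.0.7"),
              (0, "10.0.1.9"), (499, "10.0.0.1"), (500, "10.0.0.1"),
              (500, "10.0.0.1"), (2100, "10.0.0.1")]
    return [hl.upto({"src": src}, t) for t, src in events]


def run_plain_limit_example():
    """Constructed trace for the default '--limit 3/hour --limit-burst 5':
    five packets pass at once, the sixth is refused, and one more passes
    after 20 minutes (one token at 3/hour)."""
    lim = HashLimit()                        # no mode: one shared bucket
    times = [0, 0, 0, 0, 0, 0, 20 * 60_000]
    return [lim.upto({}, t) for t in times]


if __name__ == "__main__":
    print(run_srcip_example(), run_plain_limit_example())
```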
791
mac
[!] --mac-source address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

[!] --mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison).

multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with -p tcp or -p udp.

[!] --source-ports,--sports port[,port|,port:port]...
Match if the source port is one of the given ports. The flag --sports is a convenient alias for this option. Multiple ports or port ranges are separated using a comma, and a port range is specified using a colon. 53,1024:65535 would therefore match ports 53 and all from 1024 through 65535.

[!] --destination-ports,--dports port[,port|,port:port]...
Match if the destination port is one of the given ports. The flag --dports is a convenient alias for this option.

[!] --ports port[,port|,port:port]...
Match if either the source or destination ports are equal to one of the given ports.
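An added Python parser and matcher for the multiport port list (written for this page, not iptables' own libxt_multiport code) that enforces the 15-port limit with ranges counting double and the tcp/udp restriction; the port lists and packets are constructed:

```python
"""Parser and matcher for the multiport match as this man page specifies it:
a comma-separated list 'port[,port|,port:port]...' of up to 15 ports, where a
port:port range counts as two, usable only with -p tcp or -p udp, applied to
--sports, --dports or --ports (either side).  Constructed example."""

MAX_PORTS = 15


def parse_multiport(spec):
    """Return a list of (lo, hi) tuples; a single port becomes (p, p)."""
    ranges, used = [], 0
    for item in spec.split(","):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            used += 2                      # a range costs two of the 15 slots
        else:
            lo = hi = int(item)            # ValueError on an empty or non-numeric item
            used += 1
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port spec {item!r}")
        ranges.append((lo, hi))
    if used > MAX_PORTS:
        raise ValueError(f"{spec!r} uses {used} port slots, limit is {MAX_PORTS}")
    return ranges


def is_valid_spec(spec):
    """True when iptables would accept the list (size, range order, bounds)."""
    try:
        parse_multiport(spec)
        return True
    except ValueError:
        return False


def multiport_matches(spec, proto, sport, dport, which="dports", invert=False):
    """Evaluate '[!] --sports/--dports/--ports spec' for one packet."""
    if proto not in ("tcp", "udp"):
        raise ValueError("multiport requires -p tcp or -p udp")
    ranges = parse_multiport(spec)
    candidates = {"sports": (sport,), "dports": (dport,), "ports": (sport, dport)}[which]
    hit = any(lo <= p <= hi for p in candidates for lo, hi in ranges)
    return hit != invert


if __name__ == "__main__":
    print(parse_multiport("53,1024:65535"),
          multiport_matches("53,1024:65535", "udp", 40000, 53))
```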
827
owner
This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

[!] --uid-owner username
[!] --uid-owner userid[-userid]
Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or a UID range.

[!] --gid-owner groupname
[!] --gid-owner groupid[-groupid]
Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.

[!] --socket-exists
Matches if the packet is associated with a socket.

physdev
This module matches on the bridge port input and output devices enslaved to a bridge device. This module is a part of the infrastructure that enables a transparent bridging IP firewall and is only useful for kernel versions above version 2.5.44.

[!] --physdev-in name
Name of a bridge port via which a packet is received (only for packets entering the INPUT, FORWARD and PREROUTING chains). If the interface name ends in a "+", then any interface which begins with this name will match. If the packet didn't arrive through a bridge device, this packet won't match this option, unless '!' is used.

[!] --physdev-out name
Name of a bridge port via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). If the interface name ends in a "+", then any interface which begins with this name will match. Note that in the nat and mangle OUTPUT chains one cannot match on the bridge output port, however one can in the filter OUTPUT chain. If the packet won't leave by a bridge device or if it is yet unknown what the output device will be, then the packet won't match this option, unless '!' is used.

[!] --physdev-is-in
Matches if the packet has entered through a bridge interface.

[!] --physdev-is-out
Matches if the packet will leave through a bridge interface.

[!] --physdev-is-bridged
Matches if the packet is being bridged and therefore is not being routed. This is only useful in the FORWARD and POSTROUTING chains.

pkttype
This module matches the link-layer packet type.
890
891 [!] --pkt-type {unicast|broadcast|multicast}
892
893 policy
894 This module matches the policy used by IPsec for handling a packet.
895
896 --dir {in|out}
897 Used to select whether to match the policy used for decapsula‐
898 tion or the policy that will be used for encapsulation. in is
899 valid in the PREROUTING, INPUT and FORWARD chains, out is valid
900 in the POSTROUTING, OUTPUT and FORWARD chains.
901
902 --pol {none|ipsec}
903 Matches if the packet is subject to IPsec processing.
904
905 --strict
906 Selects whether to match the exact policy or match if any rule
907 of the policy matches the given policy.
908
909 [!] --reqid id
910 Matches the reqid of the policy rule. The reqid can be specified
911 with setkey(8) using unique:id as level.
912
913 [!] --spi spi
914 Matches the SPI of the SA.
915
916 [!] --proto {ah|esp|ipcomp}
917 Matches the encapsulation protocol.
918
919 [!] --mode {tunnel|transport}
920 Matches the encapsulation mode.
921
922 [!] --tunnel-src addr[/mask]
923 Matches the source end-point address of a tunnel mode SA. Only
924 valid with --mode tunnel.
925
926 [!] --tunnel-dst addr[/mask]
927 Matches the destination end-point address of a tunnel mode SA.
928 Only valid with --mode tunnel.
929
930 --next Start the next element in the policy specification. Can only be
931 used with --strict.
932
933 quota
934 Implements network quotas by decrementing a byte counter with each
935 packet.
936
937 --quota bytes
938 The quota in bytes.
939
940 rateest
941 The rate estimator can match on estimated rates as collected by the
942 RATEEST target. It supports matching on absolute bps/pps values, com‐
943 paring two rate estimators and matching on the difference between two
944 rate estimators.
945
946 --rateest1 name
947 Name of the first rate estimator.
948
949 --rateest2 name
950 Name of the second rate estimator (if difference is to be calcu‐
951 lated).
952
953 --rateest-delta
954 Compare difference(s) to given rate(s)
955
956 --rateest1-bps value
957
958 --rateest2-bps value
959 Compare bytes per second.
960
961 --rateest1-pps value
962
963 --rateest2-pps value
964 Compare packets per second.
965
966 [!] --rateest-lt
967 Match if rate is less than given rate/estimator.
968
969 [!] --rateest-gt
970 Match if rate is greater than given rate/estimator.
971
972 [!] --rateest-eq
973 Match if rate is equal to given rate/estimator.
974
975 Example: This is what can be used to route outgoing data connections
976 from an FTP server over two lines based on the available bandwidth at
977 the time the data connection was started:
978
979 # Estimate outgoing rates
980
981 iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name
982 eth0 --rateest-interval 250ms --rateest-ewma 0.5s
983
984 iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name
985 ppp0 --rateest-interval 250ms --rateest-ewma 0.5s
986
987 # Mark based on available bandwidth
988
989 iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper
990 --helper ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1
991 2.5mbit --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK
992 --set-mark 1
993
994 iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper
995 --helper ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1
996 2mbit --rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK
997 --set-mark 2
998
999 iptables -t mangle -A balance -j CONNMARK --restore-mark
1000
1001 realm
1002 This matches the routing realm. Routing realms are used in complex
1003 routing setups involving dynamic routing protocols like BGP.
1004
1005 [!] --realm value[/mask]
1006 Matches a given realm number (and optionally mask). If not a
1007 number, value can be a named realm from /etc/iproute2/rt_realms
1008 (mask can not be used in that case).
1009
1010 recent
1011 Allows you to dynamically create a list of IP addresses and then match
1012 against that list in a few different ways.
1013
1014 For example, you can create a "badguy" list out of people attempting to
1015 connect to port 139 on your firewall and then DROP all future packets
1016 from them without considering them.
1017
1018 --set, --rcheck, --update and --remove are mutually exclusive.
1019
1020 --name name
1021 Specify the list to use for the commands. If no name is given
1022 then DEFAULT will be used.
1023
1024 [!] --set
1025 This will add the source address of the packet to the list. If
1026 the source address is already in the list, this will update the
1027 existing entry. This will always return success (or failure if !
1028 is passed in).
1029
1030 --rsource
1031 Match/save the source address of each packet in the recent list
1032 table. This is the default.
1033
1034 --rdest
1035 Match/save the destination address of each packet in the recent
1036 list table.
1037
1038 [!] --rcheck
1039 Check if the source address of the packet is currently in the
1040 list.
1041
1042 [!] --update
1043 Like --rcheck, except it will update the "last seen" timestamp
1044 if it matches.
1045
1046 [!] --remove
1047 Check if the source address of the packet is currently in the
1048 list and if so that address will be removed from the list and
1049 the rule will return true. If the address is not found, false is
1050 returned.
1051
1052 --seconds seconds
1053 This option must be used in conjunction with one of --rcheck or
1054 --update. When used, this will narrow the match to only happen
1055 when the address is in the list and was seen within the last
1056 given number of seconds.
1057
1058 --hitcount hits
1059 This option must be used in conjunction with one of --rcheck or
1060 --update. When used, this will narrow the match to only happen
1061 when the address is in the list and packets had been received
1062 greater than or equal to the given value. This option may be
1063 used along with --seconds to create an even narrower match
1064 requiring a certain number of hits within a specific time frame.
1065 The maximum value for the hitcount parameter is given by the
1066 "ip_pkt_list_tot" parameter of the xt_recent kernel module.
1067 Exceeding this value on the command line will cause the rule to
1068 be rejected.
1069
1070 --rttl This option may only be used in conjunction with one of --rcheck
1071 or --update. When used, this will narrow the match to only hap‐
1072 pen when the address is in the list and the TTL of the current
1073 packet matches that of the packet which hit the --set rule. This
1074 may be useful if people fake their source address in order to
1075 DoS you via this module, sending bogus packets to you so that
1076 others are denied access to your site.
1077
1078 Examples:
1079
1080 iptables -A FORWARD -m recent --name badguy --rcheck --seconds
1081 60 -j DROP
1082
1083 iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name
1084 badguy --set -j DROP
1085
1086 Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/)
1087 also has some examples of usage.
1088
1089 /proc/net/xt_recent/* are the current lists of addresses and informa‐
1090 tion about each entry of each list.
1091
1092 Each file in /proc/net/xt_recent/ can be read from to see the current
1093 list or written to using the following commands to modify the list:
1094
1095 echo +addr >/proc/net/xt_recent/DEFAULT
1096 to add addr to the DEFAULT list
1097
1098 echo -addr >/proc/net/xt_recent/DEFAULT
1099 to remove addr from the DEFAULT list
1100
1101 echo / >/proc/net/xt_recent/DEFAULT
1102 to flush the DEFAULT list (remove all entries).
1103
1104 The module itself accepts parameters, defaults shown:
1105
1106 ip_list_tot=100
1107 Number of addresses remembered per table.
1108
1109 ip_pkt_list_tot=20
1110 Number of packets per address remembered.
1111
1112 ip_list_hash_size=0
1113 Hash table size. 0 means to calculate it based on ip_list_tot,
1114 default: 512.
1115
1116 ip_list_perms=0644
1117 Permissions for /proc/net/xt_recent/* files.
1118
1119 ip_list_uid=0
1120 Numerical UID for ownership of /proc/net/xt_recent/* files.
1121
1122 ip_list_gid=0
1123 Numerical GID for ownership of /proc/net/xt_recent/* files.
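As an added example, not part of this manual or of the xt_recent code, the following Python model of one recent list follows the option semantics given above (--set, --rcheck, --update, --remove, --seconds, --hitcount and --rttl, with the ip_list_tot and ip_pkt_list_tot defaults) and walks the two FORWARD rules from the example through constructed traffic. It also shows what changes when --rcheck is swapped for --update in the first rule: the 60-second block becomes a sliding window that every dropped packet renews. Class and function names and the sample addresses are this example's own.

```python
# Module parameter defaults from the man page.
IP_LIST_TOT = 100       # addresses remembered per table
IP_PKT_LIST_TOT = 20    # packets (timestamps) remembered per address


class RecentList:
    """Model of one xt_recent table, e.g. /proc/net/xt_recent/badguy.

    Each address keeps the timestamps of the packets that hit --set or --update
    (newest last, capped at IP_PKT_LIST_TOT) and the TTL of the packet that hit --set."""

    def __init__(self, name="DEFAULT"):
        self.name = name
        self.entries = {}   # addr -> {"stamps": [t0, t1, ...], "ttl": int}

    def _touch(self, addr, now, ttl):
        entry = self.entries.get(addr)
        if entry is None:
            if len(self.entries) >= IP_LIST_TOT:
                # Table full: evict the least recently seen address.
                oldest = min(self.entries, key=lambda a: self.entries[a]["stamps"][-1])
                del self.entries[oldest]
            entry = self.entries[addr] = {"stamps": [], "ttl": ttl}
        entry["stamps"].append(now)
        del entry["stamps"][:-IP_PKT_LIST_TOT]   # keep only the newest timestamps

    def set(self, addr, now, ttl=64):
        """--set: add the address or refresh its entry; always matches."""
        self._touch(addr, now, ttl)
        return True

    def check(self, addr, now, seconds=None, hitcount=None, ttl=None,
              update=False, remove=False):
        """--rcheck (default), --update or --remove, narrowed by --seconds, --hitcount
        and --rttl (pass the current packet's TTL as `ttl` to get --rttl behaviour)."""
        if hitcount is not None and hitcount > IP_PKT_LIST_TOT:
            raise ValueError("--hitcount above ip_pkt_list_tot: iptables rejects the rule")
        entry = self.entries.get(addr)
        if entry is None:
            return False
        stamps = entry["stamps"]
        if seconds is not None:
            stamps = [t for t in stamps if now - t <= seconds]
            if not stamps:
                return False          # listed, but not seen within the window
        if hitcount is not None and len(stamps) < hitcount:
            return False
        if ttl is not None and entry["ttl"] != ttl:
            return False              # --rttl: TTL differs from the packet that hit --set
        if update:
            self._touch(addr, now, entry["ttl"])   # --update also refreshes "last seen"
        if remove:
            del self.entries[addr]
        return True


def forward_chain(badguy, pkt, now, update=False):
    """The two FORWARD rules from the man page, in order; update=True swaps --rcheck
    for --update in the first rule."""
    # iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
    if badguy.check(pkt["src"], now, seconds=60, update=update):
        return "DROP"
    # iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
    if pkt["proto"] == "tcp" and pkt["in"] == "eth0" and pkt["dport"] == 139:
        badguy.set(pkt["src"], now, pkt["ttl"])
        return "DROP"
    return "ACCEPT"   # chain policy assumed ACCEPT for this walk-through


def run_scenario(update=False):
    """Constructed traffic: 10.0.0.5 probes port 139 at t=0 and then tries port 80
    at t=30 and t=61; 10.0.0.9 only ever talks to port 80."""
    badguy = RecentList("badguy")

    def pkt(src, dport):
        return {"src": src, "in": "eth0", "proto": "tcp", "dport": dport, "ttl": 64}

    events = [(0, pkt("10.0.0.5", 139)), (30, pkt("10.0.0.5", 80)),
              (30, pkt("10.0.0.9", 80)), (61, pkt("10.0.0.5", 80))]
    return [forward_chain(badguy, p, now, update) for now, p in events]


if __name__ == "__main__":
    print("--rcheck:", run_scenario())             # ['DROP', 'DROP', 'ACCEPT', 'ACCEPT']
    print("--update:", run_scenario(update=True))  # ['DROP', 'DROP', 'ACCEPT', 'DROP']
```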
1124
1125 sctp
1126 [!] --source-port,--sport port[:port]
1127
1128 [!] --destination-port,--dport port[:port]
1129
1130 [!] --chunk-types {all|any|only} chunktype[:flags] [...]
1131 The flag letter in upper case indicates that the flag is to
1132 match if set, in the lower case indicates to match if unset.
1133
1134 Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK
1135 ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK
1136 ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
1137
1138 chunk type           available flags
1139 DATA                 U B E u b e
1140 ABORT                T t
1141 SHUTDOWN_COMPLETE    T t
1142
1143 (lowercase means flag should be "off", uppercase means "on")
1144
1145 Examples:
1146
1147 iptables -A INPUT -p sctp --dport 80 -j DROP
1148
1149 iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
1150
1151 iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
1152
1153 set
1154 This module matches IP sets which can be defined by ipset(8).
1155
1156 [!] --match-set setname flag[,flag]...
1157 where flags are the comma separated list of src and/or dst spec‐
1158 ifications and there can be no more than six of them. Hence the
1159 command
1160
1161 iptables -A FORWARD -m set --match-set test src,dst
1162
1163 will match packets, for which (if the set type is ipportmap) the
1164 source address and destination port pair can be found in the
1165 specified set. If the set type of the specified set is single
1166 dimension (for example ipmap), then the command will match pack‐
1167 ets for which the source address can be found in the specified
1168 set.
1169
1170 The option --match-set can be replaced by --set if that does not clash
1171 with an option of other extensions.
1172
1173 Use of -m set requires that ipset kernel support is provided. As stan‐
1174 dard kernels do not ship this currently, the ipset or Xtables-addons
1175 package needs to be installed.
1176
1177 socket
1178 This matches if an open socket can be found by doing a socket lookup on
1179 the packet.
1180
1181 --transparent
1182 Ignore non-transparent sockets.
1183
1184 state
1185 This module, when combined with connection tracking, allows access to
1186 the connection tracking state for this packet.
1187
1188 [!] --state state
1189 Where state is a comma separated list of the connection states
1190 to match. Possible states are INVALID meaning that the packet
1191 could not be identified for some reason which includes running
1192 out of memory and ICMP errors which don't correspond to any
1193 known connection, ESTABLISHED meaning that the packet is associ‐
1194 ated with a connection which has seen packets in both direc‐
1195 tions, NEW meaning that the packet has started a new connection,
1196 or otherwise associated with a connection which has not seen
1197 packets in both directions, and RELATED meaning that the packet
1198 is starting a new connection, but is associated with an existing
1199 connection, such as an FTP data transfer, or an ICMP error.
1200
1201 statistic
1202 This module matches packets based on some statistic condition. It sup‐
1203 ports two distinct modes settable with the --mode option.
1204
1205 Supported options:
1206
1207 --mode mode
1208 Set the matching mode of the matching rule, supported modes are
1209 random and nth.
1210
1211 --probability p
1212 Set the probability from 0 to 1 for a packet to be randomly
1213 matched. It works only with the random mode.
1214
1215 --every n
1216 Match one packet every nth packet. It works only with the nth
1217 mode (see also the --packet option).
1218
1219 --packet p
1220 Set the initial counter value (0 <= p <= n-1, default 0) for the
1221 nth mode.
1222
1223 string
1224 This module matches a given string by using some pattern matching
1225 strategy. It requires a Linux kernel >= 2.6.14.
1226
1227 --algo {bm|kmp}
1228 Select the pattern matching strategy. (bm = Boyer-Moore, kmp =
1229 Knuth-Morris-Pratt)
1230
1231 --from offset
1232 Set the offset from which it starts looking for any matching. If
1233 not passed, default is 0.
1234
1235 --to offset
1236 Set the offset up to which it looks for a match. If not passed,
1237 default is the packet size.
1238
1239 [!] --string pattern
1240 Matches the given pattern.
1241
1242 [!] --hex-string pattern
1243 Matches the given pattern in hex notation.
1244
1245 tcp
1246 These extensions can be used if `--protocol tcp' is specified. They
1247 provide the following options:
1248
1249 [!] --source-port,--sport port[:port]
1250 Source port or port range specification. This can either be a
1251 service name or a port number. An inclusive range can also be
1252 specified, using the format first:last. If the first port is
1253 omitted, "0" is assumed; if the last is omitted, "65535" is
1254 assumed. If the first port is greater than the second one they
1255 will be swapped. The flag --sport is a convenient alias for
1256 this option.
1257
1258 [!] --destination-port,--dport port[:port]
1259 Destination port or port range specification. The flag --dport
1260 is a convenient alias for this option.
1261
1262 [!] --tcp-flags mask comp
1263 Match when the TCP flags are as specified. The first argument
1264 mask is the flags which we should examine, written as a comma-
1265 separated list, and the second argument comp is a comma-sepa‐
1266 rated list of flags which must be set. Flags are: SYN ACK FIN
1267 RST URG PSH ALL NONE. Hence the command
1268 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
1269 will only match packets with the SYN flag set, and the ACK, FIN
1270 and RST flags unset.
1271
1272 [!] --syn
1273 Only match TCP packets with the SYN bit set and the ACK,RST and
1274 FIN bits cleared. Such packets are used to request TCP connec‐
1275 tion initiation; for example, blocking such packets coming in an
1276 interface will prevent incoming TCP connections, but outgoing
1277 TCP connections will be unaffected. It is equivalent to
1278 --tcp-flags SYN,RST,ACK,FIN SYN. If the "!" flag precedes the
1279 "--syn", the sense of the option is inverted.
1280
1281 [!] --tcp-option number
1282 Match if TCP option set.
1283
1284 tcpmss
1285 This matches the TCP MSS (maximum segment size) field of the TCP
1286 header. You can only use this on TCP SYN or SYN/ACK packets, since the
1287 MSS is only negotiated during the TCP handshake at connection startup
1288 time.
1289
1290 [!] --mss value[:value]
1291 Match a given TCP MSS value or range.
1292
1293 time
1294 This matches if the packet arrival time/date is within a given range.
1295 All options are optional, but are ANDed when specified.
1296
1297 --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
1298
1299 --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
1300
1301 Only match during the given time, which must be in ISO 8601 "T"
1302 notation. The possible time range is 1970-01-01T00:00:00 to
1303 2038-01-19T04:17:07.
1304
1305 If --datestart or --datestop are not specified, it will default
1306 to 1970-01-01 and 2038-01-19, respectively.
1307
1308 --timestart hh:mm[:ss]
1309
1310 --timestop hh:mm[:ss]
1311
1312 Only match during the given daytime. The possible time range is
1313 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03")
1314 and correctly interpreted as base-10.
1315
1316 [!] --monthdays day[,day...]
1317
1318 Only match on the given days of the month. Possible values are 1
1319 to 31. Note that specifying 31 will of course not match on
1320 months which do not have a 31st day; the same goes for 28- or
1321 29-day February.
1322
1323 [!] --weekdays day[,day...]
1324
1325 Only match on the given weekdays. Possible values are Mon, Tue,
1326 Wed, Thu, Fri, Sat, Sun, or values from 1 to 7, respectively.
1327 You may also use two-character variants (Mo, Tu, etc.).
1328
1329 --utc
1330
1331 Interpret the times given for --datestart, --datestop, --times‐
1332 tart and --timestop to be UTC.
1333
1334 --localtz
1335
1336 Interpret the times given for --datestart, --datestop, --times‐
1337 tart and --timestop to be local kernel time. (Default)
1338
1339 EXAMPLES. To match on weekends, use:
1340
1341 -m time --weekdays Sa,Su
1342
1343 Or, to match (once) on a national holiday block:
1344
1345 -m time --datestart 2007-12-24 --datestop 2007-12-27
1346
1347 Since the stop time is actually inclusive, you would need the following
1348 stop time to not match the first second of the new day:
1349
1350 -m time --datestart 2007-01-01T17:00 --datestop
1351 2007-01-01T23:59:59
1352
1353 During lunch hour:
1354
1355 -m time --timestart 12:30 --timestop 13:30
1356
1357 The fourth Friday in the month:
1358
1359 -m time --weekdays Fr --monthdays 22,23,24,25,26,27,28
1360
1361 (Note that this exploits a certain mathematical property. It is not
1362 possible to say "fourth Thursday OR fourth Friday" in one rule. It is
1363 possible with multiple rules, though.)
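As an added example, not part of this manual or of the xt_time code, the following Python model of the time match implements the date, daytime, weekday and monthday options with the inclusive stop values described above, and uses it to confirm the fourth-Friday trick for every month of a year against an independent count of Fridays. Function names (time_match, fourth_friday_rule_holds) are this example's own; times are naive datetimes, i.e. already in whatever zone --utc or --localtz would select.

```python
import calendar
import re
from datetime import datetime

# Mon..Sun map to 1..7 as the man page states; two-letter forms (Mo, Tu, ...) are prefixes.
WEEKDAYS = {"mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6, "sun": 7}
_DATE = re.compile(r"(\d{4})(?:-(\d{2})(?:-(\d{2})(?:T(\d{2})(?::(\d{2})(?::(\d{2}))?)?)?)?)?$")


def parse_weekdays(text):
    """--weekdays day[,day...]: names, two-character variants, or 1..7."""
    days = set()
    for item in text.split(","):
        key = item.strip().lower()
        if key.isdigit():
            days.add(int(key))
            continue
        hits = [v for k, v in WEEKDAYS.items() if len(key) >= 2 and k.startswith(key)]
        if len(hits) != 1:
            raise ValueError("bad weekday %r" % item)
        days.add(hits[0])
    return days


def parse_date(text):
    """YYYY[-MM[-DD[Thh[:mm[:ss]]]]]; omitted fields take the first value of their period."""
    m = _DATE.match(text)
    if not m:
        raise ValueError("bad date %r" % text)
    y, mo, d, h, mi, s = (int(g) if g else None for g in m.groups())
    return datetime(y, mo or 1, d or 1, h or 0, mi or 0, s or 0)


def parse_daytime(text):
    """hh:mm[:ss] -> seconds since midnight (leading zeroes are plain base-10)."""
    parts = [int(p, 10) for p in text.split(":")]
    h, m, s = parts if len(parts) == 3 else parts + [0]
    return h * 3600 + m * 60 + s


def time_match(when, datestart=None, datestop=None, timestart=None, timestop=None,
               weekdays=None, monthdays=None):
    """All given options are ANDed; every stop value is inclusive, as the man page warns."""
    if datestart and when < parse_date(datestart):
        return False
    if datestop and when > parse_date(datestop):
        return False
    daytime = when.hour * 3600 + when.minute * 60 + when.second
    if timestart and daytime < parse_daytime(timestart):
        return False
    if timestop and daytime > parse_daytime(timestop):
        return False
    if weekdays and when.isoweekday() not in parse_weekdays(weekdays):
        return False
    if monthdays and when.day not in {int(d) for d in monthdays.split(",")}:
        return False
    return True


def fourth_friday_rule_holds(year):
    """Check the man page's trick: '--weekdays Fr --monthdays 22,...,28' matches exactly
    the fourth Friday of every month, because days 22-28 hold one of each weekday."""
    for month in range(1, 13):
        ndays = calendar.monthrange(year, month)[1]
        matched = [d for d in range(1, ndays + 1)
                   if time_match(datetime(year, month, d, 12), weekdays="Fr",
                                 monthdays="22,23,24,25,26,27,28")]
        fridays = [d for d in range(1, ndays + 1) if datetime(year, month, d).isoweekday() == 5]
        if matched != [fridays[3]]:
            return False
    return True


if __name__ == "__main__":
    print("fourth Friday rule holds for 2007:", fourth_friday_rule_holds(2007))
    # Inclusive stop: the first second of 2007-01-02 still matches a --datestop of 2007-01-02.
    print(time_match(datetime(2007, 1, 2), datestart="2007-01-01T17:00", datestop="2007-01-02"))
```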
1364
1365 tos
1366 This module matches the 8-bit Type of Service field in the IPv4 header
1367 (i.e. including the "Precedence" bits) or the (also 8-bit) Priority
1368 field in the IPv6 header.
1369
1370 [!] --tos value[/mask]
1371 Matches packets with the given TOS mark value. If a mask is
1372 specified, it is logically ANDed with the TOS mark before the
1373 comparison.
1374
1375 [!] --tos symbol
1376 You can specify a symbolic name when using the tos match for
1377 IPv4. The list of recognized TOS names can be obtained by call‐
1378 ing iptables with -m tos -h. Note that this implies a mask of
1379 0x3F, i.e. all but the ECN bits.
1380
1381 ttl
1382 This module matches the time to live field in the IP header.
1383
1384 --ttl-eq ttl
1385 Matches the given TTL value.
1386
1387 --ttl-gt ttl
1388 Matches if TTL is greater than the given TTL value.
1389
1390 --ttl-lt ttl
1391 Matches if TTL is less than the given TTL value.
1392
1393 u32
1394 U32 tests whether quantities of up to 4 bytes extracted from a packet
1395 have specified values. The specification of what to extract is general
1396 enough to find data at given offsets from tcp headers or payloads.
1397
1398 [!] --u32 tests
1399 The argument amounts to a program in a small language described
1400 below.
1401
1402 tests := location "=" value | tests "&&" location "=" value
1403
1404 value := range | value "," range
1405
1406 range := number | number ":" number
1407
1408 a single number, n, is interpreted the same as n:n. n:m is interpreted
1409 as the range of numbers >=n and <=m.
1410
1411 location := number | location operator number
1412
1413 operator := "&" | "<<" | ">>" | "@"
1414
1415 The operators &, <<, >> and && mean the same as in C. The = is really
1416 a set membership operator and the value syntax describes a set. The @
1417 operator is what allows moving to the next header and is described fur‐
1418 ther below.
1419
1420 There are currently some artificial implementation limits on the size
1421 of the tests:
1422
1423 * no more than 10 of "=" (and 9 "&&"s) in the u32 argument
1424
1425 * no more than 10 ranges (and 9 commas) per value
1426
1427 * no more than 10 numbers (and 9 operators) per location
1428
1429 To describe the meaning of location, imagine the following machine that
1430 interprets it. There are three registers:
1431
1432 A is of type char *, initially the address of the IP header
1433
1434 B and C are unsigned 32 bit integers, initially zero
1435
1436 The instructions are:
1437
1438 number B = number;
1439
1440 C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
1441
1442 &number C = C & number
1443
1444 << number C = C << number
1445
1446 >> number C = C >> number
1447
1448 @number A = A + C; then do the instruction number
1449
1450 Any access of memory outside [skb->data,skb->end] causes the match to
1451 fail. Otherwise the result of the computation is the final value of C.
1452
1453 Whitespace is allowed but not required in the tests. However, the char‐
1454 acters that do occur there are likely to require shell quoting, so it
1455 is a good idea to enclose the arguments in quotes.
1456
1457 Example:
1458
1459 match IP packets with total length >= 256
1460
1461 The IP header contains a total length field in bytes 2-3.
1462
1463 --u32 "0 & 0xFFFF = 0x100:0xFFFF"
1464
1465 read bytes 0-3
1466
1467 AND that with 0xFFFF (giving bytes 2-3), and test whether that
1468 is in the range [0x100:0xFFFF]
1469
1470 Example: (more realistic, hence more complicated)
1471
1472 match ICMP packets with icmp type 0
1473
1474 First test that it is an ICMP packet, true iff byte 9 (protocol)
1475 = 1
1476
1477 --u32 "6 & 0xFF = 1 && ...
1478
1479 read bytes 6-9, use & to throw away bytes 6-8 and compare the
1480 result to 1. Next test that it is not a fragment. (If so, it
1481 might be part of such a packet but we cannot always tell.) N.B.:
1482 This test is generally needed if you want to match anything
1483 beyond the IP header. The last 6 bits of byte 6 and all of byte
1484 7 are 0 iff this is a complete packet (not a fragment). Alterna‐
1485 tively, you can allow first fragments by only testing the last 5
1486 bits of byte 6.
1487
1488 ... 4 & 0x3FFF = 0 && ...
1489
1490 Last test: the first byte past the IP header (the type) is 0.
1491 This is where we have to use the @syntax. The length of the IP
1492 header (IHL) in 32 bit words is stored in the right half of byte
1493 0 of the IP header itself.
1494
1495 ... 0 >> 22 & 0x3C @ 0 >> 24 = 0"
1496
1497 The first 0 means read bytes 0-3, >>22 means shift that 22 bits
1498 to the right. Shifting 24 bits would give the first byte, so
1499 only 22 bits is four times that plus a few more bits. &3C then
1500 eliminates the two extra bits on the right and the first four
1501 bits of the first byte. For instance, if IHL=5, then the IP
1502 header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
1503 binary) xxxx0101 yyzzzzzz, >>22 gives the 10 bit value
1504 xxxx0101yy and &3C gives 010100. @ means to use this number as a
1505 new offset into the packet, and read four bytes starting from
1506 there. This is the first 4 bytes of the ICMP payload, of which
1507 byte 0 is the ICMP type. Therefore, we simply shift the value 24
1508 to the right to throw out all but the first byte and compare the
1509 result with 0.
1510
1511 Example:
1512
1513 TCP payload bytes 8-12 is any of 1, 2, 5 or 8
1514
1515 First we test that the packet is a tcp packet (similar to ICMP).
1516
1517 --u32 "6 & 0xFF = 6 && ...
1518
1519 Next, test that it is not a fragment (same as above).
1520
1521 ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"
1522
1523 0>>22&3C as above computes the number of bytes in the IP header.
1524 @ makes this the new offset into the packet, which is the start
1525 of the TCP header. The length of the TCP header (again in 32 bit
1526 words) is the left half of byte 12 of the TCP header. The
1527 12>>26&3C computes this length in bytes (similar to the IP
1528 header before). "@" makes this the new offset, which is the
1529 start of the TCP payload. Finally, 8 reads bytes 8-12 of the
1530 payload and = checks whether the result is any of 1, 2, 5 or 8.
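As an added example, not part of this manual or of the xt_u32 code, the following Python model implements the tests grammar and the three-register machine described above (registers A, B and C as in the text) and runs the three --u32 programs from this section against constructed IPv4/ICMP and IPv4/TCP packets. The helper names (u32_match, eval_location, parse_value) and the sample packet bytes are this example's own; the three programs are the man page's. Besides the straight matches, it shows the two ways a test silently fails: a fragment tripping the 0x3FFF test, and an @ that moves past the end of a truncated packet.

```python
import re

# Artificial implementation limits listed in the man page.
MAX_TESTS, MAX_RANGES, MAX_NUMBERS = 10, 10, 10
OPERATORS = ("&", "<<", ">>", "@")
_TOKEN = re.compile(r"\s*(0[xX][0-9a-fA-F]+|\d+|<<|>>|&|@)")

def _number(token):
    """Decimal or 0x-prefixed hex (the octal that strtoul would also accept is not modelled)."""
    return int(token, 16) if token[:2].lower() == "0x" else int(token, 10)

def _read32(packet, offset):
    """Big-endian 32-bit load of packet[offset:offset+4]; None if any byte is out of bounds."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return int.from_bytes(packet[offset:offset + 4], "big")

def eval_location(location, packet):
    """Run the three-register machine over one location; return C, or None on a bad access."""
    tokens, pos, text = [], 0, location.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("bad location syntax near %r" % text[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    numbers, ops = tokens[0::2], tokens[1::2]
    if (not tokens or len(tokens) % 2 == 0 or len(numbers) > MAX_NUMBERS
            or any(t in OPERATORS for t in numbers) or any(t not in OPERATORS for t in ops)):
        raise ValueError("location must be: number (operator number)*, at most %d numbers" % MAX_NUMBERS)
    a = 0                        # A: offset of the current header, initially the IP header
    b = _number(numbers[0])      # B: offset within that header
    c = _read32(packet, a + b)   # C: the 32-bit value loaded from A+B
    for op, token in zip(ops, numbers[1:]):
        if c is None:
            return None
        n = _number(token)
        if op == "&":
            c &= n
        elif op == "<<":
            c = (c << n) & 0xFFFFFFFF   # C is an unsigned 32-bit register
        elif op == ">>":
            c >>= n
        else:                           # "@": A = A + C, then load `number` as a fresh B
            a, b = a + c, n
            c = _read32(packet, a + b)
    return c

def parse_value(value):
    """value := range ("," range)*; range := number [":" number]; a lone n means n:n."""
    ranges = []
    for part in value.split(","):
        lo, _, hi = part.strip().partition(":")
        lo_n = _number(lo.strip())
        ranges.append((lo_n, _number(hi.strip()) if hi else lo_n))
    if len(ranges) > MAX_RANGES:
        raise ValueError("no more than %d ranges per value" % MAX_RANGES)
    return ranges

def u32_match(tests, packet):
    """Evaluate a whole --u32 argument against raw packet bytes that start at the IP header."""
    clauses = tests.split("&&")
    if len(clauses) > MAX_TESTS:
        raise ValueError("no more than %d tests per --u32 argument" % MAX_TESTS)
    for clause in clauses:
        location, sep, value = clause.partition("=")
        if not sep:
            raise ValueError("each test has the form: location = value")
        c = eval_location(location, packet)
        if c is None:                  # memory outside the packet: the whole match fails
            return False
        if not any(lo <= c <= hi for lo, hi in parse_value(value)):
            return False
    return True

# The three --u32 programs worked through in the man page.
U32_LEN_GE_256 = "0 & 0xFFFF = 0x100:0xFFFF"
U32_ICMP_TYPE0 = "6 & 0xFF = 1 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 0 >> 24 = 0"
U32_TCP_PAYLOAD = "6 & 0xFF = 6 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"

# Constructed sample packets (checksums are left at zero; u32 never validates them).
IPV4_ICMP_ECHO_REPLY = bytes([
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00,    # v4, IHL 5, TOS, total len 28, id, flags/frag 0
    0x40, 0x01, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,  # TTL 64, proto 1 (ICMP), csum, 10.0.0.1 -> 10.0.0.2
    0x00, 0x00, 0x00, 0x00, 0x12, 0x34, 0x00, 0x01,    # ICMP type 0 (echo reply), code, csum, id, seq
])
IPV4_TCP_PSH_ACK = bytes([
    0x45, 0x00, 0x00, 0x34, 0xab, 0xcd, 0x40, 0x00,    # total len 52 (20 IP + 20 TCP + 12), DF set
    0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,  # TTL 64, proto 6 (TCP), csum, addresses
    0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,    # sport 1234, dport 80, seq, ack
    0x50, 0x18, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,    # data offset 5, PSH|ACK, window, csum, urg
    0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 0, 0, 0, 5,    # payload: the 4 bytes at offset 8 hold 5
])

if __name__ == "__main__":
    for prog in (U32_LEN_GE_256, U32_ICMP_TYPE0, U32_TCP_PAYLOAD):
        print(prog, "->", u32_match(prog, IPV4_ICMP_ECHO_REPLY), u32_match(prog, IPV4_TCP_PSH_ACK))
```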
1531
1532 udp
1533 These extensions can be used if `--protocol udp' is specified. They
1534 provide the following options:
1535
1536 [!] --source-port,--sport port[:port]
1537 Source port or port range specification. See the description of
1538 the --source-port option of the TCP extension for details.
1539
1540 [!] --destination-port,--dport port[:port]
1541 Destination port or port range specification. See the descrip‐
1542 tion of the --destination-port option of the TCP extension for
1543 details.
1544
1545 unclean
1546 This module takes no options, but attempts to match packets which seem
1547 malformed or unusual. This is regarded as experimental.
1548
1550 iptables can use extended target modules: the following are included in
1551 the standard distribution.
1552
1553 AUDIT
1554 This target creates audit records for packets hitting the tar‐
1555 get. It can be used to record accepted, dropped, and rejected packets.
1556 See auditd(8) for additional details.
1557
1558 --type {accept|drop|reject}
1559 Set type of audit record.
1560
1561 Example:
1562
1563 iptables -N AUDIT_DROP
1564
1565 iptables -A AUDIT_DROP -j AUDIT --type drop
1566
1567 iptables -A AUDIT_DROP -j DROP
1568
1569 CHECKSUM
1570 This target allows you to selectively work around broken/old applications.
1571 It can only be used in the mangle table.
1572
1573 --checksum-fill
1574 Compute and fill in the checksum in a packet that lacks a check‐
1575 sum. This is particularly useful, if you need to work around
1576 old applications such as dhcp clients, that do not work well
1577 with checksum offloads, but don't want to disable checksum off‐
1578 load in your device.
1579
1580 CLASSIFY
1581 This module allows you to set the skb->priority value (and thus clas‐
1582 sify the packet into a specific CBQ class).
1583
1584 --set-class major:minor
1585 Set the major and minor class value. The values are always
1586 interpreted as hexadecimal even if no 0x prefix is given.
1587
1588 CLUSTERIP
1589 This module allows you to configure a simple cluster of nodes that
1590 share a certain IP and MAC address without an explicit load balancer in
1591 front of them. Connections are statically distributed between the
1592 nodes in this cluster.
1593
1594 --new Create a new ClusterIP. You always have to set this on the
1595 first rule for a given ClusterIP.
1596
1597 --hashmode mode
1598 Specify the hashing mode. Has to be one of sourceip, sour‐
1599 ceip-sourceport, sourceip-sourceport-destport.
1600
1601 --clustermac mac
1602 Specify the ClusterIP MAC address. Has to be a link-layer multi‐
1603 cast address.
1604
1605 --total-nodes num
1606 Number of total nodes within this cluster.
1607
1608 --local-node num
1609 Local node number within this cluster.
1610
1611 --hash-init rnd
1612 Specify the random seed used for hash initialization.
1613
1614 CONNMARK
1615 This module sets the netfilter mark value associated with a connection.
1616 The mark is 32 bits wide.
1617
1618 --set-xmark value[/mask]
1619 Zero out the bits given by mask and XOR value into the ctmark.
1620
1621 --save-mark [--nfmask nfmask] [--ctmask ctmask]
1622 Copy the packet mark (nfmark) to the connection mark (ctmark)
1623 using the given masks. The new nfmark value is determined as
1624 follows:
1625
1626 ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
1627
1628 i.e. ctmask defines what bits to clear and nfmask what bits of
1629 the nfmark to XOR into the ctmark. ctmask and nfmask default to
1630 0xFFFFFFFF.
1631
1632 --restore-mark [--nfmask nfmask] [--ctmask ctmask]
1633 Copy the connection mark (ctmark) to the packet mark (nfmark)
1634 using the given masks. The new ctmark value is determined as
1635 follows:
1636
1637 nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask);
1638
1639 i.e. nfmask defines what bits to clear and ctmask what bits of
1640 the ctmark to XOR into the nfmark. ctmask and nfmask default to
1641 0xFFFFFFFF.
1642
1643 --restore-mark is only valid in the mangle table.
1644
1645 The following mnemonics are available for --set-xmark:
1646
1647 --and-mark bits
1648 Binary AND the ctmark with bits. (Mnemonic for --set-xmark
1649 0/invbits, where invbits is the binary negation of bits.)
1650
1651 --or-mark bits
1652 Binary OR the ctmark with bits. (Mnemonic for --set-xmark
1653 bits/bits.)
1654
1655 --xor-mark bits
1656 Binary XOR the ctmark with bits. (Mnemonic for --set-xmark
1657 bits/0.)
1658
1659 --set-mark value[/mask]
1660 Set the connection mark. If a mask is specified then only those
1661 bits set in the mask are modified.
1662
1663 --save-mark [--mask mask]
1664 Copy the nfmark to the ctmark. If a mask is specified, only
1665 those bits are copied.
1666
1667 --restore-mark [--mask mask]
1668 Copy the ctmark to the nfmark. If a mask is specified, only
1669 those bits are copied. This is only valid in the mangle table.
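As an added example, not from this manual or the xt_CONNMARK code, the mark arithmetic above written out in Python: the 32-bit mark, --set-xmark, --set-mark (following the description "only those bits set in the mask are modified"), --save-mark and --restore-mark with their masks, plus a check that each mnemonic, expanded to the --set-xmark form the manual gives for it, equals the plain AND, OR or XOR it is named after. Function names are this example's own.

```python
MASK32 = 0xFFFFFFFF   # the connection mark is 32 bits wide


def set_xmark(ctmark, value, mask=MASK32):
    """--set-xmark value[/mask]: zero the bits given by mask, then XOR value into the ctmark."""
    return ((ctmark & ~mask) ^ value) & MASK32


def set_mark(ctmark, value, mask=MASK32):
    """--set-mark value[/mask], as described above: only the bits set in mask are modified."""
    return ((ctmark & ~mask) | (value & mask)) & MASK32


def save_mark(ctmark, nfmark, nfmask=MASK32, ctmask=MASK32):
    """--save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def restore_mark(nfmark, ctmark, nfmask=MASK32, ctmask=MASK32):
    """--restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


# The mnemonics, spelled out as the --set-xmark forms the man page gives for them.
def and_mark(ctmark, bits):
    return set_xmark(ctmark, 0, ~bits & MASK32)   # --set-xmark 0/invbits


def or_mark(ctmark, bits):
    return set_xmark(ctmark, bits, bits)          # --set-xmark bits/bits


def xor_mark(ctmark, bits):
    return set_xmark(ctmark, bits, 0)             # --set-xmark bits/0


def mnemonics_hold(ctmark, bits):
    """True when each mnemonic equals the plain bitwise operation it is named after."""
    return (and_mark(ctmark, bits) == (ctmark & bits)
            and or_mark(ctmark, bits) == (ctmark | bits)
            and xor_mark(ctmark, bits) == (ctmark ^ bits))


def balance_nfmark(nfmark_before, line):
    """The balance chain from the rateest example: CONNMARK --set-mark 1 or 2 on a new FTP
    data connection, then --restore-mark with no masks copies the whole ctmark into the packet."""
    ctmark = set_mark(0, line)                     # --set-mark 1 / --set-mark 2
    return restore_mark(nfmark_before, ctmark)     # nfmark becomes ctmark


if __name__ == "__main__":
    print(hex(save_mark(0x2, 0xDEAD0001, nfmask=0xFF, ctmask=0xFF)))
    print(mnemonics_hold(0xDEADBEEF, 0x0000FF00))
```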
1670
1671 CONNSECMARK
1672 This module copies security markings from packets to connections (if
1673 unlabeled), and from connections back to packets (also only if unla‐
1674 beled). Typically used in conjunction with SECMARK, it is only valid
1675 in the mangle table.
1676
1677 --save If the packet has a security marking, copy it to the connection
1678 if the connection is not marked.
1679
1680 --restore
1681 If the packet does not have a security marking, and the connec‐
1682 tion does, copy the security marking from the connection to the
1683 packet.
1684
1685
1686 DNAT
1687 This target is only valid in the nat table, in the PREROUTING and OUT‐
1688 PUT chains, and user-defined chains which are only called from those
1689 chains. It specifies that the destination address of the packet should
1690 be modified (and all future packets in this connection will also be
1691 mangled), and rules should cease being examined. It takes one type of
1692 option:
1693
1694 --to-destination [ipaddr][-ipaddr][:port[-port]]
1695 which can specify a single new destination IP address, an inclu‐
1696 sive range of IP addresses, and optionally, a port range (which
1697 is only valid if the rule also specifies -p tcp or -p udp). If
1698 no port range is specified, then the destination port will never
1699 be modified. If no IP address is specified then only the desti‐
1700 nation port will be modified.
1701
1702 In kernels up to 2.6.10 you can add several --to-destination
1703 options. For those kernels, if you specify more than one desti‐
1704 nation address, either via an address range or multiple
1705 --to-destination options, a simple round-robin (one after
1706 another in cycle) load balancing takes place between these
1707 addresses. Later kernels (>= 2.6.11-rc1) don't have the ability
1708 to NAT to multiple ranges anymore.
1709
1710 --random
1711 If option --random is used then port mapping will be randomized
1712 (kernel >= 2.6.22).
1713
1714 --persistent
1715 Gives a client the same source-/destination-address for each
1716 connection. This supersedes the SAME target. Support for per‐
1717 sistent mappings is available from 2.6.29-rc2.
1718
1719 DSCP
1720 This target allows to alter the value of the DSCP bits within the TOS
1721 header of the IPv4 packet. As this manipulates a packet, it can only
1722 be used in the mangle table.
1723
1724 --set-dscp value
1725 Set the DSCP field to a numerical value (can be decimal or hex)
1726
1727 --set-dscp-class class
1728 Set the DSCP field to a DiffServ class.
1729
1730 ECN
1731 This target allows to selectively work around known ECN blackholes. It
1732 can only be used in the mangle table.
1733
1734 --ecn-tcp-remove
1735 Remove all ECN bits from the TCP header. Of course, it can only
1736 be used in conjunction with -p tcp.
1737
1738 LOG
1739 Turn on kernel logging of matching packets. When this option is set
1740 for a rule, the Linux kernel will print some information on all match‐
1741 ing packets (like most IP header fields) via the kernel log (where it
1742 can be read with dmesg or syslogd(8)). This is a "non-terminating tar‐
1743 get", i.e. rule traversal continues at the next rule. So if you want
1744 to LOG the packets you refuse, use two separate rules with the same
1745 matching criteria, first using target LOG then DROP (or REJECT).
1746
1747 --log-level level
1748 Level of logging (numeric or see syslog.conf(5)).
1749
1750 --log-prefix prefix
1751 Prefix log messages with the specified prefix; up to 29 letters
1752 long, and useful for distinguishing messages in the logs.
1753
1754 --log-tcp-sequence
1755 Log TCP sequence numbers. This is a security risk if the log is
1756 readable by users.
1757
1758 --log-tcp-options
1759 Log options from the TCP packet header.
1760
1761 --log-ip-options
1762 Log options from the IP packet header.
1763
1764 --log-uid
1765 Log the userid of the process which generated the packet.
1766
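       The LOG-then-DROP pattern described above, as an added example (this
       is not code from the man page or from the netfilter project): a shell
       script that emits a *filter table in iptables-restore(8) format, with
       a helper that refuses a --log-prefix longer than the 29 characters the
       text allows and always pairs the LOG rule with a DROP rule carrying
       the same match. The chain policies, the accepted services, the prefix
       and the -m state match (documented in the match-extensions part of
       the man page) are assumptions made for this example; nothing here
       calls iptables.

```bash
#!/bin/bash
# Added example, not part of the iptables(8) man page: build a filter-table
# ruleset in iptables-restore(8) format that logs refused packets and then
# drops them. LOG is non-terminating, so the drop has to be a second rule
# with identical match criteria; --log-prefix is limited to 29 characters,
# so the prefix is checked before a rule is emitted. Chain policies, the
# accepted services and the prefix are constructed for this example.

MAX_LOG_PREFIX=29

check_log_prefix() {
    # Succeeds if "$1" fits the --log-prefix limit, fails otherwise.
    [ "${#1}" -le "$MAX_LOG_PREFIX" ]
}

log_then_drop() {
    # $1 = chain, $2 = match criteria, $3 = log prefix.
    # Emits the LOG rule followed by the DROP rule with the same match.
    local chain=$1 match=$2 prefix=$3
    if ! check_log_prefix "$prefix"; then
        printf 'log prefix longer than %s characters: %s\n' \
            "$MAX_LOG_PREFIX" "$prefix" >&2
        return 1
    fi
    printf '%s\n' "-A $chain $match -j LOG --log-level warning --log-prefix \"$prefix\""
    printf '%s\n' "-A $chain $match -j DROP"
}

filter_ruleset() {
    # Complete *filter table: default-deny INPUT and FORWARD, accept
    # loopback, replies to established connections and SSH, then log and
    # drop any new TCP connection attempt that reached the end of the chain.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT'
    log_then_drop INPUT '-p tcp --syn' 'IN-DROP: ' || return 1
    printf '%s\n' 'COMMIT'
}

# Usage: filter_ruleset > filter.rules && iptables-restore < filter.rules
```

       Because the LOG line and the DROP line are generated from one match
       string, the two can never drift apart when the rule is later edited,
       which is the usual way a "log what you refuse" setup silently stops
       logging.
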
   MARK
       This target is used to set the Netfilter mark value associated with
       the packet. The target can only be used in the mangle table. It can,
       for example, be used in conjunction with routing based on fwmark
       (needs iproute2). The mark field is 32 bits wide.

       --set-xmark value[/mask]
              Zeroes out the bits given by mask and XORs value into the
              packet mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is
              assumed.

       --set-mark value[/mask]
              Zeroes out the bits given by mask and ORs value into the packet
              mark. If mask is omitted, 0xFFFFFFFF is assumed.

       The following mnemonics are available:

       --and-mark bits
              Binary AND the nfmark with bits. (Mnemonic for --set-xmark
              0/invbits, where invbits is the binary negation of bits.)

       --or-mark bits
              Binary OR the nfmark with bits. (Mnemonic for --set-xmark
              bits/bits.)

       --xor-mark bits
              Binary XOR the nfmark with bits. (Mnemonic for --set-xmark
              bits/0.)

   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain.
       It should only be used with dynamically assigned IP (dialup)
       connections: if you have a static IP address, you should use the SNAT
       target. Masquerading is equivalent to specifying a mapping to the IP
       address of the interface the packet is going out, but also has the
       effect that connections are forgotten when the interface goes down.
       This is the correct behavior when the next dialup is unlikely to have
       the same interface address (and hence any established connections are
       lost anyway). It takes one option:

       --to-ports port[-port]
              This specifies a range of source ports to use, overriding the
              default SNAT source port-selection heuristics (see above). This
              is only valid if the rule also specifies -p tcp or -p udp.

       --random
              Randomize source port mapping. If option --random is used then
              port mapping will be randomized (kernel >= 2.6.21).

   MIRROR
       This is an experimental demonstration target which inverts the source
       and destination fields in the IP header and retransmits the packet. It
       is only valid in the INPUT, FORWARD and PREROUTING chains, and
       user-defined chains which are only called from those chains. Note that
       the outgoing packets are NOT seen by any packet filtering chains,
       connection tracking or NAT, to avoid loops and other problems.

   NETMAP
       This target allows you to statically map a whole network of addresses
       onto another network of addresses. It can only be used from rules in
       the nat table.

       --to address[/mask]
              Network address to map to. The resulting address will be
              constructed in the following way: All 'one' bits in the mask
              are filled in from the new `address'. All bits that are zero in
              the mask are filled in from the original address.

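       The address construction rule for NETMAP --to, worked through as an
       added example (not code from the man page or the netfilter project):
       shell functions that convert dotted quads to integers and back and
       then compute the mapped address exactly as the text describes, taking
       the 'one' bits of the mask from the new address and the zero bits from
       the original. The addresses and the sample rule in the comments are
       constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the iptables(8) man page: compute the address
# NETMAP produces for a given --to address/mask. Bits that are one in the
# mask come from the new address, bits that are zero from the original
# address. Addresses are constructed for illustration; the functions only do
# arithmetic and never touch iptables.

ip2int() {
    # Dotted quad -> unsigned 32-bit integer.
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

int2ip() {
    # Unsigned 32-bit integer -> dotted quad.
    local n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

prefix2mask() {
    # Prefix length 0..32 -> netmask as an integer.
    local len=$1
    if [ "$len" -eq 0 ]; then echo 0; return; fi
    echo $(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
}

netmap() {
    # $1 = the --to argument (address or address/prefix), $2 = original address.
    local to=$1 orig=$2 newaddr prefix mask new_i orig_i
    newaddr=${to%/*}
    prefix=${to#*/}
    if [ "$prefix" = "$to" ]; then prefix=32; fi   # no mask: whole address replaced
    mask=$(prefix2mask "$prefix")
    new_i=$(ip2int "$newaddr")
    orig_i=$(ip2int "$orig")
    int2ip $(( (new_i & mask) | (orig_i & ~mask & 0xFFFFFFFF) ))
}

# Constructed example: a rule such as
#   iptables -t nat -A PREROUTING -d 172.16.40.0/24 -j NETMAP --to 192.168.5.0/24
# rewrites 172.16.40.7 to 192.168.5.7, which is what
#   netmap 192.168.5.0/24 172.16.40.7
# prints.
```

       The same arithmetic applies whichever chain the rule sits in: in
       PREROUTING it is the destination address that is rebuilt, in
       POSTROUTING the source, so a pair of equally sized networks gives a
       one-to-one mapping in both directions.
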
   NFLOG
       This target provides logging of matching packets. When this target is
       set for a rule, the Linux kernel will pass the packet to the loaded
       logging backend to log the packet. This is usually used in combination
       with nfnetlink_log as logging backend, which will multicast the packet
       through a netlink socket to the specified multicast group. One or more
       userspace processes may subscribe to the group to receive the packets.
       Like LOG, this is a non-terminating target, i.e. rule traversal
       continues at the next rule.

       --nflog-group nlgroup
              The netlink group (1 - 2^32-1) to which packets are sent (only
              applicable for nfnetlink_log). The default value is 0.

       --nflog-prefix prefix
              A prefix string to include in the log message, up to 64
              characters long, useful for distinguishing messages in the
              logs.

       --nflog-range size
              The number of bytes to be copied to userspace (only applicable
              for nfnetlink_log). nfnetlink_log instances may specify their
              own range, this option overrides it.

       --nflog-threshold size
              Number of packets to queue inside the kernel before sending
              them to userspace (only applicable for nfnetlink_log). Higher
              values result in less overhead per packet, but increase delay
              until the packets reach userspace. The default value is 1.

   NFQUEUE
       This target is an extension of the QUEUE target. As opposed to QUEUE,
       it allows you to put a packet into any specific queue, identified by
       its 16-bit queue number. It can only be used with Kernel versions
       2.6.14 or later, since it requires the nfnetlink_queue kernel support.
       The queue-balance option was added in Linux 2.6.31, queue-bypass in
       2.6.39.

       --queue-num value
              This specifies the QUEUE number to use. Valid queue numbers are
              0 to 65535. The default value is 0.

       --queue-balance value:value
              This specifies a range of queues to use. Packets are then
              balanced across the given queues. This is useful for multicore
              systems: start multiple instances of the userspace program on
              queues x, x+1, .. x+n and use "--queue-balance x:x+n". Packets
              belonging to the same connection are put into the same nfqueue.

       --queue-bypass
              By default, if no userspace program is listening on an NFQUEUE,
              then all packets that are to be queued are dropped. When this
              option is used, the NFQUEUE rule is silently bypassed instead.
              The packet will move on to the next rule.

   NOTRACK
       This target disables connection tracking for all packets matching
       that rule.

       It can only be used in the raw table.

   RATEEST
       The RATEEST target collects statistics, performs rate estimation
       calculation and saves the results for later evaluation using the
       rateest match.

       --rateest-name name
              Count matched packets into the pool referred to by name, which
              is freely choosable.

       --rateest-interval amount{s|ms|us}
              Rate measurement interval, in seconds, milliseconds or
              microseconds.

       --rateest-ewmalog value
              Rate measurement averaging time constant.

   REDIRECT
       This target is only valid in the nat table, in the PREROUTING and
       OUTPUT chains, and user-defined chains which are only called from
       those chains. It redirects the packet to the machine itself by
       changing the destination IP to the primary address of the incoming
       interface (locally-generated packets are mapped to the 127.0.0.1
       address).

       --to-ports port[-port]
              This specifies a destination port or range of ports to use:
              without this, the destination port is never altered. This is
              only valid if the rule also specifies -p tcp or -p udp.

       --random
              If option --random is used then port mapping will be randomized
              (kernel >= 2.6.22).

   REJECT
       This is used to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP so it is a terminating
       TARGET, ending rule traversal. This target is only valid in the INPUT,
       FORWARD and OUTPUT chains, and user-defined chains which are only
       called from those chains. The following option controls the nature of
       the error packet returned:

       --reject-with type
              The type given can be icmp-net-unreachable,
              icmp-host-unreachable, icmp-port-unreachable,
              icmp-proto-unreachable, icmp-net-prohibited,
              icmp-host-prohibited or icmp-admin-prohibited (*) which return
              the appropriate ICMP error message (port-unreachable is the
              default). The option tcp-reset can be used on rules which only
              match the TCP protocol: this causes a TCP RST packet to be sent
              back. This is mainly useful for blocking ident (113/tcp) probes
              which frequently occur when sending mail to broken mail hosts
              (which won't accept your mail otherwise).

       (*) Using icmp-admin-prohibited with kernels that do not support it
       will result in a plain DROP instead of REJECT

   SAME
       Similar to SNAT/DNAT depending on chain: it takes a range of addresses
       (`--to 1.2.3.4-1.2.3.7') and gives a client the same
       source-/destination-address for each connection.

       N.B.: The DNAT target's --persistent option replaced the SAME target.

       --to ipaddr[-ipaddr]
              Addresses to map source to. May be specified more than once for
              multiple ranges.

       --nodst
              Don't use the destination-ip in the calculations when selecting
              the new source-ip

       --random
              Port mapping will be forcibly randomized to avoid attacks based
              on port prediction (kernel >= 2.6.21).

   SECMARK
       This is used to set the security mark value associated with the
       packet for use by security subsystems such as SELinux. It is only
       valid in the mangle table. The mark is 32 bits wide.

       --selctx security_context

   SET
       This module adds and/or deletes entries from IP sets which can be
       defined by ipset(8).

       --add-set setname flag[,flag...]
              add the address(es)/port(s) of the packet to the sets

       --del-set setname flag[,flag...]
              delete the address(es)/port(s) of the packet from the sets

              where flags are src and/or dst specifications and there can be
              no more than six of them.

       Use of -j SET requires that ipset kernel support is provided. As
       standard kernels do not ship this currently, the ipset or
       Xtables-addons package needs to be installed.

   SNAT
       This target is only valid in the nat table, in the POSTROUTING chain.
       It specifies that the source address of the packet should be modified
       (and all future packets in this connection will also be mangled), and
       rules should cease being examined. It takes one type of option:

       --to-source ipaddr[-ipaddr][:port[-port]]
              which can specify a single new source IP address, an inclusive
              range of IP addresses, and optionally, a port range (which is
              only valid if the rule also specifies -p tcp or -p udp). If no
              port range is specified, then source ports below 512 will be
              mapped to other ports below 512: those between 512 and 1023
              inclusive will be mapped to ports below 1024, and other ports
              will be mapped to 1024 or above. Where possible, no port
              alteration will

              In Kernels up to 2.6.10, you can add several --to-source
              options. For those kernels, if you specify more than one source
              address, either via an address range or multiple --to-source
              options, a simple round-robin (one after another in cycle) takes
              place between these addresses. Later Kernels (>= 2.6.11-rc1)
              don't have the ability to NAT to multiple ranges anymore.

       --random
              If option --random is used then port mapping will be randomized
              (kernel >= 2.6.21).

       --persistent
              Gives a client the same source-/destination-address for each
              connection. This supersedes the SAME target. Support for
              persistent mappings is available from 2.6.29-rc2.

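       The DNAT, MASQUERADE and SNAT targets described above, combined in one
       added example (not code from the man page or the netfilter project):
       a script that emits a *nat table in iptables-restore(8) format for a
       router with a single LAN, choosing SNAT when the uplink has a static
       address and MASQUERADE when it does not, exactly as the MASQUERADE
       text advises, together with a DNAT port forward. It also emits the
       *filter fragment the forwarded connection needs, because NAT only
       rewrites addresses; the FORWARD chain still has to accept the
       traffic. The interface names, the 192.168.1.0/24 network, the
       203.0.113.10 uplink address, the ports and the -m state match (from
       the match-extensions part of the man page) are assumptions made for
       this example.

```bash
#!/bin/bash
# Added example, not part of the iptables(8) man page: generate a nat-table
# ruleset plus the matching FORWARD rules in iptables-restore(8) format.
# SNAT is chosen for a static uplink address and MASQUERADE for a dynamic
# one, following the man page's advice. Interfaces, networks, addresses and
# ports are constructed for this example; nothing here calls iptables.

nat_ruleset() {
    # $1 = uplink interface, $2 = LAN network (CIDR),
    # $3 = static uplink address or "" for a dynamically assigned one,
    # $4 = public TCP port to forward, $5 = internal host:port it goes to
    local wan=$1 lan=$2 wan_ip=$3 pub_port=$4 inside=$5
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    # DNAT in PREROUTING: the first packet decides, conntrack rewrites the
    # rest of the connection.
    printf '%s\n' "-A PREROUTING -i $wan -p tcp --dport $pub_port -j DNAT --to-destination $inside"
    if [ -n "$wan_ip" ]; then
        # Static address: SNAT keeps mappings across link flaps; --random
        # avoids predictable source ports.
        printf '%s\n' "-A POSTROUTING -s $lan -o $wan -j SNAT --to-source $wan_ip --random"
    else
        # Dynamic address: MASQUERADE uses whatever address the interface has
        # and forgets the mappings when the interface goes down.
        printf '%s\n' "-A POSTROUTING -s $lan -o $wan -j MASQUERADE"
    fi
    printf '%s\n' 'COMMIT'
}

forward_rules() {
    # $1 = uplink interface, $2 = LAN interface, $3 = LAN network (CIDR),
    # $4 = internal host:port of the DNAT target.
    # FORWARD sees the packet after PREROUTING, so it must match the
    # rewritten (internal) destination, not the public port.
    local wan=$1 lanif=$2 lan=$3 host=${4%:*} port=${4#*:}
    printf '%s\n' '*filter' \
        ':FORWARD DROP [0:0]' \
        '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i $lanif -o $wan -s $lan -j ACCEPT" \
        "-A FORWARD -i $wan -o $lanif -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT" \
        'COMMIT'
}

# Usage (review the output first; --noflush leaves the other tables alone):
#   { nat_ruleset ppp0 192.168.1.0/24 "" 443 192.168.1.20:8443
#     forward_rules ppp0 eth1 192.168.1.0/24 192.168.1.20:8443; } \
#       | iptables-restore --noflush
```

       Keeping the FORWARD accept rule tied to the DNAT target (same host,
       same port) is what makes the port forward narrow: a DNAT rule on its
       own exposes nothing if the filter table still drops forwarded
       traffic, and a blanket FORWARD accept exposes far more than the one
       service.
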
   TCPMSS
       This target allows altering the MSS value of TCP SYN packets, to
       control the maximum size for that connection (usually limiting it to
       your outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6,
       respectively). Of course, it can only be used in conjunction with -p
       tcp. It is only valid in the mangle table.
       This target is used to overcome criminally braindead ISPs or servers
       which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
       packets. The symptoms of this problem are that everything works fine
       from your Linux firewall/router, but machines behind it can never
       exchange large packets:
       1) Web browsers connect, then hang with no data received.
       2) Small mail works fine, but large emails hang.
       3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your firewall
       configuration like:

       iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
                -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly sets MSS option to specified value. If the MSS of
              the packet is already lower than value, it will not be
              increased (from Linux 2.6.25 onwards) to avoid more problems
              with hosts relying on a proper MSS.

       --clamp-mss-to-pmtu
              Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60
              for IPv6). This may not function as desired where asymmetric
              routes with differing path MTU exist — the kernel uses the path
              MTU which it would use to send packets from itself to the
              source and destination IP addresses. Prior to Linux 2.6.25,
              only the path MTU to the destination IP address was considered
              by this option; subsequent kernels also consider the path MTU
              to the source IP address.

       These options are mutually exclusive.

   TCPOPTSTRIP
       This target will strip TCP options off a TCP packet. (It will actually
       replace them by NO-OPs.) As such, you will need to add the -p tcp
       parameters.

       --strip-options option[,option...]
              Strip the given option(s). The options may be specified by TCP
              option number or by symbolic name. The list of recognized
              options can be obtained by calling iptables with -j TCPOPTSTRIP
              -h.

   TOS
       This module sets the Type of Service field in the IPv4 header
       (including the "precedence" bits) or the Priority field in the IPv6
       header. Note that TOS shares the same bits as DSCP and ECN. The TOS
       target is only valid in the mangle table.

       --set-tos value[/mask]
              Zeroes out the bits given by mask and XORs value into the
              TOS/Priority field. If mask is omitted, 0xFF is assumed.

       --set-tos symbol
              You can specify a symbolic name when using the TOS target for
              IPv4. It implies a mask of 0xFF. The list of recognized TOS
              names can be obtained by calling iptables with -j TOS -h.

       The following mnemonics are available:

       --and-tos bits
              Binary AND the TOS value with bits. (Mnemonic for --set-tos
              0/invbits, where invbits is the binary negation of bits.)

       --or-tos bits
              Binary OR the TOS value with bits. (Mnemonic for --set-tos
              bits/bits.)

       --xor-tos bits
              Binary XOR the TOS value with bits. (Mnemonic for --set-tos
              bits/0.)

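       The value/mask arithmetic behind --set-xmark and --set-mark in the
       MARK target, and the identical arithmetic behind --set-tos in the TOS
       target, worked through as one added example (not code from the man
       page or the netfilter project) that serves both sections. The field
       width is a parameter, 32 for the nfmark and 8 for the TOS/Priority
       byte, so the same functions cover --and-mark/--or-mark/--xor-mark and
       --and-tos/--or-tos/--xor-tos, and each mnemonic is written as the
       --set-xmark form the text gives for it. The sample values and the
       rules in the comments are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the iptables(8) man page: apply the
# --set-xmark / --set-mark semantics to a field value and express the
# mnemonics as the --set-xmark cases the man page lists. Field width is 32
# for the nfmark (MARK target) and 8 for the TOS/Priority byte (TOS target).
# Values are constructed for illustration; nothing here calls iptables.

field_mask() {
    # All-ones mask for a field of $1 bits (32 for nfmark, 8 for TOS).
    echo $(( (1 << $1) - 1 ))
}

set_xmark() {
    # $1 = current field, $2 = value, $3 = mask, $4 = field width.
    # Zero the bits given by mask, then XOR value in (--set-xmark value/mask).
    local cur=$1 value=$2 mask=$3 all
    all=$(field_mask "$4")
    echo $(( ((cur & ~mask) ^ value) & all ))
}

set_mark() {
    # Zero the bits given by mask, then OR value in (--set-mark value/mask).
    local cur=$1 value=$2 mask=$3 all
    all=$(field_mask "$4")
    echo $(( ((cur & ~mask) | value) & all ))
}

# The mnemonics, written as the --set-xmark forms the man page gives:
and_mark() {
    # --and-mark bits == --set-xmark 0/invbits, invbits = ~bits within the field
    local all
    all=$(field_mask "$3")
    set_xmark "$1" 0 $(( ~$2 & all )) "$3"
}
or_mark()  { set_xmark "$1" "$2" "$2" "$3"; }   # --or-mark bits  == --set-xmark bits/bits
xor_mark() { set_xmark "$1" "$2" 0 "$3"; }      # --xor-mark bits == --set-xmark bits/0

# Constructed case: nfmark 0x12345678, keep only the upper 16 bits.
#   iptables -t mangle -A PREROUTING -j MARK --and-mark 0xffff0000
# is the same rule as
#   iptables -t mangle -A PREROUTING -j MARK --set-xmark 0/0x0000ffff
# and both leave 0x12340000:
#   printf '0x%08x\n' "$(and_mark 0x12345678 0xffff0000 32)"
```

       The one place --set-xmark and --set-mark differ is when mask leaves
       bits standing that value also sets: XOR clears them, OR keeps them.
       With the default all-ones mask both simply store value, which is why
       the two are interchangeable in the common "set the whole mark" case
       but not when a rule updates only part of it.
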
   TPROXY
       This target is only valid in the mangle table, in the PREROUTING chain
       and user-defined chains which are only called from this chain. It
       redirects the packet to a local socket without changing the packet
       header in any way. It can also change the mark value which can then be
       used in advanced routing rules. It takes three options:

       --on-port port
              This specifies a destination port to use. It is a required
              option, 0 means the new destination port is the same as the
              original. This is only valid if the rule also specifies -p tcp
              or -p udp.

       --on-ip address
              This specifies a destination address to use. By default the
              address is the IP address of the incoming interface. This is
              only valid if the rule also specifies -p tcp or -p udp.

       --tproxy-mark value[/mask]
              Marks packets with the given value/mask. The fwmark value set
              here can be used by advanced routing. (Required for transparent
              proxying to work: otherwise these packets will get forwarded,
              which is probably not what you want.)

   TRACE
       This target marks packets so that the kernel will log every rule which
       matches the packets as they traverse the tables, chains, rules. (The
       ipt_LOG or ip6t_LOG module is required for the logging.) The packets
       are logged with the string prefix:
       "TRACE: tablename:chainname:type:rulenum " where type can be "rule"
       for plain rule, "return" for implicit rule at the end of a user
       defined chain and "policy" for the policy of the built in chains.
       It can only be used in the raw table.

   TTL
       This is used to modify the IPv4 TTL header field. The TTL field
       determines how many hops (routers) a packet can traverse until its
       time to live is exceeded.

       Setting or incrementing the TTL field can potentially be very
       dangerous, so it should be avoided at any cost.

       Don't ever set or increment the value on packets that leave your local
       network! It can only be used in the mangle table.

       --ttl-set value
              Set the TTL value to `value'.

       --ttl-dec value
              Decrement the TTL value `value' times.

       --ttl-inc value
              Increment the TTL value `value' times.

   ULOG
       This target provides userspace logging of matching packets. When this
       target is set for a rule, the Linux kernel will multicast this packet
       through a netlink socket. One or more userspace processes may then
       subscribe to various multicast groups and receive the packets. Like
       LOG, this is a "non-terminating target", i.e. rule traversal continues
       at the next rule.

       --ulog-nlgroup nlgroup
              This specifies the netlink group (1-32) to which the packet is
              sent. Default value is 1.

       --ulog-prefix prefix
              Prefix log messages with the specified prefix; up to 32
              characters long, and useful for distinguishing messages in the
              logs.

       --ulog-cprange size
              Number of bytes to be copied to userspace. A value of 0 always
              copies the entire packet, regardless of its size. Default is 0.

       --ulog-qthreshold size
              Number of packets to queue inside kernel. Setting this value
              to, e.g. 10 accumulates ten packets inside the kernel and
              transmits them as one netlink multipart message to userspace.
              Default is 1 (for backwards compatibility).

DIAGNOSTICS
       Various error messages are printed to standard error. The exit code is
       0 for correct functioning. Errors which appear to be caused by invalid
       or abused command line parameters cause an exit code of 2, and other
       errors cause an exit code of 1.

BUGS
       Bugs? What's this? ;-) Well, you might want to have a look at
       http://bugzilla.netfilter.org/

INCOMPATIBILITIES WITH IPCHAINS
       This iptables is very similar to ipchains by Rusty Russell. The main
       difference is that the chains INPUT and OUTPUT are only traversed for
       packets coming into the local host and originating from the local host
       respectively. Hence every packet only passes through one of the three
       chains (except loopback traffic, which involves both INPUT and OUTPUT
       chains); previously a forwarded packet would pass through all three.

       The other main difference is that -i refers to the input interface; -o
       refers to the output interface, and both are available for packets
       entering the FORWARD chain.

       The various forms of NAT have been separated out; iptables is a pure
       packet filter when using the default `filter' table, with optional
       extension modules. This should simplify much of the previous confusion
       over the combination of IP masquerading and packet filtering seen
       previously. So the following options are handled differently:
       -j MASQ
       -M -S
       -M -L
       There are several other changes in iptables.

SEE ALSO
       iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8),
       ip6tables-restore(8), libipq(3).

       The packet-filtering-HOWTO details iptables usage for packet filtering,
       the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the
       extensions that are not in the standard distribution, and the
       netfilter-hacking-HOWTO details the netfilter internals.
       See http://www.netfilter.org/.

AUTHORS
       Rusty Russell originally wrote iptables, in early consultation with
       Michael Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic
       packet selection framework in iptables, then wrote the mangle table,
       the owner match, the mark stuff, and ran around doing cool stuff
       everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as
       well as the TTL, DSCP, ECN matches and targets.

       The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki
       Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira
       Ayuso, Harald Welte and Rusty Russell.

       Man page originally written by Herve Eychenne <rv@wallfire.org>.