IP6TABLES(8)                    iptables 1.4.4                    IP6TABLES(8)



NAME
       ip6tables — IPv6 packet filter administration

SYNOPSIS
       ip6tables [-t table] {-A|-C|-D} chain rule-specification [options...]

       ip6tables [-t table] -I chain [rulenum] rule-specification [options...]

       ip6tables [-t table] -R chain rulenum rule-specification [options...]

       ip6tables [-t table] -D chain rulenum [options...]

       ip6tables [-t table] -S [chain [rulenum]]

       ip6tables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

       ip6tables [-t table] -N chain

       ip6tables [-t table] -X [chain]

       ip6tables [-t table] -P chain target [options...]

       ip6tables [-t table] -E old-chain-name new-chain-name

DESCRIPTION
       Ip6tables is used to set up, maintain, and inspect the tables of IPv6
       packet filter rules in the Linux kernel.  Several different tables may
       be defined.  Each table contains a number of built-in chains and may
       also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets.  Each
       rule specifies what to do with a packet that matches.  This is called a
       `target', which may be a jump to a user-defined chain in the same
       table.

TARGETS
       A firewall rule specifies criteria for a packet and a target.  If the
       packet does not match, the next rule in the chain is examined; if it
       does match, then the next rule is specified by the value of the target,
       which can be the name of a user-defined chain or one of the special
       values ACCEPT, DROP, QUEUE or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the packet
       on the floor.  QUEUE means to pass the packet to userspace.  (How the
       packet can be received by a userspace process differs by the particular
       queue handler.  2.4.x and 2.6.x kernels up to 2.6.13 include the
       ip_queue queue handler.  Kernels 2.6.14 and later additionally include
       the nfnetlink_queue queue handler.  Packets with a target of QUEUE will
       be sent to queue number '0' in this case.  Please also see the NFQUEUE
       target as described later in this man page.)  RETURN means stop
       traversing this chain and resume at the next rule in the previous
       (calling) chain.  If the end of a built-in chain is reached or a rule
       in a built-in chain with target RETURN is matched, the target specified
       by the chain policy determines the fate of the packet.

TABLES
       There are currently three independent tables (which tables are present
       at any time depends on the kernel configuration options and which
       modules are present).

       -t, --table table
              This option specifies the packet matching table which the
              command should operate on.  If the kernel is configured with
              automatic module loading, an attempt will be made to load the
              appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed).  It
                  contains the built-in chains INPUT (for packets destined to
                  local sockets), FORWARD (for packets being routed through
                  the box), and OUTPUT (for locally-generated packets).

              mangle:
                  This table is used for specialized packet alteration.  Until
                  kernel 2.4.17 it had two built-in chains: PREROUTING (for
                  altering incoming packets before routing) and OUTPUT (for
                  altering locally-generated packets before routing).  Since
                  kernel 2.4.18, three other built-in chains are also
                  supported: INPUT (for packets coming into the box itself),
                  FORWARD (for altering packets being routed through the box),
                  and POSTROUTING (for altering packets as they are about to
                  go out).

              raw:
                  This table is used mainly for configuring exemptions from
                  connection tracking in combination with the NOTRACK target.
                  It registers at the netfilter hooks with higher priority and
                  is thus called before ip_conntrack, or any other IP tables.
                  It provides the following built-in chains: PREROUTING (for
                  packets arriving via any network interface) and OUTPUT (for
                  packets generated by local processes).

OPTIONS
       The options that are recognized by ip6tables can be divided into
       several different groups.

   COMMANDS
       These options specify the specific action to perform.  Only one of them
       can be specified on the command line unless otherwise specified below.
       For all the long versions of the command and option names, you need to
       use only enough letters to ensure that ip6tables can differentiate it
       from all other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.  When
              the source and/or destination names resolve to more than one
              address, a rule will be added for each possible address
              combination.

       -C, --check chain rule-specification
              Check whether a rule matching the specification does exist in
              the selected chain.  This command uses the same logic as -D to
              find a matching entry, but does not alter the existing ip6tables
              configuration and uses its exit code to indicate success or
              failure.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain.  There are two
              versions of this command: the rule can be specified as a number
              in the chain (starting at 1 for the first rule) or a rule to
              match.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given rule
              number.  So, if the rule number is 1, the rule or rules are
              inserted at the head of the chain.  This is also the default if
              no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source and/or
              destination names resolve to multiple addresses, the command
              will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is selected,
              all chains are listed.  Like every other ip6tables command, it
              applies to the specified table (filter is the default).

              Please note that it is often used with the -n option, in order
              to avoid long reverse DNS lookups.  It is legal to specify the
              -Z (zero) option as well, in which case the chain(s) will be
              atomically listed and zeroed.  The exact output is affected by
              the other arguments given.  The exact rules are suppressed until
              you use
               ip6tables -L -v

       -S, --list-rules [chain]
              Print all rules in the selected chain.  If no chain is selected,
              all chains are printed like ip6tables-save.  Like every other
              ip6tables command, it applies to the specified table (filter is
              the default).

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none is
              given).  This is equivalent to deleting all the rules one by
              one.

       -Z, --zero [chain [rulenum]]
              Zero the packet and byte counters in all chains, or only the
              given chain, or only the given rule in a chain.  It is legal to
              specify the -L, --list (list) option as well, to see the
              counters immediately before they are cleared.  (See above.)

       -N, --new-chain chain
              Create a new user-defined chain by the given name.  There must
              be no target of that name already.

       -X, --delete-chain [chain]
              Delete the optional user-defined chain specified.  There must be
              no references to the chain.  If there are, you must delete or
              replace the referring rules before the chain can be deleted.
              The chain must be empty, i.e. not contain any rules.  If no
              argument is given, it will attempt to delete every non-builtin
              chain in the table.

       -P, --policy chain target
              Set the policy for the chain to the given target.  See the
              section TARGETS for the legal targets.  Only built-in (non-user-
              defined) chains can have policies, and neither built-in nor
              user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename the user specified chain to the user supplied name.  This
              is cosmetic, and has no effect on the structure of the table.

       -h     Help.  Give a (currently very brief) description of the command
              syntax.

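       The -C command makes an idempotent provisioning pattern possible: test
       for a rule and append it only when it is absent, so a script can be
       re-run without stacking duplicate copies, and delete with -D in a loop
       until -C reports the rule gone.  The functions below are an added
       example, not part of ip6tables or of this man page.  fake_ip6tables is
       a constructed stand-in for the real binary that keeps rules in a
       temporary file and understands only -t, -C, -A and -D, so the logic can
       be exercised without root or a kernel; IP6T selects which binary the
       helpers drive.  Note that -C compares the whole rule as stored, so the
       specification given to -C must be written exactly as it was added,
       including the order of match options.

```shell
#!/bin/sh
# Idempotent rule management: -C (check) before -A (append) or -D (delete).
# IP6T names the binary to drive; it defaults to the real ip6tables and is
# pointed at the stand-in below for offline use.
IP6T="${IP6T:-ip6tables}"

# ensure_rule TABLE CHAIN RULE-SPEC...: append the rule unless an identical one
# already exists. Exit status is that of ip6tables (0 = rule is now present).
ensure_rule() {
    er_table=$1; er_chain=$2; shift 2
    if "$IP6T" -t "$er_table" -C "$er_chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IP6T" -t "$er_table" -A "$er_chain" "$@"
}

# remove_rule TABLE CHAIN RULE-SPEC...: -D removes one matching rule per call,
# so loop until -C reports the rule is gone. Succeeds on an absent rule.
remove_rule() {
    rr_table=$1; rr_chain=$2; shift 2
    while "$IP6T" -t "$rr_table" -C "$rr_chain" "$@" 2>/dev/null; do
        "$IP6T" -t "$rr_table" -D "$rr_chain" "$@" || return 1
    done
}

# fake_ip6tables: constructed stand-in for the real binary (this example's
# own, not part of iptables). One rule per line in $FAKE_STATE, stored as
# "table chain rule-spec"; only -t, -C, -A and -D are understood, with the
# same exit codes as ip6tables for those commands.
FAKE_STATE="${FAKE_STATE:-/tmp/fake_ip6tables.$$}"
fake_ip6tables() {
    f_table=filter
    if [ "$1" = -t ]; then f_table=$2; shift 2; fi
    f_cmd=$1; f_chain=$2; shift 2
    f_line="$f_table $f_chain $*"
    touch "$FAKE_STATE"
    case $f_cmd in
        -C) grep -qxF -- "$f_line" "$FAKE_STATE" ;;
        -A) printf '%s\n' "$f_line" >>"$FAKE_STATE" ;;
        -D) grep -qxF -- "$f_line" "$FAKE_STATE" || return 1
            # drop exactly one matching line, like a real -D
            awk -v want="$f_line" '!done && $0 == want { done = 1; next } { print }' \
                "$FAKE_STATE" >"$FAKE_STATE.new" && mv "$FAKE_STATE.new" "$FAKE_STATE" ;;
        *)  echo "fake_ip6tables: unsupported command $f_cmd" >&2; return 2 ;;
    esac
}

# rule_count: number of rules the stand-in currently holds.
rule_count() {
    [ -f "$FAKE_STATE" ] || { echo 0; return; }
    wc -l <"$FAKE_STATE" | tr -d ' '
}

# demo: apply the same rule twice, then remove it, against the stand-in.
demo() {
    IP6T=fake_ip6tables
    : >"$FAKE_STATE"
    ensure_rule filter INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ensure_rule filter INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    echo "after two ensure_rule calls: $(rule_count) rule(s)"
    remove_rule filter INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    echo "after remove_rule: $(rule_count) rule(s)"
    rm -f "$FAKE_STATE"
}

[ "${1:-}" = --demo ] && demo
```

       Run with --demo to see the stand-in in action; against a real system,
       leave IP6T unset and call ensure_rule or remove_rule as root with the
       table, chain and rule specification you would otherwise give to -A.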
   PARAMETERS
       The following parameters make up a rule specification (as used in the
       add, delete, insert, replace and append commands).

       [!] -p, --protocol protocol
              The protocol of the rule or of the packet to check.  The
              specified protocol can be one of tcp, udp, udplite, icmpv6, esp,
              mh or all, or it can be a numeric value, representing one of
              these protocols or a different one.  A protocol name from
              /etc/protocols is also allowed.  But IPv6 extension headers
              except esp are not allowed.  esp and ipv6-nonext can be used
              with kernel version 2.6.11 or later.  A "!" argument before the
              protocol inverts the test.  The number zero is equivalent to
              all.  Protocol all will match with all protocols and is taken as
              default when this option is omitted.

       [!] -s, --source address[/mask]
              Source specification.  Address can be either a hostname, a
              network IP address (with /mask), or a plain IP address.  Names
              will be resolved once only, before the rule is submitted to the
              kernel.  Please note that specifying any name to be resolved
              with a remote query such as DNS is a really bad idea.
              (Resolving network names is not supported at this time.)  The
              mask is a plain number, specifying the number of 1's at the left
              side of the network mask.  A "!" argument before the address
              specification inverts the sense of the address.  The flag --src
              is an alias for this option.  Multiple addresses can be
              specified, but this will expand to multiple rules (when adding
              with -A), or will cause multiple rules to be deleted (with -D).

       [!] -d, --destination address[/mask]
              Destination specification.  See the description of the -s
              (source) flag for a detailed description of the syntax.  The
              flag --dst is an alias for this option.

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if the
              packet matches it.  The target can be a user-defined chain
              (other than the one this rule is in), one of the special builtin
              targets which decide the fate of the packet immediately, or an
              extension (see EXTENSIONS below).  If this option is omitted in
              a rule (and -g is not used), then matching the rule will have no
              effect on the packet's fate, but the counters on the rule will
              be incremented.

       -g, --goto chain
              This specifies that the processing should continue in a user
              specified chain.  Unlike with --jump, a RETURN from that chain
              will not continue processing in this chain but in the chain that
              called this one via --jump.

       [!] -i, --in-interface name
              Name of an interface via which a packet was received (only for
              packets entering the INPUT, FORWARD and PREROUTING chains).
              When the "!" argument is used before the interface name, the
              sense is inverted.  If the interface name ends in a "+", then
              any interface which begins with this name will match.  If this
              option is omitted, any interface name will match.

       [!] -o, --out-interface name
              Name of an interface via which a packet is going to be sent (for
              packets entering the FORWARD, OUTPUT and POSTROUTING chains).
              When the "!" argument is used before the interface name, the
              sense is inverted.  If the interface name ends in a "+", then
              any interface which begins with this name will match.  If this
              option is omitted, any interface name will match.

       -c, --set-counters packets bytes
              This enables the administrator to initialize the packet and byte
              counters of a rule (during INSERT, APPEND, REPLACE operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output.  This option makes the list command show the
              interface name, the rule options (if any), and the TOS masks.
              The packet and byte counters are also listed, with the suffix
              'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000
              multipliers respectively (but see the -x flag to change this).
              For appending, insertion, deletion and replacement, this causes
              detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output.  IP addresses and port numbers will be printed
              in numeric format.  By default, the program will try to display
              them as host names, network names, or services (whenever
              applicable).

       -x, --exact
              Expand numbers.  Display the exact value of the packet and byte
              counters, instead of only the rounded number in K's (multiples
              of 1000) M's (multiples of 1000K) or G's (multiples of 1000M).
              This option is only relevant for the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each
              rule, corresponding to that rule's position in the chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command to load
              any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS
       ip6tables can use extended packet matching modules.  These are loaded
       in two ways: implicitly, when -p or --protocol is specified, or with
       the -m or --match options, followed by the matching module name; after
       these, various extra command line options become available, depending
       on the specific module.  You can specify multiple extended match
       modules in one line, and you can use the -h or --help options after the
       module has been specified to receive help specific to that module.

       The following are included in the base package, and most of these can
       be preceded by a "!" to invert the sense of the match.

   ah
       This module matches the parameters in Authentication header of IPsec
       packets.

       [!] --ahspi spi[:spi]
              Matches SPI.

       [!] --ahlen length
              Total length of this header in octets.

       --ahres
              Matches if the reserved field is filled with zero.

   cluster
       Allows you to deploy gateway and back-end load-sharing clusters without
       the need of load-balancers.

       This match requires that all the nodes see the same packets.  Thus, the
       cluster match decides if this node has to handle a packet given the
       following options:

       --cluster-total-nodes num
              Set number of total nodes in cluster.

       [!] --cluster-local-node num
              Set the local node number ID.

       [!] --cluster-local-nodemask mask
              Set the local node number ID mask.  You can use this option
              instead of --cluster-local-node.

       --cluster-hash-seed value
              Set seed value of the Jenkins hash.

       Example:

              iptables -A PREROUTING -t mangle -i eth1 -m cluster
              --cluster-total-nodes 2 --cluster-local-node 1
              --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

              iptables -A PREROUTING -t mangle -i eth2 -m cluster
              --cluster-total-nodes 2 --cluster-local-node 1
              --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

              iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff
              -j DROP

              iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff
              -j DROP

       And the following commands to make all nodes see the same packets:

              ip maddr add 01:00:5e:00:01:01 dev eth1

              ip maddr add 01:00:5e:00:01:02 dev eth2

              arptables -A OUTPUT -o eth1 --h-length 6 -j mangle
              --mangle-mac-s 01:00:5e:00:01:01

              arptables -A INPUT -i eth1 --h-length 6 --destination-mac
              01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

              arptables -A OUTPUT -o eth2 --h-length 6 -j mangle
              --mangle-mac-s 01:00:5e:00:01:02

              arptables -A INPUT -i eth2 --h-length 6 --destination-mac
              01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

       In the case of TCP connections, pickup facility has to be disabled to
       avoid marking TCP ACK packets coming in the reply direction as valid.

              echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

   comment
       Allows you to add comments (up to 256 characters) to any rule.

       --comment comment

       Example:
              iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A
              privatized IP block"

   connbytes
       Match by how many bytes or packets a connection (or one of the two
       flows constituting the connection) has transferred so far, or by
       average bytes per packet.

       The counters are 64-bit and are thus not expected to overflow ;)

       The primary use is to detect long-lived downloads and mark them to be
       scheduled using a lower priority band in traffic control.

       The transferred bytes per connection can also be viewed through
       `conntrack -L` and accessed via ctnetlink.

       NOTE that for connections which have no accounting information, the
       match will always return false.  The "net.netfilter.nf_conntrack_acct"
       sysctl flag controls whether new connections will be byte/packet
       counted.  Existing connections do not gain or lose their accounting
       structure when the sysctl flag is flipped.

       [!] --connbytes from[:to]
              Match packets from a connection whose packets/bytes/average
              packet size is more than FROM and less than TO bytes/packets.
              If TO is omitted only the FROM check is done.  "!" is used to
              match packets not falling in the range.

       --connbytes-dir {original|reply|both}
              Which packets to consider.

       --connbytes-mode {packets|bytes|avgpkt}
              Whether to check the amount of packets, number of bytes
              transferred or the average size (in bytes) of all packets
              received so far.  Note that when "both" is used together with
              "avgpkt", and data is going (mainly) only in one direction (for
              example HTTP), the average packet size will be about half of the
              actual data packets.

       Example:
              iptables .. -m connbytes --connbytes 10000:100000
              --connbytes-dir both --connbytes-mode bytes ...

   connlimit
       Allows you to restrict the number of parallel connections to a server
       per client IP address (or client address block).

       [!] --connlimit-above n
              Match if the number of existing connections is (not) above n.

       --connlimit-mask prefix_length
              Group hosts using the prefix length.  For IPv4, this must be a
              number between (including) 0 and 32.  For IPv6, between 0 and
              128.

       Examples:

       # allow 2 telnet connections per client host
              iptables -A INPUT -p tcp --syn --dport 23 -m connlimit
              --connlimit-above 2 -j REJECT

       # you can also match the other way around:
              iptables -A INPUT -p tcp --syn --dport 23 -m connlimit !
              --connlimit-above 2 -j ACCEPT

       # limit the number of parallel HTTP requests to 16 per class C sized
       network (24 bit netmask)
              iptables -A INPUT -p tcp --syn --dport 80 -m connlimit
              --connlimit-above 16 --connlimit-mask 24 -j REJECT

       # limit the number of parallel HTTP requests to 16 for the link local
       network
              (ipv6) ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64
              -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

   connmark
       This module matches the netfilter mark field associated with a
       connection (which can be set using the CONNMARK target below).

       [!] --mark value[/mask]
              Matches packets in connections with the given mark value (if a
              mask is specified, this is logically ANDed with the mark before
              the comparison).

   conntrack
       This module, when combined with connection tracking, allows access to
       the connection tracking state for this packet/connection.

       [!] --ctstate statelist
              statelist is a comma separated list of the connection states to
              match.  Possible states are listed below.

       [!] --ctproto l4proto
              Layer-4 protocol to match (by number or name)

       [!] --ctorigsrc address[/mask]

       [!] --ctorigdst address[/mask]

       [!] --ctreplsrc address[/mask]

       [!] --ctrepldst address[/mask]
              Match against original/reply source/destination address

       [!] --ctorigsrcport port

       [!] --ctorigdstport port

       [!] --ctreplsrcport port

       [!] --ctrepldstport port
              Match against original/reply source/destination port
              (TCP/UDP/etc.) or GRE key.

       [!] --ctstatus statuslist
              statuslist is a comma separated list of the connection statuses
              to match.  Possible statuses are listed below.

       [!] --ctexpire time[:time]
              Match remaining lifetime in seconds against given value or range
              of values (inclusive)

       --ctdir {ORIGINAL|REPLY}
              Match packets that are flowing in the specified direction.  If
              this flag is not specified at all, matches packets in both
              directions.

       States for --ctstate:

       INVALID
              meaning that the packet is associated with no known connection

       NEW    meaning that the packet has started a new connection, or
              otherwise associated with a connection which has not seen
              packets in both directions, and

       ESTABLISHED
              meaning that the packet is associated with a connection which
              has seen packets in both directions,

       RELATED
              meaning that the packet is starting a new connection, but is
              associated with an existing connection, such as an FTP data
              transfer, or an ICMP error.

       SNAT   A virtual state, matching if the original source address differs
              from the reply destination.

       DNAT   A virtual state, matching if the original destination differs
              from the reply source.

       Statuses for --ctstatus:

       NONE   None of the below.

       EXPECTED
              This is an expected connection (i.e. a conntrack helper set it
              up)

       SEEN_REPLY
              Conntrack has seen packets in both directions.

       ASSURED
              Conntrack entry should never be early-expired.

       CONFIRMED
              Connection is confirmed: originating packet has left box.

   dccp
       [!] --source-port,--sport port[:port]

       [!] --destination-port,--dport port[:port]

       [!] --dccp-types mask
              Match when the DCCP packet type is one of 'mask'.  'mask' is a
              comma-separated list of packet types.  Packet types are: REQUEST
              RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK
              INVALID.

       [!] --dccp-option number
              Match if DCCP option set.

   dscp
       This module matches the 6 bit DSCP field within the Traffic Class
       field of the IPv6 header (the equivalent of the IPv4 TOS field).  DSCP
       has superseded TOS within the IETF.

       [!] --dscp value
              Match against a numeric (decimal or hex) value [0-63].

       [!] --dscp-class class
              Match the DiffServ class.  This value may be any of the BE, EF,
              AFxx or CSx classes.  It will then be converted into its
              according numeric value.

   dst
       This module matches the parameters in Destination Options header

       [!] --dst-len length
              Total length of this header in octets.

       --dst-opts type[:length][,type[:length]...]
              numeric type of option and the length of the option data in
              octets.

   esp
       This module matches the SPIs in ESP header of IPsec packets.

       [!] --espspi spi[:spi]

   eui64
       This module matches the EUI-64 part of a stateless autoconfigured IPv6
       address.  It compares the EUI-64 derived from the source MAC address in
       the Ethernet frame with the lower 64 bits of the IPv6 source address,
       except that the "Universal/Local" bit is not compared.  This module
       does not match frames of other link layer types, and is only valid in
       the PREROUTING, INPUT and FORWARD chains.

   frag
       This module matches the parameters in Fragment header.

       [!] --fragid id[:id]
              Matches the given Identification or range of it.

       [!] --fraglen length
              This option cannot be used with kernel version 2.6.10 or later.
              The length of the Fragment header is fixed, so this option does
              not make sense.

       --fragres
              Matches if the reserved fields are filled with zero.

       --fragfirst
              Matches on the first fragment.

       --fragmore
              Matches if there are more fragments.

       --fraglast
              Matches if this is the last fragment.

   hashlimit
       hashlimit uses hash buckets to express a rate limiting match (like the
       limit match) for a group of connections using a single ip6tables rule.
       Grouping can be done per-hostgroup (source and/or destination address)
       and/or per-port.  It gives you the ability to express "N packets per
       time quantum per group":

       matching on source host
              "1000 packets per second for every host in 192.168.0.0/16"

       matching on source port
              "100 packets per second for every service of 192.168.1.1"

       matching on subnet
              "10000 packets per minute for every /28 subnet in 10.0.0.0/8"

       A hash limit option (--hashlimit-upto, --hashlimit-above) and
       --hashlimit-name are required.

       --hashlimit-upto amount[/second|/minute|/hour|/day]
              Match if the rate is below or equal to amount/quantum.  It is
              specified as a number, with an optional time quantum suffix; the
              default is 3/hour.

       --hashlimit-above amount[/second|/minute|/hour|/day]
              Match if the rate is above amount/quantum.

       --hashlimit-burst amount
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.

       --hashlimit-mode {srcip|srcport|dstip|dstport},...
              A comma-separated list of objects to take into consideration.
              If no --hashlimit-mode option is given, hashlimit acts like
              limit, but at the expense of doing the hash housekeeping.

       --hashlimit-srcmask prefix
              When --hashlimit-mode srcip is used, all source addresses
              encountered will be grouped according to the given prefix length
              and the so-created subnet will be subject to hashlimit.  prefix
              must be between (inclusive) 0 and 128 for IPv6 (0 and 32 for
              IPv4).  Note that --hashlimit-srcmask 0 is basically doing the
              same thing as not specifying srcip for --hashlimit-mode, but is
              technically more expensive.

       --hashlimit-dstmask prefix
              Like --hashlimit-srcmask, but for destination addresses.

       --hashlimit-name foo
              The name for the /proc/net/ip6t_hashlimit/foo entry.

       --hashlimit-htable-size buckets
              The number of buckets of the hash table

       --hashlimit-htable-max entries
              Maximum entries in the hash.

       --hashlimit-htable-expire msec
              After how many milliseconds do hash entries expire.

       --hashlimit-htable-gcinterval msec
              How many milliseconds between garbage collection intervals.

699   hbh
700       This module matches the parameters in the Hop-by-Hop Options header.
701
702       [!] --hbh-len length
703              Total length of this header in octets.
704
705       --hbh-opts type[:length][,type[:length]...]
706              Numeric type of the option and the length of the option data in
707              octets.
708
709   helper
710       This module matches packets related to a specific conntrack-helper.
711
712       [!] --helper string
713              Matches packets related to the specified conntrack-helper.
714
715              string can be "ftp" for packets related to an FTP session on the
716              default port. For other ports append -portnr to the value, e.g.
717              "ftp-2121".
718
719              Same rules apply for other conntrack-helpers.
720
721   hl
722       This module matches the Hop Limit field in the IPv6 header.
723
724       [!] --hl-eq value
725              Matches if Hop Limit equals value.
726
727       --hl-lt value
728              Matches if Hop Limit is less than value.
729
730       --hl-gt value
731              Matches if Hop Limit is greater than value.
732
733   icmp6
734       This extension can be used if  `--protocol  ipv6-icmp'  or  `--protocol
735       icmpv6' is specified. It provides the following option:
736
737       [!] --icmpv6-type type[/code]|typename
738              This  allows  specification  of  the ICMPv6 type, which can be a
739              numeric ICMPv6 type, type and code, or one of  the  ICMPv6  type
740              names shown by the command
741               ip6tables -p ipv6-icmp -h
742
743   iprange
744       This matches on a given arbitrary range of IP addresses.
745
746       [!] --src-range from[-to]
747              Match source IP in the specified range.
748
749       [!] --dst-range from[-to]
750              Match destination IP in the specified range.
751
752   ipv6header
753       This module matches IPv6 extension headers and/or upper layer header.
754
755       --soft Matches if the packet includes any of the headers specified with
756              --header.
757
758       [!] --header header[,header...]
759              Matches the packet which EXACTLY includes all specified headers.
760              The headers encapsulated with ESP header are out of scope.  Pos‐
761              sible header types can be:
762
763       hop|hop-by-hop
764              Hop-by-Hop Options header
765
766       dst    Destination Options header
767
768       route  Routing header
769
770       frag   Fragment header
771
772       auth   Authentication header
773
774       esp    Encapsulating Security Payload header
775
776       none   No Next Header, i.e. the value 59 in the 'Next Header' field of
777              the IPv6 header or of any IPv6 extension header
778
779       proto  Matches any upper layer protocol header. A protocol name  from
780              /etc/protocols or a numeric value is also allowed.  The number
781              255 is equivalent to proto.
782
783   length
784       This  module  matches  the  length of the layer-3 payload (e.g. layer-4
785       packet) of a packet against a specific value or range of values.
786
787       [!] --length length[:length]
788
789   limit
790       This module matches at a limited rate using a token bucket  filter.   A
791       rule  using  this  extension  will  match  until  this limit is reached
792       (unless the `!' flag is used).  It can be used in combination with  the
793       LOG target to give limited logging, for example.
794
795       --limit rate[/second|/minute|/hour|/day]
796              Maximum  average  matching  rate: specified as a number, with an
797              optional `/second', `/minute', `/hour', or  `/day'  suffix;  the
798              default is 3/hour.
799
800       --limit-burst number
801              Maximum  initial  number  of  packets to match: this number gets
802              recharged by one every time the limit  specified  above  is  not
803              reached, up to this number; the default is 5.
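
       The token-bucket behaviour shared by limit and hashlimit (an initial burst,
       one token recharged whenever the rate is not exceeded, and for hashlimit one
       bucket per group) is easiest to see in a short simulation. The following
       Python model is an added example, not code from iptables or the kernel's
       xt_limit/xt_hashlimit modules. It assumes tokens refill continuously in
       proportion to elapsed time (that is how the burst "recharges"), and it groups
       hashlimit buckets by the source address truncated to --hashlimit-srcmask bits;
       the addresses and arrival times in the demo are constructed.

```python
"""Token-bucket model of the limit and hashlimit matches.

Added example, not code from iptables or the kernel (xt_limit / xt_hashlimit).
Assumptions: a bucket starts full at `burst` tokens, every matching packet
spends one token, and tokens are refilled continuously at the configured rate,
never above `burst`. hashlimit keeps one such bucket per group; here the group
is the source address truncated to --hashlimit-srcmask bits.
"""
import ipaddress

# Seconds per time quantum accepted by --limit and --hashlimit-upto/-above.
QUANTUM_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec, default_quantum="hour"):
    """Convert '3/hour', '1000/second' or a bare '5' into matches per second.

    The default quantum is an hour, matching the documented default of 3/hour.
    """
    amount, _, quantum = spec.partition("/")
    return float(amount) / QUANTUM_SECONDS[quantum or default_quantum]


class TokenBucket:
    """One rate limiter: `burst` is the maximum initial number of matches."""

    def __init__(self, rate_per_sec, burst, now=0.0):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)   # starts full, so `burst` packets match at once
        self.last = now

    def allow(self, now):
        # Recharge: the bucket gains rate * elapsed tokens, capped at burst.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True              # rule matches
        return False                 # over the limit: rule does not match


def limit_match(rate_spec, burst, arrivals):
    """`-m limit --limit RATE --limit-burst BURST` applied to packet arrival
    times in seconds; returns one bool per packet (True = the rule matched)."""
    bucket = TokenBucket(parse_rate(rate_spec), burst)
    return [bucket.allow(t) for t in arrivals]


def hashlimit_srcip_match(rate_spec, burst, srcmask, packets):
    """`-m hashlimit --hashlimit-mode srcip --hashlimit-srcmask N
    --hashlimit-upto RATE --hashlimit-burst BURST` applied to (time, src) pairs.

    Each /N source group gets its own bucket, so one noisy host cannot exhaust
    the budget of hosts outside its group. srcmask 0 puts everyone in one group,
    which is why the man page says it behaves like plain limit.
    """
    buckets = {}
    results = []
    for t, src in packets:
        # ipaddress handles both IPv4 and IPv6 sources; strict=False drops host bits.
        group = ipaddress.ip_network(f"{src}/{srcmask}", strict=False)
        if group not in buckets:
            buckets[group] = TokenBucket(parse_rate(rate_spec), burst, now=t)
        results.append(buckets[group].allow(t))
    return results


if __name__ == "__main__":
    # Constructed demo: seven packets at t=0, then two more one second later.
    print(limit_match("1/second", 5, [0, 0, 0, 0, 0, 0, 0, 1.0, 1.0]))
    demo = [(0, "192.168.1.10"), (0, "192.168.1.20"), (0, "192.168.2.10")]
    print(hashlimit_srcip_match("1/second", 1, 24, demo))
```

       With --limit-burst 5 the first five packets of a burst match and the sixth does
       not; one second later at 1/second exactly one more token is available. The
       hashlimit variant shows why --hashlimit-srcmask matters for a defender: with
       /24 grouping a second host in the same subnet shares the first host's budget,
       while a host in another /24 gets its own.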
804
805   mac
806       [!] --mac-source address
807              Match   source   MAC   address.    It   must   be  of  the  form
808              XX:XX:XX:XX:XX:XX.  Note that this only makes sense for  packets
809              coming from an Ethernet device and entering the PREROUTING, FOR‐
810              WARD or INPUT chains.
811
812   mark
813       This module matches the netfilter mark field associated with  a  packet
814       (which can be set using the MARK target below).
815
816       [!] --mark value[/mask]
817              Matches packets with the given unsigned mark value (if a mask is
818              specified, this is logically ANDed with the mask before the com‐
819              parison).
820
821   mh
822       This  extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is
823       specified. It provides the following option:
824
825       [!] --mh-type type[:type]
826              This allows specification of the Mobility Header(MH) type, which
827              can be a numeric MH type, type or one of the MH type names shown
828              by the command
829               ip6tables -p ipv6-mh -h
830
831   multiport
832       This module matches a set of source or destination  ports.   Up  to  15
833       ports  can be specified.  A port range (port:port) counts as two ports.
834       It can only be used in conjunction with -p tcp or -p udp.
835
836       [!] --source-ports,--sports port[,port|,port:port]...
837              Match if the source port is one of the given  ports.   The  flag
838              --sports  is  a convenient alias for this option. Multiple ports
839              or port ranges are separated using a comma, and a port range  is
840              specified  using  a  colon.  53,1024:65535 would therefore match
841              ports 53 and all from 1024 through 65535.
842
843       [!] --destination-ports,--dports port[,port|,port:port]...
844              Match if the destination port is one of the  given  ports.   The
845              flag --dports is a convenient alias for this option.
846
847       [!] --ports port[,port|,port:port]...
848              Match if either the source or destination ports are equal to one
849              of the given ports.
850
851   owner
852       This module attempts to match various  characteristics  of  the  packet
853       creator, for locally generated packets. This match is only valid in the
854       OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket
855       associated with them. Packets from kernel threads do have a socket, but
856       usually no owner.
857
858       [!] --uid-owner username
859
860       [!] --uid-owner userid[-userid]
861              Matches if the packet socket's file structure (if it has one) is
862              owned  by  the given user. You may also specify a numerical UID,
863              or an UID range.
864
865       [!] --gid-owner groupname
866
867       [!] --gid-owner groupid[-groupid]
868              Matches if the packet socket's file structure is  owned  by  the
869              given  group.   You  may  also specify a numerical GID, or a GID
870              range.
871
872       [!] --socket-exists
873              Matches if the packet is associated with a socket.
874
875   physdev
876       This module matches  on  the  bridge  port  input  and  output  devices
877       enslaved  to  a bridge device. This module is a part of the infrastruc‐
878       ture that enables a transparent bridging IP firewall and is only useful
879       for kernel versions above version 2.5.44.
880
881       [!] --physdev-in name
882              Name  of  a bridge port via which a packet is received (only for
883              packets entering the INPUT, FORWARD and PREROUTING  chains).  If
884              the  interface  name  ends  in  a  "+", then any interface which
885              begins with this name will match. If the  packet  didn't  arrive
886              through  a  bridge  device, this packet won't match this option,
887              unless '!' is used.
888
889       [!] --physdev-out name
890              Name of a bridge port via which a packet is  going  to  be  sent
891              (for  packets  entering  the  FORWARD,  OUTPUT  and  POSTROUTING
892              chains).  If the interface name ends in a "+", then  any  inter‐
893              face  which  begins  with this name will match. Note that in the
894              nat and mangle OUTPUT chains one cannot match on the bridge out‐
895              put  port,  however  one  can in the filter OUTPUT chain. If the
896              packet won't leave by a bridge device or if it  is  yet  unknown
897              what the output device will be, then the packet won't match this
898              option, unless '!' is used.
899
900       [!] --physdev-is-in
901              Matches if the packet has entered through a bridge interface.
902
903       [!] --physdev-is-out
904              Matches if the packet will leave through a bridge interface.
905
906       [!] --physdev-is-bridged
907              Matches if the packet is being  bridged  and  therefore  is  not
908              being  routed.  This is only useful in the FORWARD and POSTROUT‐
909              ING chains.
910
911   pkttype
912       This module matches the link-layer packet type.
913
914       [!] --pkt-type {unicast|broadcast|multicast}
915
916   policy
917       This module matches the policy used by IPsec for handling a packet.
918
919       --dir {in|out}
920              Used to select whether to match the policy used  for  decapsula‐
921              tion  or  the policy that will be used for encapsulation.  in is
922              valid in the PREROUTING, INPUT and FORWARD chains, out is  valid
923              in the POSTROUTING, OUTPUT and FORWARD chains.
924
925       --pol {none|ipsec}
926              Matches if the packet is subject to IPsec processing.
927
928       --strict
929              Selects  whether  to match the exact policy or match if any rule
930              of the policy matches the given policy.
931
932       [!] --reqid id
933              Matches the reqid of the policy rule. The reqid can be specified
934              with setkey(8) using unique:id as level.
935
936       [!] --spi spi
937              Matches the SPI of the SA.
938
939       [!] --proto {ah|esp|ipcomp}
940              Matches the encapsulation protocol.
941
942       [!] --mode {tunnel|transport}
943              Matches the encapsulation mode.
944
945       [!] --tunnel-src addr[/mask]
946              Matches  the source end-point address of a tunnel mode SA.  Only
947              valid with --mode tunnel.
948
949       [!] --tunnel-dst addr[/mask]
950              Matches the destination end-point address of a tunnel  mode  SA.
951              Only valid with --mode tunnel.
952
953       --next Start  the next element in the policy specification. Can only be
954              used with --strict.
955
956   quota
957       Implements network quotas by decrementing  a  byte  counter  with  each
958       packet.
959
960       --quota bytes
961              The quota in bytes.
962
963   rateest
964       The  rate  estimator  can  match on estimated rates as collected by the
965       RATEEST target. It supports matching on absolute bps/pps  values,  com‐
966       paring  two  rate estimators and matching on the difference between two
967       rate estimators.
968
969       --rateest1 name
970              Name of the first rate estimator.
971
972       --rateest2 name
973              Name of the second rate estimator (if difference is to be calcu‐
974              lated).
975
976       --rateest-delta
977              Compare difference(s) to given rate(s)
978
979       --rateest1-bps value
980
981       --rateest2-bps value
982              Compare bytes per second.
983
984       --rateest1-pps value
985
986       --rateest2-pps value
987              Compare packets per second.
988
989       [!] --rateest-lt
990              Match if rate is less than given rate/estimator.
991
992       [!] --rateest-gt
993              Match if rate is greater than given rate/estimator.
994
995       [!] --rateest-eq
996              Match if rate is equal to given rate/estimator.
997
998       Example:  This  is  what can be used to route outgoing data connections
999       from an FTP server over two lines based on the available  bandwidth  at
1000       the time the data connection was started:
1001
1002       # Estimate outgoing rates
1003
1004       iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST \
1005           --rateest-name eth0 --rateest-interval 250ms --rateest-ewma 0.5s
1006
1007       iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST \
1008           --rateest-name ppp0 --rateest-interval 250ms --rateest-ewma 0.5s
1009
1010       # Mark based on available bandwidth
1011
1012       iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp \
1013           -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit \
1014           --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1
1015
1016       iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp \
1017           -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit \
1018           --rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2
1021
1022       iptables -t mangle -A balance -j CONNMARK --restore-mark
1023
1024   recent
1025       Allows  you to dynamically create a list of IP addresses and then match
1026       against that list in a few different ways.
1027
1028       For example, you can create a "badguy" list out of people attempting to
1029       connect  to  port 139 on your firewall and then DROP all future packets
1030       from them without considering them.
1031
1032       --set, --rcheck, --update and --remove are mutually exclusive.
1033
1034       --name name
1035              Specify the list to use for the commands. If no  name  is  given
1036              then DEFAULT will be used.
1037
1038       [!] --set
1039              This  will  add the source address of the packet to the list. If
1040              the source address is already in the list, this will update  the
1041              existing entry. This will always return success (or failure if !
1042              is passed in).
1043
1044       --rsource
1045              Match/save the source address of each packet in the recent  list
1046              table. This is the default.
1047
1048       --rdest
1049              Match/save  the destination address of each packet in the recent
1050              list table.
1051
1052       [!] --rcheck
1053              Check if the source address of the packet is  currently  in  the
1054              list.
1055
1056       [!] --update
1057              Like  --rcheck,  except it will update the "last seen" timestamp
1058              if it matches.
1059
1060       [!] --remove
1061              Check if the source address of the packet is  currently  in  the
1062              list  and  if  so that address will be removed from the list and
1063              the rule will return true. If the address is not found, false is
1064              returned.
1065
1066       --seconds seconds
1067              This  option must be used in conjunction with one of --rcheck or
1068              --update. When used, this will narrow the match to  only  happen
1069              when  the  address  is  in the list and was seen within the last
1070              given number of seconds.
1071
1072       --hitcount hits
1073              This option must be used in conjunction with one of --rcheck  or
1074              --update.  When  used, this will narrow the match to only happen
1075              when the address is in the list and packets  had  been  received
1076              greater  than  or  equal  to the given value. This option may be
1077              used along with --seconds  to  create  an  even  narrower  match
1078              requiring a certain number of hits within a specific time frame.
1079              The maximum value for the hitcount parameter  is  given  by  the
1080              "ip_pkt_list_tot"  parameter  of  the  xt_recent  kernel module.
1081              Exceeding this value on the command line will cause the rule  to
1082              be rejected.
1083
1084       --rttl This option may only be used in conjunction with one of --rcheck
1085              or --update. When used, this will narrow the match to only  hap‐
1086              pen  when  the address is in the list and the TTL of the current
1087              packet matches that of the packet which hit the --set rule. This
1088              may  be  useful  if  you  have problems with people faking their
1089              source address in order to DoS you via this module by  disallow‐
1090              ing others access to your site by sending bogus packets to you.
1091
1092       Examples:
1093
1094              iptables -A FORWARD -m recent --name badguy --rcheck \
1095                  --seconds 60 -j DROP
1096
1097              iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent \
1098                  --name badguy --set -j DROP
1099
1100       Steve's  ipt_recent  website  (http://snowman.net/projects/ipt_recent/)
1101       also has some examples of usage.
1102
1103       /proc/net/xt_recent/* are the current lists of addresses  and  informa‐
1104       tion about each entry of each list.
1105
1106       Each  file  in /proc/net/xt_recent/ can be read from to see the current
1107       list or written to using the following commands to modify the list:
1108
1109       echo +addr >/proc/net/xt_recent/DEFAULT
1110              to add addr to the DEFAULT list
1111
1112       echo -addr >/proc/net/xt_recent/DEFAULT
1113              to remove addr from the DEFAULT list
1114
1115       echo / >/proc/net/xt_recent/DEFAULT
1116              to flush the DEFAULT list (remove all entries).
1117
1118       The module itself accepts parameters, defaults shown:
1119
1120       ip_list_tot=100
1121              Number of addresses remembered per table.
1122
1123       ip_pkt_list_tot=20
1124              Number of packets per address remembered.
1125
1126       ip_list_hash_size=0
1127              Hash table size. 0 means to calculate it based  on  ip_list_tot,
1128              default: 512.
1129
1130       ip_list_perms=0644
1131              Permissions for /proc/net/xt_recent/* files.
1132
1133       ip_list_uid=0
1134              Numerical UID for ownership of /proc/net/xt_recent/* files.
1135
1136       ip_list_gid=0
1137              Numerical GID for ownership of /proc/net/xt_recent/* files.
1138
1139   rt
1140       Match on the IPv6 Routing header.
1141
1142       [!] --rt-type type
1143              Match the type (numeric).
1144
1145       [!] --rt-segsleft num[:num]
1146              Match the `segments left' field (range).
1147
1148       [!] --rt-len length
1149              Match the length of this header.
1150
1151       --rt-0-res
1152              Match the reserved field, too (type=0)
1153
1154       --rt-0-addrs addr[,addr...]
1155              Match type=0 addresses (list).
1156
1157       --rt-0-not-strict
1158              List of type=0 addresses is not a strict list.
1159
1160   sctp
1161       [!] --source-port,--sport port[:port]
1162
1163       [!] --destination-port,--dport port[:port]
1164
1165       [!] --chunk-types {all|any|only} chunktype[:flags] [...]
1166              The  flag  letter  in  upper  case indicates that the flag is to
1167              match if set, in the lower case indicates to match if unset.
1168
1169              Chunk types: DATA INIT  INIT_ACK  SACK  HEARTBEAT  HEARTBEAT_ACK
1170              ABORT   SHUTDOWN   SHUTDOWN_ACK   ERROR  COOKIE_ECHO  COOKIE_ACK
1171              ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
1172
1173              chunk type            available flags
1174              DATA                  U B E u b e
1175              ABORT                 T t
1176              SHUTDOWN_COMPLETE     T t
1177
1178              (lowercase means flag should be "off", uppercase means "on")
1179
1180       Examples:
1181
1182       iptables -A INPUT -p sctp --dport 80 -j DROP
1183
1184       iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
1185
1186       iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
1187
1188   set
1189       This module matches IP sets which can be defined by ipset(8).
1190
1191       [!] --match-set setname flag[,flag]...
1192              where flags are the comma separated list of src and/or dst spec‐
1193              ifications  and there can be no more than six of them. Hence the
1194              command
1195
1196               iptables -A FORWARD -m set --match-set test src,dst
1197
1198              will match packets, for which (if the set type is ipportmap) the
1199              source  address  and  destination  port pair can be found in the
1200              specified set. If the set type of the specified  set  is  single
1201              dimension (for example ipmap), then the command will match pack‐
1202              ets for which the source address can be found in  the  specified
1203              set.
1204
1205       The  option --match-set can be replaced by --set if that does not clash
1206       with an option of other extensions.
1207
1208       Use of -m set requires that ipset kernel support is provided. As  stan‐
1209       dard  kernels  do  not ship this currently, the ipset or Xtables-addons
1210       package needs to be installed.
1211
1212   socket
1213       This matches if an open socket can be found by doing a socket lookup on
1214       the packet.
1215
1216       --transparent
1217              Ignore non-transparent sockets.
1218
1219   state
1220       This  module,  when combined with connection tracking, allows access to
1221       the connection tracking state for this packet.
1222
1223       [!] --state state
1224              Where state is a comma separated list of the  connection  states
1225              to  match.   Possible states are INVALID meaning that the packet
1226              could not be identified for some reason which  includes  running
1227              out  of  memory  and  ICMP  errors which don't correspond to any
1228              known connection, ESTABLISHED meaning that the packet is associ‐
1229              ated  with  a  connection  which has seen packets in both direc‐
1230              tions, NEW meaning that the packet has started a new connection,
1231              or  otherwise  associated  with  a connection which has not seen
1232              packets in both directions, and RELATED meaning that the  packet
1233              is starting a new connection, but is associated with an existing
1234              connection, such as an FTP data transfer, or an ICMP error.
1235
1236   statistic
1237       This module matches packets based on some statistic condition.  It sup‐
1238       ports two distinct modes settable with the --mode option.
1239
1240       Supported options:
1241
1242       --mode mode
1243              Set  the matching mode of the matching rule, supported modes are
1244              random and nth.
1245
1246       --probability p
1247              Set the probability from 0 to 1 for  a  packet  to  be  randomly
1248              matched. It works only with the random mode.
1249
1250       --every n
1251              Match  one  packet  every nth packet. It works only with the nth
1252              mode (see also the --packet option).
1253
1254       --packet p
1255              Set the initial counter value (0 <= p <= n-1, default 0) for the
1256              nth mode.
1257
1258   string
1259       This module matches a given string using the selected pattern matching
1260       strategy. It requires a linux kernel >= 2.6.14.
1261
1262       --algo {bm|kmp}
1263              Select the pattern matching strategy. (bm = Boyer-Moore,  kmp  =
1264              Knuth-Morris-Pratt)
1265
1266       --from offset
1267              Set the offset from which it starts looking for any matching. If
1268              not passed, default is 0.
1269
1270       --to offset
1271              Set the offset up to which it looks for any matching. If not
1272              passed, default is the packet size.
1273
1274       [!] --string pattern
1275              Matches the given pattern.
1276
1277       [!] --hex-string pattern
1278              Matches the given pattern in hex notation.
1279
1280   tcp
1281       This extension can be used if `--protocol tcp' is specified. It
1282       provides the following options:
1283
1284       [!] --source-port,--sport port[:port]
1285              Source port or port range specification. This can  either  be  a
1286              service  name  or  a port number. An inclusive range can also be
1287              specified, using the format first:last.  If the  first  port  is
1288              omitted,  "0"  is  assumed;  if  the last is omitted, "65535" is
1289              assumed.  If the first port is greater than the second one  they
1290              will  be  swapped.   The  flag --sport is a convenient alias for
1291              this option.
1292
1293       [!] --destination-port,--dport port[:port]
1294              Destination port or port range specification.  The flag  --dport
1295              is a convenient alias for this option.
1296
1297       [!] --tcp-flags mask comp
1298              Match  when  the TCP flags are as specified.  The first argument
1299              mask is the flags which we should examine, written as  a  comma-
1300              separated  list,  and  the second argument comp is a comma-sepa‐
1301              rated list of flags which must be set.  Flags are: SYN  ACK  FIN
1302              RST URG PSH ALL NONE.  Hence the command
1303               iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
1304              will  only match packets with the SYN flag set, and the ACK, FIN
1305              and RST flags unset.
1306
1307       [!] --syn
1308              Only match TCP packets with the SYN bit set and the ACK,RST  and
1309              FIN  bits cleared.  Such packets are used to request TCP connec‐
1310              tion initiation; for example, blocking such packets coming in an
1311              interface  will  prevent  incoming TCP connections, but outgoing
1312              TCP  connections  will  be  unaffected.   It  is  equivalent  to
1313              --tcp-flags  SYN,RST,ACK,FIN  SYN.  If the "!" flag precedes the
1314              "--syn", the sense of the option is inverted.
1315
1316       [!] --tcp-option number
1317              Match if the given TCP option is set.
1318
1319   tcpmss
1320       This matches the TCP MSS  (maximum  segment  size)  field  of  the  TCP
1321       header.  You can only use this on TCP SYN or SYN/ACK packets, since the
1322       MSS is only negotiated during the TCP handshake at  connection  startup
1323       time.
1324
1325       [!] --mss value[:value]
1326              Match a given TCP MSS value or range.
1327
1328   time
1329       This  matches  if the packet arrival time/date is within a given range.
1330       All options are optional, but are ANDed when specified.
1331
1332       --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
1333
1334       --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
1335
1336              Only match during the given time, which must be in ISO 8601  "T"
1337              notation.   The  possible  time  range is 1970-01-01T00:00:00 to
1338              2038-01-19T04:17:07.
1339
1340              If --datestart or --datestop are not specified, it will  default
1341              to 1970-01-01 and 2038-01-19, respectively.
1342
1343       --timestart hh:mm[:ss]
1344
1345       --timestop hh:mm[:ss]
1346
1347              Only  match during the given daytime. The possible time range is
1348              00:00:00 to 23:59:59. Leading zeroes are allowed (e.g.  "06:03")
1349              and correctly interpreted as base-10.
1350
1351       [!] --monthdays day[,day...]
1352
1353              Only match on the given days of the month. Possible values are 1
1354              to 31. Note that specifying 31  will  of  course  not  match  on
1355              months  which  do  not have a 31st day; the same goes for 28- or
1356              29-day February.
1357
1358       [!] --weekdays day[,day...]
1359
1360              Only match on the given weekdays. Possible values are Mon,  Tue,
1361              Wed,  Thu,  Fri,  Sat, Sun, or values from 1 to 7, respectively.
1362              You may also use two-character variants (Mo, Tu, etc.).
1363
1364       --utc
1365
1366              Interpret the times given for --datestart, --datestop,  --times‐
1367              tart and --timestop to be UTC.
1368
1369       --localtz
1370
1371              Interpret  the times given for --datestart, --datestop, --times‐
1372              tart and --timestop to be local kernel time. (Default)
1373
1374       EXAMPLES. To match on weekends, use:
1375
1376              -m time --weekdays Sa,Su
1377
1378       Or, to match (once) on a national holiday block:
1379
1380              -m time --datestart 2007-12-24 --datestop 2007-12-27
1381
1382       Since the stop time is actually inclusive, you would need the following
1383       stop time to not match the first second of the new day:
1384
1385              -m time --datestart 2007-01-01T17:00 \
1386                  --datestop 2007-01-01T23:59:59
1387
1388       During lunch hour:
1389
1390              -m time --timestart 12:30 --timestop 13:30
1391
1392       The fourth Friday in the month:
1393
1394              -m time --weekdays Fr --monthdays 22,23,24,25,26,27,28
1395
1396       (Note that this exploits a certain mathematical  property.  It  is  not
1397       possible  to  say "fourth Thursday OR fourth Friday" in one rule. It is
1398       possible with multiple rules, though.)
1399
1400   tos
1401       This module matches the 8-bit Type of Service field in the IPv4  header
1402       (i.e.   including  the  "Precedence" bits) or the (also 8-bit) Priority
1403       field in the IPv6 header.
1404
1405       [!] --tos value[/mask]
1406              Matches packets with the given TOS mark  value.  If  a  mask  is
1407              specified,  it  is  logically ANDed with the TOS mark before the
1408              comparison.
1409
1410       [!] --tos symbol
1411              You can specify a symbolic name when using  the  tos  match  for
1412              IPv4.  The list of recognized TOS names can be obtained by call‐
1413              ing iptables with -m tos -h.  Note that this implies a  mask  of
1414              0x3F, i.e. all but the ECN bits.
1415
1416   u32
1417       U32  tests  whether quantities of up to 4 bytes extracted from a packet
1418       have specified values. The specification of what to extract is  general
1419       enough to find data at given offsets from tcp headers or payloads.
1420
1421       [!] --u32 tests
1422              The  argument amounts to a program in a small language described
1423              below.
1424
1425              tests := location "=" value | tests "&&" location "=" value
1426
1427              value := range | value "," range
1428
1429              range := number | number ":" number
1430
1431       a single number, n, is interpreted the same as n:n. n:m is  interpreted
1432       as the range of numbers >=n and <=m.
1433
1434           location := number | location operator number
1435
1436           operator := "&" | "<<" | ">>" | "@"
1437
1438       The  operators &, <<, >> and && mean the same as in C.  The = is really
1439       a set membership operator and the value syntax describes a set.  The  @
1440       operator is what allows moving to the next header and is described fur‐
1441       ther below.
1442
1443       There are currently some artificial implementation limits on  the  size
1444       of the tests:
1445
1446           *  no more than 10 of "=" (and 9 "&&"s) in the u32 argument
1447
1448           *  no more than 10 ranges (and 9 commas) per value
1449
1450           *  no more than 10 numbers (and 9 operators) per location
1451
1452       To describe the meaning of location, imagine the following machine that
1453       interprets it. There are three registers:
1454
1455              A is of type char *, initially the address of the IP header
1456
1457              B and C are unsigned 32 bit integers, initially zero
1458
1459       The instructions are:
1460
1461              number B = number;
1462
1463              C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
1464
1465              &number C = C & number
1466
1467              << number C = C << number
1468
1469              >> number C = C >> number
1470
1471              @number A = A + C; then do the instruction number
1472
1473       Any access of memory outside [skb->data,skb->end] causes the  match  to
1474       fail.  Otherwise the result of the computation is the final value of C.
1475
1476       Whitespace is allowed but not required in the tests. However, the char‐
1477       acters that do occur there are likely to require shell quoting,  so  it
1478       is a good idea to enclose the arguments in quotes.
1479
1480       Example:
1481
1482              match IP packets with total length >= 256
1483
1484              The IP header contains a total length field in bytes 2-3.
1485
1486              --u32 "0 & 0xFFFF = 0x100:0xFFFF"
1487
1488              read bytes 0-3
1489
1490              AND  that  with 0xFFFF (giving bytes 2-3), and test whether that
1491              is in the range [0x100:0xFFFF]
1492
1493       Example: (more realistic, hence more complicated)
1494
1495              match ICMP packets with icmp type 0
1496
1497              First test that it is an ICMP packet, true iff byte 9 (protocol)
1498              = 1
1499
1500              --u32 "6 & 0xFF = 1 && ...
1501
1502              read  bytes  6-9,  use & to throw away bytes 6-8 and compare the
1503              result to 1. Next test that it is not a  fragment.  (If  so,  it
1504              might be part of such a packet but we cannot always tell.) N.B.:
1505              This test is generally needed if  you  want  to  match  anything
1506              beyond  the IP header. The last 6 bits of byte 6 and all of byte
1507              7 are 0 iff this is a complete packet (not a fragment). Alterna‐
1508              tively, you can allow first fragments by only testing the last 5
1509              bits of byte 6.
1510
1511               ... 4 & 0x3FFF = 0 && ...
1512
1513              Last test: the first byte past the IP header (the  type)  is  0.
1514              This  is  where we have to use the @syntax. The length of the IP
1515              header (IHL) in 32 bit words is stored in the right half of byte
1516              0 of the IP header itself.
1517
1518               ... 0 >> 22 & 0x3C @ 0 >> 24 = 0"
1519
1520              The  first 0 means read bytes 0-3, >>22 means shift that 22 bits
1521              to the right. Shifting 24 bits would give  the  first  byte,  so
1522              only  22  bits is four times that plus a few more bits. &3C then
1523              eliminates the two extra bits on the right and  the  first  four
1524              bits  of  the  first  byte.  For instance, if IHL=5, then the IP
1525              header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
1526              binary)   xxxx0101   yyzzzzzz,  >>22  gives  the  10  bit  value
1527              xxxx0101yy and &3C gives 010100. @ means to use this number as a
1528              new  offset  into  the packet, and read four bytes starting from
1529              there. This is the first 4 bytes of the ICMP payload,  of  which
1530              byte 0 is the ICMP type. Therefore, we simply shift the value 24
1531              to the right to throw out all but the first byte and compare the
1532              result with 0.
1533
1534       Example:
1535
1536              TCP payload bytes 8-12 is any of 1, 2, 5 or 8
1537
1538              First we test that the packet is a tcp packet (similar to ICMP).
1539
1540              --u32 "6 & 0xFF = 6 && ...
1541
1542              Next, test that it is not a fragment (same as above).
1543
1544               ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"
1545
1546              0>>22&3C as above computes the number of bytes in the IP header.
1547              @ makes this the new offset into the packet, which is the  start
1548              of the TCP header. The length of the TCP header (again in 32 bit
1549              words) is the left half of  byte  12  of  the  TCP  header.  The
1550              12>>26&3C  computes  this  length  in  bytes  (similar to the IP
1551              header before). "@" makes this the  new  offset,  which  is  the
1552              start  of  the  TCP  payload. Finally, 8 reads bytes 8-12 of the
1553              payload and = checks whether the result is any of 1, 2, 5 or 8.
1554
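The grammar and register machine described above, as an added example that is not part of the man page or of the xt_u32 sources: a small Python emulator of the --u32 language that parses an expression, runs it over a packet with the out-of-bounds rule and the three size limits, and evaluates the three expressions worked through in the text. The IPv4, ICMP and TCP packet builders, addresses and ports are constructed sample data.

```python
import re
import struct

# Added example, not code from the man page or from xt_u32: a userspace emulator of the
# --u32 mini-language above, so a rule can be checked against constructed packets before it
# is loaded. The packets built below are constructed sample data (IPv4, as in the text).
_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|<<|>>|&&|[&@=:,]")
_OPS = {"&", "<<", ">>", "@"}

class _OutOfBounds(Exception):
    pass  # access outside [skb->data, skb->end]: the whole match fails

def tokenize(expr):
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):  # whitespace is allowed, nothing else
        raise ValueError("unexpected character in u32 expression")
    return tokens

def _split(tokens, sep):
    out = [[]]
    for tok in tokens:
        out.append([]) if tok == sep else out[-1].append(tok)
    return out

def _limit(items, n, what):  # the "artificial implementation limits" listed above
    if len(items) > n:
        raise ValueError(f"no more than {n} {what}")
    return items

def parse_location(tokens):
    """location := number | location operator number  ->  [n0, (op, n), ...]"""
    if len(tokens) % 2 == 0 or any(op not in _OPS for op in tokens[1::2]):
        raise ValueError("malformed location")
    steps = [int(tokens[0], 0)] + [(op, int(n, 0)) for op, n in zip(tokens[1::2], tokens[2::2])]
    return _limit(steps, 10, "numbers per location")

def parse_value(tokens):
    """value := range | value "," range;  range := number | number ":" number"""
    ranges = []
    for r in _split(tokens, ","):
        if len(r) not in (1, 3) or (len(r) == 3 and r[1] != ":"):
            raise ValueError("malformed range")
        ranges.append((int(r[0], 0), int(r[-1], 0)))  # n alone means n:n
    return _limit(ranges, 10, "ranges per value")

def parse(expr):
    """tests := location "=" value | tests "&&" location "=" value"""
    tests = []
    for group in _split(tokenize(expr), "&&"):
        if group.count("=") != 1:
            raise ValueError("each test needs exactly one '='")
        eq = group.index("=")
        tests.append((parse_location(group[:eq]), parse_value(group[eq + 1:])))
    return _limit(tests, 10, "'=' tests")

def _read32(pkt, off):
    """C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3), big-endian."""
    if off < 0 or off + 4 > len(pkt):
        raise _OutOfBounds
    return struct.unpack_from("!I", pkt, off)[0]

def eval_location(pkt, steps):
    a, c = 0, _read32(pkt, steps[0])  # A = IP header; "number": B = number, load C
    for op, n in steps[1:]:
        if op == "@":                 # A = A + C, then do the instruction "number"
            a, c = a + c, _read32(pkt, a + c + n)
        else:                         # &, <<, >> as in C, on an unsigned 32-bit C
            c = {"&": c & n, "<<": (c << n) & 0xFFFFFFFF, ">>": c >> n}[op]
    return c

def u32_match(pkt, expr):
    """True iff every test's final C lies in one of that test's ranges."""
    try:
        for steps, ranges in parse(expr):
            c = eval_location(pkt, steps)
            if not any(lo <= c <= hi for lo, hi in ranges):
                return False
        return True
    except _OutOfBounds:
        return False

# Constructed sample packets: checksums left 0, addresses and ports invented.
def ipv4(proto, payload, frag=0, options=b""):
    ihl = 5 + len(options) // 4       # IHL in 32-bit words, low nibble of byte 0
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      0x1234, frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload

def icmp(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

def tcp(payload, options=b"\x01" * 4):  # four NOP options: data offset 6 words = 24 bytes
    doff = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, 0x18, 0xFFFF, 0, 0) + options + payload

# The three --u32 expressions worked through in the text.
LEN_GE_256 = "0 & 0xFFFF = 0x100:0xFFFF"
ICMP_ECHO_REPLY = "6 & 0xFF = 1 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 0 >> 24 = 0"
TCP_PAYLOAD_8 = "6 & 0xFF = 6 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"
```

`u32_match(ipv4(1, icmp(0)), ICMP_ECHO_REPLY)` returns True, and an echo request (type 8), a fragment (`frag=0x2000`), an IP header with options (IHL 6) handled correctly via the `@` step, or a packet too short for the final read all behave as the text describes.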
1555   udp
1556       This extension can be used if `--protocol udp' is specified. It
1557       provides the following options:
1558
1559       [!] --source-port,--sport port[:port]
1560              Source port or port range specification.  See the description of
1561              the --source-port option of the TCP extension for details.
1562
1563       [!] --destination-port,--dport port[:port]
1564              Destination port or port range specification.  See the  descrip‐
1565              tion  of  the --destination-port option of the TCP extension for
1566              details.
1567

TARGET EXTENSIONS

1569       ip6tables can use extended target modules: the following  are  included
1570       in the standard distribution.
1571
1572   AUDIT
1573       This target creates audit records for packets hitting the target.  It
1574       can be used to record accepted, dropped, and rejected packets.
1575       See auditd(8) for additional details.
1576
1577       --type {accept|drop|reject}
1578              Set type of audit record.
1579
1580       Example:
1581
1582              iptables -N AUDIT_DROP
1583
1584              iptables -A AUDIT_DROP -j AUDIT --type drop
1585
1586              iptables -A AUDIT_DROP -j DROP
1587
1588   CHECKSUM
1589       This target allows you to selectively work around broken/old applica‐
1590       tions.  It can only be used in the mangle table.
1591
1592       --checksum-fill
1593              Compute and fill in the checksum in a packet that lacks a check‐
1594              sum.   This  is  particularly useful, if you need to work around
1595              old applications such as dhcp clients, that  do  not  work  well
1596              with  checksum offloads, but don't want to disable checksum off‐
1597              load in your device.
1598
1599   CLASSIFY
1600       This module allows you to set the skb->priority value (and  thus  clas‐
1601       sify the packet into a specific CBQ class).
1602
1603       --set-class major:minor
1604              Set  the  major  and  minor  class  value. The values are always
1605              interpreted as hexadecimal even if no 0x prefix is given.
1606
1607   CONNMARK
1608       This module sets the netfilter mark value associated with a connection.
1609       The mark is 32 bits wide.
1610
1611       --set-xmark value[/mask]
1612              Zero out the bits given by mask and XOR value into the ctmark.
1613
1614       --save-mark [--nfmask nfmask] [--ctmask ctmask]
1615              Copy  the  packet  mark (nfmark) to the connection mark (ctmark)
1616              using the given masks. The new ctmark  value  is  determined  as
1617              follows:
1618
1619              ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
1620
1621              i.e.  ctmask  defines what bits to clear and nfmask what bits of
1622              the nfmark to XOR into the ctmark. ctmask and nfmask default  to
1623              0xFFFFFFFF.
1624
1625       --restore-mark [--nfmask nfmask] [--ctmask ctmask]
1626              Copy  the  connection  mark (ctmark) to the packet mark (nfmark)
1627              using the given masks. The new nfmark  value  is  determined  as
1628              follows:
1629
1630              nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)
1631
1632              i.e.  nfmask  defines what bits to clear and ctmask what bits of
1633              the ctmark to XOR into the nfmark. ctmask and nfmask default  to
1634              0xFFFFFFFF.
1635
1636              --restore-mark is only valid in the mangle table.
1637
1638       The following mnemonics are available for --set-xmark:
1639
1640       --and-mark bits
1641              Binary  AND  the  ctmark  with  bits.  (Mnemonic for --set-xmark
1642              0/invbits, where invbits is the binary negation of bits.)
1643
1644       --or-mark bits
1645              Binary OR  the  ctmark  with  bits.  (Mnemonic  for  --set-xmark
1646              bits/bits.)
1647
1648       --xor-mark bits
1649              Binary  XOR  the  ctmark  with  bits.  (Mnemonic for --set-xmark
1650              bits/0.)
1651
1652       --set-mark value[/mask]
1653              Set the connection mark. If a mask is specified then only  those
1654              bits set in the mask are modified.
1655
1656       --save-mark [--mask mask]
1657              Copy  the  nfmark  to  the  ctmark. If a mask is specified, only
1658              those bits are copied.
1659
1660       --restore-mark [--mask mask]
1661              Copy the ctmark to the nfmark. If  a  mask  is  specified,  only
1662              those bits are copied. This is only valid in the mangle table.
1663
1664   CONNSECMARK
1665       This  module  copies  security markings from packets to connections (if
1666       unlabeled), and from connections back to packets (also  only  if  unla‐
1667       beled).   Typically  used in conjunction with SECMARK, it is only valid
1668       in the mangle table.
1669
1670       --save If the packet has a security marking, copy it to the  connection
1671              if the connection is not marked.
1672
1673       --restore
1674              If  the packet does not have a security marking, and the connec‐
1675              tion does, copy the security marking from the connection to  the
1676              packet.
1677
1678
1679   DSCP
1680       This  target  allows you to alter the value of the DSCP bits within the
1681       TOS header of the IPv4 packet.  As this manipulates a packet, it can only
1682       be used in the mangle table.
1683
1684       --set-dscp value
1685              Set the DSCP field to a numerical value (can be decimal or hex)
1686
1687       --set-dscp-class class
1688              Set the DSCP field to a DiffServ class.
1689
1690   HL
1691       This  is  used  to  modify  the Hop Limit field in the IPv6 header. The
1692       Hop Limit field is similar to what is known as the TTL value in IPv4.
1693       Setting or incrementing the Hop Limit field can potentially be very
1694       dangerous, so it should be avoided at any cost. This target is only valid
1695       in the mangle table.
1696
1697       Don't  ever set or increment the value on packets that leave your local
1698       network!
1699
1700       --hl-set value
1701              Set the Hop Limit to `value'.
1702
1703       --hl-dec value
1704              Decrement the Hop Limit `value' times.
1705
1706       --hl-inc value
1707              Increment the Hop Limit `value' times.
1708
1709   LOG
1710       Turn on kernel logging of matching packets.  When this  option  is  set
1711       for  a rule, the Linux kernel will print some information on all match‐
1712       ing packets (like most IPv6-header fields) via the kernel log (where
1713       it can be read with dmesg or syslogd(8)).  This is a "non-terminating
1714       target", i.e. rule traversal continues at the next rule.  So  if
1715       you want to LOG the packets you refuse, use two separate rules with the
1716       same matching criteria, first using target LOG then DROP (or REJECT).
1717
1718       --log-level level
1719              Level of logging (numeric or see syslog.conf(5)).
1720
1721       --log-prefix prefix
1722              Prefix log messages with the specified prefix; up to 29  letters
1723              long, and useful for distinguishing messages in the logs.
1724
1725       --log-tcp-sequence
1726              Log  TCP sequence numbers. This is a security risk if the log is
1727              readable by users.
1728
1729       --log-tcp-options
1730              Log options from the TCP packet header.
1731
1732       --log-ip-options
1733              Log options from the IPv6 packet header.
1734
1735       --log-uid
1736              Log the userid of the process which generated the packet.
1737
1738   MARK
1739       This target is used to set the Netfilter mark value associated with the
1740       packet.   The  target can only be used in the mangle table. It can, for
1741       example, be used in conjunction with routing  based  on  fwmark  (needs
1742       iproute2). The mark field is 32 bits wide.
1743
1744       --set-xmark value[/mask]
1745              Zeroes out the bits given by mask and XORs value into the packet
1746              mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.
1747
1748       --set-mark value[/mask]
1749              Zeroes out the bits given by mask and ORs value into the  packet
1750              mark. If mask is omitted, 0xFFFFFFFF is assumed.
1751
1752       The following mnemonics are available:
1753
1754       --and-mark bits
1755              Binary  AND  the  nfmark  with  bits.  (Mnemonic for --set-xmark
1756              0/invbits, where invbits is the binary negation of bits.)
1757
1758       --or-mark bits
1759              Binary OR  the  nfmark  with  bits.  (Mnemonic  for  --set-xmark
1760              bits/bits.)
1761
1762       --xor-mark bits
1763              Binary  XOR  the  nfmark  with  bits.  (Mnemonic for --set-xmark
1764              bits/0.)
1765
1766   NFLOG
1767       This target provides logging of matching packets. When this  target  is
1768       set  for  a  rule,  the Linux kernel will pass the packet to the loaded
1769       logging backend to log the packet. This is usually used in  combination
1770       with  nfnetlink_log as logging backend, which will multicast the packet
1771       through a netlink socket to the specified multicast group. One or  more
1772       userspace  processes may subscribe to the group to receive the packets.
1773       Like LOG, this is a non-terminating target, i.e. rule traversal contin‐
1774       ues at the next rule.
1775
1776       --nflog-group nlgroup
1777              The netlink group (1 - 2^32-1) to which packets are sent (only
1778              applicable for nfnetlink_log). The default value is 0.
1779
1780       --nflog-prefix prefix
1781              A prefix string to include in the log message, up to 64  charac‐
1782              ters long, useful for distinguishing messages in the logs.
1783
1784       --nflog-range size
1785              The  number  of bytes to be copied to userspace (only applicable
1786              for nfnetlink_log). nfnetlink_log instances  may  specify  their
1787              own range, this option overrides it.
1788
1789       --nflog-threshold size
1790              Number of packets to queue inside the kernel before sending them
1791              to userspace (only applicable for nfnetlink_log). Higher  values
1792              result in less overhead per packet, but increase delay until the
1793              packets reach userspace. The default value is 1.
1794
1795   NFQUEUE
1796       This target is an extension of the QUEUE target. As opposed  to  QUEUE,
1797       it  allows  you  to put a packet into any specific queue, identified by
1798       its 16-bit queue number.  It can only  be  used  with  Kernel  versions
1799       2.6.14  or later, since it requires the nfnetlink_queue kernel support.
1800       The queue-balance option was added in  Linux  2.6.31,  queue-bypass  in
1801       2.6.39.
1802
1803       --queue-num value
1804              This  specifies the QUEUE number to use. Valid queue numbers are
1805              0 to 65535. The default value is 0.
1806
1807       --queue-balance value:value
1808              This specifies a range of queues to use. Packets are  then  bal‐
1809              anced  across  the  given  queues.  This is useful for multicore
1810              systems: start multiple instances of the  userspace  program  on
1811              queues  x, x+1, .. x+n and use "--queue-balance x:x+n".  Packets
1812              belonging to the same connection are put into the same nfqueue.
1813
1814       --queue-bypass
1815              By default, if no userspace program is listening on an  NFQUEUE,
1816              then  all  packets that are to be queued are dropped.  When this
1817              option is used, the NFQUEUE rule is silently  bypassed  instead.
1818              The packet will move on to the next rule.
1819
1820   NOTRACK
1821       This  target disables connection tracking for all packets matching that
1822       rule.
1823
1824       It can only be used in the raw table.
1825
1826   RATEEST
1827       The RATEEST target collects statistics, performs rate estimation calcu‐
1828       lation  and  saves  the  results for later evaluation using the rateest
1829       match.
1830
1831       --rateest-name name
1832              Count matched packets into the pool referred to by  name,  which
1833              is freely choosable.
1834
1835       --rateest-interval amount{s|ms|us}
1836              Rate measurement interval, in seconds, milliseconds or microsec‐
1837              onds.
1838
1839       --rateest-ewmalog value
1840              Rate measurement averaging time constant.
1841
1842   REJECT
1843       This is used to send back an error packet in response  to  the  matched
1844       packet:  otherwise it is equivalent to DROP so it is a terminating TAR‐
1845       GET, ending rule traversal.  This target is only valid  in  the  INPUT,
1846       FORWARD  and  OUTPUT  chains,  and  user-defined  chains which are only
1847       called from those chains.  The following option controls the nature  of
1848       the error packet returned:
1849
1850       --reject-with type
1851              The  type  given can be icmp6-no-route, no-route, icmp6-adm-pro‐
1852              hibited, adm-prohibited,  icmp6-addr-unreachable,  addr-unreach,
1853              icmp6-port-unreachable  or  port-unreach which return the appro‐
1854              priate ICMPv6  error  message  (port-unreach  is  the  default).
1855              Finally,  the  option  tcp-reset can be used on rules which only
1856              match the TCP protocol: this causes a TCP RST packet to be  sent
1857              back.  This is mainly useful for blocking ident (113/tcp) probes
1858              which frequently occur when sending mail to  broken  mail  hosts
1859              (which won't accept your mail otherwise).  tcp-reset can only be
1860              used with kernel versions 2.6.14 or later.
1861
1862   SECMARK
1863       This is used to set the security mark value associated with the  packet
1864       for  use  by  security subsystems such as SELinux.  It is only valid in
1865       the mangle table. The mark is 32 bits wide.
1866
1867       --selctx security_context
1868
1869   SET
1870       This module adds and/or deletes entries from  IP  sets  which  can  be
1871       defined by ipset(8).
1872
1873       --add-set setname flag[,flag...]
1874              add the address(es)/port(s) of the packet to the sets
1875
1876       --del-set setname flag[,flag...]
1877              delete the address(es)/port(s) of the packet from the sets
1878
1879              where  flags  are src and/or dst specifications and there can be
1880              no more than six of them.
1881
1882       Use of -j SET requires that ipset kernel support is provided. As  stan‐
1883       dard  kernels  do  not ship this currently, the ipset or Xtables-addons
1884       package needs to be installed.
1885
1886   TCPMSS
1887       This target allows you to alter the MSS value of TCP SYN packets, to
1888       control the maximum size for that connection (usually limiting it to your
1889       outgoing interface's MTU minus 40 for IPv4  or  60  for  IPv6,  respec‐
1890       tively).   Of  course,  it can only be used in conjunction with -p tcp.
1891       It is only valid in the mangle table.
1892       This target is used to overcome criminally braindead  ISPs  or  servers
1893       which  block  "ICMP  Fragmentation  Needed"  or "ICMPv6 Packet Too Big"
1894       packets.  The symptoms of this problem are that everything  works  fine
1895       from  your  Linux  firewall/router,  but  machines  behind it can never
1896       exchange large packets:
1897        1) Web browsers connect, then hang with no data received.
1898        2) Small mail works fine, but large emails hang.
1899        3) ssh works fine, but scp hangs after initial handshaking.
1900       Workaround: activate this option and add a rule to your  firewall  con‐
1901       figuration like:
1902
1903               iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
1904                           -j TCPMSS --clamp-mss-to-pmtu
1905
1906       --set-mss value
1907              Explicitly sets MSS option to specified value. If the MSS of the
1908              packet is already lower than value, it  will  not  be  increased
1909              (from  Linux  2.6.25  onwards) to avoid more problems with hosts
1910              relying on a proper MSS.
1911
1912       --clamp-mss-to-pmtu
1913              Automatically clamp MSS value to (path_MTU - 40  for  IPv4;  -60
1914              for  IPv6).   This  may not function as desired where asymmetric
1915              routes with differing path MTU exist — the kernel uses the  path
1916              MTU which it would use to send packets from itself to the source
1917              and destination IP addresses. Prior to Linux  2.6.25,  only  the
1918              path  MTU  to  the destination IP address was considered by this
1919              option; subsequent kernels also consider the  path  MTU  to  the
1920              source IP address.
1921
1922       These options are mutually exclusive.
1923
1924   TCPOPTSTRIP
1925       This  target will strip TCP options off a TCP packet. (It will actually
1926       replace them by NO-OPs.) As such, you will  need  to  add  the  -p  tcp
1927       parameters.
1928
1929       --strip-options option[,option...]
1930              Strip  the  given option(s). The options may be specified by TCP
1931              option number or  by  symbolic  name.  The  list  of  recognized
1932              options  can be obtained by calling iptables with -j TCPOPTSTRIP
1933              -h.
1934
1935   TOS
1936       This module sets the Type of Service field in the IPv4 header  (includ‐
1937       ing  the  "precedence"  bits) or the Priority field in the IPv6 header.
1938       Note that TOS shares the same bits as DSCP and ECN. The TOS  target  is
1939       only valid in the mangle table.
1940
1941       --set-tos value[/mask]
1942              Zeroes  out  the  bits  given  by  mask  and XORs value into the
1943              TOS/Priority field. If mask is omitted, 0xFF is assumed.
1944
1945       --set-tos symbol
1946              You can specify a symbolic name when using the  TOS  target  for
1947              IPv4.  It  implies  a  mask  of 0xFF. The list of recognized TOS
1948              names can be obtained by calling iptables with -j TOS -h.
1949
1950       The following mnemonics are available:
1951
1952       --and-tos bits
1953              Binary AND the TOS value  with  bits.  (Mnemonic  for  --set-tos
1954              0/invbits, where invbits is the binary negation of bits.)
1955
1956       --or-tos bits
1957              Binary  OR  the  TOS  value  with  bits. (Mnemonic for --set-tos
1958              bits/bits.)
1959
1960       --xor-tos bits
1961              Binary XOR the TOS value  with  bits.  (Mnemonic  for  --set-tos
1962              bits/0.)
1963
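The --set-xmark arithmetic and the --and/--or/--xor mnemonics that the CONNMARK, MARK and TOS targets above share, together with the CONNMARK --save-mark and --restore-mark formulas, worked through as an added example (not code from the man page or from the netfilter sources). The `width` parameter is an assumption introduced so that the same helpers cover both the 32-bit marks and the 8-bit TOS/Priority field.

```python
# Added example, not code from the man page or from xt_MARK/xt_CONNMARK/xt_TOS: the mark
# arithmetic the targets above define, written out so each mnemonic can be checked against
# the --set-xmark form it stands for. `width` is an assumption (32 for marks, 8 for TOS).
MASK32 = 0xFFFFFFFF

def set_xmark(mark, value, mask=None, width=32):
    """--set-xmark value/mask: zero the bits given by mask, then XOR value in."""
    full = (1 << width) - 1
    mask = full if mask is None else mask        # omitted mask = all ones
    return ((mark & ~mask) ^ value) & full

def set_mark(mark, value, mask=None, width=32):
    """MARK --set-mark value/mask: zero the bits given by mask, then OR value in."""
    full = (1 << width) - 1
    mask = full if mask is None else mask
    return ((mark & ~mask) | value) & full

def and_mark(mark, bits, width=32):
    """--and-mark bits == --set-xmark 0/invbits, invbits = binary negation of bits."""
    invbits = ~bits & ((1 << width) - 1)
    return set_xmark(mark, 0, invbits, width)

def or_mark(mark, bits, width=32):
    """--or-mark bits == --set-xmark bits/bits."""
    return set_xmark(mark, bits, bits, width)

def xor_mark(mark, bits, width=32):
    """--xor-mark bits == --set-xmark bits/0."""
    return set_xmark(mark, bits, 0, width)

def save_mark(ctmark, nfmark, nfmask=MASK32, ctmask=MASK32):
    """CONNMARK --save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32

def restore_mark(nfmark, ctmark, nfmask=MASK32, ctmask=MASK32):
    """CONNMARK --restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32

def xmark_sets_exactly(value, mask):
    """True when --set-xmark value/mask yields value on the masked bits whatever the
    previous mark was. Bits of value outside mask are XORed into whatever is already
    there, so such a rule toggles instead of setting and is not idempotent."""
    return value & ~mask == 0

def mnemonics_agree(mark, bits, width=32):
    """Check the three mnemonics against plain C-style bit operations."""
    full = (1 << width) - 1
    return (and_mark(mark, bits, width) == mark & bits
            and or_mark(mark, bits, width) == (mark | bits) & full
            and xor_mark(mark, bits, width) == (mark ^ bits) & full)
```

With the masks, `save_mark(0xDEAD0000, 0x0000BEEF, nfmask=0xFFFF, ctmask=0xFFFF)` copies only the low 16 bits of the packet mark into the connection mark and leaves the upper half untouched, which is how one field of a partitioned mark is carried across a connection without clobbering the rest.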
1964   TPROXY
1965       This  target is only valid in the mangle table, in the PREROUTING chain
1966       and user-defined chains which are only called from this chain. It redi‐
1967       rects  the  packet to a local socket without changing the packet header
1968       in any way. It can also change the mark value which can then be used in
1969       advanced routing rules.  It takes three options:
1970
1971       --on-port port
1972              This  specifies  a  destination  port  to  use. It is a required
1973              option, 0 means the new destination port  is  the  same  as  the
1974              original.  This  is only valid if the rule also specifies -p tcp
1975              or -p udp.
1976
1977       --on-ip address
1978              This specifies a destination address  to  use.  By  default  the
1979              address  is  the  IP  address of the incoming interface. This is
1980              only valid if the rule also specifies -p tcp or -p udp.
1981
1982       --tproxy-mark value[/mask]
1983              Marks packets with the given value/mask. The  fwmark  value  set
1984              here  can be used by advanced routing. (Required for transparent
1985              proxying to work: otherwise these packets  will  get  forwarded,
1986              which is probably not what you want.)
1987
1988   TRACE
1989       This  target  marks packets so that the kernel will log every rule that
1990       matches them as they traverse the tables, chains and rules. (The ipt_LOG
1991       or ip6t_LOG module is required for the logging.) The packets are logged
1992       with the string prefix "TRACE: tablename:chainname:type:rulenum " where
1993       type can be "rule" for a plain rule, "return" for the implicit rule at
1994       the end of a user-defined chain and "policy" for the policy of the
1995       built-in chains.
1996       It can only be used in the raw table.
1997

DIAGNOSTICS

1999       Various error messages are printed to standard error.  The exit code is
2000       0 for correct functioning.  Errors which appear to be caused by invalid
2001       or  abused  command  line parameters cause an exit code of 2, and other
2002       errors cause an exit code of 1.
2003

BUGS

2005       Bugs?  What's this? ;-)  Well...  the  counters  are  not  reliable  on
2006       sparc64.
2007

COMPATIBILITY WITH IPCHAINS

2009       This  ip6tables is very similar to ipchains by Rusty Russell.  The main
2010       difference is that the chains INPUT and OUTPUT are only  traversed  for
2011       packets  coming into the local host and originating from the local host
2012       respectively.  Hence every packet only passes through one of the  three
2013       chains  (except  loopback traffic, which involves both INPUT and OUTPUT
2014       chains); previously a forwarded packet would pass through all three.
2015
2016       The other main difference is that -i refers to the input interface;  -o
2017       refers  to  the  output  interface,  and both are available for packets
2018       entering the  FORWARD  chain.   There  are  several  other  changes  in
2019       ip6tables.
2020

SEE ALSO

2022       ip6tables-save(8), ip6tables-restore(8), iptables(8), iptables-save(8),
2023       iptables-restore(8), libipq(3).
2024
2025       The packet-filtering-HOWTO details iptables usage for packet filtering,
2026       the  netfilter-extensions-HOWTO  details the extensions that are not in
2027       the standard distribution, and the netfilter-hacking-HOWTO details  the
2028       netfilter internals.
2029       See http://www.netfilter.org/.
2030

AUTHORS

2032       Rusty  Russell wrote iptables, in early consultation with Michael Neul‐
2033       ing.
2034
2035       Marc Boucher made Rusty abandon ipnatctl  by  lobbying  for  a  generic
2036       packet  selection  framework  in iptables, then wrote the mangle table,
2037       the owner match, the mark stuff, and ran around doing cool stuff every‐
2038       where.
2039
2040       James Morris wrote the TOS target, and tos match.
2041
2042       Jozsef Kadlecsik wrote the REJECT target.
2043
2044       Harald  Welte  wrote  the  ULOG and NFQUEUE target, the new libiptc, as
2045       well as TTL match+target and libipulog.
2046
2047       The Netfilter Core Team is: Marc Boucher,  Martin  Josefsson,  Yasuyuki
2048       Kozakai,  Jozsef  Kadlecsik, Patrick McHardy, James Morris, Pablo Neira
2049       Ayuso, Harald Welte and Rusty Russell.
2050
2051       ip6tables man page created by Andras Kis-Szabo, based on  iptables  man
2052       page written by Herve Eychenne <rv@wallfire.org>.
2053
2054
2055