IP6TABLES(8)                     iptables 1.4.4                     IP6TABLES(8)

NAME
       ip6tables — IPv6 packet filter administration

SYNOPSIS
       ip6tables [-t table] {-A|-D} chain rule-specification [options...]

       ip6tables [-t table] -I chain [rulenum] rule-specification [options...]

       ip6tables [-t table] -R chain rulenum rule-specification [options...]

       ip6tables [-t table] -D chain rulenum [options...]

       ip6tables [-t table] -S [chain [rulenum]]

       ip6tables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

       ip6tables [-t table] -N chain

       ip6tables [-t table] -X [chain]

       ip6tables [-t table] -P chain target [options...]

       ip6tables [-t table] -E old-chain-name new-chain-name

DESCRIPTION
       Ip6tables is used to set up, maintain, and inspect the tables of IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

TARGETS
       A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

       ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES
       There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

       -t, --table table
              This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

              mangle:
                  This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

              raw:
                  This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).

OPTIONS
       The options that are recognized by ip6tables can be divided into several different groups.

   COMMANDS
       These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that ip6tables can differentiate it from all other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other ip6tables command, it applies to the specified table (filter is the default).

              Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use
                  ip6tables -L -v

       -S, --list-rules [chain]
              Print all rules in the selected chain. If no chain is selected, all chains are printed like ip6tables-save. Like every other ip6tables command, it applies to the specified table (filter is the default).

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

       -Z, --zero [chain [rulenum]]
              Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)

       -N, --new-chain chain
              Create a new user-defined chain by the given name. There must be no target of that name already.

       -X, --delete-chain [chain]
              Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

       -P, --policy chain target
              Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.

       -h     Help. Give a (currently very brief) description of the command syntax.

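The command constraints above (-X refuses a chain that is referenced or non-empty, -R swaps exactly one rule, -E is cosmetic) combine into a useful maintenance pattern: replace the contents of a user-defined chain without ever exposing traffic to a half-built or empty chain. The script below is an added example, not part of the ip6tables man page; the chain name ssh-in, its rule position in INPUT and the replacement rules are illustrative assumptions. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example (not from the ip6tables man page): swap the rules of a
# user-defined chain with no window in which the chain is empty.
# DRY_RUN=1 (default) prints the ip6tables commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

ip6t() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ip6tables %s\n' "$*"
    else
        ip6tables "$@"
    fi
}

# swap_chain CHAIN RULENUM JUMP_MATCH  < rule-specifications, one per line
#   CHAIN      user-defined chain whose rules are being replaced
#   RULENUM    position of the "JUMP_MATCH -j CHAIN" rule in INPUT
#              (look it up with: ip6tables -L INPUT -n --line-numbers)
#   JUMP_MATCH match part of that jump rule, e.g. "-p tcp --dport 22"
swap_chain() {
    chain=$1; rulenum=$2; jump_match=$3
    tmp="${chain}-new"

    ip6t -N "$tmp"                              # 1. scratch chain (must not exist yet)
    while read -r spec; do
        [ -n "$spec" ] || continue
        # word-splitting $spec into separate arguments is intended here
        ip6t -A "$tmp" $spec                    # 2. fill it while traffic still uses $chain
    done
    ip6t -R INPUT "$rulenum" $jump_match -j "$tmp"   # 3. single -R: jump now points at $tmp
    ip6t -F "$chain"                            # 4. old chain is unreferenced; empty it ...
    ip6t -X "$chain"                            #    ... so -X is permitted
    ip6t -E "$tmp" "$chain"                     # 5. cosmetic rename; the jump keeps working
}

# Constructed replacement rules for the example: accept replies, new SSH
# sessions only from an assumed management prefix, drop everything else.
new_ssh_rules() {
    cat <<'EOF'
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-s 2001:db8:10::/48 -m conntrack --ctstate NEW -j ACCEPT
-j DROP
EOF
}

new_ssh_rules | swap_chain ssh-in 4 "-p tcp --dport 22"
```

Every ip6tables invocation replaces the whole table atomically, but a sequence of them is not atomic; what the ordering above guarantees is that packets arriving at INPUT rule 4 are always evaluated against a complete chain. For replacing an entire table in one step, ip6tables-restore (the counterpart of the ip6tables-save output produced by -S) is the better tool; the sequence here is what the single-command interface on this page allows.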
   PARAMETERS
       The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

       [!] -p, --protocol protocol
              The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmpv6, esp, mh or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. But IPv6 extension headers except esp are not allowed. esp and ipv6-nonext can be used with Kernel version 2.6.11 or later. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

       [!] -s, --source address[/mask]
              Source specification. Address can be either a hostname, a network IP address (with /mask), or a plain IP address. Names will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. (Resolving network names is not supported at this time.) The mask is a plain number, specifying the number of 1's at the left side of the network mask. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option. Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).

       [!] -d, --destination address[/mask]
              Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

       -g, --goto chain
              This specifies that the processing should continue in a user specified chain. Unlike the --jump option, return will not continue processing in this chain but instead in the chain that called us via --jump.

       [!] -i, --in-interface name
              Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.

       [!] -o, --out-interface name
              Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.

       -c, --set-counters packets bytes
              This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).

       -x, --exact
              Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS
       ip6tables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

       The following are included in the base package, and most of these can be preceded by a "!" to invert the sense of the match.

   ah
       This module matches the parameters in Authentication header of IPsec packets.

       [!] --ahspi spi[:spi]
              Matches SPI.

       [!] --ahlen length
              Total length of this header in octets.

       --ahres
              Matches if the reserved field is filled with zero.

   cluster
       Allows you to deploy gateway and back-end load-sharing clusters without the need of load-balancers.

       This match requires that all the nodes see the same packets. Thus, the cluster match decides if this node has to handle a packet given the following options:

       --cluster-total-nodes num
              Set number of total nodes in cluster.

       [!] --cluster-local-node num
              Set the local node number ID.

       [!] --cluster-local-nodemask mask
              Set the local node number ID mask. You can use this option instead of --cluster-local-node.

       --cluster-hash-seed value
              Set seed value of the Jenkins hash.

       Example:

              iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

              iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

              iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP

              iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP

       And the following commands to make all nodes see the same packets:

              ip maddr add 01:00:5e:00:01:01 dev eth1

              ip maddr add 01:00:5e:00:01:02 dev eth2

              arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01

              arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

              arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:02

              arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

       In the case of TCP connections, pickup facility has to be disabled to avoid marking TCP ACK packets coming in the reply direction as valid.

              echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

   comment
       Allows you to add comments (up to 256 characters) to any rule.

       --comment comment

       Example:
              iptables -A INPUT -i eth1 -m comment --comment "my local LAN"

   connbytes
       Match by how many bytes or packets a connection (or one of the two flows constituting the connection) has transferred so far, or by average bytes per packet.

       The counters are 64-bit and are thus not expected to overflow ;)

       The primary use is to detect long-lived downloads and mark them to be scheduled using a lower priority band in traffic control.

       The transferred bytes per connection can also be viewed through `conntrack -L` and accessed via ctnetlink.

       NOTE that for connections which have no accounting information, the match will always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls whether new connections will be byte/packet counted. Existing connection flows will not be gaining/losing a/the accounting structure when the sysctl flag is flipped.

       [!] --connbytes from[:to]
              match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.

       --connbytes-dir {original|reply|both}
              which packets to consider

       --connbytes-mode {packets|bytes|avgpkt}
              whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example HTTP), the average packet size will be about half of the actual data packets.

       Example:
              iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...

   connlimit
       Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

       [!] --connlimit-above n
              Match if the number of existing connections is (not) above n.

       --connlimit-mask prefix_length
              Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128.

       Examples:

              # allow 2 telnet connections per client host
              iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

              # you can also match the other way around:
              iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

              # limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
              iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

              # limit the number of parallel HTTP requests to 16 for the link local network
              (ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

   connmark
       This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below).

       [!] --mark value[/mask]
              Matches packets in connections with the given mark value (if a mask is specified, this is logically ANDed with the mark before the comparison).

   conntrack
       This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.

       [!] --ctstate statelist
              statelist is a comma separated list of the connection states to match. Possible states are listed below.

       [!] --ctproto l4proto
              Layer-4 protocol to match (by number or name)

       [!] --ctorigsrc address[/mask]

       [!] --ctorigdst address[/mask]

       [!] --ctreplsrc address[/mask]

       [!] --ctrepldst address[/mask]
              Match against original/reply source/destination address

       [!] --ctorigsrcport port

       [!] --ctorigdstport port

       [!] --ctreplsrcport port

       [!] --ctrepldstport port
              Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.

       [!] --ctstatus statuslist
              statuslist is a comma separated list of the connection statuses to match. Possible statuses are listed below.

       [!] --ctexpire time[:time]
              Match remaining lifetime in seconds against given value or range of values (inclusive)

       --ctdir {ORIGINAL|REPLY}
              Match packets that are flowing in the specified direction. If this flag is not specified at all, matches packets in both directions.

       States for --ctstate:

       INVALID
              meaning that the packet is associated with no known connection

       NEW    meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and

       ESTABLISHED
              meaning that the packet is associated with a connection which has seen packets in both directions,

       RELATED
              meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

       UNTRACKED
              meaning that the packet is not tracked at all, which happens if you use the NOTRACK target in raw table.

       SNAT   A virtual state, matching if the original source address differs from the reply destination.

       DNAT   A virtual state, matching if the original destination differs from the reply source.

       Statuses for --ctstatus:

       NONE   None of the below.

       EXPECTED
              This is an expected connection (i.e. a conntrack helper set it up)

       SEEN_REPLY
              Conntrack has seen packets in both directions.

       ASSURED
              Conntrack entry should never be early-expired.

       CONFIRMED
              Connection is confirmed: originating packet has left box.

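The conntrack states above, together with the chain policies and RETURN semantics described under TARGETS, are what a stateful host filter is built from. The script below is an added example, not part of the ip6tables man page: it installs DROP policies, accepts loopback and reply traffic by state, and handles ICMPv6 in its own chain so that unlisted types fall back to INPUT via RETURN and meet the policy. The management prefix 2001:db8:10::/48 and the set of ICMPv6 types are assumptions for illustration; DRY_RUN=1 (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the ip6tables man page): a minimal stateful IPv6
# host filter. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"

ip6t() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ip6tables %s\n' "$*"
    else
        ip6tables "$@"
    fi
}

host_filter() {
    # A policy is only consulted when a packet reaches the end of a built-in
    # chain (or a RETURN is hit there), so everything below is an exception list.
    ip6t -P INPUT DROP
    ip6t -P FORWARD DROP
    ip6t -P OUTPUT ACCEPT

    ip6t -A INPUT -i lo -j ACCEPT
    # INVALID: conntrack cannot associate the packet with any connection.
    ip6t -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Replies to connections this host opened, and related flows (ICMPv6 errors).
    ip6t -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # ICMPv6 carries neighbour discovery and path-MTU discovery; blanket
    # dropping it breaks IPv6. Allowed types live in a user-defined chain.
    # (Type names are those accepted by "ip6tables -p ipv6-icmp -h".)
    ip6t -N icmpv6-in
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request neighbour-solicitation \
             neighbour-advertisement router-advertisement; do
        ip6t -A icmpv6-in -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Explicit RETURN: same effect as falling off the end of the user chain;
    # processing resumes after the calling rule in INPUT and reaches the DROP policy.
    ip6t -A icmpv6-in -j RETURN
    ip6t -A INPUT -p icmpv6 -j icmpv6-in

    # New SSH sessions only from the assumed management prefix.
    ip6t -A INPUT -p tcp --dport 22 -s 2001:db8:10::/48 -m conntrack --ctstate NEW -j ACCEPT
}

host_filter
```

Because -A appends, the order in the function is the evaluation order: the loopback and ESTABLISHED,RELATED rules come first so that the bulk of traffic is decided by one conntrack lookup, and the policy remains the only thing that rejects, which keeps "what is dropped" equal to "what is not listed".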
   dccp
       [!] --source-port,--sport port[:port]

       [!] --destination-port,--dport port[:port]

       [!] --dccp-types mask
              Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated list of packet types. Packet types are: REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID.

       [!] --dccp-option number
              Match if DCCP option set.

   dscp
       This module matches the 6 bit DSCP field within the TOS field in the IP header. DSCP has superseded TOS within the IETF.

       [!] --dscp value
              Match against a numeric (decimal or hex) value [0-63].

       [!] --dscp-class class
              Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx classes. It will then be converted into its according numeric value.

   dst
       This module matches the parameters in Destination Options header

       [!] --dst-len length
              Total length of this header in octets.

       --dst-opts type[:length][,type[:length]...]
              numeric type of option and the length of the option data in octets.

   esp
       This module matches the SPIs in ESP header of IPsec packets.

       [!] --espspi spi[:spi]

   eui64
       This module matches the EUI-64 part of a stateless autoconfigured IPv6 address. It compares the EUI-64 derived from the source MAC address in Ethernet frame with the lower 64 bits of the IPv6 source address. But "Universal/Local" bit is not compared. This module doesn't match other link layer frame, and is only valid in the PREROUTING, INPUT and FORWARD chains.

   frag
       This module matches the parameters in Fragment header.

       [!] --fragid id[:id]
              Matches the given Identification or range of it.

       [!] --fraglen length
              This option cannot be used with kernel version 2.6.10 or later. The length of Fragment header is static and this option doesn't make sense.

       --fragres
              Matches if the reserved fields are filled with zero.

       --fragfirst
              Matches on the first fragment.

       --fragmore
              Matches if there are more fragments.

       --fraglast
              Matches if this is the last fragment.

   hashlimit
       hashlimit uses hash buckets to express a rate limiting match (like the limit match) for a group of connections using a single iptables rule. Grouping can be done per-hostgroup (source and/or destination address) and/or per-port. It gives you the ability to express "N packets per time quantum per group":

       matching on source host
              "1000 packets per second for every host in 192.168.0.0/16"

       matching on source port
              "100 packets per second for every service of 192.168.1.1"

       matching on subnet
              "10000 packets per minute for every /28 subnet in 10.0.0.0/8"

       A hash limit option (--hashlimit-upto, --hashlimit-above) and --hashlimit-name are required.

       --hashlimit-upto amount[/second|/minute|/hour|/day]
              Match if the rate is below or equal to amount/quantum. It is specified as a number, with an optional time quantum suffix; the default is 3/hour.

       --hashlimit-above amount[/second|/minute|/hour|/day]
              Match if the rate is above amount/quantum.

       --hashlimit-burst amount
              Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

       --hashlimit-mode {srcip|srcport|dstip|dstport},...
              A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expense of doing the hash housekeeping.

       --hashlimit-srcmask prefix
              When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.

       --hashlimit-dstmask prefix
              Like --hashlimit-srcmask, but for destination addresses.

       --hashlimit-name foo
              The name for the /proc/net/ipt_hashlimit/foo entry.

       --hashlimit-htable-size buckets
              The number of buckets of the hash table

       --hashlimit-htable-max entries
              Maximum entries in the hash.

       --hashlimit-htable-expire msec
              After how many milliseconds do hash entries expire.

       --hashlimit-htable-gcinterval msec
              How many milliseconds between garbage collection intervals.

   hbh
       This module matches the parameters in Hop-by-Hop Options header

       [!] --hbh-len length
              Total length of this header in octets.

       --hbh-opts type[:length][,type[:length]...]
              numeric type of option and the length of the option data in octets.

   helper
       This module matches packets related to a specific conntrack-helper.

       [!] --helper string
              Matches packets related to the specified conntrack-helper.

              string can be "ftp" for packets related to a ftp-session on default port. For other ports append -portnr to the value, ie. "ftp-2121".

              Same rules apply for other conntrack-helpers.

   hl
       This module matches the Hop Limit field in the IPv6 header.

       [!] --hl-eq value
              Matches if Hop Limit equals value.

       --hl-lt value
              Matches if Hop Limit is less than value.

       --hl-gt value
              Matches if Hop Limit is greater than value.

   icmp6
       This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' is specified. It provides the following option:

       [!] --icmpv6-type type[/code]|typename
              This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 type, type and code, or one of the ICMPv6 type names shown by the command
                  ip6tables -p ipv6-icmp -h

   iprange
       This matches on a given arbitrary range of IP addresses.

       [!] --src-range from[-to]
              Match source IP in the specified range.

       [!] --dst-range from[-to]
              Match destination IP in the specified range.

   ipv6header
       This module matches IPv6 extension headers and/or upper layer header.

       --soft Matches if the packet includes any of the headers specified with --header.

       [!] --header header[,header...]
              Matches the packet which EXACTLY includes all specified headers. The headers encapsulated with ESP header are out of scope. Possible header types can be:

              hop|hop-by-hop
                     Hop-by-Hop Options header

              dst    Destination Options header

              route  Routing header

              frag   Fragment header

              auth   Authentication header

              esp    Encapsulating Security Payload header

              none   No Next header which matches 59 in the 'Next Header field' of IPv6 header or any IPv6 extension headers

              proto  which matches any upper layer protocol header. A protocol name from /etc/protocols and numeric value also allowed. The number 255 is equivalent to proto.

   length
       This module matches the length of the layer-3 payload (e.g. layer-4 packet) of a packet against a specific value or range of values.

       [!] --length length[:length]

   limit
       This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the `!' flag is used). It can be used in combination with the LOG target to give limited logging, for example.

       --limit rate[/second|/minute|/hour|/day]
              Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

       --limit-burst number
              Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

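Both limit and the hashlimit match described earlier are token buckets: --limit-burst (or --hashlimit-burst) is the bucket size, and the rate is how fast tokens are refilled. The script below is an added example, not part of the ip6tables man page, showing the two typical defensive uses side by side: a logging chain that uses limit so that a flood cannot fill the log, and a hashlimit rule keyed on source address that diverts a source opening too many new SSH sessions into that chain. The chain and entry names, the rates, and the --log-prefix value of the LOG target (documented later in the full man page) are assumptions chosen for illustration; DRY_RUN=1 (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the ip6tables man page): rate-limited logging with
# "limit", and a per-source rate limit with "hashlimit".
DRY_RUN="${DRY_RUN:-1}"

ip6t() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ip6tables %s\n' "$*"
    else
        ip6tables "$@"
    fi
}

rate_limits() {
    # A reusable "log then drop" chain. The limit match lets at most 10 log
    # lines through at once (the burst) and then 5 per minute; packets beyond
    # that skip the LOG rule and are still dropped by the next rule.
    ip6t -N log-drop
    ip6t -A log-drop -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix ip6-drop:
    ip6t -A log-drop -j DROP

    # Per-source bucket for new SSH sessions: --hashlimit-mode srcip keeps one
    # bucket per source address under /proc/net/ipt_hashlimit/ssh-new;
    # --hashlimit-above matches only once a source exceeds 6 new sessions per
    # minute (after an initial burst of 6), so normal clients never match.
    # Place this before the rule that accepts new SSH sessions.
    ip6t -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
         -m hashlimit --hashlimit-name ssh-new --hashlimit-mode srcip \
         --hashlimit-above 6/minute --hashlimit-burst 6 -j log-drop

    # Whatever reaches the end of INPUT is logged (rate-limited) and dropped.
    ip6t -A INPUT -j log-drop
}

rate_limits
```

Note the direction of the two matches: limit matches while the bucket still has tokens (so the LOG rule fires for the first packets of a burst), whereas --hashlimit-above matches once the bucket for that source is empty (so the punitive rule fires only for the excess). Using --hashlimit-upto with -j ACCEPT instead would express the same policy from the other side.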
   mac
       [!] --mac-source address
              Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

   mark
       This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

       [!] --mark value[/mask]
              Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison).

   mh
       This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is specified. It provides the following option:

       [!] --mh-type type[:type]
              This allows specification of the Mobility Header (MH) type, which can be a numeric MH type, type or one of the MH type names shown by the command
                  ip6tables -p ipv6-mh -h

   multiport
       This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with -p tcp or -p udp.

       [!] --source-ports,--sports port[,port|,port:port]...
              Match if the source port is one of the given ports. The flag --sports is a convenient alias for this option. Multiple ports or port ranges are separated using a comma, and a port range is specified using a colon. 53,1024:65535 would therefore match ports 53 and all from 1024 through 65535.

       [!] --destination-ports,--dports port[,port|,port:port]...
              Match if the destination port is one of the given ports. The flag --dports is a convenient alias for this option.

       [!] --ports port[,port|,port:port]...
              Match if either the source or destination ports are equal to one of the given ports.

847 owner
848 This module attempts to match various characteristics of the packet
849 creator, for locally generated packets. This match is only valid in the
850 OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket
851 associated with them. Packets from kernel threads do have a socket, but
852 usually no owner.
853
854 [!] --uid-owner username
855
856 [!] --uid-owner userid[-userid]
857 Matches if the packet socket's file structure (if it has one) is
858 owned by the given user. You may also specify a numerical UID,
859 or an UID range.
860
861 [!] --gid-owner groupname
862
863 [!] --gid-owner groupid[-groupid]
864 Matches if the packet socket's file structure is owned by the
865 given group. You may also specify a numerical GID, or a GID
866 range.
867
868 [!] --socket-exists
869 Matches if the packet is associated with a socket.
870
871 physdev
872 This module matches on the bridge port input and output devices
873 enslaved to a bridge device. This module is a part of the infrastruc‐
874 ture that enables a transparent bridging IP firewall and is only useful
875 for kernel versions above version 2.5.44.
876
877 [!] --physdev-in name
878 Name of a bridge port via which a packet is received (only for
879 packets entering the INPUT, FORWARD and PREROUTING chains). If
880 the interface name ends in a "+", then any interface which
881 begins with this name will match. If the packet didn't arrive
882 through a bridge device, this packet won't match this option,
883 unless '!' is used.
884
885 [!] --physdev-out name
886 Name of a bridge port via which a packet is going to be sent
887 (for packets entering the FORWARD, OUTPUT and POSTROUTING
888 chains). If the interface name ends in a "+", then any inter‐
889 face which begins with this name will match. Note that in the
890 nat and mangle OUTPUT chains one cannot match on the bridge out‐
891 put port, however one can in the filter OUTPUT chain. If the
892 packet won't leave by a bridge device or if it is yet unknown
893 what the output device will be, then the packet won't match this
894 option, unless '!' is used.
895
896 [!] --physdev-is-in
897 Matches if the packet has entered through a bridge interface.
898
899 [!] --physdev-is-out
900 Matches if the packet will leave through a bridge interface.
901
902 [!] --physdev-is-bridged
903 Matches if the packet is being bridged and therefore is not
904 being routed. This is only useful in the FORWARD and POSTROUT‐
905 ING chains.
906
907 pkttype
908 This module matches the link-layer packet type.
909
910 [!] --pkt-type {unicast|broadcast|multicast}
911
912 policy
913 This module matches the policy used by IPsec for handling a packet.
914
915 --dir {in|out}
916 Used to select whether to match the policy used for decapsula‐
917 tion or the policy that will be used for encapsulation. in is
918 valid in the PREROUTING, INPUT and FORWARD chains, out is valid
919 in the POSTROUTING, OUTPUT and FORWARD chains.
920
921 --pol {none|ipsec}
922 Matches if the packet is subject to IPsec processing.
923
924 --strict
925 Selects whether to match the exact policy or match if any rule
926 of the policy matches the given policy.
927
928 [!] --reqid id
929 Matches the reqid of the policy rule. The reqid can be specified
930 with setkey(8) using unique:id as level.
931
932 [!] --spi spi
933 Matches the SPI of the SA.
934
935 [!] --proto {ah|esp|ipcomp}
936 Matches the encapsulation protocol.
937
938 [!] --mode {tunnel|transport}
939 Matches the encapsulation mode.
940
941 [!] --tunnel-src addr[/mask]
942 Matches the source end-point address of a tunnel mode SA. Only
943 valid with --mode tunnel.
944
945 [!] --tunnel-dst addr[/mask]
946 Matches the destination end-point address of a tunnel mode SA.
947 Only valid with --mode tunnel.
948
949 --next Start the next element in the policy specification. Can only be
950 used with --strict.
951
952 quota
953 Implements network quotas by decrementing a byte counter with each
954 packet.
955
956 [!] --quota bytes
957 The quota in bytes.
958
959 rateest
960 The rate estimator can match on estimated rates as collected by the
961 RATEEST target. It supports matching on absolute bps/pps values, com‐
962 paring two rate estimators and matching on the difference between two
963 rate estimators.
964
965 --rateest1 name
966 Name of the first rate estimator.
967
968 --rateest2 name
969 Name of the second rate estimator (if difference is to be calcu‐
970 lated).
971
972 --rateest-delta
973 Compare difference(s) to given rate(s)
974
975 --rateest-bps1 value
976
977 --rateest-bps2 value
978 Compare bytes per second.
979
980 --rateest-pps1 value
981
982 --rateest-pps2 value
983 Compare packets per second.
984
985 [!] --rateest-lt
986 Match if rate is less than given rate/estimator.
987
988 [!] --rateest-gt
989 Match if rate is greater than given rate/estimator.
990
991 [!] --rateest-eq
992 Match if rate is equal to given rate/estimator.
993
994 Example: This is what can be used to route outgoing data connections
995 from an FTP server over two lines based on the available bandwidth at
996 the time the data connection was started:
997
998 # Estimate outgoing rates
999
1000 iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name
1001 eth0 --rateest-interval 250ms --rateest-ewma 0.5s
1002
1003 iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name
1004 ppp0 --rateest-interval 250ms --rateest-ewma 0.5s
1005
1006 # Mark based on available bandwidth
1007
1008 iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper
1009 --helper ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1
1010 2.5mbit --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK
1011 --set-mark 1
1012
1013 iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper
1014 --helper ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1
1015 2mbit --rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK
1016 --set-mark 2
1017
1018 iptables -t mangle -A balance -j CONNMARK --restore-mark
1019
1020 recent
1021 Allows you to dynamically create a list of IP addresses and then match
1022 against that list in a few different ways.
1023
1024 For example, you can create a "badguy" list out of people attempting to
1025 connect to port 139 on your firewall and then DROP all future packets
1026 from them without considering them.
1027
1028 --set, --rcheck, --update and --remove are mutually exclusive.
1029
1030 --name name
1031 Specify the list to use for the commands. If no name is given
1032 then DEFAULT will be used.
1033
1034 [!] --set
1035 This will add the source address of the packet to the list. If
1036 the source address is already in the list, this will update the
1037 existing entry. This will always return success (or failure if !
1038 is passed in).
1039
1040 --rsource
1041 Match/save the source address of each packet in the recent list
1042 table. This is the default.
1043
1044 --rdest
1045 Match/save the destination address of each packet in the recent
1046 list table.
1047
1048 [!] --rcheck
1049 Check if the source address of the packet is currently in the
1050 list.
1051
1052 [!] --update
1053 Like --rcheck, except it will update the "last seen" timestamp
1054 if it matches.
1055
1056 [!] --remove
1057 Check if the source address of the packet is currently in the
1058 list and if so that address will be removed from the list and
1059 the rule will return true. If the address is not found, false is
1060 returned.
1061
1062 --seconds seconds
1063 This option must be used in conjunction with one of --rcheck or
1064 --update. When used, this will narrow the match to only happen
1065 when the address is in the list and was seen within the last
1066 given number of seconds.
1067
1068 --hitcount hits
1069 This option must be used in conjunction with one of --rcheck or
1070 --update. When used, this will narrow the match to only happen
1071 when the address is in the list and packets had been received
1072 greater than or equal to the given value. This option may be
1073 used along with --seconds to create an even narrower match
1074 requiring a certain number of hits within a specific time frame.
1075 The maximum value for the hitcount parameter is given by the
1076 "ip_pkt_list_tot" parameter of the xt_recent kernel module.
1077 Exceeding this value on the command line will cause the rule to
1078 be rejected.
1079
1080 --rttl This option may only be used in conjunction with one of --rcheck
1081 or --update. When used, this will narrow the match to only hap‐
1082 pen when the address is in the list and the TTL of the current
1083 packet matches that of the packet which hit the --set rule. This
1084 may be useful if you have problems with people faking their
1085 source address in order to DoS you via this module by disallow‐
1086 ing others access to your site by sending bogus packets to you.
1087
1088 Examples:
1089
1090 iptables -A FORWARD -m recent --name badguy --rcheck --seconds
1091 60 -j DROP
1092
1093 iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name
1094 badguy --set -j DROP
1095
1096 Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/)
1097 also has some examples of usage.
1098
1099 /proc/net/xt_recent/* are the current lists of addresses and informa‐
1100 tion about each entry of each list.
1101
1102 Each file in /proc/net/xt_recent/ can be read from to see the current
1103 list or written to using the following commands to modify the list:
1104
1105 echo +addr >/proc/net/xt_recent/DEFAULT
1106 to add addr to the DEFAULT list
1107
1108 echo -addr >/proc/net/xt_recent/DEFAULT
1109 to remove addr from the DEFAULT list
1110
1111 echo / >/proc/net/xt_recent/DEFAULT
1112 to flush the DEFAULT list (remove all entries).
1113
1114 The module itself accepts parameters, defaults shown:
1115
1116 ip_list_tot=100
1117 Number of addresses remembered per table.
1118
1119 ip_pkt_list_tot=20
1120 Number of packets per address remembered.
1121
1122 ip_list_hash_size=0
1123 Hash table size. 0 means to calculate it based on ip_list_tot,
1124 default: 512.
1125
1126 ip_list_perms=0644
1127 Permissions for /proc/net/xt_recent/* files.
1128
1129 ip_list_uid=0
1130 Numerical UID for ownership of /proc/net/xt_recent/* files.
1131
1132 ip_list_gid=0
1133 Numerical GID for ownership of /proc/net/xt_recent/* files.
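
As an added illustration (not from the manual page or the xt_recent module itself), a Python model of one recent list that follows the semantics documented above for --set, --rcheck, --update, --remove, --seconds, --hitcount and --rttl, honours the ip_list_tot and ip_pkt_list_tot module parameters, and replays the two "badguy" FORWARD rules over constructed traffic; the class, function names and addresses are mine.

```python
from dataclasses import dataclass, field


@dataclass
class _Entry:
    ttl: int                                    # TTL of the packet that hit --set (for --rttl)
    stamps: list = field(default_factory=list)  # arrival times of remembered packets, oldest first


class RecentList:
    """One xt_recent table (what /proc/net/xt_recent/<name> shows), with the
    module parameters from the manual page as constructor arguments."""

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20):
        self.ip_list_tot = ip_list_tot          # addresses remembered per table
        self.ip_pkt_list_tot = ip_pkt_list_tot  # packets remembered per address
        self.entries = {}

    def _stamp(self, entry, now):
        entry.stamps.append(now)
        del entry.stamps[:-self.ip_pkt_list_tot]   # keep only the newest ip_pkt_list_tot

    def set(self, addr, now, ttl=64):
        """--set: add addr (or refresh its entry); always matches."""
        entry = self.entries.get(addr)
        if entry is None:
            if len(self.entries) >= self.ip_list_tot:   # table full: evict least recently seen
                del self.entries[min(self.entries, key=lambda a: self.entries[a].stamps[-1])]
            entry = self.entries[addr] = _Entry(ttl=ttl)
        entry.ttl = ttl
        self._stamp(entry, now)
        return True

    def check(self, addr, now, seconds=None, hitcount=None, ttl=None, rttl=False, update=False):
        """--rcheck (update=False) or --update (update=True), narrowed by
        --seconds, --hitcount and --rttl as the manual page describes."""
        if hitcount is not None and hitcount > self.ip_pkt_list_tot:
            raise ValueError('--hitcount exceeds ip_pkt_list_tot; iptables would reject the rule')
        entry = self.entries.get(addr)
        if entry is None:
            return False
        if rttl and entry.ttl != ttl:          # current packet's TTL must equal the --set packet's
            return False
        hits = entry.stamps if seconds is None else [t for t in entry.stamps if now - t <= seconds]
        if not hits or (hitcount is not None and len(hits) < hitcount):
            return False
        if update:
            self._stamp(entry, now)             # --update refreshes "last seen" on a match
        return True

    def remove(self, addr):
        """--remove: matches only if addr was in the list, and drops it."""
        return self.entries.pop(addr, None) is not None


def badguy_scenario(packets):
    """Replay the manual page's two FORWARD rules, in rule order, over constructed
    (time, source address, TCP destination port) tuples; returns one verdict each."""
    badguy = RecentList()
    verdicts = []
    for now, src, dport in packets:
        # iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
        if badguy.check(src, now, seconds=60):
            verdicts.append('DROP')
        # iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
        elif dport == 139 and badguy.set(src, now):
            verdicts.append('DROP')
        else:
            verdicts.append('ACCEPT')           # chain policy, assumed ACCEPT here
    return verdicts


# Constructed traffic: one host probes port 139 and is then shut out for 60 seconds.
PACKETS = [(0, '192.0.2.7', 139), (3, '198.51.100.9', 80), (5, '192.0.2.7', 80),
           (70, '192.0.2.7', 80), (71, '192.0.2.7', 139), (72, '192.0.2.7', 80)]
```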
1134
1135 rt
1136 Match on IPv6 routing header
1137
1138 [!] --rt-type type
1139 Match the type (numeric).
1140
1141 [!] --rt-segsleft num[:num]
1142 Match the `segments left' field (range).
1143
1144 [!] --rt-len length
1145 Match the length of this header.
1146
1147 --rt-0-res
1148 Match the reserved field, too (type=0)
1149
1150 --rt-0-addrs addr[,addr...]
1151 Match type=0 addresses (list).
1152
1153 --rt-0-not-strict
1154 List of type=0 addresses is not a strict list.
1155
1156 sctp
1157 [!] --source-port,--sport port[:port]
1158
1159 [!] --destination-port,--dport port[:port]
1160
1161 [!] --chunk-types {all|any|only} chunktype[:flags] [...]
1162 An upper-case flag letter means the flag must be set for the
1163 chunk to match; a lower-case letter means it must be unset.
1164
1165 Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK
1166 ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK
1167 ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN
1168
1169 chunk type available flags
1170 DATA I U B E i u b e
1171 ABORT T t
1172 SHUTDOWN_COMPLETE T t
1173
1174 (lowercase means flag should be "off", uppercase means "on")
1175
1176 Examples:
1177
1178 iptables -A INPUT -p sctp --dport 80 -j DROP
1179
1180 iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
1181
1182 iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
1183
1184 set
1185 This module matches IP sets which can be defined by ipset(8).
1186
1187 [!] --match-set setname flag[,flag]...
1188 where flags are the comma separated list of src and/or dst spec‐
1189 ifications and there can be no more than six of them. Hence the
1190 command
1191
1192 iptables -A FORWARD -m set --match-set test src,dst
1193
1194 will match packets, for which (if the set type is ipportmap) the
1195 source address and destination port pair can be found in the
1196 specified set. If the set type of the specified set is single
1197 dimension (for example ipmap), then the command will match pack‐
1198 ets for which the source address can be found in the specified
1199 set.
1200
1201 The option --match-set can be replaced by --set if that does not clash
1202 with an option of other extensions.
1203
1204 Use of -m set requires that ipset kernel support is provided. As stan‐
1205 dard kernels do not ship this currently, the ipset or Xtables-addons
1206 package needs to be installed.
1207
1208 state
1209 This module, when combined with connection tracking, allows access to
1210 the connection tracking state for this packet.
1211
1212 [!] --state state
1213 Where state is a comma separated list of the connection states
1214 to match. Possible states are INVALID meaning that the packet
1215 could not be identified for some reason which includes running
1216 out of memory and ICMP errors which don't correspond to any
1217 known connection, ESTABLISHED meaning that the packet is associ‐
1218 ated with a connection which has seen packets in both direc‐
1219 tions, NEW meaning that the packet has started a new connection,
1220 or otherwise associated with a connection which has not seen
1221 packets in both directions, and RELATED meaning that the packet
1222 is starting a new connection, but is associated with an existing
1223 connection, such as an FTP data transfer, or an ICMP error.
1224 UNTRACKED meaning that the packet is not tracked at all, which
1225 happens if you use the NOTRACK target in raw table.
1226
1227 statistic
1228 This module matches packets based on some statistic condition. It sup‐
1229 ports two distinct modes settable with the --mode option.
1230
1231 Supported options:
1232
1233 --mode mode
1234 Set the matching mode of the matching rule, supported modes are
1235 random and nth.
1236
1237 --probability p
1238 Set the probability from 0 to 1 for a packet to be randomly
1239 matched. It works only with the random mode.
1240
1241 --every n
1242 Match one packet every nth packet. It works only with the nth
1243 mode (see also the --packet option).
1244
1245 --packet p
1246 Set the initial counter value (0 <= p <= n-1, default 0) for the
1247 nth mode.
1248
1249 string
1250 This module matches a given string by using some pattern matching
1251 strategy. It requires a linux kernel >= 2.6.14.
1252
1253 --algo {bm|kmp}
1254 Select the pattern matching strategy. (bm = Boyer-Moore, kmp =
1255 Knuth-Morris-Pratt)
1256
1257 --from offset
1258 Set the offset from which it starts looking for any matching. If
1259 not passed, default is 0.
1260
1261 --to offset
1262 Set the offset up to which should be scanned. That is, byte off‐
1263 set-1 (counting from 0) is the last one that is scanned. If not
1264 passed, default is the packet size.
1265
1266 [!] --string pattern
1267 Matches the given pattern.
1268
1269 [!] --hex-string pattern
1270 Matches the given pattern in hex notation.
1271
1272 tcp
1273 These extensions can be used if `--protocol tcp' is specified. It pro‐
1274 vides the following options:
1275
1276 [!] --source-port,--sport port[:port]
1277 Source port or port range specification. This can either be a
1278 service name or a port number. An inclusive range can also be
1279 specified, using the format first:last. If the first port is
1280 omitted, "0" is assumed; if the last is omitted, "65535" is
1281 assumed. If the first port is greater than the second one they
1282 will be swapped. The flag --sport is a convenient alias for
1283 this option.
1284
1285 [!] --destination-port,--dport port[:port]
1286 Destination port or port range specification. The flag --dport
1287 is a convenient alias for this option.
1288
1289 [!] --tcp-flags mask comp
1290 Match when the TCP flags are as specified. The first argument
1291 mask is the flags which we should examine, written as a comma-
1292 separated list, and the second argument comp is a comma-sepa‐
1293 rated list of flags which must be set. Flags are: SYN ACK FIN
1294 RST URG PSH ALL NONE. Hence the command
1295 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
1296 will only match packets with the SYN flag set, and the ACK, FIN
1297 and RST flags unset.
1298
1299 [!] --syn
1300 Only match TCP packets with the SYN bit set and the ACK,RST and
1301 FIN bits cleared. Such packets are used to request TCP connec‐
1302 tion initiation; for example, blocking such packets coming in an
1303 interface will prevent incoming TCP connections, but outgoing
1304 TCP connections will be unaffected. It is equivalent to
1305 --tcp-flags SYN,RST,ACK,FIN SYN. If the "!" flag precedes the
1306 "--syn", the sense of the option is inverted.
1307
1308 [!] --tcp-option number
1309 Match if TCP option set.
1310
1311 tcpmss
1312 This matches the TCP MSS (maximum segment size) field of the TCP
1313 header. You can only use this on TCP SYN or SYN/ACK packets, since the
1314 MSS is only negotiated during the TCP handshake at connection startup
1315 time.
1316
1317 [!] --mss value[:value]
1318 Match a given TCP MSS value or range.
1319
1320 time
1321 This matches if the packet arrival time/date is within a given range.
1322 All options are optional, but are ANDed when specified.
1323
1324 --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
1325
1326 --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
1327
1328 Only match during the given time, which must be in ISO 8601 "T"
1329 notation. The possible time range is 1970-01-01T00:00:00 to
1330 2038-01-19T04:17:07.
1331
1332 If --datestart or --datestop are not specified, it will default
1333 to 1970-01-01 and 2038-01-19, respectively.
1334
1335 --timestart hh:mm[:ss]
1336
1337 --timestop hh:mm[:ss]
1338
1339 Only match during the given daytime. The possible time range is
1340 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03")
1341 and correctly interpreted as base-10.
1342
1343 [!] --monthdays day[,day...]
1344
1345 Only match on the given days of the month. Possible values are 1
1346 to 31. Note that specifying 31 will of course not match on
1347 months which do not have a 31st day; the same goes for 28- or
1348 29-day February.
1349
1350 [!] --weekdays day[,day...]
1351
1352 Only match on the given weekdays. Possible values are Mon, Tue,
1353 Wed, Thu, Fri, Sat, Sun, or values from 1 to 7, respectively.
1354 You may also use two-character variants (Mo, Tu, etc.).
1355
1356 --utc
1357
1358 Interpret the times given for --datestart, --datestop, --times‐
1359 tart and --timestop to be UTC.
1360
1361 --localtz
1362
1363 Interpret the times given for --datestart, --datestop, --times‐
1364 tart and --timestop to be local kernel time. (Default)
1365
1366 EXAMPLES. To match on weekends, use:
1367
1368 -m time --weekdays Sa,Su
1369
1370 Or, to match (once) on a national holiday block:
1371
1372 -m time --datestart 2007-12-24 --datestop 2007-12-27
1373
1374 Since the stop time is actually inclusive, you would need the following
1375 stop time to not match the first second of the new day:
1376
1377 -m time --datestart 2007-01-01T17:00 --datestop
1378 2007-01-01T23:59:59
1379
1380 During lunch hour:
1381
1382 -m time --timestart 12:30 --timestop 13:30
1383
1384 The fourth Friday in the month:
1385
1386 -m time --weekdays Fr --monthdays 22,23,24,25,26,27,28
1387
1388 (Note that this exploits a certain mathematical property. It is not
1389 possible to say "fourth Thursday OR fourth Friday" in one rule. It is
1390 possible with multiple rules, though.)
1391
1392 tos
1393 This module matches the 8-bit Type of Service field in the IPv4 header
1394 (i.e. including the "Precedence" bits) or the (also 8-bit) Priority
1395 field in the IPv6 header.
1396
1397 [!] --tos value[/mask]
1398 Matches packets with the given TOS mark value. If a mask is
1399 specified, it is logically ANDed with the TOS mark before the
1400 comparison.
1401
1402 [!] --tos symbol
1403 You can specify a symbolic name when using the tos match for
1404 IPv4. The list of recognized TOS names can be obtained by call‐
1405 ing iptables with -m tos -h. Note that this implies a mask of
1406 0x3F, i.e. all but the ECN bits.
1407
1408 u32
1409 U32 tests whether quantities of up to 4 bytes extracted from a packet
1410 have specified values. The specification of what to extract is general
1411 enough to find data at given offsets from tcp headers or payloads.
1412
1413 [!] --u32 tests
1414 The argument amounts to a program in a small language described
1415 below.
1416
1417 tests := location "=" value | tests "&&" location "=" value
1418
1419 value := range | value "," range
1420
1421 range := number | number ":" number
1422
1423 a single number, n, is interpreted the same as n:n. n:m is interpreted
1424 as the range of numbers >=n and <=m.
1425
1426 location := number | location operator number
1427
1428 operator := "&" | "<<" | ">>" | "@"
1429
1430 The operators &, <<, >> and && mean the same as in C. The = is really
1431 a set membership operator and the value syntax describes a set. The @
1432 operator is what allows moving to the next header and is described fur‐
1433 ther below.
1434
1435 There are currently some artificial implementation limits on the size
1436 of the tests:
1437
1438 * no more than 10 of "=" (and 9 "&&"s) in the u32 argument
1439
1440 * no more than 10 ranges (and 9 commas) per value
1441
1442 * no more than 10 numbers (and 9 operators) per location
1443
1444 To describe the meaning of location, imagine the following machine that
1445 interprets it. There are three registers:
1446
1447 A is of type char *, initially the address of the IP header
1448
1449 B and C are unsigned 32 bit integers, initially zero
1450
1451 The instructions are:
1452
1453 number B = number;
1454
1455 C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
1456
1457 &number C = C & number
1458
1459 << number C = C << number
1460
1461 >> number C = C >> number
1462
1463 @number A = A + C; then do the instruction number
1464
1465 Any access of memory outside [skb->data,skb->end] causes the match to
1466 fail. Otherwise the result of the computation is the final value of C.
1467
1468 Whitespace is allowed but not required in the tests. However, the char‐
1469 acters that do occur there are likely to require shell quoting, so it
1470 is a good idea to enclose the arguments in quotes.
1471
1472 Example:
1473
1474 match IP packets with total length >= 256
1475
1476 The IP header contains a total length field in bytes 2-3.
1477
1478 --u32 "0 & 0xFFFF = 0x100:0xFFFF"
1479
1480 read bytes 0-3
1481
1482 AND that with 0xFFFF (giving bytes 2-3), and test whether that
1483 is in the range [0x100:0xFFFF]
1484
1485 Example: (more realistic, hence more complicated)
1486
1487 match ICMP packets with icmp type 0
1488
1489 First test that it is an ICMP packet, true iff byte 9 (protocol)
1490 = 1
1491
1492 --u32 "6 & 0xFF = 1 && ...
1493
1494 read bytes 6-9, use & to throw away bytes 6-8 and compare the
1495 result to 1. Next test that it is not a fragment. (If so, it
1496 might be part of such a packet but we cannot always tell.) N.B.:
1497 This test is generally needed if you want to match anything
1498 beyond the IP header. The last 6 bits of byte 6 and all of byte
1499 7 are 0 iff this is a complete packet (not a fragment). Alterna‐
1500 tively, you can allow first fragments by only testing the last 5
1501 bits of byte 6.
1502
1503 ... 4 & 0x3FFF = 0 && ...
1504
1505 Last test: the first byte past the IP header (the type) is 0.
1506 This is where we have to use the @syntax. The length of the IP
1507 header (IHL) in 32 bit words is stored in the right half of byte
1508 0 of the IP header itself.
1509
1510 ... 0 >> 22 & 0x3C @ 0 >> 24 = 0"
1511
1512 The first 0 means read bytes 0-3, >>22 means shift that 22 bits
1513 to the right. Shifting 24 bits would give the first byte, so
1514 only 22 bits is four times that plus a few more bits. &3C then
1515 eliminates the two extra bits on the right and the first four
1516 bits of the first byte. For instance, if IHL=5, then the IP
1517 header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
1518 binary) xxxx0101 yyzzzzzz, >>22 gives the 10 bit value
1519 xxxx0101yy and &3C gives 010100. @ means to use this number as a
1520 new offset into the packet, and read four bytes starting from
1521 there. This is the first 4 bytes of the ICMP payload, of which
1522 byte 0 is the ICMP type. Therefore, we simply shift the value 24
1523 to the right to throw out all but the first byte and compare the
1524 result with 0.
1525
1526 Example:
1527
1528 TCP payload bytes 8-12 is any of 1, 2, 5 or 8
1529
1530 First we test that the packet is a tcp packet (similar to ICMP).
1531
1532 --u32 "6 & 0xFF = 6 && ...
1533
1534 Next, test that it is not a fragment (same as above).
1535
1536 ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"
1537
1538 0>>22&3C as above computes the number of bytes in the IP header.
1539 @ makes this the new offset into the packet, which is the start
1540 of the TCP header. The length of the TCP header (again in 32 bit
1541 words) is the left half of byte 12 of the TCP header. The
1542 12>>26&3C computes this length in bytes (similar to the IP
1543 header before). "@" makes this the new offset, which is the
1544 start of the TCP payload. Finally, 8 reads bytes 8-12 of the
1545 payload and = checks whether the result is any of 1, 2, 5 or 8.
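
As an added example that is not part of the manual page, a Python interpreter for the u32 test language: it parses the grammar given above, runs the three-register machine (A, B, C) exactly as described, fails the match on any read outside the packet, and checks the page's three example tests against constructed IPv4 packets. The packet builders, sample packets and function names are mine.

```python
import re
import struct

# Lexer for the --u32 language: decimal or 0x-hex numbers plus the grammar's operators.
_TOKEN = re.compile(r'\s*(0[xX][0-9a-fA-F]+|\d+|<<|>>|&&|&|@|=|,|:)')
_OPERATORS = ('&', '<<', '>>', '@')


def _num(tok):
    return int(tok, 16) if tok[:2].lower() == '0x' else int(tok, 10)


def parse_u32(spec):
    """Parse a --u32 argument into [(location_ops, ranges), ...]."""
    toks = _TOKEN.findall(spec)
    if ''.join(toks) != ''.join(spec.split()):     # anything the lexer skipped is a syntax error
        raise ValueError('unrecognised characters in u32 test: %r' % spec)
    tests, i = [], 0
    while i < len(toks):
        ops = [('load', _num(toks[i]))]             # leading number: B = number; C = 4 bytes at A+B
        i += 1
        while i < len(toks) and toks[i] in _OPERATORS:
            ops.append((toks[i], _num(toks[i + 1])))
            i += 2
        if i >= len(toks) or toks[i] != '=':
            raise ValueError('expected "=" after location')
        i += 1
        ranges = []
        while True:                                 # value := range | value "," range
            if i >= len(toks):
                raise ValueError('missing value after "="')
            lo = hi = _num(toks[i])
            i += 1
            if i < len(toks) and toks[i] == ':':    # range := number ":" number
                hi = _num(toks[i + 1])
                i += 2
            ranges.append((lo, hi))
            if i < len(toks) and toks[i] == ',':
                i += 1
            else:
                break
        tests.append((ops, ranges))
        if i < len(toks):
            if toks[i] != '&&':
                raise ValueError('expected "&&" between tests')
            i += 1
    return tests


def _load(pkt, off):
    # Big-endian 32-bit read; a read outside the packet fails the whole match, as in the kernel.
    if off < 0 or off + 4 > len(pkt):
        raise IndexError(off)
    return struct.unpack_from('!I', pkt, off)[0]


def u32_match(spec, pkt):
    """Evaluate every "location = value" test; all must hold for the packet to match."""
    for ops, ranges in parse_u32(spec):
        a = 0                                       # A: offset of the IP header within pkt
        c = 0                                       # C: the 32-bit accumulator
        try:
            for op, n in ops:
                if op == 'load':
                    c = _load(pkt, a + n)
                elif op == '&':
                    c &= n
                elif op == '<<':
                    c = (c << n) & 0xFFFFFFFF
                elif op == '>>':
                    c >>= n
                else:                               # '@': A = A + C, then load at the new A + number
                    a += c
                    c = _load(pkt, a + n)
        except IndexError:
            return False
        if not any(lo <= c <= hi for lo, hi in ranges):   # "=" is set membership
            return False
    return True


def _ipv4(proto, payload, frag=0):
    # Constructed IPv4 header (IHL=5, checksum left at 0) in front of payload.
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0x1234, frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def _tcp(payload):
    # Constructed TCP header with data offset 5 (20 bytes), PSH/ACK set.
    return struct.pack('!HHIIBBHHH', 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload


# Constructed sample packets.
ICMP_ECHO_REPLY = _ipv4(1, struct.pack('!BBHHH', 0, 0, 0, 1, 1))
ICMP_ECHO_REQUEST = _ipv4(1, struct.pack('!BBHHH', 8, 0, 0, 1, 1))
ICMP_FRAGMENT = _ipv4(1, struct.pack('!BBHHH', 0, 0, 0, 1, 1), frag=0x2000)   # "more fragments" set
BIG_UDP = _ipv4(17, b'\0' * 300)                                              # total length 320
TCP_VALUE_5 = _ipv4(6, _tcp(b'\0' * 8 + struct.pack('!I', 5)))
TCP_TRUNCATED = _ipv4(6, _tcp(b'\0' * 8))                                     # payload ends before byte 8

# The manual page's three example tests, assembled in full.
LEN_GE_256 = '0 & 0xFFFF = 0x100:0xFFFF'
ICMP_TYPE0 = '6 & 0xFF = 1 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 0 >> 24 = 0'
TCP_PAYLOAD = '6 & 0xFF = 6 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8'
```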
1546
1547 udp
1548 These extensions can be used if `--protocol udp' is specified. It pro‐
1549 vides the following options:
1550
1551 [!] --source-port,--sport port[:port]
1552 Source port or port range specification. See the description of
1553 the --source-port option of the TCP extension for details.
1554
1555 [!] --destination-port,--dport port[:port]
1556 Destination port or port range specification. See the descrip‐
1557 tion of the --destination-port option of the TCP extension for
1558 details.
1559
1561 ip6tables can use extended target modules: the following are included
1562 in the standard distribution.
1563
1564 CLASSIFY
1565 This module allows you to set the skb->priority value (and thus clas‐
1566 sify the packet into a specific CBQ class).
1567
1568 --set-class major:minor
1569 Set the major and minor class value. The values are always
1570 interpreted as hexadecimal even if no 0x prefix is given.
1571
1572 CONNMARK
1573 This module sets the netfilter mark value associated with a connection.
1574 The mark is 32 bits wide.
1575
1576 --set-xmark value[/mask]
1577 Zero out the bits given by mask and XOR value into the ctmark.
1578
1579 --save-mark [--nfmask nfmask] [--ctmask ctmask]
1580 Copy the packet mark (nfmark) to the connection mark (ctmark)
1581 using the given masks. The new ctmark value is determined as
1582 follows:
1583
1584 ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
1585
1586 i.e. ctmask defines what bits to clear and nfmask what bits of
1587 the nfmark to XOR into the ctmark. ctmask and nfmask default to
1588 0xFFFFFFFF.
1589
1590 --restore-mark [--nfmask nfmask] [--ctmask ctmask]
1591 Copy the connection mark (ctmark) to the packet mark (nfmark)
1592 using the given masks. The new nfmark value is determined as
1593 follows:
1594
1595 nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask);
1596
1597 i.e. nfmask defines what bits to clear and ctmask what bits of
1598 the ctmark to XOR into the nfmark. ctmask and nfmask default to
1599 0xFFFFFFFF.
1600
1601 --restore-mark is only valid in the mangle table.
1602
1603 The following mnemonics are available for --set-xmark:
1604
1605 --and-mark bits
1606 Binary AND the ctmark with bits. (Mnemonic for --set-xmark
1607 0/invbits, where invbits is the binary negation of bits.)
1608
1609 --or-mark bits
1610 Binary OR the ctmark with bits. (Mnemonic for --set-xmark
1611 bits/bits.)
1612
1613 --xor-mark bits
1614 Binary XOR the ctmark with bits. (Mnemonic for --set-xmark
1615 bits/0.)
1616
1617 --set-mark value[/mask]
1618 Set the connection mark. If a mask is specified then only those
1619 bits set in the mask are modified.
1620
1621 --save-mark [--mask mask]
1622 Copy the nfmark to the ctmark. If a mask is specified, only
1623 those bits are copied.
1624
1625 --restore-mark [--mask mask]
1626 Copy the ctmark to the nfmark. If a mask is specified, only
1627 those bits are copied. This is only valid in the mangle table.
1628
1629 CONNSECMARK
1630 This module copies security markings from packets to connections (if
1631 unlabeled), and from connections back to packets (also only if unla‐
1632 beled). Typically used in conjunction with SECMARK, it is only valid
1633 in the mangle table.
1634
1635 --save If the packet has a security marking, copy it to the connection
1636 if the connection is not marked.
1637
1638 --restore
1639 If the packet does not have a security marking, and the connec‐
1640 tion does, copy the security marking from the connection to the
1641 packet.
1642
1643
1644 CT
1645 The CT target allows setting parameters for a packet or its associated
1646 connection. The target attaches a "template" connection tracking entry
1647 to the packet, which is then used by the conntrack core when initializ‐
1648 ing a new ct entry. This target is thus only valid in the "raw" table.
1649
1650 --notrack
1651 Disables connection tracking for this packet.
1652
1653 --helper name
1654 Use the helper identified by name for the connection. This is
1655 more flexible than loading the conntrack helper modules with
1656 preset ports.
1657
1658 --ctevents event[,...]
1659 Only generate the specified conntrack events for this connec‐
1660 tion. Possible event types are: new, related, destroy, reply,
1661 assured, protoinfo, helper, mark (this refers to the ctmark, not
1662 nfmark), natseqinfo, secmark (ctsecmark).
1663
1664 --expevents event[,...]
1665 Only generate the specified expectation events for this connec‐
1666 tion. Possible event types are: new.
1667
1668 --zone id
1669 Assign this packet to zone id and only have lookups done in that
1670 zone. By default, packets have zone 0.
1671
1672 DSCP
1673 This target allows altering the value of the DSCP bits within the TOS
1674 header of the IPv4 packet. As this manipulates a packet, it can only
1675 be used in the mangle table.
1676
1677 --set-dscp value
1678 Set the DSCP field to a numerical value (can be decimal or hex)
1679
1680 --set-dscp-class class
1681 Set the DSCP field to a DiffServ class.
1682
1683 HL
1684 This is used to modify the Hop Limit field in IPv6 header. The Hop
1685 Limit field is similar to what is known as TTL value in IPv4. Setting
1686 or incrementing the Hop Limit field can potentially be very dangerous,
1687 so it should be avoided at any cost. This target is only valid in man‐
1688 gle table.
1689
1690 Don't ever set or increment the value on packets that leave your local
1691 network!
1692
1693 --hl-set value
1694 Set the Hop Limit to `value'.
1695
1696 --hl-dec value
1697 Decrement the Hop Limit `value' times.
1698
1699 --hl-inc value
1700 Increment the Hop Limit `value' times.
1701
1702 LOG
1703 Turn on kernel logging of matching packets. When this option is set
1704 for a rule, the Linux kernel will print some information on all match‐
1705 ing packets (like most IPv6 header fields) via the kernel log
1706 (where it can be read with dmesg or syslogd(8)). This is a "non-termi‐
1707 nating target", i.e. rule traversal continues at the next rule. So if
1708 you want to LOG the packets you refuse, use two separate rules with the
1709 same matching criteria, first using target LOG then DROP (or REJECT).
1710
1711 --log-level level
1712 Level of logging (numeric or see syslog.conf(5)).
1713
1714 --log-prefix prefix
1715 Prefix log messages with the specified prefix; up to 29 letters
1716 long, and useful for distinguishing messages in the logs.
1717
1718 --log-tcp-sequence
1719 Log TCP sequence numbers. This is a security risk if the log is
1720 readable by users.
1721
1722 --log-tcp-options
1723 Log options from the TCP packet header.
1724
1725 --log-ip-options
1726 Log options from the IPv6 packet header.
1727
1728 --log-uid
1729 Log the userid of the process which generated the packet.
1730
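       The LOG-then-DROP pattern described above, as an added example
       that is not part of this manual or of the netfilter project: a
       user-defined chain that logs a rate-limited sample of what it
       refuses and then drops it.  The chain name LOGDROP, the interface
       eth0, the 5/min rate and the use of the limit match are
       assumptions of this example.  It is a dry run (printing the
       ip6tables commands it would execute) unless DRY_RUN=0 is set,
       which requires root and a working ip6tables.

```sh
#!/bin/sh
# Added example (not from the ip6tables manual): build a LOGDROP chain
# that logs a rate-limited sample of refused packets, then drops them.
# Dry run by default: set DRY_RUN=0 to execute (root and ip6tables needed).
DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS... : print the command in dry-run mode, otherwise execute it.
# Arguments must not contain whitespace; the dry-run printer does not quote.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# LOG accepts a prefix of at most 29 characters; ip6tables rejects longer
# ones when the rule is inserted, so refuse them before touching the firewall.
check_log_prefix() {
    [ "${#1}" -le 29 ]
}

# make_logdrop_chain NAME PREFIX : create chain NAME whose members are
# logged (rate-limited, assumed: -m limit is available) and then dropped.
make_logdrop_chain() {
    name="$1"; prefix="$2"
    check_log_prefix "$prefix" || {
        echo "log prefix longer than 29 characters: $prefix" >&2
        return 1
    }
    run ip6tables -N "$name"
    # LOG is non-terminating: this rule logs, then traversal continues.
    run ip6tables -A "$name" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level warning --log-prefix "$prefix"
    # The DROP immediately after LOG is what actually refuses the packet.
    run ip6tables -A "$name" -j DROP
}

# Usage: refuse (and log) telnet connection attempts arriving on eth0.
main() {
    make_logdrop_chain LOGDROP "ip6-telnet-drop:" &&
    run ip6tables -A INPUT -i eth0 -p tcp --dport 23 -j LOGDROP
}
main
```

       Without the trailing DROP the logged packets would simply
       continue to the next rule, so the two rules belong together in one
       chain that callers jump to.  The limit match keeps a flood of
       matching packets from filling the kernel log, which is itself a
       way for a remote sender to exhaust disk or drown other events.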
   MARK
       This target is used to set the Netfilter mark value associated
       with the packet.  It can, for example, be used in conjunction with
       routing based on fwmark (needs iproute2).  If you plan on doing
       so, note that the mark needs to be set in the PREROUTING chain of
       the mangle table to affect routing of incoming packets (locally
       generated packets are rerouted after the mangle OUTPUT chain
       instead).  The mark field is 32 bits wide.

       --set-xmark value[/mask]
              Zeroes out the bits given by mask and XORs value into the
              packet mark ("nfmark").  If mask is omitted, 0xFFFFFFFF is
              assumed.

       --set-mark value[/mask]
              Zeroes out the bits given by mask and ORs value into the
              packet mark.  If mask is omitted, 0xFFFFFFFF is assumed.

       The following mnemonics are available:

       --and-mark bits
              Binary AND the nfmark with bits.  (Mnemonic for --set-xmark
              0/invbits, where invbits is the binary negation of bits.)

       --or-mark bits
              Binary OR the nfmark with bits.  (Mnemonic for --set-xmark
              bits/bits.)

       --xor-mark bits
              Binary XOR the nfmark with bits.  (Mnemonic for --set-xmark
              bits/0.)

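       The --set-xmark arithmetic behind the mnemonics above, and the
       fwmark routing wiring mentioned at the start of this target, as
       an added example that is not part of this manual or of the
       netfilter project.  xmark_form turns --and-mark, --or-mark and
       --xor-mark into the value/mask pair --set-xmark takes, apply_xmark
       computes the resulting nfmark the way the description defines it
       (clear the mask bits, XOR in the value), and route_by_mark shows
       the PREROUTING rule paired with the ip(8) rule that consumes the
       mark.  The prefix 2001:db8:1::/64, routing table 100, the gateway
       2001:db8:ffff::1 and interface eth1 are assumptions.  Commands are
       printed rather than executed unless DRY_RUN=0 is set.

```sh
#!/bin/sh
# Added example (not from the ip6tables manual): MARK mnemonics expressed
# as --set-xmark value/mask, and a mark-based policy route.
# Dry run by default: set DRY_RUN=0 to execute (root, ip6tables, iproute2).
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# xmark_form OP BITS : print the VALUE/MASK pair --set-xmark would take:
#   and -> 0/invbits    or -> bits/bits    xor -> bits/0
xmark_form() {
    op="$1"; bits=$(( $2 & 0xFFFFFFFF ))
    case "$op" in
        and) printf '0x%x/0x%x\n' 0 $(( ~bits & 0xFFFFFFFF )) ;;
        or)  printf '0x%x/0x%x\n' "$bits" "$bits" ;;
        xor) printf '0x%x/0x%x\n' "$bits" 0 ;;
        *)   echo "unknown mark operation: $op" >&2; return 1 ;;
    esac
}

# apply_xmark OLD VALUE/MASK : the nfmark that results from --set-xmark,
# i.e. (old & ~mask) ^ value, kept to 32 bits.
apply_xmark() {
    old=$(( $1 ))
    value=$(( ${2%/*} )); mask=$(( ${2#*/} ))
    printf '0x%x\n' $(( ((old & ~mask) ^ value) & 0xFFFFFFFF ))
}

# route_by_mark : mark packets from an assumed prefix in mangle PREROUTING
# (before the routing decision) and send marked packets via table 100.
# Only the low byte of the mark is touched, leaving other users' bits alone.
route_by_mark() {
    run ip6tables -t mangle -A PREROUTING -s 2001:db8:1::/64 \
        -j MARK --set-xmark 0x1/0xff
    run ip -6 rule add fwmark 0x1/0xff table 100
    run ip -6 route add default via 2001:db8:ffff::1 dev eth1 table 100
}
route_by_mark
```

       Masking the mark (0x1/0xff rather than a bare 0x1) is what lets
       several subsystems share the 32-bit field: the ip rule also
       matches with the same mask, so bits above the low byte set by
       another rule neither break the route selection nor get clobbered.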
   NFLOG
       This target provides logging of matching packets.  When this
       target is set for a rule, the Linux kernel will pass the packet
       to the loaded logging backend to log the packet.  This is usually
       used in combination with nfnetlink_log as logging backend, which
       will multicast the packet through a netlink socket to the
       specified multicast group.  One or more userspace processes may
       subscribe to the group to receive the packets.  Like LOG, this is
       a non-terminating target, i.e. rule traversal continues at the
       next rule.

       --nflog-group nlgroup
              The netlink group (a 16-bit value, 0 to 65535) to which
              packets are sent (only applicable for nfnetlink_log).  The
              default value is 0.

       --nflog-prefix prefix
              A prefix string to include in the log message, up to 64
              characters long, useful for distinguishing messages in the
              logs.

       --nflog-range size
              The number of bytes to be copied to userspace (only
              applicable for nfnetlink_log).  nfnetlink_log instances
              may specify their own range; this option overrides it.

       --nflog-threshold size
              Number of packets to queue inside the kernel before sending
              them to userspace (only applicable for nfnetlink_log).
              Higher values result in less overhead per packet, but
              increase delay until the packets reach userspace.  The
              default value is 1.

   NFQUEUE
       This target is an extension of the QUEUE target.  As opposed to
       QUEUE, it allows you to put a packet into any specific queue,
       identified by its 16-bit queue number.  It can only be used with
       kernel versions 2.6.14 or later, since it requires the
       nfnetlink_queue kernel support.  The queue-balance option was
       added in Linux 2.6.31.  Packets queued to a number that no
       userspace process has bound are dropped, so the consumer must be
       running before the rule is added.

       --queue-num value
              This specifies the QUEUE number to use.  Valid queue
              numbers are 0 to 65535.  The default value is 0.

       --queue-balance value:value
              This specifies a range of queues to use.  Packets are then
              balanced across the given queues.  This is useful for
              multicore systems: start multiple instances of the
              userspace program on queues x, x+1, .. x+n and use
              "--queue-balance x:x+n".  Packets belonging to the same
              connection are put into the same nfqueue.

   NOTRACK
       This target disables connection tracking for all packets matching
       that rule.  Such packets never become NEW, ESTABLISHED or RELATED
       in the state or conntrack matches (they match the UNTRACKED
       state), so stateful rules later in the ruleset must account for
       them.

       It can only be used in the raw table.

   RATEEST
       The RATEEST target collects statistics, performs rate estimation
       calculation and saves the results for later evaluation using the
       rateest match.

       --rateest-name name
              Count matched packets into the pool referred to by name,
              which is freely choosable.

       --rateest-interval amount{s|ms|us}
              Rate measurement interval, in seconds, milliseconds or
              microseconds.

       --rateest-ewmalog value
              Rate measurement averaging time constant.

   REJECT
       This is used to send back an error packet in response to the
       matched packet: otherwise it is equivalent to DROP, so it is a
       terminating TARGET, ending rule traversal.  This target is only
       valid in the INPUT, FORWARD and OUTPUT chains, and user-defined
       chains which are only called from those chains.  The following
       option controls the nature of the error packet returned:

       --reject-with type
              The type given can be icmp6-no-route, no-route,
              icmp6-adm-prohibited, adm-prohibited,
              icmp6-addr-unreachable, addr-unreach,
              icmp6-port-unreachable or port-unreach, which return the
              appropriate ICMPv6 error message (port-unreach is the
              default).  Finally, the option tcp-reset can be used on
              rules which only match the TCP protocol: this causes a TCP
              RST packet to be sent back.  This is mainly useful for
              blocking ident (113/tcp) probes which frequently occur when
              sending mail to broken mail hosts (which won't accept your
              mail otherwise).  tcp-reset can only be used with kernel
              versions 2.6.14 or later.

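       The two constraints stated above (REJECT only in INPUT, FORWARD
       and OUTPUT; tcp-reset only on rules that match TCP) enforced in a
       small rule builder, as an added example that is not part of this
       manual or of the netfilter project.  The choice of
       icmp6-adm-prohibited for non-TCP traffic and the restriction to
       tcp and udp are this example's own policy, not something the
       manual prescribes.  Commands are printed rather than executed
       unless DRY_RUN=0 is set, which requires root and ip6tables.

```sh
#!/bin/sh
# Added example (not from the ip6tables manual): build REJECT rules while
# enforcing the chain and protocol constraints the REJECT target has.
# Dry run by default: set DRY_RUN=0 to execute (root and ip6tables needed).
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# reject_type PROTO : tcp-reset for TCP (a RST closes the peer's attempt
# cleanly), otherwise an administratively-prohibited ICMPv6 error, which
# says "filtered" instead of the default port-unreach's "no listener".
reject_type() {
    case "$1" in
        tcp) echo tcp-reset ;;
        *)   echo icmp6-adm-prohibited ;;
    esac
}

# reject_rule CHAIN PROTO DPORT : append the rule, or fail if CHAIN is not
# one where REJECT is valid.  Only built-in chains are checked here; a
# user-defined chain is valid only if all its callers are, which the
# administrator has to verify.  PROTO is limited to tcp/udp so --dport
# always applies.
reject_rule() {
    chain="$1"; proto="$2"; dport="$3"
    case "$chain" in
        INPUT|FORWARD|OUTPUT) ;;
        *) echo "REJECT is not valid in chain $chain" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol for --dport: $proto" >&2; return 1 ;;
    esac
    run ip6tables -A "$chain" -p "$proto" --dport "$dport" \
        -j REJECT --reject-with "$(reject_type "$proto")"
}

# Usage: answer ident probes with a RST, refuse SNMP with an ICMPv6 error.
reject_rule INPUT tcp 113
reject_rule INPUT udp 161
```

       A reject placed in PREROUTING would be refused by ip6tables
       itself, but catching it in the builder gives a clear message
       instead of a rule-load failure halfway through a ruleset.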
   SECMARK
       This is used to set the security mark value associated with the
       packet for use by security subsystems such as SELinux.  It is only
       valid in the mangle table.  The mark is 32 bits wide.

       --selctx security_context
              The SELinux security context to associate with the packet.

   SET
       This module adds and/or deletes entries from IP sets which can be
       defined by ipset(8).

       --add-set setname flag[,flag...]
              add the address(es)/port(s) of the packet to the set

       --del-set setname flag[,flag...]
              delete the address(es)/port(s) of the packet from the set

       where flags are src and/or dst specifications and there can be no
       more than six of them.

       Use of -j SET requires that ipset kernel support is provided.  As
       standard kernels do not ship this currently, the ipset or
       Xtables-addons package needs to be installed.

   TCPMSS
       This target alters the MSS value of TCP SYN packets, to control
       the maximum size for that connection (usually limiting it to your
       outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6,
       respectively).  Of course, it can only be used in conjunction with
       -p tcp.

       This target is used to overcome broken ISPs or servers which block
       "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" packets.
       The symptoms of this problem are that everything works fine from
       your Linux firewall/router, but machines behind it can never
       exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your firewall
       configuration like:

         ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
                   -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly sets MSS option to specified value.  If the MSS
              of the packet is already lower than value, it will not be
              increased (from Linux 2.6.25 onwards) to avoid more
              problems with hosts relying on a proper MSS.

       --clamp-mss-to-pmtu
              Automatically clamp MSS value to (path_MTU - 40 for IPv4;
              -60 for IPv6).  This may not function as desired where
              asymmetric routes with differing path MTU exist: the kernel
              uses the path MTU which it would use to send packets from
              itself to the source and destination IP addresses.  Prior
              to Linux 2.6.25, only the path MTU to the destination IP
              address was considered by this option; subsequent kernels
              also consider the path MTU to the source IP address.

       These options are mutually exclusive.

   TCPOPTSTRIP
       This target will strip TCP options off a TCP packet.  (It will
       actually replace them by NO-OPs.)  As such, you will need to add
       the -p tcp parameters.

       --strip-options option[,option...]
              Strip the given option(s).  The options may be specified
              by TCP option number or by symbolic name.  The list of
              recognized options can be obtained by calling ip6tables
              with -j TCPOPTSTRIP -h.

   TEE
       The TEE target will clone a packet and redirect this clone to
       another machine on the local network segment.  In other words,
       the nexthop must be the target, or you will have to configure the
       nexthop to forward it further if so desired.

       --gateway ipaddr
              Send the cloned packet to the host reachable at the given
              IP address.  Use of 0.0.0.0 (for IPv4 packets) or ::
              (IPv6) is invalid.

       To forward all incoming traffic on eth0 to a Network Layer logging
       box:

         -t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1

   TOS
       This module sets the Type of Service field in the IPv4 header
       (including the "precedence" bits) or the Priority field in the
       IPv6 header.  Note that TOS shares the same bits as DSCP and ECN.
       The TOS target is only valid in the mangle table.

       --set-tos value[/mask]
              Zeroes out the bits given by mask and XORs value into the
              TOS/Priority field.  If mask is omitted, 0xFF is assumed.

       --set-tos symbol
              You can specify a symbolic name when using the TOS target
              for IPv4.  It implies a mask of 0xFF.  The list of
              recognized TOS names can be obtained by calling iptables
              with -j TOS -h.

       The following mnemonics are available:

       --and-tos bits
              Binary AND the TOS value with bits.  (Mnemonic for
              --set-tos 0/invbits, where invbits is the binary negation
              of bits.)

       --or-tos bits
              Binary OR the TOS value with bits.  (Mnemonic for --set-tos
              bits/bits.)

       --xor-tos bits
              Binary XOR the TOS value with bits.  (Mnemonic for
              --set-tos bits/0.)

   TRACE
       This target marks packets so that the kernel will log every rule
       which matches them as they traverse the tables, chains and rules.
       (The ipt_LOG or ip6t_LOG module is required for the logging.)  The
       packets are logged with the string prefix: "TRACE:
       tablename:chainname:type:rulenum " where type can be "rule" for a
       plain rule, "return" for the implicit rule at the end of a
       user-defined chain and "policy" for the policy of the built-in
       chains.
       It can only be used in the raw table.

DIAGNOSTICS
       Various error messages are printed to standard error.  The exit
       code is 0 for correct functioning.  Errors which appear to be
       caused by invalid or abused command line parameters cause an exit
       code of 2, and other errors cause an exit code of 1.

BUGS
       Bugs?  What's this? ;-)  Well... the counters are not reliable on
       sparc64.

COMPATIBILITY WITH IPCHAINS
       This ip6tables is very similar to ipchains by Rusty Russell.  The
       main difference is that the chains INPUT and OUTPUT are only
       traversed for packets coming into the local host and originating
       from the local host respectively.  Hence every packet only passes
       through one of the three chains (except loopback traffic, which
       involves both INPUT and OUTPUT chains); previously a forwarded
       packet would pass through all three.

       The other main difference is that -i refers to the input
       interface; -o refers to the output interface, and both are
       available for packets entering the FORWARD chain.  There are
       several other changes in ip6tables.

SEE ALSO
       ip6tables-save(8), ip6tables-restore(8), iptables(8),
       iptables-save(8), iptables-restore(8), libipq(3).

       The packet-filtering-HOWTO details iptables usage for packet
       filtering, the netfilter-extensions-HOWTO details the extensions
       that are not in the standard distribution, and the
       netfilter-hacking-HOWTO details the netfilter internals.
       See http://www.netfilter.org/.

AUTHORS
       Rusty Russell wrote iptables, in early consultation with Michael
       Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic
       packet selection framework in iptables, then wrote the mangle
       table, the owner match, the mark stuff, and ran around doing cool
       stuff everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc,
       as well as TTL match+target and libipulog.

       The Netfilter Core Team is: Marc Boucher, Martin Josefsson,
       Yasuyuki Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris,
       Pablo Neira Ayuso, Harald Welte and Rusty Russell.

       ip6tables man page created by Andras Kis-Szabo, based on iptables
       man page written by Herve Eychenne <rv@wallfire.org>.



iptables 1.4.4                                              IP6TABLES(8)