IP6TABLES(8)                                                      IP6TABLES(8)


NAME

       ip6tables - IPv6 packet filter administration

SYNOPSIS

       ip6tables [-t table] -[AD] chain rule-specification [options]
       ip6tables [-t table] -I chain [rulenum] rule-specification [options]
       ip6tables [-t table] -R chain rulenum rule-specification [options]
       ip6tables [-t table] -D chain rulenum [options]
       ip6tables [-t table] -[LFZ] [chain] [options]
       ip6tables [-t table] -N chain
       ip6tables [-t table] -X [chain]
       ip6tables [-t table] -P chain target [options]
       ip6tables [-t table] -E old-chain-name new-chain-name

DESCRIPTION

       Ip6tables is used to set up, maintain, and inspect the tables of IPv6
       packet filter rules in the Linux kernel.  Several different tables may
       be defined.  Each table contains a number of built-in chains and may
       also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets.  Each
       rule specifies what to do with a packet that matches.  This is called a
       `target', which may be a jump to a user-defined chain in the same
       table.


TARGETS

       A firewall rule specifies criteria for a packet, and a target.  If the
       packet does not match, the next rule in the chain is examined; if it
       does match, then the next rule is specified by the value of the
       target, which can be the name of a user-defined chain or one of the
       special values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the packet
       on the floor.  QUEUE means to pass the packet to userspace.  (How the
       packet can be received by a userspace process differs by the particular
       queue handler.  2.4.x and 2.6.x kernels up to 2.6.13 include the
       ip_queue queue handler.  Kernels 2.6.14 and later additionally include
       the nfnetlink_queue queue handler.  Packets with a target of QUEUE will
       be sent to queue number '0' in this case.  Please also see the NFQUEUE
       target as described later in this man page.)  RETURN means stop
       traversing this chain and resume at the next rule in the previous
       (calling) chain; reaching the end of a user-defined chain without a
       match has the same effect.  If the end of a built-in chain is reached
       or a rule in a built-in chain with target RETURN is matched, the target
       specified by the chain policy determines the fate of the packet.


TABLES

       There are currently three independent tables (which tables are present
       at any time depends on the kernel configuration options and which
       modules are present); the nat table has not been implemented yet.

       -t, --table table
              This option specifies the packet matching table which the
              command should operate on.  If the kernel is configured with
              automatic module loading, an attempt will be made to load the
              appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed).  It
                  contains the built-in chains INPUT (for packets coming into
                  the box itself), FORWARD (for packets being routed through
                  the box), and OUTPUT (for locally-generated packets).

              mangle:
                  This table is used for specialized packet alteration.  Until
                  kernel 2.4.17 it had two built-in chains: PREROUTING (for
                  altering incoming packets before routing) and OUTPUT (for
                  altering locally-generated packets before routing).  Since
                  kernel 2.4.18, three other built-in chains are also
                  supported: INPUT (for packets coming into the box itself),
                  FORWARD (for altering packets being routed through the box),
                  and POSTROUTING (for altering packets as they are about to
                  go out).

              raw:
                  This table is used mainly for configuring exemptions from
                  connection tracking in combination with the NOTRACK target.
                  It registers at the netfilter hooks with higher priority and
                  is thus called before nf_conntrack, or any other IP6 tables.
                  It provides the following built-in chains: PREROUTING (for
                  packets arriving via any network interface) and OUTPUT (for
                  packets generated by local processes).


OPTIONS

       The options that are recognized by ip6tables can be divided into
       several different groups.

   COMMANDS
       These options specify the specific action to perform.  Only one of them
       can be specified on the command line unless otherwise specified below.
       For all the long versions of the command and option names, you need to
       use only enough letters to ensure that ip6tables can differentiate it
       from all other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.  When
              the source and/or destination names resolve to more than one
              address, a rule will be added for each possible address
              combination.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain.  There are two
              versions of this command: the rule can be specified as a number
              in the chain (starting at 1 for the first rule) or a rule to
              match.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain at the given rule
              number.  So, if the rule number is 1, the rule or rules are
              inserted at the head of the chain.  This is also the default if
              no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source and/or
              destination names resolve to multiple addresses, the command
              will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is selected,
              all chains are listed.  As every other ip6tables command, it
              applies to the specified table (filter is the default), so
              mangle rules get listed by
               ip6tables -t mangle -n -L
              Please note that it is often used with the -n option, in order
              to avoid long reverse DNS lookups.  It is legal to specify the
              -Z (zero) option as well, in which case the chain(s) will be
              atomically listed and zeroed.  The exact output is affected by
              the other arguments given.  The exact rules are suppressed until
              you use
               ip6tables -L -v

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none is
              given).  This is equivalent to deleting all the rules one by
              one.

       -Z, --zero [chain]
              Zero the packet and byte counters in all chains.  It is legal to
              specify the -L, --list (list) option as well, to see the
              counters immediately before they are cleared.  (See above.)

       -N, --new-chain chain
              Create a new user-defined chain by the given name.  There must
              be no target of that name already.

       -X, --delete-chain [chain]
              Delete the optional user-defined chain specified.  There must be
              no references to the chain.  If there are, you must delete or
              replace the referring rules before the chain can be deleted.  If
              no argument is given, it will attempt to delete every non-
              builtin chain in the table.

       -P, --policy chain target
              Set the policy for the chain to the given target.  See the
              section TARGETS for the legal targets.  Only built-in (non-user-
              defined) chains can have policies, and neither built-in nor
              user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename the user specified chain to the user supplied name.  This
              is cosmetic, and has no effect on the structure of the table.

       -h     Help.  Give a (currently very brief) description of the command
              syntax.

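       The two forms of -D interact badly when rules are removed in bulk:
       deleting by number renumbers every rule after it, and deleting by
       specification requires repeating exactly the specification the rule
       was added with.  The script below is an added example, not part of
       the ip6tables distribution: it deletes every rule in a chain whose
       listing line matches a pattern, highest number first, so that no
       deletion shifts the number of a rule still waiting to be deleted.  It
       assumes the listing format of "ip6tables -L chain -n -v
       --line-numbers" (rule lines start with the rule number); the helper
       names matching_rulenums and delete_matching and the IP6T variable are
       this example's own.

```shell
#!/bin/sh
# Added example (not from the ip6tables distribution): remove rules from a
# chain by rule number, selected by a pattern against the -L listing.
# Assumes the stock "ip6tables -L CHAIN -n -v --line-numbers" output, whose
# rule lines begin with the rule number. IP6T can be overridden for testing.
IP6T="${IP6T:-ip6tables}"

# matching_rulenums CHAIN PATTERN [TABLE]
# Print the numbers of the rules in CHAIN whose listing line matches the awk
# regular expression PATTERN, highest number first. Deleting in that order
# means a deletion never renumbers a rule that is still to be deleted.
matching_rulenums() {
    chain=$1; pattern=$2; table=${3:-filter}
    $IP6T -t "$table" -L "$chain" -n -v --line-numbers |
        awk -v pat="$pattern" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' |
        sort -rn
}

# delete_matching CHAIN PATTERN [TABLE]
# Delete every matching rule by number (-D CHAIN rulenum) and print each
# number that was deleted, in deletion order.
delete_matching() {
    chain=$1; pattern=$2; table=${3:-filter}
    for n in $(matching_rulenums "$chain" "$pattern" "$table"); do
        $IP6T -t "$table" -D "$chain" "$n" && echo "$n"
    done
}

# Command-line use (as root): ip6t-prune.sh CHAIN PATTERN [TABLE]
if [ $# -ge 2 ]; then
    delete_matching "$@"
fi
```

       Always run the listing with -n here: with name resolution on, the
       pattern would have to match whatever reverse DNS returned at listing
       time rather than the address in the rule.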
   PARAMETERS
       The following parameters make up a rule specification (as used in the
       add, delete, insert, replace and append commands).

       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check.  The
              specified protocol can be one of tcp, udp, icmpv6, esp, all, or
              it can be a numeric value, representing one of these protocols
              or a different one.  A protocol name from /etc/protocols is also
              allowed, but IPv6 extension headers other than esp are not
              accepted here (use the ipv6header match for those).  esp and
              ipv6-nonext can be used with kernel version 2.6.11 or later.  A
              "!" argument before the protocol inverts the test.  The number
              zero is equivalent to all.  Protocol all will match with all
              protocols and is taken as default when this option is omitted.

       -s, --source [!] address[/mask]
              Source specification.  Address can be either a hostname (please
              note that specifying any name to be resolved with a remote query
              such as DNS is a really bad idea: the name is resolved once, when
              the rule is added, and whoever controls the answer controls what
              the rule matches), a network IPv6 address (with /mask), or a
              plain IPv6 address.  (The network name isn't supported now.)
              The mask can be either a network mask or a plain number,
              specifying the number of 1's at the left side of the network
              mask.  Thus, a mask of 64 is equivalent to
              ffff:ffff:ffff:ffff:0000:0000:0000:0000.  A "!" argument before
              the address specification inverts the sense of the address.  The
              flag --src is an alias for this option.

       -d, --destination [!] address[/mask]
              Destination specification.  See the description of the -s
              (source) flag for a detailed description of the syntax.  The
              flag --dst is an alias for this option.

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if the
              packet matches it.  The target can be a user-defined chain
              (other than the one this rule is in), one of the special builtin
              targets which decide the fate of the packet immediately, or an
              extension (see EXTENSIONS below).  If this option is omitted in
              a rule, then matching the rule will have no effect on the
              packet's fate, but the counters on the rule will be incremented.

       -i, --in-interface [!] name
              Name of an interface via which a packet is going to be received
              (only for packets entering the INPUT, FORWARD and PREROUTING
              chains).  When the "!" argument is used before the interface
              name, the sense is inverted.  If the interface name ends in a
              "+", then any interface which begins with this name will match.
              If this option is omitted, any interface name will match.

       -o, --out-interface [!] name
              Name of an interface via which a packet is going to be sent (for
              packets entering the FORWARD and OUTPUT chains).  When the "!"
              argument is used before the interface name, the sense is
              inverted.  If the interface name ends in a "+", then any
              interface which begins with this name will match.  If this
              option is omitted, any interface name will match.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and byte
              counters of a rule (during INSERT, APPEND, REPLACE operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output.  This option makes the list command show the
              interface name, the rule options (if any), and the TOS masks.
              The packet and byte counters are also listed, with the suffix
              'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000
              multipliers respectively (but see the -x flag to change this).
              For appending, insertion, deletion and replacement, this causes
              detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output.  IP addresses and port numbers will be printed
              in numeric format.  By default, the program will try to display
              them as host names, network names, or services (whenever
              applicable).

       -x, --exact
              Expand numbers.  Display the exact value of the packet and byte
              counters, instead of only the rounded number in K's (multiples
              of 1000) M's (multiples of 1000K) or G's (multiples of 1000M).
              This option is only relevant for the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each
              rule, corresponding to that rule's position in the chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command to load
              any necessary modules (targets, match extensions, etc).


MATCH EXTENSIONS

       ip6tables can use extended packet matching modules.  These are loaded
       in two ways: implicitly, when -p or --protocol is specified, or with
       the -m or --match options, followed by the matching module name; after
       these, various extra command line options become available, depending
       on the specific module.  You can specify multiple extended match
       modules in one line, and you can use the -h or --help options after the
       module has been specified to receive help specific to that module.

       The following are included in the base package, and most of these can
       be preceded by a ! to invert the sense of the match.

   ah
       This module matches the parameters in the Authentication header of
       IPsec packets.

       --ahspi [!] spi[:spi]
              Matches SPI.

       --ahlen [!] length
              Total length of this header in octets.

       --ahres
              Matches if the reserved field is filled with zero.

   condition
       This matches if a specific /proc filename is '0' or '1'.

       --condition [!] filename
              Match on the boolean value stored in the
              /proc/net/ip6t_condition/filename file.

   dst
       This module matches the parameters in the Destination Options header.

       --dst-len [!] length
              Total length of this header in octets.

       --dst-opts type[:length][,type[:length]...]
              Numeric type of option and the length of the option data in
              octets.

   esp
       This module matches the SPIs in the ESP header of IPsec packets.

       --espspi [!] spi[:spi]
              Matches SPI.

   eui64
       This module matches the EUI-64 part of a stateless autoconfigured IPv6
       address.  It compares the EUI-64 derived from the source MAC address in
       the Ethernet frame with the lower 64 bits of the IPv6 source address.
       The "Universal/Local" bit is not compared.  This module doesn't match
       other link layer frames, and is only valid in the PREROUTING, INPUT and
       FORWARD chains.

   frag
       This module matches the parameters in the Fragment header.

       --fragid [!] id[:id]
              Matches the given Identification or range of it.

       --fraglen [!] length
              This option cannot be used with kernel version 2.6.10 or later.
              The length of the Fragment header is static and this option
              doesn't make sense.

       --fragres
              Matches if the reserved fields are filled with zero.

       --fragfirst
              Matches on the first fragment.

       [--fragmore]
              Matches if there are more fragments.

       [--fraglast]
              Matches if this is the last fragment.

   hbh
       This module matches the parameters in the Hop-by-Hop Options header.

       --hbh-len [!] length
              Total length of this header in octets.

       --hbh-opts type[:length][,type[:length]...]
              Numeric type of option and the length of the option data in
              octets.

   hl
       This module matches the Hop Limit field in the IPv6 header.

       --hl-eq [!] value
              Matches if Hop Limit equals value.

       --hl-lt value
              Matches if Hop Limit is less than value.

       --hl-gt value
              Matches if Hop Limit is greater than value.

   icmp6
       This extension can be used if `--protocol ipv6-icmp' or `--protocol
       icmpv6' is specified.  It provides the following option:

       --icmpv6-type [!] type[/code]|typename
              This allows specification of the ICMPv6 type, which can be a
              numeric ICMPv6 type, type and code, or one of the ICMPv6 type
              names shown by the command
               ip6tables -p ipv6-icmp -h

   ipv6header
       This module matches IPv6 extension headers and/or upper layer header.

       --header [!] header[,header...]
              Matches the packet which EXACTLY includes all specified headers.
              The headers encapsulated with ESP header are out of scope.
              header can be hop|hop-by-hop (Hop-by-Hop Options header), dst
              (Destination Options header), route (Routing header), frag
              (Fragment header), auth (Authentication header), esp
              (Encapsulating Security Payload header), none (No Next header)
              which matches 59 in the 'Next Header' field of the IPv6 header
              or any IPv6 extension headers, or proto which matches any upper
              layer protocol header.  A protocol name from /etc/protocols and
              a numeric value are also allowed.  The number 255 is equivalent
              to proto.

       [--soft]
              Matches if the packet includes all specified headers with
              --header, AT LEAST.

   length
       This module matches the length of the IPv6 payload in octets, or range
       of it.  The IPv6 header itself isn't counted.

       --length [!] length[:length]

   limit
       This module matches at a limited rate using a token bucket filter.  A
       rule using this extension will match until this limit is reached.  It
       can be used in combination with the LOG target to give limited
       logging, for example.

       --limit rate
              Maximum average matching rate: specified as a number, with an
              optional `/second', `/minute', `/hour', or `/day' suffix; the
              default is 3/hour.

       --limit-burst number
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.

   mac
       --mac-source [!] address
              Match source MAC address.  It must be of the form
              XX:XX:XX:XX:XX:XX.  Note that this only makes sense for packets
              coming from an Ethernet device and entering the PREROUTING,
              FORWARD or INPUT chains.

   mark
       This module matches the netfilter mark field associated with a packet
       (which can be set using the MARK target below).

       --mark value[/mask]
              Matches packets with the given unsigned mark value (if a mask is
              specified, this is logically ANDed with the mask before the
              comparison).

   mh
       This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is
       specified.  It provides the following option:

       --mh-type [!] type[:type]
              This allows specification of the Mobility Header (MH) type,
              which can be a numeric MH type, a range of types, or one of the
              MH type names shown by the command
               ip6tables -p ipv6-mh -h

   multiport
       This module matches a set of source or destination ports.  Up to 15
       ports can be specified.  It can only be used in conjunction with -p tcp
       or -p udp.

       --source-ports [!] port[,port[,port...]]
              Match if the source port is one of the given ports.  The flag
              --sports is a convenient alias for this option.

       --destination-ports [!] port[,port[,port...]]
              Match if the destination port is one of the given ports.  The
              flag --dports is a convenient alias for this option.

       --ports [!] port[,port[,port...]]
              Match if both the source and destination ports are equal to
              each other and to one of the given ports.

   owner
       This module attempts to match various characteristics of the packet
       creator, for locally-generated packets.  It is only valid in the OUTPUT
       chain, and even there some packets (such as ICMPv6 ping responses) may
       have no owner, and hence never match.  This is regarded as
       experimental.

       --uid-owner userid
              Matches if the packet was created by a process with the given
              effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the given
              effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with the given
              process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the given
              session group.

       NOTE: pid, sid and command matching are broken on SMP

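       The owner match is the page's only way to tie a rule to the process
       that produced a packet, which makes it the natural tool for a
       least-privilege egress policy on a single service account.  The script
       below is an added example, not part of the ip6tables distribution: it
       confines one uid in the OUTPUT chain to a single destination and port
       list, logging and dropping everything else that uid sends.  The uid,
       the 2001:db8:: documentation-prefix address and the port used are
       assumptions, as are the confine_uid helper name and the IP6T variable.

```shell
#!/bin/sh
# Added example, not from the ip6tables distribution: confine one service
# account's outbound traffic with the owner match in the OUTPUT chain. The
# uid, destination address and ports passed to confine_uid are assumptions.
IP6T="${IP6T:-ip6tables}"

# confine_uid UID DEST_ADDR PORTS
# Processes running with effective uid UID may reach DEST_ADDR on the listed
# TCP ports and the loopback interface; anything else they send is logged
# (rate limited) and dropped. The rules are inserted with -I and no rule
# number, so each one lands at position 1 and they are emitted in reverse of
# their final order, which ends up as: ACCEPT dest, ACCEPT lo, LOG, DROP.
confine_uid() {
    uid=$1; dest=$2; ports=$3
    $IP6T -I OUTPUT -m owner --uid-owner "$uid" -j DROP
    $IP6T -I OUTPUT -m owner --uid-owner "$uid" -m limit --limit 1/minute \
        -j LOG --log-prefix "egress-deny uid=$uid: "
    $IP6T -I OUTPUT -o lo -m owner --uid-owner "$uid" -j ACCEPT
    $IP6T -I OUTPUT -m owner --uid-owner "$uid" -p tcp -d "$dest" \
        -m multiport --dports "$ports" -j ACCEPT
}

# Command-line use (as root): confine-uid.sh UID DEST_ADDR PORTS
if [ $# -eq 3 ]; then
    confine_uid "$@"
fi
```

       Two limits to keep in mind: packets that have no owner (the page
       names ICMPv6 responses) never match these rules, so they are not
       confined; and a process that resolves names through a local resolver
       daemon has its DNS queries sent under that daemon's uid, not its own,
       so the daemon needs its own egress rule or the lookups fail.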
   physdev
       This module matches on the bridge port input and output devices
       enslaved to a bridge device.  This module is a part of the
       infrastructure that enables a transparent bridging IP firewall and is
       only useful for kernel versions above version 2.5.44.

       --physdev-in [!] name
              Name of a bridge port via which a packet is received (only for
              packets entering the INPUT, FORWARD and PREROUTING chains).  If
              the interface name ends in a "+", then any interface which
              begins with this name will match.  If the packet didn't arrive
              through a bridge device, this packet won't match this option,
              unless '!' is used.

       --physdev-out [!] name
              Name of a bridge port via which a packet is going to be sent
              (for packets entering the FORWARD, OUTPUT and POSTROUTING
              chains).  If the interface name ends in a "+", then any
              interface which begins with this name will match.  Note that in
              the nat and mangle OUTPUT chains one cannot match on the bridge
              output port, however one can in the filter OUTPUT chain.  If the
              packet won't leave by a bridge device or it is yet unknown what
              the output device will be, then the packet won't match this
              option, unless '!' is used.

       [!] --physdev-is-in
              Matches if the packet has entered through a bridge interface.

       [!] --physdev-is-out
              Matches if the packet will leave through a bridge interface.

       [!] --physdev-is-bridged
              Matches if the packet is being bridged and therefore is not
              being routed.  This is only useful in the FORWARD and
              POSTROUTING chains.

   policy
       This module matches the policy used by IPsec for handling a packet.

       --dir in|out
              Used to select whether to match the policy used for
              decapsulation or the policy that will be used for encapsulation.
              in is valid in the PREROUTING, INPUT and FORWARD chains, out is
              valid in the POSTROUTING, OUTPUT and FORWARD chains.

       --pol none|ipsec
              Matches if the packet is subject to IPsec processing.

       --strict
              Selects whether to match the exact policy or match if any rule
              of the policy matches the given policy.

       --reqid id
              Matches the reqid of the policy rule.  The reqid can be specified
              with setkey(8) using unique:id as level.

       --spi spi
              Matches the SPI of the SA.

       --proto ah|esp|ipcomp
              Matches the encapsulation protocol.

       --mode tunnel|transport
              Matches the encapsulation mode.

       --tunnel-src addr[/mask]
              Matches the source end-point address of a tunnel mode SA.  Only
              valid with --mode tunnel.

       --tunnel-dst addr[/mask]
              Matches the destination end-point address of a tunnel mode SA.
              Only valid with --mode tunnel.

       --next Start the next element in the policy specification.  Can only be
              used with --strict.

   rt
       Match on the IPv6 Routing header.

       --rt-type [!] type
              Match the type (numeric).

       --rt-segsleft [!] num[:num]
              Match the `segments left' field (range).

       --rt-len [!] length
              Match the length of this header.

       --rt-0-res
              Match the reserved field, too (type=0).

       --rt-0-addrs ADDR[,ADDR...]
              Match type=0 addresses (list).

       --rt-0-not-strict
              List of type=0 addresses is not a strict list.

   tcp
       This extension can be used if `--protocol tcp' is specified.  It
       provides the following options:

       --source-port [!] port[:port]
              Source port or port range specification.  This can either be a
              service name or a port number.  An inclusive range can also be
              specified, using the format port:port.  If the first port is
              omitted, "0" is assumed; if the last is omitted, "65535" is
              assumed.  If the first port is greater than the second, they
              will be swapped.  The flag --sport is a convenient alias for
              this option.

       --destination-port [!] port[:port]
              Destination port or port range specification.  The flag --dport
              is a convenient alias for this option.

       --tcp-flags [!] mask comp
              Match when the TCP flags are as specified.  The first argument
              is the flags which we should examine, written as a comma-
              separated list, and the second argument is a comma-separated
              list of flags which must be set.  Flags are: SYN ACK FIN RST URG
              PSH ALL NONE.  Hence the command
               ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
              will only match packets with the SYN flag set, and the ACK, FIN
              and RST flags unset.

       [!] --syn
              Only match TCP packets with the SYN bit set and the ACK and RST
              bits cleared.  Such packets are used to request TCP connection
              initiation; for example, blocking such packets coming in an
              interface will prevent incoming TCP connections, but outgoing
              TCP connections will be unaffected.  It is equivalent to
              --tcp-flags SYN,RST,ACK SYN.  If the "!" flag precedes the
              "--syn", the sense of the option is inverted.

       --tcp-option [!] number
              Match if TCP option set.

   udp
       This extension can be used if `--protocol udp' is specified.  It
       provides the following options:

       --source-port [!] port[:port]
              Source port or port range specification.  See the description of
              the --source-port option of the TCP extension for details.

       --destination-port [!] port[:port]
              Destination port or port range specification.  See the
              description of the --destination-port option of the TCP
              extension for details.


TARGET EXTENSIONS

       ip6tables can use extended target modules: the following are included
       in the standard distribution.

   CONNSECMARK
       This module copies security markings from packets to connections (if
       unlabeled), and from connections back to packets (also only if
       unlabeled).  Typically used in conjunction with SECMARK, it is only
       valid in the mangle table.

       --save If the packet has a security marking, copy it to the connection
              if the connection is not marked.

       --restore
              If the packet does not have a security marking, and the
              connection does, copy the security marking from the connection
              to the packet.

   HL
       This is used to modify the Hop Limit field in the IPv6 header. The Hop
       Limit field is similar to what is known as the TTL value in IPv4.
       Setting or incrementing the Hop Limit field can potentially be very
       dangerous, because a packet whose Hop Limit never reaches zero can
       circulate indefinitely in a routing loop, so it should be avoided at
       any cost. This target is only valid in the mangle table.

       Don't ever set or increment the value on packets that leave your local
       network!

       --hl-set value
              Set the Hop Limit to `value'.

       --hl-dec value
              Decrement the Hop Limit `value' times.

       --hl-inc value
              Increment the Hop Limit `value' times.

   LOG
       Turn on kernel logging of matching packets. When this option is set
       for a rule, the Linux kernel will print some information on all
       matching packets (like most IPv6-header fields) via the kernel log
       (where it can be read with dmesg or syslogd(8)). This is a
       "non-terminating target", i.e. rule traversal continues at the next
       rule. So if you want to LOG the packets you refuse, use two separate
       rules with the same matching criteria, first using target LOG then
       DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 29
              characters long, and useful for distinguishing messages in the
              logs.

       --log-tcp-sequence
              Log TCP sequence numbers. This is a security risk if the log is
              readable by users, since knowing the sequence numbers of a live
              connection lets a local user inject forged segments into it.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IPv6 packet header.

       --log-uid
              Log the userid of the process which generated the packet. This
              is only meaningful for locally generated packets (the OUTPUT
              chain); forwarded and inbound packets have no owning process.

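       The LOG-then-DROP pairing described above, as an added example that is
       not part of this man page: a small shell script (assumed to be saved
       as logdrop.sh) that builds a user-defined LOGDROP chain holding a
       rate-limited LOG rule followed by DROP, checks the 29-character
       --log-prefix limit before touching the ruleset, and can be dry-run
       without root by setting DRY_RUN. The limit match it uses is a standard
       match extension, not one of the targets documented here.

```shell
#!/bin/sh
# Added example, not taken from the ip6tables man page: a LOGDROP chain that
# logs a matching packet and then drops it, so the non-terminating LOG rule
# and the terminating DROP rule share one set of match criteria.
#
# IP6T names the command to run. With DRY_RUN set, the commands are printed
# instead of executed, which needs neither root nor an ip6tables binary.
IP6T=${IP6T:-ip6tables}

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$IP6T $*"
    else
        "$IP6T" "$@"
    fi
}

# ip6tables refuses --log-prefix strings longer than 29 characters, so check
# before building a rule rather than finding out after the script half-ran.
check_prefix() {
    [ "${#1}" -le 29 ]
}

# create_logdrop CHAIN PREFIX [RATE]
# The limit match (a standard match extension, assumed to be available)
# keeps a flood of matches from filling the kernel log; DROP is unlimited.
create_logdrop() {
    check_prefix "$2" || { echo "prefix '$2' longer than 29 chars" >&2; return 1; }
    run -N "$1"
    run -A "$1" -m limit --limit "${3:-5/min}" --limit-burst 10 \
        -j LOG --log-level warning --log-prefix "$2"
    run -A "$1" -j DROP
}

# log_and_drop CHAIN BASE MATCH...: send traffic matching MATCH... on the
# built-in chain BASE (INPUT, FORWARD, OUTPUT) to the log-and-drop chain,
# so one rule carries the criteria for both LOG and DROP.
log_and_drop() {
    chain=$1; base=$2; shift 2
    run -A "$base" "$@" -j "$chain"
}

# Usage (dry run): sh logdrop.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    create_logdrop LOGDROP "IP6-SSH-DROP: "
    log_and_drop LOGDROP INPUT -p tcp --dport 22 --syn
fi
```

       Run it with --demo to see the rules it would add; unset DRY_RUN and
       run it as root to apply them. The prefix ends in a space so the field
       that follows it in the kernel log stays separated.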
   MARK
       This is used to set the netfilter mark value associated with the
       packet. It is only valid in the mangle table.

       --set-mark mark
              Set the netfilter mark of the packet to `mark'. The mark is
              kept in the kernel's packet metadata, not in the packet itself,
              so it is never visible on the wire; it can be matched later
              with the mark match extension.

   NFQUEUE
       This target is an extension of the QUEUE target. As opposed to QUEUE,
       it allows you to put a packet into any specific queue, identified by
       its 16-bit queue number.

       --queue-num value
              This specifies the QUEUE number to use. Valid queue numbers are
              0 to 65535. The default value is 0.

       It can only be used with kernel versions 2.6.14 or later, since it
       requires the nfnetlink_queue kernel support.

   REJECT
       This is used to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP so it is a terminating
       TARGET, ending rule traversal. This target is only valid in the INPUT,
       FORWARD and OUTPUT chains, and user-defined chains which are only
       called from those chains. Because REJECT sends a packet for every
       match, prefer DROP (or a rate-limited REJECT) for traffic from
       untrusted sources, whose addresses may be forged. The following option
       controls the nature of the error packet returned:

       --reject-with type
              The type given can be
               icmp6-no-route (short form: no-route)
               icmp6-adm-prohibited (short form: adm-prohibited)
               icmp6-addr-unreachable (short form: addr-unreach)
               icmp6-port-unreachable (short form: port-unreach)
              which return the appropriate ICMPv6 error message (port-unreach
              is the default). Finally, the option tcp-reset can be used on
              rules which only match the TCP protocol: this causes a TCP RST
              packet to be sent back. This is mainly useful for blocking
              ident (113/tcp) probes which frequently occur when sending mail
              to broken mail hosts (which won't accept your mail otherwise).
              tcp-reset can only be used with kernel versions 2.6.14 or
              later.

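       As an added example not taken from this man page, the helper below
       (assumed file name reject.sh) chooses --reject-with tcp-reset for TCP
       rules and icmp6-adm-prohibited for everything else, and validates the
       type name against the list above before appending the rule; with
       DRY_RUN set it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not taken from the ip6tables man page: pick a REJECT type
# that fits the protocol, and validate type names against the documented
# list. With DRY_RUN set the rules are printed rather than applied.
IP6T=${IP6T:-ip6tables}

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$IP6T $*"
    else
        "$IP6T" "$@"
    fi
}

# valid_reject_type TYPE: true for the --reject-with values ip6tables
# accepts (long names, short forms and tcp-reset).
valid_reject_type() {
    case $1 in
        icmp6-no-route|no-route|icmp6-adm-prohibited|adm-prohibited|\
        icmp6-addr-unreachable|addr-unreach|icmp6-port-unreachable|\
        port-unreach|tcp-reset) return 0 ;;
        *) return 1 ;;
    esac
}

# reject_type PROTO: tcp-reset is only accepted on rules that match TCP;
# for anything else use adm-prohibited so the peer learns it hit policy,
# not a missing listener.
reject_type() {
    case $1 in
        tcp) echo tcp-reset ;;
        *)   echo icmp6-adm-prohibited ;;
    esac
}

# reject_rule CHAIN PROTO MATCH...: append a REJECT rule to CHAIN for
# protocol PROTO with extra match arguments (for example --dport 113).
reject_rule() {
    chain=$1; proto=$2; shift 2
    rtype=$(reject_type "$proto")
    valid_reject_type "$rtype" || return 1
    run -A "$chain" -p "$proto" "$@" -j REJECT --reject-with "$rtype"
}

# Usage (dry run): sh reject.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    # ident probes from broken mail hosts: answer with RST so they give up
    reject_rule INPUT tcp --dport 113
    # policy-blocked UDP: tell the sender it is administratively prohibited
    reject_rule FORWARD udp --dport 5353
fi
```

       The validation step matters because the IPv4 names (icmp-port-
       unreachable and friends) are rejected by ip6tables, and a typo in a
       rule that is applied halfway through a script leaves the firewall in
       a partially loaded state.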
   SECMARK
       This is used to set the security mark value associated with the packet
       for use by security subsystems such as SELinux. It is only valid in
       the mangle table.

       --selctx security_context
              Label the packet with the given SELinux security context.

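       The SECMARK and CONNSECMARK pairing that the two sections above
       describe, as an added example not taken from this man page (assumed
       file name secmark.sh): NEW TCP connections to a port get a packet label
       from SECMARK and CONNSECMARK --save copies it to the connection;
       ESTABLISHED,RELATED packets get the label back with --restore. The
       state match is a standard match extension, the SELinux context
       system_u:object_r:ssh_server_packet_t:s0 is assumed to exist in the
       loaded policy, and DRY_RUN prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not taken from the ip6tables man page: the usual SECMARK /
# CONNSECMARK pairing in the mangle table. New connections get a packet
# label from SECMARK and CONNSECMARK --save copies it to the conntrack
# entry; later packets of the same connection get it back with --restore.
# The SELinux context is an assumption: it must exist in the loaded policy.
# With DRY_RUN set the rules are printed instead of applied.
IP6T=${IP6T:-ip6tables}

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$IP6T $*"
    else
        "$IP6T" "$@"
    fi
}

# secmark_restore: one --restore rule per direction for packets that already
# belong to a tracked connection, so replies and later segments carry the
# label the connection was given when it was NEW.
secmark_restore() {
    for chain in INPUT OUTPUT; do
        run -t mangle -A "$chain" -m state --state ESTABLISHED,RELATED \
            -j CONNSECMARK --restore
    done
}

# secmark_service CHAIN PORT CONTEXT: label NEW TCP connections to PORT
# with CONTEXT and save that label on the connection. Both rules carry the
# same match so --save sees exactly the packets SECMARK labelled.
secmark_service() {
    chain=$1; port=$2; ctx=$3
    run -t mangle -A "$chain" -p tcp --dport "$port" -m state --state NEW \
        -j SECMARK --selctx "$ctx"
    run -t mangle -A "$chain" -p tcp --dport "$port" -m state --state NEW \
        -j CONNSECMARK --save
}

# Usage (dry run): sh secmark.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    secmark_restore
    # assumed context; substitute one defined by your policy
    secmark_service INPUT 22 system_u:object_r:ssh_server_packet_t:s0
fi
```

       Applying this with a context that the policy does not define makes
       ip6tables fail on the SECMARK rule, so test the context with the
       policy tools before loading the rules on a production host.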
   TCPMSS
       This target allows you to alter the MSS value of TCP SYN packets, to
       control the maximum segment size for that connection (usually limiting
       it to your outgoing interface's MTU minus 60, that is the 40-byte IPv6
       header plus the 20-byte TCP header). Of course, it can only be used in
       conjunction with -p tcp. It is only valid in the mangle table.
       This target is used to overcome criminally braindead ISPs or servers
       which block ICMPv6 Packet Too Big packets or are unable to send them.
       The symptoms of this problem are that everything works fine from your
       Linux firewall/router, but machines behind it can never exchange large
       packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your firewall
       configuration like:
        ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly set MSS option to specified value.

       --clamp-mss-to-pmtu
              Automatically clamp MSS value to (path_MTU - 60).

       These options are mutually exclusive.


DIAGNOSTICS
       Various error messages are printed to standard error. The exit code is
       0 for correct functioning. Errors which appear to be caused by invalid
       or abused command line parameters cause an exit code of 2, and other
       errors cause an exit code of 1.

BUGS
       Bugs? What's this? ;-) Well... the counters are not reliable on
       sparc64.

COMPATIBILITY WITH IPCHAINS
       This ip6tables is very similar to ipchains by Rusty Russell. The main
       difference is that the chains INPUT and OUTPUT are only traversed for
       packets coming into the local host and originating from the local host
       respectively. Hence every packet only passes through one of the three
       chains (except loopback traffic, which involves both INPUT and OUTPUT
       chains); previously a forwarded packet would pass through all three.

       The other main difference is that -i refers to the input interface; -o
       refers to the output interface, and both are available for packets
       entering the FORWARD chain. There are several other changes in
       ip6tables.

SEE ALSO
       ip6tables-save(8), ip6tables-restore(8), iptables(8), iptables-save(8),
       iptables-restore(8), libipq(3).

       The packet-filtering-HOWTO details iptables usage for packet filtering,
       the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the
       extensions that are not in the standard distribution, and the
       netfilter-hacking-HOWTO details the netfilter internals.
       See http://www.netfilter.org/.

AUTHORS
       Rusty Russell wrote iptables, in early consultation with Michael
       Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic
       packet selection framework in iptables, then wrote the mangle table,
       the owner match, the mark stuff, and ran around doing cool stuff
       everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as
       well as TTL match+target and libipulog.

       The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki
       Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira
       Ayuso, Harald Welte and Rusty Russell.

       ip6tables man page created by Andras Kis-Szabo, based on iptables man
       page written by Herve Eychenne <rv@wallfire.org>.



                                 Jan 22, 2006                     IP6TABLES(8)