IPTABLES(8)                                                        IPTABLES(8)

NAME

       iptables - administration tool for IPv4 packet filtering and NAT

SYNOPSIS

       iptables [-t table] -[AD] chain rule-specification [options]
       iptables [-t table] -I chain [rulenum] rule-specification [options]
       iptables [-t table] -R chain rulenum rule-specification [options]
       iptables [-t table] -D chain rulenum [options]
       iptables [-t table] -[LFZ] [chain] [options]
       iptables [-t table] -N chain
       iptables [-t table] -X [chain]
       iptables [-t table] -P chain target [options]
       iptables [-t table] -E old-chain-name new-chain-name

DESCRIPTION

       Iptables is used to set up, maintain, and inspect the tables of IP
       packet filter rules in the Linux kernel.  Several different tables
       may be defined.  Each table contains a number of built-in chains and
       may also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets.  Each
       rule specifies what to do with a packet that matches.  This is called
       a `target', which may be a jump to a user-defined chain in the same
       table.

TARGETS

       A firewall rule specifies criteria for a packet, and a target.  If
       the packet does not match, the next rule in the chain is then
       examined; if it does match, then the next rule is specified by the
       value of the target, which can be the name of a user-defined chain or
       one of the special values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the
       packet on the floor.  QUEUE means to pass the packet to userspace.
       (How the packet can be received by a userspace process differs by
       the particular queue handler.  2.4.x and 2.6.x kernels up to 2.6.13
       include the ip_queue queue handler.  Kernels 2.6.14 and later
       additionally include the nfnetlink_queue queue handler.  Packets
       with a target of QUEUE will be sent to queue number '0' in this
       case.  Please also see the NFQUEUE target as described later in this
       man page.)  RETURN means stop traversing this chain and resume at
       the next rule in the previous (calling) chain.  If the end of a
       built-in chain is reached or a rule in a built-in chain with target
       RETURN is matched, the target specified by the chain policy
       determines the fate of the packet.

TABLES

       There are currently three independent tables (which tables are
       present at any time depends on the kernel configuration options and
       which modules are present).

       -t, --table table
              This option specifies the packet matching table which the
              command should operate on.  If the kernel is configured with
              automatic module loading, an attempt will be made to load the
              appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed).
                  It contains the built-in chains INPUT (for packets
                  destined to local sockets), FORWARD (for packets being
                  routed through the box), and OUTPUT (for locally-generated
                  packets).

              nat:
                  This table is consulted when a packet that creates a new
                  connection is encountered.  It consists of three
                  built-ins: PREROUTING (for altering packets as soon as
                  they come in), OUTPUT (for altering locally-generated
                  packets before routing), and POSTROUTING (for altering
                  packets as they are about to go out).

              mangle:
                  This table is used for specialized packet alteration.
                  Until kernel 2.4.17 it had two built-in chains:
                  PREROUTING (for altering incoming packets before routing)
                  and OUTPUT (for altering locally-generated packets before
                  routing).  Since kernel 2.4.18, three other built-in
                  chains are also supported: INPUT (for packets coming into
                  the box itself), FORWARD (for altering packets being
                  routed through the box), and POSTROUTING (for altering
                  packets as they are about to go out).

              raw:
                  This table is used mainly for configuring exemptions from
                  connection tracking in combination with the NOTRACK
                  target.  It registers at the netfilter hooks with higher
                  priority and is thus called before ip_conntrack, or any
                  other IP tables.  It provides the following built-in
                  chains: PREROUTING (for packets arriving via any network
                  interface) and OUTPUT (for packets generated by local
                  processes).

OPTIONS

       The options that are recognized by iptables can be divided into
       several different groups.

   COMMANDS
       These options specify the specific action to perform.  Only one of
       them can be specified on the command line unless otherwise specified
       below.  For all the long versions of the command and option names,
       you need to use only enough letters to ensure that iptables can
       differentiate it from all other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.
              When the source and/or destination names resolve to more than
              one address, a rule will be added for each possible address
              combination.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain.  There are
              two versions of this command: the rule can be specified as a
              number in the chain (starting at 1 for the first rule) or a
              rule to match.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given
              rule number.  So, if the rule number is 1, the rule or rules
              are inserted at the head of the chain.  This is also the
              default if no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source and/or
              destination names resolve to multiple addresses, the command
              will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is
              selected, all chains are listed.  As every other iptables
              command, it applies to the specified table (filter is the
              default), so NAT rules get listed by
               iptables -t nat -n -L
              Please note that it is often used with the -n option, in
              order to avoid long reverse DNS lookups.  It is legal to
              specify the -Z (zero) option as well, in which case the
              chain(s) will be atomically listed and zeroed.  The exact
              output is affected by the other arguments given.  The exact
              rules are suppressed until you use
               iptables -L -v

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none
              is given).  This is equivalent to deleting all the rules one
              by one.

       -Z, --zero [chain]
              Zero the packet and byte counters in all chains.  It is legal
              to specify the -L, --list (list) option as well, to see the
              counters immediately before they are cleared.  (See above.)

       -N, --new-chain chain
              Create a new user-defined chain by the given name.  There
              must be no target of that name already.

       -X, --delete-chain [chain]
              Delete the optional user-defined chain specified.  There must
              be no references to the chain.  If there are, you must delete
              or replace the referring rules before the chain can be
              deleted.  The chain must be empty, i.e. not contain any
              rules.  If no argument is given, it will attempt to delete
              every non-builtin chain in the table.

       -P, --policy chain target
              Set the policy for the chain to the given target.  See the
              section TARGETS for the legal targets.  Only built-in
              (non-user-defined) chains can have policies, and neither
              built-in nor user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename the user specified chain to the user supplied name.
              This is cosmetic, and has no effect on the structure of the
              table.

       -h     Help.  Give a (currently very brief) description of the
              command syntax.

   PARAMETERS
       The following parameters make up a rule specification (as used in
       the add, delete, insert, replace and append commands).

       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check.  The
              specified protocol can be one of tcp, udp, icmp, or all, or
              it can be a numeric value, representing one of these
              protocols or a different one.  A protocol name from
              /etc/protocols is also allowed.  A "!" argument before the
              protocol inverts the test.  The number zero is equivalent to
              all.  Protocol all will match with all protocols and is taken
              as default when this option is omitted.

       -s, --source [!] address[/mask]
              Source specification.  Address can be either a network name,
              a hostname (please note that specifying any name to be
              resolved with a remote query such as DNS is a really bad
              idea), a network IP address (with /mask), or a plain IP
              address.  The mask can be either a network mask or a plain
              number, specifying the number of 1's at the left side of the
              network mask.  Thus, a mask of 24 is equivalent to
              255.255.255.0.  A "!" argument before the address
              specification inverts the sense of the address.  The flag
              --src is an alias for this option.

       -d, --destination [!] address[/mask]
              Destination specification.  See the description of the -s
              (source) flag for a detailed description of the syntax.  The
              flag --dst is an alias for this option.
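
       The following is an added illustration and is not part of the
       iptables man page or the iptables sources: a short Python model of
       how the "[!] address[/mask]" form taken by -s and -d is read, with
       the mask given either as a prefix length or as a dotted network
       mask, and with "!" inverting the test.  The function names
       (parse_address_spec, address_matches, is_numeric_spec) are invented
       for this example; it deliberately refuses host names, following the
       warning above about resolving names with a remote query.

```python
"""Added example for this page (not part of iptables): how a -s/-d
address specification "[!] address[/mask]" is interpreted.  The helper
names are invented for the illustration."""
import ipaddress


def parse_address_spec(spec: str):
    """Parse "[!] address[/mask]" into (inverted, IPv4Network).

    The mask may be a plain number of leading 1 bits ("24") or a full
    network mask ("255.255.255.0"); a bare address means a /32 host.
    Only numeric addresses are accepted here: the page warns that
    resolving names via a remote query such as DNS in a rule is a bad
    idea, so this parser refuses anything that is not an IP literal.
    """
    spec = spec.strip()
    inverted = spec.startswith("!")
    if inverted:
        spec = spec[1:].strip()
    try:
        # strict=False tolerates host bits in the address part, as
        # iptables does for 192.168.1.5/24 (the mask removes them).
        network = ipaddress.IPv4Network(spec, strict=False)
    except ValueError as exc:
        raise ValueError(f"not a numeric IPv4 address spec: {spec!r}") from exc
    return inverted, network


def address_matches(spec: str, packet_ip: str) -> bool:
    """True if packet_ip is selected by the -s/-d specification."""
    inverted, network = parse_address_spec(spec)
    in_network = ipaddress.IPv4Address(packet_ip) in network
    return in_network != inverted   # "!" inverts the sense of the test


def is_numeric_spec(spec: str) -> bool:
    """True if spec would be accepted without any name resolution."""
    try:
        parse_address_spec(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample specifications and packet addresses.
    for spec, ip in [("192.168.0.0/16", "192.168.77.3"),
                     ("10.1.2.3/255.255.255.0", "10.1.2.200"),
                     ("! 10.0.0.0/8", "10.9.9.9"),
                     ("203.0.113.7", "203.0.113.8")]:
        print(f"{spec:28} {ip:16} {address_matches(spec, ip)}")
```

       Note that "10.1.2.3/255.255.255.0" and "10.1.2.3/24" describe the
       same network, 10.1.2.0/24, which is why the dotted form and the
       prefix length are interchangeable in a rule.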

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if
              the packet matches it.  The target can be a user-defined
              chain (other than the one this rule is in), one of the
              special builtin targets which decide the fate of the packet
              immediately, or an extension (see EXTENSIONS below).  If this
              option is omitted in a rule (and -g is not used), then
              matching the rule will have no effect on the packet's fate,
              but the counters on the rule will be incremented.

       -g, --goto chain
              This specifies that the processing should continue in a user
              specified chain.  Unlike the --jump option, return will not
              continue processing in this chain but instead in the chain
              that called us via --jump.
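
       The following is an added illustration, not code from the man page
       or from iptables itself: a small Python model of chain traversal
       that ties together the TARGETS section (ACCEPT, DROP, RETURN and the
       chain policy), the counter-only behaviour of a rule without -j, and
       the difference between -j and -g.  The Table, Chain and Rule classes
       and the demo functions are invented for this example; rule matches
       are plain Python predicates over a dict standing in for a packet,
       and QUEUE is not modelled.

```python
"""Added example for this page (not iptables code): a small model of
chain traversal showing what ACCEPT, DROP, RETURN, the chain policy,
-j (jump) and -g (goto) do to a packet.  Matches are plain predicates
over a dict; the class and function names are invented."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: Optional[str] = None   # None: no -j/-g, counters only
    goto: bool = False             # True models -g, False models -j
    packets: int = 0               # counter shown by iptables -L -v


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None   # only built-in chains carry a policy


class Table:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def new_chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains[name] = Chain(policy=policy)

    def append(self, chain: str, match, target=None, goto=False) -> None:
        self.chains[chain].rules.append(Rule(match, target, goto))

    def verdict(self, builtin: str, pkt: Packet) -> str:
        """Fate of pkt entering the built-in chain `builtin`."""
        stack = []                       # frames to resume on RETURN
        chain, idx = self.chains[builtin], 0
        while True:
            if idx < len(chain.rules):
                rule = chain.rules[idx]
                idx += 1
                if not rule.match(pkt):
                    continue
                rule.packets += 1
                if rule.target is None:      # match without -j/-g
                    continue
                if rule.target in (ACCEPT, DROP):
                    return rule.target
                if rule.target != RETURN:    # user-defined chain
                    if not rule.goto:        # -j remembers where to resume
                        stack.append((chain, idx))
                    chain, idx = self.chains[rule.target], 0
                    continue
            # RETURN matched, or the end of the chain was reached
            if stack:
                chain, idx = stack.pop()     # resume in the calling chain
                continue
            return self.chains[builtin].policy   # built-in: policy decides


def any_packet(_: Packet) -> bool:
    return True


def ssh_table() -> Table:
    """INPUT with policy DROP; TCP/22 is handed to a user chain that
    accepts LAN sources and RETURNs everything else to INPUT."""
    t = Table()
    t.new_chain("INPUT", policy=DROP)
    t.new_chain("SSH_FROM_LAN")
    t.append("INPUT", lambda p: p["proto"] == "tcp" and p["dport"] == 22,
             "SSH_FROM_LAN")
    t.append("INPUT", lambda p: p["proto"] == "icmp", ACCEPT)
    t.append("SSH_FROM_LAN", lambda p: str(p["src"]).startswith("192.168."),
             ACCEPT)
    t.append("SSH_FROM_LAN", any_packet, RETURN)
    return t


def ssh_demo() -> Dict[str, object]:
    """Run four constructed packets through ssh_table()."""
    t = ssh_table()
    lan = t.verdict("INPUT", {"proto": "tcp", "dport": 22, "src": "192.168.1.9"})
    wan = t.verdict("INPUT", {"proto": "tcp", "dport": 22, "src": "198.51.100.4"})
    ping = t.verdict("INPUT", {"proto": "icmp"})
    dns = t.verdict("INPUT", {"proto": "udp", "dport": 53})
    return {"lan_ssh": lan, "wan_ssh": wan, "ping": ping, "dns": dns,
            "ssh_rule_hits": t.chains["INPUT"].rules[0].packets}


def goto_vs_jump(use_goto: bool) -> str:
    """INPUT -j CHECK; CHECK hands off to DEEP with -g or -j; DEEP does
    RETURN.  With -g the RETURN lands back in INPUT (next rule ACCEPT);
    with -j it lands in CHECK, whose next rule is DROP."""
    t = Table()
    t.new_chain("INPUT", policy=DROP)
    t.new_chain("CHECK")
    t.new_chain("DEEP")
    t.append("INPUT", any_packet, "CHECK")
    t.append("INPUT", any_packet, ACCEPT)
    t.append("CHECK", any_packet, "DEEP", goto=use_goto)
    t.append("CHECK", any_packet, DROP)
    t.append("DEEP", any_packet, RETURN)
    return t.verdict("INPUT", {})
```

       In ssh_demo() the SSH packet from outside the LAN falls off the end
       of SSH_FROM_LAN via RETURN, continues with the remaining INPUT
       rules, and finally takes the INPUT policy (DROP); goto_vs_jump()
       shows that the only thing -g changes is where a later RETURN
       resumes.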

       -i, --in-interface [!] name
              Name of an interface via which a packet was received (only
              for packets entering the INPUT, FORWARD and PREROUTING
              chains).  When the "!" argument is used before the interface
              name, the sense is inverted.  If the interface name ends in a
              "+", then any interface which begins with this name will
              match.  If this option is omitted, any interface name will
              match.

       -o, --out-interface [!] name
              Name of an interface via which a packet is going to be sent
              (for packets entering the FORWARD, OUTPUT and POSTROUTING
              chains).  When the "!" argument is used before the interface
              name, the sense is inverted.  If the interface name ends in a
              "+", then any interface which begins with this name will
              match.  If this option is omitted, any interface name will
              match.

       [!] -f, --fragment
              This means that the rule only refers to second and further
              fragments of fragmented packets.  Since there is no way to
              tell the source or destination ports of such a packet (or
              ICMP type), such a packet will not match any rules which
              specify them.  When the "!" argument precedes the "-f" flag,
              the rule will only match head fragments, or unfragmented
              packets.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and
              byte counters of a rule (during INSERT, APPEND, REPLACE
              operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output.  This option makes the list command show the
              interface name, the rule options (if any), and the TOS masks.
              The packet and byte counters are also listed, with the suffix
              'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000
              multipliers respectively (but see the -x flag to change
              this).  For appending, insertion, deletion and replacement,
              this causes detailed information on the rule or rules to be
              printed.

       -n, --numeric
              Numeric output.  IP addresses and port numbers will be
              printed in numeric format.  By default, the program will try
              to display them as host names, network names, or services
              (whenever applicable).

       -x, --exact
              Expand numbers.  Display the exact value of the packet and
              byte counters, instead of only the rounded number in K's
              (multiples of 1000) M's (multiples of 1000K) or G's
              (multiples of 1000M).  This option is only relevant for the
              -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each
              rule, corresponding to that rule's position in the chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command to
              load any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS

       iptables can use extended packet matching modules.  These are loaded
       in two ways: implicitly, when -p or --protocol is specified, or with
       the -m or --match options, followed by the matching module name;
       after these, various extra command line options become available,
       depending on the specific module.  You can specify multiple extended
       match modules in one line, and you can use the -h or --help options
       after the module has been specified to receive help specific to that
       module.

       The following are included in the base package, and most of these
       can be preceded by a ! to invert the sense of the match.

   addrtype
       This module matches packets based on their address type.  Address
       types are used within the kernel networking stack and categorize
       addresses into various groups.  The exact definition of that group
       depends on the specific layer three protocol.

       The following address types are possible:

       UNSPEC       an unspecified address (i.e. 0.0.0.0)
       UNICAST      a unicast address
       LOCAL        a local address
       BROADCAST    a broadcast address
       ANYCAST      an anycast packet
       MULTICAST    a multicast address
       BLACKHOLE    a blackhole address
       UNREACHABLE  an unreachable address
       PROHIBIT     a prohibited address
       THROW        FIXME
       NAT          FIXME
       XRESOLVE     FIXME

       --src-type type
              Matches if the source address is of given type

       --dst-type type
              Matches if the destination address is of given type

   ah
       This module matches the SPIs in Authentication header of IPsec
       packets.

       --ahspi [!] spi[:spi]

   comment
       Allows you to add comments (up to 256 characters) to any rule.

       --comment comment

       Example:
              iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A
              privatized IP block"

   condition
       This matches if a specific /proc filename is '0' or '1'.

       --condition [!] filename
              Match on boolean value stored in
              /proc/net/ipt_condition/filename file

   connbytes
       Match by how many bytes or packets a connection (or one of the two
       flows constituting the connection) have transferred so far, or by
       average bytes per packet.

       The counters are 64bit and are thus not expected to overflow ;)

       The primary use is to detect long-lived downloads and mark them to
       be scheduled using a lower priority band in traffic control.

       The transferred bytes per connection can also be viewed through
       /proc/net/ip_conntrack and accessed via ctnetlink

       [!] --connbytes from:[to]
              match packets from a connection whose packets/bytes/average
              packet size is more than FROM and less than TO bytes/packets.
              If TO is omitted only FROM check is done.  "!" is used to
              match packets not falling in the range.

       --connbytes-dir [original|reply|both]
              which packets to consider

       --connbytes-mode [packets|bytes|avgpkt]
              whether to check the amount of packets, number of bytes
              transferred or the average size (in bytes) of all packets
              received so far.  Note that when "both" is used together with
              "avgpkt", and data is going (mainly) only in one direction
              (for example HTTP), the average packet size will be about
              half of the actual data packets.

       Example:
              iptables .. -m connbytes --connbytes 10000:100000
              --connbytes-dir both --connbytes-mode bytes ...

   connmark
       This module matches the netfilter mark field associated with a
       connection (which can be set using the CONNMARK target below).

       --mark value[/mask]
              Matches packets in connections with the given mark value (if
              a mask is specified, this is logically ANDed with the mark
              before the comparison).

   connrate
       This module matches the current transfer rate in a connection.

       --connrate [!] [from]:[to]
              Match against the current connection transfer rate being
              within 'from' and 'to' bytes per second.  When the "!"
              argument is used before the range, the sense of the match is
              inverted.

   conntrack
       This module, when combined with connection tracking, allows access
       to more connection tracking information than the "state" match.
       (This module is present only if iptables was compiled under a kernel
       supporting this feature.)

       --ctstate state
              Where state is a comma separated list of the connection
              states to match.  Possible states are INVALID meaning that
              the packet is associated with no known connection,
              ESTABLISHED meaning that the packet is associated with a
              connection which has seen packets in both directions, NEW
              meaning that the packet has started a new connection, or
              otherwise associated with a connection which has not seen
              packets in both directions, and RELATED meaning that the
              packet is starting a new connection, but is associated with
              an existing connection, such as an FTP data transfer, or an
              ICMP error.  SNAT A virtual state, matching if the original
              source address differs from the reply destination.  DNAT A
              virtual state, matching if the original destination differs
              from the reply source.

       --ctproto proto
              Protocol to match (by number or name)

       --ctorigsrc [!] address[/mask]
              Match against original source address

       --ctorigdst [!] address[/mask]
              Match against original destination address

       --ctreplsrc [!] address[/mask]
              Match against reply source address

       --ctrepldst [!] address[/mask]
              Match against reply destination address

       --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
              Match against internal conntrack states

       --ctexpire time[:time]
              Match remaining lifetime in seconds against given value or
              range of values (inclusive)

   dccp
       --source-port,--sport [!] port[:port]

       --destination-port,--dport [!] port[:port]

       --dccp-types [!] mask
              Match when the DCCP packet type is one of 'mask'.  'mask' is
              a comma-separated list of packet types.  Packet types are:
              REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC
              SYNCACK INVALID.

       --dccp-option [!] number
              Match if DCCP option set.

   dscp
       This module matches the 6 bit DSCP field within the TOS field in the
       IP header.  DSCP has superseded TOS within the IETF.

       --dscp value
              Match against a numeric (decimal or hex) value [0-32].

       --dscp-class DiffServ Class
              Match the DiffServ class.  This value may be any of the BE,
              EF, AFxx or CSx classes.  It will then be converted into its
              corresponding numeric value.

   ecn
       This allows you to match the ECN bits of the IPv4 and TCP header.
       ECN is the Explicit Congestion Notification mechanism as specified
       in RFC3168.

       --ecn-tcp-cwr
              This matches if the TCP ECN CWR (Congestion Window Received)
              bit is set.

       --ecn-tcp-ece
              This matches if the TCP ECN ECE (ECN Echo) bit is set.

       --ecn-ip-ect num
              This matches a particular IPv4 ECT (ECN-Capable Transport).
              You have to specify a number between `0' and `3'.

   esp
       This module matches the SPIs in ESP header of IPsec packets.

       --espspi [!] spi[:spi]

   hashlimit
       This patch adds a new match called 'hashlimit'.  The idea is to have
       something like 'limit', but either per destination-ip or per
       (destip,destport) tuple.

       It gives you the ability to express

               '1000 packets per second for every host in 192.168.0.0/16'

               '100 packets per second for every service of 192.168.1.1'

       with a single iptables rule.

       --hashlimit rate
              A rate just like the limit match

       --hashlimit-burst num
              Burst value, just like limit match

       --hashlimit-mode dstip,srcip,dstport,srcport
              A comma-separated list of objects to take into consideration

       --hashlimit-name foo
              The name for the /proc/net/ipt_hashlimit/foo entry

       --hashlimit-htable-size num
              The number of buckets of the hash table

       --hashlimit-htable-max num
              Maximum entries in the hash

       --hashlimit-htable-expire num
              After how many milliseconds do hash entries expire

       --hashlimit-htable-gcinterval num
              How many milliseconds between garbage collection intervals

   helper
       This module matches packets related to a specific conntrack-helper.

       --helper string
              Matches packets related to the specified conntrack-helper.

              string can be "ftp" for packets related to an ftp-session on
              default port.  For other ports append -portnr to the value,
              i.e. "ftp-2121".

              Same rules apply for other conntrack-helpers.

   icmp
       This extension can be used if `--protocol icmp' is specified.  It
       provides the following option:

       --icmp-type [!] typename
              This allows specification of the ICMP type, which can be a
              numeric ICMP type, or one of the ICMP type names shown by the
              command
               iptables -p icmp -h

   iprange
       This matches on a given arbitrary range of IPv4 addresses

       [!]--src-range ip-ip
              Match source IP in the specified range.

       [!]--dst-range ip-ip
              Match destination IP in the specified range.

   length
       This module matches the length of a packet against a specific value
       or range of values.

       --length [!] length[:length]

   limit
       This module matches at a limited rate using a token bucket filter.
       A rule using this extension will match until this limit is reached.
       It can be used in combination with the LOG target to give limited
       logging, for example.

       --limit rate
              Maximum average matching rate: specified as a number, with an
              optional `/second', `/minute', `/hour', or `/day' suffix; the
              default is 3/hour.

       --limit-burst number
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.
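
       The following is an added illustration, not code from the man page
       or from iptables itself, serving both the hashlimit and the limit
       sections: a Python token-bucket model in which a rule matches while
       a token is available, the bucket starts full with --limit-burst
       tokens and refills at --limit rate, and hashlimit simply keeps one
       such bucket per tuple named by --hashlimit-mode.  The TokenBucket
       and HashLimit classes, the demo functions and the sample packets
       are invented for this example; the expiry handling stands in for
       --hashlimit-htable-expire.

```python
"""Added example for this page (not iptables code): a token-bucket model
of the limit and hashlimit matches.  limit keeps one bucket per rule;
hashlimit keeps one bucket per tuple named by --hashlimit-mode.  Rate
strings follow the page ("3/hour"); class and function names are
invented."""
from typing import Dict, Tuple

PERIOD_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(rate: str) -> float:
    """'3/hour' -> tokens per second; a bare number means per second."""
    count, _, unit = rate.partition("/")
    unit = unit or "second"
    if unit not in PERIOD_SECONDS:
        raise ValueError(f"unknown rate suffix {unit!r}")
    return int(count) / PERIOD_SECONDS[unit]


class TokenBucket:
    """Matches while a token is available.  The bucket starts full with
    `burst` tokens (the initial burst) and refills one token every
    1/rate seconds, never beyond `burst`."""

    def __init__(self, rate_per_second: float, burst: int, now: float) -> None:
        self.rate = rate_per_second
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def take(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class HashLimit:
    """One TokenBucket per key built from the packet fields in `mode`.
    With mode=() there is a single bucket, i.e. the plain limit match
    (defaults 3/hour and burst 5, as on the page)."""

    def __init__(self, rate: str = "3/hour", burst: int = 5,
                 mode: Tuple[str, ...] = (), expire_ms: int = 10000) -> None:
        self.rate = parse_rate(rate)
        self.burst = burst
        self.mode = mode
        self.expire = expire_ms / 1000.0
        self.buckets: Dict[Tuple, TokenBucket] = {}

    def matches(self, pkt: Dict[str, object], now: float) -> bool:
        key = tuple(pkt[name] for name in self.mode)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst, now)
        return bucket.take(now)

    def gc(self, now: float) -> int:
        """Drop entries idle longer than the expire interval (the role of
        --hashlimit-htable-expire); returns how many were removed."""
        stale = [k for k, b in self.buckets.items() if now - b.last > self.expire]
        for k in stale:
            del self.buckets[k]
        return len(stale)


def limit_demo() -> Tuple[list, bool]:
    """--limit 3/hour --limit-burst 5: a burst of 7 packets at t=0 matches
    only the first 5; 1/rate = 1200 s later one more token is available."""
    rule = HashLimit("3/hour", burst=5)
    burst = [rule.matches({}, now=0.0) for _ in range(7)]
    return burst, rule.matches({}, now=1201.0)


def hashlimit_demo() -> Tuple[list, int]:
    """--hashlimit 2/second --hashlimit-burst 2 --hashlimit-mode dstip:
    each destination gets its own bucket, so a third packet to the first
    host is refused while the first packet to a second host matches.
    The packets are constructed sample data."""
    rule = HashLimit("2/second", burst=2, mode=("dstip",))
    pkts = [{"dstip": "192.168.1.10"}] * 3 + [{"dstip": "192.168.1.11"}]
    results = [rule.matches(p, now=0.0) for p in pkts]
    return results, rule.gc(now=20.0)   # both entries idle > 10 s
```

       The same bucket model explains why "-m limit" in front of a LOG
       rule bounds log volume: once the burst is used up, only one log
       line per 1/rate interval gets through, and silence for long enough
       lets the burst build back up to --limit-burst.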

   mac
       --mac-source [!] address
              Match source MAC address.  It must be of the form
              XX:XX:XX:XX:XX:XX.  Note that this only makes sense for
              packets coming from an Ethernet device and entering the
              PREROUTING, FORWARD or INPUT chains.

   mark
       This module matches the netfilter mark field associated with a
       packet (which can be set using the MARK target below).

       --mark value[/mask]
              Matches packets with the given unsigned mark value (if a mask
              is specified, this is logically ANDed with the mask before
              the comparison).

   multiport
       This module matches a set of source or destination ports.  Up to 15
       ports can be specified.  A port range (port:port) counts as two
       ports.  It can only be used in conjunction with -p tcp or -p udp.

       --source-ports [!] port[,port[,port:port...]]
              Match if the source port is one of the given ports.  The flag
              --sports is a convenient alias for this option.

       --destination-ports [!] port[,port[,port:port...]]
              Match if the destination port is one of the given ports.  The
              flag --dports is a convenient alias for this option.

       --ports [!] port[,port[,port:port...]]
              Match if either the source or destination ports are equal to
              one of the given ports.
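
       The following is an added illustration and not part of the man page
       or of iptables: a Python parser for the port[,port[,port:port...]]
       list that --sports, --dports and --ports take, enforcing the rule
       above that at most 15 ports may be given with a range counting as
       two.  The function names (parse_port_list, port_budget,
       is_valid_port_list, multiport_matches) are invented for this
       example.

```python
"""Added example for this page (not iptables code): parsing the
port[,port[,port:port...]] list that --sports/--dports/--ports take,
with the page's rule that at most 15 ports may be given and a range
counts as two.  Function names are invented."""
from typing import List, Tuple

MAX_PORTS = 15
PortRange = Tuple[int, int]


def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_port_list(spec: str) -> Tuple[bool, List[PortRange]]:
    """Parse "[!] port[,port[,port:port...]]" into (inverted, ranges).

    Each element is stored as an inclusive (low, high) pair; a single
    port becomes (p, p).  Raises ValueError if the list is malformed or
    exceeds the 15-port budget (a range uses two of the 15)."""
    spec = spec.strip()
    inverted = spec.startswith("!")
    if inverted:
        spec = spec[1:].strip()
    ranges: List[PortRange] = []
    budget = 0
    for item in spec.split(","):
        if not item:
            raise ValueError("empty element in port list")
        if ":" in item:
            low, high = (_port(x) for x in item.split(":", 1))
            if low > high:
                raise ValueError(f"inverted range: {item}")
            budget += 2
        else:
            low = high = _port(item)
            budget += 1
        ranges.append((low, high))
    if budget > MAX_PORTS:
        raise ValueError(f"{budget} ports requested, multiport allows {MAX_PORTS}")
    return inverted, ranges


def port_budget(spec: str) -> int:
    """How many of the 15 slots a specification consumes (no validation)."""
    items = spec.lstrip("! ").split(",")
    return sum(2 if ":" in item else 1 for item in items)


def is_valid_port_list(spec: str) -> bool:
    try:
        parse_port_list(spec)
    except ValueError:
        return False
    return True


def multiport_matches(spec: str, port: int) -> bool:
    """--ports semantics for one port number: True when the port falls in
    any listed element, inverted when the spec starts with "!"."""
    inverted, ranges = parse_port_list(spec)
    hit = any(low <= port <= high for low, high in ranges)
    return hit != inverted


if __name__ == "__main__":
    # Constructed sample specifications.
    for spec in ("22,80,443,8000:8080",
                 "1,2,3,4,5,6,7,8,9,10,11,12,13,14,8000:8080"):
        print(f"{spec}: budget {port_budget(spec)}, valid {is_valid_port_list(spec)}")
```

       The second sample above lists 14 single ports plus one range, which
       is 16 slots and therefore rejected, even though only 15 elements
       appear in the list.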
604
605   owner
606       This  module  attempts  to  match various characteristics of the packet
607       creator, for locally-generated packets.  It is only valid in the OUTPUT
608       chain,  and  even  this  some packets (such as ICMP ping responses) may
609       have no owner, and hence never match.
610
611       --uid-owner userid
612              Matches if the packet was created by a process  with  the  given
613              effective user id.
614
615       --gid-owner groupid
616              Matches  if  the  packet was created by a process with the given
617              effective group id.
618
619       --pid-owner processid
620              Matches if the packet was created by a process  with  the  given
621              process id.
622
623       --sid-owner sessionid
624              Matches if the packet was created by a process in the given ses‐
625              sion group.
626
627       --cmd-owner name
628              Matches if the packet was created by a process  with  the  given
629              command name.  (this option is present only if iptables was com‐
630              piled under a kernel supporting this feature)
631
632       NOTE: pid, sid and command matching are broken on SMP
633
634   physdev
635       This module matches  on  the  bridge  port  input  and  output  devices
636       enslaved  to  a bridge device. This module is a part of the infrastruc‐
637       ture that enables a transparent bridging IP firewall and is only useful
638       for kernel versions above version 2.5.44.
639
640       --physdev-in [!] name
641              Name  of  a bridge port via which a packet is received (only for
642              packets entering the INPUT, FORWARD and PREROUTING  chains).  If
643              the  interface  name  ends  in  a  "+", then any interface which
644              begins with this name will match. If the  packet  didn't  arrive
645              through  a  bridge  device, this packet won't match this option,
646              unless '!' is used.
647
648       --physdev-out [!] name
649              Name of a bridge port via which a packet is  going  to  be  sent
650              (for  packets  entering  the  FORWARD,  OUTPUT  and  POSTROUTING
651              chains).  If the interface name ends in a "+", then  any  inter‐
652              face  which  begins  with this name will match. Note that in the
653              nat and mangle OUTPUT chains one cannot match on the bridge out‐
654              put  port,  however  one  can in the filter OUTPUT chain. If the
655              packet won't leave by a bridge device or it is yet unknown  what
656              the  output  device  will  be,  then the packet won't match this
657              option, unless
658
659       [!] --physdev-is-in
660              Matches if the packet has entered through a bridge interface.
661
662       [!] --physdev-is-out
663              Matches if the packet will leave through a bridge interface.
664
665       [!] --physdev-is-bridged
666              Matches if the packet is being  bridged  and  therefore  is  not
667              being  routed.  This is only useful in the FORWARD and POSTROUT‐
668              ING chains.
669
670   pkttype
671       This module matches the link-layer packet type.
672
673       --pkt-type [unicast|broadcast|multicast]
674
675   policy
676       This module matches the policy used by IPsec for handling a packet.
677
678       --dir in|out
679              Used to select whether to match the policy used  for  decapsula‐
680              tion  or  the policy that will be used for encapsulation.  in is
681              valid in the PREROUTING, INPUT and FORWARD chains, out is  valid
682              in the POSTROUTING, OUTPUT and FORWARD chains.
683
684       --pol none|ipsec
685              Matches if the packet is subject to IPsec processing.
686
687       --strict
688              Selects  whether  to match the exact policy or match if any rule
689              of the policy matches the given policy.
690
691       --reqid id
692              Matches the reqid of the policy rule. The reqid can be specified
693              with setkey(8) using unique:id as level.
694
695       --spi spi
696              Matches the SPI of the SA.
697
698       --proto ah|esp|ipcomp
699              Matches the encapsulation protocol.
700
701       --mode tunnel|transport
702              Matches the encapsulation mode.
703
704       --tunnel-src addr[/mask]
705              Matches  the source end-point address of a tunnel mode SA.  Only
706              valid with --mode tunnel.
707
708       --tunnel-dst addr[/mask]
709              Matches the destination end-point address of a tunnel  mode  SA.
710              Only valid with --mode tunnel.
711
712       --next Start  the next element in the policy specification. Can only be
713              used with --strict
714
715   quota
716       Implements network quotas by decrementing  a  byte  counter  with  each
717       packet.
718
719       --quota bytes
720              The quota in bytes.
721
722   realm
723       This  matches  the  routing  realm.  Routing realms are used in complex
724       routing setups involving dynamic routing protocols like BGP.
725
726       --realm [!] value[/mask]
727              Matches a given realm number (and optionally  mask).  If  not  a
728              number,  value can be a named realm from /etc/iproute2/rt_realms
729              (mask can not be used in that case).
730
731   recent
732       Allows you to dynamically create a list of IP addresses and then  match
733       against that list in a few different ways.
734
735       For example, you can create a `badguy' list out of people attempting to
736       connect to port 139 on your firewall and then DROP all  future  packets
737       from them without considering them.
738
739       --name name
740              Specify  the  list  to use for the commands. If no name is given
741              then 'DEFAULT' will be used.
742
743       [!] --set
744              This will add the source address of the packet to the  list.  If
745              the  source address is already in the list, this will update the
746              existing entry. This will always return success (or  failure  if
747              `!' is passed in).
748
749       [!] --rcheck
750              Check  if  the  source address of the packet is currently in the
751              list.
752
753       [!] --update
754              Like --rcheck, except it will update the "last  seen"  timestamp
755              if it matches.
756
757       [!] --remove
758              Check  if  the  source address of the packet is currently in the
759              list and if so that address will be removed from  the  list  and
760              the rule will return true. If the address is not found, false is
761              returned.
762
763       [!] --seconds seconds
764              This option must be used in conjunction with one of --rcheck  or
765              --update.  When  used, this will narrow the match to only happen
766              when the address is in the list and was  seen  within  the  last
767              given number of seconds.
768
769       [!] --hitcount hits
770              This  option must be used in conjunction with one of --rcheck or
771              --update. When used, this will narrow the match to  only  happen
772              when  the  address  is in the list and packets had been received
773              greater than or equal to the given value.  This  option  may  be
774              used  along  with  --seconds  to  create  an even narrower match
775              requiring a certain number of hits within a specific time frame.
776
777       --rttl This option must be used in conjunction with one of --rcheck  or
778              --update.  When  used, this will narrow the match to only happen
779              when the address is in the list  and  the  TTL  of  the  current
780              packet matches that of the packet which hit the --set rule. This
781              may be useful if you have  problems  with  people  faking  their
782              source  address in order to DoS you via this module by disallow‐
783              ing others access to your site by sending bogus packets to you.
784
785       Examples:
786
787              # iptables -A FORWARD -m recent --name badguy --rcheck --seconds
788              60 -j DROP
789
790              #  iptables  -A  FORWARD  -p  tcp  -i eth0 --dport 139 -m recent
791              --name badguy --set -j DROP
792
793       Official  website  (http://snowman.net/projects/ipt_recent/)  also  has
794       some examples of usage.
795
796       /proc/net/ipt_recent/*  are the current lists of addresses and informa‐
797       tion about each entry of each list.
798
799       Each file in /proc/net/ipt_recent/ can be read from to see the  current
800       list or written to using the following commands to modify the list:
801
802       echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
803              to add to the DEFAULT list
804
805       echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
806              to Remove from the DEFAULT list
807
808       echo clear > /proc/net/ipt_recent/DEFAULT
809              to empty the DEFAULT list.
810
811       The module itself accepts parameters, defaults shown:
812
813       ip_list_tot=100
814              Number of addresses remembered per table
815
816       ip_pkt_list_tot=20
817              Number of packets per address remembered
818
819       ip_list_hash_size=0
820              Hash  table  size. 0 means to calculate it based on ip_list_tot,
821              default: 512
822
823       ip_list_perms=0644
824              Permissions for /proc/net/ipt_recent/* files
825
826       debug=0
827              Set to 1 to get lots of debugging info
828
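       The rate-limiting pattern the two example rules above express (record an
       address with --set, then match it with --rcheck/--update, --seconds and
       --hitcount) can be reasoned about with the following model of the list
       bookkeeping. It is an added example, not code from iptables or ipt_recent;
       the list name `ssh', the port 22 rule pair and the connection timeline are
       constructed.

```python
"""Simulation of the `recent' match bookkeeping described above.

Added example, not code from the iptables project.  It models one named
list (one /proc/net/ipt_recent/<name> file): per source address the module
keeps up to ip_pkt_list_tot "seen" timestamps, and the whole list holds at
most ip_list_tot addresses, evicting the least recently seen one.
"""
from collections import OrderedDict


class RecentList:
    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20):
        self.ip_list_tot = ip_list_tot          # addresses remembered per list
        self.ip_pkt_list_tot = ip_pkt_list_tot  # timestamps remembered per address
        self.entries = OrderedDict()            # addr -> [timestamps], oldest first

    def set(self, addr, now):
        """--set: add the address, or refresh its entry if already listed."""
        stamps = self.entries.pop(addr, [])
        stamps.append(now)
        self.entries[addr] = stamps[-self.ip_pkt_list_tot:]  # keep newest stamps only
        while len(self.entries) > self.ip_list_tot:           # list full: evict oldest
            self.entries.popitem(last=False)
        return True

    def _hits(self, addr, now, seconds):
        """Remembered packets from addr within the last `seconds' (all if None)."""
        if addr not in self.entries:
            return 0
        return sum(1 for t in self.entries[addr]
                   if seconds is None or now - t <= seconds)

    def rcheck(self, addr, now, seconds=None, hitcount=None):
        """--rcheck [--seconds N] [--hitcount M]: match without touching the entry."""
        hits = self._hits(addr, now, seconds)
        if hits == 0:                    # unknown address, or nothing seen in the window
            return False
        return hitcount is None or hits >= hitcount

    def update(self, addr, now, seconds=None, hitcount=None):
        """--update: like --rcheck, but a match also records this packet as seen."""
        if not self.rcheck(addr, now, seconds, hitcount):
            return False
        self.set(addr, now)
        return True

    def remove(self, addr):
        """--remove: drop the address; true only if it was listed."""
        return self.entries.pop(addr, None) is not None


# Constructed sample: (seconds since start, source address) of new TCP connections
# to port 22.  198.51.100.7 opens four connections within 30 s, then two more later.
SAMPLE_CONNECTIONS = [
    (0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
    (30, "198.51.100.7"), (30, "203.0.113.5"),
    (100, "198.51.100.7"), (110, "198.51.100.7"),
]


def ssh_ratelimit_verdicts(connections, seconds=60, hitcount=4):
    """Verdict per connection for this rule pair (list name `ssh' is constructed):

        iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
                 -m recent --name ssh --set
        iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
                 -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP

    The first rule records every new connection; the second drops the
    connection once the address has been seen `hitcount' times (this one
    included) within `seconds'.  Everything else falls through (ACCEPT here).
    """
    ssh = RecentList()
    verdicts = []
    for now, addr in connections:
        ssh.set(addr, now)
        dropped = ssh.update(addr, now, seconds=seconds, hitcount=hitcount)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts
```

       Because only ip_pkt_list_tot timestamps are kept per address, a --hitcount
       larger than that module parameter can never match; the model reproduces
       that limit.
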
829   sctp
830       --source-port,--sport [!] port[:port]
831
832       --destination-port,--dport [!] port[:port]
833
834       --chunk-types [!] all|any|only chunktype[:flags] [...]
835              The flag letter in upper case indicates  that  the  flag  is  to
836              match if set, in the lower case indicates to match if unset.
837
838              Chunk  types:  DATA  INIT  INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK
839              ABORT  SHUTDOWN  SHUTDOWN_ACK   ERROR   COOKIE_ECHO   COOKIE_ACK
840              ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
841
842              chunk type            available flags
843              DATA                  U B E u b e
844              ABORT                 T t
845              SHUTDOWN_COMPLETE     T t
846
847              (lowercase means flag should be "off", uppercase means "on")
848
849       Examples:
850
851       iptables -A INPUT -p sctp --dport 80 -j DROP
852
853       iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
854
855       iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
856
857   set
858       This module matches IP sets which can be defined by ipset(8).
859
860       --set setname flag[,flag...]
861              where flags are src and/or dst and there can be no more than six
862              of them. Hence the command
863               iptables -A FORWARD -m set --set test src,dst
864              will match packets, for which (depending on the type of the set)
865              the  source address or port number of the packet can be found in
866              the specified set. If there is a binding belonging to the matched
867              set  element  or  there  is a default binding for the given set,
868              then the  rule  will  match  the  packet  only  if  additionally
869              (depending  on  the  type of the set) the destination address or
870              port number of the packet can be found in the set  according  to
871              the binding.
872
873   state
874       This  module,  when combined with connection tracking, allows access to
875       the connection tracking state for this packet.
876
877       --state state
878              Where state is a comma separated list of the  connection  states
879              to  match.   Possible states are INVALID meaning that the packet
880              could not be identified for some reason which  includes  running
881              out  of  memory  and  ICMP  errors which don't correspond to any
882              known connection, ESTABLISHED meaning that the packet is associ‐
883              ated  with  a  connection  which has seen packets in both direc‐
884              tions, NEW meaning that the packet has started a new connection,
885              or  otherwise  associated  with  a connection which has not seen
886              packets in both directions, and RELATED meaning that the  packet
887              is starting a new connection, but is associated with an existing
888              connection, such as an FTP data transfer, or an ICMP error.
889
890   string
891       This module matches a given string  by  using  some  pattern  matching
892       strategy. It requires a linux kernel >= 2.6.14.
893
894       --algo  bm|kmp
895              Select  the  pattern matching strategy. (bm = Boyer-Moore, kmp =
896              Knuth-Morris-Pratt)
897
898       --from offset
899              Set the offset from which it starts looking for any matching. If
900              not passed, default is 0.
901
902       --to offset
903              Set the offset up to which it looks for any matching.  If  not
904              passed, default is the packet size.
905
906       --string pattern
907              Matches the given pattern.
908
          --hex-string pattern
                 Matches the given pattern in hex notation.
909
910   tcp
911       These  extensions can be used if `--protocol tcp' is specified. It pro‐
912       vides the following options:
913
914       --source-port [!] port[:port]
915              Source port or port range specification. This can  either  be  a
916              service  name  or  a port number. An inclusive range can also be
917              specified, using the format port:port.  If  the  first  port  is
918              omitted,  "0"  is  assumed;  if  the last is omitted, "65535" is
919              assumed.  If the first port is greater than the second, they will
920              be swapped.  The flag --sport is  a  convenient  alias  for  this
921              option.
922
923       --destination-port [!] port[:port]
924              Destination port or port range specification.  The flag  --dport
925              is a convenient alias for this option.
926
927       --tcp-flags [!] mask comp
928              Match  when  the TCP flags are as specified.  The first argument
929              is the flags which we should examine, written as  a  comma-sepa‐
930              rated list, and the second argument is a comma-separated list of
931              flags which must be set.  Flags are: SYN ACK FIN RST URG PSH ALL
932              NONE.  Hence the command
933               iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
934              will  only match packets with the SYN flag set, and the ACK, FIN
935              and RST flags unset.
936
937       [!] --syn
938              Only match TCP packets with the SYN bit set and the ACK,RST  and
939              FIN  bits cleared.  Such packets are used to request TCP connec‐
940              tion initiation; for example, blocking such packets coming in an
941              interface  will  prevent  incoming TCP connections, but outgoing
942              TCP connections will be unaffected.  It is equivalent to  --tcp-
943              flags  SYN,RST,ACK,FIN  SYN.   If  the  "!"  flag  precedes  the
944              "--syn", the sense of the option is inverted.
945
946       --tcp-option [!] number
947              Match if TCP option set.
948
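       The matching rule stated above for --tcp-flags, and the expansion of --syn
       into --tcp-flags SYN,RST,ACK,FIN SYN, as an added example that is not part
       of the iptables man page or sources; the flag bit values are those of the
       TCP header flags byte, and the packets fed to it are constructed.

```python
"""Simulation of the `--tcp-flags [!] mask comp' and `[!] --syn' matches.

Added example, not code from the iptables project.  A packet matches when,
looking only at the flag bits named in mask, exactly the bits named in comp
are set; --syn is the documented shorthand --tcp-flags SYN,RST,ACK,FIN SYN.
"""
TCP_FLAG_BITS = {  # bit values as laid out in the TCP header flags byte
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
ALL_FLAGS = sum(TCP_FLAG_BITS.values())


def parse_flag_list(spec):
    """Turn a comma-separated flag list, or the words ALL / NONE, into a bitmask."""
    spec = spec.upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        if name not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag: {name}")
        bits |= TCP_FLAG_BITS[name]
    return bits


def flags_from_names(*names):
    """Build a packet's flags byte from flag names (constructed test input)."""
    return parse_flag_list(",".join(names)) if names else 0


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """--tcp-flags [!] mask comp: the bits in mask must equal comp; others are ignored."""
    matched = (packet_flags & parse_flag_list(mask)) == parse_flag_list(comp)
    return matched != invert


def syn_match(packet_flags, invert=False):
    """[!] --syn: SYN set and ACK, RST, FIN clear, i.e. a connection request."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN", invert)


def syn_matches_documented_expansion():
    """Check over all 64 flag combinations that --syn behaves exactly like the
    man page's expansion --tcp-flags SYN,RST,ACK,FIN SYN evaluated bit by bit."""
    for flags in range(64):
        expected = bool(flags & 0x02) and not flags & (0x10 | 0x04 | 0x01)
        if syn_match(flags) != expected:
            return False
    return True
```
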
949   tcpmss
950       This matches the TCP MSS  (maximum  segment  size)  field  of  the  TCP
951       header.  You can only use this on TCP SYN or SYN/ACK packets, since the
952       MSS is only negotiated during the TCP handshake at  connection  startup
953       time.
954
955       [!] --mss value[:value]
956              Match a given TCP MSS value or range.
957
958   tos
959       This  module  matches  the  8  bits  of Type of Service field in the IP
960       header (ie. including the precedence bits).
961
962       --tos tos
963              The argument is either a standard name, (use
964               iptables -m tos -h
965              to see the list), or a numeric value to match.
966
967   ttl
968       This module matches the time to live field in the IP header.
969
970       --ttl-eq ttl
971              Matches the given TTL value.
972
973       --ttl-gt ttl
974              Matches if TTL is greater than the given TTL value.
975
976       --ttl-lt ttl
977              Matches if TTL is less than the given TTL value.
978
979   udp
980       These extensions can be used if `--protocol udp' is specified.  It pro‐
981       vides the following options:
982
983       --source-port [!] port[:port]
984              Source port or port range specification.  See the description of
985              the --source-port option of the TCP extension for details.
986
987       --destination-port [!] port[:port]
988              Destination port or port range specification.  See the  descrip‐
989              tion  of  the --destination-port option of the TCP extension for
990              details.
991
992   unclean
993       This module takes no options, but attempts to match packets which  seem
994       malformed or unusual.  This is regarded as experimental.
995

TARGET EXTENSIONS

997       iptables can use extended target modules: the following are included in
998       the standard distribution.
999
1000   CLASSIFY
1001       This module allows you to set the skb->priority value (and  thus  clas‐
1002       sify the packet into a specific CBQ class).
1003
1004       --set-class MAJOR:MINOR
1005              Set the major and minor class value.
1006
1007   CLUSTERIP
1008       This  module  allows  you  to  configure a simple cluster of nodes that
1009       share a certain IP and MAC address without an explicit load balancer in
1010       front  of  them.   Connections  are  statically distributed between the
1011       nodes in this cluster.
1012
1013       --new  Create a new ClusterIP.  You always have  to  set  this  on  the
1014              first rule for a given ClusterIP.
1015
1016       --hashmode mode
1017              Specify  the hashing mode.  Has to be one of sourceip, sourceip-
1018              sourceport, sourceip-sourceport-destport
1019
1020       --clustermac mac
1021              Specify the ClusterIP MAC address.  Has to be a link-layer  mul‐
1022              ticast address
1023
1024       --total-nodes num
1025              Number of total nodes within this cluster.
1026
1027       --local-node num
1028              Local node number within this cluster.
1029
1030       --hash-init rnd
1031              Specify the random seed used for hash initialization.
1032
1033   CONNMARK
1034       This module sets the netfilter mark value associated with a connection
1035
1036       --set-mark mark[/mask]
1037              Set connection mark. If a mask is specified then only those bits
1038              set in the mask are modified.
1039
1040       --save-mark [--mask mask]
1041              Copy the netfilter packet mark value to the connection mark.  If
1042              a mask is specified then only those bits are copied.
1043
1044       --restore-mark [--mask mask]
1045              Copy the connection mark value to the packet. If a mask is spec‐
1046              ified then only those bits are copied. This is only valid in the
1047              mangle table.
1048
1049   CONNSECMARK
1050       This  module  copies  security markings from packets to connections (if
1051       unlabeled), and from connections back to packets (also  only  if  unla‐
1052       beled).   Typically  used in conjunction with SECMARK, it is only valid
1053       in the mangle table.
1054
1055       --save If the packet has a security marking, copy it to the  connection
1056              if the connection is not marked.
1057
1058       --restore
1059              If  the packet does not have a security marking, and the connec‐
1060              tion does, copy the security marking from the connection to  the
1061              packet.
1062
1063
1064   DNAT
1065       This  target is only valid in the nat table, in the PREROUTING and OUT‐
1066       PUT chains, and user-defined chains which are only  called  from  those
1067       chains.  It specifies that the destination address of the packet should
1068       be modified (and all future packets in this  connection  will  also  be
1069       mangled),  and rules should cease being examined.  It takes one type of
1070       option:
1071
1072       --to-destination [ipaddr][-ipaddr][:port-port]
1073              which can specify a single new destination IP address, an inclu‐
1074              sive  range of IP addresses, and optionally, a port range (which
1075              is only valid if the rule also specifies -p tcp or -p udp).   If
1076              no port range is specified, then the destination port will never
1077              be modified. If no IP address is specified then only the  desti‐
1078              nation port will be modified.
1079
1080              In  Kernels  up  to  2.6.10 you can add several --to-destination
1081              options.  For those kernels, if you specify more than one desti‐
1082              nation  address,  either  via an address range or multiple --to-
1083              destination options, a simple round-robin (one after another  in
1084              cycle)  load  balancing  takes  place  between  these addresses.
1085              Later Kernels (>= 2.6.11-rc1) don't have the ability to  NAT  to
1086              multiple ranges anymore.
1087
1088       --random
1089              If  option --random is used then port mapping will be randomized
1090              (kernel >= 2.6.22).
1091
1092   DSCP
1093       This target allows altering the value of the DSCP bits within the  TOS
1094       header  of  the IPv4 packet.  As this manipulates a packet, it can only
1095       be used in the mangle table.
1096
1097       --set-dscp value
1098              Set the DSCP field to a numerical value (can be decimal or hex)
1099
1100       --set-dscp-class class
1101              Set the DSCP field to a DiffServ class.
1102
1103   ECN
1104       This target allows you to selectively work around known ECN blackholes.
1105       can only be used in the mangle table.
1106
1107       --ecn-tcp-remove
1108              Remove all ECN bits from the TCP header.  Of course, it can only
1109              be used in conjunction with -p tcp.
1110
1111   LOG
1112       Turn on kernel logging of matching packets.  When this  option  is  set
1113       for  a rule, the Linux kernel will print some information on all match‐
1114       ing packets (like most IP header fields) via the kernel log  (where  it
1115       can be read with dmesg or syslogd(8)).  This is a "non-terminating tar‐
1116       get", i.e. rule traversal continues at the next rule.  So if  you  want
1117       to  LOG  the  packets  you refuse, use two separate rules with the same
1118       matching criteria, first using target LOG then DROP (or REJECT).
1119
1120       --log-level level
1121              Level of logging (numeric or see syslog.conf(5)).
1122
1123       --log-prefix prefix
1124              Prefix log messages with the specified prefix; up to 29  letters
1125              long, and useful for distinguishing messages in the logs.
1126
1127       --log-tcp-sequence
1128              Log  TCP sequence numbers. This is a security risk if the log is
1129              readable by users.
1130
1131       --log-tcp-options
1132              Log options from the TCP packet header.
1133
1134       --log-ip-options
1135              Log options from the IP packet header.
1136
1137       --log-uid
1138              Log the userid of the process which generated the packet.
1139
1140   MARK
1141       This is used to set  the  netfilter  mark  value  associated  with  the
1142       packet.   It  is only valid in the mangle table.  It can for example be
1143       used in conjunction with iproute2.
1144
1145       --set-mark value
1146              Set nfmark value
1147
1148       --and-mark value
1149              Binary AND the nfmark with value
1150
1151       --or-mark value
1152              Binary OR  the nfmark with value
1153
1154   MASQUERADE
1155       This target is only valid in the nat table, in the  POSTROUTING  chain.
1156       It  should  only  be used with dynamically assigned IP (dialup) connec‐
1157       tions: if you have a static IP address, you should use the SNAT target.
1158       Masquerading is equivalent to specifying a mapping to the IP address of
1159       the interface the packet is going out, but also  has  the  effect  that
1160       connections  are  forgotten  when the interface goes down.  This is the
1161       correct behavior when the next dialup is  unlikely  to  have  the  same
1162       interface  address (and hence any established connections are lost any‐
1163       way).  It takes one option:
1164
1165       --to-ports port[-port]
1166              This specifies a range of source ports to  use,  overriding  the
1167              default SNAT source port-selection heuristics (see above).  This
1168              is only valid if the rule also specifies -p tcp or -p udp.
1169
1170       --random
1171              Randomize source port mapping.  If option --random is used  then
1172              port mapping will be randomized (kernel >= 2.6.21).
1173
1174   MIRROR
1175       This  is  an experimental demonstration target which inverts the source
1176       and destination fields in the IP header and retransmits the packet.  It
1177       is  only  valid  in the INPUT, FORWARD and PREROUTING chains, and user-
1178       defined chains which are only called from those chains.  Note that  the
1179       outgoing  packets  are NOT seen by any packet filtering chains, connec‐
1180       tion tracking or NAT, to avoid loops and other problems.
1181
1182   NETMAP
1183       This target allows you to statically map a whole network  of  addresses
1184       onto  another  network of addresses.  It can only be used from rules in
1185       the nat table.
1186
1187       --to address[/mask]
1188              Network address to map to.  The resulting address will  be  con‐
1189              structed  in  the  following way: All 'one' bits in the mask are
1190              filled in from the new `address'.  All bits that are zero in the
1191              mask are filled in from the original address.
1192
1193   NFQUEUE
1194       This  target  is an extension of the QUEUE target. As opposed to QUEUE,
1195       it allows you to put a packet into any specific  queue,  identified  by
1196       its 16-bit queue number.
1197
1198       --queue-num value
1199              This  specifies the QUEUE number to use. Valid queue numbers are
1200              0 to 65535. The default value is 0.
1201
1202       It can only be used with Kernel versions  2.6.14  or  later,  since  it
1203       requires the nfnetlink_queue kernel support.
1205
1206   NOTRACK
1207       This  target disables connection tracking for all packets matching that
1208       rule.
1209
1210       It can only be used in the raw table.
1212
1213   REDIRECT
1214       This target is only valid in the nat table, in the PREROUTING and  OUT‐
1215       PUT  chains,  and  user-defined chains which are only called from those
1216       chains.  It redirects the packet to the machine itself by changing  the
1217       destination  IP  to  the  primary  address  of  the  incoming interface
1218       (locally-generated packets are mapped to the  127.0.0.1  address).   It
1219       takes one option:
1220
1221       --to-ports port[-port]
1222              This  specifies  a  destination  port  or range of ports to use:
1223              without this, the destination port is never  altered.   This  is
1224              only valid if the rule also specifies -p tcp or -p udp.
1225
1226       --random
1227              If  option --random is used then port mapping will be randomized
1228              (kernel >= 2.6.22).
1229
1230   REJECT
1231       This is used to send back an error packet in response  to  the  matched
1232       packet:  otherwise it is equivalent to DROP so it is a terminating TAR‐
1233       GET, ending rule traversal.  This target is only valid  in  the  INPUT,
1234       FORWARD  and  OUTPUT  chains,  and  user-defined  chains which are only
1235       called from those chains.  The following option controls the nature  of
1236       the error packet returned:
1237
1238       --reject-with type
1239              The type given can be
1240               icmp-net-unreachable
1241               icmp-host-unreachable
1242               icmp-port-unreachable
1243               icmp-proto-unreachable
1244               icmp-net-prohibited
1245               icmp-host-prohibited or
1246               icmp-admin-prohibited (*)
1247              which  return  the appropriate ICMP error message (port-unreach‐
1248              able is the default).  The option tcp-reset can be used on rules
1249              which  only match the TCP protocol: this causes a TCP RST packet
1250              to be sent back.  This  is  mainly  useful  for  blocking  ident
1251              (113/tcp)  probes  which  frequently  occur when sending mail to
1252              broken mail hosts (which won't accept your mail otherwise).
1253
1254       (*) Using icmp-admin-prohibited with kernels that  do  not  support  it
1255       will result in a plain DROP instead of REJECT.
1256
1257   SAME
1258       Similar  to SNAT/DNAT depending on chain: it takes a range of addresses
1259       (`--to 1.2.3.4-1.2.3.7') and gives a client the  same  source-/destina‐
1260       tion-address for each connection.
1261
1262       --to <ipaddr>-<ipaddr>
1263              Addresses  to map source to. May be specified more than once for
1264              multiple ranges.
1265
1266       --nodst
1267              Don't use the destination-ip in the calculations when  selecting
1268              the new source-ip.
1269
1270       --random
1271              Port  mapping  will be forcibly randomized to avoid attacks based
1272              on port prediction (kernel >= 2.6.21).
1273
1274   SECMARK
1275       This is used to set the security mark value associated with the  packet
1276       for  use  by  security subsystems such as SELinux.  It is only valid in
1277       the mangle table.
1278
1279       --selctx security_context
1280
1281   SET
1282       This module adds and/or deletes entries  from  IP  sets  which  can  be
1283       defined by ipset(8).
1284
1285       --add-set setname flag[,flag...]
1286              add the address(es)/port(s) of the packet to the sets
1287
1288       --del-set setname flag[,flag...]
1289              delete  the  address(es)/port(s)  of  the  packet from the sets,
1290              where flags are src and/or dst and there can be no more than six
1291              of them.
1292
1293       The bindings to follow must previously be defined  in  order  to  use
1294       multilevel adding/deleting by the SET target.
1295
1296   SNAT
1297       This  target  is only valid in the nat table, in the POSTROUTING chain.
1298       It specifies that the source address of the packet should  be  modified
1299       (and  all  future packets in this connection will also be mangled), and
1300       rules should cease being examined.  It takes one type of option:
1301
1302       --to-source  ipaddr[-ipaddr][:port-port]
1303              which can specify a single new source IP address,  an  inclusive
1304              range  of  IP  addresses, and optionally, a port range (which is
1305              only valid if the rule also specifies -p tcp or -p udp).  If  no
1306              port  range  is  specified,  then source ports below 512 will be
1307              mapped to other ports below 512:  those  between  512  and  1023
1308              inclusive  will  be  mapped to ports below 1024, and other ports
1309              will be mapped to 1024 or above. Where possible, no port  alter‐
1310              ation will
1311
1312              In  Kernels  up  to  2.6.10,  you  can  add  several --to-source
1313              options.  For those kernels, if you specify more than one source
1314              address,  either  via  an  address range or multiple --to-source
1315              options, a simple round-robin (one after another in cycle) takes
1316              place  between  these  addresses.  Later Kernels (>= 2.6.11-rc1)
1317              don't have the ability to NAT to multiple ranges anymore.
1318
1319       --random
1320              If option --random is used then port mapping will be  randomized
1321              (kernel >= 2.6.21).
1322
1323   TCPMSS
1324       This target allows altering the MSS value of TCP SYN packets,  to  con‐
1325       trol the maximum size for that connection (usually limiting it to  your
1326       outgoing  interface's MTU minus 40).  Of course, it can only be used in
1327       conjunction with -p tcp.  It is only valid in the mangle table.
1328       This target is used to overcome criminally braindead  ISPs  or  servers
1329       which  block  ICMP  Fragmentation Needed packets.  The symptoms of this
1330       problem are that everything works fine from your Linux firewall/router,
1331       but machines behind it can never exchange large packets:
1332        1) Web browsers connect, then hang with no data received.
1333        2) Small mail works fine, but large emails hang.
1334        3) ssh works fine, but scp hangs after initial handshaking.
1335       Workaround:  activate  this option and add a rule to your firewall con‐
1336       figuration like:
1337        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1338                    -j TCPMSS --clamp-mss-to-pmtu
1339
1340       --set-mss value
1341              Explicitly set MSS option to specified value.
1342
1343       --clamp-mss-to-pmtu
1344              Automatically clamp MSS value to (path_MTU - 40).
1345
1346       These options are mutually exclusive.
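
       What the rule above does to a SYN, as an added example (not code from
       iptables or the netfilter project): a Python reimplementation of the
       TCPMSS target's packet edit on a constructed IPv4/TCP SYN.  It applies
       the same selection as -p tcp --tcp-flags SYN,RST SYN, rewrites the MSS
       option for --set-mss or --clamp-mss-to-pmtu (pmtu - 40), and
       recomputes the TCP checksum over the pseudo-header.  The sample
       addresses and the pmtu value are constructed, and the rule that an
       existing MSS is only ever lowered is this example's policy choice.

```python
import socket
import struct

TCP_SYN, TCP_RST = 0x02, 0x04
MSS_KIND, MSS_LEN = 2, 4


def ones_complement_checksum(data):
    """RFC 1071 checksum over 16-bit big-endian words (odd length zero-padded)."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(packet, segment):
    # src/dst from the IPv4 header, zero byte, protocol 6, TCP length
    return bytes(packet[12:20]) + struct.pack("!BBH", 0, 6, len(segment))


def tcp_checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    return ones_complement_checksum(tcp_pseudo_header(packet, seg) + seg) == 0


def build_syn(src="10.0.0.2", dst="198.51.100.7", sport=40000, dport=80,
              mss=1460, flags=TCP_SYN):
    """Constructed sample packet: minimal IPv4 header + TCP header carrying
    only an MSS option (data offset 6). Addresses are private/documentation."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    options = struct.pack("!BBH", MSS_KIND, MSS_LEN, mss)
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_off << 4,
                      flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", ones_complement_checksum(
        tcp_pseudo_header(ip, tcp) + tcp)) + tcp[18:]
    return ip + tcp


def tcpmss(packet, set_mss=None, pmtu=None):
    """Apply the TCPMSS target to one IPv4 packet.

    Exactly one of set_mss (--set-mss) or pmtu (--clamp-mss-to-pmtu) must be
    given. Only segments with SYN set and RST clear are touched, as selected
    by --tcp-flags SYN,RST SYN. Returns (packet, old_mss, new_mss); the MSS
    values are None when the packet was not a candidate. An existing MSS is
    only lowered, never raised (this example's policy).
    """
    if (set_mss is None) == (pmtu is None):
        raise ValueError("--set-mss and --clamp-mss-to-pmtu are mutually exclusive")
    target = set_mss if set_mss is not None else pmtu - 40  # 20 IP + 20 TCP
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                       # not TCP
        return packet, None, None
    flags = packet[ihl + 13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):
        return packet, None, None
    pkt = bytearray(packet)
    opt, end = ihl + 20, ihl + (packet[ihl + 12] >> 4) * 4
    while opt < end:
        kind = pkt[opt]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP
            opt += 1
            continue
        length = pkt[opt + 1] if opt + 1 < end else 0
        if length < 2:                       # malformed option, stop parsing
            break
        if kind == MSS_KIND and length == MSS_LEN:
            old = struct.unpack_from("!H", pkt, opt + 2)[0]
            new = min(old, target)
            if new != old:
                struct.pack_into("!H", pkt, opt + 2, new)
                struct.pack_into("!H", pkt, ihl + 16, 0)   # clear checksum
                seg = bytes(pkt[ihl:])
                struct.pack_into("!H", pkt, ihl + 16, ones_complement_checksum(
                    tcp_pseudo_header(pkt, seg) + seg))
            return bytes(pkt), old, new
        opt += length
    return packet, None, None                # no MSS option present
```

       A SYN advertising MSS 1460 behind a PPPoE link (path MTU 1492) comes
       out with MSS 1452; an ACK or a SYN/RST passes through untouched, and
       the rewritten segment still verifies with tcp_checksum_ok.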
1347
   TOS
       This is used to set the 8-bit Type of Service field in the IP header.
       It is only valid in the mangle table.

       --set-tos tos
              You can use a numeric TOS value, or use
               iptables -j TOS -h
              to see the list of valid TOS names.
1356
   TTL
       This is used to modify the IPv4 TTL header field.  The TTL field
       determines how many hops (routers) a packet can traverse until its
       time to live is exceeded.

       Setting or incrementing the TTL field can potentially be very
       dangerous, so it should be avoided at any cost: the TTL is what stops
       a packet caught in a routing loop from circulating forever, and
       raising it defeats that protection for every router downstream.

       Don't ever set or increment the value on packets that leave your local
       network!  This target is only valid in the mangle table.

       --ttl-set value
              Set the TTL value to `value'.

       --ttl-dec value
              Decrement the TTL value `value' times.

       --ttl-inc value
              Increment the TTL value `value' times.
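
       The three TTL operations and the warning above, as an added example
       (not code from iptables or the netfilter project): a Python model of
       the TTL target on a constructed IPv4 header, including the incremental
       header checksum update (RFC 1624) that keeps the packet valid, and a
       guard that refuses --ttl-set and --ttl-inc when the destination lies
       outside the operator's own prefixes.  The clamping of the result to
       0..255, the sample addresses and the local prefix list are this
       example's assumptions.

```python
import ipaddress
import socket
import struct


def ip_header_checksum(header):
    """Full RFC 1071 checksum of a 20-byte IPv4 header (no options)."""
    total = sum(struct.unpack("!10H", bytes(header[:20])))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_checksum_ok(packet):
    # With the checksum field included, a correct header sums to zero.
    return ip_header_checksum(packet) == 0


def checksum_replace16(old_csum, old_word, new_word):
    """RFC 1624 incremental update after changing one 16-bit word:
    HC' = ~(~HC + ~m + m'). A wrong update here means every router
    downstream discards the packet, so it is verified against the full
    recomputation in ip_checksum_ok."""
    s = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, ttl=64, proto=17, payload=b""):
    """Constructed sample packet: minimal IPv4 header plus opaque payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ttl_target(packet, mode, value):
    """Apply --ttl-set / --ttl-dec / --ttl-inc (mode 'set', 'dec', 'inc').

    Returns (new_packet, old_ttl, new_ttl). dec/inc results are clamped to
    0..255 (this example's choice); a TTL of 0 means the packet will not be
    forwarded any further.
    """
    if not 0 <= value <= 255:
        raise ValueError("TTL value must be 0..255")
    pkt = bytearray(packet)
    old = pkt[8]
    if mode == "set":
        new = value
    elif mode == "dec":
        new = max(old - value, 0)
    elif mode == "inc":
        new = min(old + value, 255)
    else:
        raise ValueError("unknown mode %r" % mode)
    if new != old:
        old_word = struct.unpack_from("!H", pkt, 8)[0]   # TTL | protocol
        pkt[8] = new
        new_word = struct.unpack_from("!H", pkt, 8)[0]
        csum = struct.unpack_from("!H", pkt, 10)[0]
        struct.pack_into("!H", pkt, 10,
                         checksum_replace16(csum, old_word, new_word))
    return bytes(pkt), old, new


def ttl_target_guarded(packet, mode, value, local_prefixes):
    """Same as ttl_target, but enforce the man page's warning: raising or
    resetting the TTL is only allowed when the destination lies inside one
    of the operator's own prefixes (strings such as "10.0.0.0/8"), because a
    raised TTL lets a packet in a routing loop circulate indefinitely.
    Decrementing is always allowed."""
    dst = ipaddress.ip_address(bytes(packet[16:20]))
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    if mode in ("set", "inc") and not any(dst in n for n in nets):
        raise PermissionError("refusing to raise TTL of packet to %s, which "
                              "leaves the local network" % dst)
    return ttl_target(packet, mode, value)
```

       Decrementing a TTL of 64 by 3 yields 61 with a header that still
       verifies; --ttl-inc towards 198.51.100.7 is refused by the guard
       while the same operation towards 10.0.0.9 is applied.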
1378
   ULOG
       This target provides userspace logging of matching packets.  When this
       target is set for a rule, the Linux kernel will multicast this packet
       through a netlink socket.  One or more userspace processes may then
       subscribe to various multicast groups and receive the packets.  Like
       LOG, this is a "non-terminating target", i.e. rule traversal continues
       at the next rule.  ULOG is IPv4-only; it was later superseded by the
       NFLOG target and removed from the kernel in 3.17.

       --ulog-nlgroup nlgroup
              This specifies the netlink group (1-32) to which the packet is
              sent.  Default value is 1.

       --ulog-prefix prefix
              Prefix log messages with the specified prefix; up to 32
              characters long, and useful for distinguishing messages in the
              logs.

       --ulog-cprange size
              Number of bytes to be copied to userspace.  A value of 0 always
              copies the entire packet, regardless of its size.  Default is 0.

       --ulog-qthreshold size
              Number of packets to queue inside the kernel.  Setting this
              value to, e.g., 10 accumulates ten packets inside the kernel
              and transmits them as one netlink multipart message to
              userspace.  Default is 1 (for backwards compatibility).

DIAGNOSTICS
       Various error messages are printed to standard error.  The exit code is
       0 for correct functioning.  Errors which appear to be caused by invalid
       or abused command line parameters cause an exit code of 2, and other
       errors cause an exit code of 1.

BUGS
       Bugs?  What's this?  ;-)  Well, you might want to have a look at
       http://bugzilla.netfilter.org/

COMPATIBILITY WITH IPCHAINS
       This iptables is very similar to ipchains by Rusty Russell.  The main
       difference is that the chains INPUT and OUTPUT are only traversed for
       packets coming into the local host and originating from the local host
       respectively.  Hence every packet only passes through one of the three
       chains (except loopback traffic, which involves both INPUT and OUTPUT
       chains); previously a forwarded packet would pass through all three.

       The other main difference is that -i refers to the input interface; -o
       refers to the output interface, and both are available for packets
       entering the FORWARD chain.

       iptables is a pure packet filter when using the default `filter' table,
       with optional extension modules.  This should simplify much of the
       previous confusion over the combination of IP masquerading and packet
       filtering.  So the following options are handled differently:
        -j MASQ
        -M -S
        -M -L
       There are several other changes in iptables.

SEE ALSO
       iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8),
       ip6tables-restore(8), libipq(3).

       The packet-filtering-HOWTO details iptables usage for packet filtering,
       the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the
       extensions that are not in the standard distribution, and the
       netfilter-hacking-HOWTO details the netfilter internals.
       See http://www.netfilter.org/.

AUTHORS
       Rusty Russell originally wrote iptables, in early consultation with
       Michael Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic
       packet selection framework in iptables, then wrote the mangle table,
       the owner match, the mark stuff, and ran around doing cool stuff
       everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald Welte wrote the ULOG and NFQUEUE targets, the new libiptc, as
       well as the TTL, DSCP, ECN matches and targets.

       The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki
       Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira
       Ayuso, Harald Welte and Rusty Russell.

       Man page originally written by Herve Eychenne <rv@wallfire.org>.



                                 Mar 09, 2002                      IPTABLES(8)