IPTABLES(8)                                                        IPTABLES(8)
2
3
NAME
iptables - administration tool for IPv4 packet filtering and NAT

SYNOPSIS
iptables [-t table] -[AD] chain rule-specification [options]
iptables [-t table] -I chain [rulenum] rule-specification [options]
iptables [-t table] -R chain rulenum rule-specification [options]
iptables [-t table] -D chain rulenum [options]
iptables [-t table] -[LFZ] [chain] [options]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target [options]
iptables [-t table] -E old-chain-name new-chain-name

DESCRIPTION
Iptables is used to set up, maintain, and inspect the tables of IP
packet filter rules in the Linux kernel. Several different tables may
be defined. Each table contains a number of built-in chains and may
also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each
rule specifies what to do with a packet that matches. This is called a
`target', which may be a jump to a user-defined chain in the same
table.
29

TARGETS
A firewall rule specifies criteria for a packet, and a target. If the
packet does not match, the next rule in the chain is then examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain or one of the
special values ACCEPT, DROP, QUEUE, or RETURN.

ACCEPT means to let the packet through. DROP means to drop the packet
on the floor. QUEUE means to pass the packet to userspace. (How the
packet can be received by a userspace process differs by the particular
queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the
ip_queue queue handler. Kernels 2.6.14 and later additionally include
the nfnetlink_queue queue handler. Packets with a target of QUEUE will
be sent to queue number '0' in this case. Please also see the NFQUEUE
target as described later in this man page.) RETURN means stop
traversing this chain and resume at the next rule in the previous
(calling) chain. If the end of a built-in chain is reached or a rule
in a built-in chain with target RETURN is matched, the target specified
by the chain policy determines the fate of the packet.
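The traversal rules above (ACCEPT ends processing, RETURN hands the packet back to the calling chain, the built-in chain's policy decides anything that falls off the end) are easiest to see in a complete ruleset. The following POSIX shell script is an added example, not part of the iptables manual or the iptables project: it builds a default-deny INPUT policy from a user-defined chain named trusted-services (the name and the ports are this example's own choices). IPT defaults to printing the commands rather than running them; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: default-deny INPUT policy built from a user-defined chain,
# RETURN and the built-in chain policy. Not part of iptables itself.
# IPT defaults to a dry run that prints the commands; set IPT=iptables and
# run as root to apply them for real.
IPT="${IPT:-echo iptables}"

apply_input_policy() {
    # The user chain must exist before any rule can jump to it.
    $IPT -N trusted-services
    # ACCEPT ends traversal for the packet. Anything not accepted here hits
    # the final RETURN and resumes in INPUT, at the rule after the jump.
    $IPT -A trusted-services -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A trusted-services -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A trusted-services -j RETURN

    # Order matters in INPUT: loopback and already-tracked traffic are
    # accepted first, so the SSH session applying these rules survives the
    # moment the policy becomes DROP.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -j trusted-services
    # Packets that RETURNed from trusted-services reach this rule, are
    # logged at a bounded rate, then fall off the end of INPUT, where the
    # chain policy decides their fate.
    $IPT -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "INPUT drop: "
    # Set the policy last, once every accept rule is in place.
    $IPT -P INPUT DROP
}

apply_input_policy
```

Run it once in dry-run mode and read the output top to bottom: the only ways a packet can reach the DROP policy are by not being accepted in trusted-services and then RETURNing, or by not matching anything at all.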

TABLES
There are currently four independent tables (which tables are present
at any time depends on the kernel configuration options and which
modules are present).
55
56 -t, --table table
57 This option specifies the packet matching table which the com‐
58 mand should operate on. If the kernel is configured with auto‐
59 matic module loading, an attempt will be made to load the appro‐
60 priate module for that table if it is not already there.
61
62 The tables are as follows:
63
64 filter:
65 This is the default table (if no -t option is passed). It
66 contains the built-in chains INPUT (for packets destined to
67 local sockets), FORWARD (for packets being routed through
68 the box), and OUTPUT (for locally-generated packets).
69
70 nat:
71 This table is consulted when a packet that creates a new
72 connection is encountered. It consists of three built-ins:
73 PREROUTING (for altering packets as soon as they come in),
74 OUTPUT (for altering locally-generated packets before rout‐
75 ing), and POSTROUTING (for altering packets as they are
76 about to go out).
77
78 mangle:
79 This table is used for specialized packet alteration. Until
80 kernel 2.4.17 it had two built-in chains: PREROUTING (for
81 altering incoming packets before routing) and OUTPUT (for
82 altering locally-generated packets before routing). Since
83 kernel 2.4.18, three other built-in chains are also sup‐
84 ported: INPUT (for packets coming into the box itself), FOR‐
85 WARD (for altering packets being routed through the box),
86 and POSTROUTING (for altering packets as they are about to
87 go out).
88
89 raw:
90 This table is used mainly for configuring exemptions from
91 connection tracking in combination with the NOTRACK target.
92 It registers at the netfilter hooks with higher priority and
93 is thus called before ip_conntrack, or any other IP tables.
94 It provides the following built-in chains: PREROUTING (for
95 packets arriving via any network interface) OUTPUT (for
96 packets generated by local processes)

OPTIONS
The options that are recognized by iptables can be divided into several
different groups.
101
102 COMMANDS
103 These options specify the specific action to perform. Only one of them
104 can be specified on the command line unless otherwise specified below.
105 For all the long versions of the command and option names, you need to
106 use only enough letters to ensure that iptables can differentiate it
107 from all other options.
108
109 -A, --append chain rule-specification
110 Append one or more rules to the end of the selected chain. When
111 the source and/or destination names resolve to more than one
112 address, a rule will be added for each possible address combina‐
113 tion.
114
115 -D, --delete chain rule-specification
116 -D, --delete chain rulenum
117 Delete one or more rules from the selected chain. There are two
118 versions of this command: the rule can be specified as a number
119 in the chain (starting at 1 for the first rule) or a rule to
120 match.
121
122 -I, --insert chain [rulenum] rule-specification
123 Insert one or more rules in the selected chain as the given rule
124 number. So, if the rule number is 1, the rule or rules are
125 inserted at the head of the chain. This is also the default if
126 no rule number is specified.
127
128 -R, --replace chain rulenum rule-specification
129 Replace a rule in the selected chain. If the source and/or des‐
130 tination names resolve to multiple addresses, the command will
131 fail. Rules are numbered starting at 1.
132
133 -L, --list [chain]
134 List all rules in the selected chain. If no chain is selected,
135 all chains are listed. As every other iptables command, it
136 applies to the specified table (filter is the default), so NAT
137 rules get listed by
138 iptables -t nat -n -L
139 Please note that it is often used with the -n option, in order
140 to avoid long reverse DNS lookups. It is legal to specify the
141 -Z (zero) option as well, in which case the chain(s) will be
142 atomically listed and zeroed. The exact output is affected by
143 the other arguments given. The exact rules are suppressed until
144 you use
145 iptables -L -v
146
147 -F, --flush [chain]
148 Flush the selected chain (all the chains in the table if none is
149 given). This is equivalent to deleting all the rules one by
150 one.
151
152 -Z, --zero [chain]
153 Zero the packet and byte counters in all chains. It is legal to
154 specify the -L, --list (list) option as well, to see the coun‐
155 ters immediately before they are cleared. (See above.)
156
157 -N, --new-chain chain
158 Create a new user-defined chain by the given name. There must
159 be no target of that name already.
160
161 -X, --delete-chain [chain]
162 Delete the optional user-defined chain specified. There must be
163 no references to the chain. If there are, you must delete or
164 replace the referring rules before the chain can be deleted.
165 The chain must be empty, i.e. not contain any rules. If no
166 argument is given, it will attempt to delete every non-builtin
167 chain in the table.
168
169 -P, --policy chain target
170 Set the policy for the chain to the given target. See the sec‐
171 tion TARGETS for the legal targets. Only built-in (non-user-
172 defined) chains can have policies, and neither built-in nor
173 user-defined chains can be policy targets.
174
175 -E, --rename-chain old-chain new-chain
176 Rename the user specified chain to the user supplied name. This
177 is cosmetic, and has no effect on the structure of the table.
178
179 -h Help. Give a (currently very brief) description of the command
180 syntax.
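Deleting by rule number (-D chain rulenum) has a trap that the command descriptions above imply but do not spell out: every deletion renumbers the rules after it, so several numbered deletions must be issued from the highest number down. The following POSIX shell script is an added example, not part of the iptables manual or the iptables project. The listing it parses is constructed sample data in the shape of `iptables -L INPUT -n --line-numbers` output; the function names are this example's own. IPT defaults to printing the commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: remove every rule matching a pattern from a chain by rule
# number, deleting highest number first. Not part of iptables itself.
# IPT defaults to a dry run that prints the commands.
IPT="${IPT:-echo iptables}"

# Constructed sample of `iptables -L INPUT -n --line-numbers` output, used
# here in place of a live listing.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
3    ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0            tcp dpt:22
4    LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23 /* legacy telnet */'

# Read a --line-numbers listing on stdin and print the rule numbers of the
# rows containing PATTERN (a fixed string). The "Chain" and "num" header
# lines are skipped because their first field is not a number.
matching_rule_numbers() {
    awk -v pat="$1" '$1 ~ /^[0-9]+$/ && index($0, pat) { print $1 }'
}

# Delete the given rule numbers from CHAIN, highest first: deleting rule 2
# turns rule 5 into rule 4, so ascending order would remove the wrong
# rules. Capture the numbers and delete in one step; any change to the
# chain in between invalidates them.
delete_rules_by_number() {
    chain=$1
    shift
    for n in $(printf '%s\n' "$@" | sort -rn); do
        $IPT -D "$chain" "$n"
    done
}

# Live use replaces the printf with: iptables -L INPUT -n --line-numbers
delete_rules_by_number INPUT $(printf '%s\n' "$SAMPLE_LISTING" | matching_rule_numbers 'dpt:23')
```

Against the sample listing the pattern dpt:23 selects rules 2 and 5, and the script emits `-D INPUT 5` before `-D INPUT 2`. Where a rule can be reproduced exactly, `-D chain rule-specification` avoids the renumbering problem altogether; numbered deletion is for rules you can only identify from a listing.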
181
182 PARAMETERS
183 The following parameters make up a rule specification (as used in the
184 add, delete, insert, replace and append commands).
185
186 -p, --protocol [!] protocol
187 The protocol of the rule or of the packet to check. The speci‐
188 fied protocol can be one of tcp, udp, icmp, or all, or it can be
189 a numeric value, representing one of these protocols or a dif‐
190 ferent one. A protocol name from /etc/protocols is also
191 allowed. A "!" argument before the protocol inverts the test.
192 The number zero is equivalent to all. Protocol all will match
193 with all protocols and is taken as default when this option is
194 omitted.
195
196 -s, --source [!] address[/mask]
197 Source specification. Address can be either a network name, a
198 hostname (please note that specifying any name to be resolved
199 with a remote query such as DNS is a really bad idea), a network
200 IP address (with /mask), or a plain IP address. The mask can be
201 either a network mask or a plain number, specifying the number
202 of 1's at the left side of the network mask. Thus, a mask of 24
203 is equivalent to 255.255.255.0. A "!" argument before the
204 address specification inverts the sense of the address. The flag
205 --src is an alias for this option.
206
207 -d, --destination [!] address[/mask]
208 Destination specification. See the description of the -s
209 (source) flag for a detailed description of the syntax. The
210 flag --dst is an alias for this option.
211
212 -j, --jump target
213 This specifies the target of the rule; i.e., what to do if the
214 packet matches it. The target can be a user-defined chain
215 (other than the one this rule is in), one of the special builtin
216 targets which decide the fate of the packet immediately, or an
217 extension (see EXTENSIONS below). If this option is omitted in
218 a rule (and -g is not used), then matching the rule will have no
219 effect on the packet's fate, but the counters on the rule will
220 be incremented.
221
222 -g, --goto chain
223 This specifies that the processing should continue in a user
224 specified chain. Unlike the --jump option return will not con‐
225 tinue processing in this chain but instead in the chain that
226 called us via --jump.
227
228 -i, --in-interface [!] name
229 Name of an interface via which a packet was received (only for
230 packets entering the INPUT, FORWARD and PREROUTING chains).
231 When the "!" argument is used before the interface name, the
232 sense is inverted. If the interface name ends in a "+", then
233 any interface which begins with this name will match. If this
234 option is omitted, any interface name will match.
235
236 -o, --out-interface [!] name
237 Name of an interface via which a packet is going to be sent (for
238 packets entering the FORWARD, OUTPUT and POSTROUTING chains).
239 When the "!" argument is used before the interface name, the
240 sense is inverted. If the interface name ends in a "+", then
241 any interface which begins with this name will match. If this
242 option is omitted, any interface name will match.
243
244 [!] -f, --fragment
245 This means that the rule only refers to second and further frag‐
246 ments of fragmented packets. Since there is no way to tell the
247 source or destination ports of such a packet (or ICMP type),
248 such a packet will not match any rules which specify them. When
249 the "!" argument precedes the "-f" flag, the rule will only
250 match head fragments, or unfragmented packets.
251
252 -c, --set-counters PKTS BYTES
253 This enables the administrator to initialize the packet and byte
254 counters of a rule (during INSERT, APPEND, REPLACE operations).
255
256 OTHER OPTIONS
257 The following additional options can be specified:
258
259 -v, --verbose
260 Verbose output. This option makes the list command show the
261 interface name, the rule options (if any), and the TOS masks.
262 The packet and byte counters are also listed, with the suffix
263 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipli‐
264 ers respectively (but see the -x flag to change this). For
265 appending, insertion, deletion and replacement, this causes
266 detailed information on the rule or rules to be printed.
267
268 -n, --numeric
269 Numeric output. IP addresses and port numbers will be printed
270 in numeric format. By default, the program will try to display
271 them as host names, network names, or services (whenever appli‐
272 cable).
273
274 -x, --exact
275 Expand numbers. Display the exact value of the packet and byte
276 counters, instead of only the rounded number in K's (multiples
277 of 1000) M's (multiples of 1000K) or G's (multiples of 1000M).
278 This option is only relevant for the -L command.
279
280 --line-numbers
281 When listing rules, add line numbers to the beginning of each
282 rule, corresponding to that rule's position in the chain.
283
284 --modprobe=command
285 When adding or inserting rules into a chain, use command to load
286 any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded in
two ways: implicitly, when -p or --protocol is specified, or with the
-m or --match options, followed by the matching module name; after
these, various extra command line options become available, depending
on the specific module. You can specify multiple extended match
modules in one line, and you can use the -h or --help options after the
module has been specified to receive help specific to that module.
296
297 The following are included in the base package, and most of these can
298 be preceded by a ! to invert the sense of the match.
299
300 addrtype
301 This module matches packets based on their address type. Address types
302 are used within the kernel networking stack and categorize addresses
303 into various groups. The exact definition of that group depends on the
304 specific layer three protocol.
305
306 The following address types are possible:
307
UNSPEC      an unspecified address (i.e. 0.0.0.0)
UNICAST     a unicast address
LOCAL       a local address
BROADCAST   a broadcast address
ANYCAST     an anycast packet
MULTICAST   a multicast address
BLACKHOLE   a blackhole address
UNREACHABLE an unreachable address
PROHIBIT    a prohibited address
THROW       FIXME
NAT         FIXME
XRESOLVE    FIXME
313
314 --src-type type
315 Matches if the source address is of given type
316
317 --dst-type type
318 Matches if the destination address is of given type
319
ah
This module matches the SPIs in the Authentication Header of IPsec packets.
322
323 --ahspi [!] spi[:spi]
324
325 comment
326 Allows you to add comments (up to 256 characters) to any rule.
327
328 --comment comment
329
330 Example:
331 iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A pri‐
332 vatized IP block"
333
334 condition
335 This matches if a specific /proc filename is '0' or '1'.
336
337 --condition [!] filename
338 Match on boolean value stored in /proc/net/ipt_condition/file‐
339 name file
340
connbytes
Match by how many bytes or packets a connection (or one of the two
flows constituting the connection) has transferred so far, or by
average bytes per packet.

The counters are 64-bit and are thus not expected to overflow.

The primary use is to detect long-lived downloads and mark them to be
scheduled using a lower priority band in traffic control.

The transferred bytes per connection can also be viewed through
/proc/net/ip_conntrack and accessed via ctnetlink.

[!] --connbytes from:[to]
Match packets from a connection whose packet count, byte count or
average packet size is more than FROM and less than TO
bytes/packets. If TO is omitted only the FROM check is done. "!"
inverts the match, so it matches packets not falling in the range.
359
360 --connbytes-dir [original|reply|both]
361 which packets to consider
362
363 --connbytes-mode [packets|bytes|avgpkt]
364 whether to check the amount of packets, number of bytes trans‐
365 ferred or the average size (in bytes) of all packets received so
366 far. Note that when "both" is used together with "avgpkt", and
367 data is going (mainly) only in one direction (for example HTTP),
368 the average packet size will be about half of the actual data
369 packets.
370
371 Example:
372 iptables .. -m connbytes --connbytes 10000:100000 --connbytes-
373 dir both --connbytes-mode bytes ...
374
375 connmark
376 This module matches the netfilter mark field associated with a connec‐
377 tion (which can be set using the CONNMARK target below).
378
379 --mark value[/mask]
380 Matches packets in connections with the given mark value (if a
381 mask is specified, this is logically ANDed with the mark before
382 the comparison).
383
384 connrate
385 This module matches the current transfer rate in a connection.
386
387 --connrate [!] [from]:[to]
388 Match against the current connection transfer rate being within
389 'from' and 'to' bytes per second. When the "!" argument is used
390 before the range, the sense of the match is inverted.
391
392 conntrack
393 This module, when combined with connection tracking, allows access to
394 more connection tracking information than the "state" match. (this
395 module is present only if iptables was compiled under a kernel support‐
396 ing this feature)
397
--ctstate state
Where state is a comma separated list of the connection states
to match. Possible states are:

INVALID     the packet is associated with no known connection.
ESTABLISHED the packet is associated with a connection which has seen
            packets in both directions.
NEW         the packet has started a new connection, or is otherwise
            associated with a connection which has not seen packets in
            both directions.
RELATED     the packet is starting a new connection, but is associated
            with an existing connection, such as an FTP data transfer
            or an ICMP error.
SNAT        a virtual state, matching if the original source address
            differs from the reply destination.
DNAT        a virtual state, matching if the original destination
            differs from the reply source.
412
413 --ctproto proto
414 Protocol to match (by number or name)
415
416 --ctorigsrc [!] address[/mask]
417 Match against original source address
418
419 --ctorigdst [!] address[/mask]
420 Match against original destination address
421
422 --ctreplsrc [!] address[/mask]
423 Match against reply source address
424
425 --ctrepldst [!] address[/mask]
426 Match against reply destination address
427
428 --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
429 Match against internal conntrack states
430
431 --ctexpire time[:time]
432 Match remaining lifetime in seconds against given value or range
433 of values (inclusive)
434
435 dccp
436 --source-port,--sport [!] port[:port]
437
438 --destination-port,--dport [!] port[:port]
439
440 --dccp-types [!] mask
441 Match when the DCCP packet type is one of 'mask'. 'mask' is a
442 comma-separated list of packet types. Packet types are: REQUEST
443 RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK
444 INVALID.
445
--dccp-option [!] number
Match if the DCCP option with the given number is set.
448
449 dscp
450 This module matches the 6 bit DSCP field within the TOS field in the IP
451 header. DSCP has superseded TOS within the IETF.
452
--dscp value
Match against a numeric (decimal or hex) value [0-63].

--dscp-class DiffServ Class
Match the DiffServ class. This value may be any of the BE, EF,
AFxx or CSx classes. It will then be converted into its
corresponding numeric value.
460
461 ecn
462 This allows you to match the ECN bits of the IPv4 and TCP header. ECN
463 is the Explicit Congestion Notification mechanism as specified in
464 RFC3168
465
--ecn-tcp-cwr
This matches if the TCP ECN CWR (Congestion Window Reduced) bit
is set.
469
470 --ecn-tcp-ece
471 This matches if the TCP ECN ECE (ECN Echo) bit is set.
472
473 --ecn-ip-ect num
474 This matches a particular IPv4 ECT (ECN-Capable Transport). You
475 have to specify a number between `0' and `3'.
476
esp
This module matches the SPIs in the ESP header of IPsec packets.
479
480 --espspi [!] spi[:spi]
481
hashlimit
This module is similar to 'limit', but it keeps a separate token
bucket per destination IP, per (destination IP, destination port)
tuple, or per whatever combination of addresses and ports is
selected with --hashlimit-mode.

It gives you the ability to express

'1000 packets per second for every host in 192.168.0.0/16'

'100 packets per second for every service of 192.168.1.1'

with a single iptables rule.
494
495 --hashlimit rate
496 A rate just like the limit match
497
498 --hashlimit-burst num
499 Burst value, just like limit match
500
501 --hashlimit-mode dstip,srcip,dstport,srcport
502 A comma-separated list of objects to take into consideration
503
504 --hashlimit-name foo
505 The name for the /proc/net/ipt_hashlimit/foo entry
506
507 --hashlimit-htable-size num
508 The number of buckets of the hash table
509
510 --hashlimit-htable-max num
511 Maximum entries in the hash
512
--hashlimit-htable-expire num
After how many milliseconds do hash entries expire

--hashlimit-htable-gcinterval num
How many milliseconds between garbage collection intervals
518
519 helper
520 This module matches packets related to a specific conntrack-helper.
521
522 --helper string
523 Matches packets related to the specified conntrack-helper.
524
string can be "ftp" for packets related to an ftp-session on the
default port. For other ports append -portnr to the value, e.g.
"ftp-2121".
528
529 Same rules apply for other conntrack-helpers.
530
531 icmp
532 This extension can be used if `--protocol icmp' is specified. It pro‐
533 vides the following option:
534
535 --icmp-type [!] typename
536 This allows specification of the ICMP type, which can be a
537 numeric ICMP type, or one of the ICMP type names shown by the
538 command
539 iptables -p icmp -h
540
541 iprange
542 This matches on a given arbitrary range of IPv4 addresses
543
544 [!]--src-range ip-ip
545 Match source IP in the specified range.
546
547 [!]--dst-range ip-ip
548 Match destination IP in the specified range.
549
550 length
551 This module matches the length of a packet against a specific value or
552 range of values.
553
554 --length [!] length[:length]
555
556 limit
557 This module matches at a limited rate using a token bucket filter. A
558 rule using this extension will match until this limit is reached.
559 It can be used in combination with the LOG target to give limited
560 logging, for example.
561
562 --limit rate
563 Maximum average matching rate: specified as a number, with an
564 optional `/second', `/minute', `/hour', or `/day' suffix; the
565 default is 3/hour.
566
567 --limit-burst number
568 Maximum initial number of packets to match: this number gets
569 recharged by one every time the limit specified above is not
570 reached, up to this number; the default is 5.
571
572 mac
573 --mac-source [!] address
574 Match source MAC address. It must be of the form
575 XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets
576 coming from an Ethernet device and entering the PREROUTING, FOR‐
577 WARD or INPUT chains.
578
579 mark
580 This module matches the netfilter mark field associated with a packet
581 (which can be set using the MARK target below).
582
--mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is
specified, the packet's mark is logically ANDed with the mask before
the comparison).
587
588 multiport
589 This module matches a set of source or destination ports. Up to 15
590 ports can be specified. A port range (port:port) counts as two ports.
591 It can only be used in conjunction with -p tcp or -p udp.
592
593 --source-ports [!] port[,port[,port:port...]]
594 Match if the source port is one of the given ports. The flag
595 --sports is a convenient alias for this option.
596
597 --destination-ports [!] port[,port[,port:port...]]
598 Match if the destination port is one of the given ports. The
599 flag --dports is a convenient alias for this option.
600
601 --ports [!] port[,port[,port:port...]]
602 Match if either the source or destination ports are equal to one
603 of the given ports.
604
owner
This module attempts to match various characteristics of the packet
creator, for locally-generated packets. It is only valid in the OUTPUT
chain, and even there some packets (such as ICMP ping responses) may
have no owner, and hence never match.
610
611 --uid-owner userid
612 Matches if the packet was created by a process with the given
613 effective user id.
614
615 --gid-owner groupid
616 Matches if the packet was created by a process with the given
617 effective group id.
618
619 --pid-owner processid
620 Matches if the packet was created by a process with the given
621 process id.
622
623 --sid-owner sessionid
624 Matches if the packet was created by a process in the given ses‐
625 sion group.
626
627 --cmd-owner name
628 Matches if the packet was created by a process with the given
629 command name. (this option is present only if iptables was com‐
630 piled under a kernel supporting this feature)
631
632 NOTE: pid, sid and command matching are broken on SMP
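The owner match is the building block for per-service egress control: confining what a daemon's user account may connect to, so that a compromised process cannot freely reach out. The following POSIX shell script is an added example, not part of the iptables manual or the iptables project; the chain name, the UID 33 and the allowed ports are this example's own choices. IPT defaults to printing the commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: per-UID egress control with the owner match. Not part of
# iptables itself. IPT defaults to a dry run that prints the commands; set
# IPT=iptables and run as root to apply them.
IPT="${IPT:-echo iptables}"

# Confine new connections initiated by processes running as UID to DNS and
# HTTPS; anything else they send is logged at a bounded rate and dropped.
egress_rules_for_uid() {
    uid=$1
    chain="egress-uid-$uid"
    $IPT -N "$chain"
    # Replies belonging to connections that were already accepted (for
    # example a web server answering its clients) must keep flowing; without
    # this rule every response to an ephemeral client port would be dropped.
    $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$chain" -p udp --dport 53 -j ACCEPT
    $IPT -A "$chain" -p tcp --dport 53 -j ACCEPT
    $IPT -A "$chain" -p tcp --dport 443 -j ACCEPT
    $IPT -A "$chain" -m limit --limit 10/minute -j LOG --log-prefix "$chain: "
    $IPT -A "$chain" -j DROP
    # owner is only valid in OUTPUT. Packets with no owning socket (such as
    # kernel-generated ICMP replies) never match --uid-owner and are left
    # to the rest of the OUTPUT chain.
    $IPT -A OUTPUT -m owner --uid-owner "$uid" -j "$chain"
}

egress_rules_for_uid 33
```

Only --uid-owner and --gid-owner are used here; the NOTE above about pid, sid and command matching being unreliable on SMP is one more reason to build egress policy on the service's user or group rather than on process names.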
633
634 physdev
635 This module matches on the bridge port input and output devices
636 enslaved to a bridge device. This module is a part of the infrastruc‐
637 ture that enables a transparent bridging IP firewall and is only useful
638 for kernel versions above version 2.5.44.
639
640 --physdev-in [!] name
641 Name of a bridge port via which a packet is received (only for
642 packets entering the INPUT, FORWARD and PREROUTING chains). If
643 the interface name ends in a "+", then any interface which
644 begins with this name will match. If the packet didn't arrive
645 through a bridge device, this packet won't match this option,
646 unless '!' is used.
647
--physdev-out [!] name
Name of a bridge port via which a packet is going to be sent
(for packets entering the FORWARD, OUTPUT and POSTROUTING
chains). If the interface name ends in a "+", then any interface
which begins with this name will match. Note that in the nat and
mangle OUTPUT chains one cannot match on the bridge output port,
however one can in the filter OUTPUT chain. If the packet won't
leave by a bridge device or it is yet unknown what the output
device will be, then the packet won't match this option, unless
'!' is used.
658
659 [!] --physdev-is-in
660 Matches if the packet has entered through a bridge interface.
661
662 [!] --physdev-is-out
663 Matches if the packet will leave through a bridge interface.
664
665 [!] --physdev-is-bridged
666 Matches if the packet is being bridged and therefore is not
667 being routed. This is only useful in the FORWARD and POSTROUT‐
668 ING chains.
669
670 pkttype
671 This module matches the link-layer packet type.
672
673 --pkt-type [unicast|broadcast|multicast]
674
policy
This module matches the policy used by IPsec for handling a packet.
677
678 --dir in|out
679 Used to select whether to match the policy used for decapsula‐
680 tion or the policy that will be used for encapsulation. in is
681 valid in the PREROUTING, INPUT and FORWARD chains, out is valid
682 in the POSTROUTING, OUTPUT and FORWARD chains.
683
684 --pol none|ipsec
685 Matches if the packet is subject to IPsec processing.
686
687 --strict
688 Selects whether to match the exact policy or match if any rule
689 of the policy matches the given policy.
690
691 --reqid id
692 Matches the reqid of the policy rule. The reqid can be specified
693 with setkey(8) using unique:id as level.
694
695 --spi spi
696 Matches the SPI of the SA.
697
698 --proto ah|esp|ipcomp
699 Matches the encapsulation protocol.
700
701 --mode tunnel|transport
702 Matches the encapsulation mode.
703
704 --tunnel-src addr[/mask]
705 Matches the source end-point address of a tunnel mode SA. Only
706 valid with --mode tunnel.
707
708 --tunnel-dst addr[/mask]
709 Matches the destination end-point address of a tunnel mode SA.
710 Only valid with --mode tunnel.
711
712 --next Start the next element in the policy specification. Can only be
713 used with --strict
714
715 quota
716 Implements network quotas by decrementing a byte counter with each
717 packet.
718
719 --quota bytes
720 The quota in bytes.
721
722 realm
723 This matches the routing realm. Routing realms are used in complex
724 routing setups involving dynamic routing protocols like BGP.
725
726 --realm [!] value[/mask]
727 Matches a given realm number (and optionally mask). If not a
728 number, value can be a named realm from /etc/iproute2/rt_realms
729 (mask can not be used in that case).
730
731 recent
732 Allows you to dynamically create a list of IP addresses and then match
733 against that list in a few different ways.
734
735 For example, you can create a `badguy' list out of people attempting to
736 connect to port 139 on your firewall and then DROP all future packets
737 from them without considering them.
738
739 --name name
740 Specify the list to use for the commands. If no name is given
741 then 'DEFAULT' will be used.
742
743 [!] --set
744 This will add the source address of the packet to the list. If
745 the source address is already in the list, this will update the
746 existing entry. This will always return success (or failure if
747 `!' is passed in).
748
749 [!] --rcheck
750 Check if the source address of the packet is currently in the
751 list.
752
753 [!] --update
754 Like --rcheck, except it will update the "last seen" timestamp
755 if it matches.
756
757 [!] --remove
758 Check if the source address of the packet is currently in the
759 list and if so that address will be removed from the list and
760 the rule will return true. If the address is not found, false is
761 returned.
762
763 [!] --seconds seconds
764 This option must be used in conjunction with one of --rcheck or
765 --update. When used, this will narrow the match to only happen
766 when the address is in the list and was seen within the last
767 given number of seconds.
768
[!] --hitcount hits
This option must be used in conjunction with one of --rcheck or
--update. When used, this will narrow the match to only happen
when the address is in the list and the number of packets
recorded for it is greater than or equal to the given value.
This option may be used along with --seconds to create an even
narrower match requiring a certain number of hits within a
specific time frame.

--rttl This option must be used in conjunction with one of --rcheck or
--update. When used, this will narrow the match to only happen
when the address is in the list and the TTL of the current
packet matches that of the packet which hit the --set rule. This
is useful when someone fakes their source address in order to DoS
you via this module, denying others access to your site by
sending bogus packets to you.
784
785 Examples:
786
787 # iptables -A FORWARD -m recent --name badguy --rcheck --seconds
788 60 -j DROP
789
790 # iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent
791 --name badguy --set -j DROP
792
793 Official website (http://snowman.net/projects/ipt_recent/) also has
794 some examples of usage.
795
796 /proc/net/ipt_recent/* are the current lists of addresses and informa‐
797 tion about each entry of each list.
798
Each file in /proc/net/ipt_recent/ can be read from to see the current
list or written to using the following commands to modify the list:
801
802 echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
803 to Add to the DEFAULT list
804
805 echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
806 to Remove from the DEFAULT list
807
808 echo clear > /proc/net/ipt_recent/DEFAULT
809 to empty the DEFAULT list.
810
811 The module itself accepts parameters, defaults shown:
812
813 ip_list_tot=100
814 Number of addresses remembered per table
815
816 ip_pkt_list_tot=20
817 Number of packets per address remembered
818
819 ip_list_hash_size=0
820 Hash table size. 0 means to calculate it based on ip_list_tot,
821 default: 512
822
823 ip_list_perms=0644
824 Permissions for /proc/net/ipt_recent/* files
825
826 debug=0
827 Set to 1 to get lots of debugging info
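
The list semantics above (--set, --rcheck/--update narrowed by --seconds, --hitcount and --rttl, the /proc add/remove/clear commands, and the ip_pkt_list_tot cap) as an added, runnable model; this is illustration code written for this page, not kernel code or anything from the netfilter project. The two-rule "ssh" recipe in the demo is a common deployment pattern, not one of the examples in this manual, and the addresses, list name and timings are constructed.

```python
"""Model of the iptables `recent` match (added example, not kernel code).

Implements the documented behaviour of --set, --rcheck and --update with the
narrowing options --seconds, --hitcount and --rttl, plus the /proc add,
remove and clear operations.  ip_pkt_list_tot (default 20) bounds how many
hit timestamps are kept per address.  Timestamps are plain seconds.
"""
from collections import deque


class RecentList:
    """One named list, as exposed under /proc/net/ipt_recent/<name>."""

    def __init__(self, name="DEFAULT", ip_pkt_list_tot=20):
        self.name = name
        self.max_hits = ip_pkt_list_tot
        self.entries = {}   # addr -> [deque of hit times, TTL seen at --set]

    def set(self, addr, now, ttl):
        """--set (or `echo addr > /proc/...`): add the address and record a hit."""
        if addr not in self.entries:
            self.entries[addr] = [deque(maxlen=self.max_hits), ttl]
        self.entries[addr][0].append(now)
        self.entries[addr][1] = ttl

    def remove(self, addr):
        """`echo -addr > /proc/...`: drop the address from the list."""
        self.entries.pop(addr, None)

    def clear(self):
        """`echo clear > /proc/...`: empty the list."""
        self.entries.clear()

    def check(self, addr, now, ttl, seconds=None, hitcount=None,
              rttl=False, update=False):
        """--rcheck (update=False) or --update (update=True).

        Matches only if the address is listed and every narrowing option
        holds: --seconds, last hit within that many seconds; --hitcount,
        at least that many recorded hits (inside the --seconds window when
        both are given); --rttl, same TTL as the packet that hit --set.
        --update also records this packet as a hit when the rule matches.
        """
        if addr not in self.entries:
            return False
        hits, set_ttl = self.entries[addr]
        if seconds is not None and now - hits[-1] > seconds:
            return False
        if hitcount is not None:
            recent = [t for t in hits if seconds is None or now - t <= seconds]
            if len(recent) < hitcount:
                return False
        if rttl and ttl != set_ttl:
            return False
        if update:
            hits.append(now)
        return True


def ssh_bruteforce_demo():
    """Constructed scenario for a common two-rule recipe (not from the manual):
         -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
         -m recent --name ssh --set -j ACCEPT
    Six new connections from one address, five seconds apart; returns the
    verdict for each.  Four are accepted, the fifth and sixth are dropped.
    """
    lst = RecentList("ssh")
    verdicts = []
    for i in range(6):
        now = i * 5
        if lst.check("192.0.2.10", now, ttl=64, seconds=60, hitcount=4, update=True):
            verdicts.append("DROP")
        else:
            lst.set("192.0.2.10", now, ttl=64)
            verdicts.append("ACCEPT")
    return verdicts
```

Because --update only records a hit when the rule matches, the hits that count toward --hitcount come from the --set rule; with --hitcount 4 the fifth connection inside the window is the first one dropped.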
828
829 sctp
830 --source-port,--sport [!] port[:port]
831
832 --destination-port,--dport [!] port[:port]
833
834 --chunk-types [!] all|any|only chunktype[:flags] [...]
835 The flag letter in upper case indicates that the flag is to
836 match if set, in the lower case indicates to match if unset.
837
838 Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK
839 ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK
840 ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
841
842 chunk type available flags
843 DATA U B E u b e
844 ABORT T t
845 SHUTDOWN_COMPLETE T t
846
847 (lowercase means flag should be "off", uppercase means "on")
848
849 Examples:
850
851 iptables -A INPUT -p sctp --dport 80 -j DROP
852
853 iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
854
855 iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
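
The all/any/only modes and the upper/lower-case flag notation of --chunk-types, as an added model written for this page (not iptables or kernel code). Packets are hand-built lists of (chunk type, set flags) pairs; no SCTP header parsing is done. The reading of "only" as "every chunk the packet carries must be one of the listed ones" is my interpretation of the option.

```python
"""Model of `-m sctp --chunk-types` (added example, not iptables code).

A packet is a list of (chunk_type, set_flags) pairs built by hand; no SCTP
header parsing is done.  Flag letters follow the manual: upper case means
the flag must be set, lower case means it must be clear, unlisted flags are
not examined.
"""

CHUNK_TYPES = ("DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN "
               "SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR "
               "SHUTDOWN_COMPLETE ASCONF ASCONF_ACK").split()
# Flags the manual lists per chunk type (only these types carry flags).
CHUNK_FLAGS = {"DATA": "UBE", "ABORT": "T", "SHUTDOWN_COMPLETE": "T"}


def parse_chunk_types(spec):
    """Parse 'all|any|only type[:flags][,type[:flags]...]'.

    Returns (mode, [(type, {FLAG: must_be_set}), ...]) and rejects unknown
    modes, chunk types and flags, the way iptables rejects them at rule-load
    time.
    """
    mode, _, rest = spec.strip().partition(" ")
    if mode not in ("all", "any", "only"):
        raise ValueError("mode must be all, any or only, got %r" % mode)
    wanted = []
    for item in rest.split(","):
        ctype, _, flags = item.strip().partition(":")
        if ctype not in CHUNK_TYPES:
            raise ValueError("unknown chunk type %r" % ctype)
        required = {}
        for letter in flags:
            if letter.upper() not in CHUNK_FLAGS.get(ctype, ""):
                raise ValueError("flag %r is not valid for %s" % (letter, ctype))
            required[letter.upper()] = letter.isupper()
        wanted.append((ctype, required))
    return mode, wanted


def _chunk_fits(chunk, wanted):
    """True if this (type, set_flags) chunk satisfies some entry of wanted."""
    ctype, set_flags = chunk
    return any(ctype == w and all((f in set_flags) == want for f, want in req.items())
               for w, req in wanted)


def chunk_types_match(spec, packet_chunks):
    """Apply the spec to a packet.

    any:  at least one listed chunk (with its flags) is present.
    all:  every listed chunk (with its flags) is present.
    only: every chunk in the packet is one of the listed ones with matching
          flags; a single chunk of another type, or with the wrong flags,
          makes the whole packet fail.
    """
    mode, wanted = parse_chunk_types(spec)
    if mode == "any":
        return any(_chunk_fits(c, wanted) for c in packet_chunks)
    if mode == "all":
        return all(any(_chunk_fits(c, [entry]) for c in packet_chunks)
                   for entry in wanted)
    return all(_chunk_fits(c, wanted) for c in packet_chunks)
```

The manual's third example, `--chunk-types any DATA:Be`, therefore accepts a DATA chunk with B set and E clear, and rejects one that has both set, because the lower-case `e` is a requirement, not an omission.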
856
857 set
858 This module matches IP sets which can be defined by ipset(8).
859
860 --set setname flag[,flag...]
861 where flags are src and/or dst and there can be no more than six
862 of them. Hence the command
863 iptables -A FORWARD -m set --set test src,dst
864 will match packets, for which (depending on the type of the set)
865 the source address or port number of the packet can be found in
866 the specified set. If there is a binding belonging to the matched
867 set element or there is a default binding for the given set,
868 then the rule will match the packet only if additionally
869 (depending on the type of the set) the destination address or
870 port number of the packet can be found in the set according to
871 the binding.
872
873 state
874 This module, when combined with connection tracking, allows access to
875 the connection tracking state for this packet.
876
877 --state state
878 Where state is a comma separated list of the connection states
879 to match. Possible states are INVALID meaning that the packet
880 could not be identified for some reason which includes running
881 out of memory and ICMP errors which don't correspond to any
882 known connection, ESTABLISHED meaning that the packet is associ‐
883 ated with a connection which has seen packets in both direc‐
884 tions, NEW meaning that the packet has started a new connection,
885 or otherwise associated with a connection which has not seen
886 packets in both directions, and RELATED meaning that the packet
887 is starting a new connection, but is associated with an existing
888 connection, such as an FTP data transfer, or an ICMP error.
889
890 string
891 This module matches a given string by using some pattern matching
892 strategy. It requires a linux kernel >= 2.6.14.
893
894 --algo bm|kmp
895 Select the pattern matching strategy. (bm = Boyer-Moore, kmp =
896 Knuth-Morris-Pratt)
897
898 --from offset
899 Set the offset from which it starts looking for any matching. If
900 not passed, default is 0.
901
902 --to offset
903 Set the offset up to which it looks for any matching. If not
904 passed, default is the packet size.
905
906 --string pattern
907 Matches the given pattern.
908 --hex-string pattern Matches the given pattern in hex notation.
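
The search window (--from/--to), the kmp strategy and the |hex| notation of --hex-string, as an added model written for this page; it is not the kernel's textsearch code. Only kmp is implemented (bm would return the same verdict at a different cost), and the assumption that offsets count from the start of the IP packet is mine; the sample packet is constructed, with zero-filled placeholder headers.

```python
"""Model of `-m string` (added example, not kernel code).

Implements the kmp strategy (bm is omitted; both return the same verdict,
only the search cost differs), the --from/--to window, and the |hex|
notation of --hex-string.  Offsets count from the start of the packet as
the match sees it; in this model the packet bytes begin at the IP header.
"""


def kmp_table(pattern):
    """Failure table: longest proper prefix of pattern[:i+1] that is also its suffix."""
    table = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = table[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        table[i] = k
    return table


def kmp_find(haystack, pattern):
    """Offset of the first occurrence of pattern in haystack, or -1."""
    if not pattern:
        return 0
    table = kmp_table(pattern)
    k = 0
    for i, byte in enumerate(haystack):
        while k and byte != pattern[k]:
            k = table[k - 1]
        if byte == pattern[k]:
            k += 1
        if k == len(pattern):
            return i - k + 1
    return -1


def parse_hex_string(text):
    """--hex-string notation: bytes between '|' are hex, the rest is literal text."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def string_match(packet, pattern, start=0, to=None, hexstring=False):
    """Model of `--from start --to to --string pattern` (or --hex-string).

    Only packet[start:to] is searched, so a pattern that straddles the --to
    boundary, or begins before --from, does not match: a rule whose window
    is too small silently misses the payload it was written for.
    """
    needle = parse_hex_string(pattern) if hexstring else pattern.encode()
    end = len(packet) if to is None else to      # --to defaults to the packet size
    return kmp_find(packet[start:end], needle) != -1


# Constructed sample: a 20-byte placeholder IPv4 header, a 20-byte placeholder
# TCP header, then an HTTP request.  "Host:" begins at offset 66.
SAMPLE_PACKET = bytes(40) + b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
```

A window that ends on the last byte of the pattern must still include it: `--to 71` finds the five bytes at offsets 66..70, `--to 70` does not.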
909
910 tcp
911 These extensions can be used if `--protocol tcp' is specified. It pro‐
912 vides the following options:
913
914 --source-port [!] port[:port]
915 Source port or port range specification. This can either be a
916 service name or a port number. An inclusive range can also be
917 specified, using the format port:port. If the first port is
918 omitted, "0" is assumed; if the last is omitted, "65535" is
919 assumed. If the first port is greater than the second, they will be
920 swapped. The flag --sport is a convenient alias for this
921 option.
922
923 --destination-port [!] port[:port]
924 Destination port or port range specification. The flag --dport
925 is a convenient alias for this option.
926
927 --tcp-flags [!] mask comp
928 Match when the TCP flags are as specified. The first argument
929 is the flags which we should examine, written as a comma-sepa‐
930 rated list, and the second argument is a comma-separated list of
931 flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL
932 NONE. Hence the command
933 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
934 will only match packets with the SYN flag set, and the ACK, FIN
935 and RST flags unset.
936
937 [!] --syn
938 Only match TCP packets with the SYN bit set and the ACK,RST and
939 FIN bits cleared. Such packets are used to request TCP connec‐
940 tion initiation; for example, blocking such packets coming in an
941 interface will prevent incoming TCP connections, but outgoing
942 TCP connections will be unaffected. It is equivalent to --tcp-
943 flags SYN,RST,ACK,FIN SYN. If the "!" flag precedes the
944 "--syn", the sense of the option is inverted.
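
The mask/comp semantics of --tcp-flags and the documented equivalence with [!] --syn, as an added model written for this page (not iptables code). It goes one step beyond the text by checking the equivalence over all 64 combinations of the six flags; flag names and the ALL/NONE shorthands are those of the manual.

```python
"""Model of `-m tcp --tcp-flags mask comp` and `[!] --syn` (added example,
not iptables code).  Flag names and the ALL/NONE shorthands follow the
manual; bit values are those of the TCP header's flags byte.
"""

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def flag_bits(names):
    """Turn a comma-separated flag list (or ALL / NONE) into a bitmask."""
    bits = 0
    for name in names.split(","):
        name = name.strip().upper()
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name == "NONE":
            continue
        elif name in TCP_FLAGS:
            bits |= TCP_FLAGS[name]
        else:
            raise ValueError("unknown TCP flag %r" % name)
    return bits


def tcp_flags_match(mask, comp, packet_flags, invert=False):
    """Examine only the bits in `mask`; match when exactly `comp` is set there.

    Bits outside the mask are ignored, so PSH or URG on a SYN does not stop
    `--tcp-flags SYN,ACK,FIN,RST SYN` from matching.  A comp flag that is
    not in the mask can never be satisfied, so this model rejects such a
    rule instead of loading one that silently never matches.
    """
    m, c = flag_bits(mask), flag_bits(comp)
    if c & ~m:
        raise ValueError("comp flags must be a subset of the mask")
    matched = (flag_bits(packet_flags) & m) == c
    return matched != invert


def syn_match(packet_flags, invert=False):
    """[!] --syn: SYN set and ACK, RST, FIN clear, written out directly."""
    f = flag_bits(packet_flags)
    cleared = TCP_FLAGS["ACK"] | TCP_FLAGS["RST"] | TCP_FLAGS["FIN"]
    matched = bool(f & TCP_FLAGS["SYN"]) and not (f & cleared)
    return matched != invert


def syn_equivalence_holds():
    """Check the manual's claim that --syn equals --tcp-flags SYN,RST,ACK,FIN SYN
    over all 64 combinations of the six flags."""
    for bits in range(64):
        names = ",".join(n for n, b in TCP_FLAGS.items() if bits & b) or "NONE"
        if syn_match(names) != tcp_flags_match("SYN,RST,ACK,FIN", "SYN", names):
            return False
    return True
```

`--tcp-flags ALL NONE` is the way to match segments with no flags set at all, which a normal stack never sends; the mask must be ALL, because with a narrower mask a stray PSH or URG would go unexamined.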
945
946 --tcp-option [!] number
947 Match if TCP option set.
948
949 tcpmss
950 This matches the TCP MSS (maximum segment size) field of the TCP
951 header. You can only use this on TCP SYN or SYN/ACK packets, since the
952 MSS is only negotiated during the TCP handshake at connection startup
953 time.
954
955 [!] --mss value[:value]
956 Match a given TCP MSS value or range.
957
958 tos
959 This module matches the 8 bits of Type of Service field in the IP
960 header (ie. including the precedence bits).
961
962 --tos tos
963 The argument is either a standard name, (use
964 iptables -m tos -h
965 to see the list), or a numeric value to match.
966
967 ttl
968 This module matches the time to live field in the IP header.
969
970 --ttl-eq ttl
971 Matches the given TTL value.
972
973 --ttl-gt ttl
974 Matches if TTL is greater than the given TTL value.
975
976 --ttl-lt ttl
977 Matches if TTL is less than the given TTL value.
978
979 udp
980 These extensions can be used if `--protocol udp' is specified. It pro‐
981 vides the following options:
982
983 --source-port [!] port[:port]
984 Source port or port range specification. See the description of
985 the --source-port option of the TCP extension for details.
986
987 --destination-port [!] port[:port]
988 Destination port or port range specification. See the descrip‐
989 tion of the --destination-port option of the TCP extension for
990 details.
991
992 unclean
993 This module takes no options, but attempts to match packets which seem
994 malformed or unusual. This is regarded as experimental.
995
996 TARGET EXTENSIONS
997 iptables can use extended target modules: the following are included in
998 the standard distribution.
999
1000 CLASSIFY
1001 This module allows you to set the skb->priority value (and thus clas‐
1002 sify the packet into a specific CBQ class).
1003
1004 --set-class MAJOR:MINOR
1005 Set the major and minor class value.
1006
1007 CLUSTERIP
1008 This module allows you to configure a simple cluster of nodes that
1009 share a certain IP and MAC address without an explicit load balancer in
1010 front of them. Connections are statically distributed between the
1011 nodes in this cluster.
1012
1013 --new Create a new ClusterIP. You always have to set this on the
1014 first rule for a given ClusterIP.
1015
1016 --hashmode mode
1017 Specify the hashing mode. Has to be one of sourceip, sourceip-
1018 sourceport, sourceip-sourceport-destport
1019
1020 --clustermac mac
1021 Specify the ClusterIP MAC address. Has to be a link-layer mul‐
1022 ticast address
1023
1024 --total-nodes num
1025 Number of total nodes within this cluster.
1026
1027 --local-node num
1028 Local node number within this cluster.
1029
1030 --hash-init rnd
1031 Specify the random seed used for hash initialization.
1032
1033 CONNMARK
1034 This module sets the netfilter mark value associated with a connection
1035
1036 --set-mark mark[/mask]
1037 Set connection mark. If a mask is specified then only those bits
1038 set in the mask are modified.
1039
1040 --save-mark [--mask mask]
1041 Copy the netfilter packet mark value to the connection mark. If
1042 a mask is specified then only those bits are copied.
1043
1044 --restore-mark [--mask mask]
1045 Copy the connection mark value to the packet. If a mask is spec‐
1046 ified then only those bits are copied. This is only valid in the
1047 mangle table.
1048
1049 CONNSECMARK
1050 This module copies security markings from packets to connections (if
1051 unlabeled), and from connections back to packets (also only if unla‐
1052 beled). Typically used in conjunction with SECMARK, it is only valid
1053 in the mangle table.
1054
1055 --save If the packet has a security marking, copy it to the connection
1056 if the connection is not marked.
1057
1058 --restore
1059 If the packet does not have a security marking, and the connec‐
1060 tion does, copy the security marking from the connection to the
1061 packet.
1062
1063
1064 DNAT
1065 This target is only valid in the nat table, in the PREROUTING and OUT‐
1066 PUT chains, and user-defined chains which are only called from those
1067 chains. It specifies that the destination address of the packet should
1068 be modified (and all future packets in this connection will also be
1069 mangled), and rules should cease being examined. It takes one type of
1070 option:
1071
1072 --to-destination [ipaddr][-ipaddr][:port-port]
1073 which can specify a single new destination IP address, an inclu‐
1074 sive range of IP addresses, and optionally, a port range (which
1075 is only valid if the rule also specifies -p tcp or -p udp). If
1076 no port range is specified, then the destination port will never
1077 be modified. If no IP address is specified then only the desti‐
1078 nation port will be modified.
1079
1080 In Kernels up to 2.6.10 you can add several --to-destination
1081 options. For those kernels, if you specify more than one desti‐
1082 nation address, either via an address range or multiple --to-
1083 destination options, a simple round-robin (one after another in
1084 cycle) load balancing takes place between these addresses.
1085 Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to
1086 multiple ranges anymore.
1087
1088 --random
1089 If option --random is used then port mapping will be randomized
1090 (kernel >= 2.6.22).
1091
1092 DSCP
1093 This target allows you to alter the value of the DSCP bits within the TOS
1094 header of the IPv4 packet. As this manipulates a packet, it can only
1095 be used in the mangle table.
1096
1097 --set-dscp value
1098 Set the DSCP field to a numerical value (can be decimal or hex)
1099
1100 --set-dscp-class class
1101 Set the DSCP field to a DiffServ class.
1102
1103 ECN
1104 This target allows you to selectively work around known ECN blackholes. It
1105 can only be used in the mangle table.
1106
1107 --ecn-tcp-remove
1108 Remove all ECN bits from the TCP header. Of course, it can only
1109 be used in conjunction with -p tcp.
1110
1111 LOG
1112 Turn on kernel logging of matching packets. When this option is set
1113 for a rule, the Linux kernel will print some information on all match‐
1114 ing packets (like most IP header fields) via the kernel log (where it
1115 can be read with dmesg or syslogd(8)). This is a "non-terminating tar‐
1116 get", i.e. rule traversal continues at the next rule. So if you want
1117 to LOG the packets you refuse, use two separate rules with the same
1118 matching criteria, first using target LOG then DROP (or REJECT).
1119
1120 --log-level level
1121 Level of logging (numeric or see syslog.conf(5)).
1122
1123 --log-prefix prefix
1124 Prefix log messages with the specified prefix; up to 29 letters
1125 long, and useful for distinguishing messages in the logs.
1126
1127 --log-tcp-sequence
1128 Log TCP sequence numbers. This is a security risk if the log is
1129 readable by users.
1130
1131 --log-tcp-options
1132 Log options from the TCP packet header.
1133
1134 --log-ip-options
1135 Log options from the IP packet header.
1136
1137 --log-uid
1138 Log the userid of the process which generated the packet.
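
A parser for the lines LOG writes, as an added example written for this page (not part of iptables or the kernel). It shows the defender's side of the LOG-then-DROP pairing described above: pick out lines carrying a given --log-prefix, split the header fields, and count which sources keep sending connection requests to refused ports. The sample lines are constructed, not captured, and the `IPT-DROP:` / `IPT-ACCEPT:` prefixes are assumed names.

```python
"""Parser for kernel LOG target output (added example, not part of iptables).

The LOG target writes one line per packet with header fields as KEY=VALUE
tokens and TCP flags as bare words; the --log-prefix text comes immediately
before IN=.  SAMPLE_LINES are constructed, not captured from a real host.
"""
import re
from collections import Counter

# Everything between "kernel:" (plus an optional [uptime] stamp) and "IN="
# is the prefix the rule was given with --log-prefix.
_LOG_HEAD = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?)\s*(?=IN=)")

_TAIL = ("LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=%d DPT=%d "
         "WINDOW=29200 RES=0x00 %s URGP=0")
_HEAD = "Mar  9 12:00:%02d fw kernel: [ 1234.%06d] %s IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "

SAMPLE_LINES = [
    _HEAD % (1, 1, "IPT-DROP:") + "SRC=198.51.100.23 DST=192.0.2.1 " + _TAIL % (44512, 22, "SYN"),
    _HEAD % (2, 2, "IPT-DROP:") + "SRC=198.51.100.23 DST=192.0.2.1 " + _TAIL % (44513, 22, "SYN"),
    _HEAD % (3, 3, "IPT-DROP:") + "SRC=198.51.100.23 DST=192.0.2.1 " + _TAIL % (44514, 23, "SYN"),
    _HEAD % (4, 4, "IPT-DROP:") + "SRC=198.51.100.23 DST=192.0.2.1 "
        "LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=20",
    _HEAD % (5, 5, "IPT-DROP:") + "SRC=203.0.113.77 DST=192.0.2.1 " + _TAIL % (443, 22, "ACK SYN"),
    _HEAD % (6, 6, "IPT-ACCEPT:") + "SRC=203.0.113.5 DST=192.0.2.1 " + _TAIL % (51000, 443, "SYN"),
    "Mar  9 12:00:07 fw sshd[123]: Accepted publickey for alice from 192.0.2.50",
]


def parse_log_line(line):
    """Return a dict of fields (plus 'prefix' and 'flags'), or None if not a LOG line."""
    m = _LOG_HEAD.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for token in line[m.end():].split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value             # later keys (a second LEN=) overwrite earlier
        else:
            rec["flags"].add(token)      # DF, SYN, ACK, ... carry no value
    return rec


def count_refused_syns(lines, prefix):
    """Count pure SYNs (SYN set, ACK clear) per (SRC, DPT) for one --log-prefix.

    This is the view the LOG-then-DROP pairing is meant to give: which
    sources keep requesting connections to ports the firewall refuses.
    """
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["prefix"] != prefix or rec.get("PROTO") != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            counts[(rec["SRC"], rec["DPT"])] += 1
    return counts
```

Keying on the prefix is what makes separate rules distinguishable in a shared kernel log, which is why the manual suggests giving each LOG rule its own --log-prefix; a line that merely mentions `kernel:` without `IN=` is not a LOG line and is skipped.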
1139
1140 MARK
1141 This is used to set the netfilter mark value associated with the
1142 packet. It is only valid in the mangle table. It can for example be
1143 used in conjunction with iproute2.
1144
1145 --set-mark value
1146 Set nfmark value
1147
1148 --and-mark value
1149 Binary AND the nfmark with value
1150
1151 --or-mark value
1152 Binary OR the nfmark with value
1153
1154 MASQUERADE
1155 This target is only valid in the nat table, in the POSTROUTING chain.
1156 It should only be used with dynamically assigned IP (dialup) connec‐
1157 tions: if you have a static IP address, you should use the SNAT target.
1158 Masquerading is equivalent to specifying a mapping to the IP address of
1159 the interface the packet is going out, but also has the effect that
1160 connections are forgotten when the interface goes down. This is the
1161 correct behavior when the next dialup is unlikely to have the same
1162 interface address (and hence any established connections are lost any‐
1163 way). It takes one option:
1164
1165 --to-ports port[-port]
1166 This specifies a range of source ports to use, overriding the
1167 default SNAT source port-selection heuristics (see above). This
1168 is only valid if the rule also specifies -p tcp or -p udp.
1169
1170 --random
1171 Randomize source port mapping: if option --random is used then
1172 port mapping will be randomized (kernel >= 2.6.21).
1173
1174 MIRROR
1175 This is an experimental demonstration target which inverts the source
1176 and destination fields in the IP header and retransmits the packet. It
1177 is only valid in the INPUT, FORWARD and PREROUTING chains, and user-
1178 defined chains which are only called from those chains. Note that the
1179 outgoing packets are NOT seen by any packet filtering chains, connec‐
1180 tion tracking or NAT, to avoid loops and other problems.
1181
1182 NETMAP
1183 This target allows you to statically map a whole network of addresses
1184 onto another network of addresses. It can only be used from rules in
1185 the nat table.
1186
1187 --to address[/mask]
1188 Network address to map to. The resulting address will be con‐
1189 structed in the following way: All 'one' bits in the mask are
1190 filled in from the new `address'. All bits that are zero in the
1191 mask are filled in from the original address.
1192
1193 NFQUEUE
1194 This target is an extension of the QUEUE target. As opposed to QUEUE,
1195 it allows you to put a packet into any specific queue, identified by
1196 its 16-bit queue number.
1197
1198 --queue-num value
1199 This specifies the QUEUE number to use. Valid queue numbers are
1200 0 to 65535. The default value is 0.
1201
1202 It can only be used with Kernel versions 2.6.14 or later, since it
1203 requires the nfnetlink_queue kernel support.
1205
1206 NOTRACK
1207 This target disables connection tracking for all packets matching that
1208 rule.
1209
1210 It can only be used in the raw table.
1212
1213 REDIRECT
1214 This target is only valid in the nat table, in the PREROUTING and OUT‐
1215 PUT chains, and user-defined chains which are only called from those
1216 chains. It redirects the packet to the machine itself by changing the
1217 destination IP to the primary address of the incoming interface
1218 (locally-generated packets are mapped to the 127.0.0.1 address). It
1219 takes one option:
1220
1221 --to-ports port[-port]
1222 This specifies a destination port or range of ports to use:
1223 without this, the destination port is never altered. This is
1224 only valid if the rule also specifies -p tcp or -p udp.
1225
1226 --random
1227 If option --random is used then port mapping will be randomized
1228 (kernel >= 2.6.22).
1229
1230 REJECT
1231 This is used to send back an error packet in response to the matched
1232 packet: otherwise it is equivalent to DROP so it is a terminating TAR‐
1233 GET, ending rule traversal. This target is only valid in the INPUT,
1234 FORWARD and OUTPUT chains, and user-defined chains which are only
1235 called from those chains. The following option controls the nature of
1236 the error packet returned:
1237
1238 --reject-with type
1239 The type given can be
1240 icmp-net-unreachable
1241 icmp-host-unreachable
1242 icmp-port-unreachable
1243 icmp-proto-unreachable
1244 icmp-net-prohibited
1245 icmp-host-prohibited or
1246 icmp-admin-prohibited (*)
1247 which return the appropriate ICMP error message (port-unreach‐
1248 able is the default). The option tcp-reset can be used on rules
1249 which only match the TCP protocol: this causes a TCP RST packet
1250 to be sent back. This is mainly useful for blocking ident
1251 (113/tcp) probes which frequently occur when sending mail to
1252 broken mail hosts (which won't accept your mail otherwise).
1253
1254 (*) Using icmp-admin-prohibited with kernels that do not support it
1255 will result in a plain DROP instead of REJECT
1256
1257 SAME
1258 Similar to SNAT/DNAT depending on chain: it takes a range of addresses
1259 (`--to 1.2.3.4-1.2.3.7') and gives a client the same source-/destina‐
1260 tion-address for each connection.
1261
1262 --to <ipaddr>-<ipaddr>
1263 Addresses to map source to. May be specified more than once for
1264 multiple ranges.
1265
1266 --nodst
1267 Don't use the destination-ip in the calculations when selecting
1268 the new source-ip
1269
1270 --random
1271 Port mapping will be forcibly randomized to avoid attacks based
1272 on port prediction (kernel >= 2.6.21).
1273
1274 SECMARK
1275 This is used to set the security mark value associated with the packet
1276 for use by security subsystems such as SELinux. It is only valid in
1277 the mangle table.
1278
1279 --selctx security_context
1280
1281 SET
1282 This modules adds and/or deletes entries from IP sets which can be
1283 defined by ipset(8).
1284
1285 --add-set setname flag[,flag...]
1286 add the address(es)/port(s) of the packet to the sets
1287
1288 --del-set setname flag[,flag...]
1289 delete the address(es)/port(s) of the packet from the sets,
1290 where flags are src and/or dst and there can be no more than six
1291 of them.
1292
1293 The bindings to follow must previously be defined in order to use
1294 multilevel adding/deleting by the SET target.
1295
1296 SNAT
1297 This target is only valid in the nat table, in the POSTROUTING chain.
1298 It specifies that the source address of the packet should be modified
1299 (and all future packets in this connection will also be mangled), and
1300 rules should cease being examined. It takes one type of option:
1301
1302 --to-source ipaddr[-ipaddr][:port-port]
1303 which can specify a single new source IP address, an inclusive
1304 range of IP addresses, and optionally, a port range (which is
1305 only valid if the rule also specifies -p tcp or -p udp). If no
1306 port range is specified, then source ports below 512 will be
1307 mapped to other ports below 512: those between 512 and 1023
1308 inclusive will be mapped to ports below 1024, and other ports
1309 will be mapped to 1024 or above. Where possible, no port alter‐
1310 ation will
1311
1312 In Kernels up to 2.6.10, you can add several --to-source
1313 options. For those kernels, if you specify more than one source
1314 address, either via an address range or multiple --to-source
1315 options, a simple round-robin (one after another in cycle) takes
1316 place between these addresses. Later Kernels (>= 2.6.11-rc1)
1317 don't have the ability to NAT to multiple ranges anymore.
1318
1319 --random
1320 If option --random is used then port mapping will be randomized
1321 (kernel >= 2.6.21).
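
The source-port bands the --to-source description gives (below 512, 512 to 1023, 1024 and above) and the rule that the original port is kept where possible, as an added model written for this page; it is not the kernel NAT code. One simplification is mine: when the original port cannot be kept, this model takes the lowest free port in the band, whereas the kernel's search order differs.

```python
"""Model of SNAT source-port selection (added example, not kernel code).

Encodes the port bands the manual gives for --to-source without a port
range: original ports below 512 stay below 512, 512-1023 stay below 1024,
everything else maps to 1024 or above; the original port is kept where
possible.  With an explicit :port-port range that range replaces the band.
Simplification (mine, not the kernel's): when the original port cannot be
kept, the lowest free port in the band is chosen.
"""


def snat_port_band(orig_port):
    """Band the manual assigns to a source port when no :port-port range is given."""
    if orig_port < 512:
        return (1, 511)
    if orig_port < 1024:
        return (1, 1023)
    return (1024, 65535)


def choose_snat_port(orig_port, in_use, explicit_range=None):
    """Pick the translated source port.

    `in_use` holds the ports already taken by other translated connections
    to the same destination; two internal hosts that both used the same
    source port must end up on different ports once they share one
    source address.
    """
    lo, hi = explicit_range if explicit_range else snat_port_band(orig_port)
    if lo <= orig_port <= hi and orig_port not in in_use:
        return orig_port                 # "where possible, no port alteration"
    for port in range(lo, hi + 1):
        if port not in in_use:
            return port
    raise RuntimeError("no free port in %d-%d" % (lo, hi))


def translate_connections(orig_ports, explicit_range=None):
    """Translate connections that share one destination behind one SNAT
    address, returning the chosen ports in order; shows how a collision
    pushes a later connection off its original port but keeps it in band."""
    used, chosen = set(), []
    for orig in orig_ports:
        port = choose_snat_port(orig, used, explicit_range)
        used.add(port)
        chosen.append(port)
    return chosen
```

The band rule matters for services that check the peer port: a client on a port below 1024 stays below 1024 after translation, so an explicit `:port-port` range is needed only when that default is not wanted.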
1322
1323 TCPMSS
1324 This target allows you to alter the MSS value of TCP SYN packets, to con‐
1325 trol the maximum size for that connection (usually limiting it to your
1326 outgoing interface's MTU minus 40). Of course, it can only be used in
1327 conjunction with -p tcp. It is only valid in the mangle table.
1328 This target is used to overcome criminally braindead ISPs or servers
1329 which block ICMP Fragmentation Needed packets. The symptoms of this
1330 problem are that everything works fine from your Linux firewall/router,
1331 but machines behind it can never exchange large packets:
1332 1) Web browsers connect, then hang with no data received.
1333 2) Small mail works fine, but large emails hang.
1334 3) ssh works fine, but scp hangs after initial handshaking.
1335 Workaround: activate this option and add a rule to your firewall con‐
1336 figuration like:
1337 iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1338 -j TCPMSS --clamp-mss-to-pmtu
1339
1340 --set-mss value
1341 Explicitly set MSS option to specified value.
1342
1343 --clamp-mss-to-pmtu
1344 Automatically clamp MSS value to (path_MTU - 40).
1345
1346 These options are mutually exclusive.
1347
1348 TOS
1349 This is used to set the 8-bit Type of Service field in the IP header.
1350 It is only valid in the mangle table.
1351
1352 --set-tos tos
1353 You can use a numeric TOS value, or use
1354 iptables -j TOS -h
1355 to see the list of valid TOS names.
1356
1357 TTL
1358 This is used to modify the IPv4 TTL header field. The TTL field deter‐
1359 mines how many hops (routers) a packet can traverse until its time to
1360 live is exceeded.
1361
1362 Setting or incrementing the TTL field can potentially be very danger‐
1363 ous, so it should be avoided at any cost.
1364
1365 Don't ever set or increment the value on packets that leave your local
1366 network!
1367
1368 This target is only valid in the mangle table.
1369
1370 --ttl-set value
1371 Set the TTL value to `value'.
1372
1373 --ttl-dec value
1374 Decrement the TTL value `value' times.
1375
1376 --ttl-inc value
1377 Increment the TTL value `value' times.
1378
1379 ULOG
1380 This target provides userspace logging of matching packets. When this
1381 target is set for a rule, the Linux kernel will multicast this packet
1382 through a netlink socket. One or more userspace processes may then sub‐
1383 scribe to various multicast groups and receive the packets. Like LOG,
1384 this is a "non-terminating target", i.e. rule traversal continues at
1385 the next rule.
1386
1387 --ulog-nlgroup nlgroup
1388 This specifies the netlink group (1-32) to which the packet is
1389 sent. Default value is 1.
1390
1391 --ulog-prefix prefix
1392 Prefix log messages with the specified prefix; up to 32 charac‐
1393 ters long, and useful for distinguishing messages in the logs.
1394
1395 --ulog-cprange size
1396 Number of bytes to be copied to userspace. A value of 0 always
1397 copies the entire packet, regardless of its size. Default is 0.
1398
1399 --ulog-qthreshold size
1400 Number of packets to queue inside kernel. Setting this value to,
1401 e.g. 10 accumulates ten packets inside the kernel and transmits
1402 them as one netlink multipart message to userspace. Default is
1403 1 (for backwards compatibility).
1404
1405 DIAGNOSTICS
1406 Various error messages are printed to standard error. The exit code is
1407 0 for correct functioning. Errors which appear to be caused by invalid
1408 or abused command line parameters cause an exit code of 2, and other
1409 errors cause an exit code of 1.
1410
1411 BUGS
1412 Bugs? What's this? ;-) Well, you might want to have a look at
1413 http://bugzilla.netfilter.org/
1414
1415 COMPATIBILITY WITH IPCHAINS
1416 This iptables is very similar to ipchains by Rusty Russell. The main
1417 difference is that the chains INPUT and OUTPUT are only traversed for
1418 packets coming into the local host and originating from the local host
1419 respectively. Hence every packet only passes through one of the three
1420 chains (except loopback traffic, which involves both INPUT and OUTPUT
1421 chains); previously a forwarded packet would pass through all three.
1422
1423 The other main difference is that -i refers to the input interface; -o
1424 refers to the output interface, and both are available for packets
1425 entering the FORWARD chain.
1426
1427 iptables is a pure packet filter when using the default `filter' table,
1428 with optional extension modules. This should simplify much of the pre‐
1429 vious confusion over the combination of IP masquerading and packet fil‐
1430 tering. So the following options are handled differently:
1432 -j MASQ
1433 -M -S
1434 -M -L
1435 There are several other changes in iptables.
1436
1437 SEE ALSO
1438 iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8),
1439 ip6tables-restore(8), libipq(3).
1440
1441 The packet-filtering-HOWTO details iptables usage for packet filtering,
1442 the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the
1443 extensions that are not in the standard distribution, and the netfil‐
1444 ter-hacking-HOWTO details the netfilter internals.
1445 See http://www.netfilter.org/.
1446
1447 AUTHORS
1448 Rusty Russell originally wrote iptables, in early consultation with
1449 Michael Neuling.
1450
1451 Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic
1452 packet selection framework in iptables, then wrote the mangle table,
1453 the owner match, the mark stuff, and ran around doing cool stuff every‐
1454 where.
1455
1456 James Morris wrote the TOS target, and tos match.
1457
1458 Jozsef Kadlecsik wrote the REJECT target.
1459
1460 Harald Welte wrote the ULOG and NFQUEUE targets, the new libiptc, as
1461 well as the TTL, DSCP, ECN matches and targets.
1462
1463 The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki
1464 Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira
1465 Ayuso, Harald Welte and Rusty Russell.
1466
1467 Man page originally written by Herve Eychenne <rv@wallfire.org>.
1468
1469
1470
1471 Mar 09, 2002 IPTABLES(8)