version 2, including all changes.

!!!IPTABLES

NAME
SYNOPSIS
DESCRIPTION
TARGETS
TABLES
OPTIONS
MATCH EXTENSIONS
TARGET EXTENSIONS
EXTRA EXTENSIONS
DIAGNOSTICS
BUGS
COMPATIBILITY WITH IPCHAINS
SEE ALSO
AUTHORS

----

!!NAME

iptables - IP packet filter administration

!!SYNOPSIS

__iptables -[[ADC]__ chain rule-specification [[options]
__iptables -I__ chain [[rulenum] rule-specification [[options]
__iptables -R__ chain rulenum rule-specification [[options]
__iptables -D__ chain rulenum [[options]
__iptables -[[LFZ]__ [[chain] [[options]
__iptables -N__ chain
__iptables -X__ [[chain]
__iptables -P__ chain target [[options]
__iptables -E__ old-chain-name new-chain-name

!!DESCRIPTION

__Iptables__ is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

!!TARGETS

A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ''ACCEPT'', ''DROP'', ''QUEUE'', or ''RETURN''.

''ACCEPT'' means to let the packet through. ''DROP'' means to drop the packet on the floor. ''QUEUE'' means to pass the packet to userspace (if supported by the kernel). ''RETURN'' means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target ''RETURN'' is matched, the target specified by the chain policy determines the fate of the packet.

!!TABLES

There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

__-t, --table__ ''table''

This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

The tables are as follows:

__filter__

This is the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

__nat__

This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

__mangle__

This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

!!OPTIONS

The options that are recognized by __iptables__ can be divided into several different groups.

__COMMANDS__

These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that __iptables__ can differentiate it from all other options.

__-A, --append__ ''chain rule-specification''

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

__-D, --delete__ ''chain rule-specification''

__-D, --delete__ ''chain rulenum''

Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

__-I, --insert__ ''chain'' [[''rulenum''] ''rule-specification''

Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

__-R, --replace__ ''chain rulenum rule-specification''

Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

__-L, --list__ [[''chain'']

List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by

iptables -t nat -n -L

Please note that it is often used with the __-n__ option, in order to avoid long reverse DNS lookups. It is legal to specify the __-Z__ (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.

__-F, --flush__ [[''chain'']

Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

__-Z, --zero__ [[''chain'']

Zero the packet and byte counters in all chains. It is legal to specify the __-L, --list__ (list) option as well, to see the counters immediately before they are cleared. (See above.)

__-N, --new-chain__ ''chain''

Create a new user-defined chain by the given name. There must be no target of that name already.

__-X, --delete-chain__ [[''chain'']

Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-builtin chain in the table.

__-P, --policy__ ''chain target''

Set the policy for the chain to the given target. See the section __TARGETS__ for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

__-E, --rename-chain__ ''old-chain new-chain''

Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.

__-h__

Help. Give a (currently very brief) description of the command syntax.

__PARAMETERS__

The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

__-p, --protocol__ [[!] ''protocol''

The protocol of the rule or of the packet to check. The specified protocol can be one of ''tcp'', ''udp'', ''icmp'', or ''all'', or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to ''all''. Protocol ''all'' will match with all protocols and is taken as default when this option is omitted.

__-s, --source__ [[!] ''address''[[/''mask'']

Source specification. ''Address'' can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The ''mask'' can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of ''24'' is equivalent to ''255.255.255.0''. A "!" argument before the address specification inverts the sense of the address. The flag __--src__ is an alias for this option.

__-d, --destination__ [[!] ''address''[[/''mask'']

Destination specification. See the description of the __-s__ (source) flag for a detailed description of the syntax. The flag __--dst__ is an alias for this option.
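As an added example (not from the man page or the iptables project), the following Python models how an "[!] address[/mask]" argument to -s/-d is interpreted: the equivalence of a prefix length such as 24 with the dotted mask 255.255.255.0, a plain address meaning a single host, and the "!" inversion. Hostnames are deliberately not resolved, since the text warns against DNS-resolved names; parse_address_spec and matches_address are this example's own names.

```python
import socket
import struct

def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 address to its 32-bit integer value."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))

def parse_mask(mask: str) -> int:
    """Accept either a dotted netmask (255.255.255.0) or a plain number giving
    the count of leading 1 bits (24); both forms yield the same 32-bit mask."""
    if "." in mask:
        bits = ip_to_int(mask)
        # A netmask must be a run of 1s followed only by 0s; reject 255.0.255.0.
        gaps = (~bits) & 0xFFFFFFFF
        if gaps & (gaps + 1):
            raise ValueError(f"non-contiguous netmask {mask!r}")
        return bits
    length = int(mask)
    if not 0 <= length <= 32:
        raise ValueError(f"prefix length out of range: {mask!r}")
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF

def parse_address_spec(spec: str):
    """Parse "[!] address[/mask]" (with the '!' as a separate token, as in the
    syntax shown above) into (inverted, network, mask). A plain address is /32.
    Hostnames are intentionally not resolved: the text warns against DNS here."""
    tokens = spec.split()
    inverted = False
    if tokens and tokens[0] == "!":
        inverted, tokens = True, tokens[1:]
    if len(tokens) != 1:
        raise ValueError(f"malformed address specification {spec!r}")
    address, _, mask = tokens[0].partition("/")
    mask_bits = parse_mask(mask) if mask else 0xFFFFFFFF
    # Host bits are cleared so that 10.1.2.3/8 and 10.0.0.0/8 describe the same network.
    network = ip_to_int(address) & mask_bits
    return inverted, network, mask_bits

def matches_address(spec: str, packet_ip: str) -> bool:
    """Does a packet with this source/destination IP satisfy the -s/-d spec?"""
    inverted, network, mask_bits = parse_address_spec(spec)
    hit = (ip_to_int(packet_ip) & mask_bits) == network
    return hit != inverted  # '!' flips the result
```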
485 |
|
|
|
486 |
|
|
|
487 |
|
|
|
488 |
|
|
|
489 |
|
1 |
WikiAdmin |
490 |
__-j, --jump__ ''target'' |
2 |
WikiAdmin |
491 |
|
|
|
492 |
|
|
|
493 |
|
|
|
494 |
|
|
|
495 |
|
1 |
WikiAdmin |
496 |
This specifies the target of the rule; i.e., what to do if |
|
|
497 |
the packet matches it. The target can be a user-defined |
|
|
498 |
chain (other than the one this rule is in), one of the |
|
|
499 |
special builtin targets which decide the fate of the packet |
|
|
500 |
immediately, or an extension (see __EXTENSIONS__ below). |
|
|
501 |
If this option is omitted in a rule, then matching the rule |
|
|
502 |
will have no effect on the packet's fate, but the counters |
|
|
503 |
on the rule will be incremented. |
2 |
WikiAdmin |
504 |
|
|
|
505 |
|
|
|
506 |
|
|
|
507 |
|
|
|
508 |
|
1 |
WikiAdmin |
509 |
__-i, --in-interface__ [[!] ''name'' |
2 |
WikiAdmin |
510 |
|
|
|
511 |
|
|
|
512 |
|
|
|
513 |
|
|
|
514 |
|
1 |
WikiAdmin |
515 |
Name of an interface via which a packet is going to be |
|
|
516 |
received (only for packets entering the __INPUT__, |
|
|
517 |
__FORWARD__ and __PREROUTING__ chains). When the |
|
|
518 |
"!" argument is used before the interface name, |
|
|
519 |
the sense is inverted. If the interface name ends in a |
|
|
520 |
"+", then any interface which begins with this |
|
|
521 |
name will match. If this option is omitted, any interface |
|
|
522 |
name will match. |
2 |
WikiAdmin |
523 |
|
|
|
524 |
|
|
|
525 |
|
|
|
526 |
|
|
|
527 |
|
1 |
WikiAdmin |
528 |
__-o, --out-interface__ [[!] ''name'' |
2 |
WikiAdmin |
529 |
|
|
|
530 |
|
|
|
531 |
|
|
|
532 |
|
|
|
533 |
|
1 |
WikiAdmin |
534 |
Name of an interface via which a packet is going to be sent |
|
|
535 |
(for packets entering the __FORWARD__, __OUTPUT__ and |
|
|
536 |
__POSTROUTING__ chains). When the "!" argument |
|
|
537 |
is used before the interface name, the sense is inverted. If |
|
|
538 |
the interface name ends in a "+", then any |
|
|
539 |
interface which begins with this name will match. If this |
|
|
540 |
option is omitted, any interface name will |
|
|
541 |
match. |
2 |
WikiAdmin |
542 |
|
|
|
543 |
|
|
|
544 |
|
|
|
545 |
|
|
|
546 |
|
1 |
WikiAdmin |
547 |
__[[!] -f, --fragment__ |
2 |
WikiAdmin |
548 |
|
|
|
549 |
|
|
|
550 |
|
|
|
551 |
|
|
|
552 |
|
1 |
WikiAdmin |
553 |
This means that the rule only refers to second and further |
|
|
554 |
fragments of fragmented packets. Since there is no way to |
|
|
555 |
tell the source or destination ports of such a packet (or |
|
|
556 |
ICMP type), such a packet will not match any rules which |
|
|
557 |
specify them. When the "!" argument precedes the |
|
|
558 |
"-f" flag, the rule will only match head |
|
|
559 |
fragments, or unfragmented packets. |
2 |
WikiAdmin |
560 |
|
|
|
561 |
|
|
|
562 |
|
|
|
563 |
|
|
|
564 |
|
1 |
WikiAdmin |
565 |
__-c, --set-counters__ ''PKTS BYTES'' |
2 |
WikiAdmin |
566 |
|
|
|
567 |
|
|
|
568 |
|
|
|
569 |
|
|
|
570 |
|
1 |
WikiAdmin |
571 |
This enables the administrater to initialize the packet and |
|
|
572 |
byte counters of a rule (during __INSERT, APPEND,__ |
|
|
573 |
__REPLACE__ operations). |
2 |
WikiAdmin |
574 |
|
|
|
575 |
|
|
|
576 |
|
|
|
577 |
|
|
|
578 |
|
1 |
WikiAdmin |
579 |
__OTHER OPTIONS__ |
2 |
WikiAdmin |
580 |
|
|
|
581 |
|
|
|
582 |
|
|
|
583 |
|
|
|
584 |
|
1 |
WikiAdmin |
585 |
The following additional options can be |
|
|
586 |
specified: |
2 |
WikiAdmin |
587 |
|
|
|
588 |
|
|
|
589 |
|
|
|
590 |
|
|
|
591 |
|
1 |
WikiAdmin |
592 |
__-v, --verbose__ |
2 |
WikiAdmin |
593 |
|
|
|
594 |
|
|
|
595 |
|
|
|
596 |
|
|
|
597 |
|
1 |
WikiAdmin |
598 |
Verbose output. This option makes the list command show the |
|
|
599 |
interface address, the rule options (if any), and the TOS |
|
|
600 |
masks. The packet and byte counters are also listed, with |
|
|
601 |
the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and |
|
|
602 |
1,000,000,000 multipliers respectively (but see the |
|
|
603 |
__-x__ flag to change this). For appending, insertion, |
|
|
604 |
deletion and replacement, this causes detailed information |
|
|
605 |
on the rule or rules to be printed. |
2 |
WikiAdmin |
606 |
|
|
|
607 |
|
|
|
608 |
|
|
|
609 |
|
|
|
610 |
|
1 |
WikiAdmin |
611 |
__-n, --numeric__ |
2 |
WikiAdmin |
612 |
|
|
|
613 |
|
|
|
614 |
|
|
|
615 |
|
|
|
616 |
|
1 |
WikiAdmin |
617 |
Numeric output. IP addresses and port numbers will be |
|
|
618 |
printed in numeric format. By default, the program will try |
|
|
619 |
to display them as host names, network names, or services |
|
|
620 |
(whenever applicable). |
2 |
WikiAdmin |
621 |
|
|
|
622 |
|
|
|
623 |
|
|
|
624 |
|
|
|
625 |
|
1 |
WikiAdmin |
626 |
__-x, --exact__ |
2 |
WikiAdmin |
627 |
|
|
|
628 |
|
|
|
629 |
|
|
|
630 |
|
|
|
631 |
|
1 |
WikiAdmin |
632 |
Expand numbers. Display the exact value of the packet and |
|
|
633 |
byte counters, instead of only the rounded number in K's |
|
|
634 |
(multiples of 1000) M's (multiples of 1000K) or G's |
|
|
635 |
(multiples of 1000M). This option is only relevant for the |
|
|
636 |
__-L__ command. |
2 |
WikiAdmin |
637 |
|
|
|
638 |
|
|
|
639 |
|
|
|
640 |
|
|
|
641 |
|
1 |
WikiAdmin |
642 |
__--line-numbers__ |
2 |
WikiAdmin |
643 |
|
|
|
644 |
|
|
|
645 |
|
|
|
646 |
|
|
|
647 |
|
1 |
WikiAdmin |
648 |
When listing rules, add line numbers to the beginning of |
|
|
649 |
each rule, corresponding to that rule's position in the |
|
|
650 |
chain. |
2 |
WikiAdmin |
651 |
|
|
|
652 |
|
|
|
653 |
|
|
|
654 |
|
|
|
655 |
|
1 |
WikiAdmin |
656 |
__--modprobe=command__ |
2 |
WikiAdmin |
657 |
|
|
|
658 |
|
|
|
659 |
|
|
|
660 |
|
|
|
661 |
|
1 |
WikiAdmin |
662 |
When adding or inserting rules into a chain, use |
|
|
663 |
__command__ to load any necessary modules (targets, match |
|
|
664 |
extensions, etc). |
2 |
WikiAdmin |
665 |
|
1 |
WikiAdmin |
666 |
|
|
|
667 |
!!MATCH EXTENSIONS |
2 |
WikiAdmin |
668 |
|
|
|
669 |
|
|
|
670 |
|
|
|
671 |
|
|
|
672 |
|
1 |
WikiAdmin |
673 |
iptables can use extended packet matching modules. These are |
|
|
674 |
loaded in two ways: implicitly, when __-p__ or |
|
|
675 |
__--protocol__ is specified, or with the __-m__ or |
|
|
676 |
__--match__ options, followed by the matching module |
|
|
677 |
name; after these, various extra command line options become |
|
|
678 |
available, depending on the specific module. You can specify |
|
|
679 |
multiple extended match modules in one line, and you can use |
|
|
680 |
the __-h__ or __--help__ options after the module has |
|
|
681 |
been specified to receive help specific to that |
|
|
682 |
module. |
2 |
WikiAdmin |
683 |
|
|
|
684 |
|
|
|
685 |
|
|
|
686 |
|
|
|
687 |
|
1 |
WikiAdmin |
688 |
The following are included in the base package, and most of |
|
|
689 |
these can be preceded by a __!__ to invert the sense of |
|
|
690 |
the match. |
2 |
WikiAdmin |
691 |
|
|
|
692 |
|
|
|
693 |
|
|
|
694 |
|
|
|
695 |
|
1 |
WikiAdmin |
696 |
__tcp__ |
2 |
WikiAdmin |
697 |
|
|
|
698 |
|
|
|
699 |
|
|
|
700 |
|
|
|
701 |
|
1 |
WikiAdmin |
702 |
These extensions are loaded if `--protocol tcp' is |
|
|
703 |
specified. It provides the following options: |
2 |
WikiAdmin |
704 |
|
|
|
705 |
|
|
|
706 |
|
|
|
707 |
|
|
|
708 |
|
1 |
WikiAdmin |
709 |
__--source-port__ [[!] |
|
|
710 |
''port''[[:''port''] |
2 |
WikiAdmin |
711 |
|
|
|
712 |
|
|
|
713 |
|
|
|
714 |
|
|
|
715 |
|
1 |
WikiAdmin |
716 |
Source port or port range specification. This can either be |
|
|
717 |
a service name or a port number. An inclusive range can also |
|
|
718 |
be specified, using the format ''port'':''port''. If |
|
|
719 |
the first port is omitted, "0" is assumed; if the |
|
|
720 |
last is omitted, "65535" is assumed. If the second |
|
|
721 |
port greater then the first they will be swapped. The flag |
|
|
722 |
__--sport__ is a convenient alias for this |
|
|
723 |
option. |
2 |
WikiAdmin |
724 |
|
|
|
725 |
|
|
|
726 |
|
|
|
727 |
|
|
|
728 |
|
1 |
WikiAdmin |
729 |
__--destination-port__ [[!] |
|
|
730 |
''port''[[:''port''] |
2 |
WikiAdmin |
731 |
|
|
|
732 |
|
|
|
733 |
|
|
|
734 |
|
|
|
735 |
|
1 |
WikiAdmin |
736 |
Destination port or port range specification. The flag |
|
|
737 |
__--dport__ is a convenient alias for this |
|
|
738 |
option. |
2 |
WikiAdmin |
739 |
|
|
|
740 |
|
|
|
741 |
|
|
|
742 |
|
|
|
743 |
|
1 |
WikiAdmin |
744 |
__--tcp-flags__ [[!] ''mask comp'' |
2 |
WikiAdmin |
745 |
|
|
|
746 |
|
|
|
747 |
|
|
|
748 |
|
|
|
749 |
|
1 |
WikiAdmin |
750 |
Match when the TCP flags are as specified. The first |
|
|
751 |
argument is the flags which we should examine, written as a |
|
|
752 |
comma-separated list, and the second argument is a |
|
|
753 |
comma-separated list of flags which must be set. Flags are: |
|
|
754 |
__SYN ACK FIN RST URG PSH ALL NONE__. Hence the |
|
|
755 |
command |
|
|
756 |
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST |
|
|
757 |
SYN |
|
|
758 |
will only match packets with the SYN flag set, and the ACK, |
|
|
759 |
FIN and RST flags unset. |
2 |
WikiAdmin |
760 |
|
|
|
761 |
|
|
|
762 |
|
|
|
763 |
|
|
|
764 |
|
1 |
WikiAdmin |
765 |
__[[!] --syn__ |
2 |
WikiAdmin |
766 |
|
|
|
767 |
|
|
|
768 |
|
|
|
769 |
|
|
|
770 |
|
1 |
WikiAdmin |
771 |
Only match TCP packets with the SYN bit set and the ACK and |
|
|
772 |
FIN bits cleared. Such packets are used to request TCP |
|
|
773 |
connection initiation; for example, blocking such packets |
|
|
774 |
coming in an interface will prevent incoming TCP |
|
|
775 |
connections, but outgoing TCP connections will be |
|
|
776 |
unaffected. It is equivalent to __--tcp-flags SYN,RST,ACK__ |
|
|
777 |
__SYN__. If the "!" flag precedes the |
|
|
778 |
"--syn", the sense of the option is |
|
|
779 |
inverted. |
2 |
WikiAdmin |
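Added example, not part of the man page or the iptables sources: a Python model of "--tcp-flags [!] mask comp" and "[!] --syn" evaluated over the TCP flags byte, which reproduces the SYN,ACK,FIN,RST SYN rule above and checks, over every possible flag combination, the equivalence of --syn with --tcp-flags SYN,RST,ACK SYN that the text states. FLAG_BITS, tcp_flags_match and tcp_flags_predicate are names of this example.

```python
# Flag bits as they sit in the TCP header's flags byte (constructed lookup
# table for this example; the bit layout is the one in RFC 793).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())

def parse_flag_list(spec: str) -> int:
    """Turn a comma-separated flag list into a bitmask. ALL means every flag in
    FLAG_BITS, NONE means the empty set (so "ALL NONE" matches a null packet)."""
    bits = 0
    for name in spec.upper().split(","):
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name == "NONE":
            continue
        elif name in FLAG_BITS:
            bits |= FLAG_BITS[name]
        else:
            raise ValueError(f"unknown TCP flag {name!r}")
    return bits

def tcp_flags_match(mask: str, comp: str, packet_flags: int, inverted: bool = False) -> bool:
    """--tcp-flags mask comp: look only at the flags named in MASK; of those,
    exactly the ones named in COMP must be set and the rest must be clear.
    Flags outside MASK are ignored, which is why PSH or URG do not disturb
    the SYN,ACK,FIN,RST SYN example from the text."""
    examined = parse_flag_list(mask)
    required = parse_flag_list(comp)
    hit = (packet_flags & examined) == required
    return hit != inverted  # '!' flips the result

def syn_match(packet_flags: int, inverted: bool = False) -> bool:
    """[!] --syn, written as the --tcp-flags form the text says it is equivalent to."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", packet_flags, inverted)

def tcp_flags_predicate(argv):
    """Parse the tokens of one "[!] --syn" or "--tcp-flags [!] mask comp" option
    (assumed to be split as a shell would) into a packet predicate."""
    tokens = list(argv)
    inverted = False
    if tokens[:1] == ["!"]:
        inverted, tokens = True, tokens[1:]
    if tokens == ["--syn"]:
        return lambda flags: syn_match(flags, inverted)
    if tokens[:1] == ["--tcp-flags"]:
        tokens = tokens[1:]
        if tokens[:1] == ["!"]:
            inverted, tokens = True, tokens[1:]
        if len(tokens) != 2:
            raise ValueError("--tcp-flags takes exactly a mask and a comp list")
        mask, comp = tokens
        return lambda flags: tcp_flags_match(mask, comp, flags, inverted)
    raise ValueError(f"unsupported option tokens {argv!r}")

def flag_names(packet_flags: int) -> str:
    """Render a flags byte as e.g. 'SYN,ACK' for readable diagnostics."""
    return ",".join(n for n, b in FLAG_BITS.items() if packet_flags & b) or "NONE"
```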
780 |
|
|
|
781 |
|
|
|
782 |
|
|
|
783 |
|
|
|
784 |
|
1 |
WikiAdmin |
785 |
__--tcp-option__ [[!] ''number'' |
2 |
WikiAdmin |
786 |
|
|
|
787 |
|
|
|
788 |
|
|
|
789 |
|
|
|
790 |
|
1 |
WikiAdmin |
791 |
Match if TCP option set. |
2 |
WikiAdmin |
792 |
|
|
|
793 |
|
|
|
794 |
|
|
|
795 |
|
|
|
796 |
|
1 |
WikiAdmin |
797 |
__--mss__ ''value''[[:''value''] |
2 |
WikiAdmin |
798 |
|
|
|
799 |
|
|
|
800 |
|
|
|
801 |
|
|
|
802 |
|
1 |
WikiAdmin |
803 |
Match TCP SYN or SYN/ACK packets with the specified MSS |
|
|
804 |
value (or range), which control the maximum packet size for |
|
|
805 |
that connection. |
2 |
WikiAdmin |
806 |
|
|
|
807 |
|
|
|
808 |
|
|
|
809 |
|
|
|
810 |
|
1 |
WikiAdmin |
811 |
__udp__ |
2 |
WikiAdmin |
812 |
|
|
|
813 |
|
|
|
814 |
|
|
|
815 |
|
|
|
816 |
|
1 |
WikiAdmin |
817 |
These extensions are loaded if `--protocol udp' is |
|
|
818 |
specified. It provides the following options: |
2 |
WikiAdmin |
819 |
|
|
|
820 |
|
|
|
821 |
|
|
|
822 |
|
|
|
823 |
|
1 |
WikiAdmin |
824 |
__--source-port__ [[!] |
|
|
825 |
''port''[[:''port''] |
2 |
WikiAdmin |
826 |
|
|
|
827 |
|
|
|
828 |
|
|
|
829 |
|
|
|
830 |
|
1 |
WikiAdmin |
831 |
Source port or port range specification. See the description |
|
|
832 |
of the __--source-port__ option of the TCP extension for |
|
|
833 |
details. |
2 |
WikiAdmin |
834 |
|
|
|
835 |
|
|
|
836 |
|
|
|
837 |
|
|
|
838 |
|
1 |
WikiAdmin |
839 |
__--destination-port__ [[!] |
|
|
840 |
''port''[[:''port''] |
2 |
WikiAdmin |
841 |
|
|
|
842 |
|
|
|
843 |
|
|
|
844 |
|
|
|
845 |
|
1 |
WikiAdmin |
846 |
Destination port or port range specification. See the |
|
|
847 |
description of the __--destination-port__ option of the |
|
|
848 |
TCP extension for details. |
2 |
WikiAdmin |
849 |
|
|
|
850 |
|
|
|
851 |
|
|
|
852 |
|
|
|
853 |
|
1 |
WikiAdmin |
854 |
__icmp__ |
2 |
WikiAdmin |
855 |
|
|
|
856 |
|
|
|
857 |
|
|
|
858 |
|
|
|
859 |
|
1 |
WikiAdmin |
860 |
This extension is loaded if `--protocol icmp' is specified. |
|
|
861 |
It provides the following option: |
2 |
WikiAdmin |
862 |
|
|
|
863 |
|
|
|
864 |
|
|
|
865 |
|
|
|
866 |
|
1 |
WikiAdmin |
867 |
__--icmp-type__ [[!] ''typename'' |
2 |
WikiAdmin |
868 |
|
|
|
869 |
|
|
|
870 |
|
|
|
871 |
|
|
|
872 |
|
1 |
WikiAdmin |
873 |
This allows specification of the ICMP type, which can be a |
|
|
874 |
numeric ICMP type, or one of the ICMP type names shown by |
|
|
875 |
the command |
|
|
876 |
iptables -p icmp -h |
2 |
WikiAdmin |
877 |
|
|
|
878 |
|
|
|
879 |
|
|
|
880 |
|
|
|
881 |
|
1 |
WikiAdmin |
882 |
__mac__ |
2 |
WikiAdmin |
883 |
|
|
|
884 |
|
|
|
885 |
|
|
|
886 |
|
|
|
887 |
|
1 |
WikiAdmin |
888 |
__--mac-source__ [[!] ''address'' |
2 |
WikiAdmin |
889 |
|
|
|
890 |
|
|
|
891 |
|
|
|
892 |
|
|
|
893 |
|
1 |
WikiAdmin |
894 |
Match source MAC address. It must be of the form |
|
|
895 |
XX:XX:XX:XX:XX:XX. Note that this only makes sense for |
|
|
896 |
packets coming from an Ethernet device and entering the |
|
|
897 |
__PREROUTING__, __FORWARD__ or __INPUT__ |
|
|
898 |
chains. |
2 |
WikiAdmin |
899 |
|
|
|
900 |
|
|
|
901 |
|
|
|
902 |
|
|
|
903 |
|
1 |
WikiAdmin |
904 |
__limit__ |
2 |
WikiAdmin |
905 |
|
|
|
906 |
|
|
|
907 |
|
|
|
908 |
|
|
|
909 |
|
1 |
WikiAdmin |
910 |
This module matches at a limited rate using a token bucket |
|
|
911 |
filter. A rule using this extension will match until this |
|
|
912 |
limit is reached (unless the `!' flag is used). It can be |
|
|
913 |
used in combination with the __LOG__ target to give |
|
|
914 |
limited logging, for example. |
2 |
WikiAdmin |
915 |
|
|
|
916 |
|
|
|
917 |
|
|
|
918 |
|
|
|
919 |
|
1 |
WikiAdmin |
920 |
__--limit__ ''rate'' |
2 |
WikiAdmin |
921 |
|
|
|
922 |
|
|
|
923 |
|
|
|
924 |
|
|
|
925 |
|
1 |
WikiAdmin |
926 |
Maximum average matching rate: specified as a number, with |
|
|
927 |
an optional `/second', `/minute', `/hour', or `/day' suffix; |
|
|
928 |
the default is 3/hour. |
2 |
WikiAdmin |
929 |
|
|
|
930 |
|
|
|
931 |
|
|
|
932 |
|
|
|
933 |
|
1 |
WikiAdmin |
934 |
__--limit-burst__ ''number'' |
2 |
WikiAdmin |
935 |
|
|
|
936 |
|
|
|
937 |
|
|
|
938 |
|
|
|
939 |
|
1 |
WikiAdmin |
940 |
Maximum initial number of packets to match: this number gets |
|
|
941 |
recharged by one every time the limit specified above is not |
|
|
942 |
reached, up to this number; the default is 5. |
2 |
WikiAdmin |
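Added example, not part of the man page or the iptables sources: a token-bucket model of the limit module with --limit and --limit-burst, run over a constructed packet timeline to show which packets a "-m limit -j LOG" rule would let through to the log. LimitMatch, simulate and EXAMPLE_TIMELINE are names of this example; a rate given without a suffix is assumed here to mean per second.

```python
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def seconds_per_token(rate: str) -> float:
    """Turn a --limit rate such as '3/hour' into the refill interval in seconds.
    Only the four suffixes named in the text are accepted; a bare number is
    taken as per second (an assumption of this example, not from the text)."""
    count_str, _, unit = rate.partition("/")
    count = int(count_str)
    if count <= 0:
        raise ValueError(f"rate must be positive: {rate!r}")
    unit = unit or "second"
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown rate unit {unit!r}")
    return UNIT_SECONDS[unit] / count

class LimitMatch:
    """Token bucket: starts full at --limit-burst tokens, is recharged at the
    --limit rate up to the burst, and each matching packet spends one token.
    Once the bucket is empty the rule stops matching until a token accrues,
    which is what bounds the log volume when combined with the LOG target."""

    def __init__(self, rate: str = "3/hour", burst: int = 5):
        self.interval = seconds_per_token(rate)  # seconds between refills
        self.burst = burst
        self.tokens = float(burst)
        self.last_seen = None

    def match(self, now: float) -> bool:
        if self.last_seen is not None:
            refill = (now - self.last_seen) / self.interval
            self.tokens = min(float(self.burst), self.tokens + refill)
        self.last_seen = now
        hit = self.tokens >= 1.0
        if hit:
            self.tokens -= 1.0
        return hit

def simulate(rate: str, burst: int, timestamps):
    """Run a packet timeline (seconds) through one limit rule; True = matched."""
    rule = LimitMatch(rate, burst)
    return [rule.match(t) for t in timestamps]

# Constructed timeline: a 10-packet burst at t=0, then sparse traffic 20, 30
# and 40 minutes in, then a second burst after a long quiet period. With the
# defaults (3/hour, burst 5) the True entries are the packets that get logged.
EXAMPLE_TIMELINE = [0.0] * 10 + [1200.0, 1800.0, 2400.0] + [100000.0] * 6

if __name__ == "__main__":
    for t, hit in zip(EXAMPLE_TIMELINE, simulate("3/hour", 5, EXAMPLE_TIMELINE)):
        print(f"t={t:>8.0f}s  {'LOG' if hit else 'suppressed'}")
```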
943 |
|
|
|
944 |
|
|
|
945 |
|
|
|
946 |
|
|
|
947 |
|
1 |
WikiAdmin |
948 |
__multiport__ |
2 |
WikiAdmin |
949 |
|
|
|
950 |
|
|
|
951 |
|
|
|
952 |
|
|
|
953 |
|
1 |
WikiAdmin |
954 |
This module matches a set of source or destination ports. Up |
|
|
955 |
to 15 ports can be specified. It can only be used in |
|
|
956 |
conjunction with __-p tcp__ or __-p__ |
|
|
957 |
__udp__. |
2 |
WikiAdmin |
958 |
|
|
|
959 |
|
|
|
960 |
|
|
|
961 |
|
|
|
962 |
|
1 |
WikiAdmin |
963 |
__--source-ports__ |
|
|
''port''[[,''port''[[,''port''...]]

Match if the source port is one of the given ports. The flag __--sports__ is a convenient alias for this option.

__--destination-ports__ ''port''[[,''port''[[,''port''...]]

Match if the destination port is one of the given ports. The flag __--dports__ is a convenient alias for this option.

__--ports__ ''port''[[,''port''[[,''port''...]]

Match if both the source and destination ports are equal to each other and to one of the given ports.

__mark__

This module matches the netfilter mark field associated with a packet (which can be set using the __MARK__ target below).

__--mark__ ''value''[[/''mask'']

Matches packets with the given unsigned mark value (if a mask is specified, the packet's mark is logically ANDed with the mask before the comparison).

__owner__

This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the __OUTPUT__ chain, and even there some packets (such as ICMP ping responses) may have no owner, and hence never match.

__--uid-owner__ ''userid''

Matches if the packet was created by a process with the given effective user id.

__--gid-owner__ ''groupid''

Matches if the packet was created by a process with the given effective group id.

__--pid-owner__ ''processid''

Matches if the packet was created by a process with the given process id.

__--sid-owner__ ''sessionid''

Matches if the packet was created by a process in the given session group.

__--cmd-owner__ ''name''

Matches if the packet was created by a process with the given command name. (This option is present only if iptables was compiled under a kernel supporting this feature.)

__state__

This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

__--state__ ''state''

Where ''state'' is a comma separated list of the connection states to match. Possible states are __INVALID__ meaning that the packet is associated with no known connection, __ESTABLISHED__ meaning that the packet is associated with a connection which has seen packets in both directions, __NEW__ meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions, and __RELATED__ meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
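The four connection states above, worked through on a constructed packet sequence. This is an added example, not netfilter's conntrack code or anything from the man page: a deliberately small tracker that assigns INVALID, NEW, ESTABLISHED and RELATED as the text defines them, plus an INPUT policy emulating the usual "accept ESTABLISHED,RELATED; accept NEW only to SSH; drop the rest" rules. Addresses are from the documentation ranges and the `Packet` and `StateTracker` names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flow key: (proto, src, sport, dst, dport); ICMP uses port 0 on both sides here.
Flow = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False                  # TCP SYN flag; ignored for other protocols
    error_for: Optional[Flow] = None   # ICMP error: the flow whose header it quotes


@dataclass
class Conn:
    seen_reply: bool = False   # becomes True once a packet flowed back the other way


def reverse(flow: Flow) -> Flow:
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


class StateTracker:
    """Toy conntrack: one entry per original-direction flow (constructed model)."""

    def __init__(self) -> None:
        self.conns: Dict[Flow, Conn] = {}

    def classify(self, pkt: Packet) -> str:
        flow: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "icmp" and pkt.error_for is not None:
            # An ICMP error is RELATED if the packet it quotes belongs to a tracked flow
            inner = pkt.error_for
            if inner in self.conns or reverse(inner) in self.conns:
                return "RELATED"
            return "INVALID"
        if flow in self.conns:
            # Original direction: ESTABLISHED only once a reply has been seen
            return "ESTABLISHED" if self.conns[flow].seen_reply else "NEW"
        rflow = reverse(flow)
        if rflow in self.conns:
            # First packet in the reply direction completes the pair
            self.conns[rflow].seen_reply = True
            return "ESTABLISHED"
        if pkt.proto == "tcp" and not pkt.syn:
            # Unknown flow and not a SYN: it cannot be starting a connection
            return "INVALID"
        # Simplification: the entry is kept even if the packet is dropped later;
        # real conntrack only confirms an entry for packets that are accepted.
        self.conns[flow] = Conn()
        return "NEW"


def input_verdict(tracker: StateTracker, pkt: Packet,
                  ssh_port: int = 22) -> Tuple[str, str]:
    """Emulates a common INPUT chain:
         -m state --state ESTABLISHED,RELATED -j ACCEPT
         -m state --state NEW -p tcp --dport 22 -j ACCEPT
         -j DROP
    Returns (state, verdict)."""
    state = tracker.classify(pkt)
    if state in ("ESTABLISHED", "RELATED"):
        return state, "ACCEPT"
    if state == "NEW" and pkt.proto == "tcp" and pkt.dport == ssh_port:
        return state, "ACCEPT"
    return state, "DROP"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed packet sequence as seen by host 198.51.100.1."""
    t = StateTracker()
    host, web, peer = "198.51.100.1", "192.0.2.10", "192.0.2.5"
    out: List[Tuple[str, str]] = []
    # 1. host opens a TCP connection to a web server (OUTPUT chain, no INPUT policy)
    out.append((t.classify(Packet("tcp", host, 40000, web, 80, syn=True)), "-"))
    # 2. SYN/ACK comes back: both directions now seen
    out.append(input_verdict(t, Packet("tcp", web, 80, host, 40000)))
    # 3. a new inbound SSH connection
    out.append(input_verdict(t, Packet("tcp", peer, 44000, host, 22, syn=True)))
    # 4. a stray ACK to port 445 that belongs to no tracked connection
    out.append(input_verdict(t, Packet("tcp", peer, 50000, host, 445)))
    # 5. an ICMP error quoting the web flow (e.g. fragmentation needed)
    out.append(input_verdict(t, Packet("icmp", web, 0, host, 0,
                                       error_for=("tcp", host, 40000, web, 80))))
    # 6. a new inbound SYN to port 445
    out.append(input_verdict(t, Packet("tcp", peer, 50001, host, 445, syn=True)))
    return out
```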
__tos__

This module matches the 8 bits of the Type of Service field in the IP header (i.e. including the precedence bits).

__--tos__ ''tos''

The argument is either a standard name (use iptables -m tos -h to see the list), or a numeric value to match.

__ah__

This module matches the SPIs in the AH header of IPSec packets.

__--ahspi__ [[!] ''spi''[[:''spi'']

__esp__

This module matches the SPIs in the ESP header of IPSec packets.

__--espspi__ [[!] ''spi''[[:''spi'']

__length__

This module matches the length of a packet against a specific value or range of values.

__--length__ ''length''[[:''length'']

__ttl__

This module matches the time to live field in the IP header.

__--ttl__ ''ttl''

Matches the given TTL value.

__owner__

This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the __OUTPUT__ chain, and even there some packets (such as ICMP ping responses) may have no owner, and hence never match. This is regarded as experimental.

__--uid-owner__ ''userid''

Matches if the packet was created by a process with the given effective user id.

__--gid-owner__ ''groupid''

Matches if the packet was created by a process with the given effective group id.

__--pid-owner__ ''processid''

Matches if the packet was created by a process with the given process id.

__--sid-owner__ ''sessionid''

Matches if the packet was created by a process in the given session group.

__unclean__

This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental.

!!TARGET EXTENSIONS

iptables can use extended target modules: the following are included in the standard distribution.

__LOG__

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with ''dmesg'' or ''syslogd''(8)). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT).

__--log-level__ ''level''

Level of logging (numeric or see ''syslog.conf''(5)).

__--log-prefix__ ''prefix''

Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.

__--log-tcp-sequence__

Log TCP sequence numbers. This is a security risk if the log is readable by users.

__--log-tcp-options__

Log options from the TCP packet header.

__--log-ip-options__

Log options from the IP packet header.
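Reading the LOG target's output back out of syslog, keyed by the ''--log-prefix'' each rule was given. This is an added example, not part of the man page: the log lines below are constructed (made-up host, prefixes and documentation-range addresses) in the KEY=value layout the LOG target writes, and the function names are this example's own. It also flags which prefixes carry a SEQ= field, i.e. which rules used ''--log-tcp-sequence''.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed syslog excerpt (hostnames, prefixes and addresses are made up)
# for two rules:   -j LOG --log-prefix "FW-DROP-IN: "      (followed by -j DROP)
#                  -j LOG --log-prefix "FW-ACCEPT-SSH: " --log-tcp-sequence
MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_SYSLOG = "\n".join([
    "Mar  1 10:00:01 fw kernel: FW-DROP-IN: IN=eth0 OUT= " + MAC
    + " SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF"
    + " PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar  1 10:00:02 fw kernel: FW-DROP-IN: IN=eth0 OUT= " + MAC
    + " SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF"
    + " PROTO=TCP SPT=51235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar  1 10:00:03 fw kernel: FW-DROP-IN: IN=eth0 OUT= " + MAC
    + " SRC=192.0.2.77 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=240 ID=0"
    + " PROTO=UDP SPT=53 DPT=1900 LEN=28",
    "Mar  1 10:00:04 fw kernel: FW-ACCEPT-SSH: IN=eth0 OUT= " + MAC
    + " SRC=192.0.2.5 DST=198.51.100.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9 DF"
    + " PROTO=TCP SPT=44000 DPT=22 SEQ=123456789 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar  1 10:00:05 fw sshd[1234]: Accepted publickey for alice from 192.0.2.5",
])

# Everything between "kernel:" (plus an optional printk timestamp) and the first
# "IN=" field is the --log-prefix the rule was given.
_KLOG = re.compile(r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)\s*(?=\bIN=)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one LOG line into its KEY=value fields; bare flags such as DF or
    SYN map to "1". Returns None for lines that are not LOG output."""
    m = _KLOG.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {"prefix": m.group("prefix").strip()}
    for tok in line[m.end():].split():
        key, eq, val = tok.partition("=")
        fields[key] = val if eq else "1"
    return fields


def summarize(log_text: str, prefix: str) -> Counter:
    """Count (SRC, PROTO, DPT) triples for lines carrying the given prefix
    (compare without the trailing space given on the command line)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is not None and f["prefix"] == prefix:
            counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def prefixes_logging_tcp_sequence(log_text: str) -> List[str]:
    """Prefixes whose rule used --log-tcp-sequence (a SEQ= field is present);
    the manual notes this is a risk if the log is readable by users."""
    found = set()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is not None and "SEQ" in f:
            found.add(f["prefix"])
    return sorted(found)
```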
__MARK__

This is used to set the netfilter mark value associated with the packet. It is only valid in the __mangle__ table. It can for example be used in conjunction with iproute2.

__--set-mark__ ''mark''

__REJECT__

This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to __DROP__, so it is a terminating TARGET, ending rule traversal. This target is only valid in the __INPUT__, __FORWARD__ and __OUTPUT__ chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:

__--reject-with__ ''type''

The type given can be __icmp-net-unreachable__, __icmp-host-unreachable__, __icmp-port-unreachable__, __icmp-proto-unreachable__, __icmp-net-prohibited__ or __icmp-host-prohibited__, which return the appropriate ICMP error message (__port-unreachable__ is the default). The option __tcp-reset__ can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ''ident'' (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).

__TOS__

This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the __mangle__ table.

__--set-tos__ ''tos''

You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

__MIRROR__

This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the __INPUT__, __FORWARD__ and __PREROUTING__ chains, and user-defined chains which are only called from those chains. Note that the outgoing packets are __NOT__ seen by any packet filtering chains, connection tracking or NAT, to avoid loops and other problems.

__SNAT__

This target is only valid in the __nat__ table, in the __POSTROUTING__ chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

__--to-source__ ''ipaddr''[[-''ipaddr''][[:''port''-''port'']

which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies __-p tcp__ or __-p udp__). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.
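The source-port selection just described, carried through in code; this also covers the ''--to-ports'' override that __MASQUERADE__ documents below. It is an added example and not the kernel's NAT code: it keeps the original port where it is free, otherwise picks from the class the manual names (below 512, below 1024, or 1024 and above), or from an explicit ''port-port'' range when one was given. Choosing the lowest free candidate is this example's own assumption (the manual does not say which free port the kernel picks), and handing out each public port once regardless of destination is a simplification; the `SnatTable` name and the addresses are constructed.

```python
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)
Endpoint = Tuple[str, int]              # (address, port)


def candidate_ports(orig_port: int,
                    port_range: Optional[Tuple[int, int]] = None) -> range:
    """Ports a replacement may be drawn from, per the manual's three classes,
    unless --to-source carried an explicit :port-port range."""
    if port_range is not None:
        lo, hi = port_range
        return range(lo, hi + 1)
    if orig_port < 512:
        return range(1, 512)            # "mapped to other ports below 512"
    if orig_port <= 1023:
        return range(1, 1024)           # "mapped to ports below 1024"
    return range(1024, 65536)           # "mapped to 1024 or above"


def choose_source_port(orig_port: int, in_use: Set[int],
                       port_range: Optional[Tuple[int, int]] = None) -> int:
    cands = candidate_ports(orig_port, port_range)
    if orig_port in cands and orig_port not in in_use:
        return orig_port                # "Where possible, no port alteration will occur."
    for port in cands:                  # assumption: lowest free candidate wins
        if port not in in_use:
            return port
    raise RuntimeError("no free source port in %r" % (cands,))


class SnatTable:
    """Per-connection source rewrite to one public address (constructed model).
    Simplification: each public port is handed out once, whatever the destination."""

    def __init__(self, new_src: str,
                 port_range: Optional[Tuple[int, int]] = None) -> None:
        self.new_src = new_src
        self.port_range = port_range
        self.in_use: Set[int] = set()
        self.mappings: Dict[Flow, Endpoint] = {}

    def translate(self, flow: Flow) -> Endpoint:
        """Rewritten (src, sport) for this flow; later packets of the same
        connection reuse the mapping made for its first packet."""
        if flow not in self.mappings:
            port = choose_source_port(flow[2], self.in_use, self.port_range)
            self.in_use.add(port)
            self.mappings[flow] = (self.new_src, port)
        return self.mappings[flow]
```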
__DNAT__

This target is only valid in the __nat__ table, in the __PREROUTING__ and __OUTPUT__ chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

__--to-destination__ ''ipaddr''[[-''ipaddr''][[:''port''-''port'']

which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies __-p tcp__ or __-p udp__). If no port range is specified, then the destination port will never be modified.

__MASQUERADE__

This target is only valid in the __nat__ table, in the __POSTROUTING__ chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are ''forgotten'' when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

__--to-ports__ ''port''[[-''port'']

This specifies a range of source ports to use, overriding the default __SNAT__ source port-selection heuristics (see above). This is only valid if the rule also specifies __-p tcp__ or __-p udp__.

__REDIRECT__

This target is only valid in the __nat__ table, in the __PREROUTING__ and __OUTPUT__ chains, and user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:

__--to-ports__ ''port''[[-''port'']

This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies __-p tcp__ or __-p udp__.

__ULOG__

This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a ''netlink'' socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets.

__--ulog-nlgroup__ ''nlgroup''

This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.

__--ulog-prefix__ ''prefix''

Prefix log messages with the specified prefix; up to 32 characters long, and useful for distinguishing messages in the logs.

__--ulog-cprange__ ''size''

Number of bytes to be copied to userspace. A value of 0 always copies the entire packet, regardless of its size. Default is 0.

__--ulog-qthreshold__ ''size''

Number of packets to queue inside the kernel. Setting this value to, e.g., 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility).

__TCPMSS__

This target allows the MSS value of TCP SYN packets to be altered, to control the maximum segment size for that connection (usually limiting it to your outgoing interface's MTU minus 40). Of course, it can only be used in conjunction with __-p tcp__.

This target is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets:

1) Web browsers connect, then hang with no data received.

2) Small mail works fine, but large emails hang.

3) ssh works fine, but scp hangs after initial handshaking.

Workaround: activate this option and add a rule to your firewall configuration like:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu

__--set-mss__ ''value''

Explicitly set the MSS option to the specified value.

__--clamp-mss-to-pmtu__

Automatically clamp the MSS value to (path_MTU - 40).

These options are mutually exclusive.
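What the two __TCPMSS__ options do to the bytes of a SYN, as an added example that is not the kernel's TCPMSS module or anything from the man page: it walks the TCP option list of a constructed SYN, then either writes the ''--set-mss'' value or clamps the MSS to ''path_MTU - 40'' (''--clamp-mss-to-pmtu''), refusing both at once as the manual requires. The path MTU is passed in by the caller here (the kernel would take it from the route), the checksum is not recomputed, and the function names are this example's own.

```python
import struct
from typing import List, Optional, Tuple

MSS_KIND = 2
HEADER_OVERHEAD = 40   # the manual's "minus 40": 20-byte IPv4 header + 20-byte TCP header


def parse_tcp_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Return (kind, data) pairs. EOL (0) ends the list, NOP (1) has no length
    byte; every other option is kind, length, data[length-2]."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def current_mss(opts: bytes) -> Optional[int]:
    """MSS announced in the option list, or None if the option is absent."""
    for kind, data in parse_tcp_options(opts):
        if kind == MSS_KIND and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def rewrite_mss(opts: bytes, syn: bool, set_mss: Optional[int] = None,
                pmtu: Optional[int] = None) -> bytes:
    """Apply --set-mss VALUE or --clamp-mss-to-pmtu (pmtu - 40) to the MSS
    option of a SYN; non-SYN segments pass through untouched. Option layout
    and total length are preserved, so the TCP header length stays valid
    (the TCP checksum would still have to be recomputed by the caller)."""
    if (set_mss is None) == (pmtu is None):
        raise ValueError("--set-mss and --clamp-mss-to-pmtu are mutually exclusive")
    if not syn:
        return opts
    rebuilt = bytearray()
    for kind, data in parse_tcp_options(opts):
        if kind == MSS_KIND and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
            new = set_mss if set_mss is not None else min(mss, pmtu - HEADER_OVERHEAD)
            data = struct.pack("!H", new)
        rebuilt.append(kind)
        if kind != 1:
            rebuilt.append(len(data) + 2)
        rebuilt += data
    rebuilt += b"\x00" * (len(opts) - len(rebuilt))   # restore EOL padding
    return bytes(rebuilt)
```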

!!EXTRA EXTENSIONS

The following extensions are not included by default in the standard distribution.

__TTL__

This target is used to modify the time to live field in the IP header. It is only valid in the __mangle__ table.

__--ttl-set__ ''ttl''

Set the TTL to the given value.

__--ttl-dec__ ''ttl''

Decrement the TTL by the given value.

__--ttl-inc__ ''ttl''

Increment the TTL by the given value.

!!DIAGNOSTICS

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

!!BUGS

Check is not implemented (yet).

!!COMPATIBILITY WITH IPCHAINS

This __iptables__ is very similar to ipchains by Rusty Russell. The main difference is that the chains __INPUT__ and __OUTPUT__ are only traversed for packets coming into the local host and originating from the local host respectively. Hence every packet only passes through one of the three chains; previously a forwarded packet would pass through all three.

The other main difference is that __-i__ refers to the input interface; __-o__ refers to the output interface, and both are available for packets entering the __FORWARD__ chain.

__iptables__ is a pure packet filter when using the default `filter' table, with optional extension modules. This should simplify much of the confusion previously seen over the combination of IP masquerading and packet filtering. So the following options are handled differently:

-j MASQ

-M -S

-M -L

There are several other changes in iptables.

!!SEE ALSO

The packet-filtering-HOWTO, which details more iptables usage for packet filtering, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals.

See __http://www.netfilter.org/__.

!!AUTHORS

Rusty Russell wrote iptables, in early consultation with Michael Neuling.

Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere.

James Morris wrote the TOS target, and tos match.

Jozsef Kadlecsik wrote the REJECT target.

Harald Welte wrote the ULOG target, TTL match+target and libipulog.

The Netfilter Core Team is: Marc Boucher, Jozsef Kadlecsik, James Morris, Harald Welte and Rusty Russell.

Man page written by Herve Eychenne <rv@wallfire.org>.

----