Annotated edit history of iptables(8) version 2, including all changes.

!!!IPTABLES
NAME
SYNOPSIS
DESCRIPTION
TARGETS
TABLES
OPTIONS
MATCH EXTENSIONS
TARGET EXTENSIONS
EXTRA EXTENSIONS
DIAGNOSTICS
BUGS
COMPATIBILITY WITH IPCHAINS
SEE ALSO
AUTHORS

----

!!NAME

iptables - IP packet filter administration

!!SYNOPSIS

__iptables -[[ADC]__ chain rule-specification [[options]
__iptables -I__ chain [[rulenum] rule-specification [[options]
__iptables -R__ chain rulenum rule-specification [[options]
__iptables -D__ chain rulenum [[options]
__iptables -[[LFZ]__ [[chain] [[options]
__iptables -N__ chain
__iptables -X__ [[chain]
__iptables -P__ chain target [[options]
__iptables -E__ old-chain-name new-chain-name

!!DESCRIPTION

__Iptables__ is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

!!TARGETS

A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ''ACCEPT'', ''DROP'', ''QUEUE'', or ''RETURN''.

''ACCEPT'' means to let the packet through. ''DROP'' means to drop the packet on the floor. ''QUEUE'' means to pass the packet to userspace (if supported by the kernel). ''RETURN'' means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target ''RETURN'' is matched, the target specified by the chain policy determines the fate of the packet.
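The traversal rules above, as a small Python model added here (not code from the iptables project): built-in chains carry a policy, ACCEPT/DROP/QUEUE end traversal at once, RETURN resumes in the calling chain, and a rule with no target only bumps its counters (as the -j description below states). Treating the end of a user-defined chain like RETURN is the model's assumption, not stated on this page; the chain names and packet dicts are constructed.

```python
"""Model of iptables chain traversal as the TARGETS section describes it.
Rules carry a match predicate and an optional target; verdicts come from
ACCEPT/DROP/QUEUE, from RETURN, or from the policy of a built-in chain."""
from dataclasses import dataclass, field
from typing import Callable, Optional

ACCEPT, DROP, QUEUE, RETURN = "ACCEPT", "DROP", "QUEUE", "RETURN"
SPECIAL = {ACCEPT, DROP, QUEUE, RETURN}


@dataclass
class Rule:
    match: Callable[[dict], bool]   # criteria over a constructed packet dict
    target: Optional[str] = None    # None models a rule whose -j is omitted
    packets: int = 0                # per-rule counters, as iptables keeps them
    bytes: int = 0


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None    # only built-in chains carry a policy
    rules: list = field(default_factory=list)


class Table:
    def __init__(self) -> None:
        self.chains: dict = {}

    def new_chain(self, name: str, policy: Optional[str] = None) -> None:
        # -N refuses a name that already exists as a target
        if name in self.chains or name in SPECIAL:
            raise ValueError(f"target {name!r} already exists")
        self.chains[name] = Chain(name, policy)

    def append(self, chain: str, match: Callable[[dict], bool],
               target: Optional[str] = None) -> None:
        # -j must name a special target or another user chain of this table
        if target is not None and target not in SPECIAL:
            if target not in self.chains or target == chain:
                raise ValueError(f"bad target {target!r} for chain {chain!r}")
        self.chains[chain].rules.append(Rule(match, target))

    def traverse(self, name: str, pkt: dict) -> str:
        """Walk one chain. Returns ACCEPT/DROP/QUEUE, or RETURN when a
        user-defined chain ends or hits a RETURN rule."""
        chain = self.chains[name]
        for rule in chain.rules:
            if not rule.match(pkt):
                continue                    # no match: examine the next rule
            rule.packets += 1
            rule.bytes += pkt.get("len", 0)
            if rule.target is None:
                continue                    # -j omitted: counters only
            if rule.target == RETURN:
                # RETURN in a built-in chain hands the packet to the policy
                return chain.policy if chain.policy else RETURN
            if rule.target in SPECIAL:
                return rule.target          # ACCEPT/DROP/QUEUE decide at once
            verdict = self.traverse(rule.target, pkt)
            if verdict != RETURN:
                return verdict
            # the user chain returned: resume at the next rule of this chain
        # end of chain: policy for a built-in, implicit RETURN (assumed) otherwise
        return chain.policy if chain.policy else RETURN


def verdict(table: Table, builtin_chain: str, pkt: dict) -> str:
    """Fate of a packet entering a built-in chain of the table."""
    if table.chains[builtin_chain].policy is None:
        raise ValueError("packets enter the table through a built-in chain")
    return table.traverse(builtin_chain, pkt)


def build_demo_table() -> Table:
    """Constructed example: INPUT (policy DROP) hands TCP to a user chain."""
    t = Table()
    t.new_chain("INPUT", policy=DROP)
    t.new_chain("tcp_in")                       # user-defined, so no policy
    t.append("INPUT", lambda p: True)           # -j omitted: just counts
    t.append("INPUT", lambda p: p["proto"] == "icmp", ACCEPT)
    t.append("INPUT", lambda p: p["proto"] == "tcp", "tcp_in")
    t.append("tcp_in", lambda p: p.get("dport") == 22, ACCEPT)
    t.append("tcp_in", lambda p: p.get("dport") == 80, RETURN)
    t.append("tcp_in", lambda p: p.get("dport") == 25, DROP)
    # reached only after tcp_in returns (explicitly, or by falling off its end)
    t.append("INPUT", lambda p: p.get("dport") == 80, ACCEPT)
    return t


if __name__ == "__main__":
    t = build_demo_table()
    for pkt in ({"proto": "icmp"}, {"proto": "tcp", "dport": 80},
                {"proto": "tcp", "dport": 25}, {"proto": "udp", "dport": 53}):
        print(pkt, "->", verdict(t, "INPUT", pkt))
```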

!!TABLES

There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

__-t, --table__ ''table''

This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

The tables are as follows:

__filter__

This is the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

__nat__

This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

__mangle__

This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

!!OPTIONS

The options that are recognized by __iptables__ can be divided into several different groups.

__COMMANDS__

These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that __iptables__ can differentiate it from all other options.

__-A, --append__ ''chain rule-specification''

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

__-D, --delete__ ''chain rule-specification''

__-D, --delete__ ''chain rulenum''

Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

__-I, --insert__ ''chain'' [[''rulenum''] ''rule-specification''

Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

__-R, --replace__ ''chain rulenum rule-specification''

Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

__-L, --list__ [[''chain'']

List all rules in the selected chain. If no chain is selected, all chains are listed. As with every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L
Please note that it is often used with the __-n__ option, in order to avoid long reverse DNS lookups. It is legal to specify the __-Z__ (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.

__-F, --flush__ [[''chain'']

Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

__-Z, --zero__ [[''chain'']

Zero the packet and byte counters in all chains. It is legal to specify the __-L, --list__ (list) option as well, to see the counters immediately before they are cleared. (See above.)

__-N, --new-chain__ ''chain''

Create a new user-defined chain by the given name. There must be no target of that name already.

__-X, --delete-chain__ [[''chain'']

Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-builtin chain in the table.

__-P, --policy__ ''chain target''

Set the policy for the chain to the given target. See the section __TARGETS__ for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

__-E, --rename-chain__ ''old-chain new-chain''

Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.

__-h__

Help. Give a (currently very brief) description of the command syntax.

__PARAMETERS__

The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

__-p, --protocol__ [[!] ''protocol''

The protocol of the rule or of the packet to check. The specified protocol can be one of ''tcp'', ''udp'', ''icmp'', or ''all'', or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to ''all''. Protocol ''all'' will match with all protocols and is taken as default when this option is omitted.

__-s, --source__ [[!] ''address''[[/''mask'']

Source specification. ''Address'' can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The ''mask'' can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of ''24'' is equivalent to ''255.255.255.0''. A "!" argument before the address specification inverts the sense of the address. The flag __--src__ is an alias for this option.
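As an added example (not the man page's or iptables' own code), this Python helper applies the address/mask forms described for -s and -d to a literal packet address: the prefix-length and dotted-netmask spellings are treated as equivalent, "!" inverts the result, and names are refused rather than resolved. The specs and addresses in it are constructed.

```python
"""Evaluate an iptables -s/-d address specification against a packet address."""
import ipaddress


def parse_address_spec(spec: str):
    """Parse "[!]address[/mask]" where mask is a prefix length ("24") or a
    dotted netmask ("255.255.255.0"). Returns (inverted, network).
    Only literal IP addresses are accepted: the man page warns against
    names that need a remote lookup, so this helper refuses them outright."""
    inverted = spec.startswith("!")
    if inverted:
        spec = spec[1:].strip()
    addr, _, mask = spec.partition("/")
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        raise ValueError(f"{addr!r} is not a literal IP address; names are not resolved")
    if not mask:
        mask = "32"  # a plain IPv4 address is the /32 network of itself
    # ip_network accepts both "/24" and "/255.255.255.0"; strict=False lets
    # host bits in e.g. 10.1.2.3/24 be masked off instead of rejected.
    network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return inverted, network


def address_matches(spec: str, packet_addr: str) -> bool:
    """True if the packet address satisfies the (possibly inverted) spec."""
    inverted, network = parse_address_spec(spec)
    hit = ipaddress.ip_address(packet_addr) in network
    return hit != inverted


def masks_equivalent(spec_a: str, spec_b: str) -> bool:
    """Do two specs denote the same network (e.g. /24 vs /255.255.255.0)?"""
    return parse_address_spec(spec_a) == parse_address_spec(spec_b)


if __name__ == "__main__":
    # constructed rule arguments and packet addresses
    print(address_matches("192.168.1.0/24", "192.168.1.77"))           # True
    print(address_matches("! 10.0.0.0/8", "10.9.8.7"))                # False
    print(masks_equivalent("10.0.0.0/24", "10.0.0.0/255.255.255.0"))  # True
```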

__-d, --destination__ [[!] ''address''[[/''mask'']

Destination specification. See the description of the __-s__ (source) flag for a detailed description of the syntax. The flag __--dst__ is an alias for this option.

__-j, --jump__ ''target''

This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see __EXTENSIONS__ below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

__-i, --in-interface__ [[!] ''name''

Name of an interface via which a packet is going to be received (only for packets entering the __INPUT__, __FORWARD__ and __PREROUTING__ chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.

__-o, --out-interface__ [[!] ''name''

Name of an interface via which a packet is going to be sent (for packets entering the __FORWARD__, __OUTPUT__ and __POSTROUTING__ chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.

__[[!] -f, --fragment__

This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the rule will only match head fragments, or unfragmented packets.

__-c, --set-counters__ ''PKTS BYTES''

This enables the administrator to initialize the packet and byte counters of a rule (during __INSERT__, __APPEND__ and __REPLACE__ operations).

__OTHER OPTIONS__

The following additional options can be specified:

__-v, --verbose__

Verbose output. This option makes the list command show the interface address, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the __-x__ flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

__-n, --numeric__

Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).

__-x, --exact__

Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the __-L__ command.

__--line-numbers__

When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

__--modprobe=command__

When adding or inserting rules into a chain, use __command__ to load any necessary modules (targets, match extensions, etc).

!!MATCH EXTENSIONS

iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when __-p__ or __--protocol__ is specified, or with the __-m__ or __--match__ options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the __-h__ or __--help__ options after the module has been specified to receive help specific to that module.

The following are included in the base package, and most of these can be preceded by a __!__ to invert the sense of the match.

__tcp__

These extensions are loaded if `--protocol tcp' is specified. It provides the following options:

__--source-port__ [[!] ''port''[[:''port'']

Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format ''port'':''port''. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first, they will be swapped. The flag __--sport__ is a convenient alias for this option.

__--destination-port__ [[!] ''port''[[:''port'']

Destination port or port range specification. The flag __--dport__ is a convenient alias for this option.

__--tcp-flags__ [[!] ''mask comp''

Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: __SYN ACK FIN RST URG PSH ALL NONE__. Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

__[[!] --syn__

Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to __--tcp-flags SYN,RST,ACK SYN__. If the "!" flag precedes the "--syn", the sense of the option is inverted.
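An added Python model (not iptables code) of how --tcp-flags mask comp and --syn are evaluated: the packet's flags are masked by the first list and compared for equality with the second, and "!" inverts the outcome. It also compares the page's two flag rules exhaustively over all 64 flag combinations, which shows where --tcp-flags SYN,RST,ACK SYN and --tcp-flags SYN,ACK,FIN,RST SYN disagree (packets carrying FIN together with SYN); the flag bit values are the standard TCP header bits.

```python
"""Model of the tcp match extension's --tcp-flags mask comp and [!] --syn."""
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_BITS = 0x3F   # every flag the man page's list names


def parse_flags(spec: str) -> int:
    """Comma-separated flag list -> bitmask; ALL and NONE are the page's keywords."""
    bits = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name == "ALL":
            bits |= ALL_BITS
        elif name == "NONE":
            pass
        elif name in FLAGS:
            bits |= FLAGS[name]
        else:
            raise ValueError(f"unknown TCP flag {name!r}")
    return bits


def flags_to_str(bits: int) -> str:
    """Bitmask -> comma-separated flag names, for readable output."""
    return ",".join(n for n, b in FLAGS.items() if bits & b) or "NONE"


def tcp_flags_match(pkt_flags: int, mask: str, comp: str, invert: bool = False) -> bool:
    """--tcp-flags [!] mask comp: among the flags named in mask, exactly those
    named in comp must be set; flags outside mask are not examined at all."""
    examined, must_be_set = parse_flags(mask), parse_flags(comp)
    matched = (pkt_flags & examined) == must_be_set
    return matched != invert


def syn_match(pkt_flags: int, invert: bool = False) -> bool:
    """[!] --syn, expanded to the equivalent the page gives: --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK", "SYN", invert)


def differing_flag_sets(mask_a: str, comp_a: str, mask_b: str, comp_b: str) -> set:
    """Packet flag combinations on which two --tcp-flags rules disagree,
    checked exhaustively over all 64 settings of the six flags."""
    return {f for f in range(ALL_BITS + 1)
            if tcp_flags_match(f, mask_a, comp_a) != tcp_flags_match(f, mask_b, comp_b)}


if __name__ == "__main__":
    syn_only = FLAGS["SYN"]
    syn_ack = FLAGS["SYN"] | FLAGS["ACK"]
    # the page's example rule: --tcp-flags SYN,ACK,FIN,RST SYN
    print(tcp_flags_match(syn_only, "SYN,ACK,FIN,RST", "SYN"))   # True
    print(tcp_flags_match(syn_ack, "SYN,ACK,FIN,RST", "SYN"))    # False
    # where that rule and the --syn expansion disagree
    for f in sorted(differing_flag_sets("SYN,ACK,FIN,RST", "SYN", "SYN,RST,ACK", "SYN")):
        print("differs on", flags_to_str(f))
```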

__--tcp-option__ [[!] ''number''

Match if the given TCP option is set.

__--mss__ ''value''[[:''value'']

Match TCP SYN or SYN/ACK packets with the specified MSS value (or range), which controls the maximum packet size for that connection.

__udp__

These extensions are loaded if `--protocol udp' is specified. It provides the following options:

__--source-port__ [[!] ''port''[[:''port'']

Source port or port range specification. See the description of the __--source-port__ option of the TCP extension for details.

__--destination-port__ [[!] ''port''[[:''port'']

Destination port or port range specification. See the description of the __--destination-port__ option of the TCP extension for details.

__icmp__

This extension is loaded if `--protocol icmp' is specified. It provides the following option:

__--icmp-type__ [[!] ''typename''

This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names shown by the command
iptables -p icmp -h

__mac__

__--mac-source__ [[!] ''address''

Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the __PREROUTING__, __FORWARD__ or __INPUT__ chains.

__limit__

This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the `!' flag is used). It can be used in combination with the __LOG__ target to give limited logging, for example.

__--limit__ ''rate''

Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

__--limit-burst__ ''number''

Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
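The limit match as a token bucket, added here as a Python model rather than the kernel's implementation: the bucket starts with --limit-burst tokens, earns one token per 1/rate seconds up to the burst, and a packet matches only if it can take one, which is what bounds a LOG rule placed behind it. Arrival times are constructed; treating a suffix-less rate as per second is an assumption, since the page only says the suffix is optional.

```python
"""Token-bucket model of the limit match: --limit rate and --limit-burst number."""
PERIOD_SECONDS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec: str) -> tuple:
    """'3/hour' -> (3.0, 3600.0): matches per period, period in seconds.
    A bare number is taken as per second (assumption, see lead-in)."""
    count, _, unit = spec.partition("/")
    n = float(count)
    if n <= 0:
        raise ValueError("rate must be positive")
    unit = unit or "second"
    if unit not in PERIOD_SECONDS:
        raise ValueError(f"unknown rate suffix {unit!r}")
    return n, PERIOD_SECONDS[unit]


class LimitMatch:
    """One rule's bucket: full at `burst` tokens to begin with, refilled at
    `rate` up to `burst`; a packet matches only if it can take a token."""

    def __init__(self, rate: str = "3/hour", burst: int = 5) -> None:
        self.count, self.period = parse_rate(rate)
        self.burst = burst
        self.tokens = float(burst)
        self.last_seen = None

    def matches(self, now: float) -> bool:
        if self.last_seen is not None:
            # tokens earned since the previous packet; multiply before dividing
            # so whole periods (e.g. 1200 s at 3/hour) yield exact integers
            elapsed = max(0.0, now - self.last_seen)
            earned = elapsed * self.count / self.period
            self.tokens = min(float(self.burst), self.tokens + earned)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate: str, burst: int, arrivals: list) -> list:
    """Apply one limit rule to packets arriving at the given times (seconds)."""
    bucket = LimitMatch(rate, burst)
    return [bucket.matches(t) for t in arrivals]


if __name__ == "__main__":
    # constructed burst of 8 packets at t=0, then one 20 minutes later, against
    # the defaults (3/hour, burst 5): five match, three do not, and after 1200 s
    # one token has been earned again
    print(simulate("3/hour", 5, [0.0] * 8 + [1200.0]))
    # a LOG rule behind "-m limit --limit 1/second --limit-burst 5" lets a
    # flood produce five log lines at once, then one line per second
    print(simulate("1/second", 5, [0.0] * 7 + [3.0] * 4))
```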

__multiport__

This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with __-p tcp__ or __-p udp__.

__--source-ports__ ''port''[[,''port''[[,''port''...]]

Match if the source port is one of the given ports. The flag __--sports__ is a convenient alias for this option.

__--destination-ports__ ''port''[[,''port''[[,''port''...]]

Match if the destination port is one of the given ports. The flag __--dports__ is a convenient alias for this option.

__--ports__ ''port''[[,''port''[[,''port''...]]

Match if both the source and destination ports are equal to each other and to one of the given ports.

__mark__

This module matches the netfilter mark field associated with a packet (which can be set using the __MARK__ target below).

__--mark__ ''value''[[/''mask'']

Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison).

__owner__

This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the __OUTPUT__ chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.

__--uid-owner__ ''userid''

Matches if the packet was created by a process with the given effective user id.

__--gid-owner__ ''groupid''

Matches if the packet was created by a process with the given effective group id.

__--pid-owner__ ''processid''

Matches if the packet was created by a process with the given process id.

__--sid-owner__ ''sessionid''

Matches if the packet was created by a process in the given session group.

__--cmd-owner__ ''name''

Matches if the packet was created by a process with the given command name. (This option is present only if iptables was compiled under a kernel supporting this feature.)

__state__

This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

__--state__ ''state''

Where state is a comma separated list of the connection states to match. Possible states are __INVALID__ meaning that the packet is associated with no known connection, __ESTABLISHED__ meaning that the packet is associated with a connection which has seen packets in both directions, __NEW__ meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and __RELATED__ meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

1150
1151
1152
1153
1 WikiAdmin 1154 __tos__
2 WikiAdmin 1155
1156
1157
1158
1159
1 WikiAdmin 1160 This module matches the 8 bits of Type of Service field in
1161 the IP header (ie. including the precedence
1162 bits).
2 WikiAdmin 1163
1164
1165
1166
1167
1 WikiAdmin 1168 __--tos__ ''tos''
2 WikiAdmin 1169
1170
1171
1172
1173
1 WikiAdmin 1174 The argument is either a standard name, (use
1175 iptables -m tos -h
1176 to see the list), or a numeric value to match.
2 WikiAdmin 1177
1178
1179
1180
1181
1 WikiAdmin 1182 __ah__
2 WikiAdmin 1183
1184
1185
1186
1187
1 WikiAdmin 1188 This module matches the SPIs in AH header of IPSec
1189 packets.
2 WikiAdmin 1190
1191
1192
1193
1194
1 WikiAdmin 1195 __--ahspi__ [[!] ''spi''[[:''spi'']
2 WikiAdmin 1196
1197
1198
1199
1200
1 WikiAdmin 1201 __esp__
2 WikiAdmin 1202
1203
1204
1205
1206
1 WikiAdmin 1207 This module matches the SPIs in ESP header of IPSec
1208 packets.
2 WikiAdmin 1209
1210
1211
1212
1213
1 WikiAdmin 1214 __--espspi__ [[!] ''spi''[[:''spi'']
2 WikiAdmin 1215
1216
1217
1218
1219
1 WikiAdmin 1220 __length__
2 WikiAdmin 1221
1222
1223
1224
1225
1 WikiAdmin 1226 This module matches the length of a packet against a
1227 specific value or range of values.
2 WikiAdmin 1228
1229
1230
1231
1232
1 WikiAdmin 1233 __--length__ ''length''[[:''length'']
2 WikiAdmin 1234
1235
1236
1237
1238
1 WikiAdmin 1239 __ttl__
2 WikiAdmin 1240
1241
1242
1243
1244
1 WikiAdmin 1245 This module matches the time to live field in the IP
1246 header.
2 WikiAdmin 1247
1248
1249
1250
1251
1 WikiAdmin 1252 __--ttl__ ''ttl''
2 WikiAdmin 1253
1254
1255
1256
1257
1 WikiAdmin 1258 Matches the given TTL value.
2 WikiAdmin 1259
1260
1261
1262
1263
1 WikiAdmin 1264 __owner__
2 WikiAdmin 1265
1266
1267
1268
1269
1 WikiAdmin 1270 This module attempts to match various characteristics of the
1271 packet creator, for locally-generated packets. It is only
1272 valid in the __OUTPUT__ chain, and even this some packets
1273 (such as ICMP ping responses) may have no owner, and hence
1274 never match. This is regarded as experimental.
2 WikiAdmin 1275
1276
1277
1278
1279
1 WikiAdmin 1280 __--uid-owner__ ''userid''
2 WikiAdmin 1281
1282
1283
1284
1285
1 WikiAdmin 1286 Matches if the packet was created by a process with the
1287 given effective user id.
2 WikiAdmin 1288
1289
1290
1291
1292
1 WikiAdmin 1293 __--gid-owner__ ''groupid''
2 WikiAdmin 1294
1295
1296
1297
1298
1 WikiAdmin 1299 Matches if the packet was created by a process with the
1300 given effective group id.
2 WikiAdmin 1301
1302
1303
1304
1305
1 WikiAdmin 1306 __--pid-owner__ ''processid''
2 WikiAdmin 1307
1308
1309
1310
1311
1 WikiAdmin 1312 Matches if the packet was created by a process with the
1313 given process id.
2 WikiAdmin 1314
1315
1316
1317
1318
1 WikiAdmin 1319 __--sid-owner__ ''sessionid''
2 WikiAdmin 1320
1321
1322
1323
1324
1 WikiAdmin 1325 Matches if the packet was created by a process in the given
1326 session group.
2 WikiAdmin 1327
1328
1329
1330
1331
1 WikiAdmin 1332 __unclean__
2 WikiAdmin 1333
1334
1335
1336
1337
1 WikiAdmin 1338 This module takes no options, but attempts to match packets
1339 which seem malformed or unusual. This is regarded as
1340 experimental.
2 WikiAdmin 1341
1 WikiAdmin 1342
1343 !!TARGET EXTENSIONS
2 WikiAdmin 1344
1345
1346
1347
1348
1 WikiAdmin 1349 iptables can use extended target modules: the following are
1350 included in the standard distribution.
2 WikiAdmin 1351
1352
1353
1354
1355
1 WikiAdmin 1356 __LOG__
2 WikiAdmin 1357
1358
1359
1360
1361
1 WikiAdmin 1362 Turn on kernel logging of matching packets. When this option
1363 is set for a rule, the Linux kernel will print some
1364 information on all matching packets (like most IP header
1365 fields) via the kernel log (where it can be read with
1366 ''dmesg'' or ''syslogd''(8)). This is a
1367 "non-terminating target", i.e. rule traversal
1368 continues at the next rule. So if you want to LOG the
1369 packets you refuse, use two separate rules with the same
1370 matching criterias, first using target LOG then DROP (or
1371 REJECT).
2 WikiAdmin 1372
1373
1374
1375
1376
1 WikiAdmin 1377 __--log-level__ ''level''
2 WikiAdmin 1378
1379
1380
1381
1382
1 WikiAdmin 1383 Level of logging (numeric or see
1384 ''syslog.conf''(5)).
2 WikiAdmin 1385
1386
1387
1388
1389
1 WikiAdmin 1390 __--log-prefix__ ''prefix''
2 WikiAdmin 1391
1392
1393
1394
1395
1 WikiAdmin 1396 Prefix log messages with the specified prefix; up to 29
1397 letters long, and useful for distinguishing messages in the
1398 logs.
2 WikiAdmin 1399
1400
1401
1402
1403
1 WikiAdmin 1404 __--log-tcp-sequence__
2 WikiAdmin 1405
1406
1407
1408
1409
1 WikiAdmin 1410 Log TCP sequence numbers. This is a security risk if the log
1411 is readable by users.
2 WikiAdmin 1412
1413
1414
1415
1416
1 WikiAdmin 1417 __--log-tcp-options__
2 WikiAdmin 1418
1419
1420
1421
1422
1 WikiAdmin 1423 Log options from the TCP packet header.
2 WikiAdmin 1424
1425
1426
1427
1428
1 WikiAdmin 1429 __--log-ip-options__
2 WikiAdmin 1430
1431
1432
1433
1434
1 WikiAdmin 1435 Log options from the IP packet header.

__MARK__

This is used to set the netfilter mark value associated with
the packet. It is only valid in the __mangle__ table. It
can for example be used in conjunction with
iproute2.

__--set-mark__ ''mark''

__REJECT__

This is used to send back an error packet in response to the
matched packet: otherwise it is equivalent to __DROP__ so
it is a terminating TARGET, ending rule traversal. This
target is only valid in the __INPUT__, __FORWARD__ and
__OUTPUT__ chains, and user-defined chains which are only
called from those chains. The following option controls the
nature of the error packet returned:

__--reject-with__ ''type''

The type given can be __icmp-net-unreachable__,
__icmp-host-unreachable__, __icmp-port-unreachable__,
__icmp-proto-unreachable__, __icmp-net-prohibited__ or
__icmp-host-prohibited__, which return the appropriate ICMP
error message (__port-unreachable__ is the default). The
option __tcp-reset__ can be used on rules which only
match the TCP protocol: this causes a TCP RST packet to be
sent back. This is mainly useful for blocking ''ident''
(113/tcp) probes which frequently occur when sending mail to
broken mail hosts (which won't accept your mail
otherwise).

__TOS__

This is used to set the 8-bit Type of Service field in the
IP header. It is only valid in the __mangle__
table.

__--set-tos__ ''tos''

You can use a numeric TOS value, or use
iptables -j TOS -h
to see the list of valid TOS names.

__MIRROR__

This is an experimental demonstration target which inverts
the source and destination fields in the IP header and
retransmits the packet. It is only valid in the
__INPUT__, __FORWARD__ and __PREROUTING__ chains,
and user-defined chains which are only called from those
chains. Note that the outgoing packets are __NOT__ seen
by any packet filtering chains, connection tracking or NAT,
to avoid loops and other problems.

__SNAT__

This target is only valid in the __nat__ table, in the
__POSTROUTING__ chain. It specifies that the source
address of the packet should be modified (and all future
packets in this connection will also be mangled), and rules
should cease being examined. It takes one
option:

__--to-source__
''ipaddr''[[-''ipaddr''][[:''port''-''port'']

which can specify a single new source IP address, an
inclusive range of IP addresses, and optionally, a port
range (which is only valid if the rule also specifies
__-p tcp__ or __-p udp__). If no port range is specified,
then source ports below 512 will be mapped to other ports
below 512: those between 512 and 1023 inclusive will be
mapped to ports below 1024, and other ports will be mapped
to 1024 or above. Where possible, no port alteration will
occur.

__DNAT__

This target is only valid in the __nat__ table, in the
__PREROUTING__ and __OUTPUT__ chains, and user-defined
chains which are only called from those chains. It specifies
that the destination address of the packet should be
modified (and all future packets in this connection will
also be mangled), and rules should cease being examined. It
takes one option:

__--to-destination__
''ipaddr''[[-''ipaddr''][[:''port''-''port'']

which can specify a single new destination IP address, an
inclusive range of IP addresses, and optionally, a port
range (which is only valid if the rule also specifies
__-p tcp__ or __-p udp__). If no port range is specified,
then the destination port will never be
modified.

__MASQUERADE__

This target is only valid in the __nat__ table, in the
__POSTROUTING__ chain. It should only be used with
dynamically assigned IP (dialup) connections: if you have a
static IP address, you should use the SNAT target.
Masquerading is equivalent to specifying a mapping to the IP
address of the interface the packet is going out, but also
has the effect that connections are ''forgotten'' when
the interface goes down. This is the correct behavior when
the next dialup is unlikely to have the same interface
address (and hence any established connections are lost
anyway). It takes one option:

__--to-ports__ ''port''[[-''port'']

This specifies a range of source ports to use, overriding
the default __SNAT__ source port-selection heuristics
(see above). This is only valid if the rule also specifies
__-p tcp__ or __-p udp__.
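The default source-port heuristic described under __SNAT__ above, and the __--to-ports__ override, modelled as an added Python example (not code from iptables or the netfilter project); the in_use set that stands in for ports already claimed by other NAT mappings is a simplification of my own.

```python
def snat_port_range(sport, to_ports=None):
    """Return the (lo, hi) range a NATed source port may be rewritten into.

    to_ports is None (the default heuristic from the man page) or a (lo, hi)
    tuple from --to-ports / the :port-port suffix of --to-source, which
    overrides the heuristic entirely.
    """
    if to_ports is not None:
        lo, hi = to_ports
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("port range must satisfy 1 <= lo <= hi <= 65535")
        return lo, hi
    if sport < 512:      # "ports below 512 ... mapped to other ports below 512"
        return 1, 511
    if sport <= 1023:    # "between 512 and 1023 inclusive ... to ports below 1024"
        return 1, 1023
    return 1024, 65535   # "other ports will be mapped to 1024 or above"


def choose_source_port(sport, in_use, to_ports=None):
    """Pick the source port the NAT will use for a new connection.

    "Where possible, no port alteration will occur": keep sport if it lies in
    the permitted range and is free; otherwise take the lowest free port in
    that range. in_use is the set of ports already taken (a simplification;
    the kernel tracks this per destination tuple).
    """
    lo, hi = snat_port_range(sport, to_ports)
    if lo <= sport <= hi and sport not in in_use:
        return sport
    for port in range(lo, hi + 1):
        if port not in in_use:
            return port
    raise RuntimeError("no free source port in %d-%d" % (lo, hi))


def nat_table(flows, to_ports=None):
    """Map each (src, sport) of a batch of new flows to its rewritten port.

    Shows the collision case: two inside hosts using the same source port
    cannot both keep it behind one NAT address.
    """
    in_use, mapping = set(), {}
    for src, sport in flows:
        port = choose_source_port(sport, in_use, to_ports)
        in_use.add(port)
        mapping[(src, sport)] = port
    return mapping
```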

__REDIRECT__

This target is only valid in the __nat__ table, in the
__PREROUTING__ and __OUTPUT__ chains, and user-defined
chains which are only called from those chains. It alters
the destination IP address to send the packet to the machine
itself (locally-generated packets are mapped to the
127.0.0.1 address). It takes one option:

__--to-ports__ ''port''[[-''port'']

This specifies a destination port or range of ports to use:
without this, the destination port is never altered. This is
only valid if the rule also specifies __-p tcp__ or
__-p udp__.

__ULOG__

This target provides userspace logging of matching packets.
When this target is set for a rule, the Linux kernel will
multicast this packet through a ''netlink'' socket. One
or more userspace processes may then subscribe to various
multicast groups and receive the packets.

__--ulog-nlgroup__ ''nlgroup''

This specifies the netlink group (1-32) to which the packet
is sent. Default value is 1.

__--ulog-prefix__ ''prefix''

Prefix log messages with the specified prefix; up to 32
characters long, and useful for distinguishing messages in
the logs.

__--ulog-cprange__ ''size''

Number of bytes to be copied to userspace. A value of 0
always copies the entire packet, regardless of its size.
Default is 0.

__--ulog-qthreshold__ ''size''

Number of packets to queue inside the kernel. Setting this
value to, e.g., 10 accumulates ten packets inside the kernel
and transmits them as one netlink multipart message to
userspace. Default is 1 (for backwards
compatibility).

__TCPMSS__

This target allows altering the MSS value of TCP SYN
packets, to control the maximum size for that connection
(usually limiting it to your outgoing interface's MTU minus
40). Of course, it can only be used in conjunction with
__-p tcp__.

This target is used to overcome criminally braindead ISPs or
servers which block ICMP Fragmentation Needed packets. The
symptoms of this problem are that everything works fine from
your Linux firewall/router, but machines behind it can never
exchange large packets:

1) Web browsers connect, then hang with no data
received.
2) Small mail works fine, but large emails hang.
3) ssh works fine, but scp hangs after initial
handshaking.

Workaround: activate this option and add a rule to your
firewall configuration like:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu

__--set-mss__ ''value''

Explicitly set MSS option to specified value.

__--clamp-mss-to-pmtu__

Automatically clamp MSS value to (path_MTU -
40).

These options are mutually exclusive.

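An added Python model of what the TCPMSS target does to a SYN (not iptables or kernel code): it resolves the target MSS from exactly one of __--set-mss__ / __--clamp-mss-to-pmtu__, then rewrites the MSS option in a constructed TCP SYN header. The TCP checksum is not recomputed here, and the example never raises an existing MSS, which is my own conservative choice rather than something the man page states.

```python
import struct

TCP_IP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, the "40" above


def target_mss(set_mss=None, path_mtu=None):
    """Resolve the MSS to apply from exactly one of --set-mss / --clamp-mss-to-pmtu."""
    if (set_mss is None) == (path_mtu is None):
        raise ValueError("--set-mss and --clamp-mss-to-pmtu are mutually exclusive")
    return set_mss if set_mss is not None else path_mtu - TCP_IP_OVERHEAD


def build_syn(sport, dport, mss):
    """Constructed TCP SYN header with options MSS, NOP, NOP, SACK-permitted."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    doff = (20 + len(opts)) // 4  # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 65535, 0, 0) + opts


def rewrite_mss(tcp, new_mss):
    """Return tcp with its MSS option lowered to new_mss; non-SYN segments are untouched.

    The TCP checksum is NOT recomputed here; a real implementation must do so.
    """
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        raise ValueError("bad data offset")
    if not tcp[13] & 0x02:  # no SYN flag: TCPMSS only acts on SYN packets
        return bytes(tcp)
    buf, i = bytearray(tcp), 20
    while i < doff:
        kind = buf[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP padding
            i += 1
            continue
        if i + 1 >= doff or buf[i + 1] < 2 or i + buf[i + 1] > doff:
            raise ValueError("malformed TCP option at offset %d" % i)
        length = buf[i + 1]
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", buf, i + 2)[0]
            struct.pack_into("!H", buf, i + 2, min(old, new_mss))  # never raise MSS
        i += length
    return bytes(buf)
```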

!!EXTRA EXTENSIONS

The following extensions are not included by default in the
standard distribution.

__TTL__

This target is used to modify the time to live field in the
IP header. It is only valid in the __mangle__
table.

__--ttl-set__ ''ttl''

Set the TTL to the given value.

__--ttl-dec__ ''ttl''

Decrement the TTL by the given value.

__--ttl-inc__ ''ttl''

Increment the TTL by the given value.

!!DIAGNOSTICS

Various error messages are printed to standard error. The
exit code is 0 for correct functioning. Errors which appear
to be caused by invalid or abused command line parameters
cause an exit code of 2, and other errors cause an exit code
of 1.

!!BUGS

Check is not implemented (yet).

!!COMPATIBILITY WITH IPCHAINS

This __iptables__ is very similar to ipchains by Rusty
Russell. The main difference is that the chains __INPUT__
and __OUTPUT__ are only traversed for packets coming into
the local host and originating from the local host
respectively. Hence every packet only passes through one of
the three chains; previously a forwarded packet would pass
through all three.

The other main difference is that __-i__ refers to the
input interface; __-o__ refers to the output interface,
and both are available for packets entering the
__FORWARD__ chain.

__iptables__ is a pure packet filter when using the
default `filter' table, with optional extension modules.
This should simplify much of the confusion previously seen
over the combination of IP masquerading and packet
filtering. So the following options are handled
differently:

-j MASQ
-M -S
-M -L

There are several other changes in iptables.

!!SEE ALSO

The packet-filtering-HOWTO, which details more iptables
usage for packet filtering, the NAT-HOWTO, which details
NAT, and the netfilter-hacking-HOWTO which details the
internals.
See __http://www.netfilter.org/__.

!!AUTHORS

Rusty Russell wrote iptables, in early consultation with
Michael Neuling.

Marc Boucher made Rusty abandon ipnatctl by lobbying for a
generic packet selection framework in iptables, then wrote
the mangle table, the owner match, the mark stuff, and ran
around doing cool stuff everywhere.

James Morris wrote the TOS target, and tos
match.

Jozsef Kadlecsik wrote the REJECT target.

Harald Welte wrote the ULOG target, TTL match+target and
libipulog.

The Netfilter Core Team is: Marc Boucher, Jozsef Kadlecsik,
James Morris, Harald Welte and Rusty Russell.

Man page written by Herve Eychenne
<rv@wallfire.org>.
----
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.