Differences between current version and predecessor to the previous major change of iptables(8).
Newer page: version 2, last edited on Sunday, July 28, 2002 2:59:31 pm by WikiAdmin
Older page: version 1, last edited on Sunday, July 28, 2002 2:57:07 pm by WikiAdmin
@@ -1,5 +1,12 @@
+
+
+
+
IPTABLES
+
+
+
!!!IPTABLES
NAME
SYNOPSIS
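Review bot: every `+` line in this hunk is empty, so the revision is whitespace-only (four blank lines before `IPTABLES`, three more before `!!IPTABLES`), yet the revision header above records no edit summary explaining why the extra spacing is wanted; add a summary, or drop the change, so the next editor knows the spacing is intentional rather than accidental. The header `@@ -1,5 +1,12 @@` also announces 12 new-side lines while only 11 are shown, which suggests a trailing blank line was lost when the diff was rendered and is worth checking against the stored revision.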
@@ -14,14 +21,28 @@
BUGS
COMPATIBILITY WITH IPCHAINS
SEE ALSO
AUTHORS
+
----
+
+
+
!!NAME
+
+
+
+
iptables - IP packet filter administration
+
!!SYNOPSIS
+
+
+
+
+
__iptables -[[ADC]__ chain rule-specification
[[options]
__iptables -I__ chain [[rulenum] rule-specification
[[options]
@@ -32,28 +53,50 @@
__iptables -N__ chain
__iptables -X__ [[chain]
__iptables -P__ chain target [[options]
__iptables -E__ old-chain-name new-chain-name
+
!!DESCRIPTION
+
+
+
+
+
__Iptables__ is used to set up, maintain, and inspect the
tables of IP packet filter rules in the Linux kernel.
Several different tables may be defined. Each table contains
a number of built-in chains and may also contain
user-defined chains.
+
+
+
+
+
Each chain is a list of rules which can match a set of
packets. Each rule specifies what to do with a packet that
matches. This is called a `target', which may be a jump to a
user-defined chain in the same table.
+
!!TARGETS
+
+
+
+
+
A firewall rule specifies criteria for a packet, and a
target. If the packet does not match, the next rule in the
chain is the examined; if it does match, then the next rule
is specified by the value of the target, which can be the
name of a user-defined chain or one of the special values
''ACCEPT'', ''DROP'', ''QUEUE'', or
''RETURN''.
+
+
+
+
+
''ACCEPT'' means to let the packet through. ''DROP''
means to drop the packet on the floor. ''QUEUE'' means to
pass the packet to userspace (if supported by the kernel).
''RETURN'' means stop traversing this chain and resume at
@@ -61,33 +104,84 @@
a built-in chain is reached or a rule in a built-in chain
with target ''RETURN'' is matched, the target specified
by the chain policy determines the fate of the
packet.
+
!!TABLES
+
+
+
+
+
There are current three independent tables (which tables are
present at any time depends on the kernel configuration
options and which modules are present).
+
+
+
+
+
__-t, --table__ ''table''
+
+
+
+
+
This option specifies the packet matching table which the
command should operate on. If the kernel is configured with
automatic module loading, an attempt will be made to load
the appropriate module for that table if it is not already
there.
+
+
+
+
+
The tables are as follows:
+
+
+
+
+
__filter__
+
+
+
+
+
This is the default table. It contains the built-in chains
INPUT (for packets coming into the box itself), FORWARD (for
packets being routed through the box), and OUTPUT (for
locally-generated packets).
+
+
+
+
+
__nat__
+
+
+
+
+
This table is consulted when a packet that creates a new
connection is encountered. It consists of three built-ins:
PREROUTING (for altering packets as soon as they come in),
OUTPUT (for altering locally-generated packets before
routing), and POSTROUTING (for altering packets as they are
about to go out).
+
+
+
+
+
__mangle__
+
+
+
+
+
This table is used for specialized packet alteration. Until
kernel 2.4.17 it had two built-in chains: PREROUTING (for
altering incoming packets before routing) and OUTPUT (for
altering locally-generated packets before routing). Since
@@ -95,44 +189,115 @@
supported : INPUT (for packets coming into the box itself),
FORWARD (for altering packets being routed through the box),
and POSTROUTING (for altering packets as they are about to
go out).
+
!!OPTIONS
+
+
+
+
+
The options that are recognized by __iptables__ can be
divided into several different groups.
+
+
+
+
+
__COMMANDS__
+
+
+
+
+
These options specify the specific action to perform. Only
one of them can be specified on the command line unless
otherwise specified below. For all the long versions of the
command and option names, you need to use only enough
letters to ensure that __iptables__ can differentiate it
from all other options.
+
+
+
+
+
__-A, --append__ ''chain
rule-specification''
+
+
+
+
+
Append one or more rules to the end of the selected chain.
When the source and/or destination names resolve to more
than one address, a rule will be added for each possible
address combination.
+
+
+
+
+
__-D, --delete__ ''chain
rule-specification''
+
+
+
+
+
__-D, --delete__ ''chain rulenum''
+
+
+
+
+
Delete one or more rules from the selected chain. There are
two versions of this command: the rule can be specified as a
number in the chain (starting at 1 for the first rule) or a
rule to match.
+
+
+
+
+
__-I, --insert__ ''chain'' [[''rulenum'']
''rule-specification''
+
+
+
+
+
Insert one or more rules in the selected chain as the given
rule number. So, if the rule number is 1, the rule or rules
are inserted at the head of the chain. This is also the
default if no rule number is specified.
+
+
+
+
+
__-R, --replace__ ''chain rulenum
rule-specification''
+
+
+
+
+
Replace a rule in the selected chain. If the source and/or
destination names resolve to multiple addresses, the command
will fail. Rules are numbered starting at 1.
+
+
+
+
+
__-L, --list__ [[''chain'']
+
+
+
+
+
List all rules in the selected chain. If no chain is
selected, all chains are listed. As every other iptables
command, it applies to the specified table (filter is the
default), so NAT rules get listed by
@@ -142,45 +307,135 @@
specify the __-Z__ (zero) option as well, in which case
the chain(s) will be atomically listed and zeroed. The exact
output is affected by the other arguments
given.
+
+
+
+
+
__-F, --flush__ [[''chain'']
+
+
+
+
+
Flush the selected chain (all the chains in the table if
none is given). This is equivalent to deleting all the rules
one by one.
+
+
+
+
+
__-Z, --zero__ [[''chain'']
+
+
+
+
+
Zero the packet and byte counters in all chains. It is legal
to specify the __-L, --list__ (list) option as well, to
see the counters immediately before they are cleared. (See
above.)
+
+
+
+
+
__-N, --new-chain__ ''chain''
+
+
+
+
+
Create a new user-defined chain by the given name. There
must be no target of that name already.
+
+
+
+
+
__-X, --delete-chain__ [[''chain'']
+
+
+
+
+
Delete the optional user-defined chain specified. There must
be no references to the chain. If there are, you must delete
or replace the referring rules before the chain can be
deleted. If no argument is given, it will attempt to delete
every non-builtin chain in the table.
+
+
+
+
+
__-P, --policy__ ''chain target''
+
+
+
+
+
Set the policy for the chain to the given target. See the
section __TARGETS__ for the legal targets. Only built-in
(non-user-defined) chains can have policies, and neither
built-in nor user-defined chains can be policy
targets.
+
+
+
+
+
__-E, --rename-chain__ ''old-chain
new-chain''
+
+
+
+
+
Rename the user specified chain to the user supplied name.
This is cosmetic, and has no effect on the structure of the
table.
+
+
+
+
+
__-h__
+
+
+
+
+
Help. Give a (currently very brief) description of the
command syntax.
+
+
+
+
+
__PARAMETERS__
+
+
+
+
+
The following parameters make up a rule specification (as
used in the add, delete, insert, replace and append
commands).
+
+
+
+
+
__-p, --protocol__ [[!] ''protocol''
+
+
+
+
+
The protocol of the rule or of the packet to check. The
specified protocol can be one of ''tcp'', ''udp'',
''icmp'', or ''all'', or it can be a numeric value,
representing one of these protocols or a different one. A
@@ -188,10 +443,20 @@
"!" argument before the protocol inverts the test.
The number zero is equivalent to ''all''. Protocol
''all'' will match with all protocols and is taken as
default when this option is omitted.
+
+
+
+
+
__-s, --source__ [[!]
''address''[[/''mask'']
+
+
+
+
+
Source specification. ''Address'' can be either a network
name, a hostname (please note that specifying any name to be
resolved with a remote query such as DNS is a really bad
idea), a network IP address (with /mask), or a plain IP
@@ -200,86 +465,212 @@
of the network mask. Thus, a mask of ''24'' is equivalent
to ''255.255.255.0''. A "!" argument before the
address specification inverts the sense of the address. The
flag __--src__ is an alias for this option.
+
+
+
+
+
__-d, --destination__ [[!]
''address''[[/''mask'']
+
+
+
+
+
Destination specification. See the description of the
__-s__ (source) flag for a detailed description of the
syntax. The flag __--dst__ is an alias for this
option.
+
+
+
+
+
__-j, --jump__ ''target''
+
+
+
+
+
This specifies the target of the rule; i.e., what to do if
the packet matches it. The target can be a user-defined
chain (other than the one this rule is in), one of the
special builtin targets which decide the fate of the packet
immediately, or an extension (see __EXTENSIONS__ below).
If this option is omitted in a rule, then matching the rule
will have no effect on the packet's fate, but the counters
on the rule will be incremented.
+
+
+
+
+
__-i, --in-interface__ [[!] ''name''
+
+
+
+
+
Name of an interface via which a packet is going to be
received (only for packets entering the __INPUT__,
__FORWARD__ and __PREROUTING__ chains). When the
"!" argument is used before the interface name,
the sense is inverted. If the interface name ends in a
"+", then any interface which begins with this
name will match. If this option is omitted, any interface
name will match.
+
+
+
+
+
__-o, --out-interface__ [[!] ''name''
+
+
+
+
+
Name of an interface via which a packet is going to be sent
(for packets entering the __FORWARD__, __OUTPUT__ and
__POSTROUTING__ chains). When the "!" argument
is used before the interface name, the sense is inverted. If
the interface name ends in a "+", then any
interface which begins with this name will match. If this
option is omitted, any interface name will
match.
+
+
+
+
+
__[[!] -f, --fragment__
+
+
+
+
+
This means that the rule only refers to second and further
fragments of fragmented packets. Since there is no way to
tell the source or destination ports of such a packet (or
ICMP type), such a packet will not match any rules which
specify them. When the "!" argument precedes the
"-f" flag, the rule will only match head
fragments, or unfragmented packets.
+
+
+
+
+
__-c, --set-counters__ ''PKTS BYTES''
+
+
+
+
+
This enables the administrater to initialize the packet and
byte counters of a rule (during __INSERT, APPEND,__
__REPLACE__ operations).
+
+
+
+
+
__OTHER OPTIONS__
+
+
+
+
+
The following additional options can be
specified:
+
+
+
+
+
__-v, --verbose__
+
+
+
+
+
Verbose output. This option makes the list command show the
interface address, the rule options (if any), and the TOS
masks. The packet and byte counters are also listed, with
the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and
1,000,000,000 multipliers respectively (but see the
__-x__ flag to change this). For appending, insertion,
deletion and replacement, this causes detailed information
on the rule or rules to be printed.
+
+
+
+
+
__-n, --numeric__
+
+
+
+
+
Numeric output. IP addresses and port numbers will be
printed in numeric format. By default, the program will try
to display them as host names, network names, or services
(whenever applicable).
+
+
+
+
+
__-x, --exact__
+
+
+
+
+
Expand numbers. Display the exact value of the packet and
byte counters, instead of only the rounded number in K's
(multiples of 1000) M's (multiples of 1000K) or G's
(multiples of 1000M). This option is only relevant for the
__-L__ command.
+
+
+
+
+
__--line-numbers__
+
+
+
+
+
When listing rules, add line numbers to the beginning of
each rule, corresponding to that rule's position in the
chain.
+
+
+
+
+
__--modprobe=command__
+
+
+
+
+
When adding or inserting rules into a chain, use
__command__ to load any necessary modules (targets, match
extensions, etc).
+
!!MATCH EXTENSIONS
+
+
+
+
+
iptables can use extended packet matching modules. These are
loaded in two ways: implicitly, when __-p__ or
__--protocol__ is specified, or with the __-m__ or
__--match__ options, followed by the matching module
@@ -288,30 +679,75 @@
multiple extended match modules in one line, and you can use
the __-h__ or __--help__ options after the module has
been specified to receive help specific to that
module.
+
+
+
+
+
The following are included in the base package, and most of
these can be preceded by a __!__ to invert the sense of
the match.
+
+
+
+
+
__tcp__
+
+
+
+
+
These extensions are loaded if `--protocol tcp' is
specified. It provides the following options:
+
+
+
+
+
__--source-port__ [[!]
''port''[[:''port'']
+
+
+
+
+
Source port or port range specification. This can either be
a service name or a port number. An inclusive range can also
be specified, using the format ''port'':''port''. If
the first port is omitted, "0" is assumed; if the
last is omitted, "65535" is assumed. If the second
port greater then the first they will be swapped. The flag
__--sport__ is a convenient alias for this
option.
+
+
+
+
+
__--destination-port__ [[!]
''port''[[:''port'']
+
+
+
+
+
Destination port or port range specification. The flag
__--dport__ is a convenient alias for this
option.
+
+
+
+
+
__--tcp-flags__ [[!] ''mask comp''
+
+
+
+
+
Match when the TCP flags are as specified. The first
argument is the flags which we should examine, written as a
comma-separated list, and the second argument is a
comma-separated list of flags which must be set. Flags are:
@@ -320,9 +756,19 @@
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST
SYN
will only match packets with the SYN flag set, and the ACK,
FIN and RST flags unset.
+
+
+
+
+
__[[!] --syn__
+
+
+
+
+
Only match TCP packets with the SYN bit set and the ACK and
FIN bits cleared. Such packets are used to request TCP
connection initiation; for example, blocking such packets
coming in an interface will prevent incoming TCP
@@ -330,111 +776,366 @@
unaffected. It is equivalent to __--tcp-flags SYN,RST,ACK__
__SYN__. If the "!" flag precedes the
"--syn", the sense of the option is
inverted.
+
+
+
+
+
__--tcp-option__ [[!] ''number''
+
+
+
+
+
Match if TCP option set.
+
+
+
+
+
__--mss__ ''value''[[:''value'']
+
+
+
+
+
Match TCP SYN or SYN/ACK packets with the specified MSS
value (or range), which control the maximum packet size for
that connection.
+
+
+
+
+
__udp__
+
+
+
+
+
These extensions are loaded if `--protocol udp' is
specified. It provides the following options:
+
+
+
+
+
__--source-port__ [[!]
''port''[[:''port'']
+
+
+
+
+
Source port or port range specification. See the description
of the __--source-port__ option of the TCP extension for
details.
+
+
+
+
+
__--destination-port__ [[!]
''port''[[:''port'']
+
+
+
+
+
Destination port or port range specification. See the
description of the __--destination-port__ option of the
TCP extension for details.
+
+
+
+
+
__icmp__
+
+
+
+
+
This extension is loaded if `--protocol icmp' is specified.
It provides the following option:
+
+
+
+
+
__--icmp-type__ [[!] ''typename''
+
+
+
+
+
This allows specification of the ICMP type, which can be a
numeric ICMP type, or one of the ICMP type names shown by
the command
iptables -p icmp -h
+
+
+
+
+
__mac__
+
+
+
+
+
__--mac-source__ [[!] ''address''
+
+
+
+
+
Match source MAC address. It must be of the form
XX:XX:XX:XX:XX:XX. Note that this only makes sense for
packets coming from an Ethernet device and entering the
__PREROUTING__, __FORWARD__ or __INPUT__
chains.
+
+
+
+
+
__limit__
+
+
+
+
+
This module matches at a limited rate using a token bucket
filter. A rule using this extension will match until this
limit is reached (unless the `!' flag is used). It can be
used in combination with the __LOG__ target to give
limited logging, for example.
+
+
+
+
+
__--limit__ ''rate''
+
+
+
+
+
Maximum average matching rate: specified as a number, with
an optional `/second', `/minute', `/hour', or `/day' suffix;
the default is 3/hour.
+
+
+
+
+
__--limit-burst__ ''number''
+
+
+
+
+
Maximum initial number of packets to match: this number gets
recharged by one every time the limit specified above is not
reached, up to this number; the default is 5.
+
+
+
+
+
__multiport__
+
+
+
+
+
This module matches a set of source or destination ports. Up
to 15 ports can be specified. It can only be used in
conjunction with __-p tcp__ or __-p__
__udp__.
+
+
+
+
+
__--source-ports__
''port''[[,''port''[[,''port''...]]
+
+
+
+
+
Match if the source port is one of the given ports. The flag
__--sports__ is a convenient alias for this
option.
+
+
+
+
+
__--destination-ports__
''port''[[,''port''[[,''port''...]]
+
+
+
+
+
Match if the destination port is one of the given ports. The
flag __--dports__ is a convenient alias for this
option.
+
+
+
+
+
__--ports__
''port''[[,''port''[[,''port''...]]
+
+
+
+
+
Match if the both the source and destination ports are equal
to each other and to one of the given ports.
+
+
+
+
+
__mark__
+
+
+
+
+
This module matches the netfilter mark field associated with
a packet (which can be set using the __MARK__ target
below).
+
+
+
+
+
__--mark__ ''value''[[/''mask'']
+
+
+
+
+
Matches packets with the given unsigned mark value (if a
mask is specified, this is logically ANDed with the mask
before the comparison).
+
+
+
+
+
__owner__
+
+
+
+
+
This module attempts to match various characteristics of the
packet creator, for locally-generated packets. It is only
valid in the __OUTPUT__ chain, and even this some packets
(such as ICMP ping responses) may have no owner, and hence
never match.
+
+
+
+
+
__--uid-owner__ ''userid''
+
+
+
+
+
Matches if the packet was created by a process with the
given effective user id.
+
+
+
+
+
__--gid-owner__ ''groupid''
+
+
+
+
+
Matches if the packet was created by a process with the
given effective group id.
+
+
+
+
+
__--pid-owner__ ''processid''
+
+
+
+
+
Matches if the packet was created by a process with the
given process id.
+
+
+
+
+
__--sid-owner__ ''sessionid''
+
+
+
+
+
Matches if the packet was created by a process in the given
session group.
+
+
+
+
+
__--cmd-owner__ ''name''
+
+
+
+
+
Matches if the packet was created by a process with the
given command name. (this option is present only if iptables
was compiled under a kernel supporting this
feature)
+
+
+
+
+
__state__
+
+
+
+
+
This module, when combined with connection tracking, allows
access to the connection tracking state for this
packet.
+
+
+
+
+
__--state__ ''state''
+
+
+
+
+
Where state is a comma separated list of the connection
states to match. Possible states are __INVALID__ meaning
that the packet is associated with no known connection,
__ESTABLISHED__ meaning that the packet is associated
@@ -444,60 +1145,221 @@
has not seen packets in both directions, and __RELATED__
meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data
transfer, or an ICMP error.
+
+
+
+
+
__tos__
+
+
+
+
+
This module matches the 8 bits of Type of Service field in
the IP header (ie. including the precedence
bits).
+
+
+
+
+
__--tos__ ''tos''
+
+
+
+
+
The argument is either a standard name, (use
iptables -m tos -h
to see the list), or a numeric value to match.
+
+
+
+
+
__ah__
+
+
+
+
+
This module matches the SPIs in AH header of IPSec
packets.
+
+
+
+
+
__--ahspi__ [[!] ''spi''[[:''spi'']
+
+
+
+
+
__esp__
+
+
+
+
+
This module matches the SPIs in ESP header of IPSec
packets.
+
+
+
+
+
__--espspi__ [[!] ''spi''[[:''spi'']
+
+
+
+
+
__length__
+
+
+
+
+
This module matches the length of a packet against a
specific value or range of values.
+
+
+
+
+
__--length__ ''length''[[:''length'']
+
+
+
+
+
__ttl__
+
+
+
+
+
This module matches the time to live field in the IP
header.
+
+
+
+
+
__--ttl__ ''ttl''
+
+
+
+
+
Matches the given TTL value.
+
+
+
+
+
__owner__
+
+
+
+
+
This module attempts to match various characteristics of the
packet creator, for locally-generated packets. It is only
valid in the __OUTPUT__ chain, and even this some packets
(such as ICMP ping responses) may have no owner, and hence
never match. This is regarded as experimental.
+
+
+
+
+
__--uid-owner__ ''userid''
+
+
+
+
+
Matches if the packet was created by a process with the
given effective user id.
+
+
+
+
+
__--gid-owner__ ''groupid''
+
+
+
+
+
Matches if the packet was created by a process with the
given effective group id.
+
+
+
+
+
__--pid-owner__ ''processid''
+
+
+
+
+
Matches if the packet was created by a process with the
given process id.
+
+
+
+
+
__--sid-owner__ ''sessionid''
+
+
+
+
+
Matches if the packet was created by a process in the given
session group.
+
+
+
+
+
__unclean__
+
+
+
+
+
This module takes no options, but attempts to match packets
which seem malformed or unusual. This is regarded as
experimental.
+
!!TARGET EXTENSIONS
+
+
+
+
+
iptables can use extended target modules: the following are
included in the standard distribution.
+
+
+
+
+
__LOG__
+
+
+
+
+
Turn on kernel logging of matching packets. When this option
is set for a rule, the Linux kernel will print some
information on all matching packets (like most IP header
fields) via the kernel log (where it can be read with
@@ -506,37 +1368,122 @@
continues at the next rule. So if you want to LOG the
packets you refuse, use two separate rules with the same
matching criterias, first using target LOG then DROP (or
REJECT).
+
+
+
+
+
__--log-level__ ''level''
+
+
+
+
+
Level of logging (numeric or see
''syslog.conf''(5)).
+
+
+
+
+
__--log-prefix__ ''prefix''
+
+
+
+
+
Prefix log messages with the specified prefix; up to 29
letters long, and useful for distinguishing messages in the
logs.
+
+
+
+
+
__--log-tcp-sequence__
+
+
+
+
+
Log TCP sequence numbers. This is a security risk if the log
is readable by users.
+
+
+
+
+
__--log-tcp-options__
+
+
+
+
+
Log options from the TCP packet header.
+
+
+
+
+
__--log-ip-options__
+
+
+
+
+
Log options from the IP packet header.
+
+
+
+
+
__MARK__
+
+
+
+
+
This is used to set the netfilter mark value associated with
the packet. It is only valid in the __mangle__ table. It
can for example be used in conjunction with
iproute2.
+
+
+
+
+
__--set-mark__ ''mark''
+
+
+
+
+
__REJECT__
+
+
+
+
+
This is used to send back an error packet in response to the
matched packet: otherwise it is equivalent to __DROP__ so
it is a terminating TARGET, ending rule traversal. This
target is only valid in the __INPUT__, __FORWARD__ and
__OUTPUT__ chains, and user-defined chains which are only
called from those chains. The following option controls the
nature of the error packet returned:
+
+
+
+
+
__--reject-with__ ''type''
+
+
+
+
+
The type given can be __icmp-net-unreachable__,
__icmp-host-unreachable__, __icmp-port-unreachable__,
__icmp-proto-unreachable__, __icmp-net-prohibited or__
__icmp-host-prohibited__, which return the appropriate ICMP
@@ -546,34 +1493,84 @@
sent back. This is mainly useful for blocking ''ident''
(113/tcp) probes which frequently occur when sending mail to
broken mail hosts (which won't accept your mail
otherwise).
+
+
+
+
+
__TOS__
+
+
+
+
+
This is used to set the 8-bit Type of Service field in the
IP header. It is only valid in the __mangle__
table.
+
+
+
+
+
__--set-tos__ ''tos''
+
+
+
+
+
You can use a numeric TOS values, or use
iptables -j TOS -h
to see the list of valid TOS names.
+
+
+
+
+
__MIRROR__
+
+
+
+
+
This is an experimental demonstration target which inverts
the source and destination fields in the IP header and
retransmits the packet. It is only valid in the
__INPUT__, __FORWARD__ and __PREROUTING__ chains,
and user-defined chains which are only called from those
chains. Note that the outgoing packets are __NOT__ seen
by any packet filtering chains, connection tracking or NAT,
to avoid loops and other problems.
+
+
+
+
+
__SNAT__
+
+
+
+
+
This target is only valid in the __nat__ table, in the
__POSTROUTING__ chain. It specifies that the source
address of the packet should be modified (and all future
packets in this connection will also be mangled), and rules
should cease being examined. It takes one
option:
+
+
+
+
+
__--to-source__
''ipaddr''[[-''ipaddr''][[:''port''-''port'']
+
+
+
+
+
which can specify a single new source IP address, an
inclusive range of IP addresses, and optionally, a port
range (which is only valid if the rule also specifies __-p__
__tcp__ or __-p udp__). If no port range is specified,
@@ -581,25 +1578,55 @@
below 512: those between 512 and 1023 inclusive will be
mapped to ports below 1024, and other ports will be mapped
to 1024 or above. Where possible, no port alteration will
occur.
+
+
+
+
+
__DNAT__
+
+
+
+
+
This target is only valid in the __nat__ table, in the
__PREROUTING__ and __OUTPUT__ chains, and user-defined
chains which are only called from those chains. It specifies
that the destination address of the packet should be
modified (and all future packets in this connection will
also be mangled), and rules should cease being examined. It
takes one option:
+
+
+
+
+
__--to-destination__
''ipaddr''[[-''ipaddr''][[:''port''-''port'']
+
+
+
+
+
which can specify a single new destination IP address, an
inclusive range of IP addresses, and optionally, a port
range (which is only valid if the rule also specifies __-p__
__tcp__ or __-p udp__). If no port range is specified,
then the destination port will never be
modified.
+
+
+
+
+
__MASQUERADE__
+
+
+
+
+
This target is only valid in the __nat__ table, in the
__POSTROUTING__ chain. It should only be used with
dynamically assigned IP (dialup) connections: if you have a
static IP address, you should use the SNAT target.
@@ -609,49 +1636,139 @@
the interface goes down. This is the correct behavior when
the next dialup is unlikely to have the same interface
address (and hence any established connections are lost
anyway). It takes one option:
+
+
+
+
+
__--to-ports__ ''port''[[-''port'']
+
+
+
+
+
This specifies a range of source ports to use, overriding
the default __SNAT__ source port-selection heuristics
(see above). This is only valid if the rule also specifies
__-p tcp__ or __-p udp__.
+
+
+
+
+
__REDIRECT__
+
+
+
+
+
This target is only valid in the __nat__ table, in the
__PREROUTING__ and __OUTPUT__ chains, and user-defined
chains which are only called from those chains. It alters
the destination IP address to send the packet to the machine
itself (locally-generated packets are mapped to the
127.0.0.1 address). It takes one option:
+
+
+
+
+
__--to-ports__ ''port''[[-''port'']
+
+
+
+
+
This specifies a destination port or range of ports to use:
without this, the destination port is never altered. This is
only valid if the rule also specifies __-p tcp__ or __-p__
__udp__.
+
+
+
+
+
__ULOG__
+
+
+
+
+
This target provides userspace logging of matching packets.
When this target is set for a rule, the Linux kernel will
multicast this packet through a ''netlink'' socket. One
or more userspace processes may then subscribe to various
multicast groups and receive the packets.
+
+
+
+
+
__--ulog-nlgroup__ ''nlgroup''
+
+
+
+
+
This specifies the netlink group (1-32) to which the packet
is sent. Default value is 1.
+
+
+
+
+
__--ulog-prefix__ ''prefix''
+
+
+
+
+
Prefix log messages with the specified prefix; up to 32
characters long, and useful fro distinguishing messages in
the logs.
+
+
+
+
+
__--ulog-cprange__ ''size''
+
+
+
+
+
Number of bytes to be copied to userspace. A value of 0
always copies the entire packet, regardless of its size.
Default is 0.
+
+
+
+
+
__--ulog-qthreshold__ ''size''
+
+
+
+
+
Number of packet to queue inside kernel. Setting this value
to, e.g. 10 accumulates ten packets inside the kernel and
transmits them as one netlink multipart message to
userspace. Default is 1 (for backwards
compatibility).
+
+
+
+
+
__TCPMSS__
+
+
+
+
+
This target allows to alter the MSS value of TCP SYN
packets, to control the maximum size for that connection
(usually limiting it to your outgoing interface's MTU minus
40). Of course, it can only be used in conjunction with
@@ -669,51 +1786,150 @@
Workaround: activate this option and add a rule to your
firewall configuration like:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
+
+
+
+
+
__--set-mss__ ''value''
+
+
+
+
+
Explicitly set MSS option to specified value.
+
+
+
+
+
__--clamp-mss-to-pmtu__
+
+
+
+
+
Automatically clamp MSS value to (path_MTU -
40).
+
+
+
+
+
These options are mutually exclusive.
+
!!EXTRA EXTENSIONS
+
+
+
+
+
The following extensions are not included by default in the
standard distribution.
+
+
+
+
+
__TTL__
+
+
+
+
+
This target is used to modify the time to live field in the
IP header. It is only valid in the __mangle__
table.
+
+
+
+
+
__--ttl-set__ ''ttl''
+
+
+
+
+
Set the TTL to the given value.
+
+
+
+
+
__--ttl-dec__ ''ttl''
+
+
+
+
+
Decrement the TTL by the given value.
+
+
+
+
+
__--ttl-inc__ ''ttl''
+
+
+
+
+
Increment the TTL by the given value.
+
!!DIAGNOSTICS
+
+
+
+
+
Various error messages are printed to standard error. The
exit code is 0 for correct functioning. Errors which appear
to be caused by invalid or abused command line parameters
cause an exit code of 2, and other errors cause an exit code
of 1.
+
!!BUGS
+
+
+
+
+
Check is not implemented (yet).
+
!!COMPATIBILITY WITH IPCHAINS
+
+
+
+
+
This __iptables__ is very similar to ipchains by Rusty
Russell. The main difference is that the chains __INPUT__
and __OUTPUT__ are only traversed for packets coming into
the local host and originating from the local host
respectively. Hence every packet only passes through one of
the three chains; previously a forwarded packet would pass
through all three.
+
+
+
+
+
The other main difference is that __-i__ refers to the
input interface; __-o__ refers to the output interface,
and both are available for packets entering the
__FORWARD__ chain.
+
+
+
+
+
__iptables__ is a pure packet filter when using the
default `filter' table, with optional extension modules.
This should simplify much of the previous confusion over the
combination of IP masquerading and packet filtering seen
@@ -722,29 +1938,71 @@
-j MASQ
-M -S
-M -L
There are several other changes in iptables.
+
!!SEE ALSO
+
+
+
+
+
The packet-filtering-HOWTO, which details more iptables
usage for packet filtering, the NAT-HOWTO, which details
NAT, and the netfilter-hacking-HOWTO which details the
internals.
See __http://www.netfilter.org/__.
+
!!AUTHORS
+
+
+
+
+
Rusty Russell wrote iptables, in early consultation with
Michael Neuling.
+
+
+
+
+
Marc Boucher made Rusty abandon ipnatctl by lobbying for a
generic packet selection framework in iptables, then wrote
the mangle table, the owner match, the mark stuff, and ran
around doing cool stuff everywhere.
+
+
+
+
+
James Morris wrote the TOS target, and tos
match.
+
+
+
+
+
Jozsef Kadlecsik wrote the REJECT target.
+
+
+
+
+
Harald Welte wrote the ULOG target, TTL match+target and
libipulog.
+
+
+
+
+
The Netfilter Core Team is: Marc Boucher, Jozsef Kadlecsik,
James Morris, Harald Welte and Rusty Russell.
+
+
+
+
+
Man page written by Herve Eychenne
<rv@wallfire.org>.
----