Penguin

Differences between current version and predecessor to the previous major change of iptables(8).

Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History

Newer page: version 2 Last edited on Sunday, July 28, 2002 2:59:31 pm by WikiAdmin
Older page: version 1 Last edited on Sunday, July 28, 2002 2:57:07 pm by WikiAdmin Revert
@@ -1,5 +1,12 @@
+  
+  
+  
+  
 IPTABLES 
+  
+  
+  
  
 !!!IPTABLES 
 NAME 
 SYNOPSIS 
@@ -14,14 +21,28 @@
 BUGS 
 COMPATIBILITY WITH IPCHAINS 
 SEE ALSO 
 AUTHORS 
+  
 ---- 
+  
+  
+  
  
 !!NAME 
+  
+  
+  
+  
 iptables - IP packet filter administration 
+  
  
 !!SYNOPSIS 
+  
+  
+  
+  
+  
 __iptables -[[ADC]__ chain rule-specification 
 [[options] 
 __iptables -I__ chain [[rulenum] rule-specification 
 [[options] 
@@ -32,28 +53,50 @@
 __iptables -N__ chain 
 __iptables -X__ [[chain] 
 __iptables -P__ chain target [[options] 
 __iptables -E__ old-chain-name new-chain-name 
+  
  
 !!DESCRIPTION 
+  
+  
+  
+  
+  
 __Iptables__ is used to set up, maintain, and inspect the 
 tables of IP packet filter rules in the Linux kernel. 
 Several different tables may be defined. Each table contains 
 a number of built-in chains and may also contain 
 user-defined chains. 
+  
+  
+  
+  
+  
 Each chain is a list of rules which can match a set of 
 packets. Each rule specifies what to do with a packet that 
 matches. This is called a `target', which may be a jump to a 
 user-defined chain in the same table. 
+  
  
 !!TARGETS 
+  
+  
+  
+  
+  
 A firewall rule specifies criteria for a packet, and a 
 target. If the packet does not match, the next rule in the 
 chain is the examined; if it does match, then the next rule 
 is specified by the value of the target, which can be the 
 name of a user-defined chain or one of the special values 
 ''ACCEPT'', ''DROP'', ''QUEUE'', or 
 ''RETURN''. 
+  
+  
+  
+  
+  
 ''ACCEPT'' means to let the packet through. ''DROP'' 
 means to drop the packet on the floor. ''QUEUE'' means to 
 pass the packet to userspace (if supported by the kernel). 
 ''RETURN'' means stop traversing this chain and resume at 
@@ -61,33 +104,84 @@
 a built-in chain is reached or a rule in a built-in chain 
 with target ''RETURN'' is matched, the target specified 
 by the chain policy determines the fate of the 
 packet. 
+  
  
 !!TABLES 
+  
+  
+  
+  
+  
 There are current three independent tables (which tables are 
 present at any time depends on the kernel configuration 
 options and which modules are present). 
+  
+  
+  
+  
+  
 __-t, --table__ ''table'' 
+  
+  
+  
+  
+  
 This option specifies the packet matching table which the 
 command should operate on. If the kernel is configured with 
 automatic module loading, an attempt will be made to load 
 the appropriate module for that table if it is not already 
 there. 
+  
+  
+  
+  
+  
 The tables are as follows: 
+  
+  
+  
+  
+  
 __filter__ 
+  
+  
+  
+  
+  
 This is the default table. It contains the built-in chains 
 INPUT (for packets coming into the box itself), FORWARD (for 
 packets being routed through the box), and OUTPUT (for 
 locally-generated packets). 
+  
+  
+  
+  
+  
 __nat__ 
+  
+  
+  
+  
+  
 This table is consulted when a packet that creates a new 
 connection is encountered. It consists of three built-ins: 
 PREROUTING (for altering packets as soon as they come in), 
 OUTPUT (for altering locally-generated packets before 
 routing), and POSTROUTING (for altering packets as they are 
 about to go out). 
+  
+  
+  
+  
+  
 __mangle__ 
+  
+  
+  
+  
+  
 This table is used for specialized packet alteration. Until 
 kernel 2.4.17 it had two built-in chains: PREROUTING (for 
 altering incoming packets before routing) and OUTPUT (for 
 altering locally-generated packets before routing). Since 
@@ -95,44 +189,115 @@
 supported : INPUT (for packets coming into the box itself), 
 FORWARD (for altering packets being routed through the box), 
 and POSTROUTING (for altering packets as they are about to 
 go out). 
+  
  
 !!OPTIONS 
+  
+  
+  
+  
+  
 The options that are recognized by __iptables__ can be 
 divided into several different groups. 
+  
+  
+  
+  
+  
 __COMMANDS__ 
+  
+  
+  
+  
+  
 These options specify the specific action to perform. Only 
 one of them can be specified on the command line unless 
 otherwise specified below. For all the long versions of the 
 command and option names, you need to use only enough 
 letters to ensure that __iptables__ can differentiate it 
 from all other options. 
+  
+  
+  
+  
+  
 __-A, --append__ ''chain 
 rule-specification'' 
+  
+  
+  
+  
+  
 Append one or more rules to the end of the selected chain. 
 When the source and/or destination names resolve to more 
 than one address, a rule will be added for each possible 
 address combination. 
+  
+  
+  
+  
+  
 __-D, --delete__ ''chain 
 rule-specification'' 
+  
+  
+  
+  
+  
 __-D, --delete__ ''chain rulenum'' 
+  
+  
+  
+  
+  
 Delete one or more rules from the selected chain. There are 
 two versions of this command: the rule can be specified as a 
 number in the chain (starting at 1 for the first rule) or a 
 rule to match. 
+  
+  
+  
+  
+  
 __-I, --insert__ ''chain'' [[''rulenum''] 
 ''rule-specification'' 
+  
+  
+  
+  
+  
 Insert one or more rules in the selected chain as the given 
 rule number. So, if the rule number is 1, the rule or rules 
 are inserted at the head of the chain. This is also the 
 default if no rule number is specified. 
+  
+  
+  
+  
+  
 __-R, --replace__ ''chain rulenum 
 rule-specification'' 
+  
+  
+  
+  
+  
 Replace a rule in the selected chain. If the source and/or 
 destination names resolve to multiple addresses, the command 
 will fail. Rules are numbered starting at 1. 
+  
+  
+  
+  
+  
 __-L, --list__ [[''chain''] 
+  
+  
+  
+  
+  
 List all rules in the selected chain. If no chain is 
 selected, all chains are listed. As every other iptables 
 command, it applies to the specified table (filter is the 
 default), so NAT rules get listed by 
@@ -142,45 +307,135 @@
 specify the __-Z__ (zero) option as well, in which case 
 the chain(s) will be atomically listed and zeroed. The exact 
 output is affected by the other arguments 
 given. 
+  
+  
+  
+  
+  
 __-F, --flush__ [[''chain''] 
+  
+  
+  
+  
+  
 Flush the selected chain (all the chains in the table if 
 none is given). This is equivalent to deleting all the rules 
 one by one. 
+  
+  
+  
+  
+  
 __-Z, --zero__ [[''chain''] 
+  
+  
+  
+  
+  
 Zero the packet and byte counters in all chains. It is legal 
 to specify the __-L, --list__ (list) option as well, to 
 see the counters immediately before they are cleared. (See 
 above.) 
+  
+  
+  
+  
+  
 __-N, --new-chain__ ''chain'' 
+  
+  
+  
+  
+  
 Create a new user-defined chain by the given name. There 
 must be no target of that name already. 
+  
+  
+  
+  
+  
 __-X, --delete-chain__ [[''chain''] 
+  
+  
+  
+  
+  
 Delete the optional user-defined chain specified. There must 
 be no references to the chain. If there are, you must delete 
 or replace the referring rules before the chain can be 
 deleted. If no argument is given, it will attempt to delete 
 every non-builtin chain in the table. 
+  
+  
+  
+  
+  
 __-P, --policy__ ''chain target'' 
+  
+  
+  
+  
+  
 Set the policy for the chain to the given target. See the 
 section __TARGETS__ for the legal targets. Only built-in 
 (non-user-defined) chains can have policies, and neither 
 built-in nor user-defined chains can be policy 
 targets. 
+  
+  
+  
+  
+  
 __-E, --rename-chain__ ''old-chain 
 new-chain'' 
+  
+  
+  
+  
+  
 Rename the user specified chain to the user supplied name. 
 This is cosmetic, and has no effect on the structure of the 
 table. 
+  
+  
+  
+  
+  
 __-h__ 
+  
+  
+  
+  
+  
 Help. Give a (currently very brief) description of the 
 command syntax. 
+  
+  
+  
+  
+  
 __PARAMETERS__ 
+  
+  
+  
+  
+  
 The following parameters make up a rule specification (as 
 used in the add, delete, insert, replace and append 
 commands). 
+  
+  
+  
+  
+  
 __-p, --protocol__ [[!] ''protocol'' 
+  
+  
+  
+  
+  
 The protocol of the rule or of the packet to check. The 
 specified protocol can be one of ''tcp'', ''udp'', 
 ''icmp'', or ''all'', or it can be a numeric value, 
 representing one of these protocols or a different one. A 
@@ -188,10 +443,20 @@
 "!" argument before the protocol inverts the test. 
 The number zero is equivalent to ''all''. Protocol 
 ''all'' will match with all protocols and is taken as 
 default when this option is omitted. 
+  
+  
+  
+  
+  
 __-s, --source__ [[!] 
 ''address''[[/''mask''] 
+  
+  
+  
+  
+  
 Source specification. ''Address'' can be either a network 
 name, a hostname (please note that specifying any name to be 
 resolved with a remote query such as DNS is a really bad 
 idea), a network IP address (with /mask), or a plain IP 
@@ -200,86 +465,212 @@
 of the network mask. Thus, a mask of ''24'' is equivalent 
 to ''255.255.255.0''. A "!" argument before the 
 address specification inverts the sense of the address. The 
 flag __--src__ is an alias for this option. 
+  
+  
+  
+  
+  
 __-d, --destination__ [[!] 
 ''address''[[/''mask''] 
+  
+  
+  
+  
+  
 Destination specification. See the description of the 
 __-s__ (source) flag for a detailed description of the 
 syntax. The flag __--dst__ is an alias for this 
 option. 
+  
+  
+  
+  
+  
 __-j, --jump__ ''target'' 
+  
+  
+  
+  
+  
 This specifies the target of the rule; i.e., what to do if 
 the packet matches it. The target can be a user-defined 
 chain (other than the one this rule is in), one of the 
 special builtin targets which decide the fate of the packet 
 immediately, or an extension (see __EXTENSIONS__ below). 
 If this option is omitted in a rule, then matching the rule 
 will have no effect on the packet's fate, but the counters 
 on the rule will be incremented. 
+  
+  
+  
+  
+  
 __-i, --in-interface__ [[!] ''name'' 
+  
+  
+  
+  
+  
 Name of an interface via which a packet is going to be 
 received (only for packets entering the __INPUT__, 
 __FORWARD__ and __PREROUTING__ chains). When the 
 "!" argument is used before the interface name, 
 the sense is inverted. If the interface name ends in a 
 "+", then any interface which begins with this 
 name will match. If this option is omitted, any interface 
 name will match. 
+  
+  
+  
+  
+  
 __-o, --out-interface__ [[!] ''name'' 
+  
+  
+  
+  
+  
 Name of an interface via which a packet is going to be sent 
 (for packets entering the __FORWARD__, __OUTPUT__ and 
 __POSTROUTING__ chains). When the "!" argument 
 is used before the interface name, the sense is inverted. If 
 the interface name ends in a "+", then any 
 interface which begins with this name will match. If this 
 option is omitted, any interface name will 
 match. 
+  
+  
+  
+  
+  
 __[[!] -f, --fragment__ 
+  
+  
+  
+  
+  
 This means that the rule only refers to second and further 
 fragments of fragmented packets. Since there is no way to 
 tell the source or destination ports of such a packet (or 
 ICMP type), such a packet will not match any rules which 
 specify them. When the "!" argument precedes the 
 "-f" flag, the rule will only match head 
 fragments, or unfragmented packets. 
+  
+  
+  
+  
+  
 __-c, --set-counters__ ''PKTS BYTES'' 
+  
+  
+  
+  
+  
 This enables the administrater to initialize the packet and 
 byte counters of a rule (during __INSERT, APPEND,__ 
 __REPLACE__ operations). 
+  
+  
+  
+  
+  
 __OTHER OPTIONS__ 
+  
+  
+  
+  
+  
 The following additional options can be 
 specified: 
+  
+  
+  
+  
+  
 __-v, --verbose__ 
+  
+  
+  
+  
+  
 Verbose output. This option makes the list command show the 
 interface address, the rule options (if any), and the TOS 
 masks. The packet and byte counters are also listed, with 
 the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 
 1,000,000,000 multipliers respectively (but see the 
 __-x__ flag to change this). For appending, insertion, 
 deletion and replacement, this causes detailed information 
 on the rule or rules to be printed. 
+  
+  
+  
+  
+  
 __-n, --numeric__ 
+  
+  
+  
+  
+  
 Numeric output. IP addresses and port numbers will be 
 printed in numeric format. By default, the program will try 
 to display them as host names, network names, or services 
 (whenever applicable). 
+  
+  
+  
+  
+  
 __-x, --exact__ 
+  
+  
+  
+  
+  
 Expand numbers. Display the exact value of the packet and 
 byte counters, instead of only the rounded number in K's 
 (multiples of 1000) M's (multiples of 1000K) or G's 
 (multiples of 1000M). This option is only relevant for the 
 __-L__ command. 
+  
+  
+  
+  
+  
 __--line-numbers__ 
+  
+  
+  
+  
+  
 When listing rules, add line numbers to the beginning of 
 each rule, corresponding to that rule's position in the 
 chain. 
+  
+  
+  
+  
+  
 __--modprobe=command__ 
+  
+  
+  
+  
+  
 When adding or inserting rules into a chain, use 
 __command__ to load any necessary modules (targets, match 
 extensions, etc). 
+  
  
 !!MATCH EXTENSIONS 
+  
+  
+  
+  
+  
 iptables can use extended packet matching modules. These are 
 loaded in two ways: implicitly, when __-p__ or 
 __--protocol__ is specified, or with the __-m__ or 
 __--match__ options, followed by the matching module 
@@ -288,30 +679,75 @@
 multiple extended match modules in one line, and you can use 
 the __-h__ or __--help__ options after the module has 
 been specified to receive help specific to that 
 module. 
+  
+  
+  
+  
+  
 The following are included in the base package, and most of 
 these can be preceded by a __!__ to invert the sense of 
 the match. 
+  
+  
+  
+  
+  
 __tcp__ 
+  
+  
+  
+  
+  
 These extensions are loaded if `--protocol tcp' is 
 specified. It provides the following options: 
+  
+  
+  
+  
+  
 __--source-port__ [[!] 
 ''port''[[:''port''] 
+  
+  
+  
+  
+  
 Source port or port range specification. This can either be 
 a service name or a port number. An inclusive range can also 
 be specified, using the format ''port'':''port''. If 
 the first port is omitted, "0" is assumed; if the 
 last is omitted, "65535" is assumed. If the second 
 port greater then the first they will be swapped. The flag 
 __--sport__ is a convenient alias for this 
 option. 
+  
+  
+  
+  
+  
 __--destination-port__ [[!] 
 ''port''[[:''port''] 
+  
+  
+  
+  
+  
 Destination port or port range specification. The flag 
 __--dport__ is a convenient alias for this 
 option. 
+  
+  
+  
+  
+  
 __--tcp-flags__ [[!] ''mask comp'' 
+  
+  
+  
+  
+  
 Match when the TCP flags are as specified. The first 
 argument is the flags which we should examine, written as a 
 comma-separated list, and the second argument is a 
 comma-separated list of flags which must be set. Flags are: 
@@ -320,9 +756,19 @@
 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST 
 SYN 
 will only match packets with the SYN flag set, and the ACK, 
 FIN and RST flags unset. 
+  
+  
+  
+  
+  
 __[[!] --syn__ 
+  
+  
+  
+  
+  
 Only match TCP packets with the SYN bit set and the ACK and 
 FIN bits cleared. Such packets are used to request TCP 
 connection initiation; for example, blocking such packets 
 coming in an interface will prevent incoming TCP 
@@ -330,111 +776,366 @@
 unaffected. It is equivalent to __--tcp-flags SYN,RST,ACK__ 
 __SYN__. If the "!" flag precedes the 
 "--syn", the sense of the option is 
 inverted. 
+  
+  
+  
+  
+  
 __--tcp-option__ [[!] ''number'' 
+  
+  
+  
+  
+  
 Match if TCP option set. 
+  
+  
+  
+  
+  
 __--mss__ ''value''[[:''value''] 
+  
+  
+  
+  
+  
 Match TCP SYN or SYN/ACK packets with the specified MSS 
 value (or range), which control the maximum packet size for 
 that connection. 
+  
+  
+  
+  
+  
 __udp__ 
+  
+  
+  
+  
+  
 These extensions are loaded if `--protocol udp' is 
 specified. It provides the following options: 
+  
+  
+  
+  
+  
 __--source-port__ [[!] 
 ''port''[[:''port''] 
+  
+  
+  
+  
+  
 Source port or port range specification. See the description 
 of the __--source-port__ option of the TCP extension for 
 details. 
+  
+  
+  
+  
+  
 __--destination-port__ [[!] 
 ''port''[[:''port''] 
+  
+  
+  
+  
+  
 Destination port or port range specification. See the 
 description of the __--destination-port__ option of the 
 TCP extension for details. 
+  
+  
+  
+  
+  
 __icmp__ 
+  
+  
+  
+  
+  
 This extension is loaded if `--protocol icmp' is specified. 
 It provides the following option: 
+  
+  
+  
+  
+  
 __--icmp-type__ [[!] ''typename'' 
+  
+  
+  
+  
+  
 This allows specification of the ICMP type, which can be a 
 numeric ICMP type, or one of the ICMP type names shown by 
 the command 
 iptables -p icmp -h 
+  
+  
+  
+  
+  
 __mac__ 
+  
+  
+  
+  
+  
 __--mac-source__ [[!] ''address'' 
+  
+  
+  
+  
+  
 Match source MAC address. It must be of the form 
 XX:XX:XX:XX:XX:XX. Note that this only makes sense for 
 packets coming from an Ethernet device and entering the 
 __PREROUTING__, __FORWARD__ or __INPUT__ 
 chains. 
+  
+  
+  
+  
+  
 __limit__ 
+  
+  
+  
+  
+  
 This module matches at a limited rate using a token bucket 
 filter. A rule using this extension will match until this 
 limit is reached (unless the `!' flag is used). It can be 
 used in combination with the __LOG__ target to give 
 limited logging, for example. 
+  
+  
+  
+  
+  
 __--limit__ ''rate'' 
+  
+  
+  
+  
+  
 Maximum average matching rate: specified as a number, with 
 an optional `/second', `/minute', `/hour', or `/day' suffix; 
 the default is 3/hour. 
+  
+  
+  
+  
+  
 __--limit-burst__ ''number'' 
+  
+  
+  
+  
+  
 Maximum initial number of packets to match: this number gets 
 recharged by one every time the limit specified above is not 
 reached, up to this number; the default is 5. 
+  
+  
+  
+  
+  
 __multiport__ 
+  
+  
+  
+  
+  
 This module matches a set of source or destination ports. Up 
 to 15 ports can be specified. It can only be used in 
 conjunction with __-p tcp__ or __-p__ 
 __udp__. 
+  
+  
+  
+  
+  
 __--source-ports__ 
 ''port''[[,''port''[[,''port''...]] 
+  
+  
+  
+  
+  
 Match if the source port is one of the given ports. The flag 
 __--sports__ is a convenient alias for this 
 option. 
+  
+  
+  
+  
+  
 __--destination-ports__ 
 ''port''[[,''port''[[,''port''...]] 
+  
+  
+  
+  
+  
 Match if the destination port is one of the given ports. The 
 flag __--dports__ is a convenient alias for this 
 option. 
+  
+  
+  
+  
+  
 __--ports__ 
 ''port''[[,''port''[[,''port''...]] 
+  
+  
+  
+  
+  
 Match if the both the source and destination ports are equal 
 to each other and to one of the given ports. 
+  
+  
+  
+  
+  
 __mark__ 
+  
+  
+  
+  
+  
 This module matches the netfilter mark field associated with 
 a packet (which can be set using the __MARK__ target 
 below). 
+  
+  
+  
+  
+  
 __--mark__ ''value''[[/''mask''] 
+  
+  
+  
+  
+  
 Matches packets with the given unsigned mark value (if a 
 mask is specified, this is logically ANDed with the mask 
 before the comparison). 
+  
+  
+  
+  
+  
 __owner__ 
+  
+  
+  
+  
+  
 This module attempts to match various characteristics of the 
 packet creator, for locally-generated packets. It is only 
 valid in the __OUTPUT__ chain, and even this some packets 
 (such as ICMP ping responses) may have no owner, and hence 
 never match. 
+  
+  
+  
+  
+  
 __--uid-owner__ ''userid'' 
+  
+  
+  
+  
+  
 Matches if the packet was created by a process with the 
 given effective user id. 
+  
+  
+  
+  
+  
 __--gid-owner__ ''groupid'' 
+  
+  
+  
+  
+  
 Matches if the packet was created by a process with the 
 given effective group id. 
+  
+  
+  
+  
+  
 __--pid-owner__ ''processid'' 
+  
+  
+  
+  
+  
 Matches if the packet was created by a process with the 
 given process id. 
+  
+  
+  
+  
+  
 __--sid-owner__ ''sessionid'' 
+  
+  
+  
+  
+  
 Matches if the packet was created by a process in the given 
 session group. 
+  
+  
+  
+  
+  
 __--cmd-owner__ ''name'' 
+  
+  
+  
+  
+  
 Matches if the packet was created by a process with the 
 given command name. (this option is present only if iptables 
 was compiled under a kernel supporting this 
 feature) 
+  
+  
+  
+  
+  
 __state__ 
+  
+  
+  
+  
+  
 This module, when combined with connection tracking, allows 
 access to the connection tracking state for this 
 packet. 
+  
+  
+  
+  
+  
 __--state__ ''state'' 
+  
+  
+  
+  
+  
 Where state is a comma separated list of the connection 
 states to match. Possible states are __INVALID__ meaning 
 that the packet is associated with no known connection, 
 __ESTABLISHED__ meaning that the packet is associated 
@@ -444,60 +1145,221 @@
 has not seen packets in both directions, and __RELATED__ 
 meaning that the packet is starting a new connection, but is 
 associated with an existing connection, such as an FTP data 
 transfer, or an ICMP error. 
+  
+  
+  
+  
+  
 __tos__ 
+  
+  
+  
+  
+  
 This module matches the 8 bits of Type of Service field in 
 the IP header (ie. including the precedence 
 bits). 
+  
+  
+  
+  
+  
 __--tos__ ''tos'' 
+  
+  
+  
+  
+  
 The argument is either a standard name, (use 
 iptables -m tos -h 
 to see the list), or a numeric value to match. 
+  
+  
+  
+  
+  
 __ah__ 
+  
+  
+  
+  
+  
 This module matches the SPIs in AH header of IPSec 
 packets. 
+  
+  
+  
+  
+  
 __--ahspi__ [[!] ''spi''[[:''spi''] 
+  
+  
+  
+  
+  
 __esp__ 
+  
+  
+  
+  
+  
 This module matches the SPIs in ESP header of IPSec 
 packets. 
+  
+  
+  
+  
+  
 __--espspi__ [[!] ''spi''[[:''spi''] 
+  
+  
+  
+  
+  
 __length__ 
+  
+  
+  
+  
+  
 This module matches the length of a packet against a 
 specific value or range of values. 
+  
+  
+  
+  
+  
 __--length__ ''length''[[:''length''] 
+  
+  
+  
+  
+  
 __ttl__ 
+  
+  
+  
+  
+  
 This module matches the time to live field in the IP 
 header. 
+  
+  
+  
+  
+  
 __--ttl__ ''ttl'' 
+  
+  
+  
+  
+  
 Matches the given TTL value. 
+  
+  
+  
+  
+  
 __owner__ 
+  
+  
+  
+  
+  
 This module attempts to match various characteristics of the 
 packet creator, for locally-generated packets. It is only 
 valid in the __OUTPUT__ chain, and even this some packets 
 (such as ICMP ping responses) may have no owner, and hence 
 never match. This is regarded as experimental. 
+  
+  
+  
+  
+  
 __--uid-owner__ ''userid'' 
+  
+  
+  
+  
+  
 Matches if the packet was created by a process with the 
 given effective user id. 
+  
+  
+  
+  
+  
 __--gid-owner__ ''groupid'' 
+  
+  
+  
+  
+  
 Matches if the packet was created by a process with the 
 given effective group id. 
+  
+  
+  
+  
+  
 __--pid-owner__ ''processid'' 
+  
+  
+  
+  
+  
 Matches if the packet was created by a process with the 
 given process id. 
+  
+  
+  
+  
+  
 __--sid-owner__ ''sessionid'' 
+  
+  
+  
+  
+  
 Matches if the packet was created by a process in the given 
 session group. 
+  
+  
+  
+  
+  
 __unclean__ 
+  
+  
+  
+  
+  
 This module takes no options, but attempts to match packets 
 which seem malformed or unusual. This is regarded as 
 experimental. 
+  
  
 !!TARGET EXTENSIONS 
+  
+  
+  
+  
+  
 iptables can use extended target modules: the following are 
 included in the standard distribution. 
+  
+  
+  
+  
+  
 __LOG__ 
+  
+  
+  
+  
+  
 Turn on kernel logging of matching packets. When this option 
 is set for a rule, the Linux kernel will print some 
 information on all matching packets (like most IP header 
 fields) via the kernel log (where it can be read with 
@@ -506,37 +1368,122 @@
 continues at the next rule. So if you want to LOG the 
 packets you refuse, use two separate rules with the same 
 matching criterias, first using target LOG then DROP (or 
 REJECT). 
+  
+  
+  
+  
+  
 __--log-level__ ''level'' 
+  
+  
+  
+  
+  
 Level of logging (numeric or see 
 ''syslog.conf''(5)). 
+  
+  
+  
+  
+  
 __--log-prefix__ ''prefix'' 
+  
+  
+  
+  
+  
 Prefix log messages with the specified prefix; up to 29 
 letters long, and useful for distinguishing messages in the 
 logs. 
+  
+  
+  
+  
+  
 __--log-tcp-sequence__ 
+  
+  
+  
+  
+  
 Log TCP sequence numbers. This is a security risk if the log 
 is readable by users. 
+  
+  
+  
+  
+  
 __--log-tcp-options__ 
+  
+  
+  
+  
+  
 Log options from the TCP packet header. 
+  
+  
+  
+  
+  
 __--log-ip-options__ 
+  
+  
+  
+  
+  
 Log options from the IP packet header. 
+  
+  
+  
+  
+  
 __MARK__ 
+  
+  
+  
+  
+  
 This is used to set the netfilter mark value associated with 
 the packet. It is only valid in the __mangle__ table. It 
 can for example be used in conjunction with 
 iproute2. 
+  
+  
+  
+  
+  
 __--set-mark__ ''mark'' 
+  
+  
+  
+  
+  
 __REJECT__ 
+  
+  
+  
+  
+  
 This is used to send back an error packet in response to the 
 matched packet: otherwise it is equivalent to __DROP__ so 
 it is a terminating TARGET, ending rule traversal. This 
 target is only valid in the __INPUT__, __FORWARD__ and 
 __OUTPUT__ chains, and user-defined chains which are only 
 called from those chains. The following option controls the 
 nature of the error packet returned: 
+  
+  
+  
+  
+  
 __--reject-with__ ''type'' 
+  
+  
+  
+  
+  
 The type given can be __icmp-net-unreachable__, 
 __icmp-host-unreachable__, __icmp-port-unreachable__, 
 __icmp-proto-unreachable__, __icmp-net-prohibited or__ 
 __icmp-host-prohibited__, which return the appropriate ICMP 
@@ -546,34 +1493,84 @@
 sent back. This is mainly useful for blocking ''ident'' 
 (113/tcp) probes which frequently occur when sending mail to 
 broken mail hosts (which won't accept your mail 
 otherwise). 
+  
+  
+  
+  
+  
 __TOS__ 
+  
+  
+  
+  
+  
 This is used to set the 8-bit Type of Service field in the 
 IP header. It is only valid in the __mangle__ 
 table. 
+  
+  
+  
+  
+  
 __--set-tos__ ''tos'' 
+  
+  
+  
+  
+  
 You can use a numeric TOS values, or use 
 iptables -j TOS -h 
 to see the list of valid TOS names. 
+  
+  
+  
+  
+  
 __MIRROR__ 
+  
+  
+  
+  
+  
 This is an experimental demonstration target which inverts 
 the source and destination fields in the IP header and 
 retransmits the packet. It is only valid in the 
 __INPUT__, __FORWARD__ and __PREROUTING__ chains, 
 and user-defined chains which are only called from those 
 chains. Note that the outgoing packets are __NOT__ seen 
 by any packet filtering chains, connection tracking or NAT, 
 to avoid loops and other problems. 
+  
+  
+  
+  
+  
 __SNAT__ 
+  
+  
+  
+  
+  
 This target is only valid in the __nat__ table, in the 
 __POSTROUTING__ chain. It specifies that the source 
 address of the packet should be modified (and all future 
 packets in this connection will also be mangled), and rules 
 should cease being examined. It takes one 
 option: 
+  
+  
+  
+  
+  
 __--to-source__ 
 ''ipaddr''[[-''ipaddr''][[:''port''-''port''] 
+  
+  
+  
+  
+  
 which can specify a single new source IP address, an 
 inclusive range of IP addresses, and optionally, a port 
 range (which is only valid if the rule also specifies __-p__ 
 __tcp__ or __-p udp__). If no port range is specified, 
@@ -581,25 +1578,55 @@
 below 512: those between 512 and 1023 inclusive will be 
 mapped to ports below 1024, and other ports will be mapped 
 to 1024 or above. Where possible, no port alteration will 
 occur. 
+  
+  
+  
+  
+  
 __DNAT__ 
+  
+  
+  
+  
+  
 This target is only valid in the __nat__ table, in the 
 __PREROUTING__ and __OUTPUT__ chains, and user-defined 
 chains which are only called from those chains. It specifies 
 that the destination address of the packet should be 
 modified (and all future packets in this connection will 
 also be mangled), and rules should cease being examined. It 
 takes one option: 
+  
+  
+  
+  
+  
 __--to-destination__ 
 ''ipaddr''[[-''ipaddr''][[:''port''-''port''] 
+  
+  
+  
+  
+  
 which can specify a single new destination IP address, an 
 inclusive range of IP addresses, and optionally, a port 
 range (which is only valid if the rule also specifies __-p__ 
 __tcp__ or __-p udp__). If no port range is specified, 
 then the destination port will never be 
 modified. 
+  
+  
+  
+  
+  
 __MASQUERADE__ 
+  
+  
+  
+  
+  
 This target is only valid in the __nat__ table, in the 
 __POSTROUTING__ chain. It should only be used with 
 dynamically assigned IP (dialup) connections: if you have a 
 static IP address, you should use the SNAT target. 
@@ -609,49 +1636,139 @@
 the interface goes down. This is the correct behavior when 
 the next dialup is unlikely to have the same interface 
 address (and hence any established connections are lost 
 anyway). It takes one option: 
+  
+  
+  
+  
+  
 __--to-ports__ ''port''[[-''port''] 
+  
+  
+  
+  
+  
 This specifies a range of source ports to use, overriding 
 the default __SNAT__ source port-selection heuristics 
 (see above). This is only valid if the rule also specifies 
 __-p tcp__ or __-p udp__. 
+  
+  
+  
+  
+  
 __REDIRECT__ 
+  
+  
+  
+  
+  
 This target is only valid in the __nat__ table, in the 
 __PREROUTING__ and __OUTPUT__ chains, and user-defined 
 chains which are only called from those chains. It alters 
 the destination IP address to send the packet to the machine 
 itself (locally-generated packets are mapped to the 
 127.0.0.1 address). It takes one option: 
+  
+  
+  
+  
+  
 __--to-ports__ ''port''[[-''port''] 
+  
+  
+  
+  
+  
 This specifies a destination port or range of ports to use: 
 without this, the destination port is never altered. This is 
 only valid if the rule also specifies __-p tcp__ or __-p__ 
 __udp__. 
+  
+  
+  
+  
+  
 __ULOG__ 
+  
+  
+  
+  
+  
 This target provides userspace logging of matching packets. 
 When this target is set for a rule, the Linux kernel will 
 multicast this packet through a ''netlink'' socket. One 
 or more userspace processes may then subscribe to various 
 multicast groups and receive the packets. 
+  
+  
+  
+  
+  
 __--ulog-nlgroup__ ''nlgroup'' 
+  
+  
+  
+  
+  
 This specifies the netlink group (1-32) to which the packet 
 is sent. Default value is 1. 
+  
+  
+  
+  
+  
 __--ulog-prefix__ ''prefix'' 
+  
+  
+  
+  
+  
 Prefix log messages with the specified prefix; up to 32 
 characters long, and useful fro distinguishing messages in 
 the logs. 
+  
+  
+  
+  
+  
 __--ulog-cprange__ ''size'' 
+  
+  
+  
+  
+  
 Number of bytes to be copied to userspace. A value of 0 
 always copies the entire packet, regardless of its size. 
 Default is 0. 
+  
+  
+  
+  
+  
 __--ulog-qthreshold__ ''size'' 
+  
+  
+  
+  
+  
 Number of packet to queue inside kernel. Setting this value 
 to, e.g. 10 accumulates ten packets inside the kernel and 
 transmits them as one netlink multipart message to 
 userspace. Default is 1 (for backwards 
 compatibility). 
+  
+  
+  
+  
+  
 __TCPMSS__ 
+  
+  
+  
+  
+  
 This target allows to alter the MSS value of TCP SYN 
 packets, to control the maximum size for that connection 
 (usually limiting it to your outgoing interface's MTU minus 
 40). Of course, it can only be used in conjunction with 
@@ -669,51 +1786,150 @@
 Workaround: activate this option and add a rule to your 
 firewall configuration like: 
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 
 -j TCPMSS --clamp-mss-to-pmtu 
+  
+  
+  
+  
+  
 __--set-mss__ ''value'' 
+  
+  
+  
+  
+  
 Explicitly set MSS option to specified value. 
+  
+  
+  
+  
+  
 __--clamp-mss-to-pmtu__ 
+  
+  
+  
+  
+  
 Automatically clamp MSS value to (path_MTU - 
 40). 
+  
+  
+  
+  
+  
 These options are mutually exclusive. 
+  
  
 !!EXTRA EXTENSIONS 
+  
+  
+  
+  
+  
 The following extensions are not included by default in the 
 standard distribution. 
+  
+  
+  
+  
+  
 __TTL__ 
+  
+  
+  
+  
+  
 This target is used to modify the time to live field in the 
 IP header. It is only valid in the __mangle__ 
 table. 
+  
+  
+  
+  
+  
 __--ttl-set__ ''ttl'' 
+  
+  
+  
+  
+  
 Set the TTL to the given value. 
+  
+  
+  
+  
+  
 __--ttl-dec__ ''ttl'' 
+  
+  
+  
+  
+  
 Decrement the TTL by the given value. 
+  
+  
+  
+  
+  
 __--ttl-inc__ ''ttl'' 
+  
+  
+  
+  
+  
 Increment the TTL by the given value. 
+  
  
 !!DIAGNOSTICS 
+  
+  
+  
+  
+  
 Various error messages are printed to standard error. The 
 exit code is 0 for correct functioning. Errors which appear 
 to be caused by invalid or abused command line parameters 
 cause an exit code of 2, and other errors cause an exit code 
 of 1. 
+  
  
 !!BUGS 
+  
+  
+  
+  
+  
 Check is not implemented (yet). 
+  
  
 !!COMPATIBILITY WITH IPCHAINS 
+  
+  
+  
+  
+  
 This __iptables__ is very similar to ipchains by Rusty 
 Russell. The main difference is that the chains __INPUT__ 
 and __OUTPUT__ are only traversed for packets coming into 
 the local host and originating from the local host 
 respectively. Hence every packet only passes through one of 
 the three chains; previously a forwarded packet would pass 
 through all three. 
+  
+  
+  
+  
+  
 The other main difference is that __-i__ refers to the 
 input interface; __-o__ refers to the output interface, 
 and both are available for packets entering the 
 __FORWARD__ chain. 
+  
+  
+  
+  
+  
 __iptables__ is a pure packet filter when using the 
 default `filter' table, with optional extension modules. 
 This should simplify much of the previous confusion over the 
 combination of IP masquerading and packet filtering seen 
@@ -722,29 +1938,71 @@
 -j MASQ 
 -M -S 
 -M -L 
 There are several other changes in iptables. 
+  
  
 !!SEE ALSO 
+  
+  
+  
+  
+  
 The packet-filtering-HOWTO, which details more iptables 
 usage for packet filtering, the NAT-HOWTO, which details 
 NAT, and the netfilter-hacking-HOWTO which details the 
 internals. 
 See __http://www.netfilter.org/__. 
+  
  
 !!AUTHORS 
+  
+  
+  
+  
+  
 Rusty Russell wrote iptables, in early consultation with 
 Michael Neuling. 
+  
+  
+  
+  
+  
 Marc Boucher made Rusty abandon ipnatctl by lobbying for a 
 generic packet selection framework in iptables, then wrote 
 the mangle table, the owner match, the mark stuff, and ran 
 around doing cool stuff everywhere. 
+  
+  
+  
+  
+  
 James Morris wrote the TOS target, and tos 
 match. 
+  
+  
+  
+  
+  
 Jozsef Kadlecsik wrote the REJECT target. 
+  
+  
+  
+  
+  
 Harald Welte wrote the ULOG target, TTL match+target and 
 libipulog. 
+  
+  
+  
+  
+  
 The Netfilter Core Team is: Marc Boucher, Jozsef Kadlecsik, 
 James Morris, Harald Welte and Rusty Russell. 
+  
+  
+  
+  
+  
 Man page written by Herve Eychenne 
 <rv@wallfire.org>. 
 ---- 
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.