.TH IPTABLES 8 "Mar 09, 2002" "" ""
.\"
.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
.\" It is based on the ipchains page.
.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
.\"
.\" ipchains page by Paul ``Rusty'' Russell March 1997
.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
.SH NAME
iptables \- administration tool for IPv4 packet filtering and NAT
.SH SYNOPSIS
.BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
.br
.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
.br
.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]"
.br
.BR "iptables [-t table] -D " "chain rulenum [options]"
.br
.BR "iptables [-t table] -[LFZ] " "[chain] [options]"
.br
.BR "iptables [-t table] -N " "chain"
.br
.BR "iptables [-t table] -X " "[chain]"
.br
.BR "iptables [-t table] -P " "chain target [options]"
.br
.BR "iptables [-t table] -E " "old-chain-name new-chain-name"
.SH DESCRIPTION
.B Iptables
is used to set up, maintain, and inspect the tables of IP packet
filter rules in the Linux kernel. Several different tables
may be defined. Each table contains a number of built-in
chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each
rule specifies what to do with a packet that matches. This is called
a `target', which may be a jump to a user-defined chain in the same
table.

.SH TARGETS
A firewall rule specifies criteria for a packet, and a target. If the
packet does not match, the next rule in the chain is examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain or one of the
special values
.IR ACCEPT ,
.IR DROP ,
.IR QUEUE ,
or
.IR RETURN .
.PP
.I ACCEPT
means to let the packet through.
.I DROP
means to silently discard the packet; no reply of any kind is sent to
the sender.
.I QUEUE
means to pass the packet to userspace (if supported by the kernel).
.I RETURN
means stop traversing this chain and resume at the next rule in the
previous (calling) chain. If the end of a built-in chain is reached
or a rule in a built-in chain with target
.I RETURN
is matched, the target specified by the chain policy determines the
fate of the packet.
.SH TABLES
There are currently three independent tables (which tables are present
at any time depends on the kernel configuration options and which
modules are present).
.TP
.BI "-t, --table " "table"
This option specifies the packet matching table which the command
should operate on. If the kernel is configured with automatic module
loading, an attempt will be made to load the appropriate module for
that table if it is not already there.

The tables are as follows:
.RS
.TP .4i
.BR "filter" :
This is the default table (if no -t option is passed). It contains
the built-in chains
.B INPUT
(for packets coming into the box itself),
.B FORWARD
(for packets being routed through the box), and
.B OUTPUT
(for locally-generated packets).
.TP
.BR "nat" :
This table is consulted when a packet that creates a new
connection is encountered. It consists of three built-in chains:
.B PREROUTING
(for altering packets as soon as they come in),
.B OUTPUT
(for altering locally-generated packets before routing), and
.B POSTROUTING
(for altering packets as they are about to go out).
.TP
.BR "mangle" :
This table is used for specialized packet alteration. Until kernel
2.4.17 it had two built-in chains:
.B PREROUTING
(for altering incoming packets before routing) and
.B OUTPUT
(for altering locally-generated packets before routing).
Since kernel 2.4.18, three other built-in chains are also supported:
.B INPUT
(for packets coming into the box itself),
.B FORWARD
(for altering packets being routed through the box), and
.B POSTROUTING
(for altering packets as they are about to go out).
.RE
.SH OPTIONS
The options that are recognized by
.B iptables
can be divided into several different groups.
.SS COMMANDS
These options specify the action to perform. Only one of them
can be given on the command line unless otherwise noted
below. For all the long versions of the command and option names, you
need to use only enough letters to ensure that
.B iptables
can differentiate it from all other options.
.TP
.BI "-A, --append " "chain rule-specification"
Append one or more rules to the end of the selected chain.
When the source and/or destination names resolve to more than one
address, a rule will be added for each possible address combination.
.TP
.BI "-D, --delete " "chain rule-specification"
.ns
.TP
.BI "-D, --delete " "chain rulenum"
Delete one or more rules from the selected chain. There are two
versions of this command: the rule can be specified as a number in the
chain (starting at 1 for the first rule) or as a rule to match.
.TP
.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP"
Insert one or more rules in the selected chain as the given rule
number. So, if the rule number is 1, the rule or rules are inserted
at the head of the chain. This is also the default if no rule number
is specified.
.TP
.BI "-R, --replace " "chain rulenum rule-specification"
Replace a rule in the selected chain. If the source and/or
destination names resolve to multiple addresses, the command will
fail. Rules are numbered starting at 1.
.TP
.BR "-L, --list " "[\fIchain\fP]"
List all rules in the selected chain. If no chain is selected, all
chains are listed. Like every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
.nf
iptables -t nat -n -L
.fi
Please note that it is often used with the
.B -n
option, in order to avoid long reverse DNS lookups.
It is legal to specify the
.B -Z
(zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other
arguments given. Details such as interface names and match options
are not shown until you use
.nf
iptables -L -v
.fi
.TP
.BR "-F, --flush " "[\fIchain\fP]"
Flush the selected chain (all the chains in the table if none is given).
This is equivalent to deleting all the rules one by one. Flushing does
not change the chain policy.
.TP
.BR "-Z, --zero " "[\fIchain\fP]"
Zero the packet and byte counters in the selected chain (all the chains
in the table if none is given). It is legal to
specify the
.B "-L, --list"
(list) option as well, to see the counters immediately before they are
cleared. (See above.)
.TP
.BI "-N, --new-chain " "chain"
Create a new user-defined chain by the given name. There must be no
target of that name already.
.TP
.BR "-X, --delete-chain " "[\fIchain\fP]"
Delete the specified user-defined chain. There must be no references
to the chain. If there are, you must delete or replace the referring
rules before the chain can be deleted. If no argument is given, it
will attempt to delete every non-builtin chain in the table.
.TP
.BI "-P, --policy " "chain target"
Set the policy for the chain to the given target. See the section
.B TARGETS
for the legal targets. Only built-in (non-user-defined) chains can have
policies, and neither built-in nor user-defined chains can be policy
targets.
.TP
.BI "-E, --rename-chain " "old-chain new-chain"
Rename the user specified chain to the user supplied name. This is
cosmetic, and has no effect on the structure of the table.
.TP
.B -h
Help.
Give a (currently very brief) description of the command syntax.
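.PP
The following script is a worked example added here; it is not part of
the iptables man page or sources. It ties the TARGETS, TABLES and
COMMANDS sections together by building a default-deny INPUT chain
around a user-defined chain with the commands above, and shows why the
order of -P, -F and -X matters. The chain and interface names (SERVICES,
eth1), the ports and the blocked host 192.0.2.66 are assumptions for
illustration. The IPT variable defaults to iptables; setting it to
"echo" prints the commands instead of applying them (applying requires
root).

```shell
#!/bin/sh
# Added example, not from the iptables sources: default-deny INPUT built
# around a user-defined chain.  Chain/interface names, ports and the
# blocked host are assumptions.  IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
CHAIN=SERVICES          # user-defined chain holding the allowed services
LAN_IF=eth1             # interface the services are offered on

fw_reset() {
    # Policies first: if the script dies half-way the box is closed, not
    # open.  (A remote SSH session is cut off here until fw_build runs.)
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # -X refuses to delete a chain that is still referenced by a rule, so
    # flush (-F) every chain in the table before deleting user chains.
    $IPT -t filter -F
    $IPT -t filter -X
}

fw_build() {
    $IPT -N "$CHAIN"
    # ACCEPT decides the packet's fate immediately: traversal stops here.
    $IPT -A "$CHAIN" -p tcp --dport 22 -j ACCEPT
    $IPT -A "$CHAIN" -p tcp --dport 443 -j ACCEPT
    # RETURN hands the packet back to the rule after the jump in INPUT.
    $IPT -A "$CHAIN" -j RETURN
    # Built-in INPUT: loopback, then everything on the LAN goes to SERVICES.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j "$CHAIN"
    # Nothing follows the jump, so a RETURNed packet falls off the end of
    # INPUT and the DROP policy set in fw_reset decides its fate.
    # -I with no rule number inserts at position 1: a kill-switch for one
    # host goes in front of every rule above without renumbering them.
    $IPT -I INPUT -s 192.0.2.66 -j DROP    # 192.0.2.0/24 is documentation space
}

fw_apply() {
    fw_reset
    fw_build
}

# Uncomment to apply for real (needs root, and console access):
# fw_apply
```

Note that nothing in the user-defined chain needs its own DROP: a packet
that matches no service rule is returned to INPUT and the chain policy
drops it, which is what makes the policy, not the last rule, the place
to look when auditing a ruleset.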
.SS PARAMETERS
The following parameters make up a rule specification (as used in the
append, delete, insert and replace commands).
.TP
.BR "-p, --protocol " "[!] \fIprotocol\fP"
The protocol of the rule or of the packet to check.
The specified protocol can be one of
.IR tcp ,
.IR udp ,
.IR icmp ,
or
.IR all ,
or it can be a numeric value, representing one of these protocols or a
different one. A protocol name from /etc/protocols is also allowed.
A "!" argument before the protocol inverts the
test. The number zero is equivalent to
.IR all .
Protocol
.I all
will match with all protocols and is taken as default when this
option is omitted.
.TP
.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
Source specification.
.I Address
can be either a network name, a hostname (please note that specifying
any name to be resolved with a remote query such as DNS is a really bad
idea: the name is resolved once, when the rule is loaded, so the rule
depends on an answer the firewall does not control),
a network IP address (with /mask), or a plain IP address.
The
.I mask
can be either a network mask or a plain number,
specifying the number of 1's at the left side of the network mask.
Thus, a mask of
.I 24
is equivalent to
.IR 255.255.255.0 .
A "!" argument before the address specification inverts the sense of
the address. The flag
.B --src
is an alias for this option.
.TP
.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
Destination specification.
See the description of the
.B -s
(source) flag for a detailed description of the syntax. The flag
.B --dst
is an alias for this option.
.TP
.BI "-j, --jump " "target"
This specifies the target of the rule; i.e., what to do if the packet
matches it. The target can be a user-defined chain (other than the
one this rule is in), one of the special builtin targets which decide
the fate of the packet immediately, or an extension (see
.B EXTENSIONS
below). If this
option is omitted in a rule, then matching the rule will have no
effect on the packet's fate, but the counters on the rule will be
incremented.
.TP
.BR "-i, --in-interface " "[!] \fIname\fP"
Name of an interface via which a packet is going to be received (only for
packets entering the
.BR INPUT ,
.B FORWARD
and
.B PREROUTING
chains). When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option is
omitted, any interface name will match.
.TP
.BR "-o, --out-interface " "[!] \fIname\fP"
Name of an interface via which a packet is going to be sent (for packets
entering the
.BR FORWARD ,
.B OUTPUT
and
.B POSTROUTING
chains). When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option is
omitted, any interface name will match.
.TP
.B "[!] " "-f, --fragment"
This means that the rule only refers to second and further fragments
of fragmented packets. Since there is no way to tell the source or
destination ports of such a packet (or ICMP type), such a packet will
not match any rules which specify them. When the "!" argument
precedes the "-f" flag, the rule will only match head fragments, or
unfragmented packets.
.TP
.BI "-c, --set-counters " "PKTS BYTES"
This enables the administrator to initialize the packet and byte
counters of a rule (during
.B INSERT,
.B APPEND,
.B REPLACE
operations).
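.PP
A worked example for the parameters above, added here and not taken
from the iptables sources: ingress anti-spoofing rules that use -s with
both mask notations, the "!" inversion, the "+" interface wildcard with
-i and -o, and -f for non-first fragments. The interface names (ppp0,
eth1) and the internal network 10.0.0.0/8 are assumptions; the
prefix_to_mask helper is written here to show that a prefix length and
a dotted mask are interchangeable, as the text states. IPT defaults to
iptables and can be set to "echo" for a dry run.

```shell
#!/bin/sh
# Added example, not from the iptables sources: ingress anti-spoofing
# built from -s, !, -i, -o, "+" and -f.  Interface names and the internal
# network are assumptions for illustration.  IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
WAN_IF=ppp0            # external link
LAN_IF=eth1            # internal interface
LAN_NET=10.0.0.0       # internal network address...
LAN_BITS=8             # ...and its prefix length

# Turn a prefix length (0-32) into the dotted mask that iptables accepts
# just as well: 24 gives 255.255.255.0, 12 gives 255.240.0.0.
prefix_to_mask() {
    bits=$1
    if [ "$bits" -eq 0 ]; then
        m=0
    else
        m=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

fw_antispoof() {
    # Private (RFC 1918) and loopback sources must never arrive on the
    # external interface: they are forged or leaked, never legitimate.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT   -i "$WAN_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done
    # Inverted source match: anything entering on the LAN interface that
    # is not from our own network is spoofed.  Written with a dotted mask;
    # "$LAN_NET/$LAN_BITS" selects exactly the same packets.
    $IPT -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET/$(prefix_to_mask "$LAN_BITS")" -j DROP
    # "ppp+" matches ppp0, ppp1, ...: never forward from one PPP link
    # straight out another, whatever the numbering.
    $IPT -A FORWARD -i ppp+ -o ppp+ -j DROP
    # Second and further fragments carry no ports or ICMP type, so port
    # rules never see them.  Decide their fate explicitly, not by accident.
    $IPT -A INPUT -i "$WAN_IF" -f -j DROP
}

# Uncomment to apply for real (needs root):
# fw_antispoof
```

Because these rules only inspect addresses and interfaces, they belong
at the top of the chain, before any rule that matches on ports: a
spoofed packet must never reach a rule that could accept it.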
.SS "OTHER OPTIONS"
The following additional options can be specified:
.TP
.B "-v, --verbose"
Verbose output. This option makes the list command show the interface
name, the rule options (if any), and the TOS masks. The packet and
byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
the
.B -x
flag to change this).
For appending, insertion, deletion and replacement, this causes
detailed information on the rule or rules to be printed.
.TP
.B "-n, --numeric"
Numeric output.
IP addresses and port numbers will be printed in numeric format.
By default, the program will try to display them as host names,
network names, or services (whenever applicable).
.TP
.B "-x, --exact"
Expand numbers.
Display the exact value of the packet and byte counters,
instead of only the rounded number in K's (multiples of 1000)
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the
.B -L
command.
.TP
.B "--line-numbers"
When listing rules, add line numbers to the beginning of each rule,
corresponding to that rule's position in the chain.
.TP
.B "--modprobe=command"
When adding or inserting rules into a chain, use
.B command
to load any necessary modules (targets, match extensions, etc).
.SH MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded
in two ways: implicitly, when
.B -p
or
.B --protocol
is specified, or with the
.B -m
or
.B --match
options, followed by the matching module name; after these, various
extra command line options become available, depending on the specific
module. You can specify multiple extended match modules in one line,
and you can use the
.B -h
or
.B --help
options after the module has been specified to receive help specific
to that module.

The following are included in the base package, and most of these can
be preceded by a
.B !
to invert the sense of the match.
.SS ah
This module matches the SPIs in the AH header of IPsec packets.
.TP
.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
.SS conntrack
This module, when combined with connection tracking, allows access to
more connection tracking information than the "state" match.
(This module is only present if iptables was compiled against a kernel
supporting this feature.)
.TP
.BI "--ctstate " "state"
Where state is a comma separated list of the connection states to
match. Possible states are
.B INVALID
meaning that the packet could not be associated with any known connection,
.B ESTABLISHED
meaning that the packet is associated with a connection which has seen
packets in both directions,
.B NEW
meaning that the packet has started a new connection, or is otherwise
associated with a connection which has not seen packets in both
directions, and
.B RELATED
meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer,
or an ICMP error.
.B SNAT
A virtual state, matching if the original source address differs from
the reply destination.
.B DNAT
A virtual state, matching if the original destination differs from the
reply source.
.TP
.BI "--ctproto " "proto"
Protocol to match (by number or name)
.TP
.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
Match against original source address
.TP
.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
Match against original destination address
.TP
.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
Match against reply source address
.TP
.BI "--ctrepldst " "[!] \fIaddress\fP[/\fImask\fP]"
Match against reply destination address
.TP
.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
Match against internal conntrack states
.TP
.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
Match remaining lifetime in seconds against given value
or range of values (inclusive)
.SS dscp
This module matches the 6 bit DSCP field within the TOS field in the
IP header. DSCP has superseded TOS within the IETF.
.TP
.BI "--dscp " "value"
Match against a numeric (decimal or hex) value [0-63].
.TP
.BI "--dscp-class " "\fIDiffServ Class\fP"
Match the DiffServ class. This value may be any of the
BE, EF, AFxx or CSx classes. It will then be converted
into its corresponding numeric value.
.SS esp
This module matches the SPIs in the ESP header of IPsec packets.
.TP
.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
.SS helper
This module matches packets related to a specific conntrack-helper.
.TP
.BI "--helper " "string"
Matches packets related to the specified conntrack-helper.
.RS
.PP
string can be "ftp" for packets related to an FTP session on the default port.
For other ports, append -portnr to the value, e.g. "ftp-2121".
.PP
The same rules apply to other conntrack-helpers.
.RE
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 462 | .SS icmp |
| 463 | This extension is loaded if `--protocol icmp' is specified. It |
| 464 | provides the following option: |
| 465 | .TP |
| 466 | .BR "--icmp-type " "[!] \fItypename\fP" |
| 467 | This allows specification of the ICMP type, which can be a numeric |
| 468 | ICMP type, or one of the ICMP type names shown by the command |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 469 | .nf |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 470 | iptables -p icmp -h |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 471 | .fi |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 472 | .SS length |
| 473 | This module matches the length of a packet against a specific value |
| 474 | or range of values. |
| 475 | .TP |
| 476 | .BR "--length " "\fIlength\fP[:\fIlength\fP]" |
| 477 | .SS limit |
| 478 | This module matches at a limited rate using a token bucket filter. |
| 479 | A rule using this extension will match until this limit is reached |
| 480 | (unless the `!' flag is used). It can be used in combination with the |
| 481 | .B LOG |
| 482 | target to give limited logging, for example. |
| 483 | .TP |
| 484 | .BI "--limit " "rate" |
| 485 | Maximum average matching rate: specified as a number, with an optional |
| 486 | `/second', `/minute', `/hour', or `/day' suffix; the default is |
| 487 | 3/hour. |
| 488 | .TP |
| 489 | .BI "--limit-burst " "number" |
| 490 | Maximum initial number of packets to match: this number gets |
| 491 | recharged by one every time the limit specified above is not reached, |
| 492 | up to this number; the default is 5. |
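A token-bucket model of the limit match described above, written for this page as an added example (it is not netfilter code). It uses the man page's defaults of 3/hour and burst 5; the per-second default for a bare number and the continuous refill are this model's assumptions about the kernel's behaviour.

```python
"""Token-bucket model of the iptables limit match (added example; not
netfilter code). A rule with `-m limit --limit RATE --limit-burst N`
starts with N tokens, refills at RATE up to N, and matches a packet only
while a token is available: an initial burst of N packets matches and
afterwards packets match only at the average rate."""

# Seconds per unit for the suffixes --limit accepts.
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(rate: str) -> float:
    """Convert '3/hour' or '10/minute' into matches per second.
    A bare number is taken as per second (assumed default unit)."""
    num, _, unit = rate.partition("/")
    if unit and unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown rate unit: {unit!r}")
    return float(num) / (_UNIT_SECONDS[unit] if unit else 1)


class LimitMatch:
    """One rule's bucket state. Defaults are the man page's: 3/hour, burst 5."""

    def __init__(self, rate: str = "3/hour", burst: int = 5, invert: bool = False):
        if burst < 1:
            raise ValueError("--limit-burst must be at least 1")
        self.per_second = parse_rate(rate)
        self.burst = burst
        self.invert = invert          # the `!' flag: match only once the limit is exceeded
        self.tokens = float(burst)    # bucket starts full
        self.last = 0.0               # arrival time of the previous packet (seconds)

    def matches(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` matches the rule."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        # Recharge at the average rate, never above the burst size.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.per_second)
        matched = self.tokens >= 1.0
        if matched:
            self.tokens -= 1.0
        return matched != self.invert


def simulate(rule: LimitMatch, arrivals) -> list:
    """Feed packet arrival times (seconds, ascending) through the rule."""
    return [rule.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed arrival times: a 6-packet burst, then two packets ~20 minutes later.
    rule = LimitMatch()   # defaults: 3/hour, burst 5
    print(simulate(rule, [0, 1, 2, 3, 4, 5, 1300, 1301]))
```

With the defaults, the first five packets match, the sixth does not, and one more token has accumulated after twenty minutes at 3/hour; pairing the rule with LOG before a DROP rule keeps the log volume bounded the same way.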
.SS mac
.TP
.BR "--mac-source " "[!] \fIaddress\fP"
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
Note that this only makes sense for packets coming from an Ethernet device
and entering the
.BR PREROUTING ,
.B FORWARD
or
.B INPUT
chains.
.SS mark
This module matches the netfilter mark field associated with a packet
(which can be set using the
.B MARK
target below).
.TP
.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
Matches packets with the given unsigned mark value (if a mask is
specified, this is logically ANDed with the mask before the
comparison).
.SS multiport
This module matches a set of source or destination ports. Up to 15
ports can be specified. It can only be used in conjunction with
.B "-p tcp"
or
.BR "-p udp" .
.TP
.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
Match if the source port is one of the given ports. The flag
.B --sports
is a convenient alias for this option.
.TP
.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
Match if the destination port is one of the given ports. The flag
.B --dports
is a convenient alias for this option.
.TP
.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
Match if both the source and destination ports are equal to each
other and to one of the given ports.
.SS owner
This module attempts to match various characteristics of the packet
creator, for locally-generated packets. It is only valid in the
.B OUTPUT
chain, and even there some packets (such as ICMP ping responses) may
have no owner, and hence never match.
.TP
.BI "--uid-owner " "userid"
Matches if the packet was created by a process with the given
effective user id.
.TP
.BI "--gid-owner " "groupid"
Matches if the packet was created by a process with the given
effective group id.
.TP
.BI "--pid-owner " "processid"
Matches if the packet was created by a process with the given
process id.
.TP
.BI "--sid-owner " "sessionid"
Matches if the packet was created by a process in the given session
group.
.TP
.BI "--cmd-owner " "name"
Matches if the packet was created by a process with the given command name.
(This option is present only if iptables was compiled under a kernel
supporting this feature.)
.SS physdev
This module matches on the bridge port input and output devices enslaved
to a bridge device. This module is a part of the infrastructure that enables
a transparent bridging IP firewall and is only useful for kernel versions
above version 2.5.44.
.TP
.B --physdev-in name
Name of a bridge port via which a packet is received (only for
packets entering the
.BR INPUT ,
.B FORWARD
and
.B PREROUTING
chains). If the interface name ends in a "+", then any
interface which begins with this name will match. If the packet didn't arrive
through a bridge device, this packet won't match this option, unless '!' is used.
.TP
.B --physdev-out name
Name of a bridge port via which a packet is going to be sent (for packets
entering the
.BR FORWARD ,
.B OUTPUT
and
.B POSTROUTING
chains). If the interface name ends in a "+", then any
interface which begins with this name will match. Note that in the
.BR nat " and " mangle
.B OUTPUT
chains one cannot match on the bridge output port, however one can in the
.B "filter OUTPUT"
chain. If the packet won't leave by a bridge device or it is yet unknown what
the output device will be, then the packet won't match this option, unless
'!' is used.
.TP
.B --physdev-is-in
Matches if the packet has entered through a bridge interface.
.TP
.B --physdev-is-out
Matches if the packet will leave through a bridge interface.
.TP
.B --physdev-is-bridged
Matches if the packet is being bridged and therefore is not being routed.
This is only useful in the FORWARD and POSTROUTING chains.
.SS pkttype
This module matches the link-layer packet type.
.TP
.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
.SS state
This module, when combined with connection tracking, allows access to
the connection tracking state for this packet.
.TP
.BI "--state " "state"
Where state is a comma separated list of the connection states to
match. Possible states are
.B INVALID
meaning that the packet could not be identified for some reason which
includes running out of memory and ICMP errors which don't correspond to any
known connection,
.B ESTABLISHED
meaning that the packet is associated with a connection which has seen
packets in both directions,
.B NEW
meaning that the packet has started a new connection, or otherwise
associated with a connection which has not seen packets in both
directions, and
.B RELATED
meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer,
or an ICMP error.
.SS tcp
This extension is loaded if `--protocol tcp' is specified. It
provides the following options:
.TP
.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format
.IR port : port .
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
If the second port is greater than the first, they will be swapped.
The flag
.B --sport
is a convenient alias for this option.
.TP
.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
Destination port or port range specification. The flag
.B --dport
is a convenient alias for this option.
.TP
.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
Match when the TCP flags are as specified. The first argument is the
flags which we should examine, written as a comma-separated list, and
the second argument is a comma-separated list of flags which must be
set. Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.nf
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
.fi
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
.TP
.B "[!] --syn"
Only match TCP packets with the SYN bit set and the ACK and RST bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected.
It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
If the "!" flag precedes the "--syn", the sense of the
option is inverted.
.TP
.BR "--tcp-option " "[!] \fInumber\fP"
Match if the given TCP option is set.
.TP
.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
which controls the maximum packet size for that connection.
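The mask/comp evaluation of --tcp-flags and the --syn equivalence above, as an added example written for this page (not iptables code); the flag bit values are the standard TCP header bits, and the sample flag bytes are constructed.

```python
"""Model of the tcp match's `[!] --tcp-flags mask comp` and `[!] --syn`
options (added example; not iptables code). Flags named in mask are
examined; of those, the ones named in comp must be set and the others
clear; flags outside mask are ignored."""

# Bit values of the six flags in the TCP header's flag byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())


def parse_flag_list(spec: str) -> int:
    """Turn a comma-separated list such as 'SYN,ACK', 'ALL' or 'NONE' into a bitmask."""
    bits = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name == "NONE":
            continue
        elif name in TCP_FLAGS:
            bits |= TCP_FLAGS[name]
        else:
            raise ValueError(f"unknown TCP flag: {name!r}")
    return bits


def tcp_flags_match(packet_flags: int, mask: str, comp: str, invert: bool = False) -> bool:
    """Evaluate `[!] --tcp-flags mask comp` against a packet's flag byte."""
    m, c = parse_flag_list(mask), parse_flag_list(comp)
    # A flag required by comp but not examined by mask can never be satisfied,
    # so this model rejects such a spec instead of building a rule that never matches.
    if c & ~m:
        raise ValueError("comp names flags that are not in mask")
    return ((packet_flags & m) == c) != invert


def syn_match(packet_flags: int, invert: bool = False) -> bool:
    """`[!] --syn`, defined above as equivalent to --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN", invert)


def flags_to_str(packet_flags: int) -> str:
    """Human-readable form of a flag byte, e.g. 0x12 -> 'SYN,ACK'."""
    names = [n for n, b in TCP_FLAGS.items() if packet_flags & b]
    return ",".join(names) if names else "NONE"


# Constructed sample flag bytes.
SAMPLES = {
    "connection request": TCP_FLAGS["SYN"],
    "SYN/ACK reply": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "data segment": TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],
    "SYN+FIN (never valid)": TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"],
    "no flags (never valid)": 0,
}

if __name__ == "__main__":
    for label, bits in SAMPLES.items():
        print(f"{label:24} {flags_to_str(bits):10} "
              f"FORWARD example: {tcp_flags_match(bits, 'SYN,ACK,FIN,RST', 'SYN')!s:5} "
              f"--syn: {syn_match(bits)}")
```

Note that the FORWARD example from the page also excludes FIN, whereas --syn leaves FIN unexamined, so a malformed SYN+FIN segment satisfies --syn but not the longer mask.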
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 680 | .SS tos |
| 681 | This module matches the 8 bits of Type of Service field in the IP |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 682 | header (ie. including the precedence bits). |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 683 | .TP |
Bert Hubert | 20ecf7a | 2000-03-24 01:56:37 +0000 | [diff] [blame] | 684 | .BI "--tos " "tos" |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 685 | The argument is either a standard name, (use |
| 686 | .br |
| 687 | iptables -m tos -h |
| 688 | .br |
| 689 | to see the list), or a numeric value to match. |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 690 | .SS ttl |
| 691 | This module matches the time to live field in the IP header. |
| 692 | .TP |
| 693 | .BI "--ttl " "ttl" |
| 694 | Matches the given TTL value. |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 695 | .SS udp |
| 696 | These extensions are loaded if `--protocol udp' is specified. It |
| 697 | provides the following options: |
| 698 | .TP |
| 699 | .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" |
| 700 | Source port or port range specification. |
| 701 | See the description of the |
| 702 | .B --source-port |
| 703 | option of the TCP extension for details. |
| 704 | .TP |
| 705 | .BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" |
| 706 | Destination port or port range specification. |
| 707 | See the description of the |
| 708 | .B --destination-port |
| 709 | option of the TCP extension for details. |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 710 | .SS unclean |
| 711 | This module takes no options, but attempts to match packets which seem |
| 712 | malformed or unusual. This is regarded as experimental. |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 713 | .SH TARGET EXTENSIONS |
| 714 | iptables can use extended target modules: the following are included |
| 715 | in the standard distribution. |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 716 | .SS DNAT |
| 717 | This target is only valid in the |
| 718 | .B nat |
| 719 | table, in the |
| 720 | .B PREROUTING |
| 721 | and |
| 722 | .B OUTPUT |
| 723 | chains, and user-defined chains which are only called from those |
| 724 | chains. It specifies that the destination address of the packet |
| 725 | should be modified (and all future packets in this connection will |
| 726 | also be mangled), and rules should cease being examined. It takes one |
| 727 | type of option: |
| 728 | .TP |
| 729 | .BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" |
| 730 | which can specify a single new destination IP address, an inclusive |
| 731 | range of IP addresses, and optionally, a port range (which is only |
| 732 | valid if the rule also specifies |
| 733 | .B "-p tcp" |
| 734 | or |
| 735 | .BR "-p udp" ). |
| 736 | If no port range is specified, then the destination port will never be |
| 737 | modified. |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 738 | .RS |
| 739 | .PP |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 740 | You can add several --to-destination options. If you specify more |
| 741 | than one destination address, either via an address range or multiple |
| 742 | --to-destination options, a simple round-robin (one after another in |
| 743 | cycle) load balancing takes place between these adresses. |
| 744 | .SS DSCP |
| 745 | This target allows to alter the value of the DSCP bits within the TOS |
| 746 | header of the IPv4 packet. As this manipulates a packet, it can only |
| 747 | be used in the mangle table. |
| 748 | .TP |
| 749 | .BI "--set-dscp " "value" |
| 750 | Set the DSCP field to a numerical value (can be decimal or hex) |
| 751 | .TP |
| 752 | .BI "--set-dscp-class " "class" |
| 753 | Set the DSCP field to a DiffServ class. |
| 754 | .SS ECN |
| 755 | This target allows to selectively work around known ECN blackholes. |
| 756 | It can only be used in the mangle table. |
| 757 | .TP |
| 758 | .BI "--ecn-tcp-remove" |
| 759 | Remove all ECN bits from the TCP header. Of course, it can only be used |
| 760 | in conjunction with |
| 761 | .BR "-p tcp" . |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 762 | .SS LOG |
| 763 | Turn on kernel logging of matching packets. When this option is set |
| 764 | for a rule, the Linux kernel will print some information on all |
Rusty Russell | 363112d | 2000-08-11 13:49:26 +0000 | [diff] [blame] | 765 | matching packets (like most IP header fields) via the kernel log |
| 766 | (where it can be read with |
| 767 | .I dmesg |
| 768 | or |
| 769 | .IR syslogd (8)). |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 770 | This is a "non-terminating target", i.e. rule traversal continues at |
| 771 | the next rule. So if you want to LOG the packets you refuse, use two |
Hervé Eychenne | e644cb0 | 2002-06-22 18:23:48 +0000 | [diff] [blame] | 772 | separate rules with the same matching criteria, first using target LOG |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 773 | then DROP (or REJECT). |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 774 | .TP |
| 775 | .BI "--log-level " "level" |
| 776 | Level of logging (numeric or see \fIsyslog.conf\fP(5)). |
| 777 | .TP |
| 778 | .BI "--log-prefix " "prefix" |
Rusty Russell | f81427e | 2000-09-13 04:20:38 +0000 | [diff] [blame] | 779 | Prefix log messages with the specified prefix; up to 29 letters long, |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 780 | and useful for distinguishing messages in the logs. |
| 781 | .TP |
| 782 | .B --log-tcp-sequence |
| 783 | Log TCP sequence numbers. This is a security risk if the log is |
| 784 | readable by users. |
| 785 | .TP |
| 786 | .B --log-tcp-options |
| 787 | Log options from the TCP packet header. |
| 788 | .TP |
| 789 | .B --log-ip-options |
| 790 | Log options from the IP packet header. |
| 791 | .SS MARK |
| 792 | This is used to set the netfilter mark value associated with the |
| 793 | packet. It is only valid in the |
| 794 | .B mangle |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 795 | table. It can for example be used in conjunction with iproute2. |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 796 | .TP |
Bert Hubert | 20ecf7a | 2000-03-24 01:56:37 +0000 | [diff] [blame] | 797 | .BI "--set-mark " "mark" |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 798 | .SS MASQUERADE |
| 799 | This target is only valid in the |
| 800 | .B nat |
| 801 | table, in the |
| 802 | .B POSTROUTING |
| 803 | chain. It should only be used with dynamically assigned IP (dialup) |
| 804 | connections: if you have a static IP address, you should use the SNAT |
| 805 | target. Masquerading is equivalent to specifying a mapping to the IP |
| 806 | address of the interface the packet is going out, but also has the |
| 807 | effect that connections are |
| 808 | .I forgotten |
| 809 | when the interface goes down. This is the correct behavior when the |
| 810 | next dialup is unlikely to have the same interface address (and hence |
| 811 | any established connections are lost anyway). It takes one option: |
| 812 | .TP |
| 813 | .BR "--to-ports " "\fIport\fP[-\fIport\fP]" |
| 814 | This specifies a range of source ports to use, overriding the default |
| 815 | .B SNAT |
| 816 | source port-selection heuristics (see above). This is only valid |
| 817 | if the rule also specifies |
| 818 | .B "-p tcp" |
| 819 | or |
| 820 | .BR "-p udp" . |
| 821 | .SS MIRROR |
| 822 | This is an experimental demonstration target which inverts the source |
| 823 | and destination fields in the IP header and retransmits the packet. |
| 824 | It is only valid in the |
| 825 | .BR INPUT , |
| 826 | .B FORWARD |
| 827 | and |
| 828 | .B PREROUTING |
| 829 | chains, and user-defined chains which are only called from those |
| 830 | chains. Note that the outgoing packets are |
| 831 | .B NOT |
| 832 | seen by any packet filtering chains, connection tracking or NAT, to |
| 833 | avoid loops and other problems. |
| 834 | .SS REDIRECT |
| 835 | This target is only valid in the |
| 836 | .B nat |
| 837 | table, in the |
| 838 | .B PREROUTING |
| 839 | and |
| 840 | .B OUTPUT |
| 841 | chains, and user-defined chains which are only called from those |
| 842 | chains. It alters the destination IP address to send the packet to |
| 843 | the machine itself (locally-generated packets are mapped to the |
| 844 | 127.0.0.1 address). It takes one option: |
| 845 | .TP |
| 846 | .BR "--to-ports " "\fIport\fP[-\fIport\fP]" |
| 847 | This specifies a destination port or range of ports to use: without |
| 848 | this, the destination port is never altered. This is only valid |
| 849 | if the rule also specifies |
| 850 | .B "-p tcp" |
| 851 | or |
| 852 | .BR "-p udp" . |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 853 | .SS REJECT |
| 854 | This is used to send back an error packet in response to the matched |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 855 | packet: otherwise it is equivalent to |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 856 | .B DROP |
| 857 | so it is a terminating TARGET, ending rule traversal. |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 858 | This target is only valid in the |
| 859 | .BR INPUT , |
| 860 | .B FORWARD |
| 861 | and |
| 862 | .B OUTPUT |
Rusty Russell | 9cadb43 | 2000-05-10 00:18:06 +0000 | [diff] [blame] | 863 | chains, and user-defined chains which are only called from those |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 864 | chains. The following option controls the nature of the error packet |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 865 | returned: |
| 866 | .TP |
Bert Hubert | 20ecf7a | 2000-03-24 01:56:37 +0000 | [diff] [blame] | 867 | .BI "--reject-with " "type" |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 868 | The type given can be |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 869 | .nf |
| 870 | .B " icmp-net-unreachable" |
| 871 | .B " icmp-host-unreachable" |
| 872 | .B " icmp-port-unreachable" |
| 873 | .B " icmp-proto-unreachable" |
| 874 | .B " icmp-net-prohibited" |
| 875 | .B " icmp-host-prohibited or" |
| 876 | .B " icmp-admin-prohibited (*)" |
| 877 | .fi |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 878 | which return the appropriate ICMP error message (\fBport-unreachable\fP is |
| 879 | the default). The option |
Rusty Russell | 14f390f | 2000-07-30 01:10:04 +0000 | [diff] [blame] | 880 | .B tcp-reset |
Rusty Russell | 363112d | 2000-08-11 13:49:26 +0000 | [diff] [blame] | 881 | can be used on rules which only match the TCP protocol: this causes a |
| 882 | TCP RST packet to be sent back. This is mainly useful for blocking |
| 883 | .I ident |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 884 | (113/tcp) probes which frequently occur when sending mail to broken mail |
| 885 | hosts (which won't accept your mail otherwise). |
Harald Welte | 5a52c51 | 2003-05-24 11:44:18 +0000 | [diff] [blame] | 886 | .TP |
| 887 | (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 888 | .SS SNAT |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 889 | This target is only valid in the |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 890 | .B nat |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 891 | table, in the |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 892 | .B POSTROUTING |
| 893 | chain. It specifies that the source address of the packet should be |
| 894 | modified (and all future packets in this connection will also be |
Hervé Eychenne | e644cb0 | 2002-06-22 18:23:48 +0000 | [diff] [blame] | 895 | mangled), and rules should cease being examined. It takes one type |
| 896 | of option: |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 897 | .TP |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 898 | .BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 899 | which can specify a single new source IP address, an inclusive range |
| 900 | of IP addresses, and optionally, a port range (which is only valid if |
| 901 | the rule also specifies |
| 902 | .B "-p tcp" |
| 903 | or |
| 904 | .BR "-p udp" ). |
| 905 | If no port range is specified, then source ports below 512 will be |
Harald Welte | 0112abb | 2001-02-19 21:48:13 +0000 | [diff] [blame] | 906 | mapped to other ports below 512: those between 512 and 1023 inclusive |
| 907 | will be mapped to ports below 1024, and other ports will be mapped to |
| 908 | 1024 or above. Where possible, no port alteration will occur. |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 909 | .RS |
| 910 | .PP |
Hervé Eychenne | e644cb0 | 2002-06-22 18:23:48 +0000 | [diff] [blame] | 911 | You can add several --to-source options. If you specify more |
| 912 | than one source address, either via an address range or multiple |
| 913 | --to-source options, a simple round-robin (one after another in |
| 914 | cycle) takes place between these adresses. |
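The --to-source syntax, the round-robin over several addresses and the default source-port policy above, as an added example written for this page (not netfilter code). It assumes the 512-1023 band for the middle class (the page says only "below 1024"), a linear scan for a free port, and that the last port range given applies to all addresses.

```python
"""Model of the SNAT target's --to-source argument and of the default
source-port policy (added example; not netfilter code). The 512-1023
band, the linear scan for a free port and "last port range wins" are
this model's assumptions; the page states only the three bands and that
the original port is kept where possible."""
import ipaddress
from itertools import cycle
from typing import List, Optional, Set, Tuple

PortRange = Tuple[int, int]


def parse_to_source(spec: str) -> Tuple[List[str], Optional[PortRange]]:
    """Split 'ipaddr[-ipaddr][:port-port]' into its address list and port range."""
    addr_part, _, port_part = spec.partition(":")
    lo, _, hi = addr_part.partition("-")
    first = ipaddress.IPv4Address(lo)
    last = ipaddress.IPv4Address(hi) if hi else first
    if last < first:
        raise ValueError("address range end precedes its start")
    addrs = [str(ipaddress.IPv4Address(int(first) + i))
             for i in range(int(last) - int(first) + 1)]
    ports: Optional[PortRange] = None
    if port_part:
        p_lo, _, p_hi = port_part.partition("-")
        ports = (int(p_lo), int(p_hi) if p_hi else int(p_lo))
        if not 1 <= ports[0] <= ports[1] <= 65535:
            raise ValueError(f"bad port range: {port_part!r}")
    return addrs, ports


def default_port_band(port: int) -> PortRange:
    """Band a source port stays in when the rule gives no port range."""
    if port < 512:
        return (1, 511)
    if port < 1024:
        return (512, 1023)   # assumption: the page says only 'below 1024'
    return (1024, 65535)


def choose_source_port(orig_port: int, in_use: Set[int],
                       port_range: Optional[PortRange] = None) -> Optional[int]:
    """Pick the translated source port: the original if allowed and free,
    else the first free port in the band. None means the band is exhausted."""
    lo, hi = port_range if port_range else default_port_band(orig_port)
    if lo <= orig_port <= hi and orig_port not in in_use:
        return orig_port          # where possible, no port alteration
    return next((p for p in range(lo, hi + 1) if p not in in_use), None)


class SnatRule:
    """One SNAT rule with one or more --to-source specs; addresses are
    handed out round-robin per new connection, as the man page describes."""

    def __init__(self, *specs: str):
        self.addrs: List[str] = []
        self.port_range: Optional[PortRange] = None
        for spec in specs:
            addrs, ports = parse_to_source(spec)
            self.addrs.extend(addrs)
            self.port_range = ports or self.port_range   # assumption: last range wins
        self._next_addr = cycle(self.addrs)
        self.in_use: Set[Tuple[str, int]] = set()        # (address, port) pairs taken

    def translate(self, src_port: int) -> Optional[Tuple[str, int]]:
        """Map a new connection's source port; returns (new address, new port)."""
        addr = next(self._next_addr)
        used = {p for a, p in self.in_use if a == addr}
        port = choose_source_port(src_port, used, self.port_range)
        if port is None:
            return None
        self.in_use.add((addr, port))
        return addr, port


if __name__ == "__main__":
    # Constructed: two public addresses, three connections all using source port 5000.
    rule = SnatRule("10.0.0.1-10.0.0.2")
    print([rule.translate(5000) for _ in range(3)])
```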
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 915 | .SS TCPMSS |
| 916 | This target allows to alter the MSS value of TCP SYN packets, to control |
| 917 | the maximum size for that connection (usually limiting it to your |
Hervé Eychenne | cea2ca3 | 2002-05-27 11:16:09 +0000 | [diff] [blame] | 918 | outgoing interface's MTU minus 40). Of course, it can only be used |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 919 | in conjunction with |
| 920 | .BR "-p tcp" . |
| 921 | .br |
| 922 | This target is used to overcome criminally braindead ISPs or servers |
| 923 | which block ICMP Fragmentation Needed packets. The symptoms of this |
| 924 | problem are that everything works fine from your Linux |
| 925 | firewall/router, but machines behind it can never exchange large |
| 926 | packets: |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 927 | .PD 0 |
| 928 | .RS 0.1i |
| 929 | .TP 0.3i |
| 930 | 1) |
| 931 | Web browsers connect, then hang with no data received. |
| 932 | .TP |
| 933 | 2) |
| 934 | Small mail works fine, but large emails hang. |
| 935 | .TP |
| 936 | 3) |
| 937 | ssh works fine, but scp hangs after initial handshaking. |
| 938 | .RE |
| 939 | .PD |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 940 | Workaround: activate this option and add a rule to your firewall |
| 941 | configuration like: |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 942 | .nf |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 943 | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\ |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 944 | -j TCPMSS --clamp-mss-to-pmtu |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 945 | .fi |
Hervé Eychenne | 9e51806 | 2002-03-14 09:25:40 +0000 | [diff] [blame] | 946 | .TP |
| 947 | .BI "--set-mss " "value" |
| 948 | Explicitly set MSS option to specified value. |
| 949 | .TP |
| 950 | .B "--clamp-mss-to-pmtu" |
| 951 | Automatically clamp MSS value to (path_MTU - 40). |
| 952 | .TP |
| 953 | These options are mutually exclusive. |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 954 | .SS TOS |
| 955 | This is used to set the 8-bit Type of Service field in the IP header. |
| 956 | It is only valid in the |
| 957 | .B mangle |
| 958 | table. |
Harald Welte | bfc3369 | 2002-08-07 09:52:22 +0000 | [diff] [blame] | 959 | .TP |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 960 | .BI "--set-tos " "tos" |
| 961 | You can use a numeric TOS values, or use |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 962 | .nf |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 963 | iptables -j TOS -h |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 964 | .fi |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 965 | to see the list of valid TOS names. |
| 966 | .SS ULOG |
| 967 | This target provides userspace logging of matching packets. When this |
| 968 | target is set for a rule, the Linux kernel will multicast this packet |
| 969 | through a |
| 970 | .IR netlink |
| 971 | socket. One or more userspace processes may then subscribe to various |
| 972 | multicast groups and receive the packets. |
| 973 | Like LOG, this is a "non-terminating target", i.e. rule traversal |
| 974 | continues at the next rule. |
Harald Welte | bfc3369 | 2002-08-07 09:52:22 +0000 | [diff] [blame] | 975 | .TP |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 976 | .BI "--ulog-nlgroup " "nlgroup" |
| 977 | This specifies the netlink group (1-32) to which the packet is sent. |
| 978 | Default value is 1. |
Harald Welte | bfc3369 | 2002-08-07 09:52:22 +0000 | [diff] [blame] | 979 | .TP |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 980 | .BI "--ulog-prefix " "prefix" |
| 981 | Prefix log messages with the specified prefix; up to 32 characters |
| 982 | long, and useful for distinguishing messages in the logs. |
| 983 | .TP |
| 984 | .BI "--ulog-cprange " "size" |
| 985 | Number of bytes to be copied to userspace. A value of 0 always copies |
| 986 | the entire packet, regardless of its size. Default is 0. |
| 987 | .TP |
| 988 | .BI "--ulog-qthreshold " "size" |
| 989 | Number of packet to queue inside kernel. Setting this value to, e.g. 10 |
| 990 | accumulates ten packets inside the kernel and transmits them as one |
| 991 | netlink multipart message to userspace. Default is 1 (for backwards |
| 992 | compatibility). |
Harald Welte | bfc3369 | 2002-08-07 09:52:22 +0000 | [diff] [blame] | 993 | .br |
Rusty Russell | 86573e5 | 2000-10-11 06:01:13 +0000 | [diff] [blame] | 994 | .SH DIAGNOSTICS |
| 995 | Various error messages are printed to standard error. The exit code |
| 996 | is 0 for correct functioning. Errors which appear to be caused by |
| 997 | invalid or abused command line parameters cause an exit code of 2, and |
| 998 | other errors cause an exit code of 1. |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 999 | .SH BUGS |
Hervé Eychenne | cea2ca3 | 2002-05-27 11:16:09 +0000 | [diff] [blame] | 1000 | Bugs? What's this? ;-) |
Hervé Eychenne | e644cb0 | 2002-06-22 18:23:48 +0000 | [diff] [blame] | 1001 | Well... the counters are not reliable on sparc64. |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 1002 | .SH COMPATIBILITY WITH IPCHAINS |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 1003 | This |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 1004 | .B iptables |
| 1005 | is very similar to ipchains by Rusty Russell. The main difference is |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 1006 | that the chains |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 1007 | .B INPUT |
| 1008 | and |
| 1009 | .B OUTPUT |
| 1010 | are only traversed for packets coming into the local host and |
| 1011 | originating from the local host respectively. Hence every packet only |
Hervé Eychenne | f3ed860 | 2003-06-29 18:00:08 +0000 | [diff] [blame] | 1012 | passes through one of the three chains (except loopback traffic, which |
| 1013 | involves both INPUT and OUTPUT chains); previously a forwarded packet |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 1014 | would pass through all three. |
| 1015 | .PP |
Harald Welte | 282d669 | 2003-02-14 07:34:09 +0000 | [diff] [blame] | 1016 | The other main difference is that |
Marc Boucher | e6869a8 | 2000-03-20 06:03:29 +0000 | [diff] [blame] | 1017 | .B -i |
| 1018 | refers to the input interface; |
| 1019 | .B -o |
| 1020 | refers to the output interface, and both are available for packets |
| 1021 | entering the |
| 1022 | .B FORWARD |
| 1023 | chain. |
| 1024 | .PP The various forms of NAT have been separated out; |
| 1025 | .B iptables |
| 1026 | is a pure packet filter when using the default `filter' table, with |
| 1027 | optional extension modules. This should simplify much of the previous |
| 1028 | confusion over the combination of IP masquerading and packet filtering |
| 1029 | seen previously. So the following options are handled differently: |
.nf
-j MASQ
-M -S
-M -L
.fi
There are several other changes in iptables.
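The traversal difference described in this section has a practical consequence for rule placement: under iptables a rule in INPUT never sees forwarded traffic, so an ipchains-era habit of filtering "everything arriving on eth0" in the input chain leaves the FORWARD path unfiltered. The following Python model is an added illustration, not code from the iptables project or this man page; the Packet and Rule types, the eth0/eth1 router layout and the sample packets are constructed assumptions, and only the -i/-o matches are modelled.

```python
"""Model of which filter chains a packet traverses: iptables vs ipchains.

Constructed illustration, not code from the iptables project. Packet, Rule
and the interface names are assumptions made for the example; only the
-i (input interface) and -o (output interface) matches are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_local: bool          # originated on this host
    dst_local: bool          # addressed to this host
    in_if: Optional[str]     # arrival interface (None if locally generated)
    out_if: Optional[str]    # departure interface (None if delivered locally)


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                    # "ACCEPT" or "DROP"
    in_if: Optional[str] = None    # iptables -i
    out_if: Optional[str] = None   # iptables -o

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        return True


def iptables_chains(pkt: Packet) -> List[str]:
    """iptables: a packet passes through exactly one of INPUT, OUTPUT or
    FORWARD, except loopback traffic, which is sent (OUTPUT) and then
    received (INPUT) by the same host."""
    if pkt.src_local and pkt.dst_local:
        return ["OUTPUT", "INPUT"]
    if pkt.src_local:
        return ["OUTPUT"]
    if pkt.dst_local:
        return ["INPUT"]
    return ["FORWARD"]


def ipchains_chains(pkt: Packet) -> List[str]:
    """ipchains: a forwarded packet passed through input, forward and output."""
    if pkt.src_local and pkt.dst_local:
        return ["output", "input"]
    if pkt.src_local:
        return ["output"]
    if pkt.dst_local:
        return ["input"]
    return ["input", "forward", "output"]


def iptables_verdict(pkt: Packet, rules: List[Rule], policy: str = "ACCEPT") -> str:
    """First matching rule in each traversed chain decides for that chain;
    a DROP anywhere on the path drops the packet, otherwise the policy applies."""
    for chain in iptables_chains(pkt):
        for rule in rules:
            if rule.chain == chain and rule.matches(pkt):
                if rule.target == "DROP":
                    return "DROP"
                break  # ACCEPT ends this chain; continue with the next one
    return policy


# Constructed sample packets on a router with eth0 (outside) and eth1 (inside).
FORWARDED = Packet(src_local=False, dst_local=False, in_if="eth0", out_if="eth1")
INBOUND = Packet(src_local=False, dst_local=True, in_if="eth0", out_if=None)
OUTBOUND = Packet(src_local=True, dst_local=False, in_if=None, out_if="eth0")
LOOPBACK = Packet(src_local=True, dst_local=True, in_if="lo", out_if="lo")

# An ipchains-style "block everything arriving on eth0" placed in INPUT only.
INPUT_ONLY = [Rule("INPUT", "DROP", in_if="eth0")]
# What iptables needs in addition: a FORWARD rule, which may match both -i and -o.
WITH_FORWARD = INPUT_ONLY + [Rule("FORWARD", "DROP", in_if="eth0", out_if="eth1")]


def demo() -> dict:
    """Verdicts that show the difference the man page describes."""
    return {
        "forwarded_input_only": iptables_verdict(FORWARDED, INPUT_ONLY),
        "forwarded_with_forward": iptables_verdict(FORWARDED, WITH_FORWARD),
        "inbound_input_only": iptables_verdict(INBOUND, INPUT_ONLY),
    }


if __name__ == "__main__":
    for name, pkt in [("forwarded", FORWARDED), ("inbound", INBOUND),
                      ("outbound", OUTBOUND), ("loopback", LOOPBACK)]:
        print(f"{name:9s} iptables={iptables_chains(pkt)} ipchains={ipchains_chains(pkt)}")
    print(demo())
```

Running the block shows that the forwarded packet is accepted when only INPUT carries the DROP rule, and is dropped only once a FORWARD rule using both -i and -o is present; the loopback packet is the one case that traverses two chains.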
.SH SEE ALSO
.BR iptables-save (8),
.BR iptables-restore (8),
.BR ip6tables (8),
.BR ip6tables-save (8),
.BR ip6tables-restore (8).
.P
The packet-filtering-HOWTO details iptables usage for
packet filtering, the NAT-HOWTO details NAT,
the netfilter-extensions-HOWTO details the extensions that are
not in the standard distribution,
and the netfilter-hacking-HOWTO details the netfilter internals.
.br
See
.BR "http://www.netfilter.org/" .
.SH AUTHORS
Rusty Russell wrote iptables, in early consultation with Michael
Neuling.
.PP
Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
selection framework in iptables, then wrote the mangle table, the owner match,
the mark stuff, and ran around doing cool stuff everywhere.
.PP
James Morris wrote the TOS target, and tos match.
.PP
Jozsef Kadlecsik wrote the REJECT target.
.PP
Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
.PP
The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
James Morris, Harald Welte and Rusty Russell.
.PP
Man page written by Herve Eychenne <rv@wallfire.org>.
.\" .. and did I mention that we are incredibly cool people?
.\" .. sexy, too ..
.\" .. witty, charming, powerful ..
.\" .. and most of all, modest ..