.TH IPTABLES 8 "Mar 20, 2000" "" ""
.\"
.\" Man page written by Herve Eychenne <eychenne@info.enserb.u-bordeaux.fr>
.\" It is based on the ipchains man page.
.\"
.\" ipchains page by Paul ``Rusty'' Russell March 1997
.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl> (see README)
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
.SH NAME
iptables \- IP packet filter administration
.SH SYNOPSIS
.BR "iptables -[ADC] " "chain rule-specification [options]"
.br
.BR "iptables -[RI] " "chain rulenum rule-specification [options]"
.br
.BR "iptables -D " "chain rulenum [options]"
.br
.BR "iptables -[LFZ] " "[chain] [options]"
.br
.BR "iptables -[NX] " "chain"
.br
.BR "iptables -P " "chain target [options]"
.br
.BR "iptables -E " "old-chain-name new-chain-name"
.SH DESCRIPTION
.B Iptables
is used to set up, maintain, and inspect the tables of IP packet
filter rules in the Linux kernel. There are several different tables
which may be defined, and each table contains a number of built-in
chains, and may contain user-defined chains.

Each chain is a list of rules which can match a set of packets: each
rule specifies what to do with a packet which matches. This is called
a `target', which may be a jump to a user-defined chain in the same
table.

.SH TARGETS
A firewall rule specifies criteria for a packet, and a target. If the
packet does not match, the next rule in the chain is examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain, or one of the
special values
.IR ACCEPT ,
.IR DROP ,
.IR QUEUE ,
or
.IR RETURN .
.PP
.I ACCEPT
means to let the packet through.
.I DROP
means to drop the packet on the floor.
.I QUEUE
means to pass the packet to userspace.
.I RETURN
means stop traversing this chain, and resume at the next rule in the
previous (calling) chain. If the end of a built-in chain is reached,
or a rule in a built-in chain with target
.I RETURN
is matched, the target specified by the chain policy determines the
fate of the packet.
.SH TABLES
There are currently three tables (which tables are present at any time
depends on the kernel configuration options and which modules are
present).
.TP
.B "-t, --table"
This option specifies the packet matching table which the command
should operate on. If the kernel is configured with automatic module
loading, an attempt will be made to load the appropriate module for
that table if it is not already there.

The tables are as follows:
.RS
.TP
.B filter
This is the default table, and contains the built-in chains INPUT (for
packets coming into the box itself), FORWARD (for packets being routed
through the box), and OUTPUT (for locally-generated packets).
.TP
.B nat
This table is consulted when a packet which creates a new
connection is encountered. It consists of three built-ins: PREROUTING
(for altering packets as soon as they come in), OUTPUT (for altering
locally-generated packets before routing), and POSTROUTING (for
altering packets as they are about to go out).
.TP
.B mangle
This table is used for specialized packet alteration. It has two
built-in chains: PREROUTING (for altering incoming packets before
routing) and OUTPUT (for altering locally-generated packets before
routing).
.RE
.SH OPTIONS
The options that are recognized by
.B iptables
can be divided into several different groups.
.SS COMMANDS
These options specify the specific action to perform; only one of them
can be specified on the command line, unless otherwise specified
below. For all the long versions of the command and option names, you
only need to use enough letters to ensure that
.B iptables
can differentiate it from all other options.
.TP
.BR "-A, --append"
Append one or more rules to the end of the selected chain.
When the source and/or destination names resolve to more than one
address, a rule will be added for each possible address combination.
.TP
.BR "-D, --delete"
Delete one or more rules from the selected chain. There are two
versions of this command: the rule can be specified as a number in the
chain (starting at 1 for the first rule) or a rule to match.
.TP
.B "-R, --replace"
Replace a rule in the selected chain. If the source and/or
destination names resolve to multiple addresses, the command will
fail. Rules are numbered starting at 1.
.TP
.B "-I, --insert"
Insert one or more rules in the selected chain as the given rule
number. So, if the rule number is 1, the rule or rules are inserted
at the head of the chain. This is also the default if no rule number
is specified.
.TP
.B "-L, --list"
List all rules in the selected chain. If no chain is selected, all
chains are listed. It is legal to specify the
.B -Z
(zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other
arguments given.
.TP
.B "-F, --flush"
Flush the selected chain. This is equivalent to deleting all the
rules one by one.
.TP
.B "-Z, --zero"
Zero the packet and byte counters in all chains. It is legal to
specify the
.B "-L, --list"
(list) option as well, to see the counters immediately before they are
cleared; see above.
.TP
.B "-N, --new-chain"
Create a new user-defined chain of the given name. There must be no
target of that name already.
.TP
.B "-X, --delete-chain"
Delete the specified user-defined chain. There must be no references
to the chain (if there are you must delete or replace the referring
rules before the chain can be deleted). If no argument is given, it
will attempt to delete every non-builtin chain.
.TP
.B "-P, --policy"
Set the policy for the chain to the given target. See the section
.B TARGETS
for the legal targets. Only built-in (non-user-defined) chains can have
policies, and neither built-in nor user-defined chains can be policy
targets.
.TP
.B "-E, --rename-chain"
Rename the user specified chain to the user supplied name; this is
cosmetic, and has no effect on the structure of the table.
.TP
.B -h
Help.
Give a (currently very brief) description of the command syntax.
.SS PARAMETERS
The following parameters make up a rule specification (as used in the
add, delete, replace, append and check commands).
.TP
.BR "-p, --protocol " "[!] \fIprotocol\fP"
The protocol of the rule or of the packet to check.
The specified protocol can be one of
.IR tcp ,
.IR udp ,
.IR icmp ,
or
.IR all ,
or it can be a numeric value, representing one of these protocols or a
different one. A protocol name from /etc/protocols is also allowed.
A "!" argument before the protocol inverts the
test. The number zero is equivalent to
.IR all .
Protocol
.I all
will match with all protocols and is taken as default when this
option is omitted.
.I All
may not be used in combination with the check command.
.TP
.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
Source specification.
.I Address
can be either a hostname, a network name, or a plain IP address.
The
.I mask
can be either a network mask or a plain number,
specifying the number of 1's at the left side of the network mask.
Thus, a mask of
.I 24
is equivalent to
.IR 255.255.255.0 .
A "!" argument before the address specification inverts the sense of
the address. The flag
.B --src
is a convenient alias for this option.
.TP
.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
Destination specification.
See the description of the
.B -s
(source) flag for a detailed description of the syntax. The flag
.B --dst
is an alias for this option.
.TP
.BI "-j, --jump " "target"
This specifies the target of the rule; i.e. what to do if the packet
matches it. The target can be a user-defined chain (not the one this
rule is in), one of the special builtin targets which decide the fate
of the packet immediately, or an extension (see
.B "TARGET EXTENSIONS"
below). If this
option is omitted in a rule, then matching the rule will have no
effect on the packet's fate, but the counters on the rule will be
incremented.
.TP
.BR "-i, --in-interface " "[!] [\fIname\fP]"
Optional name of an interface via which a packet is received (for
packets entering the
.BR INPUT ,
.B FORWARD
and
.B PREROUTING
chains). When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option is
omitted, the string "+" is assumed, which will match with any
interface name.
.TP
.BR "-o, --out-interface " "[!] [\fIname\fP]"
Optional name of an interface via which a packet is going to
be sent (for packets entering the
.BR FORWARD ,
.B OUTPUT
and
.B POSTROUTING
chains). When the "!" argument is used before the interface name,
the sense is inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option is
omitted, the string "+" is assumed, which will match with any
interface name.
.TP
.B "[!] " "-f, --fragment"
This means that the rule only refers to second and further fragments
of fragmented packets. Since there is no way to tell the source or
destination ports of such a packet (or ICMP type), such a packet will
not match any rules which specify them. When the "!" argument
precedes the "-f" flag, the sense is inverted.
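.PP
As an added example (not part of the iptables man page or of the netfilter
project's code), the following POSIX shell functions apply the
"[!] address[/mask]" semantics of the -s and -d parameters to a given IPv4
address: the mask may be a prefix length or a dotted netmask, an omitted mask
means the single host, and a leading "!" inverts the test. Hostnames and
network names are not resolved, and the function names (ip_to_int,
mask_to_int, addr_matches, ...) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the iptables man page: evaluate an
# "[!] address[/mask]" source/destination specification against an IPv4
# address the way the -s/-d parameters describe it. Only dotted-quad
# addresses are handled (no hostname or network-name lookups). All
# function names are this example's own.

# Dotted quad -> 32-bit integer; status 1 on malformed input.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# A mask is either a dotted netmask or a prefix length (the number of
# leading one bits); both are returned as a 32-bit integer.
mask_to_int() {
    case $1 in
        *.*)
            ip_to_int "$1" ;;
        ''|*[!0-9]*)
            return 1 ;;
        *)
            [ "$1" -le 32 ] || return 1
            if [ "$1" -eq 0 ]; then
                echo 0
            else
                echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
            fi ;;
    esac
}

# addr_matches ADDR [!] SPEC
# Status 0 if ADDR falls inside SPEC ("address" or "address/mask"), 1 if it
# does not, 2 on malformed input. A "!" before SPEC inverts the result.
addr_matches() {
    addr=$1; shift
    invert=0
    if [ "$1" = "!" ]; then invert=1; shift; fi
    spec=$1
    case $spec in
        */*) net=${spec%/*}; mask=$(mask_to_int "${spec#*/}") || return 2 ;;
        *)   net=$spec; mask=4294967295 ;;      # no mask: exact host match
    esac
    a=$(ip_to_int "$addr") || return 2
    n=$(ip_to_int "$net") || return 2
    if [ $(( a & mask )) -eq $(( n & mask )) ]; then hit=1; else hit=0; fi
    [ "$hit" -ne "$invert" ]
}
```

Typical use is a guard in a script, e.g. `addr_matches "$peer" '!' 10.0.0.0/8 && echo "peer is outside the private range"`; the "!" is passed as a separate word, exactly as it is on the iptables command line.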
.SS "OTHER OPTIONS"
The following additional options can be specified:
.TP
.B "-v, --verbose"
Verbose output. This option makes the list command show the interface
address, the rule options (if any), and the TOS masks. The packet and
byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
the
.B -x
flag to change this).
For appending, insertion, deletion and replacement, this causes
detailed information on the rule or rules to be printed.
.TP
.B "-n, --numeric"
Numeric output.
IP addresses and port numbers will be printed in numeric format.
By default, the program will try to display them as host names,
network names, or services (whenever applicable).
.TP
.B "-x, --exact"
Expand numbers.
Display the exact value of the packet and byte counters,
instead of only the rounded number in K's (multiples of 1000),
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the
.B -L
command.
.TP
.B "--line-numbers"
When listing rules, add line numbers to the beginning of each rule,
corresponding to that rule's position in the chain.
.SH MATCH EXTENSIONS
iptables can use extended packet matching modules. The following are
included in the base package, and most of these can be preceded by a
.B !
to invert the sense of the match.
.SS tcp
These extensions are loaded if `--protocol tcp' is specified, and no
other match is specified. It provides the following options:
.TP
.BR "--source-port " "[!] [\fIport[:port]\fP] or [\fIport[-port]]\fP"
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format
.IR port : port
or
.IR port - port .
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
If the second port is greater than the first, they will be swapped.
The flag
.B --sport
is an alias for this option.
.TP
.BR "--destination-port " "[!] [\fIport[:port]\fP] or [\fIport[-port]]\fP"
Destination port or port range specification. The flag
.B --dport
is an alias for this option.
.TP
.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
Match when the TCP flags are as specified. The first argument is the
flags which we should examine, written as a comma-separated list, and
the second argument is a comma-separated list of flags which must be
set. Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.br
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
.br
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
.TP
.B "[!] --syn"
Only match TCP packets with the SYN bit set and the ACK and FIN bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected.
It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
If the "!" flag precedes the "--syn", the sense of the
option is inverted.
.TP
.BR "--tcp-option " "[!] \fInumber\fP"
Match if the given TCP option is set.
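.PP
As an added example (not from the iptables man page or the netfilter
project), the following POSIX shell functions model two rules of the tcp
match described above: normalize_port_range applies the port-range rules of
--source-port and --destination-port (an omitted first port is 0, an omitted
last port is 65535, a reversed range is swapped into ascending order), and
tcp_flags_match applies the "--tcp-flags mask comp" rule to a packet's set of
flags, with syn_match expressing --syn through the equivalence the page
states. Only numeric ports are accepted (service names are not resolved);
all function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the iptables man page: model the port-range
# and --tcp-flags semantics of the tcp match. Function names are this
# example's own; service names are not resolved.

# normalize_port_range SPEC  ->  prints "lo:hi"; status 1 on bad input.
# SPEC is "port", "port:port" or "port-port"; either end may be empty.
normalize_port_range() {
    spec=$1
    case $spec in
        *:*) lo=${spec%%:*}; hi=${spec#*:} ;;
        *-*) lo=${spec%%-*}; hi=${spec#*-} ;;
        *)   lo=$spec; hi=$spec ;;
    esac
    lo=${lo:-0}          # omitted first port
    hi=${hi:-65535}      # omitted last port
    for p in "$lo" "$hi"; do
        case $p in *[!0-9]*) return 1 ;; esac
        [ "$p" -le 65535 ] || return 1
    done
    if [ "$lo" -gt "$hi" ]; then
        t=$lo; lo=$hi; hi=$t
    fi
    echo "$lo:$hi"
}

# Expand a comma-separated flag list into space-separated words; ALL and
# NONE are the aliases the man page lists.
expand_flags() {
    case $1 in
        ALL)  echo "SYN ACK FIN RST URG PSH" ;;
        NONE) echo "" ;;
        *)    echo "$1" | tr ',' ' ' ;;
    esac
}

# has_flag FLAG "LIST"  ->  status 0 if FLAG is one of the words in LIST.
has_flag() {
    for g in $2; do
        if [ "$g" = "$1" ]; then return 0; fi
    done
    return 1
}

# tcp_flags_match MASK COMP PKTFLAGS
# Status 0 when, for every flag named in MASK, the flag is set in PKTFLAGS
# exactly when it is also named in COMP. Flags outside MASK are ignored.
tcp_flags_match() {
    mask=$(expand_flags "$1")
    comp=$(expand_flags "$2")
    pkt=$(expand_flags "$3")
    for f in $mask; do
        if has_flag "$f" "$comp"; then
            if ! has_flag "$f" "$pkt"; then return 1; fi   # required but clear
        elif has_flag "$f" "$pkt"; then
            return 1                                       # must be clear but set
        fi
    done
    return 0
}

# --syn as the man page defines it: --tcp-flags SYN,RST,ACK SYN
syn_match() {
    tcp_flags_match SYN,RST,ACK SYN "$1"
}
```

The man page's own example, `--tcp-flags SYN,ACK,FIN,RST SYN`, becomes `tcp_flags_match SYN,ACK,FIN,RST SYN "$flags"`: a bare SYN matches, SYN,ACK does not, and a flag outside the mask (URG or PSH) never affects the result.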
.SS udp
These extensions are loaded if `--protocol udp' is specified, and no
other match is specified. It provides the following options:
.TP
.BR "--source-port " "[!] [\fIport[:port]\fP] or [\fIport[-port]]\fP"
Source port or port range specification.
See the description of the
.B --source-port
option of the TCP extension for details.
.TP
.BR "--destination-port " "[!] [\fIport[:port]\fP] or [\fIport[-port]]\fP"
Destination port or port range specification.
See the description of the
.B --destination-port
option of the TCP extension for details.
.SS icmp
This extension is loaded if `--protocol icmp' is specified, and no
other match is specified. It provides the following option:
.TP
.BR "--icmp-type " "[!] \fItypename\fP"
This allows specification of the ICMP type, which can be a numeric
ICMP type, or one of the ICMP type names shown by the command
.br
iptables -p icmp -h
.br
.SS mac
.TP
.BR "--mac-source " "[!] \fIaddress\fP"
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
Note that this only makes sense for packets entering the
.B PREROUTING
or
.B INPUT
chains from an ethernet device.
.SS limit
This module matches at a limited rate using a token bucket filter: it
can be used in combination with the LOG target to give limited
logging. A rule using this extension will match until this limit is
reached (unless the `!' flag is used).
.TP
.BI "--limit " "rate"
Maximum average matching rate: specified as a number, with an optional
`/second', `/minute', `/hour', or `/day' suffix; the default is
3/hour.
.TP
.BI "--limit-burst " "number"
The maximum initial number of packets to match: this number gets
recharged by one every time the limit specified above is not reached,
up to this number; the default is 5.
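.PP
As an added example (not from the iptables man page or the netfilter
project), the following POSIX shell script simulates the token bucket that
the --limit and --limit-burst descriptions above sketch: the bucket starts
full at --limit-burst tokens, each matching packet spends one, and one token
is refilled every 1/rate seconds up to the burst. It models only the
documented behaviour, not the kernel's own credit accounting; the function
names are this example's own, and a rate suffix is required by the helper.

```shell
#!/bin/sh
# Added example, not part of the iptables man page: a simplified token
# bucket following the --limit / --limit-burst description. The kernel's
# own credit accounting is not reproduced. Function names are this
# example's own.

# rate_interval_ms "N/unit"  ->  milliseconds between two refilled tokens.
# The unit suffix (second, minute, hour, day) is required by this helper.
rate_interval_ms() {
    n=${1%%/*}
    unit=${1#*/}
    case $n in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -gt 0 ] || return 1
    case $unit in
        second) secs=1 ;;
        minute) secs=60 ;;
        hour)   secs=3600 ;;
        day)    secs=86400 ;;
        *)      return 1 ;;
    esac
    echo $(( secs * 1000 / n ))
}

# limit_simulate RATE BURST T1 T2 ...   (packet times in seconds, ascending)
# Prints one line per packet: "<t> match" or "<t> no-match".
limit_simulate() {
    interval=$(rate_interval_ms "$1") || return 1
    burst=$2
    shift 2
    tokens=$burst        # the bucket is full at time 0
    last=0               # time (ms) up to which refills have been credited
    for t in "$@"; do
        now=$(( t * 1000 ))
        refill=$(( (now - last) / interval ))
        if [ "$refill" -gt 0 ]; then
            tokens=$(( tokens + refill ))
            if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
            last=$(( last + refill * interval ))
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$(( tokens - 1 ))
            echo "$t match"
        else
            echo "$t no-match"
        fi
    done
}

# How many of the given packets would match the rule.
limit_count_matches() {
    limit_simulate "$@" | grep -c ' match$'
}
```

With `limit_simulate 3/minute 5 0 1 2 3 4 5 6 20 40 100` (a constructed burst of ten packets), the first five match on the initial burst, packets at 5 s and 6 s are refused, and the packets at 20 s, 40 s and 100 s match again because a token is refilled every 20 s; this is the behaviour a `-m limit ... -j LOG` rule relies on to keep a flood from filling the kernel log.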
.SS multiport
This module matches a set of source or destination ports. Up to 15
ports can be specified. It can only be used in conjunction with
.B "-p tcp"
or
.BR "-p udp" .
.TP
.BR "--source-port" " [\fIport[,port]\fP]"
Match if the source port is one of the given ports.
.TP
.BR "--destination-port" " [\fIport[,port]\fP]"
Match if the destination port is one of the given ports.
.TP
.BR "--port" " [\fIport[,port]\fP]"
Match if both the source and destination ports are equal to each
other and to one of the given ports.
.SS mark
This module matches the netfilter mark field associated with a packet
(which can be set using the
.B MARK
target below).
.TP
.BI "--mark " "value[/mask]"
Matches packets with the given unsigned mark value (if a mask is
specified, this is logically ANDed with the mark before the
comparison).
.SS owner
This module attempts to match various characteristics of the packet
creator, for locally-generated packets. It is only valid in the
OUTPUT chain, and even then some packets (such as ICMP ping responses)
may have no owner, and hence never match.
.TP
.BI "--uid-owner " "userid"
Matches if the packet was created by a process with the given
effective user id.
.TP
.BI "--gid-owner " "groupid"
Matches if the packet was created by a process with the given
effective group id.
.TP
.BI "--pid-owner " "processid"
Matches if the packet was created by a process with the given
process id.
.TP
.BI "--sid-owner " "sessionid"
Matches if the packet was created by a process in the given session
group.
.SS state
This module, when combined with connection tracking, allows access to
the connection tracking state for this packet.
.TP
.BI "--state " "state"
Where state is a comma separated list of the connection states to
match. Possible states are
.B INVALID
meaning that the packet is associated with no known connection,
.B ESTABLISHED
meaning that the packet is associated with a connection which has seen
packets in both directions,
.B NEW
meaning that the packet has started a new connection, or otherwise
associated with a connection which has not seen packets in both
directions, and
.B RELATED
meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer,
or an ICMP error.
.SS unclean
This module takes no options, but attempts to match packets which seem
malformed or unusual. This is regarded as experimental.
.SS tos
This module matches the 8 bits of Type of Service field in the IP
header (i.e. including the precedence bits).
.TP
.BI "--tos " "tos"
The argument is either a standard name (use
.br
iptables -m tos -h
.br
to see the list), or a numeric value to match.
.SH TARGET EXTENSIONS
iptables can use extended target modules: the following are included
in the standard distribution.
.SS LOG
Turn on kernel logging of matching packets. When this option is set
for a rule, the Linux kernel will print some information on all
matching packets (like most IP header fields) via
.IR printk ().
.TP
.BI "--log-level " "level"
Level of logging (numeric or see \fIsyslog.conf\fP(5)).
.TP
.BI "--log-prefix " "prefix"
Prefix log messages with the specified prefix; up to 14 letters long,
and useful for distinguishing messages in the logs.
.TP
.B --log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is
readable by users.
.TP
.B --log-tcp-options
Log options from the TCP packet header.
.TP
.B --log-ip-options
Log options from the IP packet header.
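.PP
As an added example (not from the iptables man page or the netfilter
project), the following shell script puts the commands and extensions
described above together into a small stateful INPUT ruleset: -P policies,
-F/-X to start clean, -N for a user-defined chain, -A rules using the state,
limit and tcp matches, and the LOG target throttled by the limit match. The
script is a dry run by default: IPT expands to "echo iptables", so it only
prints the commands it would issue; set IPT=iptables (as root) to apply
them. WAN is the assumed external interface name and port 22 an assumed
service; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the iptables man page: a small stateful INPUT
# ruleset. Dry run by default (IPT="echo iptables" prints the commands);
# set IPT=iptables to apply. WAN is the assumed external interface.
IPT=${IPT:-"echo iptables"}
WAN=${WAN:-eth0}

build_filter_ruleset() {
    # Built-in chain policies decide the fate of anything no rule ACCEPTs.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Start from empty chains: -F removes the rules, -X the now
    # unreferenced user-defined chains.
    $IPT -F
    $IPT -X

    # User-defined chain: log at a limited rate, then DROP. Without the
    # limit match every dropped packet would reach the kernel log.
    $IPT -N log-drop
    $IPT -A log-drop -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix "fw-drop: "
    $IPT -A log-drop -j DROP

    # Loopback, and anything that belongs to a tracked connection.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets connection tracking cannot place are logged and dropped.
    $IPT -A INPUT -m state --state INVALID -j log-drop
    # New inbound TCP connections from the WAN: only proper SYN packets
    # to port 22 (assumed service) are accepted.
    $IPT -A INPUT -i "$WAN" -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
    # Everything else arriving on the WAN goes through log-drop; whatever
    # reaches the end of INPUT falls under the DROP policy anyway.
    $IPT -A INPUT -i "$WAN" -j log-drop
}

# Self-check helper: how many rules the ruleset appends to a given chain.
count_rules() {
    build_filter_ruleset | grep -c -- "-A $1 "
}

build_filter_ruleset
```

Running the script as-is prints thirteen iptables commands, which is a convenient way to review a ruleset before applying it; `iptables -L -v -n --line-numbers` afterwards shows the installed rules with their counters and positions.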
.SS MARK
This is used to set the netfilter mark value associated with the
packet. It is only valid in the
.B mangle
table.
.TP
.BI "--set-mark " "mark"
.SS REJECT
This is used to send back an error packet in response to the matched
packet: otherwise it is equivalent to
.BR DROP .
This target is only valid in the
.BR INPUT ,
.B FORWARD
and
.B OUTPUT
chains, and user-defined chains which are only called from those
chains. Several options control the nature of the error packet
returned:
.TP
.BI "--reject-with " "type"
The type given can be
.BR icmp-net-unreachable ,
.BR icmp-host-unreachable ,
.BR icmp-port-unreachable " or"
.BR icmp-proto-unreachable ,
which return the appropriate ICMP error message (port-unreachable is
the default). The option
.B echo-reply
is also allowed; it can only be used for rules which specify an ICMP
ping packet, and generates a ping reply.
.SS TOS
This is used to set the 8-bit Type of Service field in the IP header.
It is only valid in the
.B mangle
table.
.TP
.BI "--set-tos " "tos"
You can use a numeric TOS value, or use
.br
iptables -j TOS -h
.br
to see the list of valid TOS names.
.SS MIRROR
This is an experimental demonstration target which inverts the source
and destination fields in the IP header and retransmits the packet.
It is only valid in the
.BR INPUT ,
.B FORWARD
and
.B OUTPUT
chains, and user-defined chains which are only called from those chains.
.SS SNAT
This target is only valid in the
.B nat
table, in the
.B POSTROUTING
chain. It specifies that the source address of the packet should be
modified (and all future packets in this connection will also be
mangled), and rules should cease being examined. It takes one option:
.TP
.BI "--to-source " "<ipaddr>[-<ipaddr>][:port-port]"
which can specify a single new source IP address, an inclusive range
of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies
.B "-p tcp"
or
.BR "-p udp" ).
If no port range is specified, then source ports below 512 will be
mapped to other ports below 512; those between 512 and 1024 will be
mapped to ports below 1024, and other ports will be mapped to 1024 or
above. Where possible, no port alteration will occur.
.SS DNAT
This target is only valid in the
.B nat
table, in the
.B PREROUTING
and
.B OUTPUT
chains, and user-defined chains which are only called from those
chains. It specifies that the destination address of the packet
should be modified (and all future packets in this connection will
also be mangled), and rules should cease being examined. It takes one
option:
.TP
.BI "--to-destination " "<ipaddr>[-<ipaddr>][:port-port]"
which can specify a single new destination IP address, an inclusive
range of IP addresses, and optionally, a port range (which is only
valid if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" ).
If no port range is specified, then the destination port will never be
modified.
.SS MASQUERADE
This target is only valid in the
.B nat
table, in the
.B POSTROUTING
chain. It should only be used with dynamically assigned IP (dialup)
connections: if you have a static IP address, you should use the SNAT
target. Masquerading is equivalent to specifying a mapping to the IP
address of the interface the packet is going out, but also has the
effect that connections are
.I forgotten
when the interface goes down. This is the correct behavior when the
next dialup is unlikely to have the same interface address (and hence
any established connections are lost anyway). It takes one option:
.TP
.BI "--to-ports " "<port>[-<port>]"
This specifies a range of source ports to use, overriding the default
.B SNAT
source port-selection heuristics (see above). This is only valid
if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" .
.SS REDIRECT
This target is only valid in the
.B nat
table, in the
.B PREROUTING
and
.B OUTPUT
chains, and user-defined chains which are only called from those
chains. It alters the destination IP address to send the packet to
the machine itself (locally-generated packets are mapped to the
127.0.0.1 address). It takes one option:
.TP
.BI "--to-ports " "<port>[-<port>]"
This specifies a destination port or range of ports to use: without
this, the destination port is never altered. This is only valid
if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" .
.SH DIAGNOSTICS
Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by
invalid or abused command line parameters cause an exit code of 2, and
other errors cause an exit code of 1.
.SH BUGS
Check is not implemented (yet).
.SH COMPATIBILITY WITH IPCHAINS
This
.B iptables
is very similar to ipchains by Rusty Russell. The main difference is
that the chains
.B INPUT
and
.B OUTPUT
are only traversed for packets coming into the local host and
originating from the local host respectively. Hence every packet only
passes through one of the three chains; previously a forwarded packet
would pass through all three.
.PP
The other main difference is that
.B -i
refers to the input interface;
.B -o
refers to the output interface, and both are available for packets
entering the
.B FORWARD
chain.
.PP
The various forms of NAT have been separated out;
.B iptables
is a pure packet filter when using the default `filter' table, with
optional extension modules. This should simplify much of the previous
confusion over the combination of IP masquerading and packet filtering.
So the following options are handled differently:
.br
-j MASQ
.br
-M -S
.br
-M -L
.br
There are several other changes in iptables.
.SH SEE ALSO
The iptables-HOWTO, which details more iptables usage, and the
netfilter-hacking-HOWTO which details the internals.
.SH AUTHORS
Rusty Russell wrote iptables, in early consultation with Michael
Neuling.
.PP
Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
selection framework in iptables, then wrote the mangle table, the owner match,
the mark stuff, and ran around doing cool stuff everywhere.
.PP
James Morris wrote the TOS target, and tos match.
.PP
Jozsef Kadlecsik wrote the REJECT target.
.PP
The Netfilter Core Team is: Marc Boucher, Rusty Russell.
.\" .. and did I mention that we are incredibly cool people?