Andy Spencer | 14bca55 | 2013-05-19 17:01:06 +0000 | [diff] [blame] | 1 | .TH IPTABLES 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@" |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 2 | .\" |
| 3 | .\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999) |
| 4 | .\" It is based on ipchains page. |
| 5 | .\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG) |
| 6 | .\" |
| 7 | .\" ipchains page by Paul ``Rusty'' Russell March 1997 |
| 8 | .\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl> |
| 9 | .\" |
| 10 | .\" This program is free software; you can redistribute it and/or modify |
| 11 | .\" it under the terms of the GNU General Public License as published by |
| 12 | .\" the Free Software Foundation; either version 2 of the License, or |
| 13 | .\" (at your option) any later version. |
| 14 | .\" |
| 15 | .\" This program is distributed in the hope that it will be useful, |
| 16 | .\" but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 17 | .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 18 | .\" GNU General Public License for more details. |
| 19 | .\" |
| 20 | .\" You should have received a copy of the GNU General Public License |
| 21 | .\" along with this program; if not, write to the Free Software |
| 22 | .\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
| 23 | .\" |
| 24 | .\" |
| 25 | .SH NAME |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 26 | iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and NAT |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 27 | .SH SYNOPSIS |
Stefan Tomanek | d59b9db | 2011-03-08 22:42:51 +0100 | [diff] [blame] | 28 | \fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP} |
| 29 | \fIchain\fP \fIrule-specification\fP |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 30 | .P |
| 31 | \fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP} |
| 32 | \fIchain rule-specification\fP |
Jan Engelhardt | 8a679dc | 2008-10-29 09:48:23 +0100 | [diff] [blame] | 33 | .PP |
Jan Engelhardt | 1791a45 | 2009-02-20 16:39:54 +0100 | [diff] [blame] | 34 | \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP |
Jan Engelhardt | 8a679dc | 2008-10-29 09:48:23 +0100 | [diff] [blame] | 35 | .PP |
Jan Engelhardt | 1791a45 | 2009-02-20 16:39:54 +0100 | [diff] [blame] | 36 | \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum rule-specification\fP |
Jan Engelhardt | 8a679dc | 2008-10-29 09:48:23 +0100 | [diff] [blame] | 37 | .PP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 38 | \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP |
Jan Engelhardt | 8a679dc | 2008-10-29 09:48:23 +0100 | [diff] [blame] | 39 | .PP |
Jan Engelhardt | 1791a45 | 2009-02-20 16:39:54 +0100 | [diff] [blame] | 40 | \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]] |
Jan Engelhardt | 8a679dc | 2008-10-29 09:48:23 +0100 | [diff] [blame] | 41 | .PP |
Jan Engelhardt | fe086ba | 2009-08-19 22:36:03 +0200 | [diff] [blame] | 42 | \fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP} [\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP] |
Jan Engelhardt | 8a679dc | 2008-10-29 09:48:23 +0100 | [diff] [blame] | 43 | .PP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 44 | \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP |
Jan Engelhardt | 8a679dc | 2008-10-29 09:48:23 +0100 | [diff] [blame] | 45 | .PP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 46 | \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP] |
Jan Engelhardt | 8a679dc | 2008-10-29 09:48:23 +0100 | [diff] [blame] | 47 | .PP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 48 | \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP |
Jan Engelhardt | 8a679dc | 2008-10-29 09:48:23 +0100 | [diff] [blame] | 49 | .PP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 50 | \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP |
Jan Engelhardt | 6362bc8 | 2008-10-29 09:48:59 +0100 | [diff] [blame] | 51 | .PP |
| 52 | rule-specification = [\fImatches...\fP] [\fItarget\fP] |
| 53 | .PP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 54 | match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP] |
Jan Engelhardt | 6362bc8 | 2008-10-29 09:48:59 +0100 | [diff] [blame] | 55 | .PP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 56 | target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP] |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 57 | .SH DESCRIPTION |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 58 | \fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the |
| 59 | tables of IPv4 and IPv6 packet |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 60 | filter rules in the Linux kernel. Several different tables |
| 61 | may be defined. Each table contains a number of built-in |
| 62 | chains and may also contain user-defined chains. |
Jan Engelhardt | 0c2b5a4 | 2009-01-08 18:04:40 +0100 | [diff] [blame] | 63 | .PP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 64 | Each chain is a list of rules which can match a set of packets. Each |
| 65 | rule specifies what to do with a packet that matches. This is called |
| 66 | a `target', which may be a jump to a user-defined chain in the same |
| 67 | table. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 68 | .SH TARGETS |
Jan Engelhardt | 6cf172e | 2008-03-10 17:48:59 +0100 | [diff] [blame] | 69 | A firewall rule specifies criteria for a packet and a target. If the |
Florian Westphal | 54fccb1 | 2013-07-12 23:14:27 +0200 | [diff] [blame] | 70 | packet does not match, the next rule in the chain is examined; if |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 71 | it does match, then the next rule is specified by the value of the |
Florian Westphal | 54fccb1 | 2013-07-12 23:14:27 +0200 | [diff] [blame] | 72 | target, which can be the name of a user-defined chain, one of the targets |
| 73 | described in \fBiptables\-extensions\fP(8), or one of the |
| 74 | special values \fBACCEPT\fP, \fBDROP\fP or \fBRETURN\fP. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 75 | .PP |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 76 | \fBACCEPT\fP means to let the packet through. |
| 77 | \fBDROP\fP means to drop the packet on the floor. |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 78 | \fBRETURN\fP means stop traversing this chain and resume at the next |
| 79 | rule in the |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 80 | previous (calling) chain. If the end of a built-in chain is reached |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 81 | or a rule in a built-in chain with target \fBRETURN\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 82 | is matched, the target specified by the chain policy determines the |
| 83 | fate of the packet. |
| 84 | .SH TABLES |
Pablo Neira Ayuso | e422fd2 | 2013-02-17 14:05:35 +0100 | [diff] [blame] | 85 | There are currently five independent tables (which tables are present |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 86 | at any time depends on the kernel configuration options and which |
| 87 | modules are present). |
| 88 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 89 | \fB\-t\fP, \fB\-\-table\fP \fItable\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 90 | This option specifies the packet matching table which the command |
| 91 | should operate on. If the kernel is configured with automatic module |
| 92 | loading, an attempt will be made to load the appropriate module for |
| 93 | that table if it is not already there. |
| 94 | |
| 95 | The tables are as follows: |
| 96 | .RS |
| 97 | .TP .4i |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 98 | \fBfilter\fP: |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 99 | This is the default table (if no \-t option is passed). It contains |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 100 | the built-in chains \fBINPUT\fP (for packets destined to local sockets), |
| 101 | \fBFORWARD\fP (for packets being routed through the box), and |
| 102 | \fBOUTPUT\fP (for locally-generated packets). |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 103 | .TP |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 104 | \fBnat\fP: |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 105 | This table is consulted when a packet that creates a new |
Florian Westphal | d7b813f | 2016-04-26 18:15:43 +0200 | [diff] [blame] | 106 | connection is encountered. It consists of four built-ins: \fBPREROUTING\fP |
| 107 | (for altering packets as soon as they come in), \fBINPUT\fP (for altering |
| 108 | packets destined for local sockets), \fBOUTPUT\fP |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 109 | (for altering locally-generated packets before routing), and \fBPOSTROUTING\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 110 | (for altering packets as they are about to go out). |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 111 | IPv6 NAT support is available since kernel 3.7. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 112 | .TP |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 113 | \fBmangle\fP: |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 114 | This table is used for specialized packet alteration. Until kernel |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 115 | 2.4.17 it had two built-in chains: \fBPREROUTING\fP |
| 116 | (for altering incoming packets before routing) and \fBOUTPUT\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 117 | (for altering locally-generated packets before routing). |
| 118 | Since kernel 2.4.18, three other built-in chains are also supported: |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 119 | \fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP |
| 120 | (for altering packets being routed through the box), and \fBPOSTROUTING\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 121 | (for altering packets as they are about to go out). |
Harald Welte | a188599 | 2004-10-06 12:32:54 +0000 | [diff] [blame] | 122 | .TP |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 123 | \fBraw\fP: |
Harald Welte | a188599 | 2004-10-06 12:32:54 +0000 | [diff] [blame] | 124 | This table is used mainly for configuring exemptions from connection |
| 125 | tracking in combination with the NOTRACK target. It registers at the netfilter |
| 126 | hooks with higher priority and is thus called before ip_conntrack, or any other |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 127 | IP tables. It provides the following built-in chains: \fBPREROUTING\fP |
| 128 | (for packets arriving via any network interface) and \fBOUTPUT\fP |
Harald Welte | a188599 | 2004-10-06 12:32:54 +0000 | [diff] [blame] | 129 | (for packets generated by local processes). |
Mark Montague | df37d99 | 2011-04-04 14:54:52 +0200 | [diff] [blame] | 130 | .TP |
| 131 | \fBsecurity\fP: |
| 132 | This table is used for Mandatory Access Control (MAC) networking rules, such |
| 133 | as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets. |
| 134 | Mandatory Access Control is implemented by Linux Security Modules such as |
| 135 | SELinux. The security table is called after the filter table, allowing any |
| 136 | Discretionary Access Control (DAC) rules in the filter table to take effect |
| 137 | before MAC rules. This table provides the following built-in chains: |
| 138 | \fBINPUT\fP (for packets coming into the box itself), |
| 139 | \fBOUTPUT\fP (for altering locally-generated packets before routing), and |
| 140 | \fBFORWARD\fP (for altering packets being routed through the box). |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 141 | .RE |
| 142 | .SH OPTIONS |
| 143 | The options that are recognized by |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 144 | \fBiptables\fP and \fBip6tables\fP can be divided into several different groups. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 145 | .SS COMMANDS |
Jan Engelhardt | 6cf172e | 2008-03-10 17:48:59 +0100 | [diff] [blame] | 146 | These options specify the desired action to perform. Only one of them |
| 147 | can be specified on the command line unless otherwise stated |
| 148 | below. For long versions of the command and option names, you |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 149 | need to use only enough letters to ensure that |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 150 | \fBiptables\fP can differentiate it from all other options. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 151 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 152 | \fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 153 | Append one or more rules to the end of the selected chain. |
| 154 | When the source and/or destination names resolve to more than one |
| 155 | address, a rule will be added for each possible address combination. |
| 156 | .TP |
Stefan Tomanek | d59b9db | 2011-03-08 22:42:51 +0100 | [diff] [blame] | 157 | \fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP |
| 158 | Check whether a rule matching the specification does exist in the |
| 159 | selected chain. This command uses the same logic as \fB\-D\fP to |
| 160 | find a matching entry, but does not alter the existing iptables |
| 161 | configuration and uses its exit code to indicate success or failure. |
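An idempotent install step built on the \fB\-C\fP exit code described above, as an added example rather than iptables' own code. It assumes \fB\-C\fP exits 1 when no matching rule exists and treats any other non-zero status as an error; FakeIptables is a constructed stand-in so the example runs without root, and `run` can be left at its subprocess.run default against a real binary.

```python
"""Added example (not iptables code): append a rule only when -C reports it
absent. Assumption: -C exits 1 for "no matching rule"; any other non-zero
status is treated as a real error rather than a reason to append."""
import subprocess
from typing import Callable, Sequence


def ensure_rule(table: str, chain: str, rule: Sequence[str],
                run: Callable = subprocess.run, binary: str = "iptables") -> str:
    """Return 'present' if the rule already exists, 'added' after appending it."""
    base = [binary, "-t", table]
    check = run(base + ["-C", chain, *rule])
    if check.returncode == 0:
        return "present"
    if check.returncode != 1:
        # e.g. a parameter error (status 2): appending would only repeat the mistake
        raise RuntimeError(f"{binary} -C exited {check.returncode}; refusing to append")
    add = run(base + ["-A", chain, *rule])
    if add.returncode != 0:
        raise RuntimeError(f"{binary} -A exited {add.returncode}")
    return "added"


class FakeIptables:
    """Constructed stand-in for the iptables binary so the example runs offline.
    It models -C and -A on a per-chain rule list; the table argument is ignored."""

    class Result:
        def __init__(self, rc: int):
            self.returncode = rc

    def __init__(self, chains=("INPUT", "FORWARD", "OUTPUT")):
        self.rules = {c: [] for c in chains}
        self.calls = []                       # every argv seen, for inspection

    def __call__(self, argv, **kwargs):
        self.calls.append(list(argv))
        cmd, chain, spec = argv[3], argv[4], list(argv[5:])
        if chain not in self.rules:
            return self.Result(1)             # unknown chain is an error for -C and -A alike
        if cmd == "-C":
            return self.Result(0 if spec in self.rules[chain] else 1)
        if cmd == "-A":
            self.rules[chain].append(spec)
            return self.Result(0)
        return self.Result(2)                 # anything else: treat as a usage error


def demo() -> dict:
    """Install the same rule twice: the first call appends, the second is a no-op."""
    fake = FakeIptables()
    rule = ["-p", "tcp", "--dport", "22", "-j", "ACCEPT"]
    first = ensure_rule("filter", "INPUT", rule, run=fake)
    second = ensure_rule("filter", "INPUT", rule, run=fake)
    return {"first": first, "second": second,
            "rules": len(fake.rules["INPUT"]), "calls": len(fake.calls)}


if __name__ == "__main__":
    print(demo())
```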
| 162 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 163 | \fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 164 | .ns |
| 165 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 166 | \fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 167 | Delete one or more rules from the selected chain. There are two |
| 168 | versions of this command: the rule can be specified as a number in the |
| 169 | chain (starting at 1 for the first rule) or a rule to match. |
| 170 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 171 | \fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 172 | Insert one or more rules in the selected chain as the given rule |
| 173 | number. So, if the rule number is 1, the rule or rules are inserted |
| 174 | at the head of the chain. This is also the default if no rule number |
| 175 | is specified. |
| 176 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 177 | \fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 178 | Replace a rule in the selected chain. If the source and/or |
| 179 | destination names resolve to multiple addresses, the command will |
| 180 | fail. Rules are numbered starting at 1. |
| 181 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 182 | \fB\-L\fP, \fB\-\-list\fP [\fIchain\fP] |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 183 | List all rules in the selected chain. If no chain is selected, all |
Jan Engelhardt | 6cf172e | 2008-03-10 17:48:59 +0100 | [diff] [blame] | 184 | chains are listed. Like every other iptables command, it applies to the |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 185 | specified table (filter is the default), so NAT rules get listed by |
| 186 | .nf |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 187 | iptables \-t nat \-n \-L |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 188 | .fi |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 189 | Please note that it is often used with the \fB\-n\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 190 | option, in order to avoid long reverse DNS lookups. |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 191 | It is legal to specify the \fB\-Z\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 192 | (zero) option as well, in which case the chain(s) will be atomically |
| 193 | listed and zeroed. The exact output is affected by the other |
| 194 | arguments given. The exact rules are suppressed until you use |
| 195 | .nf |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 196 | iptables \-L \-v |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 197 | .fi |
Florian Westphal | 7e120ef | 2016-01-05 00:29:10 +0100 | [diff] [blame] | 198 | or |
| 199 | \fBiptables\-save\fP(8). |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 200 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 201 | \fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP] |
Henrik Nordstrom | 96296cf | 2008-05-13 13:08:26 +0200 | [diff] [blame] | 202 | Print all rules in the selected chain. If no chain is selected, all |
Jan Engelhardt | 352ccfb | 2009-08-20 17:15:22 +0200 | [diff] [blame] | 203 | chains are printed like iptables-save. Like every other iptables command, |
Henrik Nordstrom | 96296cf | 2008-05-13 13:08:26 +0200 | [diff] [blame] | 204 | it applies to the specified table (filter is the default). |
| 205 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 206 | \fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP] |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 207 | Flush the selected chain (all the chains in the table if none is given). |
| 208 | This is equivalent to deleting all the rules one by one. |
| 209 | .TP |
Jan Engelhardt | fe086ba | 2009-08-19 22:36:03 +0200 | [diff] [blame] | 210 | \fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]] |
| 211 | Zero the packet and byte counters in all chains, or only the given chain, |
| 212 | or only the given rule in a chain. It is legal to |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 213 | specify the |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 214 | \fB\-L\fP, \fB\-\-list\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 215 | (list) option as well, to see the counters immediately before they are |
| 216 | cleared. (See above.) |
| 217 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 218 | \fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 219 | Create a new user-defined chain by the given name. There must be no |
| 220 | target of that name already. |
| 221 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 222 | \fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP] |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 223 | Delete the optional user-defined chain specified. There must be no references |
Harald Welte | 3a02693 | 2005-11-22 22:22:28 +0000 | [diff] [blame] | 224 | to the chain. If there are, you must delete or replace the referring rules |
| 225 | before the chain can be deleted. The chain must be empty, i.e. not contain |
| 226 | any rules. If no argument is given, it will attempt to delete every |
| 227 | non-builtin chain in the table. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 228 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 229 | \fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP |
Florian Westphal | 69f3f84 | 2014-04-17 13:03:00 +0200 | [diff] [blame] | 230 | Set the policy for the built-in (non-user-defined) chain to the given target. |
| 231 | The policy target must be either \fBACCEPT\fP or \fBDROP\fP. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 232 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 233 | \fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 234 | Rename the user specified chain to the user supplied name. This is |
| 235 | cosmetic, and has no effect on the structure of the table. |
| 236 | .TP |
Laurence J. Lane | cfb048f | 2009-08-20 17:14:25 +0200 | [diff] [blame] | 237 | \fB\-h\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 238 | Help. |
| 239 | Give a (currently very brief) description of the command syntax. |
| 240 | .SS PARAMETERS |
| 241 | The following parameters make up a rule specification (as used in the |
| 242 | add, delete, insert, replace and append commands). |
| 243 | .TP |
Jan Engelhardt | 983196c | 2012-12-25 13:11:28 +0000 | [diff] [blame] | 244 | \fB\-4\fP, \fB\-\-ipv4\fP |
| 245 | This option has no effect in iptables and iptables-restore. |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 246 | If a rule using the \fB\-4\fP option is inserted with (and only with) |
| 247 | ip6tables-restore, it will be silently ignored. Any other uses will throw an |
| 248 | error. This option makes it possible to put both IPv4 and IPv6 rules in a single rule file |
| 249 | for use with both iptables-restore and ip6tables-restore. |
Jan Engelhardt | 983196c | 2012-12-25 13:11:28 +0000 | [diff] [blame] | 250 | .TP |
| 251 | \fB\-6\fP, \fB\-\-ipv6\fP |
| 252 | If a rule using the \fB\-6\fP option is inserted with (and only with) |
| 253 | iptables-restore, it will be silently ignored. Any other uses will throw an |
| 254 | error. This option makes it possible to put both IPv4 and IPv6 rules in a single rule file |
| 255 | for use with both iptables-restore and ip6tables-restore. |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 256 | This option has no effect in ip6tables and ip6tables-restore. |
Jan Engelhardt | 983196c | 2012-12-25 13:11:28 +0000 | [diff] [blame] | 257 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 258 | [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 259 | The protocol of the rule or of the packet to check. |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 260 | The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP, |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 261 | \fBicmp\fP, \fBicmpv6\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP", |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 262 | or it can be a numeric value, representing one of these protocols or a |
| 263 | different one. A protocol name from /etc/protocols is also allowed. |
| 264 | A "!" argument before the protocol inverts the |
Jan Engelhardt | 10345ca | 2011-05-21 00:58:44 +0200 | [diff] [blame] | 265 | test. The number zero is equivalent to \fBall\fP. "\fBall\fP" |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 266 | will match with all protocols and is taken as default when this |
| 267 | option is omitted. |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 268 | Note that, in ip6tables, IPv6 extension headers except \fBesp\fP are not allowed. |
| 269 | \fBesp\fP and \fBipv6\-nonext\fP |
| 270 | can be used with Kernel version 2.6.11 or later. |
| 271 | The number zero is equivalent to \fBall\fP, which means that you cannot |
| 272 | test the protocol field for the value 0 directly. To match on a HBH header, |
| 273 | even if it were the last, you cannot use \fB\-p 0\fP, but always need |
| 274 | \fB\-m hbh\fP. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 275 | .TP |
Michael Granzow | 332e4ac | 2009-04-09 18:24:36 +0100 | [diff] [blame] | 276 | [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP] |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 277 | Source specification. \fIAddress\fP |
Jan Engelhardt | 1bd2f0a | 2009-11-18 00:00:37 +0100 | [diff] [blame] | 278 | can be either a network name, a hostname, a network IP address (with |
| 279 | \fB/\fP\fImask\fP), or a plain IP address. Hostnames will |
| 280 | be resolved once only, before the rule is submitted to the kernel. |
| 281 | Please note that specifying any name to be resolved with a remote query such as |
| 282 | DNS is a really bad idea. |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 283 | The \fImask\fP |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 284 | can be either an IPv4 network mask (for iptables) or a plain number, |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 285 | specifying the number of 1's at the left side of the network mask. |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 286 | Thus, an iptables mask of \fI24\fP is equivalent to \fI255.255.255.0\fP. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 287 | A "!" argument before the address specification inverts the sense of |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 288 | the address. The flag \fB\-\-src\fP is an alias for this option. |
Michael Granzow | 332e4ac | 2009-04-09 18:24:36 +0100 | [diff] [blame] | 289 | Multiple addresses can be specified, but this will \fBexpand to multiple |
| 290 | rules\fP (when adding with \-A), or will cause multiple rules to be |
| 291 | deleted (with \-D). |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 292 | .TP |
Michael Granzow | 332e4ac | 2009-04-09 18:24:36 +0100 | [diff] [blame] | 293 | [\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP] |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 294 | Destination specification. |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 295 | See the description of the \fB\-s\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 296 | (source) flag for a detailed description of the syntax. The flag |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 297 | \fB\-\-dst\fP is an alias for this option. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 298 | .TP |
Jan Engelhardt | db1414e | 2012-12-25 13:11:27 +0000 | [diff] [blame] | 299 | \fB\-m\fP, \fB\-\-match\fP \fImatch\fP |
| 300 | Specifies a match to use, that is, an extension module that tests for a |
| 301 | specific property. The set of matches make up the condition under which a |
| 302 | target is invoked. Matches are evaluated first to last as specified on the |
| 303 | command line and work in short-circuit fashion, i.e. if one extension yields |
| 304 | false, evaluation will stop. |
| 305 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 306 | \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 307 | This specifies the target of the rule; i.e., what to do if the packet |
| 308 | matches it. The target can be a user-defined chain (other than the |
| 309 | one this rule is in), one of the special builtin targets which decide |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 310 | the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 311 | below). If this |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 312 | option is omitted in a rule (and \fB\-g\fP |
Henrik Nordstrom | 17fc163 | 2005-11-05 09:26:40 +0000 | [diff] [blame] | 313 | is not used), then matching the rule will have no |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 314 | effect on the packet's fate, but the counters on the rule will be |
| 315 | incremented. |
| 316 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 317 | \fB\-g\fP, \fB\-\-goto\fP \fIchain\fP |
Henrik Nordstrom | 17fc163 | 2005-11-05 09:26:40 +0000 | [diff] [blame] | 318 | This specifies that the processing should continue in a user |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 319 | specified chain. Unlike the \-\-jump option, return will not continue |
Henrik Nordstrom | 17fc163 | 2005-11-05 09:26:40 +0000 | [diff] [blame] | 320 | processing in this chain but instead in the chain that called us via |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 321 | \-\-jump. |
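The traversal described in TARGETS and in the \fB\-m\fP, \fB\-j\fP and \fB\-g\fP entries, as an added Python model (not iptables code): packets are dicts, the in_iface/src/proto/dport helpers stand in for \-i, \-s, \-p and \-\-dport, and build_filter is a constructed ruleset whose only variable is whether lan_udp is entered with \-g or \-j, so the two verdicts show how a RETURN from that chain differs.

```python
"""Added model of iptables chain traversal (not iptables code): rules are tried
in order, matches short-circuit, ACCEPT/DROP end traversal, RETURN resumes in the
calling chain, a built-in chain's policy decides when nothing else did, and a
-g chain that returns does not resume in the chain that did the goto."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

Packet = dict                      # constructed packet: src, proto, dport, in_iface
Match = Callable[[Packet], bool]   # one -m style predicate


@dataclass
class Rule:
    matches: list                  # evaluated first to last, short-circuit on False
    target: Optional[str] = None   # None models a rule with neither -j nor -g
    goto: bool = False             # True models -g, False models -j
    packets: int = 0               # per-rule counter, bumped on every match


@dataclass
class Chain:
    name: str
    rules: list = field(default_factory=list)
    policy: Optional[str] = None   # ACCEPT/DROP on built-ins, None on user chains


class Table:
    def __init__(self, *chains: Chain):
        self.chains = {c.name: c for c in chains}

    def _run_chain(self, name: str, pkt: Packet) -> str:
        """Run one chain; ACCEPT/DROP end traversal, RETURN hands back to the caller."""
        for rule in self.chains[name].rules:
            # all() stops at the first false match, like the kernel's short-circuit
            if not all(m(pkt) for m in rule.matches):
                continue
            rule.packets += 1
            if rule.target is None:
                continue                    # counters only, fate unchanged
            if rule.target in ("ACCEPT", "DROP", "RETURN"):
                return rule.target
            result = self._run_chain(rule.target, pkt)   # user-defined chain
            if result != "RETURN":
                return result               # callee decided the fate
            if rule.goto:
                return "RETURN"             # -g: callee's return skips the rest of this chain
            # -j: resume with the next rule of this chain
        return "RETURN"                     # falling off the end acts like RETURN

    def verdict(self, entry: str, pkt: Packet) -> str:
        """Fate of pkt entering built-in chain `entry`; the policy decides if nothing else did."""
        result = self._run_chain(entry, pkt)
        return self.chains[entry].policy if result == "RETURN" else result


# match helpers standing in for -i, -s, -p and --dport
def in_iface(name):
    return lambda p: p.get("in_iface") == name

def src(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net

def proto(name):
    return lambda p: p["proto"] == name

def dport(port):
    return lambda p: p.get("dport") == port


def build_filter(use_goto: bool) -> Table:
    """INPUT with policy DROP, a from_lan chain, and a lan_udp chain entered by -g or -j."""
    lan_udp = Chain("lan_udp", [Rule([dport(53)], "ACCEPT")])
    from_lan = Chain("from_lan", [
        Rule([proto("tcp"), dport(80)], "ACCEPT"),
        Rule([proto("udp")], "lan_udp", goto=use_goto),
        Rule([proto("icmp")], "RETURN"),
        Rule([], "ACCEPT"),                # catch-all for everything else from the LAN
    ])
    inp = Chain("INPUT", [
        Rule([in_iface("lo")], "ACCEPT"),
        Rule([src("10.0.0.0/8")], "from_lan"),
        Rule([proto("tcp"), dport(22)], "ACCEPT"),
        Rule([]),                          # no target: counts what falls through to the policy
    ], policy="DROP")
    return Table(inp, from_lan, lan_udp)


def demo() -> dict:
    """Verdicts for constructed packets, once with -g and once with -j into lan_udp."""
    out = {}
    for mode in ("goto", "jump"):
        t = build_filter(use_goto=(mode == "goto"))
        out[mode] = {
            "lan_udp_123": t.verdict("INPUT", {"src": "10.1.2.3", "proto": "udp", "dport": 123}),
            "lan_icmp":    t.verdict("INPUT", {"src": "10.1.2.3", "proto": "icmp"}),
            "lan_udp_53":  t.verdict("INPUT", {"src": "10.1.2.3", "proto": "udp", "dport": 53}),
            "wan_tcp_80":  t.verdict("INPUT", {"src": "192.0.2.5", "proto": "tcp", "dport": 80}),
            "wan_tcp_22":  t.verdict("INPUT", {"src": "192.0.2.5", "proto": "tcp", "dport": 22}),
            "policy_hits": t.chains["INPUT"].rules[3].packets,
        }
    return out


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

With \-g, a LAN UDP packet that lan_udp does not accept returns straight past from_lan's catch-all and ends at the INPUT policy; with \-j the same packet resumes in from_lan and is accepted there.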
Henrik Nordstrom | 17fc163 | 2005-11-05 09:26:40 +0000 | [diff] [blame] | 322 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 323 | [\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP |
Matthew Strait | 403cf6a | 2004-03-17 14:26:08 +0000 | [diff] [blame] | 324 | Name of an interface via which a packet was received (only for |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 325 | packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 326 | chains). When the "!" argument is used before the interface name, the |
| 327 | sense is inverted. If the interface name ends in a "+", then any |
| 328 | interface which begins with this name will match. If this option is |
| 329 | omitted, any interface name will match. |
| 330 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 331 | [\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 332 | Name of an interface via which a packet is going to be sent (for packets |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 333 | entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 334 | chains). When the "!" argument is used before the interface name, the |
| 335 | sense is inverted. If the interface name ends in a "+", then any |
| 336 | interface which begins with this name will match. If this option is |
| 337 | omitted, any interface name will match. |
| 338 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 339 | [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 340 | This means that the rule only refers to second and further IPv4 fragments |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 341 | of fragmented packets. Since there is no way to tell the source or |
| 342 | destination ports of such a packet (or ICMP type), such a packet will |
| 343 | not match any rules which specify them. When the "!" argument |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 344 | precedes the "\-f" flag, the rule will only match head fragments, or |
Florian Westphal | c25defa | 2013-07-14 19:32:12 +0200 | [diff] [blame] | 345 | unfragmented packets. This option is IPv4 specific, it is not available |
| 346 | in ip6tables. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 347 | .TP |
Jan Engelhardt | 0e8984a | 2009-01-12 07:06:12 +0100 | [diff] [blame] | 348 | \fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 349 | This enables the administrator to initialize the packet and byte |
Jan Engelhardt | 55dffef | 2008-07-03 20:27:50 +0200 | [diff] [blame] | 350 | counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 351 | operations). |
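.PP
The interface semantics of \fB\-i\fP and \fB\-o\fP above (exact name,
trailing "+" as a prefix wildcard, leading "!" as inversion) as an added
shell example; this is not code from this man page or from the netfilter
project. It reproduces the matching in plain shell so that a rule's
interface pattern can be checked against a host's interface list before
the rule is loaded, and it renders the rule text with the inversion in
the position the man page describes. The function names and the interface
list are this example's own (the list is constructed), and nothing in it
calls iptables(8), so it runs unprivileged.

```shell
#!/bin/sh
# Added example: reproduces the -i/-o interface-name semantics of the
# iptables man page in shell.  Not part of iptables; it never calls the
# real binary, so it can run unprivileged as a pre-load check.

# iface_matches PATTERN NAME
# Returns 0 when NAME would be matched by "-i PATTERN" or "-o PATTERN".
# A trailing "+" makes PATTERN a prefix wildcard ("eth+" matches eth0,
# eth1 and also a bare "eth"); without it the names must be identical.
# A pattern of just "+" therefore matches every interface.
iface_matches() {
    _pat=$1
    _name=$2
    case $_pat in
        *+)
            _prefix=${_pat%+}
            case $_name in
                "$_prefix"*) return 0 ;;
                *)           return 1 ;;
            esac
            ;;
        *)
            [ "$_pat" = "$_name" ]
            ;;
    esac
}

# matching_ifaces PATTERN [NAME...]
# Prints, one per line, the names from the list that PATTERN matches.
# On a real host feed it `ip -o link | awk -F': ' '{print $2}'`; the
# list at the bottom is constructed for the demonstration.
matching_ifaces() {
    _pat=$1
    shift
    for _n in "$@"; do
        if iface_matches "$_pat" "$_n"; then
            printf '%s\n' "$_n"
        fi
    done
}

# in_iface_rule CHAIN [!] PATTERN TARGET [MATCH...]
# Renders the iptables command for an input-interface rule.  A "!" right
# after the chain places the inversion before -i, as the man page
# describes, so the rule applies to every interface except PATTERN; any
# further arguments are extra matches inserted before the target.
in_iface_rule() {
    _chain=$1
    shift
    _neg=""
    if [ "$1" = "!" ]; then
        _neg="! "
        shift
    fi
    _pat=$1
    _target=$2
    shift 2
    _extra=""
    for _m in "$@"; do
        _extra="$_extra$_m "
    done
    printf 'iptables -A %s %s-i %s %s-j %s\n' \
        "$_chain" "$_neg" "$_pat" "$_extra" "$_target"
}

# Constructed interface list standing in for a real host's `ip -o link`.
SAMPLE_IFACES="lo eth0 eth1 wlan0 docker0 veth1a2b"

if [ "${1:-}" = "demo" ]; then
    echo "Interfaces matched by -i eth+:"
    matching_ifaces 'eth+' $SAMPLE_IFACES
    echo "Anti-spoofing rule: loopback source arriving on anything but lo:"
    in_iface_rule INPUT '!' lo DROP -s 127.0.0.0/8
fi
```

.PP
On a real host, replace the constructed list with the names from
\fBip \-o link\fP. A wildcard on an accepting rule also covers interfaces
that do not exist yet (an \fBeth+\fP rule will match a future eth2),
which is the usual reason to prefer an exact name on rules that accept
traffic and to keep wildcards for rules that drop or log.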
.SS "OTHER OPTIONS"
The following additional options can be specified:
.TP
\fB\-v\fP, \fB\-\-verbose\fP
Verbose output. This option makes the list command show the interface
name, the rule options (if any), and the TOS masks. The packet and
byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
the \fB\-x\fP flag to change this).
For appending, insertion, deletion and replacement, this causes
detailed information on the rule or rules to be printed. \fB\-v\fP may be
specified multiple times to emit more detailed debug statements, where available.
.TP
\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP]
Wait for the xtables lock.
To prevent multiple instances of the program from running concurrently,
an attempt will be made to obtain an exclusive lock at launch. By default,
the program will exit if the lock cannot be obtained. This option will
make the program wait (indefinitely, or for the optional \fIseconds\fP) until
the exclusive lock can be obtained.
.TP
\fB\-W\fP, \fB\-\-wait\-interval\fP \fImicroseconds\fP
Interval to wait per iteration.
When running latency sensitive applications, waiting for the xtables lock
for extended durations may not be acceptable. This option will make each
iteration take the amount of time specified. The default interval is
1 second. This option only works with \fB\-w\fP.
.TP
\fB\-n\fP, \fB\-\-numeric\fP
Numeric output.
IP addresses and port numbers will be printed in numeric format.
By default, the program will try to display them as host names,
network names, or services (whenever applicable).
.TP
\fB\-x\fP, \fB\-\-exact\fP
Expand numbers.
Display the exact value of the packet and byte counters,
instead of only the rounded number in K's (multiples of 1000),
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the \fB\-L\fP command.
.TP
\fB\-\-line\-numbers\fP
When listing rules, add line numbers to the beginning of each rule,
corresponding to that rule's position in the chain.
.TP
\fB\-\-modprobe=\fP\fIcommand\fP
When adding or inserting rules into a chain, use \fIcommand\fP
to load any necessary modules (targets, match extensions, etc).
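.PP
Reading the \fB\-v\fP listing programmatically, as an added shell example
that is not code from this man page or from the netfilter project: it
parses constructed output of \fBiptables \-L INPUT \-v \-n \-\-line\-numbers\fP
into rule number, target, input interface and counters, expands the K, M
and G suffixes described under \fB\-v\fP, and reports the rules whose packet
counter grew between two snapshots, which is how a monitor notices traffic
hitting a DROP or LOG rule. The two listings are constructed samples and
the function names are this example's own.

```shell
#!/bin/sh
# Added example: parses `iptables -L CHAIN -v -n --line-numbers` output
# and reports rules whose packet counters grew between two snapshots.
# Not part of iptables; the listings below are constructed samples in
# that format, so the script runs without root or a netfilter kernel.

# expand_counter VALUE
# Converts the rounded counter forms that -v prints without -x
# ("12K", "3M", "1G") into plain integers.  The result is as coarse as
# the suffix; list with -x to get exact values instead.
expand_counter() {
    case $1 in
        *K) echo $(( ${1%K} * 1000 )) ;;
        *M) echo $(( ${1%M} * 1000000 )) ;;
        *G) echo $(( ${1%G} * 1000000000 )) ;;
        *)  echo "$1" ;;
    esac
}

# parse_listing < LISTING
# Emits "num target in pkts bytes" per rule.  With --line-numbers the
# first column is the rule position and with -v the counters come next,
# so the fields are: num pkts bytes target prot opt in out src dst ...
# -n keeps addresses numeric, which keeps every column a single word.
parse_listing() {
    awk '
        /^Chain / { next }   # "Chain INPUT (policy DROP ...)"
        /^num /   { next }   # column titles
        NF >= 8   { print $1, $4, $7, $2, $3 }
    ' | while read -r num target iface pkts bytes; do
        printf '%s %s %s %s %s\n' "$num" "$target" "$iface" \
            "$(expand_counter "$pkts")" "$(expand_counter "$bytes")"
    done
}

# counters_grew BEFORE AFTER
# BEFORE and AFTER are two listings of the same chain.  Prints
# "num target in delta_pkts" for every rule whose packet counter
# increased; a growing DROP or LOG rule is the signal a monitor wants.
counters_grew() {
    {
        printf '%s\n' "$1" | parse_listing | sed 's/^/B /'
        printf '%s\n' "$2" | parse_listing | sed 's/^/A /'
    } | awk '
        $1 == "B" { pkts[$2] = $5; next }
        $1 == "A" && ($2 in pkts) && $5 > pkts[$2] {
            print $2, $3, $4, $5 - pkts[$2]
        }
    '
}

# Constructed snapshots in the -L -v -n --line-numbers format.
LISTING_BEFORE=$(cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 960 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    1234K  890M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       85  5120 DROP       all  --  eth+   *       10.0.0.0/8           0.0.0.0/0
3      203   12K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4 prefix "SSH "
EOF
)
LISTING_AFTER=$(cat <<'EOF'
Chain INPUT (policy DROP 14 packets, 1120 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    1235K  891M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      140  8400 DROP       all  --  eth+   *       10.0.0.0/8           0.0.0.0/0
3      203   12K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4 prefix "SSH "
EOF
)

if [ "${1:-}" = "demo" ]; then
    counters_grew "$LISTING_BEFORE" "$LISTING_AFTER"
fi
```

.PP
Because \fB\-v\fP rounds, deltas computed from suffixed values are coarse:
a rule that moved from 1234K to 1235K packets shows as 1000 whatever the
real change was. Add \fB\-x\fP to the list command and the same parser
receives exact integers; \fB\-n\fP keeps the address columns numeric so the
listing neither blocks on name resolution nor shifts columns, and
\fB\-\-line\-numbers\fP gives a stable key per rule position.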
.SH MATCH AND TARGET EXTENSIONS
.PP
iptables can use extended packet matching and target modules.
A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
.SH DIAGNOSTICS
Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by
invalid or abused command line parameters cause an exit code of 2, and
other errors cause an exit code of 1.
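.PP
A wrapper for \fB\-w\fP/\fB\-W\fP and for the exit codes above, as an added
shell example that is not code from this man page or from the netfilter
project. Scripts that load rules (provisioning, restoring a policy at boot)
should wait for the xtables lock rather than fail because another
iptables instance happens to hold it, and should distinguish an exit code
of 2 (a malformed rule in the script, which will not fix itself on retry)
from an exit code of 1 (a runtime failure such as a missing module).
The \fBIPTABLES_CMD\fP and \fBIPTABLES_WAIT_*\fP variables are this
example's own, not variables iptables reads; they default to the real
binary and exist so the wrapper can be exercised against a stub.

```shell
#!/bin/sh
# Added example: a wrapper around iptables(8) for rule-loading scripts.
# Not part of iptables.  It always passes -w/-W so a concurrent iptables
# run cannot make the call fail on the xtables lock, and it classifies
# the exit status by the codes listed under DIAGNOSTICS.
#
# IPTABLES_CMD and the two *_WAIT_* variables are this example's own
# (iptables itself reads no such variables); they default to the real
# binary and let the wrapper be exercised against a stub.
: "${IPTABLES_CMD:=iptables}"
: "${IPTABLES_WAIT_SECONDS:=10}"          # -w: give up after 10 s
: "${IPTABLES_WAIT_INTERVAL_US:=200000}"  # -W: retry the lock every 200 ms

# status_class CODE
# Maps an iptables exit code to one of: ok, usage, error.
status_class() {
    case $1 in
        0) echo ok ;;     # correct functioning
        2) echo usage ;;  # invalid or abused command line parameters
        *) echo error ;;  # any other failure (lock timeout, kernel error ...)
    esac
}

# run_iptables ARGS...
# Runs iptables with the wait options prepended, prints the class of the
# result on stdout and returns the original exit code unchanged.
run_iptables() {
    if $IPTABLES_CMD -w "$IPTABLES_WAIT_SECONDS" \
                     -W "$IPTABLES_WAIT_INTERVAL_US" "$@"; then
        _rc=0
    else
        _rc=$?
    fi
    status_class "$_rc"
    return "$_rc"
}

# apply_rules < RULE_LIST
# Reads one rule per line (the arguments that would follow "iptables"),
# skips blank lines and "#" comments, applies each rule through
# run_iptables and stops at the first failure so that a half-applied
# policy is reported instead of silently left in place.  Returns 0 when
# every rule was applied, otherwise the failing call's exit code.
apply_rules() {
    _n=0
    while IFS= read -r _line; do
        case $_line in ''|'#'*) continue ;; esac
        _n=$((_n + 1))
        # Word splitting of $_line into arguments is intended here.
        if run_iptables $_line >/dev/null; then
            continue
        else
            _rc=$?
            echo "rule $_n failed ($(status_class "$_rc"), exit $_rc): $_line" >&2
            return "$_rc"
        fi
    done
    return 0
}
```

.PP
\fBapply_rules\fP stops at the first failing rule rather than continuing,
so a partially applied policy shows up in the exit code instead of being
left in place silently; the caller can then restore the previous rule set
with \fBiptables\-restore\fP(8).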
.SH BUGS
Bugs? What's this? ;-)
Well, you might want to have a look at http://bugzilla.netfilter.org/
.SH COMPATIBILITY WITH IPCHAINS
This \fBiptables\fP
is very similar to ipchains by Rusty Russell. The main difference is
that the chains \fBINPUT\fP and \fBOUTPUT\fP
are only traversed for packets coming into the local host and
originating from the local host respectively. Hence every packet only
passes through one of the three chains (except loopback traffic, which
involves both INPUT and OUTPUT chains); previously a forwarded packet
would pass through all three.
.PP
The other main difference is that \fB\-i\fP refers to the input interface;
\fB\-o\fP refers to the output interface, and both are available for packets
entering the \fBFORWARD\fP chain.
.PP
The various forms of NAT have been separated out; \fBiptables\fP
is a pure packet filter when using the default `filter' table, with
optional extension modules. This should simplify much of the
confusion over the combination of IP masquerading and packet filtering
seen previously. So the following options are handled differently:
.nf
\-j MASQ
\-M \-S
\-M \-L
.fi
There are several other changes in iptables.
.SH SEE ALSO
\fBiptables\-apply\fP(8),
\fBiptables\-save\fP(8),
\fBiptables\-restore\fP(8),
\fBiptables\-extensions\fP(8)
.PP
The packet-filtering-HOWTO details iptables usage for
packet filtering, the NAT-HOWTO details NAT,
the netfilter-extensions-HOWTO details the extensions that are
not in the standard distribution,
and the netfilter-hacking-HOWTO details the netfilter internals.
.br
See
.BR "http://www.netfilter.org/" .
.SH AUTHORS
Rusty Russell originally wrote iptables, in early consultation with Michael
Neuling.
.PP
Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
selection framework in iptables, then wrote the mangle table, the owner match,
the mark stuff, and ran around doing cool stuff everywhere.
.PP
James Morris wrote the TOS target, and tos match.
.PP
Jozsef Kadlecsik wrote the REJECT target.
.PP
Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as the TTL, DSCP, ECN matches and targets.
.PP
The Netfilter Core Team is: Jozsef Kadlecsik, Patrick McHardy, Pablo Neira
Ayuso, Eric Leblond and Florian Westphal. Emeritus Core Team members are: Marc
Boucher, Martin Josefsson, Yasuyuki Kozakai, James Morris, Harald Welte and
Rusty Russell.
.PP
Man page originally written by Herve Eychenne <rv@wallfire.org>.
.\" .. and did I mention that we are incredibly cool people?
.\" .. sexy, too ..
.\" .. witty, charming, powerful ..
.\" .. and most of all, modest ..
.SH VERSION
.PP
This manual page applies to iptables/ip6tables @PACKAGE_VERSION@.