.TH IPTABLES 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
.\"
.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
.\" It is based on ipchains page.
.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
.\"
.\" ipchains page by Paul ``Rusty'' Russell March 1997
.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
.SH NAME
iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and NAT
.SH SYNOPSIS
\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
\fIchain\fP \fIrule-specification\fP
.P
\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
\fIchain rule-specification\fP
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum rule-specification\fP
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP} [\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
.PP
rule-specification = [\fImatches...\fP] [\fItarget\fP]
.PP
match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
.PP
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
.SH DESCRIPTION
\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
tables of IPv4 and IPv6 packet
filter rules in the Linux kernel. Several different tables
may be defined. Each table contains a number of built-in
chains and may also contain user-defined chains.
.PP
Each chain is a list of rules which can match a set of packets. Each
rule specifies what to do with a packet that matches. This is called
a `target', which may be a jump to a user-defined chain in the same
table.
.SH TARGETS
A firewall rule specifies criteria for a packet and a target. If the
packet does not match, the next rule in the chain is examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain, one of the targets
described in \fBiptables\-extensions\fP(8), or one of the
special values \fBACCEPT\fP, \fBDROP\fP or \fBRETURN\fP.
.PP
\fBACCEPT\fP means to let the packet through.
\fBDROP\fP means to drop the packet on the floor.
\fBRETURN\fP means stop traversing this chain and resume at the next
rule in the
previous (calling) chain. If the end of a built-in chain is reached
or a rule in a built-in chain with target \fBRETURN\fP
is matched, the target specified by the chain policy determines the
fate of the packet.
.SH TABLES
There are currently five independent tables (which tables are present
at any time depends on the kernel configuration options and which
modules are present).
.TP
\fB\-t\fP, \fB\-\-table\fP \fItable\fP
This option specifies the packet matching table which the command
should operate on. If the kernel is configured with automatic module
loading, an attempt will be made to load the appropriate module for
that table if it is not already there.

The tables are as follows:
.RS
.TP .4i
\fBfilter\fP:
This is the default table (if no \-t option is passed). It contains
the built-in chains \fBINPUT\fP (for packets destined to local sockets),
\fBFORWARD\fP (for packets being routed through the box), and
\fBOUTPUT\fP (for locally-generated packets).
.TP
\fBnat\fP:
This table is consulted when a packet that creates a new
connection is encountered. It consists of four built-ins: \fBPREROUTING\fP
(for altering packets as soon as they come in), \fBINPUT\fP (for altering
packets destined for local sockets), \fBOUTPUT\fP
(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
(for altering packets as they are about to go out).
IPv6 NAT support is available since kernel 3.7.
.TP
\fBmangle\fP:
This table is used for specialized packet alteration. Until kernel
2.4.17 it had two built-in chains: \fBPREROUTING\fP
(for altering incoming packets before routing) and \fBOUTPUT\fP
(for altering locally-generated packets before routing).
Since kernel 2.4.18, three other built-in chains are also supported:
\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
(for altering packets being routed through the box), and \fBPOSTROUTING\fP
(for altering packets as they are about to go out).
.TP
\fBraw\fP:
This table is used mainly for configuring exemptions from connection
tracking in combination with the NOTRACK target. It registers at the netfilter
hooks with higher priority and is thus called before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) and \fBOUTPUT\fP
(for packets generated by local processes).
.TP
\fBsecurity\fP:
This table is used for Mandatory Access Control (MAC) networking rules, such
as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
Mandatory Access Control is implemented by Linux Security Modules such as
SELinux. The security table is called after the filter table, allowing any
Discretionary Access Control (DAC) rules in the filter table to take effect
before MAC rules. This table provides the following built-in chains:
\fBINPUT\fP (for packets coming into the box itself),
\fBOUTPUT\fP (for altering locally-generated packets before routing), and
\fBFORWARD\fP (for altering packets being routed through the box).
.RE
.SH OPTIONS
The options that are recognized by
\fBiptables\fP and \fBip6tables\fP can be divided into several different groups.
.SS COMMANDS
These options specify the desired action to perform. Only one of them
can be specified on the command line unless otherwise stated
below. For long versions of the command and option names, you
need to use only enough letters to ensure that
\fBiptables\fP can differentiate it from all other options.
.TP
\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
Append one or more rules to the end of the selected chain.
When the source and/or destination names resolve to more than one
address, a rule will be added for each possible address combination.
.TP
\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
Check whether a rule matching the specification does exist in the
selected chain. This command uses the same logic as \fB\-D\fP to
find a matching entry, but does not alter the existing iptables
configuration and uses its exit code to indicate success or failure.
.TP
\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
.ns
.TP
\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
Delete one or more rules from the selected chain. There are two
versions of this command: the rule can be specified as a number in the
chain (starting at 1 for the first rule) or a rule to match.
.TP
\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
Insert one or more rules in the selected chain as the given rule
number. So, if the rule number is 1, the rule or rules are inserted
at the head of the chain. This is also the default if no rule number
is specified.
.TP
\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
Replace a rule in the selected chain. If the source and/or
destination names resolve to multiple addresses, the command will
fail. Rules are numbered starting at 1.
.TP
\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
List all rules in the selected chain. If no chain is selected, all
chains are listed. Like every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
.nf
iptables \-t nat \-n \-L
.fi
Please note that it is often used with the \fB\-n\fP
option, in order to avoid long reverse DNS lookups.
It is legal to specify the \fB\-Z\fP
(zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other
arguments given. The exact rules are suppressed until you use
.nf
iptables \-L \-v
.fi
or
\fBiptables\-save\fP(8).
.TP
\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
Print all rules in the selected chain. If no chain is selected, all
chains are printed like iptables-save. Like every other iptables command,
it applies to the specified table (filter is the default).
.TP
\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
Flush the selected chain (all the chains in the table if none is given).
This is equivalent to deleting all the rules one by one.
.TP
\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
Zero the packet and byte counters in all chains, or only the given chain,
or only the given rule in a chain. It is legal to
specify the
\fB\-L\fP, \fB\-\-list\fP
(list) option as well, to see the counters immediately before they are
cleared. (See above.)
.TP
\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
Create a new user-defined chain by the given name. There must be no
target of that name already.
.TP
\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
Delete the optional user-defined chain specified. There must be no references
to the chain. If there are, you must delete or replace the referring rules
before the chain can be deleted. The chain must be empty, i.e. not contain
any rules. If no argument is given, it will attempt to delete every
non-builtin chain in the table.
.TP
\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
Set the policy for the built-in (non-user-defined) chain to the given target.
The policy target must be either \fBACCEPT\fP or \fBDROP\fP.
.TP
\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
Rename the user specified chain to the user supplied name. This is
cosmetic, and has no effect on the structure of the table.
.TP
\fB\-h\fP
Help.
Give a (currently very brief) description of the command syntax.
.SS PARAMETERS
The following parameters make up a rule specification (as used in the
add, delete, insert, replace and append commands).
.TP
\fB\-4\fP, \fB\-\-ipv4\fP
This option has no effect in iptables and iptables-restore.
If a rule using the \fB\-4\fP option is inserted with (and only with)
ip6tables-restore, it will be silently ignored. Any other uses will throw an
error. This option allows both IPv4 and IPv6 rules to be put in a single rule file
for use with both iptables-restore and ip6tables-restore.
.TP
\fB\-6\fP, \fB\-\-ipv6\fP
If a rule using the \fB\-6\fP option is inserted with (and only with)
iptables-restore, it will be silently ignored. Any other uses will throw an
error. This option allows both IPv4 and IPv6 rules to be put in a single rule file
for use with both iptables-restore and ip6tables-restore.
This option has no effect in ip6tables and ip6tables-restore.
.TP
[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
The protocol of the rule or of the packet to check.
The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
\fBicmp\fP, \fBicmpv6\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP",
or it can be a numeric value, representing one of these protocols or a
different one. A protocol name from /etc/protocols is also allowed.
A "!" argument before the protocol inverts the
test. The number zero is equivalent to \fBall\fP. "\fBall\fP"
will match with all protocols and is taken as default when this
option is omitted.
Note that, in ip6tables, IPv6 extension headers except \fBesp\fP are not allowed.
\fBesp\fP and \fBipv6\-nonext\fP
can be used with Kernel version 2.6.11 or later.
The number zero is equivalent to \fBall\fP, which means that you cannot
test the protocol field for the value 0 directly. To match on a HBH header,
even if it were the last, you cannot use \fB\-p 0\fP, but always need
\fB\-m hbh\fP.
.TP
[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
Source specification. \fIAddress\fP
can be either a network name, a hostname, a network IP address (with
\fB/\fP\fImask\fP), or a plain IP address. Hostnames will
be resolved once only, before the rule is submitted to the kernel.
Please note that specifying any name to be resolved with a remote query such as
DNS is a really bad idea.
The \fImask\fP
can be either an ipv4 network mask (for iptables) or a plain number,
specifying the number of 1's at the left side of the network mask.
Thus, an iptables mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
A "!" argument before the address specification inverts the sense of
the address. The flag \fB\-\-src\fP is an alias for this option.
Multiple addresses can be specified, but this will \fBexpand to multiple
rules\fP (when adding with \-A), or will cause multiple rules to be
deleted (with \-D).
.TP
[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
Destination specification.
See the description of the \fB\-s\fP
(source) flag for a detailed description of the syntax. The flag
\fB\-\-dst\fP is an alias for this option.
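.PP
As an added example (Python written for this page, not code from the iptables project), the following models the address handling described for \fB\-s\fP and \fB\-d\fP above: a comma-separated list expands to one rule per source/destination combination for \fB\-A\fP and \fB\-D\fP, it makes \fB\-R\fP fail, a dotted netmask is equivalent to its prefix length, and a name that would need a DNS lookup is rejected instead of resolved. The function names and the sample addresses are assumptions made here.

```python
"""Expand an iptables -s/-d address list into the rules the kernel receives.

Added example, not code from the iptables project. It models what the man
page says about address specifications: a comma-separated list expands to one
rule per source/destination combination when adding (-A/-I) or deleting (-D),
but makes -R fail; a mask may be a dotted IPv4 netmask or a prefix length
(24 is 255.255.255.0); and a leading "!" inverts the test.
"""
import ipaddress
import itertools
from typing import List, Optional, Sequence


def normalise_address(spec: str) -> str:
    """Return an address[/mask] in canonical form, the mask as a prefix length.

    "10.1.2.3/255.255.255.0" becomes "10.1.2.0/24": host bits under the mask
    are cleared, which is also what iptables stores. Hostnames raise
    ValueError on purpose: the man page calls a name that needs a remote
    (DNS) lookup a really bad idea, and it would be resolved only once, when
    the rule is submitted.
    """
    if "/" not in spec:
        return str(ipaddress.ip_address(spec))   # ValueError for a hostname
    addr, mask = spec.split("/", 1)
    if "." not in mask:                          # prefix length, e.g. /24
        mask = str(int(mask))
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def expand_rule(command: str, chain: str, *, rulenum: Optional[int] = None,
                source: Optional[str] = None, destination: Optional[str] = None,
                invert_source: bool = False, invert_destination: bool = False,
                rest: Sequence[str] = ()) -> List[List[str]]:
    """Return the argv tails (everything after "iptables [-t table]") that one
    command line expands to.  source/destination are the literal option values,
    possibly comma-separated lists; rest holds the remaining matches and target.
    """
    srcs = [normalise_address(s) for s in source.split(",")] if source else [None]
    dsts = [normalise_address(d) for d in destination.split(",")] if destination else [None]
    combos = list(itertools.product(srcs, dsts))
    if command == "-R" and len(combos) > 1:
        # The page: -R fails when names resolve to several addresses; the same
        # holds for an explicit list, one rule cannot be replaced by several.
        raise ValueError(f"-R needs exactly one address pair, got {len(combos)}")
    rules = []
    for src, dst in combos:
        argv = [command, chain] + ([str(rulenum)] if rulenum is not None else [])
        if src is not None:
            argv += (["!"] if invert_source else []) + ["-s", src]
        if dst is not None:
            argv += (["!"] if invert_destination else []) + ["-d", dst]
        rules.append(argv + list(rest))
    return rules
```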
.TP
\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
Specifies a match to use, that is, an extension module that tests for a
specific property. The set of matches make up the condition under which a
target is invoked. Matches are evaluated first to last as specified on the
command line and work in short-circuit fashion, i.e. if one extension yields
false, evaluation will stop.
.TP
\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
This specifies the target of the rule; i.e., what to do if the packet
matches it. The target can be a user-defined chain (other than the
one this rule is in), one of the special builtin targets which decide
the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
below). If this
option is omitted in a rule (and \fB\-g\fP
is not used), then matching the rule will have no
effect on the packet's fate, but the counters on the rule will be
incremented.
.TP
\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
This specifies that the processing should continue in a user
specified chain. Unlike the \-\-jump option, return will not continue
processing in this chain but instead in the chain that called us via
\-\-jump.
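.PP
The traversal rules of the \fBTARGETS\fP section and of \fB\-j\fP and \fB\-g\fP above, as an added example that is not part of this manual or of the iptables project: a small Python simulator in which ACCEPT and DROP end traversal, RETURN or the end of a chain resumes in the caller, a built-in chain's return applies its policy, a chain entered with \fB\-g\fP returns to the chain that used \fB\-j\fP, and a rule without a target only counts. The table, chains, rules and packets are constructed for the example.

```python
"""Simulate iptables chain traversal as the man page describes it (added
example, not code from the iptables project): ACCEPT and DROP decide the fate
at once; RETURN, or the end of a chain, resumes at the next rule of the calling
chain; a built-in chain that returns applies its policy; a chain entered with
-g returns to the chain that used -j; a rule without -j/-g only counts; matches
are tested first to last and short-circuit. Chains, rules and packets below
are constructed for the example."""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    in_iface: str = ""


@dataclass
class Match:
    option: str           # "-p", "-s" or "-i"
    value: str
    invert: bool = False  # a leading "!" on the command line

    def test(self, pkt: Packet) -> bool:
        if self.option == "-p":          # "all" (or 0) matches every protocol
            hit = self.value in ("all", "0") or pkt.proto == self.value
        elif self.option == "-s":        # address with optional /mask
            net = ipaddress.ip_network(self.value, strict=False)
            hit = ipaddress.ip_address(pkt.src) in net
        elif self.value.endswith("+"):   # -i eth+ : any name starting "eth"
            hit = pkt.in_iface.startswith(self.value[:-1])
        else:
            hit = pkt.in_iface == self.value
        return hit != self.invert


@dataclass
class Rule:
    matches: list
    target: Optional[str] = None  # None: no -j/-g, the rule only counts
    goto: bool = False            # True for -g, False for -j
    packets: int = 0              # the rule's packet counter

    def hit(self, pkt: Packet) -> bool:
        # Evaluated first to last; the first false match stops evaluation.
        return all(m.test(pkt) for m in self.matches)


@dataclass
class Table:
    """Built-in chains carry a policy (-P), user-defined chains do not."""
    chains: dict = field(default_factory=dict)    # chain name -> [Rule, ...]
    policies: dict = field(default_factory=dict)  # built-in name -> ACCEPT/DROP

    def _run(self, name: str, pkt: Packet) -> Optional[str]:
        """ACCEPT/DROP, or None when this chain returns to its caller."""
        for rule in self.chains[name]:
            if not rule.hit(pkt):
                continue
            rule.packets += 1
            if rule.target is None:          # counting rule: fate unchanged
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "RETURN":
                return None
            if rule.goto:                    # -g: a return skips the rest of us
                return self._run(rule.target, pkt)
            verdict = self._run(rule.target, pkt)    # -j: resume here on return
            if verdict is not None:
                return verdict
        return None                          # end of chain: implicit return

    def verdict(self, builtin: str, pkt: Packet) -> str:
        """Traverse a built-in chain; a return from it applies the policy."""
        result = self._run(builtin, pkt)
        return self.policies[builtin] if result is None else result


def sample_filter() -> Table:
    """Constructed filter table: INPUT (policy DROP) plus user chain 'trusted'."""
    t = Table(chains={"INPUT": [], "trusted": []}, policies={"INPUT": "DROP"})
    inp, trusted = t.chains["INPUT"], t.chains["trusted"]
    inp.append(Rule([Match("-i", "eth+")]))                      # counts only
    inp.append(Rule([Match("-i", "lo")], "ACCEPT"))
    inp.append(Rule([Match("-p", "tcp")], "trusted"))             # -j trusted
    inp.append(Rule([Match("-p", "udp")], "trusted", goto=True))  # -g trusted
    inp.append(Rule([], "ACCEPT"))                # reached only when -j returns
    trusted.append(Rule([Match("-s", "10.0.0.0/8")], "ACCEPT"))
    trusted.append(Rule([Match("-s", "192.168.0.0/16", invert=True)], "RETURN"))
    trusted.append(Rule([], "DROP"))              # only 192.168/16 sources get here
    return t
```

With the sample table, a TCP packet from 203.0.113.5 is accepted (the \-j chain returns and INPUT's last rule accepts it) while a UDP packet from the same host is dropped (the \-g chain returns past INPUT straight to the DROP policy).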
.TP
[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
Name of an interface via which a packet was received (only for
packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
chains). When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option is
omitted, any interface name will match.
.TP
[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
Name of an interface via which a packet is going to be sent (for packets
entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
chains). When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option is
omitted, any interface name will match.
.TP
[\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
This means that the rule only refers to second and further IPv4 fragments
of fragmented packets. Since there is no way to tell the source or
destination ports of such a packet (or ICMP type), such a packet will
not match any rules which specify them. When the "!" argument
precedes the "\-f" flag, the rule will only match head fragments, or
unfragmented packets. This option is IPv4 specific; it is not available
in ip6tables.
.TP
\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
This enables the administrator to initialize the packet and byte
counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
operations).
.SS "OTHER OPTIONS"
The following additional options can be specified:
.TP
\fB\-v\fP, \fB\-\-verbose\fP
Verbose output. This option makes the list command show the interface
name, the rule options (if any), and the TOS masks. The packet and
byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
the \fB\-x\fP flag to change this).
For appending, insertion, deletion and replacement, this causes
detailed information on the rule or rules to be printed. \fB\-v\fP may be
specified multiple times to possibly emit more detailed debug statements.
.TP
\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP]
Wait for the xtables lock.
To prevent multiple instances of the program from running concurrently,
an attempt will be made to obtain an exclusive lock at launch. By default,
the program will exit if the lock cannot be obtained. This option will
make the program wait (indefinitely or for optional \fIseconds\fP) until
the exclusive lock can be obtained.
.TP
\fB\-W\fP, \fB\-\-wait\-interval\fP \fImicroseconds\fP
Interval to wait per each iteration.
When running latency sensitive applications, waiting for the xtables lock
for extended durations may not be acceptable. This option will make each
iteration take the amount of time specified. The default interval is
1 second. This option only works with \fB\-w\fP.
.TP
\fB\-n\fP, \fB\-\-numeric\fP
Numeric output.
IP addresses and port numbers will be printed in numeric format.
By default, the program will try to display them as host names,
network names, or services (whenever applicable).
.TP
\fB\-x\fP, \fB\-\-exact\fP
Expand numbers.
Display the exact value of the packet and byte counters,
instead of only the rounded number in K's (multiples of 1000),
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the \fB\-L\fP command.
.TP
\fB\-\-line\-numbers\fP
When listing rules, add line numbers to the beginning of each rule,
corresponding to that rule's position in the chain.
.TP
\fB\-\-modprobe=\fP\fIcommand\fP
When adding or inserting rules into a chain, use \fIcommand\fP
to load any necessary modules (targets, match extensions, etc).
.SH MATCH AND TARGET EXTENSIONS
.PP
iptables can use extended packet matching and target modules.
A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
.SH DIAGNOSTICS
Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by
invalid or abused command line parameters cause an exit code of 2, and
other errors cause an exit code of 1.
.SH BUGS
Bugs? What's this? ;-)
Well, you might want to have a look at http://bugzilla.netfilter.org/
.SH COMPATIBILITY WITH IPCHAINS
This \fBiptables\fP
is very similar to ipchains by Rusty Russell. The main difference is
that the chains \fBINPUT\fP and \fBOUTPUT\fP
are only traversed for packets coming into the local host and
originating from the local host respectively. Hence every packet only
|
|
Packit Service |
d1fe03 |
passes through one of the three chains (except loopback traffic, which
|
|
Packit Service |
d1fe03 |
involves both INPUT and OUTPUT chains); previously a forwarded packet
|
|
Packit Service |
d1fe03 |
would pass through all three.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
The other main difference is that \fB\-i\fP refers to the input interface;
|
|
Packit Service |
d1fe03 |
\fB\-o\fP refers to the output interface, and both are available for packets
|
|
Packit Service |
d1fe03 |
entering the \fBFORWARD\fP chain.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
The various forms of NAT have been separated out; \fBiptables\fP
|
|
Packit Service |
d1fe03 |
is a pure packet filter when using the default `filter' table, with
|
|
Packit Service |
d1fe03 |
optional extension modules. This should simplify much of the previous
|
|
Packit Service |
d1fe03 |
confusion over the combination of IP masquerading and packet filtering
|
|
Packit Service |
d1fe03 |
seen previously. So the following options are handled differently:
|
|
Packit Service |
d1fe03 |
.nf
|
|
Packit Service |
d1fe03 |
\-j MASQ
|
|
Packit Service |
d1fe03 |
\-M \-S
|
|
Packit Service |
d1fe03 |
\-M \-L
|
|
Packit Service |
d1fe03 |
.fi
|
|
Packit Service |
d1fe03 |
There are several other changes in iptables.
|
|
Packit Service |
d1fe03 |
.SH SEE ALSO
|
|
Packit Service |
d1fe03 |
\fBiptables\-apply\fP(8),
|
|
Packit Service |
d1fe03 |
\fBiptables\-save\fP(8),
|
|
Packit Service |
d1fe03 |
\fBiptables\-restore\fP(8),
|
|
Packit Service |
d1fe03 |
\fBiptables\-extensions\fP(8),
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
The packet-filtering-HOWTO details iptables usage for
|
|
Packit Service |
d1fe03 |
packet filtering, the NAT-HOWTO details NAT,
|
|
Packit Service |
d1fe03 |
the netfilter-extensions-HOWTO details the extensions that are
|
|
Packit Service |
d1fe03 |
not in the standard distribution,
|
|
Packit Service |
d1fe03 |
and the netfilter-hacking-HOWTO details the netfilter internals.
|
|
Packit Service |
d1fe03 |
.br
|
|
Packit Service |
d1fe03 |
See
|
|
Packit Service |
d1fe03 |
.BR "http://www.netfilter.org/" .
|
|
Packit Service |
d1fe03 |
.SH AUTHORS
|
|
Packit Service |
d1fe03 |
Rusty Russell originally wrote iptables, in early consultation with Michael
|
|
Packit Service |
d1fe03 |
Neuling.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
|
|
Packit Service |
d1fe03 |
selection framework in iptables, then wrote the mangle table, the owner match,
|
|
Packit Service |
d1fe03 |
the mark stuff, and ran around doing cool stuff everywhere.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
James Morris wrote the TOS target, and tos match.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
Jozsef Kadlecsik wrote the REJECT target.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as the TTL, DSCP, ECN matches and targets.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
The Netfilter Core Team is: Jozsef Kadlecsik, Pablo Neira Ayuso,
|
|
Packit Service |
d1fe03 |
Eric Leblond, Florian Westphal and Arturo Borrero Gonzalez.
|
|
Packit Service |
d1fe03 |
Emeritus Core Team members are: Marc
|
|
Packit Service |
d1fe03 |
Boucher, Martin Josefsson, Yasuyuki Kozakai, James Morris, Harald Welte and
|
|
Packit Service |
d1fe03 |
Rusty Russell.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
Man page originally written by Herve Eychenne <rv@wallfire.org>.
|
|
Packit Service |
d1fe03 |
.\" .. and did I mention that we are incredibly cool people?
|
|
Packit Service |
d1fe03 |
.\" .. sexy, too ..
|
|
Packit Service |
d1fe03 |
.\" .. witty, charming, powerful ..
|
|
Packit Service |
d1fe03 |
.\" .. and most of all, modest ..
|
|
Packit Service |
d1fe03 |
.SH VERSION
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
This manual page applies to iptables/ip6tables @PACKAGE_VERSION@.
|