iptables(8)


NAME

   iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering
   and NAT

SYNOPSIS

   iptables [-t table] {-A|-C|-D} chain rule-specification

   ip6tables [-t table] {-A|-C|-D} chain rule-specification

   iptables [-t table] -I chain [rulenum] rule-specification

   iptables [-t table] -R chain rulenum rule-specification

   iptables [-t table] -D chain rulenum

   iptables [-t table] -S [chain [rulenum]]

   iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

   iptables [-t table] -N chain

   iptables [-t table] -X [chain]

   iptables [-t table] -P chain target

   iptables [-t table] -E old-chain-name new-chain-name

   rule-specification = [matches...] [target]

   match = -m matchname [per-match-options]

   target = -j targetname [per-target-options]

DESCRIPTION

   Iptables and ip6tables are used to set up, maintain,  and  inspect  the
   tables  of  IPv4  and  IPv6  packet  filter  rules in the Linux kernel.
   Several different tables may be defined.  Each table contains a  number
   of built-in chains and may also contain user-defined chains.

   Each  chain  is a list of rules which can match a set of packets.  Each
   rule specifies what to do with a packet that matches.  This is called a
   `target',  which  may  be  a  jump  to a user-defined chain in the same
   table.

TARGETS

   A firewall rule specifies criteria for a packet and a target.   If  the
   packet  does  not  match, the next rule in the chain is examined; if it
   does match, then the next rule is specified by the value of the target,
   which  can  be  the  name  of  a user-defined chain, one of the targets
   described in iptables-extensions(8),  or  one  of  the  special  values
   ACCEPT, DROP or RETURN.

   ACCEPT  means to let the packet through.  DROP means to drop the packet
   on the floor.  RETURN means stop traversing this chain  and  resume  at
   the  next rule in the previous (calling) chain.  If the end of a built-
   in chain is reached or a rule in a built-in chain with target RETURN is
   matched,  the  target specified by the chain policy determines the fate
   of the packet.

TABLES

   There are currently five independent tables (which tables  are  present
   at  any  time  depends  on  the  kernel configuration options and which
   modules are present).

   -t, --table table
          This option  specifies  the  packet  matching  table  which  the
          command  should  operate  on.   If the kernel is configured with
          automatic module loading, an attempt will be made  to  load  the
          appropriate module for that table if it is not already there.

          The tables are as follows:

          filter:
              This  is  the  default table (if no -t option is passed). It
              contains the built-in chains INPUT (for packets destined  to
              local  sockets),  FORWARD  (for packets being routed through
              the box), and OUTPUT (for locally-generated packets).

          nat:
              This table is consulted when a packet  that  creates  a  new
              connection  is encountered.  It consists of three built-ins:
              PREROUTING (for altering packets as soon as they  come  in),
              OUTPUT   (for   altering  locally-generated  packets  before
              routing), and POSTROUTING (for altering packets as they  are
              about  to  go  out).   IPv6  NAT  support is available since
              kernel 3.7.

          mangle:
              This table is used for specialized packet alteration.  Until
              kernel  2.4.17  it  had two built-in chains: PREROUTING (for
              altering incoming packets before routing)  and  OUTPUT  (for
              altering  locally-generated  packets before routing).  Since
              kernel  2.4.18,  three  other  built-in  chains   are   also
              supported:  INPUT  (for packets coming into the box itself),
              FORWARD (for altering packets being routed through the box),
              and  POSTROUTING  (for altering packets as they are about to
              go out).

          raw:
              This table is used mainly for  configuring  exemptions  from
              connection  tracking in combination with the NOTRACK target.
              It registers at the netfilter hooks with higher priority and
              is  thus called before ip_conntrack, or any other IP tables.
              It provides the following built-in chains:  PREROUTING  (for
              packets  arriving  via  any  network  interface) OUTPUT (for
              packets generated by local processes)

          security:
              This table  is  used  for  Mandatory  Access  Control  (MAC)
              networking  rules,  such as those enabled by the SECMARK and
              CONNSECMARK   targets.    Mandatory   Access   Control    is
              implemented  by Linux Security Modules such as SELinux.  The
              security table is called after the  filter  table,  allowing
              any  Discretionary  Access Control (DAC) rules in the filter
              table to take effect before MAC rules.  This table  provides
              the  following  built-in  chains:  INPUT (for packets coming
              into the box itself), OUTPUT (for altering locally-generated
              packets  before  routing), and FORWARD (for altering packets
              being routed through the box).

OPTIONS

   The options that are  recognized  by  iptables  and  ip6tables  can  be
   divided into several different groups.

   COMMANDS
   These  options  specify the desired action to perform. Only one of them
   can be specified on the command line unless otherwise stated below. For
   long  versions  of  the  command and option names, you need to use only
   enough letters to ensure that iptables can differentiate  it  from  all
   other options.

   -A, --append chain rule-specification
          Append one or more rules to the end of the selected chain.  When
          the source and/or destination names resolve  to  more  than  one
          address,  a  rule  will  be  added  for  each  possible  address
          combination.

   -C, --check chain rule-specification
          Check whether a rule matching the specification  does  exist  in
          the  selected  chain.  This command uses the same logic as -D to
          find a matching entry, but does not alter the existing  iptables
          configuration  and  uses  its  exit  code to indicate success or
          failure.

   -D, --delete chain rule-specification
   -D, --delete chain rulenum
          Delete one or more rules from the selected chain.  There are two
          versions  of this command: the rule can be specified as a number
          in the chain (starting at 1 for the first rule)  or  a  rule  to
          match.

   -I, --insert chain [rulenum] rule-specification
          Insert one or more rules in the selected chain as the given rule
          number.  So, if the rule number is 1,  the  rule  or  rules  are
          inserted  at the head of the chain.  This is also the default if
          no rule number is specified.

   -R, --replace chain rulenum rule-specification
          Replace a rule in the selected  chain.   If  the  source  and/or
          destination  names  resolve  to  multiple addresses, the command
          will fail.  Rules are numbered starting at 1.

   -L, --list [chain]
          List all rules in the selected chain.  If no chain is  selected,
          all  chains  are  listed.  Like every other iptables command, it
          applies to the specified table (filter is the default),  so  NAT
          rules get listed by
           iptables -t nat -n -L
          Please  note  that it is often used with the -n option, in order
          to avoid long reverse DNS lookups.  It is legal to  specify  the
          -Z  (zero)  option  as  well, in which case the chain(s) will be
          atomically listed and zeroed.  The exact output is  affected  by
          the  other arguments given. The exact rules are suppressed until
          you use
           iptables -L -v

   -S, --list-rules [chain]
          Print all rules in the selected chain.  If no chain is selected,
          all  chains  are  printed  like  iptables-save. Like every other
          iptables command, it applies to the specified table  (filter  is
          the default).

   -F, --flush [chain]
          Flush the selected chain (all the chains in the table if none is
          given).  This is equivalent to deleting all  the  rules  one  by
          one.

   -Z, --zero [chain [rulenum]]
          Zero  the  packet  and  byte counters in all chains, or only the
          given chain, or only the given rule in a chain. It is  legal  to
          specify  the  -L,  --list  (list)  option  as  well,  to see the
          counters immediately before they are cleared. (See above.)

   -N, --new-chain chain
          Create a new user-defined chain by the given name.   There  must
          be no target of that name already.

   -X, --delete-chain [chain]
          Delete the optional user-defined chain specified.  There must be
          no references to the chain.  If there are, you  must  delete  or
          replace  the  referring  rules  before the chain can be deleted.
          The chain must be empty, i.e. not  contain  any  rules.   If  no
          argument  is  given, it will attempt to delete every non-builtin
          chain in the table.

   -P, --policy chain target
          Set the policy for the built-in (non-user-defined) chain to  the
          given target.  The policy target must be either ACCEPT or DROP.

   -E, --rename-chain old-chain new-chain
          Rename the user specified chain to the user supplied name.  This
          is cosmetic, and has no effect on the structure of the table.

   -h     Help.  Give a (currently very brief) description of the  command
          syntax.

   PARAMETERS
   The  following  parameters make up a rule specification (as used in the
   add, delete, insert, replace and append commands).

   -4, --ipv4
          This option has no effect in iptables and iptables-restore.   If
          a  rule  using  the  -4  option is inserted with (and only with)
          ip6tables-restore, it will be silently ignored. Any  other  uses
          will throw an error. This option allows IPv4 and IPv6 rules in a
          single  rule  file  for  use  with  both  iptables-restore   and
          ip6tables-restore.

   -6, --ipv6
          If  a  rule using the -6 option is inserted with (and only with)
          iptables-restore, it will be silently ignored.  Any  other  uses
          will throw an error. This option allows IPv4 and IPv6 rules in a
          single  rule  file  for  use  with  both  iptables-restore   and
          ip6tables-restore.   This  option has no effect in ip6tables and
          ip6tables-restore.

   [!] -p, --protocol protocol
          The protocol of the  rule  or  of  the  packet  to  check.   The
          specified  protocol  can  be  one  of  tcp,  udp, udplite, icmp,
          icmpv6,esp, ah, sctp, mh or the special keyword "all", or it can
          be  a  numeric  value,  representing one of these protocols or a
          different one.  A protocol  name  from  /etc/protocols  is  also
          allowed.   A  "!" argument before the protocol inverts the test.
          The number zero is equivalent to all. "all" will match with  all
          protocols  and  is taken as default when this option is omitted.
          Note that, in ip6tables, IPv6 extension headers except  esp  are
          not  allowed.   esp  and  ipv6-nonext  can  be  used with Kernel
          version 2.6.11 or later.  The number zero is equivalent to  all,
          which  means  that  you  cannot  test the protocol field for the
          value 0 directly. To match on a HBH header, even if it were  the
          last, you cannot use -p 0, but always need -m hbh.

   [!] -s, --source address[/mask][,...]
          Source  specification.  Address  can be either a network name, a
          hostname, a network IP address  (with  /mask),  or  a  plain  IP
          address.  Hostnames  will be resolved once only, before the rule
          is submitted to the kernel.  Please  note  that  specifying  any
          name  to be resolved with a remote query such as DNS is a really
          bad idea.  The mask can be either  an  ipv4  network  mask  (for
          iptables) or a plain number, specifying the number of 1's at the
          left side of the network mask.  Thus, an iptables mask of 24  is
          equivalent  to 255.255.255.0.  A "!" argument before the address
          specification inverts the sense of the address. The  flag  --src
          is  an  alias  for  this  option.   Multiple  addresses  can  be
          specified, but this will expand to multiple rules  (when  adding
          with -A), or will cause multiple rules to be deleted (with -D).

   [!] -d, --destination address[/mask][,...]
          Destination  specification.   See  the  description  of  the  -s
          (source) flag for a detailed description  of  the  syntax.   The
          flag --dst is an alias for this option.

   -m, --match match
          Specifies  a  match  to  use,  that is, an extension module that
          tests for a specific property. The set of matches  make  up  the
          condition under which a target is invoked. Matches are evaluated
          first to last as specified on  the  command  line  and  work  in
          short-circuit  fashion,  i.e.  if  one  extension  yields false,
          evaluation will stop.

   -j, --jump target
          This specifies the target of the rule; i.e., what to do  if  the
          packet  matches  it.   The  target  can  be a user-defined chain
          (other than the one this rule is in), one of the special builtin
          targets  which  decide the fate of the packet immediately, or an
          extension (see EXTENSIONS below).  If this option is omitted  in
          a rule (and -g is not used), then matching the rule will have no
          effect on the packet's fate, but the counters on the  rule  will
          be incremented.

   -g, --goto chain
          This  specifies  that  the  processing should continue in a user
          specified chain.  Unlike  the  --jump  option  return  will  not
          continue  processing in this chain but instead in the chain that
          called us via --jump.

   [!] -i, --in-interface name
          Name of an interface via which a packet was received  (only  for
          packets  entering  the  INPUT,  FORWARD  and PREROUTING chains).
          When the "!" argument is used before  the  interface  name,  the
          sense  is  inverted.   If the interface name ends in a "+", then
          any interface which begins with this name will match.   If  this
          option is omitted, any interface name will match.

   [!] -o, --out-interface name
          Name of an interface via which a packet is going to be sent (for
          packets entering the FORWARD, OUTPUT  and  POSTROUTING  chains).
          When  the  "!"  argument  is used before the interface name, the
          sense is inverted.  If the interface name ends in  a  "+",  then
          any  interface  which begins with this name will match.  If this
          option is omitted, any interface name will match.

   [!] -f, --fragment
          This means that the rule only refers to second and further  IPv4
          fragments  of fragmented packets.  Since there is no way to tell
          the source or destination ports of such a packet (or ICMP type),
          such a packet will not match any rules which specify them.  When
          the "!" argument precedes the "-f"  flag,  the  rule  will  only
          match  head  fragments,  or unfragmented packets. This option is
          IPv4 specific, it is not available in ip6tables.

   -c, --set-counters packets bytes
          This enables the administrator to initialize the packet and byte
          counters of a rule (during INSERT, APPEND, REPLACE operations).

   OTHER OPTIONS
   The following additional options can be specified:

   -v, --verbose
          Verbose  output.   This  option  makes the list command show the
          interface name, the rule options (if any), and  the  TOS  masks.
          The  packet  and  byte counters are also listed, with the suffix
          'K',  'M'  or  'G'  for  1000,   1,000,000   and   1,000,000,000
          multipliers  respectively  (but see the -x flag to change this).
          For appending, insertion, deletion and replacement, this  causes
          detailed  information on the rule or rules to be printed. -v may
          be specified multiple times to possibly emit more detailed debug
          statements.

   -w, --wait [seconds]
          Wait for the xtables lock.  To prevent multiple instances of the
          program from running concurrently, an attempt will  be  made  to
          obtain  an  exclusive  lock  at launch.  By default, the program
          will exit if the lock cannot be obtained.  This option will make
          the  program  wait  (indefinitely or for optional seconds) until
          the exclusive lock can be obtained.

   -n, --numeric
          Numeric output.  IP addresses and port numbers will  be  printed
          in  numeric format.  By default, the program will try to display
          them  as  host  names,  network  names,  or  services  (whenever
          applicable).

   -x, --exact
          Expand  numbers.  Display the exact value of the packet and byte
          counters, instead of only the rounded number in  K's  (multiples
          of  1000)  M's (multiples of 1000K) or G's (multiples of 1000M).
          This option is only relevant for the -L command.

   --line-numbers
          When listing rules, add line numbers to the  beginning  of  each
          rule, corresponding to that rule's position in the chain.

   --modprobe=command
          When adding or inserting rules into a chain, use command to load
          any necessary modules (targets, match extensions, etc).

MATCH AND TARGET EXTENSIONS

   iptables can use extended packet matching and target modules.   A  list
   of these is available in the iptables-extensions(8) manpage.

DIAGNOSTICS

   Various error messages are printed to standard error.  The exit code is
   0 for correct functioning.  Errors which appear to be caused by invalid
   or  abused  command  line parameters cause an exit code of 2, and other
   errors cause an exit code of 1.

BUGS

   Bugs?  What's this? ;-)  Well,  you  might  want  to  have  a  look  at
   http://bugzilla.netfilter.org/

COMPATIBILITY WITH IPCHAINS

   This  iptables  is very similar to ipchains by Rusty Russell.  The main
   difference is that the chains INPUT and OUTPUT are only  traversed  for
   packets  coming into the local host and originating from the local host
   respectively.  Hence every packet only passes through one of the  three
   chains  (except  loopback traffic, which involves both INPUT and OUTPUT
   chains); previously a forwarded packet would pass through all three.

   The other main difference is that -i refers to the input interface;  -o
   refers  to  the  output  interface,  and both are available for packets
   entering the FORWARD chain.

   The various forms of NAT have been separated out; iptables  is  a  pure
   packet  filter  when  using  the  default `filter' table, with optional
   extension modules.  This should simplify much of the previous confusion
   over  the  combination  of  IP  masquerading  and packet filtering seen
   previously.  So the following options are handled differently:
    -j MASQ
    -M -S
    -M -L
   There are several other changes in iptables.

SEE ALSO

   iptables-apply(8),        iptables-save(8),        iptables-restore(8),
   iptables-extensions(8),

   The packet-filtering-HOWTO details iptables usage for packet filtering,
   the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO  details  the
   extensions   that  are  not  in  the  standard  distribution,  and  the
   netfilter-hacking-HOWTO details the netfilter internals.
   See http://www.netfilter.org/.

AUTHORS

   Rusty Russell originally wrote iptables,  in  early  consultation  with
   Michael Neuling.

   Marc  Boucher  made  Rusty  abandon  ipnatctl by lobbying for a generic
   packet selection framework in iptables, then wrote  the  mangle  table,
   the  owner  match,  the  mark  stuff,  and  ran around doing cool stuff
   everywhere.

   James Morris wrote the TOS target, and tos match.

   Jozsef Kadlecsik wrote the REJECT target.

   Harald Welte wrote the ULOG and NFQUEUE target,  the  new  libiptc,  as
   well as the TTL, DSCP, ECN matches and targets.

   The  Netfilter  Core  Team is: Jozsef Kadlecsik, Patrick McHardy, Pablo
   Neira Ayuso, Eric Leblond and  Florian  Westphal.  Emeritus  Core  Team
   members  are:  Marc  Boucher, Martin Josefsson, Yasuyuki Kozakai, James
   Morris, Harald Welte and Rusty Russell.

   Man page originally written by Herve Eychenne <rv@wallfire.org>.

VERSION

   This manual page applies to iptables/ip6tables 1.6.0.





Opportunity


Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.

Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.





Free Software


Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.


Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.





Free Books


The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.


Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.





Education


Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.


Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.