Content-type: text/html

<HTML><HEAD>

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=koi8-r">

<TITLE>Manpage of IPTABLES</TITLE>

</HEAD><body bgcolor="#DDE1C2">

<LINK REL="stylesheet" href="/opennet3.css" type="text/css">

<!--htdig_noindex-->

<FORM method="get" action="http://www.opennet.ru/search.shtml">

<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0 WIDTH="100%">

<TR>

<TD VALIGN="BOTTOM" BGCOLOR="#E9EAD6" style="background: #E9EAD6 url('/back.gif') repeat-x bottom left">

<A HREF="http://www.opennet.ru/"><IMG SRC="/opennet2.gif" HEIGHT=60 WIDTH=249 ALT="The OpenNET Project" BORDER="0"></A><br>

</TD>

<TD BGCOLOR="#B0B190" WIDTH="1"><IMG SRC="/p.gif" HEIGHT=1 WIDTH=1 ALT=""></TD>

<TD VALIGN=TOP ALIGN=RIGHT WIDTH="470" BGCOLOR="#D9DAC6">

<TABLE BORDER=0 CELLPADDING=1 WIDTH="470">

<TR>

<TD HEIGHT=60 BGCOLOR="#D9DAC6">

<script language=JavaScript>          

var plugin=(navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"]) ? navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin : 0;         

if ( plugin ) {         

 plugin=parseInt(plugin.description.substring(plugin.description.indexOf(".")-2))>=6;         

}         

else if (navigator.userAgent && navigator.userAgent.indexOf("MSIE")>=0          

   && (navigator.userAgent.indexOf("Windows 95")>=0 || navigator.userAgent.indexOf("Windows 98")>=0 || navigator.userAgent.indexOf("Windows NT")>=0)) {         

 document.write('<SCR'+'IPT LANGUAGE=VBScript\> \n');         

 document.write('on error resume next \n');         

 document.write('plugin=( IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.6")))\n');         

 document.write('</SCRIPT\> \n');         

}         

if ( plugin ) {         

     var swf_url = '/img/securit2.swf' + '?link1=' + 'http://click.opennet.ru/cgi-bin/opennet/hjump.cgi?securit2';                                                

        document.write('<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,2,0" width=468 height=60>');                                                

        document.write('<param name=movie value="' + swf_url + '"><param name=menu value=false><param name=section value=1629><param name=quality value=high>');                                                

        document.write('<EM' + 'BED src="' + swf_url + '" quality=high ');                                                

        document.write('menu=false swLiveConnect=FALSE WIDTH=468 HEIGHT=60');                                                

        document.write('TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">');                                                    

        document.write('</embed>');                                                

        document.write(' </object>');                                                   

}else{     

document.write('<a href=http://click.opennet.ru/cgi-bin/opennet/hjump.cgi?securit_gif target=_blank><img src=/img/securit.gif width=468 height=60 border=0></a>');     

}     

</script>     

<noscript><a href=http://click.opennet.ru/cgi-bin/opennet/hjump.cgi?securit_gif target=_blank><img src=/img/securit.gif width=468 height=60 border=0></a></noscript>

</TD>

</TR>

</TABLE>

</TD>

<TD BGCOLOR="#B0B190" WIDTH="1"><IMG SRC="/p.gif" HEIGHT=1 WIDTH=1 ALT=""></TD>

<TD WIDTH="40" BGCOLOR="#E9EAD6" style="background: #E9EAD6 url('/back.gif') repeat-x bottom left">&nbsp;</TD>

<TD BGCOLOR="#B0B190" WIDTH="1"><IMG SRC="/p.gif" HEIGHT=1 WIDTH=1 ALT=""></TD>

<TD VALIGN=TOP ALIGN=RIGHT WIDTH="130" BGCOLOR="#E9EAD6" ROWSPAN=3>

<a href="http://www.lanbilling.ru/" target=_blank><img src="/img/lanbilling6.gif" width=130 height=125 border=0></a>

</TD>

</TR>

<TR BGCOLOR="#B0B190"><TD COLSPAN=6><IMG SRC="/p.gif" HEIGHT=1 WIDTH=1 ALT=""></TD></TR>

<TR BGCOLOR="#E9EAD6">

<TD ALIGN=CENTER COLSPAN=5>

<table width="100%">

<tr>

<td rowspan=2 width=300 nowrap class="h">

<INPUT type=hidden name=exclude value="index|/man.shtml"><A HREF="http://www.opennet.ru/search.shtml" class="h"><u>�����></A>&nbsp;(<A HREF="http://www.opennet.ru/keywords/" class="h">�����>):&nbsp;<INPUT type="text" size="20" name="words" value="" title='��� ������ � google �������� "g �����"'>

</td><td width="25%">

&nbsp;   <A HREF="http://www.opennet.ru/prog/sml/" class="h"><b><u>���������</b></A>

</td><td width="25%">

   <A HREF="http://www.opennet.ru/filebase.shtml" class="h"><b><u>������></b></A>

</td><td width="25%">

   <A HREF="http://www.opennet.ru/tips/sml/" class="h"><b><u>������></b></A>

</td><td width="25%">

   <A HREF="http://www.opennet.ru/forum/" class="h"><b><u>�����></b></A>

</td></tr>

<tr><td>

&nbsp;   <A HREF="http://wiki.opennet.ru" class="h"><b><u>WIKI</u></b></A>

</td><td class="h">

   <A HREF="http://www.opennet.ru/opennews/" class="h"><b><u>�������></b></A> (<a href="http://www.opennet.ru/news/opennet.shtml" class="h">+</a>)

</td><td>

   <A HREF="http://www.opennet.ru/man.shtml" class="h"><b><u>MAN'�></b></A>

</td><td>

   <A HREF="http://www.opennet.ru/docs/" class="h"><b><u>������������></b></A>

</td></tr>

</table>

</TD>

<TD BGCOLOR="#B0B190" WIDTH="1"><IMG SRC="/p.gif" HEIGHT=1 WIDTH=1 ALT=""></TD>

</TR>

<TR BGCOLOR="#B0B190"><TD COLSPAN=7><IMG SRC="/p.gif" HEIGHT=2 WIDTH=1 ALT=""></TD></TR>

</TABLE>

<div style="float: left; width: 279; text-align: left;padding-right: 60px;" id=adv><A HREF="http://www.ip-as.ru" target=_blank><IMG SRC="/img/ipas3.gif" BORDER="0" width="279" height="40"></A></div>

<div style="padding-top: 10px;position:absolute;left:50%;margin-left:-235px;width:470px;" id=adv2>

<script language="javascript" type="text/javascript"><!--

var RndNum4NoCash = Math.round(Math.random() * 1000000000);

var ar_Tail='unknown'; if (document.referrer) ar_Tail = escape(document.referrer);

document.write(

'<iframe src="http://ad.adriver.ru/cgi-bin/erle.cgi?'

+ 'sid=137477&bn=1&target=blank&bt=1&pz=0&rnd=' + RndNum4NoCash + '&tail256=' + ar_Tail

+ '" frameborder=0 vspace=0 hspace=0 width=468 height=60 marginwidth=0'

+ ' marginheight=0 scrolling=no></iframe>');

//--></script>

<noscript>

<a href="http://ad.adriver.ru/cgi-bin/click.cgi?sid=137477&bn=1&bt=1&pz=0&rnd=988794273" target=_blank>

<img src="http://ad.adriver.ru/cgi-bin/rle.cgi?sid=137477&bn=1&bt=1&pz=0&rnd=988794273" alt="-AdRiver-" border=0 width=468 height=60></a>

</noscript>

</div>

<div style="width: 279;float: right;" id=adv3><A HREF="http://job.samsung.ru" target=_blank><IMG SRC="/img/samsung_line8.gif" BORDER="0" width="279" height="40"></A></div>

<div style="clear: both;"></div>

<br>

<script language="JavaScript"><!--

d=document;a='';r=escape(d.referrer);a+=';r='+r;

js=10; d.write('<img src="http://top.list.ru/counter'+

'?id=77689;js='+js+a+';rand='+Math.random()+

'" alt="" height=1 width=1>');

if(js>11)d.write('<'+'!-- ')//--></script><noscript><img

src="http://top.list.ru/counter?js=na;id=77689"

height=1 width=1 alt="">

</noscript>

</FORM>

<!--/htdig_noindex-->

<table  BORDER=0 CELLSPACING=0 CELLPADDING=0 WIDTH="100%" style="margin-bottom: 5px;margin-top: 5px;">

<tr><td>

<TABLE  BORDER=0 CELLSPACING=0 CELLPADDING=4 BGCOLOR="#E9EAD6" WIDTH="100%">

<TR BGCOLOR="#C7CBB1"><TD><FONT COLOR="#000090">

<b><a href="http://www.opennet.ru/docs/">������� ������������</a> / 

<a href="http://www.opennet.ru/docs/135.shtml">������ "������������"</a> /

<a href="http://www.opennet.ru/docs/RUS/iptables/">���������� ���������>

</b>

</TD></TR>

</TABLE>

</TD></TR>

<TR BGCOLOR="#B0B190"><TD><IMG SRC="/p.gif" HEIGHT=3 WIDTH=1 ALT=""></TD></TR>

</TABLE>

<H1>IPTABLES</H1>

Section:    (8)<BR>Updated: Aug 11, 2000<BR><A HREF="#index">Index</A>

<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>

<A NAME="lbAB">&nbsp;</A>

<H2>NAME</H2>

iptables - IP packet filter administration

<A NAME="lbAC">&nbsp;</A>

<H2>SYNOPSIS</H2>

<B>iptables -[ADC] </B>chain rule-specification [options]

<BR>

<B>iptables -[RI] </B>chain rulenum rule-specification [options]

<BR>

<B>iptables -D </B>chain rulenum [options]

<BR>

<B>iptables -[LFZ] </B>[chain] [options]

<BR>

<B>iptables -[NX] </B>chain

<BR>

<B>iptables -P </B>chain target [options]

<BR>

<B>iptables -E </B>old-chain-name new-chain-name

<A NAME="lbAD">&nbsp;</A>

<H2>DESCRIPTION</H2>

<B>Iptables</B>

is used to set up, maintain, and inspect the tables of IP packet

filter rules in the Linux kernel.  Several different tables

may be defined.  Each table contains a number of built-in

chains and may also contain user-defined chains.

<P>

Each chain is a list of rules which can match a set of packets.  Each

rule specifies what to do with a packet that matches.  This is called

a `target', which may be a jump to a user-defined chain in the same

table.

<P>

<A NAME="lbAE">&nbsp;</A>

<H2>TARGETS</H2>

A firewall rule specifies criteria for a packet, and a target.  If the

packet does not match, the next rule in the chain is the examined; if

it does match, then the next rule is specified by the value of the

target, which can be the name of a user-defined chain or one of the

special values 

<I>ACCEPT</I>,

<I>DROP</I>,

<I>QUEUE</I>,

or

<I>RETURN</I>.

<P>

<I>ACCEPT </I>

means to let the packet through.

<I>DROP</I>

means to drop the packet on the floor.

<I>QUEUE</I>

means to pass the packet to userspace (if supported by the kernel).

<I>RETURN</I>

means stop traversing this chain and resume at the next rule in the

previous (calling) chain.  If the end of a built-in chain is reached

or a rule in a built-in chain with target

<I>RETURN</I>

is matched, the target specified by the chain policy determines the

fate of the packet.

<A NAME="lbAF">&nbsp;</A>

<H2>TABLES</H2>

There are current three independent tables (which tables are present

at any time depends on the kernel configuration options and which

modules are present).

<DL COMPACT>

<DT><B>-t, --table</B>

<DD>

This option specifies the packet matching table which the command

should operate on.  If the kernel is configured with automatic module

loading, an attempt will be made to load the appropriate module for

that table if it is not already there.

<P>

The tables are as follows:

<DT><B>filter</B>

<DD>

This is the default table.  It contains the built-in chains INPUT (for

packets coming into the box itself), FORWARD (for packets being routed

through the box), and OUTPUT (for locally-generated packets).

<DT><B>nat</B>

<DD>

This table is consulted when a packet that creates a new

connection is encountered.  It consists of three built-ins: PREROUTING

(for altering packets as soon as they come in), OUTPUT (for altering

locally-generated packets before routing), and POSTROUTING (for

altering packets as they are about to go out).

<DT><B>mangle</B>

<DD>

This table is used for specialized packet alteration.  It has two

built-in chains: PREROUTING (for altering incoming packets before

routing) and OUTPUT (for altering locally-generated packets before

routing).

</DL>

<A NAME="lbAG">&nbsp;</A>

<H2>OPTIONS</H2>

The options that are recognized by

<B>iptables</B>

can be divided into several different groups.

<A NAME="lbAH">&nbsp;</A>

<H3>COMMANDS</H3>

These options specify the specific action to perform.  Only one of them

can be specified on the command line unless otherwise specified

below.  For all the long versions of the command and option names, you

need to use only enough letters to ensure that

<B>iptables</B>

can differentiate it from all other options.

<DL COMPACT>

<DT><B>-A, --append</B>

<DD>

Append one or more rules to the end of the selected chain.

When the source and/or destination names resolve to more than one

address, a rule will be added for each possible address combination.

<DT><B>-D, --delete</B>

<DD>

Delete one or more rules from the selected chain.  There are two

versions of this command: the rule can be specified as a number in the

chain (starting at 1 for the first rule) or a rule to match.

<DT><B>-R, --replace</B>

<DD>

Replace a rule in the selected chain.  If the source and/or

destination names resolve to multiple addresses, the command will

fail.  Rules are numbered starting at 1.

<DT><B>-I, --insert</B>

<DD>

Insert one or more rules in the selected chain as the given rule

number.  So, if the rule number is 1, the rule or rules are inserted

at the head of the chain.  This is also the default if no rule number

is specified.

<DT><B>-L, --list</B>

<DD>

List all rules in the selected chain.  If no chain is selected, all

chains are listed.  It is legal to specify the

<B>-Z</B>

(zero) option as well, in which case the chain(s) will be atomically

listed and zeroed.  The exact output is affected by the other

arguments given.

<DT><B>-F, --flush</B>

<DD>

Flush the selected chain.  This is equivalent to deleting all the

rules one by one.

<DT><B>-Z, --zero</B>

<DD>

Zero the packet and byte counters in all chains.  It is legal to

specify the

<B>-L, --list</B>

(list) option as well, to see the counters immediately before they are

cleared. (See above.)

<DT><B>-N, --new-chain</B>

<DD>

Create a new user-defined chain by the given name.  There must be no

target of that name already.

<DT><B>-X, --delete-chain</B>

<DD>

Delete the specified user-defined chain.  There must be no references

to the chain.  If there are, you must delete or replace the referring

rules before the chain can be deleted.  If no argument is given, it

will attempt to delete every non-builtin chain in the table.

<DT><B>-P, --policy</B>

<DD>

Set the policy for the chain to the given target.  See the section

<B>TARGETS</B>

for the legal targets.  Only non-user-defined chains can have policies,

and neither built-in nor user-defined chains can be policy targets.

<DT><B>-E, --rename-chain</B>

<DD>

Rename the user specified chain to the user supplied name.  This is

cosmetic, and has no effect on the structure of the table.

<DT><B>-h</B>

<DD>

Help.

Give a (currently very brief) description of the command syntax.

</DL>

<A NAME="lbAI">&nbsp;</A>

<H3>PARAMETERS</H3>

The following parameters make up a rule specification (as used in the

add, delete, insert, replace and append commands).

<DL COMPACT>

<DT><B>-p, --protocol </B>[!] <I>protocol</I>

<DD>

The protocol of the rule or of the packet to check.

The specified protocol can be one of

<I>tcp</I>,

<I>udp</I>,

<I>icmp</I>,

or

<I>all</I>,

or it can be a numeric value, representing one of these protocols or a

different one.  A protocol name from /etc/protocols is also allowed.

A "!" argument before the protocol inverts the

test.  The number zero is equivalent to

<I>all</I>.

Protocol

<I>all</I>

will match with all protocols and is taken as default when this

option is omitted.

<DT><B>-s, --source </B>[!] <I>address</I>[/<I>mask</I>]

<DD>

Source specification.

<I>Address</I>

can be either a hostname, a network name, or a plain IP address.

The

<I>mask</I>

can be either a network mask or a plain number,

specifying the number of 1's at the left side of the network mask.

Thus, a mask of

<I>24</I>

is equivalent to

<I>255.255.255.0</I>.

A "!" argument before the address specification inverts the sense of

the address. The flag

<B>--src</B>

is a convenient alias for this option.

<DT><B>-d, --destination </B>[!] <I>address</I>[/<I>mask</I>]

<DD>

Destination specification. 

See the description of the

<B>-s</B>

(source) flag for a detailed description of the syntax.  The flag

<B>--dst</B>

is an alias for this option.

<DT><B>-j, --jump </B><I>target</I>

<DD>

This specifies the target of the rule; i.e., what to do if the packet

matches it.  The target can be a user-defined chain (other than the

one this rule is in), one of the special builtin targets which decide

the fate of the packet immediately, or an extension (see

<B>EXTENSIONS</B>

below).  If this

option is omitted in a rule, then matching the rule will have no

effect on the packet's fate, but the counters on the rule will be

incremented.

<DT><B>-i, --in-interface </B>[!] [<I>name</I>]

<DD>

Optional name of an interface via which a packet is received (for

packets entering the 

<B>INPUT</B>,

<B>FORWARD</B>

and

<B>PREROUTING</B>

chains).  When the "!" argument is used before the interface name, the

sense is inverted.  If the interface name ends in a "+", then any

interface which begins with this name will match.  If this option is

omitted, the string "+" is assumed, which will match with any

interface name.

<DT><B>-o, --out-interface </B>[!] [<I>name</I>]

<DD>

Optional name of an interface via which a packet is going to

be sent (for packets entering the

<B>FORWARD</B>,

<B>OUTPUT</B>

and

<B>POSTROUTING</B>

chains).  When the "!" argument is used before the interface name,

the sense is inverted.  If the interface name ends in a "+", then any

interface which begins with this name will match.  If this option is

omitted, the string "+" is assumed, which will match with any

interface name.

<DT><B>[!]  -f, --fragment</B>

<DD>

This means that the rule only refers to second and further fragments

of fragmented packets.  Since there is no way to tell the source or

destination ports of such a packet (or ICMP type), such a packet will

not match any rules which specify them.  When the "!" argument

precedes the "-f" flag, the rule will only match head fragments, or

unfragmented packets.

<DT><B>-c, --set-counters  PKTS BYTES</B>

<DD>

This enables the administrater to initialize the packet and byte

counters of a rule (during

<B>INSERT,</B>

<B>APPEND,</B>

<B>REPLACE</B>

operations)

</DL>

<A NAME="lbAJ">&nbsp;</A>

<H3>OTHER OPTIONS</H3>

The following additional options can be specified:

<DL COMPACT>

<DT><B>-v, --verbose</B>

<DD>

Verbose output.  This option makes the list command show the interface

address, the rule options (if any), and the TOS masks.  The packet and

byte counters are also listed, with the suffix 'K', 'M' or 'G' for

1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see

the

<B>-x</B>

flag to change this).

For appending, insertion, deletion and replacement, this causes

detailed information on the rule or rules to be printed.

<DT><B>-n, --numeric</B>

<DD>

Numeric output.

IP addresses and port numbers will be printed in numeric format.

By default, the program will try to display them as host names,

network names, or services (whenever applicable).

<DT><B>-x, --exact</B>

<DD>

Expand numbers.

Display the exact value of the packet and byte counters,

instead of only the rounded number in K's (multiples of 1000)

M's (multiples of 1000K) or G's (multiples of 1000M).  This option is

only relevant for the 

<B>-L</B>

command.

<DT><B>--line-numbers</B>

<DD>

When listing rules, add line numbers to the beginning of each rule,

corresponding to that rule's position in the chain.

<DT><B>--modprobe=&lt;command&gt;</B>

<DD>

When adding or inserting rules into a chain, use

<B>command</B>

to load any necessary modules (targets, match extensions, etc).

</DL>

<A NAME="lbAK">&nbsp;</A>

<H2>MATCH EXTENSIONS</H2>

iptables can use extended packet matching modules.  These are loaded

in two ways: implicitly, when

<B>-p</B>

or

<B>--protocol</B>

is specified, or with the

<B>-m</B>

or

<B>--match</B>

options, followed by the matching module name; after these, various

extra command line options become available, depending on the specific

module.  You can specify multiple extended match modules in one line, and you can use the

<B>-h</B>

or

<B>--help</B>

options after the module has been specified to receive help specific

to that module.

<P>

The following are included in the base package, and most of these can

be preceded by a

<B>!</B>

to invert the sense of the match.

<A NAME="lbAL">&nbsp;</A>

<H3>tcp</H3>

These extensions are loaded if `--protocol tcp' is specified. It

provides the following options:

<DL COMPACT>

<DT><B>--source-port </B>[!] [<I>port[:port]</I>]

<DD>

Source port or port range specification. This can either be a service

name or a port number. An inclusive range can also be specified,

using the format

<I>port</I>:<I>port</I>.

If the first port is omitted, "0" is assumed; if the last is omitted,

"65535" is assumed.

If the second port greater then the first they will be swapped.

The flag

<B>--sport</B>

is an alias for this option.

<DT><B>--destination-port </B>[!] [<I>port[:port]</I>]

<DD>

Destination port or port range specification. The flag

<B>--dport</B>

is an alias for this option.

<DT><B>--tcp-flags </B>[!] <I>mask</I> <I>comp</I>

<DD>

Match when the TCP flags are as specified.  The first argument is the

flags which we should examine, written as a comma-separated list, and

the second argument is a comma-separated list of flags which must be

set.  Flags are: 

<B>SYN ACK FIN RST URG PSH ALL NONE</B>.

Hence the command

<BR>

<BR>&nbsp;iptables&nbsp;-A&nbsp;FORWARD&nbsp;-p&nbsp;tcp&nbsp;--tcp-flags&nbsp;SYN,ACK,FIN,RST&nbsp;SYN

<BR>

will only match packets with the SYN flag set, and the ACK, FIN and

RST flags unset.

<DT><B>[!] --syn</B>

<DD>

Only match TCP packets with the SYN bit set and the ACK and FIN bits

cleared.  Such packets are used to request TCP connection initiation;

for example, blocking such packets coming in an interface will prevent

incoming TCP connections, but outgoing TCP connections will be

unaffected.

It is equivalent to <B>--tcp-flags SYN,RST,ACK SYN</B>.

If the "!" flag precedes the "--syn", the sense of the

option is inverted.

<DT><B>--tcp-option </B>[!] <I>number</I>

<DD>

Match if TCP option set.

</DL>

<A NAME="lbAM">&nbsp;</A>

<H3>udp</H3>

These extensions are loaded if `--protocol udp' is specified.  It

provides the following options:

<DL COMPACT>

<DT><B>--source-port </B>[!] [<I>port[:port]</I>]

<DD>

Source port or port range specification.

See the description of the

<B>--source-port</B>

option of the TCP extension for details.

<DT><B>--destination-port </B>[!] [<I>port[:port]</I>]

<DD>

Destination port or port range specification.

See the description of the

<B>--destination-port</B>

option of the TCP extension for details.

</DL>

<A NAME="lbAN">&nbsp;</A>

<H3>icmp</H3>

This extension is loaded if `--protocol icmp' is specified.  It

provides the following option:

<DL COMPACT>

<DT><B>--icmp-type </B>[!] <I>typename</I>

<DD>

This allows specification of the ICMP type, which can be a numeric

ICMP type, or one of the ICMP type names shown by the command

<BR>

<BR>&nbsp;iptables&nbsp;-p&nbsp;icmp&nbsp;-h

<BR>

</DL>

<A NAME="lbAO">&nbsp;</A>

<H3>mac</H3>

<DL COMPACT>

<DT><B>--mac-source </B>[!] <I>address</I>

<DD>

Match source MAC address.  It must be of the form XX:XX:XX:XX:XX:XX.

Note that this only makes sense for packets entering the

<B>PREROUTING</B>,

<B>FORWARD</B>

or

<B>INPUT</B>

chains for packets coming from an ethernet device.

</DL>

<A NAME="lbAP">&nbsp;</A>

<H3>limit</H3>

This module matches at a limited rate using a token bucket filter: it

can be used in combination with the

<B>LOG</B>

target to give limited logging.  A rule using this extension will

match until this limit is reached (unless the `!' flag is used).

<DL COMPACT>

<DT><B>--limit </B><I>rate</I>

<DD>

Maximum average matching rate: specified as a number, with an optional

`/second', `/minute', `/hour', or `/day' suffix; the default is

3/hour.

<DT><B>--limit-burst </B><I>number</I>

<DD>

The maximum initial number of packets to match: this number gets

recharged by one every time the limit specified above is not reached,

up to this number; the default is 5.

</DL>

<A NAME="lbAQ">&nbsp;</A>

<H3>multiport</H3>

This module matches a set of source or destination ports. Up to 15

ports can be specified. It can only be used in conjunction with

<B>-p tcp</B>

or

<B>-p udp</B>.

<DL COMPACT>

<DT><B>--source-port</B> [<I>port[,port]</I>]

<DD>

Match if the source port is one of the given ports.

<DT><B>--destination-port</B> [<I>port[,port]</I>]

<DD>

Match if the destination port is one of the given ports.

<DT><B>--port</B> [<I>port[,port]</I>]

<DD>

Match if the both the source and destination ports are equal to each

other and to one of the given ports.

</DL>

<A NAME="lbAR">&nbsp;</A>

<H3>mark</H3>

This module matches the netfilter mark field associated with a packet

(which can be set using the

<B>MARK</B>

target below).

<DL COMPACT>

<DT><B>--mark </B><I>value[/mask]</I>

<DD>

Matches packets with the given unsigned mark value (if a mask is

specified, this is logically ANDed with the mask before the

comparison).

</DL>

<A NAME="lbAS">&nbsp;</A>

<H3>owner</H3>

This module attempts to match various characteristics of the packet

creator, for locally-generated packets.  It is only valid in the

<B>OUTPUT</B>

chain, and even this some packets (such as ICMP ping responses) may

have no owner, and hence never match.

<DL COMPACT>

<DT><B>--uid-owner </B><I>userid</I>

<DD>

Matches if the packet was created by a process with the given

effective user id.

<DT><B>--gid-owner </B><I>groupid</I>

<DD>

Matches if the packet was created by a process with the given

effective group id.

<DT><B>--pid-owner </B><I>processid</I>

<DD>

Matches if the packet was created by a process with the given

process id.

<DT><B>--sid-owner </B><I>sessionid</I>

<DD>

Matches if the packet was created by a process in the given session

group.

</DL>

<A NAME="lbAT">&nbsp;</A>

<H3>state</H3>

This module, when combined with connection tracking, allows access to

the connection tracking state for this packet.

<DL COMPACT>

<DT><B>--state </B><I>state</I>

<DD>

Where state is a comma separated list of the connection states to

match.  Possible states are 

<B>INVALID</B>

meaning that the packet is associated with no known connection,

<B>ESTABLISHED</B>

meaning that the packet is associated with a connection which has seen

packets in both directions,

<B>NEW</B>

meaning that the packet has started a new connection, or otherwise

associated with a connection which has not seen packets in both

directions, and

<B>RELATED</B>

meaning that the packet is starting a new connection, but is

associated with an existing connection, such as an FTP data transfer,

or an ICMP error.

</DL>

<A NAME="lbAU">&nbsp;</A>

<H3>unclean</H3>

This module takes no options, but attempts to match packets which seem

malformed or unusual.  This is regarded as experimental.

<A NAME="lbAV">&nbsp;</A>

<H3>tos</H3>

This module matches the 8 bits of Type of Service field in the IP

header (ie. including the precedence bits). 

<DL COMPACT>

<DT><B>--tos </B><I>tos</I>

<DD>

The argument is either a standard name, (use

<BR>

<BR>&nbsp;iptables&nbsp;-m&nbsp;tos&nbsp;-h

<BR>

to see the list), or a numeric value to match.

</DL>

<A NAME="lbAW">&nbsp;</A>

<H2>TARGET EXTENSIONS</H2>

iptables can use extended target modules: the following are included

in the standard distribution.

<A NAME="lbAX">&nbsp;</A>

<H3>LOG</H3>

Turn on kernel logging of matching packets.  When this option is set

for a rule, the Linux kernel will print some information on all

matching packets (like most IP header fields) via the kernel log

(where it can be read with

<I>dmesg</I>

or 

<I><A HREF="http://localhost/cgi-bin/man/man2html?8+syslogd">syslogd</A></I>(8)).

<DL COMPACT>

<DT><B>--log-level </B><I>level</I>

<DD>

Level of logging (numeric or see <I><A HREF="http://localhost/cgi-bin/man/man2html?5+syslog.conf">syslog.conf</A></I>(5)).

<DT><B>--log-prefix </B><I>prefix</I>

<DD>

Prefix log messages with the specified prefix; up to 29 letters long,

and useful for distinguishing messages in the logs.

<DT><B>--log-tcp-sequence</B>

<DD>

Log TCP sequence numbers. This is a security risk if the log is

readable by users.

<DT><B>--log-tcp-options</B>

<DD>

Log options from the TCP packet header.

<DT><B>--log-ip-options</B>

<DD>

Log options from the IP packet header.

</DL>

<A NAME="lbAY">&nbsp;</A>

<H3>MARK</H3>

This is used to set the netfilter mark value associated with the

packet.  It is only valid in the

<B>mangle</B>

table.

<DL COMPACT>

<DT><B>--set-mark </B><I>mark</I>

<DD>

</DL>

<A NAME="lbAZ">&nbsp;</A>

<H3>REJECT</H3>

This is used to send back an error packet in response to the matched

packet: otherwise it is equivalent to 

<B>DROP</B>.

This target is only valid in the

<B>INPUT</B>,

<B>FORWARD</B>

and

<B>OUTPUT</B>

chains, and user-defined chains which are only called from those

chains.  Several options control the nature of the error packet

returned:

<DL COMPACT>

<DT><B>--reject-with </B><I>type</I>

<DD>

The type given can be 

<B>icmp-net-unreachable</B>,

<B>icmp-host-unreachable</B>,

<B>icmp-port-unreachable</B>,

<B>icmp-proto-unreachable</B>,

<B>icmp-net-prohibited</B>or

<B>icmp-host-prohibited</B>,

which return the appropriate ICMP error message (port-unreachable is

the default).  The option 

<B>echo-reply</B>

is also allowed; it can only be used for rules which specify an ICMP

ping packet, and generates a ping reply.  Finally, the option

<B>tcp-reset</B>

can be used on rules which only match the TCP protocol: this causes a

TCP RST packet to be sent back.  This is mainly useful for blocking 

<I>ident</I>

probes which frequently occur when sending mail to broken mail hosts

(which won't accept your mail otherwise).

</DL>

<A NAME="lbBA">&nbsp;</A>

<H3>TOS</H3>

This is used to set the 8-bit Type of Service field in the IP header.

It is only valid in the

<B>mangle</B>

table.

<DL COMPACT>

<DT><B>--set-tos </B><I>tos</I>

<DD>

You can use a numeric TOS values, or use

<BR>

<BR>&nbsp;iptables&nbsp;-j&nbsp;TOS&nbsp;-h

<BR>

to see the list of valid TOS names.

</DL>

<A NAME="lbBB">&nbsp;</A>

<H3>MIRROR</H3>

This is an experimental demonstration target which inverts the source

and destination fields in the IP header and retransmits the packet.

It is only valid in the

<B>INPUT</B>,

<B>FORWARD</B>

and 

<B>PREROUTING</B>

chains, and user-defined chains which are only called from those

chains.  Note that the outgoing packets are

<B>NOT</B>

seen by any packet filtering chains, connection tracking or NAT, to

avoid loops and other problems.

<A NAME="lbBC">&nbsp;</A>

<H3>SNAT</H3>

This target is only valid in the 

<B>nat</B>

table, in the 

<B>POSTROUTING</B>

chain.  It specifies that the source address of the packet should be

modified (and all future packets in this connection will also be

mangled), and rules should cease being examined.  It takes one option:

<DL COMPACT>

<DT><B>--to-source  </B><I>&lt;ipaddr&gt;[-&lt;ipaddr&gt;][:port-port]</I>

<DD>

which can specify a single new source IP address, an inclusive range

of IP addresses, and optionally, a port range (which is only valid if

the rule also specifies

<B>-p tcp</B>

or

<B>-p udp</B>).

If no port range is specified, then source ports below 512 will be

mapped to other ports below 512: those between 512 and 1023 inclusive

will be mapped to ports below 1024, and other ports will be mapped to

1024 or above. Where possible, no port alteration will occur.

</DL>

<A NAME="lbBD">&nbsp;</A>

<H3>DNAT</H3>

This target is only valid in the 

<B>nat</B>

table, in the 

<B>PREROUTING</B>

and

<B>OUTPUT</B>

chains, and user-defined chains which are only called from those

chains.  It specifies that the destination address of the packet

should be modified (and all future packets in this connection will

also be mangled), and rules should cease being examined.  It takes one

option:

<DL COMPACT>

<DT><B>--to-destination </B><I>&lt;ipaddr&gt;[-&lt;ipaddr&gt;][:port-port]</I>

<DD>

which can specify a single new destination IP address, an inclusive

range of IP addresses, and optionally, a port range (which is only

valid if the rule also specifies

<B>-p tcp</B>

or

<B>-p udp</B>).

If no port range is specified, then the destination port will never be

modified.

</DL>

<A NAME="lbBE">&nbsp;</A>

<H3>MASQUERADE</H3>

This target is only valid in the 

<B>nat</B>

table, in the 

<B>POSTROUTING</B>

chain.  It should only be used with dynamically assigned IP (dialup)

connections: if you have a static IP address, you should use the SNAT

target.  Masquerading is equivalent to specifying a mapping to the IP

address of the interface the packet is going out, but also has the

effect that connections are 

<I>forgotten</I>

when the interface goes down.  This is the correct behavior when the

next dialup is unlikely to have the same interface address (and hence

any established connections are lost anyway).  It takes one option:

<DL COMPACT>

<DT><B>--to-ports </B><I>&lt;port&gt;[-&lt;port&gt;]</I>

<DD>

This specifies a range of source ports to use, overriding the default 

<B>SNAT</B>

source port-selection heuristics (see above).  This is only valid with

if the rule also specifies

<B>-p tcp</B>

or

<B>-p udp</B>).

</DL>

<A NAME="lbBF">&nbsp;</A>

<H3>REDIRECT</H3>

This target is only valid in the 

<B>nat</B>

table, in the 

<B>PREROUTING</B>

and