1 | Content-type: text/html
|
2 |
|
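<!doctype html>
<html lang="en">
<head>
<!-- charset meta comes first so the parser fixes the encoding before any text; value left unchanged -->
<meta http-equiv="Content-Type" content="text/html; charset=koi8-r">
<title>Manpage of IPTABLES</title>
<!-- the stylesheet link was placed after </head>, inside <body>; it belongs here -->
<link rel="stylesheet" href="/opennet3.css">
</head>
<!-- presentational bgcolor dropped; the page background should be set by the stylesheet above -->
<body>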
|
|
145 |
|
146 |
|
|
160 |
|
161 | <H1>IPTABLES</H1>
|
162 | Section: (8)<BR>Updated: Aug 11, 2000<BR><A HREF="#index">Index</A>
|
163 | <A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
164 |
|
165 |
|
166 |
|
167 |
|
168 |
|
169 |
|
170 |
|
171 |
|
172 |
|
173 |
|
174 |
|
175 |
|
176 |
|
177 |
|
178 |
|
179 |
|
180 |
|
181 |
|
182 |
|
183 |
|
184 |
|
185 |
|
186 |
|
187 | <A NAME="lbAB"> </A>
|
188 | <H2>NAME</H2>
|
189 |
|
190 | iptables - IP packet filter administration
|
191 | <A NAME="lbAC"> </A>
|
192 | <H2>SYNOPSIS</H2>
|
193 |
|
194 | <B>iptables -[ADC] </B>chain rule-specification [options]
|
195 |
|
196 | <BR>
|
197 |
|
198 | <B>iptables -[RI] </B>chain rulenum rule-specification [options]
|
199 |
|
200 | <BR>
|
201 |
|
202 | <B>iptables -D </B>chain rulenum [options]
|
203 |
|
204 | <BR>
|
205 |
|
206 | <B>iptables -[LFZ] </B>[chain] [options]
|
207 |
|
208 | <BR>
|
209 |
|
210 | <B>iptables -[NX] </B>chain
|
211 |
|
212 | <BR>
|
213 |
|
214 | <B>iptables -P </B>chain target [options]
|
215 |
|
216 | <BR>
|
217 |
|
218 | <B>iptables -E </B>old-chain-name new-chain-name
|
219 |
|
220 | <A NAME="lbAD"> </A>
|
221 | <H2>DESCRIPTION</H2>
|
222 |
|
223 | <B>Iptables</B>
|
224 |
|
225 | is used to set up, maintain, and inspect the tables of IP packet
|
226 | filter rules in the Linux kernel. Several different tables
|
227 | may be defined. Each table contains a number of built-in
|
228 | chains and may also contain user-defined chains.
|
229 | <P>
|
230 | Each chain is a list of rules which can match a set of packets. Each
|
231 | rule specifies what to do with a packet that matches. This is called
|
232 | a `target', which may be a jump to a user-defined chain in the same
|
233 | table.
|
234 | <P>
|
235 | <A NAME="lbAE"> </A>
|
236 | <H2>TARGETS</H2>
|
237 |
|
238 | A firewall rule specifies criteria for a packet, and a target. If the
|
239 | packet does not match, the next rule in the chain is examined; if
|
240 | it does match, then the next rule is specified by the value of the
|
241 | target, which can be the name of a user-defined chain or one of the
|
242 | special values
|
243 | <I>ACCEPT</I>,
|
244 |
|
245 | <I>DROP</I>,
|
246 |
|
247 | <I>QUEUE</I>,
|
248 |
|
249 | or
|
250 | <I>RETURN</I>.
|
251 |
|
252 | <P>
|
253 |
|
254 | <I>ACCEPT </I>
|
255 |
|
256 | means to let the packet through.
|
257 | <I>DROP</I>
|
258 |
|
259 | means to drop the packet on the floor.
|
260 | <I>QUEUE</I>
|
261 |
|
262 | means to pass the packet to userspace (if supported by the kernel).
|
263 | <I>RETURN</I>
|
264 |
|
265 | means stop traversing this chain and resume at the next rule in the
|
266 | previous (calling) chain. If the end of a built-in chain is reached
|
267 | or a rule in a built-in chain with target
|
268 | <I>RETURN</I>
|
269 |
|
270 | is matched, the target specified by the chain policy determines the
|
271 | fate of the packet.
|
272 | <A NAME="lbAF"> </A>
|
273 | <H2>TABLES</H2>
|
274 |
|
275 | There are currently three independent tables (which tables are present
|
276 | at any time depends on the kernel configuration options and which
|
277 | modules are present).
|
278 | <DL COMPACT>
|
279 | <DT><B>-t, --table</B>
|
280 |
|
281 | <DD>
|
282 | This option specifies the packet matching table which the command
|
283 | should operate on. If the kernel is configured with automatic module
|
284 | loading, an attempt will be made to load the appropriate module for
|
285 | that table if it is not already there.
|
286 | <P>
|
287 | The tables are as follows:
|
288 | <DT><B>filter</B>
|
289 |
|
290 | <DD>
|
291 | This is the default table. It contains the built-in chains INPUT (for
|
292 | packets coming into the box itself), FORWARD (for packets being routed
|
293 | through the box), and OUTPUT (for locally-generated packets).
|
294 | <DT><B>nat</B>
|
295 |
|
296 | <DD>
|
297 | This table is consulted when a packet that creates a new
|
298 | connection is encountered. It consists of three built-ins: PREROUTING
|
299 | (for altering packets as soon as they come in), OUTPUT (for altering
|
300 | locally-generated packets before routing), and POSTROUTING (for
|
301 | altering packets as they are about to go out).
|
302 | <DT><B>mangle</B>
|
303 |
|
304 | <DD>
|
305 | This table is used for specialized packet alteration. It has two
|
306 | built-in chains: PREROUTING (for altering incoming packets before
|
307 | routing) and OUTPUT (for altering locally-generated packets before
|
308 | routing).
|
309 | </DL>
|
310 | <A NAME="lbAG"> </A>
|
311 | <H2>OPTIONS</H2>
|
312 |
|
313 | The options that are recognized by
|
314 | <B>iptables</B>
|
315 |
|
316 | can be divided into several different groups.
|
317 | <A NAME="lbAH"> </A>
|
318 | <H3>COMMANDS</H3>
|
319 |
|
320 | These options specify the specific action to perform. Only one of them
|
321 | can be specified on the command line unless otherwise specified
|
322 | below. For all the long versions of the command and option names, you
|
323 | need to use only enough letters to ensure that
|
324 | <B>iptables</B>
|
325 |
|
326 | can differentiate it from all other options.
|
327 | <DL COMPACT>
|
328 | <DT><B>-A, --append</B>
|
329 |
|
330 | <DD>
|
331 | Append one or more rules to the end of the selected chain.
|
332 | When the source and/or destination names resolve to more than one
|
333 | address, a rule will be added for each possible address combination.
|
334 | <DT><B>-D, --delete</B>
|
335 |
|
336 | <DD>
|
337 | Delete one or more rules from the selected chain. There are two
|
338 | versions of this command: the rule can be specified as a number in the
|
339 | chain (starting at 1 for the first rule) or a rule to match.
|
340 | <DT><B>-R, --replace</B>
|
341 |
|
342 | <DD>
|
343 | Replace a rule in the selected chain. If the source and/or
|
344 | destination names resolve to multiple addresses, the command will
|
345 | fail. Rules are numbered starting at 1.
|
346 | <DT><B>-I, --insert</B>
|
347 |
|
348 | <DD>
|
349 | Insert one or more rules in the selected chain as the given rule
|
350 | number. So, if the rule number is 1, the rule or rules are inserted
|
351 | at the head of the chain. This is also the default if no rule number
|
352 | is specified.
|
353 | <DT><B>-L, --list</B>
|
354 |
|
355 | <DD>
|
356 | List all rules in the selected chain. If no chain is selected, all
|
357 | chains are listed. It is legal to specify the
|
358 | <B>-Z</B>
|
359 |
|
360 | (zero) option as well, in which case the chain(s) will be atomically
|
361 | listed and zeroed. The exact output is affected by the other
|
362 | arguments given.
|
363 | <DT><B>-F, --flush</B>
|
364 |
|
365 | <DD>
|
366 | Flush the selected chain. This is equivalent to deleting all the
|
367 | rules one by one.
|
368 | <DT><B>-Z, --zero</B>
|
369 |
|
370 | <DD>
|
371 | Zero the packet and byte counters in all chains. It is legal to
|
372 | specify the
|
373 | <B>-L, --list</B>
|
374 |
|
375 | (list) option as well, to see the counters immediately before they are
|
376 | cleared. (See above.)
|
377 | <DT><B>-N, --new-chain</B>
|
378 |
|
379 | <DD>
|
380 | Create a new user-defined chain by the given name. There must be no
|
381 | target of that name already.
|
382 | <DT><B>-X, --delete-chain</B>
|
383 |
|
384 | <DD>
|
385 | Delete the specified user-defined chain. There must be no references
|
386 | to the chain. If there are, you must delete or replace the referring
|
387 | rules before the chain can be deleted. If no argument is given, it
|
388 | will attempt to delete every non-builtin chain in the table.
|
389 | <DT><B>-P, --policy</B>
|
390 |
|
391 | <DD>
|
392 | Set the policy for the chain to the given target. See the section
|
393 | <B>TARGETS</B>
|
394 |
|
395 | for the legal targets. Only non-user-defined chains can have policies,
|
396 | and neither built-in nor user-defined chains can be policy targets.
|
397 | <DT><B>-E, --rename-chain</B>
|
398 |
|
399 | <DD>
|
400 | Rename the user specified chain to the user supplied name. This is
|
401 | cosmetic, and has no effect on the structure of the table.
|
402 | <DT><B>-h</B>
|
403 |
|
404 | <DD>
|
405 | Help.
|
406 | Give a (currently very brief) description of the command syntax.
|
407 | </DL>
|
408 | <A NAME="lbAI"> </A>
|
409 | <H3>PARAMETERS</H3>
|
410 |
|
411 | The following parameters make up a rule specification (as used in the
|
412 | add, delete, insert, replace and append commands).
|
413 | <DL COMPACT>
|
414 | <DT><B>-p, --protocol </B>[!] <I>protocol</I>
|
415 |
|
416 | <DD>
|
417 | The protocol of the rule or of the packet to check.
|
418 | The specified protocol can be one of
|
419 | <I>tcp</I>,
|
420 |
|
421 | <I>udp</I>,
|
422 |
|
423 | <I>icmp</I>,
|
424 |
|
425 | or
|
426 | <I>all</I>,
|
427 |
|
428 | or it can be a numeric value, representing one of these protocols or a
|
429 | different one. A protocol name from /etc/protocols is also allowed.
|
430 | A "!" argument before the protocol inverts the
|
431 | test. The number zero is equivalent to
|
432 | <I>all</I>.
|
433 |
|
434 | Protocol
|
435 | <I>all</I>
|
436 |
|
437 | will match with all protocols and is taken as default when this
|
438 | option is omitted.
|
439 | <DT><B>-s, --source </B>[!] <I>address</I>[/<I>mask</I>]
|
440 |
|
441 | <DD>
|
442 | Source specification.
|
443 | <I>Address</I>
|
444 |
|
445 | can be either a hostname, a network name, or a plain IP address.
|
446 | The
|
447 | <I>mask</I>
|
448 |
|
449 | can be either a network mask or a plain number,
|
450 | specifying the number of 1's at the left side of the network mask.
|
451 | Thus, a mask of
|
452 | <I>24</I>
|
453 |
|
454 | is equivalent to
|
455 | <I>255.255.255.0</I>.
|
456 |
|
457 | A "!" argument before the address specification inverts the sense of
|
458 | the address. The flag
|
459 | <B>--src</B>
|
460 |
|
461 | is a convenient alias for this option.
|
462 | <DT><B>-d, --destination </B>[!] <I>address</I>[/<I>mask</I>]
|
463 |
|
464 | <DD>
|
465 | Destination specification.
|
466 | See the description of the
|
467 | <B>-s</B>
|
468 |
|
469 | (source) flag for a detailed description of the syntax. The flag
|
470 | <B>--dst</B>
|
471 |
|
472 | is an alias for this option.
|
473 | <DT><B>-j, --jump </B><I>target</I>
|
474 |
|
475 | <DD>
|
476 | This specifies the target of the rule; i.e., what to do if the packet
|
477 | matches it. The target can be a user-defined chain (other than the
|
478 | one this rule is in), one of the special builtin targets which decide
|
479 | the fate of the packet immediately, or an extension (see
|
480 | <B>EXTENSIONS</B>
|
481 |
|
482 | below). If this
|
483 | option is omitted in a rule, then matching the rule will have no
|
484 | effect on the packet's fate, but the counters on the rule will be
|
485 | incremented.
|
486 | <DT><B>-i, --in-interface </B>[!] [<I>name</I>]
|
487 |
|
488 | <DD>
|
489 | Optional name of an interface via which a packet is received (for
|
490 | packets entering the
|
491 | <B>INPUT</B>,
|
492 |
|
493 | <B>FORWARD</B>
|
494 |
|
495 | and
|
496 | <B>PREROUTING</B>
|
497 |
|
498 | chains). When the "!" argument is used before the interface name, the
|
499 | sense is inverted. If the interface name ends in a "+", then any
|
500 | interface which begins with this name will match. If this option is
|
501 | omitted, the string "+" is assumed, which will match with any
|
502 | interface name.
|
503 | <DT><B>-o, --out-interface </B>[!] [<I>name</I>]
|
504 |
|
505 | <DD>
|
506 | Optional name of an interface via which a packet is going to
|
507 | be sent (for packets entering the
|
508 | <B>FORWARD</B>,
|
509 |
|
510 | <B>OUTPUT</B>
|
511 |
|
512 | and
|
513 | <B>POSTROUTING</B>
|
514 |
|
515 | chains). When the "!" argument is used before the interface name,
|
516 | the sense is inverted. If the interface name ends in a "+", then any
|
517 | interface which begins with this name will match. If this option is
|
518 | omitted, the string "+" is assumed, which will match with any
|
519 | interface name.
|
520 | <DT><B>[!] -f, --fragment</B>
|
521 |
|
522 | <DD>
|
523 | This means that the rule only refers to second and further fragments
|
524 | of fragmented packets. Since there is no way to tell the source or
|
525 | destination ports of such a packet (or ICMP type), such a packet will
|
526 | not match any rules which specify them. When the "!" argument
|
527 | precedes the "-f" flag, the rule will only match head fragments, or
|
528 | unfragmented packets.
|
529 | <DT><B>-c, --set-counters PKTS BYTES</B>
|
530 |
|
531 | <DD>
|
532 | This enables the administrator to initialize the packet and byte
|
533 | counters of a rule (during
|
534 | <B>INSERT,</B>
|
535 |
|
536 | <B>APPEND,</B>
|
537 |
|
538 | <B>REPLACE</B>
|
539 |
|
540 | operations).
|
541 | </DL>
|
542 | <A NAME="lbAJ"> </A>
|
543 | <H3>OTHER OPTIONS</H3>
|
544 |
|
545 | The following additional options can be specified:
|
546 | <DL COMPACT>
|
547 | <DT><B>-v, --verbose</B>
|
548 |
|
549 | <DD>
|
550 | Verbose output. This option makes the list command show the interface
|
551 | address, the rule options (if any), and the TOS masks. The packet and
|
552 | byte counters are also listed, with the suffix 'K', 'M' or 'G' for
|
553 | 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
|
554 | the
|
555 | <B>-x</B>
|
556 |
|
557 | flag to change this).
|
558 | For appending, insertion, deletion and replacement, this causes
|
559 | detailed information on the rule or rules to be printed.
|
560 | <DT><B>-n, --numeric</B>
|
561 |
|
562 | <DD>
|
563 | Numeric output.
|
564 | IP addresses and port numbers will be printed in numeric format.
|
565 | By default, the program will try to display them as host names,
|
566 | network names, or services (whenever applicable).
|
567 | <DT><B>-x, --exact</B>
|
568 |
|
569 | <DD>
|
570 | Expand numbers.
|
571 | Display the exact value of the packet and byte counters,
|
572 | instead of only the rounded number in K's (multiples of 1000)
|
573 | M's (multiples of 1000K) or G's (multiples of 1000M). This option is
|
574 | only relevant for the
|
575 | <B>-L</B>
|
576 |
|
577 | command.
|
578 | <DT><B>--line-numbers</B>
|
579 |
|
580 | <DD>
|
581 | When listing rules, add line numbers to the beginning of each rule,
|
582 | corresponding to that rule's position in the chain.
|
583 | <DT><B>--modprobe=&lt;command&gt;</B>
|
584 |
|
585 | <DD>
|
586 | When adding or inserting rules into a chain, use
|
587 | <B>command</B>
|
588 |
|
589 | to load any necessary modules (targets, match extensions, etc).
|
590 | </DL>
|
591 | <A NAME="lbAK"> </A>
|
592 | <H2>MATCH EXTENSIONS</H2>
|
593 |
|
594 | iptables can use extended packet matching modules. These are loaded
|
595 | in two ways: implicitly, when
|
596 | <B>-p</B>
|
597 |
|
598 | or
|
599 | <B>--protocol</B>
|
600 |
|
601 | is specified, or with the
|
602 | <B>-m</B>
|
603 |
|
604 | or
|
605 | <B>--match</B>
|
606 |
|
607 | options, followed by the matching module name; after these, various
|
608 | extra command line options become available, depending on the specific
|
609 | module. You can specify multiple extended match modules in one line, and you can use the
|
610 | <B>-h</B>
|
611 |
|
612 | or
|
613 | <B>--help</B>
|
614 |
|
615 | options after the module has been specified to receive help specific
|
616 | to that module.
|
617 | <P>
|
618 | The following are included in the base package, and most of these can
|
619 | be preceded by a
|
620 | <B>!</B>
|
621 |
|
622 | to invert the sense of the match.
|
623 | <A NAME="lbAL"> </A>
|
624 | <H3>tcp</H3>
|
625 |
|
626 | These extensions are loaded if `--protocol tcp' is specified. It
|
627 | provides the following options:
|
628 | <DL COMPACT>
|
629 | <DT><B>--source-port </B>[!] [<I>port[:port]</I>]
|
630 |
|
631 | <DD>
|
632 | Source port or port range specification. This can either be a service
|
633 | name or a port number. An inclusive range can also be specified,
|
634 | using the format
|
635 | <I>port</I>:<I>port</I>.
|
636 |
|
637 | If the first port is omitted, "0" is assumed; if the last is omitted,
|
638 | "65535" is assumed.
|
639 | If the second port is greater than the first, they will be swapped.
|
640 | The flag
|
641 | <B>--sport</B>
|
642 |
|
643 | is an alias for this option.
|
644 | <DT><B>--destination-port </B>[!] [<I>port[:port]</I>]
|
645 |
|
646 | <DD>
|
647 | Destination port or port range specification. The flag
|
648 | <B>--dport</B>
|
649 |
|
650 | is an alias for this option.
|
651 | <DT><B>--tcp-flags </B>[!] <I>mask</I> <I>comp</I>
|
652 |
|
653 | <DD>
|
654 | Match when the TCP flags are as specified. The first argument is the
|
655 | flags which we should examine, written as a comma-separated list, and
|
656 | the second argument is a comma-separated list of flags which must be
|
657 | set. Flags are:
|
658 | <B>SYN ACK FIN RST URG PSH ALL NONE</B>.
|
659 |
|
660 | Hence the command
|
661 | <BR>
|
662 |
|
663 | <BR> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
|
664 | <BR>
|
665 |
|
666 | will only match packets with the SYN flag set, and the ACK, FIN and
|
667 | RST flags unset.
|
668 | <DT><B>[!] --syn</B>
|
669 |
|
670 | <DD>
|
671 | Only match TCP packets with the SYN bit set and the ACK and FIN bits
|
672 | cleared. Such packets are used to request TCP connection initiation;
|
673 | for example, blocking such packets coming in an interface will prevent
|
674 | incoming TCP connections, but outgoing TCP connections will be
|
675 | unaffected.
|
676 | It is equivalent to <B>--tcp-flags SYN,RST,ACK SYN</B>.
|
677 | If the "!" flag precedes the "--syn", the sense of the
|
678 | option is inverted.
|
679 | <DT><B>--tcp-option </B>[!] <I>number</I>
|
680 |
|
681 | <DD>
|
682 | Match if the specified TCP option is set.
|
683 | </DL>
|
684 | <A NAME="lbAM"> </A>
|
685 | <H3>udp</H3>
|
686 |
|
687 | These extensions are loaded if `--protocol udp' is specified. It
|
688 | provides the following options:
|
689 | <DL COMPACT>
|
690 | <DT><B>--source-port </B>[!] [<I>port[:port]</I>]
|
691 |
|
692 | <DD>
|
693 | Source port or port range specification.
|
694 | See the description of the
|
695 | <B>--source-port</B>
|
696 |
|
697 | option of the TCP extension for details.
|
698 | <DT><B>--destination-port </B>[!] [<I>port[:port]</I>]
|
699 |
|
700 | <DD>
|
701 | Destination port or port range specification.
|
702 | See the description of the
|
703 | <B>--destination-port</B>
|
704 |
|
705 | option of the TCP extension for details.
|
706 | </DL>
|
707 | <A NAME="lbAN"> </A>
|
708 | <H3>icmp</H3>
|
709 |
|
710 | This extension is loaded if `--protocol icmp' is specified. It
|
711 | provides the following option:
|
712 | <DL COMPACT>
|
713 | <DT><B>--icmp-type </B>[!] <I>typename</I>
|
714 |
|
715 | <DD>
|
716 | This allows specification of the ICMP type, which can be a numeric
|
717 | ICMP type, or one of the ICMP type names shown by the command
|
718 | <BR>
|
719 |
|
720 | <BR> iptables -p icmp -h
|
721 | <BR>
|
722 |
|
723 | </DL>
|
724 | <A NAME="lbAO"> </A>
|
725 | <H3>mac</H3>
|
726 |
|
727 | <DL COMPACT>
|
728 | <DT><B>--mac-source </B>[!] <I>address</I>
|
729 |
|
730 | <DD>
|
731 | Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
|
732 | Note that this only makes sense for packets entering the
|
733 | <B>PREROUTING</B>,
|
734 |
|
735 | <B>FORWARD</B>
|
736 |
|
737 | or
|
738 | <B>INPUT</B>
|
739 |
|
740 | chains for packets coming from an ethernet device.
|
741 | </DL>
|
742 | <A NAME="lbAP"> </A>
|
743 | <H3>limit</H3>
|
744 |
|
745 | This module matches at a limited rate using a token bucket filter: it
|
746 | can be used in combination with the
|
747 | <B>LOG</B>
|
748 |
|
749 | target to give limited logging. A rule using this extension will
|
750 | match until this limit is reached (unless the `!' flag is used).
|
751 | <DL COMPACT>
|
752 | <DT><B>--limit </B><I>rate</I>
|
753 |
|
754 | <DD>
|
755 | Maximum average matching rate: specified as a number, with an optional
|
756 | `/second', `/minute', `/hour', or `/day' suffix; the default is
|
757 | 3/hour.
|
758 | <DT><B>--limit-burst </B><I>number</I>
|
759 |
|
760 | <DD>
|
761 | The maximum initial number of packets to match: this number gets
|
762 | recharged by one every time the limit specified above is not reached,
|
763 | up to this number; the default is 5.
|
764 | </DL>
|
765 | <A NAME="lbAQ"> </A>
|
766 | <H3>multiport</H3>
|
767 |
|
768 | This module matches a set of source or destination ports. Up to 15
|
769 | ports can be specified. It can only be used in conjunction with
|
770 | <B>-p tcp</B>
|
771 |
|
772 | or
|
773 | <B>-p udp</B>.
|
774 |
|
775 | <DL COMPACT>
|
776 | <DT><B>--source-port</B> [<I>port[,port]</I>]
|
777 |
|
778 | <DD>
|
779 | Match if the source port is one of the given ports.
|
780 | <DT><B>--destination-port</B> [<I>port[,port]</I>]
|
781 |
|
782 | <DD>
|
783 | Match if the destination port is one of the given ports.
|
784 | <DT><B>--port</B> [<I>port[,port]</I>]
|
785 |
|
786 | <DD>
|
787 | Match if both the source and destination ports are equal to each
|
788 | other and to one of the given ports.
|
789 | </DL>
|
790 | <A NAME="lbAR"> </A>
|
791 | <H3>mark</H3>
|
792 |
|
793 | This module matches the netfilter mark field associated with a packet
|
794 | (which can be set using the
|
795 | <B>MARK</B>
|
796 |
|
797 | target below).
|
798 | <DL COMPACT>
|
799 | <DT><B>--mark </B><I>value[/mask]</I>
|
800 |
|
801 | <DD>
|
802 | Matches packets with the given unsigned mark value (if a mask is
|
803 | specified, this is logically ANDed with the mask before the
|
804 | comparison).
|
805 | </DL>
|
806 | <A NAME="lbAS"> </A>
|
807 | <H3>owner</H3>
|
808 |
|
809 | This module attempts to match various characteristics of the packet
|
810 | creator, for locally-generated packets. It is only valid in the
|
811 | <B>OUTPUT</B>
|
812 |
|
813 | chain, and even then some packets (such as ICMP ping responses) may
|
814 | have no owner, and hence never match.
|
815 | <DL COMPACT>
|
816 | <DT><B>--uid-owner </B><I>userid</I>
|
817 |
|
818 | <DD>
|
819 | Matches if the packet was created by a process with the given
|
820 | effective user id.
|
821 | <DT><B>--gid-owner </B><I>groupid</I>
|
822 |
|
823 | <DD>
|
824 | Matches if the packet was created by a process with the given
|
825 | effective group id.
|
826 | <DT><B>--pid-owner </B><I>processid</I>
|
827 |
|
828 | <DD>
|
829 | Matches if the packet was created by a process with the given
|
830 | process id.
|
831 | <DT><B>--sid-owner </B><I>sessionid</I>
|
832 |
|
833 | <DD>
|
834 | Matches if the packet was created by a process in the given session
|
835 | group.
|
836 | </DL>
|
837 | <A NAME="lbAT"> </A>
|
838 | <H3>state</H3>
|
839 |
|
840 | This module, when combined with connection tracking, allows access to
|
841 | the connection tracking state for this packet.
|
842 | <DL COMPACT>
|
843 | <DT><B>--state </B><I>state</I>
|
844 |
|
845 | <DD>
|
846 | Where state is a comma separated list of the connection states to
|
847 | match. Possible states are
|
848 | <B>INVALID</B>
|
849 |
|
850 | meaning that the packet is associated with no known connection,
|
851 | <B>ESTABLISHED</B>
|
852 |
|
853 | meaning that the packet is associated with a connection which has seen
|
854 | packets in both directions,
|
855 | <B>NEW</B>
|
856 |
|
857 | meaning that the packet has started a new connection, or otherwise
|
858 | associated with a connection which has not seen packets in both
|
859 | directions, and
|
860 | <B>RELATED</B>
|
861 |
|
862 | meaning that the packet is starting a new connection, but is
|
863 | associated with an existing connection, such as an FTP data transfer,
|
864 | or an ICMP error.
|
865 | </DL>
|
866 | <A NAME="lbAU"> </A>
|
867 | <H3>unclean</H3>
|
868 |
|
869 | This module takes no options, but attempts to match packets which seem
|
870 | malformed or unusual. This is regarded as experimental.
|
871 | <A NAME="lbAV"> </A>
|
872 | <H3>tos</H3>
|
873 |
|
874 | This module matches the 8 bits of Type of Service field in the IP
|
875 | header (ie. including the precedence bits).
|
876 | <DL COMPACT>
|
877 | <DT><B>--tos </B><I>tos</I>
|
878 |
|
879 | <DD>
|
880 | The argument is either a standard name (use
|
881 | <BR>
|
882 |
|
883 | <BR> iptables -m tos -h
|
884 | <BR>
|
885 |
|
886 | to see the list) or a numeric value to match.
|
887 | </DL>
|
888 | <A NAME="lbAW"> </A>
|
889 | <H2>TARGET EXTENSIONS</H2>
|
890 |
|
891 | iptables can use extended target modules: the following are included
|
892 | in the standard distribution.
|
893 | <A NAME="lbAX"> </A>
|
894 | <H3>LOG</H3>
|
895 |
|
896 | Turn on kernel logging of matching packets. When this option is set
|
897 | for a rule, the Linux kernel will print some information on all
|
898 | matching packets (like most IP header fields) via the kernel log
|
899 | (where it can be read with
|
900 | <I>dmesg</I>
|
901 |
|
902 | or
|
903 | <I><A HREF="http://localhost/cgi-bin/man/man2html?8+syslogd">syslogd</A></I>(8)).
|
904 |
|
905 | <DL COMPACT>
|
906 | <DT><B>--log-level </B><I>level</I>
|
907 |
|
908 | <DD>
|
909 | Level of logging (numeric or see <I><A HREF="http://localhost/cgi-bin/man/man2html?5+syslog.conf">syslog.conf</A></I>(5)).
|
910 | <DT><B>--log-prefix </B><I>prefix</I>
|
911 |
|
912 | <DD>
|
913 | Prefix log messages with the specified prefix; up to 29 letters long,
|
914 | and useful for distinguishing messages in the logs.
|
915 | <DT><B>--log-tcp-sequence</B>
|
916 |
|
917 | <DD>
|
918 | Log TCP sequence numbers. This is a security risk if the log is
|
919 | readable by unprivileged users.
|
920 | <DT><B>--log-tcp-options</B>
|
921 |
|
922 | <DD>
|
923 | Log options from the TCP packet header.
|
924 | <DT><B>--log-ip-options</B>
|
925 |
|
926 | <DD>
|
927 | Log options from the IP packet header.
|
928 | </DL>
|
929 | <A NAME="lbAY"> </A>
|
930 | <H3>MARK</H3>
|
931 |
|
932 | This is used to set the netfilter mark value associated with the
|
933 | packet. It is only valid in the
|
934 | <B>mangle</B>
|
935 |
|
936 | table.
|
937 | <DL COMPACT>
|
938 | <DT><B>--set-mark </B><I>mark</I>
|
939 |
|
940 | <DD>
|
941 | </DL>
|
942 | <A NAME="lbAZ"> </A>
|
943 | <H3>REJECT</H3>
|
944 |
|
945 | This is used to send back an error packet in response to the matched
|
946 | packet: otherwise it is equivalent to
|
947 | <B>DROP</B>.
|
948 |
|
949 | This target is only valid in the
|
950 | <B>INPUT</B>,
|
951 |
|
952 | <B>FORWARD</B>
|
953 |
|
954 | and
|
955 | <B>OUTPUT</B>
|
956 |
|
957 | chains, and user-defined chains which are only called from those
|
958 | chains. Several options control the nature of the error packet
|
959 | returned:
|
960 | <DL COMPACT>
|
961 | <DT><B>--reject-with </B><I>type</I>
|
962 |
|
963 | <DD>
|
964 | The type given can be
|
965 | <B>icmp-net-unreachable</B>,
|
966 |
|
967 | <B>icmp-host-unreachable</B>,
|
968 |
|
969 | <B>icmp-port-unreachable</B>,
|
970 |
|
971 | <B>icmp-proto-unreachable</B>,
|
972 |
|
973 | <B>icmp-net-prohibited</B> or
|
974 |
|
975 | <B>icmp-host-prohibited</B>,
|
976 |
|
977 | which return the appropriate ICMP error message (port-unreachable is
|
978 | the default). The option
|
979 | <B>echo-reply</B>
|
980 |
|
981 | is also allowed; it can only be used for rules which specify an ICMP
|
982 | ping packet, and generates a ping reply. Finally, the option
|
983 | <B>tcp-reset</B>
|
984 |
|
985 | can be used on rules which only match the TCP protocol: this causes a
|
986 | TCP RST packet to be sent back. This is mainly useful for blocking
|
987 | <I>ident</I>
|
988 |
|
989 | probes which frequently occur when sending mail to broken mail hosts
|
990 | (which won't accept your mail otherwise).
|
991 | </DL>
|
992 | <A NAME="lbBA"> </A>
|
993 | <H3>TOS</H3>
|
994 |
|
995 | This is used to set the 8-bit Type of Service field in the IP header.
|
996 | It is only valid in the
|
997 | <B>mangle</B>
|
998 |
|
999 | table.
|
1000 | <DL COMPACT>
|
1001 | <DT><B>--set-tos </B><I>tos</I>
|
1002 |
|
1003 | <DD>
|
1004 | You can use a numeric TOS value, or use
|
1005 | <BR>
|
1006 |
|
1007 | <BR> iptables -j TOS -h
|
1008 | <BR>
|
1009 |
|
1010 | to see the list of valid TOS names.
|
1011 | </DL>
|
1012 | <A NAME="lbBB"> </A>
|
1013 | <H3>MIRROR</H3>
|
1014 |
|
1015 | This is an experimental demonstration target which inverts the source
|
1016 | and destination fields in the IP header and retransmits the packet.
|
1017 | It is only valid in the
|
1018 | <B>INPUT</B>,
|
1019 |
|
1020 | <B>FORWARD</B>
|
1021 |
|
1022 | and
|
1023 | <B>PREROUTING</B>
|
1024 |
|
1025 | chains, and user-defined chains which are only called from those
|
1026 | chains. Note that the outgoing packets are
|
1027 | <B>NOT</B>
|
1028 |
|
1029 | seen by any packet filtering chains, connection tracking or NAT, to
|
1030 | avoid loops and other problems.
|
1031 | <A NAME="lbBC"> </A>
|
1032 | <H3>SNAT</H3>
|
1033 |
|
1034 | This target is only valid in the
|
1035 | <B>nat</B>
|
1036 |
|
1037 | table, in the
|
1038 | <B>POSTROUTING</B>
|
1039 |
|
1040 | chain. It specifies that the source address of the packet should be
|
1041 | modified (and all future packets in this connection will also be
|
1042 | mangled), and rules should cease being examined. It takes one option:
|
1043 | <DL COMPACT>
|
1044 | <DT><B>--to-source </B><I>&lt;ipaddr&gt;[-&lt;ipaddr&gt;][:port-port]</I>
|
1045 |
|
1046 | <DD>
|
1047 | which can specify a single new source IP address, an inclusive range
|
1048 | of IP addresses, and optionally, a port range (which is only valid if
|
1049 | the rule also specifies
|
1050 | <B>-p tcp</B>
|
1051 |
|
1052 | or
|
1053 | <B>-p udp</B>).
|
1054 |
|
1055 | If no port range is specified, then source ports below 512 will be
|
1056 | mapped to other ports below 512: those between 512 and 1023 inclusive
|
1057 | will be mapped to ports below 1024, and other ports will be mapped to
|
1058 | 1024 or above. Where possible, no port alteration will occur.
|
1059 | </DL>
|
1060 | <A NAME="lbBD"> </A>
|
1061 | <H3>DNAT</H3>
|
1062 |
|
1063 | This target is only valid in the
|
1064 | <B>nat</B>
|
1065 |
|
1066 | table, in the
|
1067 | <B>PREROUTING</B>
|
1068 |
|
1069 | and
|
1070 | <B>OUTPUT</B>
|
1071 |
|
1072 | chains, and user-defined chains which are only called from those
|
1073 | chains. It specifies that the destination address of the packet
|
1074 | should be modified (and all future packets in this connection will
|
1075 | also be mangled), and rules should cease being examined. It takes one
|
1076 | option:
|
1077 | <DL COMPACT>
|
1078 | <DT><B>--to-destination </B><I>&lt;ipaddr&gt;[-&lt;ipaddr&gt;][:port-port]</I>
|
1079 |
|
1080 | <DD>
|
1081 | which can specify a single new destination IP address, an inclusive
|
1082 | range of IP addresses, and optionally, a port range (which is only
|
1083 | valid if the rule also specifies
|
1084 | <B>-p tcp</B>
|
1085 |
|
1086 | or
|
1087 | <B>-p udp</B>).
|
1088 |
|
1089 | If no port range is specified, then the destination port will never be
|
1090 | modified.
|
1091 | </DL>
|
1092 | <A NAME="lbBE"> </A>
|
1093 | <H3>MASQUERADE</H3>
|
1094 |
|
1095 | This target is only valid in the
|
1096 | <B>nat</B>
|
1097 |
|
1098 | table, in the
|
1099 | <B>POSTROUTING</B>
|
1100 |
|
1101 | chain. It should only be used with dynamically assigned IP (dialup)
|
1102 | connections: if you have a static IP address, you should use the SNAT
|
1103 | target. Masquerading is equivalent to specifying a mapping to the IP
|
1104 | address of the interface the packet is going out, but also has the
|
1105 | effect that connections are
|
1106 | <I>forgotten</I>
|
1107 |
|
1108 | when the interface goes down. This is the correct behavior when the
|
1109 | next dialup is unlikely to have the same interface address (and hence
|
1110 | any established connections are lost anyway). It takes one option:
|
1111 | <DL COMPACT>
|
1112 | <DT><B>--to-ports </B><I>&lt;port&gt;[-&lt;port&gt;]</I>
|
1113 |
|
1114 | <DD>
|
1115 | This specifies a range of source ports to use, overriding the default
|
1116 | <B>SNAT</B>
|
1117 |
|
1118 | source port-selection heuristics (see above). This is only valid
|
1119 | if the rule also specifies
|
1120 | <B>-p tcp</B>
|
1121 |
|
1122 | or
|
1123 | <B>-p udp</B>.
|
1124 |
|
1125 | </DL>
|
1126 | <A NAME="lbBF"> </A>
|
1127 | <H3>REDIRECT</H3>
|
1128 |
|
1129 | This target is only valid in the
|
1130 | <B>nat</B>
|
1131 |
|
1132 | table, in the
|
1133 | <B>PREROUTING</B>
|
1134 |
|
1135 | and
|
1136 | <B>OUTPUT</B>
|
1137 |
|
1138 | chains, and user-defined chains which are only called from those
|
1139 | chains. It alters the destination IP address to send the packet to
|
1140 | the machine itself (locally-generated packets are mapped to the
|
1141 | 127.0.0.1 address). It takes one option:
|
1142 | <DL COMPACT>
|
1143 | <DT><B>--to-ports </B><I>&lt;port&gt;[-&lt;port&gt;]</I>
|
1144 |
|
1145 | <DD>
|
1146 | This specifies a destination port or range of ports to use: without
|
1147 | this, the destination port is never altered. This is only valid
|
1148 | if the rule also specifies
|
1149 | <B>-p tcp</B>
|
1150 |
|
1151 | or
|
1152 | <B>-p udp</B>.
|
1153 |
|
1154 | </DL>
|
1155 | <A NAME="lbBG"> </A>
|
1156 | <H2>EXTRA EXTENSIONS</H2>
|
1157 |
|
1158 | The following extensions are not included by default in the standard
|
1159 | distribution.
|
1160 | <A NAME="lbBH"> </A>
|
1161 | <H3>ttl</H3>
|
1162 |
|
1163 | This module matches the time to live field in the IP header.
|
1164 | <DL COMPACT>
|
1165 | <DT><B>--ttl </B><I>ttl</I>
|
1166 |
|
1167 | <DD>
|
1168 | Matches the given TTL value.
|
1169 | </DL>
|
1170 | <A NAME="lbBI"> </A>
|
1171 | <H3>TTL</H3>
|
1172 |
|
1173 | This target is used to modify the time to live field in the IP header.
|
1174 | It is only valid in the
|
1175 | <B>mangle</B>
|
1176 |
|
1177 | table.
|
1178 | <DL COMPACT>
|
1179 | <DT><B>--ttl-set </B><I>ttl</I>
|
1180 |
|
1181 | <DD>
|
1182 | Set the TTL to the given value.
|
1183 | <DT><B>--ttl-dec </B><I>ttl</I>
|
1184 |
|
1185 | <DD>
|
1186 | Decrement the TTL by the given value.
|
1187 | <DT><B>--ttl-inc </B><I>ttl</I>
|
1188 |
|
1189 | <DD>
|
1190 | Increment the TTL by the given value.
|
1191 | </DL>
|
1192 | <A NAME="lbBJ"> </A>
|
1193 | <H3>ULOG</H3>
|
1194 |
|
1195 | This target provides userspace logging of matching packets. When this
|
1196 | target is set for a rule, the Linux kernel will multicast this packet
|
1197 | through a
|
1198 | <I>netlink</I>
|
1199 |
|
1200 | socket. One or more userspace processes may then subscribe to various
|
1201 | multicast groups and receive the packets.
|
1202 | <DL COMPACT>
|
1203 | <DT><B>--ulog-nlgroup </B><I>&lt;nlgroup&gt;</I>
|
1204 |
|
1205 | <DD>
|
1206 | This specifies the netlink group (1-32) to which the packet is sent.
|
1207 | Default value is 1.
|
1208 | <DT><B>--ulog-prefix </B><I>&lt;prefix&gt;</I>
|
1209 |
|
1210 | <DD>
|
1211 | Prefix log messages with the specified prefix; up to 32 characters
|
1212 | long, and useful for distinguishing messages in the logs.
|
1213 | <DT><B>--ulog-cprange </B><I>&lt;size&gt;</I>
|
1214 |
|
1215 | <DD>
|
1216 | Number of bytes to be copied to userspace. A value of 0 always copies
|
1217 | the entire packet, regardless of its size. Default is 0.
|
1218 | <DT><B>--ulog-qthreshold </B><I>&lt;size&gt;</I>
|
1219 |
|
1220 | <DD>
|
1221 | Number of packets to queue inside the kernel. Setting this value to, e.g. 10
|
1222 | accumulates ten packets inside the kernel and transmits them as one
|
1223 | netlink multipart message to userspace. Default is 1 (for backwards
|
1224 | compatibility).
|
1225 | </DL>
|
1226 | <A NAME="lbBK"> </A>
|
1227 | <H2>DIAGNOSTICS</H2>
|
1228 |
|
1229 | Various error messages are printed to standard error. The exit code
|
1230 | is 0 for correct functioning. Errors which appear to be caused by
|
1231 | invalid or abused command line parameters cause an exit code of 2, and
|
1232 | other errors cause an exit code of 1.
|
1233 | <A NAME="lbBL"> </A>
|
1234 | <H2>BUGS</H2>
|
1235 |
|
1236 | Check is not implemented (yet).
|
1237 | <A NAME="lbBM"> </A>
|
1238 | <H2>COMPATIBILITY WITH IPCHAINS</H2>
|
1239 |
|
1240 | This
|
1241 | <B>iptables</B>
|
1242 |
|
1243 | is very similar to ipchains by Rusty Russell. The main difference is
|
1244 | that the chains
|
1245 | <B>INPUT</B>
|
1246 |
|
1247 | and
|
1248 | <B>OUTPUT</B>
|
1249 |
|
1250 | are only traversed for packets coming into the local host and
|
1251 | originating from the local host respectively. Hence every packet only
|
1252 | passes through one of the three chains; previously a forwarded packet
|
1253 | would pass through all three.
|
1254 | <P>
|
1255 |
|
1256 | The other main difference is that
|
1257 | <B>-i</B>
|
1258 |
|
1259 | refers to the input interface;
|
1260 | <B>-o</B>
|
1261 |
|
1262 | refers to the output interface, and both are available for packets
|
1263 | entering the
|
1264 | <B>FORWARD</B>
|
1265 |
|
1266 | chain.
|
1267 | <P>
|
1268 |
|
1269 | <B>iptables </B>
|
1270 |
|
1271 | is a pure packet filter when using the default `filter' table, with
|
1272 | optional extension modules. This should simplify much of the previous
|
1273 | confusion over the combination of IP masquerading and packet filtering
|
1274 | seen previously. So the following options are handled differently:
|
1275 | <BR>
|
1276 |
|
1277 | <BR> -j MASQ
|
1278 | <BR>
|
1279 |
|
1280 | <BR> -M -S
|
1281 | <BR>
|
1282 |
|
1283 | <BR> -M -L
|
1284 | <BR>
|
1285 |
|
1286 | There are several other changes in iptables.
|
1287 | <A NAME="lbBN"> </A>
|
1288 | <H2>SEE ALSO</H2>
|
1289 |
|
1290 | The packet-filtering-HOWTO, which details more iptables usage for packet filtering, the NAT-HOWTO,
|
1291 | which details NAT, and the netfilter-hacking-HOWTO which details the
|
1292 | internals.
|
1293 | <A NAME="lbBO"> </A>
|
1294 | <H2>AUTHORS</H2>
|
1295 |
|
1296 | Rusty Russell wrote iptables, in early consultation with Michael
|
1297 | Neuling.
|
1298 | <P>
|
1299 |
|
1300 | Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
|
1301 | selection framework in iptables, then wrote the mangle table, the owner match,
|
1302 | the mark stuff, and ran around doing cool stuff everywhere.
|
1303 | <P>
|
1304 |
|
1305 | James Morris wrote the TOS target, and tos match.
|
1306 | <P>
|
1307 |
|
1308 | Jozsef Kadlecsik wrote the REJECT target.
|
1309 | <P>
|
1310 |
|
1311 | Harald Welte wrote the ULOG target, TTL match+target and libipulog.
|
1312 | <P>
|
1313 |
|
1314 | The Netfilter Core Team is: Marc Boucher, James Morris, Harald Welte
|
1315 | and Rusty Russell.
|
1316 |
|
1317 |
|
1318 |
|
1319 |
|
1320 | <P>
|
1321 |
|
1322 | <HR>
|
1323 | <A NAME="index"> </A><H2>Index</H2>
|
1324 | <DL>
|
1325 | <DT><A HREF="#lbAB">NAME</A><DD>
|
1326 | <DT><A HREF="#lbAC">SYNOPSIS</A><DD>
|
1327 | <DT><A HREF="#lbAD">DESCRIPTION</A><DD>
|
1328 | <DT><A HREF="#lbAE">TARGETS</A><DD>
|
1329 | <DT><A HREF="#lbAF">TABLES</A><DD>
|
1330 | <DT><A HREF="#lbAG">OPTIONS</A><DD>
|
1331 | <DL>
|
1332 | <DT><A HREF="#lbAH">COMMANDS</A><DD>
|
1333 | <DT><A HREF="#lbAI">PARAMETERS</A><DD>
|
1334 | <DT><A HREF="#lbAJ">OTHER OPTIONS</A><DD>
|
1335 | </DL>
|
1336 | <DT><A HREF="#lbAK">MATCH EXTENSIONS</A><DD>
|
1337 | <DL>
|
1338 | <DT><A HREF="#lbAL">tcp</A><DD>
|
1339 | <DT><A HREF="#lbAM">udp</A><DD>
|
1340 | <DT><A HREF="#lbAN">icmp</A><DD>
|
1341 | <DT><A HREF="#lbAO">mac</A><DD>
|
1342 | <DT><A HREF="#lbAP">limit</A><DD>
|
1343 | <DT><A HREF="#lbAQ">multiport</A><DD>
|
1344 | <DT><A HREF="#lbAR">mark</A><DD>
|
1345 | <DT><A HREF="#lbAS">owner</A><DD>
|
1346 | <DT><A HREF="#lbAT">state</A><DD>
|
1347 | <DT><A HREF="#lbAU">unclean</A><DD>
|
1348 | <DT><A HREF="#lbAV">tos</A><DD>
|
1349 | </DL>
|
1350 | <DT><A HREF="#lbAW">TARGET EXTENSIONS</A><DD>
|
1351 | <DL>
|
1352 | <DT><A HREF="#lbAX">LOG</A><DD>
|
1353 | <DT><A HREF="#lbAY">MARK</A><DD>
|
1354 | <DT><A HREF="#lbAZ">REJECT</A><DD>
|
1355 | <DT><A HREF="#lbBA">TOS</A><DD>
|
1356 | <DT><A HREF="#lbBB">MIRROR</A><DD>
|
1357 | <DT><A HREF="#lbBC">SNAT</A><DD>
|
1358 | <DT><A HREF="#lbBD">DNAT</A><DD>
|
1359 | <DT><A HREF="#lbBE">MASQUERADE</A><DD>
|
1360 | <DT><A HREF="#lbBF">REDIRECT</A><DD>
|
1361 | </DL>
|
1362 | <DT><A HREF="#lbBG">EXTRA EXTENSIONS</A><DD>
|
1363 | <DL>
|
1364 | <DT><A HREF="#lbBH">ttl</A><DD>
|
1365 | <DT><A HREF="#lbBI">TTL</A><DD>
|
1366 | <DT><A HREF="#lbBJ">ULOG</A><DD>
|
1367 | </DL>
|
1368 | <DT><A HREF="#lbBK">DIAGNOSTICS</A><DD>
|
1369 | <DT><A HREF="#lbBL">BUGS</A><DD>
|
1370 | <DT><A HREF="#lbBM">COMPATIBILITY WITH IPCHAINS</A><DD>
|
1371 | <DT><A HREF="#lbBN">SEE ALSO</A><DD>
|
1372 | <DT><A HREF="#lbBO">AUTHORS</A><DD>
|
1373 | </DL>
|
1374 | <HR>
|
1375 | This document was created by
|
1376 | <A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
|
1377 | using the manual pages.<BR>
|
1378 | Time: 17:14:16 GMT, November 14, 2001
|
1379 |
|
|
1472 | </form>
|
|
1475 |
|
1476 | </BODY>
|
1477 | </HTML>
|