iptables command [options]

System administration command. Configure netfilter filtering rules. In the 2.4 kernel, the ipchains firewall capabilities are replaced with the netfilter kernel module. netfilter can be configured to work just like ipchains, but it also comes with the module iptables, which is similar to ipchains but extensible.

iptables rules consist of some matching criteria and a target, a result to be applied if the packet matches the criteria. The rules are organized into chains. You can use these rules to build a firewall, masquerade your local area network, or just reject certain kinds of network connections.

There are three built-in tables for iptables, one for network filtering (filter), one for Network Address Translation (nat), and the last for specialized packet alterations (mangle). Firewall rules are organized into chains, ordered check lists of rules that the kernel works through looking for matches. The filter table has three built-in chains, INPUT, OUTPUT, and FORWARD. The INPUT and OUTPUT chains handle packets originating from or destined for the host system. The FORWARD chain handles packets just passing through the host system. The nat table also has three built-in chains, PREROUTING, POSTROUTING, and OUTPUT. mangle has only two chains, PREROUTING and OUTPUT.

netfilter checks packets entering the system. After applying any PREROUTING rules it passes them to the INPUT chain, or to the FORWARD chain if the packet is just passing through. Upon leaving the system, packets are passed to the OUTPUT chain and then on to any POSTROUTING rules. Each of these chains has a default target, a policy, in case no match is found. User-defined chains can also be created and used as targets for packets, but they do not have default policies. If no match can be found in a user-defined chain, the packet is returned to the chain from which it was called and tested against the next rule in that chain.

iptables only changes the rules in the running kernel. When the system is powered off, all changes are lost.
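The traversal rules just described (ordered rules, a default policy on built-in chains, user-defined chains with no policy, RETURN, and a rule without a target that only counts) can be made concrete with a small model. The following is an added example written for this entry, not code from the book or from the netfilter project; the chain names, the ssh-check chain and the packets are constructed, and the model ignores everything netfilter does beyond the filter-table walk.

```python
"""Toy model of a netfilter filter-table walk (constructed illustration).

Models the semantics given in the text: rules are tested in order, a
built-in chain falls back to its policy, a user-defined chain has no policy
and hands the packet back to its caller, RETURN does the same explicitly,
and a rule with no -j only increments its counters.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

BUILTIN = {"INPUT", "OUTPUT", "FORWARD"}


@dataclass
class Rule:
    match: Callable[[dict], bool]   # the matching criteria (-p, -s, --dport ...)
    target: Optional[str] = None    # -j target: ACCEPT/DROP/RETURN or a chain name
    packets: int = 0                # packet counter, as shown by iptables -L -v


@dataclass
class Table:
    chains: dict = field(default_factory=dict)    # chain name -> list of Rule
    policies: dict = field(default_factory=dict)  # built-in chain -> policy

    def new_chain(self, name):            # iptables -N name
        self.chains[name] = []

    def policy(self, chain, target):      # iptables -P chain target
        if chain not in BUILTIN:
            raise ValueError("only built-in chains have a default policy")
        self.policies[chain] = target

    def append(self, chain, rule):        # iptables -A chain ...
        self.chains.setdefault(chain, []).append(rule)

    def verdict(self, chain, pkt):
        result = self._walk(chain, pkt)
        # Falling off the end of a built-in chain, or RETURN in it, applies the policy.
        return result if result is not None else self.policies[chain]

    def _walk(self, chain, pkt):
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            rule.packets += 1
            if rule.target is None:          # no -j: counters only, keep testing
                continue
            if rule.target == "RETURN":
                return None                  # back to the caller (or the policy)
            if rule.target in self.chains:   # jump into a user-defined chain
                sub = self._walk(rule.target, pkt)
                if sub is not None:
                    return sub
                continue                     # user chain exhausted: next rule here
            return rule.target               # ACCEPT, DROP, REJECT, ...
        return None


def build_example():
    """Constructed ruleset: SSH is delegated to a user-defined chain, web traffic
    is counted by one rule and accepted by the next, everything else is dropped."""
    t = Table()
    t.policy("INPUT", "DROP")
    t.new_chain("ssh-check")
    # -A INPUT -p tcp --dport 22 -j ssh-check
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp" and p["dport"] == 22, "ssh-check"))
    # -A INPUT -p tcp --dport 80            (no -j: just count web traffic)
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp" and p["dport"] == 80))
    # -A INPUT -p tcp --dport 80 -j ACCEPT
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp" and p["dport"] == 80, "ACCEPT"))
    # -A ssh-check -s 10.0.0.0/8 -j ACCEPT  (constructed admin network)
    t.append("ssh-check", Rule(lambda p: p["src"].startswith("10."), "ACCEPT"))
    # -A ssh-check -s 192.168.1.1 -j RETURN (hand this host back to INPUT explicitly)
    t.append("ssh-check", Rule(lambda p: p["src"] == "192.168.1.1", "RETURN"))
    return t


def demo():
    """Run constructed packets through INPUT; returns (verdicts, INPUT counters)."""
    t = build_example()
    pkts = {
        "ssh-from-admin": {"proto": "tcp", "src": "10.1.2.3", "dport": 22},
        "ssh-returned":   {"proto": "tcp", "src": "192.168.1.1", "dport": 22},
        "ssh-other":      {"proto": "tcp", "src": "203.0.113.5", "dport": 22},
        "http":           {"proto": "tcp", "src": "203.0.113.5", "dport": 80},
        "dns-udp":        {"proto": "udp", "src": "203.0.113.5", "dport": 53},
    }
    verdicts = {name: t.verdict("INPUT", p) for name, p in pkts.items()}
    counters = [r.packets for r in t.chains["INPUT"]]
    return verdicts, counters


if __name__ == "__main__":
    for k, v in zip(("verdicts", "counters"), demo()):
        print(k, v)
```

Two points the walk makes visible: the SSH packet that hits RETURN and the one that exhausts ssh-check both end up at the INPUT policy (DROP), because a user-defined chain has nothing of its own to fall back to; and the count-only rule for port 80 is hit exactly as often as the ACCEPT rule behind it, which is the pattern used when you want statistics without changing the verdict.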
You can use the iptables-save command to make a script you can run with iptables-restore to restore your firewall settings. Such a script is often called at bootup. Many distributions will have an iptables initialization script that uses the output from iptables-save.

Commands

iptables is always invoked with one of the following commands:

-A chain rules, --append chain rules
    Append new rules to chain.

-I chain number rules, --insert chain number rules
    Insert rules into chain at the ordinal position given by number.

-D chain rules, --delete chain rules
    Delete rules from chain. Rules can be specified by their ordinal number in the chain as well as by a general rule description.

-R chain number rule, --replace chain number rule
    Replace a rule in chain. The rule to be replaced is specified by its ordinal number.

-C chain rule, --check chain rules
    Check how chain will handle a network packet that matches the given rule. The rule must describe the source, destination, protocol, and interface of the packet to be constructed.

-L [chain], --list [chain]
    List the rules in chain, or in all chains if chain is not specified.

-F [chain], --flush [chain]
    Remove all rules from chain, or from all chains if chain is not specified.

-Z [chain], --zero [chain]
    Zero the packet and byte counters in chain. If no chain is specified, all chains will be reset. When used without specifying a chain and combined with the -L command, it lists the current counter values before they are reset.

-N chain, --new-chain chain
    Create a new chain. The chain's name must be unique. This is how user-defined chains are created.

-X [chain], --delete-chain [chain]
    Delete the specified user-defined chain, or all user-defined chains if no chain is specified.

-P chain target, --policy chain target
    Set the default policy for a built-in chain; the target itself cannot be a chain.

-E old-chain new-chain, --rename-chain old-chain new-chain
    Rename old-chain to new-chain.

-h [icmp]
    Print a brief help message. If the option icmp is given, print a list of valid ICMP types.

Targets

A target may be the name of a chain or one of the following special values.

ACCEPT
    Let the packet through.

DROP
    Drop the packet.

QUEUE
    Send packets to user space for processing.

RETURN
    Stop traversing the current chain and return to the point in the previous chain from which this one was called. If RETURN is the target of a rule in a built-in chain, the built-in chain's default policy is applied.

Rule specification parameters

These options are used to create rules for use with the preceding commands. Rules consist of some matching criteria and usually a target to jump to (-j) if the match is made. Many of the parameters for these matching rules can be expressed as a negative with an exclamation point (!) meaning "not." Those rules will match everything except the given parameter.

-p [!] name, --protocol [!] name
    Match packets of protocol name. The value of name can be given as a name or number as found in the file /etc/protocols. The most common values are tcp, udp, icmp, or the special value all. The number 0 is equivalent to all and is the default value when this option is not used. If there are extended matching rules associated with the specified protocol, they will be loaded automatically; you need not use the -m option to load them.

-s [!] address[/mask] [!] [port], --source [!] address[/mask] [!] [port]
    Match packets with the given source address. The address may be supplied as a hostname, a network name, or an IP address. The optional mask is the netmask to use and may be supplied either in the traditional form (e.g., /255.255.255.0) or in the modern form (e.g., /24).

-d [!] address[/mask] [!] [port], --destination [!] address[/mask] [!] [port]
    Match packets with the given destination address. See the description of -s for the syntax of this option.

-j target, --jump target
    Jump to a special target or a user-defined chain. If this option is not specified for a rule, matching the rule only increases the rule's counters, and the packet is tested against the next rule.

-i [!] name[+], --in-interface [!] name[+]
    Match packets being received from interface name. name is the network interface used by your system (e.g., eth0 or ppp0). A + can be used as a wildcard, so ppp+ would match any interface name beginning with ppp.

-o [!] name[+], --out-interface [!] name[+]
    Match packets being sent from interface name. See the description of -i for the syntax of name.

[!] -f, [!] --fragment
    The rule applies only to the second or further fragments of a fragmented packet.

Options

-v, --verbose
    Verbose mode.

-n, --numeric
    Print all IP addresses and port numbers in numeric form. By default, text names are displayed when possible.

-x, --exact
    Expand all numbers in a listing (-L). Display the exact value of the packet and byte counters instead of rounded figures.

-m module, --match module
    Explicitly load the matching rule extensions associated with module. See the following section, "Match extensions."

-h [icmp], --help [icmp]
    Print a help message. If icmp is specified, a list of valid ICMP type names will be printed. -h can also be used with the -m option to get help on an extension module.

--line-numbers
    Used with the -L command. Add the line number to the beginning of each rule in a listing, indicating its position in the chain.

Match extensions

Several kernel modules come with netfilter to extend the matching capabilities of rules. Those associated with particular protocols are loaded automatically when the -p option is used to specify the protocol. Others need to be loaded explicitly with the -m option.

tcp
    Loaded when -p tcp is the only protocol specified.

    --source-port [!] [port][:port], --sport [!] [port][:port]
        Match the specified source ports. Using the colon specifies an inclusive range of services to match. If the first port is omitted, 0 is the default. If the second port is omitted, 65535 is the default. You can also use a dash instead of a colon to specify the range.

    --destination-port [!] [port][:port], --dport [!] [port][:port]
        Match the specified destination ports. The syntax is the same as for --source-port.

    --tcp-flags [!] mask comp
        Match the packets with the TCP flags specified by mask and comp. mask is a comma-separated list of flags that should be examined. comp is a comma-separated list of flags that must be set for the rule to match. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE.
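The mask/comp semantics of --tcp-flags (and of the --syn shorthand described next) are easy to get wrong, so here is the evaluation written out. This is an added example for this entry, not code from the book or from netfilter; the flag bit values are the standard TCP header bits, and the sample packets are constructed.

```python
"""How '[!] --tcp-flags mask comp' and '--syn' evaluate a packet (constructed illustration)."""

# Bit values of the TCP flags as they appear in the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}


def parse_flag_list(spec):
    """Turn a comma-separated list such as 'SYN,RST,ACK' into a bitmask.
    ALL and NONE are the two special names the option accepts."""
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name}")
        mask |= TCP_FLAGS[name]
    return mask


def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """Examine only the bits named in mask and require exactly the bits named
    in comp to be set among them; flags outside mask are ignored."""
    matched = (packet_flags & parse_flag_list(mask)) == parse_flag_list(comp)
    return (not matched) if negate else matched


def syn_match(packet_flags):
    """'--syn' is shorthand for '--tcp-flags SYN,RST,ACK SYN'."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN")


# Constructed sample packets, named by what the flag combination means.
SAMPLE_PACKETS = {
    "connection request (SYN)": TCP_FLAGS["SYN"],
    "SYN+ACK reply": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "established data (PSH+ACK)": TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],
    "no flags set": 0,
    "all flags set": sum(TCP_FLAGS.values()),
}


def classify(packet_flags):
    """Apply the rules a filter commonly carries and report which ones match:
    '--syn' for new connections, and the two ALL-mask rules that catch packets
    with no flags or every flag set, which no legitimate stack sends."""
    return {
        "--syn": syn_match(packet_flags),
        "! --syn": tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN", negate=True),
        "--tcp-flags ALL NONE": tcp_flags_match(packet_flags, "ALL", "NONE"),
        "--tcp-flags ALL ALL": tcp_flags_match(packet_flags, "ALL", "ALL"),
    }


if __name__ == "__main__":
    for name, flags in SAMPLE_PACKETS.items():
        print(f"{name:28s} {classify(flags)}")
```

Note that a SYN packet that also carries PSH or URG still matches --syn: those bits are not in the mask SYN,RST,ACK, so they are never examined. Only SYN, RST and ACK are compared, and of those exactly SYN must be set.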

    [!] --syn
        Match packets with the SYN bit set and the ACK and FIN bits cleared. These are packets that request TCP connections; blocking them prevents incoming connections. Shorthand for --tcp-flags SYN,RST,ACK SYN.

udp
    Loaded when -p udp is the only protocol specified.

    --source-port [!] [port][:port], --sport [!] [port][:port]
        Match the specified source ports. The syntax is the same as for the --source-port option of the tcp extension.

    --destination-port [!] [port][:port], --dport [!] [port][:port]
        Match the specified destination ports. The syntax is the same as for the --source-port option of the tcp extension.

icmp
    Loaded when -p icmp is the only protocol specified.

    --icmp-type [!] type
        Match the specified ICMP type. type may be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac
    Loaded explicitly with the -m option.

    --mac-source [!] address
        Match the source address that transmitted the packet. address must be given in colon-separated hex-byte notation (for example, --mac-source 00:60:08:91:CC:B7).

limit
    Loaded explicitly with the -m option. The limit extension is used to limit the number of packets matched. This is useful when combined with the LOG target. Rules using this extension match until the specified limit is reached.

    --limit rate
        Match at the given rate. rate is specified as a number with an optional /second, /minute, /hour, or /day suffix. When this option is not set, the default is 3/hour.

    --limit-burst [number]
        Set the maximum number of packets to match in a burst. Once the number has been reached, no more packets are matched for this rule until the burst has recharged. It recharges at the rate set by the --limit option. When not specified, the default is 5.

multiport
    Loaded explicitly with the -m option. The multiport extension matches sets of source or destination ports. These rules can be used only in conjunction with -p tcp and -p udp. Up to 15 ports can be specified in a comma-separated list.

    --source-port [ports]
        Match the given source ports.

    --destination-port [ports]
        Match the given destination ports.

    --port [ports]
        Match if the packet has the same source and destination port and that port is one of the given ports.

mark
    Loaded explicitly with the -m option. This module works with the MARK extension target.

    --mark value[/mask]
        Match the given unsigned mark value. If a mask is specified, it is logically ANDed with the mark before comparison.

owner
    Loaded explicitly with the -m option. The owner extension matches a local packet's creator's user, group, process, and session IDs. This makes sense only as a part of the OUTPUT chain.

    --uid-owner userid
        Match packets created by a process owned by userid.

    --gid-owner groupid
        Match packets created by a process owned by groupid.

    --pid-owner processid
        Match packets created by process ID processid.

    --sid-owner sessionid
        Match packets created by a process in the session sessionid.

http://www.onlamp.com/linux/cmd/i/iptables.html (6 of 9) [29/03/02 19:2?:31] O'Reilly Network, Linux Command Directory, iptables [March 15, 2002]

state
    Loaded explicitly with the -m option. This module matches the connection state of a packet.

    --state states
        Match the packet if it has one of the states in the comma-separated list states. Valid states are INVALID, ESTABLISHED, NEW, and RELATED.

tos
    Loaded explicitly with the -m option. This module matches the Type of Service field in a packet's header.

    --tos value
        Match the packet if it has a TOS of value. value can be a numeric value or a Type of Service name. iptables -m tos -h will give you a list of valid TOS values.

Target extensions

Extension targets are optional additional targets supported by separate kernel modules. They have their own associated options.

LOG
    Log the packet's information in the system log.

    --log-level level
        Set the syslog level by name or number (as defined by syslog.conf).

    --log-prefix prefix
        Begin each log entry with the string prefix. The prefix string may be up to 30 characters long.

    --log-tcp-sequence
        Log the TCP sequence numbers. This is a security risk if your log is readable by users.

    --log-tcp-options
        Log options from the TCP packet header.

    --log-ip-options
        Log options from the IP packet header.

MARK
    Used to mark packets with an unsigned integer value you can use later with the mark matching extension. Valid only with the mangle table.

    --set-mark value
        Mark the packet with value.

REJECT
    Drop the packet and, if appropriate, send an ICMP message back to the sender indicating the packet was dropped. If the packet was an ICMP error message, an unknown ICMP type, or a non-head fragment, or if too many ICMP messages have already been sent to this address, no message is sent.

    --reject-with type
        Send the specified ICMP message type. Valid values are icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, or icmp-proto-unreachable. If the packet was an ICMP ping packet, type may also be echo-reply.

TOS
    Set the Type of Service field in the IP header. TOS is a valid target only for rules in the mangle table.

    --set-tos value
        Set the TOS field to value. You can specify this as an 8-bit value or as a TOS name. You can get a list of valid names using iptables -j TOS -h.

SNAT
    Modify the source address of the packet and all future packets in the current connection. SNAT is valid only as a part of the POSTROUTING chain in the nat table.

    --to-source address[-address][:port-port]
        Specify the new source address or range of addresses. If a tcp or udp protocol has been specified with the -p option, source ports may also be specified. If none is specified, map the new source to the same port if possible. If not, map ports below 512 to other ports below 512, those between 512 and 1024 to other ports below 1024, and ports above 1024 to other ports above 1024.

DNAT
    Modify the destination address of the packet and all future packets in the current connection. DNAT is valid only as a part of the POSTROUTING chain in the nat table.

    --to-destination address[-address][:port-port]
        Specify the new destination address or range of addresses. The arguments for this option are the same as the --to-source argument of the SNAT extension target.

MASQUERADE
    Masquerade the packet so it appears to have originated from the current system. Reverse packets from masqueraded connections are unmasqueraded automatically. This is a legal target only for chains in the nat table that handle outgoing packets and should be used only with dynamic IP addresses (like dial-up). For static addresses use DNAT.

    --to-ports port[-port]
        Specify the port or range of ports to use when masquerading. This option is valid only if a tcp or udp protocol has been specified with the -p option. If this option is not used, the masqueraded packet's port will not be changed.

REDIRECT [--to-port port]
    Redirect the packet to a local port. This is useful for creating transparent proxies.

    --to-ports port[-port]
        Specify the port or range of ports on the local system to which the packet should be redirected. This option is valid only if a tcp or udp protocol has been specified with the -p option. If this option is not used, the redirected packet's port will not be changed.

iptables-restore [file]

System administration command. Restore firewall rules. iptables-restore takes commands generated by iptables-save and uses them to restore the firewall rules for each chain. Often used by initialization scripts to restore firewall settings on boot. file is the name of a file whose contents were generated by iptables-save. If not specified, the command takes its input from stdin. This command was not completed at the time this book went to print. There may be options not listed here.

iptables-save [chain]

System administration command. Print the IP firewall rules currently stored in the kernel to stdout. If no chain is given, all chains will be printed. Output may be redirected to a file that can later be used by iptables-restore to restore the firewall. This command was not completed at the time this book went to print. There may be options not listed here.
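Because the iptables-save output is what iptables-restore replays at boot, it is also the most convenient artifact to review: it shows every table, each chain's default policy and every rule in one place. The following added example (written for this entry, not code from the book or the netfilter project) parses a constructed save file and applies a few checks drawn from the entries above: built-in filter chains left at policy ACCEPT, LOG rules that are not rate-limited with the limit extension, --log-tcp-sequence being enabled, and jumps to chains the file never declares (which would make iptables-restore fail). The sample ruleset, its chain names and addresses are constructed; real save output includes per-chain counters in the same positions.

```python
"""Parse iptables-save output and audit it against a few hygiene checks (constructed example)."""
import shlex

# Constructed sample, not real iptables-save output; the FORWARD chain is
# deliberately left in a state that the checks below will flag.
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ssh-check - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ssh-check
-A INPUT -m limit --limit 3/hour --limit-burst 5 -j LOG --log-prefix "INPUT-DROP: "
-A FORWARD -j LOG --log-prefix "FWD: " --log-tcp-sequence
-A ssh-check -s 10.0.0.0/8 -j ACCEPT
-A ssh-check -j RETURN
COMMIT
"""

# Targets that are not chains: the special values plus the extension targets in this entry.
KNOWN_TARGETS = {"ACCEPT", "DROP", "QUEUE", "RETURN", "LOG", "MARK", "REJECT",
                 "TOS", "SNAT", "DNAT", "MASQUERADE", "REDIRECT"}


def parse_save(text):
    """Return {table: {"policies": {chain: policy or None}, "rules": [(chain, tokens)]}}.
    A '-' policy marks a user-defined chain, which has no default policy."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # table header, e.g. *filter
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                     # :CHAIN POLICY [packets:bytes]
            chain, policy, _counters = line[1:].split()
            current["policies"][chain] = None if policy == "-" else policy
        elif line == "COMMIT":
            current = None
        else:
            tokens = shlex.split(line)                 # keeps a quoted --log-prefix whole
            if tokens[0] != "-A":
                raise ValueError(f"unexpected line in save file: {raw}")
            current["rules"].append((tokens[1], tokens[2:]))
    return tables


def option_value(tokens, opt):
    """Value following a single-valued option such as -j, or None if absent."""
    return tokens[tokens.index(opt) + 1] if opt in tokens else None


def match_modules(tokens):
    """All modules loaded with -m on this rule."""
    return {tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-m"}


def audit(tables):
    """Return a list of findings, in file order, for the filter table."""
    findings = []
    f = tables.get("filter", {"policies": {}, "rules": []})
    for chain in ("INPUT", "FORWARD"):
        if f["policies"].get(chain) == "ACCEPT":
            findings.append(f"{chain} default policy is ACCEPT")
    for chain, tokens in f["rules"]:
        target = option_value(tokens, "-j")
        if target and target not in KNOWN_TARGETS and target not in f["policies"]:
            findings.append(f"{chain}: jump to undeclared chain {target}")
        if target == "LOG" and "limit" not in match_modules(tokens):
            findings.append(f"{chain}: LOG rule without -m limit")
        if "--log-tcp-sequence" in tokens:
            findings.append(f"{chain}: --log-tcp-sequence enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_save(SAMPLE_SAVE)):
        print(finding)
```

The LOG-without-limit check reflects the point made under the limit extension: an unthrottled LOG rule lets any burst of unwanted traffic fill the system log, so the limit match normally sits in front of it. Run against a file produced by iptables-save on the machine itself, the same parser is a quick pre-flight check before handing that file to iptables-restore at boot.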
