iptables(8) - administration tool for IPv4 packet filtering and NAT
-t, --table table
       This option specifies the packet matching table which the  command  should  operate  on.   If  the
       kernel  is  configured  with  automatic  module  loading,  an  attempt  will  be  made to load the
       appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed). It contains the built-in  chains  INPUT
                  (for  packets  destined to local sockets), FORWARD (for packets being routed through the box),
                  and OUTPUT (for locally-generated packets).

              nat:
                  This table is consulted when a packet that  creates  a  new  connection  is  encountered.   It
                  consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT
                  (for altering locally-generated packets before routing), and POSTROUTING (for altering packets
                  as they are about to go out).

              mangle:
                  This table is used for specialized packet alteration.  Until kernel 2.4.17 it had two built-in
                  chains: PREROUTING (for altering incoming packets before routing)  and  OUTPUT  (for  altering
                  locally-generated  packets  before routing).  Since kernel 2.4.18, three other built-in chains
                  are also supported: INPUT (for packets coming into the  box  itself),  FORWARD  (for  altering
                  packets being routed through the box), and POSTROUTING (for altering packets as they are about
                  to go out).

              raw:
                  This table is used mainly for configuring exemptions from connection tracking  in  combination
                  with the NOTRACK target.  It registers at the netfilter hooks with higher priority and is thus
                   called before ip_conntrack, or any other  IP  tables.   It  provides  the  following  built-in
                   chains:  PREROUTING  (for  packets  arriving  via  any  network interface) and OUTPUT (for
                   packets generated by local processes).

              security:
                  This table is used for Mandatory Access Control (MAC) networking rules, such as those  enabled
                  by  the  SECMARK  and  CONNSECMARK  targets.  Mandatory Access Control is implemented by Linux
                  Security Modules such as SELinux.  The security  table  is  called  after  the  filter  table,
                  allowing  any  Discretionary  Access  Control  (DAC)  rules in the filter table to take effect
                  before MAC rules.  This table provides the  following  built-in  chains:  INPUT  (for  packets
                  coming  into  the box itself), OUTPUT (for altering locally-generated packets before routing),
                  and FORWARD (for altering packets being routed through the box).
-A, --append chain rule-specification
       Append one or more rules to the end of the selected chain.  When  the  source  and/or  destination
       names  resolve  to  more  than  one  address,  a  rule  will  be  added  for each possible address
       combination.
-C, --check chain rule-specification
       Check whether a rule matching the specification does exist in the  selected  chain.  This  command
       uses  the  same  logic  as  -D  to find a matching entry, but does not alter the existing iptables
       configuration and uses its exit code to indicate success or failure.
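The exit-code behaviour of -C described above is what makes idempotent rule management possible: check first, append only when absent, and loop -C/-D to remove every duplicate. The Python below is an added example and not part of this manual page; the injectable `run` callback and the in-memory `FakeIptables` stand-in are assumptions introduced so the logic can be exercised without root, while `run_iptables` drives the real binary.

```python
import subprocess
from typing import Callable, Dict, List, Sequence, Tuple

# A runner takes an argv list and returns the process exit status.  Injecting it
# lets the same logic drive the real binary or a stand-in (an assumption of this
# example; iptables itself has no such hook).
Runner = Callable[[Sequence[str]], int]


def run_iptables(argv: Sequence[str]) -> int:
    """Default runner: execute iptables (needs root) and return its exit code."""
    return subprocess.run(list(argv), check=False).returncode


def ensure_rule(chain: str, spec: List[str], table: str = "filter",
                run: Runner = run_iptables) -> str:
    """Append a rule only if an identical one is not already in the chain.

    -C exits 0 when a matching rule exists and non-zero otherwise, without
    altering the ruleset, so -C followed by -A gives an idempotent add.
    Returns "present" or "added" so a caller can audit what changed.
    """
    base = ["iptables", "-t", table]
    if run(base + ["-C", chain] + spec) == 0:
        return "present"
    if run(base + ["-A", chain] + spec) != 0:
        raise RuntimeError(f"could not append to {table}/{chain}: {' '.join(spec)}")
    return "added"


def ensure_absent(chain: str, spec: List[str], table: str = "filter",
                  run: Runner = run_iptables) -> int:
    """Delete every copy of a rule.  -D removes one match per call, so repeat
    while -C still finds one.  Returns the number of rules removed."""
    base = ["iptables", "-t", table]
    removed = 0
    while run(base + ["-C", chain] + spec) == 0:
        if run(base + ["-D", chain] + spec) != 0:
            raise RuntimeError(f"could not delete from {table}/{chain}: {' '.join(spec)}")
        removed += 1
    return removed


class FakeIptables:
    """Constructed in-memory stand-in for the binary so the helpers above can be
    exercised offline.  Only -C, -A and -D are modelled."""

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str], List[List[str]]] = {}
        self.calls: List[List[str]] = []

    def __call__(self, argv: Sequence[str]) -> int:
        self.calls.append(list(argv))
        table, cmd, chain, spec = argv[2], argv[3], argv[4], list(argv[5:])
        rules = self.rules.setdefault((table, chain), [])
        if cmd == "-C":
            return 0 if spec in rules else 1
        if cmd == "-A":
            rules.append(spec)
            return 0
        if cmd == "-D":
            if spec in rules:
                rules.remove(spec)
                return 0
            return 1
        return 2  # anything else: treat as a usage error


if __name__ == "__main__":
    fake = FakeIptables()
    ssh = ["-p", "tcp", "--dport", "22", "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]
    print(ensure_rule("INPUT", ssh, run=fake))    # added
    print(ensure_rule("INPUT", ssh, run=fake))    # present
    print(ensure_absent("INPUT", ssh, run=fake))  # 1
```

Running it with the default runner (`ensure_rule("INPUT", ssh)`) executes the real commands; a -C that fails for a reason other than "rule absent" (a misspelled chain, say) surfaces as the RuntimeError from the following -A rather than being silently swallowed.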
-D, --delete chain rule-specification
-D, --delete chain rulenum
       Delete one or more rules from the selected chain.  There are two versions  of  this  command:  the
       rule  can  be  specified  as a number in the chain (starting at 1 for the first rule) or a rule to
       match.
-I, --insert chain [rulenum] rule-specification
       Insert one or more rules in the selected chain as the given rule number.  So, if the  rule  number
       is  1,  the  rule  or rules are inserted at the head of the chain.  This is also the default if no
       rule number is specified.
-R, --replace chain rulenum rule-specification
       Replace a rule in the selected chain.  If the source and/or destination names resolve to  multiple
       addresses, the command will fail.  Rules are numbered starting at 1.
-L, --list [chain]
       List  all rules in the selected chain.  If no chain is selected, all chains are listed. Like every
       other iptables command, it applies to the specified table (filter is the default),  so  NAT  rules
       get listed by
        iptables -t nat -n -L
       Please  note that it is often used with the -n option, in order to avoid long reverse DNS lookups.
       It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically
       listed and zeroed.  The exact output is affected by the other arguments given. The exact rules are
       suppressed until you use
        iptables -L -v
-S, --list-rules [chain]
       Print all rules in the selected chain.  If no chain is  selected,  all  chains  are  printed  like
       iptables-save. Like every other iptables command, it applies to the specified table (filter is the
       default).
-F, --flush [chain]
       Flush the selected chain (all the chains in the table if none is given).  This  is  equivalent  to
       deleting all the rules one by one.
-Z, --zero [chain [rulenum]]
       Zero  the  packet and byte counters in all chains, or only the given chain, or only the given rule
       in a chain. It is legal to specify the -L, --list (list) option  as  well,  to  see  the  counters
       immediately before they are cleared. (See above.)
-N, --new-chain chain
       Create a new user-defined chain by the given name.  There must be no target of that name already.
-X, --delete-chain [chain]
       Delete  the  optional user-defined chain specified.  There must be no references to the chain.  If
       there are, you must delete or replace the referring rules before the chain can  be  deleted.   The
       chain  must  be  empty,  i.e.  not contain any rules.  If no argument is given, it will attempt to
       delete every non-builtin chain in the table.
-P, --policy chain target
       Set the policy for the chain to the given target.  See the section TARGETS for the legal  targets.
       Only  built-in  (non-user-defined) chains can have policies, and neither built-in nor user-defined
       chains can be policy targets.
-E, --rename-chain old-chain new-chain
       Rename the user-specified chain to the user-supplied name.  This is cosmetic, and has no effect on
       the structure of the table.
-h     Help.  Give a (currently very brief) description of the command syntax.
[!] -p, --protocol protocol
       The protocol of the rule or of the packet to check.  The specified protocol can  be  one  of  tcp,
       udp,  udplite,  icmp,  esp,  ah,  sctp or the special keyword "all", or it can be a numeric value,
       representing one of these protocols or a different one.  A protocol name  from  /etc/protocols  is
       also allowed.  A "!" argument before the protocol inverts the test.  The number zero is equivalent
       to all. "all" will match with all protocols and is taken as default when this option is omitted.
[!] -s, --source address[/mask][,...]
       Source specification. Address can be either a network name, a hostname, a network IP address (with
       /mask),  or a plain IP address. Hostnames will be resolved once only, before the rule is submitted
       to the kernel.  Please note that specifying any name to be resolved with a remote  query  such  as
       DNS is a really bad idea.  The mask can be either a network mask or a plain number, specifying the
       number of 1's at the left side of the  network  mask.   Thus,  a  mask  of  24  is  equivalent  to
       255.255.255.0.   A "!" argument before the address specification inverts the sense of the address.
       The flag --src is an alias for this option.  Multiple addresses can be specified,  but  this  will
       expand  to  multiple rules (when adding with -A), or will cause multiple rules to be deleted (with
       -D).
[!] -d, --destination address[/mask][,...]
       Destination specification.  See the description of the -s (source) flag for a detailed description
       of the syntax.  The flag --dst is an alias for this option.
-j, --jump target
       This  specifies the target of the rule; i.e., what to do if the packet matches it.  The target can
       be a user-defined chain (other than the one this rule is in), one of the special  builtin  targets
       which  decide the fate of the packet immediately, or an extension (see EXTENSIONS below).  If this
       option is omitted in a rule (and -g is not used), then matching the rule will have  no  effect  on
       the packet's fate, but the counters on the rule will be incremented.
-g, --goto chain
       This  specifies  that  the processing should continue in a user specified chain. Unlike the --jump
       option, a RETURN from that chain will not continue processing in this chain but instead in the chain
       that called us via --jump.
[!] -i, --in-interface name
       Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD
       and PREROUTING chains).  When the "!" argument is used before the interface  name,  the  sense  is
       inverted.   If  the  interface  name ends in a "+", then any interface which begins with this name
       will match.  If this option is omitted, any interface name will match.
[!] -o, --out-interface name
       Name of an interface via which a packet is going to be sent (for  packets  entering  the  FORWARD,
       OUTPUT  and  POSTROUTING  chains).   When  the "!" argument is used before the interface name, the
       sense is inverted.  If the interface name ends in a "+", then any interface which begins with this
       name will match.  If this option is omitted, any interface name will match.
[!] -f, --fragment
       This means that the rule only refers to second and further fragments of fragmented packets.  Since
       there is no way to tell the source or destination ports of such a packet (or ICMP  type),  such  a
       packet will not match any rules which specify them.  When the "!" argument precedes the "-f" flag,
       the rule will only match head fragments, or unfragmented packets.
-c, --set-counters packets bytes
       This enables the administrator to initialize the packet  and  byte  counters  of  a  rule  (during
       INSERT, APPEND, REPLACE operations).
-v, --verbose
       Verbose  output.  This option makes the list command show the interface name, the rule options (if
       any), and the TOS masks.  The packet and byte counters are also listed, with the suffix  'K',  'M'
       or  'G'  for  1000,  1,000,000  and 1,000,000,000 multipliers respectively (but see the -x flag to
       change  this).   For  appending,  insertion,  deletion  and  replacement,  this  causes   detailed
       information  on  the  rule  or rules to be printed. -v may be specified multiple times to possibly
       emit more detailed debug statements.
-n, --numeric
       Numeric output.  IP addresses and port numbers will be printed in numeric format.  By default, the
       program will try to display them as host names, network names, or services (whenever applicable).
-x, --exact
       Expand  numbers.   Display  the  exact  value of the packet and byte counters, instead of only the
       rounded number in K's (multiples of 1000) M's (multiples of 1000K) or G's  (multiples  of  1000M).
       This option is only relevant for the -L command.
--line-numbers
       When  listing  rules, add line numbers to the beginning of each rule, corresponding to that rule's
       position in the chain.
--modprobe=command
       When adding or inserting rules into a chain, use command to load any necessary  modules  (targets,
       match extensions, etc).
[!] --src-type type
       Matches if the source address is of the given type
[!] --dst-type type
       Matches if the destination address is of the given type
--limit-iface-in
       The  address type checking can be limited to the interface the packet is coming in. This option is
       only valid in the  PREROUTING,  INPUT  and  FORWARD  chains.  It  cannot  be  specified  with  the
       --limit-iface-out option.
--limit-iface-out
       The  address type checking can be limited to the interface the packet is going out. This option is
       only valid in the POSTROUTING, OUTPUT  and  FORWARD  chains.  It  cannot  be  specified  with  the
       --limit-iface-in option.
ah
    This module matches the SPIs in Authentication header of IPsec packets.

    [!] --ahspi spi[:spi]
--cluster-total-nodes num
       Set number of total nodes in cluster.
[!] --cluster-local-node num
       Set the local node number ID.
[!] --cluster-local-nodemask mask
       Set the local node number ID mask. You can use this option instead of --cluster-local-node.
--cluster-hash-seed value
       Set seed value of the Jenkins hash.
comment
    Allows you to add comments (up to 256 characters) to any rule.

    --comment comment

    Example:
           iptables -A INPUT -i eth1 -m comment --comment "my local LAN"
[!] --connbytes from[:to]
       Match packets from a connection whose packets/bytes/average packet size is more than FROM and less
       than TO bytes/packets. If TO is omitted, only the FROM check is done. "!" is used to match packets
       not falling in the range.
--connbytes-dir {original|reply|both}
       which packets to consider
--connbytes-mode {packets|bytes|avgpkt}
       whether to check the amount of packets, number of bytes transferred or the average size (in bytes)
       of all packets received so far. Note that when "both" is used together with "avgpkt", and data  is
       going  (mainly)  only  in  one direction (for example HTTP), the average packet size will be about
       half of the actual data packets.

Example:
       iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
--connlimit-upto n
       Match if the number of existing connections is below or equal n.
--connlimit-above n
       Match if the number of existing connections is above n.
--connlimit-mask prefix_length
       Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.
       For IPv6, between 0 and 128. If not specified,  the  maximum  prefix  length  for  the  applicable
       protocol is used.
--connlimit-saddr
       Apply the limit onto the source group.
--connlimit-daddr
       Apply the limit onto the destination group.
connmark
    This  module  matches  the  netfilter mark field associated with a connection (which can be set using the
    CONNMARK target below).

    [!] --mark value[/mask]
           Matches packets in connections with the given  mark  value  (if  a  mask  is  specified,  this  is
           logically ANDed with the mark before the comparison).
[!] --ctstate statelist
       statelist is a comma separated list of the connection states to match.  Possible states are listed
       below.
[!] --ctproto l4proto
       Layer-4 protocol to match (by number or name)
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
       Match against original/reply source/destination address
[!] --ctorigsrcport port[:port]
[!] --ctorigdstport port[:port]
[!] --ctreplsrcport port[:port]
[!] --ctrepldstport port[:port]
       Match  against original/reply source/destination port (TCP/UDP/etc.) or GRE key.  Matching against
       port ranges is only supported in kernel versions above 2.6.38.
[!] --ctstatus statuslist
       statuslist is a comma separated list of the connection statuses to match.  Possible  statuses  are
       listed below.
[!] --ctexpire time[:time]
       Match remaining lifetime in seconds against given value or range of values (inclusive)
--ctdir {ORIGINAL|REPLY}
       Match  packets  that are flowing in the specified direction. If this flag is not specified at all,
       matches packets in both directions.
cpu
    [!] --cpu number
           Match  cpu  handling this packet. cpus are numbered from 0 to NR_CPUS-1. Can be used in combination
           with RPS (Remote Packet Steering) or multiqueue  NICs  to  spread  network  traffic  on  different
           queues.

    Example:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT --to-port 8080

    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT --to-port 8081

    Available since Linux 2.6.36.
--hashlimit-upto amount[/second|/minute|/hour|/day]
       Match if the rate is below or equal to amount/quantum. It  is  specified  as  a  number,  with  an
       optional time quantum suffix; the default is 3/hour.
--hashlimit-above amount[/second|/minute|/hour|/day]
       Match if the rate is above amount/quantum.
--hashlimit-burst amount
       Maximum initial number of packets to match: this number gets recharged by one every time the limit
       specified above is not reached, up to this number; the default is 5.
--hashlimit-mode {srcip|srcport|dstip|dstport},...
       A comma-separated list of objects to take into consideration. If  no  --hashlimit-mode  option  is
       given, hashlimit acts like limit, but at the expense of doing the hash housekeeping.
--hashlimit-srcmask prefix
       When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to
       the given prefix length and the so-created subnet will be subject to  hashlimit.  prefix  must  be
       between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as
       not specifying srcip for --hashlimit-mode, but is technically more expensive.
--hashlimit-dstmask prefix
       Like --hashlimit-srcmask, but for destination addresses.
--hashlimit-name foo
       The name for the /proc/net/ipt_hashlimit/foo entry.
--hashlimit-htable-size buckets
       The number of buckets of the hash table
--hashlimit-htable-max entries
       Maximum entries in the hash.
--hashlimit-htable-expire msec
       After how many milliseconds do hash entries expire.
--hashlimit-htable-gcinterval msec
       How many milliseconds between garbage collection intervals.
helper
    This module matches packets related to a specific conntrack-helper.

    [!] --helper string
           Matches packets related to the specified conntrack-helper.

           string  can be "ftp" for packets related to an ftp-session on the default port.  For other ports
           append -portnr to the value, i.e. "ftp-2121".

           Same rules apply for other conntrack-helpers.
icmp
    This extension can be used if `--protocol icmp' is specified. It provides the following option:

    [!] --icmp-type {type[/code]|typename}
           This allows specification of the ICMP type, which can be a numeric ICMP type, type/code  pair,  or
           one of the ICMP type names shown by the command
            iptables -p icmp -h
[!] --src-range from[-to]
       Match source IP in the specified range.
[!] --dst-range from[-to]
       Match destination IP in the specified range.
[!] --ipvs
       packet belongs to an IPVS connection
[!] --vproto protocol
       VIP protocol to match; by number or name, e.g. "tcp"
[!] --vaddr address[/mask]
       VIP address to match
[!] --vport port
       VIP port to match; by number or name, e.g. "http"
--vdir {ORIGINAL|REPLY}
       flow direction of packet
[!] --vmethod {GATE|IPIP|MASQ}
       IPVS forwarding method used
[!] --vportctl port
       VIP port of the controlling connection to match, e.g. 21 for FTP
length
    This  module  matches  the  length  of  the  layer-3  payload (e.g. layer-4 packet) of a packet against a
    specific value or range of values.

    [!] --length length[:length]
limit
    This module matches at a limited rate using a token bucket filter.  A  rule  using  this  extension  will
    match  until  this  limit  is reached.  It can be used in combination with the LOG target to give limited
    logging, for example.

    xt_limit has no negation support - you will have to use -m hashlimit !  --hashlimit  rate  in  this  case
    whilst omitting --hashlimit-mode.

    --limit rate[/second|/minute|/hour|/day]
           Maximum  average  matching  rate:  specified  as  a number, with an optional `/second', `/minute',
           `/hour', or `/day' suffix; the default is 3/hour.
--limit-burst number
       Maximum initial number of packets to match: this number gets recharged by one every time the limit
       specified above is not reached, up to this number; the default is 5.
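Both limit (above) and hashlimit (the --hashlimit-* options earlier) are token buckets: --limit-burst / --hashlimit-burst tokens are available at the start, one token is returned per refill interval derived from the rate, and a bucket never holds more than the burst. The Python model below is an added example, not code from the iptables project; it idealises the kernel's integer credit arithmetic as floating point and assumes hashlimit is used with --hashlimit-mode srcip, so the --hashlimit-srcmask grouping is shown by keying buckets on the masked source network.

```python
import ipaddress
from typing import Dict, Union

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> float:
    """Seconds between two refills for a rate such as '3/hour' or '10/second'.
    A bare number is taken as per hour, the option's default unit."""
    amount, _, unit = spec.partition("/")
    return UNIT_SECONDS[unit or "hour"] / float(amount)


class TokenBucket:
    """limit semantics: `burst` tokens to start, one token back per refill
    interval, never more than `burst` stored; each matching packet costs one."""

    def __init__(self, rate: str, burst: int = 5) -> None:
        self.interval = parse_rate(rate)
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def match(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed / self.interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class HashLimit:
    """hashlimit with --hashlimit-mode srcip: one bucket per source group,
    where the group is the source address truncated to --hashlimit-srcmask."""

    def __init__(self, rate: str, burst: int = 5, srcmask: int = 32) -> None:
        self.rate, self.burst, self.srcmask = rate, burst, srcmask
        self.buckets: Dict[Network, TokenBucket] = {}

    def group(self, src: str) -> Network:
        # srcmask 0 collapses every source into one group, which is why the
        # man page says it behaves like plain limit (at extra cost).
        return ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)

    def match(self, src: str, now: float) -> bool:
        key = self.group(src)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst)
        return bucket.match(now)


if __name__ == "__main__":
    # Constructed timeline (seconds): five packets match at once, then one per
    # 1200 s for --limit 3/hour --limit-burst 5.
    bucket = TokenBucket("3/hour", burst=5)
    print([bucket.match(t) for t in (0, 1, 2, 3, 4, 5, 1300, 1301)])
```

A rule such as `-m limit --limit 3/hour -j LOG` therefore logs the first five bursts immediately and then one line every twenty minutes, which is the behaviour wanted when pairing it with LOG; with hashlimit the same budget is granted per /24 (or whatever --hashlimit-srcmask selects) instead of globally.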
mac
    [!] --mac-source address
           Match  source  MAC  address.  It must be of the form XX:XX:XX:XX:XX:XX.  Note that this only makes
           sense for packets coming from an Ethernet device and entering the  PREROUTING,  FORWARD  or  INPUT
           chains.
mark
    This  module  matches  the netfilter mark field associated with a packet (which can be set using the MARK
    target below).

    [!] --mark value[/mask]
           Matches packets with the given unsigned mark value (if a mask  is  specified,  this  is  logically
           ANDed with the mask before the comparison).
[!] --source-ports,--sports port[,port|,port:port]...
       Match if the source port is one of the given ports.  The flag --sports is a convenient  alias  for
       this  option.  Multiple  ports  or  port  ranges  are separated using a comma, and a port range is
       specified using a colon.  53,1024:65535 would therefore match ports 53 and all from  1024  through
       65535.
[!] --destination-ports,--dports port[,port|,port:port]...
       Match  if the destination port is one of the given ports.  The flag --dports is a convenient alias
       for this option.
[!] --ports port[,port|,port:port]...
       Match if either the source or destination ports are equal to one of the given ports.
[!] --genre string
       Match an operating system genre using passive fingerprinting.
--ttl level
       Do additional TTL checks on the packet to determine the operating system.  level can be one of the
       following values:

           0 - True IP address and fingerprint TTL comparison. This generally works for LANs.

           1 - Check if the IP header's TTL is less than the fingerprint one. Works for globally-routable
               addresses.

           2 - Do not compare the TTL at all.
--log level
       Log  determined genres into dmesg even if they do not match the desired one.  level can be one of the
       following values:

          0 - Log all matched or unknown signatures

          1 - Log only the first one

          2 - Log all known matched signatures

       You may find something like this in syslog:

       Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 hops=3
       Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4

       OS fingerprints are loadable using the nfnl_osf program. To load fingerprints from a file, use:

       nfnl_osf -f /usr/share/xtables/pf.os

       To remove them again,

       nfnl_osf -f /usr/share/xtables/pf.os -d

       The fingerprint database can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
[!] --uid-owner username

[!] --uid-owner userid[-userid]
       Matches  if the packet socket's file structure (if it has one) is owned by the given user. You may
       also specify a numerical UID, or a UID range.
[!] --gid-owner groupname

[!] --gid-owner groupid[-groupid]
       Matches if the packet socket's file structure is owned by the given group.  You may also specify a
       numerical GID, or a GID range.
[!] --socket-exists
       Matches if the packet is associated with a socket.
--dir {in|out}
       Used to select whether to match the policy used for decapsulation or the policy that will be  used
       for  encapsulation.   in is valid in the PREROUTING, INPUT and FORWARD chains, out is valid in the
       POSTROUTING, OUTPUT and FORWARD chains.
--pol {none|ipsec}
       Matches if the packet is subject to IPsec processing. --pol none cannot be combined with --strict.
--strict
       Selects whether to match the exact policy or match if any rule of the  policy  matches  the  given
       policy.
--rateest-delta
    For  each  estimator  (either  absolute  or  relative  mode),  calculate  the  difference between the
    estimator-determined flow rate and the static value chosen with the BPS/PPS options. If the flow rate
    is  higher  than  the  specified BPS/PPS, 0 will be used instead of a negative value. In other words,
    "max(0, rateest#_rate - rateest#_bps)" is used.
[!] --rateest-lt
    Match if rate is less than given rate/estimator.
[!] --rateest-gt
    Match if rate is greater than given rate/estimator.
--rateest name
       Name of the one rate estimator for absolute mode.
--rateest1 name
--rateest2 name
       The names of the two rate estimators for relative mode.
--rateest-bps [value]
--rateest-pps [value]
--rateest-bps1 [value]
--rateest-bps2 [value]
--rateest-pps1 [value]
--rateest-pps2 [value]
       Compare the estimator(s) by bytes or packets per second, and compare against the chosen value. See
       the above bullet list for which option is to be used in which case. A unit suffix may  be  used  -
       available ones are: bit, [kmgt]bit, [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps.
realm
    This matches the routing realm.  Routing realms are used in  complex  routing  setups  involving  dynamic
    routing protocols like BGP.

    [!] --realm value[/mask]
           Matches  a  given  realm number (and optionally mask). If not a number, value can be a named realm
           from /etc/iproute2/rt_realms (mask can not be used in that case).
--name name
       Specify the list to use for the commands. If no name is given then DEFAULT will be used.
[!] --set
       This will add the source address of the packet to the list. If the source address  is  already  in
       the list, this will update the existing entry. This will always return success (or failure if ! is
       passed in).
--rsource
       Match/save the source address of each packet in the recent list table. This is the default.
--rdest
       Match/save the destination address of each packet in the recent list table.
[!] --rcheck
       Check if the source address of the packet is currently in the list.
[!] --update
       Like --rcheck, except it will update the "last seen" timestamp if it matches.
[!] --remove
       Check if the source address of the packet is currently in the list and if so that address will  be
       removed  from  the  list  and  the  rule  will  return true. If the address is not found, false is
       returned.
--seconds seconds
       This option must be used in conjunction with one of --rcheck or --update.  When  used,  this  will
       narrow the match to only happen when the address is in the list and was seen within the last given
       number of seconds.
--reap reap
       This option can only be used in conjunction with --seconds.  When used, this  will  cause  entries
       older than 'seconds' to be purged.
--hitcount hits
       This  option  must  be  used in conjunction with one of --rcheck or --update. When used, this will
       narrow the match to only happen when the address is in the list and the number of packets received
       from it is greater than or equal to the given value. This option may be used along with --seconds
       to create an even narrower match requiring a certain number of hits within a specific time frame.
       The maximum  value  for  the  hitcount  parameter  is  given by the "ip_pkt_list_tot" parameter of
       the xt_recent kernel module. Exceeding this value on the command line will cause the rule  to  be
       rejected.
--rttl This option may only be used in conjunction with one of --rcheck or --update. When used, this will
       narrow the match to only happen when the address is in the list and the TTL of the current  packet
       matches  that of the packet which hit the --set rule. This may be useful if you have problems with
       people faking their source address in order to DoS you  via  this  module  by  disallowing  others
       access to your site by sending bogus packets to you.
socket
    This matches if an open socket can be found by doing a socket lookup on the packet.

    --transparent
           Ignore non-transparent sockets.
state
    This module, when combined with connection tracking, allows access to the connection tracking  state  for
    this packet.

    [!] --state state
           Where  state  is  a  comma  separated list of the connection states to match.  Possible states are
           INVALID meaning that the packet could not be identified for some reason which includes running out
           of memory and ICMP errors which don't correspond to any known connection, ESTABLISHED meaning that
           the packet is associated with a connection which has seen packets in both directions, NEW  meaning
           that  the packet has started a new connection, or otherwise associated with a connection which has
           not seen packets in both directions, RELATED  meaning  that  the  packet  is  starting  a  new
           connection,  but  is  associated  with an existing connection, such as an FTP data transfer, or an
           ICMP error, and UNTRACKED meaning that the packet is not tracked at all, which happens if you use
           the NOTRACK target in the raw table.
--mode mode
       Set the matching mode of the matching rule, supported modes are random and nth.
[!] --probability p
       Set the probability for a packet to be randomly matched. It only works with  the  random  mode.  p
       must be between 0.0 and 1.0. The supported granularity is in 1/2147483648th increments.
[!] --every n
       Match one packet every nth packet. It works only with the nth mode (see also the --packet option).
--packet p
       Set the initial counter value (0 <= p <= n-1, default 0) for the nth mode.
--algo {bm|kmp}
       Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt)
--from offset
       Set the offset from which it starts looking for any matching. If not passed, default is 0.
--to offset
       Set the offset up to which should be scanned. That is, byte offset-1 (counting from 0) is the last
       one that is scanned.  If not passed, default is the packet size.
[!] --string pattern
       Matches the given pattern.
[!] --hex-string pattern
       Matches the given pattern in hex notation.
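The --from/--to window and the --hex-string notation are the two parts of this match people most often get wrong, so here is an added Python model of them; it is not code from the iptables project. It assumes the hex notation is the one the string match accepts on the command line, literal text with hex bytes between "|" delimiters, and models the window exactly as the text above describes it: bytes from .. to-1 are scanned, so a pattern that runs past to-1 does not match.

```python
from typing import Optional


def parse_hex_string(pattern: str) -> bytes:
    """Decode the --hex-string notation: literal text, with hex bytes between
    '|' delimiters, e.g. 'GET |2f 61 64 6d 69 6e|' -> b'GET /admin'."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in hex-string pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)       # hex segment; spaces between bytes allowed
    return bytes(out)


def string_match(packet: bytes, pattern: bytes, frm: int = 0,
                 to: Optional[int] = None, invert: bool = False) -> bool:
    """--string/--hex-string with --from/--to: only bytes frm..to-1 are scanned,
    and the pattern must fit entirely inside that window."""
    if to is None:
        to = len(packet)          # default: scan to the end of the packet
    if frm < 0 or to < frm:
        raise ValueError("--from must be non-negative and not greater than --to")
    found = pattern in packet[frm:to]
    return found != invert


if __name__ == "__main__":
    # Constructed sample payload; offsets are what matter here.
    pkt = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
    print(string_match(pkt, b"/admin", 0, 10))   # True: window is "GET /admin"
    print(string_match(pkt, b"/admin", 0, 9))    # False: last scanned byte is 8
    print(string_match(pkt, parse_hex_string("|0d 0a 0d 0a|")))  # True
```

Because --to bounds the scan, a rule meant to inspect request lines near the start of a segment should set --to generously; an off-by-one on that boundary silently turns the rule into a no-op rather than an error.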
[!] --source-port,--sport port[:port]
       Source  port  or  port range specification. This can either be a service name or a port number. An
       inclusive range can also be specified, using the format first:last.  If the first port is omitted,
       "0" is assumed; if the last is omitted, "65535" is assumed.  If the first port is greater than the
       second one they will be swapped.  The flag --sport is a convenient alias for this option.
[!] --destination-port,--dport port[:port]
       Destination port or port range specification.  The flag --dport is a  convenient  alias  for  this
       option.
[!] --tcp-flags mask comp
       Match  when  the TCP flags are as specified.  The first argument mask is the flags which we should
       examine, written as a comma-separated list, and the second argument comp is a comma-separated list
       of flags which must be set.  Flags are: SYN ACK FIN RST URG PSH ALL NONE.  Hence the command
        iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
       will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
[!] --syn
       Only  match  TCP  packets with the SYN bit set and the ACK,RST and FIN bits cleared.  Such packets
       are used to request TCP connection initiation; for example, blocking such  packets  coming  in  an
       interface  will prevent incoming TCP connections, but outgoing TCP connections will be unaffected.
       It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN.  If the "!" flag precedes  the  "--syn",  the
       sense of the option is inverted.
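The mask/comp test behind --tcp-flags and --syn, as an added example that is not part of iptables or its man page: it models the match so a rule's flag semantics can be checked offline against constructed flag bytes, including the equivalence of --syn with the FORWARD rule shown above.

```python
# Added example, not from iptables or its man page: a model of the --tcp-flags
# mask/comp test, used here to check rules offline against constructed flag sets.

# Bit values of the flags in the TCP header (same names iptables uses).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
FLAG_ALL = 0x3F   # keyword ALL: every flag above
FLAG_NONE = 0x00  # keyword NONE: no flag


def parse_flags(spec: str) -> int:
    """Convert a comma-separated flag list, as typed on the command line, to a bitmask."""
    bits = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name == "ALL":
            bits |= FLAG_ALL
        elif name == "NONE":
            bits |= FLAG_NONE
        else:
            bits |= TCP_FLAGS[name]  # unknown names raise, as iptables rejects them too
    return bits


def tcp_flags_match(packet_flags: int, mask: str, comp: str, invert: bool = False) -> bool:
    """--tcp-flags mask comp: of the flags named in mask, exactly those in comp must be set."""
    matched = (packet_flags & parse_flags(mask)) == parse_flags(comp)
    return not matched if invert else matched


def syn_match(packet_flags: int, invert: bool = False) -> bool:
    """--syn, which the man page defines as --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN", invert)


def syn_equals_documented_rule() -> bool:
    """Check, for every possible flags byte, that --syn and the man page's
    'iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN' agree."""
    return all(syn_match(f) == tcp_flags_match(f, "SYN,ACK,FIN,RST", "SYN")
               for f in range(0x40))


def describe(packet_flags: int) -> str:
    """Human-readable flag list for a flags byte."""
    return ",".join(n for n, b in TCP_FLAGS.items() if packet_flags & b) or "NONE"


if __name__ == "__main__":
    # Constructed sample flag bytes: connection request, its reply, a data
    # segment, a reset, a packet with no flags and one with every flag set.
    for f in (0x02, 0x12, 0x18, 0x04, 0x00, 0x3F):
        print(f"{describe(f):>23}: --syn={syn_match(f)!s:5} "
              f"--tcp-flags ALL NONE={tcp_flags_match(f, 'ALL', 'NONE')}")
    print("--syn equivalent to documented rule:", syn_equals_documented_rule())
```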
[!] --tcp-option number
       Match if the given TCP option is set.
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
       Only match during the given time, which must be in ISO 8601 "T" notation.  The possible time range
       is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.

       If  --datestart  or  --datestop  are  not specified, it will default to 1970-01-01 and 2038-01-19,
       respectively.
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
       Only match during the given daytime. The possible time range  is  00:00:00  to  23:59:59.  Leading
       zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
[!] --monthdays day[,day...]
       Only  match  on  the given days of the month. Possible values are 1 to 31. Note that specifying 31
       will of course not match on months which do not have a 31st day; the same goes for 28-  or  29-day
       February.
[!] --weekdays day[,day...]
       Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun, or values
       from 1 to 7, respectively. You may also use two-character variants (Mo, Tu, etc.).
--kerneltz
       Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.

About kernel timezones: Linux keeps the system time in UTC, and always does so.  On boot, system time  is
initialized  from  a referential time source. Where this time source has no timezone information, such as
the x86 CMOS RTC, UTC will be assumed. If the time source is however not in UTC, userspace should provide
the correct system time and timezone to the kernel once it has the information.

Local  time  is a feature on top of the (timezone independent) system time. Each process has its own idea
of local time, specified via the TZ environment variable. The kernel also has  its  own  timezone  offset
variable.  The  TZ  userspace  environment variable specifies how the UTC-based system time is displayed,
e.g. when you run date(1), or what you see on your desktop clock.  The TZ string may resolve to different
offsets at different dates, which is what enables the automatic time-jumping in userspace when DST
changes. The kernel's timezone offset variable is used when it has to convert from non-UTC sources,
such as FAT filesystems, to UTC (since the latter is what the rest of the system uses).

The caveat with the kernel timezone is that Linux distributions may neglect to set the kernel timezone,
and instead only set the system time. Even if a particular distribution does set the timezone at boot, it
usually does not keep the kernel timezone offset - which is what changes on DST - up to date.  ntpd
will not touch the kernel timezone, so running it will not resolve the issue. As such, one may encounter
a timezone that is always +0000, or one that is wrong for half of the year. For this reason, using
--kerneltz is highly discouraged.
--ttl-eq ttl
       Matches the given TTL value.
--ttl-gt ttl
       Matches if TTL is greater than the given TTL value.
--ttl-lt ttl
       Matches if TTL is less than the given TTL value.
--u32 "0 & 0xFFFF = 0x100:0xFFFF"
--u32 "6 & 0xFF = 1 && ...
--u32 "6 & 0xFF = 6 && ...
--type {accept|drop|reject}
       Set type of audit record.

       Example:

              iptables -N AUDIT_DROP

              iptables -A AUDIT_DROP -j AUDIT --type drop

              iptables -A AUDIT_DROP -j DROP
--checksum-fill
       Compute and fill in the checksum in a packet that lacks a checksum.  This is particularly useful
       if you need to work around old applications such as dhcp clients that do not work well with
       checksum offloads, but don't want to disable checksum offload in your device.
--set-class major:minor
       Set the major and minor class value. The values are always interpreted as hexadecimal even  if  no
       0x prefix is given.
--new  Create a new ClusterIP.  You always have to set this on the first rule for a given ClusterIP.
--hashmode mode
       Specify    the    hashing    mode.     Has   to   be   one   of   sourceip,   sourceip-sourceport,
       sourceip-sourceport-destport.
--clustermac mac
       Specify the ClusterIP MAC address. Has to be a link-layer multicast address.
--total-nodes num
       Number of total nodes within this cluster.
--local-node num
       Local node number within this cluster.
--hash-init rnd
       Specify the random seed used for hash initialization.
--set-xmark value[/mask]
       Zero out the bits given by mask and XOR value into the ctmark.
--and-mark bits
       Binary AND the ctmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the  binary
       negation of bits.)
--or-mark bits
       Binary OR the ctmark with bits. (Mnemonic for --set-xmark bits/bits.)
--xor-mark bits
       Binary XOR the ctmark with bits. (Mnemonic for --set-xmark bits/0.)
--set-mark value[/mask]
       Set the connection mark. If a mask is specified then only those bits set in the mask are modified.
--save-mark [--mask mask]
       Copy the nfmark to the ctmark. If a mask is specified, only those bits are copied.
--restore-mark [--mask mask]
       Copy  the  ctmark  to the nfmark. If a mask is specified, only those bits are copied. This is only
       valid in the mangle table.
--restore
       If the packet does not have a security marking, and the connection does, copy the security marking
       from the connection to the packet.
--notrack
       Disables connection tracking for this packet.
--helper name
       Use  the  helper  identified  by  name  for the connection. This is more flexible than loading the
       conntrack helper modules with preset ports.
--ctevents event[,...]
       Only generate the specified conntrack events for this connection. Possible event types  are:  new,
       related, destroy, reply, assured, protoinfo, helper, mark (this refers to the ctmark, not nfmark),
       natseqinfo, secmark (ctsecmark).
--expevents event[,...]
       Only generate the specified expectation events for this connection.   Possible  event  types  are:
       new.
--zone id
       Assign  this  packet to zone id and only have lookups done in that zone.  By default, packets have
       zone 0.
--random
       If option --random is used then port mapping will be randomized (kernel >= 2.6.22).
--persistent
       Gives a client the same source-/destination-address for each connection.  This supersedes the SAME
       target. Support for persistent mappings is available from 2.6.29-rc2.
--set-dscp value
       Set the DSCP field to a numerical value (can be decimal or hex)
--set-dscp-class class
       Set the DSCP field to a DiffServ class.
--ecn-tcp-remove
       Remove  all  ECN  bits from the TCP header.  Of course, it can only be used in conjunction with -p
       tcp.
--timeout amount
       This is the time in seconds that will trigger the notification.
--label string
       This is a unique identifier for the timer.   The  maximum  length  for  the  label  string  is  27
       characters.
--log-level level
       Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
       Prefix  log  messages  with  the  specified  prefix;  up  to  29  letters  long,  and  useful  for
       distinguishing messages in the logs.
--log-tcp-sequence
       Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
       Log options from the TCP packet header.
--log-ip-options
       Log options from the IP packet header.
--log-uid
       Log the userid of the process which generated the packet.
--set-xmark value[/mask]
       Zeroes  out  the  bits  given  by  mask and XORs value into the packet mark ("nfmark"). If mask is
       omitted, 0xFFFFFFFF is assumed.
--set-mark value[/mask]
       Zeroes out the bits given by mask and ORs  value  into  the  packet  mark.  If  mask  is  omitted,
       0xFFFFFFFF is assumed.
--and-mark bits
       Binary  AND the nfmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the binary
       negation of bits.)
--or-mark bits
       Binary OR the nfmark with bits. (Mnemonic for --set-xmark bits/bits.)
--xor-mark bits
       Binary XOR the nfmark with bits. (Mnemonic for --set-xmark bits/0.)
--random
       Randomize source port mapping.  If option --random is used then port mapping will be randomized
       (kernel >= 2.6.21).
--to address[/mask]
       Network  address  to  map to.  The resulting address will be constructed in the following way: All
       'one' bits in the mask are filled in from the new `address'.  All bits that are zero in  the  mask
       are filled in from the original address.
--nflog-group nlgroup
       The netlink group (0 - 2^16-1) to which packets are sent (only applicable for nfnetlink_log). The
       default value is 0.
--nflog-prefix prefix
       A prefix string to include in the log message, up to 64 characters long, useful for distinguishing
       messages in the logs.
--nflog-range size
       The  number  of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log
       instances may specify their own range, this option overrides it.
--nflog-threshold size
       Number of packets to queue inside the kernel before sending them to userspace (only applicable for
       nfnetlink_log).  Higher  values  result  in less overhead per packet, but increase delay until the
       packets reach userspace. The default value is 1.
--queue-num value
       This  specifies  the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is
       0.
--queue-balance value:value
       This specifies a range of queues to use. Packets are then balanced across the given queues.   This
       is  useful  for  multicore systems: start multiple instances of the userspace program on queues x,
       x+1, .. x+n and use "--queue-balance x:x+n".  Packets belonging to the  same  connection  are  put
       into the same nfqueue.
--queue-bypass
       By  default,  if  no userspace program is listening on an NFQUEUE, then all packets that are to be
       queued are dropped.  When this option is used, the NFQUEUE rule is silently bypassed instead.  The
       packet will move on to the next rule.
--rateest-name name
       Count matched packets into the pool referred to by name, which is freely choosable.
--rateest-interval amount{s|ms|us}
       Rate measurement interval, in seconds, milliseconds or microseconds.
--rateest-ewmalog value
       Rate measurement averaging time constant.
--to-ports port[-port]
       This  specifies a destination port or range of ports to use: without this, the destination port is
       never altered.  This is only valid if the rule also specifies -p tcp or -p udp.
--random
       If option --random is used then port mapping will be randomized (kernel >= 2.6.22).
--to ipaddr[-ipaddr]
       Addresses to map source to. May be specified more than once for multiple ranges.
--nodst
       Don't use the destination-ip in the calculations when selecting the new source-ip.
--random
       Port mapping will be forcibly randomized to avoid attacks based  on  port  prediction  (kernel  >=
       2.6.21).
--selctx security_context
--add-set setname flag[,flag...]
       add the address(es)/port(s) of the packet to the sets
--del-set setname flag[,flag...]
       delete the address(es)/port(s) of the packet from the sets

       where flags are src and/or dst specifications and there can be no more than six of them.
--timeout value
       when adding entry, the timeout value to use instead of the default one from the set definition
--exist
       when  adding  entry  if  it already exists, reset the timeout value to the specified one or to the
       default from the set definition

Use of -j SET requires that ipset kernel support is provided.  As  standard  kernels  do  not  ship  this
currently, the ipset or Xtables-addons package needs to be installed.
--to-source [ipaddr[-ipaddr]][:port[-port]]
       which  can  specify  a  single  new  source  IP  address,  an inclusive range of IP addresses, and
       optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp).  If no
       port  range  is  specified,  then  source ports below 512 will be mapped to other ports below 512:
       those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports  will  be
       mapped to 1024 or above. Where possible, no port alteration will occur.

       In  Kernels  up  to  2.6.10,  you  can  add several --to-source options. For those kernels, if you
       specify more than one source address, either via an address range or multiple --to-source options,
       a  simple  round-robin  (one  after  another in cycle) takes place between these addresses.  Later
       Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
--random
       If option --random is used then port mapping will be randomized (kernel >= 2.6.21).
--persistent
       Gives a client the same source-/destination-address for each connection.  This supersedes the SAME
       target. Support for persistent mappings is available from 2.6.29-rc2.
--set-mss value
       Explicitly  sets  MSS  option  to  specified value. If the MSS of the packet is already lower than
       value, it will not be increased (from Linux 2.6.25 onwards) to  avoid  more  problems  with  hosts
       relying on a proper MSS.
--clamp-mss-to-pmtu
       Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6).  This may not function as
       desired where asymmetric routes with differing path MTU exist — the kernel uses the path MTU which
       it  would  use  to  send  packets from itself to the source and destination IP addresses. Prior to
       Linux 2.6.25, only the path MTU to the destination IP  address  was  considered  by  this  option;
       subsequent kernels also consider the path MTU to the source IP address.
--strip-options option[,option...]
       Strip the given option(s). The options may be specified by TCP option number or by symbolic  name.
       The list of recognized options can be obtained by calling iptables with -j TCPOPTSTRIP -h.
--gateway ipaddr
       Send  the  cloned  packet to the host reachable at the given IP address.  Use of 0.0.0.0 (for IPv4
       packets) or :: (IPv6) is invalid.

To forward all incoming traffic on eth0 to a Network Layer logging box:

-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1
--set-tos value[/mask]
       Zeroes out the bits given by mask (see NOTE below) and XORs value into the TOS/Priority field.  If
       mask is omitted, 0xFF is assumed.
--set-tos symbol
       You can specify a symbolic name when using the TOS target for IPv4. It implies a mask of 0xFF (see
       NOTE below). The list of recognized TOS names can be obtained by calling iptables with -j TOS -h.
--and-tos bits
       Binary AND the TOS value with bits. (Mnemonic for --set-tos 0/invbits, where invbits is the binary
       negation of bits.  See NOTE below.)
--or-tos bits
       Binary OR the TOS value with bits. (Mnemonic for --set-tos bits/bits. See NOTE below.)
--xor-tos bits
       Binary XOR the TOS value with bits. (Mnemonic for --set-tos bits/0. See NOTE below.)

NOTE:  In Linux kernels up to and including 2.6.38, with the exception of longterm releases 2.6.32.42 (or
later) and 2.6.33.15 (or later), there is a bug whereby IPv6 TOS mangling does not behave  as  documented
and  differs from the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it needs to
be inverted before applying it to the original TOS field. However, the aforementioned kernels forgo the
inversion, which breaks --set-tos and its mnemonics.
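The mask-then-XOR operation shared by CONNMARK --set-xmark, MARK --set-xmark/--set-mark and TOS --set-tos, with the --and/--or/--xor mnemonics derived from it and the IPv6 TOS bug from the NOTE reproduced, as an added example that is not code from iptables or the kernel (the sample mark and TOS values are constructed):

```python
# Added example, not from iptables or the kernel: models the operation the man
# page documents for CONNMARK --set-xmark, MARK --set-xmark/--set-mark and
# TOS --set-tos ("zero out the bits given by mask, then XOR/OR value"), derives
# the --and/--or/--xor mnemonics from it, and reproduces the IPv6 TOS bug from
# the NOTE, where the mask was applied without being inverted.

MARK_WIDTH = 32  # nfmark/ctmark are 32-bit; the TOS field is 8-bit
TOS_WIDTH = 8


def set_xmark(current: int, value: int, mask: int, width: int = MARK_WIDTH) -> int:
    """Documented --set-xmark: clear the bits in mask, then XOR value in."""
    full = (1 << width) - 1
    return ((current & ~mask) ^ value) & full


def set_mark(current: int, value: int, mask: int, width: int = MARK_WIDTH) -> int:
    """Documented MARK --set-mark: clear the bits in mask, then OR value in."""
    full = (1 << width) - 1
    return ((current & ~mask) | value) & full


def and_mark(current: int, bits: int, width: int = MARK_WIDTH) -> int:
    """--and-mark / --and-tos: --set-xmark 0/invbits, invbits = NOT bits."""
    invbits = ((1 << width) - 1) & ~bits
    return set_xmark(current, 0, invbits, width)


def or_mark(current: int, bits: int, width: int = MARK_WIDTH) -> int:
    """--or-mark / --or-tos: --set-xmark bits/bits."""
    return set_xmark(current, bits, bits, width)


def xor_mark(current: int, bits: int, width: int = MARK_WIDTH) -> int:
    """--xor-mark / --xor-tos: --set-xmark bits/0."""
    return set_xmark(current, bits, 0, width)


def set_tos_buggy_ipv6(current: int, value: int, mask: int) -> int:
    """The NOTE's buggy kernels: mask used as-is instead of inverted before masking."""
    return ((current & mask) ^ value) & ((1 << TOS_WIDTH) - 1)


def mnemonics_hold(samples, width: int = MARK_WIDTH) -> bool:
    """True if each mnemonic equals the plain AND/OR/XOR for every (current, bits) pair."""
    full = (1 << width) - 1
    return all(and_mark(c, b, width) == (c & b) & full
               and or_mark(c, b, width) == (c | b) & full
               and xor_mark(c, b, width) == (c ^ b) & full
               for c, b in samples)


if __name__ == "__main__":
    # Constructed sample marks and TOS bytes.
    print(hex(set_xmark(0xDEADBEEF, 0x1, 0xF)))        # replaces the low nibble
    print(mnemonics_hold([(0xDEADBEEF, 0xFF00), (0x12345678, 0x0F0F0F0F)]))
    # --set-tos 0x10 (mask 0xFF) on a packet whose TOS is already 0x10:
    print(hex(set_xmark(0x10, 0x10, 0xFF, TOS_WIDTH)), hex(set_tos_buggy_ipv6(0x10, 0x10, 0xFF)))
```

On the buggy kernels, setting a TOS value on a packet that already carries it clears the field instead of leaving it alone, which is why the mnemonics fail there.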
--on-ip address
       This  specifies  a  destination  address  to  use. By default the address is the IP address of the
       incoming interface. This is only valid if the rule also specifies -p tcp or -p udp.
--tproxy-mark value[/mask]
       Marks packets with the given value/mask. The fwmark  value  set  here  can  be  used  by  advanced
       routing.  (Required  for transparent proxying to work: otherwise these packets will get forwarded,
       which is probably not what you want.)
--ttl-set value
       Set the TTL value to `value'.
--ttl-dec value
       Decrement the TTL value `value' times.
--ttl-inc value
       Increment the TTL value `value' times.
--ulog-nlgroup nlgroup
       This specifies the netlink group (1-32) to which the packet is sent.  Default value is 1.
--ulog-prefix prefix
       Prefix  log  messages  with  the  specified  prefix;  up  to  32  characters  long, and useful for
       distinguishing messages in the logs.
--ulog-cprange size
       Number of bytes to be copied to userspace.   A  value  of  0  always  copies  the  entire  packet,
       regardless of its size.  Default is 0.
--ulog-qthreshold size
       Number of packets to queue inside the kernel.  Setting this value to, e.g., 10 accumulates ten packets
       inside the kernel and transmits them as one netlink multipart message to userspace.  Default is 1
       (for backwards compatibility).