-t, --table table
This option specifies the packet matching table which the command should operate on. If the
kernel is configured with automatic module loading, an attempt will be made to load the
appropriate module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT
(for packets destined to local sockets), FORWARD (for packets being routed through the box),
and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It
consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT
(for altering locally-generated packets before routing), and POSTROUTING (for altering packets
as they are about to go out).
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in
chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering
locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains
are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering
packets being routed through the box), and POSTROUTING (for altering packets as they are about
to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination
with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus
called before ip_conntrack, or any other IP tables. It provides the following built-in
chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets
generated by local processes)
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled
by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux
Security Modules such as SELinux. The security table is called after the filter table,
allowing any Discretionary Access Control (DAC) rules in the filter table to take effect
before MAC rules. This table provides the following built-in chains: INPUT (for packets
coming into the box itself), OUTPUT (for altering locally-generated packets before routing),
and FORWARD (for altering packets being routed through the box).
|
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination
names resolve to more than one address, a rule will be added for each possible address
combination.
|
-C, --check chain rule-specification
Check whether a rule matching the specification does exist in the selected chain. This command
uses the same logic as -D to find a matching entry, but does not alter the existing iptables
configuration and uses its exit code to indicate success or failure.
|
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the
rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to
match.
|
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number
is 1, the rule or rules are inserted at the head of the chain. This is also the default if no
rule number is specified.
|
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple
addresses, the command will fail. Rules are numbered starting at 1.
|
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. Like every
other iptables command, it applies to the specified table (filter is the default), so NAT rules
get listed by
iptables -t nat -n -L
Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups.
It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other arguments given. The exact rules are
suppressed until you use
iptables -L -v
|
-S, --list-rules [chain]
Print all rules in the selected chain. If no chain is selected, all chains are printed like
iptables-save. Like every other iptables command, it applies to the specified table (filter is the
default).
|
-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to
deleting all the rules one by one.
|
-Z, --zero [chain [rulenum]]
Zero the packet and byte counters in all chains, or only the given chain, or only the given rule
in a chain. It is legal to specify the -L, --list (list) option as well, to see the counters
immediately before they are cleared. (See above.)
|
-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.
|
-X, --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no references to the chain. If
there are, you must delete or replace the referring rules before the chain can be deleted. The
chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to
delete every non-builtin chain in the table.
|
-P, --policy chain target
Set the policy for the chain to the given target. See the section TARGETS for the legal targets.
Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined
chains can be policy targets.
|
-E, --rename-chain old-chain new-chain
Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on
the structure of the table.
|
-h Help. Give a (currently very brief) description of the command syntax.
|
[!] -p, --protocol protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp,
udp, udplite, icmp, esp, ah, sctp or the special keyword "all", or it can be a numeric value,
representing one of these protocols or a different one. A protocol name from /etc/protocols is
also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent
to all. "all" will match with all protocols and is taken as default when this option is omitted.
|
[!] -s, --source address[/mask][,...]
Source specification. Address can be either a network name, a hostname, a network IP address (with
/mask), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted
to the kernel. Please note that specifying any name to be resolved with a remote query such as
DNS is a really bad idea. The mask can be either a network mask or a plain number, specifying the
number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to
255.255.255.0. A "!" argument before the address specification inverts the sense of the address.
The flag --src is an alias for this option. Multiple addresses can be specified, but this will
expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with
-D).
|
[!] -d, --destination address[/mask][,...]
Destination specification. See the description of the -s (source) flag for a detailed description
of the syntax. The flag --dst is an alias for this option.
|
-j, --jump target
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can
be a user-defined chain (other than the one this rule is in), one of the special builtin targets
which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this
option is omitted in a rule (and -g is not used), then matching the rule will have no effect on
the packet's fate, but the counters on the rule will be incremented.
|
-g, --goto chain
This specifies that the processing should continue in a user specified chain. Unlike the --jump
option return will not continue processing in this chain but instead in the chain that called us
via --jump.
|
[!] -i, --in-interface name
Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD
and PREROUTING chains). When the "!" argument is used before the interface name, the sense is
inverted. If the interface name ends in a "+", then any interface which begins with this name
will match. If this option is omitted, any interface name will match.
|
[!] -o, --out-interface name
Name of an interface via which a packet is going to be sent (for packets entering the FORWARD,
OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then any interface which begins with this
name will match. If this option is omitted, any interface name will match.
|
[!] -f, --fragment
This means that the rule only refers to second and further fragments of fragmented packets. Since
there is no way to tell the source or destination ports of such a packet (or ICMP type), such a
packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag,
the rule will only match head fragments, or unfragmented packets.
|
-c, --set-counters packets bytes
This enables the administrator to initialize the packet and byte counters of a rule (during
INSERT, APPEND, REPLACE operations).
|
-v, --verbose
Verbose output. This option makes the list command show the interface name, the rule options (if
any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M'
or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to
change this). For appending, insertion, deletion and replacement, this causes detailed
information on the rule or rules to be printed. -v may be specified multiple times to possibly
emit more detailed debug statements.
|
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the
program will try to display them as host names, network names, or services (whenever applicable).
|
-x, --exact
Expand numbers. Display the exact value of the packet and byte counters, instead of only the
rounded number in K's (multiples of 1000) M's (multiples of 1000K) or G's (multiples of 1000M).
This option is only relevant for the -L command.
|
--line-numbers
When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's
position in the chain.
|
--modprobe=command
When adding or inserting rules into a chain, use command to load any necessary modules (targets,
match extensions, etc).
|
[!] --src-type type
Matches if the source address is of given type
|
[!] --dst-type type
Matches if the destination address is of given type
|
--limit-iface-in
The address type checking can be limited to the interface the packet is coming in. This option is
only valid in the PREROUTING, INPUT and FORWARD chains. It cannot be specified with the
--limit-iface-out option.
|
--limit-iface-out
The address type checking can be limited to the interface the packet is going out. This option is
only valid in the POSTROUTING, OUTPUT and FORWARD chains. It cannot be specified with the
--limit-iface-in option.
|
ah
This module matches the SPIs in Authentication header of IPsec packets.
[!] --ahspi spi[:spi]
|
--cluster-total-nodes num
Set number of total nodes in cluster.
|
[!] --cluster-local-node num
Set the local node number ID.
|
[!] --cluster-local-nodemask mask
Set the local node number ID mask. You can use this option instead of --cluster-local-node.
|
--cluster-hash-seed value
Set seed value of the Jenkins hash.
|
comment
Allows you to add comments (up to 256 characters) to any rule.
--comment comment
Example:
iptables -A INPUT -i eth1 -m comment --comment "my local LAN"
|
[!] --connbytes from[:to]
match packets from a connection whose packets/bytes/average packet size is more than FROM and less
than TO bytes/packets. if TO is omitted only FROM check is done. "!" is used to match packets not
falling in the range.
|
--connbytes-dir {original|reply|both}
which packets to consider
|
--connbytes-mode {packets|bytes|avgpkt}
whether to check the amount of packets, number of bytes transferred or the average size (in bytes)
of all packets received so far. Note that when "both" is used together with "avgpkt", and data is
going (mainly) only in one direction (for example HTTP), the average packet size will be about
half of the actual data packets.
Example:
iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
|
--connlimit-upto n
Match if the number of existing connections is below or equal n.
|
--connlimit-above n
Match if the number of existing connections is above n.
|
--connlimit-mask prefix_length
Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.
For IPv6, between 0 and 128. If not specified, the maximum prefix length for the applicable
protocol is used.
|
--connlimit-saddr
Apply the limit onto the source group.
|
--connlimit-daddr
Apply the limit onto the destination group.
|
connmark
This module matches the netfilter mark field associated with a connection (which can be set using the
CONNMARK target below).
[!] --mark value[/mask]
Matches packets in connections with the given mark value (if a mask is specified, this is
logically ANDed with the mark before the comparison).
|
[!] --ctstate statelist
statelist is a comma separated list of the connection states to match. Possible states are listed
below.
|
[!] --ctproto l4proto
Layer-4 protocol to match (by number or name)
|
[!] --ctorigsrc address[/mask]
|
[!] --ctorigdst address[/mask]
|
[!] --ctreplsrc address[/mask]
|
[!] --ctrepldst address[/mask]
Match against original/reply source/destination address
|
[!] --ctorigsrcport port[:port]
|
[!] --ctorigdstport port[:port]
|
[!] --ctreplsrcport port[:port]
|
[!] --ctrepldstport port[:port]
Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key. Matching against
port ranges is only supported in kernel versions above 2.6.38.
|
[!] --ctstatus statelist
statuslist is a comma separated list of the connection statuses to match. Possible statuses are
listed below.
|
[!] --ctexpire time[:time]
Match remaining lifetime in seconds against given value or range of values (inclusive)
|
--ctdir {ORIGINAL|REPLY}
Match packets that are flowing in the specified direction. If this flag is not specified at all,
matches packets in both directions.
|
cpu
[!] --cpu number
Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 Can be used in combination
with RPS (Remote Packet Steering) or multiqueue NICs to spread network traffic on different
queues.
Example:
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT --to-port 8081
Available since Linux 2.6.36.
|
--hashlimit-upto amount[/second|/minute|/hour|/day]
Match if the rate is below or equal to amount/quantum. It is specified as a number, with an
optional time quantum suffix; the default is 3/hour.
|
--hashlimit-above amount[/second|/minute|/hour|/day]
Match if the rate is above amount/quantum.
|
--hashlimit-burst amount
Maximum initial number of packets to match: this number gets recharged by one every time the limit
specified above is not reached, up to this number; the default is 5.
|
--hashlimit-mode {srcip|srcport|dstip|dstport},...
A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is
given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping.
|
--hashlimit-srcmask prefix
When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to
the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be
between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as
not specifying srcip for --hashlimit-mode, but is technically more expensive.
|
--hashlimit-dstmask prefix
Like --hashlimit-srcmask, but for destination addresses.
|
--hashlimit-name foo
The name for the /proc/net/ipt_hashlimit/foo entry.
|
--hashlimit-htable-size buckets
The number of buckets of the hash table
|
--hashlimit-htable-max entries
Maximum entries in the hash.
|
--hashlimit-htable-expire msec
After how many milliseconds do hash entries expire.
|
--hashlimit-htable-gcinterval msec
How many milliseconds between garbage collection intervals.
|
helper
This module matches packets related to a specific conntrack-helper.
[!] --helper string
Matches packets related to the specified conntrack-helper.
string can be "ftp" for packets related to a ftp-session on default port. For other ports append
-portnr to the value, ie. "ftp-2121".
Same rules apply for other conntrack-helpers.
|
icmp
This extension can be used if `--protocol icmp' is specified. It provides the following option:
[!] --icmp-type {type[/code]|typename}
This allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or
one of the ICMP type names shown by the command
iptables -p icmp -h
|
[!] --src-range from[-to]
Match source IP in the specified range.
|
[!] --dst-range from[-to]
Match destination IP in the specified range.
|
[!] --ipvs
packet belongs to an IPVS connection
|
[!] --vproto protocol
VIP protocol to match; by number or name, e.g. "tcp"
|
[!] --vaddr address[/mask]
VIP address to match
|
[!] --vport port
VIP port to match; by number or name, e.g. "http"
|
--vdir {ORIGINAL|REPLY}
flow direction of packet
|
[!] --vmethod {GATE|IPIP|MASQ}
IPVS forwarding method used
|
[!] --vportctl port
VIP port of the controlling connection to match, e.g. 21 for FTP
|
length
This module matches the length of the layer-3 payload (e.g. layer-4 packet) of a packet against a
specific value or range of values.
[!] --length length[:length]
|
limit
This module matches at a limited rate using a token bucket filter. A rule using this extension will
match until this limit is reached. It can be used in combination with the LOG target to give limited
logging, for example.
xt_limit has no negation support - you will have to use -m hashlimit ! --hashlimit rate in this case
whilst omitting --hashlimit-mode.
--limit rate[/second|/minute|/hour|/day]
Maximum average matching rate: specified as a number, with an optional `/second', `/minute',
`/hour', or `/day' suffix; the default is 3/hour.
|
--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit
specified above is not reached, up to this number; the default is 5.
|
mac
[!] --mac-source address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes
sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT
chains.
|
mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK
target below).
[!] --mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, this is logically
ANDed with the mask before the comparison).
|
[!] --source-ports,--sports port[,port|,port:port]...
Match if the source port is one of the given ports. The flag --sports is a convenient alias for
this option. Multiple ports or port ranges are separated using a comma, and a port range is
specified using a colon. 53,1024:65535 would therefore match ports 53 and all from 1024 through
65535.
|
[!] --destination-ports,--dports port[,port|,port:port]...
Match if the destination port is one of the given ports. The flag --dports is a convenient alias
for this option.
|
[!] --ports port[,port|,port:port]...
Match if either the source or destination ports are equal to one of the given ports.
|
[!] --genre string
Match an operating system genre by using a passive fingerprinting.
|
--ttl level
Do additional TTL checks on the packet to determine the operating system. level can be one of the
following values:
0 - True IP address and fingerprint TTL comparison. This generally works for LANs.
1 - Check if the IP header's TTL is less than the fingerprint one. Works for globally-routable
addresses.
2 - Do not compare the TTL at all.
|
--log level
Log determined genres into dmesg even if they do not match the desired one. level can be one of the
following values:
0 - Log all matched or unknown signatures
1 - Log only the first one
2 - Log all known matched signatures
You may find something like this in syslog:
Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 hops=3 Linux
[2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
OS fingerprints are loadable using the nfnl_osf program. To load fingerprints from a file, use:
nfnl_osf -f /usr/share/xtables/pf.os
To remove them again,
nfnl_osf -f /usr/share/xtables/pf.os -d
The fingerprint database can be downlaoded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
|
[!] --uid-owner username
[!] --uid-owner userid[-userid]
Matches if the packet socket's file structure (if it has one) is owned by the given user. You may
also specify a numerical UID, or an UID range.
|
[!] --gid-owner groupname
[!] --gid-owner groupid[-groupid]
Matches if the packet socket's file structure is owned by the given group. You may also specify a
numerical GID, or a GID range.
|
[!] --socket-exists
Matches if the packet is associated with a socket.
|
--dir {in|out}
Used to select whether to match the policy used for decapsulation or the policy that will be used
for encapsulation. in is valid in the PREROUTING, INPUT and FORWARD chains, out is valid in the
POSTROUTING, OUTPUT and FORWARD chains.
|
--pol {none|ipsec}
Matches if the packet is subject to IPsec processing. --pol none cannot be combined with --strict.
|
--strict
Selects whether to match the exact policy or match if any rule of the policy matches the given
policy.
|
--rateest-delta
For each estimator (either absolute or relative mode), calculate the difference between the
estimator-determined flow rate and the static value chosen with the BPS/PPS options. If the flow rate
is higher than the specified BPS/PPS, 0 will be used instead of a negative value. In other words,
"max(0, rateest#_rate - rateest#_bps)" is used.
|
[!] --rateest-lt
Match if rate is less than given rate/estimator.
|
[!] --rateest-gt
Match if rate is greater than given rate/estimator.
|
--rateest name
Name of the one rate estimator for absolute mode.
|
--rateest1 name
|
--rateest2 name
The names of the two rate estimators for relative mode.
|
--rateest-bps [value]
|
--rateest-pps [value]
|
--rateest-bps1 [value]
|
--rateest-bps2 [value]
|
--rateest-pps1 [value]
|
--rateest-pps2 [value]
Compare the estimator(s) by bytes or packets per second, and compare against the chosen value. See
the above bullet list for which option is to be used in which case. A unit suffix may be used -
available ones are: bit, [kmgt]bit, [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps.
|
realm
This matches the routing realm. Routing realms are used in complex routing setups involving dynamic
routing protocols like BGP.
[!] --realm value[/mask]
Matches a given realm number (and optionally mask). If not a number, value can be a named realm
from /etc/iproute2/rt_realms (mask can not be used in that case).
|
--name name
Specify the list to use for the commands. If no name is given then DEFAULT will be used.
|
[!] --set
This will add the source address of the packet to the list. If the source address is already in
the list, this will update the existing entry. This will always return success (or failure if ! is
passed in).
|
--rsource
Match/save the source address of each packet in the recent list table. This is the default.
|
--rdest
Match/save the destination address of each packet in the recent list table.
|
[!] --rcheck
Check if the source address of the packet is currently in the list.
|
[!] --update
Like --rcheck, except it will update the "last seen" timestamp if it matches.
|
[!] --remove
Check if the source address of the packet is currently in the list and if so that address will be
removed from the list and the rule will return true. If the address is not found, false is
returned.
|
--seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used, this will
narrow the match to only happen when the address is in the list and was seen within the last given
number of seconds.
|
--reap reap
This option can only be used in conjunction with --seconds. When used, this will cause entries
older then 'seconds' to be purged.
|
--hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used, this will
narrow the match to only happen when the address is in the list and packets had been received
greater than or equal to the given value. This option may be used along with --seconds to create
an even narrower match requiring a certain number of hits within a specific time frame. The
maximum value for the hitcount parameter is given by the "ip_pkt_list_tot" parameter of the
xt_recent kernel module. Exceeding this value on the command line will cause the rule to be
rejected.
|
--rttl This option may only be used in conjunction with one of --rcheck or --update. When used, this will
narrow the match to only happen when the address is in the list and the TTL of the current packet
matches that of the packet which hit the --set rule. This may be useful if you have problems with
people faking their source address in order to DoS you via this module by disallowing others
access to your site by sending bogus packets to you.
|
socket
This matches if an open socket can be found by doing a socket lookup on the packet.
--transparent
Ignore non-transparent sockets.
|
state
This module, when combined with connection tracking, allows access to the connection tracking state for
this packet.
[!] --state state
Where state is a comma separated list of the connection states to match. Possible states are
INVALID meaning that the packet could not be identified for some reason which includes running out
of memory and ICMP errors which don't correspond to any known connection, ESTABLISHED meaning that
the packet is associated with a connection which has seen packets in both directions, NEW meaning
that the packet has started a new connection, or otherwise associated with a connection which has
not seen packets in both directions, and RELATED meaning that the packet is starting a new
connection, but is associated with an existing connection, such as an FTP data transfer, or an
ICMP error. UNTRACKED meaning that the packet is not tracked at all, which happens if you use the
NOTRACK target in raw table.
|
--mode mode
Set the matching mode of the matching rule, supported modes are random and nth.
|
[!] --probability p
Set the probability for a packet to be randomly matched. It only works with the random mode. p
must be within 0.0 and 1.0. The supported granularity is in 1/2147483648th increments.
|
[!] --every n
Match one packet every nth packet. It works only with the nth mode (see also the --packet option).
|
--packet p
Set the initial counter value (0 <= p <= n-1, default 0) for the nth mode.
|
--algo {bm|kmp}
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
|
--from offset
Set the offset from which it starts looking for any matching. If not passed, default is 0.
|
--to offset
Set the offset up to which should be scanned. That is, byte offset-1 (counting from 0) is the last
one that is scanned. If not passed, default is the packet size.
|
[!] --string pattern
Matches the given pattern.
|
[!] --hex-string pattern
Matches the given pattern in hex notation.
|
[!] --source-port,--sport port[:port]
Source port or port range specification. This can either be a service name or a port number. An
inclusive range can also be specified, using the format first:last. If the first port is omitted,
"0" is assumed; if the last is omitted, "65535" is assumed. If the first port is greater than the
second one they will be swapped. The flag --sport is a convenient alias for this option.
|
[!] --destination-port,--dport port[:port]
Destination port or port range specification. The flag --dport is a convenient alias for this
option.
|
[!] --tcp-flags mask comp
Match when the TCP flags are as specified. The first argument mask is the flags which we should
examine, written as a comma-separated list, and the second argument comp is a comma-separated list
of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
|
[!] --syn
Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets
are used to request TCP connection initiation; for example, blocking such packets coming in an
interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected.
It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN. If the "!" flag precedes the "--syn", the
sense of the option is inverted.
|
[!] --tcp-option number
Match if TCP option set.
|
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
|
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range
is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
If --datestart or --datestop are not specified, it will default to 1970-01-01 and 2038-01-19,
respectively.
|
--timestart hh:mm[:ss]
|
--timestop hh:mm[:ss]
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading
zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
|
[!] --monthdays day[,day...]
Only match on the given days of the month. Possible values are 1 to 31. Note that specifying 31
will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day
February.
|
[!] --weekdays day[,day...]
Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun, or values
from 1 to 7, respectively. You may also use two-character variants (Mo, Tu, etc.).
|
--kerneltz
Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
About kernel timezones: Linux keeps the system time in UTC, and always does so. On boot, system time is
initialized from a referential time source. Where this time source has no timezone information, such as
the x86 CMOS RTC, UTC will be assumed. If the time source is however not in UTC, userspace should provide
the correct system time and timezone to the kernel once it has the information.
Local time is a feature on top of the (timezone independent) system time. Each process has its own idea
of local time, specified via the TZ environment variable. The kernel also has its own timezone offset
variable. The TZ userspace environment variable specifies how the UTC-based system time is displayed,
e.g. when you run date(1), or what you see on your desktop clock. The TZ string may resolve to different
offsets at different dates, which is what enables the automatic time-jumping in userspace. when DST
changes. The kernel's timezone offset variable is used when it has to convert between non-UTC sources,
such as FAT filesystems, to UTC (since the latter is what the rest of the system uses).
The caveat with the kernel timezone is that Linux distributions may ignore to set the kernel timezone,
and instead only set the system time. Even if a particular distribution does set the timezone at boot, it
is usually does not keep the kernel timezone offset - which is what changes on DST - up to date. ntpd
will not touch the kernel timezone, so running it will not resolve the issue. As such, one may encounter
a timezone that is always +0000, or one that is wrong half of the time of the year. As such, using
--kerneltz is highly discouraged.
|
--ttl-eq ttl
Matches the given TTL value.
|
--ttl-gt ttl
Matches if TTL is greater than the given TTL value.
|
--ttl-lt ttl
Matches if TTL is less than the given TTL value.
|
--u32 "0 & 0xFFFF = 0x100:0xFFFF"
|
--u32 "6 & 0xFF = 1 && ...
|
--u32 "6 & 0xFF = 6 && ...
|
--type {accept|drop|reject}
Set type of audit record.
Example:
iptables -N AUDIT_DROP
iptables -A AUDIT_DROP -j AUDIT --type drop
iptables -A AUDIT_DROP -j DROP
|
--checksum-fill
Compute and fill in the checksum in a packet that lacks a checksum. This is particularly useful,
if you need to work around old applications such as dhcp clients, that do not work well with
checksum offloads, but don't want to disable checksum offload in your device.
|
--set-class major:minor
Set the major and minor class value. The values are always interpreted as hexadecimal even if no
0x prefix is given.
|
--new Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
|
--hashmode mode
Specify the hashing mode. Has to be one of sourceip, sourceip-sourceport,
sourceip-sourceport-destport.
|
--clustermac mac
Specify the ClusterIP MAC address. Has to be a link-layer multicast address
|
--total-nodes num
Number of total nodes within this cluster.
|
--local-node num
Local node number within this cluster.
|
--hash-init rnd
Specify the random seed used for hash initialization.
|
--set-xmark value[/mask]
Zero out the bits given by mask and XOR value into the ctmark.
|
--and-mark bits
Binary AND the ctmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the binary
negation of bits.)
|
--or-mark bits
Binary OR the ctmark with bits. (Mnemonic for --set-xmark bits/bits.)
|
--xor-mark bits
Binary XOR the ctmark with bits. (Mnemonic for --set-xmark bits/0.)
|
--set-mark value[/mask]
Set the connection mark. If a mask is specified then only those bits set in the mask are modified.
|
--save-mark [--mask mask]
Copy the nfmark to the ctmark. If a mask is specified, only those bits are copied.
|
--restore-mark [--mask mask]
Copy the ctmark to the nfmark. If a mask is specified, only those bits are copied. This is only
valid in the mangle table.
|
--restore
If the packet does not have a security marking, and the connection does, copy the security marking
from the connection to the packet.
|
--notrack
Disables connection tracking for this packet.
|
--helper name
Use the helper identified by name for the connection. This is more flexible than loading the
conntrack helper modules with preset ports.
|
--ctevents event[,...]
Only generate the specified conntrack events for this connection. Possible event types are: new,
related, destroy, reply, assured, protoinfo, helper, mark (this refers to the ctmark, not nfmark),
natseqinfo, secmark (ctsecmark).
|
--expevents event[,...]
Only generate the specified expectation events for this connection. Possible event types are:
new.
|
--zone id
Assign this packet to zone id and only have lookups done in that zone. By default, packets have
zone 0.
|
--random
If option --random is used then port mapping will be randomized (kernel >= 2.6.22).
|
--persistent
Gives a client the same source-/destination-address for each connection. This supersedes the SAME
target. Support for persistent mappings is available from 2.6.29-rc2.
|
--set-dscp value
Set the DSCP field to a numerical value (can be decimal or hex)
|
--set-dscp-class class
Set the DSCP field to a DiffServ class.
|
--ecn-tcp-remove
Remove all ECN bits from the TCP header. Of course, it can only be used in conjunction with -p
tcp.
|
--timeout amount
This is the time in seconds that will trigger the notification.
|
--label string
This is a unique identifier for the timer. The maximum length for the label string is 27
characters.
|
--log-level level
Level of logging (numeric or see syslog.conf(5)).
|
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29 letters long, and useful for
distinguishing messages in the logs.
|
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
|
--log-tcp-options
Log options from the TCP packet header.
|
--log-ip-options
Log options from the IP packet header.
|
--log-uid
Log the userid of the process which generated the packet.
|
--set-xmark value[/mask]
Zeroes out the bits given by mask and XORs value into the packet mark ("nfmark"). If mask is
omitted, 0xFFFFFFFF is assumed.
|
--set-mark value[/mask]
Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted,
0xFFFFFFFF is assumed.
|
--and-mark bits
Binary AND the nfmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the binary
negation of bits.)
|
--or-mark bits
Binary OR the nfmark with bits. (Mnemonic for --set-xmark bits/bits.)
|
--xor-mark bits
Binary XOR the nfmark with bits. (Mnemonic for --set-xmark bits/0.)
|
--random
Randomize source port mapping If option --random is used then port mapping will be randomized
(kernel >= 2.6.21).
|
--to address[/mask]
Network address to map to. The resulting address will be constructed in the following way: All
'one' bits in the mask are filled in from the new `address'. All bits that are zero in the mask
are filled in from the original address.
|
--nflog-group nlgroup
The netlink group (0 - 2^16-1) to which packets are (only applicable for nfnetlink_log). The
default value is 0.
|
--nflog-prefix prefix
A prefix string to include in the log message, up to 64 characters long, useful for distinguishing
messages in the logs.
|
--nflog-range size
The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log
instances may specify their own range, this option overrides it.
|
--nflog-threshold size
Number of packets to queue inside the kernel before sending them to userspace (only applicable for
nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the
packets reach userspace. The default value is 1.
|
--queue-num value
This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is
0.
|
--queue-balance value:value
This specifies a range of queues to use. Packets are then balanced across the given queues. This
is useful for multicore systems: start multiple instances of the userspace program on queues x,
x+1, .. x+n and use "--queue-balance x:x+n". Packets belonging to the same connection are put
into the same nfqueue.
|
--queue-bypass
By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be
queued are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The
packet will move on to the next rule.
|
--rateest-name name
Count matched packets into the pool referred to by name, which is freely choosable.
|
--rateest-interval amount{s|ms|us}
Rate measurement interval, in seconds, milliseconds or microseconds.
|
--rateest-ewmalog value
Rate measurement averaging time constant.
|
--to-ports port[-port]
This specifies a destination port or range of ports to use: without this, the destination port is
never altered. This is only valid if the rule also specifies -p tcp or -p udp.
|
--random
If option --random is used then port mapping will be randomized (kernel >= 2.6.22).
|
--to ipaddr[-ipaddr]
Addresses to map source to. May be specified more than once for multiple ranges.
|
--nodst
Don't use the destination-ip in the calculations when selecting the new source-ip
|
--random
Port mapping will be forcibly randomized to avoid attacks based on port prediction (kernel >=
2.6.21).
|
--selctx security_context
|
--add-set setname flag[,flag...]
add the address(es)/port(s) of the packet to the sets
|
--del-set setname flag[,flag...]
delete the address(es)/port(s) of the packet from the sets
where flags are src and/or dst specifications and there can be no more than six of them.
|
--timeout value
when adding entry, the timeout value to use instead of the default one from the set definition
|
--exist
when adding entry if it already exists, reset the timeout value to the specified one or to the
default from the set definition
Use of -j SET requires that ipset kernel support is provided. As standard kernels do not ship this
currently, the ipset or Xtables-addons package needs to be installed.
|
--to-source [ipaddr[-ipaddr]][:port[-port]]
which can specify a single new source IP address, an inclusive range of IP addresses, and
optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no
port range is specified, then source ports below 512 will be mapped to other ports below 512:
those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be
mapped to 1024 or above. Where possible, no port alteration will occur.
In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you
specify more than one source address, either via an address range or multiple --to-source options,
a simple round-robin (one after another in cycle) takes place between these addresses. Later
Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
|
--random
If option --random is used then port mapping will be randomized (kernel >= 2.6.21).
|
--persistent
Gives a client the same source-/destination-address for each connection. This supersedes the SAME
target. Support for persistent mappings is available from 2.6.29-rc2.
|
--set-mss value
Explicitly sets MSS option to specified value. If the MSS of the packet is already lower than
value, it will not be increased (from Linux 2.6.25 onwards) to avoid more problems with hosts
relying on a proper MSS.
|
--clamp-mss-to-pmtu
Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6). This may not function as
desired where asymmetric routes with differing path MTU exist — the kernel uses the path MTU which
it would use to send packets from itself to the source and destination IP addresses. Prior to
Linux 2.6.25, only the path MTU to the destination IP address was considered by this option;
subsequent kernels also consider the path MTU to the source IP address.
|
--strip-options option[,option...]
Strip the given option(s). The options may be specified by TCP option number or by symbolic name.
The list of recognized options can be obtained by calling iptables with -j TCPOPTSTRIP -h.
|
--gateway ipaddr
Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4
packets) or :: (IPv6) is invalid.
To forward all incoming traffic on eth0 to an Network Layer logging box:
-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1
|
--set-tos value[/mask]
Zeroes out the bits given by mask (see NOTE below) and XORs value into the TOS/Priority field. If
mask is omitted, 0xFF is assumed.
|
--set-tos symbol
You can specify a symbolic name when using the TOS target for IPv4. It implies a mask of 0xFF (see
NOTE below). The list of recognized TOS names can be obtained by calling iptables with -j TOS -h.
|
--and-tos bits
Binary AND the TOS value with bits. (Mnemonic for --set-tos 0/invbits, where invbits is the binary
negation of bits. See NOTE below.)
|
--or-tos bits
Binary OR the TOS value with bits. (Mnemonic for --set-tos bits/bits. See NOTE below.)
|
--xor-tos bits
Binary XOR the TOS value with bits. (Mnemonic for --set-tos bits/0. See NOTE below.)
NOTE: In Linux kernels up to and including 2.6.38, with the exception of longterm releases 2.6.32.42 (or
later) and 2.6.33.15 (or later), there is a bug whereby IPv6 TOS mangling does not behave as documented
and differs from the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it needs to
be inverted before applying it to the original TOS field. However, the aformentioned kernels forgo the
inversion which breaks --set-tos and its mnemonics.
|
--on-ip address
This specifies a destination address to use. By default the address is the IP address of the
incoming interface. This is only valid if the rule also specifies -p tcp or -p udp.
|
--tproxy-mark value[/mask]
Marks packets with the given value/mask. The fwmark value set here can be used by advanced
routing. (Required for transparent proxying to work: otherwise these packets will get forwarded,
which is probably not what you want.)
|
--ttl-set value
Set the TTL value to `value'.
|
--ttl-dec value
Decrement the TTL value `value' times.
|
--ttl-inc value
Increment the TTL value `value' times.
|
--ulog-nlgroup nlgroup
This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.
|
--ulog-prefix prefix
Prefix log messages with the specified prefix; up to 32 characters long, and useful for
distinguishing messages in the logs.
|
--ulog-cprange size
Number of bytes to be copied to userspace. A value of 0 always copies the entire packet,
regardless of its size. Default is 0.
|
--ulog-qthreshold size
Number of packet to queue inside kernel. Setting this value to, e.g. 10 accumulates ten packets
inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1
(for backwards compatibility).
|