administration tool for IPv4 packet filtering and NAT
|
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination
names resolve to more than one address, a rule will be added for each possible address
combination.
|
-t, --table table
This option specifies the packet matching table which the command should operate on. If the
kernel is configured with automatic module loading, an attempt will be made to load the
appropriate module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT
(for packets destined to local sockets), FORWARD (for packets being routed through the box),
and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It
consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT
(for altering locally-generated packets before routing), and POSTROUTING (for altering packets
as they are about to go out).
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in
chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering
locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains
are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering
packets being routed through the box), and POSTROUTING (for altering packets as they are about
to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination
with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus
called before ip_conntrack, or any other IP tables. It provides the following built-in
chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets
generated by local processes)
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled
by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux
Security Modules such as SELinux. The security table is called after the filter table,
allowing any Discretionary Access Control (DAC) rules in the filter table to take effect
before MAC rules. This table provides the following built-in chains: INPUT (for packets
coming into the box itself), OUTPUT (for altering locally-generated packets before routing),
and FORWARD (for altering packets being routed through the box).
|
[!] -d, --destination address[/mask][,...]
Destination specification. See the description of the -s (source) flag for a detailed description
of the syntax. The flag --dst is an alias for this option.
|
[!] -p, --protocol protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp,
udp, udplite, icmp, esp, ah, sctp or the special keyword "all", or it can be a numeric value,
representing one of these protocols or a different one. A protocol name from /etc/protocols is
also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent
to all. "all" will match with all protocols and is taken as default when this option is omitted.
|
[!] --destination-ports,--dports port[,port|,port:port]...
Match if the destination port is one of the given ports. The flag --dports is a convenient alias
for this option.
|
-j, --jump target
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can
be a user-defined chain (other than the one this rule is in), one of the special builtin targets
which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this
option is omitted in a rule (and -g is not used), then matching the rule will have no effect on
the packet's fate, but the counters on the rule will be incremented.
|
--to offset
Set the offset up to which should be scanned. That is, byte offset-1 (counting from 0) is the last
one that is scanned. If not passed, default is the packet size.
|