path: root/iptables.8
Diffstat (limited to 'iptables.8')
-rw-r--r--  iptables.8  104
1 files changed, 66 insertions, 38 deletions
diff --git a/iptables.8 b/iptables.8
index 3e899af..7bf8e2d 100644
--- a/iptables.8
+++ b/iptables.8
@@ -1,4 +1,4 @@
-.TH IPTABLES 8 "Mar 20, 2000" "" ""
+.TH IPTABLES 8 "Aug 11, 2000" "" ""
.\"
.\" Man page written by Herve Eychenne <eychenne@info.enserb.u-bordeaux.fr>
.\" It is based on ipchains man page.
@@ -66,7 +66,7 @@ means to let the packet through.
.I DROP
means to drop the packet on the floor.
.I QUEUE
-means to pass the packet to userspace.
+means to pass the packet to userspace (if supported by the kernel).
.I RETURN
means stop traversing this chain, and resume at the next rule in the
previous (calling) chain. If the end of a built-in chain is reached,
@@ -75,9 +75,9 @@ or a rule in a built-in chain with target
is matched, the target specified by the chain policy determines the
fate of the packet.
.SH TABLES
-There are current three tables (which tables are present at any time
-depends on the kernel configuration options and which modules are
-present).
+There are current three independent tables (which tables are present
+at any time depends on the kernel configuration options and which
+modules are present).
.TP
.B "-t, --table"
This option specifies the packet matching table which the command
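Review bot: the typo "There are current three" is carried over unchanged into the new line; it should read "There are currently three independent tables". Since the sentence now stresses that the tables are independent, it would also help to name them here so the reader knows which three are meant before reaching the -t description.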
@@ -161,17 +161,17 @@ target of that name already.
Delete the specified user-defined chain. There must be no references
to the chain (if there are you must delete or replace the referring
rules before the chain can be deleted). If no argument is given, it
-will attempt to delete every non-builtin chain.
+will attempt to delete every non-builtin chain in the table.
.TP
.B "-P, --policy"
Set the policy for the chain to the given target. See the section
+.B TARGETS
+for the legal targets. Only non-userdefined chains can have policies,
+and neither built-in nor user-defined chains can be policy targets.
.TP
.B "-E, --rename-chain"
Rename the user specified chain to the user supplied name; this is
cosmetic, and has no effect on the structure of the table.
-.B TARGETS
-for the legal targets. Only non-userdefined chains can have policies,
-and neither built-in nor user-defined chains can be policy targets.
.TP
.B -h
Help.
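Review bot: moving the "See the section TARGETS ..." paragraph from after -E up into the -P entry fixes a misplaced paragraph, good. While touching it, "Only non-userdefined chains can have policies" should say "Only built-in chains can have policies", which matches the terminology used in the very next clause ("neither built-in nor user-defined chains can be policy targets") and avoids the double negative.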
@@ -189,7 +189,7 @@ The specified protocol can be one of
or
.IR all ,
or it can be a numeric value, representing one of these protocols or a
-different one. Also a protocol name from /etc/protocols is allowed.
+different one. A protocol name from /etc/protocols is also allowed.
A "!" argument before the protocol inverts the
test. The number zero is equivalent to
.IR all .
@@ -197,8 +197,6 @@ Protocol
.I all
will match with all protocols and is taken as default when this
option is omitted.
-.I All
-may not be used in in combination with the check command.
.TP
.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
Source specification.
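Review bot: dropping "All may not be used in combination with the check command" is only correct if the check command itself no longer exists; please confirm no other part of the page still documents a -C/--check option, otherwise the restriction should be kept (with the "in in" typo fixed) rather than removed.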
@@ -267,7 +265,8 @@ This means that the rule only refers to second and further fragments
of fragmented packets. Since there is no way to tell the source or
destination ports of such a packet (or ICMP type), such a packet will
not match any rules which specify them. When the "!" argument
-precedes the "-f" flag, the sense is inverted.
+precedes the "-f" flag, the rule will only match head fragments, or
+unfragmented packets.
.SS "OTHER OPTIONS"
The following additional options can be specified:
.TP
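Review bot: the new wording for "! -f" is a real improvement over "the sense is inverted", but "head fragments" is introduced here without definition while the preceding sentence talks about "second and further fragments". Use "first fragments" (or "the first fragment of a fragmented packet") so the two sentences use the same vocabulary, e.g. "the rule will only match first fragments, or unfragmented packets".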
@@ -301,13 +300,31 @@ command.
When listing rules, add line numbers to the beginning of each rule,
corresponding to that rule's position in the chain.
.SH MATCH EXTENSIONS
-iptables can use extended packet matching modules. The following are
-included in the base package, and most of these can be preceded by a
+iptables can use extended packet matching modules. These are loaded
+in two ways: implicitly, when
+.B -p
+or
+.B --protocol
+is specified, or with the
+.B -m
+or
+.B --match
+options, followed by the matching module name; after these, various
+extra command line options become available, depending on the specific
+module. You can specify multiple extended match modules in one line, and you can use the
+.B -h
+or
+.B --help
+options after the module has been specified to receive help specific
+to that module.
+
+The following are included in the base package, and most of these can
+be preceded by a
.B !
to invert the sense of the match.
.SS tcp
-These extensions are loaded if `--protocol tcp' is specified, and no
-other match is specified. It provides the following options:
+These extensions are loaded if `--protocol tcp' is specified. It
+provides the following options:
.TP
.BR "--source-port " "[!] [\fIport[:port]\fP]"
Source port or port range specification. This can either be a service
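Review bot: the new paragraph says match modules are loaded "implicitly, when -p or --protocol is specified", but that only happens for protocols that have a match module of the same name (tcp, udp and icmp below); for any other -p value nothing is loaded and no extra options appear. Say so, otherwise a reader may expect -p to always enable protocol-specific options. It is also worth stating explicitly that module-specific options must come after the -m/-p that loads them, since the text only implies this with "after these, various extra command line options become available". Removing "and no other match is specified" from the tcp extension is consistent with the new "multiple extended match modules in one line" statement. Finally, the line "module. You can specify multiple extended match modules in one line, and you can use the" is far longer than the rest of the page; wrap it to the width used elsewhere.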
@@ -352,8 +369,8 @@ option is inverted.
.BR "--tcp-option " "[!] \fInumber\fP"
Match if TCP option set.
.SS udp
-These extensions are loaded if `--protocol udp' is specified, and no
-other match is specified. It provides the following options:
+These extensions are loaded if `--protocol udp' is specified. It
+provides the following options:
.TP
.BR "--source-port " "[!] [\fIport[:port]\fP]"
Source port or port range specification.
@@ -367,8 +384,8 @@ See the description of the
.B --destination-port
option of the TCP extension for details.
.SS icmp
-This extension is loaded if `--protocol icmp' is specified, and no
-other match is specified. It provides the following option:
+This extension is loaded if `--protocol icmp' is specified. It
+provides the following option:
.TP
.BR "--icmp-type " "[!] \fItypename\fP"
This allows specification of the ICMP type, which can be a numeric
@@ -388,9 +405,10 @@ or
chains for packets coming from an ethernet device.
.SS limit
This module matches at a limited rate using a token bucket filter: it
-can be used in combination with the LOG target to give limited
-logging. A rule using this extension will match until this limit is
-reached (unless the `!' flag is used).
+can be used in combination with the
+.B LOG
+target to give limited logging. A rule using this extension will
+match until this limit is reached (unless the `!' flag is used).
.TP
.BI "--limit " "rate"
Maximum average matching rate: specified as a number, with an optional
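Review bot: "A rule using this extension will match until this limit is reached" does not say what happens to packets once the limit is exceeded: they simply fall through to the following rules. Combined with LOG, as this paragraph recommends, that means events above the rate are silently not logged, so the kernel log must not be read as a complete record. One sentence making that explicit ("packets exceeding the limit do not match this rule and continue down the chain, so they are not logged") would prevent a common misreading.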
@@ -430,8 +448,9 @@ comparison).
.SS owner
This module attempts to match various characteristics of the packet
creator, for locally-generated packets. It is only valid in the
-OUTPUT chain, and even this some packets (such as ICMP ping responses)
-may have no owner, and hence never match.
+.B OUTPUT
+chain, and even this some packets (such as ICMP ping responses) may
+have no owner, and hence never match.
.TP
.BI "--uid-owner " "userid"
Matches if the packet was created by a process with the given
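Review bot: the grammar error "and even this some packets" survives the reflow; it should be "and even then some packets (such as ICMP ping responses) may have no owner, and hence never match". Since the hunk already rewrites these lines, fix it here.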
@@ -487,8 +506,11 @@ in the standard distribution.
.SS LOG
Turn on kernel logging of matching packets. When this option is set
for a rule, the Linux kernel will print some information on all
-matching packets (like most IP header fields) via
-.IR printk ().
+matching packets (like most IP header fields) via the kernel log
+(where it can be read with
+.I dmesg
+or
+.IR syslogd (8)).
.TP
.BI "--log-level " "level"
Level of logging (numeric or see \fIsyslog.conf\fP(5)).
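Review bot: pointing the reader at dmesg and syslogd(8) is more useful than "printk()", but now that the text describes where the messages land it should also warn that a LOG rule with no rate limiting can flood the kernel log; a cross-reference to the limit match, whose own description already recommends the LOG/limit combination, would close the loop.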
@@ -540,10 +562,11 @@ the default). The option
is also allowed; it can only be used for rules which specify an ICMP
ping packet, and generates a ping reply. Finally, the option
.B tcp-reset
-can be used on rules in (or called from) the
-.B INPUT
-chain which only match the TCP protocol: this causes a TCP RST packet
-to be sent back.
+can be used on rules which only match the TCP protocol: this causes a
+TCP RST packet to be sent back. This is mainly useful for blocking
+.I ident
+probes which frequently occur when sending mail to broken mail hosts
+(which won't accept your mail otherwise).
.SS TOS
This is used to set the 8-bit Type of Service field in the IP header.
It is only valid in the
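Review bot: this hunk silently drops the restriction that tcp-reset is only usable "on rules in (or called from) the INPUT chain" without saying where it is now valid. If the restriction has really been lifted, state the new rule (e.g. that it is valid in any chain, or list the chains); if it has not, the old wording should stay. The added ident rationale is helpful, but "broken mail hosts" could be made precise: the problem is hosts that wait for an ident reply before accepting mail, which a DROP would stall and a RST answers immediately.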
@@ -563,8 +586,12 @@ It is only valid in the
.BR INPUT ,
.B FORWARD
and
-.B OUTPUT
-chains, and user-defined chains which are only called from those chains.
+.B PREROUTING
+chains, and user-defined chains which are only called from those
+chains. Note that the outgoing packets are
+.B NOT
+seen by any packet filtering chains, connection tracking or NAT, to
+avoid loops and other problems.
.SS SNAT
This target is only valid in the
.B nat
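Review bot: replacing OUTPUT with PREROUTING in the list of valid chains is a behavioural change that should be called out, and the new sentence that outgoing packets are "NOT seen by any packet filtering chains, connection tracking or NAT" has a security consequence worth spelling out: packets this target generates leave the host without passing any OUTPUT rule, so nothing in the rule set can block them. Say that plainly, and either name the "other problems" the note alludes to or cut the phrase, since "loops and other problems" tells the reader nothing actionable.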
@@ -649,7 +676,6 @@ if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" ).
-.TP
.SH DIAGNOSTICS
Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by
@@ -693,8 +719,9 @@ seen previously. So the following options are handled differently:
.br
There are several other changes in iptables.
.SH SEE ALSO
-The iptables-HOWTO, which details more iptables usage, and the
-netfilter-hacking-HOWTO which details the internals.
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
.SH AUTHORS
Rusty Russell wrote iptables, in early consultation with Michael
Neuling.
@@ -707,5 +734,6 @@ James Morris wrote the TOS target, and tos match.
.PP
Jozsef Kadlecsik wrote the REJECT target.
.PP
-The Netfilter Core Team is: Marc Boucher, Rusty Russell.
+The Netfilter Core Team is: Marc Boucher, James Morris and Rusty Russell.
.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..