Diffstat (limited to 'iptables.8')
1 files changed, 53 insertions, 42 deletions
@@ -25,7 +25,7 @@
iptables \- administration tool for IPv4 packet filtering and NAT
-.BR "iptables [-t table] -[ADC] " "chain rule-specification [options]"
+.BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
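Review bot: The new synopsis line drops C from `-[ADC]`, but none of the hunks shown here removes or rewords a matching -C entry in the command descriptions. Please confirm the rest of the page no longer documents that command, so the synopsis and the option list agree. Since this line is being touched anyway, consider writing the option dashes as `\-t` and `\-[AD]`, as the NAME line already does with `\-`, so they render as ASCII minus signs and survive copy and paste.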
@@ -91,8 +91,9 @@ loading, an attempt will be made to load the appropriate module for
that table if it is not already there.
The tables are as follows:
+.BR "filter" :
This is the default table (if no -t option is passed). It contains
the built-in chains
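Review bot: The added `.BR "filter" :` label only becomes a hanging tag if a `.TP` (or similar) precedes it, and no such macro is visible in this hunk. Without one the label is filled into the same line as "This is the default table". The quotes around a single word are also unnecessary, so `.BR filter :` is enough. The same applies to the `nat` and `mangle` labels added in the next two hunks.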
@@ -102,7 +103,7 @@ the built-in chains
(for locally-generated packets).
+.BR "nat" :
This table is consulted when a packet that creates a new
connection is encountered. It consists of three built-ins:
@@ -112,7 +113,7 @@ connection is encountered. It consists of three built-ins:
(for altering packets as they are about to go out).
+.BR "mangle" :
This table is used for specialized packet alteration. Until kernel
2.4.17 it had two built-in chains:
@@ -126,6 +127,7 @@ Since kernel 2.4.18, three other built-in chains are also supported:
(for altering packets being routed through the box), and
(for altering packets as they are about to go out).
The options that are recognized by
@@ -166,9 +168,9 @@ fail. Rules are numbered starting at 1.
List all rules in the selected chain. If no chain is selected, all
chains are listed. As every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L
Please note that it is often used with the
option, in order to avoid long reverse DNS lookups.
@@ -177,9 +179,9 @@ It is legal to specify the
(zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other
arguments given. The exact rules are suppressed until you use
iptables -L -v
.BR "-F, --flush " "[\fIchain\fP]"
Flush the selected chain (all the chains in the table if none is given).
@@ -450,12 +452,13 @@ This module matches packets related to a specific conntrack-helper.
.BI "--helper " "string"
Matches packets related to the specified conntrack-helper.
string can be "ftp" for packets related to a ftp-session on default port.
For other ports append -portnr to the value, ie. "ftp-2121".
Same rules apply for other conntrack-helpers.
This extension is loaded if `--protocol icmp' is specified. It
provides the following option:
@@ -463,9 +466,9 @@ provides the following option:
.BR "--icmp-type " "[!] \fItypename\fP"
This allows specification of the ICMP type, which can be a numeric
ICMP type, or one of the ICMP type names shown by the command
iptables -p icmp -h
This module matches the length of a packet against a specific value
or range of values.
@@ -652,9 +655,9 @@ the second argument is a comma-separated list of flags which must be
set. Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
@@ -732,7 +735,8 @@ or
.BR "-p udp" ).
If no port range is specified, then the destination port will never be
You can add several --to-destination options. If you specify more
than one destination address, either via an address range or multiple
--to-destination options, a simple round-robin (one after another in
@@ -862,13 +866,15 @@ returned:
.BI "--reject-with " "type"
The type given can be
-.BR icmp-net-unreachable ,
-.BR icmp-host-unreachable ,
-.BR icmp-port-unreachable ,
-.BR icmp-proto-unreachable ,
-.BR icmp-net-prohibited ,
-.BR "icmp-host-prohibited or"
-.BR "icmp-admin-prohibited (*)"
+.B " icmp-net-unreachable"
+.B " icmp-host-unreachable"
+.B " icmp-port-unreachable"
+.B " icmp-proto-unreachable"
+.B " icmp-net-prohibited"
+.B " icmp-host-prohibited or"
+.B " icmp-admin-prohibited (*)"
which return the appropriate ICMP error message (\fBport-unreachable\fP is
the default). The option
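Review bot: The replacement `.B " icmp-net-unreachable"` lines drop the commas that the old `.BR ... ,` lines carried, so in fill mode the seven type names will run together with nothing separating them unless the block is wrapped in no-fill markup that is not visible here. The leading space inside the quotes is a fragile way to indent; `.RS`/`.RE` or `.IP` would express the intent. On the line `.B " icmp-host-prohibited or"` the word "or" is now set in bold as if it were part of the type name, so move it outside the bold argument.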
@@ -900,7 +906,8 @@ If no port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023 inclusive
will be mapped to ports below 1024, and other ports will be mapped to
1024 or above. Where possible, no port alteration will occur.
You can add several --to-source options. If you specify more
than one source address, either via an address range or multiple
--to-source options, a simple round-robin (one after another in
@@ -917,19 +924,25 @@ which block ICMP Fragmentation Needed packets. The symptoms of this
problem are that everything works fine from your Linux
firewall/router, but machines behind it can never exchange large
- 1) Web browsers connect, then hang with no data received.
- 2) Small mail works fine, but large emails hang.
- 3) ssh works fine, but scp hangs after initial handshaking.
+Web browsers connect, then hang with no data received.
+Small mail works fine, but large emails hang.
+ssh works fine, but scp hangs after initial handshaking.
Workaround: activate this option and add a rule to your firewall
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
-j TCPMSS --clamp-mss-to-pmtu
.BI "--set-mss " "value"
Explicitly set MSS option to specified value.
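Review bot: The three symptom lines lose both their `1)`, `2)`, `3)` markers and their leading indentation, so as written on the + side nothing forces a break between them and they will be filled into one run-on paragraph unless each is preceded by a list macro that is not visible in this hunk. Suggest making the list explicit, for example an `.IP \(bu` before each item, so the symptoms stay visually separate from the "Workaround:" text that follows.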
@@ -946,9 +959,9 @@ table.
.BI "--set-tos " "tos"
You can use a numeric TOS values, or use
iptables -j TOS -h
to see the list of valid TOS names.
This target provides userspace logging of matching packets. When this
@@ -996,7 +1009,8 @@ and
are only traversed for packets coming into the local host and
originating from the local host respectively. Hence every packet only
-passes through one of the three chains; previously a forwarded packet
+passes through one of the three chains (except loopback traffic, which
+involves both INPUT and OUTPUT chains); previously a forwarded packet
would pass through all three.
The other main difference is that
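Review bot: The added parenthetical "(except loopback traffic, which involves both INPUT and OUTPUT chains)" is a useful correction, but "involves" is vague and the order is reversed relative to how a packet travels. A locally generated packet sent to a local address goes through OUTPUT first and then INPUT, so consider "which traverses both the OUTPUT and INPUT chains". That wording also tells readers writing filter rules that loopback traffic needs to be allowed in both places.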
@@ -1013,13 +1027,11 @@ is a pure packet filter when using the default `filter' table, with
optional extension modules. This should simplify much of the previous
confusion over the combination of IP masquerading and packet filtering
seen previously. So the following options are handled differently:
There are several other changes in iptables.
.SH SEE ALSO
.BR iptables-save (8),
@@ -1054,7 +1066,6 @@ The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
James Morris, Harald Welte and Rusty Russell.
Man page written by Herve Eychenne <firstname.lastname@example.org>.
.\" .. and did I mention that we are incredibly cool people?
.\" .. sexy, too ..
.\" .. witty, charming, powerful ..