author Henrik Nordstrom <> 2004-01-22 15:04:24 +0000
committer Harald Welte <> 2004-01-22 15:04:24 +0000
commit c2794131b445ebccba184066af6d3fb2f38d1f38 (patch)
tree a24f57a9be5a8364b53dfa102705d270f36b440a /
parent 0113fe75ff05e09e6f3d251534d9ae32e9aa717c (diff)
split manpages into per-extension manpage snippet (Henrik Nordstrom)
add lots of missing manpage snippets (Harald Welte)
Diffstat (limited to '')
1 files changed, 464 insertions, 0 deletions
diff --git a/ b/
new file mode 100644
index 00000000..3f36fd80
--- /dev/null
+++ b/
@@ -0,0 +1,464 @@
+.TH IPTABLES 8 "Mar 09, 2002" "" ""
+.\" Man page written by Herve Eychenne <> (May 1999)
+.\" It is based on ipchains page.
+.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <>
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" GNU General Public License for more details.
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+iptables \- administration tool for IPv4 packet filtering and NAT
+.BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
+.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
+.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]"
+.BR "iptables [-t table] -D " "chain rulenum [options]"
+.BR "iptables [-t table] -[LFZ] " "[chain] [options]"
+.BR "iptables [-t table] -N " "chain"
+.BR "iptables [-t table] -X " "[chain]"
+.BR "iptables [-t table] -P " "chain target [options]"
+.BR "iptables [-t table] -E " "old-chain-name new-chain-name"
+.B Iptables
+is used to set up, maintain, and inspect the tables of IP packet
+filter rules in the Linux kernel. Several different tables
+may be defined. Each table contains a number of built-in
+chains and may also contain user-defined chains.
+Each chain is a list of rules which can match a set of packets. Each
+rule specifies what to do with a packet that matches. This is called
+a `target', which may be a jump to a user-defined chain in the same
+A firewall rule specifies criteria for a packet, and a target. If the
+packet does not match, the next rule in the chain is the examined; if
+it does match, then the next rule is specified by the value of the
+target, which can be the name of a user-defined chain or one of the
+special values
+means to let the packet through.
+means to drop the packet on the floor.
+means to pass the packet to userspace (if supported by the kernel).
+means stop traversing this chain and resume at the next rule in the
+previous (calling) chain. If the end of a built-in chain is reached
+or a rule in a built-in chain with target
+is matched, the target specified by the chain policy determines the
+fate of the packet.
+There are currently three independent tables (which tables are present
+at any time depends on the kernel configuration options and which
+modules are present).
+.BI "-t, --table " "table"
+This option specifies the packet matching table which the command
+should operate on. If the kernel is configured with automatic module
+loading, an attempt will be made to load the appropriate module for
+that table if it is not already there.
+The tables are as follows:
+.TP .4i
+.BR "filter" :
+This is the default table (if no -t option is passed). It contains
+the built-in chains
+(for packets coming into the box itself),
+(for packets being routed through the box), and
+(for locally-generated packets).
+.BR "nat" :
+This table is consulted when a packet that creates a new
+connection is encountered. It consists of three built-ins:
+(for altering packets as soon as they come in),
+(for altering locally-generated packets before routing), and
+(for altering packets as they are about to go out).
+.BR "mangle" :
+This table is used for specialized packet alteration. Until kernel
+2.4.17 it had two built-in chains:
+(for altering incoming packets before routing) and
+(for altering locally-generated packets before routing).
+Since kernel 2.4.18, three other built-in chains are also supported:
+(for packets coming into the box itself),
+(for altering packets being routed through the box), and
+(for altering packets as they are about to go out).
+The options that are recognized by
+.B iptables
+can be divided into several different groups.
+These options specify the specific action to perform. Only one of them
+can be specified on the command line unless otherwise specified
+below. For all the long versions of the command and option names, you
+need to use only enough letters to ensure that
+.B iptables
+can differentiate it from all other options.
+.BI "-A, --append " "chain rule-specification"
+Append one or more rules to the end of the selected chain.
+When the source and/or destination names resolve to more than one
+address, a rule will be added for each possible address combination.
+.BI "-D, --delete " "chain rule-specification"
+.BI "-D, --delete " "chain rulenum"
+Delete one or more rules from the selected chain. There are two
+versions of this command: the rule can be specified as a number in the
+chain (starting at 1 for the first rule) or a rule to match.
+.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP"
+Insert one or more rules in the selected chain as the given rule
+number. So, if the rule number is 1, the rule or rules are inserted
+at the head of the chain. This is also the default if no rule number
+is specified.
+.BI "-R, --replace " "chain rulenum rule-specification"
+Replace a rule in the selected chain. If the source and/or
+destination names resolve to multiple addresses, the command will
+fail. Rules are numbered starting at 1.
+.BR "-L, --list " "[\fIchain\fP]"
+List all rules in the selected chain. If no chain is selected, all
+chains are listed. As every other iptables command, it applies to the
+specified table (filter is the default), so NAT rules get listed by
+ iptables -t nat -n -L
+Please note that it is often used with the
+.B -n
+option, in order to avoid long reverse DNS lookups.
+It is legal to specify the
+.B -Z
+(zero) option as well, in which case the chain(s) will be atomically
+listed and zeroed. The exact output is affected by the other
+arguments given. The exact rules are suppressed until you use
+ iptables -L -v
+.BR "-F, --flush " "[\fIchain\fP]"
+Flush the selected chain (all the chains in the table if none is given).
+This is equivalent to deleting all the rules one by one.
+.BR "-Z, --zero " "[\fIchain\fP]"
+Zero the packet and byte counters in all chains. It is legal to
+specify the
+.B "-L, --list"
+(list) option as well, to see the counters immediately before they are
+cleared. (See above.)
+.BI "-N, --new-chain " "chain"
+Create a new user-defined chain by the given name. There must be no
+target of that name already.
+.BR "-X, --delete-chain " "[\fIchain\fP]"
+Delete the optional user-defined chain specified. There must be no references
+to the chain. If there are, you must delete or replace the referring
+rules before the chain can be deleted. If no argument is given, it
+will attempt to delete every non-builtin chain in the table.
+.BI "-P, --policy " "chain target"
+Set the policy for the chain to the given target. See the section
+for the legal targets. Only built-in (non-user-defined) chains can have
+policies, and neither built-in nor user-defined chains can be policy
+.BI "-E, --rename-chain " "old-chain new-chain"
+Rename the user specified chain to the user supplied name. This is
+cosmetic, and has no effect on the structure of the table.
+.B -h
+Give a (currently very brief) description of the command syntax.
+The following parameters make up a rule specification (as used in the
+add, delete, insert, replace and append commands).
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+The protocol of the rule or of the packet to check.
+The specified protocol can be one of
+.IR tcp ,
+.IR udp ,
+.IR icmp ,
+.IR all ,
+or it can be a numeric value, representing one of these protocols or a
+different one. A protocol name from /etc/protocols is also allowed.
+A "!" argument before the protocol inverts the
+test. The number zero is equivalent to
+.IR all .
+.I all
+will match with all protocols and is taken as default when this
+option is omitted.
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+Source specification.
+.I Address
+can be either a network name, a hostname (please note that specifying
+any name to be resolved with a remote query such as DNS is a really bad idea),
+a network IP address (with /mask), or a plain IP address.
+.I mask
+can be either a network mask or a plain number,
+specifying the number of 1's at the left side of the network mask.
+Thus, a mask of
+.I 24
+is equivalent to
+.IR .
+A "!" argument before the address specification inverts the sense of
+the address. The flag
+.B --src
+is an alias for this option.
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+Destination specification.
+See the description of the
+.B -s
+(source) flag for a detailed description of the syntax. The flag
+.B --dst
+is an alias for this option.
+.BI "-j, --jump " "target"
+This specifies the target of the rule; i.e., what to do if the packet
+matches it. The target can be a user-defined chain (other than the
+one this rule is in), one of the special builtin targets which decide
+the fate of the packet immediately, or an extension (see
+below). If this
+option is omitted in a rule, then matching the rule will have no
+effect on the packet's fate, but the counters on the rule will be
+.BR "-i, --in-interface " "[!] \fIname\fP"
+Name of an interface via which a packet is going to be received (only for
+packets entering the
+chains). When the "!" argument is used before the interface name, the
+sense is inverted. If the interface name ends in a "+", then any
+interface which begins with this name will match. If this option is
+omitted, any interface name will match.
+.BR "-o, --out-interface " "[!] \fIname\fP"
+Name of an interface via which a packet is going to be sent (for packets
+entering the
+chains). When the "!" argument is used before the interface name, the
+sense is inverted. If the interface name ends in a "+", then any
+interface which begins with this name will match. If this option is
+omitted, any interface name will match.
+.B "[!] " "-f, --fragment"
+This means that the rule only refers to second and further fragments
+of fragmented packets. Since there is no way to tell the source or
+destination ports of such a packet (or ICMP type), such a packet will
+not match any rules which specify them. When the "!" argument
+precedes the "-f" flag, the rule will only match head fragments, or
+unfragmented packets.
+.BI "-c, --set-counters " "PKTS BYTES"
+This enables the administrator to initialize the packet and byte
+counters of a rule (during
+The following additional options can be specified:
+.B "-v, --verbose"
+Verbose output. This option makes the list command show the interface
+name, the rule options (if any), and the TOS masks. The packet and
+byte counters are also listed, with the suffix 'K', 'M' or 'G' for
+1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
+.B -x
+flag to change this).
+For appending, insertion, deletion and replacement, this causes
+detailed information on the rule or rules to be printed.
+.B "-n, --numeric"
+Numeric output.
+IP addresses and port numbers will be printed in numeric format.
+By default, the program will try to display them as host names,
+network names, or services (whenever applicable).
+.B "-x, --exact"
+Expand numbers.
+Display the exact value of the packet and byte counters,
+instead of only the rounded number in K's (multiples of 1000)
+M's (multiples of 1000K) or G's (multiples of 1000M). This option is
+only relevant for the
+.B -L
+.B "--line-numbers"
+When listing rules, add line numbers to the beginning of each rule,
+corresponding to that rule's position in the chain.
+.B "--modprobe=command"
+When adding or inserting rules into a chain, use
+.B command
+to load any necessary modules (targets, match extensions, etc).
+iptables can use extended packet matching modules. These are loaded
+in two ways: implicitly, when
+.B -p
+.B --protocol
+is specified, or with the
+.B -m
+.B --match
+options, followed by the matching module name; after these, various
+extra command line options become available, depending on the specific
+module. You can specify multiple extended match modules in one line,
+and you can use the
+.B -h
+.B --help
+options after the module has been specified to receive help specific
+to that module.
+The following are included in the base package, and most of these can
+be preceded by a
+.B !
+to invert the sense of the match.
+.\" @MATCH@
+iptables can use extended target modules: the following are included
+in the standard distribution.
+.\" @TARGET@
+Various error messages are printed to standard error. The exit code
+is 0 for correct functioning. Errors which appear to be caused by
+invalid or abused command line parameters cause an exit code of 2, and
+other errors cause an exit code of 1.
+Bugs? What's this? ;-)
+Well... the counters are not reliable on sparc64.
+.B iptables
+is very similar to ipchains by Rusty Russell. The main difference is
+that the chains
+are only traversed for packets coming into the local host and
+originating from the local host respectively. Hence every packet only
+passes through one of the three chains (except loopback traffic, which
+involves both INPUT and OUTPUT chains); previously a forwarded packet
+would pass through all three.
+The other main difference is that
+.B -i
+refers to the input interface;
+.B -o
+refers to the output interface, and both are available for packets
+entering the
+.PP The various forms of NAT have been separated out;
+.B iptables
+is a pure packet filter when using the default `filter' table, with
+optional extension modules. This should simplify much of the previous
+confusion over the combination of IP masquerading and packet filtering
+seen previously. So the following options are handled differently:
+ -j MASQ
+ -M -S
+ -M -L
+There are several other changes in iptables.
+.BR iptables-save (8),
+.BR iptables-restore (8),
+.BR ip6tables (8),
+.BR ip6tables-save (8),
+.BR ip6tables-restore (8).
+The packet-filtering-HOWTO details iptables usage for
+packet filtering, the NAT-HOWTO details NAT,
+the netfilter-extensions-HOWTO details the extensions that are
+not in the standard distribution,
+and the netfilter-hacking-HOWTO details the netfilter internals.
+.BR "" .
+Rusty Russell wrote iptables, in early consultation with Michael
+Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
+selection framework in iptables, then wrote the mangle table, the owner match,
+the mark stuff, and ran around doing cool stuff everywhere.
+James Morris wrote the TOS target, and tos match.
+Jozsef Kadlecsik wrote the REJECT target.
+Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
+The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+James Morris, Harald Welte and Rusty Russell.
+Man page written by Herve Eychenne <>.
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..
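Review bot: several passages in this new file end mid-sentence and should be completed before the snippet is split out: the -P/--policy entry stops at `policies, and neither built-in nor user-defined chains can be policy`, the -c/--set-counters entry stops at `counters of a rule (during`, the -j/--jump entry breaks off after "the counters on the rule will be", the mask example under -s ends in an empty `.IR .` with no value, and the AUTHORS paragraph breaks off after "in early consultation with Michael". The license header likewise jumps from "implied warranty of" straight to "GNU General Public License for more details." Two smaller points: in the chain-traversal paragraph, "is the examined" reads as a typo for "is then examined", and the line `.PP The various forms of NAT have been separated out;` puts text on a `.PP` request line, where troff ignores it; put the sentence on its own line after `.PP`. The `.TH` header still carries the date "Mar 09, 2002" while this commit is from 2004-01-22; consider updating it when the per-extension snippets are reassembled.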