Diffstat (limited to 'iptables.8')
-rw-r--r--  iptables.8  112
1 files changed, 48 insertions, 64 deletions
diff --git a/iptables.8 b/iptables.8
index 870eeb12..6007dbcc 100644
--- a/iptables.8
+++ b/iptables.8
@@ -2,8 +2,7 @@
.\"
.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
.\" It is based on ipchains page.
-.\" TODO : add a word for protocol helpers (FTP, IRC, SNMP-ALG)
-.\" add EXTRA EXTENSIONS matches
+.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
.\"
.\" ipchains page by Paul ``Rusty'' Russell March 1997
.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
@@ -24,7 +23,7 @@
.\"
.\"
.SH NAME
-iptables \- IP packet filter administration
+iptables \- administration tool for IPv4 packet filtering and NAT
.SH SYNOPSIS
.BR "iptables -[ADC] " "chain rule-specification [options]"
.br
@@ -94,25 +93,38 @@ that table if it is not already there.
The tables are as follows:
.TP
.B "filter"
-This is the default table. It contains the built-in chains INPUT (for
-packets coming into the box itself), FORWARD (for packets being routed
-through the box), and OUTPUT (for locally-generated packets).
+This is the default table. It contains the built-in chains
+.B INPUT
+(for packets coming into the box itself),
+.B FORWARD
+(for packets being routed through the box), and
+.B OUTPUT
+(for locally-generated packets).
.TP
.B "nat"
This table is consulted when a packet that creates a new
-connection is encountered. It consists of three built-ins: PREROUTING
-(for altering packets as soon as they come in), OUTPUT (for altering
-locally-generated packets before routing), and POSTROUTING (for
-altering packets as they are about to go out).
+connection is encountered. It consists of three built-ins:
+.B PREROUTING
+(for altering packets as soon as they come in),
+.B OUTPUT
+(for altering locally-generated packets before routing), and
+.B POSTROUTING
+(for altering packets as they are about to go out).
.TP
.B "mangle"
This table is used for specialized packet alteration. Until kernel
-2.4.17 it had two built-in chains: PREROUTING (for altering incoming
-packets before routing) and OUTPUT (for altering locally-generated
-packets before routing). Since kernel 2.4.18, three other built-in
-chains are also supported : INPUT (for packets coming into the box itself),
-FORWARD (for altering packets being routed through the box), and
-POSTROUTING (for altering packets as they are about to go out).
+2.4.17 it had two built-in chains:
+.B PREROUTING
+(for altering incoming packets before routing) and
+.B OUTPUT
+(for altering locally-generated packets before routing).
+Since kernel 2.4.18, three other built-in chains are also supported:
+.B INPUT
+(for packets coming into the box itself),
+.B FORWARD
+(for altering packets being routed through the box), and
+.B POSTROUTING
+(for altering packets as they are about to go out).
.SH OPTIONS
The options that are recognized by
.B iptables
@@ -567,28 +579,6 @@ This module matches the time to live field in the IP header.
.TP
.BI "--ttl " "ttl"
Matches the given TTL value.
-.SS owner
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
-have no owner, and hence never match. This is regarded as experimental.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
.SS unclean
This module takes no options, but attempts to match packets which seem
malformed or unusual. This is regarded as experimental.
@@ -777,6 +767,8 @@ through a
.IR netlink
socket. One or more userspace processes may then subscribe to various
multicast groups and receive the packets.
+Like LOG, this is a "non-terminating target", i.e. rule traversal
+continues at the next rule.
.TP
.BI "--ulog-nlgroup " "nlgroup"
This specifies the netlink group (1-32) to which the packet is sent.
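Review bot: the added "non-terminating target" sentence is the important operational fact about ULOG and it is good to have it stated; consider adding the consequence that follows from it, namely that a ULOG rule only records the packet and a separate rule after it must still ACCEPT or DROP, since readers commonly assume a logging rule also disposes of the packet.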
@@ -784,21 +776,21 @@ Default value is 1.
.TP
.BI "--ulog-prefix " "prefix"
Prefix log messages with the specified prefix; up to 32 characters
-long, and useful fro distinguishing messages in the logs.
+long, and useful for distinguishing messages in the logs.
.TP
.BI "--ulog-cprange " "size"
-Number of bytes to be copied to userspace. A value of 0 always copies
-the entire packet, regardless of its size. Default is 0.
+Number of bytes to be copied to userspace. A value of 0 always copies
+the entire packet, regardless of its size. Default is 0.
.TP
.BI "--ulog-qthreshold " "size"
-Number of packet to queue inside kernel. Setting this value to, e.g. 10
+Number of packet to queue inside kernel. Setting this value to, e.g. 10
accumulates ten packets inside the kernel and transmits them as one
netlink multipart message to userspace. Default is 1 (for backwards
compatibility).
.SS TCPMSS
This target allows to alter the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 40). Of course, it can only be used
+outgoing interface's MTU minus 40). Of course, it can only be used
in conjunction with
.BR "-p tcp" .
.br
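Review bot: the changes to the --ulog-cprange, --ulog-qthreshold and TCPMSS lines appear to be whitespace-only, yet the grammar errors on the same lines are left in place: "Number of packet to queue inside kernel" should read "Number of packets to queue inside the kernel", and "This target allows to alter the MSS value" should read "This target allows altering the MSS value". Since these lines are already being touched, fix them in the same hunk rather than in a later cleanup.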
@@ -828,30 +820,13 @@ Explicitly set MSS option to specified value.
Automatically clamp MSS value to (path_MTU - 40).
.TP
These options are mutually exclusive.
-.SH EXTRA EXTENSIONS
-The following extensions are not included by default in the standard
-distribution.
-.SS TTL
-This target is used to modify the time to live field in the IP header.
-It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--ttl-set " "ttl"
-Set the TTL to the given value.
-.TP
-.BI "--ttl-dec " "ttl"
-Decrement the TTL by the given value.
-.TP
-.BI "--ttl-inc " "ttl"
-Increment the TTL by the given value.
.SH DIAGNOSTICS
Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by
invalid or abused command line parameters cause an exit code of 2, and
other errors cause an exit code of 1.
.SH BUGS
-Check is not implemented (yet).
+Bugs? What's this? ;-)
.SH COMPATIBILITY WITH IPCHAINS
This
.B iptables
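Review bot: replacing "Check is not implemented (yet)." with "Bugs? What's this? ;-)" removes a factual statement while the SYNOPSIS earlier in this patch still advertises `iptables -[ADC] chain rule-specification [options]`, so -C remains documented as a valid command with no note that it does not work; either keep the Check sentence in BUGS or remove C from the synopsis in the same commit. Dropping the EXTRA EXTENSIONS section and its TTL target is consistent with the new SEE ALSO reference to the netfilter-extensions-HOWTO, so that part is fine.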
@@ -888,9 +863,17 @@ seen previously. So the following options are handled differently:
.br
There are several other changes in iptables.
.SH SEE ALSO
-The packet-filtering-HOWTO, which details more iptables usage for
-packet filtering, the NAT-HOWTO, which details NAT,
-and the netfilter-hacking-HOWTO which details the internals.
+.BR iptables-save (8),
+.BR iptables-restore (8),
+.BR ip6tables (8),
+.BR ip6tables-save (8),
+.BR ip6tables-restore(8).
+.P
+The packet-filtering-HOWTO details iptables usage for
+packet filtering, the NAT-HOWTO details NAT,
+the netfilter-extensions-HOWTO details the extensions that are
+not in the standard distribution,
+and the netfilter-hacking-HOWTO details the netfilter internals.
.br
See
.BR "http://www.netfilter.org/" .
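Review bot: the `.BR ip6tables-restore(8).` entry is missing the space that the four entries above it have between the name and "(8)". With `.BR` the bold/roman alternation is per argument, so this line renders the whole of "ip6tables-restore(8)." in bold while the others render only the name in bold; change it to `.BR ip6tables-restore (8).` for consistency.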
@@ -912,6 +895,7 @@ The Netfilter Core Team is: Marc Boucher, Jozsef Kadlecsik, James Morris,
Harald Welte and Rusty Russell.
.PP
Man page written by Herve Eychenne <rv@wallfire.org>.
+
.\" .. and did I mention that we are incredibly cool people?
.\" .. sexy, too ..
.\" .. witty, charming, powerful ..