From c2794131b445ebccba184066af6d3fb2f38d1f38 Mon Sep 17 00:00:00 2001 
From: Henrik Nordstrom Date: Thu, 22 Jan 2004 15:04:24 +0000 Subject: split manpages into per-extension manpage snippet (Henrik Nordstrom) add lots of missing manpage snippets (Harald Welte) --- Makefile | 9 +- extensions/Makefile | 75 +++ extensions/libip6t_HL.man | 17 + extensions/libip6t_LOG.man | 28 + extensions/libip6t_MARK.man | 6 + extensions/libip6t_REJECT.man | 34 ++ extensions/libip6t_ROUTE.man | 12 + extensions/libip6t_TRACE.man | 3 + extensions/libip6t_ah.man | 3 + extensions/libip6t_condition.man | 4 + extensions/libip6t_dst.man | 7 + extensions/libip6t_esp.man | 3 + extensions/libip6t_eui64.man | 1 + extensions/libip6t_frag.man | 19 + extensions/libip6t_fuzzy.man | 7 + extensions/libip6t_hbh.man | 7 + extensions/libip6t_hl.man | 10 + extensions/libip6t_icmpv6.man | 9 + extensions/libip6t_ipv6header.man | 10 + extensions/libip6t_length.man | 4 + extensions/libip6t_limit.man | 15 + extensions/libip6t_mac.man | 10 + extensions/libip6t_mark.man | 9 + extensions/libip6t_multiport.man | 19 + extensions/libip6t_nth.man | 14 + extensions/libip6t_owner.man | 21 + extensions/libip6t_random.man | 4 + extensions/libip6t_rt.man | 19 + extensions/libip6t_tcp.man | 45 ++ extensions/libip6t_udp.man | 14 + extensions/libipt_BALANCE.man | 4 + extensions/libipt_CLASSIFY.man | 4 + extensions/libipt_CLUSTERIP.man | 24 + extensions/libipt_CONNMARK.man | 13 + extensions/libipt_DNAT.man | 27 + extensions/libipt_DSCP.man | 9 + extensions/libipt_ECN.man | 7 + extensions/libipt_LOG.man | 28 + extensions/libipt_MARK.man | 6 + extensions/libipt_MASQUERADE.man | 22 + extensions/libipt_MIRROR.man | 12 + extensions/libipt_NETMAP.man | 9 + extensions/libipt_NOTRACK.man | 5 + extensions/libipt_REDIRECT.man | 18 + extensions/libipt_REJECT.man | 34 ++ extensions/libipt_ROUTE.man | 15 + extensions/libipt_SNAT.man | 26 + extensions/libipt_TCPMSS.man | 38 ++ extensions/libipt_TOS.man | 11 + extensions/libipt_TRACE.man | 3 + extensions/libipt_TTL.man | 19 + extensions/libipt_ULOG.man | 27 + 
extensions/libipt_addrtype.man | 37 ++ extensions/libipt_ah.man | 3 + extensions/libipt_condition.man | 4 + extensions/libipt_conntrack.man | 49 ++ extensions/libipt_dscp.man | 10 + extensions/libipt_dstlimit.man | 35 ++ extensions/libipt_ecn.man | 11 + extensions/libipt_esp.man | 3 + extensions/libipt_fuzzy.man | 7 + extensions/libipt_helper.man | 11 + extensions/libipt_icmp.man | 9 + extensions/libipt_iprange.man | 7 + extensions/libipt_length.man | 4 + extensions/libipt_limit.man | 15 + extensions/libipt_mac.man | 10 + extensions/libipt_mark.man | 9 + extensions/libipt_mport.man | 19 + extensions/libipt_multiport.man | 19 + extensions/libipt_nth.man | 14 + extensions/libipt_owner.man | 26 + extensions/libipt_physdev.man | 42 ++ extensions/libipt_pkttype.man | 3 + extensions/libipt_random.man | 4 + extensions/libipt_realm.man | 5 + extensions/libipt_state.man | 21 + extensions/libipt_tcp.man | 49 ++ extensions/libipt_tcpmss.man | 4 + extensions/libipt_time.man | 10 + extensions/libipt_tos.man | 9 + extensions/libipt_ttl.man | 10 + extensions/libipt_udp.man | 14 + extensions/libipt_unclean.man | 2 + ip6tables.8 | 821 ---------------------------- ip6tables.8.in | 461 ++++++++++++++++ iptables.8 | 1072 ------------------------------------- iptables.8.in | 464 ++++++++++++++++ 88 files changed, 2197 insertions(+), 1895 deletions(-) create mode 100644 extensions/libip6t_HL.man create mode 100644 extensions/libip6t_LOG.man create mode 100644 extensions/libip6t_MARK.man create mode 100644 extensions/libip6t_REJECT.man create mode 100644 extensions/libip6t_ROUTE.man create mode 100644 extensions/libip6t_TRACE.man create mode 100644 extensions/libip6t_ah.man create mode 100644 extensions/libip6t_condition.man create mode 100644 extensions/libip6t_dst.man create mode 100644 extensions/libip6t_esp.man create mode 100644 extensions/libip6t_eui64.man create mode 100644 extensions/libip6t_frag.man create mode 100644 extensions/libip6t_fuzzy.man create mode 100644 
extensions/libip6t_hbh.man create mode 100644 extensions/libip6t_hl.man create mode 100644 extensions/libip6t_icmpv6.man create mode 100644 extensions/libip6t_ipv6header.man create mode 100644 extensions/libip6t_length.man create mode 100644 extensions/libip6t_limit.man create mode 100644 extensions/libip6t_mac.man create mode 100644 extensions/libip6t_mark.man create mode 100644 extensions/libip6t_multiport.man create mode 100644 extensions/libip6t_nth.man create mode 100644 extensions/libip6t_owner.man create mode 100644 extensions/libip6t_random.man create mode 100644 extensions/libip6t_rt.man create mode 100644 extensions/libip6t_tcp.man create mode 100644 extensions/libip6t_udp.man create mode 100644 extensions/libipt_BALANCE.man create mode 100644 extensions/libipt_CLASSIFY.man create mode 100644 extensions/libipt_CLUSTERIP.man create mode 100644 extensions/libipt_CONNMARK.man create mode 100644 extensions/libipt_DNAT.man create mode 100644 extensions/libipt_DSCP.man create mode 100644 extensions/libipt_ECN.man create mode 100644 extensions/libipt_LOG.man create mode 100644 extensions/libipt_MARK.man create mode 100644 extensions/libipt_MASQUERADE.man create mode 100644 extensions/libipt_MIRROR.man create mode 100644 extensions/libipt_NETMAP.man create mode 100644 extensions/libipt_NOTRACK.man create mode 100644 extensions/libipt_REDIRECT.man create mode 100644 extensions/libipt_REJECT.man create mode 100644 extensions/libipt_ROUTE.man create mode 100644 extensions/libipt_SNAT.man create mode 100644 extensions/libipt_TCPMSS.man create mode 100644 extensions/libipt_TOS.man create mode 100644 extensions/libipt_TRACE.man create mode 100644 extensions/libipt_TTL.man create mode 100644 extensions/libipt_ULOG.man create mode 100644 extensions/libipt_addrtype.man create mode 100644 extensions/libipt_ah.man create mode 100644 extensions/libipt_condition.man create mode 100644 extensions/libipt_conntrack.man create mode 100644 extensions/libipt_dscp.man create mode 
100644 extensions/libipt_dstlimit.man create mode 100644 extensions/libipt_ecn.man create mode 100644 extensions/libipt_esp.man create mode 100644 extensions/libipt_fuzzy.man create mode 100644 extensions/libipt_helper.man create mode 100644 extensions/libipt_icmp.man create mode 100644 extensions/libipt_iprange.man create mode 100644 extensions/libipt_length.man create mode 100644 extensions/libipt_limit.man create mode 100644 extensions/libipt_mac.man create mode 100644 extensions/libipt_mark.man create mode 100644 extensions/libipt_mport.man create mode 100644 extensions/libipt_multiport.man create mode 100644 extensions/libipt_nth.man create mode 100644 extensions/libipt_owner.man create mode 100644 extensions/libipt_physdev.man create mode 100644 extensions/libipt_pkttype.man create mode 100644 extensions/libipt_random.man create mode 100644 extensions/libipt_realm.man create mode 100644 extensions/libipt_state.man create mode 100644 extensions/libipt_tcp.man create mode 100644 extensions/libipt_tcpmss.man create mode 100644 extensions/libipt_time.man create mode 100644 extensions/libipt_tos.man create mode 100644 extensions/libipt_ttl.man create mode 100644 extensions/libipt_udp.man create mode 100644 extensions/libipt_unclean.man delete mode 100644 ip6tables.8 create mode 100644 ip6tables.8.in delete mode 100644 iptables.8 create mode 100644 iptables.8.in diff --git a/Makefile b/Makefile index 50c85511..c9c6f343 100644 --- a/Makefile +++ b/Makefile @@ -53,7 +53,7 @@ LDFLAGS = -static LDLIBS = endif -EXTRAS+=iptables iptables.o +EXTRAS+=iptables iptables.o iptables.8 EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables $(DESTDIR)$(MANDIR)/man8/iptables.8 # No longer experimental. 
@@ -61,7 +61,7 @@ EXTRAS+=iptables-save iptables-restore EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables-save $(DESTDIR)$(BINDIR)/iptables-restore $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 ifeq ($(DO_IPV6), 1) -EXTRAS+=ip6tables ip6tables.o +EXTRAS+=ip6tables ip6tables.o ip6tables.8 EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables $(DESTDIR)$(MANDIR)/man8/ip6tables.8 EXTRAS_EXP+=ip6tables-save ip6tables-restore EXTRA_INSTALLS_EXP+=$(DESTDIR)$(BINDIR)/ip6tables-save $(DESTDIR)$(BINDIR)/ip6tables-restore # $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-restore.8 @@ -147,6 +147,11 @@ EXTRA_DEPENDS+=iptables-standalone.d iptables.d iptables-standalone.d iptables.d: %.d: %.c @-$(CC) -M -MG $(CFLAGS) $< | sed -e 's@^.*\.o:@$*.d $*.o:@' > $@ +iptables.8: iptables.8.in extensions/libipt_matches.man extensions/libipt_targets.man + sed -e '/@MATCH@/ r extensions/libipt_matches.man' -e '/@TARGET@/ r extensions/libipt_targets.man' iptables.8.in >iptables.8 + +ip6tables.8: ip6tables.8.in extensions/libip6t_matches.man extensions/libip6t_targets.man + sed -e '/@MATCH@/ r extensions/libip6t_matches.man' -e '/@TARGET@/ r extensions/libiptt_targets.man' ip6tables.8.in >ip6tables.8 # Development Targets .PHONY: install-devel-man3 diff --git a/extensions/Makefile b/extensions/Makefile index db9d6041..2a45ea02 100644 --- a/extensions/Makefile +++ b/extensions/Makefile 
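Review bot: the ip6tables.8 recipe in the @@ -147,6 +147,11 @@ hunk reads the targets snippet from the wrong file: `-e '/@TARGET@/ r extensions/libiptt_targets.man'` says `libiptt`, while the prerequisite list on the line above names `extensions/libip6t_targets.man`. sed's `r` command silently treats an unreadable file as empty, so the build will succeed and ship an ip6tables.8 with no target section. Change it to `libip6t_targets.man`. Both recipes would also be safer written once as a pattern rule (`%.8: %.8.in ...`) that writes to `$@` instead of a hard-coded output name, so the IPv4 and IPv6 rules cannot drift apart again.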
@@ -12,6 +12,29 @@ PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner standard tcp PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) +PF_EXT_ALL_SLIB:=$(patsubst extensions/libipt_%.c, %, $(wildcard extensions/libipt_*.c)) +PF6_EXT_ALL_SLIB:=$(patsubst extensions/libip6t_%.c, %, $(wildcard extensions/libipt_*.c)) + +PF_EXT_MAN_ALL_MATCHES:=$(foreach T,$(PF_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q register_match extensions/libipt_$(T).c && echo $(T))) +PF_EXT_MAN_ALL_TARGETS:=$(foreach T,$(PF_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q register_target extensions/libipt_$(T).c && echo $(T))) +PF6_EXT_MAN_ALL_MATCHES:=$(foreach T,$(PF6_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q register_match6 extensions/libip6t_$(T).c && echo $(T))) +PF6_EXT_MAN_ALL_TARGETS:=$(foreach T,$(PF6_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q register_target6 extensions/libip6t_$(T).c && echo $(T))) + +PF_EXT_MAN_MATCHES:=$(filter $(PF_EXT_ALL_SLIB), $(PF_EXT_MAN_ALL_MATCHES)) +PF_EXT_MAN_TARGETS:=$(filter $(PF_EXT_ALL_SLIB), $(PF_EXT_MAN_ALL_TARGETS)) +PF_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF_EXT_MAN_MATCHES), $(PF_EXT_MAN_ALL_MATCHES)) +PF_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF_EXT_MAN_TARGETS), $(PF_EXT_MAN_ALL_TARGETS)) +PF6_EXT_MAN_MATCHES:=$(filter $(PF6_EXT_ALL_SLIB), $(PF6_EXT_MAN_ALL_MATCHES)) +PF6_EXT_MAN_TARGETS:=$(filter $(PF6_EXT_ALL_SLIB), $(PF6_EXT_MAN_ALL_TARGETS)) +PF6_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF6_EXT_MAN_MATCHES), $(PF6_EXT_MAN_ALL_MATCHES)) +PF6_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF6_EXT_MAN_TARGETS), $(PF6_EXT_MAN_ALL_TARGETS)) + + +allman: + @echo ALL_SLIB: $(PF_EXT_ALL_SLIB) + @echo ALL_MATCH: $(PF_EXT_MAN_ALL_MATCHES) + @echo ALL_TARGET: $(PF_EXT_MAN_ALL_TARGETS) + 
PF_EXT_SLIB+=$(PF_EXT_SLIB_OPTS) PF6_EXT_SLIB+=$(PF6_EXT_SLIB_OPTS) 
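Review bot: `PF6_EXT_ALL_SLIB` is built from the wrong glob: `$(patsubst extensions/libip6t_%.c, %, $(wildcard extensions/libipt_*.c))` enumerates the IPv4 sources, so the `libip6t_%.c` pattern never matches, the variable ends up holding raw `extensions/libipt_*.c` paths, every `test -f extensions/libip6t_$(T).man` below fails, and the IPv6 match and target lists come out empty. It should be `$(wildcard extensions/libip6t_*.c)`. Second, `PF_EXT_MAN_MATCHES:=$(filter $(PF_EXT_ALL_SLIB), $(PF_EXT_MAN_ALL_MATCHES))` and its three siblings filter against the same `*_ALL_SLIB` list the `*_MAN_ALL_*` variables were derived from, so the filter is a no-op and `PF_EXT_MAN_EXTRA_*` is always empty; the "(not supported, see Patch-O-Matic)" sections in the recipes below can never be produced. The intended filter set is presumably `$(PF_EXT_SLIB)` / `$(PF6_EXT_SLIB)`, the extensions actually built, but note those are only completed by the `PF_EXT_SLIB+=$(PF_EXT_SLIB_OPTS)` lines after this block, so the filter needs to move below them or use deferred `=` assignment. Third, the `allman` target only echoes three variables and reads like a debugging leftover; drop it, or at least declare it `.PHONY`.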
@@ -79,6 +102,58 @@ extensions/lib%.o: extensions/lib%.c endif +EXTRAS += extensions/libipt_targets.man +extensions/libipt_targets.man: $(patsubst %,extensions/libipt_%.man,$(PF_EXT_MAN_ALL_TARGETS)) + @for ext in $(PF_EXT_MAN_TARGETS); do \ + echo ".SS $$ext" ;\ + cat extensions/libipt_$$ext.man ;\ + done >extensions/libipt_targets.man + @if [ -n "$(PF_EXT_MAN_EXTRA_TARGETS)" ]; then \ + for ext in $(PF_EXT_MAN_EXTRA_TARGETS); do \ + echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\ + cat extensions/libipt_$$ext.man ;\ + done ;\ + fi >>extensions/libipt_targets.man + +EXTRAS += extensions/libipt_matches.man +extensions/libipt_matches.man: $(patsubst %,extensions/libipt_%.man,$(PF_EXT_MAN_ALL_MATCHES)) + @for ext in $(PF_EXT_MAN_MATCHES); do \ + echo ".SS $$ext" ;\ + cat extensions/libipt_$$ext.man ;\ + done >extensions/libipt_matches.man + @if [ -n "$(PF_EXT_MAN_EXTRA_MATCHES)" ]; then \ + for ext in $(PF_EXT_MAN_EXTRA_MATCHES); do \ + echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\ + cat extensions/libipt_$$ext.man ;\ + done ;\ + fi >>extensions/libipt_matches.man + +EXTRAS += extensions/libip6t_targets.man +extensions/libip6t_targets.man: $(patsubst %, extensions/libip6t_%.man, $(PF6_EXT_MAN_ALL_TARGETS)) + @for ext in $(PF6_EXT_MAN_TARGETS); do \ + echo ".SS $$ext" ;\ + cat extensions/libip6t_$$ext.man ;\ + done >extensions/libip6t_targets.man + @if [ -n "$(PF6_EXT_MAN_EXTRA_TARGETS)" ]; then \ + for ext in $(PF6_EXT_MAN_EXTRA_TARGETS); do \ + echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\ + cat extensions/libip6t_$$ext.man ;\ + done ;\ + fi >>extensions/libip6t_targets.man + +EXTRAS += extensions/libip6t_matches.man +extensions/libip6t_matches.man: $(patsubst %, extensions/libip6t_%.man, $(PF6_EXT_MAN_ALL_MATCHES)) + @for ext in $(PF6_EXT_MAN_MATCHES); do \ + echo ".SS $$ext" ;\ + cat extensions/libip6t_$$ext.man ;\ + done >extensions/libip6t_matches.man + @if [ -n "$(PF6_EXT_MAN_EXTRA_MATCHES)" ]; then \ + for ext in 
$(PF6_EXT_MAN_EXTRA_MATCHES); do \ + echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\ + cat extensions/libip6t_$$ext.man ;\ + done ;\ + fi >>extensions/libip6t_matches.man + $(DESTDIR)$(LIBDIR)/iptables/libipt_%.so: extensions/libipt_%.so @[ -d $(DESTDIR)$(LIBDIR)/iptables ] || mkdir -p $(DESTDIR)$(LIBDIR)/iptables cp $< $@ diff --git a/extensions/libip6t_HL.man b/extensions/libip6t_HL.man new file mode 100644 index 00000000..6b8291d9 --- /dev/null +++ b/extensions/libip6t_HL.man @@ -0,0 +1,17 @@ +This is used to modify the IPv6 HOPLIMIT header field. The HOPLIMIT field is +similar to what is known as TTL value in IPv4. Setting or incrementing the +HOPLIMIT field can potentially be very dangerous, so it should be avoided at +any cost. +.TP +.B Don't ever set or increment the value on packets that leave your local network! +.B mangle +table. +.TP +.BI "--hl-set " "value" +Set the HOPLIMIT value to `value'. +.TP +.BI "--hl-dec " "value" +Decrement the HOPLIMIT value `value' times. +.TP +.BI "--hl-inc " "value" +Increment the HOPLIMIT value `value' times. diff --git a/extensions/libip6t_LOG.man b/extensions/libip6t_LOG.man new file mode 100644 index 00000000..9eb5a6ab --- /dev/null +++ b/extensions/libip6t_LOG.man 
@@ -0,0 +1,28 @@ +Turn on kernel logging of matching packets. When this option is set +for a rule, the Linux kernel will print some information on all +matching packets (like most IPv6 IPv6-header fields) via the kernel log +(where it can be read with +.I dmesg +or +.IR syslogd (8)). +This is a "non-terminating target", i.e. rule traversal continues at +the next rule. So if you want to LOG the packets you refuse, use two +separate rules with the same matching criteria, first using target LOG +then DROP (or REJECT). +.TP +.BI "--log-level " "level" +Level of logging (numeric or see \fIsyslog.conf\fP(5)). +.TP +.BI "--log-prefix " "prefix" +Prefix log messages with the specified prefix; up to 29 letters long, +and useful for distinguishing messages in the logs. +.TP +.B --log-tcp-sequence +Log TCP sequence numbers. This is a security risk if the log is +readable by users. +.TP +.B --log-tcp-options +Log options from the TCP packet header. +.TP +.B --log-ip-options +Log options from the IPv6 packet header. diff --git a/extensions/libip6t_MARK.man b/extensions/libip6t_MARK.man new file mode 100644 index 00000000..1f3260c5 --- /dev/null +++ b/extensions/libip6t_MARK.man @@ -0,0 +1,6 @@ +This is used to set the netfilter mark value associated with the +packet. It is only valid in the +.B mangle +table. +.TP +.BI "--set-mark " "mark" diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man new file mode 100644 index 00000000..75930f1e --- /dev/null +++ b/extensions/libip6t_REJECT.man 
@@ -0,0 +1,34 @@ +This is used to send back an error packet in response to the matched +packet: otherwise it is equivalent to +.B DROP +so it is a terminating TARGET, ending rule traversal. +This target is only valid in the +.BR INPUT , +.B FORWARD +and +.B OUTPUT +chains, and user-defined chains which are only called from those +chains. The following option controls the nature of the error packet +returned: +.TP +.BI "--reject-with " "type" +The type given can be +.nf +.B " icmp6-no-route" +.B " no-route" +.B " icmp6-adm-prohibited" +.B " adm-prohibited" +.B " icmp6-addr-unreachable" +.B " addr-unreach" +.B " icmp6-port-unreachable" +.B " port-unreach" +.fi +which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is +the default). Finally, the option +.B tcp-reset +can be used on rules which only match the TCP protocol: this causes a +TCP RST packet to be sent back. This is mainly useful for blocking +.I ident +(113/tcp) probes which frequently occur when sending mail to broken mail +hosts (which won't accept your mail otherwise). + diff --git a/extensions/libip6t_ROUTE.man b/extensions/libip6t_ROUTE.man new file mode 100644 index 00000000..145d748d --- /dev/null +++ b/extensions/libip6t_ROUTE.man @@ -0,0 +1,12 @@ +This is used to explicitly override the core network stack's routing decision. +.B mangle +table. +.TP +.BI "--oif " "ifname" +Route the packet through `ifname' network interface +.TP +.BI "--gw " "IPv6_address" +Route the packet via this gateway +.TP +.BI "--continue " +Behave like a non-terminating target and continue traversing the rules diff --git a/extensions/libip6t_TRACE.man b/extensions/libip6t_TRACE.man new file mode 100644 index 00000000..549ab33b --- /dev/null +++ b/extensions/libip6t_TRACE.man @@ -0,0 +1,3 @@ +This target has no options. It just turns on +.B packet tracing +for all packets that match this rule. diff --git a/extensions/libip6t_ah.man b/extensions/libip6t_ah.man new file mode 100644 index 00000000..97de1e19 
--- /dev/null +++ b/extensions/libip6t_ah.man @@ -0,0 +1,3 @@ +This module matches the SPIs in AH header of IPSec packets. +.TP +.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]" diff --git a/extensions/libip6t_condition.man b/extensions/libip6t_condition.man new file mode 100644 index 00000000..30c478cd --- /dev/null +++ b/extensions/libip6t_condition.man @@ -0,0 +1,4 @@ +This matches if a specific /proc filename is '0' or '1'. +.TP +.BI "--condition " "[!] filename" +Match on boolean value stored in /proc/net/ip6t_condition/filename file diff --git a/extensions/libip6t_dst.man b/extensions/libip6t_dst.man new file mode 100644 index 00000000..168a10fb --- /dev/null +++ b/extensions/libip6t_dst.man @@ -0,0 +1,7 @@ +This module matches the IPv6 destination header options +.TP +.BI "--dst-len" "[!]" "length" +Total length of this header +.TP +.BI "--dst-opts " "TYPE[:LEN],[,TYPE[:LEN]...]" +Options and it's length (List). diff --git a/extensions/libip6t_esp.man b/extensions/libip6t_esp.man new file mode 100644 index 00000000..7b84368d --- /dev/null +++ b/extensions/libip6t_esp.man @@ -0,0 +1,3 @@ +This module matches the SPIs in ESP header of IPSec packets. +.TP +.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]" diff --git a/extensions/libip6t_eui64.man b/extensions/libip6t_eui64.man new file mode 100644 index 00000000..24fc56c6 --- /dev/null +++ b/extensions/libip6t_eui64.man @@ -0,0 +1 @@ +This module matches the EUI64 part of a stateless autoconfigured IPv6 address. It compares the source MAC address with the lower 64 bits of the IPv6 address. diff --git a/extensions/libip6t_frag.man b/extensions/libip6t_frag.man new file mode 100644 index 00000000..fff3db3b --- /dev/null +++ b/extensions/libip6t_frag.man 
@@ -0,0 +1,19 @@ +This module matches the time IPv6 fragmentathion header +.TP +.BI "--fragid " "[!]" "id[:id]" +Matches the given fragmentation ID (range). +.TP +.BI "--fraglen " "[!]" "length" +Matches the total length of this header. +.TP +.BI "--fragres " +Matches the reserved field, too. +.TP +.BI "--fragfirst " +Matches on the first fragment. +.TP +.BI "[--fragmore]" +Matches if there are more fragments. +.TP +.BI "[--fraglast]" +Matches if this is the last fragement. diff --git a/extensions/libip6t_fuzzy.man b/extensions/libip6t_fuzzy.man new file mode 100644 index 00000000..270c8d62 --- /dev/null +++ b/extensions/libip6t_fuzzy.man @@ -0,0 +1,7 @@ +This module matches a rate limit based on a fuzzy logic controller [FLC] +.TP +.BI "--lower-limit "number" +Specifies the lower limit (in packets per second). +.TP +.BI "--upper-limit " "number" +Specifies the upper limit (in packets per second). diff --git a/extensions/libip6t_hbh.man b/extensions/libip6t_hbh.man new file mode 100644 index 00000000..8376f915 --- /dev/null +++ b/extensions/libip6t_hbh.man @@ -0,0 +1,7 @@ +This module matches the IPv6 hop-by-hop header options +.TP +.BI "--hbh-len" "[!]" "length" +Total length of this header +.TP +.BI "--hbh-opts " "TYPE[:LEN],[,TYPE[:LEN]...]" +Options and it's length (List). diff --git a/extensions/libip6t_hl.man b/extensions/libip6t_hl.man new file mode 100644 index 00000000..9fcb730d --- /dev/null +++ b/extensions/libip6t_hl.man @@ -0,0 +1,10 @@ +This module matches the HOPLIMIT field in the IPv6 header. +.TP +.BI "--hl-eq " "value" +Matches if HOPLIMIT equals the given value. +.TP +.BI "--hl-lt " "ttl" +Matches if HOPLIMIT is less than the given value. +.TP +.BI "--hl-gt " "ttl" +Matches if HOPLIMIT is greater than the given value. diff --git a/extensions/libip6t_icmpv6.man b/extensions/libip6t_icmpv6.man new file mode 100644 index 00000000..27029544 --- /dev/null +++ b/extensions/libip6t_icmpv6.man 
@@ -0,0 +1,9 @@ +This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is +specified. It provides the following option: +.TP +.BR "--icmpv6-type " "[!] \fItypename\fP" +This allows specification of the ICMP type, which can be a numeric +IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command +.nf + ip6tables -p ipv6-icmp -h +.fi diff --git a/extensions/libip6t_ipv6header.man b/extensions/libip6t_ipv6header.man new file mode 100644 index 00000000..bec3e184 --- /dev/null +++ b/extensions/libip6t_ipv6header.man @@ -0,0 +1,10 @@ +This module matches on IPv6 option headers +.TP +.BI "--header " "[!]" "headers" +Matches the given type of headers. +Names: hop,dst,route,frag,auth,esp,none,proto +Long Names: hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol +Numbers: 0,60,43,44,51,50,59 +.TP +.BI "--soft" +The header CONTAINS the specified extensions. diff --git a/extensions/libip6t_length.man b/extensions/libip6t_length.man new file mode 100644 index 00000000..72a6b5dc --- /dev/null +++ b/extensions/libip6t_length.man @@ -0,0 +1,4 @@ +This module matches the length of a packet against a specific value +or range of values. +.TP +.BR "--length " "\fIlength\fP[:\fIlength\fP]" diff --git a/extensions/libip6t_limit.man b/extensions/libip6t_limit.man new file mode 100644 index 00000000..84b63d4e --- /dev/null +++ b/extensions/libip6t_limit.man 
@@ -0,0 +1,15 @@ +This module matches at a limited rate using a token bucket filter. +A rule using this extension will match until this limit is reached +(unless the `!' flag is used). It can be used in combination with the +.B LOG +target to give limited logging, for example. +.TP +.BI "--limit " "rate" +Maximum average matching rate: specified as a number, with an optional +`/second', `/minute', `/hour', or `/day' suffix; the default is +3/hour. +.TP +.BI "--limit-burst " "number" +Maximum initial number of packets to match: this number gets +recharged by one every time the limit specified above is not reached, +up to this number; the default is 5. diff --git a/extensions/libip6t_mac.man b/extensions/libip6t_mac.man new file mode 100644 index 00000000..5321ca1c --- /dev/null +++ b/extensions/libip6t_mac.man @@ -0,0 +1,10 @@ +.TP +.BR "--mac-source " "[!] \fIaddress\fP" +Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. +Note that this only makes sense for packets coming from an Ethernet device +and entering the +.BR PREROUTING , +.B FORWARD +or +.B INPUT +chains. diff --git a/extensions/libip6t_mark.man b/extensions/libip6t_mark.man new file mode 100644 index 00000000..05f8e1ec --- /dev/null +++ b/extensions/libip6t_mark.man @@ -0,0 +1,9 @@ +This module matches the netfilter mark field associated with a packet +(which can be set using the +.B MARK +target below). +.TP +.BR "--mark " "\fIvalue\fP[/\fImask\fP]" +Matches packets with the given unsigned mark value (if a mask is +specified, this is logically ANDed with the mask before the +comparison). diff --git a/extensions/libip6t_multiport.man b/extensions/libip6t_multiport.man new file mode 100644 index 00000000..cead84e7 --- /dev/null +++ b/extensions/libip6t_multiport.man 
@@ -0,0 +1,19 @@ +This module matches a set of source or destination ports. Up to 15 +ports can be specified. It can only be used in conjunction with +.B "-p tcp" +or +.BR "-p udp" . +.TP +.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the source port is one of the given ports. The flag +.B --sports +is a convenient alias for this option. +.TP +.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the destination port is one of the given ports. The flag +.B --dports +is a convenient alias for this option. +.TP +.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the both the source and destination ports are equal to each +other and to one of the given ports. diff --git a/extensions/libip6t_nth.man b/extensions/libip6t_nth.man new file mode 100644 index 00000000..d215fd55 --- /dev/null +++ b/extensions/libip6t_nth.man @@ -0,0 +1,14 @@ +This module matches every `n'th packet +.TP +.BI "--every " "value" +Match every `value' packet +.TP +.BI "[" "--counter " "num" "]" +Use internal counter number `num'. Default is `0'. +.TP +.BI "[" "--start " "num" "]" +Initialize the counter at the number `num' insetad of `0'. Most between `0' +and `value'-1. +.TP +.BI "[" "--packet " "num" "]" +Match on `num' packet. Most be between `0' and `value'-1. diff --git a/extensions/libip6t_owner.man b/extensions/libip6t_owner.man new file mode 100644 index 00000000..8a31ca40 --- /dev/null +++ b/extensions/libip6t_owner.man 
@@ -0,0 +1,21 @@ +This module attempts to match various characteristics of the packet +creator, for locally-generated packets. It is only valid in the +.B OUTPUT +chain, and even this some packets (such as ICMP ping responses) may +have no owner, and hence never match. This is regarded as experimental. +.TP +.BI "--uid-owner " "userid" +Matches if the packet was created by a process with the given +effective user id. +.TP +.BI "--gid-owner " "groupid" +Matches if the packet was created by a process with the given +effective group id. +.TP +.BI "--pid-owner " "processid" +Matches if the packet was created by a process with the given +process id. +.TP +.BI "--sid-owner " "sessionid" +Matches if the packet was created by a process in the given session +group. diff --git a/extensions/libip6t_random.man b/extensions/libip6t_random.man new file mode 100644 index 00000000..f808a779 --- /dev/null +++ b/extensions/libip6t_random.man @@ -0,0 +1,4 @@ +This module randomly matches a certain percentage of all packets. +.TP +.BI "--average " "percent" +Matches the given percentage. If omitted, a probability of 50% is set. diff --git a/extensions/libip6t_rt.man b/extensions/libip6t_rt.man new file mode 100644 index 00000000..4347ecd1 --- /dev/null +++ b/extensions/libip6t_rt.man @@ -0,0 +1,19 @@ +Match on IPv6 routing header +.TP +.BI "--rt-type " "[!]" "type" +Match the type (numeric). +.TP +.BI "--rt-segsleft" "[!]" "num[:num]" +Match the `segments left' field (range). +.TP +.BI "--rt-len" "[!]" "length" +Match the length of this header +.TP +.BI "--rt-0-res" +Match the reserved field, too (type=0) +.TP +.BI "--rt-0-addrs ADDR[,ADDR...] +Match type=0 addresses (list). +.TP +.BI "--rt-0-not-strict" +List of type=0 addresses is not a strict list. diff --git a/extensions/libip6t_tcp.man b/extensions/libip6t_tcp.man new file mode 100644 index 00000000..75d172e1 --- /dev/null +++ b/extensions/libip6t_tcp.man 
@@ -0,0 +1,45 @@ +These extensions are loaded if `--protocol tcp' is specified. It +provides the following options: +.TP +.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" +Source port or port range specification. This can either be a service +name or a port number. An inclusive range can also be specified, +using the format +.IR port : port . +If the first port is omitted, "0" is assumed; if the last is omitted, +"65535" is assumed. +If the second port greater then the first they will be swapped. +The flag +.B --sport +is a convenient alias for this option. +.TP +.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" +Destination port or port range specification. The flag +.B --dport +is a convenient alias for this option. +.TP +.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP" +Match when the TCP flags are as specified. The first argument is the +flags which we should examine, written as a comma-separated list, and +the second argument is a comma-separated list of flags which must be +set. Flags are: +.BR "SYN ACK FIN RST URG PSH ALL NONE" . +Hence the command +.nf + ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN +.fi +will only match packets with the SYN flag set, and the ACK, FIN and +RST flags unset. +.TP +.B "[!] --syn" +Only match TCP packets with the SYN bit set and the ACK and RST bits +cleared. Such packets are used to request TCP connection initiation; +for example, blocking such packets coming in an interface will prevent +incoming TCP connections, but outgoing TCP connections will be +unaffected. +It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP. +If the "!" flag precedes the "--syn", the sense of the +option is inverted. +.TP +.BR "--tcp-option " "[!] \fInumber\fP" +Match if TCP option set. diff --git a/extensions/libip6t_udp.man b/extensions/libip6t_udp.man new file mode 100644 index 00000000..04084797 --- /dev/null +++ b/extensions/libip6t_udp.man 
@@ -0,0 +1,14 @@ +These extensions are loaded if `--protocol udp' is specified. It +provides the following options: +.TP +.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" +Source port or port range specification. +See the description of the +.B --source-port +option of the TCP extension for details. +.TP +.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" +Destination port or port range specification. +See the description of the +.B --destination-port +option of the TCP extension for details. diff --git a/extensions/libipt_BALANCE.man b/extensions/libipt_BALANCE.man new file mode 100644 index 00000000..0eb09d07 --- /dev/null +++ b/extensions/libipt_BALANCE.man @@ -0,0 +1,4 @@ +This allows you to DNAT connections in a round-robin way over a given range of destination addresses. +.TP +.BI "--to-destination " "ipaddr-ipaddr" +Address range to round-robin over. diff --git a/extensions/libipt_CLASSIFY.man b/extensions/libipt_CLASSIFY.man new file mode 100644 index 00000000..393c329e --- /dev/null +++ b/extensions/libipt_CLASSIFY.man @@ -0,0 +1,4 @@ +This module allows you to set the skb->priority value (and thus classify the packet into a specific CBQ class). +.TP +.BI "--set-class " "MAJOR:MINOR" +Set the major and minor class value. diff --git a/extensions/libipt_CLUSTERIP.man b/extensions/libipt_CLUSTERIP.man new file mode 100644 index 00000000..8e766f37 --- /dev/null +++ b/extensions/libipt_CLUSTERIP.man 
@@ -0,0 +1,24 @@ +This module allows you to configure a simple cluster of nodes that share +a certain IP and MAC address without an explicit load balancer in front of +them. Connections are statically distributed between the nodes in this +cluster. +.TP +.BI "--new " +Create a new ClusterIP. You always have to set this on the first rule +for a given ClusterIP. +.TP +.BI "--hashmode " "mode" +Specify the hashing mode. Has to be one of +.B sourceip, sourceip-sourceport, sourceip-sourceport-destport +.TP +.BI "--clustermac " "mac" +Specify the ClusterIP MAC address. Has to be a link-layer multicast address +.TP +.BI "--total-nodes " "num" +Number of total nodes within this cluster. +.TP +.BI "--local-node " "num" +Local node number within this cluster. +.TP +.BI "--hash-init " "rnd" +Specify the random seed used for hash initialization. diff --git a/extensions/libipt_CONNMARK.man b/extensions/libipt_CONNMARK.man new file mode 100644 index 00000000..64a0222d --- /dev/null +++ b/extensions/libipt_CONNMARK.man @@ -0,0 +1,13 @@ +This target allows you to mark that connection with an arbitrary walue. This +value can later be matched via the +.B connmark +match. +.TP +.BI "--set-mark " "mark" +Set the conntrack mark, +.TP +.BI "--save-mark" +Save the packet nfmark on the connection mark. +.TP +.BI "--restore-mark" +Restore the saved nfmark value from the connection mark. diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man new file mode 100644 index 00000000..7579e14e --- /dev/null +++ b/extensions/libipt_DNAT.man 
@@ -0,0 +1,27 @@ +This target is only valid in the +.B nat +table, in the +.B PREROUTING +and +.B OUTPUT +chains, and user-defined chains which are only called from those +chains. It specifies that the destination address of the packet +should be modified (and all future packets in this connection will +also be mangled), and rules should cease being examined. It takes one +type of option: +.TP +.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" +which can specify a single new destination IP address, an inclusive +range of IP addresses, and optionally, a port range (which is only +valid if the rule also specifies +.B "-p tcp" +or +.BR "-p udp" ). +If no port range is specified, then the destination port will never be +modified. +.RS +.PP +You can add several --to-destination options. If you specify more +than one destination address, either via an address range or multiple +--to-destination options, a simple round-robin (one after another in +cycle) load balancing takes place between these adresses. diff --git a/extensions/libipt_DSCP.man b/extensions/libipt_DSCP.man new file mode 100644 index 00000000..e8e5cf5b --- /dev/null +++ b/extensions/libipt_DSCP.man @@ -0,0 +1,9 @@ +This target allows to alter the value of the DSCP bits within the TOS +header of the IPv4 packet. As this manipulates a packet, it can only +be used in the mangle table. +.TP +.BI "--set-dscp " "value" +Set the DSCP field to a numerical value (can be decimal or hex) +.TP +.BI "--set-dscp-class " "class" +Set the DSCP field to a DiffServ class. diff --git a/extensions/libipt_ECN.man b/extensions/libipt_ECN.man new file mode 100644 index 00000000..3668490b --- /dev/null +++ b/extensions/libipt_ECN.man @@ -0,0 +1,7 @@ +This target allows to selectively work around known ECN blackholes. +It can only be used in the mangle table. +.TP +.BI "--ecn-tcp-remove" +Remove all ECN bits from the TCP header. Of course, it can only be used +in conjunction with +.BR "-p tcp" . 
diff --git a/extensions/libipt_LOG.man b/extensions/libipt_LOG.man new file mode 100644 index 00000000..c604c76c --- /dev/null +++ b/extensions/libipt_LOG.man @@ -0,0 +1,28 @@ +Turn on kernel logging of matching packets. When this option is set +for a rule, the Linux kernel will print some information on all +matching packets (like most IP header fields) via the kernel log +(where it can be read with +.I dmesg +or +.IR syslogd (8)). +This is a "non-terminating target", i.e. rule traversal continues at +the next rule. So if you want to LOG the packets you refuse, use two +separate rules with the same matching criteria, first using target LOG +then DROP (or REJECT). +.TP +.BI "--log-level " "level" +Level of logging (numeric or see \fIsyslog.conf\fP(5)). +.TP +.BI "--log-prefix " "prefix" +Prefix log messages with the specified prefix; up to 29 letters long, +and useful for distinguishing messages in the logs. +.TP +.B --log-tcp-sequence +Log TCP sequence numbers. This is a security risk if the log is +readable by users. +.TP +.B --log-tcp-options +Log options from the TCP packet header. +.TP +.B --log-ip-options +Log options from the IP packet header. diff --git a/extensions/libipt_MARK.man b/extensions/libipt_MARK.man new file mode 100644 index 00000000..1c47e97a --- /dev/null +++ b/extensions/libipt_MARK.man @@ -0,0 +1,6 @@ +This is used to set the netfilter mark value associated with the +packet. It is only valid in the +.B mangle +table. It can for example be used in conjunction with iproute2. +.TP +.BI "--set-mark " "mark" diff --git a/extensions/libipt_MASQUERADE.man b/extensions/libipt_MASQUERADE.man new file mode 100644 index 00000000..e82063cc --- /dev/null +++ b/extensions/libipt_MASQUERADE.man 
@@ -0,0 +1,22 @@ +This target is only valid in the +.B nat +table, in the +.B POSTROUTING +chain. It should only be used with dynamically assigned IP (dialup) +connections: if you have a static IP address, you should use the SNAT +target. Masquerading is equivalent to specifying a mapping to the IP +address of the interface the packet is going out, but also has the +effect that connections are +.I forgotten +when the interface goes down. This is the correct behavior when the +next dialup is unlikely to have the same interface address (and hence +any established connections are lost anyway). It takes one option: +.TP +.BR "--to-ports " "\fIport\fP[-\fIport\fP]" +This specifies a range of source ports to use, overriding the default +.B SNAT +source port-selection heuristics (see above). This is only valid +if the rule also specifies +.B "-p tcp" +or +.BR "-p udp" . diff --git a/extensions/libipt_MIRROR.man b/extensions/libipt_MIRROR.man new file mode 100644 index 00000000..7b720bcb --- /dev/null +++ b/extensions/libipt_MIRROR.man @@ -0,0 +1,12 @@ +This is an experimental demonstration target which inverts the source +and destination fields in the IP header and retransmits the packet. +It is only valid in the +.BR INPUT , +.B FORWARD +and +.B PREROUTING +chains, and user-defined chains which are only called from those +chains. Note that the outgoing packets are +.B NOT +seen by any packet filtering chains, connection tracking or NAT, to +avoid loops and other problems. diff --git a/extensions/libipt_NETMAP.man b/extensions/libipt_NETMAP.man new file mode 100644 index 00000000..d49a025d --- /dev/null +++ b/extensions/libipt_NETMAP.man 
@@ -0,0 +1,9 @@ +This target allows you to statically map a whole network of addresses onto +another network of addresses. It can only be used from rules in the +.B nat +table. +.TP +.BI "--to " "address[/mask]" +Network address to map to. The resulting address will be constructed in the +following way: All 'one' bits in the mask are filled in from the new `address'. +All bits that are zero in the mask are filled in from the original address. diff --git a/extensions/libipt_NOTRACK.man b/extensions/libipt_NOTRACK.man new file mode 100644 index 00000000..30e830ad --- /dev/null +++ b/extensions/libipt_NOTRACK.man @@ -0,0 +1,5 @@ +This target disables connection tracking for all packets matching that rule. +.TP +It can only be used in the +.B raw +table. diff --git a/extensions/libipt_REDIRECT.man b/extensions/libipt_REDIRECT.man new file mode 100644 index 00000000..19fa917c --- /dev/null +++ b/extensions/libipt_REDIRECT.man @@ -0,0 +1,18 @@ +This target is only valid in the +.B nat +table, in the +.B PREROUTING +and +.B OUTPUT +chains, and user-defined chains which are only called from those +chains. It alters the destination IP address to send the packet to +the machine itself (locally-generated packets are mapped to the +127.0.0.1 address). It takes one option: +.TP +.BR "--to-ports " "\fIport\fP[-\fIport\fP]" +This specifies a destination port or range of ports to use: without +this, the destination port is never altered. This is only valid +if the rule also specifies +.B "-p tcp" +or +.BR "-p udp" . diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man new file mode 100644 index 00000000..174bf7b3 --- /dev/null +++ b/extensions/libipt_REJECT.man 
@@ -0,0 +1,34 @@ +This is used to send back an error packet in response to the matched +packet: otherwise it is equivalent to +.B DROP +so it is a terminating TARGET, ending rule traversal. +This target is only valid in the +.BR INPUT , +.B FORWARD +and +.B OUTPUT +chains, and user-defined chains which are only called from those +chains. The following option controls the nature of the error packet +returned: +.TP +.BI "--reject-with " "type" +The type given can be +.nf +.B " icmp-net-unreachable" +.B " icmp-host-unreachable" +.B " icmp-port-unreachable" +.B " icmp-proto-unreachable" +.B " icmp-net-prohibited" +.B " icmp-host-prohibited or" +.B " icmp-admin-prohibited (*)" +.fi +which return the appropriate ICMP error message (\fBport-unreachable\fP is +the default). The option +.B tcp-reset +can be used on rules which only match the TCP protocol: this causes a +TCP RST packet to be sent back. This is mainly useful for blocking +.I ident +(113/tcp) probes which frequently occur when sending mail to broken mail +hosts (which won't accept your mail otherwise). +.TP +(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT diff --git a/extensions/libipt_ROUTE.man b/extensions/libipt_ROUTE.man new file mode 100644 index 00000000..dae1cb5f --- /dev/null +++ b/extensions/libipt_ROUTE.man @@ -0,0 +1,15 @@ +This is used to explicitly override the core network stack's routing decision. +.B mangle +table. +.TP +.BI "--oif " "ifname" +Route the packet through `ifname' network interface +.TP +.BI "--iif " "ifname" +Change the packet's incoming interface to `ifname' +.TP +.BI "--gw " "IP_address" +Route the packet via this gateway +.TP +.BI "--continue " +Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif' diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man new file mode 100644 index 00000000..4cc03970 --- /dev/null +++ b/extensions/libipt_SNAT.man 
@@ -0,0 +1,26 @@ +This target is only valid in the +.B nat +table, in the +.B POSTROUTING +chain. It specifies that the source address of the packet should be +modified (and all future packets in this connection will also be +mangled), and rules should cease being examined. It takes one type +of option: +.TP +.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" +which can specify a single new source IP address, an inclusive range +of IP addresses, and optionally, a port range (which is only valid if +the rule also specifies +.B "-p tcp" +or +.BR "-p udp" ). +If no port range is specified, then source ports below 512 will be +mapped to other ports below 512: those between 512 and 1023 inclusive +will be mapped to ports below 1024, and other ports will be mapped to +1024 or above. Where possible, no port alteration will occur. +.RS +.PP +You can add several --to-source options. If you specify more +than one source address, either via an address range or multiple +--to-source options, a simple round-robin (one after another in +cycle) takes place between these adresses. diff --git a/extensions/libipt_TCPMSS.man b/extensions/libipt_TCPMSS.man new file mode 100644 index 00000000..da1bce2d --- /dev/null +++ b/extensions/libipt_TCPMSS.man 
@@ -0,0 +1,38 @@ +This target allows to alter the MSS value of TCP SYN packets, to control +the maximum size for that connection (usually limiting it to your +outgoing interface's MTU minus 40). Of course, it can only be used +in conjunction with +.BR "-p tcp" . +.br +This target is used to overcome criminally braindead ISPs or servers +which block ICMP Fragmentation Needed packets. The symptoms of this +problem are that everything works fine from your Linux +firewall/router, but machines behind it can never exchange large +packets: +.PD 0 +.RS 0.1i +.TP 0.3i +1) +Web browsers connect, then hang with no data received. +.TP +2) +Small mail works fine, but large emails hang. +.TP +3) +ssh works fine, but scp hangs after initial handshaking. +.RE +.PD +Workaround: activate this option and add a rule to your firewall +configuration like: +.nf + iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\ + -j TCPMSS --clamp-mss-to-pmtu +.fi +.TP +.BI "--set-mss " "value" +Explicitly set MSS option to specified value. +.TP +.B "--clamp-mss-to-pmtu" +Automatically clamp MSS value to (path_MTU - 40). +.TP +These options are mutually exclusive. diff --git a/extensions/libipt_TOS.man b/extensions/libipt_TOS.man new file mode 100644 index 00000000..c31b068d --- /dev/null +++ b/extensions/libipt_TOS.man @@ -0,0 +1,11 @@ +This is used to set the 8-bit Type of Service field in the IP header. +It is only valid in the +.B mangle +table. +.TP +.BI "--set-tos " "tos" +You can use a numeric TOS values, or use +.nf + iptables -j TOS -h +.fi +to see the list of valid TOS names. diff --git a/extensions/libipt_TRACE.man b/extensions/libipt_TRACE.man new file mode 100644 index 00000000..549ab33b --- /dev/null +++ b/extensions/libipt_TRACE.man @@ -0,0 +1,3 @@ +This target has no options. It just turns on +.B packet tracing +for all packets that match this rule. diff --git a/extensions/libipt_TTL.man b/extensions/libipt_TTL.man new file mode 100644 index 00000000..97c46c43 --- /dev/null 
+++ b/extensions/libipt_TTL.man @@ -0,0 +1,19 @@ +This is used to modify the IPv4 TTL header field. The TTL field determines +how many hops (routers) a packet can traverse until it's time to live is +exceeded. +.TP +Setting or incrementing the TTL field can potentially be very dangerous, +so it should be avoided at any cost. +.TP +.B Don't ever set or increment the value on packets that leave your local network! +.B mangle +table. +.TP +.BI "--ttl-set " "value" +Set the TTL value to `value'. +.TP +.BI "--ttl-dec " "value" +Decrement the TTL value `value' times. +.TP +.BI "--ttl-inc " "value" +Increment the TTL value `value' times. diff --git a/extensions/libipt_ULOG.man b/extensions/libipt_ULOG.man new file mode 100644 index 00000000..51aa619f --- /dev/null +++ b/extensions/libipt_ULOG.man @@ -0,0 +1,27 @@ +This target provides userspace logging of matching packets. When this +target is set for a rule, the Linux kernel will multicast this packet +through a +.IR netlink +socket. One or more userspace processes may then subscribe to various +multicast groups and receive the packets. +Like LOG, this is a "non-terminating target", i.e. rule traversal +continues at the next rule. +.TP +.BI "--ulog-nlgroup " "nlgroup" +This specifies the netlink group (1-32) to which the packet is sent. +Default value is 1. +.TP +.BI "--ulog-prefix " "prefix" +Prefix log messages with the specified prefix; up to 32 characters +long, and useful for distinguishing messages in the logs. +.TP +.BI "--ulog-cprange " "size" +Number of bytes to be copied to userspace. A value of 0 always copies +the entire packet, regardless of its size. Default is 0. +.TP +.BI "--ulog-qthreshold " "size" +Number of packet to queue inside kernel. Setting this value to, e.g. 10 +accumulates ten packets inside the kernel and transmits them as one +netlink multipart message to userspace. Default is 1 (for backwards +compatibility). +.br 
diff --git a/extensions/libipt_addrtype.man b/extensions/libipt_addrtype.man new file mode 100644 index 00000000..2c3bbab0 --- /dev/null +++ b/extensions/libipt_addrtype.man @@ -0,0 +1,37 @@ +This module matches packets based on their +.B address type. +Address types are used within the kernel networking stack and categorize +addresses into various groups. The exact definition of that group depends on the specific layer three protocol. +.TP +The following address types are possible: +.TP +.BI "UNSPEC" +an unspecified address (i.e. 0.0.0.0) +.BI "UNICAST" +an unicast address +.BI "LOCAL" +a local address +.BI "BROADCAST" +a broadcast address +.BI "ANYCAST" +an anycast packet +.BI "MULTICAST" +a multicast address +.BI "BLACKHOLE" +a blackhole address +.BI "UNREACHABLE" +an unreachable address +.BI "PROHIBIT" +a prohibited address +.BI "THROW" +FIXME +.BI "NAT" +FIXME +.BI "XRESOLVE" +FIXME +.TP +.BI "--src-type " "type" +Matches if the source address is of given type +.TP +.BI "--dst-type " "type" +Matches if the destination address is of given type diff --git a/extensions/libipt_ah.man b/extensions/libipt_ah.man new file mode 100644 index 00000000..97de1e19 --- /dev/null +++ b/extensions/libipt_ah.man @@ -0,0 +1,3 @@ +This module matches the SPIs in AH header of IPSec packets. +.TP +.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]" diff --git a/extensions/libipt_condition.man b/extensions/libipt_condition.man new file mode 100644 index 00000000..0fc51ffe --- /dev/null +++ b/extensions/libipt_condition.man @@ -0,0 +1,4 @@ +This matches if a specific /proc filename is '0' or '1'. +.TP +.BI "--condition " "[!] filename" +Match on boolean value stored in /proc/net/ipt_condition/filename file diff --git a/extensions/libipt_conntrack.man b/extensions/libipt_conntrack.man new file mode 100644 index 00000000..b732b28e --- /dev/null +++ b/extensions/libipt_conntrack.man 
@@ -0,0 +1,49 @@ +This module, when combined with connection tracking, allows access to +more connection tracking information than the "state" match. +(this module is present only if iptables was compiled under a kernel +supporting this feature) +.TP +.BI "--ctstate " "state" +Where state is a comma separated list of the connection states to +match. Possible states are +.B INVALID +meaning that the packet is associated with no known connection, +.B ESTABLISHED +meaning that the packet is associated with a connection which has seen +packets in both directions, +.B NEW +meaning that the packet has started a new connection, or otherwise +associated with a connection which has not seen packets in both +directions, and +.B RELATED +meaning that the packet is starting a new connection, but is +associated with an existing connection, such as an FTP data transfer, +or an ICMP error. +.B SNAT +A virtual state, matching if the original source address differs from +the reply destination. +.B DNAT +A virtual state, matching if the original destination differs from the +reply source. +.TP +.BI "--ctproto " "proto" +Protocol to match (by number or name) +.TP +.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]" +Match against original source address +.TP +.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]" +Match against original destination address +.TP +.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]" +Match against reply source address +.TP +.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]" +Match against reply destination address +.TP +.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]" +Match against internal conntrack states +.TP +.BI "--ctexpire " "\fItime\fP[\fI:time\fP]" +Match remaining lifetime in seconds against given value +or range of values (inclusive) diff --git a/extensions/libipt_dscp.man b/extensions/libipt_dscp.man new file mode 100644 index 00000000..4a842101 --- /dev/null +++ b/extensions/libipt_dscp.man 
@@ -0,0 +1,10 @@ +This module matches the 6 bit DSCP field within the TOS field in the +IP header. DSCP has superseded TOS within the IETF. +.TP +.BI "--dscp " "value" +Match against a numeric (decimal or hex) value [0-32]. +.TP +.BI "--dscp-class " "\fIDiffServ Class\fP" +Match the DiffServ class. This value may be any of the +BE, EF, AFxx or CSx classes. It will then be converted +into it's according numeric value. diff --git a/extensions/libipt_dstlimit.man b/extensions/libipt_dstlimit.man new file mode 100644 index 00000000..e4a4a5ab --- /dev/null +++ b/extensions/libipt_dstlimit.man @@ -0,0 +1,35 @@ +This module allows you to limit the packet per second (pps) rate on a per +destination IP or per destination port base. As opposed to the `limit' match, +every destination ip / destination port has it's own limit. +.TP +.BI "--dstlimit " "avg" +Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes). +.TP +.BI "--dstlimit-mode " "mode" +The limiting hashmode. Is the specified limit per +.B dstip, dstip-dstport +tuple, +.B srcip-dstip +tuple, or per +.B srcipdstip-dstport +tuple. +.TP +.BI "--dstlimit-name " "name" +Name for /proc/net/ipt_dstlimit/* file entry +.TP +.BI "[" "--dstlimit-burst " "burst" "]" +Number of packets to match in a burst. Default: 5 +.TP +.BI "[" "--dstlimit-htable-size " "size" "]" +Number of buckets in the hashtable +.TP +.BI "[" "--dstlimit-htable-max " "max" "]" +Maximum number of entries in the hashtable +.TP +.BI "[" "--dstlimit-htable-gcinterval " "interval" "]" +Interval between garbage collection runs of the hashtable (in miliseconds). +Default is 1000 (1 second). +.TP +.BI "[" "--dstlimit-htable-expire " "time" +After which time are idle entries expired from hashtable (in miliseconds)? +Default is 10000 (10 seconds). diff --git a/extensions/libipt_ecn.man b/extensions/libipt_ecn.man new file mode 100644 index 00000000..8ecfef59 --- /dev/null +++ b/extensions/libipt_ecn.man 
@@ -0,0 +1,11 @@ +This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168 +.TP +.BI "--ecn-tcp-cwr" +This matches if the TCP ECN CWR (Congestion Window Received) bit is set. +.TP +.BI "--ecn-tcp-ece" +This matches if the TCP ECN ECE (ECN Echo) bit is set. +.TP +.BI "--ecn-ip-ect " "num" +This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify +a number between `0' and `3'. diff --git a/extensions/libipt_esp.man b/extensions/libipt_esp.man new file mode 100644 index 00000000..7b84368d --- /dev/null +++ b/extensions/libipt_esp.man @@ -0,0 +1,3 @@ +This module matches the SPIs in ESP header of IPSec packets. +.TP +.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]" diff --git a/extensions/libipt_fuzzy.man b/extensions/libipt_fuzzy.man new file mode 100644 index 00000000..270c8d62 --- /dev/null +++ b/extensions/libipt_fuzzy.man @@ -0,0 +1,7 @@ +This module matches a rate limit based on a fuzzy logic controller [FLC] +.TP +.BI "--lower-limit "number" +Specifies the lower limit (in packets per second). +.TP +.BI "--upper-limit " "number" +Specifies the upper limit (in packets per second). diff --git a/extensions/libipt_helper.man b/extensions/libipt_helper.man new file mode 100644 index 00000000..c3221ad8 --- /dev/null +++ b/extensions/libipt_helper.man @@ -0,0 +1,11 @@ +This module matches packets related to a specific conntrack-helper. +.TP +.BI "--helper " "string" +Matches packets related to the specified conntrack-helper. +.RS +.PP +string can be "ftp" for packets related to a ftp-session on default port. +For other ports append -portnr to the value, ie. "ftp-2121". +.PP +Same rules apply for other conntrack-helpers. +.RE diff --git a/extensions/libipt_icmp.man b/extensions/libipt_icmp.man new file mode 100644 index 00000000..5b91514d --- /dev/null +++ b/extensions/libipt_icmp.man 
@@ -0,0 +1,9 @@ +This extension is loaded if `--protocol icmp' is specified. It +provides the following option: +.TP +.BR "--icmp-type " "[!] \fItypename\fP" +This allows specification of the ICMP type, which can be a numeric +ICMP type, or one of the ICMP type names shown by the command +.nf + iptables -p icmp -h +.fi diff --git a/extensions/libipt_iprange.man b/extensions/libipt_iprange.man new file mode 100644 index 00000000..57e1cff1 --- /dev/null +++ b/extensions/libipt_iprange.man @@ -0,0 +1,7 @@ +This matches on a given arbitrary range of IPv4 addresses +.TP +.BI "[!]" "--src-range " "ip-ip" +Match source IP in the specified range. +.TP +.BI "[!]" "--dst-range " "ip-ip" +Match destination IP in the specified range. diff --git a/extensions/libipt_length.man b/extensions/libipt_length.man new file mode 100644 index 00000000..72a6b5dc --- /dev/null +++ b/extensions/libipt_length.man @@ -0,0 +1,4 @@ +This module matches the length of a packet against a specific value +or range of values. +.TP +.BR "--length " "\fIlength\fP[:\fIlength\fP]" diff --git a/extensions/libipt_limit.man b/extensions/libipt_limit.man new file mode 100644 index 00000000..84b63d4e --- /dev/null +++ b/extensions/libipt_limit.man @@ -0,0 +1,15 @@ +This module matches at a limited rate using a token bucket filter. +A rule using this extension will match until this limit is reached +(unless the `!' flag is used). It can be used in combination with the +.B LOG +target to give limited logging, for example. +.TP +.BI "--limit " "rate" +Maximum average matching rate: specified as a number, with an optional +`/second', `/minute', `/hour', or `/day' suffix; the default is +3/hour. +.TP +.BI "--limit-burst " "number" +Maximum initial number of packets to match: this number gets +recharged by one every time the limit specified above is not reached, +up to this number; the default is 5. diff --git a/extensions/libipt_mac.man b/extensions/libipt_mac.man new file mode 100644 index 00000000..5321ca1c 
--- /dev/null +++ b/extensions/libipt_mac.man @@ -0,0 +1,10 @@ +.TP +.BR "--mac-source " "[!] \fIaddress\fP" +Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. +Note that this only makes sense for packets coming from an Ethernet device +and entering the +.BR PREROUTING , +.B FORWARD +or +.B INPUT +chains. diff --git a/extensions/libipt_mark.man b/extensions/libipt_mark.man new file mode 100644 index 00000000..05f8e1ec --- /dev/null +++ b/extensions/libipt_mark.man @@ -0,0 +1,9 @@ +This module matches the netfilter mark field associated with a packet +(which can be set using the +.B MARK +target below). +.TP +.BR "--mark " "\fIvalue\fP[/\fImask\fP]" +Matches packets with the given unsigned mark value (if a mask is +specified, this is logically ANDed with the mask before the +comparison). diff --git a/extensions/libipt_mport.man b/extensions/libipt_mport.man new file mode 100644 index 00000000..cead84e7 --- /dev/null +++ b/extensions/libipt_mport.man @@ -0,0 +1,19 @@ +This module matches a set of source or destination ports. Up to 15 +ports can be specified. It can only be used in conjunction with +.B "-p tcp" +or +.BR "-p udp" . +.TP +.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the source port is one of the given ports. The flag +.B --sports +is a convenient alias for this option. +.TP +.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the destination port is one of the given ports. The flag +.B --dports +is a convenient alias for this option. +.TP +.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the both the source and destination ports are equal to each +other and to one of the given ports. diff --git a/extensions/libipt_multiport.man b/extensions/libipt_multiport.man new file mode 100644 index 00000000..cead84e7 --- /dev/null +++ b/extensions/libipt_multiport.man 
@@ -0,0 +1,19 @@ +This module matches a set of source or destination ports. Up to 15 +ports can be specified. It can only be used in conjunction with +.B "-p tcp" +or +.BR "-p udp" . +.TP +.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the source port is one of the given ports. The flag +.B --sports +is a convenient alias for this option. +.TP +.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the destination port is one of the given ports. The flag +.B --dports +is a convenient alias for this option. +.TP +.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the both the source and destination ports are equal to each +other and to one of the given ports. diff --git a/extensions/libipt_nth.man b/extensions/libipt_nth.man new file mode 100644 index 00000000..d215fd55 --- /dev/null +++ b/extensions/libipt_nth.man @@ -0,0 +1,14 @@ +This module matches every `n'th packet +.TP +.BI "--every " "value" +Match every `value' packet +.TP +.BI "[" "--counter " "num" "]" +Use internal counter number `num'. Default is `0'. +.TP +.BI "[" "--start " "num" "]" +Initialize the counter at the number `num' insetad of `0'. Most between `0' +and `value'-1. +.TP +.BI "[" "--packet " "num" "]" +Match on `num' packet. Most be between `0' and `value'-1. diff --git a/extensions/libipt_owner.man b/extensions/libipt_owner.man new file mode 100644 index 00000000..1394aca6 --- /dev/null +++ b/extensions/libipt_owner.man 
@@ -0,0 +1,26 @@ +This module attempts to match various characteristics of the packet +creator, for locally-generated packets. It is only valid in the +.B OUTPUT +chain, and even this some packets (such as ICMP ping responses) may +have no owner, and hence never match. +.TP +.BI "--uid-owner " "userid" +Matches if the packet was created by a process with the given +effective user id. +.TP +.BI "--gid-owner " "groupid" +Matches if the packet was created by a process with the given +effective group id. +.TP +.BI "--pid-owner " "processid" +Matches if the packet was created by a process with the given +process id. +.TP +.BI "--sid-owner " "sessionid" +Matches if the packet was created by a process in the given session +group. +.TP +.BI "--cmd-owner " "name" +Matches if the packet was created by a process with the given command name. +(this option is present only if iptables was compiled under a kernel +supporting this feature) diff --git a/extensions/libipt_physdev.man b/extensions/libipt_physdev.man new file mode 100644 index 00000000..846ec7c1 --- /dev/null +++ b/extensions/libipt_physdev.man 
@@ -0,0 +1,42 @@ +This module matches on the bridge port input and output devices enslaved +to a bridge device. This module is a part of the infrastructure that enables +a transparent bridging IP firewall and is only useful for kernel versions +above version 2.5.44. +.TP +.B --physdev-in name +Name of a bridge port via which a packet is received (only for +packets entering the +.BR INPUT , +.B FORWARD +and +.B PREROUTING +chains). If the interface name ends in a "+", then any +interface which begins with this name will match. If the packet didn't arrive +through a bridge device, this packet won't match this option, unless '!' is used. +.TP +.B --physdev-out name +Name of a bridge port via which a packet is going to be sent (for packets +entering the +.BR FORWARD , +.B OUTPUT +and +.B POSTROUTING +chains). If the interface name ends in a "+", then any +interface which begins with this name will match. Note that in the +.BR nat " and " mangle +.B OUTPUT +chains one cannot match on the bridge output port, however one can in the +.B "filter OUTPUT" +chain. If the packet won't leave by a bridge device or it is yet unknown what +the output device will be, then the packet won't match this option, unless +'!' is used. +.TP +.B --physdev-is-in +Matches if the packet has entered through a bridge interface. +.TP +.B --physdev-is-out +Matches if the packet will leave through a bridge interface. +.TP +.B --physdev-is-bridged +Matches if the packet is being bridged and therefore is not being routed. +This is only useful in the FORWARD and POSTROUTING chains. diff --git a/extensions/libipt_pkttype.man b/extensions/libipt_pkttype.man new file mode 100644 index 00000000..b52810b7 --- /dev/null +++ b/extensions/libipt_pkttype.man @@ -0,0 +1,3 @@ +This module matches the link-layer packet type. +.TP +.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]" diff --git a/extensions/libipt_random.man b/extensions/libipt_random.man new file mode 100644 index 00000000..f808a779 
--- /dev/null +++ b/extensions/libipt_random.man @@ -0,0 +1,4 @@ +This module randomly matches a certain percentage of all packets. +.TP +.BI "--average " "percent" +Matches the given percentage. If omitted, a probability of 50% is set. diff --git a/extensions/libipt_realm.man b/extensions/libipt_realm.man new file mode 100644 index 00000000..55e67fcf --- /dev/null +++ b/extensions/libipt_realm.man @@ -0,0 +1,5 @@ +This matches the routing realm. Routing realms are used in complex routing +setups involving dynamic routing protocols like BGP. +.TP +.BI "--realm " "[!]" "value[/mask]" +Matches a given realm number (and optionally mask). diff --git a/extensions/libipt_state.man b/extensions/libipt_state.man new file mode 100644 index 00000000..71078680 --- /dev/null +++ b/extensions/libipt_state.man @@ -0,0 +1,21 @@ +This module, when combined with connection tracking, allows access to +the connection tracking state for this packet. +.TP +.BI "--state " "state" +Where state is a comma separated list of the connection states to +match. Possible states are +.B INVALID +meaning that the packet could not be identified for some reason which +includes running out of memory and ICMP errors which don't correspond to any +known connection, +.B ESTABLISHED +meaning that the packet is associated with a connection which has seen +packets in both directions, +.B NEW +meaning that the packet has started a new connection, or otherwise +associated with a connection which has not seen packets in both +directions, and +.B RELATED +meaning that the packet is starting a new connection, but is +associated with an existing connection, such as an FTP data transfer, +or an ICMP error. diff --git a/extensions/libipt_tcp.man b/extensions/libipt_tcp.man new file mode 100644 index 00000000..48a068fa --- /dev/null +++ b/extensions/libipt_tcp.man 
@@ -0,0 +1,49 @@ +These extensions are loaded if `--protocol tcp' is specified. It +provides the following options: +.TP +.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" +Source port or port range specification. This can either be a service +name or a port number. An inclusive range can also be specified, +using the format +.IR port : port . +If the first port is omitted, "0" is assumed; if the last is omitted, +"65535" is assumed. +If the second port greater then the first they will be swapped. +The flag +.B --sport +is a convenient alias for this option. +.TP +.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" +Destination port or port range specification. The flag +.B --dport +is a convenient alias for this option. +.TP +.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP" +Match when the TCP flags are as specified. The first argument is the +flags which we should examine, written as a comma-separated list, and +the second argument is a comma-separated list of flags which must be +set. Flags are: +.BR "SYN ACK FIN RST URG PSH ALL NONE" . +Hence the command +.nf + iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN +.fi +will only match packets with the SYN flag set, and the ACK, FIN and +RST flags unset. +.TP +.B "[!] --syn" +Only match TCP packets with the SYN bit set and the ACK and RST bits +cleared. Such packets are used to request TCP connection initiation; +for example, blocking such packets coming in an interface will prevent +incoming TCP connections, but outgoing TCP connections will be +unaffected. +It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP. +If the "!" flag precedes the "--syn", the sense of the +option is inverted. +.TP +.BR "--tcp-option " "[!] \fInumber\fP" +Match if TCP option set. +.TP +.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]" +Match TCP SYN or SYN/ACK packets with the specified MSS value (or range), +which control the maximum packet size for that connection. 
diff --git a/extensions/libipt_tcpmss.man b/extensions/libipt_tcpmss.man new file mode 100644 index 00000000..5115d6b9 --- /dev/null +++ b/extensions/libipt_tcpmss.man @@ -0,0 +1,4 @@ +This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. +.TP +.BI "[!] "--mss " "value[:value]" +Match a given TCP MSS value or range. diff --git a/extensions/libipt_time.man b/extensions/libipt_time.man new file mode 100644 index 00000000..0871ecfa --- /dev/null +++ b/extensions/libipt_time.man @@ -0,0 +1,10 @@ +This matches if the current time is within a given range. +.TP +.BI "--timestart " "value" +Match only if it is after `value' (Format: HH:MM). +.TP +.BI "--timestop " "value" +Match only if it is before `value' (Format: HH:MM). +.TP +.BI "--days " "listofdays" +Match only if today is one of the given days. (Format: Mon,Tue,Wed,Thu,Fri) diff --git a/extensions/libipt_tos.man b/extensions/libipt_tos.man new file mode 100644 index 00000000..c612b299 --- /dev/null +++ b/extensions/libipt_tos.man @@ -0,0 +1,9 @@ +This module matches the 8 bits of Type of Service field in the IP +header (ie. including the precedence bits). +.TP +.BI "--tos " "tos" +The argument is either a standard name, (use +.br + iptables -m tos -h +.br +to see the list), or a numeric value to match. diff --git a/extensions/libipt_ttl.man b/extensions/libipt_ttl.man new file mode 100644 index 00000000..f043c79a --- /dev/null +++ b/extensions/libipt_ttl.man @@ -0,0 +1,10 @@ +This module matches the time to live field in the IP header. +.TP +.BI "--ttl-eq " "ttl" +Matches the given TTL value. +.TP +.BI "--ttl-gt " "ttl" +Matches if TTL is greater than the given TTL value. +.TP +.BI "--ttl-lt " "ttl" +Matches if TTL is less than the given TTL value. diff --git a/extensions/libipt_udp.man b/extensions/libipt_udp.man new file mode 100644 index 00000000..04084797 
--- /dev/null +++ b/extensions/libipt_udp.man @@ -0,0 +1,14 @@ +These extensions are loaded if `--protocol udp' is specified. It +provides the following options: +.TP +.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" +Source port or port range specification. +See the description of the +.B --source-port +option of the TCP extension for details. +.TP +.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" +Destination port or port range specification. +See the description of the +.B --destination-port +option of the TCP extension for details. diff --git a/extensions/libipt_unclean.man b/extensions/libipt_unclean.man new file mode 100644 index 00000000..3fecd554 --- /dev/null +++ b/extensions/libipt_unclean.man @@ -0,0 +1,2 @@ +This module takes no options, but attempts to match packets which seem +malformed or unusual. This is regarded as experimental. diff --git a/ip6tables.8 b/ip6tables.8 deleted file mode 100644 index 53a310cd..00000000 --- a/ip6tables.8 +++ /dev/null 
@@ -1,821 +0,0 @@ -.TH IP6TABLES 8 "Mar 09, 2002" "" "" -.\" -.\" Man page written by Andras Kis-Szabo -.\" It is based on iptables man page. -.\" -.\" iptables page by Herve Eychenne -.\" It is based on ipchains man page. -.\" -.\" ipchains page by Paul ``Rusty'' Russell March 1997 -.\" Based on the original ipfwadm man page by Jos Vos -.\" -.\" This program is free software; you can redistribute it and/or modify -.\" it under the terms of the GNU General Public License as published by -.\" the Free Software Foundation; either version 2 of the License, or -.\" (at your option) any later version. -.\" -.\" This program is distributed in the hope that it will be useful, -.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -.\" GNU General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public License -.\" along with this program; if not, write to the Free Software -.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -.\" -.\" -.SH NAME -ip6tables \- IPv6 packet filter administration -.SH SYNOPSIS -.BR "ip6tables [-t table] -[AD] " "chain rule-specification [options]" -.br -.BR "ip6tables [-t table] -I " "chain [rulenum] rule-specification [options]" -.br -.BR "ip6tables [-t table] -R " "chain rulenum rule-specification [options]" -.br -.BR "ip6tables [-t table] -D " "chain rulenum [options]" -.br -.BR "ip6tables [-t table] -[LFZ] " "[chain] [options]" -.br -.BR "ip6tables [-t table] -N " "chain" -.br -.BR "ip6tables [-t table] -X " "[chain]" -.br -.BR "ip6tables [-t table] -P " "chain target [options]" -.br -.BR "ip6tables [-t table] -E " "old-chain-name new-chain-name" -.SH DESCRIPTION -.B Ip6tables -is used to set up, maintain, and inspect the tables of IPv6 packet -filter rules in the Linux kernel. Several different tables -may be defined. Each table contains a number of built-in -chains and may also contain user-defined chains. 
- -Each chain is a list of rules which can match a set of packets. Each -rule specifies what to do with a packet that matches. This is called -a `target', which may be a jump to a user-defined chain in the same -table. - -.SH TARGETS -A firewall rule specifies criteria for a packet, and a target. If the -packet does not match, the next rule in the chain is the examined; if -it does match, then the next rule is specified by the value of the -target, which can be the name of a user-defined chain or one of the -special values -.IR ACCEPT , -.IR DROP , -.IR QUEUE , -or -.IR RETURN . -.PP -.I ACCEPT -means to let the packet through. -.I DROP -means to drop the packet on the floor. -.I QUEUE -means to pass the packet to userspace (if supported by the kernel). -.I RETURN -means stop traversing this chain and resume at the next rule in the -previous (calling) chain. If the end of a built-in chain is reached -or a rule in a built-in chain with target -.I RETURN -is matched, the target specified by the chain policy determines the -fate of the packet. -.SH TABLES -There are currently two independent tables (which tables are present -at any time depends on the kernel configuration options and which -modules are present), as nat table has not been implemented yet. -.TP -.BI "-t, --table " "table" -This option specifies the packet matching table which the command -should operate on. If the kernel is configured with automatic module -loading, an attempt will be made to load the appropriate module for -that table if it is not already there. - -The tables are as follows: -.RS -.TP .4i -.BR "filter" : -This is the default table (if no -t option is passed). It contains -the built-in chains -.B INPUT -(for packets coming into the box itself), -.B FORWARD -(for packets being routed through the box), and -.B OUTPUT -(for locally-generated packets). -.TP -.BR "mangle" : -This table is used for specialized packet alteration. 
Until kernel -2.4.17 it had two built-in chains: -.B PREROUTING -(for altering incoming packets before routing) and -.B OUTPUT -(for altering locally-generated packets before routing). -Since kernel 2.4.18, three other built-in chains are also supported: -.B INPUT -(for packets coming into the box itself), -.B FORWARD -(for altering packets being routed through the box), and -.B POSTROUTING -(for altering packets as they are about to go out). -.RE -.SH OPTIONS -The options that are recognized by -.B ip6tables -can be divided into several different groups. -.SS COMMANDS -These options specify the specific action to perform. Only one of them -can be specified on the command line unless otherwise specified -below. For all the long versions of the command and option names, you -need to use only enough letters to ensure that -.B ip6tables -can differentiate it from all other options. -.TP -.BI "-A, --append " "chain rule-specification" -Append one or more rules to the end of the selected chain. -When the source and/or destination names resolve to more than one -address, a rule will be added for each possible address combination. -.TP -.BI "-D, --delete " "chain rule-specification" -.ns -.TP -.BI "-D, --delete " "chain rulenum" -Delete one or more rules from the selected chain. There are two -versions of this command: the rule can be specified as a number in the -chain (starting at 1 for the first rule) or a rule to match. -.TP -.B "-I, --insert" -Insert one or more rules in the selected chain as the given rule -number. So, if the rule number is 1, the rule or rules are inserted -at the head of the chain. This is also the default if no rule number -is specified. -.TP -.BI "-R, --replace " "chain rulenum rule-specification" -Replace a rule in the selected chain. If the source and/or -destination names resolve to multiple addresses, the command will -fail. Rules are numbered starting at 1. -.TP -.BR "-L, --list " "[\fIchain\fP]" -List all rules in the selected chain. 
If no chain is selected, all -chains are listed. As every other iptables command, it applies to the -specified table (filter is the default), so mangle rules get listed by -.nf - ip6tables -t mangle -n -L -.fi -Please note that it is often used with the -.B -n -option, in order to avoid long reverse DNS lookups. -It is legal to specify the -.B -Z -(zero) option as well, in which case the chain(s) will be atomically -listed and zeroed. The exact output is affected by the other -arguments given. The exact rules are suppressed until you use -.nf - ip6tables -L -v -.fi -.TP -.BR "-F, --flush " "[\fIchain\fP]" -Flush the selected chain (all the chains in the table if none is given). -This is equivalent to deleting all the rules one by one. -.TP -.BR "-Z, --zero " "[\fIchain\fP]" -Zero the packet and byte counters in all chains. It is legal to -specify the -.B "-L, --list" -(list) option as well, to see the counters immediately before they are -cleared. (See above.) -.TP -.BI "-N, --new-chain " "chain" -Create a new user-defined chain by the given name. There must be no -target of that name already. -.TP -.BR "-X, --delete-chain " "[\fIchain\fP]" -Delete the optional user-defined chain specified. There must be no references -to the chain. If there are, you must delete or replace the referring -rules before the chain can be deleted. If no argument is given, it -will attempt to delete every non-builtin chain in the table. -.TP -.BI "-P, --policy " "chain target" -Set the policy for the chain to the given target. See the section -.B TARGETS -for the legal targets. Only built-in (non-user-defined) chains can have -policies, and neither built-in nor user-defined chains can be policy -targets. -.TP -.BI "-E, --rename-chain " "old-chain new-chain" -Rename the user specified chain to the user supplied name. This is -cosmetic, and has no effect on the structure of the table. -.TP -.B -h -Help. -Give a (currently very brief) description of the command syntax. 
-.SS PARAMETERS -The following parameters make up a rule specification (as used in the -add, delete, insert, replace and append commands). -.TP -.BR "-p, --protocol " "[!] \fIprotocol\fP" -The protocol of the rule or of the packet to check. -The specified protocol can be one of -.IR tcp , -.IR udp , -.IR ipv6-icmp|icmpv6 , -or -.IR all , -or it can be a numeric value, representing one of these protocols or a -different one. A protocol name from /etc/protocols is also allowed. -A "!" argument before the protocol inverts the -test. The number zero is equivalent to -.IR all . -Protocol -.I all -will match with all protocols and is taken as default when this -option is omitted. -.TP -.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]" -Source specification. -.I Address -can be either a hostname (please note that specifying -any name to be resolved with a remote query such as DNS is a really bad idea), -a network IPv6 address (with /mask), or a plain IPv6 address. -(the network name isn't supported now). -The -.I mask -can be either a network mask or a plain number, -specifying the number of 1's at the left side of the network mask. -Thus, a mask of -.I 64 -is equivalent to -.IR ffff:ffff:ffff:ffff:0000:0000:0000:0000 . -A "!" argument before the address specification inverts the sense of -the address. The flag -.B --src -is an alias for this option. -.TP -.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]" -Destination specification. -See the description of the -.B -s -(source) flag for a detailed description of the syntax. The flag -.B --dst -is an alias for this option. -.TP -.BI "-j, --jump " "target" -This specifies the target of the rule; i.e., what to do if the packet -matches it. The target can be a user-defined chain (other than the -one this rule is in), one of the special builtin targets which decide -the fate of the packet immediately, or an extension (see -.B EXTENSIONS -below). 
If this -option is omitted in a rule, then matching the rule will have no -effect on the packet's fate, but the counters on the rule will be -incremented. -.TP -.BR "-i, --in-interface " "[!] \fIname\fP" -Name of an interface via which a packet is going to be received (only for -packets entering the -.BR INPUT , -.B FORWARD -and -.B PREROUTING -chains). When the "!" argument is used before the interface name, the -sense is inverted. If the interface name ends in a "+", then any -interface which begins with this name will match. If this option is -omitted, any interface name will match. -.TP -.BR "-o, --out-interface " "[!] \fIname\fP" -Name of an interface via which a packet is going to be sent (for packets -entering the -.BR FORWARD -and -.B OUTPUT -chains). When the "!" argument is used before the interface name, the -sense is inverted. If the interface name ends in a "+", then any -interface which begins with this name will match. If this option is -omitted, any interface name will match. -.TP -.\" Currently not supported (header-based) -.\" -.\" .B "[!] " "-f, --fragment" -.\" This means that the rule only refers to second and further fragments -.\" of fragmented packets. Since there is no way to tell the source or -.\" destination ports of such a packet (or ICMP type), such a packet will -.\" not match any rules which specify them. When the "!" argument -.\" precedes the "-f" flag, the rule will only match head fragments, or -.\" unfragmented packets. -.\" .TP -.B "-c, --set-counters " "PKTS BYTES" -This enables the administrator to initialize the packet and byte -counters of a rule (during -.B INSERT, -.B APPEND, -.B REPLACE -operations). -.SS "OTHER OPTIONS" -The following additional options can be specified: -.TP -.B "-v, --verbose" -Verbose output. This option makes the list command show the interface -name, the rule options (if any), and the TOS masks. 
The packet and -byte counters are also listed, with the suffix 'K', 'M' or 'G' for -1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see -the -.B -x -flag to change this). -For appending, insertion, deletion and replacement, this causes -detailed information on the rule or rules to be printed. -.TP -.B "-n, --numeric" -Numeric output. -IP addresses and port numbers will be printed in numeric format. -By default, the program will try to display them as host names, -network names, or services (whenever applicable). -.TP -.B "-x, --exact" -Expand numbers. -Display the exact value of the packet and byte counters, -instead of only the rounded number in K's (multiples of 1000) -M's (multiples of 1000K) or G's (multiples of 1000M). This option is -only relevant for the -.B -L -command. -.TP -.B "--line-numbers" -When listing rules, add line numbers to the beginning of each rule, -corresponding to that rule's position in the chain. -.TP -.B "--modprobe=command" -When adding or inserting rules into a chain, use -.B command -to load any necessary modules (targets, match extensions, etc). -.SH MATCH EXTENSIONS -ip6tables can use extended packet matching modules. These are loaded -in two ways: implicitly, when -.B -p -or -.B --protocol -is specified, or with the -.B -m -or -.B --match -options, followed by the matching module name; after these, various -extra command line options become available, depending on the specific -module. You can specify multiple extended match modules in one line, -and you can use the -.B -h -or -.B --help -options after the module has been specified to receive help specific -to that module. - -The following are included in the base package, and most of these can -be preceded by a -.B ! -to invert the sense of the match. -.SS tcp -These extensions are loaded if `--protocol tcp' is specified. It -provides the following options: -.TP -.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" -Source port or port range specification. 
This can either be a service -name or a port number. An inclusive range can also be specified, -using the format -.IR port : port . -If the first port is omitted, "0" is assumed; if the last is omitted, -"65535" is assumed. -If the second port greater then the first they will be swapped. -The flag -.B --sport -is a convenient alias for this option. -.TP -.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" -Destination port or port range specification. The flag -.B --dport -is a convenient alias for this option. -.TP -.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP" -Match when the TCP flags are as specified. The first argument is the -flags which we should examine, written as a comma-separated list, and -the second argument is a comma-separated list of flags which must be -set. Flags are: -.BR "SYN ACK FIN RST URG PSH ALL NONE" . -Hence the command -.nf - ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -.fi -will only match packets with the SYN flag set, and the ACK, FIN and -RST flags unset. -.TP -.B "[!] --syn" -Only match TCP packets with the SYN bit set and the ACK and RST bits -cleared. Such packets are used to request TCP connection initiation; -for example, blocking such packets coming in an interface will prevent -incoming TCP connections, but outgoing TCP connections will be -unaffected. -It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP. -If the "!" flag precedes the "--syn", the sense of the -option is inverted. -.TP -.BR "--tcp-option " "[!] \fInumber\fP" -Match if TCP option set. -.SS udp -These extensions are loaded if `--protocol udp' is specified. It -provides the following options: -.TP -.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" -Source port or port range specification. -See the description of the -.B --source-port -option of the TCP extension for details. -.TP -.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" -Destination port or port range specification. 
-See the description of the -.B --destination-port -option of the TCP extension for details. -.SS ipv6-icmp -This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is -specified. It provides the following option: -.TP -.BR "--icmpv6-type " "[!] \fItypename\fP" -This allows specification of the ICMP type, which can be a numeric -IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command -.nf - ip6tables -p ipv6-icmp -h -.fi -.SS mac -.TP -.BR "--mac-source " "[!] \fIaddress\fP" -Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. -Note that this only makes sense for packets coming from an Ethernet device -and entering the -.BR PREROUTING , -.B FORWARD -or -.B INPUT -chains. -.SS limit -This module matches at a limited rate using a token bucket filter. -A rule using this extension will match until this limit is reached -(unless the `!' flag is used). It can be used in combination with the -.B LOG -target to give limited logging, for example. -.TP -.BI "--limit " "rate" -Maximum average matching rate: specified as a number, with an optional -`/second', `/minute', `/hour', or `/day' suffix; the default is -3/hour. -.TP -.BI "--limit-burst " "number" -Maximum initial number of packets to match: this number gets -recharged by one every time the limit specified above is not reached, -up to this number; the default is 5. -.SS multiport -This module matches a set of source or destination ports. Up to 15 -ports can be specified. It can only be used in conjunction with -.B "-p tcp" -or -.BR "-p udp" . -.TP -.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" -Match if the source port is one of the given ports. The flag -.B --sports -is a convenient alias for this option. -.TP -.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" -Match if the destination port is one of the given ports. The flag -.B --dports -is a convenient alias for this option. 
-.TP -.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" -Match if the both the source and destination ports are equal to each -other and to one of the given ports. -.SS mark -This module matches the netfilter mark field associated with a packet -(which can be set using the -.B MARK -target below). -.TP -.BR "--mark " "\fIvalue\fP[/\fImask\fP]" -Matches packets with the given unsigned mark value (if a mask is -specified, this is logically ANDed with the mask before the -comparison). -.SS owner -This module attempts to match various characteristics of the packet -creator, for locally-generated packets. It is only valid in the -.B OUTPUT -chain, and even this some packets (such as ICMP ping responses) may -have no owner, and hence never match. This is regarded as experimental. -.TP -.BI "--uid-owner " "userid" -Matches if the packet was created by a process with the given -effective user id. -.TP -.BI "--gid-owner " "groupid" -Matches if the packet was created by a process with the given -effective group id. -.TP -.BI "--pid-owner " "processid" -Matches if the packet was created by a process with the given -process id. -.TP -.BI "--sid-owner " "sessionid" -Matches if the packet was created by a process in the given session -group. -.\" .SS state -.\" This module, when combined with connection tracking, allows access to -.\" the connection tracking state for this packet. -.\" .TP -.\" .BI "--state " "state" -.\" Where state is a comma separated list of the connection states to -.\" match. 
Possible states are -.\" .B INVALID -.\" meaning that the packet is associated with no known connection, -.\" .B ESTABLISHED -.\" meaning that the packet is associated with a connection which has seen -.\" packets in both directions, -.\" .B NEW -.\" meaning that the packet has started a new connection, or otherwise -.\" associated with a connection which has not seen packets in both -.\" directions, and -.\" .B RELATED -.\" meaning that the packet is starting a new connection, but is -.\" associated with an existing connection, such as an FTP data transfer, -.\" or an ICMP error. -.\" .SS unclean -.\" This module takes no options, but attempts to match packets which seem -.\" malformed or unusual. This is regarded as experimental. -.\" .SS tos -.\" This module matches the 8 bits of Type of Service field in the IP -.\" header (ie. including the precedence bits). -.\" .TP -.\" .BI "--tos " "tos" -.\" The argument is either a standard name, (use -.\" .br -.\" iptables -m tos -h -.\" .br -.\" to see the list), or a numeric value to match. -.SH TARGET EXTENSIONS -ip6tables can use extended target modules: the following are included -in the standard distribution. -.SS LOG -Turn on kernel logging of matching packets. When this option is set -for a rule, the Linux kernel will print some information on all -matching packets (like most IPv6 IPv6-header fields) via the kernel log -(where it can be read with -.I dmesg -or -.IR syslogd (8)). -This is a "non-terminating target", i.e. rule traversal continues at -the next rule. So if you want to LOG the packets you refuse, use two -separate rules with the same matching criteria, first using target LOG -then DROP (or REJECT). -.TP -.BI "--log-level " "level" -Level of logging (numeric or see \fIsyslog.conf\fP(5)). -.TP -.BI "--log-prefix " "prefix" -Prefix log messages with the specified prefix; up to 29 letters long, -and useful for distinguishing messages in the logs. -.TP -.B --log-tcp-sequence -Log TCP sequence numbers. 
This is a security risk if the log is -readable by users. -.TP -.B --log-tcp-options -Log options from the TCP packet header. -.TP -.B --log-ip-options -Log options from the IPv6 packet header. -.SS MARK -This is used to set the netfilter mark value associated with the -packet. It is only valid in the -.B mangle -table. -.TP -.BI "--set-mark " "mark" -.SS REJECT -This is used to send back an error packet in response to the matched -packet: otherwise it is equivalent to -.B DROP -so it is a terminating TARGET, ending rule traversal. -This target is only valid in the -.BR INPUT , -.B FORWARD -and -.B OUTPUT -chains, and user-defined chains which are only called from those -chains. The following option controls the nature of the error packet -returned: -.TP -.BI "--reject-with " "type" -The type given can be -.nf -.B " icmp6-no-route" -.B " no-route" -.B " icmp6-adm-prohibited" -.B " adm-prohibited" -.B " icmp6-addr-unreachable" -.B " addr-unreach" -.B " icmp6-port-unreachable" -.B " port-unreach" -.fi -which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is -the default). Finally, the option -.B tcp-reset -can be used on rules which only match the TCP protocol: this causes a -TCP RST packet to be sent back. This is mainly useful for blocking -.I ident -(113/tcp) probes which frequently occur when sending mail to broken mail -hosts (which won't accept your mail otherwise). -.\" .SS TOS -.\" This is used to set the 8-bit Type of Service field in the IP header. -.\" It is only valid in the -.\" .B mangle -.\" table. -.\" .TP -.\" .BI "--set-tos " "tos" -.\" You can use a numeric TOS values, or use -.\" .br -.\" iptables -j TOS -h -.\" .br -.\" to see the list of valid TOS names. -.\" .SS MIRROR -.\" This is an experimental demonstration target which inverts the source -.\" and destination fields in the IP header and retransmits the packet. 
-.\" It is only valid in the -.\" .BR INPUT , -.\" .B FORWARD -.\" and -.\" .B PREROUTING -.\" chains, and user-defined chains which are only called from those -.\" chains. Note that the outgoing packets are -.\" .B NOT -.\" seen by any packet filtering chains, connection tracking or NAT, to -.\" avoid loops and other problems. -.\" .SS SNAT -.\" This target is only valid in the -.\" .B nat -.\" table, in the -.\" .B POSTROUTING -.\" chain. It specifies that the source address of the packet should be -.\" modified (and all future packets in this connection will also be -.\" mangled), and rules should cease being examined. It takes one option: -.\" .TP -.\" .BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" -.\" which can specify a single new source IP address, an inclusive range -.\" of IP addresses, and optionally, a port range (which is only valid if -.\" the rule also specifies -.\" .B "-p tcp" -.\" or -.\" .BR "-p udp" ). -.\" If no port range is specified, then source ports below 512 will be -.\" mapped to other ports below 512: those between 512 and 1023 inclusive -.\" will be mapped to ports below 1024, and other ports will be mapped to -.\" 1024 or above. Where possible, no port alteration will occur. -.\" .SS DNAT -.\" This target is only valid in the -.\" .B nat -.\" table, in the -.\" .B PREROUTING -.\" and -.\" .B OUTPUT -.\" chains, and user-defined chains which are only called from those -.\" chains. It specifies that the destination address of the packet -.\" should be modified (and all future packets in this connection will -.\" also be mangled), and rules should cease being examined. It takes one -.\" option: -.\" .TP -.\" .BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" -.\" which can specify a single new destination IP address, an inclusive -.\" range of IP addresses, and optionally, a port range (which is only -.\" valid if the rule also specifies -.\" .B "-p tcp" -.\" or -.\" .BR "-p udp" ). 
-.\" If no port range is specified, then the destination port will never be -.\" modified. -.\" .SS MASQUERADE -.\" This target is only valid in the -.\" .B nat -.\" table, in the -.\" .B POSTROUTING -.\" chain. It should only be used with dynamically assigned IP (dialup) -.\" connections: if you have a static IP address, you should use the SNAT -.\" target. Masquerading is equivalent to specifying a mapping to the IP -.\" address of the interface the packet is going out, but also has the -.\" effect that connections are -.\" .I forgotten -.\" when the interface goes down. This is the correct behavior when the -.\" next dialup is unlikely to have the same interface address (and hence -.\" any established connections are lost anyway). It takes one option: -.\" .TP -.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]" -.\" This specifies a range of source ports to use, overriding the default -.\" .B SNAT -.\" source port-selection heuristics (see above). This is only valid -.\" if the rule also specifies -.\" .B "-p tcp" -.\" or -.\" .BR "-p udp" . -.\" .SS REDIRECT -.\" This target is only valid in the -.\" .B nat -.\" table, in the -.\" .B PREROUTING -.\" and -.\" .B OUTPUT -.\" chains, and user-defined chains which are only called from those -.\" chains. It alters the destination IP address to send the packet to -.\" the machine itself (locally-generated packets are mapped to the -.\" 127.0.0.1 address). It takes one option: -.\" .TP -.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]" -.\" This specifies a destination port or range of ports to use: without -.\" this, the destination port is never altered. This is only valid -.\" if the rule also specifies -.\" .B "-p tcp" -.\" or -.\" .BR "-p udp" . -.SH DIAGNOSTICS -Various error messages are printed to standard error. The exit code -is 0 for correct functioning. Errors which appear to be caused by -invalid or abused command line parameters cause an exit code of 2, and -other errors cause an exit code of 1. 
-.SH BUGS -Bugs? What's this? ;-) -Well... the counters are not reliable on sparc64. -.SH COMPATIBILITY WITH IPCHAINS -This -.B ip6tables -is very similar to ipchains by Rusty Russell. The main difference is -that the chains -.B INPUT -and -.B OUTPUT -are only traversed for packets coming into the local host and -originating from the local host respectively. Hence every packet only -passes through one of the three chains (except loopback traffic, which -involves both INPUT and OUTPUT chains); previously a forwarded packet -would pass through all three. -.PP -The other main difference is that -.B -i -refers to the input interface; -.B -o -refers to the output interface, and both are available for packets -entering the -.B FORWARD -chain. -.\" .PP The various forms of NAT have been separated out; -.\" .B iptables -.\" is a pure packet filter when using the default `filter' table, with -.\" optional extension modules. This should simplify much of the previous -.\" confusion over the combination of IP masquerading and packet filtering -.\" seen previously. So the following options are handled differently: -.\" .br -.\" -j MASQ -.\" .br -.\" -M -S -.\" .br -.\" -M -L -.\" .br -There are several other changes in ip6tables. -.SH SEE ALSO -.BR ip6tables-save (8), -.BR ip6tables-restore(8), -.BR iptables (8), -.BR iptables-save (8), -.BR iptables-restore (8). -.P -The packet-filtering-HOWTO details iptables usage for -packet filtering, the NAT-HOWTO details NAT, -the netfilter-extensions-HOWTO details the extensions that are -not in the standard distribution, -and the netfilter-hacking-HOWTO details the netfilter internals. -.br -See -.BR "http://www.netfilter.org/" . -.SH AUTHORS -Rusty Russell wrote iptables, in early consultation with Michael -Neuling. -.PP -Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet -selection framework in iptables, then wrote the mangle table, the owner match, -the mark stuff, and ran around doing cool stuff everywhere. 
-.PP -James Morris wrote the TOS target, and tos match. -.PP -Jozsef Kadlecsik wrote the REJECT target. -.PP -Harald Welte wrote the ULOG target, TTL match+target and libipulog. -.PP -The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, -James Morris, Harald Welte and Rusty Russell. -.PP -ip6tables man page created by Andras Kis-Szabo, based on -iptables man page written by Herve Eychenne . -.\" .. and did I mention that we are incredibly cool people? -.\" .. sexy, too .. -.\" .. witty, charming, powerful .. -.\" .. and most of all, modest .. diff --git a/ip6tables.8.in b/ip6tables.8.in new file mode 100644 index 00000000..6d3f56cd --- /dev/null +++ b/ip6tables.8.in 
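Review bot: with the hand-maintained ip6tables.8 deleted here and a same-named file now expected from ip6tables.8.in, make sure the build generates ip6tables.8 before the install step and that the generated file is kept out of the tree, otherwise a checkout that does not run make ships no ip6tables man page at all. Two defects in the removed text are worth checking in whatever copies it forward: the SEE ALSO entry `.BR ip6tables-restore(8),` lacks the space before `(8)` that the neighbouring entries have, and the commented `-j MASQ` / `-M -S` / `-M -L` block in COMPATIBILITY WITH IPCHAINS describes iptables NAT options that this page itself says do not exist for IPv6.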
@@ -0,0 +1,461 @@ +.TH IP6TABLES 8 "Mar 09, 2002" "" "" +.\" +.\" Man page written by Andras Kis-Szabo +.\" It is based on iptables man page. +.\" +.\" iptables page by Herve Eychenne +.\" It is based on ipchains man page. +.\" +.\" ipchains page by Paul ``Rusty'' Russell March 1997 +.\" Based on the original ipfwadm man page by Jos Vos +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 2 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software +.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +.\" +.\" +.SH NAME +ip6tables \- IPv6 packet filter administration +.SH SYNOPSIS +.BR "ip6tables [-t table] -[AD] " "chain rule-specification [options]" +.br +.BR "ip6tables [-t table] -I " "chain [rulenum] rule-specification [options]" +.br +.BR "ip6tables [-t table] -R " "chain rulenum rule-specification [options]" +.br +.BR "ip6tables [-t table] -D " "chain rulenum [options]" +.br +.BR "ip6tables [-t table] -[LFZ] " "[chain] [options]" +.br +.BR "ip6tables [-t table] -N " "chain" +.br +.BR "ip6tables [-t table] -X " "[chain]" +.br +.BR "ip6tables [-t table] -P " "chain target [options]" +.br +.BR "ip6tables [-t table] -E " "old-chain-name new-chain-name" +.SH DESCRIPTION +.B Ip6tables +is used to set up, maintain, and inspect the tables of IPv6 packet +filter rules in the Linux kernel. Several different tables +may be defined. Each table contains a number of built-in +chains and may also contain user-defined chains. 
+ +Each chain is a list of rules which can match a set of packets. Each +rule specifies what to do with a packet that matches. This is called +a `target', which may be a jump to a user-defined chain in the same +table. + +.SH TARGETS +A firewall rule specifies criteria for a packet, and a target. If the +packet does not match, the next rule in the chain is the examined; if +it does match, then the next rule is specified by the value of the +target, which can be the name of a user-defined chain or one of the +special values +.IR ACCEPT , +.IR DROP , +.IR QUEUE , +or +.IR RETURN . +.PP +.I ACCEPT +means to let the packet through. +.I DROP +means to drop the packet on the floor. +.I QUEUE +means to pass the packet to userspace (if supported by the kernel). +.I RETURN +means stop traversing this chain and resume at the next rule in the +previous (calling) chain. If the end of a built-in chain is reached +or a rule in a built-in chain with target +.I RETURN +is matched, the target specified by the chain policy determines the +fate of the packet. +.SH TABLES +There are currently two independent tables (which tables are present +at any time depends on the kernel configuration options and which +modules are present), as nat table has not been implemented yet. +.TP +.BI "-t, --table " "table" +This option specifies the packet matching table which the command +should operate on. If the kernel is configured with automatic module +loading, an attempt will be made to load the appropriate module for +that table if it is not already there. + +The tables are as follows: +.RS +.TP .4i +.BR "filter" : +This is the default table (if no -t option is passed). It contains +the built-in chains +.B INPUT +(for packets coming into the box itself), +.B FORWARD +(for packets being routed through the box), and +.B OUTPUT +(for locally-generated packets). +.TP +.BR "mangle" : +This table is used for specialized packet alteration. 
Until kernel +2.4.17 it had two built-in chains: +.B PREROUTING +(for altering incoming packets before routing) and +.B OUTPUT +(for altering locally-generated packets before routing). +Since kernel 2.4.18, three other built-in chains are also supported: +.B INPUT +(for packets coming into the box itself), +.B FORWARD +(for altering packets being routed through the box), and +.B POSTROUTING +(for altering packets as they are about to go out). +.RE +.SH OPTIONS +The options that are recognized by +.B ip6tables +can be divided into several different groups. +.SS COMMANDS +These options specify the specific action to perform. Only one of them +can be specified on the command line unless otherwise specified +below. For all the long versions of the command and option names, you +need to use only enough letters to ensure that +.B ip6tables +can differentiate it from all other options. +.TP +.BI "-A, --append " "chain rule-specification" +Append one or more rules to the end of the selected chain. +When the source and/or destination names resolve to more than one +address, a rule will be added for each possible address combination. +.TP +.BI "-D, --delete " "chain rule-specification" +.ns +.TP +.BI "-D, --delete " "chain rulenum" +Delete one or more rules from the selected chain. There are two +versions of this command: the rule can be specified as a number in the +chain (starting at 1 for the first rule) or a rule to match. +.TP +.B "-I, --insert" +Insert one or more rules in the selected chain as the given rule +number. So, if the rule number is 1, the rule or rules are inserted +at the head of the chain. This is also the default if no rule number +is specified. +.TP +.BI "-R, --replace " "chain rulenum rule-specification" +Replace a rule in the selected chain. If the source and/or +destination names resolve to multiple addresses, the command will +fail. Rules are numbered starting at 1. +.TP +.BR "-L, --list " "[\fIchain\fP]" +List all rules in the selected chain. 
If no chain is selected, all +chains are listed. As every other iptables command, it applies to the +specified table (filter is the default), so mangle rules get listed by +.nf + ip6tables -t mangle -n -L +.fi +Please note that it is often used with the +.B -n +option, in order to avoid long reverse DNS lookups. +It is legal to specify the +.B -Z +(zero) option as well, in which case the chain(s) will be atomically +listed and zeroed. The exact output is affected by the other +arguments given. The exact rules are suppressed until you use +.nf + ip6tables -L -v +.fi +.TP +.BR "-F, --flush " "[\fIchain\fP]" +Flush the selected chain (all the chains in the table if none is given). +This is equivalent to deleting all the rules one by one. +.TP +.BR "-Z, --zero " "[\fIchain\fP]" +Zero the packet and byte counters in all chains. It is legal to +specify the +.B "-L, --list" +(list) option as well, to see the counters immediately before they are +cleared. (See above.) +.TP +.BI "-N, --new-chain " "chain" +Create a new user-defined chain by the given name. There must be no +target of that name already. +.TP +.BR "-X, --delete-chain " "[\fIchain\fP]" +Delete the optional user-defined chain specified. There must be no references +to the chain. If there are, you must delete or replace the referring +rules before the chain can be deleted. If no argument is given, it +will attempt to delete every non-builtin chain in the table. +.TP +.BI "-P, --policy " "chain target" +Set the policy for the chain to the given target. See the section +.B TARGETS +for the legal targets. Only built-in (non-user-defined) chains can have +policies, and neither built-in nor user-defined chains can be policy +targets. +.TP +.BI "-E, --rename-chain " "old-chain new-chain" +Rename the user specified chain to the user supplied name. This is +cosmetic, and has no effect on the structure of the table. +.TP +.B -h +Help. +Give a (currently very brief) description of the command syntax. 
+.SS PARAMETERS +The following parameters make up a rule specification (as used in the +add, delete, insert, replace and append commands). +.TP +.BR "-p, --protocol " "[!] \fIprotocol\fP" +The protocol of the rule or of the packet to check. +The specified protocol can be one of +.IR tcp , +.IR udp , +.IR ipv6-icmp|icmpv6 , +or +.IR all , +or it can be a numeric value, representing one of these protocols or a +different one. A protocol name from /etc/protocols is also allowed. +A "!" argument before the protocol inverts the +test. The number zero is equivalent to +.IR all . +Protocol +.I all +will match with all protocols and is taken as default when this +option is omitted. +.TP +.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]" +Source specification. +.I Address +can be either a hostname (please note that specifying +any name to be resolved with a remote query such as DNS is a really bad idea), +a network IPv6 address (with /mask), or a plain IPv6 address. +(the network name isn't supported now). +The +.I mask +can be either a network mask or a plain number, +specifying the number of 1's at the left side of the network mask. +Thus, a mask of +.I 64 +is equivalent to +.IR ffff:ffff:ffff:ffff:0000:0000:0000:0000 . +A "!" argument before the address specification inverts the sense of +the address. The flag +.B --src +is an alias for this option. +.TP +.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]" +Destination specification. +See the description of the +.B -s +(source) flag for a detailed description of the syntax. The flag +.B --dst +is an alias for this option. +.TP +.BI "-j, --jump " "target" +This specifies the target of the rule; i.e., what to do if the packet +matches it. The target can be a user-defined chain (other than the +one this rule is in), one of the special builtin targets which decide +the fate of the packet immediately, or an extension (see +.B EXTENSIONS +below). 
If this +option is omitted in a rule, then matching the rule will have no +effect on the packet's fate, but the counters on the rule will be +incremented. +.TP +.BR "-i, --in-interface " "[!] \fIname\fP" +Name of an interface via which a packet is going to be received (only for +packets entering the +.BR INPUT , +.B FORWARD +and +.B PREROUTING +chains). When the "!" argument is used before the interface name, the +sense is inverted. If the interface name ends in a "+", then any +interface which begins with this name will match. If this option is +omitted, any interface name will match. +.TP +.BR "-o, --out-interface " "[!] \fIname\fP" +Name of an interface via which a packet is going to be sent (for packets +entering the +.BR FORWARD +and +.B OUTPUT +chains). When the "!" argument is used before the interface name, the +sense is inverted. If the interface name ends in a "+", then any +interface which begins with this name will match. If this option is +omitted, any interface name will match. +.TP +.\" Currently not supported (header-based) +.\" +.\" .B "[!] " "-f, --fragment" +.\" This means that the rule only refers to second and further fragments +.\" of fragmented packets. Since there is no way to tell the source or +.\" destination ports of such a packet (or ICMP type), such a packet will +.\" not match any rules which specify them. When the "!" argument +.\" precedes the "-f" flag, the rule will only match head fragments, or +.\" unfragmented packets. +.\" .TP +.B "-c, --set-counters " "PKTS BYTES" +This enables the administrator to initialize the packet and byte +counters of a rule (during +.B INSERT, +.B APPEND, +.B REPLACE +operations). +.SS "OTHER OPTIONS" +The following additional options can be specified: +.TP +.B "-v, --verbose" +Verbose output. This option makes the list command show the interface +name, the rule options (if any), and the TOS masks. 
The packet and +byte counters are also listed, with the suffix 'K', 'M' or 'G' for +1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see +the +.B -x +flag to change this). +For appending, insertion, deletion and replacement, this causes +detailed information on the rule or rules to be printed. +.TP +.B "-n, --numeric" +Numeric output. +IP addresses and port numbers will be printed in numeric format. +By default, the program will try to display them as host names, +network names, or services (whenever applicable). +.TP +.B "-x, --exact" +Expand numbers. +Display the exact value of the packet and byte counters, +instead of only the rounded number in K's (multiples of 1000) +M's (multiples of 1000K) or G's (multiples of 1000M). This option is +only relevant for the +.B -L +command. +.TP +.B "--line-numbers" +When listing rules, add line numbers to the beginning of each rule, +corresponding to that rule's position in the chain. +.TP +.B "--modprobe=command" +When adding or inserting rules into a chain, use +.B command +to load any necessary modules (targets, match extensions, etc). +.SH MATCH EXTENSIONS +ip6tables can use extended packet matching modules. These are loaded +in two ways: implicitly, when +.B -p +or +.B --protocol +is specified, or with the +.B -m +or +.B --match +options, followed by the matching module name; after these, various +extra command line options become available, depending on the specific +module. You can specify multiple extended match modules in one line, +and you can use the +.B -h +or +.B --help +options after the module has been specified to receive help specific +to that module. + +The following are included in the base package, and most of these can +be preceded by a +.B ! +to invert the sense of the match. +.\" @MATCH@ +.SH TARGET EXTENSIONS +ip6tables can use extended target modules: the following are included +in the standard distribution. 
+.\" @TARGET@ +.SH DIAGNOSTICS +Various error messages are printed to standard error. The exit code +is 0 for correct functioning. Errors which appear to be caused by +invalid or abused command line parameters cause an exit code of 2, and +other errors cause an exit code of 1. +.SH BUGS +Bugs? What's this? ;-) +Well... the counters are not reliable on sparc64. +.SH COMPATIBILITY WITH IPCHAINS +This +.B ip6tables +is very similar to ipchains by Rusty Russell. The main difference is +that the chains +.B INPUT +and +.B OUTPUT +are only traversed for packets coming into the local host and +originating from the local host respectively. Hence every packet only +passes through one of the three chains (except loopback traffic, which +involves both INPUT and OUTPUT chains); previously a forwarded packet +would pass through all three. +.PP +The other main difference is that +.B -i +refers to the input interface; +.B -o +refers to the output interface, and both are available for packets +entering the +.B FORWARD +chain. +.\" .PP The various forms of NAT have been separated out; +.\" .B iptables +.\" is a pure packet filter when using the default `filter' table, with +.\" optional extension modules. This should simplify much of the previous +.\" confusion over the combination of IP masquerading and packet filtering +.\" seen previously. So the following options are handled differently: +.\" .br +.\" -j MASQ +.\" .br +.\" -M -S +.\" .br +.\" -M -L +.\" .br +There are several other changes in ip6tables. +.SH SEE ALSO +.BR ip6tables-save (8), +.BR ip6tables-restore(8), +.BR iptables (8), +.BR iptables-save (8), +.BR iptables-restore (8). +.P +The packet-filtering-HOWTO details iptables usage for +packet filtering, the NAT-HOWTO details NAT, +the netfilter-extensions-HOWTO details the extensions that are +not in the standard distribution, +and the netfilter-hacking-HOWTO details the netfilter internals. +.br +See +.BR "http://www.netfilter.org/" . 
+.SH AUTHORS +Rusty Russell wrote iptables, in early consultation with Michael +Neuling. +.PP +Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet +selection framework in iptables, then wrote the mangle table, the owner match, +the mark stuff, and ran around doing cool stuff everywhere. +.PP +James Morris wrote the TOS target, and tos match. +.PP +Jozsef Kadlecsik wrote the REJECT target. +.PP +Harald Welte wrote the ULOG target, TTL match+target and libipulog. +.PP +The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, +James Morris, Harald Welte and Rusty Russell. +.PP +ip6tables man page created by Andras Kis-Szabo, based on +iptables man page written by Herve Eychenne . +.\" .. and did I mention that we are incredibly cool people? +.\" .. sexy, too .. +.\" .. witty, charming, powerful .. +.\" .. and most of all, modest .. diff --git a/iptables.8 b/iptables.8 deleted file mode 100644 index b79f1ece..00000000 --- a/iptables.8 +++ /dev/null 
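Review bot: the `-o, --out-interface` entry in this hunk says it applies only to packets entering the FORWARD and OUTPUT chains, but the TABLES section of the same page lists a mangle POSTROUTING chain since kernel 2.4.18, where `-o` is also usable; list POSTROUTING there the way the removed iptables.8 text does (`.BR FORWARD ,` / `.B OUTPUT` / `and` / `.B POSTROUTING`). Two smaller points in the same hunk: `.B "-I, --insert"` drops the argument synopsis, so unlike the SYNOPSIS line (`-I chain [rulenum] rule-specification`) and the iptables page the reader cannot see where the rule number goes; and `.BR ip6tables-restore(8),` in SEE ALSO is missing the space before `(8)`, so its section number is set in bold rather than roman like the entries around it. Also confirm that the build replaces the `.\" @MATCH@` and `.\" @TARGET@` lines as whole lines, since as written they are roff comments and a token-only substitution would leave the inserted extension text commented out.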
@@ -1,1072 +0,0 @@ -.TH IPTABLES 8 "Mar 09, 2002" "" "" -.\" -.\" Man page written by Herve Eychenne (May 1999) -.\" It is based on ipchains page. -.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG) -.\" -.\" ipchains page by Paul ``Rusty'' Russell March 1997 -.\" Based on the original ipfwadm man page by Jos Vos -.\" -.\" This program is free software; you can redistribute it and/or modify -.\" it under the terms of the GNU General Public License as published by -.\" the Free Software Foundation; either version 2 of the License, or -.\" (at your option) any later version. -.\" -.\" This program is distributed in the hope that it will be useful, -.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -.\" GNU General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public License -.\" along with this program; if not, write to the Free Software -.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -.\" -.\" -.SH NAME -iptables \- administration tool for IPv4 packet filtering and NAT -.SH SYNOPSIS -.BR "iptables [-t table] -[AD] " "chain rule-specification [options]" -.br -.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]" -.br -.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]" -.br -.BR "iptables [-t table] -D " "chain rulenum [options]" -.br -.BR "iptables [-t table] -[LFZ] " "[chain] [options]" -.br -.BR "iptables [-t table] -N " "chain" -.br -.BR "iptables [-t table] -X " "[chain]" -.br -.BR "iptables [-t table] -P " "chain target [options]" -.br -.BR "iptables [-t table] -E " "old-chain-name new-chain-name" -.SH DESCRIPTION -.B Iptables -is used to set up, maintain, and inspect the tables of IP packet -filter rules in the Linux kernel. Several different tables -may be defined. Each table contains a number of built-in -chains and may also contain user-defined chains. 
- -Each chain is a list of rules which can match a set of packets. Each -rule specifies what to do with a packet that matches. This is called -a `target', which may be a jump to a user-defined chain in the same -table. - -.SH TARGETS -A firewall rule specifies criteria for a packet, and a target. If the -packet does not match, the next rule in the chain is the examined; if -it does match, then the next rule is specified by the value of the -target, which can be the name of a user-defined chain or one of the -special values -.IR ACCEPT , -.IR DROP , -.IR QUEUE , -or -.IR RETURN . -.PP -.I ACCEPT -means to let the packet through. -.I DROP -means to drop the packet on the floor. -.I QUEUE -means to pass the packet to userspace (if supported by the kernel). -.I RETURN -means stop traversing this chain and resume at the next rule in the -previous (calling) chain. If the end of a built-in chain is reached -or a rule in a built-in chain with target -.I RETURN -is matched, the target specified by the chain policy determines the -fate of the packet. -.SH TABLES -There are currently three independent tables (which tables are present -at any time depends on the kernel configuration options and which -modules are present). -.TP -.BI "-t, --table " "table" -This option specifies the packet matching table which the command -should operate on. If the kernel is configured with automatic module -loading, an attempt will be made to load the appropriate module for -that table if it is not already there. - -The tables are as follows: -.RS -.TP .4i -.BR "filter" : -This is the default table (if no -t option is passed). It contains -the built-in chains -.B INPUT -(for packets coming into the box itself), -.B FORWARD -(for packets being routed through the box), and -.B OUTPUT -(for locally-generated packets). -.TP -.BR "nat" : -This table is consulted when a packet that creates a new -connection is encountered. 
It consists of three built-ins: -.B PREROUTING -(for altering packets as soon as they come in), -.B OUTPUT -(for altering locally-generated packets before routing), and -.B POSTROUTING -(for altering packets as they are about to go out). -.TP -.BR "mangle" : -This table is used for specialized packet alteration. Until kernel -2.4.17 it had two built-in chains: -.B PREROUTING -(for altering incoming packets before routing) and -.B OUTPUT -(for altering locally-generated packets before routing). -Since kernel 2.4.18, three other built-in chains are also supported: -.B INPUT -(for packets coming into the box itself), -.B FORWARD -(for altering packets being routed through the box), and -.B POSTROUTING -(for altering packets as they are about to go out). -.RE -.SH OPTIONS -The options that are recognized by -.B iptables -can be divided into several different groups. -.SS COMMANDS -These options specify the specific action to perform. Only one of them -can be specified on the command line unless otherwise specified -below. For all the long versions of the command and option names, you -need to use only enough letters to ensure that -.B iptables -can differentiate it from all other options. -.TP -.BI "-A, --append " "chain rule-specification" -Append one or more rules to the end of the selected chain. -When the source and/or destination names resolve to more than one -address, a rule will be added for each possible address combination. -.TP -.BI "-D, --delete " "chain rule-specification" -.ns -.TP -.BI "-D, --delete " "chain rulenum" -Delete one or more rules from the selected chain. There are two -versions of this command: the rule can be specified as a number in the -chain (starting at 1 for the first rule) or a rule to match. -.TP -.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP" -Insert one or more rules in the selected chain as the given rule -number. So, if the rule number is 1, the rule or rules are inserted -at the head of the chain. 
This is also the default if no rule number -is specified. -.TP -.BI "-R, --replace " "chain rulenum rule-specification" -Replace a rule in the selected chain. If the source and/or -destination names resolve to multiple addresses, the command will -fail. Rules are numbered starting at 1. -.TP -.BR "-L, --list " "[\fIchain\fP]" -List all rules in the selected chain. If no chain is selected, all -chains are listed. As every other iptables command, it applies to the -specified table (filter is the default), so NAT rules get listed by -.nf - iptables -t nat -n -L -.fi -Please note that it is often used with the -.B -n -option, in order to avoid long reverse DNS lookups. -It is legal to specify the -.B -Z -(zero) option as well, in which case the chain(s) will be atomically -listed and zeroed. The exact output is affected by the other -arguments given. The exact rules are suppressed until you use -.nf - iptables -L -v -.fi -.TP -.BR "-F, --flush " "[\fIchain\fP]" -Flush the selected chain (all the chains in the table if none is given). -This is equivalent to deleting all the rules one by one. -.TP -.BR "-Z, --zero " "[\fIchain\fP]" -Zero the packet and byte counters in all chains. It is legal to -specify the -.B "-L, --list" -(list) option as well, to see the counters immediately before they are -cleared. (See above.) -.TP -.BI "-N, --new-chain " "chain" -Create a new user-defined chain by the given name. There must be no -target of that name already. -.TP -.BR "-X, --delete-chain " "[\fIchain\fP]" -Delete the optional user-defined chain specified. There must be no references -to the chain. If there are, you must delete or replace the referring -rules before the chain can be deleted. If no argument is given, it -will attempt to delete every non-builtin chain in the table. -.TP -.BI "-P, --policy " "chain target" -Set the policy for the chain to the given target. See the section -.B TARGETS -for the legal targets. 
Only built-in (non-user-defined) chains can have -policies, and neither built-in nor user-defined chains can be policy -targets. -.TP -.BI "-E, --rename-chain " "old-chain new-chain" -Rename the user specified chain to the user supplied name. This is -cosmetic, and has no effect on the structure of the table. -.TP -.B -h -Help. -Give a (currently very brief) description of the command syntax. -.SS PARAMETERS -The following parameters make up a rule specification (as used in the -add, delete, insert, replace and append commands). -.TP -.BR "-p, --protocol " "[!] \fIprotocol\fP" -The protocol of the rule or of the packet to check. -The specified protocol can be one of -.IR tcp , -.IR udp , -.IR icmp , -or -.IR all , -or it can be a numeric value, representing one of these protocols or a -different one. A protocol name from /etc/protocols is also allowed. -A "!" argument before the protocol inverts the -test. The number zero is equivalent to -.IR all . -Protocol -.I all -will match with all protocols and is taken as default when this -option is omitted. -.TP -.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]" -Source specification. -.I Address -can be either a network name, a hostname (please note that specifying -any name to be resolved with a remote query such as DNS is a really bad idea), -a network IP address (with /mask), or a plain IP address. -The -.I mask -can be either a network mask or a plain number, -specifying the number of 1's at the left side of the network mask. -Thus, a mask of -.I 24 -is equivalent to -.IR 255.255.255.0 . -A "!" argument before the address specification inverts the sense of -the address. The flag -.B --src -is an alias for this option. -.TP -.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]" -Destination specification. -See the description of the -.B -s -(source) flag for a detailed description of the syntax. The flag -.B --dst -is an alias for this option. 
-.TP -.BI "-j, --jump " "target" -This specifies the target of the rule; i.e., what to do if the packet -matches it. The target can be a user-defined chain (other than the -one this rule is in), one of the special builtin targets which decide -the fate of the packet immediately, or an extension (see -.B EXTENSIONS -below). If this -option is omitted in a rule, then matching the rule will have no -effect on the packet's fate, but the counters on the rule will be -incremented. -.TP -.BR "-i, --in-interface " "[!] \fIname\fP" -Name of an interface via which a packet is going to be received (only for -packets entering the -.BR INPUT , -.B FORWARD -and -.B PREROUTING -chains). When the "!" argument is used before the interface name, the -sense is inverted. If the interface name ends in a "+", then any -interface which begins with this name will match. If this option is -omitted, any interface name will match. -.TP -.BR "-o, --out-interface " "[!] \fIname\fP" -Name of an interface via which a packet is going to be sent (for packets -entering the -.BR FORWARD , -.B OUTPUT -and -.B POSTROUTING -chains). When the "!" argument is used before the interface name, the -sense is inverted. If the interface name ends in a "+", then any -interface which begins with this name will match. If this option is -omitted, any interface name will match. -.TP -.B "[!] " "-f, --fragment" -This means that the rule only refers to second and further fragments -of fragmented packets. Since there is no way to tell the source or -destination ports of such a packet (or ICMP type), such a packet will -not match any rules which specify them. When the "!" argument -precedes the "-f" flag, the rule will only match head fragments, or -unfragmented packets. -.TP -.BI "-c, --set-counters " "PKTS BYTES" -This enables the administrator to initialize the packet and byte -counters of a rule (during -.B INSERT, -.B APPEND, -.B REPLACE -operations). 
-.SS "OTHER OPTIONS" -The following additional options can be specified: -.TP -.B "-v, --verbose" -Verbose output. This option makes the list command show the interface -name, the rule options (if any), and the TOS masks. The packet and -byte counters are also listed, with the suffix 'K', 'M' or 'G' for -1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see -the -.B -x -flag to change this). -For appending, insertion, deletion and replacement, this causes -detailed information on the rule or rules to be printed. -.TP -.B "-n, --numeric" -Numeric output. -IP addresses and port numbers will be printed in numeric format. -By default, the program will try to display them as host names, -network names, or services (whenever applicable). -.TP -.B "-x, --exact" -Expand numbers. -Display the exact value of the packet and byte counters, -instead of only the rounded number in K's (multiples of 1000) -M's (multiples of 1000K) or G's (multiples of 1000M). This option is -only relevant for the -.B -L -command. -.TP -.B "--line-numbers" -When listing rules, add line numbers to the beginning of each rule, -corresponding to that rule's position in the chain. -.TP -.B "--modprobe=command" -When adding or inserting rules into a chain, use -.B command -to load any necessary modules (targets, match extensions, etc). -.SH MATCH EXTENSIONS -iptables can use extended packet matching modules. These are loaded -in two ways: implicitly, when -.B -p -or -.B --protocol -is specified, or with the -.B -m -or -.B --match -options, followed by the matching module name; after these, various -extra command line options become available, depending on the specific -module. You can specify multiple extended match modules in one line, -and you can use the -.B -h -or -.B --help -options after the module has been specified to receive help specific -to that module. - -The following are included in the base package, and most of these can -be preceded by a -.B ! 
-to invert the sense of the match. -.SS ah -This module matches the SPIs in AH header of IPSec packets. -.TP -.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]" -.SS conntrack -This module, when combined with connection tracking, allows access to -more connection tracking information than the "state" match. -(this module is present only if iptables was compiled under a kernel -supporting this feature) -.TP -.BI "--ctstate " "state" -Where state is a comma separated list of the connection states to -match. Possible states are -.B INVALID -meaning that the packet is associated with no known connection, -.B ESTABLISHED -meaning that the packet is associated with a connection which has seen -packets in both directions, -.B NEW -meaning that the packet has started a new connection, or otherwise -associated with a connection which has not seen packets in both -directions, and -.B RELATED -meaning that the packet is starting a new connection, but is -associated with an existing connection, such as an FTP data transfer, -or an ICMP error. -.B SNAT -A virtual state, matching if the original source address differs from -the reply destination. -.B DNAT -A virtual state, matching if the original destination differs from the -reply source. -.TP -.BI "--ctproto " "proto" -Protocol to match (by number or name) -.TP -.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]" -Match against original source address -.TP -.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]" -Match against original destination address -.TP -.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]" -Match against reply source address -.TP -.BI "--ctrepldst " "[!] 
\fIaddress\fB[/\fImask\fP]" -Match against reply destination address -.TP -.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]" -Match against internal conntrack states -.TP -.BI "--ctexpire " "\fItime\fP[\fI:time\fP]" -Match remaining lifetime in seconds against given value -or range of values (inclusive) -.SS dscp -This module matches the 6 bit DSCP field within the TOS field in the -IP header. DSCP has superseded TOS within the IETF. -.TP -.BI "--dscp " "value" -Match against a numeric (decimal or hex) value [0-32]. -.TP -.BI "--dscp-class " "\fIDiffServ Class\fP" -Match the DiffServ class. This value may be any of the -BE, EF, AFxx or CSx classes. It will then be converted -into it's according numeric value. -.SS esp -This module matches the SPIs in ESP header of IPSec packets. -.TP -.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]" -.SS helper -This module matches packets related to a specific conntrack-helper. -.TP -.BI "--helper " "string" -Matches packets related to the specified conntrack-helper. -.RS -.PP -string can be "ftp" for packets related to a ftp-session on default port. -For other ports append -portnr to the value, ie. "ftp-2121". -.PP -Same rules apply for other conntrack-helpers. -.RE -.SS icmp -This extension is loaded if `--protocol icmp' is specified. It -provides the following option: -.TP -.BR "--icmp-type " "[!] \fItypename\fP" -This allows specification of the ICMP type, which can be a numeric -ICMP type, or one of the ICMP type names shown by the command -.nf - iptables -p icmp -h -.fi -.SS length -This module matches the length of a packet against a specific value -or range of values. -.TP -.BR "--length " "\fIlength\fP[:\fIlength\fP]" -.SS limit -This module matches at a limited rate using a token bucket filter. -A rule using this extension will match until this limit is reached -(unless the `!' flag is used). It can be used in combination with the -.B LOG -target to give limited logging, for example. 
-.TP -.BI "--limit " "rate" -Maximum average matching rate: specified as a number, with an optional -`/second', `/minute', `/hour', or `/day' suffix; the default is -3/hour. -.TP -.BI "--limit-burst " "number" -Maximum initial number of packets to match: this number gets -recharged by one every time the limit specified above is not reached, -up to this number; the default is 5. -.SS mac -.TP -.BR "--mac-source " "[!] \fIaddress\fP" -Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. -Note that this only makes sense for packets coming from an Ethernet device -and entering the -.BR PREROUTING , -.B FORWARD -or -.B INPUT -chains. -.SS mark -This module matches the netfilter mark field associated with a packet -(which can be set using the -.B MARK -target below). -.TP -.BR "--mark " "\fIvalue\fP[/\fImask\fP]" -Matches packets with the given unsigned mark value (if a mask is -specified, this is logically ANDed with the mask before the -comparison). -.SS multiport -This module matches a set of source or destination ports. Up to 15 -ports can be specified. It can only be used in conjunction with -.B "-p tcp" -or -.BR "-p udp" . -.TP -.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" -Match if the source port is one of the given ports. The flag -.B --sports -is a convenient alias for this option. -.TP -.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" -Match if the destination port is one of the given ports. The flag -.B --dports -is a convenient alias for this option. -.TP -.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" -Match if the both the source and destination ports are equal to each -other and to one of the given ports. -.SS owner -This module attempts to match various characteristics of the packet -creator, for locally-generated packets. It is only valid in the -.B OUTPUT -chain, and even this some packets (such as ICMP ping responses) may -have no owner, and hence never match. 
-.TP -.BI "--uid-owner " "userid" -Matches if the packet was created by a process with the given -effective user id. -.TP -.BI "--gid-owner " "groupid" -Matches if the packet was created by a process with the given -effective group id. -.TP -.BI "--pid-owner " "processid" -Matches if the packet was created by a process with the given -process id. -.TP -.BI "--sid-owner " "sessionid" -Matches if the packet was created by a process in the given session -group. -.TP -.BI "--cmd-owner " "name" -Matches if the packet was created by a process with the given command name. -(this option is present only if iptables was compiled under a kernel -supporting this feature) -.SS physdev -This module matches on the bridge port input and output devices enslaved -to a bridge device. This module is a part of the infrastructure that enables -a transparent bridging IP firewall and is only useful for kernel versions -above version 2.5.44. -.TP -.B --physdev-in name -Name of a bridge port via which a packet is received (only for -packets entering the -.BR INPUT , -.B FORWARD -and -.B PREROUTING -chains). If the interface name ends in a "+", then any -interface which begins with this name will match. If the packet didn't arrive -through a bridge device, this packet won't match this option, unless '!' is used. -.TP -.B --physdev-out name -Name of a bridge port via which a packet is going to be sent (for packets -entering the -.BR FORWARD , -.B OUTPUT -and -.B POSTROUTING -chains). If the interface name ends in a "+", then any -interface which begins with this name will match. Note that in the -.BR nat " and " mangle -.B OUTPUT -chains one cannot match on the bridge output port, however one can in the -.B "filter OUTPUT" -chain. If the packet won't leave by a bridge device or it is yet unknown what -the output device will be, then the packet won't match this option, unless -'!' is used. -.TP -.B --physdev-is-in -Matches if the packet has entered through a bridge interface. 
-.TP -.B --physdev-is-out -Matches if the packet will leave through a bridge interface. -.TP -.B --physdev-is-bridged -Matches if the packet is being bridged and therefore is not being routed. -This is only useful in the FORWARD and POSTROUTING chains. -.SS pkttype -This module matches the link-layer packet type. -.TP -.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]" -.SS state -This module, when combined with connection tracking, allows access to -the connection tracking state for this packet. -.TP -.BI "--state " "state" -Where state is a comma separated list of the connection states to -match. Possible states are -.B INVALID -meaning that the packet could not be identified for some reason which -includes running out of memory and ICMP errors which don't correspond to any -known connection, -.B ESTABLISHED -meaning that the packet is associated with a connection which has seen -packets in both directions, -.B NEW -meaning that the packet has started a new connection, or otherwise -associated with a connection which has not seen packets in both -directions, and -.B RELATED -meaning that the packet is starting a new connection, but is -associated with an existing connection, such as an FTP data transfer, -or an ICMP error. -.SS tcp -These extensions are loaded if `--protocol tcp' is specified. It -provides the following options: -.TP -.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" -Source port or port range specification. This can either be a service -name or a port number. An inclusive range can also be specified, -using the format -.IR port : port . -If the first port is omitted, "0" is assumed; if the last is omitted, -"65535" is assumed. -If the second port greater then the first they will be swapped. -The flag -.B --sport -is a convenient alias for this option. -.TP -.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" -Destination port or port range specification. The flag -.B --dport -is a convenient alias for this option. 
-.TP -.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP" -Match when the TCP flags are as specified. The first argument is the -flags which we should examine, written as a comma-separated list, and -the second argument is a comma-separated list of flags which must be -set. Flags are: -.BR "SYN ACK FIN RST URG PSH ALL NONE" . -Hence the command -.nf - iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -.fi -will only match packets with the SYN flag set, and the ACK, FIN and -RST flags unset. -.TP -.B "[!] --syn" -Only match TCP packets with the SYN bit set and the ACK and RST bits -cleared. Such packets are used to request TCP connection initiation; -for example, blocking such packets coming in an interface will prevent -incoming TCP connections, but outgoing TCP connections will be -unaffected. -It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP. -If the "!" flag precedes the "--syn", the sense of the -option is inverted. -.TP -.BR "--tcp-option " "[!] \fInumber\fP" -Match if TCP option set. -.TP -.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]" -Match TCP SYN or SYN/ACK packets with the specified MSS value (or range), -which control the maximum packet size for that connection. -.SS tos -This module matches the 8 bits of Type of Service field in the IP -header (ie. including the precedence bits). -.TP -.BI "--tos " "tos" -The argument is either a standard name, (use -.br - iptables -m tos -h -.br -to see the list), or a numeric value to match. -.SS ttl -This module matches the time to live field in the IP header. -.TP -.BI "--ttl " "ttl" -Matches the given TTL value. -.SS udp -These extensions are loaded if `--protocol udp' is specified. It -provides the following options: -.TP -.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" -Source port or port range specification. -See the description of the -.B --source-port -option of the TCP extension for details. -.TP -.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" -Destination port or port range specification. 
-See the description of the -.B --destination-port -option of the TCP extension for details. -.SS unclean -This module takes no options, but attempts to match packets which seem -malformed or unusual. This is regarded as experimental. -.SH TARGET EXTENSIONS -iptables can use extended target modules: the following are included -in the standard distribution. -.SS DNAT -This target is only valid in the -.B nat -table, in the -.B PREROUTING -and -.B OUTPUT -chains, and user-defined chains which are only called from those -chains. It specifies that the destination address of the packet -should be modified (and all future packets in this connection will -also be mangled), and rules should cease being examined. It takes one -type of option: -.TP -.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" -which can specify a single new destination IP address, an inclusive -range of IP addresses, and optionally, a port range (which is only -valid if the rule also specifies -.B "-p tcp" -or -.BR "-p udp" ). -If no port range is specified, then the destination port will never be -modified. -.RS -.PP -You can add several --to-destination options. If you specify more -than one destination address, either via an address range or multiple ---to-destination options, a simple round-robin (one after another in -cycle) load balancing takes place between these adresses. -.SS DSCP -This target allows to alter the value of the DSCP bits within the TOS -header of the IPv4 packet. As this manipulates a packet, it can only -be used in the mangle table. -.TP -.BI "--set-dscp " "value" -Set the DSCP field to a numerical value (can be decimal or hex) -.TP -.BI "--set-dscp-class " "class" -Set the DSCP field to a DiffServ class. -.SS ECN -This target allows to selectively work around known ECN blackholes. -It can only be used in the mangle table. -.TP -.BI "--ecn-tcp-remove" -Remove all ECN bits from the TCP header. 
Of course, it can only be used -in conjunction with -.BR "-p tcp" . -.SS LOG -Turn on kernel logging of matching packets. When this option is set -for a rule, the Linux kernel will print some information on all -matching packets (like most IP header fields) via the kernel log -(where it can be read with -.I dmesg -or -.IR syslogd (8)). -This is a "non-terminating target", i.e. rule traversal continues at -the next rule. So if you want to LOG the packets you refuse, use two -separate rules with the same matching criteria, first using target LOG -then DROP (or REJECT). -.TP -.BI "--log-level " "level" -Level of logging (numeric or see \fIsyslog.conf\fP(5)). -.TP -.BI "--log-prefix " "prefix" -Prefix log messages with the specified prefix; up to 29 letters long, -and useful for distinguishing messages in the logs. -.TP -.B --log-tcp-sequence -Log TCP sequence numbers. This is a security risk if the log is -readable by users. -.TP -.B --log-tcp-options -Log options from the TCP packet header. -.TP -.B --log-ip-options -Log options from the IP packet header. -.SS MARK -This is used to set the netfilter mark value associated with the -packet. It is only valid in the -.B mangle -table. It can for example be used in conjunction with iproute2. -.TP -.BI "--set-mark " "mark" -.SS MASQUERADE -This target is only valid in the -.B nat -table, in the -.B POSTROUTING -chain. It should only be used with dynamically assigned IP (dialup) -connections: if you have a static IP address, you should use the SNAT -target. Masquerading is equivalent to specifying a mapping to the IP -address of the interface the packet is going out, but also has the -effect that connections are -.I forgotten -when the interface goes down. This is the correct behavior when the -next dialup is unlikely to have the same interface address (and hence -any established connections are lost anyway). 
It takes one option: -.TP -.BR "--to-ports " "\fIport\fP[-\fIport\fP]" -This specifies a range of source ports to use, overriding the default -.B SNAT -source port-selection heuristics (see above). This is only valid -if the rule also specifies -.B "-p tcp" -or -.BR "-p udp" . -.SS MIRROR -This is an experimental demonstration target which inverts the source -and destination fields in the IP header and retransmits the packet. -It is only valid in the -.BR INPUT , -.B FORWARD -and -.B PREROUTING -chains, and user-defined chains which are only called from those -chains. Note that the outgoing packets are -.B NOT -seen by any packet filtering chains, connection tracking or NAT, to -avoid loops and other problems. -.SS REDIRECT -This target is only valid in the -.B nat -table, in the -.B PREROUTING -and -.B OUTPUT -chains, and user-defined chains which are only called from those -chains. It alters the destination IP address to send the packet to -the machine itself (locally-generated packets are mapped to the -127.0.0.1 address). It takes one option: -.TP -.BR "--to-ports " "\fIport\fP[-\fIport\fP]" -This specifies a destination port or range of ports to use: without -this, the destination port is never altered. This is only valid -if the rule also specifies -.B "-p tcp" -or -.BR "-p udp" . -.SS REJECT -This is used to send back an error packet in response to the matched -packet: otherwise it is equivalent to -.B DROP -so it is a terminating TARGET, ending rule traversal. -This target is only valid in the -.BR INPUT , -.B FORWARD -and -.B OUTPUT -chains, and user-defined chains which are only called from those -chains. 
The following option controls the nature of the error packet -returned: -.TP -.BI "--reject-with " "type" -The type given can be -.nf -.B " icmp-net-unreachable" -.B " icmp-host-unreachable" -.B " icmp-port-unreachable" -.B " icmp-proto-unreachable" -.B " icmp-net-prohibited" -.B " icmp-host-prohibited or" -.B " icmp-admin-prohibited (*)" -.fi -which return the appropriate ICMP error message (\fBport-unreachable\fP is -the default). The option -.B tcp-reset -can be used on rules which only match the TCP protocol: this causes a -TCP RST packet to be sent back. This is mainly useful for blocking -.I ident -(113/tcp) probes which frequently occur when sending mail to broken mail -hosts (which won't accept your mail otherwise). -.TP -(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT -.SS SNAT -This target is only valid in the -.B nat -table, in the -.B POSTROUTING -chain. It specifies that the source address of the packet should be -modified (and all future packets in this connection will also be -mangled), and rules should cease being examined. It takes one type -of option: -.TP -.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" -which can specify a single new source IP address, an inclusive range -of IP addresses, and optionally, a port range (which is only valid if -the rule also specifies -.B "-p tcp" -or -.BR "-p udp" ). -If no port range is specified, then source ports below 512 will be -mapped to other ports below 512: those between 512 and 1023 inclusive -will be mapped to ports below 1024, and other ports will be mapped to -1024 or above. Where possible, no port alteration will occur. -.RS -.PP -You can add several --to-source options. If you specify more -than one source address, either via an address range or multiple ---to-source options, a simple round-robin (one after another in -cycle) takes place between these adresses. 
-.SS TCPMSS -This target allows to alter the MSS value of TCP SYN packets, to control -the maximum size for that connection (usually limiting it to your -outgoing interface's MTU minus 40). Of course, it can only be used -in conjunction with -.BR "-p tcp" . -.br -This target is used to overcome criminally braindead ISPs or servers -which block ICMP Fragmentation Needed packets. The symptoms of this -problem are that everything works fine from your Linux -firewall/router, but machines behind it can never exchange large -packets: -.PD 0 -.RS 0.1i -.TP 0.3i -1) -Web browsers connect, then hang with no data received. -.TP -2) -Small mail works fine, but large emails hang. -.TP -3) -ssh works fine, but scp hangs after initial handshaking. -.RE -.PD -Workaround: activate this option and add a rule to your firewall -configuration like: -.nf - iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\ - -j TCPMSS --clamp-mss-to-pmtu -.fi -.TP -.BI "--set-mss " "value" -Explicitly set MSS option to specified value. -.TP -.B "--clamp-mss-to-pmtu" -Automatically clamp MSS value to (path_MTU - 40). -.TP -These options are mutually exclusive. -.SS TOS -This is used to set the 8-bit Type of Service field in the IP header. -It is only valid in the -.B mangle -table. -.TP -.BI "--set-tos " "tos" -You can use a numeric TOS values, or use -.nf - iptables -j TOS -h -.fi -to see the list of valid TOS names. -.SS ULOG -This target provides userspace logging of matching packets. When this -target is set for a rule, the Linux kernel will multicast this packet -through a -.IR netlink -socket. One or more userspace processes may then subscribe to various -multicast groups and receive the packets. -Like LOG, this is a "non-terminating target", i.e. rule traversal -continues at the next rule. -.TP -.BI "--ulog-nlgroup " "nlgroup" -This specifies the netlink group (1-32) to which the packet is sent. -Default value is 1. 
-.TP -.BI "--ulog-prefix " "prefix" -Prefix log messages with the specified prefix; up to 32 characters -long, and useful for distinguishing messages in the logs. -.TP -.BI "--ulog-cprange " "size" -Number of bytes to be copied to userspace. A value of 0 always copies -the entire packet, regardless of its size. Default is 0. -.TP -.BI "--ulog-qthreshold " "size" -Number of packet to queue inside kernel. Setting this value to, e.g. 10 -accumulates ten packets inside the kernel and transmits them as one -netlink multipart message to userspace. Default is 1 (for backwards -compatibility). -.br -.SH DIAGNOSTICS -Various error messages are printed to standard error. The exit code -is 0 for correct functioning. Errors which appear to be caused by -invalid or abused command line parameters cause an exit code of 2, and -other errors cause an exit code of 1. -.SH BUGS -Bugs? What's this? ;-) -Well... the counters are not reliable on sparc64. -.SH COMPATIBILITY WITH IPCHAINS -This -.B iptables -is very similar to ipchains by Rusty Russell. The main difference is -that the chains -.B INPUT -and -.B OUTPUT -are only traversed for packets coming into the local host and -originating from the local host respectively. Hence every packet only -passes through one of the three chains (except loopback traffic, which -involves both INPUT and OUTPUT chains); previously a forwarded packet -would pass through all three. -.PP -The other main difference is that -.B -i -refers to the input interface; -.B -o -refers to the output interface, and both are available for packets -entering the -.B FORWARD -chain. -.PP The various forms of NAT have been separated out; -.B iptables -is a pure packet filter when using the default `filter' table, with -optional extension modules. This should simplify much of the previous -confusion over the combination of IP masquerading and packet filtering -seen previously. 
So the following options are handled differently: -.nf - -j MASQ - -M -S - -M -L -.fi -There are several other changes in iptables. -.SH SEE ALSO -.BR iptables-save (8), -.BR iptables-restore (8), -.BR ip6tables (8), -.BR ip6tables-save (8), -.BR ip6tables-restore (8). -.P -The packet-filtering-HOWTO details iptables usage for -packet filtering, the NAT-HOWTO details NAT, -the netfilter-extensions-HOWTO details the extensions that are -not in the standard distribution, -and the netfilter-hacking-HOWTO details the netfilter internals. -.br -See -.BR "http://www.netfilter.org/" . -.SH AUTHORS -Rusty Russell wrote iptables, in early consultation with Michael -Neuling. -.PP -Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet -selection framework in iptables, then wrote the mangle table, the owner match, -the mark stuff, and ran around doing cool stuff everywhere. -.PP -James Morris wrote the TOS target, and tos match. -.PP -Jozsef Kadlecsik wrote the REJECT target. -.PP -Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets. -.PP -The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, -James Morris, Harald Welte and Rusty Russell. -.PP -Man page written by Herve Eychenne . -.\" .. and did I mention that we are incredibly cool people? -.\" .. sexy, too .. -.\" .. witty, charming, powerful .. -.\" .. and most of all, modest .. diff --git a/iptables.8.in b/iptables.8.in new file mode 100644 index 00000000..3f36fd80 --- /dev/null +++ b/iptables.8.in 
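Review bot: deleting iptables.8 wholesale removes every `.SS` entry under MATCH EXTENSIONS and TARGET EXTENSIONS (ah, conntrack, dscp, esp, helper, icmp, length, limit, mac, mark, multiport, owner, physdev, pkttype, state, tcp, tos, ttl, udp, unclean, and DNAT through ULOG), so each one needs a matching extensions/libipt_<name>.man snippet in this same commit or the generated page silently loses that documentation; please confirm the snippet set covers the full list rather than only the targets. While the text is being moved, the removed copy carries several defects that should not be reproduced verbatim in the snippets: the dscp match says it covers a "6 bit DSCP field" but then gives the range as "[0-32]" (six bits is 0-63), "it's according numeric value" should read "its corresponding numeric value", "If the second port greater then the first" should read "is greater than", "adresses" appears twice in the DNAT and SNAT paragraphs, and the REJECT footnote "(*) Using icmp-admin-prohibited ..." sits after a bare `.TP` with no tag line, which renders as an empty hanging tag.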
@@ -0,0 +1,464 @@ +.TH IPTABLES 8 "Mar 09, 2002" "" "" +.\" +.\" Man page written by Herve Eychenne (May 1999) +.\" It is based on ipchains page. +.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG) +.\" +.\" ipchains page by Paul ``Rusty'' Russell March 1997 +.\" Based on the original ipfwadm man page by Jos Vos +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 2 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software +.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +.\" +.\" +.SH NAME +iptables \- administration tool for IPv4 packet filtering and NAT +.SH SYNOPSIS +.BR "iptables [-t table] -[AD] " "chain rule-specification [options]" +.br +.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]" +.br +.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]" +.br +.BR "iptables [-t table] -D " "chain rulenum [options]" +.br +.BR "iptables [-t table] -[LFZ] " "[chain] [options]" +.br +.BR "iptables [-t table] -N " "chain" +.br +.BR "iptables [-t table] -X " "[chain]" +.br +.BR "iptables [-t table] -P " "chain target [options]" +.br +.BR "iptables [-t table] -E " "old-chain-name new-chain-name" +.SH DESCRIPTION +.B Iptables +is used to set up, maintain, and inspect the tables of IP packet +filter rules in the Linux kernel. Several different tables +may be defined. Each table contains a number of built-in +chains and may also contain user-defined chains. 
+ +Each chain is a list of rules which can match a set of packets. Each +rule specifies what to do with a packet that matches. This is called +a `target', which may be a jump to a user-defined chain in the same +table. + +.SH TARGETS +A firewall rule specifies criteria for a packet, and a target. If the +packet does not match, the next rule in the chain is the examined; if +it does match, then the next rule is specified by the value of the +target, which can be the name of a user-defined chain or one of the +special values +.IR ACCEPT , +.IR DROP , +.IR QUEUE , +or +.IR RETURN . +.PP +.I ACCEPT +means to let the packet through. +.I DROP +means to drop the packet on the floor. +.I QUEUE +means to pass the packet to userspace (if supported by the kernel). +.I RETURN +means stop traversing this chain and resume at the next rule in the +previous (calling) chain. If the end of a built-in chain is reached +or a rule in a built-in chain with target +.I RETURN +is matched, the target specified by the chain policy determines the +fate of the packet. +.SH TABLES +There are currently three independent tables (which tables are present +at any time depends on the kernel configuration options and which +modules are present). +.TP +.BI "-t, --table " "table" +This option specifies the packet matching table which the command +should operate on. If the kernel is configured with automatic module +loading, an attempt will be made to load the appropriate module for +that table if it is not already there. + +The tables are as follows: +.RS +.TP .4i +.BR "filter" : +This is the default table (if no -t option is passed). It contains +the built-in chains +.B INPUT +(for packets coming into the box itself), +.B FORWARD +(for packets being routed through the box), and +.B OUTPUT +(for locally-generated packets). +.TP +.BR "nat" : +This table is consulted when a packet that creates a new +connection is encountered. 
It consists of three built-ins: +.B PREROUTING +(for altering packets as soon as they come in), +.B OUTPUT +(for altering locally-generated packets before routing), and +.B POSTROUTING +(for altering packets as they are about to go out). +.TP +.BR "mangle" : +This table is used for specialized packet alteration. Until kernel +2.4.17 it had two built-in chains: +.B PREROUTING +(for altering incoming packets before routing) and +.B OUTPUT +(for altering locally-generated packets before routing). +Since kernel 2.4.18, three other built-in chains are also supported: +.B INPUT +(for packets coming into the box itself), +.B FORWARD +(for altering packets being routed through the box), and +.B POSTROUTING +(for altering packets as they are about to go out). +.RE +.SH OPTIONS +The options that are recognized by +.B iptables +can be divided into several different groups. +.SS COMMANDS +These options specify the specific action to perform. Only one of them +can be specified on the command line unless otherwise specified +below. For all the long versions of the command and option names, you +need to use only enough letters to ensure that +.B iptables +can differentiate it from all other options. +.TP +.BI "-A, --append " "chain rule-specification" +Append one or more rules to the end of the selected chain. +When the source and/or destination names resolve to more than one +address, a rule will be added for each possible address combination. +.TP +.BI "-D, --delete " "chain rule-specification" +.ns +.TP +.BI "-D, --delete " "chain rulenum" +Delete one or more rules from the selected chain. There are two +versions of this command: the rule can be specified as a number in the +chain (starting at 1 for the first rule) or a rule to match. +.TP +.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP" +Insert one or more rules in the selected chain as the given rule +number. So, if the rule number is 1, the rule or rules are inserted +at the head of the chain. 
This is also the default if no rule number +is specified. +.TP +.BI "-R, --replace " "chain rulenum rule-specification" +Replace a rule in the selected chain. If the source and/or +destination names resolve to multiple addresses, the command will +fail. Rules are numbered starting at 1. +.TP +.BR "-L, --list " "[\fIchain\fP]" +List all rules in the selected chain. If no chain is selected, all +chains are listed. As every other iptables command, it applies to the +specified table (filter is the default), so NAT rules get listed by +.nf + iptables -t nat -n -L +.fi +Please note that it is often used with the +.B -n +option, in order to avoid long reverse DNS lookups. +It is legal to specify the +.B -Z +(zero) option as well, in which case the chain(s) will be atomically +listed and zeroed. The exact output is affected by the other +arguments given. The exact rules are suppressed until you use +.nf + iptables -L -v +.fi +.TP +.BR "-F, --flush " "[\fIchain\fP]" +Flush the selected chain (all the chains in the table if none is given). +This is equivalent to deleting all the rules one by one. +.TP +.BR "-Z, --zero " "[\fIchain\fP]" +Zero the packet and byte counters in all chains. It is legal to +specify the +.B "-L, --list" +(list) option as well, to see the counters immediately before they are +cleared. (See above.) +.TP +.BI "-N, --new-chain " "chain" +Create a new user-defined chain by the given name. There must be no +target of that name already. +.TP +.BR "-X, --delete-chain " "[\fIchain\fP]" +Delete the optional user-defined chain specified. There must be no references +to the chain. If there are, you must delete or replace the referring +rules before the chain can be deleted. If no argument is given, it +will attempt to delete every non-builtin chain in the table. +.TP +.BI "-P, --policy " "chain target" +Set the policy for the chain to the given target. See the section +.B TARGETS +for the legal targets. 
Only built-in (non-user-defined) chains can have +policies, and neither built-in nor user-defined chains can be policy +targets. +.TP +.BI "-E, --rename-chain " "old-chain new-chain" +Rename the user specified chain to the user supplied name. This is +cosmetic, and has no effect on the structure of the table. +.TP +.B -h +Help. +Give a (currently very brief) description of the command syntax. +.SS PARAMETERS +The following parameters make up a rule specification (as used in the +add, delete, insert, replace and append commands). +.TP +.BR "-p, --protocol " "[!] \fIprotocol\fP" +The protocol of the rule or of the packet to check. +The specified protocol can be one of +.IR tcp , +.IR udp , +.IR icmp , +or +.IR all , +or it can be a numeric value, representing one of these protocols or a +different one. A protocol name from /etc/protocols is also allowed. +A "!" argument before the protocol inverts the +test. The number zero is equivalent to +.IR all . +Protocol +.I all +will match with all protocols and is taken as default when this +option is omitted. +.TP +.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]" +Source specification. +.I Address +can be either a network name, a hostname (please note that specifying +any name to be resolved with a remote query such as DNS is a really bad idea), +a network IP address (with /mask), or a plain IP address. +The +.I mask +can be either a network mask or a plain number, +specifying the number of 1's at the left side of the network mask. +Thus, a mask of +.I 24 +is equivalent to +.IR 255.255.255.0 . +A "!" argument before the address specification inverts the sense of +the address. The flag +.B --src +is an alias for this option. +.TP +.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]" +Destination specification. +See the description of the +.B -s +(source) flag for a detailed description of the syntax. The flag +.B --dst +is an alias for this option. 
+.TP +.BI "-j, --jump " "target" +This specifies the target of the rule; i.e., what to do if the packet +matches it. The target can be a user-defined chain (other than the +one this rule is in), one of the special builtin targets which decide +the fate of the packet immediately, or an extension (see +.B EXTENSIONS +below). If this +option is omitted in a rule, then matching the rule will have no +effect on the packet's fate, but the counters on the rule will be +incremented. +.TP +.BR "-i, --in-interface " "[!] \fIname\fP" +Name of an interface via which a packet is going to be received (only for +packets entering the +.BR INPUT , +.B FORWARD +and +.B PREROUTING +chains). When the "!" argument is used before the interface name, the +sense is inverted. If the interface name ends in a "+", then any +interface which begins with this name will match. If this option is +omitted, any interface name will match. +.TP +.BR "-o, --out-interface " "[!] \fIname\fP" +Name of an interface via which a packet is going to be sent (for packets +entering the +.BR FORWARD , +.B OUTPUT +and +.B POSTROUTING +chains). When the "!" argument is used before the interface name, the +sense is inverted. If the interface name ends in a "+", then any +interface which begins with this name will match. If this option is +omitted, any interface name will match. +.TP +.B "[!] " "-f, --fragment" +This means that the rule only refers to second and further fragments +of fragmented packets. Since there is no way to tell the source or +destination ports of such a packet (or ICMP type), such a packet will +not match any rules which specify them. When the "!" argument +precedes the "-f" flag, the rule will only match head fragments, or +unfragmented packets. +.TP +.BI "-c, --set-counters " "PKTS BYTES" +This enables the administrator to initialize the packet and byte +counters of a rule (during +.B INSERT, +.B APPEND, +.B REPLACE +operations). 
+.SS "OTHER OPTIONS" +The following additional options can be specified: +.TP +.B "-v, --verbose" +Verbose output. This option makes the list command show the interface +name, the rule options (if any), and the TOS masks. The packet and +byte counters are also listed, with the suffix 'K', 'M' or 'G' for +1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see +the +.B -x +flag to change this). +For appending, insertion, deletion and replacement, this causes +detailed information on the rule or rules to be printed. +.TP +.B "-n, --numeric" +Numeric output. +IP addresses and port numbers will be printed in numeric format. +By default, the program will try to display them as host names, +network names, or services (whenever applicable). +.TP +.B "-x, --exact" +Expand numbers. +Display the exact value of the packet and byte counters, +instead of only the rounded number in K's (multiples of 1000) +M's (multiples of 1000K) or G's (multiples of 1000M). This option is +only relevant for the +.B -L +command. +.TP +.B "--line-numbers" +When listing rules, add line numbers to the beginning of each rule, +corresponding to that rule's position in the chain. +.TP +.B "--modprobe=command" +When adding or inserting rules into a chain, use +.B command +to load any necessary modules (targets, match extensions, etc). +.SH MATCH EXTENSIONS +iptables can use extended packet matching modules. These are loaded +in two ways: implicitly, when +.B -p +or +.B --protocol +is specified, or with the +.B -m +or +.B --match +options, followed by the matching module name; after these, various +extra command line options become available, depending on the specific +module. You can specify multiple extended match modules in one line, +and you can use the +.B -h +or +.B --help +options after the module has been specified to receive help specific +to that module. + +The following are included in the base package, and most of these can +be preceded by a +.B ! 
+to invert the sense of the match. +.\" @MATCH@ +.SH TARGET EXTENSIONS +iptables can use extended target modules: the following are included +in the standard distribution. +.\" @TARGET@ +.SH DIAGNOSTICS +Various error messages are printed to standard error. The exit code +is 0 for correct functioning. Errors which appear to be caused by +invalid or abused command line parameters cause an exit code of 2, and +other errors cause an exit code of 1. +.SH BUGS +Bugs? What's this? ;-) +Well... the counters are not reliable on sparc64. +.SH COMPATIBILITY WITH IPCHAINS +This +.B iptables +is very similar to ipchains by Rusty Russell. The main difference is +that the chains +.B INPUT +and +.B OUTPUT +are only traversed for packets coming into the local host and +originating from the local host respectively. Hence every packet only +passes through one of the three chains (except loopback traffic, which +involves both INPUT and OUTPUT chains); previously a forwarded packet +would pass through all three. +.PP +The other main difference is that +.B -i +refers to the input interface; +.B -o +refers to the output interface, and both are available for packets +entering the +.B FORWARD +chain. +.PP The various forms of NAT have been separated out; +.B iptables +is a pure packet filter when using the default `filter' table, with +optional extension modules. This should simplify much of the previous +confusion over the combination of IP masquerading and packet filtering +seen previously. So the following options are handled differently: +.nf + -j MASQ + -M -S + -M -L +.fi +There are several other changes in iptables. +.SH SEE ALSO +.BR iptables-save (8), +.BR iptables-restore (8), +.BR ip6tables (8), +.BR ip6tables-save (8), +.BR ip6tables-restore (8). 
+.P +The packet-filtering-HOWTO details iptables usage for +packet filtering, the NAT-HOWTO details NAT, +the netfilter-extensions-HOWTO details the extensions that are +not in the standard distribution, +and the netfilter-hacking-HOWTO details the netfilter internals. +.br +See +.BR "http://www.netfilter.org/" . +.SH AUTHORS +Rusty Russell wrote iptables, in early consultation with Michael +Neuling. +.PP +Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet +selection framework in iptables, then wrote the mangle table, the owner match, +the mark stuff, and ran around doing cool stuff everywhere. +.PP +James Morris wrote the TOS target, and tos match. +.PP +Jozsef Kadlecsik wrote the REJECT target. +.PP +Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets. +.PP +The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, +James Morris, Harald Welte and Rusty Russell. +.PP +Man page written by Herve Eychenne . +.\" .. and did I mention that we are incredibly cool people? +.\" .. sexy, too .. +.\" .. witty, charming, powerful .. +.\" .. and most of all, modest ..
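Review bot: in the COMPATIBILITY WITH IPCHAINS section, the line `.PP The various forms of NAT have been separated out;` puts text on the macro line; the man `.PP` macro takes no arguments and discards whatever follows it, so the rendered paragraph begins at `iptables is a pure packet filter when using the default ...` with its opening clause silently missing. Put the sentence on the line after `.PP`, as the other paragraphs in that section already do.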
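Review bot: the `-L, --list` entry says `The exact rules are suppressed until you use iptables -L -v`, which overstates what plain `-L` hides and contradicts the `-v, --verbose` entry in OTHER OPTIONS, which lists exactly what `-v` adds to a listing (interface names, rule options, TOS masks, and the packet and byte counters). Reword the `-L` sentence to say that those fields are not shown unless `-v` is given, so an administrator reading only the `-L` entry does not conclude that rules themselves are hidden.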
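Review bot: the `.\" @MATCH@` and `.\" @TARGET@` placeholder lines under MATCH EXTENSIONS and TARGET EXTENSIONS are troff comments, so a page in which the per-extension snippets were never spliced in still formats without any error and simply ends both sections after their one introductory sentence. Have the build step that expands the markers fail if either string is still present in the generated page, and add a comment beside each marker naming the rule that performs the substitution, so the next person editing this file knows the sections are generated.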
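Review bot: in the `-c, --set-counters` entry, `.B INSERT,` `.B APPEND,` and `.B REPLACE` set the trailing commas in bold; use `.BR INSERT ,` and `.BR APPEND ,` so only the command names are emphasised, matching the `.BR INPUT ,` and `.BR FORWARD ,` forms used in the `-i` and `-o` entries. In the same region, `.B "[!] " "-f, --fragment"` is the only option header written with `.B` rather than the `.BR`/`.BI` forms used for every other flag; make it consistent so the optional `!` renders the same way as in `-p`, `-s` and `-d`.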