X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=iptables.8;fp=iptables.8;h=311a0303206dd52926ee90c58a5348a54babf710;hb=47de4bdebcf993db3a285047a8f977c94c87e9ec;hp=0000000000000000000000000000000000000000;hpb=3bbf6cde0b81310fdef47ebead675dfa6d346f8b;p=iptables.git diff --git a/iptables.8 b/iptables.8 new file mode 100644 index 0000000..311a030 --- /dev/null +++ b/iptables.8 
@@ -0,0 +1,1931 @@ +.TH IPTABLES 8 "Mar 09, 2002" "" "" +.\" +.\" Man page written by Herve Eychenne (May 1999) +.\" It is based on ipchains page. +.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG) +.\" +.\" ipchains page by Paul ``Rusty'' Russell March 1997 +.\" Based on the original ipfwadm man page by Jos Vos +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 2 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software +.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +.\" +.\" +.SH NAME +iptables \- administration tool for IPv4 packet filtering and NAT +.SH SYNOPSIS +.BR "iptables [-t table] -[AD] " "chain rule-specification [options]" +.br +.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]" +.br +.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]" +.br +.BR "iptables [-t table] -D " "chain rulenum [options]" +.br +.BR "iptables [-t table] -[LFZ] " "[chain] [options]" +.br +.BR "iptables [-t table] -N " "chain" +.br +.BR "iptables [-t table] -X " "[chain]" +.br +.BR "iptables [-t table] -P " "chain target [options]" +.br +.BR "iptables [-t table] -E " "old-chain-name new-chain-name" +.SH DESCRIPTION +.B Iptables +is used to set up, maintain, and inspect the tables of IP packet +filter rules in the Linux kernel. Several different tables +may be defined. Each table contains a number of built-in +chains and may also contain user-defined chains. 
+ +Each chain is a list of rules which can match a set of packets. Each +rule specifies what to do with a packet that matches. This is called +a `target', which may be a jump to a user-defined chain in the same +table. + +.SH TARGETS +A firewall rule specifies criteria for a packet, and a target. If the +packet does not match, the next rule in the chain is the examined; if +it does match, then the next rule is specified by the value of the +target, which can be the name of a user-defined chain or one of the +special values +.IR ACCEPT , +.IR DROP , +.IR QUEUE , +or +.IR RETURN . +.PP +.I ACCEPT +means to let the packet through. +.I DROP +means to drop the packet on the floor. +.I QUEUE +means to pass the packet to userspace (if supported by the kernel). +.I RETURN +means stop traversing this chain and resume at the next rule in the +previous (calling) chain. If the end of a built-in chain is reached +or a rule in a built-in chain with target +.I RETURN +is matched, the target specified by the chain policy determines the +fate of the packet. +.SH TABLES +There are currently three independent tables (which tables are present +at any time depends on the kernel configuration options and which +modules are present). +.TP +.BI "-t, --table " "table" +This option specifies the packet matching table which the command +should operate on. If the kernel is configured with automatic module +loading, an attempt will be made to load the appropriate module for +that table if it is not already there. + +The tables are as follows: +.RS +.TP .4i +.BR "filter" : +This is the default table (if no -t option is passed). It contains +the built-in chains +.B INPUT +(for packets destined to local sockets), +.B FORWARD +(for packets being routed through the box), and +.B OUTPUT +(for locally-generated packets). +.TP +.BR "nat" : +This table is consulted when a packet that creates a new +connection is encountered. 
It consists of three built-ins: +.B PREROUTING +(for altering packets as soon as they come in), +.B OUTPUT +(for altering locally-generated packets before routing), and +.B POSTROUTING +(for altering packets as they are about to go out). +.TP +.BR "mangle" : +This table is used for specialized packet alteration. Until kernel +2.4.17 it had two built-in chains: +.B PREROUTING +(for altering incoming packets before routing) and +.B OUTPUT +(for altering locally-generated packets before routing). +Since kernel 2.4.18, three other built-in chains are also supported: +.B INPUT +(for packets coming into the box itself), +.B FORWARD +(for altering packets being routed through the box), and +.B POSTROUTING +(for altering packets as they are about to go out). +.TP +.BR "raw" : +This table is used mainly for configuring exemptions from connection +tracking in combination with the NOTRACK target. It registers at the netfilter +hooks with higher priority and is thus called before ip_conntrack, or any other +IP tables. It provides the following built-in chains: +.B PREROUTING +(for packets arriving via any network interface) +.B OUTPUT +(for packets generated by local processes) +.RE +.SH OPTIONS +The options that are recognized by +.B iptables +can be divided into several different groups. +.SS COMMANDS +These options specify the specific action to perform. Only one of them +can be specified on the command line unless otherwise specified +below. For all the long versions of the command and option names, you +need to use only enough letters to ensure that +.B iptables +can differentiate it from all other options. +.TP +.BI "-A, --append " "chain rule-specification" +Append one or more rules to the end of the selected chain. +When the source and/or destination names resolve to more than one +address, a rule will be added for each possible address combination. 
+.TP +.BI "-D, --delete " "chain rule-specification" +.ns +.TP +.BI "-D, --delete " "chain rulenum" +Delete one or more rules from the selected chain. There are two +versions of this command: the rule can be specified as a number in the +chain (starting at 1 for the first rule) or a rule to match. +.TP +.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP" +Insert one or more rules in the selected chain as the given rule +number. So, if the rule number is 1, the rule or rules are inserted +at the head of the chain. This is also the default if no rule number +is specified. +.TP +.BI "-R, --replace " "chain rulenum rule-specification" +Replace a rule in the selected chain. If the source and/or +destination names resolve to multiple addresses, the command will +fail. Rules are numbered starting at 1. +.TP +.BR "-L, --list " "[\fIchain\fP]" +List all rules in the selected chain. If no chain is selected, all +chains are listed. As every other iptables command, it applies to the +specified table (filter is the default), so NAT rules get listed by +.nf + iptables -t nat -n -L +.fi +Please note that it is often used with the +.B -n +option, in order to avoid long reverse DNS lookups. +It is legal to specify the +.B -Z +(zero) option as well, in which case the chain(s) will be atomically +listed and zeroed. The exact output is affected by the other +arguments given. The exact rules are suppressed until you use +.nf + iptables -L -v +.fi +.TP +.BR "-F, --flush " "[\fIchain\fP]" +Flush the selected chain (all the chains in the table if none is given). +This is equivalent to deleting all the rules one by one. +.TP +.BR "-Z, --zero " "[\fIchain\fP]" +Zero the packet and byte counters in all chains. It is legal to +specify the +.B "-L, --list" +(list) option as well, to see the counters immediately before they are +cleared. (See above.) +.TP +.BI "-N, --new-chain " "chain" +Create a new user-defined chain by the given name. 
There must be no +target of that name already. +.TP +.BR "-X, --delete-chain " "[\fIchain\fP]" +Delete the optional user-defined chain specified. There must be no references +to the chain. If there are, you must delete or replace the referring +rules before the chain can be deleted. If no argument is given, it +will attempt to delete every non-builtin chain in the table. +.TP +.BI "-P, --policy " "chain target" +Set the policy for the chain to the given target. See the section +.B TARGETS +for the legal targets. Only built-in (non-user-defined) chains can have +policies, and neither built-in nor user-defined chains can be policy +targets. +.TP +.BI "-E, --rename-chain " "old-chain new-chain" +Rename the user specified chain to the user supplied name. This is +cosmetic, and has no effect on the structure of the table. +.TP +.B -h +Help. +Give a (currently very brief) description of the command syntax. +.SS PARAMETERS +The following parameters make up a rule specification (as used in the +add, delete, insert, replace and append commands). +.TP +.BR "-p, --protocol " "[!] \fIprotocol\fP" +The protocol of the rule or of the packet to check. +The specified protocol can be one of +.IR tcp , +.IR udp , +.IR icmp , +or +.IR all , +or it can be a numeric value, representing one of these protocols or a +different one. A protocol name from /etc/protocols is also allowed. +A "!" argument before the protocol inverts the +test. The number zero is equivalent to +.IR all . +Protocol +.I all +will match with all protocols and is taken as default when this +option is omitted. +.TP +.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]" +Source specification. +.I Address +can be either a network name, a hostname (please note that specifying +any name to be resolved with a remote query such as DNS is a really bad idea), +a network IP address (with /mask), or a plain IP address. 
+The +.I mask +can be either a network mask or a plain number, +specifying the number of 1's at the left side of the network mask. +Thus, a mask of +.I 24 +is equivalent to +.IR 255.255.255.0 . +A "!" argument before the address specification inverts the sense of +the address. The flag +.B --src +is an alias for this option. +.TP +.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]" +Destination specification. +See the description of the +.B -s +(source) flag for a detailed description of the syntax. The flag +.B --dst +is an alias for this option. +.TP +.BI "-j, --jump " "target" +This specifies the target of the rule; i.e., what to do if the packet +matches it. The target can be a user-defined chain (other than the +one this rule is in), one of the special builtin targets which decide +the fate of the packet immediately, or an extension (see +.B EXTENSIONS +below). If this +option is omitted in a rule, then matching the rule will have no +effect on the packet's fate, but the counters on the rule will be +incremented. +.TP +.BR "-i, --in-interface " "[!] \fIname\fP" +Name of an interface via which a packet was received (only for +packets entering the +.BR INPUT , +.B FORWARD +and +.B PREROUTING +chains). When the "!" argument is used before the interface name, the +sense is inverted. If the interface name ends in a "+", then any +interface which begins with this name will match. If this option is +omitted, any interface name will match. +.TP +.BR "-o, --out-interface " "[!] \fIname\fP" +Name of an interface via which a packet is going to be sent (for packets +entering the +.BR FORWARD , +.B OUTPUT +and +.B POSTROUTING +chains). When the "!" argument is used before the interface name, the +sense is inverted. If the interface name ends in a "+", then any +interface which begins with this name will match. If this option is +omitted, any interface name will match. +.TP +.B "[!] 
" "-f, --fragment" +This means that the rule only refers to second and further fragments +of fragmented packets. Since there is no way to tell the source or +destination ports of such a packet (or ICMP type), such a packet will +not match any rules which specify them. When the "!" argument +precedes the "-f" flag, the rule will only match head fragments, or +unfragmented packets. +.TP +.BI "-c, --set-counters " "PKTS BYTES" +This enables the administrator to initialize the packet and byte +counters of a rule (during +.B INSERT, +.B APPEND, +.B REPLACE +operations). +.SS "OTHER OPTIONS" +The following additional options can be specified: +.TP +.B "-v, --verbose" +Verbose output. This option makes the list command show the interface +name, the rule options (if any), and the TOS masks. The packet and +byte counters are also listed, with the suffix 'K', 'M' or 'G' for +1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see +the +.B -x +flag to change this). +For appending, insertion, deletion and replacement, this causes +detailed information on the rule or rules to be printed. +.TP +.B "-n, --numeric" +Numeric output. +IP addresses and port numbers will be printed in numeric format. +By default, the program will try to display them as host names, +network names, or services (whenever applicable). +.TP +.B "-x, --exact" +Expand numbers. +Display the exact value of the packet and byte counters, +instead of only the rounded number in K's (multiples of 1000) +M's (multiples of 1000K) or G's (multiples of 1000M). This option is +only relevant for the +.B -L +command. +.TP +.B "--line-numbers" +When listing rules, add line numbers to the beginning of each rule, +corresponding to that rule's position in the chain. +.TP +.B "--modprobe=command" +When adding or inserting rules into a chain, use +.B command +to load any necessary modules (targets, match extensions, etc). +.SH MATCH EXTENSIONS +iptables can use extended packet matching modules. 
These are loaded +in two ways: implicitly, when +.B -p +or +.B --protocol +is specified, or with the +.B -m +or +.B --match +options, followed by the matching module name; after these, various +extra command line options become available, depending on the specific +module. You can specify multiple extended match modules in one line, +and you can use the +.B -h +or +.B --help +options after the module has been specified to receive help specific +to that module. + +The following are included in the base package, and most of these can +be preceded by a +.B ! +to invert the sense of the match. +.\" @MATCH@ +.SS account +Account traffic for all hosts in defined network/netmask. + +Features: + +- long (one counter per protocol TCP/UDP/IMCP/Other) and short statistics + +- one iptables rule for all hosts in network/netmask + +- loading/saving counters (by reading/writting to procfs entries) + +.TP +.BI "--aaddr " "network/netmask" +defines network/netmask for which make statistics. +.TP +.BI "--aname " "name" +defines name of list where statistics will be kept. If no is +specified DEFAULT will be used. +.TP +.B "--ashort" +table will colect only short statistics (only total counters +without splitting it into protocols. 
+.P +Example usage: + +account traffic for/to 192.168.0.0/24 network into table mynetwork: + +# iptables -A FORWARD -m account --aname mynetwork --aaddr 192.168.0.0/24 + +account traffic for/to WWW serwer for 192.168.0.0/24 network into table mywwwserver: + +# iptables -A INPUT -p tcp --dport 80 + -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort + +# iptables -A OUTPUT -p tcp --sport 80 + -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort + +read counters: + +# cat /proc/net/ipt_account/mynetwork +# cat /proc/net/ipt_account/mywwwserver + +set counters: + +# echo "ip = 192.168.0.1 packets_src = 0" > /proc/net/ipt_account/mywwserver + +Webpage: + http://www.barbara.eu.org/~quaker/ipt_account/ +.SS addrtype +This module matches packets based on their +.B address type. +Address types are used within the kernel networking stack and categorize +addresses into various groups. The exact definition of that group depends on the specific layer three protocol. +.TP +The following address types are possible: +.TP +.BI "UNSPEC" +an unspecified address (i.e. 0.0.0.0) +.BI "UNICAST" +an unicast address +.BI "LOCAL" +a local address +.BI "BROADCAST" +a broadcast address +.BI "ANYCAST" +an anycast packet +.BI "MULTICAST" +a multicast address +.BI "BLACKHOLE" +a blackhole address +.BI "UNREACHABLE" +an unreachable address +.BI "PROHIBIT" +a prohibited address +.BI "THROW" +FIXME +.BI "NAT" +FIXME +.BI "XRESOLVE" +FIXME +.TP +.BI "--src-type " "type" +Matches if the source address is of given type +.TP +.BI "--dst-type " "type" +Matches if the destination address is of given type +.SS ah +This module matches the SPIs in AH header of IPSec packets. +.TP +.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]" +.SS childlevel +This is an experimental module. It matches on whether the +packet is part of a master connection or one of its children (or grandchildren, +etc). For instance, most packets are level 0. FTP data transfer is level 1. +.TP +.BR "--childlevel " "[!] 
\fIlevel\fP" +.SS comment +Allows you to add comments (up to 256 characters) to any rule. +.TP +.BI "--comment " "comment" +.TP +Example: +iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block" +.SS condition +This matches if a specific /proc filename is '0' or '1'. +.TP +.BI "--condition " "[!] filename" +Match on boolean value stored in /proc/net/ipt_condition/filename file +.SS connbytes +Match by how many bytes or packets a connection (or one of the two +flows constituting the connection) have tranferred so far, or by +average bytes per packet. + +The counters are 64bit and are thus not expected to overflow ;) + +The primary use is to detect long-lived downloads and mark them to be +scheduled using a lower priority band in traffic control. + +The transfered bytes per connection can also be viewed through +/proc/net/ip_conntrack and accessed via ctnetlink +.TP +[\fB!\fR]\fB --connbytes \fIfrom\fB:\fR[\fIto\fR] +match packets from a connection whose packets/bytes/average packet +size is more than FROM and less than TO bytes/packets. if TO is +omitted only FROM check is done. "!" is used to match packets not +falling in the range. +.TP +\fB--connbytes-dir\fR [\fBoriginal\fR|\fBreply\fR|\fBboth\fR] +which packets to consider +.TP +\fB--connbytes-mode\fR [\fBpackets\fR|\fBbytes\fR|\fBavgpkt\fR] +whether to check the amount of packets, number of bytes transferred or +the average size (in bytes) of all packets received so far. Note that +when "both" is used together with "avgpkt", and data is going (mainly) +only in one direction (for example HTTP), the average packet size will +be about half of the actual data packets. +.TP +Example: +iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... +.SS connlimit +Allows you to restrict the number of parallel TCP connections to a +server per client IP address (or address block). 
+.TP +[\fB!\fR] \fB--connlimit-above \fIn\fR +match if the number of existing tcp connections is (not) above n +.TP +.BI "--connlimit-mask " "bits" +group hosts using mask +.P +Examples: +.TP +# allow 2 telnet connections per client host +iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT +.TP +# you can also match the other way around: +iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT +.TP +# limit the nr of parallel http requests to 16 per class C sized \ +network (24 bit netmask) +iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 +--connlimit-mask 24 -j REJECT +.SS connmark +This module matches the netfilter mark field associated with a connection +(which can be set using the +.B CONNMARK +target below). +.TP +.BI "--mark " "value[/mask]" +Matches packets in connections with the given mark value (if a mask is +specified, this is logically ANDed with the mark before the +comparison). +.SS connrate +This module matches the current transfer rate in a connection. +.TP +.BI "--connrate " "[!] [\fIfrom\fP]:[\fIto\fP]" +Match against the current connection transfer rate being within 'from' +and 'to' bytes per second. When the "!" argument is used before the +range, the sense of the match is inverted. +.SS conntrack +This module, when combined with connection tracking, allows access to +more connection tracking information than the "state" match. +(this module is present only if iptables was compiled under a kernel +supporting this feature) +.TP +.BI "--ctstate " "state" +Where state is a comma separated list of the connection states to +match. 
Possible states are +.B INVALID +meaning that the packet is associated with no known connection, +.B ESTABLISHED +meaning that the packet is associated with a connection which has seen +packets in both directions, +.B NEW +meaning that the packet has started a new connection, or otherwise +associated with a connection which has not seen packets in both +directions, and +.B RELATED +meaning that the packet is starting a new connection, but is +associated with an existing connection, such as an FTP data transfer, +or an ICMP error. +.B SNAT +A virtual state, matching if the original source address differs from +the reply destination. +.B DNAT +A virtual state, matching if the original destination differs from the +reply source. +.TP +.BI "--ctproto " "proto" +Protocol to match (by number or name) +.TP +.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]" +Match against original source address +.TP +.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]" +Match against original destination address +.TP +.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]" +Match against reply source address +.TP +.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]" +Match against reply destination address +.TP +.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]" +Match against internal conntrack states +.TP +.BI "--ctexpire " "\fItime\fP[\fI:time\fP]" +Match remaining lifetime in seconds against given value +or range of values (inclusive) +.SS dscp +This module matches the 6 bit DSCP field within the TOS field in the +IP header. DSCP has superseded TOS within the IETF. +.TP +.BI "--dscp " "value" +Match against a numeric (decimal or hex) value [0-32]. +.TP +.BI "--dscp-class " "\fIDiffServ Class\fP" +Match the DiffServ class. This value may be any of the +BE, EF, AFxx or CSx classes. It will then be converted +into it's according numeric value. +.SS dstlimit +This module allows you to limit the packet per second (pps) rate on a per +destination IP or per destination port base. 
As opposed to the `limit' match, +every destination ip / destination port has it's own limit. +.TP +.BI "--dstlimit " "avg" +Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes). +.TP +.BI "--dstlimit-mode " "mode" +The limiting hashmode. Is the specified limit per +.B dstip, dstip-dstport +tuple, +.B srcip-dstip +tuple, or per +.B srcipdstip-dstport +tuple. +.TP +.BI "--dstlimit-name " "name" +Name for /proc/net/ipt_dstlimit/* file entry +.TP +.BI "[" "--dstlimit-burst " "burst" "]" +Number of packets to match in a burst. Default: 5 +.TP +.BI "[" "--dstlimit-htable-size " "size" "]" +Number of buckets in the hashtable +.TP +.BI "[" "--dstlimit-htable-max " "max" "]" +Maximum number of entries in the hashtable +.TP +.BI "[" "--dstlimit-htable-gcinterval " "interval" "]" +Interval between garbage collection runs of the hashtable (in miliseconds). +Default is 1000 (1 second). +.TP +.BI "[" "--dstlimit-htable-expire " "time" +After which time are idle entries expired from hashtable (in miliseconds)? +Default is 10000 (10 seconds). +.SS ecn +This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168 +.TP +.BI "--ecn-tcp-cwr" +This matches if the TCP ECN CWR (Congestion Window Received) bit is set. +.TP +.BI "--ecn-tcp-ece" +This matches if the TCP ECN ECE (ECN Echo) bit is set. +.TP +.BI "--ecn-ip-ect " "num" +This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify +a number between `0' and `3'. +.SS esp +This module matches the SPIs in ESP header of IPSec packets. +.TP +.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]" +.SS fuzzy +This module matches a rate limit based on a fuzzy logic controller [FLC] +.TP +.BI "--lower-limit "number" +Specifies the lower limit (in packets per second). +.TP +.BI "--upper-limit " "number" +Specifies the upper limit (in packets per second). 
+.SS hashlimit +This patch adds a new match called 'hashlimit'. +The idea is to have something like 'limit', but either per +destination-ip or per (destip,destport) tuple. + +It gives you the ability to express +.IP + '1000 packets per second for every host in 192.168.0.0/16' +.IP + '100 packets per second for every service of 192.168.1.1' +.P +with a single iptables rule. +.TP +.BI "--hashlimit " "rate" +A rate just like the limit match +.TP +.BI "--hashlimit-burst " "num" +Burst value, just like limit match +.TP +.BI "--hashlimit-mode " "destip | destip-destport" +Limit per IP or per port +.TP +.BI "--hashlimit-name " "foo" +The name for the /proc/net/ipt_hashlimit/foo entry +.TP +.BI "--hashlimit-htable-size " "num" +The number of buckets of the hash table +.TP +.BI "--hashlimit-htable-max " "num" +Maximum entries in the hash +.TP +.BI "--hashlimit-htable-expire " "num" +After how many miliseconds do hash entries expire +.TP +.BI "--hashlimit-htable-gcinterval " "num" +How many miliseconds between garbage collection intervals +.SS helper +This module matches packets related to a specific conntrack-helper. +.TP +.BI "--helper " "string" +Matches packets related to the specified conntrack-helper. +.RS +.PP +string can be "ftp" for packets related to a ftp-session on default port. +For other ports append -portnr to the value, ie. "ftp-2121". +.PP +Same rules apply for other conntrack-helpers. +.RE +.SS icmp +This extension is loaded if `--protocol icmp' is specified. It +provides the following option: +.TP +.BR "--icmp-type " "[!] \fItypename\fP" +This allows specification of the ICMP type, which can be a numeric +ICMP type, or one of the ICMP type names shown by the command +.nf + iptables -p icmp -h +.fi +.SS iprange +This matches on a given arbitrary range of IPv4 addresses +.TP +.BI "[!]" "--src-range " "ip-ip" +Match source IP in the specified range. +.TP +.BI "[!]" "--dst-range " "ip-ip" +Match destination IP in the specified range. 
+.SS ipv4options +Match on IPv4 header options like source routing, record route, +timestamp and router-alert. +.TP +.B "--ssrr" +To match packets with the flag strict source routing. +.TP +.B "--lsrr" +To match packets with the flag loose source routing. +.TP +.B "--no-srr" +To match packets with no flag for source routing. +.TP +.B "\fR[\fB!\fR]\fB --rr" +To match packets with the RR flag. +.TP +.B "\fR[\fB!\fR]\fB --ts" +To match packets with the TS flag. +.TP +.B "\fR[\fB!\fR]\fB --ra" +To match packets with the router-alert option. +.TP +.B "\fR[\fB!\fR]\fB --any-opt" +To match a packet with at least one IP option, or no IP option +at all if ! is chosen. +.TP +Examples: +.TP +$ iptables -A input -m ipv4options --rr -j DROP +will drop packets with the record-route flag. +.TP +$ iptables -A input -m ipv4options --ts -j DROP +will drop packets with the timestamp flag. +.SS length +This module matches the length of a packet against a specific value +or range of values. +.TP +.BR "--length " "\fIlength\fP[:\fIlength\fP]" +.SS limit +This module matches at a limited rate using a token bucket filter. +A rule using this extension will match until this limit is reached +(unless the `!' flag is used). It can be used in combination with the +.B LOG +target to give limited logging, for example. +.TP +.BI "--limit " "rate" +Maximum average matching rate: specified as a number, with an optional +`/second', `/minute', `/hour', or `/day' suffix; the default is +3/hour. +.TP +.BI "--limit-burst " "number" +Maximum initial number of packets to match: this number gets +recharged by one every time the limit specified above is not reached, +up to this number; the default is 5. +.SS mac +.TP +.BR "--mac-source " "[!] \fIaddress\fP" +Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. +Note that this only makes sense for packets coming from an Ethernet device +and entering the +.BR PREROUTING , +.B FORWARD +or +.B INPUT +chains. 
+.SS mark +This module matches the netfilter mark field associated with a packet +(which can be set using the +.B MARK +target below). +.TP +.BR "--mark " "\fIvalue\fP[/\fImask\fP]" +Matches packets with the given unsigned mark value (if a mask is +specified, this is logically ANDed with the mask before the +comparison). +.SS mport +This module matches a set of source or destination ports. Up to 15 +ports can be specified. It can only be used in conjunction with +.B "-p tcp" +or +.BR "-p udp" . +.TP +.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the source port is one of the given ports. The flag +.B --sports +is a convenient alias for this option. +.TP +.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the destination port is one of the given ports. The flag +.B --dports +is a convenient alias for this option. +.TP +.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]" +Match if the both the source and destination ports are equal to each +other and to one of the given ports. +.SS multiport +This module matches a set of source or destination ports. Up to 15 +ports can be specified. A port range (port:port) counts as two +ports. It can only be used in conjunction with +.B "-p tcp" +or +.BR "-p udp" . +.TP +.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]" +Match if the source port is one of the given ports. The flag +.B --sports +is a convenient alias for this option. +.TP +.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]" +Match if the destination port is one of the given ports. The flag +.B --dports +is a convenient alias for this option. +.TP +.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]" +Match if either the source or destination ports are equal to one of +the given ports. 
+.SS nth +This module matches every `n'th packet +.TP +.BI "--every " "value" +Match every `value' packet +.TP +.BI "[" "--counter " "num" "]" +Use internal counter number `num'. Default is `0'. +.TP +.BI "[" "--start " "num" "]" +Initialize the counter at the number `num' insetad of `0'. Most between `0' +and `value'-1. +.TP +.BI "[" "--packet " "num" "]" +Match on `num' packet. Most be between `0' and `value'-1. +.SS osf +The idea of passive OS fingerprint matching exists for quite a long time, +but was created as extension fo OpenBSD pf only some weeks ago. +Original idea was lurked in some OpenBSD mailing list (thanks +grange@open...) and than adopted for Linux netfilter in form of this code. + +Original fingerprint table was created by Michal Zalewski . + +This module compares some data(WS, MSS, options and it's order, ttl, +df and others) from first SYN packet (actually from packets with SYN +bit set) with dynamically loaded OS fingerprints. +.TP +.B "--log 1/0" +If present, OSF will log determined genres even if they don't match +desired one. +0 - log all determined entries, +1 - only first one. + +In syslog you find something like this: +.IP +ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 +.IP +ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80 +.TP +.B "--smart" +if present, OSF will use some smartness to determine remote OS. +OSF will use initial TTL only if source of connection is in our local network. +.TP +.B "--netlink" +If present, OSF will log all events also through netlink NETLINK_NFLOG groupt 1. +.TP +.BI "--genre " "[!] string" +Match a OS genre by passive fingerprinting +.P +Example: + +#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart + +NOTE: -p tcp is obviously required as it is a TCP match. + +Fingerprints can be loaded and read through /proc/sys/net/ipv4/osf file. 
+One can flush all fingerprints with following command: +.IP +echo -en FLUSH > /proc/sys/net/ipv4/osf +.P +Only one fingerprint per open/write/close. + +Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os +.SS owner +This module attempts to match various characteristics of the packet +creator, for locally-generated packets. It is only valid in the +.B OUTPUT +chain, and even this some packets (such as ICMP ping responses) may +have no owner, and hence never match. +.TP +.BI "--uid-owner " "userid" +Matches if the packet was created by a process with the given +effective user id. +.TP +.BI "--gid-owner " "groupid" +Matches if the packet was created by a process with the given +effective group id. +.TP +.BI "--pid-owner " "processid" +Matches if the packet was created by a process with the given +process id. +.TP +.BI "--sid-owner " "sessionid" +Matches if the packet was created by a process in the given session +group. +.TP +.BI "--cmd-owner " "name" +Matches if the packet was created by a process with the given command name. +(this option is present only if iptables was compiled under a kernel +supporting this feature) +.TP +.B NOTE: pid, sid and command matching are broken on SMP +.SS physdev +This module matches on the bridge port input and output devices enslaved +to a bridge device. This module is a part of the infrastructure that enables +a transparent bridging IP firewall and is only useful for kernel versions +above version 2.5.44. +.TP +.B --physdev-in name +Name of a bridge port via which a packet is received (only for +packets entering the +.BR INPUT , +.B FORWARD +and +.B PREROUTING +chains). If the interface name ends in a "+", then any +interface which begins with this name will match. If the packet didn't arrive +through a bridge device, this packet won't match this option, unless '!' is used. 
+.TP +.B --physdev-out name +Name of a bridge port via which a packet is going to be sent (for packets +entering the +.BR FORWARD , +.B OUTPUT +and +.B POSTROUTING +chains). If the interface name ends in a "+", then any +interface which begins with this name will match. Note that in the +.BR nat " and " mangle +.B OUTPUT +chains one cannot match on the bridge output port, however one can in the +.B "filter OUTPUT" +chain. If the packet won't leave by a bridge device or it is yet unknown what +the output device will be, then the packet won't match this option, unless +'!' is used. +.TP +.B --physdev-is-in +Matches if the packet has entered through a bridge interface. +.TP +.B --physdev-is-out +Matches if the packet will leave through a bridge interface. +.TP +.B --physdev-is-bridged +Matches if the packet is being bridged and therefore is not being routed. +This is only useful in the FORWARD and POSTROUTING chains. +.SS pkttype +This module matches the link-layer packet type. +.TP +.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]" +.SS psd +Attempt to detect TCP and UDP port scans. This match was derived from +Solar Designer's scanlogd. +.TP +.BI "--psd-weight-threshold " "threshold" +Total weight of the latest TCP/UDP packets with different +destination ports coming from the same host to be treated as port +scan sequence. +.TP +.BI "--psd-delay-threshold " "delay" +Delay (in hundredths of second) for the packets with different +destination ports coming from the same host to be treated as +possible port scan subsequence. +.TP +.BI "--psd-lo-ports-weight " "weight" +Weight of the packet with privileged (<=1024) destination port. +.TP +.BI "--psd-hi-ports-weight " "weight" +Weight of the packet with non-priviliged destination port. +.SS quota +Implements network quotas by decrementing a byte counter with each +packet. +.TP +.BI "--quota " "bytes" +The quota in bytes. +.P +KNOWN BUGS: this does not work on SMP systems. 
+.SS random +This module randomly matches a certain percentage of all packets. +.TP +.BI "--average " "percent" +Matches the given percentage. If omitted, a probability of 50% is set. +.SS realm +This matches the routing realm. Routing realms are used in complex routing +setups involving dynamic routing protocols like BGP. +.TP +.BI "--realm " "[!]" "value[/mask]" +Matches a given realm number (and optionally mask). +.SS recent +Allows you to dynamically create a list of IP addresses and then match +against that list in a few different ways. + +For example, you can create a `badguy' list out of people attempting +to connect to port 139 on your firewall and then DROP all future +packets from them without considering them. +.TP +.BI "--name " "name" +Specify the list to use for the commands. If no name is given then 'DEFAULT' +will be used. +.TP +[\fB!\fR] \fB--set\fR +This will add the source address of the packet to the list. If the +source address is already in the list, this will update the existing +entry. This will always return success (or failure if `!' is passed +in). +.TP +[\fB!\fR] \fB--rcheck\fR +Check if the source address of the packet is currently in +the list. +.TP +[\fB!\fR] \fB--update\fR +Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it +matches. +.TP +[\fB!\fR] \fB--remove\fR +Check if the source address of the packet is currently in the list and +if so that address will be removed from the list and the rule will +return true. If the address is not found, false is returned. +.TP +[\fB!\fR] \fB--seconds \fIseconds\fR +This option must be used in conjunction with one of \fB--rcheck\fR or +\fB--update\fR. When used, this will narrow the match to only happen +when the address is in the list and was seen within the last given +number of seconds. +.TP +[\fB!\fR] \fB--hitcount \fIhits\fR +This option must be used in conjunction with one of \fB--rcheck\fR or +\fB--update\fR. 
When used, this will narrow the match to only happen +when the address is in the list and packets had been received greater +than or equal to the given value. This option may be used along with +\fB--seconds\fR to create an even narrower match requiring a certain +number of hits within a specific time frame. +.TP +\fB--rttl\fR +This option must be used in conjunction with one of \fB--rcheck\fR or +\fB--update\fR. When used, this will narrow the match to only happen +when the address is in the list and the TTL of the current packet +matches that of the packet which hit the \fB--set\fR rule. This may be +useful if you have problems with people faking their source address in +order to DoS you via this module by disallowing others access to your +site by sending bogus packets to you. +.P +Examples: +.IP +# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP + +# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP +.P +Official website (http://snowman.net/projects/ipt_recent/) also has +some examples of usage. + +/proc/net/ipt_recent/* are the current lists of addresses and information +about each entry of each list. + +Each file in /proc/net/ipt_recent/ can be read from to see the current list +or written two using the following commands to modify the list: +.TP +echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT +to Add to the DEFAULT list +.TP +echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT +to Remove from the DEFAULT list +.TP +echo clear > /proc/net/ipt_recent/DEFAULT +to empty the DEFAULT list. +.P +The module itself accepts parameters, defaults shown: +.TP +.BI "ip_list_tot=" "100" +Number of addresses remembered per table +.TP +.BI "ip_pkt_list_tot=" "20" +Number of packets per address remembered +.TP +.BI "ip_list_hash_size=" "0" +Hash table size. 
0 means to calculate it based on ip_list_tot, default: 512 +.TP +.BI "ip_list_perms=" "0644" +Permissions for /proc/net/ipt_recent/* files +.TP +.BI "debug=" "0" +Set to 1 to get lots of debugging info +.SS sctp +.TP +\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR] +.TP +\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR] +.TP +\fB--chunk-types\fR [\fB!\fR] \fBall\fR|\fBany\fR|\fBonly \fIchunktype\fR[\fB:\fIflags\fR] [...] +The flag letter in upper case indicates that the flag is to match if set, +in the lower case indicates to match if unset. + +Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK + +chunk type available flags +.br +DATA U B E u b e +.br +ABORT T t +.br +SHUTDOWN_COMPLETE T t + +(lowercase means flag should be "off", uppercase means "on") +.P +Examples: + +iptables -A INPUT -p sctp --dport 80 -j DROP + +iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP + +iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT +.SS set +This modules macthes IP sets which can be defined by ipset(8). +.TP +.BR "--set " "setname flag[,flag...]" +where flags are +.BR "src" +and/or +.BR "dst" +and there can be no more than six of them. Hence the command +.nf + iptables -A FORWARD -m set --set test src,dst +.fi +will match packets, for which (depending on the type of the set) the source +address or port number of the packet can be found in the specified set. If +there is a binding belonging to the mached set element or there is a default +binding for the given set, then the rule will match the packet only if +additionally (depending on the type of the set) the destination address or +port number of the packet can be found in the set according to the binding. +.SS state +This module, when combined with connection tracking, allows access to +the connection tracking state for this packet. 
+.TP +.BI "--state " "state" +Where state is a comma separated list of the connection states to +match. Possible states are +.B INVALID +meaning that the packet could not be identified for some reason which +includes running out of memory and ICMP errors which don't correspond to any +known connection, +.B ESTABLISHED +meaning that the packet is associated with a connection which has seen +packets in both directions, +.B NEW +meaning that the packet has started a new connection, or otherwise +associated with a connection which has not seen packets in both +directions, and +.B RELATED +meaning that the packet is starting a new connection, but is +associated with an existing connection, such as an FTP data transfer, +or an ICMP error. +.SS tcp +These extensions are loaded if `--protocol tcp' is specified. It +provides the following options: +.TP +.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" +Source port or port range specification. This can either be a service +name or a port number. An inclusive range can also be specified, +using the format +.IR port : port . +If the first port is omitted, "0" is assumed; if the last is omitted, +"65535" is assumed. +If the second port greater then the first they will be swapped. +The flag +.B --sport +is a convenient alias for this option. +.TP +.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" +Destination port or port range specification. The flag +.B --dport +is a convenient alias for this option. +.TP +.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP" +Match when the TCP flags are as specified. The first argument is the +flags which we should examine, written as a comma-separated list, and +the second argument is a comma-separated list of flags which must be +set. Flags are: +.BR "SYN ACK FIN RST URG PSH ALL NONE" . +Hence the command +.nf + iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN +.fi +will only match packets with the SYN flag set, and the ACK, FIN and +RST flags unset. +.TP +.B "[!] 
--syn" +Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits +cleared. Such packets are used to request TCP connection initiation; +for example, blocking such packets coming in an interface will prevent +incoming TCP connections, but outgoing TCP connections will be +unaffected. +It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP. +If the "!" flag precedes the "--syn", the sense of the +option is inverted. +.TP +.BR "--tcp-option " "[!] \fInumber\fP" +Match if TCP option set. +.TP +.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]" +Match TCP SYN or SYN/ACK packets with the specified MSS value (or range), +which control the maximum packet size for that connection. +.SS tcpmss +This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. +.TP +.BI "[!] "--mss " "value[:value]" +Match a given TCP MSS value or range. +.SS time +This matches if the packet arrival time/date is within a given range. All options are facultative. +.TP +.BI " --timestart " "value" +Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00). +.TP +.BI "--timestop " "value" +Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59). +.TP +.BI "--days " "listofdays" +Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday) +.TP +.BI "--datestart " "date" +Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 1970) +.TP +.BI "--datestop " "date" +Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 2037) +.SS tos +This module matches the 8 bits of Type of Service field in the IP +header (ie. including the precedence bits). 
+.TP +.BI "--tos " "tos" +The argument is either a standard name, (use +.br + iptables -m tos -h +.br +to see the list), or a numeric value to match. +.SS ttl +This module matches the time to live field in the IP header. +.TP +.BI "--ttl-eq " "ttl" +Matches the given TTL value. +.TP +.BI "--ttl-gt " "ttl" +Matches if TTL is greater than the given TTL value. +.TP +.BI "--ttl-lt " "ttl" +Matches if TTL is less than the given TTL value. +.SS u32 +U32 allows you to extract quantities of up to 4 bytes from a packet, +AND them with specified masks, shift them by specified amounts and +test whether the results are in any of a set of specified ranges. +The specification of what to extract is general enough to skip over +headers with lengths stored in the packet, as in IP or TCP header +lengths. + +Details and examples are in the kernel module source. +.SS udp +These extensions are loaded if `--protocol udp' is specified. It +provides the following options: +.TP +.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]" +Source port or port range specification. +See the description of the +.B --source-port +option of the TCP extension for details. +.TP +.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]" +Destination port or port range specification. +See the description of the +.B --destination-port +option of the TCP extension for details. +.SS unclean +This module takes no options, but attempts to match packets which seem +malformed or unusual. This is regarded as experimental. +.SH TARGET EXTENSIONS +iptables can use extended target modules: the following are included +in the standard distribution. +.\" @TARGET@ +.SS BALANCE +This allows you to DNAT connections in a round-robin way over a given range of destination addresses. +.TP +.BI "--to-destination " "ipaddr-ipaddr" +Address range to round-robin over. +.SS CLASSIFY +This module allows you to set the skb->priority value (and thus classify the packet into a specific CBQ class). 
+.TP +.BI "--set-class " "MAJOR:MINOR" +Set the major and minor class value. +.SS CLUSTERIP +This module allows you to configure a simple cluster of nodes that share +a certain IP and MAC address without an explicit load balancer in front of +them. Connections are statically distributed between the nodes in this +cluster. +.TP +.BI "--new " +Create a new ClusterIP. You always have to set this on the first rule +for a given ClusterIP. +.TP +.BI "--hashmode " "mode" +Specify the hashing mode. Has to be one of +.B sourceip, sourceip-sourceport, sourceip-sourceport-destport +.TP +.BI "--clustermac " "mac" +Specify the ClusterIP MAC address. Has to be a link-layer multicast address +.TP +.BI "--total-nodes " "num" +Number of total nodes within this cluster. +.TP +.BI "--local-node " "num" +Local node number within this cluster. +.TP +.BI "--hash-init " "rnd" +Specify the random seed used for hash initialization. +.SS CONNMARK +This module sets the netfilter mark value associated with a connection +.TP +.B --set-mark mark[/mask] +Set connection mark. If a mask is specified then only those bits set in the +mask is modified. +.TP +.B --save-mark [--mask mask] +Copy the netfilter packet mark value to the connection mark. If a mask +is specified then only those bits are copied. +.TP +.B --restore-mark [--mask mask] +Copy the connection mark value to the packet. If a mask is specified +then only those bits are copied. This is only valid in the +.B mangle +table. +.SS DNAT +This target is only valid in the +.B nat +table, in the +.B PREROUTING +and +.B OUTPUT +chains, and user-defined chains which are only called from those +chains. It specifies that the destination address of the packet +should be modified (and all future packets in this connection will +also be mangled), and rules should cease being examined. 
It takes one +type of option: +.TP +.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" +which can specify a single new destination IP address, an inclusive +range of IP addresses, and optionally, a port range (which is only +valid if the rule also specifies +.B "-p tcp" +or +.BR "-p udp" ). +If no port range is specified, then the destination port will never be +modified. +.RS +.PP +You can add several --to-destination options. If you specify more +than one destination address, either via an address range or multiple +--to-destination options, a simple round-robin (one after another in +cycle) load balancing takes place between these adresses. +.SS DSCP +This target allows to alter the value of the DSCP bits within the TOS +header of the IPv4 packet. As this manipulates a packet, it can only +be used in the mangle table. +.TP +.BI "--set-dscp " "value" +Set the DSCP field to a numerical value (can be decimal or hex) +.TP +.BI "--set-dscp-class " "class" +Set the DSCP field to a DiffServ class. +.SS ECN +This target allows to selectively work around known ECN blackholes. +It can only be used in the mangle table. +.TP +.BI "--ecn-tcp-remove" +Remove all ECN bits from the TCP header. Of course, it can only be used +in conjunction with +.BR "-p tcp" . +.SS IPMARK +Allows you to mark a received packet basing on its IP address. This +can replace many mangle/mark entries with only one, if you use +firewall based classifier. + +This target is to be used inside the mangle table, in the PREROUTING, +POSTROUTING or FORWARD hooks. +.TP +.BI "--addr " "src/dst" +Use source or destination IP address. +.TP +.BI "--and-mask " "mask" +Perform bitwise `and' on the IP address and this mask. +.TP +.BI "--or-mask " "mask" +Perform bitwise `or' on the IP address and this mask. +.P +The order of IP address bytes is reversed to meet "human order of bytes": +192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then +`or'. 
+ +Examples: + +We create a queue for each user, the queue number is adequate +to the IP address of the user, e.g.: all packets going to/from 192.168.5.2 +are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc. + +We have one classifier rule: +.IP +tc filter add dev eth3 parent 1:0 protocol ip fw +.P +Earlier we had many rules just like below: +.IP +iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK +--set-mark 0x10502 +.IP +iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK +--set-mark 0x10503 +.P +Using IPMARK target we can replace all the mangle/mark rules with only one: +.IP +iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst +--and-mask=0xffff --or-mask=0x10000 +.P +On the routers with hundreds of users there should be significant load +decrease (e.g. twice). +.SS IPV4OPTSSTRIP +Strip all the IP options from a packet. + +The target doesn't take any option, and therefore is extremly easy to use : + +# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP +.SS LOG +Turn on kernel logging of matching packets. When this option is set +for a rule, the Linux kernel will print some information on all +matching packets (like most IP header fields) via the kernel log +(where it can be read with +.I dmesg +or +.IR syslogd (8)). +This is a "non-terminating target", i.e. rule traversal continues at +the next rule. So if you want to LOG the packets you refuse, use two +separate rules with the same matching criteria, first using target LOG +then DROP (or REJECT). +.TP +.BI "--log-level " "level" +Level of logging (numeric or see \fIsyslog.conf\fP(5)). +.TP +.BI "--log-prefix " "prefix" +Prefix log messages with the specified prefix; up to 29 letters long, +and useful for distinguishing messages in the logs. +.TP +.B --log-tcp-sequence +Log TCP sequence numbers. This is a security risk if the log is +readable by users. +.TP +.B --log-tcp-options +Log options from the TCP packet header. 
+.TP +.B --log-ip-options +Log options from the IP packet header. +.TP +.B --log-uid +Log the userid of the process which generated the packet. +.SS MARK +This is used to set the netfilter mark value associated with the +packet. It is only valid in the +.B mangle +table. It can for example be used in conjunction with iproute2. +.TP +.BI "--set-mark " "mark" +.SS MASQUERADE +This target is only valid in the +.B nat +table, in the +.B POSTROUTING +chain. It should only be used with dynamically assigned IP (dialup) +connections: if you have a static IP address, you should use the SNAT +target. Masquerading is equivalent to specifying a mapping to the IP +address of the interface the packet is going out, but also has the +effect that connections are +.I forgotten +when the interface goes down. This is the correct behavior when the +next dialup is unlikely to have the same interface address (and hence +any established connections are lost anyway). It takes one option: +.TP +.BR "--to-ports " "\fIport\fP[-\fIport\fP]" +This specifies a range of source ports to use, overriding the default +.B SNAT +source port-selection heuristics (see above). This is only valid +if the rule also specifies +.B "-p tcp" +or +.BR "-p udp" . +.SS MIRROR +This is an experimental demonstration target which inverts the source +and destination fields in the IP header and retransmits the packet. +It is only valid in the +.BR INPUT , +.B FORWARD +and +.B PREROUTING +chains, and user-defined chains which are only called from those +chains. Note that the outgoing packets are +.B NOT +seen by any packet filtering chains, connection tracking or NAT, to +avoid loops and other problems. +.SS NETMAP +This target allows you to statically map a whole network of addresses onto +another network of addresses. It can only be used from rules in the +.B nat +table. +.TP +.BI "--to " "address[/mask]" +Network address to map to. 
The resulting address will be constructed in the +following way: All 'one' bits in the mask are filled in from the new `address'. +All bits that are zero in the mask are filled in from the original address. +.SS NOTRACK +This target disables connection tracking for all packets matching that rule. +.TP +It can only be used in the +.B raw +table. +.SS REDIRECT +This target is only valid in the +.B nat +table, in the +.B PREROUTING +and +.B OUTPUT +chains, and user-defined chains which are only called from those +chains. It redirects the packet to the machine itself by changing the +destination IP to the primary address of the incoming interface +(locally-generated packets are mapped to the 127.0.0.1 address). It +takes one option: +.TP +.BR "--to-ports " "\fIport\fP[-\fIport\fP]" +This specifies a destination port or range of ports to use: without +this, the destination port is never altered. This is only valid +if the rule also specifies +.B "-p tcp" +or +.BR "-p udp" . +.SS REJECT +This is used to send back an error packet in response to the matched +packet: otherwise it is equivalent to +.B DROP +so it is a terminating TARGET, ending rule traversal. +This target is only valid in the +.BR INPUT , +.B FORWARD +and +.B OUTPUT +chains, and user-defined chains which are only called from those +chains. The following option controls the nature of the error packet +returned: +.TP +.BI "--reject-with " "type" +The type given can be +.nf +.B " icmp-net-unreachable" +.B " icmp-host-unreachable" +.B " icmp-port-unreachable" +.B " icmp-proto-unreachable" +.B " icmp-net-prohibited" +.B " icmp-host-prohibited or" +.B " icmp-admin-prohibited (*)" +.fi +which return the appropriate ICMP error message (\fBport-unreachable\fP is +the default). The option +.B tcp-reset +can be used on rules which only match the TCP protocol: this causes a +TCP RST packet to be sent back. 
This is mainly useful for blocking +.I ident +(113/tcp) probes which frequently occur when sending mail to broken mail +hosts (which won't accept your mail otherwise). +.TP +(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT +.SS ROUTE +This is used to explicitly override the core network stack's routing decision. +.B mangle +table. +.TP +.BI "--oif " "ifname" +Route the packet through `ifname' network interface +.TP +.BI "--iif " "ifname" +Change the packet's incoming interface to `ifname' +.TP +.BI "--gw " "IP_address" +Route the packet via this gateway +.TP +.BI "--continue " +Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif' or `--tee' +.TP +.BI "--tee " +Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif' or `--continue' +.SS SAME +Similar to SNAT/DNAT depending on chain: it takes a range of addresses +(`--to 1.2.3.4-1.2.3.7') and gives a client the same +source-/destination-address for each connection. +.TP +.BI "--to " "-" +Addresses to map source to. May be specified more than once for +multiple ranges. +.TP +.B "--nodst" +Don't use the destination-ip in the calculations when selecting the +new source-ip +.SS SET +This modules adds and/or deletes entries from IP sets which can be defined +by ipset(8). +.TP +.BR "--add-set " "setname flag[,flag...]" +add the address(es)/port(s) of the packet to the sets +.TP +.BR "--del-set " "setname flag[,flag...]" +delete the address(es)/port(s) of the packet from the sets, +where flags are +.BR "src" +and/or +.BR "dst" +and there can be no more than six of them. +.TP +The bindings to follow must previously be defined in order to use +multilevel adding/deleting by the SET target. 
+.SS SNAT +This target is only valid in the +.B nat +table, in the +.B POSTROUTING +chain. It specifies that the source address of the packet should be +modified (and all future packets in this connection will also be +mangled), and rules should cease being examined. It takes one type +of option: +.TP +.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" +which can specify a single new source IP address, an inclusive range +of IP addresses, and optionally, a port range (which is only valid if +the rule also specifies +.B "-p tcp" +or +.BR "-p udp" ). +If no port range is specified, then source ports below 512 will be +mapped to other ports below 512: those between 512 and 1023 inclusive +will be mapped to ports below 1024, and other ports will be mapped to +1024 or above. Where possible, no port alteration will occur. +.RS +.PP +You can add several --to-source options. If you specify more +than one source address, either via an address range or multiple +--to-source options, a simple round-robin (one after another in +cycle) takes place between these adresses. +.SS TARPIT +Captures and holds incoming TCP connections using no local +per-connection resources. Connections are accepted, but immediately +switched to the persist state (0 byte window), in which the remote +side stops sending data and asks to continue every 60-240 seconds. +Attempts to close the connection are ignored, forcing the remote side +to time out the connection in 12-24 minutes. + +This offers similar functionality to LaBrea + but doesn't require dedicated +hardware or IPs. Any TCP port that you would normally DROP or REJECT +can instead become a tarpit. + +To tarpit connections to TCP port 80 destined for the current machine: +.IP +iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT +.P +To significantly slow down Code Red/Nimda-style scans of unused address +space, forward unused ip addresses to a Linux box not acting as a router +(e.g. 
"ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP +forwarding on the Linux box, and add: +.IP +iptables -A FORWARD -p tcp -j TARPIT +.IP +iptables -A FORWARD -j DROP +.TP +NOTE: +If you use the conntrack module while you are using TARPIT, you should +also use the NOTRACK target, or the kernel will unnecessarily allocate +resources for each TARPITted connection. To TARPIT incoming +connections to the standard IRC port while using conntrack, you could: +.IP +iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK +.IP +iptables -A INPUT -p tcp --dport 6667 -j TARPIT +.SS TCPMSS +This target allows to alter the MSS value of TCP SYN packets, to control +the maximum size for that connection (usually limiting it to your +outgoing interface's MTU minus 40). Of course, it can only be used +in conjunction with +.BR "-p tcp" . +.br +This target is used to overcome criminally braindead ISPs or servers +which block ICMP Fragmentation Needed packets. The symptoms of this +problem are that everything works fine from your Linux +firewall/router, but machines behind it can never exchange large +packets: +.PD 0 +.RS 0.1i +.TP 0.3i +1) +Web browsers connect, then hang with no data received. +.TP +2) +Small mail works fine, but large emails hang. +.TP +3) +ssh works fine, but scp hangs after initial handshaking. +.RE +.PD +Workaround: activate this option and add a rule to your firewall +configuration like: +.nf + iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\ + -j TCPMSS --clamp-mss-to-pmtu +.fi +.TP +.BI "--set-mss " "value" +Explicitly set MSS option to specified value. +.TP +.B "--clamp-mss-to-pmtu" +Automatically clamp MSS value to (path_MTU - 40). +.TP +These options are mutually exclusive. +.SS TOS +This is used to set the 8-bit Type of Service field in the IP header. +It is only valid in the +.B mangle +table. 
+.TP +.BI "--set-tos " "tos" +You can use a numeric TOS values, or use +.nf + iptables -j TOS -h +.fi +to see the list of valid TOS names. +.SS TRACE +This target has no options. It just turns on +.B packet tracing +for all packets that match this rule. +.SS TTL +This is used to modify the IPv4 TTL header field. The TTL field determines +how many hops (routers) a packet can traverse until it's time to live is +exceeded. +.TP +Setting or incrementing the TTL field can potentially be very dangerous, +so it should be avoided at any cost. +.TP +.B Don't ever set or increment the value on packets that leave your local network! +.B mangle +table. +.TP +.BI "--ttl-set " "value" +Set the TTL value to `value'. +.TP +.BI "--ttl-dec " "value" +Decrement the TTL value `value' times. +.TP +.BI "--ttl-inc " "value" +Increment the TTL value `value' times. +.SS ULOG +This target provides userspace logging of matching packets. When this +target is set for a rule, the Linux kernel will multicast this packet +through a +.IR netlink +socket. One or more userspace processes may then subscribe to various +multicast groups and receive the packets. +Like LOG, this is a "non-terminating target", i.e. rule traversal +continues at the next rule. +.TP +.BI "--ulog-nlgroup " "nlgroup" +This specifies the netlink group (1-32) to which the packet is sent. +Default value is 1. +.TP +.BI "--ulog-prefix " "prefix" +Prefix log messages with the specified prefix; up to 32 characters +long, and useful for distinguishing messages in the logs. +.TP +.BI "--ulog-cprange " "size" +Number of bytes to be copied to userspace. A value of 0 always copies +the entire packet, regardless of its size. Default is 0. +.TP +.BI "--ulog-qthreshold " "size" +Number of packet to queue inside kernel. Setting this value to, e.g. 10 +accumulates ten packets inside the kernel and transmits them as one +netlink multipart message to userspace. Default is 1 (for backwards +compatibility). 
+.br +.SS XOR +Encrypt TCP and UDP traffic using a simple XOR encryption +.TP +.BI "--key " "string" +Set key to "string" +.TP +.BI "--block-size" +Set block size +.SH DIAGNOSTICS +Various error messages are printed to standard error. The exit code +is 0 for correct functioning. Errors which appear to be caused by +invalid or abused command line parameters cause an exit code of 2, and +other errors cause an exit code of 1. +.SH BUGS +Bugs? What's this? ;-) +Well, you might want to have a look at http://bugzilla.netfilter.org/ +.SH COMPATIBILITY WITH IPCHAINS +This +.B iptables +is very similar to ipchains by Rusty Russell. The main difference is +that the chains +.B INPUT +and +.B OUTPUT +are only traversed for packets coming into the local host and +originating from the local host respectively. Hence every packet only +passes through one of the three chains (except loopback traffic, which +involves both INPUT and OUTPUT chains); previously a forwarded packet +would pass through all three. +.PP +The other main difference is that +.B -i +refers to the input interface; +.B -o +refers to the output interface, and both are available for packets +entering the +.B FORWARD +chain. +.PP The various forms of NAT have been separated out; +.B iptables +is a pure packet filter when using the default `filter' table, with +optional extension modules. This should simplify much of the previous +confusion over the combination of IP masquerading and packet filtering +seen previously. So the following options are handled differently: +.nf + -j MASQ + -M -S + -M -L +.fi +There are several other changes in iptables. +.SH SEE ALSO +.BR iptables-save (8), +.BR iptables-restore (8), +.BR ip6tables (8), +.BR ip6tables-save (8), +.BR ip6tables-restore (8). 
+.P +The packet-filtering-HOWTO details iptables usage for +packet filtering, the NAT-HOWTO details NAT, +the netfilter-extensions-HOWTO details the extensions that are +not in the standard distribution, +and the netfilter-hacking-HOWTO details the netfilter internals. +.br +See +.BR "http://www.netfilter.org/" . +.SH AUTHORS +Rusty Russell wrote iptables, in early consultation with Michael +Neuling. +.PP +Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet +selection framework in iptables, then wrote the mangle table, the owner match, +the mark stuff, and ran around doing cool stuff everywhere. +.PP +James Morris wrote the TOS target, and tos match. +.PP +Jozsef Kadlecsik wrote the REJECT target. +.PP +Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets. +.PP +The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, +Patrick McHardy, James Morris, Harald Welte and Rusty Russell. +.PP +Man page written by Herve Eychenne . +.\" .. and did I mention that we are incredibly cool people? +.\" .. sexy, too .. +.\" .. witty, charming, powerful .. +.\" .. and most of all, modest ..
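Review bot: The XOR target description ("Encrypt TCP and UDP traffic using a simple XOR encryption") overstates what the target does; a fixed-key XOR over the payload is obfuscation, not encryption, and gives no confidentiality against anyone who captures a few packets or guesses plaintext, so the text should say so rather than let readers treat it as a secure channel. In the same section "--block-size" is documented with .BI but, unlike "--key string", shows no argument; either add the argument name or switch to .B. In the TTL section the sentence introducing the table restriction has been lost: after the bold warning the page continues directly with ".B mangle" / "table.", which renders as "...leave your local network! mangle table."; the TOS section above shows the intended form ("It is only valid in the .B mangle table."), so a matching lead-in line should be restored before ".B mangle". Also in TTL, "until it's time to live is exceeded" should read "its". Minor wording elsewhere in the hunk: "This target allows to alter the MSS value" should be "allows altering" or "allows you to alter"; "You can use a numeric TOS values" should drop the "a" or the plural; "Number of packet to queue" should be "packets".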
