iptables \- administration tool for IPv4 packet filtering and NAT
\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-D\fP} \fIchain\fP \fIrule-specification\fP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum rule-specification\fP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP} [\fIchain\fP] [\fIoptions...\fP]
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
rule-specification = [\fImatches...\fP] [\fItarget\fP]
match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
\fBIptables\fP is used to set up, maintain, and inspect the tables of IP packet
filter rules in the Linux kernel. Several different tables
may be defined. Each table contains a number of built-in
chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each
rule specifies what to do with a packet that matches. This is called
a `target', which may be a jump to a user-defined chain in the same
A firewall rule specifies criteria for a packet and a target. If the
packet does not match, the next rule in the chain is examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain or one of the
special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
\fBACCEPT\fP means to let the packet through.
\fBDROP\fP means to drop the packet on the floor.
\fBQUEUE\fP means to pass the packet to userspace.
(How the packet can be received
by a userspace process differs by the particular queue handler. 2.4.x
and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
queue handler. Kernels 2.6.14 and later additionally include the
\fBnfnetlink_queue\fP queue handler. Packets with a target of QUEUE will be
sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
target as described later in this man page.)
\fBRETURN\fP means stop traversing this chain and resume at the next rule in the
previous (calling) chain. If the end of a built-in chain is reached
or a rule in a built-in chain with target \fBRETURN\fP
is matched, the target specified by the chain policy determines the
fate of the packet.
The tables are as follows:
This is the default table (if no \-t option is passed). It contains
the built-in chains \fBINPUT\fP (for packets destined to local sockets),
\fBFORWARD\fP (for packets being routed through the box), and
\fBOUTPUT\fP (for locally-generated packets).
This table is consulted when a packet that creates a new
connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
(for altering packets as soon as they come in), \fBOUTPUT\fP
(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
(for altering packets as they are about to go out).
This table is used for specialized packet alteration. Until kernel
2.4.17 it had two built-in chains: \fBPREROUTING\fP
(for altering incoming packets before routing) and \fBOUTPUT\fP
(for altering locally-generated packets before routing).
Since kernel 2.4.18, three other built-in chains are also supported:
\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
(for altering packets being routed through the box), and \fBPOSTROUTING\fP
(for altering packets as they are about to go out).
This table is used mainly for configuring exemptions from connection
tracking in combination with the NOTRACK target. It registers at the netfilter
hooks with higher priority and is thus called before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) \fBOUTPUT\fP
(for packets generated by local processes)
The options that are recognized by
\fBiptables\fP can be divided into several different groups.
These options specify the desired action to perform. Only one of them
can be specified on the command line unless otherwise stated
below. For long versions of the command and option names, you
need to use only enough letters to ensure that
\fBiptables\fP can differentiate it from all other options.
\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
Append one or more rules to the end of the selected chain.
When the source and/or destination names resolve to more than one
address, a rule will be added for each possible address combination.
\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
Delete one or more rules from the selected chain. There are two
versions of this command: the rule can be specified as a number in the
chain (starting at 1 for the first rule) or a rule to match.
\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
Insert one or more rules in the selected chain as the given rule
number. So, if the rule number is 1, the rule or rules are inserted
at the head of the chain. This is also the default if no rule number
\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
Replace a rule in the selected chain. If the source and/or
destination names resolve to multiple addresses, the command will
fail. Rules are numbered starting at 1.
\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
List all rules in the selected chain. If no chain is selected, all
chains are listed. Like every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
iptables \-t nat \-n \-L
Please note that it is often used with the \fB\-n\fP
option, in order to avoid long reverse DNS lookups.
It is legal to specify the \fB\-Z\fP
(zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other
arguments given. The exact rules are suppressed until you use
\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
Print all rules in the selected chain. If no chain is selected, all
chains are printed like iptables\-save. Like every other iptables command,
it applies to the specified table (filter is the default).
\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
Flush the selected chain (all the chains in the table if none is given).
This is equivalent to deleting all the rules one by one.
\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP]
Zero the packet and byte counters in all chains. It is legal to specify the
\fB\-L\fP, \fB\-\-list\fP
(list) option as well, to see the counters immediately before they are
cleared. (See above.)
\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
Create a new user-defined chain by the given name. There must be no
target of that name already.
\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
Delete the optional user-defined chain specified. There must be no references
to the chain. If there are, you must delete or replace the referring rules
before the chain can be deleted. The chain must be empty, i.e. not contain
any rules. If no argument is given, it will attempt to delete every
non-builtin chain in the table.
\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
Set the policy for the chain to the given target. See the section \fBTARGETS\fP
for the legal targets. Only built-in (non-user-defined) chains can have
policies, and neither built-in nor user-defined chains can be policy
\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
Rename the user specified chain to the user supplied name. This is
cosmetic, and has no effect on the structure of the table.
Give a (currently very brief) description of the command syntax.
The following parameters make up a rule specification (as used in the
add, delete, insert, replace and append commands).
[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
The protocol of the rule or of the packet to check.
The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
\fBicmp\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP or \fBall\fP,
or it can be a numeric value, representing one of these protocols or a
different one. A protocol name from /etc/protocols is also allowed.
A "!" argument before the protocol inverts the
test. The number zero is equivalent to \fBall\fP.
will match with all protocols and is taken as default when this
option is omitted.
[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
Source specification. \fIAddress\fP
can be either a network name, a hostname (please note that specifying
any name to be resolved with a remote query such as DNS is a really bad idea),
a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
can be either a network mask or a plain number,
specifying the number of 1's at the left side of the network mask.
Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
A "!" argument before the address specification inverts the sense of
the address. The flag \fB\-\-src\fP is an alias for this option.
[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
Destination specification.
See the description of the \fB\-s\fP
(source) flag for a detailed description of the syntax. The flag
\fB\-\-dst\fP is an alias for this option.
\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
This specifies the target of the rule; i.e., what to do if the packet
matches it. The target can be a user-defined chain (other than the
one this rule is in), one of the special builtin targets which decide
the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
option is omitted in a rule (and \fB\-g\fP
is not used), then matching the rule will have no
effect on the packet's fate, but the counters on the rule will be
\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
This specifies that the processing should continue in a user
specified chain. Unlike the \fB\-\-jump\fP option, return will not continue
processing in this chain but instead in the chain that called us via
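The traversal rules stated on this page (ACCEPT and DROP decide at once, RETURN resumes in the calling chain, an exhausted built-in chain falls back to its policy, and \-g does not resume in the chain that issued it while \-j does) can be modelled in a few dozen lines. This is an added example, not iptables code or part of this manual page; the chain names TCP_CHECK and WEB, the rules and the packets are constructed.

```python
"""Toy model of iptables chain traversal as this page describes it (added
example, not iptables code): rules are tried in order, ACCEPT and DROP decide
the fate at once, RETURN resumes in the calling chain, -j and -g enter a
user-defined chain, and running off the end of a built-in chain applies its
policy. All packets, chain names and rules below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Packet = Dict[str, object]  # e.g. {"proto": "tcp", "dport": 80, "src": "10.1.2.3"}


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str         # ACCEPT, DROP, RETURN or the name of a user-defined chain
    goto: bool = False  # True models -g/--goto, False models -j/--jump


@dataclass
class Table:
    policy: Dict[str, str]  # built-in chain -> policy target
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def traverse(self, chain: str, pkt: Packet) -> str:
        """Fate (ACCEPT/DROP) for a built-in chain; 'RETURN' when a
        user-defined chain is exhausted or matches a RETURN rule."""
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue  # no match: the next rule in this chain is examined
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target  # special target: fate decided immediately
            if rule.target == "RETURN":
                break  # stop traversing this chain (policy if it is built-in)
            result = self.traverse(rule.target, pkt)  # enter user-defined chain
            if result != "RETURN":
                return result  # the called chain decided the fate
            if rule.goto:
                break  # -g: do not resume here; return to whoever called us
            # -j: a RETURN from the called chain resumes at the next rule here
        return self.policy.get(chain, "RETURN")


def build_filter(use_goto: bool) -> Table:
    """INPUT (policy DROP) -> TCP_CHECK -> WEB; WEB is entered via -g or -j."""
    t = Table(policy={"INPUT": "DROP"})
    t.chains["INPUT"] = [
        Rule(lambda p: p["proto"] == "tcp", "TCP_CHECK"),
        Rule(lambda p: p["proto"] == "udp" and p["dport"] == 53, "ACCEPT"),
    ]
    t.chains["TCP_CHECK"] = [
        Rule(lambda p: p["dport"] == 22, "ACCEPT"),
        Rule(lambda p: p["dport"] == 80, "WEB", goto=use_goto),
        Rule(lambda p: p["dport"] == 25, "RETURN"),
        Rule(lambda p: True, "ACCEPT"),  # reached after WEB only when entered via -j
    ]
    t.chains["WEB"] = [Rule(lambda p: p["src"].startswith("10."), "DROP")]
    return t


def fate(use_goto: bool, proto: str, dport: int, src: str = "192.0.2.1") -> str:
    """Fate of one constructed packet arriving on INPUT."""
    return build_filter(use_goto).traverse("INPUT", {"proto": proto, "dport": dport, "src": src})
```

With \-g, a port 80 packet that WEB does not drop returns straight to INPUT and is dropped by the policy; with \-j the same packet resumes in TCP_CHECK and is accepted by the final rule.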
[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
Name of an interface via which a packet was received (only for
packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
chains). When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option is
omitted, any interface name will match.
[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
Name of an interface via which a packet is going to be sent (for packets
entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
chains). When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option is
omitted, any interface name will match.
[\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
This means that the rule only refers to second and further fragments
of fragmented packets. Since there is no way to tell the source or
destination ports of such a packet (or ICMP type), such a packet will
not match any rules which specify them. When the "!" argument
precedes the "\-f" flag, the rule will only match head fragments, or
unfragmented packets.
\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
This enables the administrator to initialize the packet and byte
counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
.SS "OTHER OPTIONS"
The following additional options can be specified:
\fB\-v\fP, \fB\-\-verbose\fP
Verbose output. This option makes the list command show the interface
name, the rule options (if any), and the TOS masks. The packet and
byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
the \fB\-x\fP flag to change this).
For appending, insertion, deletion and replacement, this causes
detailed information on the rule or rules to be printed.
\fB\-n\fP, \fB\-\-numeric\fP
IP addresses and port numbers will be printed in numeric format.
By default, the program will try to display them as host names,
network names, or services (whenever applicable).
\fB\-x\fP, \fB\-\-exact\fP
Display the exact value of the packet and byte counters,
instead of only the rounded number in K's (multiples of 1000)
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the \fB\-L\fP command.
\fB\-\-line\-numbers\fP
When listing rules, add line numbers to the beginning of each rule,
corresponding to that rule's position in the chain.
\fB\-\-modprobe=\fP\fIcommand\fP
When adding or inserting rules into a chain, use \fIcommand\fP
to load any necessary modules (targets, match extensions, etc).
.SH MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded
in two ways: implicitly, when \fB\-p\fP or \fB\-\-protocol\fP
is specified, or with the \fB\-m\fP or \fB\-\-match\fP
options, followed by the matching module name; after these, various
extra command line options become available, depending on the specific
module. You can specify multiple extended match modules in one line,
and you can use the \fB\-h\fP or \fB\-\-help\fP
options after the module has been specified to receive help specific
The following are included in the base package, and most of these can
be preceded by a "\fB!\fP" to invert the sense of the match.
.SH TARGET EXTENSIONS
iptables can use extended target modules: the following are included