Building a Set of Rules


To specify a table, it is common practice to put the table declaration on the command line immediately following iptables. For example, the following command flushes (deletes all the rules from) the NAT table:

# iptables -t nat -F


Commands

Following is a list of iptables commands:

--append

-A Adds rule(s) specified by rule-specifications to the end of chain. When a packet matches one of the rule-specifications, target processes it.

iptables -A chain rule-specifications --jump target

--delete

-D Removes one or more rules from chain, as specified by the rule-numbers or rule-specifications.

iptables -D chain rule-numbers | rule-specifications

--insert

-I Adds rule(s) specified by rule-specifications and target to the location in chain specified by rule-number. If you do not specify rule-number, it defaults to 1, the head of the chain.

iptables -I chain rule-number rule-specifications --jump target

--replace

-R Replaces rule number rule-number in chain with rule-specification and target. The command fails if rule-number or rule-specification resolves to more than one address.

iptables -R chain rule-number rule-specification --jump target

--list

-L Displays the rules in chain. Omit chain to display rules for all chains. Use --line-numbers to display rule numbers or select other display criteria from the list on page 772.

iptables -L [chain] [display-criteria]

--flush

-F Deletes all rules from chain. Omit chain to delete all rules from all chains.

iptables -F [chain]

--zero

-Z Sets to zero the value of all packet and byte counters in chain, or in all chains when you do not specify chain. Use with -L to display the counters before clearing them.

iptables -Z [-L] [chain]

--delete-chain

-X Removes the user-defined chain named chain. If you do not specify chain, removes all user-defined chains. You cannot delete a chain that a target points to.

iptables -X [chain]

--policy

-P Sets the default target, or policy, builtin-target for the builtin chain builtin-chain. This policy is applied to packets that do not match any rule in the chain. If a chain does not have a policy, unmatched packets are ACCEPTed.

iptables -P builtin-chain builtin-target

--rename-chain

-E Changes the name of the chain old to new.

iptables -E old new

--help

-h Displays a summary of iptables command syntax.

iptables -h

Follow a match extension protocol with -h to display options you can use with that protocol. For more information refer to "Help with extensions" on page 773.

Packet Match Criteria

The following criteria match network packets. When you precede a criterion with an exclamation point (!), the rule matches packets that do not match the criterion.

--protocol [!] proto

-p Matches if the packet uses the proto protocol. This criterion is a match extension (page 773).

--source [!] address[/mask]

-s or --src Matches if the packet came from address. The address can be a name or IP address. See page 423 for formats of the optional mask (only with an IP address).

--destination [!] address[/mask]

-d or --dst Matches if the packet is going to address. The address can be a name or IP address. See page 423 for formats of the optional mask (only with an IP address).

--in-interface [!] iface[+]

-i For the INPUT, FORWARD, and PREROUTING chains, matches if iface is the name of the interface the packet was received from. Append a plus sign (+) to iface to match any interface whose name begins with iface. When you do not specify --in-interface, the rule matches packets coming from any interface.

--out-interface [!] iface[+]

-o For the FORWARD, OUTPUT, and POSTROUTING chains, matches if iface is the interface the packet will be sent to. Append a plus sign (+) to iface to match any interface whose name begins with iface. When you do not specify --out-interface, the rule matches packets going to any interface.

[!] --fragment

-f Matches the second and subsequent fragments of fragmented packets. Because these packets do not contain source or destination information, they do not match any other rules.

Display Criteria

The following criteria display information. All packets match these criteria.

--verbose

-v Displays additional output.

--numeric

-n Displays IP addresses and port numbers as numbers, not names.

--exact

-x Use with -L to display exact packet and byte counts instead of rounded values.

--line-numbers

Displays line numbers when listing rules. The line numbers are also the rule numbers that you can use in rule match criteria (page 770).

Match Extensions

Rule specification (packet match criteria) extensions, called match extensions, add matches based on protocols and state to the matches described previously. Each of the protocol extensions is kept in a module that must be loaded before that match extension can be used. The command that loads the module must appear in the same rule specification as, and to the left of, the command that uses the module. There are two types of match extensions: implicit and explicit.

Implicit Match Extensions

Help with extensions


Implicit extensions are loaded (somewhat) automatically when you use a protocol command (following). Each protocol has its own extensions. Follow the protocol with -h to display extensions you can use with that protocol. For example, the following command displays TCP extensions at the end of the Help output:

# iptables -p tcp -h
...
TCP v1.3.5 options:
 --tcp-flags [!] mask comp      match when TCP flags & mask == comp
                                (Flags: SYN ACK FIN RST URG PSH ALL NONE)
[!] --syn                       match when only SYN flag set
                                (equivalent to --tcp-flags SYN,RST,ACK SYN)
 --source-port [!] port[:port]
 --sport ...
                                match source port(s)
 --destination-port [!] port[:port]
 --dport ...
                                match destination port(s)
 --tcp-option [!] number        match if TCP option set

This section does not describe all extensions. Use -h, as described in the preceding example, to display a complete list.

--protocol [!] proto

-p Loads the proto module and matches if the packet uses the proto protocol. The proto can be a name or number from /etc/protocols, including tcp, udp, and icmp (page 1036). Specifying all or 0 (zero) matches all protocols and is the same as not including this match in a rule.

The following criteria load the TCP module and match TCP protocol packets coming from port 22 (ssh packets):

--protocol tcp --source-port 22

The following command expands the preceding match into a rule in the INPUT chain that causes the kernel to drop all incoming ssh packets. This command uses ssh, which iptables looks up in /etc/services, in place of 22:

# iptables -A INPUT --protocol tcp --source-port ssh --jump DROP


TCP

The extensions in this section are loaded when you specify --protocol tcp.

--destination-port [!] [port][:port]

--dport Matches a destination port number or service name (see /etc/services). You can also specify a range of port numbers. Specifically, :port specifies ports 0 through port, and port: specifies ports port through 65535.

--source-port [!] [port][:port]

--sport Matches a source port number or service name (see /etc/services). You can also specify a range of port numbers. Specifically, :port specifies ports 0 through port, and port: specifies ports port through 65535.

[!] --syn

Matches packets with the SYN bit set and the ACK and RST bits cleared. This match extension is shorthand for --tcp-flags SYN,RST,ACK SYN.

--tcp-flags [!] mask comp

Defines TCP flag settings that constitute a match. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE. The mask is a comma-separated list of flags to be examined; comp is a comma-separated subset of mask that specifies the flags that must be set for a match to occur. Flags in mask that are not in comp must be unset; flags outside mask are not examined at all.

--tcp-option [!] n

Matches a TCP option with a decimal value of n.
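The following script is an added illustration of the --tcp-flags rule above (it is not part of iptables or of the book): it evaluates "TCP flags & mask == comp" for a given packet, which makes visible that a flag outside mask (PSH, for instance) never affects a --syn match, while a flag inside mask but outside comp (ACK or RST) defeats it.

```sh
#!/bin/sh
# Evaluates the --tcp-flags match: a packet matches when (flags & mask) == comp.
# Flag names are mapped to the bit values they have in the TCP header.

# flag_bits NAMES: converts a comma-separated flag list to an integer bitmask.
flag_bits() {
    total=0
    for n in $(printf '%s' "$1" | tr ',' ' '); do
        case "$n" in
            FIN) total=$((total | 1)) ;;
            SYN) total=$((total | 2)) ;;
            RST) total=$((total | 4)) ;;
            PSH) total=$((total | 8)) ;;
            ACK) total=$((total | 16)) ;;
            URG) total=$((total | 32)) ;;
            ALL) total=63 ;;
            NONE) ;;                           # contributes no bits
            *) echo "unknown flag: $n" >&2; return 2 ;;
        esac
    done
    echo "$total"
}

# tcp_flags_match PACKET_FLAGS MASK COMP
# Returns 0 when the rule "--tcp-flags MASK COMP" matches a packet whose header
# carries PACKET_FLAGS, 1 when it does not, and 2 for a malformed rule.
tcp_flags_match() {
    pkt=$(flag_bits "$1") || return 2
    mask=$(flag_bits "$2") || return 2
    comp=$(flag_bits "$3") || return 2
    # comp must be a subset of mask; otherwise the rule can never match
    [ $((comp & ~mask)) -eq 0 ] || return 2
    [ $((pkt & mask)) -eq "$comp" ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK SYN
syn_match() { tcp_flags_match "$1" SYN,RST,ACK SYN; }

syn_match SYN,PSH && echo "SYN,PSH matches --syn: PSH is outside the mask"
syn_match SYN,ACK || echo "SYN,ACK does not match --syn: ACK is in the mask"
```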

UDP

When you specify --protocol udp, you can specify a source and/or destination port in the same manner as described earlier under "TCP."

ICMP

The extension in this section is loaded when you specify --protocol icmp. ICMP (page 1036) packets carry messages only.

--icmp-type [!] name


Matches when the packet is an ICMP packet of type name. The name can be a numeric ICMP type or one of the names returned by

# iptables -p icmp -h


Explicit Match Extensions

Explicit match extensions differ from implicit match extensions in that you must use a -m or --match option to specify a module before you can use the extension. Many explicit match extension modules are available; this section covers state, one of the most important.

State

The state extension matches criteria based on the state of the connection the packet is part of (page 766).

--state state


Matches a packet whose state is defined by state, a comma-separated list of states from the following list:

  • ESTABLISHED Any packet, within a specific connection, following the exchange of packets in both directions for that connection.

  • INVALID A stateless or unidentifiable packet.

  • NEW The first packet within a specific connection, typically a SYN packet.

  • RELATED Any packet exchanged in a connection spawned from an ESTABLISHED connection. For example, an FTP data connection might be related to the FTP control connection. (You need the ip_conntrack_ftp module for FTP connection tracking.)

The following command loads the state extension and appends to the INPUT chain a rule that matches and drops both invalid packets and packets from new connections:

# iptables -A INPUT --match state --state INVALID,NEW --jump DROP


Targets

All targets are built in; there are no user-defined targets. This section lists some of the targets available with iptables. Applicable target options are listed following each target.

ACCEPT


Continues processing the packet.

DNAT


Destination Network Address Translation. Rewrites the destination address of the packet (page 765).

--to-destination ip[-ip][:port-port]

Same as SNAT with --to-source, except that it changes the destination addresses of packets to the specified address(es) and port(s) and is valid only in the PREROUTING or OUTPUT chains of the NAT table and any user-defined chains called from those chains. The following command adds to the PREROUTING chain of the NAT table a rule that changes the destination in the headers of TCP packets with a destination of 66.187.232.50 to 192.168.0.10:

# iptables -t nat -A PREROUTING -p tcp -d 66.187.232.50 -j DNAT --to-destination 192.168.0.10


DROP


Ends the packet's life without notice.

LOG


Turns on logging for the packet being processed. The kernel uses syslogd (page 562) to process output generated by this target. LOG is a nonterminating target; processing continues with the next rule. Use two rules to LOG packets that you REJECT, one each with the targets LOG and REJECT, with the same matching criteria.

--log-level n

Specifies logging level n as per syslog.conf (page 562).

--log-prefix string

Prefixes log entries with string, which can be up to 14 characters long.

--log-tcp-options

Logs options from the TCP packet header.

--log-ip-options

Logs options from the IP packet header.
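The following script is an added example, not text or code from the book: it combines the commands listed under "Commands" with the state match and the LOG/REJECT pairing described above into a stateful INPUT chain. The network 192.168.0.0/24 is a constructed sample for the hosts allowed to open ssh connections; each rule is passed to echo (a dry run that prints the command line) unless IPT=iptables is set in the environment, in which case the rules are applied to the kernel.

```sh
#!/bin/sh
# Stateful host firewall built with the iptables commands described above.
# IPT is the program each rule is handed to. It defaults to "echo", so the
# script prints the command lines instead of changing the kernel; run it as
# "IPT=iptables sh firewall.sh" (as root) to apply them.
IPT="${IPT:-echo}"

rule() { "$IPT" "$@"; }

# Builds the INPUT chain of the filter table (the default table).
# $1 is the network allowed to open ssh connections.
build_firewall() {
    ssh_net="$1"

    rule -F                        # --flush: remove all rules from all chains
    rule -X                        # --delete-chain: remove user-defined chains
    rule -Z                        # --zero: reset packet and byte counters
    rule -P INPUT DROP             # --policy: unmatched packets are dropped
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # --insert at rule number 1 puts loopback traffic at the head of the chain.
    rule -I INPUT 1 -i lo -j ACCEPT
    # Replies to connections this host opened, and packets of related
    # connections (FTP data, for example), need no further checks.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m state --state INVALID -j DROP
    # The packet opening a new TCP connection must have only SYN set.
    rule -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    rule -A INPUT -p tcp --dport ssh -s "$ssh_net" -j ACCEPT
    rule -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # LOG does not terminate processing, so the same match appears twice:
    # first to log the packet, then to reject it with a TCP reset.
    rule -A INPUT -p tcp --dport ssh -j LOG --log-prefix "ssh-rejected: "
    rule -A INPUT -p tcp --dport ssh -j REJECT --reject-with tcp-reset
}

# Lists the INPUT chain with numeric addresses and rule numbers, so that a
# rule can later be removed with: iptables -D INPUT rule-number
show_input_chain() { rule -L INPUT -n -v --line-numbers; }

build_firewall "${1:-192.168.0.0/24}"    # constructed sample network
show_input_chain
```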

MASQUERADE


Similar to SNAT with --to-source, except that the IP information is grabbed from the interface on the specified port. For use on systems with dynamically assigned IP addresses, such as those that use DHCP, including most dial-up lines. Valid only in rules in the POSTROUTING chain of the NAT table.

--to-ports port[-port]

Specifies the port for the interface you want to masquerade. Forgets connections when the interface goes down, as is appropriate for dial-up lines. You must specify the TCP or UDP protocol (--protocol tcp or udp) with this target.

REJECT


Similar to DROP, except that it notifies the sending system that the packet was blocked.

--reject-with type


Returns the error type to the originating system. The type can be any of the following, all of which return the appropriate ICMP (page 1036) error: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, or icmp-host-prohibited. You can specify type as echo-reply from rules that require an ICMP ping (page 365) packet to return a ping reply. You can specify tcp-reset from rules in or called from the INPUT chain to return a TCP RST packet. This parameter is valid in the INPUT, FORWARD, and OUTPUT chains and user-defined chains called from these chains.

RETURN


Stops traversing this chain and returns the packet to the calling chain.

SNAT


Source Network Address Translation. Rewrites the source address of the packet. Appropriate for hosts on a LAN that share an Internet connection.

--to-source ip[-ip][:port-port]


Alters the source IP address of an outbound packet, and the source IP addresses of all future packets in this connection, to ip. Skips additional rules, if any. Returning packets are automatically de-SNATed so they return to the originating host. Valid only in the POSTROUTING chain of the NAT table.

When you specify a range of IP addresses (ip-ip) or use multiple to-source targets, iptables assigns the addresses in a round-robin fashion, cycling through the addresses, one for each new connection.

When the rule specifies the TCP or UDP protocol (-p tcp or -p udp), you can specify a range of ports. When you do not specify a range of ports, the rule matches all ports. Every connection on a NATed subnet must have a unique IP address and port combination. If two computers on a NATed subnet try to use the same port, the kernel maps one of the ports to another (unused) one. Ports less than 512 are mapped to other ports less than 512, ports from 512 to 1024 are mapped to other ports from 512 to 1024, and ports above 1024 are mapped to other ports above 1024.

Copying Rules to and from the Kernel

The iptables-save utility copies packet filtering rules from the kernel to standard output so you can save them in a file. The iptables-restore utility copies rules from standard input, as written by iptables-save, to the kernel. Sample output from iptables-save follows:

# iptables-save
# Generated by iptables-save v1.3.5 on Tue Mar  7 20:52:04 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4779:2823599]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
...
COMMIT


Most of the lines that iptables-save writes are iptables command lines without the iptables at the beginning. Lines that begin with a pound sign (#) are comments. Lines that begin with an asterisk are names of tables that the following commands work on; all of the commands in the preceding example work on the Filter table. The COMMIT line must appear at the end of all commands for a table; it executes the preceding commands. Lines that begin with colons specify chains in the following format:


:chain policy [packets:bytes]

where chain is the name of the chain, policy is the policy (default target) for the chain, and packets and bytes are the packet and byte counters, respectively. The square brackets must appear in the line; they do not indicate optional parameters. Refer to the next section and visit www.faqs.org/docs/iptables/iptables-save.html for more information.
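The following script is an added example, not a utility from iptables or from the book: it reads an iptables-save dump from standard input, using the line formats just described, and reports every chain whose policy leaves unmatched packets ACCEPTed as well as any table block that is not closed by COMMIT, which is worth checking before the dump is handed to iptables-restore. The sample dump is constructed to match the output shown above.

```sh
#!/bin/sh
# Checks an iptables-save dump for permissive default policies and for
# table blocks that lack the COMMIT line iptables-restore requires.

# Constructed sample dump, in the shape of the iptables-save output above.
SAMPLE='# Generated by iptables-save v1.3.5 on Tue Mar  7 20:52:04 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4779:2823599]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT'

# Reads a dump on stdin. Prints "table chain ACCEPT" for each chain whose
# policy is ACCEPT (user-defined chains carry "-" and are never reported)
# and "table MISSING-COMMIT" for an unterminated table block.
# Exit status is 1 when anything was reported, 0 otherwise.
check_saved_rules() {
    awk '
        /^#/ { next }                          # comment lines
        /^\*/ {                                # *table opens a new block
            if (table != "" && !committed) { print table, "MISSING-COMMIT"; found = 1 }
            table = substr($1, 2); committed = 0; next
        }
        /^:/ {                                 # :chain policy [packets:bytes]
            chain = substr($1, 2)
            if ($2 == "ACCEPT") { print table, chain, "ACCEPT"; found = 1 }
            next
        }
        /^COMMIT$/ { committed = 1; next }
        END {
            if (table != "" && !committed) { print table, "MISSING-COMMIT"; found = 1 }
            exit (found ? 1 : 0)
        }'
}

printf '%s\n' "$SAMPLE" | check_saved_rules || echo "review the policies above before restoring"
```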




A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
Year: 2006
Pages: 383
