System administration command. Configure netfilter filtering rules for kernels 2.4 and later. Rules for iptables consist of some matching criteria and a target, a result to be applied if the packet matches the criteria. The rules are organized into chains. You can use these rules to build a firewall, masquerade your local area network, or just reject certain kinds of network connections.
There are three built-in tables for iptables: one for network filtering (filter), one for Network Address Translation (nat), and the last for specialized packet alterations (mangle). Firewall rules are organized into chains, ordered checklists of rules that the kernel works through looking for matches. The filter table has three built-in chains: INPUT, OUTPUT, and FORWARD. The INPUT and OUTPUT chains handle packets originating from or destined for the host system. The FORWARD chain handles packets just passing through the host system. The nat table also has three built-in chains: PREROUTING, POSTROUTING, and OUTPUT. mangle has only two chains: PREROUTING and OUTPUT.
netfilter checks packets entering the system. After applying any PREROUTING rules, it passes them to the INPUT chain, or to the FORWARD chain if the packet is just passing through. Upon leaving, the system packets are passed to the OUTPUT chain and then on to any POSTROUTING rules. Each of these chains has a default target (a policy) in case no match is found. User-defined chains can also be created and used as targets for packets but do not have default policies. If no match can be found in a user-defined chain, the packet is returned to the chain from which it was called and tested against the next rule in that chain.
iptables changes only the rules in the running kernel. When the system is powered off, all changes are lost. You can use the iptables-save command to make a script you can run with iptables-restore to restore your firewall settings. Such a script is often called at bootup. Many distributions have an iptables initialization script that uses the output from iptables-save.
iptables is almost always invoked with one of the following commands:
Append new rules to chain.
Delete rules from chain. Rules can be specified by their ordinal number in the chain as well as by a general rule description.
Remove all rules from chain, or from all chains if chain is not specified.
Insert rules into chain at the ordinal position given by number.
-L [chain] , --list [chain]
List the rules in chain, or all chains if chain is not specified.
Create a new chain. The chain's name must be unique. This is how user-defined chains are created.
Set the default policy for a built-in chain; the target itself cannot be a chain.
Replace a rule in chain. The rule to be replaced is specified by its ordinal number.
-X [chain] , --delete-chain [chain]
Delete the specified user-defined chain, or all user-defined chains if chain is not specified.
-Z [chain] , --zero [chain]
Zero the packet and byte counters in chain. If no chain is specified, all chains will be reset. When used without specifying a chain and combined with the -L command, list the current counter values before they are reset.
A target may be the name of a chain or one of the following special values:
Let the packet through.
Drop the packet.
Send packets to the user space for processing.
Stop traversing the current chain and return to the point in the previous chain from which this one was called. If RETURN is the target of a rule in a built-in chain, the built-in chain's default policy is applied.
Rule specification parameters
These options are used to create rules for use with the preceding commands. Rules consist of some matching criteria and usually a target to jump to (-j) if the match is made. Many of the parameters for these matching rules can be expressed as a negative with an exclamation point (!) meaning "not." Those rules will match everything except the given parameter.
Initialize packet and byte counters to the specified values.
Match packets from the destination address. The address may be supplied as a hostname, a network name, or an IP address. The optional mask is the netmask to use and may be supplied either in the traditional form (e.g., /255.255.255.0) or in the modern form (e.g., /24).
[!] -f, [!] --fragment
The rule applies only to the second or further fragments of a fragmented packet.
-i [!] name[+] , --in-interfacename[+]
Match packets being received from interface name. name is the network interface used by your system (e.g., eth0 or ppp0). A + can be used as a wildcard, so ppp+ would match any interface name beginning with ppp.
Jump to a special target or a user-defined chain. If this option is not specified for a rule, matching the rule only increases the rule's counters, and the packet is tested against the next rule.
-o [!] name[+] , --out-interfacename[+]
Match packets being sent from interface name. See the description of -i for the syntax for name.
-p [!] name, --protocol [!] name
Match packets of protocol name. The value of name can be given as a name or number, as found in the file /etc/protocols. The most common values are tcp, udp, icmp, or the special value all. The number 0 is equivalent to all, and this is the default value when this option is not used. If there are extended matching rules associated with the specified protocol, they will be loaded automatically. You need not use the -m option to load them.
Match packets with the source address. See the description of -d for the syntax of this option.
-h [icmp] , --help [icmp]
Print help message. If icmp is specified, a list of valid ICMP type names will be printed. -h can also be used with the -m option to get help on an extension module.
Used with the -L command. Add the line number to the beginning of each rule in a listing, indicating its position in the chain.
-mmodule, --match module
Explicitly load matching rule extensions associated with module. See the next section.
Use specified command to load any necessary kernel modules while adding or inserting rules into a chain.
Print all IP address and port numbers in numeric form. By default, text names are displayed when possible.
Apply rules to the specified table. Rules apply to the filter table by default.
Expand all numbers in a listing (-L). Display the exact value of the packet and byte counters instead of rounded figures.
Several modules extend the matching capabilities of netfilter rules. Using the -p option will cause iptables to load associated modules implicitly. Others need to be loaded explicitly with the -m or --match options. Here we document those modules used most frequently.
Loaded when -p icmp is the only protocol specified:
--icmp-type [!] type
Match the specified ICMP type. type may be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.
Loaded explicitly with the -m option. The multiport extensions match sets of source or destination ports. These rules can be used only in conjunction with -p tcp and -p udp. Up to 15 ports can be specified in a comma-separated list:
Match the given source ports.
Match the given destination ports.
Match if the packet has the same source and destination port and that port is one of the given ports.
Loaded explicitly with the -m option. This module matches the connection state of a packet:
Match the packet if it has one of the states in the comma-separated list states. Valid states are INVALID, ESTABLISHED, NEW, and RELATED.
Loaded when -p tcp is the only protocol specified:
Match the specified source ports. Using the colon specifies an inclusive range of services to match. If the first port is omitted, 0 is the default. If the second port is omitted, 65535 is the default. You can also use a dash instead of a colon to specify the range.
Match the specified destination ports. The syntax is the same as for --source-port.
Match if TCP SYN or SYN/ACK packets have the specified MSS value or fall within the specified range. Use this to control the maximum packet size for a connection.
Match packets with the SYN bit set and the ACK and FIN bits cleared. These are packets that request TCP connections; blocking them prevents incoming connections. Shorthand for --tcp-flags SYN,RST,ACK SYN.
--tcp-flags [!] maskcomp
Match the packets with the TCP flags specified by mask and comp. mask is a comma-separated list of flags that should be examined. comp is a comma-separated list of flags that must be set for the rule to match. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE.
--tcp-option [!] n
Match if TCP option is set.
Loaded when -p udp is the only protocol specified:
Match the specified destination ports. The syntax is the same as for the --source-port option of the TCP extension.
Extension targets are optional additional targets supported by separate kernel modules. They have their own associated options. We cover the most frequently used target extensions below.
Modify the destination address of the packet and all future packets in the current connection. DNAT is valid only as a part of the POSTROUTING chain in the nat table:
Specify the new destination address or range of addresses. The arguments for this option are the same as the --to-source argument for the SNAT extension target.
Log the packet's information in the system log:
Set the syslog level by name or number (as defined by syslog.conf).
Begin each log entry with the string prefix. The prefix string may be up to 30 characters long.
Log the TCP sequence numbers. This is a security risk if your log is readable by users.
Log options from the TCP packet header.
Log options from the IP packet header.
Masquerade the packet so it appears that it originated from the current system. Reverse packets from masqueraded connections are unmasqueraded automatically. This is a legal target only for chains in the nat table that handle incoming packets and should be used only with dynamic IP addresses (like dial-up.) For static addresses use DNAT:
Specify the port or range of ports to use when masquerading. This option is valid only if a tcp or udp protocol has been specified with the -p option. If this option is not used, the masqueraded packet's port will not be changed.
Drop the packet and, if appropriate, send an ICMP message back to the sender indicating the packet was dropped. If the packet was an ICMP error message, an unknown ICMP type, or a nonhead fragment, or if too many ICMP messages have already been sent to this address, no message is sent:
Send specified ICMP message type. Valid values are icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, or icmp-proto-unreachable. If the packet was an ICMP ping packet, type may also be echo-reply.
Modify the source address of the packet and all future packets in the current connection. SNAT is valid only as a part of the POSTROUTING chain in the nat table:
Specify the new source address or range of addresses. If a tcp or udp protocol has been specified with the -p option, source ports may also be specified. If none is specified, map the new source to the same port if possible. If not, map ports below 512 to other ports below 512, those between 512 and 1024 to other ports below 1024, and ports above 1024 to other ports above 1024.