iptables linux command

iptables

iptables command [options]

System administration command. Configure netfilter filtering rules. In the 2.4 kernel, the ipchains firewall capabilities are replaced with the netfilter kernel module. netfilter can be configured to work just like ipchains, but it also comes with the module iptables, which is similar to ipchains but extensible. iptables rules consist of some matching criteria and a target, a result to be applied if the packet matches the criteria. The rules are organized into chains. You can use these rules to build a firewall, masquerade your local area network, or just reject certain kinds of network connections.

There are three built-in tables for iptables, one for network filtering (filter), one for Network Address Translation (nat), and the last for specialized packet alterations (mangle). Firewall rules are organized into chains, ordered check lists of rules that the kernel works through looking for matches. The filter table has three built-in chains: INPUT, OUTPUT, and FORWARD. The INPUT and OUTPUT chains handle packets originating from or destined for the host system. The FORWARD chain handles mail just passing through the host system. The nat table also has three built-in chains: PREROUTING, POSTROUTING, and OUTPUT. mangle has only two chains: PREROUTING and OUTPUT.

netfilter checks packets entering the system. After applying any PREROUTING rules it passes them to the INPUT chain or to the FORWARD chain if the packet is just passing through. Upon leaving, the system packets are passed to the OUTPUT chain and then on to any POSTROUTING rules. Each of these chains has a default target, a policy, in case no match is found. User-defined chains can also be created and used as targets for packets but do not have default policies. If no match can be found in a user-defined chain, the packet is returned to the chain from which it was called and tested against the next rule in that chain.

iptables only changes the rules in the running kernel. When the system is powered off, all changes are lost. You can use the iptables-save command to make a script you can run with iptables-restore to restore your firewall settings. Such a script is often called at bootup. Many distributions will have an iptables initialization script that uses the output from iptables-save.

Commands

iptables is always invoked with one of the following commands:

-A chain rules, --append chain rules

Append new rules to chain.

-I chain number rules, --insert chain number rules

Insert rules into chain at the ordinal position given by number.

-D chain rules, --delete chain rules

Delete rules from chain. Rules can be specified by their ordinal number in the chain as well as by a general rule description.

-R chain number rule, --replace chain number rule

Replace a rule in chain. The rule to be replaced is specified by its ordinal number.

-C chain rule, --check chain rules

Check how chain will handle a network packet that matches the given rule. The rule must describe the source, destination, protocol, and interface of the packet to be constructed.

-L [chain], --list $PARAMETER

List the rules in chain or all chains if chain is not specified.

-F [chain], --flush chain

Remove all rules from chain or from all chains if chain is not specified.

-Z [chain], --zero chain

Zero the packet and byte counters in chain. If no chain is specified, all chains will be reset. When used without specifying a chain and combined with the -L command, it lists the current counter values before they are reset chain.

-N chain, --new-chain chain

Create a new chain. The chain's name must be unique. This is how user-defined chains are created.

-X [chain], --delete-chain chain

Delete the specified user-defined chain or all user-defined chains if no chain is specified.

-P chain target, --policy chain target

Set the default policy for a built-in chain; the target itself cannot be a chain.

-E old-chain new-chain, --rename-chain old-chain new-chain

Rename old-chain to new-chain.

-h [icmp]

Print a brief help message. If the option icmp is given, print a list of valid ICMP types.

Targets

A target may be the name of a chain or one of the following special values.

ACCEPT

Let the packet through.

DROP

Drop the packet.

QUEUE

Send packets to the user space for processing.

RETURN

Stop traversing the current chain and return to the point in the previous chain from which this one was called. If RETURN is the target of a rule in a built-in chain, the built-in chain's default policy is applied.

Rule specification parameters

These options are used to create rules for use with the preceding commands. Rules consist of some matching criteria and usually a target to jump to (-j) if the match is made. Many of the parameters for these matching rules can be expressed as a negative with an exclamation point (!) meaning 'not.' Those rules will match everything except the given parameter.

-p [!] name, --protocol [!]$PARAMETER

Match packets of protocol name. The value of name can be given as a name or number as found in the file /etc/protocols. The most common values are tcp, udp, icmp, or the special value all. The number 0 is equivalent to all and this is the default value when this option is not used. If there are extended matching rules associated with the specified protocol, they will be loaded automatically. You need not use the -m option to load them.

-s [!] address mask port], --source [!] address mask port

Match packets with the source address. The address may be supplied as a hostname, a network name, or an IP address. The optional mask is the netmask to use and may be supplied either in the traditional form (e.g., /255.255.255.0) or in the modern form (e.g., /24).

-d [!] address mask port], --destination [!] address mask port

Match packets from the destination address. See the description of -s for the syntax of this option.

-j target, --jump target

Jump to a special target or a user-defined chain. If this option is not specified for a rule, matching the rule only increases the rule's counters, and the packet is tested against the next rule.

-i [!] name[+], --in-interface name

Match packets being received from interface name. name is the network interface used by your system (e.g., eth0 or ppp0). A + can be used as a wildcard, so ppp+ would match any interface name beginning with ppp

-o [!] name[+], --out-interface name

Match packets being sent from interface name. See the description of -i for the syntax for name.

[!] -f, [!]--fragment $PARAMETER

The rule applies only to the second or further fragments of a fragmented packet.

Options

-v, --verbose

Verbose mode.

-n, --numeric

Print all IP address and port numbers in numeric form. By default, text names are displayed when possible.

-x, --exact

Expand all numbers in a listing (-L). Display the exact value of the packet and byte counters instead of rounded figures.

-m module, --match

Explicitly load matching rule extensions associated with module. See the following section, 'Match Extensions.'

-h [icmp], --help [icmp]

Print help message. If icmp is specified, a list of valid ICMP type names will be printed. -h can also be used with the -m option to get help on an extension module.

--line-numbers

Used with the -L command. Add the line number to the beginning of each rule in a listing, indicating its position in the chain.

Match extensions

Several kernel modules come with netfilter to extend matching capabilities of rules. Those associated with particular protocols are loaded automatically when the -p option is used to specify the protocol. Others need to be loaded explicitly with the -m option.

tcp

Loaded when -p tcp is the only protocol specified.

--source-port [!] [port port], --sport [!] [port port

Match the specified source ports. Using the colon specifies an inclusive range of services to match. If the first port is omitted, 0 is the default. If the second port is omitted, 65535 is the default. You can also use a dash instead of a colon to specify the range.

--destination-port [!] [port port], --dport [!] [port port

Match the specified destination ports. The syntax is the same as for --source-port.

--tcp-flags [!] mask comp

Match the packets with the TCP flags specified by mask and comp. mask is a comma-separated list of flags that should be examined. comp is a comma-separated list of flags that must be set for the rule to match. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE.

[!] --syn

Match packets with the SYN bit set and the ACK and FIN bits cleared. These are packets that request TCP connections; blocking them prevents incoming connections. Shorthand for --tcp-flags SYN,RST,ACK SYN.

udp

Loaded when -p udp is the only protocol specified.

--source-port [!] [port port], --sport [!] [port port

Match the specified source ports. The syntax is the same as for the --source-port option of the TCP extension.

--destination-port [!] [port port], --dport [!] [port port

Match the specified destination ports. The syntax is the same as for --source-port option of the TCP extension.

icmp

Loaded when -p icmp is the only protocol specified.

--icmp-type [!] type

Match the specified icmp type. type may be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac

Loaded explicitly with the -m option.

--mac-source [!] address

Match the source address that transmitted the packet. address must be given in colon-separated hexbyte notation (for example, --mac-source 00:60:08:91:CC:B7.

limit

Loaded explicitly with the -m option. The limit extensions are used to limit the number of packets matched. This is useful when combined with the LOG target. Rules using this extension match until the specified limit is reached.

--limit rate

Match addresses at the given rate. rate is specified as a number with an optional /second, /minute, hour, or /day suffix. When this option is not set, the default is 3/hour

--limit-burst [number

Set the maximum number of packets to match in a burst. Once the number has been reached, no more packets are matched for this rule until the number has recharged. It recharges at the rate set by the --limit option. When not specified, the default is 5.

multiport

Loaded explicitly with the -m option. The multiport extensions match sets of source or destination ports. These rules can be used only in conjunction with -p tcp and -p udp. Up to 15 ports can be specified in a comma-separated list.

--source-port [ports

Match the given source ports.

--destination-port [ports

Match the given destination ports.

--port [ports

Match if the packet has the same source and destination port and that port is one of the given ports.

mark

Loaded explicitly with the -m option. This module works with the MARK extension target:

--mark value mask

Match the given unsigned mark value. If a mask is specified, it is logically ANDed with the mark before comparison.

owner

Loaded explicitly with the -m option. The owner extensions match a local packet's creator's user, group process, and session IDs. This makes sense only as a part of the OUTPUT chain.

--uid-owner userid

Match packets created by a process owned by userid.

--gid-owner groupid

Match packets created by a process owned by groupid.

--pid-owner processid

Match packets created by process ID processid.

--sid-owner sessionid

Match packets created by a process in the session sessionid.

state

Loaded explicitly with the -m option. This module matches the connection state of a packet.

--state states

Match the packet if it has one of the states in the comma-separated list states. Valid states are INVALID, ESTABLISHED, NEW, and RELATED.

tos

Loaded explicitly with the -m option. This module matches the Type of Service field in a packet's header.

--tos value

Match the packet if it has a TOS of value. value can be a numeric value or a Type of Service name. iptables -m tos -h will give you a list of valid TOS values.

Target extensions

Extension targets are optional additional targets supported by separate kernel modules. They have their own associated options.

LOG

Log the packet's information in the system log.

--log-level level

Set the syslog level by name or number (as defined by syslog.conf).

--log-prefix prefix

Begin each log entry with the string prefix. The prefix string may be up to 30 characters long.

--log-tcp-sequence

Log the TCP sequence numbers. This is a security risk if your log is readable by users.

--log-tcp-options

Log options from the TCP packet header.

--log-ip-options

Log options from the IP packet header.

MARK

Used to mark packets with an unsigned integer value you can use later with the mark matching extension. Valid only with the mangle table.

--set-mark value

Mark the packet with value.

REJECT

Drop the packet and, if appropriate, send an ICMP message back to the sender indicating the packet was dropped. If the packet was an ICMP error message, an unknown ICMP type, or a nonhead fragment, or if too many ICMP messages have already been sent to this address, no message is sent.

--reject-with type

Send the specified ICMP message type. Valid values are icmp-net-unreachable, icmp-host- unreachable, icmp-port-unreachable, or icmp-proto-unreachable. If the packet was an ICMP ping packet, type may also be echo-reply.

TOS

Set the Type of Service field in the IP header. TOS is a valid target only for rules in the mangle table.

--set-tos value

Set the TOS field to value. You can specify this as an 8-bit value or as a TOS name. You can get a list of valid names using iptables -j TOS -h.

SNAT

Modify the source address of the packet and all future packets in the current connection. SNAT is valid only as a part of the POSTROUTING chain in the nat table.

--to-source address address port port

Specify the new source address or range of addresses. If a tcp or udp protocol has been specified with the -p option, source ports may also be specified. If none is specified, map the new source to the same port if possible. If not, map ports below 512 to other ports below 512, those between 512 and 1024 to other ports below 1024, and ports above 1024 to other ports above 1024.

DNAT

Modify the destination address of the packet and all future packets in the current connection. DNAT is valid only as a part of the POSTROUTING chain in the nat table.

--to-destination address address port port

Specify the new destination address or range of addresses. The arguments for this option are the same as the --to-source argument for the SNAT extension target.

MASQUERADE

Masquerade the packet so it appears that it originated from the current system. Reverse packets from masqueraded connections are unmasqueraded automatically. This is a legal target only for chains in the nat table that handle incoming packets and should be used only with dynamic IP addresses (like dial-up.) For static addresses use DNAT.

--to-ports port port

Specify the port or range of ports to use when masquerading. This option is only valid if a tcp or udp protocol has been specified with the -p option. If this option is not used, the masqueraded packet's port will not be changed.

REDIRECT [--to-port port

Redirect the packet to a local port. This is useful for creating transparent proxies.

--to-ports port port

Specify the port or range of ports on the local system to which the packet should be redirected. This option is valid only if a tcp or udp protocol has been specified with the -p option. If this option is not used, the redirected packet's port will not be changed.