book

Linux iptables Pocket Reference

August 2004

Intermediate to advanced

96 pages

1h 52m

English

Read now

Unlock full access

An Example CommandConceptsTablesChainsPacket flowRulesMatchesTargetsApplicationsConfiguring iptablesPersistent rulesOther configuration filesCompiling your own kernelConnection TrackingAccountingNetwork Address Translation (NAT)Source NAT and MasqueradingDestination NATTransparent ProxyingLoad Distribution and BalancingStateless and Stateful FirewallsTools of the Trade
Getting helpThe iptables Subcommandsiptables Matches and TargetsInternet Protocol (IPv4) matchesACCEPT targetah matchconnmark MatchCONNMARK targetconntrack matchDNAT targetDROP targetdscp matchDSCP targetecn matchECN targetesp matchFTOS targethelper matchicmp matchip (Internet Protocol IPv4) matchesiplimit matchipv4options matchIPV4OPTSSTRIP targetlength matchlimit matchLOG targetmac matchmark matchMARK targetMASQUERADE targetmultiport matchNETLINK targetNETMAP targetnth matchowner matchpkttype matchpool matchPOOL targetpsd (Port Scan Detector) matchQUEUE targetquota matchrandom matchrealm matchrecent matchrecord-rpc matchREDIRECT targetREJECT targetRETURN targetROUTE targetSAME targetSNAT targetstate matchstring matchtcp matchtcpmss matchTCPMSS targettime matchtos matchTOS targetttl matchTTL targetudp matchULOG targetunclean match
iptables-restoreiptables-save

iptables Command Reference

Most of the options for the iptables command can be grouped into subcommands and rule match criteria. Table 1-15 describes the other options.

Table 1-15. iptables miscellaneous options

Option	Description
`-c` `packets` `bytes`	When combined with the `-A`, `-I`, or `-R` subcommand, sets the packet counter to `packets` and the byte counter to `bytes` for the new or modified rule.
`--exact`	Synonym for `-x`.
`-h`	Displays information on iptables usage. If it appears after `-m` `match` or `-j` `target`, then any additional help related to the extension `match` or `target` (respectively) is also displayed.
`--help`	Synonym for `-h`.
`-j` `target` `[``options``]`	Determines what to do with packets matching this rule. The `target` can be the name of a user-defined chain, one of the built-in targets, or an iptables extension (in which case there may be additional `options`).
`--jump`	Synonym for `-j`.
`--line-numbers`	When combined with the `-L` subcommand, displays numbers for the rules in each chain, so you can refer to the rules by index when inserting rules into (via `-I`) or deleting rules from (via `-D`) a chain.
`-m` `match` `[``options``]`	Invoke extended `match`, possibly with additional `options`.
`--match`	Synonym for `-m`.
`-M` `cmd`	Used to load an iptables module (with new targets or match extensions) when appending, inserting, or replacing rules.
`--modprobe=``cmd`	Synonym for `-M`.
`-n`	Displays numeric addresses and ports instead of looking up and displaying domain names for the IP addresses and displaying service names for the port numbers. This can be especially ...