Revision | d0c4ba014332d53f2facb60c7e4bf29a91d1b352 (tree) |
---|---|
Time | 2013-04-03 12:21:38 |
Author | Akihiro MOTOKI <amotoki@gmai...> |
Committer | Akihiro MOTOKI |
iptables: Update original to 1.4.18
@@ -21,7 +21,8 @@ | ||
21 | 21 | .SH NAME |
22 | 22 | ip6tables-restore \(em Restore IPv6 Tables |
23 | 23 | .SH SYNOPSIS |
24 | -\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] | |
24 | +\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP] | |
25 | +[\fB\-T\fP \fIname\fP] | |
25 | 26 | .SH DESCRIPTION |
26 | 27 | .PP |
27 | 28 | .B ip6tables-restore |
@@ -31,8 +32,23 @@ I/O redirection provided by your shell to read from a file | ||
31 | 32 | \fB\-c\fR, \fB\-\-counters\fR |
32 | 33 | restore the values of all packet and byte counters |
33 | 34 | .TP |
35 | +\fB\-h\fP, \fB\-\-help\fP | |
36 | +Print a short option summary. | |
37 | +.TP | |
34 | 38 | \fB\-n\fR, \fB\-\-noflush\fR |
35 | -don't flush the previous contents of the table. If not specified, | |
39 | +don't flush the previous contents of the table. If not specified, | |
40 | +\fBip6tables-restore\fP flushes (deletes) all previous contents of the | |
41 | +respective table. | |
42 | +.TP | |
43 | +\fB\-t\fP, \fB\-\-test\fP | |
44 | +Only parse and construct the ruleset, but do not commit it. | |
45 | +.TP | |
46 | +\fB\-v\fP, \fB\-\-verbose\fP | |
47 | +Print additional debug info during ruleset processing. | |
48 | +.TP | |
49 | +\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP | |
50 | +Specify the path to the modprobe program. By default, ip6tables-restore will | |
51 | +inspect /proc/sys/kernel/modprobe to determine the executable's path. | |
36 | 52 | .TP |
37 | 53 | \fB\-T\fP, \fB\-\-table\fP \fIname\fP |
38 | 54 | Restore only the named table even if the input stream contains other ones. |
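Review bot: the `-M` placeholder is named `\fImodprobe\fP` in the SYNOPSIS hunk above but `\fImodprobe_program\fP` in the option entry added here; use one name in both places. The added lines also write the command as `\fBip6tables-restore\fP` (in the `--noflush` text) and as plain `ip6tables-restore` (in the `-M` text) with an unescaped hyphen, while the SYNOPSIS uses `ip6tables\-restore`; groff may render a bare `-` as a typographic hyphen, so `\-` is the safer form for command names. Minor: the context lines end bold with `\fR` while every added line uses `\fP`; either works, but mixing them in one option list reads inconsistently.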
@@ -1,4 +1,4 @@ | ||
1 | -.TH IP6TABLES 8 "" "iptables 1.4.13" "iptables 1.4.13" | |
1 | +.TH IP6TABLES 8 "" "iptables 1.4.18" "iptables 1.4.18" | |
2 | 2 | .\" |
3 | 3 | .\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu> |
4 | 4 | .\" It is based on iptables man page. |
@@ -87,7 +87,7 @@ or a rule in a built-in chain with target \fBRETURN\fP | ||
87 | 87 | is matched, the target specified by the chain policy determines the |
88 | 88 | fate of the packet. |
89 | 89 | .SH TABLES |
90 | -There are currently three independent tables (which tables are present | |
90 | +There are currently five independent tables (which tables are present | |
91 | 91 | at any time depends on the kernel configuration options and which |
92 | 92 | modules are present). |
93 | 93 | .TP |
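Review bot: the count changes from "three" to "five" tables, but the visible hunks of this commit add only one new table entry (nat, in the next hunk), and only filter and mangle are visible as existing entries. Confirm that the TABLES section now really enumerates five `.TP` entries after this change, otherwise the prose count and the list will disagree.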
@@ -106,6 +106,13 @@ the built-in chains \fBINPUT\fP (for packets destined to local sockets), | ||
106 | 106 | \fBFORWARD\fP (for packets being routed through the box), and |
107 | 107 | \fBOUTPUT\fP (for locally-generated packets). |
108 | 108 | .TP |
109 | +\fBnat\fP: | |
110 | +This table is consulted when a packet that creates a new | |
111 | +connection is encountered. It consists of three built-ins: \fBPREROUTING\fP | |
112 | +(for altering packets as soon as they come in), \fBOUTPUT\fP | |
113 | +(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP | |
114 | +(for altering packets as they are about to go out). Available since kernel 3.7. | |
115 | +.TP | |
109 | 116 | \fBmangle\fP: |
110 | 117 | This table is used for specialized packet alteration. Until kernel |
111 | 118 | 2.4.17 it had two built-in chains: \fBPREROUTING\fP |
@@ -240,6 +247,15 @@ Give a (currently very brief) description of the command syntax. | ||
240 | 247 | The following parameters make up a rule specification (as used in the |
241 | 248 | add, delete, insert, replace and append commands). |
242 | 249 | .TP |
250 | +\fB\-4\fP, \fB\-\-ipv4\fP | |
251 | +If a rule using the \fB\-4\fP option is inserted with (and only with) | |
252 | +ip6tables-restore, it will be silently ignored. Any other uses will throw an | |
253 | +error. This option allows to put both IPv4 and IPv6 rules in a single rule file | |
254 | +for use with both iptables-restore and ip6tables-restore. | |
255 | +.TP | |
256 | +\fB\-6\fP, \fB\-\-ipv6\fP | |
257 | +This option has no effect in ip6tables and ip6tables-restore. | |
258 | +.TP | |
243 | 259 | [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP |
244 | 260 | The protocol of the rule or of the packet to check. |
245 | 261 | The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP, |
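Review bot: "This option allows to put both IPv4 and IPv6 rules in a single rule file" is ungrammatical; suggest "This option makes it possible to keep both IPv4 and IPv6 rules in a single rule file". The opening sentence is also hard to parse because the two cases are split across "inserted with (and only with) ip6tables-restore" and "Any other uses will throw an error"; stating them explicitly would help: a rule carrying `-4` is silently skipped by ip6tables-restore, and any other use (for example on the ip6tables command line) is rejected with an error. Since silent skipping is the surprising behaviour here, it deserves the clearer wording.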
@@ -281,6 +297,13 @@ See the description of the \fB\-s\fP | ||
281 | 297 | (source) flag for a detailed description of the syntax. The flag |
282 | 298 | \fB\-\-dst\fP is an alias for this option. |
283 | 299 | .TP |
300 | +\fB\-m\fP, \fB\-\-match\fP \fImatch\fP | |
301 | +Specifies a match to use, that is, an extension module that tests for a | |
302 | +specific property. The set of matches make up the condition under which a | |
303 | +target is invoked. Matches are evaluated first to last as specified on the | |
304 | +command line and work in short-circuit fashion, i.e. if one extension yields | |
305 | +false, evaluation will stop. | |
306 | +.TP | |
284 | 307 | \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP |
285 | 308 | This specifies the target of the rule; i.e., what to do if the packet |
286 | 309 | matches it. The target can be a user-defined chain (other than the |
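Review bot: "The set of matches make up the condition" should read "makes up" (the subject is "set"). In the last sentence, "if one extension yields false, evaluation will stop" would be clearer if it also said what that means for the reader: the rule then does not match and its target is not invoked.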
@@ -362,2083 +385,8 @@ When adding or inserting rules into a chain, use \fIcommand\fP | ||
362 | 385 | to load any necessary modules (targets, match extensions, etc). |
363 | 386 | .SH MATCH EXTENSIONS |
364 | 387 | .PP |
365 | -ip6tables can use extended packet matching modules | |
366 | -with the \fB\-m\fP or \fB\-\-match\fP | |
367 | -options, followed by the matching module name; after these, various | |
368 | -extra command line options become available, depending on the specific | |
369 | -module. You can specify multiple extended match modules in one line, | |
370 | -and you can use the \fB\-h\fP or \fB\-\-help\fP | |
371 | -options after the module has been specified to receive help specific | |
372 | -to that module. | |
373 | -.PP | |
374 | -If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an | |
375 | -unknown option is encountered, ip6tables will try load a match module of the | |
376 | -same name as the protocol, to try making the option available. | |
377 | -.\" @MATCH@ | |
378 | -.SS addrtype | |
379 | -This module matches packets based on their | |
380 | -.B address type. | |
381 | -Address types are used within the kernel networking stack and categorize | |
382 | -addresses into various groups. The exact definition of that group depends on the specific layer three protocol. | |
383 | -.PP | |
384 | -The following address types are possible: | |
385 | -.TP | |
386 | -.BI "UNSPEC" | |
387 | -an unspecified address (i.e. 0.0.0.0) | |
388 | -.TP | |
389 | -.BI "UNICAST" | |
390 | -an unicast address | |
391 | -.TP | |
392 | -.BI "LOCAL" | |
393 | -a local address | |
394 | -.TP | |
395 | -.BI "BROADCAST" | |
396 | -a broadcast address | |
397 | -.TP | |
398 | -.BI "ANYCAST" | |
399 | -an anycast packet | |
400 | -.TP | |
401 | -.BI "MULTICAST" | |
402 | -a multicast address | |
403 | -.TP | |
404 | -.BI "BLACKHOLE" | |
405 | -a blackhole address | |
406 | -.TP | |
407 | -.BI "UNREACHABLE" | |
408 | -an unreachable address | |
409 | -.TP | |
410 | -.BI "PROHIBIT" | |
411 | -a prohibited address | |
412 | -.TP | |
413 | -.BI "THROW" | |
414 | -FIXME | |
415 | -.TP | |
416 | -.BI "NAT" | |
417 | -FIXME | |
418 | -.TP | |
419 | -.BI "XRESOLVE" | |
420 | -.TP | |
421 | -[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP | |
422 | -Matches if the source address is of given type | |
423 | -.TP | |
424 | -[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP | |
425 | -Matches if the destination address is of given type | |
426 | -.TP | |
427 | -.BI "\-\-limit\-iface\-in" | |
428 | -The address type checking can be limited to the interface the packet is coming | |
429 | -in. This option is only valid in the | |
430 | -.BR PREROUTING , | |
431 | -.B INPUT | |
432 | -and | |
433 | -.B FORWARD | |
434 | -chains. It cannot be specified with the | |
435 | -\fB\-\-limit\-iface\-out\fP | |
436 | -option. | |
437 | -.TP | |
438 | -\fB\-\-limit\-iface\-out\fP | |
439 | -The address type checking can be limited to the interface the packet is going | |
440 | -out. This option is only valid in the | |
441 | -.BR POSTROUTING , | |
442 | -.B OUTPUT | |
443 | -and | |
444 | -.B FORWARD | |
445 | -chains. It cannot be specified with the | |
446 | -\fB\-\-limit\-iface\-in\fP | |
447 | -option. | |
448 | -.SS ah | |
449 | -This module matches the parameters in Authentication header of IPsec packets. | |
450 | -.TP | |
451 | -[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] | |
452 | -Matches SPI. | |
453 | -.TP | |
454 | -[\fB!\fP] \fB\-\-ahlen\fP \fIlength\fP | |
455 | -Total length of this header in octets. | |
456 | -.TP | |
457 | -\fB\-\-ahres\fP | |
458 | -Matches if the reserved field is filled with zero. | |
459 | -.SS cluster | |
460 | -Allows you to deploy gateway and back-end load-sharing clusters without the | |
461 | -need of load-balancers. | |
462 | -.PP | |
463 | -This match requires that all the nodes see the same packets. Thus, the cluster | |
464 | -match decides if this node has to handle a packet given the following options: | |
465 | -.TP | |
466 | -\fB\-\-cluster\-total\-nodes\fP \fInum\fP | |
467 | -Set number of total nodes in cluster. | |
468 | -.TP | |
469 | -[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP | |
470 | -Set the local node number ID. | |
471 | -.TP | |
472 | -[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP | |
473 | -Set the local node number ID mask. You can use this option instead | |
474 | -of \fB\-\-cluster\-local\-node\fP. | |
475 | -.TP | |
476 | -\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP | |
477 | -Set seed value of the Jenkins hash. | |
478 | -.PP | |
479 | -Example: | |
480 | -.IP | |
481 | -iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster | |
482 | -\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 | |
483 | -\-\-cluster\-hash\-seed 0xdeadbeef | |
484 | -\-j MARK \-\-set-mark 0xffff | |
485 | -.IP | |
486 | -iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster | |
487 | -\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 | |
488 | -\-\-cluster\-hash\-seed 0xdeadbeef | |
489 | -\-j MARK -\-set\-mark 0xffff | |
490 | -.IP | |
491 | -iptables \-A PREROUTING \-t mangle \-i eth1 | |
492 | -\-m mark ! \-\-mark 0xffff \-j DROP | |
493 | -.IP | |
494 | -iptables \-A PREROUTING \-t mangle \-i eth2 | |
495 | -\-m mark ! \-\-mark 0xffff \-j DROP | |
496 | -.PP | |
497 | -And the following commands to make all nodes see the same packets: | |
498 | -.IP | |
499 | -ip maddr add 01:00:5e:00:01:01 dev eth1 | |
500 | -.IP | |
501 | -ip maddr add 01:00:5e:00:01:02 dev eth2 | |
502 | -.IP | |
503 | -arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 | |
504 | -\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01 | |
505 | -.IP | |
506 | -arptables \-A INPUT \-i eth1 \-\-h-length 6 | |
507 | -\-\-destination-mac 01:00:5e:00:01:01 | |
508 | -\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 | |
509 | -.IP | |
510 | -arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 | |
511 | -\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02 | |
512 | -.IP | |
513 | -arptables \-A INPUT \-i eth2 \-\-h\-length 6 | |
514 | -\-\-destination\-mac 01:00:5e:00:01:02 | |
515 | -\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 | |
516 | -.PP | |
517 | -In the case of TCP connections, pickup facility has to be disabled | |
518 | -to avoid marking TCP ACK packets coming in the reply direction as | |
519 | -valid. | |
520 | -.IP | |
521 | -echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose | |
522 | -.SS comment | |
523 | -Allows you to add comments (up to 256 characters) to any rule. | |
524 | -.TP | |
525 | -\fB\-\-comment\fP \fIcomment\fP | |
526 | -.TP | |
527 | -Example: | |
528 | -iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN" | |
529 | -.SS connbytes | |
530 | -Match by how many bytes or packets a connection (or one of the two | |
531 | -flows constituting the connection) has transferred so far, or by | |
532 | -average bytes per packet. | |
533 | -.PP | |
534 | -The counters are 64-bit and are thus not expected to overflow ;) | |
535 | -.PP | |
536 | -The primary use is to detect long-lived downloads and mark them to be | |
537 | -scheduled using a lower priority band in traffic control. | |
538 | -.PP | |
539 | -The transferred bytes per connection can also be viewed through | |
540 | -`conntrack \-L` and accessed via ctnetlink. | |
541 | -.PP | |
542 | -NOTE that for connections which have no accounting information, the match will | |
543 | -always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls | |
544 | -whether \fBnew\fP connections will be byte/packet counted. Existing connection | |
545 | -flows will not be gaining/losing a/the accounting structure when be sysctl flag | |
546 | -is flipped. | |
547 | -.TP | |
548 | -[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP] | |
549 | -match packets from a connection whose packets/bytes/average packet | |
550 | -size is more than FROM and less than TO bytes/packets. if TO is | |
551 | -omitted only FROM check is done. "!" is used to match packets not | |
552 | -falling in the range. | |
553 | -.TP | |
554 | -\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP} | |
555 | -which packets to consider | |
556 | -.TP | |
557 | -\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP} | |
558 | -whether to check the amount of packets, number of bytes transferred or | |
559 | -the average size (in bytes) of all packets received so far. Note that | |
560 | -when "both" is used together with "avgpkt", and data is going (mainly) | |
561 | -only in one direction (for example HTTP), the average packet size will | |
562 | -be about half of the actual data packets. | |
563 | -.TP | |
564 | -Example: | |
565 | -iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ... | |
566 | -.SS connlimit | |
567 | -Allows you to restrict the number of parallel connections to a server per | |
568 | -client IP address (or client address block). | |
569 | -.TP | |
570 | -\fB\-\-connlimit\-upto\fP \fIn\fP | |
571 | -Match if the number of existing connections is below or equal \fIn\fP. | |
572 | -.TP | |
573 | -\fB\-\-connlimit\-above\fP \fIn\fP | |
574 | -Match if the number of existing connections is above \fIn\fP. | |
575 | -.TP | |
576 | -\fB\-\-connlimit\-mask\fP \fIprefix_length\fP | |
577 | -Group hosts using the prefix length. For IPv4, this must be a number between | |
578 | -(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the | |
579 | -maximum prefix length for the applicable protocol is used. | |
580 | -.TP | |
581 | -\fB\-\-connlimit\-saddr\fP | |
582 | -Apply the limit onto the source group. This is the default if | |
583 | -\-\-connlimit\-daddr is not specified. | |
584 | -.TP | |
585 | -\fB\-\-connlimit\-daddr\fP | |
586 | -Apply the limit onto the destination group. | |
587 | -.PP | |
588 | -Examples: | |
589 | -.TP | |
590 | -# allow 2 telnet connections per client host | |
591 | -iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT | |
592 | -.TP | |
593 | -# you can also match the other way around: | |
594 | -iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT | |
595 | -.TP | |
596 | -# limit the number of parallel HTTP requests to 16 per class C sized \ | |
597 | -source network (24 bit netmask) | |
598 | -iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16 | |
599 | -\-\-connlimit\-mask 24 \-j REJECT | |
600 | -.TP | |
601 | -# limit the number of parallel HTTP requests to 16 for the link local network | |
602 | -(ipv6) | |
603 | -ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above | |
604 | -16 \-\-connlimit\-mask 64 \-j REJECT | |
605 | -.TP | |
606 | -# Limit the number of connections to a particular host: | |
607 | -ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit | |
608 | -\-\-connlimit-above 100 \-j REJECT | |
609 | -.SS connmark | |
610 | -This module matches the netfilter mark field associated with a connection | |
611 | -(which can be set using the \fBCONNMARK\fP target below). | |
612 | -.TP | |
613 | -[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
614 | -Matches packets in connections with the given mark value (if a mask is | |
615 | -specified, this is logically ANDed with the mark before the comparison). | |
616 | -.SS conntrack | |
617 | -This module, when combined with connection tracking, allows access to the | |
618 | -connection tracking state for this packet/connection. | |
619 | -.TP | |
620 | -[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP | |
621 | -\fIstatelist\fP is a comma separated list of the connection states to match. | |
622 | -Possible states are listed below. | |
623 | -.TP | |
624 | -[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP | |
625 | -Layer-4 protocol to match (by number or name) | |
626 | -.TP | |
627 | -[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
628 | -.TP | |
629 | -[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
630 | -.TP | |
631 | -[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
632 | -.TP | |
633 | -[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
634 | -Match against original/reply source/destination address | |
635 | -.TP | |
636 | -[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
637 | -.TP | |
638 | -[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
639 | -.TP | |
640 | -[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
641 | -.TP | |
642 | -[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
643 | -Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key. | |
644 | -Matching against port ranges is only supported in kernel versions above 2.6.38. | |
645 | -.TP | |
646 | -[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP | |
647 | -\fIstatuslist\fP is a comma separated list of the connection statuses to match. | |
648 | -Possible statuses are listed below. | |
649 | -.TP | |
650 | -[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP] | |
651 | -Match remaining lifetime in seconds against given value or range of values | |
652 | -(inclusive) | |
653 | -.TP | |
654 | -\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} | |
655 | -Match packets that are flowing in the specified direction. If this flag is not | |
656 | -specified at all, matches packets in both directions. | |
657 | -.PP | |
658 | -States for \fB\-\-ctstate\fP: | |
659 | -.TP | |
660 | -\fBINVALID\fP | |
661 | -meaning that the packet is associated with no known connection | |
662 | -.TP | |
663 | -\fBNEW\fP | |
664 | -meaning that the packet has started a new connection, or otherwise associated | |
665 | -with a connection which has not seen packets in both directions, and | |
666 | -.TP | |
667 | -\fBESTABLISHED\fP | |
668 | -meaning that the packet is associated with a connection which has seen packets | |
669 | -in both directions, | |
670 | -.TP | |
671 | -\fBRELATED\fP | |
672 | -meaning that the packet is starting a new connection, but is associated with an | |
673 | -existing connection, such as an FTP data transfer, or an ICMP error. | |
674 | -.TP | |
675 | -\fBUNTRACKED\fP | |
676 | -meaning that the packet is not tracked at all, which happens if you use | |
677 | -the NOTRACK target in raw table. | |
678 | -.TP | |
679 | -\fBSNAT\fP | |
680 | -A virtual state, matching if the original source address differs from the reply | |
681 | -destination. | |
682 | -.TP | |
683 | -\fBDNAT\fP | |
684 | -A virtual state, matching if the original destination differs from the reply | |
685 | -source. | |
686 | -.PP | |
687 | -Statuses for \fB\-\-ctstatus\fP: | |
688 | -.TP | |
689 | -\fBNONE\fP | |
690 | -None of the below. | |
691 | -.TP | |
692 | -\fBEXPECTED\fP | |
693 | -This is an expected connection (i.e. a conntrack helper set it up) | |
694 | -.TP | |
695 | -\fBSEEN_REPLY\fP | |
696 | -Conntrack has seen packets in both directions. | |
697 | -.TP | |
698 | -\fBASSURED\fP | |
699 | -Conntrack entry should never be early-expired. | |
700 | -.TP | |
701 | -\fBCONFIRMED\fP | |
702 | -Connection is confirmed: originating packet has left box. | |
703 | -.SS cpu | |
704 | -.TP | |
705 | -[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP | |
706 | -Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 | |
707 | -Can be used in combination with RPS (Remote Packet Steering) or | |
708 | -multiqueue NICs to spread network traffic on different queues. | |
709 | -.PP | |
710 | -Example: | |
711 | -.PP | |
712 | -iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0 | |
713 | -\-j REDIRECT \-\-to\-port 8080 | |
714 | -.PP | |
715 | -iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1 | |
716 | -\-j REDIRECT \-\-to\-port 8081 | |
717 | -.PP | |
718 | -Available since Linux 2.6.36. | |
719 | -.SS dccp | |
720 | -.TP | |
721 | -[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
722 | -.TP | |
723 | -[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
724 | -.TP | |
725 | -[\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP | |
726 | -Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated | |
727 | -list of packet types. Packet types are: | |
728 | -.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" . | |
729 | -.TP | |
730 | -[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP | |
731 | -Match if DCCP option set. | |
732 | -.SS dscp | |
733 | -This module matches the 6 bit DSCP field within the TOS field in the | |
734 | -IP header. DSCP has superseded TOS within the IETF. | |
735 | -.TP | |
736 | -[\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP | |
737 | -Match against a numeric (decimal or hex) value [0-63]. | |
738 | -.TP | |
739 | -[\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP | |
740 | -Match the DiffServ class. This value may be any of the | |
741 | -BE, EF, AFxx or CSx classes. It will then be converted | |
742 | -into its according numeric value. | |
743 | -.SS dst | |
744 | -This module matches the parameters in Destination Options header | |
745 | -.TP | |
746 | -[\fB!\fP] \fB\-\-dst\-len\fP \fIlength\fP | |
747 | -Total length of this header in octets. | |
748 | -.TP | |
749 | -\fB\-\-dst\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...] | |
750 | -numeric type of option and the length of the option data in octets. | |
751 | -.SS ecn | |
752 | -This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168 | |
753 | -.TP | |
754 | -[\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP | |
755 | -This matches if the TCP ECN CWR (Congestion Window Received) bit is set. | |
756 | -.TP | |
757 | -[\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP | |
758 | -This matches if the TCP ECN ECE (ECN Echo) bit is set. | |
759 | -.TP | |
760 | -[\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP | |
761 | -This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify | |
762 | -a number between `0' and `3'. | |
763 | -.SS esp | |
764 | -This module matches the SPIs in ESP header of IPsec packets. | |
765 | -.TP | |
766 | -[\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] | |
767 | -.SS eui64 | |
768 | -This module matches the EUI-64 part of a stateless autoconfigured IPv6 address. | |
769 | -It compares the EUI-64 derived from the source MAC address in Ethernet frame | |
770 | -with the lower 64 bits of the IPv6 source address. But "Universal/Local" | |
771 | -bit is not compared. This module doesn't match other link layer frame, and | |
772 | -is only valid in the | |
773 | -.BR PREROUTING , | |
774 | -.BR INPUT | |
775 | -and | |
776 | -.BR FORWARD | |
777 | -chains. | |
778 | -.SS frag | |
779 | -This module matches the parameters in Fragment header. | |
780 | -.TP | |
781 | -[\fB!\fP] \fB\-\-fragid\fP \fIid\fP[\fB:\fP\fIid\fP] | |
782 | -Matches the given Identification or range of it. | |
783 | -.TP | |
784 | -[\fB!\fP] \fB\-\-fraglen\fP \fIlength\fP | |
785 | -This option cannot be used with kernel version 2.6.10 or later. The length of | |
786 | -Fragment header is static and this option doesn't make sense. | |
787 | -.TP | |
788 | -\fB\-\-fragres\fP | |
789 | -Matches if the reserved fields are filled with zero. | |
790 | -.TP | |
791 | -\fB\-\-fragfirst\fP | |
792 | -Matches on the first fragment. | |
793 | -.TP | |
794 | -\fB\-\-fragmore\fP | |
795 | -Matches if there are more fragments. | |
796 | -.TP | |
797 | -\fB\-\-fraglast\fP | |
798 | -Matches if this is the last fragment. | |
799 | -.SS hashlimit | |
800 | -\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the | |
801 | -\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables | |
802 | -rule. Grouping can be done per-hostgroup (source and/or destination address) | |
803 | -and/or per-port. It gives you the ability to express "\fIN\fP packets per time | |
804 | -quantum per group" (see below for some examples). | |
805 | -.PP | |
806 | -A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and | |
807 | -\fB\-\-hashlimit\-name\fP are required. | |
808 | -.TP | |
809 | -\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] | |
810 | -Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as | |
811 | -a number, with an optional time quantum suffix; the default is 3/hour. | |
812 | -.TP | |
813 | -\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] | |
814 | -Match if the rate is above \fIamount\fP/quantum. | |
815 | -.TP | |
816 | -\fB\-\-hashlimit\-burst\fP \fIamount\fP | |
817 | -Maximum initial number of packets to match: this number gets recharged by one | |
818 | -every time the limit specified above is not reached, up to this number; the | |
819 | -default is 5. | |
820 | -.TP | |
821 | -\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP... | |
822 | -A comma-separated list of objects to take into consideration. If no | |
823 | -\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the | |
824 | -expensive of doing the hash housekeeping. | |
825 | -.TP | |
826 | -\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP | |
827 | -When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be | |
828 | -grouped according to the given prefix length and the so-created subnet will be | |
829 | -subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note | |
830 | -that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying | |
831 | -srcip for \-\-hashlimit\-mode, but is technically more expensive. | |
832 | -.TP | |
833 | -\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP | |
834 | -Like \-\-hashlimit\-srcmask, but for destination addresses. | |
835 | -.TP | |
836 | -\fB\-\-hashlimit\-name\fP \fIfoo\fP | |
837 | -The name for the /proc/net/ipt_hashlimit/foo entry. | |
838 | -.TP | |
839 | -\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP | |
840 | -The number of buckets of the hash table | |
841 | -.TP | |
842 | -\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP | |
843 | -Maximum entries in the hash. | |
844 | -.TP | |
845 | -\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP | |
846 | -After how many milliseconds do hash entries expire. | |
847 | -.TP | |
848 | -\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP | |
849 | -How many milliseconds between garbage collection intervals. | |
850 | -.PP | |
851 | -Examples: | |
852 | -.TP | |
853 | -matching on source host | |
854 | -"1000 packets per second for every host in 192.168.0.0/16" => | |
855 | -\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec | |
856 | -.TP | |
857 | -matching on source port | |
858 | -"100 packets per second for every service of 192.168.1.1" => | |
859 | -\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec | |
860 | -.TP | |
861 | -matching on subnet | |
862 | -"10000 packets per minute for every /28 subnet (groups of 8 addresses) | |
863 | -in 10.0.0.0/8" => | |
864 | -\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min | |
865 | -.SS hbh | |
866 | -This module matches the parameters in Hop-by-Hop Options header | |
867 | -.TP | |
868 | -[\fB!\fP] \fB\-\-hbh\-len\fP \fIlength\fP | |
869 | -Total length of this header in octets. | |
870 | -.TP | |
871 | -\fB\-\-hbh\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...] | |
872 | -numeric type of option and the length of the option data in octets. | |
873 | -.SS helper | |
874 | -This module matches packets related to a specific conntrack-helper. | |
875 | -.TP | |
876 | -[\fB!\fP] \fB\-\-helper\fP \fIstring\fP | |
877 | -Matches packets related to the specified conntrack-helper. | |
878 | -.RS | |
879 | -.PP | |
880 | -string can be "ftp" for packets related to a ftp-session on default port. | |
881 | -For other ports append \-portnr to the value, ie. "ftp\-2121". | |
882 | -.PP | |
883 | -Same rules apply for other conntrack-helpers. | |
884 | -.RE | |
885 | -.SS hl | |
886 | -This module matches the Hop Limit field in the IPv6 header. | |
887 | -.TP | |
888 | -[\fB!\fP] \fB\-\-hl\-eq\fP \fIvalue\fP | |
889 | -Matches if Hop Limit equals \fIvalue\fP. | |
890 | -.TP | |
891 | -\fB\-\-hl\-lt\fP \fIvalue\fP | |
892 | -Matches if Hop Limit is less than \fIvalue\fP. | |
893 | -.TP | |
894 | -\fB\-\-hl\-gt\fP \fIvalue\fP | |
895 | -Matches if Hop Limit is greater than \fIvalue\fP. | |
896 | -.SS icmp6 | |
897 | -This extension can be used if `\-\-protocol ipv6\-icmp' or `\-\-protocol icmpv6' is | |
898 | -specified. It provides the following option: | |
899 | -.TP | |
900 | -[\fB!\fP] \fB\-\-icmpv6\-type\fP \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP | |
901 | -This allows specification of the ICMPv6 type, which can be a numeric | |
902 | -ICMPv6 | |
903 | -.IR type , | |
904 | -.IR type | |
905 | -and | |
906 | -.IR code , | |
907 | -or one of the ICMPv6 type names shown by the command | |
908 | -.nf | |
909 | - ip6tables \-p ipv6\-icmp \-h | |
910 | -.fi | |
911 | -.SS iprange | |
912 | -This matches on a given arbitrary range of IP addresses. | |
913 | -.TP | |
914 | -[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] | |
915 | -Match source IP in the specified range. | |
916 | -.TP | |
917 | -[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] | |
918 | -Match destination IP in the specified range. | |
919 | -.SS ipv6header | |
920 | -This module matches IPv6 extension headers and/or upper layer header. | |
921 | -.TP | |
922 | -\fB\-\-soft\fP | |
923 | -Matches if the packet includes \fBany\fP of the headers specified with | |
924 | -\fB\-\-header\fP. | |
925 | -.TP | |
926 | -[\fB!\fP] \fB\-\-header\fP \fIheader\fP[\fB,\fP\fIheader\fP...] | |
927 | -Matches the packet which EXACTLY includes all specified headers. The headers | |
928 | -encapsulated with ESP header are out of scope. | |
929 | -Possible \fIheader\fP types can be: | |
930 | -.TP | |
931 | -\fBhop\fP|\fBhop\-by\-hop\fP | |
932 | -Hop-by-Hop Options header | |
933 | -.TP | |
934 | -\fBdst\fP | |
935 | -Destination Options header | |
936 | -.TP | |
937 | -\fBroute\fP | |
938 | -Routing header | |
939 | -.TP | |
940 | -\fBfrag\fP | |
941 | -Fragment header | |
942 | -.TP | |
943 | -\fBauth\fP | |
944 | -Authentication header | |
945 | -.TP | |
946 | -\fBesp\fP | |
947 | -Encapsulating Security Payload header | |
948 | -.TP | |
949 | -\fBnone\fP | |
950 | -No Next header which matches 59 in the 'Next Header field' of IPv6 header or | |
951 | -any IPv6 extension headers | |
952 | -.TP | |
953 | -\fBproto\fP | |
954 | -which matches any upper layer protocol header. A protocol name from | |
955 | -/etc/protocols and numeric value also allowed. The number 255 is equivalent to | |
956 | -\fBproto\fP. | |
957 | -.SS ipvs | |
958 | -Match IPVS connection properties. | |
959 | -.TP | |
960 | -[\fB!\fP] \fB\-\-ipvs\fP | |
961 | -packet belongs to an IPVS connection | |
962 | -.TP | |
963 | -Any of the following options implies \-\-ipvs (even negated) | |
964 | -.TP | |
965 | -[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP | |
966 | -VIP protocol to match; by number or name, e.g. "tcp" | |
967 | -.TP | |
968 | -[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
969 | -VIP address to match | |
970 | -.TP | |
971 | -[\fB!\fP] \fB\-\-vport\fP \fIport\fP | |
972 | -VIP port to match; by number or name, e.g. "http" | |
973 | -.TP | |
974 | -\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} | |
975 | -flow direction of packet | |
976 | -.TP | |
977 | -[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP} | |
978 | -IPVS forwarding method used | |
979 | -.TP | |
980 | -[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP | |
981 | -VIP port of the controlling connection to match, e.g. 21 for FTP | |
982 | -.SS length | |
983 | -This module matches the length of the layer-3 payload (e.g. layer-4 packet) | |
984 | -of a packet against a specific value | |
985 | -or range of values. | |
986 | -.TP | |
987 | -[\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP] | |
988 | -.SS limit | |
989 | -This module matches at a limited rate using a token bucket filter. | |
990 | -A rule using this extension will match until this limit is reached. | |
991 | -It can be used in combination with the | |
992 | -.B LOG | |
993 | -target to give limited logging, for example. | |
994 | -.PP | |
995 | -xt_limit has no negation support - you will have to use \-m hashlimit ! | |
996 | -\-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode. | |
997 | -.TP | |
998 | -\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] | |
999 | -Maximum average matching rate: specified as a number, with an optional | |
1000 | -`/second', `/minute', `/hour', or `/day' suffix; the default is | |
1001 | -3/hour. | |
1002 | -.TP | |
1003 | -\fB\-\-limit\-burst\fP \fInumber\fP | |
1004 | -Maximum initial number of packets to match: this number gets | |
1005 | -recharged by one every time the limit specified above is not reached, | |
1006 | -up to this number; the default is 5. | |
1007 | -.SS mac | |
1008 | -.TP | |
1009 | -[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP | |
1010 | -Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. | |
1011 | -Note that this only makes sense for packets coming from an Ethernet device | |
1012 | -and entering the | |
1013 | -.BR PREROUTING , | |
1014 | -.B FORWARD | |
1015 | -or | |
1016 | -.B INPUT | |
1017 | -chains. | |
1018 | -.SS mark | |
1019 | -This module matches the netfilter mark field associated with a packet | |
1020 | -(which can be set using the | |
1021 | -.B MARK | |
1022 | -target below). | |
1023 | -.TP | |
1024 | -[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1025 | -Matches packets with the given unsigned mark value (if a \fImask\fP is | |
1026 | -specified, this is logically ANDed with the \fImask\fP before the | |
1027 | -comparison). | |
1028 | -.SS mh | |
1029 | -This extension is loaded if `\-\-protocol ipv6\-mh' or `\-\-protocol mh' is | |
1030 | -specified. It provides the following option: | |
1031 | -.TP | |
1032 | -[\fB!\fP] \fB\-\-mh\-type\fP \fItype\fP[\fB:\fP\fItype\fP] | |
1033 | -This allows specification of the Mobility Header(MH) type, which can be | |
1034 | -a numeric MH | |
1035 | -.IR type , | |
1036 | -.IR type | |
1037 | -or one of the MH type names shown by the command | |
1038 | -.nf | |
1039 | - ip6tables \-p ipv6\-mh \-h | |
1040 | -.fi | |
1041 | -.SS multiport | |
1042 | -This module matches a set of source or destination ports. Up to 15 | |
1043 | -ports can be specified. A port range (port:port) counts as two | |
1044 | -ports. It can only be used in conjunction with | |
1045 | -\fB\-p tcp\fP | |
1046 | -or | |
1047 | -\fB\-p udp\fP. | |
1048 | -.TP | |
1049 | -[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... | |
1050 | -Match if the source port is one of the given ports. The flag | |
1051 | -\fB\-\-sports\fP | |
1052 | -is a convenient alias for this option. Multiple ports or port ranges are | |
1053 | -separated using a comma, and a port range is specified using a colon. | |
1054 | -\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through | |
1055 | -65535. | |
1056 | -.TP | |
1057 | -[\fB!\fP] \fB\-\-destination\-ports\fP,\fB\-\-dports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... | |
1058 | -Match if the destination port is one of the given ports. The flag | |
1059 | -\fB\-\-dports\fP | |
1060 | -is a convenient alias for this option. | |
1061 | -.TP | |
1062 | -[\fB!\fP] \fB\-\-ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... | |
1063 | -Match if either the source or destination ports are equal to one of | |
1064 | -the given ports. | |
1065 | -.SS nfacct | |
1066 | -The nfacct match provides the extended accounting infrastructure for iptables. | |
1067 | -You have to use this match together with the standalone user-space utility | |
1068 | -.B nfacct(8) | |
1069 | -.PP | |
1070 | -The only option available for this match is the following: | |
1071 | -.TP | |
1072 | -\fB\-\-nfacct\-name\fP \fIname\fP | |
1073 | -This allows you to specify the existing object name that will be use for | |
1074 | -accounting the traffic that this rule-set is matching. | |
1075 | -.PP | |
1076 | -To use this extension, you have to create an accounting object: | |
1077 | -.IP | |
1078 | -nfacct add http\-traffic | |
1079 | -.PP | |
1080 | -Then, you have to attach it to the accounting object via iptables: | |
1081 | -.IP | |
1082 | -iptables \-I INPUT \-p tcp \-\-sport 80 \-m nfacct \-\-nfacct\-name http\-traffic | |
1083 | -.IP | |
1084 | -iptables \-I OUTPUT \-p tcp \-\-dport 80 \-m nfacct \-\-nfacct\-name http\-traffic | |
1085 | -.PP | |
1086 | -Then, you can check for the amount of traffic that the rules match: | |
1087 | -.IP | |
1088 | -nfacct get http\-traffic | |
1089 | -.IP | |
1090 | -{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic; | |
1091 | -.PP | |
1092 | -You can obtain | |
1093 | -.B nfacct(8) | |
1094 | -from http://www.netfilter.org or, alternatively, from the git.netfilter.org | |
1095 | -repository. | |
1096 | -.SS owner | |
1097 | -This module attempts to match various characteristics of the packet creator, | |
1098 | -for locally generated packets. This match is only valid in the OUTPUT and | |
1099 | -POSTROUTING chains. Forwarded packets do not have any socket associated with | |
1100 | -them. Packets from kernel threads do have a socket, but usually no owner. | |
1101 | -.TP | |
1102 | -[\fB!\fP] \fB\-\-uid\-owner\fP \fIusername\fP | |
1103 | -.TP | |
1104 | -[\fB!\fP] \fB\-\-uid\-owner\fP \fIuserid\fP[\fB\-\fP\fIuserid\fP] | |
1105 | -Matches if the packet socket's file structure (if it has one) is owned by the | |
1106 | -given user. You may also specify a numerical UID, or an UID range. | |
1107 | -.TP | |
1108 | -[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupname\fP | |
1109 | -.TP | |
1110 | -[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP] | |
1111 | -Matches if the packet socket's file structure is owned by the given group. | |
1112 | -You may also specify a numerical GID, or a GID range. | |
1113 | -.TP | |
1114 | -[\fB!\fP] \fB\-\-socket\-exists\fP | |
1115 | -Matches if the packet is associated with a socket. | |
1116 | -.SS physdev | |
1117 | -This module matches on the bridge port input and output devices enslaved | |
1118 | -to a bridge device. This module is a part of the infrastructure that enables | |
1119 | -a transparent bridging IP firewall and is only useful for kernel versions | |
1120 | -above version 2.5.44. | |
1121 | -.TP | |
1122 | -[\fB!\fP] \fB\-\-physdev\-in\fP \fIname\fP | |
1123 | -Name of a bridge port via which a packet is received (only for | |
1124 | -packets entering the | |
1125 | -.BR INPUT , | |
1126 | -.B FORWARD | |
1127 | -and | |
1128 | -.B PREROUTING | |
1129 | -chains). If the interface name ends in a "+", then any | |
1130 | -interface which begins with this name will match. If the packet didn't arrive | |
1131 | -through a bridge device, this packet won't match this option, unless '!' is used. | |
1132 | -.TP | |
1133 | -[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP | |
1134 | -Name of a bridge port via which a packet is going to be sent (for packets | |
1135 | -entering the | |
1136 | -.BR FORWARD , | |
1137 | -.B OUTPUT | |
1138 | -and | |
1139 | -.B POSTROUTING | |
1140 | -chains). If the interface name ends in a "+", then any | |
1141 | -interface which begins with this name will match. Note that in the | |
1142 | -.BR nat " and " mangle | |
1143 | -.B OUTPUT | |
1144 | -chains one cannot match on the bridge output port, however one can in the | |
1145 | -.B "filter OUTPUT" | |
1146 | -chain. If the packet won't leave by a bridge device or if it is yet unknown what | |
1147 | -the output device will be, then the packet won't match this option, | |
1148 | -unless '!' is used. | |
1149 | -.TP | |
1150 | -[\fB!\fP] \fB\-\-physdev\-is\-in\fP | |
1151 | -Matches if the packet has entered through a bridge interface. | |
1152 | -.TP | |
1153 | -[\fB!\fP] \fB\-\-physdev\-is\-out\fP | |
1154 | -Matches if the packet will leave through a bridge interface. | |
1155 | -.TP | |
1156 | -[\fB!\fP] \fB\-\-physdev\-is\-bridged\fP | |
1157 | -Matches if the packet is being bridged and therefore is not being routed. | |
1158 | -This is only useful in the FORWARD and POSTROUTING chains. | |
1159 | -.SS pkttype | |
1160 | -This module matches the link-layer packet type. | |
1161 | -.TP | |
1162 | -[\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP} | |
1163 | -.SS policy | |
1164 | -This modules matches the policy used by IPsec for handling a packet. | |
1165 | -.TP | |
1166 | -\fB\-\-dir\fP {\fBin\fP|\fBout\fP} | |
1167 | -Used to select whether to match the policy used for decapsulation or the | |
1168 | -policy that will be used for encapsulation. | |
1169 | -.B in | |
1170 | -is valid in the | |
1171 | -.B PREROUTING, INPUT and FORWARD | |
1172 | -chains, | |
1173 | -.B out | |
1174 | -is valid in the | |
1175 | -.B POSTROUTING, OUTPUT and FORWARD | |
1176 | -chains. | |
1177 | -.TP | |
1178 | -\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP} | |
1179 | -Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP | |
1180 | -cannot be combined with \fB\-\-strict\fP. | |
1181 | -.TP | |
1182 | -\fB\-\-strict\fP | |
1183 | -Selects whether to match the exact policy or match if any rule of | |
1184 | -the policy matches the given policy. | |
1185 | -.PP | |
1186 | -For each policy element that is to be described, one can use one or more of | |
1187 | -the following options. When \fB\-\-strict\fP is in effect, at least one must be | |
1188 | -used per element. | |
1189 | -.TP | |
1190 | -[\fB!\fP] \fB\-\-reqid\fP \fIid\fP | |
1191 | -Matches the reqid of the policy rule. The reqid can be specified with | |
1192 | -.B setkey(8) | |
1193 | -using | |
1194 | -.B unique:id | |
1195 | -as level. | |
1196 | -.TP | |
1197 | -[\fB!\fP] \fB\-\-spi\fP \fIspi\fP | |
1198 | -Matches the SPI of the SA. | |
1199 | -.TP | |
1200 | -[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP} | |
1201 | -Matches the encapsulation protocol. | |
1202 | -.TP | |
1203 | -[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP} | |
1204 | -Matches the encapsulation mode. | |
1205 | -.TP | |
1206 | -[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP] | |
1207 | -Matches the source end-point address of a tunnel mode SA. | |
1208 | -Only valid with \fB\-\-mode tunnel\fP. | |
1209 | -.TP | |
1210 | -[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP] | |
1211 | -Matches the destination end-point address of a tunnel mode SA. | |
1212 | -Only valid with \fB\-\-mode tunnel\fP. | |
1213 | -.TP | |
1214 | -\fB\-\-next\fP | |
1215 | -Start the next element in the policy specification. Can only be used with | |
1216 | -\fB\-\-strict\fP. | |
1217 | -.SS quota | |
1218 | -Implements network quotas by decrementing a byte counter with each | |
1219 | -packet. The condition matches until the byte counter reaches zero. Behavior | |
1220 | -is reversed with negation (i.e. the condition does not match until the | |
1221 | -byte counter reaches zero). | |
1222 | -.TP | |
1223 | -[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP | |
1224 | -The quota in bytes. | |
1225 | -.SS rateest | |
1226 | -The rate estimator can match on estimated rates as collected by the RATEEST | |
1227 | -target. It supports matching on absolute bps/pps values, comparing two rate | |
1228 | -estimators and matching on the difference between two rate estimators. | |
1229 | -.PP | |
1230 | -For a better understanding of the available options, these are all possible | |
1231 | -combinations: | |
1232 | -.\" * Absolute: | |
1233 | -.IP \(bu 4 | |
1234 | -\fBrateest\fP \fIoperator\fP \fBrateest-bps\fP | |
1235 | -.IP \(bu 4 | |
1236 | -\fBrateest\fP \fIoperator\fP \fBrateest-pps\fP | |
1237 | -.\" * Absolute + Delta: | |
1238 | -.IP \(bu 4 | |
1239 | -(\fBrateest\fP minus \fBrateest-bps1\fP) \fIoperator\fP \fBrateest-bps2\fP | |
1240 | -.IP \(bu 4 | |
1241 | -(\fBrateest\fP minus \fBrateest-pps1\fP) \fIoperator\fP \fBrateest-pps2\fP | |
1242 | -.\" * Relative: | |
1243 | -.IP \(bu 4 | |
1244 | -\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-bps\fP(without rate!) | |
1245 | -.IP \(bu 4 | |
1246 | -\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-pps\fP(without rate!) | |
1247 | -.\" * Relative + Delta: | |
1248 | -.IP \(bu 4 | |
1249 | -(\fBrateest1\fP minus \fBrateest-bps1\fP) \fIoperator\fP | |
1250 | -(\fBrateest2\fP minus \fBrateest-bps2\fP) | |
1251 | -.IP \(bu 4 | |
1252 | -(\fBrateest1\fP minus \fBrateest-pps1\fP) \fIoperator\fP | |
1253 | -(\fBrateest2\fP minus \fBrateest-pps2\fP) | |
1254 | -.TP | |
1255 | -\fB\-\-rateest\-delta\fP | |
1256 | -For each estimator (either absolute or relative mode), calculate the difference | |
1257 | -between the estimator-determined flow rate and the static value chosen with the | |
1258 | -BPS/PPS options. If the flow rate is higher than the specified BPS/PPS, 0 will | |
1259 | -be used instead of a negative value. In other words, "max(0, rateest#_rate - | |
1260 | -rateest#_bps)" is used. | |
1261 | -.TP | |
1262 | -[\fB!\fP] \fB\-\-rateest\-lt\fP | |
1263 | -Match if rate is less than given rate/estimator. | |
1264 | -.TP | |
1265 | -[\fB!\fP] \fB\-\-rateest\-gt\fP | |
1266 | -Match if rate is greater than given rate/estimator. | |
1267 | -.TP | |
1268 | -[\fB!\fP] \fB\-\-rateest\-eq\fP | |
1269 | -Match if rate is equal to given rate/estimator. | |
1270 | -.PP | |
1271 | -In the so-called "absolute mode", only one rate estimator is used and compared | |
1272 | -against a static value, while in "relative mode", two rate estimators are | |
1273 | -compared against another. | |
1274 | -.TP | |
1275 | -\fB\-\-rateest\fP \fIname\fP | |
1276 | -Name of the one rate estimator for absolute mode. | |
1277 | -.TP | |
1278 | -\fB\-\-rateest1\fP \fIname\fP | |
1279 | -.TP | |
1280 | -\fB\-\-rateest2\fP \fIname\fP | |
1281 | -The names of the two rate estimators for relative mode. | |
1282 | -.TP | |
1283 | -\fB\-\-rateest\-bps\fP [\fIvalue\fP] | |
1284 | -.TP | |
1285 | -\fB\-\-rateest\-pps\fP [\fIvalue\fP] | |
1286 | -.TP | |
1287 | -\fB\-\-rateest\-bps1\fP [\fIvalue\fP] | |
1288 | -.TP | |
1289 | -\fB\-\-rateest\-bps2\fP [\fIvalue\fP] | |
1290 | -.TP | |
1291 | -\fB\-\-rateest\-pps1\fP [\fIvalue\fP] | |
1292 | -.TP | |
1293 | -\fB\-\-rateest\-pps2\fP [\fIvalue\fP] | |
1294 | -Compare the estimator(s) by bytes or packets per second, and compare against | |
1295 | -the chosen value. See the above bullet list for which option is to be used in | |
1296 | -which case. A unit suffix may be used - available ones are: bit, [kmgt]bit, | |
1297 | -[KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps. | |
1298 | -.PP | |
1299 | -Example: This is what can be used to route outgoing data connections from an | |
1300 | -FTP server over two lines based on the available bandwidth at the time the data | |
1301 | -connection was started: | |
1302 | -.PP | |
1303 | -# Estimate outgoing rates | |
1304 | -.PP | |
1305 | -iptables \-t mangle \-A POSTROUTING \-o eth0 \-j RATEEST \-\-rateest\-name eth0 | |
1306 | -\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s | |
1307 | -.PP | |
1308 | -iptables \-t mangle \-A POSTROUTING \-o ppp0 \-j RATEEST \-\-rateest\-name ppp0 | |
1309 | -\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s | |
1310 | -.PP | |
1311 | -# Mark based on available bandwidth | |
1312 | -.PP | |
1313 | -iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp | |
1314 | -\-m rateest \-\-rateest\-delta \-\-rateest1 eth0 \-\-rateest\-bps1 2.5mbit \-\-rateest\-gt | |
1315 | -\-\-rateest2 ppp0 \-\-rateest\-bps2 2mbit \-j CONNMARK \-\-set\-mark 1 | |
1316 | -.PP | |
1317 | -iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp | |
1318 | -\-m rateest \-\-rateest\-delta \-\-rateest1 ppp0 \-\-rateest\-bps1 2mbit \-\-rateest\-gt | |
1319 | -\-\-rateest2 eth0 \-\-rateest\-bps2 2.5mbit \-j CONNMARK \-\-set\-mark 2 | |
1320 | -.PP | |
1321 | -iptables \-t mangle \-A balance \-j CONNMARK \-\-restore\-mark | |
1322 | -.SS recent | |
1323 | -Allows you to dynamically create a list of IP addresses and then match against | |
1324 | -that list in a few different ways. | |
1325 | -.PP | |
1326 | -For example, you can create a "badguy" list out of people attempting to connect | |
1327 | -to port 139 on your firewall and then DROP all future packets from them without | |
1328 | -considering them. | |
1329 | -.PP | |
1330 | -\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are | |
1331 | -mutually exclusive. | |
1332 | -.TP | |
1333 | -\fB\-\-name\fP \fIname\fP | |
1334 | -Specify the list to use for the commands. If no name is given then | |
1335 | -\fBDEFAULT\fP will be used. | |
1336 | -.TP | |
1337 | -[\fB!\fP] \fB\-\-set\fP | |
1338 | -This will add the source address of the packet to the list. If the source | |
1339 | -address is already in the list, this will update the existing entry. This will | |
1340 | -always return success (or failure if \fB!\fP is passed in). | |
1341 | -.TP | |
1342 | -\fB\-\-rsource\fP | |
1343 | -Match/save the source address of each packet in the recent list table. This | |
1344 | -is the default. | |
1345 | -.TP | |
1346 | -\fB\-\-rdest\fP | |
1347 | -Match/save the destination address of each packet in the recent list table. | |
1348 | -.TP | |
1349 | -[\fB!\fP] \fB\-\-rcheck\fP | |
1350 | -Check if the source address of the packet is currently in the list. | |
1351 | -.TP | |
1352 | -[\fB!\fP] \fB\-\-update\fP | |
1353 | -Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it | |
1354 | -matches. | |
1355 | -.TP | |
1356 | -[\fB!\fP] \fB\-\-remove\fP | |
1357 | -Check if the source address of the packet is currently in the list and if so | |
1358 | -that address will be removed from the list and the rule will return true. If | |
1359 | -the address is not found, false is returned. | |
1360 | -.TP | |
1361 | -\fB\-\-seconds\fP \fIseconds\fP | |
1362 | -This option must be used in conjunction with one of \fB\-\-rcheck\fP or | |
1363 | -\fB\-\-update\fP. When used, this will narrow the match to only happen when the | |
1364 | -address is in the list and was seen within the last given number of seconds. | |
1365 | -.TP | |
1366 | -\fB\-\-reap\fP | |
1367 | -This option can only be used in conjunction with \fB\-\-seconds\fP. | |
1368 | -When used, this will cause entries older than the last given number of seconds | |
1369 | -to be purged. | |
1370 | -.TP | |
1371 | -\fB\-\-hitcount\fP \fIhits\fP | |
1372 | -This option must be used in conjunction with one of \fB\-\-rcheck\fP or | |
1373 | -\fB\-\-update\fP. When used, this will narrow the match to only happen when the | |
1374 | -address is in the list and packets had been received greater than or equal to | |
1375 | -the given value. This option may be used along with \fB\-\-seconds\fP to create | |
1376 | -an even narrower match requiring a certain number of hits within a specific | |
1377 | -time frame. The maximum value for the hitcount parameter is given by the | |
1378 | -"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this | |
1379 | -value on the command line will cause the rule to be rejected. | |
1380 | -.TP | |
1381 | -\fB\-\-rttl\fP | |
1382 | -This option may only be used in conjunction with one of \fB\-\-rcheck\fP or | |
1383 | -\fB\-\-update\fP. When used, this will narrow the match to only happen when the | |
1384 | -address is in the list and the TTL of the current packet matches that of the | |
1385 | -packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems | |
1386 | -with people faking their source address in order to DoS you via this module by | |
1387 | -disallowing others access to your site by sending bogus packets to you. | |
1388 | -.PP | |
1389 | -Examples: | |
1390 | -.IP | |
1391 | -iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP | |
1392 | -.IP | |
1393 | -iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP | |
1394 | -.PP | |
1395 | -Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has | |
1396 | -some examples of usage. | |
1397 | -.PP | |
1398 | -\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information | |
1399 | -about each entry of each list. | |
1400 | -.PP | |
1401 | -Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current | |
1402 | -list or written two using the following commands to modify the list: | |
1403 | -.TP | |
1404 | -\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP | |
1405 | -to add \fIaddr\fP to the DEFAULT list | |
1406 | -.TP | |
1407 | -\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP | |
1408 | -to remove \fIaddr\fP from the DEFAULT list | |
1409 | -.TP | |
1410 | -\fBecho / >/proc/net/xt_recent/DEFAULT\fP | |
1411 | -to flush the DEFAULT list (remove all entries). | |
1412 | -.PP | |
1413 | -The module itself accepts parameters, defaults shown: | |
1414 | -.TP | |
1415 | -\fBip_list_tot\fP=\fI100\fP | |
1416 | -Number of addresses remembered per table. | |
1417 | -.TP | |
1418 | -\fBip_pkt_list_tot\fP=\fI20\fP | |
1419 | -Number of packets per address remembered. | |
1420 | -.TP | |
1421 | -\fBip_list_hash_size\fP=\fI0\fP | |
1422 | -Hash table size. 0 means to calculate it based on ip_list_tot, default: 512. | |
1423 | -.TP | |
1424 | -\fBip_list_perms\fP=\fI0644\fP | |
1425 | -Permissions for /proc/net/xt_recent/* files. | |
1426 | -.TP | |
1427 | -\fBip_list_uid\fP=\fI0\fP | |
1428 | -Numerical UID for ownership of /proc/net/xt_recent/* files. | |
1429 | -.TP | |
1430 | -\fBip_list_gid\fP=\fI0\fP | |
1431 | -Numerical GID for ownership of /proc/net/xt_recent/* files. | |
1432 | -.SS rpfilter | |
1433 | -Performs a reverse path filter test on a packet. | |
1434 | -If a reply to the packet would be sent via the same interface | |
1435 | -that the packet arrived on, the packet will match. | |
1436 | -Note that, unlike the in-kernel rp_filter, packets protected | |
1437 | -by IPSec are not treated specially. Combine this match with | |
1438 | -the policy match if you want this. | |
1439 | -Also, packets arriving via the loopback interface are always permitted. | |
1440 | -This match can only be used in the PREROUTING chain of the raw or mangle table. | |
1441 | -.TP | |
1442 | -\fB\-\-loose\fP | |
1443 | -Used to specifiy that the reverse path filter test should match | |
1444 | -even if the selected output device is not the expected one. | |
1445 | -.TP | |
1446 | -\fB\-\-validmark\fP | |
1447 | -Also use the packets' nfmark value when performing the reverse path route lookup. | |
1448 | -.TP | |
1449 | -\fB\-\-accept\-local\fP | |
1450 | -This will permit packets arriving from the network with a source address that is also | |
1451 | -assigned to the local machine. | |
1452 | -\fB\-\-invert\fP | |
1453 | -This will invert the sense of the match. Instead of matching packets that passed the | |
1454 | -reverse path filter test, match those that have failed it. | |
1455 | -.PP | |
1456 | -Example to log and drop packets failing the reverse path filter test: | |
1457 | - | |
1458 | -iptables \-t raw \-N RPFILTER | |
1459 | - | |
1460 | -iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN | |
1461 | - | |
1462 | -iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop" | |
1463 | - | |
1464 | -iptables \-t raw \-A RPFILTER \-j DROP | |
1465 | - | |
1466 | -iptables \-t raw \-A PREROUTING \-j RPFILTER | |
1467 | - | |
1468 | -Example to drop failed packets, without logging: | |
1469 | - | |
1470 | -iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP | |
1471 | -.SS rt | |
1472 | -Match on IPv6 routing header | |
1473 | -.TP | |
1474 | -[\fB!\fP] \fB\-\-rt\-type\fP \fItype\fP | |
1475 | -Match the type (numeric). | |
1476 | -.TP | |
1477 | -[\fB!\fP] \fB\-\-rt\-segsleft\fP \fInum\fP[\fB:\fP\fInum\fP] | |
1478 | -Match the `segments left' field (range). | |
1479 | -.TP | |
1480 | -[\fB!\fP] \fB\-\-rt\-len\fP \fIlength\fP | |
1481 | -Match the length of this header. | |
1482 | -.TP | |
1483 | -\fB\-\-rt\-0\-res\fP | |
1484 | -Match the reserved field, too (type=0) | |
1485 | -.TP | |
1486 | -\fB\-\-rt\-0\-addrs\fP \fIaddr\fP[\fB,\fP\fIaddr\fP...] | |
1487 | -Match type=0 addresses (list). | |
1488 | -.TP | |
1489 | -\fB\-\-rt\-0\-not\-strict\fP | |
1490 | -List of type=0 addresses is not a strict list. | |
1491 | -.SS sctp | |
1492 | -.TP | |
1493 | -[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1494 | -.TP | |
1495 | -[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1496 | -.TP | |
1497 | -[\fB!\fP] \fB\-\-chunk\-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...] | |
1498 | -The flag letter in upper case indicates that the flag is to match if set, | |
1499 | -in the lower case indicates to match if unset. | |
1500 | - | |
1501 | -Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN | |
1502 | - | |
1503 | -chunk type available flags | |
1504 | -.br | |
1505 | -DATA I U B E i u b e | |
1506 | -.br | |
1507 | -ABORT T t | |
1508 | -.br | |
1509 | -SHUTDOWN_COMPLETE T t | |
1510 | - | |
1511 | -(lowercase means flag should be "off", uppercase means "on") | |
1512 | -.P | |
1513 | -Examples: | |
1514 | - | |
1515 | -iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP | |
1516 | - | |
1517 | -iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA,INIT \-j DROP | |
1518 | - | |
1519 | -iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA:Be \-j ACCEPT | |
1520 | -.SS set | |
1521 | -This module matches IP sets which can be defined by ipset(8). | |
1522 | -.TP | |
1523 | -[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... | |
1524 | -where flags are the comma separated list of | |
1525 | -.BR "src" | |
1526 | -and/or | |
1527 | -.BR "dst" | |
1528 | -specifications and there can be no more than six of them. Hence the command | |
1529 | -.IP | |
1530 | - iptables \-A FORWARD \-m set \-\-match\-set test src,dst | |
1531 | -.IP | |
1532 | -will match packets, for which (if the set type is ipportmap) the source | |
1533 | -address and destination port pair can be found in the specified set. If | |
1534 | -the set type of the specified set is single dimension (for example ipmap), | |
1535 | -then the command will match packets for which the source address can be | |
1536 | -found in the specified set. | |
1537 | -.PP | |
1538 | -The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does | |
1539 | -not clash with an option of other extensions. | |
1540 | -.PP | |
1541 | -Use of -m set requires that ipset kernel support is provided, which, for | |
1542 | -standard kernels, is the case since Linux 2.6.39. | |
1543 | -.SS socket | |
1544 | -This matches if an open socket can be found by doing a socket lookup on the | |
1545 | -packet. | |
1546 | -.TP | |
1547 | -\fB\-\-transparent\fP | |
1548 | -Ignore non-transparent sockets. | |
1549 | -.SS state | |
1550 | -This module, when combined with connection tracking, allows access to | |
1551 | -the connection tracking state for this packet. | |
1552 | -.TP | |
1553 | -[\fB!\fP] \fB\-\-state\fP \fIstate\fP | |
1554 | -Where state is a comma separated list of the connection states to | |
1555 | -match. Possible states are | |
1556 | -.B INVALID | |
1557 | -meaning that the packet could not be identified for some reason which | |
1558 | -includes running out of memory and ICMP errors which don't correspond to any | |
1559 | -known connection, | |
1560 | -.B ESTABLISHED | |
1561 | -meaning that the packet is associated with a connection which has seen | |
1562 | -packets in both directions, | |
1563 | -.B NEW | |
1564 | -meaning that the packet has started a new connection, or otherwise | |
1565 | -associated with a connection which has not seen packets in both | |
1566 | -directions, and | |
1567 | -.B RELATED | |
1568 | -meaning that the packet is starting a new connection, but is | |
1569 | -associated with an existing connection, such as an FTP data transfer, | |
1570 | -or an ICMP error. | |
1571 | -.B UNTRACKED | |
1572 | -meaning that the packet is not tracked at all, which happens if you use | |
1573 | -the NOTRACK target in raw table. | |
1574 | -.SS statistic | |
1575 | -This module matches packets based on some statistic condition. | |
1576 | -It supports two distinct modes settable with the | |
1577 | -\fB\-\-mode\fP | |
1578 | -option. | |
1579 | -.PP | |
1580 | -Supported options: | |
1581 | -.TP | |
1582 | -\fB\-\-mode\fP \fImode\fP | |
1583 | -Set the matching mode of the matching rule, supported modes are | |
1584 | -.B random | |
1585 | -and | |
1586 | -.B nth. | |
1587 | -.TP | |
1588 | -[\fB!\fP] \fB\-\-probability\fP \fIp\fP | |
1589 | -Set the probability for a packet to be randomly matched. It only works with the | |
1590 | -\fBrandom\fP mode. \fIp\fP must be within 0.0 and 1.0. The supported | |
1591 | -granularity is in 1/2147483648th increments. | |
1592 | -.TP | |
1593 | -[\fB!\fP] \fB\-\-every\fP \fIn\fP | |
1594 | -Match one packet every nth packet. It works only with the | |
1595 | -.B nth | |
1596 | -mode (see also the | |
1597 | -\fB\-\-packet\fP | |
1598 | -option). | |
1599 | -.TP | |
1600 | -\fB\-\-packet\fP \fIp\fP | |
1601 | -Set the initial counter value (0 <= p <= n\-1, default 0) for the | |
1602 | -.B nth | |
1603 | -mode. | |
1604 | -.SS string | |
1605 | -This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14. | |
1606 | -.TP | |
1607 | -\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP} | |
1608 | -Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris) | |
1609 | -.TP | |
1610 | -\fB\-\-from\fP \fIoffset\fP | |
1611 | -Set the offset from which it starts looking for any matching. If not passed, default is 0. | |
1612 | -.TP | |
1613 | -\fB\-\-to\fP \fIoffset\fP | |
1614 | -Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1 | |
1615 | -(counting from 0) is the last one that is scanned. | |
1616 | -If not passed, default is the packet size. | |
1617 | -.TP | |
1618 | -[\fB!\fP] \fB\-\-string\fP \fIpattern\fP | |
1619 | -Matches the given pattern. | |
1620 | -.TP | |
1621 | -[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP | |
1622 | -Matches the given pattern in hex notation. | |
1623 | -.SS tcp | |
1624 | -These extensions can be used if `\-\-protocol tcp' is specified. It | |
1625 | -provides the following options: | |
1626 | -.TP | |
1627 | -[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1628 | -Source port or port range specification. This can either be a service | |
1629 | -name or a port number. An inclusive range can also be specified, | |
1630 | -using the format \fIfirst\fP\fB:\fP\fIlast\fP. | |
1631 | -If the first port is omitted, "0" is assumed; if the last is omitted, | |
1632 | -"65535" is assumed. | |
1633 | -If the first port is greater than the second one they will be swapped. | |
1634 | -The flag | |
1635 | -\fB\-\-sport\fP | |
1636 | -is a convenient alias for this option. | |
1637 | -.TP | |
1638 | -[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1639 | -Destination port or port range specification. The flag | |
1640 | -\fB\-\-dport\fP | |
1641 | -is a convenient alias for this option. | |
1642 | -.TP | |
1643 | -[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP | |
1644 | -Match when the TCP flags are as specified. The first argument \fImask\fP is the | |
1645 | -flags which we should examine, written as a comma-separated list, and | |
1646 | -the second argument \fIcomp\fP is a comma-separated list of flags which must be | |
1647 | -set. Flags are: | |
1648 | -.BR "SYN ACK FIN RST URG PSH ALL NONE" . | |
1649 | -Hence the command | |
1650 | -.nf | |
1651 | - iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN | |
1652 | -.fi | |
1653 | -will only match packets with the SYN flag set, and the ACK, FIN and | |
1654 | -RST flags unset. | |
1655 | -.TP | |
1656 | -[\fB!\fP] \fB\-\-syn\fP | |
1657 | -Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits | |
1658 | -cleared. Such packets are used to request TCP connection initiation; | |
1659 | -for example, blocking such packets coming in an interface will prevent | |
1660 | -incoming TCP connections, but outgoing TCP connections will be | |
1661 | -unaffected. | |
1662 | -It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP. | |
1663 | -If the "!" flag precedes the "\-\-syn", the sense of the | |
1664 | -option is inverted. | |
1665 | -.TP | |
1666 | -[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP | |
1667 | -Match if TCP option set. | |
1668 | -.SS tcpmss | |
1669 | -This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. | |
1670 | -.TP | |
1671 | -[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP] | |
1672 | -Match a given TCP MSS value or range. | |
1673 | -.SS time | |
1674 | -This matches if the packet arrival time/date is within a given range. All | |
1675 | -options are optional, but are ANDed when specified. All times are interpreted | |
1676 | -as UTC by default. | |
1677 | -.TP | |
1678 | -\fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]] | |
1679 | -.TP | |
1680 | -\fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]] | |
1681 | -Only match during the given time, which must be in ISO 8601 "T" notation. | |
1682 | -The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07. | |
1683 | -.IP | |
1684 | -If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01 | |
1685 | -and 2038-01-19, respectively. | |
1686 | -.TP | |
1687 | -\fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP] | |
1688 | -.TP | |
1689 | -\fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP] | |
1690 | -Only match during the given daytime. The possible time range is 00:00:00 to | |
1691 | -23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted | |
1692 | -as base-10. | |
1693 | -.TP | |
1694 | -[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...] | |
1695 | -Only match on the given days of the month. Possible values are \fB1\fP | |
1696 | -to \fB31\fP. Note that specifying \fB31\fP will of course not match | |
1697 | -on months which do not have a 31st day; the same goes for 28- or 29-day | |
1698 | -February. | |
1699 | -.TP | |
1700 | -[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...] | |
1701 | -Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP, | |
1702 | -\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP | |
1703 | -to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP, | |
1704 | -\fBTu\fP, etc.). | |
1705 | -.TP | |
1706 | -\fB\-\-kerneltz\fP | |
1707 | -Use the kernel timezone instead of UTC to determine whether a packet meets the | |
1708 | -time regulations. | |
1709 | -.PP | |
1710 | -About kernel timezones: Linux keeps the system time in UTC, and always does so. | |
1711 | -On boot, system time is initialized from a referential time source. Where this | |
1712 | -time source has no timezone information, such as the x86 CMOS RTC, UTC will be | |
1713 | -assumed. If the time source is however not in UTC, userspace should provide the | |
1714 | -correct system time and timezone to the kernel once it has the information. | |
1715 | -.PP | |
1716 | -Local time is a feature on top of the (timezone independent) system time. Each | |
1717 | -process has its own idea of local time, specified via the TZ environment | |
1718 | -variable. The kernel also has its own timezone offset variable. The TZ | |
1719 | -userspace environment variable specifies how the UTC-based system time is | |
1720 | -displayed, e.g. when you run date(1), or what you see on your desktop clock. | |
1721 | -The TZ string may resolve to different offsets at different dates, which is | |
1722 | -what enables the automatic time-jumping in userspace. when DST changes. The | |
1723 | -kernel's timezone offset variable is used when it has to convert between | |
1724 | -non-UTC sources, such as FAT filesystems, to UTC (since the latter is what the | |
1725 | -rest of the system uses). | |
1726 | -.PP | |
1727 | -The caveat with the kernel timezone is that Linux distributions may ignore to | |
1728 | -set the kernel timezone, and instead only set the system time. Even if a | |
1729 | -particular distribution does set the timezone at boot, it is usually does not | |
1730 | -keep the kernel timezone offset - which is what changes on DST - up to date. | |
1731 | -ntpd will not touch the kernel timezone, so running it will not resolve the | |
1732 | -issue. As such, one may encounter a timezone that is always +0000, or one that | |
1733 | -is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly | |
1734 | -discouraged.\fP | |
1735 | -.PP | |
1736 | -EXAMPLES. To match on weekends, use: | |
1737 | -.IP | |
1738 | -\-m time \-\-weekdays Sa,Su | |
1739 | -.PP | |
1740 | -Or, to match (once) on a national holiday block: | |
1741 | -.IP | |
1742 | -\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27 | |
1743 | -.PP | |
1744 | -Since the stop time is actually inclusive, you would need the following stop | |
1745 | -time to not match the first second of the new day: | |
1746 | -.IP | |
1747 | -\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59 | |
1748 | -.PP | |
1749 | -During lunch hour: | |
1750 | -.IP | |
1751 | -\-m time \-\-timestart 12:30 \-\-timestop 13:30 | |
1752 | -.PP | |
1753 | -The fourth Friday in the month: | |
1754 | -.IP | |
1755 | -\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28 | |
1756 | -.PP | |
1757 | -(Note that this exploits a certain mathematical property. It is not possible to | |
1758 | -say "fourth Thursday OR fourth Friday" in one rule. It is possible with | |
1759 | -multiple rules, though.) | |
1760 | -.SS tos | |
1761 | -This module matches the 8-bit Type of Service field in the IPv4 header (i.e. | |
1762 | -including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6 | |
1763 | -header. | |
1764 | -.TP | |
1765 | -[\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1766 | -Matches packets with the given TOS mark value. If a mask is specified, it is | |
1767 | -logically ANDed with the TOS mark before the comparison. | |
1768 | -.TP | |
1769 | -[\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP | |
1770 | -You can specify a symbolic name when using the tos match for IPv4. The list of | |
1771 | -recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP. | |
1772 | -Note that this implies a mask of 0x3F, i.e. all but the ECN bits. | |
1773 | -.SS u32 | |
1774 | -U32 tests whether quantities of up to 4 bytes extracted from a packet have | |
1775 | -specified values. The specification of what to extract is general enough to | |
1776 | -find data at given offsets from tcp headers or payloads. | |
1777 | -.TP | |
1778 | -[\fB!\fP] \fB\-\-u32\fP \fItests\fP | |
1779 | -The argument amounts to a program in a small language described below. | |
1780 | -.IP | |
1781 | -tests := location "=" value | tests "&&" location "=" value | |
1782 | -.IP | |
1783 | -value := range | value "," range | |
1784 | -.IP | |
1785 | -range := number | number ":" number | |
1786 | -.PP | |
1787 | -a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is | |
1788 | -interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP. | |
1789 | -.IP "" 4 | |
1790 | -location := number | location operator number | |
1791 | -.IP "" 4 | |
1792 | -operator := "&" | "<<" | ">>" | "@" | |
1793 | -.PP | |
1794 | -The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C. | |
1795 | -The \fB=\fP is really a set membership operator and the value syntax describes | |
1796 | -a set. The \fB@\fP operator is what allows moving to the next header and is | |
1797 | -described further below. | |
1798 | -.PP | |
1799 | -There are currently some artificial implementation limits on the size of the | |
1800 | -tests: | |
1801 | -.IP " *" | |
1802 | -no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument | |
1803 | -.IP " *" | |
1804 | -no more than 10 ranges (and 9 commas) per value | |
1805 | -.IP " *" | |
1806 | -no more than 10 numbers (and 9 operators) per location | |
1807 | -.PP | |
1808 | -To describe the meaning of location, imagine the following machine that | |
1809 | -interprets it. There are three registers: | |
1810 | -.IP | |
1811 | -A is of type \fBchar *\fP, initially the address of the IP header | |
1812 | -.IP | |
1813 | -B and C are unsigned 32 bit integers, initially zero | |
1814 | -.PP | |
1815 | -The instructions are: | |
1816 | -.IP | |
1817 | -number B = number; | |
1818 | -.IP | |
1819 | -C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3) | |
1820 | -.IP | |
1821 | -&number C = C & number | |
1822 | -.IP | |
1823 | -<< number C = C << number | |
1824 | -.IP | |
1825 | ->> number C = C >> number | |
1826 | -.IP | |
1827 | -@number A = A + C; then do the instruction number | |
1828 | -.PP | |
1829 | -Any access of memory outside [skb\->data,skb\->end] causes the match to fail. | |
1830 | -Otherwise the result of the computation is the final value of C. | |
1831 | -.PP | |
1832 | -Whitespace is allowed but not required in the tests. However, the characters | |
1833 | -that do occur there are likely to require shell quoting, so it is a good idea | |
1834 | -to enclose the arguments in quotes. | |
1835 | -.PP | |
1836 | -Example: | |
1837 | -.IP | |
1838 | -match IP packets with total length >= 256 | |
1839 | -.IP | |
1840 | -The IP header contains a total length field in bytes 2-3. | |
1841 | -.IP | |
1842 | -\-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP" | |
1843 | -.IP | |
1844 | -read bytes 0-3 | |
1845 | -.IP | |
1846 | -AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range | |
1847 | -[0x100:0xFFFF] | |
1848 | -.PP | |
1849 | -Example: (more realistic, hence more complicated) | |
1850 | -.IP | |
1851 | -match ICMP packets with icmp type 0 | |
1852 | -.IP | |
1853 | -First test that it is an ICMP packet, true iff byte 9 (protocol) = 1 | |
1854 | -.IP | |
1855 | -\-\-u32 "\fB6 & 0xFF = 1 &&\fP ... | |
1856 | -.IP | |
1857 | -read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to | |
1858 | -1. Next test that it is not a fragment. (If so, it might be part of such a | |
1859 | -packet but we cannot always tell.) N.B.: This test is generally needed if you | |
1860 | -want to match anything beyond the IP header. The last 6 bits of byte 6 and all | |
1861 | -of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively, | |
1862 | -you can allow first fragments by only testing the last 5 bits of byte 6. | |
1863 | -.IP | |
1864 | - ... \fB4 & 0x3FFF = 0 &&\fP ... | |
1865 | -.IP | |
1866 | -Last test: the first byte past the IP header (the type) is 0. This is where we | |
1867 | -have to use the @syntax. The length of the IP header (IHL) in 32 bit words is | |
1868 | -stored in the right half of byte 0 of the IP header itself. | |
1869 | -.IP | |
1870 | - ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP" | |
1871 | -.IP | |
1872 | -The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the | |
1873 | -right. Shifting 24 bits would give the first byte, so only 22 bits is four | |
1874 | -times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits | |
1875 | -on the right and the first four bits of the first byte. For instance, if IHL=5, | |
1876 | -then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in | |
1877 | -binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and | |
1878 | -\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into | |
1879 | -the packet, and read four bytes starting from there. This is the first 4 bytes | |
1880 | -of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply | |
1881 | -shift the value 24 to the right to throw out all but the first byte and compare | |
1882 | -the result with 0. | |
1883 | -.PP | |
1884 | -Example: | |
1885 | -.IP | |
1886 | -TCP payload bytes 8-12 is any of 1, 2, 5 or 8 | |
1887 | -.IP | |
1888 | -First we test that the packet is a tcp packet (similar to ICMP). | |
1889 | -.IP | |
1890 | -\-\-u32 "\fB6 & 0xFF = 6 &&\fP ... | |
1891 | -.IP | |
1892 | -Next, test that it is not a fragment (same as above). | |
1893 | -.IP | |
1894 | - ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP" | |
1895 | -.IP | |
1896 | -\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP | |
1897 | -makes this the new offset into the packet, which is the start of the TCP | |
1898 | -header. The length of the TCP header (again in 32 bit words) is the left half | |
1899 | -of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes | |
1900 | -(similar to the IP header before). "@" makes this the new offset, which is the | |
1901 | -start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and | |
1902 | -\fB=\fP checks whether the result is any of 1, 2, 5 or 8. | |
1903 | -.SS udp | |
1904 | -These extensions can be used if `\-\-protocol udp' is specified. It | |
1905 | -provides the following options: | |
1906 | -.TP | |
1907 | -[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1908 | -Source port or port range specification. | |
1909 | -See the description of the | |
1910 | -\fB\-\-source\-port\fP | |
1911 | -option of the TCP extension for details. | |
1912 | -.TP | |
1913 | -[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1914 | -Destination port or port range specification. | |
1915 | -See the description of the | |
1916 | -\fB\-\-destination\-port\fP | |
1917 | -option of the TCP extension for details. | |
1918 | -.SH TARGET EXTENSIONS | |
1919 | -ip6tables can use extended target modules: the following are included | |
1920 | -in the standard distribution. | |
1921 | -.\" @TARGET@ | |
1922 | -.SS AUDIT | |
1923 | -This target allows to create audit records for packets hitting the target. | |
1924 | -It can be used to record accepted, dropped, and rejected packets. See | |
1925 | -auditd(8) for additional details. | |
1926 | -.TP | |
1927 | -\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP} | |
1928 | -Set type of audit record. | |
1929 | -.PP | |
1930 | -Example: | |
1931 | -.IP | |
1932 | -iptables \-N AUDIT_DROP | |
1933 | -.IP | |
1934 | -iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop | |
1935 | -.IP | |
1936 | -iptables \-A AUDIT_DROP \-j DROP | |
1937 | -.SS CHECKSUM | |
1938 | -This target allows to selectively work around broken/old applications. | |
1939 | -It can only be used in the mangle table. | |
1940 | -.TP | |
1941 | -\fB\-\-checksum\-fill\fP | |
1942 | -Compute and fill in the checksum in a packet that lacks a checksum. | |
1943 | -This is particularly useful, if you need to work around old applications | |
1944 | -such as dhcp clients, that do not work well with checksum offloads, | |
1945 | -but don't want to disable checksum offload in your device. | |
1946 | -.SS CLASSIFY | |
1947 | -This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class). | |
1948 | -.TP | |
1949 | -\fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP | |
1950 | -Set the major and minor class value. The values are always interpreted as | |
1951 | -hexadecimal even if no 0x prefix is given. | |
1952 | -.SS CONNMARK | |
1953 | -This module sets the netfilter mark value associated with a connection. The | |
1954 | -mark is 32 bits wide. | |
1955 | -.TP | |
1956 | -\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1957 | -Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark. | |
1958 | -.TP | |
1959 | -\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] | |
1960 | -Copy the packet mark (nfmark) to the connection mark (ctmark) using the given | |
1961 | -masks. The new nfmark value is determined as follows: | |
1962 | -.IP | |
1963 | -ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) | |
1964 | -.IP | |
1965 | -i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the | |
1966 | -nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to | |
1967 | -0xFFFFFFFF. | |
1968 | -.TP | |
1969 | -\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] | |
1970 | -Copy the connection mark (ctmark) to the packet mark (nfmark) using the given | |
1971 | -masks. The new ctmark value is determined as follows: | |
1972 | -.IP | |
1973 | -nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP); | |
1974 | -.IP | |
1975 | -i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the | |
1976 | -ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to | |
1977 | -0xFFFFFFFF. | |
1978 | -.IP | |
1979 | -\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table. | |
1980 | -.PP | |
1981 | -The following mnemonics are available for \fB\-\-set\-xmark\fP: | |
1982 | -.TP | |
1983 | -\fB\-\-and\-mark\fP \fIbits\fP | |
1984 | -Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark | |
1985 | -0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) | |
1986 | -.TP | |
1987 | -\fB\-\-or\-mark\fP \fIbits\fP | |
1988 | -Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
1989 | -\fIbits\fP\fB/\fP\fIbits\fP.) | |
1990 | -.TP | |
1991 | -\fB\-\-xor\-mark\fP \fIbits\fP | |
1992 | -Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
1993 | -\fIbits\fP\fB/0\fP.) | |
1994 | -.TP | |
1995 | -\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1996 | -Set the connection mark. If a mask is specified then only those bits set in the | |
1997 | -mask are modified. | |
1998 | -.TP | |
1999 | -\fB\-\-save\-mark\fP [\fB\-\-mask\fP \fImask\fP] | |
2000 | -Copy the nfmark to the ctmark. If a mask is specified, only those bits are | |
2001 | -copied. | |
2002 | -.TP | |
2003 | -\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP] | |
2004 | -Copy the ctmark to the nfmark. If a mask is specified, only those bits are | |
2005 | -copied. This is only valid in the \fBmangle\fP table. | |
2006 | -.SS CONNSECMARK | |
2007 | -This module copies security markings from packets to connections | |
2008 | -(if unlabeled), and from connections back to packets (also only | |
2009 | -if unlabeled). Typically used in conjunction with SECMARK, it is | |
2010 | -valid in the | |
2011 | -.B security | |
2012 | -table (for backwards compatibility with older kernels, it is also | |
2013 | -valid in the | |
2014 | -.B mangle | |
2015 | -table). | |
2016 | -.TP | |
2017 | -\fB\-\-save\fP | |
2018 | -If the packet has a security marking, copy it to the connection | |
2019 | -if the connection is not marked. | |
2020 | -.TP | |
2021 | -\fB\-\-restore\fP | |
2022 | -If the packet does not have a security marking, and the connection | |
2023 | -does, copy the security marking from the connection to the packet. | |
2024 | - | |
2025 | -.SS CT | |
2026 | -The CT target allows to set parameters for a packet or its associated | |
2027 | -connection. The target attaches a "template" connection tracking entry to | |
2028 | -the packet, which is then used by the conntrack core when initializing | |
2029 | -a new ct entry. This target is thus only valid in the "raw" table. | |
2030 | -.TP | |
2031 | -\fB\-\-notrack\fP | |
2032 | -Disables connection tracking for this packet. | |
2033 | -.TP | |
2034 | -\fB\-\-helper\fP \fIname\fP | |
2035 | -Use the helper identified by \fIname\fP for the connection. This is more | |
2036 | -flexible than loading the conntrack helper modules with preset ports. | |
2037 | -.TP | |
2038 | -\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...] | |
2039 | -Only generate the specified conntrack events for this connection. Possible | |
2040 | -event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP, | |
2041 | -\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to | |
2042 | -the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark). | |
2043 | -.TP | |
2044 | -\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...] | |
2045 | -Only generate the specified expectation events for this connection. | |
2046 | -Possible event types are: \fBnew\fP. | |
2047 | -.TP | |
2048 | -\fB\-\-zone\fP \fIid\fP | |
2049 | -Assign this packet to zone \fIid\fP and only have lookups done in that zone. | |
2050 | -By default, packets have zone 0. | |
2051 | -.SS DSCP | |
2052 | -This target allows to alter the value of the DSCP bits within the TOS | |
2053 | -header of the IPv4 packet. As this manipulates a packet, it can only | |
2054 | -be used in the mangle table. | |
2055 | -.TP | |
2056 | -\fB\-\-set\-dscp\fP \fIvalue\fP | |
2057 | -Set the DSCP field to a numerical value (can be decimal or hex) | |
2058 | -.TP | |
2059 | -\fB\-\-set\-dscp\-class\fP \fIclass\fP | |
2060 | -Set the DSCP field to a DiffServ class. | |
2061 | -.SS HL | |
2062 | -This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field | |
2063 | -is similar to what is known as TTL value in IPv4. Setting or incrementing the | |
2064 | -Hop Limit field can potentially be very dangerous, so it should be avoided at | |
2065 | -any cost. This target is only valid in | |
2066 | -.B mangle | |
2067 | -table. | |
2068 | -.PP | |
2069 | -.B Don't ever set or increment the value on packets that leave your local network! | |
2070 | -.TP | |
2071 | -\fB\-\-hl\-set\fP \fIvalue\fP | |
2072 | -Set the Hop Limit to `value'. | |
2073 | -.TP | |
2074 | -\fB\-\-hl\-dec\fP \fIvalue\fP | |
2075 | -Decrement the Hop Limit `value' times. | |
2076 | -.TP | |
2077 | -\fB\-\-hl\-inc\fP \fIvalue\fP | |
2078 | -Increment the Hop Limit `value' times. | |
2079 | -.SS IDLETIMER | |
2080 | -This target can be used to identify when interfaces have been idle for a | |
2081 | -certain period of time. Timers are identified by labels and are created when | |
2082 | -a rule is set with a new label. The rules also take a timeout value (in | |
2083 | -seconds) as an option. If more than one rule uses the same timer label, the | |
2084 | -timer will be restarted whenever any of the rules get a hit. One entry for | |
2085 | -each timer is created in sysfs. This attribute contains the timer remaining | |
2086 | -for the timer to expire. The attributes are located under the xt_idletimer | |
2087 | -class: | |
2088 | -.PP | |
2089 | -/sys/class/xt_idletimer/timers/<label> | |
2090 | -.PP | |
2091 | -When the timer expires, the target module sends a sysfs notification to the | |
2092 | -userspace, which can then decide what to do (eg. disconnect to save power). | |
2093 | -.TP | |
2094 | -\fB\-\-timeout\fP \fIamount\fP | |
2095 | -This is the time in seconds that will trigger the notification. | |
2096 | -.TP | |
2097 | -\fB\-\-label\fP \fIstring\fP | |
2098 | -This is a unique identifier for the timer. The maximum length for the | |
2099 | -label string is 27 characters. | |
2100 | -.SS LOG | |
2101 | -Turn on kernel logging of matching packets. When this option is set | |
2102 | -for a rule, the Linux kernel will print some information on all | |
2103 | -matching packets (like most IPv6 IPv6-header fields) via the kernel log | |
2104 | -(where it can be read with | |
2105 | -.I dmesg | |
2106 | -or | |
2107 | -.IR syslogd (8)). | |
2108 | -This is a "non-terminating target", i.e. rule traversal continues at | |
2109 | -the next rule. So if you want to LOG the packets you refuse, use two | |
2110 | -separate rules with the same matching criteria, first using target LOG | |
2111 | -then DROP (or REJECT). | |
2112 | -.TP | |
2113 | -\fB\-\-log\-level\fP \fIlevel\fP | |
2114 | -Level of logging (numeric or see \fIsyslog.conf\fP(5)). | |
2115 | -.TP | |
2116 | -\fB\-\-log\-prefix\fP \fIprefix\fP | |
2117 | -Prefix log messages with the specified prefix; up to 29 letters long, | |
2118 | -and useful for distinguishing messages in the logs. | |
2119 | -.TP | |
2120 | -\fB\-\-log\-tcp\-sequence\fP | |
2121 | -Log TCP sequence numbers. This is a security risk if the log is | |
2122 | -readable by users. | |
2123 | -.TP | |
2124 | -\fB\-\-log\-tcp\-options\fP | |
2125 | -Log options from the TCP packet header. | |
2126 | -.TP | |
2127 | -\fB\-\-log\-ip\-options\fP | |
2128 | -Log options from the IPv6 packet header. | |
2129 | -.TP | |
2130 | -\fB\-\-log\-uid\fP | |
2131 | -Log the userid of the process which generated the packet. | |
2132 | -.SS MARK | |
2133 | -This target is used to set the Netfilter mark value associated with the packet. | |
2134 | -It can, for example, be used in conjunction with routing based on fwmark (needs | |
2135 | -iproute2). If you plan on doing so, note that the mark needs to be set in the | |
2136 | -PREROUTING chain of the mangle table to affect routing. | |
2137 | -The mark field is 32 bits wide. | |
2138 | -.TP | |
2139 | -\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2140 | -Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the packet | |
2141 | -mark ("nfmark"). If \fImask\fP is omitted, 0xFFFFFFFF is assumed. | |
2142 | -.TP | |
2143 | -\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2144 | -Zeroes out the bits given by \fImask\fP and ORs \fIvalue\fP into the packet | |
2145 | -mark. If \fImask\fP is omitted, 0xFFFFFFFF is assumed. | |
2146 | -.PP | |
2147 | -The following mnemonics are available: | |
2148 | -.TP | |
2149 | -\fB\-\-and\-mark\fP \fIbits\fP | |
2150 | -Binary AND the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark | |
2151 | -0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) | |
2152 | -.TP | |
2153 | -\fB\-\-or\-mark\fP \fIbits\fP | |
2154 | -Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
2155 | -\fIbits\fP\fB/\fP\fIbits\fP.) | |
2156 | -.TP | |
2157 | -\fB\-\-xor\-mark\fP \fIbits\fP | |
2158 | -Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
2159 | -\fIbits\fP\fB/0\fP.) | |
2160 | -.SS NFLOG | |
2161 | -This target provides logging of matching packets. When this target is | |
2162 | -set for a rule, the Linux kernel will pass the packet to the loaded | |
2163 | -logging backend to log the packet. This is usually used in combination | |
2164 | -with nfnetlink_log as logging backend, which will multicast the packet | |
2165 | -through a | |
2166 | -.IR netlink | |
2167 | -socket to the specified multicast group. One or more userspace processes | |
2168 | -may subscribe to the group to receive the packets. Like LOG, this is a | |
2169 | -non-terminating target, i.e. rule traversal continues at the next rule. | |
2170 | -.TP | |
2171 | -\fB\-\-nflog\-group\fP \fInlgroup\fP | |
2172 | -The netlink group (0 - 2^16\-1) to which packets are (only applicable for | |
2173 | -nfnetlink_log). The default value is 0. | |
2174 | -.TP | |
2175 | -\fB\-\-nflog\-prefix\fP \fIprefix\fP | |
2176 | -A prefix string to include in the log message, up to 64 characters | |
2177 | -long, useful for distinguishing messages in the logs. | |
2178 | -.TP | |
2179 | -\fB\-\-nflog\-range\fP \fIsize\fP | |
2180 | -The number of bytes to be copied to userspace (only applicable for | |
2181 | -nfnetlink_log). nfnetlink_log instances may specify their own | |
2182 | -range, this option overrides it. | |
2183 | -.TP | |
2184 | -\fB\-\-nflog\-threshold\fP \fIsize\fP | |
2185 | -Number of packets to queue inside the kernel before sending them | |
2186 | -to userspace (only applicable for nfnetlink_log). Higher values | |
2187 | -result in less overhead per packet, but increase delay until the | |
2188 | -packets reach userspace. The default value is 1. | |
2189 | -.BR | |
2190 | -.SS NFQUEUE | |
2191 | -This target is an extension of the QUEUE target. As opposed to QUEUE, it allows | |
2192 | -you to put a packet into any specific queue, identified by its 16-bit queue | |
2193 | -number. | |
2194 | -It can only be used with Kernel versions 2.6.14 or later, since it requires | |
2195 | -the | |
2196 | -.B | |
2197 | -nfnetlink_queue | |
2198 | -kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31, | |
2199 | -\fBqueue-bypass\fP in 2.6.39. | |
2200 | -.TP | |
2201 | -\fB\-\-queue\-num\fP \fIvalue\fP | |
2202 | -This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0. | |
2203 | -.PP | |
2204 | -.TP | |
2205 | -\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP | |
2206 | -This specifies a range of queues to use. Packets are then balanced across the given queues. | |
2207 | -This is useful for multicore systems: start multiple instances of the userspace program on | |
2208 | -queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP". | |
2209 | -Packets belonging to the same connection are put into the same nfqueue. | |
2210 | -.PP | |
2211 | -.TP | |
2212 | -\fB\-\-queue\-bypass\fP | |
2213 | -By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued | |
2214 | -are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet | |
2215 | -will move on to the next rule. | |
2216 | -.SS NOTRACK | |
2217 | -This target disables connection tracking for all packets matching that rule. | |
2218 | -.PP | |
2219 | -It can only be used in the | |
2220 | -.B raw | |
2221 | -table. | |
2222 | -.SS RATEEST | |
2223 | -The RATEEST target collects statistics, performs rate estimation calculation | |
2224 | -and saves the results for later evaluation using the \fBrateest\fP match. | |
2225 | -.TP | |
2226 | -\fB\-\-rateest\-name\fP \fIname\fP | |
2227 | -Count matched packets into the pool referred to by \fIname\fP, which is freely | |
2228 | -choosable. | |
2229 | -.TP | |
2230 | -\fB\-\-rateest\-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP} | |
2231 | -Rate measurement interval, in seconds, milliseconds or microseconds. | |
2232 | -.TP | |
2233 | -\fB\-\-rateest\-ewmalog\fP \fIvalue\fP | |
2234 | -Rate measurement averaging time constant. | |
2235 | -.SS REJECT | |
2236 | -This is used to send back an error packet in response to the matched | |
2237 | -packet: otherwise it is equivalent to | |
2238 | -.B DROP | |
2239 | -so it is a terminating TARGET, ending rule traversal. | |
2240 | -This target is only valid in the | |
2241 | -.BR INPUT , | |
2242 | -.B FORWARD | |
2243 | -and | |
2244 | -.B OUTPUT | |
2245 | -chains, and user-defined chains which are only called from those | |
2246 | -chains. The following option controls the nature of the error packet | |
2247 | -returned: | |
2248 | -.TP | |
2249 | -\fB\-\-reject\-with\fP \fItype\fP | |
2250 | -The type given can be | |
2251 | -\fBicmp6\-no\-route\fP, | |
2252 | -\fBno\-route\fP, | |
2253 | -\fBicmp6\-adm\-prohibited\fP, | |
2254 | -\fBadm\-prohibited\fP, | |
2255 | -\fBicmp6\-addr\-unreachable\fP, | |
2256 | -\fBaddr\-unreach\fP, | |
2257 | -\fBicmp6\-port\-unreachable\fP or | |
2258 | -\fBport\-unreach\fP | |
2259 | -which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is | |
2260 | -the default). Finally, the option | |
2261 | -\fBtcp\-reset\fP | |
2262 | -can be used on rules which only match the TCP protocol: this causes a | |
2263 | -TCP RST packet to be sent back. This is mainly useful for blocking | |
2264 | -.I ident | |
2265 | -(113/tcp) probes which frequently occur when sending mail to broken mail | |
2266 | -hosts (which won't accept your mail otherwise). | |
2267 | -\fBtcp\-reset\fP | |
2268 | -can only be used with kernel versions 2.6.14 or later. | |
2269 | -.SS SECMARK | |
2270 | -This is used to set the security mark value associated with the | |
2271 | -packet for use by security subsystems such as SELinux. It is | |
2272 | -valid in the | |
2273 | -.B security | |
2274 | -table (for backwards compatibility with older kernels, it is also | |
2275 | -valid in the | |
2276 | -.B mangle | |
2277 | -table). The mark is 32 bits wide. | |
2278 | -.TP | |
2279 | -\fB\-\-selctx\fP \fIsecurity_context\fP | |
2280 | -.SS SET | |
2281 | -This modules adds and/or deletes entries from IP sets which can be defined | |
2282 | -by ipset(8). | |
2283 | -.TP | |
2284 | -\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] | |
2285 | -add the address(es)/port(s) of the packet to the sets | |
2286 | -.TP | |
2287 | -\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] | |
2288 | -delete the address(es)/port(s) of the packet from the sets | |
2289 | -.IP | |
2290 | -where flags are | |
2291 | -.BR "src" | |
2292 | -and/or | |
2293 | -.BR "dst" | |
2294 | -specifications and there can be no more than six of them. | |
2295 | -.TP | |
2296 | -\fB\-\-timeout\fP \fIvalue\fP | |
2297 | -when adding entry, the timeout value to use instead of the default | |
2298 | -one from the set definition | |
2299 | -.TP | |
2300 | -\fB\-\-exist\fP | |
2301 | -when adding entry if it already exists, reset the timeout value | |
2302 | -to the specified one or to the default from the set definition | |
2303 | -.PP | |
2304 | -Use of -j SET requires that ipset kernel support is provided, which, for | |
2305 | -standard kernels, is the case since Linux 2.6.39. | |
2306 | -.SS TCPMSS | |
2307 | -This target allows to alter the MSS value of TCP SYN packets, to control | |
2308 | -the maximum size for that connection (usually limiting it to your | |
2309 | -outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). | |
2310 | -Of course, it can only be used | |
2311 | -in conjunction with | |
2312 | -\fB\-p tcp\fP. | |
2313 | -.PP | |
2314 | -This target is used to overcome criminally braindead ISPs or servers | |
2315 | -which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" | |
2316 | -packets. The symptoms of this | |
2317 | -problem are that everything works fine from your Linux | |
2318 | -firewall/router, but machines behind it can never exchange large | |
2319 | -packets: | |
2320 | -.IP 1. 4 | |
2321 | -Web browsers connect, then hang with no data received. | |
2322 | -.IP 2. 4 | |
2323 | -Small mail works fine, but large emails hang. | |
2324 | -.IP 3. 4 | |
2325 | -ssh works fine, but scp hangs after initial handshaking. | |
2326 | -.PP | |
2327 | -Workaround: activate this option and add a rule to your firewall | |
2328 | -configuration like: | |
2329 | -.IP | |
2330 | - iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN | |
2331 | - \-j TCPMSS \-\-clamp\-mss\-to\-pmtu | |
2332 | -.TP | |
2333 | -\fB\-\-set\-mss\fP \fIvalue\fP | |
2334 | -Explicitly sets MSS option to specified value. If the MSS of the packet is | |
2335 | -already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux | |
2336 | -2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS. | |
2337 | -.TP | |
2338 | -\fB\-\-clamp\-mss\-to\-pmtu\fP | |
2339 | -Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6). | |
2340 | -This may not function as desired where asymmetric routes with differing | |
2341 | -path MTU exist \(em the kernel uses the path MTU which it would use to send | |
2342 | -packets from itself to the source and destination IP addresses. Prior to | |
2343 | -Linux 2.6.25, only the path MTU to the destination IP address was | |
2344 | -considered by this option; subsequent kernels also consider the path MTU | |
2345 | -to the source IP address. | |
2346 | -.PP | |
2347 | -These options are mutually exclusive. | |
2348 | -.SS TCPOPTSTRIP | |
2349 | -This target will strip TCP options off a TCP packet. (It will actually replace | |
2350 | -them by NO-OPs.) As such, you will need to add the \fB\-p tcp\fP parameters. | |
2351 | -.TP | |
2352 | -\fB\-\-strip\-options\fP \fIoption\fP[\fB,\fP\fIoption\fP...] | |
2353 | -Strip the given option(s). The options may be specified by TCP option number or | |
2354 | -by symbolic name. The list of recognized options can be obtained by calling | |
2355 | -iptables with \fB\-j TCPOPTSTRIP \-h\fP. | |
2356 | -.SS TEE | |
2357 | -The \fBTEE\fP target will clone a packet and redirect this clone to another | |
2358 | -machine on the \fBlocal\fP network segment. In other words, the nexthop | |
2359 | -must be the target, or you will have to configure the nexthop to forward it | |
2360 | -further if so desired. | |
2361 | -.TP | |
2362 | -\fB\-\-gateway\fP \fIipaddr\fP | |
2363 | -Send the cloned packet to the host reachable at the given IP address. | |
2364 | -Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid. | |
2365 | -.PP | |
2366 | -To forward all incoming traffic on eth0 to an Network Layer logging box: | |
2367 | -.PP | |
2368 | -\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1 | |
2369 | -.SS TOS | |
2370 | -This module sets the Type of Service field in the IPv4 header (including the | |
2371 | -"precedence" bits) or the Priority field in the IPv6 header. Note that TOS | |
2372 | -shares the same bits as DSCP and ECN. The TOS target is only valid in the | |
2373 | -\fBmangle\fP table. | |
2374 | -.TP | |
2375 | -\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2376 | -Zeroes out the bits given by \fImask\fP (see NOTE below) and XORs \fIvalue\fP | |
2377 | -into the TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed. | |
2378 | -.TP | |
2379 | -\fB\-\-set\-tos\fP \fIsymbol\fP | |
2380 | -You can specify a symbolic name when using the TOS target for IPv4. It implies | |
2381 | -a mask of 0xFF (see NOTE below). The list of recognized TOS names can be | |
2382 | -obtained by calling iptables with \fB\-j TOS \-h\fP. | |
2383 | -.PP | |
2384 | -The following mnemonics are available: | |
2385 | -.TP | |
2386 | -\fB\-\-and\-tos\fP \fIbits\fP | |
2387 | -Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos | |
2388 | -0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP. | |
2389 | -See NOTE below.) | |
2390 | -.TP | |
2391 | -\fB\-\-or\-tos\fP \fIbits\fP | |
2392 | -Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP | |
2393 | -\fIbits\fP\fB/\fP\fIbits\fP. See NOTE below.) | |
2394 | -.TP | |
2395 | -\fB\-\-xor\-tos\fP \fIbits\fP | |
2396 | -Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP | |
2397 | -\fIbits\fP\fB/0\fP. See NOTE below.) | |
2398 | -.PP | |
2399 | -NOTE: In Linux kernels up to and including 2.6.38, with the exception of | |
2400 | -longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is | |
2401 | -a bug whereby IPv6 TOS mangling does not behave as documented and differs from | |
2402 | -the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it | |
2403 | -needs to be inverted before applying it to the original TOS field. However, the | |
2404 | -aformentioned kernels forgo the inversion which breaks --set-tos and its | |
2405 | -mnemonics. | |
2406 | -.SS TPROXY | |
2407 | -This target is only valid in the \fBmangle\fP table, in the \fBPREROUTING\fP | |
2408 | -chain and user-defined chains which are only called from this chain. It | |
2409 | -redirects the packet to a local socket without changing the packet header in | |
2410 | -any way. It can also change the mark value which can then be used in advanced | |
2411 | -routing rules. | |
2412 | -It takes three options: | |
2413 | -.TP | |
2414 | -\fB\-\-on\-port\fP \fIport\fP | |
2415 | -This specifies a destination port to use. It is a required option, 0 means the | |
2416 | -new destination port is the same as the original. This is only valid if the | |
2417 | -rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP. | |
2418 | -.TP | |
2419 | -\fB\-\-on\-ip\fP \fIaddress\fP | |
2420 | -This specifies a destination address to use. By default the address is the IP | |
2421 | -address of the incoming interface. This is only valid if the rule also | |
2422 | -specifies \fB\-p tcp\fP or \fB\-p udp\fP. | |
2423 | -.TP | |
2424 | -\fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2425 | -Marks packets with the given value/mask. The fwmark value set here can be used | |
2426 | -by advanced routing. (Required for transparent proxying to work: otherwise | |
2427 | -these packets will get forwarded, which is probably not what you want.) | |
2428 | -.SS TRACE | |
2429 | -This target marks packets so that the kernel will log every rule which match | |
2430 | -the packets as those traverse the tables, chains, rules. | |
2431 | -.PP | |
2432 | -A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this | |
2433 | -to be visible. | |
2434 | -The packets are logged with the string prefix: | |
2435 | -"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for | |
2436 | -plain rule, "return" for implicit rule at the end of a user defined chain | |
2437 | -and "policy" for the policy of the built in chains. | |
2438 | -.br | |
2439 | -It can only be used in the | |
2440 | -.BR raw | |
2441 | -table. | |
388 | +iptables can use extended packet matching and target modules. | |
389 | +A list of these is available in the \fBiptables\-extensions\fP(8) manpage. | |
2442 | 390 | .SH DIAGNOSTICS |
2443 | 391 | Various error messages are printed to standard error. The exit code |
2444 | 392 | is 0 for correct functioning. Errors which appear to be caused by |
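Review bot: the replacement text at new line 388, "iptables can use extended packet matching and target modules.", sits in the ip6tables(8) page (the next hunk's context line reads "There are several other changes in ip6tables"), so it should say "ip6tables can use ..." to match the page it lives in. The pointer to \fBiptables\-extensions\fP(8) is the right substitute for the removed per-target sections (NFQUEUE, NOTRACK, RATEEST, REJECT, SECMARK, SET, TCPMSS, TCPOPTSTRIP, TEE, TOS, TPROXY, TRACE), but before merging, diff the removed `.SS` headings against the `.SS` headings of the new iptables-extensions.8 file in this commit so nothing (for example the IPv6-specific `\-\-reject\-with` types) is silently lost.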
@@ -2465,6 +413,8 @@ There are several other changes in ip6tables. | ||
2465 | 413 | \fBip6tables\-save\fP(8), |
2466 | 414 | \fBip6tables\-restore\fP(8), |
2467 | 415 | \fBiptables\fP(8), |
416 | +\fBiptables\-apply\fP(8), | |
417 | +\fBiptables\-extensions\fP(8), | |
2468 | 418 | \fBiptables\-save\fP(8), |
2469 | 419 | \fBiptables\-restore\fP(8), |
2470 | 420 | \fBlibipq\fP(3). |
@@ -2503,4 +453,4 @@ iptables man page written by Herve Eychenne <rv@wallfire.org>. | ||
2503 | 453 | .\" .. and most of all, modest .. |
2504 | 454 | .SH VERSION |
2505 | 455 | .PP |
2506 | -This manual page applies to ip6tables @PACKAGE_VERSION@. | |
456 | +This manual page applies to ip6tables 1.4.18. |
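Review bot: line 456 replaces the build-time `@PACKAGE_VERSION@` placeholder with the literal `1.4.18`, so the VERSION section no longer tracks the package automatically and must be bumped by hand on every update, in step with the `.TH ... "iptables 1.4.18"` headers elsewhere in this commit. That is expected if the tree is meant to hold the generated page; if it is meant to hold the template, keep the placeholder.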
@@ -18,7 +18,7 @@ connection, the user will not be able to answer affirmatively. In this | ||
18 | 18 | case, the script rolls back to the previous ruleset after the timeout |
19 | 19 | expired. The timeout can be set with \fB\-t\fP. |
20 | 20 | .PP |
21 | -When called as ip6tables\-apply, the script will use | |
21 | +When called as \fBip6tables\-apply\fP, the script will use | |
22 | 22 | ip6tables\-save/\-restore instead. |
23 | 23 | .SH OPTIONS |
24 | 24 | .TP |
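Review bot: the bolding added at line 21 covers `ip6tables\-apply` only, while the unchanged next line, `ip6tables\-save/\-restore instead.`, names two more commands in the same sentence and stays plain; for consistency with the page's command markup consider `\fBip6tables\-save\fP/\fB\-restore\fP` there as well.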
@@ -0,0 +1,2649 @@ | ||
1 | +.TH iptables-extensions 8 "" "iptables 1.4.18" "iptables 1.4.18" | |
2 | +.SH NAME | |
3 | +iptables-extensions \(em list of extensions in the standard iptables distribution | |
4 | +.SH SYNOPSIS | |
5 | +\fBip6tables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]] | |
6 | +[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...] | |
7 | +.PP | |
8 | +\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]] | |
9 | +[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...] | |
10 | +.SH MATCH EXTENSIONS | |
11 | +iptables can use extended packet matching modules | |
12 | +with the \fB\-m\fP or \fB\-\-match\fP | |
13 | +options, followed by the matching module name; after these, various | |
14 | +extra command line options become available, depending on the specific | |
15 | +module. You can specify multiple extended match modules in one line, | |
16 | +and you can use the \fB\-h\fP or \fB\-\-help\fP | |
17 | +options after the module has been specified to receive help specific | |
18 | +to that module. The extended match modules are evaluated in the order | |
19 | +they are specified in the rule. | |
20 | +.PP | |
21 | +If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an | |
22 | +unknown option is encountered, iptables will try load a match module of the | |
23 | +same name as the protocol, to try making the option available. | |
24 | +.\" @MATCH@ | |
25 | +.SS addrtype | |
26 | +This module matches packets based on their | |
27 | +.B address type. | |
28 | +Address types are used within the kernel networking stack and categorize | |
29 | +addresses into various groups. The exact definition of that group depends on the specific layer three protocol. | |
30 | +.PP | |
31 | +The following address types are possible: | |
32 | +.TP | |
33 | +.BI "UNSPEC" | |
34 | +an unspecified address (i.e. 0.0.0.0) | |
35 | +.TP | |
36 | +.BI "UNICAST" | |
37 | +an unicast address | |
38 | +.TP | |
39 | +.BI "LOCAL" | |
40 | +a local address | |
41 | +.TP | |
42 | +.BI "BROADCAST" | |
43 | +a broadcast address | |
44 | +.TP | |
45 | +.BI "ANYCAST" | |
46 | +an anycast packet | |
47 | +.TP | |
48 | +.BI "MULTICAST" | |
49 | +a multicast address | |
50 | +.TP | |
51 | +.BI "BLACKHOLE" | |
52 | +a blackhole address | |
53 | +.TP | |
54 | +.BI "UNREACHABLE" | |
55 | +an unreachable address | |
56 | +.TP | |
57 | +.BI "PROHIBIT" | |
58 | +a prohibited address | |
59 | +.TP | |
60 | +.BI "THROW" | |
61 | +FIXME | |
62 | +.TP | |
63 | +.BI "NAT" | |
64 | +FIXME | |
65 | +.TP | |
66 | +.BI "XRESOLVE" | |
67 | +.TP | |
68 | +[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP | |
69 | +Matches if the source address is of given type | |
70 | +.TP | |
71 | +[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP | |
72 | +Matches if the destination address is of given type | |
73 | +.TP | |
74 | +.BI "\-\-limit\-iface\-in" | |
75 | +The address type checking can be limited to the interface the packet is coming | |
76 | +in. This option is only valid in the | |
77 | +.BR PREROUTING , | |
78 | +.B INPUT | |
79 | +and | |
80 | +.B FORWARD | |
81 | +chains. It cannot be specified with the | |
82 | +\fB\-\-limit\-iface\-out\fP | |
83 | +option. | |
84 | +.TP | |
85 | +\fB\-\-limit\-iface\-out\fP | |
86 | +The address type checking can be limited to the interface the packet is going | |
87 | +out. This option is only valid in the | |
88 | +.BR POSTROUTING , | |
89 | +.B OUTPUT | |
90 | +and | |
91 | +.B FORWARD | |
92 | +chains. It cannot be specified with the | |
93 | +\fB\-\-limit\-iface\-in\fP | |
94 | +option. | |
95 | +.SS ah (IPv6-specific) | |
96 | +This module matches the parameters in Authentication header of IPsec packets. | |
97 | +.TP | |
98 | +[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] | |
99 | +Matches SPI. | |
100 | +.TP | |
101 | +[\fB!\fP] \fB\-\-ahlen\fP \fIlength\fP | |
102 | +Total length of this header in octets. | |
103 | +.TP | |
104 | +\fB\-\-ahres\fP | |
105 | +Matches if the reserved field is filled with zero. | |
106 | +.SS ah (IPv4-specific) | |
107 | +This module matches the SPIs in Authentication header of IPsec packets. | |
108 | +.TP | |
109 | +[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] | |
110 | +.SS cluster | |
111 | +Allows you to deploy gateway and back-end load-sharing clusters without the | |
112 | +need of load-balancers. | |
113 | +.PP | |
114 | +This match requires that all the nodes see the same packets. Thus, the cluster | |
115 | +match decides if this node has to handle a packet given the following options: | |
116 | +.TP | |
117 | +\fB\-\-cluster\-total\-nodes\fP \fInum\fP | |
118 | +Set number of total nodes in cluster. | |
119 | +.TP | |
120 | +[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP | |
121 | +Set the local node number ID. | |
122 | +.TP | |
123 | +[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP | |
124 | +Set the local node number ID mask. You can use this option instead | |
125 | +of \fB\-\-cluster\-local\-node\fP. | |
126 | +.TP | |
127 | +\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP | |
128 | +Set seed value of the Jenkins hash. | |
129 | +.PP | |
130 | +Example: | |
131 | +.IP | |
132 | +iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster | |
133 | +\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 | |
134 | +\-\-cluster\-hash\-seed 0xdeadbeef | |
135 | +\-j MARK \-\-set-mark 0xffff | |
136 | +.IP | |
137 | +iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster | |
138 | +\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 | |
139 | +\-\-cluster\-hash\-seed 0xdeadbeef | |
140 | +\-j MARK -\-set\-mark 0xffff | |
141 | +.IP | |
142 | +iptables \-A PREROUTING \-t mangle \-i eth1 | |
143 | +\-m mark ! \-\-mark 0xffff \-j DROP | |
144 | +.IP | |
145 | +iptables \-A PREROUTING \-t mangle \-i eth2 | |
146 | +\-m mark ! \-\-mark 0xffff \-j DROP | |
147 | +.PP | |
148 | +And the following commands to make all nodes see the same packets: | |
149 | +.IP | |
150 | +ip maddr add 01:00:5e:00:01:01 dev eth1 | |
151 | +.IP | |
152 | +ip maddr add 01:00:5e:00:01:02 dev eth2 | |
153 | +.IP | |
154 | +arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 | |
155 | +\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01 | |
156 | +.IP | |
157 | +arptables \-A INPUT \-i eth1 \-\-h-length 6 | |
158 | +\-\-destination-mac 01:00:5e:00:01:01 | |
159 | +\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 | |
160 | +.IP | |
161 | +arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 | |
162 | +\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02 | |
163 | +.IP | |
164 | +arptables \-A INPUT \-i eth2 \-\-h\-length 6 | |
165 | +\-\-destination\-mac 01:00:5e:00:01:02 | |
166 | +\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 | |
167 | +.PP | |
168 | +In the case of TCP connections, pickup facility has to be disabled | |
169 | +to avoid marking TCP ACK packets coming in the reply direction as | |
170 | +valid. | |
171 | +.IP | |
172 | +echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose | |
173 | +.SS comment | |
174 | +Allows you to add comments (up to 256 characters) to any rule. | |
175 | +.TP | |
176 | +\fB\-\-comment\fP \fIcomment\fP | |
177 | +.TP | |
178 | +Example: | |
179 | +iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN" | |
180 | +.SS connbytes | |
181 | +Match by how many bytes or packets a connection (or one of the two | |
182 | +flows constituting the connection) has transferred so far, or by | |
183 | +average bytes per packet. | |
184 | +.PP | |
185 | +The counters are 64-bit and are thus not expected to overflow ;) | |
186 | +.PP | |
187 | +The primary use is to detect long-lived downloads and mark them to be | |
188 | +scheduled using a lower priority band in traffic control. | |
189 | +.PP | |
190 | +The transferred bytes per connection can also be viewed through | |
191 | +`conntrack \-L` and accessed via ctnetlink. | |
192 | +.PP | |
193 | +NOTE that for connections which have no accounting information, the match will | |
194 | +always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls | |
195 | +whether \fBnew\fP connections will be byte/packet counted. Existing connection | |
196 | +flows will not be gaining/losing a/the accounting structure when be sysctl flag | |
197 | +is flipped. | |
198 | +.TP | |
199 | +[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP] | |
200 | +match packets from a connection whose packets/bytes/average packet | |
201 | +size is more than FROM and less than TO bytes/packets. if TO is | |
202 | +omitted only FROM check is done. "!" is used to match packets not | |
203 | +falling in the range. | |
204 | +.TP | |
205 | +\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP} | |
206 | +which packets to consider | |
207 | +.TP | |
208 | +\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP} | |
209 | +whether to check the amount of packets, number of bytes transferred or | |
210 | +the average size (in bytes) of all packets received so far. Note that | |
211 | +when "both" is used together with "avgpkt", and data is going (mainly) | |
212 | +only in one direction (for example HTTP), the average packet size will | |
213 | +be about half of the actual data packets. | |
214 | +.TP | |
215 | +Example: | |
216 | +iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ... | |
217 | +.SS connlimit | |
218 | +Allows you to restrict the number of parallel connections to a server per | |
219 | +client IP address (or client address block). | |
220 | +.TP | |
221 | +\fB\-\-connlimit\-upto\fP \fIn\fP | |
222 | +Match if the number of existing connections is below or equal \fIn\fP. | |
223 | +.TP | |
224 | +\fB\-\-connlimit\-above\fP \fIn\fP | |
225 | +Match if the number of existing connections is above \fIn\fP. | |
226 | +.TP | |
227 | +\fB\-\-connlimit\-mask\fP \fIprefix_length\fP | |
228 | +Group hosts using the prefix length. For IPv4, this must be a number between | |
229 | +(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the | |
230 | +maximum prefix length for the applicable protocol is used. | |
231 | +.TP | |
232 | +\fB\-\-connlimit\-saddr\fP | |
233 | +Apply the limit onto the source group. This is the default if | |
234 | +\-\-connlimit\-daddr is not specified. | |
235 | +.TP | |
236 | +\fB\-\-connlimit\-daddr\fP | |
237 | +Apply the limit onto the destination group. | |
238 | +.PP | |
239 | +Examples: | |
240 | +.TP | |
241 | +# allow 2 telnet connections per client host | |
242 | +iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT | |
243 | +.TP | |
244 | +# you can also match the other way around: | |
245 | +iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT | |
246 | +.TP | |
247 | +# limit the number of parallel HTTP requests to 16 per class C sized \ | |
248 | +source network (24 bit netmask) | |
249 | +iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16 | |
250 | +\-\-connlimit\-mask 24 \-j REJECT | |
251 | +.TP | |
252 | +# limit the number of parallel HTTP requests to 16 for the link local network | |
253 | +(ipv6) | |
254 | +ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above | |
255 | +16 \-\-connlimit\-mask 64 \-j REJECT | |
256 | +.TP | |
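Review bot: the SYNOPSIS at lines 6 and 9, `[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]`, opens two brackets and closes only one; append a `]` on each line. Other points in this new file worth fixing before it ships: lines 61 and 64 leave `FIXME` as the description of THROW and NAT and line 66 gives XRESOLVE no description at all, which will render verbatim in the man page; line 22 "will try load" should read "will try to load", line 37 "an unicast address" should be "a unicast address", line 196 "when be sysctl flag" should be "when the sysctl flag", and line 298 describes `\fIstatuslist\fP` although line 297 declares the argument as `\fIstatelist\fP`; line 140 `-\-set\-mark` and lines 155 and 157 `\-\-mangle-mac-s` / `\-\-h-length` leave hyphens unescaped unlike the neighbouring `\-\-mangle\-mac\-s` and `\-\-h\-length`, so groff will typeset those as hyphen glyphs rather than minus signs and the example commands break when copied from rendered output; line 358 expands RPS as "Remote Packet Steering" where the Linux feature is Receive Packet Steering; and `00:zz:yy:xx:5a:27` at lines 159 and 166 is not a valid MAC address (z, y, x are not hex digits), so the text should say it is a placeholder for the node's own MAC. Since this file is an imported upstream page, these likely need to go upstream too to avoid divergence.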
257 | +# Limit the number of connections to a particular host: | |
258 | +ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit | |
259 | +\-\-connlimit-above 100 \-j REJECT | |
260 | +.SS connmark | |
261 | +This module matches the netfilter mark field associated with a connection | |
262 | +(which can be set using the \fBCONNMARK\fP target below). | |
263 | +.TP | |
264 | +[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
265 | +Matches packets in connections with the given mark value (if a mask is | |
266 | +specified, this is logically ANDed with the mark before the comparison). | |
267 | +.SS conntrack | |
268 | +This module, when combined with connection tracking, allows access to the | |
269 | +connection tracking state for this packet/connection. | |
270 | +.TP | |
271 | +[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP | |
272 | +\fIstatelist\fP is a comma separated list of the connection states to match. | |
273 | +Possible states are listed below. | |
274 | +.TP | |
275 | +[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP | |
276 | +Layer-4 protocol to match (by number or name) | |
277 | +.TP | |
278 | +[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
279 | +.TP | |
280 | +[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
281 | +.TP | |
282 | +[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
283 | +.TP | |
284 | +[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
285 | +Match against original/reply source/destination address | |
286 | +.TP | |
287 | +[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
288 | +.TP | |
289 | +[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
290 | +.TP | |
291 | +[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
292 | +.TP | |
293 | +[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
294 | +Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key. | |
295 | +Matching against port ranges is only supported in kernel versions above 2.6.38. | |
296 | +.TP | |
297 | +[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP | |
298 | +\fIstatuslist\fP is a comma separated list of the connection statuses to match. | |
299 | +Possible statuses are listed below. | |
300 | +.TP | |
301 | +[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP] | |
302 | +Match remaining lifetime in seconds against given value or range of values | |
303 | +(inclusive) | |
304 | +.TP | |
305 | +\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} | |
306 | +Match packets that are flowing in the specified direction. If this flag is not | |
307 | +specified at all, matches packets in both directions. | |
308 | +.PP | |
309 | +States for \fB\-\-ctstate\fP: | |
310 | +.TP | |
311 | +\fBINVALID\fP | |
312 | +The packet is associated with no known connection. | |
313 | +.TP | |
314 | +\fBNEW\fP | |
315 | +The packet has started a new connection, or otherwise associated | |
316 | +with a connection which has not seen packets in both directions. | |
317 | +.TP | |
318 | +\fBESTABLISHED\fP | |
319 | +The packet is associated with a connection which has seen packets | |
320 | +in both directions. | |
321 | +.TP | |
322 | +\fBRELATED\fP | |
323 | +The packet is starting a new connection, but is associated with an | |
324 | +existing connection, such as an FTP data transfer, or an ICMP error. | |
325 | +.TP | |
326 | +\fBUNTRACKED\fP | |
327 | +The packet is not tracked at all, which happens if you explicitly untrack it | |
328 | +by using \-j CT \-\-notrack in the raw table. | |
329 | +.TP | |
330 | +\fBSNAT\fP | |
331 | +A virtual state, matching if the original source address differs from the reply | |
332 | +destination. | |
333 | +.TP | |
334 | +\fBDNAT\fP | |
335 | +A virtual state, matching if the original destination differs from the reply | |
336 | +source. | |
337 | +.PP | |
338 | +Statuses for \fB\-\-ctstatus\fP: | |
339 | +.TP | |
340 | +\fBNONE\fP | |
341 | +None of the below. | |
342 | +.TP | |
343 | +\fBEXPECTED\fP | |
344 | +This is an expected connection (i.e. a conntrack helper set it up). | |
345 | +.TP | |
346 | +\fBSEEN_REPLY\fP | |
347 | +Conntrack has seen packets in both directions. | |
348 | +.TP | |
349 | +\fBASSURED\fP | |
350 | +Conntrack entry should never be early-expired. | |
351 | +.TP | |
352 | +\fBCONFIRMED\fP | |
353 | +Connection is confirmed: originating packet has left box. | |
354 | +.SS cpu | |
355 | +.TP | |
356 | +[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP | |
357 | +Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 | |
358 | +Can be used in combination with RPS (Remote Packet Steering) or | |
359 | +multiqueue NICs to spread network traffic on different queues. | |
360 | +.PP | |
361 | +Example: | |
362 | +.PP | |
363 | +iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0 | |
364 | +\-j REDIRECT \-\-to\-port 8080 | |
365 | +.PP | |
366 | +iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1 | |
367 | +\-j REDIRECT \-\-to\-port 8081 | |
368 | +.PP | |
369 | +Available since Linux 2.6.36. | |
370 | +.SS dccp | |
371 | +.TP | |
372 | +[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
373 | +.TP | |
374 | +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
375 | +.TP | |
376 | +[\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP | |
377 | +Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated | |
378 | +list of packet types. Packet types are: | |
379 | +.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" . | |
380 | +.TP | |
381 | +[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP | |
382 | +Match if DCCP option set. | |
383 | +.SS devgroup | |
384 | +Match device group of a packets incoming/outgoing interface. | |
385 | +.TP | |
386 | +[\fB!\fP] \fB\-\-src\-group\fP \fIname\fP | |
387 | +Match device group of incoming device | |
388 | +.TP | |
389 | +[\fB!\fP] \fB\-\-dst\-group\fP \fIname\fP | |
390 | +Match device group of outgoing device | |
391 | +.SS dscp | |
392 | +This module matches the 6 bit DSCP field within the TOS field in the | |
393 | +IP header. DSCP has superseded TOS within the IETF. | |
394 | +.TP | |
395 | +[\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP | |
396 | +Match against a numeric (decimal or hex) value [0-63]. | |
397 | +.TP | |
398 | +[\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP | |
399 | +Match the DiffServ class. This value may be any of the | |
400 | +BE, EF, AFxx or CSx classes. It will then be converted | |
401 | +into its according numeric value. | |
402 | +.SS dst (IPv6-specific) | |
403 | +This module matches the parameters in Destination Options header | |
404 | +.TP | |
405 | +[\fB!\fP] \fB\-\-dst\-len\fP \fIlength\fP | |
406 | +Total length of this header in octets. | |
407 | +.TP | |
408 | +\fB\-\-dst\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...] | |
409 | +numeric type of option and the length of the option data in octets. | |
410 | +.SS ecn | |
411 | +This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168 | |
412 | +.TP | |
413 | +[\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP | |
414 | +This matches if the TCP ECN CWR (Congestion Window Received) bit is set. | |
415 | +.TP | |
416 | +[\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP | |
417 | +This matches if the TCP ECN ECE (ECN Echo) bit is set. | |
418 | +.TP | |
419 | +[\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP | |
420 | +This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify | |
421 | +a number between `0' and `3'. | |
422 | +.SS esp | |
423 | +This module matches the SPIs in ESP header of IPsec packets. | |
424 | +.TP | |
425 | +[\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] | |
426 | +.SS eui64 (IPv6-specific) | |
427 | +This module matches the EUI-64 part of a stateless autoconfigured IPv6 address. | |
428 | +It compares the EUI-64 derived from the source MAC address in Ethernet frame | |
429 | +with the lower 64 bits of the IPv6 source address. But "Universal/Local" | |
430 | +bit is not compared. This module doesn't match other link layer frame, and | |
431 | +is only valid in the | |
432 | +.BR PREROUTING , | |
433 | +.BR INPUT | |
434 | +and | |
435 | +.BR FORWARD | |
436 | +chains. | |
437 | +.SS frag (IPv6-specific) | |
438 | +This module matches the parameters in Fragment header. | |
439 | +.TP | |
440 | +[\fB!\fP] \fB\-\-fragid\fP \fIid\fP[\fB:\fP\fIid\fP] | |
441 | +Matches the given Identification or range of it. | |
442 | +.TP | |
443 | +[\fB!\fP] \fB\-\-fraglen\fP \fIlength\fP | |
444 | +This option cannot be used with kernel version 2.6.10 or later. The length of | |
445 | +Fragment header is static and this option doesn't make sense. | |
446 | +.TP | |
447 | +\fB\-\-fragres\fP | |
448 | +Matches if the reserved fields are filled with zero. | |
449 | +.TP | |
450 | +\fB\-\-fragfirst\fP | |
451 | +Matches on the first fragment. | |
452 | +.TP | |
453 | +\fB\-\-fragmore\fP | |
454 | +Matches if there are more fragments. | |
455 | +.TP | |
456 | +\fB\-\-fraglast\fP | |
457 | +Matches if this is the last fragment. | |
458 | +.SS hashlimit | |
459 | +\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the | |
460 | +\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables | |
461 | +rule. Grouping can be done per-hostgroup (source and/or destination address) | |
462 | +and/or per-port. It gives you the ability to express "\fIN\fP packets per time | |
463 | +quantum per group" or "\fIN\fP bytes per seconds" (see below for some examples). | |
464 | +.PP | |
465 | +A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and | |
466 | +\fB\-\-hashlimit\-name\fP are required. | |
467 | +.TP | |
468 | +\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] | |
469 | +Match if the rate is below or equal to \fIamount\fP/quantum. It is specified either as | |
470 | +a number, with an optional time quantum suffix (the default is 3/hour), or as | |
471 | +\fIamount\fPb/second (number of bytes per second). | |
472 | +.TP | |
473 | +\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] | |
474 | +Match if the rate is above \fIamount\fP/quantum. | |
475 | +.TP | |
476 | +\fB\-\-hashlimit\-burst\fP \fIamount\fP | |
477 | +Maximum initial number of packets to match: this number gets recharged by one | |
478 | +every time the limit specified above is not reached, up to this number; the | |
479 | +default is 5. When byte-based rate matching is requested, this option specifies | |
480 | +the amount of bytes that can exceed the given rate. This option should be used | |
481 | +with caution -- if the entry expires, the burst value is reset too. | |
482 | +.TP | |
483 | +\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP... | |
484 | +A comma-separated list of objects to take into consideration. If no | |
485 | +\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the | |
486 | +expensive of doing the hash housekeeping. | |
487 | +.TP | |
488 | +\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP | |
489 | +When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be | |
490 | +grouped according to the given prefix length and the so-created subnet will be | |
491 | +subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note | |
492 | +that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying | |
493 | +srcip for \-\-hashlimit\-mode, but is technically more expensive. | |
494 | +.TP | |
495 | +\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP | |
496 | +Like \-\-hashlimit\-srcmask, but for destination addresses. | |
497 | +.TP | |
498 | +\fB\-\-hashlimit\-name\fP \fIfoo\fP | |
499 | +The name for the /proc/net/ipt_hashlimit/foo entry. | |
500 | +.TP | |
501 | +\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP | |
502 | +The number of buckets of the hash table | |
503 | +.TP | |
504 | +\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP | |
505 | +Maximum entries in the hash. | |
506 | +.TP | |
507 | +\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP | |
508 | +After how many milliseconds do hash entries expire. | |
509 | +.TP | |
510 | +\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP | |
511 | +How many milliseconds between garbage collection intervals. | |
512 | +.PP | |
513 | +Examples: | |
514 | +.TP | |
515 | +matching on source host | |
516 | +"1000 packets per second for every host in 192.168.0.0/16" => | |
517 | +\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec | |
518 | +.TP | |
519 | +matching on source port | |
520 | +"100 packets per second for every service of 192.168.1.1" => | |
521 | +\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec | |
522 | +.TP | |
523 | +matching on subnet | |
524 | +"10000 packets per minute for every /28 subnet (groups of 8 addresses) | |
525 | +in 10.0.0.0/8" => | |
526 | +\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min | |
527 | +.TP | |
528 | +matching bytes per second | |
529 | +"flows exceeding 512kbyte/s" => | |
530 | +\-\-hashlimit-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s | |
531 | +.TP | |
532 | +matching bytes per second | |
533 | +"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching" | |
534 | +\-\-hashlimit-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit-burst 1mb | |
535 | +.SS hbh (IPv6-specific) | |
536 | +This module matches the parameters in Hop-by-Hop Options header | |
537 | +.TP | |
538 | +[\fB!\fP] \fB\-\-hbh\-len\fP \fIlength\fP | |
539 | +Total length of this header in octets. | |
540 | +.TP | |
541 | +\fB\-\-hbh\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...] | |
542 | +numeric type of option and the length of the option data in octets. | |
543 | +.SS helper | |
544 | +This module matches packets related to a specific conntrack-helper. | |
545 | +.TP | |
546 | +[\fB!\fP] \fB\-\-helper\fP \fIstring\fP | |
547 | +Matches packets related to the specified conntrack-helper. | |
548 | +.RS | |
549 | +.PP | |
550 | +string can be "ftp" for packets related to a ftp-session on default port. | |
551 | +For other ports append \-portnr to the value, ie. "ftp\-2121". | |
552 | +.PP | |
553 | +Same rules apply for other conntrack-helpers. | |
554 | +.RE | |
555 | +.SS hl (IPv6-specific) | |
556 | +This module matches the Hop Limit field in the IPv6 header. | |
557 | +.TP | |
558 | +[\fB!\fP] \fB\-\-hl\-eq\fP \fIvalue\fP | |
559 | +Matches if Hop Limit equals \fIvalue\fP. | |
560 | +.TP | |
561 | +\fB\-\-hl\-lt\fP \fIvalue\fP | |
562 | +Matches if Hop Limit is less than \fIvalue\fP. | |
563 | +.TP | |
564 | +\fB\-\-hl\-gt\fP \fIvalue\fP | |
565 | +Matches if Hop Limit is greater than \fIvalue\fP. | |
566 | +.SS icmp (IPv4-specific) | |
567 | +This extension can be used if `\-\-protocol icmp' is specified. It | |
568 | +provides the following option: | |
569 | +.TP | |
570 | +[\fB!\fP] \fB\-\-icmp\-type\fP {\fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP} | |
571 | +This allows specification of the ICMP type, which can be a numeric | |
572 | +ICMP type, type/code pair, or one of the ICMP type names shown by the command | |
573 | +.nf | |
574 | + iptables \-p icmp \-h | |
575 | +.fi | |
576 | +.SS icmp6 (IPv6-specific) | |
577 | +This extension can be used if `\-\-protocol ipv6\-icmp' or `\-\-protocol icmpv6' is | |
578 | +specified. It provides the following option: | |
579 | +.TP | |
580 | +[\fB!\fP] \fB\-\-icmpv6\-type\fP \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP | |
581 | +This allows specification of the ICMPv6 type, which can be a numeric | |
582 | +ICMPv6 | |
583 | +.IR type , | |
584 | +.IR type | |
585 | +and | |
586 | +.IR code , | |
587 | +or one of the ICMPv6 type names shown by the command | |
588 | +.nf | |
589 | + ip6tables \-p ipv6\-icmp \-h | |
590 | +.fi | |
591 | +.SS iprange | |
592 | +This matches on a given arbitrary range of IP addresses. | |
593 | +.TP | |
594 | +[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] | |
595 | +Match source IP in the specified range. | |
596 | +.TP | |
597 | +[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] | |
598 | +Match destination IP in the specified range. | |
599 | +.SS ipv6header (IPv6-specific) | |
600 | +This module matches IPv6 extension headers and/or upper layer header. | |
601 | +.TP | |
602 | +\fB\-\-soft\fP | |
603 | +Matches if the packet includes \fBany\fP of the headers specified with | |
604 | +\fB\-\-header\fP. | |
605 | +.TP | |
606 | +[\fB!\fP] \fB\-\-header\fP \fIheader\fP[\fB,\fP\fIheader\fP...] | |
607 | +Matches the packet which EXACTLY includes all specified headers. The headers | |
608 | +encapsulated with ESP header are out of scope. | |
609 | +Possible \fIheader\fP types can be: | |
610 | +.TP | |
611 | +\fBhop\fP|\fBhop\-by\-hop\fP | |
612 | +Hop-by-Hop Options header | |
613 | +.TP | |
614 | +\fBdst\fP | |
615 | +Destination Options header | |
616 | +.TP | |
617 | +\fBroute\fP | |
618 | +Routing header | |
619 | +.TP | |
620 | +\fBfrag\fP | |
621 | +Fragment header | |
622 | +.TP | |
623 | +\fBauth\fP | |
624 | +Authentication header | |
625 | +.TP | |
626 | +\fBesp\fP | |
627 | +Encapsulating Security Payload header | |
628 | +.TP | |
629 | +\fBnone\fP | |
630 | +No Next header which matches 59 in the 'Next Header field' of IPv6 header or | |
631 | +any IPv6 extension headers | |
632 | +.TP | |
633 | +\fBproto\fP | |
634 | +which matches any upper layer protocol header. A protocol name from | |
635 | +/etc/protocols and numeric value also allowed. The number 255 is equivalent to | |
636 | +\fBproto\fP. | |
637 | +.SS ipvs | |
638 | +Match IPVS connection properties. | |
639 | +.TP | |
640 | +[\fB!\fP] \fB\-\-ipvs\fP | |
641 | +packet belongs to an IPVS connection | |
642 | +.TP | |
643 | +Any of the following options implies \-\-ipvs (even negated) | |
644 | +.TP | |
645 | +[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP | |
646 | +VIP protocol to match; by number or name, e.g. "tcp" | |
647 | +.TP | |
648 | +[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
649 | +VIP address to match | |
650 | +.TP | |
651 | +[\fB!\fP] \fB\-\-vport\fP \fIport\fP | |
652 | +VIP port to match; by number or name, e.g. "http" | |
653 | +.TP | |
654 | +\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} | |
655 | +flow direction of packet | |
656 | +.TP | |
657 | +[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP} | |
658 | +IPVS forwarding method used | |
659 | +.TP | |
660 | +[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP | |
661 | +VIP port of the controlling connection to match, e.g. 21 for FTP | |
662 | +.SS length | |
663 | +This module matches the length of the layer-3 payload (e.g. layer-4 packet) | |
664 | +of a packet against a specific value | |
665 | +or range of values. | |
666 | +.TP | |
667 | +[\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP] | |
668 | +.SS limit | |
669 | +This module matches at a limited rate using a token bucket filter. | |
670 | +A rule using this extension will match until this limit is reached. | |
671 | +It can be used in combination with the | |
672 | +.B LOG | |
673 | +target to give limited logging, for example. | |
674 | +.PP | |
675 | +xt_limit has no negation support - you will have to use \-m hashlimit ! | |
676 | +\-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode. | |
677 | +.TP | |
678 | +\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] | |
679 | +Maximum average matching rate: specified as a number, with an optional | |
680 | +`/second', `/minute', `/hour', or `/day' suffix; the default is | |
681 | +3/hour. | |
682 | +.TP | |
683 | +\fB\-\-limit\-burst\fP \fInumber\fP | |
684 | +Maximum initial number of packets to match: this number gets | |
685 | +recharged by one every time the limit specified above is not reached, | |
686 | +up to this number; the default is 5. | |
687 | +.SS mac | |
688 | +.TP | |
689 | +[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP | |
690 | +Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. | |
691 | +Note that this only makes sense for packets coming from an Ethernet device | |
692 | +and entering the | |
693 | +.BR PREROUTING , | |
694 | +.B FORWARD | |
695 | +or | |
696 | +.B INPUT | |
697 | +chains. | |
698 | +.SS mark | |
699 | +This module matches the netfilter mark field associated with a packet | |
700 | +(which can be set using the | |
701 | +.B MARK | |
702 | +target below). | |
703 | +.TP | |
704 | +[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
705 | +Matches packets with the given unsigned mark value (if a \fImask\fP is | |
706 | +specified, this is logically ANDed with the \fImask\fP before the | |
707 | +comparison). | |
708 | +.SS mh (IPv6-specific) | |
709 | +This extension is loaded if `\-\-protocol ipv6\-mh' or `\-\-protocol mh' is | |
710 | +specified. It provides the following option: | |
711 | +.TP | |
712 | +[\fB!\fP] \fB\-\-mh\-type\fP \fItype\fP[\fB:\fP\fItype\fP] | |
713 | +This allows specification of the Mobility Header(MH) type, which can be | |
714 | +a numeric MH | |
715 | +.IR type , | |
716 | +.IR type | |
717 | +or one of the MH type names shown by the command | |
718 | +.nf | |
719 | + ip6tables \-p ipv6\-mh \-h | |
720 | +.fi | |
721 | +.SS multiport | |
722 | +This module matches a set of source or destination ports. Up to 15 | |
723 | +ports can be specified. A port range (port:port) counts as two | |
724 | +ports. It can only be used in conjunction with | |
725 | +\fB\-p tcp\fP | |
726 | +or | |
727 | +\fB\-p udp\fP. | |
728 | +.TP | |
729 | +[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... | |
730 | +Match if the source port is one of the given ports. The flag | |
731 | +\fB\-\-sports\fP | |
732 | +is a convenient alias for this option. Multiple ports or port ranges are | |
733 | +separated using a comma, and a port range is specified using a colon. | |
734 | +\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through | |
735 | +65535. | |
736 | +.TP | |
737 | +[\fB!\fP] \fB\-\-destination\-ports\fP,\fB\-\-dports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... | |
738 | +Match if the destination port is one of the given ports. The flag | |
739 | +\fB\-\-dports\fP | |
740 | +is a convenient alias for this option. | |
741 | +.TP | |
742 | +[\fB!\fP] \fB\-\-ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... | |
743 | +Match if either the source or destination ports are equal to one of | |
744 | +the given ports. | |
745 | +.SS nfacct | |
746 | +The nfacct match provides the extended accounting infrastructure for iptables. | |
747 | +You have to use this match together with the standalone user-space utility | |
748 | +.B nfacct(8) | |
749 | +.PP | |
750 | +The only option available for this match is the following: | |
751 | +.TP | |
752 | +\fB\-\-nfacct\-name\fP \fIname\fP | |
753 | +This allows you to specify the existing object name that will be use for | |
754 | +accounting the traffic that this rule-set is matching. | |
755 | +.PP | |
756 | +To use this extension, you have to create an accounting object: | |
757 | +.IP | |
758 | +nfacct add http\-traffic | |
759 | +.PP | |
760 | +Then, you have to attach it to the accounting object via iptables: | |
761 | +.IP | |
762 | +iptables \-I INPUT \-p tcp \-\-sport 80 \-m nfacct \-\-nfacct\-name http\-traffic | |
763 | +.IP | |
764 | +iptables \-I OUTPUT \-p tcp \-\-dport 80 \-m nfacct \-\-nfacct\-name http\-traffic | |
765 | +.PP | |
766 | +Then, you can check for the amount of traffic that the rules match: | |
767 | +.IP | |
768 | +nfacct get http\-traffic | |
769 | +.IP | |
770 | +{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic; | |
771 | +.PP | |
772 | +You can obtain | |
773 | +.B nfacct(8) | |
774 | +from http://www.netfilter.org or, alternatively, from the git.netfilter.org | |
775 | +repository. | |
776 | +.SS osf | |
777 | +The osf module does passive operating system fingerprinting. This modules | |
778 | +compares some data (Window Size, MSS, options and their order, TTL, DF, | |
779 | +and others) from packets with the SYN bit set. | |
780 | +.TP | |
781 | +[\fB!\fP] \fB\-\-genre\fP \fIstring\fP | |
782 | +Match an operating system genre by using a passive fingerprinting. | |
783 | +.TP | |
784 | +\fB\-\-ttl\fP \fIlevel\fP | |
785 | +Do additional TTL checks on the packet to determine the operating system. | |
786 | +\fIlevel\fP can be one of the following values: | |
787 | +.IP \(bu 4 | |
788 | +0 - True IP address and fingerprint TTL comparison. This generally works for | |
789 | +LANs. | |
790 | +.IP \(bu 4 | |
791 | +1 - Check if the IP header's TTL is less than the fingerprint one. Works for | |
792 | +globally-routable addresses. | |
793 | +.IP \(bu 4 | |
794 | +2 - Do not compare the TTL at all. | |
795 | +.TP | |
796 | +\fB\-\-log\fP \fIlevel\fP | |
797 | +Log determined genres into dmesg even if they do not match the desired one. | |
798 | +\fIlevel\fP can be one of the following values: | |
799 | +.IP \(bu 4 | |
800 | +0 - Log all matched or unknown signatures | |
801 | +.IP \(bu 4 | |
802 | +1 - Log only the first one | |
803 | +.IP \(bu 4 | |
804 | +2 - Log all known matched signatures | |
805 | +.PP | |
806 | +You may find something like this in syslog: | |
807 | +.PP | |
808 | +Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> | |
809 | +11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4 | |
810 | +.PP | |
811 | +OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load | |
812 | +fingerprints from a file, use: | |
813 | +.PP | |
814 | +\fBnfnl_osf -f /usr/share/xtables/pf.os\fP | |
815 | +.PP | |
816 | +To remove them again, | |
817 | +.PP | |
818 | +\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP | |
819 | +.PP | |
820 | +The fingerprint database can be downlaoded from | |
821 | +http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . | |
822 | +.SS owner | |
823 | +This module attempts to match various characteristics of the packet creator, | |
824 | +for locally generated packets. This match is only valid in the OUTPUT and | |
825 | +POSTROUTING chains. Forwarded packets do not have any socket associated with | |
826 | +them. Packets from kernel threads do have a socket, but usually no owner. | |
827 | +.TP | |
828 | +[\fB!\fP] \fB\-\-uid\-owner\fP \fIusername\fP | |
829 | +.TP | |
830 | +[\fB!\fP] \fB\-\-uid\-owner\fP \fIuserid\fP[\fB\-\fP\fIuserid\fP] | |
831 | +Matches if the packet socket's file structure (if it has one) is owned by the | |
832 | +given user. You may also specify a numerical UID, or an UID range. | |
833 | +.TP | |
834 | +[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupname\fP | |
835 | +.TP | |
836 | +[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP] | |
837 | +Matches if the packet socket's file structure is owned by the given group. | |
838 | +You may also specify a numerical GID, or a GID range. | |
839 | +.TP | |
840 | +[\fB!\fP] \fB\-\-socket\-exists\fP | |
841 | +Matches if the packet is associated with a socket. | |
842 | +.SS physdev | |
843 | +This module matches on the bridge port input and output devices enslaved | |
844 | +to a bridge device. This module is a part of the infrastructure that enables | |
845 | +a transparent bridging IP firewall and is only useful for kernel versions | |
846 | +above version 2.5.44. | |
847 | +.TP | |
848 | +[\fB!\fP] \fB\-\-physdev\-in\fP \fIname\fP | |
849 | +Name of a bridge port via which a packet is received (only for | |
850 | +packets entering the | |
851 | +.BR INPUT , | |
852 | +.B FORWARD | |
853 | +and | |
854 | +.B PREROUTING | |
855 | +chains). If the interface name ends in a "+", then any | |
856 | +interface which begins with this name will match. If the packet didn't arrive | |
857 | +through a bridge device, this packet won't match this option, unless '!' is used. | |
858 | +.TP | |
859 | +[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP | |
860 | +Name of a bridge port via which a packet is going to be sent (for packets | |
861 | +entering the | |
862 | +.BR FORWARD , | |
863 | +.B OUTPUT | |
864 | +and | |
865 | +.B POSTROUTING | |
866 | +chains). If the interface name ends in a "+", then any | |
867 | +interface which begins with this name will match. Note that in the | |
868 | +.BR nat " and " mangle | |
869 | +.B OUTPUT | |
870 | +chains one cannot match on the bridge output port, however one can in the | |
871 | +.B "filter OUTPUT" | |
872 | +chain. If the packet won't leave by a bridge device or if it is yet unknown what | |
873 | +the output device will be, then the packet won't match this option, | |
874 | +unless '!' is used. | |
875 | +.TP | |
876 | +[\fB!\fP] \fB\-\-physdev\-is\-in\fP | |
877 | +Matches if the packet has entered through a bridge interface. | |
878 | +.TP | |
879 | +[\fB!\fP] \fB\-\-physdev\-is\-out\fP | |
880 | +Matches if the packet will leave through a bridge interface. | |
881 | +.TP | |
882 | +[\fB!\fP] \fB\-\-physdev\-is\-bridged\fP | |
883 | +Matches if the packet is being bridged and therefore is not being routed. | |
884 | +This is only useful in the FORWARD and POSTROUTING chains. | |
885 | +.SS pkttype | |
886 | +This module matches the link-layer packet type. | |
887 | +.TP | |
888 | +[\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP} | |
889 | +.SS policy | |
890 | +This modules matches the policy used by IPsec for handling a packet. | |
891 | +.TP | |
892 | +\fB\-\-dir\fP {\fBin\fP|\fBout\fP} | |
893 | +Used to select whether to match the policy used for decapsulation or the | |
894 | +policy that will be used for encapsulation. | |
895 | +.B in | |
896 | +is valid in the | |
897 | +.B PREROUTING, INPUT and FORWARD | |
898 | +chains, | |
899 | +.B out | |
900 | +is valid in the | |
901 | +.B POSTROUTING, OUTPUT and FORWARD | |
902 | +chains. | |
903 | +.TP | |
904 | +\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP} | |
905 | +Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP | |
906 | +cannot be combined with \fB\-\-strict\fP. | |
907 | +.TP | |
908 | +\fB\-\-strict\fP | |
909 | +Selects whether to match the exact policy or match if any rule of | |
910 | +the policy matches the given policy. | |
911 | +.PP | |
912 | +For each policy element that is to be described, one can use one or more of | |
913 | +the following options. When \fB\-\-strict\fP is in effect, at least one must be | |
914 | +used per element. | |
915 | +.TP | |
916 | +[\fB!\fP] \fB\-\-reqid\fP \fIid\fP | |
917 | +Matches the reqid of the policy rule. The reqid can be specified with | |
918 | +.B setkey(8) | |
919 | +using | |
920 | +.B unique:id | |
921 | +as level. | |
922 | +.TP | |
923 | +[\fB!\fP] \fB\-\-spi\fP \fIspi\fP | |
924 | +Matches the SPI of the SA. | |
925 | +.TP | |
926 | +[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP} | |
927 | +Matches the encapsulation protocol. | |
928 | +.TP | |
929 | +[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP} | |
930 | +Matches the encapsulation mode. | |
931 | +.TP | |
932 | +[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP] | |
933 | +Matches the source end-point address of a tunnel mode SA. | |
934 | +Only valid with \fB\-\-mode tunnel\fP. | |
935 | +.TP | |
936 | +[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP] | |
937 | +Matches the destination end-point address of a tunnel mode SA. | |
938 | +Only valid with \fB\-\-mode tunnel\fP. | |
939 | +.TP | |
940 | +\fB\-\-next\fP | |
941 | +Start the next element in the policy specification. Can only be used with | |
942 | +\fB\-\-strict\fP. | |
943 | +.SS quota | |
944 | +Implements network quotas by decrementing a byte counter with each | |
945 | +packet. The condition matches until the byte counter reaches zero. Behavior | |
946 | +is reversed with negation (i.e. the condition does not match until the | |
947 | +byte counter reaches zero). | |
948 | +.TP | |
949 | +[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP | |
950 | +The quota in bytes. | |
951 | +.SS rateest | |
952 | +The rate estimator can match on estimated rates as collected by the RATEEST | |
953 | +target. It supports matching on absolute bps/pps values, comparing two rate | |
954 | +estimators and matching on the difference between two rate estimators. | |
955 | +.PP | |
956 | +For a better understanding of the available options, these are all possible | |
957 | +combinations: | |
958 | +.\" * Absolute: | |
959 | +.IP \(bu 4 | |
960 | +\fBrateest\fP \fIoperator\fP \fBrateest-bps\fP | |
961 | +.IP \(bu 4 | |
962 | +\fBrateest\fP \fIoperator\fP \fBrateest-pps\fP | |
963 | +.\" * Absolute + Delta: | |
964 | +.IP \(bu 4 | |
965 | +(\fBrateest\fP minus \fBrateest-bps1\fP) \fIoperator\fP \fBrateest-bps2\fP | |
966 | +.IP \(bu 4 | |
967 | +(\fBrateest\fP minus \fBrateest-pps1\fP) \fIoperator\fP \fBrateest-pps2\fP | |
968 | +.\" * Relative: | |
969 | +.IP \(bu 4 | |
970 | +\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-bps\fP(without rate!) | |
971 | +.IP \(bu 4 | |
972 | +\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-pps\fP(without rate!) | |
973 | +.\" * Relative + Delta: | |
974 | +.IP \(bu 4 | |
975 | +(\fBrateest1\fP minus \fBrateest-bps1\fP) \fIoperator\fP | |
976 | +(\fBrateest2\fP minus \fBrateest-bps2\fP) | |
977 | +.IP \(bu 4 | |
978 | +(\fBrateest1\fP minus \fBrateest-pps1\fP) \fIoperator\fP | |
979 | +(\fBrateest2\fP minus \fBrateest-pps2\fP) | |
980 | +.TP | |
981 | +\fB\-\-rateest\-delta\fP | |
982 | +For each estimator (either absolute or relative mode), calculate the difference | |
983 | +between the estimator-determined flow rate and the static value chosen with the | |
984 | +BPS/PPS options. If the flow rate is higher than the specified BPS/PPS, 0 will | |
985 | +be used instead of a negative value. In other words, "max(0, rateest#_rate - | |
986 | +rateest#_bps)" is used. | |
987 | +.TP | |
988 | +[\fB!\fP] \fB\-\-rateest\-lt\fP | |
989 | +Match if rate is less than given rate/estimator. | |
990 | +.TP | |
991 | +[\fB!\fP] \fB\-\-rateest\-gt\fP | |
992 | +Match if rate is greater than given rate/estimator. | |
993 | +.TP | |
994 | +[\fB!\fP] \fB\-\-rateest\-eq\fP | |
995 | +Match if rate is equal to given rate/estimator. | |
996 | +.PP | |
997 | +In the so-called "absolute mode", only one rate estimator is used and compared | |
998 | +against a static value, while in "relative mode", two rate estimators are | |
999 | +compared against another. | |
1000 | +.TP | |
1001 | +\fB\-\-rateest\fP \fIname\fP | |
1002 | +Name of the one rate estimator for absolute mode. | |
1003 | +.TP | |
1004 | +\fB\-\-rateest1\fP \fIname\fP | |
1005 | +.TP | |
1006 | +\fB\-\-rateest2\fP \fIname\fP | |
1007 | +The names of the two rate estimators for relative mode. | |
1008 | +.TP | |
1009 | +\fB\-\-rateest\-bps\fP [\fIvalue\fP] | |
1010 | +.TP | |
1011 | +\fB\-\-rateest\-pps\fP [\fIvalue\fP] | |
1012 | +.TP | |
1013 | +\fB\-\-rateest\-bps1\fP [\fIvalue\fP] | |
1014 | +.TP | |
1015 | +\fB\-\-rateest\-bps2\fP [\fIvalue\fP] | |
1016 | +.TP | |
1017 | +\fB\-\-rateest\-pps1\fP [\fIvalue\fP] | |
1018 | +.TP | |
1019 | +\fB\-\-rateest\-pps2\fP [\fIvalue\fP] | |
1020 | +Compare the estimator(s) by bytes or packets per second, and compare against | |
1021 | +the chosen value. See the above bullet list for which option is to be used in | |
1022 | +which case. A unit suffix may be used - available ones are: bit, [kmgt]bit, | |
1023 | +[KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps. | |
1024 | +.PP | |
1025 | +Example: This is what can be used to route outgoing data connections from an | |
1026 | +FTP server over two lines based on the available bandwidth at the time the data | |
1027 | +connection was started: | |
1028 | +.PP | |
1029 | +# Estimate outgoing rates | |
1030 | +.PP | |
1031 | +iptables \-t mangle \-A POSTROUTING \-o eth0 \-j RATEEST \-\-rateest\-name eth0 | |
1032 | +\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s | |
1033 | +.PP | |
1034 | +iptables \-t mangle \-A POSTROUTING \-o ppp0 \-j RATEEST \-\-rateest\-name ppp0 | |
1035 | +\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s | |
1036 | +.PP | |
1037 | +# Mark based on available bandwidth | |
1038 | +.PP | |
1039 | +iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp | |
1040 | +\-m rateest \-\-rateest\-delta \-\-rateest1 eth0 \-\-rateest\-bps1 2.5mbit \-\-rateest\-gt | |
1041 | +\-\-rateest2 ppp0 \-\-rateest\-bps2 2mbit \-j CONNMARK \-\-set\-mark 1 | |
1042 | +.PP | |
1043 | +iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp | |
1044 | +\-m rateest \-\-rateest\-delta \-\-rateest1 ppp0 \-\-rateest\-bps1 2mbit \-\-rateest\-gt | |
1045 | +\-\-rateest2 eth0 \-\-rateest\-bps2 2.5mbit \-j CONNMARK \-\-set\-mark 2 | |
1046 | +.PP | |
1047 | +iptables \-t mangle \-A balance \-j CONNMARK \-\-restore\-mark | |
1048 | +.SS realm (IPv4-specific) | |
1049 | +This matches the routing realm. Routing realms are used in complex routing | |
1050 | +setups involving dynamic routing protocols like BGP. | |
1051 | +.TP | |
1052 | +[\fB!\fP] \fB\-\-realm\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1053 | +Matches a given realm number (and optionally mask). If not a number, value | |
1054 | +can be a named realm from /etc/iproute2/rt_realms (mask can not be used in | |
1055 | +that case). | |
1056 | +.SS recent | |
1057 | +Allows you to dynamically create a list of IP addresses and then match against | |
1058 | +that list in a few different ways. | |
1059 | +.PP | |
1060 | +For example, you can create a "badguy" list out of people attempting to connect | |
1061 | +to port 139 on your firewall and then DROP all future packets from them without | |
1062 | +considering them. | |
1063 | +.PP | |
1064 | +\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are | |
1065 | +mutually exclusive. | |
1066 | +.TP | |
1067 | +\fB\-\-name\fP \fIname\fP | |
1068 | +Specify the list to use for the commands. If no name is given then | |
1069 | +\fBDEFAULT\fP will be used. | |
1070 | +.TP | |
1071 | +[\fB!\fP] \fB\-\-set\fP | |
1072 | +This will add the source address of the packet to the list. If the source | |
1073 | +address is already in the list, this will update the existing entry. This will | |
1074 | +always return success (or failure if \fB!\fP is passed in). | |
1075 | +.TP | |
1076 | +\fB\-\-rsource\fP | |
1077 | +Match/save the source address of each packet in the recent list table. This | |
1078 | +is the default. | |
1079 | +.TP | |
1080 | +\fB\-\-rdest\fP | |
1081 | +Match/save the destination address of each packet in the recent list table. | |
1082 | +.TP | |
1083 | +\fB\-\-mask\fPnetmask | |
1084 | +Netmask that will be applied to this recent list. | |
1085 | +.TP | |
1086 | +[\fB!\fP] \fB\-\-rcheck\fP | |
1087 | +Check if the source address of the packet is currently in the list. | |
1088 | +.TP | |
1089 | +[\fB!\fP] \fB\-\-update\fP | |
1090 | +Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it | |
1091 | +matches. | |
1092 | +.TP | |
1093 | +[\fB!\fP] \fB\-\-remove\fP | |
1094 | +Check if the source address of the packet is currently in the list and if so | |
1095 | +that address will be removed from the list and the rule will return true. If | |
1096 | +the address is not found, false is returned. | |
1097 | +.TP | |
1098 | +\fB\-\-seconds\fP \fIseconds\fP | |
1099 | +This option must be used in conjunction with one of \fB\-\-rcheck\fP or | |
1100 | +\fB\-\-update\fP. When used, this will narrow the match to only happen when the | |
1101 | +address is in the list and was seen within the last given number of seconds. | |
1102 | +.TP | |
1103 | +\fB\-\-reap\fP | |
1104 | +This option can only be used in conjunction with \fB\-\-seconds\fP. | |
1105 | +When used, this will cause entries older than the last given number of seconds | |
1106 | +to be purged. | |
1107 | +.TP | |
1108 | +\fB\-\-hitcount\fP \fIhits\fP | |
1109 | +This option must be used in conjunction with one of \fB\-\-rcheck\fP or | |
1110 | +\fB\-\-update\fP. When used, this will narrow the match to only happen when the | |
1111 | +address is in the list and packets had been received greater than or equal to | |
1112 | +the given value. This option may be used along with \fB\-\-seconds\fP to create | |
1113 | +an even narrower match requiring a certain number of hits within a specific | |
1114 | +time frame. The maximum value for the hitcount parameter is given by the | |
1115 | +"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this | |
1116 | +value on the command line will cause the rule to be rejected. | |
1117 | +.TP | |
1118 | +\fB\-\-rttl\fP | |
1119 | +This option may only be used in conjunction with one of \fB\-\-rcheck\fP or | |
1120 | +\fB\-\-update\fP. When used, this will narrow the match to only happen when the | |
1121 | +address is in the list and the TTL of the current packet matches that of the | |
1122 | +packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems | |
1123 | +with people faking their source address in order to DoS you via this module by | |
1124 | +disallowing others access to your site by sending bogus packets to you. | |
1125 | +.PP | |
1126 | +Examples: | |
1127 | +.IP | |
1128 | +iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP | |
1129 | +.IP | |
1130 | +iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP | |
1131 | +.PP | |
1132 | +Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has | |
1133 | +some examples of usage. | |
1134 | +.PP | |
1135 | +\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information | |
1136 | +about each entry of each list. | |
1137 | +.PP | |
1138 | +Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current | |
1139 | +list or written two using the following commands to modify the list: | |
1140 | +.TP | |
1141 | +\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP | |
1142 | +to add \fIaddr\fP to the DEFAULT list | |
1143 | +.TP | |
1144 | +\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP | |
1145 | +to remove \fIaddr\fP from the DEFAULT list | |
1146 | +.TP | |
1147 | +\fBecho / >/proc/net/xt_recent/DEFAULT\fP | |
1148 | +to flush the DEFAULT list (remove all entries). | |
1149 | +.PP | |
1150 | +The module itself accepts parameters, defaults shown: | |
1151 | +.TP | |
1152 | +\fBip_list_tot\fP=\fI100\fP | |
1153 | +Number of addresses remembered per table. | |
1154 | +.TP | |
1155 | +\fBip_pkt_list_tot\fP=\fI20\fP | |
1156 | +Number of packets per address remembered. | |
1157 | +.TP | |
1158 | +\fBip_list_hash_size\fP=\fI0\fP | |
1159 | +Hash table size. 0 means to calculate it based on ip_list_tot, default: 512. | |
1160 | +.TP | |
1161 | +\fBip_list_perms\fP=\fI0644\fP | |
1162 | +Permissions for /proc/net/xt_recent/* files. | |
1163 | +.TP | |
1164 | +\fBip_list_uid\fP=\fI0\fP | |
1165 | +Numerical UID for ownership of /proc/net/xt_recent/* files. | |
1166 | +.TP | |
1167 | +\fBip_list_gid\fP=\fI0\fP | |
1168 | +Numerical GID for ownership of /proc/net/xt_recent/* files. | |
1169 | +.SS rpfilter | |
1170 | +Performs a reverse path filter test on a packet. | |
1171 | +If a reply to the packet would be sent via the same interface | |
1172 | +that the packet arrived on, the packet will match. | |
1173 | +Note that, unlike the in-kernel rp_filter, packets protected | |
1174 | +by IPSec are not treated specially. Combine this match with | |
1175 | +the policy match if you want this. | |
1176 | +Also, packets arriving via the loopback interface are always permitted. | |
1177 | +This match can only be used in the PREROUTING chain of the raw or mangle table. | |
1178 | +.TP | |
1179 | +\fB\-\-loose\fP | |
1180 | +Used to specifiy that the reverse path filter test should match | |
1181 | +even if the selected output device is not the expected one. | |
1182 | +.TP | |
1183 | +\fB\-\-validmark\fP | |
1184 | +Also use the packets' nfmark value when performing the reverse path route lookup. | |
1185 | +.TP | |
1186 | +\fB\-\-accept\-local\fP | |
1187 | +This will permit packets arriving from the network with a source address that is also | |
1188 | +assigned to the local machine. | |
1189 | +.TP | |
1190 | +\fB\-\-invert\fP | |
1191 | +This will invert the sense of the match. Instead of matching packets that passed the | |
1192 | +reverse path filter test, match those that have failed it. | |
1193 | +.PP | |
1194 | +Example to log and drop packets failing the reverse path filter test: | |
1195 | + | |
1196 | +iptables \-t raw \-N RPFILTER | |
1197 | + | |
1198 | +iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN | |
1199 | + | |
1200 | +iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop" | |
1201 | + | |
1202 | +iptables \-t raw \-A RPFILTER \-j DROP | |
1203 | + | |
1204 | +iptables \-t raw \-A PREROUTING \-j RPFILTER | |
1205 | + | |
1206 | +Example to drop failed packets, without logging: | |
1207 | + | |
1208 | +iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP | |
1209 | +.SS rt (IPv6-specific) | |
1210 | +Match on IPv6 routing header | |
1211 | +.TP | |
1212 | +[\fB!\fP] \fB\-\-rt\-type\fP \fItype\fP | |
1213 | +Match the type (numeric). | |
1214 | +.TP | |
1215 | +[\fB!\fP] \fB\-\-rt\-segsleft\fP \fInum\fP[\fB:\fP\fInum\fP] | |
1216 | +Match the `segments left' field (range). | |
1217 | +.TP | |
1218 | +[\fB!\fP] \fB\-\-rt\-len\fP \fIlength\fP | |
1219 | +Match the length of this header. | |
1220 | +.TP | |
1221 | +\fB\-\-rt\-0\-res\fP | |
1222 | +Match the reserved field, too (type=0) | |
1223 | +.TP | |
1224 | +\fB\-\-rt\-0\-addrs\fP \fIaddr\fP[\fB,\fP\fIaddr\fP...] | |
1225 | +Match type=0 addresses (list). | |
1226 | +.TP | |
1227 | +\fB\-\-rt\-0\-not\-strict\fP | |
1228 | +List of type=0 addresses is not a strict list. | |
1229 | +.SS sctp | |
1230 | +.TP | |
1231 | +[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1232 | +.TP | |
1233 | +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1234 | +.TP | |
1235 | +[\fB!\fP] \fB\-\-chunk\-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...] | |
1236 | +The flag letter in upper case indicates that the flag is to match if set, | |
1237 | +in the lower case indicates to match if unset. | |
1238 | + | |
1239 | +Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN | |
1240 | + | |
1241 | +chunk type available flags | |
1242 | +.br | |
1243 | +DATA I U B E i u b e | |
1244 | +.br | |
1245 | +ABORT T t | |
1246 | +.br | |
1247 | +SHUTDOWN_COMPLETE T t | |
1248 | + | |
1249 | +(lowercase means flag should be "off", uppercase means "on") | |
1250 | +.P | |
1251 | +Examples: | |
1252 | + | |
1253 | +iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP | |
1254 | + | |
1255 | +iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA,INIT \-j DROP | |
1256 | + | |
1257 | +iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA:Be \-j ACCEPT | |
1258 | +.SS set | |
1259 | +This module matches IP sets which can be defined by ipset(8). | |
1260 | +.TP | |
1261 | +[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... | |
1262 | +where flags are the comma separated list of | |
1263 | +.BR "src" | |
1264 | +and/or | |
1265 | +.BR "dst" | |
1266 | +specifications and there can be no more than six of them. Hence the command | |
1267 | +.IP | |
1268 | + iptables \-A FORWARD \-m set \-\-match\-set test src,dst | |
1269 | +.IP | |
1270 | +will match packets, for which (if the set type is ipportmap) the source | |
1271 | +address and destination port pair can be found in the specified set. If | |
1272 | +the set type of the specified set is single dimension (for example ipmap), | |
1273 | +then the command will match packets for which the source address can be | |
1274 | +found in the specified set. | |
1275 | +.TP | |
1276 | +\fB\-\-return\-\-nomatch\fP | |
1277 | +If the \fB\-\-return\-\-nomatch\fP option is specified and the set type | |
1278 | +supports the \fBnomatch\fP flag, then the matching is reversed: a match | |
1279 | +with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a | |
1280 | +match with a plain element returns \fBfalse\fP. | |
1281 | +.PP | |
1282 | +The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does | |
1283 | +not clash with an option of other extensions. | |
1284 | +.PP | |
1285 | +Use of -m set requires that ipset kernel support is provided, which, for | |
1286 | +standard kernels, is the case since Linux 2.6.39. | |
1287 | +.SS socket | |
1288 | +This matches if an open socket can be found by doing a socket lookup on the | |
1289 | +packet. | |
1290 | +.TP | |
1291 | +\fB\-\-transparent\fP | |
1292 | +Ignore non-transparent sockets. | |
1293 | +.SS state | |
1294 | +The "state" extension is a subset of the "conntrack" module. | |
1295 | +"state" allows access to the connection tracking state for this packet. | |
1296 | +.TP | |
1297 | +[\fB!\fP] \fB\-\-state\fP \fIstate\fP | |
1298 | +Where state is a comma separated list of the connection states to match. Only a | |
1299 | +subset of the states unterstood by "conntrack" are recognized: \fBINVALID\fP, | |
1300 | +\fBESTABLISHED\fP, \fBNEW\fP, \fBRELATED\fP or \fBUNTRACKED\fP. For their | |
1301 | +description, see the "conntrack" heading in this manpage. | |
1302 | +.SS statistic | |
1303 | +This module matches packets based on some statistic condition. | |
1304 | +It supports two distinct modes settable with the | |
1305 | +\fB\-\-mode\fP | |
1306 | +option. | |
1307 | +.PP | |
1308 | +Supported options: | |
1309 | +.TP | |
1310 | +\fB\-\-mode\fP \fImode\fP | |
1311 | +Set the matching mode of the matching rule, supported modes are | |
1312 | +.B random | |
1313 | +and | |
1314 | +.B nth. | |
1315 | +.TP | |
1316 | +[\fB!\fP] \fB\-\-probability\fP \fIp\fP | |
1317 | +Set the probability for a packet to be randomly matched. It only works with the | |
1318 | +\fBrandom\fP mode. \fIp\fP must be within 0.0 and 1.0. The supported | |
1319 | +granularity is in 1/2147483648th increments. | |
1320 | +.TP | |
1321 | +[\fB!\fP] \fB\-\-every\fP \fIn\fP | |
1322 | +Match one packet every nth packet. It works only with the | |
1323 | +.B nth | |
1324 | +mode (see also the | |
1325 | +\fB\-\-packet\fP | |
1326 | +option). | |
1327 | +.TP | |
1328 | +\fB\-\-packet\fP \fIp\fP | |
1329 | +Set the initial counter value (0 <= p <= n\-1, default 0) for the | |
1330 | +.B nth | |
1331 | +mode. | |
1332 | +.SS string | |
1333 | +This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14. | |
1334 | +.TP | |
1335 | +\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP} | |
1336 | +Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris) | |
1337 | +.TP | |
1338 | +\fB\-\-from\fP \fIoffset\fP | |
1339 | +Set the offset from which it starts looking for any matching. If not passed, default is 0. | |
1340 | +.TP | |
1341 | +\fB\-\-to\fP \fIoffset\fP | |
1342 | +Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1 | |
1343 | +(counting from 0) is the last one that is scanned. | |
1344 | +If not passed, default is the packet size. | |
1345 | +.TP | |
1346 | +[\fB!\fP] \fB\-\-string\fP \fIpattern\fP | |
1347 | +Matches the given pattern. | |
1348 | +.TP | |
1349 | +[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP | |
1350 | +Matches the given pattern in hex notation. | |
1351 | +.SS tcp | |
1352 | +These extensions can be used if `\-\-protocol tcp' is specified. It | |
1353 | +provides the following options: | |
1354 | +.TP | |
1355 | +[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1356 | +Source port or port range specification. This can either be a service | |
1357 | +name or a port number. An inclusive range can also be specified, | |
1358 | +using the format \fIfirst\fP\fB:\fP\fIlast\fP. | |
1359 | +If the first port is omitted, "0" is assumed; if the last is omitted, | |
1360 | +"65535" is assumed. | |
1361 | +If the first port is greater than the second one they will be swapped. | |
1362 | +The flag | |
1363 | +\fB\-\-sport\fP | |
1364 | +is a convenient alias for this option. | |
1365 | +.TP | |
1366 | +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1367 | +Destination port or port range specification. The flag | |
1368 | +\fB\-\-dport\fP | |
1369 | +is a convenient alias for this option. | |
1370 | +.TP | |
1371 | +[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP | |
1372 | +Match when the TCP flags are as specified. The first argument \fImask\fP is the | |
1373 | +flags which we should examine, written as a comma-separated list, and | |
1374 | +the second argument \fIcomp\fP is a comma-separated list of flags which must be | |
1375 | +set. Flags are: | |
1376 | +.BR "SYN ACK FIN RST URG PSH ALL NONE" . | |
1377 | +Hence the command | |
1378 | +.nf | |
1379 | + iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN | |
1380 | +.fi | |
1381 | +will only match packets with the SYN flag set, and the ACK, FIN and | |
1382 | +RST flags unset. | |
1383 | +.TP | |
1384 | +[\fB!\fP] \fB\-\-syn\fP | |
1385 | +Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits | |
1386 | +cleared. Such packets are used to request TCP connection initiation; | |
1387 | +for example, blocking such packets coming in an interface will prevent | |
1388 | +incoming TCP connections, but outgoing TCP connections will be | |
1389 | +unaffected. | |
1390 | +It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP. | |
1391 | +If the "!" flag precedes the "\-\-syn", the sense of the | |
1392 | +option is inverted. | |
1393 | +.TP | |
1394 | +[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP | |
1395 | +Match if TCP option set. | |
1396 | +.SS tcpmss | |
1397 | +This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. | |
1398 | +.TP | |
1399 | +[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP] | |
1400 | +Match a given TCP MSS value or range. | |
1401 | +.SS time | |
1402 | +This matches if the packet arrival time/date is within a given range. All | |
1403 | +options are optional, but are ANDed when specified. All times are interpreted | |
1404 | +as UTC by default. | |
1405 | +.TP | |
1406 | +\fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]] | |
1407 | +.TP | |
1408 | +\fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]] | |
1409 | +Only match during the given time, which must be in ISO 8601 "T" notation. | |
1410 | +The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07. | |
1411 | +.IP | |
1412 | +If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01 | |
1413 | +and 2038-01-19, respectively. | |
1414 | +.TP | |
1415 | +\fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP] | |
1416 | +.TP | |
1417 | +\fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP] | |
1418 | +Only match during the given daytime. The possible time range is 00:00:00 to | |
1419 | +23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted | |
1420 | +as base-10. | |
1421 | +.TP | |
1422 | +[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...] | |
1423 | +Only match on the given days of the month. Possible values are \fB1\fP | |
1424 | +to \fB31\fP. Note that specifying \fB31\fP will of course not match | |
1425 | +on months which do not have a 31st day; the same goes for 28- or 29-day | |
1426 | +February. | |
1427 | +.TP | |
1428 | +[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...] | |
1429 | +Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP, | |
1430 | +\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP | |
1431 | +to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP, | |
1432 | +\fBTu\fP, etc.). | |
1433 | +.TP | |
1434 | +\fB\-\-contiguous\fP | |
1435 | +When \fB\-\-timestop\fP is smaller than \fB\-\-timestart\fP value, match | |
1436 | +this as a single time period instead distinct intervals. See EXAMPLES. | |
1437 | +.TP | |
1438 | +\fB\-\-kerneltz\fP | |
1439 | +Use the kernel timezone instead of UTC to determine whether a packet meets the | |
1440 | +time regulations. | |
1441 | +.PP | |
1442 | +About kernel timezones: Linux keeps the system time in UTC, and always does so. | |
1443 | +On boot, system time is initialized from a referential time source. Where this | |
1444 | +time source has no timezone information, such as the x86 CMOS RTC, UTC will be | |
1445 | +assumed. If the time source is however not in UTC, userspace should provide the | |
1446 | +correct system time and timezone to the kernel once it has the information. | |
1447 | +.PP | |
1448 | +Local time is a feature on top of the (timezone independent) system time. Each | |
1449 | +process has its own idea of local time, specified via the TZ environment | |
1450 | +variable. The kernel also has its own timezone offset variable. The TZ | |
1451 | +userspace environment variable specifies how the UTC-based system time is | |
1452 | +displayed, e.g. when you run date(1), or what you see on your desktop clock. | |
1453 | +The TZ string may resolve to different offsets at different dates, which is | |
1454 | +what enables the automatic time-jumping in userspace. when DST changes. The | |
1455 | +kernel's timezone offset variable is used when it has to convert between | |
1456 | +non-UTC sources, such as FAT filesystems, to UTC (since the latter is what the | |
1457 | +rest of the system uses). | |
1458 | +.PP | |
1459 | +The caveat with the kernel timezone is that Linux distributions may ignore to | |
1460 | +set the kernel timezone, and instead only set the system time. Even if a | |
1461 | +particular distribution does set the timezone at boot, it is usually does not | |
1462 | +keep the kernel timezone offset - which is what changes on DST - up to date. | |
1463 | +ntpd will not touch the kernel timezone, so running it will not resolve the | |
1464 | +issue. As such, one may encounter a timezone that is always +0000, or one that | |
1465 | +is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly | |
1466 | +discouraged.\fP | |
1467 | +.PP | |
1468 | +EXAMPLES. To match on weekends, use: | |
1469 | +.IP | |
1470 | +\-m time \-\-weekdays Sa,Su | |
1471 | +.PP | |
1472 | +Or, to match (once) on a national holiday block: | |
1473 | +.IP | |
1474 | +\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27 | |
1475 | +.PP | |
1476 | +Since the stop time is actually inclusive, you would need the following stop | |
1477 | +time to not match the first second of the new day: | |
1478 | +.IP | |
1479 | +\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59 | |
1480 | +.PP | |
1481 | +During lunch hour: | |
1482 | +.IP | |
1483 | +\-m time \-\-timestart 12:30 \-\-timestop 13:30 | |
1484 | +.PP | |
1485 | +The fourth Friday in the month: | |
1486 | +.IP | |
1487 | +\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28 | |
1488 | +.PP | |
1489 | +(Note that this exploits a certain mathematical property. It is not possible to | |
1490 | +say "fourth Thursday OR fourth Friday" in one rule. It is possible with | |
1491 | +multiple rules, though.) | |
1492 | +.PP | |
1493 | +Matching across days might not do what is expected. For instance, | |
1494 | +.IP | |
1495 | +\-m time \-\-weekdays Mo \-\-timestart 23:00 \-\-timestop 01:00 | |
1496 | +Will match Monday, for one hour from midnight to 1 a.m., and then | |
1497 | +again for another hour from 23:00 onwards. If this is unwanted, e.g. if you | |
1498 | +would like 'match for two hours from Montay 23:00 onwards' you need to also specify | |
1499 | +the \-\-contiguous option in the example above. | |
1500 | +.SS tos | |
1501 | +This module matches the 8-bit Type of Service field in the IPv4 header (i.e. | |
1502 | +including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6 | |
1503 | +header. | |
1504 | +.TP | |
1505 | +[\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1506 | +Matches packets with the given TOS mark value. If a mask is specified, it is | |
1507 | +logically ANDed with the TOS mark before the comparison. | |
1508 | +.TP | |
1509 | +[\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP | |
1510 | +You can specify a symbolic name when using the tos match for IPv4. The list of | |
1511 | +recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP. | |
1512 | +Note that this implies a mask of 0x3F, i.e. all but the ECN bits. | |
1513 | +.SS ttl (IPv4-specific) | |
1514 | +This module matches the time to live field in the IP header. | |
1515 | +.TP | |
1516 | +[\fB!\fP] \fB\-\-ttl\-eq\fP \fIttl\fP | |
1517 | +Matches the given TTL value. | |
1518 | +.TP | |
1519 | +\fB\-\-ttl\-gt\fP \fIttl\fP | |
1520 | +Matches if TTL is greater than the given TTL value. | |
1521 | +.TP | |
1522 | +\fB\-\-ttl\-lt\fP \fIttl\fP | |
1523 | +Matches if TTL is less than the given TTL value. | |
1524 | +.SS u32 | |
1525 | +U32 tests whether quantities of up to 4 bytes extracted from a packet have | |
1526 | +specified values. The specification of what to extract is general enough to | |
1527 | +find data at given offsets from tcp headers or payloads. | |
1528 | +.TP | |
1529 | +[\fB!\fP] \fB\-\-u32\fP \fItests\fP | |
1530 | +The argument amounts to a program in a small language described below. | |
1531 | +.IP | |
1532 | +tests := location "=" value | tests "&&" location "=" value | |
1533 | +.IP | |
1534 | +value := range | value "," range | |
1535 | +.IP | |
1536 | +range := number | number ":" number | |
1537 | +.PP | |
1538 | +a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is | |
1539 | +interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP. | |
1540 | +.IP "" 4 | |
1541 | +location := number | location operator number | |
1542 | +.IP "" 4 | |
1543 | +operator := "&" | "<<" | ">>" | "@" | |
1544 | +.PP | |
1545 | +The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C. | |
1546 | +The \fB=\fP is really a set membership operator and the value syntax describes | |
1547 | +a set. The \fB@\fP operator is what allows moving to the next header and is | |
1548 | +described further below. | |
1549 | +.PP | |
1550 | +There are currently some artificial implementation limits on the size of the | |
1551 | +tests: | |
1552 | +.IP " *" | |
1553 | +no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument | |
1554 | +.IP " *" | |
1555 | +no more than 10 ranges (and 9 commas) per value | |
1556 | +.IP " *" | |
1557 | +no more than 10 numbers (and 9 operators) per location | |
1558 | +.PP | |
1559 | +To describe the meaning of location, imagine the following machine that | |
1560 | +interprets it. There are three registers: | |
1561 | +.IP | |
1562 | +A is of type \fBchar *\fP, initially the address of the IP header | |
1563 | +.IP | |
1564 | +B and C are unsigned 32 bit integers, initially zero | |
1565 | +.PP | |
1566 | +The instructions are: | |
1567 | +.IP | |
1568 | +number B = number; | |
1569 | +.IP | |
1570 | +C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3) | |
1571 | +.IP | |
1572 | +&number C = C & number | |
1573 | +.IP | |
1574 | +<< number C = C << number | |
1575 | +.IP | |
1576 | +>> number C = C >> number | |
1577 | +.IP | |
1578 | +@number A = A + C; then do the instruction number | |
1579 | +.PP | |
1580 | +Any access of memory outside [skb\->data,skb\->end] causes the match to fail. | |
1581 | +Otherwise the result of the computation is the final value of C. | |
1582 | +.PP | |
1583 | +Whitespace is allowed but not required in the tests. However, the characters | |
1584 | +that do occur there are likely to require shell quoting, so it is a good idea | |
1585 | +to enclose the arguments in quotes. | |
1586 | +.PP | |
1587 | +Example: | |
1588 | +.IP | |
1589 | +match IP packets with total length >= 256 | |
1590 | +.IP | |
1591 | +The IP header contains a total length field in bytes 2-3. | |
1592 | +.IP | |
1593 | +\-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP" | |
1594 | +.IP | |
1595 | +read bytes 0-3 | |
1596 | +.IP | |
1597 | +AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range | |
1598 | +[0x100:0xFFFF] | |
1599 | +.PP | |
1600 | +Example: (more realistic, hence more complicated) | |
1601 | +.IP | |
1602 | +match ICMP packets with icmp type 0 | |
1603 | +.IP | |
1604 | +First test that it is an ICMP packet, true iff byte 9 (protocol) = 1 | |
1605 | +.IP | |
1606 | +\-\-u32 "\fB6 & 0xFF = 1 &&\fP ... | |
1607 | +.IP | |
1608 | +read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to | |
1609 | +1. Next test that it is not a fragment. (If so, it might be part of such a | |
1610 | +packet but we cannot always tell.) N.B.: This test is generally needed if you | |
1611 | +want to match anything beyond the IP header. The last 6 bits of byte 6 and all | |
1612 | +of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively, | |
1613 | +you can allow first fragments by only testing the last 5 bits of byte 6. | |
1614 | +.IP | |
1615 | + ... \fB4 & 0x3FFF = 0 &&\fP ... | |
1616 | +.IP | |
1617 | +Last test: the first byte past the IP header (the type) is 0. This is where we | |
1618 | +have to use the @syntax. The length of the IP header (IHL) in 32 bit words is | |
1619 | +stored in the right half of byte 0 of the IP header itself. | |
1620 | +.IP | |
1621 | + ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP" | |
1622 | +.IP | |
1623 | +The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the | |
1624 | +right. Shifting 24 bits would give the first byte, so only 22 bits is four | |
1625 | +times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits | |
1626 | +on the right and the first four bits of the first byte. For instance, if IHL=5, | |
1627 | +then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in | |
1628 | +binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and | |
1629 | +\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into | |
1630 | +the packet, and read four bytes starting from there. This is the first 4 bytes | |
1631 | +of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply | |
1632 | +shift the value 24 to the right to throw out all but the first byte and compare | |
1633 | +the result with 0. | |
1634 | +.PP | |
1635 | +Example: | |
1636 | +.IP | |
1637 | +TCP payload bytes 8-12 is any of 1, 2, 5 or 8 | |
1638 | +.IP | |
1639 | +First we test that the packet is a tcp packet (similar to ICMP). | |
1640 | +.IP | |
1641 | +\-\-u32 "\fB6 & 0xFF = 6 &&\fP ... | |
1642 | +.IP | |
1643 | +Next, test that it is not a fragment (same as above). | |
1644 | +.IP | |
1645 | + ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP" | |
1646 | +.IP | |
1647 | +\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP | |
1648 | +makes this the new offset into the packet, which is the start of the TCP | |
1649 | +header. The length of the TCP header (again in 32 bit words) is the left half | |
1650 | +of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes | |
1651 | +(similar to the IP header before). "@" makes this the new offset, which is the | |
1652 | +start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and | |
1653 | +\fB=\fP checks whether the result is any of 1, 2, 5 or 8. | |
1654 | +.SS udp | |
1655 | +These extensions can be used if `\-\-protocol udp' is specified. It | |
1656 | +provides the following options: | |
1657 | +.TP | |
1658 | +[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1659 | +Source port or port range specification. | |
1660 | +See the description of the | |
1661 | +\fB\-\-source\-port\fP | |
1662 | +option of the TCP extension for details. | |
1663 | +.TP | |
1664 | +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1665 | +Destination port or port range specification. | |
1666 | +See the description of the | |
1667 | +\fB\-\-destination\-port\fP | |
1668 | +option of the TCP extension for details. | |
1669 | +.SS unclean (IPv4-specific) | |
1670 | +This module takes no options, but attempts to match packets which seem | |
1671 | +malformed or unusual. This is regarded as experimental. | |
1672 | +.SH TARGET EXTENSIONS | |
1673 | +iptables can use extended target modules: the following are included | |
1674 | +in the standard distribution. | |
1675 | +.\" @TARGET@ | |
1676 | +.SS AUDIT | |
1677 | +This target allows to create audit records for packets hitting the target. | |
1678 | +It can be used to record accepted, dropped, and rejected packets. See | |
1679 | +auditd(8) for additional details. | |
1680 | +.TP | |
1681 | +\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP} | |
1682 | +Set type of audit record. | |
1683 | +.PP | |
1684 | +Example: | |
1685 | +.IP | |
1686 | +iptables \-N AUDIT_DROP | |
1687 | +.IP | |
1688 | +iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop | |
1689 | +.IP | |
1690 | +iptables \-A AUDIT_DROP \-j DROP | |
1691 | +.SS CHECKSUM | |
1692 | +This target allows to selectively work around broken/old applications. | |
1693 | +It can only be used in the mangle table. | |
1694 | +.TP | |
1695 | +\fB\-\-checksum\-fill\fP | |
1696 | +Compute and fill in the checksum in a packet that lacks a checksum. | |
1697 | +This is particularly useful, if you need to work around old applications | |
1698 | +such as dhcp clients, that do not work well with checksum offloads, | |
1699 | +but don't want to disable checksum offload in your device. | |
1700 | +.SS CLASSIFY | |
1701 | +This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class). | |
1702 | +.TP | |
1703 | +\fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP | |
1704 | +Set the major and minor class value. The values are always interpreted as | |
1705 | +hexadecimal even if no 0x prefix is given. | |
1706 | +.SS CLUSTERIP (IPv4-specific) | |
1707 | +This module allows you to configure a simple cluster of nodes that share | |
1708 | +a certain IP and MAC address without an explicit load balancer in front of | |
1709 | +them. Connections are statically distributed between the nodes in this | |
1710 | +cluster. | |
1711 | +.TP | |
1712 | +\fB\-\-new\fP | |
1713 | +Create a new ClusterIP. You always have to set this on the first rule | |
1714 | +for a given ClusterIP. | |
1715 | +.TP | |
1716 | +\fB\-\-hashmode\fP \fImode\fP | |
1717 | +Specify the hashing mode. Has to be one of | |
1718 | +\fBsourceip\fP, \fBsourceip\-sourceport\fP, \fBsourceip\-sourceport\-destport\fP. | |
1719 | +.TP | |
1720 | +\fB\-\-clustermac\fP \fImac\fP | |
1721 | +Specify the ClusterIP MAC address. Has to be a link\-layer multicast address | |
1722 | +.TP | |
1723 | +\fB\-\-total\-nodes\fP \fInum\fP | |
1724 | +Number of total nodes within this cluster. | |
1725 | +.TP | |
1726 | +\fB\-\-local\-node\fP \fInum\fP | |
1727 | +Local node number within this cluster. | |
1728 | +.TP | |
1729 | +\fB\-\-hash\-init\fP \fIrnd\fP | |
1730 | +Specify the random seed used for hash initialization. | |
1731 | +.SS CONNMARK | |
1732 | +This module sets the netfilter mark value associated with a connection. The | |
1733 | +mark is 32 bits wide. | |
1734 | +.TP | |
1735 | +\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1736 | +Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark. | |
1737 | +.TP | |
1738 | +\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] | |
1739 | +Copy the packet mark (nfmark) to the connection mark (ctmark) using the given | |
1740 | +masks. The new nfmark value is determined as follows: | |
1741 | +.IP | |
1742 | +ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) | |
1743 | +.IP | |
1744 | +i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the | |
1745 | +nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to | |
1746 | +0xFFFFFFFF. | |
1747 | +.TP | |
1748 | +\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] | |
1749 | +Copy the connection mark (ctmark) to the packet mark (nfmark) using the given | |
1750 | +masks. The new ctmark value is determined as follows: | |
1751 | +.IP | |
1752 | +nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP); | |
1753 | +.IP | |
1754 | +i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the | |
1755 | +ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to | |
1756 | +0xFFFFFFFF. | |
1757 | +.IP | |
1758 | +\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table. | |
1759 | +.PP | |
1760 | +The following mnemonics are available for \fB\-\-set\-xmark\fP: | |
1761 | +.TP | |
1762 | +\fB\-\-and\-mark\fP \fIbits\fP | |
1763 | +Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark | |
1764 | +0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) | |
1765 | +.TP | |
1766 | +\fB\-\-or\-mark\fP \fIbits\fP | |
1767 | +Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
1768 | +\fIbits\fP\fB/\fP\fIbits\fP.) | |
1769 | +.TP | |
1770 | +\fB\-\-xor\-mark\fP \fIbits\fP | |
1771 | +Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
1772 | +\fIbits\fP\fB/0\fP.) | |
1773 | +.TP | |
1774 | +\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1775 | +Set the connection mark. If a mask is specified then only those bits set in the | |
1776 | +mask are modified. | |
1777 | +.TP | |
1778 | +\fB\-\-save\-mark\fP [\fB\-\-mask\fP \fImask\fP] | |
1779 | +Copy the nfmark to the ctmark. If a mask is specified, only those bits are | |
1780 | +copied. | |
1781 | +.TP | |
1782 | +\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP] | |
1783 | +Copy the ctmark to the nfmark. If a mask is specified, only those bits are | |
1784 | +copied. This is only valid in the \fBmangle\fP table. | |
1785 | +.SS CONNSECMARK | |
1786 | +This module copies security markings from packets to connections | |
1787 | +(if unlabeled), and from connections back to packets (also only | |
1788 | +if unlabeled). Typically used in conjunction with SECMARK, it is | |
1789 | +valid in the | |
1790 | +.B security | |
1791 | +table (for backwards compatibility with older kernels, it is also | |
1792 | +valid in the | |
1793 | +.B mangle | |
1794 | +table). | |
1795 | +.TP | |
1796 | +\fB\-\-save\fP | |
1797 | +If the packet has a security marking, copy it to the connection | |
1798 | +if the connection is not marked. | |
1799 | +.TP | |
1800 | +\fB\-\-restore\fP | |
1801 | +If the packet does not have a security marking, and the connection | |
1802 | +does, copy the security marking from the connection to the packet. | |
1803 | + | |
1804 | +.SS CT | |
1805 | +The CT target allows to set parameters for a packet or its associated | |
1806 | +connection. The target attaches a "template" connection tracking entry to | |
1807 | +the packet, which is then used by the conntrack core when initializing | |
1808 | +a new ct entry. This target is thus only valid in the "raw" table. | |
1809 | +.TP | |
1810 | +\fB\-\-notrack\fP | |
1811 | +Disables connection tracking for this packet. | |
1812 | +.TP | |
1813 | +\fB\-\-helper\fP \fIname\fP | |
1814 | +Use the helper identified by \fIname\fP for the connection. This is more | |
1815 | +flexible than loading the conntrack helper modules with preset ports. | |
1816 | +.TP | |
1817 | +\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...] | |
1818 | +Only generate the specified conntrack events for this connection. Possible | |
1819 | +event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP, | |
1820 | +\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to | |
1821 | +the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark). | |
1822 | +.TP | |
1823 | +\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...] | |
1824 | +Only generate the specified expectation events for this connection. | |
1825 | +Possible event types are: \fBnew\fP. | |
1826 | +.TP | |
1827 | +\fB\-\-zone\fP \fIid\fP | |
1828 | +Assign this packet to zone \fIid\fP and only have lookups done in that zone. | |
1829 | +By default, packets have zone 0. | |
1830 | +.TP | |
1831 | +\fB\-\-timeout\fP \fIname\fP | |
1832 | +Use the timeout policy identified by \fIname\fP for the connection. This is | |
1833 | +provides more flexible timeout policy definition than global timeout values | |
1834 | +available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*. | |
1835 | +.SS DNAT (IPv4-specific) | |
1836 | +This target is only valid in the | |
1837 | +.B nat | |
1838 | +table, in the | |
1839 | +.B PREROUTING | |
1840 | +and | |
1841 | +.B OUTPUT | |
1842 | +chains, and user-defined chains which are only called from those | |
1843 | +chains. It specifies that the destination address of the packet | |
1844 | +should be modified (and all future packets in this connection will | |
1845 | +also be mangled), and rules should cease being examined. It takes one | |
1846 | +type of option: | |
1847 | +.TP | |
1848 | +\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]] | |
1849 | +which can specify a single new destination IP address, an inclusive | |
1850 | +range of IP addresses, and optionally, a port range (which is only | |
1851 | +valid if the rule also specifies | |
1852 | +\fB\-p tcp\fP | |
1853 | +or | |
1854 | +\fB\-p udp\fP). | |
1855 | +If no port range is specified, then the destination port will never be | |
1856 | +modified. If no IP address is specified then only the destination port | |
1857 | +will be modified. | |
1858 | + | |
1859 | +In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For | |
1860 | +those kernels, if you specify more than one destination address, either via an | |
1861 | +address range or multiple \-\-to\-destination options, a simple round-robin (one | |
1862 | +after another in cycle) load balancing takes place between these addresses. | |
1863 | +Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges | |
1864 | +anymore. | |
1865 | +.TP | |
1866 | +\fB\-\-random\fP | |
1867 | +If option | |
1868 | +\fB\-\-random\fP | |
1869 | +is used then port mapping will be randomized (kernel >= 2.6.22). | |
1870 | +.TP | |
1871 | +\fB\-\-persistent\fP | |
1872 | +Gives a client the same source-/destination-address for each connection. | |
1873 | +This supersedes the SAME target. Support for persistent mappings is available | |
1874 | +from 2.6.29-rc2. | |
1875 | +.SS DSCP | |
1876 | +This target allows to alter the value of the DSCP bits within the TOS | |
1877 | +header of the IPv4 packet. As this manipulates a packet, it can only | |
1878 | +be used in the mangle table. | |
1879 | +.TP | |
1880 | +\fB\-\-set\-dscp\fP \fIvalue\fP | |
1881 | +Set the DSCP field to a numerical value (can be decimal or hex) | |
1882 | +.TP | |
1883 | +\fB\-\-set\-dscp\-class\fP \fIclass\fP | |
1884 | +Set the DSCP field to a DiffServ class. | |
1885 | +.SS ECN (IPv4-specific) | |
1886 | +This target allows to selectively work around known ECN blackholes. | |
1887 | +It can only be used in the mangle table. | |
1888 | +.TP | |
1889 | +\fB\-\-ecn\-tcp\-remove\fP | |
1890 | +Remove all ECN bits from the TCP header. Of course, it can only be used | |
1891 | +in conjunction with | |
1892 | +\fB\-p tcp\fP. | |
1893 | +.SS HL (IPv6-specific) | |
1894 | +This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field | |
1895 | +is similar to what is known as TTL value in IPv4. Setting or incrementing the | |
1896 | +Hop Limit field can potentially be very dangerous, so it should be avoided at | |
1897 | +any cost. This target is only valid in | |
1898 | +.B mangle | |
1899 | +table. | |
1900 | +.PP | |
1901 | +.B Don't ever set or increment the value on packets that leave your local network! | |
1902 | +.TP | |
1903 | +\fB\-\-hl\-set\fP \fIvalue\fP | |
1904 | +Set the Hop Limit to `value'. | |
1905 | +.TP | |
1906 | +\fB\-\-hl\-dec\fP \fIvalue\fP | |
1907 | +Decrement the Hop Limit `value' times. | |
1908 | +.TP | |
1909 | +\fB\-\-hl\-inc\fP \fIvalue\fP | |
1910 | +Increment the Hop Limit `value' times. | |
1911 | +.SS HMARK | |
1912 | +Like MARK, i.e. set the fwmark, but the mark is calculated from hashing | |
1913 | +packet selector at choice. You have also to specify the mark range and, | |
1914 | +optionally, the offset to start from. ICMP error messages are inspected | |
1915 | +and used to calculate the hashing. | |
1916 | +.PP | |
1917 | +Existing options are: | |
1918 | +.TP | |
1919 | +\fB\-\-hmark\-tuple\fP tuple\fI\fP | |
1920 | +Possible tuple members are: | |
1921 | +.B src | |
1922 | +meaning source address (IPv4, IPv6 address), | |
1923 | +.B dst | |
1924 | +meaning destination address (IPv4, IPv6 address), | |
1925 | +.B sport | |
1926 | +meaning source port (TCP, UDP, UDPlite, SCTP, DCCP), | |
1927 | +.B dport | |
1928 | +meaning destination port (TCP, UDP, UDPlite, SCTP, DCCP), | |
1929 | +.B spi | |
1930 | +meaning Security Parameter Index (AH, ESP), and | |
1931 | +.B ct | |
1932 | +meaning the usage of the conntrack tuple instead of the packet selectors. | |
1933 | +.TP | |
1934 | +\fB\-\-hmark\-mod\fP \fIvalue (must be > 0)\fP | |
1935 | +Modulus for hash calculation (to limit the range of possible marks) | |
1936 | +.TP | |
1937 | +\fB\-\-hmark\-offset\fP \fIvalue\fP | |
1938 | +Offset to start marks from. | |
1939 | +.TP | |
1940 | +For advanced usage, instead of using \-\-hmark\-tuple, you can specify custom | |
1941 | +prefixes and masks: | |
1942 | +.TP | |
1943 | +\fB\-\-hmark\-src\-prefix\fP \fIcidr\fP | |
1944 | +The source address mask in CIDR notation. | |
1945 | +.TP | |
1946 | +\fB\-\-hmark\-dst\-prefix\fP \fIcidr\fP | |
1947 | +The destination address mask in CIDR notation. | |
1948 | +.TP | |
1949 | +\fB\-\-hmark\-sport\-mask\fP \fIvalue\fP | |
1950 | +A 16 bit source port mask in hexadecimal. | |
1951 | +.TP | |
1952 | +\fB\-\-hmark\-dport\-mask\fP \fIvalue\fP | |
1953 | +A 16 bit destination port mask in hexadecimal. | |
1954 | +.TP | |
1955 | +\fB\-\-hmark\-spi\-mask\fP \fIvalue\fP | |
1956 | +A 32 bit field with spi mask. | |
1957 | +.TP | |
1958 | +\fB\-\-hmark\-proto\-mask\fP \fIvalue\fP | |
1959 | +An 8 bit field with layer 4 protocol number. | |
1960 | +.TP | |
1961 | +\fB\-\-hmark\-rnd\fP \fIvalue\fP | |
1962 | +A 32 bit random custom value to feed hash calculation. | |
1963 | +.PP | |
1964 | +\fIExamples:\fP | |
1965 | +.PP | |
1966 | +iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW | |
1967 | + \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000 | |
1968 | +\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe | |
1969 | +.PP | |
1970 | +iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000 | |
1971 | +\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef | |
1972 | +.SS IDLETIMER | |
1973 | +This target can be used to identify when interfaces have been idle for a | |
1974 | +certain period of time. Timers are identified by labels and are created when | |
1975 | +a rule is set with a new label. The rules also take a timeout value (in | |
1976 | +seconds) as an option. If more than one rule uses the same timer label, the | |
1977 | +timer will be restarted whenever any of the rules get a hit. One entry for | |
1978 | +each timer is created in sysfs. This attribute contains the timer remaining | |
1979 | +for the timer to expire. The attributes are located under the xt_idletimer | |
1980 | +class: | |
1981 | +.PP | |
1982 | +/sys/class/xt_idletimer/timers/<label> | |
1983 | +.PP | |
1984 | +When the timer expires, the target module sends a sysfs notification to the | |
1985 | +userspace, which can then decide what to do (eg. disconnect to save power). | |
1986 | +.TP | |
1987 | +\fB\-\-timeout\fP \fIamount\fP | |
1988 | +This is the time in seconds that will trigger the notification. | |
1989 | +.TP | |
1990 | +\fB\-\-label\fP \fIstring\fP | |
1991 | +This is a unique identifier for the timer. The maximum length for the | |
1992 | +label string is 27 characters. | |
1993 | +.SS LED | |
1994 | +This creates an LED-trigger that can then be attached to system indicator | |
1995 | +lights, to blink or illuminate them when certain packets pass through the | |
1996 | +system. One example might be to light up an LED for a few minutes every time | |
1997 | +an SSH connection is made to the local machine. The following options control | |
1998 | +the trigger behavior: | |
1999 | +.TP | |
2000 | +\fB\-\-led\-trigger\-id\fP \fIname\fP | |
2001 | +This is the name given to the LED trigger. The actual name of the trigger | |
2002 | +will be prefixed with "netfilter-". | |
2003 | +.TP | |
2004 | +\fB\-\-led-delay\fP \fIms\fP | |
2005 | +This indicates how long (in milliseconds) the LED should be left illuminated | |
2006 | +when a packet arrives before being switched off again. The default is 0 | |
2007 | +(blink as fast as possible.) The special value \fIinf\fP can be given to | |
2008 | +leave the LED on permanently once activated. (In this case the trigger will | |
2009 | +need to be manually detached and reattached to the LED device to switch it | |
2010 | +off again.) | |
2011 | +.TP | |
2012 | +\fB\-\-led\-always\-blink\fP | |
2013 | +Always make the LED blink on packet arrival, even if the LED is already on. | |
2014 | +This allows notification of new packets even with long delay values (which | |
2015 | +otherwise would result in a silent prolonging of the delay time.) | |
2016 | +.TP | |
2017 | +Example: | |
2018 | +.TP | |
2019 | +Create an LED trigger for incoming SSH traffic: | |
2020 | +iptables \-A INPUT \-p tcp \-\-dport 22 \-j LED \-\-led\-trigger\-id ssh | |
2021 | +.TP | |
2022 | +Then attach the new trigger to an LED: | |
2023 | +echo netfilter\-ssh >/sys/class/leds/\fIledname\fP/trigger | |
2024 | +.SS LOG (IPv6-specific) | |
2025 | +Turn on kernel logging of matching packets. When this option is set | |
2026 | +for a rule, the Linux kernel will print some information on all | |
2027 | +matching packets (like most IPv6 IPv6-header fields) via the kernel log | |
2028 | +(where it can be read with | |
2029 | +.I dmesg | |
2030 | +or | |
2031 | +.IR syslogd (8)). | |
2032 | +This is a "non-terminating target", i.e. rule traversal continues at | |
2033 | +the next rule. So if you want to LOG the packets you refuse, use two | |
2034 | +separate rules with the same matching criteria, first using target LOG | |
2035 | +then DROP (or REJECT). | |
2036 | +.TP | |
2037 | +\fB\-\-log\-level\fP \fIlevel\fP | |
2038 | +Level of logging, which can be (system-specific) numeric or a mnemonic. | |
2039 | +Possible values are (in decreasing order of priority): \fBemerg\fP, | |
2040 | +\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP | |
2041 | +or \fBdebug\fP. | |
2042 | +.TP | |
2043 | +\fB\-\-log\-prefix\fP \fIprefix\fP | |
2044 | +Prefix log messages with the specified prefix; up to 29 letters long, | |
2045 | +and useful for distinguishing messages in the logs. | |
2046 | +.TP | |
2047 | +\fB\-\-log\-tcp\-sequence\fP | |
2048 | +Log TCP sequence numbers. This is a security risk if the log is | |
2049 | +readable by users. | |
2050 | +.TP | |
2051 | +\fB\-\-log\-tcp\-options\fP | |
2052 | +Log options from the TCP packet header. | |
2053 | +.TP | |
2054 | +\fB\-\-log\-ip\-options\fP | |
2055 | +Log options from the IPv6 packet header. | |
2056 | +.TP | |
2057 | +\fB\-\-log\-uid\fP | |
2058 | +Log the userid of the process which generated the packet. | |
2059 | +.SS LOG (IPv4-specific) | |
2060 | +Turn on kernel logging of matching packets. When this option is set | |
2061 | +for a rule, the Linux kernel will print some information on all | |
2062 | +matching packets (like most IP header fields) via the kernel log | |
2063 | +(where it can be read with | |
2064 | +.I dmesg | |
2065 | +or | |
2066 | +.IR syslogd (8)). | |
2067 | +This is a "non-terminating target", i.e. rule traversal continues at | |
2068 | +the next rule. So if you want to LOG the packets you refuse, use two | |
2069 | +separate rules with the same matching criteria, first using target LOG | |
2070 | +then DROP (or REJECT). | |
2071 | +.TP | |
2072 | +\fB\-\-log\-level\fP \fIlevel\fP | |
2073 | +Level of logging, which can be (system-specific) numeric or a mnemonic. | |
2074 | +Possible values are (in decreasing order of priority): \fBemerg\fP, | |
2075 | +\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP | |
2076 | +or \fBdebug\fP. | |
2077 | +.TP | |
2078 | +\fB\-\-log\-prefix\fP \fIprefix\fP | |
2079 | +Prefix log messages with the specified prefix; up to 29 letters long, | |
2080 | +and useful for distinguishing messages in the logs. | |
2081 | +.TP | |
2082 | +\fB\-\-log\-tcp\-sequence\fP | |
2083 | +Log TCP sequence numbers. This is a security risk if the log is | |
2084 | +readable by users. | |
2085 | +.TP | |
2086 | +\fB\-\-log\-tcp\-options\fP | |
2087 | +Log options from the TCP packet header. | |
2088 | +.TP | |
2089 | +\fB\-\-log\-ip\-options\fP | |
2090 | +Log options from the IP packet header. | |
2091 | +.TP | |
2092 | +\fB\-\-log\-uid\fP | |
2093 | +Log the userid of the process which generated the packet. | |
2094 | +.SS MARK | |
2095 | +This target is used to set the Netfilter mark value associated with the packet. | |
2096 | +It can, for example, be used in conjunction with routing based on fwmark (needs | |
2097 | +iproute2). If you plan on doing so, note that the mark needs to be set in the | |
2098 | +PREROUTING chain of the mangle table to affect routing. | |
2099 | +The mark field is 32 bits wide. | |
2100 | +.TP | |
2101 | +\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2102 | +Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the packet | |
2103 | +mark ("nfmark"). If \fImask\fP is omitted, 0xFFFFFFFF is assumed. | |
2104 | +.TP | |
2105 | +\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2106 | +Zeroes out the bits given by \fImask\fP and ORs \fIvalue\fP into the packet | |
2107 | +mark. If \fImask\fP is omitted, 0xFFFFFFFF is assumed. | |
2108 | +.PP | |
2109 | +The following mnemonics are available: | |
2110 | +.TP | |
2111 | +\fB\-\-and\-mark\fP \fIbits\fP | |
2112 | +Binary AND the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark | |
2113 | +0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) | |
2114 | +.TP | |
2115 | +\fB\-\-or\-mark\fP \fIbits\fP | |
2116 | +Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
2117 | +\fIbits\fP\fB/\fP\fIbits\fP.) | |
2118 | +.TP | |
2119 | +\fB\-\-xor\-mark\fP \fIbits\fP | |
2120 | +Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
2121 | +\fIbits\fP\fB/0\fP.) | |
2122 | +.SS MASQUERADE (IPv6-specific) | |
2123 | +This target is only valid in the | |
2124 | +.B nat | |
2125 | +table, in the | |
2126 | +.B POSTROUTING | |
2127 | +chain. It should only be used with dynamically assigned IPv6 (dialup) | |
2128 | +connections: if you have a static IP address, you should use the SNAT | |
2129 | +target. Masquerading is equivalent to specifying a mapping to the IP | |
2130 | +address of the interface the packet is going out, but also has the | |
2131 | +effect that connections are | |
2132 | +.I forgotten | |
2133 | +when the interface goes down. This is the correct behavior when the | |
2134 | +next dialup is unlikely to have the same interface address (and hence | |
2135 | +any established connections are lost anyway). | |
2136 | +.TP | |
2137 | +\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP] | |
2138 | +This specifies a range of source ports to use, overriding the default | |
2139 | +.B SNAT | |
2140 | +source port-selection heuristics (see above). This is only valid | |
2141 | +if the rule also specifies | |
2142 | +\fB\-p tcp\fP | |
2143 | +or | |
2144 | +\fB\-p udp\fP. | |
2145 | +.TP | |
2146 | +\fB\-\-random\fP | |
2147 | +Randomize source port mapping | |
2148 | +If option | |
2149 | +\fB\-\-random\fP | |
2150 | +is used then port mapping will be randomized. | |
2151 | +.RS | |
2152 | +.PP | |
2153 | +.SS MASQUERADE (IPv4-specific) | |
2154 | +This target is only valid in the | |
2155 | +.B nat | |
2156 | +table, in the | |
2157 | +.B POSTROUTING | |
2158 | +chain. It should only be used with dynamically assigned IP (dialup) | |
2159 | +connections: if you have a static IP address, you should use the SNAT | |
2160 | +target. Masquerading is equivalent to specifying a mapping to the IP | |
2161 | +address of the interface the packet is going out, but also has the | |
2162 | +effect that connections are | |
2163 | +.I forgotten | |
2164 | +when the interface goes down. This is the correct behavior when the | |
2165 | +next dialup is unlikely to have the same interface address (and hence | |
2166 | +any established connections are lost anyway). | |
2167 | +.TP | |
2168 | +\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP] | |
2169 | +This specifies a range of source ports to use, overriding the default | |
2170 | +.B SNAT | |
2171 | +source port-selection heuristics (see above). This is only valid | |
2172 | +if the rule also specifies | |
2173 | +\fB\-p tcp\fP | |
2174 | +or | |
2175 | +\fB\-p udp\fP. | |
2176 | +.TP | |
2177 | +\fB\-\-random\fP | |
2178 | +Randomize source port mapping | |
2179 | +If option | |
2180 | +\fB\-\-random\fP | |
2181 | +is used then port mapping will be randomized (kernel >= 2.6.21). | |
2182 | +.RS | |
2183 | +.PP | |
2184 | +.SS MIRROR (IPv4-specific) | |
2185 | +This is an experimental demonstration target which inverts the source | |
2186 | +and destination fields in the IP header and retransmits the packet. | |
2187 | +It is only valid in the | |
2188 | +.BR INPUT , | |
2189 | +.B FORWARD | |
2190 | +and | |
2191 | +.B PREROUTING | |
2192 | +chains, and user-defined chains which are only called from those | |
2193 | +chains. Note that the outgoing packets are | |
2194 | +.B NOT | |
2195 | +seen by any packet filtering chains, connection tracking or NAT, to | |
2196 | +avoid loops and other problems. | |
2197 | +.SS NETMAP (IPv4-specific) | |
2198 | +This target allows you to statically map a whole network of addresses onto | |
2199 | +another network of addresses. It can only be used from rules in the | |
2200 | +.B nat | |
2201 | +table. | |
2202 | +.TP | |
2203 | +\fB\-\-to\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
2204 | +Network address to map to. The resulting address will be constructed in the | |
2205 | +following way: All 'one' bits in the mask are filled in from the new `address'. | |
2206 | +All bits that are zero in the mask are filled in from the original address. | |
2207 | +.SS NFLOG | |
2208 | +This target provides logging of matching packets. When this target is | |
2209 | +set for a rule, the Linux kernel will pass the packet to the loaded | |
2210 | +logging backend to log the packet. This is usually used in combination | |
2211 | +with nfnetlink_log as logging backend, which will multicast the packet | |
2212 | +through a | |
2213 | +.IR netlink | |
2214 | +socket to the specified multicast group. One or more userspace processes | |
2215 | +may subscribe to the group to receive the packets. Like LOG, this is a | |
2216 | +non-terminating target, i.e. rule traversal continues at the next rule. | |
2217 | +.TP | |
2218 | +\fB\-\-nflog\-group\fP \fInlgroup\fP | |
2219 | +The netlink group (0 - 2^16\-1) to which packets are (only applicable for | |
2220 | +nfnetlink_log). The default value is 0. | |
2221 | +.TP | |
2222 | +\fB\-\-nflog\-prefix\fP \fIprefix\fP | |
2223 | +A prefix string to include in the log message, up to 64 characters | |
2224 | +long, useful for distinguishing messages in the logs. | |
2225 | +.TP | |
2226 | +\fB\-\-nflog\-range\fP \fIsize\fP | |
2227 | +The number of bytes to be copied to userspace (only applicable for | |
2228 | +nfnetlink_log). nfnetlink_log instances may specify their own | |
2229 | +range, this option overrides it. | |
2230 | +.TP | |
2231 | +\fB\-\-nflog\-threshold\fP \fIsize\fP | |
2232 | +Number of packets to queue inside the kernel before sending them | |
2233 | +to userspace (only applicable for nfnetlink_log). Higher values | |
2234 | +result in less overhead per packet, but increase delay until the | |
2235 | +packets reach userspace. The default value is 1. | |
2236 | +.BR | |
2237 | +.SS NFQUEUE | |
2238 | +This target is an extension of the QUEUE target. As opposed to QUEUE, it allows | |
2239 | +you to put a packet into any specific queue, identified by its 16-bit queue | |
2240 | +number. | |
2241 | +It can only be used with Kernel versions 2.6.14 or later, since it requires | |
2242 | +the | |
2243 | +.B | |
2244 | +nfnetlink_queue | |
2245 | +kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31, | |
2246 | +\fBqueue-bypass\fP in 2.6.39. | |
2247 | +.TP | |
2248 | +\fB\-\-queue\-num\fP \fIvalue\fP | |
2249 | +This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0. | |
2250 | +.PP | |
2251 | +.TP | |
2252 | +\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP | |
2253 | +This specifies a range of queues to use. Packets are then balanced across the given queues. | |
2254 | +This is useful for multicore systems: start multiple instances of the userspace program on | |
2255 | +queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP". | |
2256 | +Packets belonging to the same connection are put into the same nfqueue. | |
2257 | +.PP | |
2258 | +.TP | |
2259 | +\fB\-\-queue\-bypass\fP | |
2260 | +By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued | |
2261 | +are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet | |
2262 | +will move on to the next rule. | |
2263 | +.SS NOTRACK | |
2264 | +This target disables connection tracking for all packets matching that rule. | |
2265 | +It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in | |
2266 | +the \fBraw\fP table. | |
2267 | +.SS RATEEST | |
2268 | +The RATEEST target collects statistics, performs rate estimation calculation | |
2269 | +and saves the results for later evaluation using the \fBrateest\fP match. | |
2270 | +.TP | |
2271 | +\fB\-\-rateest\-name\fP \fIname\fP | |
2272 | +Count matched packets into the pool referred to by \fIname\fP, which is freely | |
2273 | +choosable. | |
2274 | +.TP | |
2275 | +\fB\-\-rateest\-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP} | |
2276 | +Rate measurement interval, in seconds, milliseconds or microseconds. | |
2277 | +.TP | |
2278 | +\fB\-\-rateest\-ewmalog\fP \fIvalue\fP | |
2279 | +Rate measurement averaging time constant. | |
2280 | +.SS REDIRECT (IPv4-specific) | |
2281 | +This target is only valid in the | |
2282 | +.B nat | |
2283 | +table, in the | |
2284 | +.B PREROUTING | |
2285 | +and | |
2286 | +.B OUTPUT | |
2287 | +chains, and user-defined chains which are only called from those | |
2288 | +chains. It redirects the packet to the machine itself by changing the | |
2289 | +destination IP to the primary address of the incoming interface | |
2290 | +(locally-generated packets are mapped to the 127.0.0.1 address). | |
2291 | +.TP | |
2292 | +\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP] | |
2293 | +This specifies a destination port or range of ports to use: without | |
2294 | +this, the destination port is never altered. This is only valid | |
2295 | +if the rule also specifies | |
2296 | +\fB\-p tcp\fP | |
2297 | +or | |
2298 | +\fB\-p udp\fP. | |
2299 | +.TP | |
2300 | +\fB\-\-random\fP | |
2301 | +If option | |
2302 | +\fB\-\-random\fP | |
2303 | +is used then port mapping will be randomized (kernel >= 2.6.22). | |
2304 | +.RS | |
2305 | +.PP | |
2306 | +.SS REJECT (IPv6-specific) | |
2307 | +This is used to send back an error packet in response to the matched | |
2308 | +packet: otherwise it is equivalent to | |
2309 | +.B DROP | |
2310 | +so it is a terminating TARGET, ending rule traversal. | |
2311 | +This target is only valid in the | |
2312 | +.BR INPUT , | |
2313 | +.B FORWARD | |
2314 | +and | |
2315 | +.B OUTPUT | |
2316 | +chains, and user-defined chains which are only called from those | |
2317 | +chains. The following option controls the nature of the error packet | |
2318 | +returned: | |
2319 | +.TP | |
2320 | +\fB\-\-reject\-with\fP \fItype\fP | |
2321 | +The type given can be | |
2322 | +\fBicmp6\-no\-route\fP, | |
2323 | +\fBno\-route\fP, | |
2324 | +\fBicmp6\-adm\-prohibited\fP, | |
2325 | +\fBadm\-prohibited\fP, | |
2326 | +\fBicmp6\-addr\-unreachable\fP, | |
2327 | +\fBaddr\-unreach\fP, | |
2328 | +\fBicmp6\-port\-unreachable\fP or | |
2329 | +\fBport\-unreach\fP | |
2330 | +which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is | |
2331 | +the default). Finally, the option | |
2332 | +\fBtcp\-reset\fP | |
2333 | +can be used on rules which only match the TCP protocol: this causes a | |
2334 | +TCP RST packet to be sent back. This is mainly useful for blocking | |
2335 | +.I ident | |
2336 | +(113/tcp) probes which frequently occur when sending mail to broken mail | |
2337 | +hosts (which won't accept your mail otherwise). | |
2338 | +\fBtcp\-reset\fP | |
2339 | +can only be used with kernel versions 2.6.14 or later. | |
2340 | +.SS REJECT (IPv4-specific) | |
2341 | +This is used to send back an error packet in response to the matched | |
2342 | +packet: otherwise it is equivalent to | |
2343 | +.B DROP | |
2344 | +so it is a terminating TARGET, ending rule traversal. | |
2345 | +This target is only valid in the | |
2346 | +.BR INPUT , | |
2347 | +.B FORWARD | |
2348 | +and | |
2349 | +.B OUTPUT | |
2350 | +chains, and user-defined chains which are only called from those | |
2351 | +chains. The following option controls the nature of the error packet | |
2352 | +returned: | |
2353 | +.TP | |
2354 | +\fB\-\-reject\-with\fP \fItype\fP | |
2355 | +The type given can be | |
2356 | +\fBicmp\-net\-unreachable\fP, | |
2357 | +\fBicmp\-host\-unreachable\fP, | |
2358 | +\fBicmp\-port\-unreachable\fP, | |
2359 | +\fBicmp\-proto\-unreachable\fP, | |
2360 | +\fBicmp\-net\-prohibited\fP, | |
2361 | +\fBicmp\-host\-prohibited\fP or | |
2362 | +\fBicmp\-admin\-prohibited\fP (*) | |
2363 | +which return the appropriate ICMP error message (\fBport\-unreachable\fP is | |
2364 | +the default). The option | |
2365 | +\fBtcp\-reset\fP | |
2366 | +can be used on rules which only match the TCP protocol: this causes a | |
2367 | +TCP RST packet to be sent back. This is mainly useful for blocking | |
2368 | +.I ident | |
2369 | +(113/tcp) probes which frequently occur when sending mail to broken mail | |
2370 | +hosts (which won't accept your mail otherwise). | |
2371 | +.PP | |
2372 | +(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT | |
2373 | +.SS SAME (IPv4-specific) | |
2374 | +Similar to SNAT/DNAT depending on chain: it takes a range of addresses | |
2375 | +(`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same | |
2376 | +source-/destination-address for each connection. | |
2377 | +.PP | |
2378 | +N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target. | |
2379 | +.TP | |
2380 | +\fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP] | |
2381 | +Addresses to map source to. May be specified more than once for | |
2382 | +multiple ranges. | |
2383 | +.TP | |
2384 | +\fB\-\-nodst\fP | |
2385 | +Don't use the destination-ip in the calculations when selecting the | |
2386 | +new source-ip | |
2387 | +.TP | |
2388 | +\fB\-\-random\fP | |
2389 | +Port mapping will be forcibly randomized to avoid attacks based on | |
2390 | +port prediction (kernel >= 2.6.21). | |
2391 | +.SS SECMARK | |
2392 | +This is used to set the security mark value associated with the | |
2393 | +packet for use by security subsystems such as SELinux. It is | |
2394 | +valid in the | |
2395 | +.B security | |
2396 | +table (for backwards compatibility with older kernels, it is also | |
2397 | +valid in the | |
2398 | +.B mangle | |
2399 | +table). The mark is 32 bits wide. | |
2400 | +.TP | |
2401 | +\fB\-\-selctx\fP \fIsecurity_context\fP | |
2402 | +.SS SET | |
2403 | +This module adds and/or deletes entries from IP sets which can be defined | |
2404 | +by ipset(8). | |
2405 | +.TP | |
2406 | +\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] | |
2407 | +add the address(es)/port(s) of the packet to the set | |
2408 | +.TP | |
2409 | +\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] | |
2410 | +delete the address(es)/port(s) of the packet from the set | |
2411 | +.IP | |
2412 | +where \fIflag\fP(s) are | |
2413 | +.BR "src" | |
2414 | +and/or | |
2415 | +.BR "dst" | |
2416 | +specifications and there can be no more than six of them. | |
2417 | +.TP | |
2418 | +\fB\-\-timeout\fP \fIvalue\fP | |
2419 | +when adding an entry, the timeout value to use instead of the default | |
2420 | +one from the set definition | |
2421 | +.TP | |
2422 | +\fB\-\-exist\fP | |
2423 | +when adding an entry if it already exists, reset the timeout value | |
2424 | +to the specified one or to the default from the set definition | |
2425 | +.PP | |
2426 | +Use of -j SET requires that ipset kernel support is provided, which, for | |
2427 | +standard kernels, is the case since Linux 2.6.39. | |
2428 | +.SS SNAT (IPv4-specific) | |
2429 | +This target is only valid in the | |
2430 | +.B nat | |
2431 | +table, in the | |
2432 | +.B POSTROUTING | |
2433 | +chain. It specifies that the source address of the packet should be | |
2434 | +modified (and all future packets in this connection will also be | |
2435 | +mangled), and rules should cease being examined. It takes one type | |
2436 | +of option: | |
2437 | +.TP | |
2438 | +\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]] | |
2439 | +which can specify a single new source IP address, an inclusive range | |
2440 | +of IP addresses, and optionally, a port range (which is only valid if | |
2441 | +the rule also specifies | |
2442 | +\fB\-p tcp\fP | |
2443 | +or | |
2444 | +\fB\-p udp\fP). | |
2445 | +If no port range is specified, then source ports below 512 will be | |
2446 | +mapped to other ports below 512: those between 512 and 1023 inclusive | |
2447 | +will be mapped to ports below 1024, and other ports will be mapped to | |
2448 | +1024 or above. Where possible, no port alteration will occur. | |
2449 | + | |
2450 | +In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those | |
2451 | +kernels, if you specify more than one source address, either via an address | |
2452 | +range or multiple \-\-to\-source options, a simple round-robin (one after another | |
2453 | +in cycle) takes place between these addresses. | |
2454 | +Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges | |
2455 | +anymore. | |
2456 | +.TP | |
2457 | +\fB\-\-random\fP | |
2458 | +If option | |
2459 | +\fB\-\-random\fP | |
2460 | +is used then port mapping will be randomized (kernel >= 2.6.21). | |
2461 | +.TP | |
2462 | +\fB\-\-persistent\fP | |
2463 | +Gives a client the same source-/destination-address for each connection. | |
2464 | +This supersedes the SAME target. Support for persistent mappings is available | |
2465 | +from 2.6.29-rc2. | |
2466 | +.SS TCPMSS | |
2467 | +This target allows to alter the MSS value of TCP SYN packets, to control | |
2468 | +the maximum size for that connection (usually limiting it to your | |
2469 | +outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). | |
2470 | +Of course, it can only be used | |
2471 | +in conjunction with | |
2472 | +\fB\-p tcp\fP. | |
2473 | +.PP | |
2474 | +This target is used to overcome criminally braindead ISPs or servers | |
2475 | +which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" | |
2476 | +packets. The symptoms of this | |
2477 | +problem are that everything works fine from your Linux | |
2478 | +firewall/router, but machines behind it can never exchange large | |
2479 | +packets: | |
2480 | +.IP 1. 4 | |
2481 | +Web browsers connect, then hang with no data received. | |
2482 | +.IP 2. 4 | |
2483 | +Small mail works fine, but large emails hang. | |
2484 | +.IP 3. 4 | |
2485 | +ssh works fine, but scp hangs after initial handshaking. | |
2486 | +.PP | |
2487 | +Workaround: activate this option and add a rule to your firewall | |
2488 | +configuration like: | |
2489 | +.IP | |
2490 | + iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN | |
2491 | + \-j TCPMSS \-\-clamp\-mss\-to\-pmtu | |
2492 | +.TP | |
2493 | +\fB\-\-set\-mss\fP \fIvalue\fP | |
2494 | +Explicitly sets MSS option to specified value. If the MSS of the packet is | |
2495 | +already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux | |
2496 | +2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS. | |
2497 | +.TP | |
2498 | +\fB\-\-clamp\-mss\-to\-pmtu\fP | |
2499 | +Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6). | |
2500 | +This may not function as desired where asymmetric routes with differing | |
2501 | +path MTU exist \(em the kernel uses the path MTU which it would use to send | |
2502 | +packets from itself to the source and destination IP addresses. Prior to | |
2503 | +Linux 2.6.25, only the path MTU to the destination IP address was | |
2504 | +considered by this option; subsequent kernels also consider the path MTU | |
2505 | +to the source IP address. | |
2506 | +.PP | |
2507 | +These options are mutually exclusive. | |
2508 | +.SS TCPOPTSTRIP | |
2509 | +This target will strip TCP options off a TCP packet. (It will actually replace | |
2510 | +them by NO-OPs.) As such, you will need to add the \fB\-p tcp\fP parameters. | |
2511 | +.TP | |
2512 | +\fB\-\-strip\-options\fP \fIoption\fP[\fB,\fP\fIoption\fP...] | |
2513 | +Strip the given option(s). The options may be specified by TCP option number or | |
2514 | +by symbolic name. The list of recognized options can be obtained by calling | |
2515 | +iptables with \fB\-j TCPOPTSTRIP \-h\fP. | |
2516 | +.SS TEE | |
2517 | +The \fBTEE\fP target will clone a packet and redirect this clone to another | |
2518 | +machine on the \fBlocal\fP network segment. In other words, the nexthop | |
2519 | +must be the target, or you will have to configure the nexthop to forward it | |
2520 | +further if so desired. | |
2521 | +.TP | |
2522 | +\fB\-\-gateway\fP \fIipaddr\fP | |
2523 | +Send the cloned packet to the host reachable at the given IP address. | |
2524 | +Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid. | |
2525 | +.PP | |
2526 | +To forward all incoming traffic on eth0 to an Network Layer logging box: | |
2527 | +.PP | |
2528 | +\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1 | |
2529 | +.SS TOS | |
2530 | +This module sets the Type of Service field in the IPv4 header (including the | |
2531 | +"precedence" bits) or the Priority field in the IPv6 header. Note that TOS | |
2532 | +shares the same bits as DSCP and ECN. The TOS target is only valid in the | |
2533 | +\fBmangle\fP table. | |
2534 | +.TP | |
2535 | +\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2536 | +Zeroes out the bits given by \fImask\fP (see NOTE below) and XORs \fIvalue\fP | |
2537 | +into the TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed. | |
2538 | +.TP | |
2539 | +\fB\-\-set\-tos\fP \fIsymbol\fP | |
2540 | +You can specify a symbolic name when using the TOS target for IPv4. It implies | |
2541 | +a mask of 0xFF (see NOTE below). The list of recognized TOS names can be | |
2542 | +obtained by calling iptables with \fB\-j TOS \-h\fP. | |
2543 | +.PP | |
2544 | +The following mnemonics are available: | |
2545 | +.TP | |
2546 | +\fB\-\-and\-tos\fP \fIbits\fP | |
2547 | +Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos | |
2548 | +0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP. | |
2549 | +See NOTE below.) | |
2550 | +.TP | |
2551 | +\fB\-\-or\-tos\fP \fIbits\fP | |
2552 | +Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP | |
2553 | +\fIbits\fP\fB/\fP\fIbits\fP. See NOTE below.) | |
2554 | +.TP | |
2555 | +\fB\-\-xor\-tos\fP \fIbits\fP | |
2556 | +Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP | |
2557 | +\fIbits\fP\fB/0\fP. See NOTE below.) | |
2558 | +.PP | |
2559 | +NOTE: In Linux kernels up to and including 2.6.38, with the exception of | |
2560 | +longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is | |
2561 | +a bug whereby IPv6 TOS mangling does not behave as documented and differs from | |
2562 | +the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it | |
2563 | +needs to be inverted before applying it to the original TOS field. However, the | |
2564 | +aformentioned kernels forgo the inversion which breaks --set-tos and its | |
2565 | +mnemonics. | |
2566 | +.SS TPROXY | |
2567 | +This target is only valid in the \fBmangle\fP table, in the \fBPREROUTING\fP | |
2568 | +chain and user-defined chains which are only called from this chain. It | |
2569 | +redirects the packet to a local socket without changing the packet header in | |
2570 | +any way. It can also change the mark value which can then be used in advanced | |
2571 | +routing rules. | |
2572 | +It takes three options: | |
2573 | +.TP | |
2574 | +\fB\-\-on\-port\fP \fIport\fP | |
2575 | +This specifies a destination port to use. It is a required option, 0 means the | |
2576 | +new destination port is the same as the original. This is only valid if the | |
2577 | +rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP. | |
2578 | +.TP | |
2579 | +\fB\-\-on\-ip\fP \fIaddress\fP | |
2580 | +This specifies a destination address to use. By default the address is the IP | |
2581 | +address of the incoming interface. This is only valid if the rule also | |
2582 | +specifies \fB\-p tcp\fP or \fB\-p udp\fP. | |
2583 | +.TP | |
2584 | +\fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2585 | +Marks packets with the given value/mask. The fwmark value set here can be used | |
2586 | +by advanced routing. (Required for transparent proxying to work: otherwise | |
2587 | +these packets will get forwarded, which is probably not what you want.) | |
2588 | +.SS TRACE | |
2589 | +This target marks packets so that the kernel will log every rule which match | |
2590 | +the packets as those traverse the tables, chains, rules. | |
2591 | +.PP | |
2592 | +A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this | |
2593 | +to be visible. | |
2594 | +The packets are logged with the string prefix: | |
2595 | +"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for | |
2596 | +plain rule, "return" for implicit rule at the end of a user defined chain | |
2597 | +and "policy" for the policy of the built in chains. | |
2598 | +.br | |
2599 | +It can only be used in the | |
2600 | +.BR raw | |
2601 | +table. | |
2602 | +.SS TTL (IPv4-specific) | |
2603 | +This is used to modify the IPv4 TTL header field. The TTL field determines | |
2604 | +how many hops (routers) a packet can traverse until it's time to live is | |
2605 | +exceeded. | |
2606 | +.PP | |
2607 | +Setting or incrementing the TTL field can potentially be very dangerous, | |
2608 | +so it should be avoided at any cost. This target is only valid in | |
2609 | +.B mangle | |
2610 | +table. | |
2611 | +.PP | |
2612 | +.B Don't ever set or increment the value on packets that leave your local network! | |
2613 | +.TP | |
2614 | +\fB\-\-ttl\-set\fP \fIvalue\fP | |
2615 | +Set the TTL value to `value'. | |
2616 | +.TP | |
2617 | +\fB\-\-ttl\-dec\fP \fIvalue\fP | |
2618 | +Decrement the TTL value `value' times. | |
2619 | +.TP | |
2620 | +\fB\-\-ttl\-inc\fP \fIvalue\fP | |
2621 | +Increment the TTL value `value' times. | |
2622 | +.SS ULOG (IPv4-specific) | |
2623 | +This target provides userspace logging of matching packets. When this | |
2624 | +target is set for a rule, the Linux kernel will multicast this packet | |
2625 | +through a | |
2626 | +.IR netlink | |
2627 | +socket. One or more userspace processes may then subscribe to various | |
2628 | +multicast groups and receive the packets. | |
2629 | +Like LOG, this is a "non-terminating target", i.e. rule traversal | |
2630 | +continues at the next rule. | |
2631 | +.TP | |
2632 | +\fB\-\-ulog\-nlgroup\fP \fInlgroup\fP | |
2633 | +This specifies the netlink group (1-32) to which the packet is sent. | |
2634 | +Default value is 1. | |
2635 | +.TP | |
2636 | +\fB\-\-ulog\-prefix\fP \fIprefix\fP | |
2637 | +Prefix log messages with the specified prefix; up to 32 characters | |
2638 | +long, and useful for distinguishing messages in the logs. | |
2639 | +.TP | |
2640 | +\fB\-\-ulog\-cprange\fP \fIsize\fP | |
2641 | +Number of bytes to be copied to userspace. A value of 0 always copies | |
2642 | +the entire packet, regardless of its size. Default is 0. | |
2643 | +.TP | |
2644 | +\fB\-\-ulog\-qthreshold\fP \fIsize\fP | |
2645 | +Number of packet to queue inside kernel. Setting this value to, e.g. 10 | |
2646 | +accumulates ten packets inside the kernel and transmits them as one | |
2647 | +netlink multipart message to userspace. Default is 1 (for backwards | |
2648 | +compatibility). | |
2649 | +.br |
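Review bot: the `\-\-selctx` entry under `.SS SECMARK` (the `.TP` immediately before `.SS SET`) has a tag line but no body, so the option renders with no description at all; a sentence such as "Set the SELinux security context to assign to matching packets." is needed before `.SS SET`. Two smaller points in the same hunk: the `.RS` followed by `.PP` directly before `.SS REJECT (IPv6-specific)` opens a relative indent that is never closed with `.RE` and produces nothing but a stray indent, and in the TOS NOTE paragraph `--set-tos` should be escaped as `\-\-set\-tos` like every other option name on the page (a bare `--` is turned into a dash by some groff output devices), while "aformentioned" in the same sentence is misspelled.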
@@ -21,7 +21,8 @@ | ||
21 | 21 | .SH NAME |
22 | 22 | iptables-restore \(em Restore IP Tables |
23 | 23 | .SH SYNOPSIS |
24 | -\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP] | |
24 | +\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP] | |
25 | +[\fB\-T\fP \fIname\fP] | |
25 | 26 | .SH DESCRIPTION |
26 | 27 | .PP |
27 | 28 | .B iptables-restore |
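Review bot: the SYNOPSIS names the argument of `\-M` as `\fImodprobe\fP`, whereas the option description added in the next hunk calls it `\fImodprobe_program\fP`; the two should use the same placeholder so the reader can map synopsis to description. The collapsed `[\fB\-chntv\fP]` cluster is otherwise fine, but it is worth double-checking that every letter in it has a matching `.TP` entry below, since the previous form listed each flag separately.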
@@ -31,10 +32,23 @@ I/O redirection provided by your shell to read from a file | ||
31 | 32 | \fB\-c\fR, \fB\-\-counters\fR |
32 | 33 | restore the values of all packet and byte counters |
33 | 34 | .TP |
35 | +\fB\-h\fP, \fB\-\-help\fP | |
36 | +Print a short option summary. | |
37 | +.TP | |
34 | 38 | \fB\-n\fR, \fB\-\-noflush\fR |
35 | 39 | don't flush the previous contents of the table. If not specified, |
36 | 40 | .B iptables-restore |
37 | -flushes (deletes) all previous contents of the respective IP Table. | |
41 | +flushes (deletes) all previous contents of the respective table. | |
42 | +.TP | |
43 | +\fB\-t\fP, \fB\-\-test\fP | |
44 | +Only parse and construct the ruleset, but do not commit it. | |
45 | +.TP | |
46 | +\fB\-v\fP, \fB\-\-verbose\fP | |
47 | +Print additional debug info during ruleset processing. | |
48 | +.TP | |
49 | +\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP | |
50 | +Specify the path to the modprobe program. By default, iptables-restore will | |
51 | +inspect /proc/sys/kernel/modprobe to determine the executable's path. | |
38 | 52 | .TP |
39 | 53 | \fB\-T\fP, \fB\-\-table\fP \fIname\fP |
40 | 54 | Restore only the named table even if the input stream contains other ones. |
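Review bot: the new `\-t, \-\-test` entry sits directly above `\-T, \-\-table`, and in iptables(8) `\-t` selects a table; a short clause such as "not to be confused with \-T" in the `\-\-test` text would prevent a very easy mistake when someone types `iptables-restore -t filter` expecting a table filter and gets a dry run instead. "Only parse and construct the ruleset, but do not commit it." could also state plainly that nothing is loaded into the kernel, which is what an operator wants to know before using it on a production host.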
@@ -1,4 +1,4 @@ | ||
1 | -.TH IPTABLES 8 "" "iptables 1.4.13" "iptables 1.4.13" | |
1 | +.TH IPTABLES 8 "" "iptables 1.4.18" "iptables 1.4.18" | |
2 | 2 | .\" |
3 | 3 | .\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999) |
4 | 4 | .\" It is based on ipchains page. |
@@ -86,7 +86,7 @@ or a rule in a built-in chain with target \fBRETURN\fP | ||
86 | 86 | is matched, the target specified by the chain policy determines the |
87 | 87 | fate of the packet. |
88 | 88 | .SH TABLES |
89 | -There are currently three independent tables (which tables are present | |
89 | +There are currently five independent tables (which tables are present | |
90 | 90 | at any time depends on the kernel configuration options and which |
91 | 91 | modules are present). |
92 | 92 | .TP |
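Review bot: the sentence now says "five independent tables" but the hunk's context ends at the `.TP` that begins the enumeration, so the list itself is not visible here; please confirm it has been extended to include the `raw` and `security` tables, both of which the target descriptions elsewhere in this diff depend on (TRACE: "It can only be used in the raw table"; SECMARK: "valid in the security table").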
@@ -243,6 +243,15 @@ Give a (currently very brief) description of the command syntax. | ||
243 | 243 | The following parameters make up a rule specification (as used in the |
244 | 244 | add, delete, insert, replace and append commands). |
245 | 245 | .TP |
246 | +\fB\-4\fP, \fB\-\-ipv4\fP | |
247 | +This option has no effect in iptables and iptables-restore. | |
248 | +.TP | |
249 | +\fB\-6\fP, \fB\-\-ipv6\fP | |
250 | +If a rule using the \fB\-6\fP option is inserted with (and only with) | |
251 | +iptables-restore, it will be silently ignored. Any other uses will throw an | |
252 | +error. This option allows to put both IPv4 and IPv6 rules in a single rule file | |
253 | +for use with both iptables-restore and ip6tables-restore. | |
254 | +.TP | |
246 | 255 | [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP |
247 | 256 | The protocol of the rule or of the packet to check. |
248 | 257 | The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP, |
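Review bot: "it will be silently ignored" in the `\-6` description deserves an explicit caveat rather than a passing mention: a rule that accidentally carries `\-6` in an IPv4 rule file is dropped by iptables-restore with no diagnostic, so a restored ruleset should be listed and compared against the source file instead of being assumed complete. Also, "This option allows to put both IPv4 and IPv6 rules in a single rule file" should read "allows putting" or "makes it possible to put".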
@@ -277,6 +286,13 @@ See the description of the \fB\-s\fP | ||
277 | 286 | (source) flag for a detailed description of the syntax. The flag |
278 | 287 | \fB\-\-dst\fP is an alias for this option. |
279 | 288 | .TP |
289 | +\fB\-m\fP, \fB\-\-match\fP \fImatch\fP | |
290 | +Specifies a match to use, that is, an extension module that tests for a | |
291 | +specific property. The set of matches make up the condition under which a | |
292 | +target is invoked. Matches are evaluated first to last as specified on the | |
293 | +command line and work in short-circuit fashion, i.e. if one extension yields | |
294 | +false, evaluation will stop. | |
295 | +.TP | |
280 | 296 | \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP |
281 | 297 | This specifies the target of the rule; i.e., what to do if the packet |
282 | 298 | matches it. The target can be a user-defined chain (other than the |
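Review bot: "The set of matches make up the condition" needs "makes up" (the subject is "set"). Since the large removal hunk further down deletes the whole MATCH EXTENSIONS section from this page, this new `\-m` paragraph is the natural place for a cross-reference telling the reader where the individual match modules are now documented (presumably iptables-extensions(8)), and for keeping the one practical hint that otherwise disappears with the removed text: `\-m` \fImatch\fP `\-h` prints the help specific to that module.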
@@ -355,2249 +371,10 @@ corresponding to that rule's position in the chain. | ||
355 | 371 | \fB\-\-modprobe=\fP\fIcommand\fP |
356 | 372 | When adding or inserting rules into a chain, use \fIcommand\fP |
357 | 373 | to load any necessary modules (targets, match extensions, etc). |
358 | -.SH MATCH EXTENSIONS | |
359 | -.PP | |
360 | -iptables can use extended packet matching modules | |
361 | -with the \fB\-m\fP or \fB\-\-match\fP | |
362 | -options, followed by the matching module name; after these, various | |
363 | -extra command line options become available, depending on the specific | |
364 | -module. You can specify multiple extended match modules in one line, | |
365 | -and you can use the \fB\-h\fP or \fB\-\-help\fP | |
366 | -options after the module has been specified to receive help specific | |
367 | -to that module. | |
368 | -.PP | |
369 | -If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an | |
370 | -unknown option is encountered, iptables will try load a match module of the | |
371 | -same name as the protocol, to try making the option available. | |
372 | -.\" @MATCH@ | |
373 | -.SS addrtype | |
374 | -This module matches packets based on their | |
375 | -.B address type. | |
376 | -Address types are used within the kernel networking stack and categorize | |
377 | -addresses into various groups. The exact definition of that group depends on the specific layer three protocol. | |
378 | -.PP | |
379 | -The following address types are possible: | |
380 | -.TP | |
381 | -.BI "UNSPEC" | |
382 | -an unspecified address (i.e. 0.0.0.0) | |
383 | -.TP | |
384 | -.BI "UNICAST" | |
385 | -an unicast address | |
386 | -.TP | |
387 | -.BI "LOCAL" | |
388 | -a local address | |
389 | -.TP | |
390 | -.BI "BROADCAST" | |
391 | -a broadcast address | |
392 | -.TP | |
393 | -.BI "ANYCAST" | |
394 | -an anycast packet | |
395 | -.TP | |
396 | -.BI "MULTICAST" | |
397 | -a multicast address | |
398 | -.TP | |
399 | -.BI "BLACKHOLE" | |
400 | -a blackhole address | |
401 | -.TP | |
402 | -.BI "UNREACHABLE" | |
403 | -an unreachable address | |
404 | -.TP | |
405 | -.BI "PROHIBIT" | |
406 | -a prohibited address | |
407 | -.TP | |
408 | -.BI "THROW" | |
409 | -FIXME | |
410 | -.TP | |
411 | -.BI "NAT" | |
412 | -FIXME | |
413 | -.TP | |
414 | -.BI "XRESOLVE" | |
415 | -.TP | |
416 | -[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP | |
417 | -Matches if the source address is of given type | |
418 | -.TP | |
419 | -[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP | |
420 | -Matches if the destination address is of given type | |
421 | -.TP | |
422 | -.BI "\-\-limit\-iface\-in" | |
423 | -The address type checking can be limited to the interface the packet is coming | |
424 | -in. This option is only valid in the | |
425 | -.BR PREROUTING , | |
426 | -.B INPUT | |
427 | -and | |
428 | -.B FORWARD | |
429 | -chains. It cannot be specified with the | |
430 | -\fB\-\-limit\-iface\-out\fP | |
431 | -option. | |
432 | -.TP | |
433 | -\fB\-\-limit\-iface\-out\fP | |
434 | -The address type checking can be limited to the interface the packet is going | |
435 | -out. This option is only valid in the | |
436 | -.BR POSTROUTING , | |
437 | -.B OUTPUT | |
438 | -and | |
439 | -.B FORWARD | |
440 | -chains. It cannot be specified with the | |
441 | -\fB\-\-limit\-iface\-in\fP | |
442 | -option. | |
443 | -.SS ah | |
444 | -This module matches the SPIs in Authentication header of IPsec packets. | |
445 | -.TP | |
446 | -[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] | |
447 | -.SS cluster | |
448 | -Allows you to deploy gateway and back-end load-sharing clusters without the | |
449 | -need of load-balancers. | |
450 | -.PP | |
451 | -This match requires that all the nodes see the same packets. Thus, the cluster | |
452 | -match decides if this node has to handle a packet given the following options: | |
453 | -.TP | |
454 | -\fB\-\-cluster\-total\-nodes\fP \fInum\fP | |
455 | -Set number of total nodes in cluster. | |
456 | -.TP | |
457 | -[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP | |
458 | -Set the local node number ID. | |
459 | -.TP | |
460 | -[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP | |
461 | -Set the local node number ID mask. You can use this option instead | |
462 | -of \fB\-\-cluster\-local\-node\fP. | |
463 | -.TP | |
464 | -\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP | |
465 | -Set seed value of the Jenkins hash. | |
466 | -.PP | |
467 | -Example: | |
468 | -.IP | |
469 | -iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster | |
470 | -\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 | |
471 | -\-\-cluster\-hash\-seed 0xdeadbeef | |
472 | -\-j MARK \-\-set-mark 0xffff | |
473 | -.IP | |
474 | -iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster | |
475 | -\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 | |
476 | -\-\-cluster\-hash\-seed 0xdeadbeef | |
477 | -\-j MARK -\-set\-mark 0xffff | |
478 | -.IP | |
479 | -iptables \-A PREROUTING \-t mangle \-i eth1 | |
480 | -\-m mark ! \-\-mark 0xffff \-j DROP | |
481 | -.IP | |
482 | -iptables \-A PREROUTING \-t mangle \-i eth2 | |
483 | -\-m mark ! \-\-mark 0xffff \-j DROP | |
484 | -.PP | |
485 | -And the following commands to make all nodes see the same packets: | |
486 | -.IP | |
487 | -ip maddr add 01:00:5e:00:01:01 dev eth1 | |
488 | -.IP | |
489 | -ip maddr add 01:00:5e:00:01:02 dev eth2 | |
490 | -.IP | |
491 | -arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 | |
492 | -\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01 | |
493 | -.IP | |
494 | -arptables \-A INPUT \-i eth1 \-\-h-length 6 | |
495 | -\-\-destination-mac 01:00:5e:00:01:01 | |
496 | -\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 | |
497 | -.IP | |
498 | -arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 | |
499 | -\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02 | |
500 | -.IP | |
501 | -arptables \-A INPUT \-i eth2 \-\-h\-length 6 | |
502 | -\-\-destination\-mac 01:00:5e:00:01:02 | |
503 | -\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 | |
504 | -.PP | |
505 | -In the case of TCP connections, pickup facility has to be disabled | |
506 | -to avoid marking TCP ACK packets coming in the reply direction as | |
507 | -valid. | |
508 | -.IP | |
509 | -echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose | |
510 | -.SS comment | |
511 | -Allows you to add comments (up to 256 characters) to any rule. | |
512 | -.TP | |
513 | -\fB\-\-comment\fP \fIcomment\fP | |
514 | -.TP | |
515 | -Example: | |
516 | -iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN" | |
517 | -.SS connbytes | |
518 | -Match by how many bytes or packets a connection (or one of the two | |
519 | -flows constituting the connection) has transferred so far, or by | |
520 | -average bytes per packet. | |
521 | -.PP | |
522 | -The counters are 64-bit and are thus not expected to overflow ;) | |
523 | -.PP | |
524 | -The primary use is to detect long-lived downloads and mark them to be | |
525 | -scheduled using a lower priority band in traffic control. | |
526 | -.PP | |
527 | -The transferred bytes per connection can also be viewed through | |
528 | -`conntrack \-L` and accessed via ctnetlink. | |
529 | -.PP | |
530 | -NOTE that for connections which have no accounting information, the match will | |
531 | -always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls | |
532 | -whether \fBnew\fP connections will be byte/packet counted. Existing connection | |
533 | -flows will not be gaining/losing a/the accounting structure when be sysctl flag | |
534 | -is flipped. | |
535 | -.TP | |
536 | -[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP] | |
537 | -match packets from a connection whose packets/bytes/average packet | |
538 | -size is more than FROM and less than TO bytes/packets. if TO is | |
539 | -omitted only FROM check is done. "!" is used to match packets not | |
540 | -falling in the range. | |
541 | -.TP | |
542 | -\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP} | |
543 | -which packets to consider | |
544 | -.TP | |
545 | -\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP} | |
546 | -whether to check the amount of packets, number of bytes transferred or | |
547 | -the average size (in bytes) of all packets received so far. Note that | |
548 | -when "both" is used together with "avgpkt", and data is going (mainly) | |
549 | -only in one direction (for example HTTP), the average packet size will | |
550 | -be about half of the actual data packets. | |
551 | -.TP | |
552 | -Example: | |
553 | -iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ... | |
554 | -.SS connlimit | |
555 | -Allows you to restrict the number of parallel connections to a server per | |
556 | -client IP address (or client address block). | |
557 | -.TP | |
558 | -\fB\-\-connlimit\-upto\fP \fIn\fP | |
559 | -Match if the number of existing connections is below or equal \fIn\fP. | |
560 | -.TP | |
561 | -\fB\-\-connlimit\-above\fP \fIn\fP | |
562 | -Match if the number of existing connections is above \fIn\fP. | |
563 | -.TP | |
564 | -\fB\-\-connlimit\-mask\fP \fIprefix_length\fP | |
565 | -Group hosts using the prefix length. For IPv4, this must be a number between | |
566 | -(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the | |
567 | -maximum prefix length for the applicable protocol is used. | |
568 | -.TP | |
569 | -\fB\-\-connlimit\-saddr\fP | |
570 | -Apply the limit onto the source group. This is the default if | |
571 | -\-\-connlimit\-daddr is not specified. | |
572 | -.TP | |
573 | -\fB\-\-connlimit\-daddr\fP | |
574 | -Apply the limit onto the destination group. | |
575 | -.PP | |
576 | -Examples: | |
577 | -.TP | |
578 | -# allow 2 telnet connections per client host | |
579 | -iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT | |
580 | -.TP | |
581 | -# you can also match the other way around: | |
582 | -iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT | |
583 | -.TP | |
584 | -# limit the number of parallel HTTP requests to 16 per class C sized \ | |
585 | -source network (24 bit netmask) | |
586 | -iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16 | |
587 | -\-\-connlimit\-mask 24 \-j REJECT | |
588 | -.TP | |
589 | -# limit the number of parallel HTTP requests to 16 for the link local network | |
590 | -(ipv6) | |
591 | -ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above | |
592 | -16 \-\-connlimit\-mask 64 \-j REJECT | |
593 | -.TP | |
594 | -# Limit the number of connections to a particular host: | |
595 | -ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit | |
596 | -\-\-connlimit-above 100 \-j REJECT | |
597 | -.SS connmark | |
598 | -This module matches the netfilter mark field associated with a connection | |
599 | -(which can be set using the \fBCONNMARK\fP target below). | |
600 | -.TP | |
601 | -[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
602 | -Matches packets in connections with the given mark value (if a mask is | |
603 | -specified, this is logically ANDed with the mark before the comparison). | |
604 | -.SS conntrack | |
605 | -This module, when combined with connection tracking, allows access to the | |
606 | -connection tracking state for this packet/connection. | |
607 | -.TP | |
608 | -[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP | |
609 | -\fIstatelist\fP is a comma separated list of the connection states to match. | |
610 | -Possible states are listed below. | |
611 | -.TP | |
612 | -[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP | |
613 | -Layer-4 protocol to match (by number or name) | |
614 | -.TP | |
615 | -[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
616 | -.TP | |
617 | -[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
618 | -.TP | |
619 | -[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
620 | -.TP | |
621 | -[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
622 | -Match against original/reply source/destination address | |
623 | -.TP | |
624 | -[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
625 | -.TP | |
626 | -[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
627 | -.TP | |
628 | -[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
629 | -.TP | |
630 | -[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
631 | -Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key. | |
632 | -Matching against port ranges is only supported in kernel versions above 2.6.38. | |
633 | -.TP | |
634 | -[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP | |
635 | -\fIstatuslist\fP is a comma separated list of the connection statuses to match. | |
636 | -Possible statuses are listed below. | |
637 | -.TP | |
638 | -[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP] | |
639 | -Match remaining lifetime in seconds against given value or range of values | |
640 | -(inclusive) | |
641 | -.TP | |
642 | -\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} | |
643 | -Match packets that are flowing in the specified direction. If this flag is not | |
644 | -specified at all, matches packets in both directions. | |
645 | -.PP | |
646 | -States for \fB\-\-ctstate\fP: | |
647 | -.TP | |
648 | -\fBINVALID\fP | |
649 | -meaning that the packet is associated with no known connection | |
650 | -.TP | |
651 | -\fBNEW\fP | |
652 | -meaning that the packet has started a new connection, or otherwise associated | |
653 | -with a connection which has not seen packets in both directions, and | |
654 | -.TP | |
655 | -\fBESTABLISHED\fP | |
656 | -meaning that the packet is associated with a connection which has seen packets | |
657 | -in both directions, | |
658 | -.TP | |
659 | -\fBRELATED\fP | |
660 | -meaning that the packet is starting a new connection, but is associated with an | |
661 | -existing connection, such as an FTP data transfer, or an ICMP error. | |
662 | -.TP | |
663 | -\fBUNTRACKED\fP | |
664 | -meaning that the packet is not tracked at all, which happens if you use | |
665 | -the NOTRACK target in raw table. | |
666 | -.TP | |
667 | -\fBSNAT\fP | |
668 | -A virtual state, matching if the original source address differs from the reply | |
669 | -destination. | |
670 | -.TP | |
671 | -\fBDNAT\fP | |
672 | -A virtual state, matching if the original destination differs from the reply | |
673 | -source. | |
674 | -.PP | |
675 | -Statuses for \fB\-\-ctstatus\fP: | |
676 | -.TP | |
677 | -\fBNONE\fP | |
678 | -None of the below. | |
679 | -.TP | |
680 | -\fBEXPECTED\fP | |
681 | -This is an expected connection (i.e. a conntrack helper set it up) | |
682 | -.TP | |
683 | -\fBSEEN_REPLY\fP | |
684 | -Conntrack has seen packets in both directions. | |
685 | -.TP | |
686 | -\fBASSURED\fP | |
687 | -Conntrack entry should never be early-expired. | |
688 | -.TP | |
689 | -\fBCONFIRMED\fP | |
690 | -Connection is confirmed: originating packet has left box. | |
691 | -.SS cpu | |
692 | -.TP | |
693 | -[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP | |
694 | -Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 | |
695 | -Can be used in combination with RPS (Remote Packet Steering) or | |
696 | -multiqueue NICs to spread network traffic on different queues. | |
697 | -.PP | |
698 | -Example: | |
699 | -.PP | |
700 | -iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0 | |
701 | -\-j REDIRECT \-\-to\-port 8080 | |
702 | -.PP | |
703 | -iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1 | |
704 | -\-j REDIRECT \-\-to\-port 8081 | |
705 | -.PP | |
706 | -Available since Linux 2.6.36. | |
707 | -.SS dccp | |
708 | -.TP | |
709 | -[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
710 | -.TP | |
711 | -[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
712 | -.TP | |
713 | -[\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP | |
714 | -Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated | |
715 | -list of packet types. Packet types are: | |
716 | -.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" . | |
717 | -.TP | |
718 | -[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP | |
719 | -Match if DCCP option set. | |
720 | -.SS dscp | |
721 | -This module matches the 6 bit DSCP field within the TOS field in the | |
722 | -IP header. DSCP has superseded TOS within the IETF. | |
723 | -.TP | |
724 | -[\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP | |
725 | -Match against a numeric (decimal or hex) value [0-63]. | |
726 | -.TP | |
727 | -[\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP | |
728 | -Match the DiffServ class. This value may be any of the | |
729 | -BE, EF, AFxx or CSx classes. It will then be converted | |
730 | -into its according numeric value. | |
731 | -.SS ecn | |
732 | -This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168 | |
733 | -.TP | |
734 | -[\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP | |
735 | -This matches if the TCP ECN CWR (Congestion Window Received) bit is set. | |
736 | -.TP | |
737 | -[\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP | |
738 | -This matches if the TCP ECN ECE (ECN Echo) bit is set. | |
739 | -.TP | |
740 | -[\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP | |
741 | -This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify | |
742 | -a number between `0' and `3'. | |
743 | -.SS esp | |
744 | -This module matches the SPIs in ESP header of IPsec packets. | |
745 | -.TP | |
746 | -[\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] | |
747 | -.SS hashlimit | |
748 | -\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the | |
749 | -\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables | |
750 | -rule. Grouping can be done per-hostgroup (source and/or destination address) | |
751 | -and/or per-port. It gives you the ability to express "\fIN\fP packets per time | |
752 | -quantum per group" (see below for some examples). | |
753 | -.PP | |
754 | -A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and | |
755 | -\fB\-\-hashlimit\-name\fP are required. | |
756 | -.TP | |
757 | -\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] | |
758 | -Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as | |
759 | -a number, with an optional time quantum suffix; the default is 3/hour. | |
760 | -.TP | |
761 | -\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] | |
762 | -Match if the rate is above \fIamount\fP/quantum. | |
763 | -.TP | |
764 | -\fB\-\-hashlimit\-burst\fP \fIamount\fP | |
765 | -Maximum initial number of packets to match: this number gets recharged by one | |
766 | -every time the limit specified above is not reached, up to this number; the | |
767 | -default is 5. | |
768 | -.TP | |
769 | -\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP... | |
770 | -A comma-separated list of objects to take into consideration. If no | |
771 | -\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the | |
772 | -expensive of doing the hash housekeeping. | |
773 | -.TP | |
774 | -\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP | |
775 | -When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be | |
776 | -grouped according to the given prefix length and the so-created subnet will be | |
777 | -subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note | |
778 | -that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying | |
779 | -srcip for \-\-hashlimit\-mode, but is technically more expensive. | |
780 | -.TP | |
781 | -\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP | |
782 | -Like \-\-hashlimit\-srcmask, but for destination addresses. | |
783 | -.TP | |
784 | -\fB\-\-hashlimit\-name\fP \fIfoo\fP | |
785 | -The name for the /proc/net/ipt_hashlimit/foo entry. | |
786 | -.TP | |
787 | -\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP | |
788 | -The number of buckets of the hash table | |
789 | -.TP | |
790 | -\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP | |
791 | -Maximum entries in the hash. | |
792 | -.TP | |
793 | -\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP | |
794 | -After how many milliseconds do hash entries expire. | |
795 | -.TP | |
796 | -\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP | |
797 | -How many milliseconds between garbage collection intervals. | |
798 | -.PP | |
799 | -Examples: | |
800 | -.TP | |
801 | -matching on source host | |
802 | -"1000 packets per second for every host in 192.168.0.0/16" => | |
803 | -\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec | |
804 | -.TP | |
805 | -matching on source port | |
806 | -"100 packets per second for every service of 192.168.1.1" => | |
807 | -\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec | |
808 | -.TP | |
809 | -matching on subnet | |
810 | -"10000 packets per minute for every /28 subnet (groups of 8 addresses) | |
811 | -in 10.0.0.0/8" => | |
812 | -\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min | |
813 | -.SS helper | |
814 | -This module matches packets related to a specific conntrack-helper. | |
815 | -.TP | |
816 | -[\fB!\fP] \fB\-\-helper\fP \fIstring\fP | |
817 | -Matches packets related to the specified conntrack-helper. | |
818 | -.RS | |
819 | -.PP | |
820 | -string can be "ftp" for packets related to a ftp-session on default port. | |
821 | -For other ports append \-portnr to the value, ie. "ftp\-2121". | |
822 | -.PP | |
823 | -Same rules apply for other conntrack-helpers. | |
824 | -.RE | |
825 | -.SS icmp | |
826 | -This extension can be used if `\-\-protocol icmp' is specified. It | |
827 | -provides the following option: | |
828 | -.TP | |
829 | -[\fB!\fP] \fB\-\-icmp\-type\fP {\fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP} | |
830 | -This allows specification of the ICMP type, which can be a numeric | |
831 | -ICMP type, type/code pair, or one of the ICMP type names shown by the command | |
832 | -.nf | |
833 | - iptables \-p icmp \-h | |
834 | -.fi | |
835 | -.SS iprange | |
836 | -This matches on a given arbitrary range of IP addresses. | |
837 | -.TP | |
838 | -[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] | |
839 | -Match source IP in the specified range. | |
840 | -.TP | |
841 | -[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] | |
842 | -Match destination IP in the specified range. | |
843 | -.SS ipvs | |
844 | -Match IPVS connection properties. | |
845 | -.TP | |
846 | -[\fB!\fP] \fB\-\-ipvs\fP | |
847 | -packet belongs to an IPVS connection | |
848 | -.TP | |
849 | -Any of the following options implies \-\-ipvs (even negated) | |
850 | -.TP | |
851 | -[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP | |
852 | -VIP protocol to match; by number or name, e.g. "tcp" | |
853 | -.TP | |
854 | -[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
855 | -VIP address to match | |
856 | -.TP | |
857 | -[\fB!\fP] \fB\-\-vport\fP \fIport\fP | |
858 | -VIP port to match; by number or name, e.g. "http" | |
859 | -.TP | |
860 | -\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} | |
861 | -flow direction of packet | |
862 | -.TP | |
863 | -[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP} | |
864 | -IPVS forwarding method used | |
865 | -.TP | |
866 | -[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP | |
867 | -VIP port of the controlling connection to match, e.g. 21 for FTP | |
868 | -.SS length | |
869 | -This module matches the length of the layer-3 payload (e.g. layer-4 packet) | |
870 | -of a packet against a specific value | |
871 | -or range of values. | |
872 | -.TP | |
873 | -[\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP] | |
874 | -.SS limit | |
875 | -This module matches at a limited rate using a token bucket filter. | |
876 | -A rule using this extension will match until this limit is reached. | |
877 | -It can be used in combination with the | |
878 | -.B LOG | |
879 | -target to give limited logging, for example. | |
880 | -.PP | |
881 | -xt_limit has no negation support - you will have to use \-m hashlimit ! | |
882 | -\-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode. | |
883 | -.TP | |
884 | -\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] | |
885 | -Maximum average matching rate: specified as a number, with an optional | |
886 | -`/second', `/minute', `/hour', or `/day' suffix; the default is | |
887 | -3/hour. | |
888 | -.TP | |
889 | -\fB\-\-limit\-burst\fP \fInumber\fP | |
890 | -Maximum initial number of packets to match: this number gets | |
891 | -recharged by one every time the limit specified above is not reached, | |
892 | -up to this number; the default is 5. | |
893 | -.SS mac | |
894 | -.TP | |
895 | -[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP | |
896 | -Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. | |
897 | -Note that this only makes sense for packets coming from an Ethernet device | |
898 | -and entering the | |
899 | -.BR PREROUTING , | |
900 | -.B FORWARD | |
901 | -or | |
902 | -.B INPUT | |
903 | -chains. | |
904 | -.SS mark | |
905 | -This module matches the netfilter mark field associated with a packet | |
906 | -(which can be set using the | |
907 | -.B MARK | |
908 | -target below). | |
909 | -.TP | |
910 | -[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
911 | -Matches packets with the given unsigned mark value (if a \fImask\fP is | |
912 | -specified, this is logically ANDed with the \fImask\fP before the | |
913 | -comparison). | |
914 | -.SS multiport | |
915 | -This module matches a set of source or destination ports. Up to 15 | |
916 | -ports can be specified. A port range (port:port) counts as two | |
917 | -ports. It can only be used in conjunction with | |
918 | -\fB\-p tcp\fP | |
919 | -or | |
920 | -\fB\-p udp\fP. | |
921 | -.TP | |
922 | -[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... | |
923 | -Match if the source port is one of the given ports. The flag | |
924 | -\fB\-\-sports\fP | |
925 | -is a convenient alias for this option. Multiple ports or port ranges are | |
926 | -separated using a comma, and a port range is specified using a colon. | |
927 | -\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through | |
928 | -65535. | |
929 | -.TP | |
930 | -[\fB!\fP] \fB\-\-destination\-ports\fP,\fB\-\-dports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... | |
931 | -Match if the destination port is one of the given ports. The flag | |
932 | -\fB\-\-dports\fP | |
933 | -is a convenient alias for this option. | |
934 | -.TP | |
935 | -[\fB!\fP] \fB\-\-ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... | |
936 | -Match if either the source or destination ports are equal to one of | |
937 | -the given ports. | |
938 | -.SS nfacct | |
939 | -The nfacct match provides the extended accounting infrastructure for iptables. | |
940 | -You have to use this match together with the standalone user-space utility | |
941 | -.B nfacct(8) | |
942 | -.PP | |
943 | -The only option available for this match is the following: | |
944 | -.TP | |
945 | -\fB\-\-nfacct\-name\fP \fIname\fP | |
946 | -This allows you to specify the existing object name that will be use for | |
947 | -accounting the traffic that this rule-set is matching. | |
948 | -.PP | |
949 | -To use this extension, you have to create an accounting object: | |
950 | -.IP | |
951 | -nfacct add http\-traffic | |
952 | -.PP | |
953 | -Then, you have to attach it to the accounting object via iptables: | |
954 | -.IP | |
955 | -iptables \-I INPUT \-p tcp \-\-sport 80 \-m nfacct \-\-nfacct\-name http\-traffic | |
956 | -.IP | |
957 | -iptables \-I OUTPUT \-p tcp \-\-dport 80 \-m nfacct \-\-nfacct\-name http\-traffic | |
958 | -.PP | |
959 | -Then, you can check for the amount of traffic that the rules match: | |
960 | -.IP | |
961 | -nfacct get http\-traffic | |
962 | -.IP | |
963 | -{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic; | |
964 | -.PP | |
965 | -You can obtain | |
966 | -.B nfacct(8) | |
967 | -from http://www.netfilter.org or, alternatively, from the git.netfilter.org | |
968 | -repository. | |
969 | -.SS osf | |
970 | -The osf module does passive operating system fingerprinting. This modules | |
971 | -compares some data (Window Size, MSS, options and their order, TTL, DF, | |
972 | -and others) from packets with the SYN bit set. | |
973 | -.TP | |
974 | -[\fB!\fP] \fB\-\-genre\fP \fIstring\fP | |
975 | -Match an operating system genre by using a passive fingerprinting. | |
976 | -.TP | |
977 | -\fB\-\-ttl\fP \fIlevel\fP | |
978 | -Do additional TTL checks on the packet to determine the operating system. | |
979 | -\fIlevel\fP can be one of the following values: | |
980 | -.IP \(bu 4 | |
981 | -0 - True IP address and fingerprint TTL comparison. This generally works for | |
982 | -LANs. | |
983 | -.IP \(bu 4 | |
984 | -1 - Check if the IP header's TTL is less than the fingerprint one. Works for | |
985 | -globally-routable addresses. | |
986 | -.IP \(bu 4 | |
987 | -2 - Do not compare the TTL at all. | |
988 | -.TP | |
989 | -\fB\-\-log\fP \fIlevel\fP | |
990 | -Log determined genres into dmesg even if they do not match the desired one. | |
991 | -\fIlevel\fP can be one of the following values: | |
992 | -.IP \(bu 4 | |
993 | -0 - Log all matched or unknown signatures | |
994 | -.IP \(bu 4 | |
995 | -1 - Log only the first one | |
996 | -.IP \(bu 4 | |
997 | -2 - Log all known matched signatures | |
998 | -.PP | |
999 | -You may find something like this in syslog: | |
1000 | -.PP | |
1001 | -Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> | |
1002 | -11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4 | |
1003 | -.PP | |
1004 | -OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load | |
1005 | -fingerprints from a file, use: | |
1006 | -.PP | |
1007 | -\fBnfnl_osf -f /usr/share/xtables/pf.os\fP | |
1008 | -.PP | |
1009 | -To remove them again, | |
1010 | -.PP | |
1011 | -\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP | |
1012 | -.PP | |
1013 | -The fingerprint database can be downlaoded from | |
1014 | -http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . | |
1015 | -.SS owner | |
1016 | -This module attempts to match various characteristics of the packet creator, | |
1017 | -for locally generated packets. This match is only valid in the OUTPUT and | |
1018 | -POSTROUTING chains. Forwarded packets do not have any socket associated with | |
1019 | -them. Packets from kernel threads do have a socket, but usually no owner. | |
1020 | -.TP | |
1021 | -[\fB!\fP] \fB\-\-uid\-owner\fP \fIusername\fP | |
1022 | -.TP | |
1023 | -[\fB!\fP] \fB\-\-uid\-owner\fP \fIuserid\fP[\fB\-\fP\fIuserid\fP] | |
1024 | -Matches if the packet socket's file structure (if it has one) is owned by the | |
1025 | -given user. You may also specify a numerical UID, or an UID range. | |
1026 | -.TP | |
1027 | -[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupname\fP | |
1028 | -.TP | |
1029 | -[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP] | |
1030 | -Matches if the packet socket's file structure is owned by the given group. | |
1031 | -You may also specify a numerical GID, or a GID range. | |
1032 | -.TP | |
1033 | -[\fB!\fP] \fB\-\-socket\-exists\fP | |
1034 | -Matches if the packet is associated with a socket. | |
1035 | -.SS physdev | |
1036 | -This module matches on the bridge port input and output devices enslaved | |
1037 | -to a bridge device. This module is a part of the infrastructure that enables | |
1038 | -a transparent bridging IP firewall and is only useful for kernel versions | |
1039 | -above version 2.5.44. | |
1040 | -.TP | |
1041 | -[\fB!\fP] \fB\-\-physdev\-in\fP \fIname\fP | |
1042 | -Name of a bridge port via which a packet is received (only for | |
1043 | -packets entering the | |
1044 | -.BR INPUT , | |
1045 | -.B FORWARD | |
1046 | -and | |
1047 | -.B PREROUTING | |
1048 | -chains). If the interface name ends in a "+", then any | |
1049 | -interface which begins with this name will match. If the packet didn't arrive | |
1050 | -through a bridge device, this packet won't match this option, unless '!' is used. | |
1051 | -.TP | |
1052 | -[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP | |
1053 | -Name of a bridge port via which a packet is going to be sent (for packets | |
1054 | -entering the | |
1055 | -.BR FORWARD , | |
1056 | -.B OUTPUT | |
1057 | -and | |
1058 | -.B POSTROUTING | |
1059 | -chains). If the interface name ends in a "+", then any | |
1060 | -interface which begins with this name will match. Note that in the | |
1061 | -.BR nat " and " mangle | |
1062 | -.B OUTPUT | |
1063 | -chains one cannot match on the bridge output port, however one can in the | |
1064 | -.B "filter OUTPUT" | |
1065 | -chain. If the packet won't leave by a bridge device or if it is yet unknown what | |
1066 | -the output device will be, then the packet won't match this option, | |
1067 | -unless '!' is used. | |
1068 | -.TP | |
1069 | -[\fB!\fP] \fB\-\-physdev\-is\-in\fP | |
1070 | -Matches if the packet has entered through a bridge interface. | |
1071 | -.TP | |
1072 | -[\fB!\fP] \fB\-\-physdev\-is\-out\fP | |
1073 | -Matches if the packet will leave through a bridge interface. | |
1074 | -.TP | |
1075 | -[\fB!\fP] \fB\-\-physdev\-is\-bridged\fP | |
1076 | -Matches if the packet is being bridged and therefore is not being routed. | |
1077 | -This is only useful in the FORWARD and POSTROUTING chains. | |
1078 | -.SS pkttype | |
1079 | -This module matches the link-layer packet type. | |
1080 | -.TP | |
1081 | -[\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP} | |
1082 | -.SS policy | |
1083 | -This modules matches the policy used by IPsec for handling a packet. | |
1084 | -.TP | |
1085 | -\fB\-\-dir\fP {\fBin\fP|\fBout\fP} | |
1086 | -Used to select whether to match the policy used for decapsulation or the | |
1087 | -policy that will be used for encapsulation. | |
1088 | -.B in | |
1089 | -is valid in the | |
1090 | -.B PREROUTING, INPUT and FORWARD | |
1091 | -chains, | |
1092 | -.B out | |
1093 | -is valid in the | |
1094 | -.B POSTROUTING, OUTPUT and FORWARD | |
1095 | -chains. | |
1096 | -.TP | |
1097 | -\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP} | |
1098 | -Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP | |
1099 | -cannot be combined with \fB\-\-strict\fP. | |
1100 | -.TP | |
1101 | -\fB\-\-strict\fP | |
1102 | -Selects whether to match the exact policy or match if any rule of | |
1103 | -the policy matches the given policy. | |
1104 | -.PP | |
1105 | -For each policy element that is to be described, one can use one or more of | |
1106 | -the following options. When \fB\-\-strict\fP is in effect, at least one must be | |
1107 | -used per element. | |
1108 | -.TP | |
1109 | -[\fB!\fP] \fB\-\-reqid\fP \fIid\fP | |
1110 | -Matches the reqid of the policy rule. The reqid can be specified with | |
1111 | -.B setkey(8) | |
1112 | -using | |
1113 | -.B unique:id | |
1114 | -as level. | |
1115 | -.TP | |
1116 | -[\fB!\fP] \fB\-\-spi\fP \fIspi\fP | |
1117 | -Matches the SPI of the SA. | |
1118 | -.TP | |
1119 | -[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP} | |
1120 | -Matches the encapsulation protocol. | |
1121 | -.TP | |
1122 | -[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP} | |
1123 | -Matches the encapsulation mode. | |
1124 | -.TP | |
1125 | -[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP] | |
1126 | -Matches the source end-point address of a tunnel mode SA. | |
1127 | -Only valid with \fB\-\-mode tunnel\fP. | |
1128 | -.TP | |
1129 | -[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP] | |
1130 | -Matches the destination end-point address of a tunnel mode SA. | |
1131 | -Only valid with \fB\-\-mode tunnel\fP. | |
1132 | -.TP | |
1133 | -\fB\-\-next\fP | |
1134 | -Start the next element in the policy specification. Can only be used with | |
1135 | -\fB\-\-strict\fP. | |
1136 | -.SS quota | |
1137 | -Implements network quotas by decrementing a byte counter with each | |
1138 | -packet. The condition matches until the byte counter reaches zero. Behavior | |
1139 | -is reversed with negation (i.e. the condition does not match until the | |
1140 | -byte counter reaches zero). | |
1141 | -.TP | |
1142 | -[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP | |
1143 | -The quota in bytes. | |
1144 | -.SS rateest | |
1145 | -The rate estimator can match on estimated rates as collected by the RATEEST | |
1146 | -target. It supports matching on absolute bps/pps values, comparing two rate | |
1147 | -estimators and matching on the difference between two rate estimators. | |
1148 | -.PP | |
1149 | -For a better understanding of the available options, these are all possible | |
1150 | -combinations: | |
1151 | -.\" * Absolute: | |
1152 | -.IP \(bu 4 | |
1153 | -\fBrateest\fP \fIoperator\fP \fBrateest-bps\fP | |
1154 | -.IP \(bu 4 | |
1155 | -\fBrateest\fP \fIoperator\fP \fBrateest-pps\fP | |
1156 | -.\" * Absolute + Delta: | |
1157 | -.IP \(bu 4 | |
1158 | -(\fBrateest\fP minus \fBrateest-bps1\fP) \fIoperator\fP \fBrateest-bps2\fP | |
1159 | -.IP \(bu 4 | |
1160 | -(\fBrateest\fP minus \fBrateest-pps1\fP) \fIoperator\fP \fBrateest-pps2\fP | |
1161 | -.\" * Relative: | |
1162 | -.IP \(bu 4 | |
1163 | -\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-bps\fP(without rate!) | |
1164 | -.IP \(bu 4 | |
1165 | -\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-pps\fP(without rate!) | |
1166 | -.\" * Relative + Delta: | |
1167 | -.IP \(bu 4 | |
1168 | -(\fBrateest1\fP minus \fBrateest-bps1\fP) \fIoperator\fP | |
1169 | -(\fBrateest2\fP minus \fBrateest-bps2\fP) | |
1170 | -.IP \(bu 4 | |
1171 | -(\fBrateest1\fP minus \fBrateest-pps1\fP) \fIoperator\fP | |
1172 | -(\fBrateest2\fP minus \fBrateest-pps2\fP) | |
1173 | -.TP | |
1174 | -\fB\-\-rateest\-delta\fP | |
1175 | -For each estimator (either absolute or relative mode), calculate the difference | |
1176 | -between the estimator-determined flow rate and the static value chosen with the | |
1177 | -BPS/PPS options. If the flow rate is higher than the specified BPS/PPS, 0 will | |
1178 | -be used instead of a negative value. In other words, "max(0, rateest#_rate - | |
1179 | -rateest#_bps)" is used. | |
1180 | -.TP | |
1181 | -[\fB!\fP] \fB\-\-rateest\-lt\fP | |
1182 | -Match if rate is less than given rate/estimator. | |
1183 | -.TP | |
1184 | -[\fB!\fP] \fB\-\-rateest\-gt\fP | |
1185 | -Match if rate is greater than given rate/estimator. | |
1186 | -.TP | |
1187 | -[\fB!\fP] \fB\-\-rateest\-eq\fP | |
1188 | -Match if rate is equal to given rate/estimator. | |
1189 | -.PP | |
1190 | -In the so-called "absolute mode", only one rate estimator is used and compared | |
1191 | -against a static value, while in "relative mode", two rate estimators are | |
1192 | -compared against another. | |
1193 | -.TP | |
1194 | -\fB\-\-rateest\fP \fIname\fP | |
1195 | -Name of the one rate estimator for absolute mode. | |
1196 | -.TP | |
1197 | -\fB\-\-rateest1\fP \fIname\fP | |
1198 | -.TP | |
1199 | -\fB\-\-rateest2\fP \fIname\fP | |
1200 | -The names of the two rate estimators for relative mode. | |
1201 | -.TP | |
1202 | -\fB\-\-rateest\-bps\fP [\fIvalue\fP] | |
1203 | -.TP | |
1204 | -\fB\-\-rateest\-pps\fP [\fIvalue\fP] | |
1205 | -.TP | |
1206 | -\fB\-\-rateest\-bps1\fP [\fIvalue\fP] | |
1207 | -.TP | |
1208 | -\fB\-\-rateest\-bps2\fP [\fIvalue\fP] | |
1209 | -.TP | |
1210 | -\fB\-\-rateest\-pps1\fP [\fIvalue\fP] | |
1211 | -.TP | |
1212 | -\fB\-\-rateest\-pps2\fP [\fIvalue\fP] | |
1213 | -Compare the estimator(s) by bytes or packets per second, and compare against | |
1214 | -the chosen value. See the above bullet list for which option is to be used in | |
1215 | -which case. A unit suffix may be used - available ones are: bit, [kmgt]bit, | |
1216 | -[KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps. | |
1217 | -.PP | |
1218 | -Example: This is what can be used to route outgoing data connections from an | |
1219 | -FTP server over two lines based on the available bandwidth at the time the data | |
1220 | -connection was started: | |
1221 | -.PP | |
1222 | -# Estimate outgoing rates | |
1223 | -.PP | |
1224 | -iptables \-t mangle \-A POSTROUTING \-o eth0 \-j RATEEST \-\-rateest\-name eth0 | |
1225 | -\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s | |
1226 | -.PP | |
1227 | -iptables \-t mangle \-A POSTROUTING \-o ppp0 \-j RATEEST \-\-rateest\-name ppp0 | |
1228 | -\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s | |
1229 | -.PP | |
1230 | -# Mark based on available bandwidth | |
1231 | -.PP | |
1232 | -iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp | |
1233 | -\-m rateest \-\-rateest\-delta \-\-rateest1 eth0 \-\-rateest\-bps1 2.5mbit \-\-rateest\-gt | |
1234 | -\-\-rateest2 ppp0 \-\-rateest\-bps2 2mbit \-j CONNMARK \-\-set\-mark 1 | |
1235 | -.PP | |
1236 | -iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp | |
1237 | -\-m rateest \-\-rateest\-delta \-\-rateest1 ppp0 \-\-rateest\-bps1 2mbit \-\-rateest\-gt | |
1238 | -\-\-rateest2 eth0 \-\-rateest\-bps2 2.5mbit \-j CONNMARK \-\-set\-mark 2 | |
1239 | -.PP | |
1240 | -iptables \-t mangle \-A balance \-j CONNMARK \-\-restore\-mark | |
1241 | -.SS realm | |
1242 | -This matches the routing realm. Routing realms are used in complex routing | |
1243 | -setups involving dynamic routing protocols like BGP. | |
1244 | -.TP | |
1245 | -[\fB!\fP] \fB\-\-realm\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1246 | -Matches a given realm number (and optionally mask). If not a number, value | |
1247 | -can be a named realm from /etc/iproute2/rt_realms (mask can not be used in | |
1248 | -that case). | |
1249 | -.SS recent | |
1250 | -Allows you to dynamically create a list of IP addresses and then match against | |
1251 | -that list in a few different ways. | |
1252 | -.PP | |
1253 | -For example, you can create a "badguy" list out of people attempting to connect | |
1254 | -to port 139 on your firewall and then DROP all future packets from them without | |
1255 | -considering them. | |
1256 | -.PP | |
1257 | -\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are | |
1258 | -mutually exclusive. | |
1259 | -.TP | |
1260 | -\fB\-\-name\fP \fIname\fP | |
1261 | -Specify the list to use for the commands. If no name is given then | |
1262 | -\fBDEFAULT\fP will be used. | |
1263 | -.TP | |
1264 | -[\fB!\fP] \fB\-\-set\fP | |
1265 | -This will add the source address of the packet to the list. If the source | |
1266 | -address is already in the list, this will update the existing entry. This will | |
1267 | -always return success (or failure if \fB!\fP is passed in). | |
1268 | -.TP | |
1269 | -\fB\-\-rsource\fP | |
1270 | -Match/save the source address of each packet in the recent list table. This | |
1271 | -is the default. | |
1272 | -.TP | |
1273 | -\fB\-\-rdest\fP | |
1274 | -Match/save the destination address of each packet in the recent list table. | |
1275 | -.TP | |
1276 | -[\fB!\fP] \fB\-\-rcheck\fP | |
1277 | -Check if the source address of the packet is currently in the list. | |
1278 | -.TP | |
1279 | -[\fB!\fP] \fB\-\-update\fP | |
1280 | -Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it | |
1281 | -matches. | |
1282 | -.TP | |
1283 | -[\fB!\fP] \fB\-\-remove\fP | |
1284 | -Check if the source address of the packet is currently in the list and if so | |
1285 | -that address will be removed from the list and the rule will return true. If | |
1286 | -the address is not found, false is returned. | |
1287 | -.TP | |
1288 | -\fB\-\-seconds\fP \fIseconds\fP | |
1289 | -This option must be used in conjunction with one of \fB\-\-rcheck\fP or | |
1290 | -\fB\-\-update\fP. When used, this will narrow the match to only happen when the | |
1291 | -address is in the list and was seen within the last given number of seconds. | |
1292 | -.TP | |
1293 | -\fB\-\-reap\fP | |
1294 | -This option can only be used in conjunction with \fB\-\-seconds\fP. | |
1295 | -When used, this will cause entries older than the last given number of seconds | |
1296 | -to be purged. | |
1297 | -.TP | |
1298 | -\fB\-\-hitcount\fP \fIhits\fP | |
1299 | -This option must be used in conjunction with one of \fB\-\-rcheck\fP or | |
1300 | -\fB\-\-update\fP. When used, this will narrow the match to only happen when the | |
1301 | -address is in the list and packets had been received greater than or equal to | |
1302 | -the given value. This option may be used along with \fB\-\-seconds\fP to create | |
1303 | -an even narrower match requiring a certain number of hits within a specific | |
1304 | -time frame. The maximum value for the hitcount parameter is given by the | |
1305 | -"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this | |
1306 | -value on the command line will cause the rule to be rejected. | |
1307 | -.TP | |
1308 | -\fB\-\-rttl\fP | |
1309 | -This option may only be used in conjunction with one of \fB\-\-rcheck\fP or | |
1310 | -\fB\-\-update\fP. When used, this will narrow the match to only happen when the | |
1311 | -address is in the list and the TTL of the current packet matches that of the | |
1312 | -packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems | |
1313 | -with people faking their source address in order to DoS you via this module by | |
1314 | -disallowing others access to your site by sending bogus packets to you. | |
1315 | -.PP | |
1316 | -Examples: | |
1317 | -.IP | |
1318 | -iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP | |
1319 | -.IP | |
1320 | -iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP | |
1321 | -.PP | |
1322 | -Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has | |
1323 | -some examples of usage. | |
374 | +.SH MATCH AND TARGET EXTENSIONS | |
1324 | 375 | .PP |
1325 | -\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information | |
1326 | -about each entry of each list. | |
1327 | -.PP | |
1328 | -Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current | |
1329 | -list or written two using the following commands to modify the list: | |
1330 | -.TP | |
1331 | -\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP | |
1332 | -to add \fIaddr\fP to the DEFAULT list | |
1333 | -.TP | |
1334 | -\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP | |
1335 | -to remove \fIaddr\fP from the DEFAULT list | |
1336 | -.TP | |
1337 | -\fBecho / >/proc/net/xt_recent/DEFAULT\fP | |
1338 | -to flush the DEFAULT list (remove all entries). | |
1339 | -.PP | |
1340 | -The module itself accepts parameters, defaults shown: | |
1341 | -.TP | |
1342 | -\fBip_list_tot\fP=\fI100\fP | |
1343 | -Number of addresses remembered per table. | |
1344 | -.TP | |
1345 | -\fBip_pkt_list_tot\fP=\fI20\fP | |
1346 | -Number of packets per address remembered. | |
1347 | -.TP | |
1348 | -\fBip_list_hash_size\fP=\fI0\fP | |
1349 | -Hash table size. 0 means to calculate it based on ip_list_tot, default: 512. | |
1350 | -.TP | |
1351 | -\fBip_list_perms\fP=\fI0644\fP | |
1352 | -Permissions for /proc/net/xt_recent/* files. | |
1353 | -.TP | |
1354 | -\fBip_list_uid\fP=\fI0\fP | |
1355 | -Numerical UID for ownership of /proc/net/xt_recent/* files. | |
1356 | -.TP | |
1357 | -\fBip_list_gid\fP=\fI0\fP | |
1358 | -Numerical GID for ownership of /proc/net/xt_recent/* files. | |
1359 | -.SS rpfilter | |
1360 | -Performs a reverse path filter test on a packet. | |
1361 | -If a reply to the packet would be sent via the same interface | |
1362 | -that the packet arrived on, the packet will match. | |
1363 | -Note that, unlike the in-kernel rp_filter, packets protected | |
1364 | -by IPSec are not treated specially. Combine this match with | |
1365 | -the policy match if you want this. | |
1366 | -Also, packets arriving via the loopback interface are always permitted. | |
1367 | -This match can only be used in the PREROUTING chain of the raw or mangle table. | |
1368 | -.TP | |
1369 | -\fB\-\-loose\fP | |
1370 | -Used to specifiy that the reverse path filter test should match | |
1371 | -even if the selected output device is not the expected one. | |
1372 | -.TP | |
1373 | -\fB\-\-validmark\fP | |
1374 | -Also use the packets' nfmark value when performing the reverse path route lookup. | |
1375 | -.TP | |
1376 | -\fB\-\-accept\-local\fP | |
1377 | -This will permit packets arriving from the network with a source address that is also | |
1378 | -assigned to the local machine. | |
1379 | -\fB\-\-invert\fP | |
1380 | -This will invert the sense of the match. Instead of matching packets that passed the | |
1381 | -reverse path filter test, match those that have failed it. | |
1382 | -.PP | |
1383 | -Example to log and drop packets failing the reverse path filter test: | |
1384 | - | |
1385 | -iptables \-t raw \-N RPFILTER | |
1386 | - | |
1387 | -iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN | |
1388 | - | |
1389 | -iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop" | |
1390 | - | |
1391 | -iptables \-t raw \-A RPFILTER \-j DROP | |
1392 | - | |
1393 | -iptables \-t raw \-A PREROUTING \-j RPFILTER | |
1394 | - | |
1395 | -Example to drop failed packets, without logging: | |
1396 | - | |
1397 | -iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP | |
1398 | -.SS sctp | |
1399 | -.TP | |
1400 | -[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1401 | -.TP | |
1402 | -[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1403 | -.TP | |
1404 | -[\fB!\fP] \fB\-\-chunk\-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...] | |
1405 | -The flag letter in upper case indicates that the flag is to match if set, | |
1406 | -in the lower case indicates to match if unset. | |
1407 | - | |
1408 | -Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN | |
1409 | - | |
1410 | -chunk type available flags | |
1411 | -.br | |
1412 | -DATA I U B E i u b e | |
1413 | -.br | |
1414 | -ABORT T t | |
1415 | -.br | |
1416 | -SHUTDOWN_COMPLETE T t | |
1417 | - | |
1418 | -(lowercase means flag should be "off", uppercase means "on") | |
1419 | -.P | |
1420 | -Examples: | |
1421 | - | |
1422 | -iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP | |
1423 | - | |
1424 | -iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA,INIT \-j DROP | |
1425 | - | |
1426 | -iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA:Be \-j ACCEPT | |
1427 | -.SS set | |
1428 | -This module matches IP sets which can be defined by ipset(8). | |
1429 | -.TP | |
1430 | -[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... | |
1431 | -where flags are the comma separated list of | |
1432 | -.BR "src" | |
1433 | -and/or | |
1434 | -.BR "dst" | |
1435 | -specifications and there can be no more than six of them. Hence the command | |
1436 | -.IP | |
1437 | - iptables \-A FORWARD \-m set \-\-match\-set test src,dst | |
1438 | -.IP | |
1439 | -will match packets, for which (if the set type is ipportmap) the source | |
1440 | -address and destination port pair can be found in the specified set. If | |
1441 | -the set type of the specified set is single dimension (for example ipmap), | |
1442 | -then the command will match packets for which the source address can be | |
1443 | -found in the specified set. | |
1444 | -.PP | |
1445 | -The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does | |
1446 | -not clash with an option of other extensions. | |
1447 | -.PP | |
1448 | -Use of -m set requires that ipset kernel support is provided, which, for | |
1449 | -standard kernels, is the case since Linux 2.6.39. | |
1450 | -.SS socket | |
1451 | -This matches if an open socket can be found by doing a socket lookup on the | |
1452 | -packet. | |
1453 | -.TP | |
1454 | -\fB\-\-transparent\fP | |
1455 | -Ignore non-transparent sockets. | |
1456 | -.SS state | |
1457 | -This module, when combined with connection tracking, allows access to | |
1458 | -the connection tracking state for this packet. | |
1459 | -.TP | |
1460 | -[\fB!\fP] \fB\-\-state\fP \fIstate\fP | |
1461 | -Where state is a comma separated list of the connection states to | |
1462 | -match. Possible states are | |
1463 | -.B INVALID | |
1464 | -meaning that the packet could not be identified for some reason which | |
1465 | -includes running out of memory and ICMP errors which don't correspond to any | |
1466 | -known connection, | |
1467 | -.B ESTABLISHED | |
1468 | -meaning that the packet is associated with a connection which has seen | |
1469 | -packets in both directions, | |
1470 | -.B NEW | |
1471 | -meaning that the packet has started a new connection, or otherwise | |
1472 | -associated with a connection which has not seen packets in both | |
1473 | -directions, and | |
1474 | -.B RELATED | |
1475 | -meaning that the packet is starting a new connection, but is | |
1476 | -associated with an existing connection, such as an FTP data transfer, | |
1477 | -or an ICMP error. | |
1478 | -.B UNTRACKED | |
1479 | -meaning that the packet is not tracked at all, which happens if you use | |
1480 | -the NOTRACK target in raw table. | |
1481 | -.SS statistic | |
1482 | -This module matches packets based on some statistic condition. | |
1483 | -It supports two distinct modes settable with the | |
1484 | -\fB\-\-mode\fP | |
1485 | -option. | |
1486 | -.PP | |
1487 | -Supported options: | |
1488 | -.TP | |
1489 | -\fB\-\-mode\fP \fImode\fP | |
1490 | -Set the matching mode of the matching rule, supported modes are | |
1491 | -.B random | |
1492 | -and | |
1493 | -.B nth. | |
1494 | -.TP | |
1495 | -[\fB!\fP] \fB\-\-probability\fP \fIp\fP | |
1496 | -Set the probability for a packet to be randomly matched. It only works with the | |
1497 | -\fBrandom\fP mode. \fIp\fP must be within 0.0 and 1.0. The supported | |
1498 | -granularity is in 1/2147483648th increments. | |
1499 | -.TP | |
1500 | -[\fB!\fP] \fB\-\-every\fP \fIn\fP | |
1501 | -Match one packet every nth packet. It works only with the | |
1502 | -.B nth | |
1503 | -mode (see also the | |
1504 | -\fB\-\-packet\fP | |
1505 | -option). | |
1506 | -.TP | |
1507 | -\fB\-\-packet\fP \fIp\fP | |
1508 | -Set the initial counter value (0 <= p <= n\-1, default 0) for the | |
1509 | -.B nth | |
1510 | -mode. | |
1511 | -.SS string | |
1512 | -This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14. | |
1513 | -.TP | |
1514 | -\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP} | |
1515 | -Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris) | |
1516 | -.TP | |
1517 | -\fB\-\-from\fP \fIoffset\fP | |
1518 | -Set the offset from which it starts looking for any matching. If not passed, default is 0. | |
1519 | -.TP | |
1520 | -\fB\-\-to\fP \fIoffset\fP | |
1521 | -Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1 | |
1522 | -(counting from 0) is the last one that is scanned. | |
1523 | -If not passed, default is the packet size. | |
1524 | -.TP | |
1525 | -[\fB!\fP] \fB\-\-string\fP \fIpattern\fP | |
1526 | -Matches the given pattern. | |
1527 | -.TP | |
1528 | -[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP | |
1529 | -Matches the given pattern in hex notation. | |
1530 | -.SS tcp | |
1531 | -These extensions can be used if `\-\-protocol tcp' is specified. It | |
1532 | -provides the following options: | |
1533 | -.TP | |
1534 | -[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1535 | -Source port or port range specification. This can either be a service | |
1536 | -name or a port number. An inclusive range can also be specified, | |
1537 | -using the format \fIfirst\fP\fB:\fP\fIlast\fP. | |
1538 | -If the first port is omitted, "0" is assumed; if the last is omitted, | |
1539 | -"65535" is assumed. | |
1540 | -If the first port is greater than the second one they will be swapped. | |
1541 | -The flag | |
1542 | -\fB\-\-sport\fP | |
1543 | -is a convenient alias for this option. | |
1544 | -.TP | |
1545 | -[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1546 | -Destination port or port range specification. The flag | |
1547 | -\fB\-\-dport\fP | |
1548 | -is a convenient alias for this option. | |
1549 | -.TP | |
1550 | -[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP | |
1551 | -Match when the TCP flags are as specified. The first argument \fImask\fP is the | |
1552 | -flags which we should examine, written as a comma-separated list, and | |
1553 | -the second argument \fIcomp\fP is a comma-separated list of flags which must be | |
1554 | -set. Flags are: | |
1555 | -.BR "SYN ACK FIN RST URG PSH ALL NONE" . | |
1556 | -Hence the command | |
1557 | -.nf | |
1558 | - iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN | |
1559 | -.fi | |
1560 | -will only match packets with the SYN flag set, and the ACK, FIN and | |
1561 | -RST flags unset. | |
1562 | -.TP | |
1563 | -[\fB!\fP] \fB\-\-syn\fP | |
1564 | -Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits | |
1565 | -cleared. Such packets are used to request TCP connection initiation; | |
1566 | -for example, blocking such packets coming in an interface will prevent | |
1567 | -incoming TCP connections, but outgoing TCP connections will be | |
1568 | -unaffected. | |
1569 | -It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP. | |
1570 | -If the "!" flag precedes the "\-\-syn", the sense of the | |
1571 | -option is inverted. | |
1572 | -.TP | |
1573 | -[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP | |
1574 | -Match if TCP option set. | |
1575 | -.SS tcpmss | |
1576 | -This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. | |
1577 | -.TP | |
1578 | -[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP] | |
1579 | -Match a given TCP MSS value or range. | |
1580 | -.SS time | |
1581 | -This matches if the packet arrival time/date is within a given range. All | |
1582 | -options are optional, but are ANDed when specified. All times are interpreted | |
1583 | -as UTC by default. | |
1584 | -.TP | |
1585 | -\fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]] | |
1586 | -.TP | |
1587 | -\fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]] | |
1588 | -Only match during the given time, which must be in ISO 8601 "T" notation. | |
1589 | -The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07. | |
1590 | -.IP | |
1591 | -If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01 | |
1592 | -and 2038-01-19, respectively. | |
1593 | -.TP | |
1594 | -\fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP] | |
1595 | -.TP | |
1596 | -\fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP] | |
1597 | -Only match during the given daytime. The possible time range is 00:00:00 to | |
1598 | -23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted | |
1599 | -as base-10. | |
1600 | -.TP | |
1601 | -[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...] | |
1602 | -Only match on the given days of the month. Possible values are \fB1\fP | |
1603 | -to \fB31\fP. Note that specifying \fB31\fP will of course not match | |
1604 | -on months which do not have a 31st day; the same goes for 28- or 29-day | |
1605 | -February. | |
1606 | -.TP | |
1607 | -[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...] | |
1608 | -Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP, | |
1609 | -\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP | |
1610 | -to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP, | |
1611 | -\fBTu\fP, etc.). | |
1612 | -.TP | |
1613 | -\fB\-\-kerneltz\fP | |
1614 | -Use the kernel timezone instead of UTC to determine whether a packet meets the | |
1615 | -time regulations. | |
1616 | -.PP | |
1617 | -About kernel timezones: Linux keeps the system time in UTC, and always does so. | |
1618 | -On boot, system time is initialized from a referential time source. Where this | |
1619 | -time source has no timezone information, such as the x86 CMOS RTC, UTC will be | |
1620 | -assumed. If the time source is however not in UTC, userspace should provide the | |
1621 | -correct system time and timezone to the kernel once it has the information. | |
1622 | -.PP | |
1623 | -Local time is a feature on top of the (timezone independent) system time. Each | |
1624 | -process has its own idea of local time, specified via the TZ environment | |
1625 | -variable. The kernel also has its own timezone offset variable. The TZ | |
1626 | -userspace environment variable specifies how the UTC-based system time is | |
1627 | -displayed, e.g. when you run date(1), or what you see on your desktop clock. | |
1628 | -The TZ string may resolve to different offsets at different dates, which is | |
1629 | -what enables the automatic time-jumping in userspace. when DST changes. The | |
1630 | -kernel's timezone offset variable is used when it has to convert between | |
1631 | -non-UTC sources, such as FAT filesystems, to UTC (since the latter is what the | |
1632 | -rest of the system uses). | |
1633 | -.PP | |
1634 | -The caveat with the kernel timezone is that Linux distributions may ignore to | |
1635 | -set the kernel timezone, and instead only set the system time. Even if a | |
1636 | -particular distribution does set the timezone at boot, it is usually does not | |
1637 | -keep the kernel timezone offset - which is what changes on DST - up to date. | |
1638 | -ntpd will not touch the kernel timezone, so running it will not resolve the | |
1639 | -issue. As such, one may encounter a timezone that is always +0000, or one that | |
1640 | -is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly | |
1641 | -discouraged.\fP | |
1642 | -.PP | |
1643 | -EXAMPLES. To match on weekends, use: | |
1644 | -.IP | |
1645 | -\-m time \-\-weekdays Sa,Su | |
1646 | -.PP | |
1647 | -Or, to match (once) on a national holiday block: | |
1648 | -.IP | |
1649 | -\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27 | |
1650 | -.PP | |
1651 | -Since the stop time is actually inclusive, you would need the following stop | |
1652 | -time to not match the first second of the new day: | |
1653 | -.IP | |
1654 | -\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59 | |
1655 | -.PP | |
1656 | -During lunch hour: | |
1657 | -.IP | |
1658 | -\-m time \-\-timestart 12:30 \-\-timestop 13:30 | |
1659 | -.PP | |
1660 | -The fourth Friday in the month: | |
1661 | -.IP | |
1662 | -\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28 | |
1663 | -.PP | |
1664 | -(Note that this exploits a certain mathematical property. It is not possible to | |
1665 | -say "fourth Thursday OR fourth Friday" in one rule. It is possible with | |
1666 | -multiple rules, though.) | |
1667 | -.SS tos | |
1668 | -This module matches the 8-bit Type of Service field in the IPv4 header (i.e. | |
1669 | -including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6 | |
1670 | -header. | |
1671 | -.TP | |
1672 | -[\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1673 | -Matches packets with the given TOS mark value. If a mask is specified, it is | |
1674 | -logically ANDed with the TOS mark before the comparison. | |
1675 | -.TP | |
1676 | -[\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP | |
1677 | -You can specify a symbolic name when using the tos match for IPv4. The list of | |
1678 | -recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP. | |
1679 | -Note that this implies a mask of 0x3F, i.e. all but the ECN bits. | |
1680 | -.SS ttl | |
1681 | -This module matches the time to live field in the IP header. | |
1682 | -.TP | |
1683 | -[\fB!\fP] \fB\-\-ttl\-eq\fP \fIttl\fP | |
1684 | -Matches the given TTL value. | |
1685 | -.TP | |
1686 | -\fB\-\-ttl\-gt\fP \fIttl\fP | |
1687 | -Matches if TTL is greater than the given TTL value. | |
1688 | -.TP | |
1689 | -\fB\-\-ttl\-lt\fP \fIttl\fP | |
1690 | -Matches if TTL is less than the given TTL value. | |
1691 | -.SS u32 | |
1692 | -U32 tests whether quantities of up to 4 bytes extracted from a packet have | |
1693 | -specified values. The specification of what to extract is general enough to | |
1694 | -find data at given offsets from tcp headers or payloads. | |
1695 | -.TP | |
1696 | -[\fB!\fP] \fB\-\-u32\fP \fItests\fP | |
1697 | -The argument amounts to a program in a small language described below. | |
1698 | -.IP | |
1699 | -tests := location "=" value | tests "&&" location "=" value | |
1700 | -.IP | |
1701 | -value := range | value "," range | |
1702 | -.IP | |
1703 | -range := number | number ":" number | |
1704 | -.PP | |
1705 | -a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is | |
1706 | -interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP. | |
1707 | -.IP "" 4 | |
1708 | -location := number | location operator number | |
1709 | -.IP "" 4 | |
1710 | -operator := "&" | "<<" | ">>" | "@" | |
1711 | -.PP | |
1712 | -The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C. | |
1713 | -The \fB=\fP is really a set membership operator and the value syntax describes | |
1714 | -a set. The \fB@\fP operator is what allows moving to the next header and is | |
1715 | -described further below. | |
1716 | -.PP | |
1717 | -There are currently some artificial implementation limits on the size of the | |
1718 | -tests: | |
1719 | -.IP " *" | |
1720 | -no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument | |
1721 | -.IP " *" | |
1722 | -no more than 10 ranges (and 9 commas) per value | |
1723 | -.IP " *" | |
1724 | -no more than 10 numbers (and 9 operators) per location | |
1725 | -.PP | |
1726 | -To describe the meaning of location, imagine the following machine that | |
1727 | -interprets it. There are three registers: | |
1728 | -.IP | |
1729 | -A is of type \fBchar *\fP, initially the address of the IP header | |
1730 | -.IP | |
1731 | -B and C are unsigned 32 bit integers, initially zero | |
1732 | -.PP | |
1733 | -The instructions are: | |
1734 | -.IP | |
1735 | -number B = number; | |
1736 | -.IP | |
1737 | -C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3) | |
1738 | -.IP | |
1739 | -&number C = C & number | |
1740 | -.IP | |
1741 | -<< number C = C << number | |
1742 | -.IP | |
1743 | ->> number C = C >> number | |
1744 | -.IP | |
1745 | -@number A = A + C; then do the instruction number | |
1746 | -.PP | |
1747 | -Any access of memory outside [skb\->data,skb\->end] causes the match to fail. | |
1748 | -Otherwise the result of the computation is the final value of C. | |
1749 | -.PP | |
1750 | -Whitespace is allowed but not required in the tests. However, the characters | |
1751 | -that do occur there are likely to require shell quoting, so it is a good idea | |
1752 | -to enclose the arguments in quotes. | |
1753 | -.PP | |
1754 | -Example: | |
1755 | -.IP | |
1756 | -match IP packets with total length >= 256 | |
1757 | -.IP | |
1758 | -The IP header contains a total length field in bytes 2-3. | |
1759 | -.IP | |
1760 | -\-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP" | |
1761 | -.IP | |
1762 | -read bytes 0-3 | |
1763 | -.IP | |
1764 | -AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range | |
1765 | -[0x100:0xFFFF] | |
1766 | -.PP | |
1767 | -Example: (more realistic, hence more complicated) | |
1768 | -.IP | |
1769 | -match ICMP packets with icmp type 0 | |
1770 | -.IP | |
1771 | -First test that it is an ICMP packet, true iff byte 9 (protocol) = 1 | |
1772 | -.IP | |
1773 | -\-\-u32 "\fB6 & 0xFF = 1 &&\fP ... | |
1774 | -.IP | |
1775 | -read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to | |
1776 | -1. Next test that it is not a fragment. (If so, it might be part of such a | |
1777 | -packet but we cannot always tell.) N.B.: This test is generally needed if you | |
1778 | -want to match anything beyond the IP header. The last 6 bits of byte 6 and all | |
1779 | -of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively, | |
1780 | -you can allow first fragments by only testing the last 5 bits of byte 6. | |
1781 | -.IP | |
1782 | - ... \fB4 & 0x3FFF = 0 &&\fP ... | |
1783 | -.IP | |
1784 | -Last test: the first byte past the IP header (the type) is 0. This is where we | |
1785 | -have to use the @syntax. The length of the IP header (IHL) in 32 bit words is | |
1786 | -stored in the right half of byte 0 of the IP header itself. | |
1787 | -.IP | |
1788 | - ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP" | |
1789 | -.IP | |
1790 | -The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the | |
1791 | -right. Shifting 24 bits would give the first byte, so only 22 bits is four | |
1792 | -times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits | |
1793 | -on the right and the first four bits of the first byte. For instance, if IHL=5, | |
1794 | -then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in | |
1795 | -binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and | |
1796 | -\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into | |
1797 | -the packet, and read four bytes starting from there. This is the first 4 bytes | |
1798 | -of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply | |
1799 | -shift the value 24 to the right to throw out all but the first byte and compare | |
1800 | -the result with 0. | |
1801 | -.PP | |
1802 | -Example: | |
1803 | -.IP | |
1804 | -TCP payload bytes 8-12 is any of 1, 2, 5 or 8 | |
1805 | -.IP | |
1806 | -First we test that the packet is a tcp packet (similar to ICMP). | |
1807 | -.IP | |
1808 | -\-\-u32 "\fB6 & 0xFF = 6 &&\fP ... | |
1809 | -.IP | |
1810 | -Next, test that it is not a fragment (same as above). | |
1811 | -.IP | |
1812 | - ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP" | |
1813 | -.IP | |
1814 | -\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP | |
1815 | -makes this the new offset into the packet, which is the start of the TCP | |
1816 | -header. The length of the TCP header (again in 32 bit words) is the left half | |
1817 | -of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes | |
1818 | -(similar to the IP header before). "@" makes this the new offset, which is the | |
1819 | -start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and | |
1820 | -\fB=\fP checks whether the result is any of 1, 2, 5 or 8. | |
1821 | -.SS udp | |
1822 | -These extensions can be used if `\-\-protocol udp' is specified. It | |
1823 | -provides the following options: | |
1824 | -.TP | |
1825 | -[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1826 | -Source port or port range specification. | |
1827 | -See the description of the | |
1828 | -\fB\-\-source\-port\fP | |
1829 | -option of the TCP extension for details. | |
1830 | -.TP | |
1831 | -[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] | |
1832 | -Destination port or port range specification. | |
1833 | -See the description of the | |
1834 | -\fB\-\-destination\-port\fP | |
1835 | -option of the TCP extension for details. | |
1836 | -.SS unclean | |
1837 | -This module takes no options, but attempts to match packets which seem | |
1838 | -malformed or unusual. This is regarded as experimental. | |
1839 | -.SH TARGET EXTENSIONS | |
1840 | -iptables can use extended target modules: the following are included | |
1841 | -in the standard distribution. | |
1842 | -.\" @TARGET@ | |
1843 | -.SS AUDIT | |
1844 | -This target allows to create audit records for packets hitting the target. | |
1845 | -It can be used to record accepted, dropped, and rejected packets. See | |
1846 | -auditd(8) for additional details. | |
1847 | -.TP | |
1848 | -\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP} | |
1849 | -Set type of audit record. | |
1850 | -.PP | |
1851 | -Example: | |
1852 | -.IP | |
1853 | -iptables \-N AUDIT_DROP | |
1854 | -.IP | |
1855 | -iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop | |
1856 | -.IP | |
1857 | -iptables \-A AUDIT_DROP \-j DROP | |
1858 | -.SS CHECKSUM | |
1859 | -This target allows to selectively work around broken/old applications. | |
1860 | -It can only be used in the mangle table. | |
1861 | -.TP | |
1862 | -\fB\-\-checksum\-fill\fP | |
1863 | -Compute and fill in the checksum in a packet that lacks a checksum. | |
1864 | -This is particularly useful, if you need to work around old applications | |
1865 | -such as dhcp clients, that do not work well with checksum offloads, | |
1866 | -but don't want to disable checksum offload in your device. | |
1867 | -.SS CLASSIFY | |
1868 | -This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class). | |
1869 | -.TP | |
1870 | -\fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP | |
1871 | -Set the major and minor class value. The values are always interpreted as | |
1872 | -hexadecimal even if no 0x prefix is given. | |
1873 | -.SS CLUSTERIP | |
1874 | -This module allows you to configure a simple cluster of nodes that share | |
1875 | -a certain IP and MAC address without an explicit load balancer in front of | |
1876 | -them. Connections are statically distributed between the nodes in this | |
1877 | -cluster. | |
1878 | -.TP | |
1879 | -\fB\-\-new\fP | |
1880 | -Create a new ClusterIP. You always have to set this on the first rule | |
1881 | -for a given ClusterIP. | |
1882 | -.TP | |
1883 | -\fB\-\-hashmode\fP \fImode\fP | |
1884 | -Specify the hashing mode. Has to be one of | |
1885 | -\fBsourceip\fP, \fBsourceip\-sourceport\fP, \fBsourceip\-sourceport\-destport\fP. | |
1886 | -.TP | |
1887 | -\fB\-\-clustermac\fP \fImac\fP | |
1888 | -Specify the ClusterIP MAC address. Has to be a link\-layer multicast address | |
1889 | -.TP | |
1890 | -\fB\-\-total\-nodes\fP \fInum\fP | |
1891 | -Number of total nodes within this cluster. | |
1892 | -.TP | |
1893 | -\fB\-\-local\-node\fP \fInum\fP | |
1894 | -Local node number within this cluster. | |
1895 | -.TP | |
1896 | -\fB\-\-hash\-init\fP \fIrnd\fP | |
1897 | -Specify the random seed used for hash initialization. | |
1898 | -.SS CONNMARK | |
1899 | -This module sets the netfilter mark value associated with a connection. The | |
1900 | -mark is 32 bits wide. | |
1901 | -.TP | |
1902 | -\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1903 | -Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark. | |
1904 | -.TP | |
1905 | -\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] | |
1906 | -Copy the packet mark (nfmark) to the connection mark (ctmark) using the given | |
1907 | -masks. The new nfmark value is determined as follows: | |
1908 | -.IP | |
1909 | -ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) | |
1910 | -.IP | |
1911 | -i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the | |
1912 | -nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to | |
1913 | -0xFFFFFFFF. | |
1914 | -.TP | |
1915 | -\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] | |
1916 | -Copy the connection mark (ctmark) to the packet mark (nfmark) using the given | |
1917 | -masks. The new ctmark value is determined as follows: | |
1918 | -.IP | |
1919 | -nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP); | |
1920 | -.IP | |
1921 | -i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the | |
1922 | -ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to | |
1923 | -0xFFFFFFFF. | |
1924 | -.IP | |
1925 | -\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table. | |
1926 | -.PP | |
1927 | -The following mnemonics are available for \fB\-\-set\-xmark\fP: | |
1928 | -.TP | |
1929 | -\fB\-\-and\-mark\fP \fIbits\fP | |
1930 | -Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark | |
1931 | -0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) | |
1932 | -.TP | |
1933 | -\fB\-\-or\-mark\fP \fIbits\fP | |
1934 | -Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
1935 | -\fIbits\fP\fB/\fP\fIbits\fP.) | |
1936 | -.TP | |
1937 | -\fB\-\-xor\-mark\fP \fIbits\fP | |
1938 | -Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
1939 | -\fIbits\fP\fB/0\fP.) | |
1940 | -.TP | |
1941 | -\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
1942 | -Set the connection mark. If a mask is specified then only those bits set in the | |
1943 | -mask are modified. | |
1944 | -.TP | |
1945 | -\fB\-\-save\-mark\fP [\fB\-\-mask\fP \fImask\fP] | |
1946 | -Copy the nfmark to the ctmark. If a mask is specified, only those bits are | |
1947 | -copied. | |
1948 | -.TP | |
1949 | -\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP] | |
1950 | -Copy the ctmark to the nfmark. If a mask is specified, only those bits are | |
1951 | -copied. This is only valid in the \fBmangle\fP table. | |
1952 | -.SS CONNSECMARK | |
1953 | -This module copies security markings from packets to connections | |
1954 | -(if unlabeled), and from connections back to packets (also only | |
1955 | -if unlabeled). Typically used in conjunction with SECMARK, it is | |
1956 | -valid in the | |
1957 | -.B security | |
1958 | -table (for backwards compatibility with older kernels, it is also | |
1959 | -valid in the | |
1960 | -.B mangle | |
1961 | -table). | |
1962 | -.TP | |
1963 | -\fB\-\-save\fP | |
1964 | -If the packet has a security marking, copy it to the connection | |
1965 | -if the connection is not marked. | |
1966 | -.TP | |
1967 | -\fB\-\-restore\fP | |
1968 | -If the packet does not have a security marking, and the connection | |
1969 | -does, copy the security marking from the connection to the packet. | |
1970 | - | |
1971 | -.SS CT | |
1972 | -The CT target allows to set parameters for a packet or its associated | |
1973 | -connection. The target attaches a "template" connection tracking entry to | |
1974 | -the packet, which is then used by the conntrack core when initializing | |
1975 | -a new ct entry. This target is thus only valid in the "raw" table. | |
1976 | -.TP | |
1977 | -\fB\-\-notrack\fP | |
1978 | -Disables connection tracking for this packet. | |
1979 | -.TP | |
1980 | -\fB\-\-helper\fP \fIname\fP | |
1981 | -Use the helper identified by \fIname\fP for the connection. This is more | |
1982 | -flexible than loading the conntrack helper modules with preset ports. | |
1983 | -.TP | |
1984 | -\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...] | |
1985 | -Only generate the specified conntrack events for this connection. Possible | |
1986 | -event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP, | |
1987 | -\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to | |
1988 | -the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark). | |
1989 | -.TP | |
1990 | -\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...] | |
1991 | -Only generate the specified expectation events for this connection. | |
1992 | -Possible event types are: \fBnew\fP. | |
1993 | -.TP | |
1994 | -\fB\-\-zone\fP \fIid\fP | |
1995 | -Assign this packet to zone \fIid\fP and only have lookups done in that zone. | |
1996 | -By default, packets have zone 0. | |
1997 | -.SS DNAT | |
1998 | -This target is only valid in the | |
1999 | -.B nat | |
2000 | -table, in the | |
2001 | -.B PREROUTING | |
2002 | -and | |
2003 | -.B OUTPUT | |
2004 | -chains, and user-defined chains which are only called from those | |
2005 | -chains. It specifies that the destination address of the packet | |
2006 | -should be modified (and all future packets in this connection will | |
2007 | -also be mangled), and rules should cease being examined. It takes one | |
2008 | -type of option: | |
2009 | -.TP | |
2010 | -\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]] | |
2011 | -which can specify a single new destination IP address, an inclusive | |
2012 | -range of IP addresses, and optionally, a port range (which is only | |
2013 | -valid if the rule also specifies | |
2014 | -\fB\-p tcp\fP | |
2015 | -or | |
2016 | -\fB\-p udp\fP). | |
2017 | -If no port range is specified, then the destination port will never be | |
2018 | -modified. If no IP address is specified then only the destination port | |
2019 | -will be modified. | |
2020 | - | |
2021 | -In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For | |
2022 | -those kernels, if you specify more than one destination address, either via an | |
2023 | -address range or multiple \-\-to\-destination options, a simple round-robin (one | |
2024 | -after another in cycle) load balancing takes place between these addresses. | |
2025 | -Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges | |
2026 | -anymore. | |
2027 | -.TP | |
2028 | -\fB\-\-random\fP | |
2029 | -If option | |
2030 | -\fB\-\-random\fP | |
2031 | -is used then port mapping will be randomized (kernel >= 2.6.22). | |
2032 | -.TP | |
2033 | -\fB\-\-persistent\fP | |
2034 | -Gives a client the same source-/destination-address for each connection. | |
2035 | -This supersedes the SAME target. Support for persistent mappings is available | |
2036 | -from 2.6.29-rc2. | |
2037 | -.SS DSCP | |
2038 | -This target allows to alter the value of the DSCP bits within the TOS | |
2039 | -header of the IPv4 packet. As this manipulates a packet, it can only | |
2040 | -be used in the mangle table. | |
2041 | -.TP | |
2042 | -\fB\-\-set\-dscp\fP \fIvalue\fP | |
2043 | -Set the DSCP field to a numerical value (can be decimal or hex) | |
2044 | -.TP | |
2045 | -\fB\-\-set\-dscp\-class\fP \fIclass\fP | |
2046 | -Set the DSCP field to a DiffServ class. | |
2047 | -.SS ECN | |
2048 | -This target allows to selectively work around known ECN blackholes. | |
2049 | -It can only be used in the mangle table. | |
2050 | -.TP | |
2051 | -\fB\-\-ecn\-tcp\-remove\fP | |
2052 | -Remove all ECN bits from the TCP header. Of course, it can only be used | |
2053 | -in conjunction with | |
2054 | -\fB\-p tcp\fP. | |
2055 | -.SS IDLETIMER | |
2056 | -This target can be used to identify when interfaces have been idle for a | |
2057 | -certain period of time. Timers are identified by labels and are created when | |
2058 | -a rule is set with a new label. The rules also take a timeout value (in | |
2059 | -seconds) as an option. If more than one rule uses the same timer label, the | |
2060 | -timer will be restarted whenever any of the rules get a hit. One entry for | |
2061 | -each timer is created in sysfs. This attribute contains the timer remaining | |
2062 | -for the timer to expire. The attributes are located under the xt_idletimer | |
2063 | -class: | |
2064 | -.PP | |
2065 | -/sys/class/xt_idletimer/timers/<label> | |
2066 | -.PP | |
2067 | -When the timer expires, the target module sends a sysfs notification to the | |
2068 | -userspace, which can then decide what to do (eg. disconnect to save power). | |
2069 | -.TP | |
2070 | -\fB\-\-timeout\fP \fIamount\fP | |
2071 | -This is the time in seconds that will trigger the notification. | |
2072 | -.TP | |
2073 | -\fB\-\-label\fP \fIstring\fP | |
2074 | -This is a unique identifier for the timer. The maximum length for the | |
2075 | -label string is 27 characters. | |
2076 | -.SS LOG | |
2077 | -Turn on kernel logging of matching packets. When this option is set | |
2078 | -for a rule, the Linux kernel will print some information on all | |
2079 | -matching packets (like most IP header fields) via the kernel log | |
2080 | -(where it can be read with | |
2081 | -.I dmesg | |
2082 | -or | |
2083 | -.IR syslogd (8)). | |
2084 | -This is a "non-terminating target", i.e. rule traversal continues at | |
2085 | -the next rule. So if you want to LOG the packets you refuse, use two | |
2086 | -separate rules with the same matching criteria, first using target LOG | |
2087 | -then DROP (or REJECT). | |
2088 | -.TP | |
2089 | -\fB\-\-log\-level\fP \fIlevel\fP | |
2090 | -Level of logging (numeric or see \fIsyslog.conf\fP(5)). | |
2091 | -.TP | |
2092 | -\fB\-\-log\-prefix\fP \fIprefix\fP | |
2093 | -Prefix log messages with the specified prefix; up to 29 letters long, | |
2094 | -and useful for distinguishing messages in the logs. | |
2095 | -.TP | |
2096 | -\fB\-\-log\-tcp\-sequence\fP | |
2097 | -Log TCP sequence numbers. This is a security risk if the log is | |
2098 | -readable by users. | |
2099 | -.TP | |
2100 | -\fB\-\-log\-tcp\-options\fP | |
2101 | -Log options from the TCP packet header. | |
2102 | -.TP | |
2103 | -\fB\-\-log\-ip\-options\fP | |
2104 | -Log options from the IP packet header. | |
2105 | -.TP | |
2106 | -\fB\-\-log\-uid\fP | |
2107 | -Log the userid of the process which generated the packet. | |
2108 | -.SS MARK | |
2109 | -This target is used to set the Netfilter mark value associated with the packet. | |
2110 | -It can, for example, be used in conjunction with routing based on fwmark (needs | |
2111 | -iproute2). If you plan on doing so, note that the mark needs to be set in the | |
2112 | -PREROUTING chain of the mangle table to affect routing. | |
2113 | -The mark field is 32 bits wide. | |
2114 | -.TP | |
2115 | -\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2116 | -Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the packet | |
2117 | -mark ("nfmark"). If \fImask\fP is omitted, 0xFFFFFFFF is assumed. | |
2118 | -.TP | |
2119 | -\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2120 | -Zeroes out the bits given by \fImask\fP and ORs \fIvalue\fP into the packet | |
2121 | -mark. If \fImask\fP is omitted, 0xFFFFFFFF is assumed. | |
2122 | -.PP | |
2123 | -The following mnemonics are available: | |
2124 | -.TP | |
2125 | -\fB\-\-and\-mark\fP \fIbits\fP | |
2126 | -Binary AND the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark | |
2127 | -0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) | |
2128 | -.TP | |
2129 | -\fB\-\-or\-mark\fP \fIbits\fP | |
2130 | -Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
2131 | -\fIbits\fP\fB/\fP\fIbits\fP.) | |
2132 | -.TP | |
2133 | -\fB\-\-xor\-mark\fP \fIbits\fP | |
2134 | -Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP | |
2135 | -\fIbits\fP\fB/0\fP.) | |
2136 | -.SS MASQUERADE | |
2137 | -This target is only valid in the | |
2138 | -.B nat | |
2139 | -table, in the | |
2140 | -.B POSTROUTING | |
2141 | -chain. It should only be used with dynamically assigned IP (dialup) | |
2142 | -connections: if you have a static IP address, you should use the SNAT | |
2143 | -target. Masquerading is equivalent to specifying a mapping to the IP | |
2144 | -address of the interface the packet is going out, but also has the | |
2145 | -effect that connections are | |
2146 | -.I forgotten | |
2147 | -when the interface goes down. This is the correct behavior when the | |
2148 | -next dialup is unlikely to have the same interface address (and hence | |
2149 | -any established connections are lost anyway). | |
2150 | -.TP | |
2151 | -\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP] | |
2152 | -This specifies a range of source ports to use, overriding the default | |
2153 | -.B SNAT | |
2154 | -source port-selection heuristics (see above). This is only valid | |
2155 | -if the rule also specifies | |
2156 | -\fB\-p tcp\fP | |
2157 | -or | |
2158 | -\fB\-p udp\fP. | |
2159 | -.TP | |
2160 | -\fB\-\-random\fP | |
2161 | -Randomize source port mapping | |
2162 | -If option | |
2163 | -\fB\-\-random\fP | |
2164 | -is used then port mapping will be randomized (kernel >= 2.6.21). | |
2165 | -.RS | |
2166 | -.PP | |
2167 | -.SS MIRROR | |
2168 | -This is an experimental demonstration target which inverts the source | |
2169 | -and destination fields in the IP header and retransmits the packet. | |
2170 | -It is only valid in the | |
2171 | -.BR INPUT , | |
2172 | -.B FORWARD | |
2173 | -and | |
2174 | -.B PREROUTING | |
2175 | -chains, and user-defined chains which are only called from those | |
2176 | -chains. Note that the outgoing packets are | |
2177 | -.B NOT | |
2178 | -seen by any packet filtering chains, connection tracking or NAT, to | |
2179 | -avoid loops and other problems. | |
2180 | -.SS NETMAP | |
2181 | -This target allows you to statically map a whole network of addresses onto | |
2182 | -another network of addresses. It can only be used from rules in the | |
2183 | -.B nat | |
2184 | -table. | |
2185 | -.TP | |
2186 | -\fB\-\-to\fP \fIaddress\fP[\fB/\fP\fImask\fP] | |
2187 | -Network address to map to. The resulting address will be constructed in the | |
2188 | -following way: All 'one' bits in the mask are filled in from the new `address'. | |
2189 | -All bits that are zero in the mask are filled in from the original address. | |
2190 | -.SS NFLOG | |
2191 | -This target provides logging of matching packets. When this target is | |
2192 | -set for a rule, the Linux kernel will pass the packet to the loaded | |
2193 | -logging backend to log the packet. This is usually used in combination | |
2194 | -with nfnetlink_log as logging backend, which will multicast the packet | |
2195 | -through a | |
2196 | -.IR netlink | |
2197 | -socket to the specified multicast group. One or more userspace processes | |
2198 | -may subscribe to the group to receive the packets. Like LOG, this is a | |
2199 | -non-terminating target, i.e. rule traversal continues at the next rule. | |
2200 | -.TP | |
2201 | -\fB\-\-nflog\-group\fP \fInlgroup\fP | |
2202 | -The netlink group (0 - 2^16\-1) to which packets are (only applicable for | |
2203 | -nfnetlink_log). The default value is 0. | |
2204 | -.TP | |
2205 | -\fB\-\-nflog\-prefix\fP \fIprefix\fP | |
2206 | -A prefix string to include in the log message, up to 64 characters | |
2207 | -long, useful for distinguishing messages in the logs. | |
2208 | -.TP | |
2209 | -\fB\-\-nflog\-range\fP \fIsize\fP | |
2210 | -The number of bytes to be copied to userspace (only applicable for | |
2211 | -nfnetlink_log). nfnetlink_log instances may specify their own | |
2212 | -range, this option overrides it. | |
2213 | -.TP | |
2214 | -\fB\-\-nflog\-threshold\fP \fIsize\fP | |
2215 | -Number of packets to queue inside the kernel before sending them | |
2216 | -to userspace (only applicable for nfnetlink_log). Higher values | |
2217 | -result in less overhead per packet, but increase delay until the | |
2218 | -packets reach userspace. The default value is 1. | |
2219 | -.BR | |
2220 | -.SS NFQUEUE | |
2221 | -This target is an extension of the QUEUE target. As opposed to QUEUE, it allows | |
2222 | -you to put a packet into any specific queue, identified by its 16-bit queue | |
2223 | -number. | |
2224 | -It can only be used with Kernel versions 2.6.14 or later, since it requires | |
2225 | -the | |
2226 | -.B | |
2227 | -nfnetlink_queue | |
2228 | -kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31, | |
2229 | -\fBqueue-bypass\fP in 2.6.39. | |
2230 | -.TP | |
2231 | -\fB\-\-queue\-num\fP \fIvalue\fP | |
2232 | -This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0. | |
2233 | -.PP | |
2234 | -.TP | |
2235 | -\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP | |
2236 | -This specifies a range of queues to use. Packets are then balanced across the given queues. | |
2237 | -This is useful for multicore systems: start multiple instances of the userspace program on | |
2238 | -queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP". | |
2239 | -Packets belonging to the same connection are put into the same nfqueue. | |
2240 | -.PP | |
2241 | -.TP | |
2242 | -\fB\-\-queue\-bypass\fP | |
2243 | -By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued | |
2244 | -are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet | |
2245 | -will move on to the next rule. | |
2246 | -.SS NOTRACK | |
2247 | -This target disables connection tracking for all packets matching that rule. | |
2248 | -.PP | |
2249 | -It can only be used in the | |
2250 | -.B raw | |
2251 | -table. | |
2252 | -.SS RATEEST | |
2253 | -The RATEEST target collects statistics, performs rate estimation calculation | |
2254 | -and saves the results for later evaluation using the \fBrateest\fP match. | |
2255 | -.TP | |
2256 | -\fB\-\-rateest\-name\fP \fIname\fP | |
2257 | -Count matched packets into the pool referred to by \fIname\fP, which is freely | |
2258 | -choosable. | |
2259 | -.TP | |
2260 | -\fB\-\-rateest\-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP} | |
2261 | -Rate measurement interval, in seconds, milliseconds or microseconds. | |
2262 | -.TP | |
2263 | -\fB\-\-rateest\-ewmalog\fP \fIvalue\fP | |
2264 | -Rate measurement averaging time constant. | |
2265 | -.SS REDIRECT | |
2266 | -This target is only valid in the | |
2267 | -.B nat | |
2268 | -table, in the | |
2269 | -.B PREROUTING | |
2270 | -and | |
2271 | -.B OUTPUT | |
2272 | -chains, and user-defined chains which are only called from those | |
2273 | -chains. It redirects the packet to the machine itself by changing the | |
2274 | -destination IP to the primary address of the incoming interface | |
2275 | -(locally-generated packets are mapped to the 127.0.0.1 address). | |
2276 | -.TP | |
2277 | -\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP] | |
2278 | -This specifies a destination port or range of ports to use: without | |
2279 | -this, the destination port is never altered. This is only valid | |
2280 | -if the rule also specifies | |
2281 | -\fB\-p tcp\fP | |
2282 | -or | |
2283 | -\fB\-p udp\fP. | |
2284 | -.TP | |
2285 | -\fB\-\-random\fP | |
2286 | -If option | |
2287 | -\fB\-\-random\fP | |
2288 | -is used then port mapping will be randomized (kernel >= 2.6.22). | |
2289 | -.RS | |
2290 | -.PP | |
2291 | -.SS REJECT | |
2292 | -This is used to send back an error packet in response to the matched | |
2293 | -packet: otherwise it is equivalent to | |
2294 | -.B DROP | |
2295 | -so it is a terminating TARGET, ending rule traversal. | |
2296 | -This target is only valid in the | |
2297 | -.BR INPUT , | |
2298 | -.B FORWARD | |
2299 | -and | |
2300 | -.B OUTPUT | |
2301 | -chains, and user-defined chains which are only called from those | |
2302 | -chains. The following option controls the nature of the error packet | |
2303 | -returned: | |
2304 | -.TP | |
2305 | -\fB\-\-reject\-with\fP \fItype\fP | |
2306 | -The type given can be | |
2307 | -\fBicmp\-net\-unreachable\fP, | |
2308 | -\fBicmp\-host\-unreachable\fP, | |
2309 | -\fBicmp\-port\-unreachable\fP, | |
2310 | -\fBicmp\-proto\-unreachable\fP, | |
2311 | -\fBicmp\-net\-prohibited\fP, | |
2312 | -\fBicmp\-host\-prohibited\fP or | |
2313 | -\fBicmp\-admin\-prohibited\fP (*) | |
2314 | -which return the appropriate ICMP error message (\fBport\-unreachable\fP is | |
2315 | -the default). The option | |
2316 | -\fBtcp\-reset\fP | |
2317 | -can be used on rules which only match the TCP protocol: this causes a | |
2318 | -TCP RST packet to be sent back. This is mainly useful for blocking | |
2319 | -.I ident | |
2320 | -(113/tcp) probes which frequently occur when sending mail to broken mail | |
2321 | -hosts (which won't accept your mail otherwise). | |
2322 | -.PP | |
2323 | -(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT | |
2324 | -.SS SAME | |
2325 | -Similar to SNAT/DNAT depending on chain: it takes a range of addresses | |
2326 | -(`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same | |
2327 | -source-/destination-address for each connection. | |
2328 | -.PP | |
2329 | -N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target. | |
2330 | -.TP | |
2331 | -\fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP] | |
2332 | -Addresses to map source to. May be specified more than once for | |
2333 | -multiple ranges. | |
2334 | -.TP | |
2335 | -\fB\-\-nodst\fP | |
2336 | -Don't use the destination-ip in the calculations when selecting the | |
2337 | -new source-ip | |
2338 | -.TP | |
2339 | -\fB\-\-random\fP | |
2340 | -Port mapping will be forcibly randomized to avoid attacks based on | |
2341 | -port prediction (kernel >= 2.6.21). | |
2342 | -.SS SECMARK | |
2343 | -This is used to set the security mark value associated with the | |
2344 | -packet for use by security subsystems such as SELinux. It is | |
2345 | -valid in the | |
2346 | -.B security | |
2347 | -table (for backwards compatibility with older kernels, it is also | |
2348 | -valid in the | |
2349 | -.B mangle | |
2350 | -table). The mark is 32 bits wide. | |
2351 | -.TP | |
2352 | -\fB\-\-selctx\fP \fIsecurity_context\fP | |
2353 | -.SS SET | |
2354 | -This modules adds and/or deletes entries from IP sets which can be defined | |
2355 | -by ipset(8). | |
2356 | -.TP | |
2357 | -\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] | |
2358 | -add the address(es)/port(s) of the packet to the sets | |
2359 | -.TP | |
2360 | -\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] | |
2361 | -delete the address(es)/port(s) of the packet from the sets | |
2362 | -.IP | |
2363 | -where flags are | |
2364 | -.BR "src" | |
2365 | -and/or | |
2366 | -.BR "dst" | |
2367 | -specifications and there can be no more than six of them. | |
2368 | -.TP | |
2369 | -\fB\-\-timeout\fP \fIvalue\fP | |
2370 | -when adding entry, the timeout value to use instead of the default | |
2371 | -one from the set definition | |
2372 | -.TP | |
2373 | -\fB\-\-exist\fP | |
2374 | -when adding entry if it already exists, reset the timeout value | |
2375 | -to the specified one or to the default from the set definition | |
2376 | -.PP | |
2377 | -Use of -j SET requires that ipset kernel support is provided, which, for | |
2378 | -standard kernels, is the case since Linux 2.6.39. | |
2379 | -.SS SNAT | |
2380 | -This target is only valid in the | |
2381 | -.B nat | |
2382 | -table, in the | |
2383 | -.B POSTROUTING | |
2384 | -chain. It specifies that the source address of the packet should be | |
2385 | -modified (and all future packets in this connection will also be | |
2386 | -mangled), and rules should cease being examined. It takes one type | |
2387 | -of option: | |
2388 | -.TP | |
2389 | -\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]] | |
2390 | -which can specify a single new source IP address, an inclusive range | |
2391 | -of IP addresses, and optionally, a port range (which is only valid if | |
2392 | -the rule also specifies | |
2393 | -\fB\-p tcp\fP | |
2394 | -or | |
2395 | -\fB\-p udp\fP). | |
2396 | -If no port range is specified, then source ports below 512 will be | |
2397 | -mapped to other ports below 512: those between 512 and 1023 inclusive | |
2398 | -will be mapped to ports below 1024, and other ports will be mapped to | |
2399 | -1024 or above. Where possible, no port alteration will occur. | |
2400 | - | |
2401 | -In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those | |
2402 | -kernels, if you specify more than one source address, either via an address | |
2403 | -range or multiple \-\-to\-source options, a simple round-robin (one after another | |
2404 | -in cycle) takes place between these addresses. | |
2405 | -Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges | |
2406 | -anymore. | |
2407 | -.TP | |
2408 | -\fB\-\-random\fP | |
2409 | -If option | |
2410 | -\fB\-\-random\fP | |
2411 | -is used then port mapping will be randomized (kernel >= 2.6.21). | |
2412 | -.TP | |
2413 | -\fB\-\-persistent\fP | |
2414 | -Gives a client the same source-/destination-address for each connection. | |
2415 | -This supersedes the SAME target. Support for persistent mappings is available | |
2416 | -from 2.6.29-rc2. | |
2417 | -.SS TCPMSS | |
2418 | -This target allows to alter the MSS value of TCP SYN packets, to control | |
2419 | -the maximum size for that connection (usually limiting it to your | |
2420 | -outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). | |
2421 | -Of course, it can only be used | |
2422 | -in conjunction with | |
2423 | -\fB\-p tcp\fP. | |
2424 | -.PP | |
2425 | -This target is used to overcome criminally braindead ISPs or servers | |
2426 | -which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" | |
2427 | -packets. The symptoms of this | |
2428 | -problem are that everything works fine from your Linux | |
2429 | -firewall/router, but machines behind it can never exchange large | |
2430 | -packets: | |
2431 | -.IP 1. 4 | |
2432 | -Web browsers connect, then hang with no data received. | |
2433 | -.IP 2. 4 | |
2434 | -Small mail works fine, but large emails hang. | |
2435 | -.IP 3. 4 | |
2436 | -ssh works fine, but scp hangs after initial handshaking. | |
2437 | -.PP | |
2438 | -Workaround: activate this option and add a rule to your firewall | |
2439 | -configuration like: | |
2440 | -.IP | |
2441 | - iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN | |
2442 | - \-j TCPMSS \-\-clamp\-mss\-to\-pmtu | |
2443 | -.TP | |
2444 | -\fB\-\-set\-mss\fP \fIvalue\fP | |
2445 | -Explicitly sets MSS option to specified value. If the MSS of the packet is | |
2446 | -already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux | |
2447 | -2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS. | |
2448 | -.TP | |
2449 | -\fB\-\-clamp\-mss\-to\-pmtu\fP | |
2450 | -Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6). | |
2451 | -This may not function as desired where asymmetric routes with differing | |
2452 | -path MTU exist \(em the kernel uses the path MTU which it would use to send | |
2453 | -packets from itself to the source and destination IP addresses. Prior to | |
2454 | -Linux 2.6.25, only the path MTU to the destination IP address was | |
2455 | -considered by this option; subsequent kernels also consider the path MTU | |
2456 | -to the source IP address. | |
2457 | -.PP | |
2458 | -These options are mutually exclusive. | |
2459 | -.SS TCPOPTSTRIP | |
2460 | -This target will strip TCP options off a TCP packet. (It will actually replace | |
2461 | -them by NO-OPs.) As such, you will need to add the \fB\-p tcp\fP parameters. | |
2462 | -.TP | |
2463 | -\fB\-\-strip\-options\fP \fIoption\fP[\fB,\fP\fIoption\fP...] | |
2464 | -Strip the given option(s). The options may be specified by TCP option number or | |
2465 | -by symbolic name. The list of recognized options can be obtained by calling | |
2466 | -iptables with \fB\-j TCPOPTSTRIP \-h\fP. | |
2467 | -.SS TEE | |
2468 | -The \fBTEE\fP target will clone a packet and redirect this clone to another | |
2469 | -machine on the \fBlocal\fP network segment. In other words, the nexthop | |
2470 | -must be the target, or you will have to configure the nexthop to forward it | |
2471 | -further if so desired. | |
2472 | -.TP | |
2473 | -\fB\-\-gateway\fP \fIipaddr\fP | |
2474 | -Send the cloned packet to the host reachable at the given IP address. | |
2475 | -Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid. | |
2476 | -.PP | |
2477 | -To forward all incoming traffic on eth0 to an Network Layer logging box: | |
2478 | -.PP | |
2479 | -\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1 | |
2480 | -.SS TOS | |
2481 | -This module sets the Type of Service field in the IPv4 header (including the | |
2482 | -"precedence" bits) or the Priority field in the IPv6 header. Note that TOS | |
2483 | -shares the same bits as DSCP and ECN. The TOS target is only valid in the | |
2484 | -\fBmangle\fP table. | |
2485 | -.TP | |
2486 | -\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2487 | -Zeroes out the bits given by \fImask\fP (see NOTE below) and XORs \fIvalue\fP | |
2488 | -into the TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed. | |
2489 | -.TP | |
2490 | -\fB\-\-set\-tos\fP \fIsymbol\fP | |
2491 | -You can specify a symbolic name when using the TOS target for IPv4. It implies | |
2492 | -a mask of 0xFF (see NOTE below). The list of recognized TOS names can be | |
2493 | -obtained by calling iptables with \fB\-j TOS \-h\fP. | |
2494 | -.PP | |
2495 | -The following mnemonics are available: | |
2496 | -.TP | |
2497 | -\fB\-\-and\-tos\fP \fIbits\fP | |
2498 | -Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos | |
2499 | -0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP. | |
2500 | -See NOTE below.) | |
2501 | -.TP | |
2502 | -\fB\-\-or\-tos\fP \fIbits\fP | |
2503 | -Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP | |
2504 | -\fIbits\fP\fB/\fP\fIbits\fP. See NOTE below.) | |
2505 | -.TP | |
2506 | -\fB\-\-xor\-tos\fP \fIbits\fP | |
2507 | -Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP | |
2508 | -\fIbits\fP\fB/0\fP. See NOTE below.) | |
2509 | -.PP | |
2510 | -NOTE: In Linux kernels up to and including 2.6.38, with the exception of | |
2511 | -longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is | |
2512 | -a bug whereby IPv6 TOS mangling does not behave as documented and differs from | |
2513 | -the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it | |
2514 | -needs to be inverted before applying it to the original TOS field. However, the | |
2515 | -aformentioned kernels forgo the inversion which breaks --set-tos and its | |
2516 | -mnemonics. | |
2517 | -.SS TPROXY | |
2518 | -This target is only valid in the \fBmangle\fP table, in the \fBPREROUTING\fP | |
2519 | -chain and user-defined chains which are only called from this chain. It | |
2520 | -redirects the packet to a local socket without changing the packet header in | |
2521 | -any way. It can also change the mark value which can then be used in advanced | |
2522 | -routing rules. | |
2523 | -It takes three options: | |
2524 | -.TP | |
2525 | -\fB\-\-on\-port\fP \fIport\fP | |
2526 | -This specifies a destination port to use. It is a required option, 0 means the | |
2527 | -new destination port is the same as the original. This is only valid if the | |
2528 | -rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP. | |
2529 | -.TP | |
2530 | -\fB\-\-on\-ip\fP \fIaddress\fP | |
2531 | -This specifies a destination address to use. By default the address is the IP | |
2532 | -address of the incoming interface. This is only valid if the rule also | |
2533 | -specifies \fB\-p tcp\fP or \fB\-p udp\fP. | |
2534 | -.TP | |
2535 | -\fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] | |
2536 | -Marks packets with the given value/mask. The fwmark value set here can be used | |
2537 | -by advanced routing. (Required for transparent proxying to work: otherwise | |
2538 | -these packets will get forwarded, which is probably not what you want.) | |
2539 | -.SS TRACE | |
2540 | -This target marks packets so that the kernel will log every rule which match | |
2541 | -the packets as those traverse the tables, chains, rules. | |
2542 | -.PP | |
2543 | -A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this | |
2544 | -to be visible. | |
2545 | -The packets are logged with the string prefix: | |
2546 | -"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for | |
2547 | -plain rule, "return" for implicit rule at the end of a user defined chain | |
2548 | -and "policy" for the policy of the built in chains. | |
2549 | -.br | |
2550 | -It can only be used in the | |
2551 | -.BR raw | |
2552 | -table. | |
2553 | -.SS TTL | |
2554 | -This is used to modify the IPv4 TTL header field. The TTL field determines | |
2555 | -how many hops (routers) a packet can traverse until it's time to live is | |
2556 | -exceeded. | |
2557 | -.PP | |
2558 | -Setting or incrementing the TTL field can potentially be very dangerous, | |
2559 | -so it should be avoided at any cost. This target is only valid in | |
2560 | -.B mangle | |
2561 | -table. | |
2562 | -.PP | |
2563 | -.B Don't ever set or increment the value on packets that leave your local network! | |
2564 | -.TP | |
2565 | -\fB\-\-ttl\-set\fP \fIvalue\fP | |
2566 | -Set the TTL value to `value'. | |
2567 | -.TP | |
2568 | -\fB\-\-ttl\-dec\fP \fIvalue\fP | |
2569 | -Decrement the TTL value `value' times. | |
2570 | -.TP | |
2571 | -\fB\-\-ttl\-inc\fP \fIvalue\fP | |
2572 | -Increment the TTL value `value' times. | |
2573 | -.SS ULOG | |
2574 | -This target provides userspace logging of matching packets. When this | |
2575 | -target is set for a rule, the Linux kernel will multicast this packet | |
2576 | -through a | |
2577 | -.IR netlink | |
2578 | -socket. One or more userspace processes may then subscribe to various | |
2579 | -multicast groups and receive the packets. | |
2580 | -Like LOG, this is a "non-terminating target", i.e. rule traversal | |
2581 | -continues at the next rule. | |
2582 | -.TP | |
2583 | -\fB\-\-ulog\-nlgroup\fP \fInlgroup\fP | |
2584 | -This specifies the netlink group (1-32) to which the packet is sent. | |
2585 | -Default value is 1. | |
2586 | -.TP | |
2587 | -\fB\-\-ulog\-prefix\fP \fIprefix\fP | |
2588 | -Prefix log messages with the specified prefix; up to 32 characters | |
2589 | -long, and useful for distinguishing messages in the logs. | |
2590 | -.TP | |
2591 | -\fB\-\-ulog\-cprange\fP \fIsize\fP | |
2592 | -Number of bytes to be copied to userspace. A value of 0 always copies | |
2593 | -the entire packet, regardless of its size. Default is 0. | |
2594 | -.TP | |
2595 | -\fB\-\-ulog\-qthreshold\fP \fIsize\fP | |
2596 | -Number of packet to queue inside kernel. Setting this value to, e.g. 10 | |
2597 | -accumulates ten packets inside the kernel and transmits them as one | |
2598 | -netlink multipart message to userspace. Default is 1 (for backwards | |
2599 | -compatibility). | |
2600 | -.br | |
376 | +iptables can use extended packet matching and target modules. | |
377 | +A list of these is available in the \fBiptables\-extensions\fP(8) manpage. | |
2601 | 378 | .SH DIAGNOSTICS |
2602 | 379 | Various error messages are printed to standard error. The exit code |
2603 | 380 | is 0 for correct functioning. Errors which appear to be caused by |
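Review bot: this hunk drops the entire TOS/TPROXY/TRACE/TTL/ULOG target documentation (old lines 2495-2600) in favour of the two-line pointer at new lines 376-377, so the update is only complete if iptables-extensions.8 is actually imported as an original in the same revision and the Japanese iptables.8 and ip6tables.8 translations get the same restructuring. Until then the translations keep the inline target sections, including the security-relevant TTL warning ("Don't ever set or increment the value on packets that leave your local network!") and the IPv6 TOS-mask kernel note, while the original no longer carries them here; a reader comparing the two will think the translation is out of sync rather than merely structured differently.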
@@ -2632,8 +409,10 @@ seen previously. So the following options are handled differently: | ||
2632 | 409 | .fi |
2633 | 410 | There are several other changes in iptables. |
2634 | 411 | .SH SEE ALSO |
412 | +\fBiptables\-apply\fP(8), | |
2635 | 413 | \fBiptables\-save\fP(8), |
2636 | 414 | \fBiptables\-restore\fP(8), |
415 | +\fBiptables\-extensions\fP(8), | |
2637 | 416 | \fBip6tables\fP(8), |
2638 | 417 | \fBip6tables\-save\fP(8), |
2639 | 418 | \fBip6tables\-restore\fP(8), |
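Review bot: the two SEE ALSO additions (iptables-apply(8) at 412 and iptables-extensions(8) at 415) are consistent with the new reference at lines 376-377, but iptables-apply(8) is listed here while the translation list still marks it as untranslated, so the cross-reference will dangle in the Japanese tree; either translate it in this update or accept that the link points only at the original. Also confirm that ip6tables.8 receives the equivalent SEE ALSO entries, since this revision only shows its .TH line being bumped.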
@@ -2672,4 +451,4 @@ Man page originally written by Herve Eychenne <rv@wallfire.org>. | ||
2672 | 451 | .\" .. and most of all, modest .. |
2673 | 452 | .SH VERSION |
2674 | 453 | .PP |
2675 | -This manual page applies to iptables @PACKAGE_VERSION@. | |
454 | +This manual page applies to iptables 1.4.18. |
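Review bot: the old line carried the unsubstituted configure placeholder "@PACKAGE_VERSION@", which means the 1.4.13 original was imported from the source template (iptables.8.in) rather than from the generated man page; the new line hard-codes "1.4.18", so the 1.4.18 import was taken from a built tree. Import originals consistently from the generated files, otherwise a future update from the template will silently reintroduce the placeholder into the shipped page, and note in the commit log which file was used as the source.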
@@ -1,8 +1,8 @@ | ||
1 | 1 | diff --git a/manual/iptables/original/man3/libipq.3 b/manual/iptables/original/man3/libipq.3 |
2 | -index 1a0984d..a2dfbfb 100644 | |
2 | +index 611fcdf..e619c23 100644 | |
3 | 3 | --- a/manual/iptables/original/man3/libipq.3 |
4 | 4 | +++ b/manual/iptables/original/man3/libipq.3 |
5 | -@@ -48,9 +48,9 @@ and queued for userspace processing via the QUEUE target. For example, | |
5 | +@@ -46,9 +46,9 @@ and queued for userspace processing via the QUEUE target. For example, | |
6 | 6 | running the following commands: |
7 | 7 | .PP |
8 | 8 | # modprobe iptable_filter |
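Review bot: the stored libipq.3 patch is re-based by editing its index line and shifting its inner hunk header from "@@ -48,9 +48,9 @@" to "@@ -46,9 +46,9 @@" by hand, while the inner hunk changes "# iptables -A OUTPUT -p icmp -j QUEUE" to the groff-correct "# iptables \-A OUTPUT \-p icmp \-j QUEUE". Hand-editing offsets is fragile: regenerate the patch against the 1.4.18 libipq.3 with diff and verify it applies with patch --dry-run, since a wrong offset within the 9-line context will make the build apply the fix to the wrong lines or reject it.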
@@ -11,89 +11,6 @@ index 1a0984d..a2dfbfb 100644 | ||
11 | 11 | # modprobe ip_queue |
12 | 12 | -.br |
13 | 13 | +.br |
14 | - # iptables -A OUTPUT -p icmp -j QUEUE | |
14 | + # iptables \-A OUTPUT \-p icmp \-j QUEUE | |
15 | 15 | .PP |
16 | 16 | will cause any locally generated ICMP packets (e.g. ping output) to |
17 | -diff --git a/manual/iptables/original/man8/ip6tables-restore.8 b/manual/iptables/original/man8/ip6tables-restore.8 | |
18 | -index 43c1268..55e82ce 100644 | |
19 | ---- a/manual/iptables/original/man8/ip6tables-restore.8 | |
20 | -+++ b/manual/iptables/original/man8/ip6tables-restore.8 | |
21 | -@@ -33,7 +33,6 @@ I/O redirection provided by your shell to read from a file | |
22 | - restore the values of all packet and byte counters | |
23 | - .TP | |
24 | - \fB\-n\fR, \fB\-\-noflush\fR | |
25 | --.TP | |
26 | - don't flush the previous contents of the table. If not specified, | |
27 | - .B ip6tables-restore | |
28 | - flushes (deletes) all previous contents of the respective IPv6 Table. | |
29 | -diff --git a/manual/iptables/original/man8/ip6tables-save.8 b/manual/iptables/original/man8/ip6tables-save.8 | |
30 | -index c8b3e96..48c70a6 100644 | |
31 | ---- a/manual/iptables/original/man8/ip6tables-save.8 | |
32 | -+++ b/manual/iptables/original/man8/ip6tables-save.8 | |
33 | -@@ -33,7 +33,6 @@ to STDOUT. Use I/O-redirection provided by your shell to write to a file. | |
34 | - include the current values of all packet and byte counters in the output | |
35 | - .TP | |
36 | - \fB\-t\fR, \fB\-\-table\fR \fBtablename\fR | |
37 | --.TP | |
38 | - restrict output to only one table. If not specified, output includes all | |
39 | - available tables. | |
40 | - .SH BUGS | |
41 | -diff --git a/manual/iptables/original/man8/iptables-restore.8 b/manual/iptables/original/man8/iptables-restore.8 | |
42 | -index e2649e5..e80d943 100644 | |
43 | ---- a/manual/iptables/original/man8/iptables-restore.8 | |
44 | -+++ b/manual/iptables/original/man8/iptables-restore.8 | |
45 | -@@ -33,7 +33,6 @@ I/O redirection provided by your shell to read from a file | |
46 | - restore the values of all packet and byte counters | |
47 | - .TP | |
48 | - \fB\-n\fR, \fB\-\-noflush\fR | |
49 | --.TP | |
50 | - don't flush the previous contents of the table. If not specified, | |
51 | - .B iptables-restore | |
52 | - flushes (deletes) all previous contents of the respective IP Table. | |
53 | -diff --git a/manual/iptables/original/man8/iptables-save.8 b/manual/iptables/original/man8/iptables-save.8 | |
54 | -index f9c7d65..152e4db 100644 | |
55 | ---- a/manual/iptables/original/man8/iptables-save.8 | |
56 | -+++ b/manual/iptables/original/man8/iptables-save.8 | |
57 | -@@ -33,7 +33,6 @@ to STDOUT. Use I/O-redirection provided by your shell to write to a file. | |
58 | - include the current values of all packet and byte counters in the output | |
59 | - .TP | |
60 | - \fB\-t\fR, \fB\-\-table\fR \fBtablename\fR | |
61 | --.TP | |
62 | - restrict output to only one table. If not specified, output includes all | |
63 | - available tables. | |
64 | - .SH BUGS | |
65 | -diff --git a/manual/iptables/original/man8/iptables.8 b/manual/iptables/original/man8/iptables.8 | |
66 | -index b79f1ec..258fce3 100644 | |
67 | ---- a/manual/iptables/original/man8/iptables.8 | |
68 | -+++ b/manual/iptables/original/man8/iptables.8 | |
69 | -@@ -589,8 +589,8 @@ interface which begins with this name will match. Note that in the | |
70 | - chains one cannot match on the bridge output port, however one can in the | |
71 | - .B "filter OUTPUT" | |
72 | - chain. If the packet won't leave by a bridge device or it is yet unknown what | |
73 | --the output device will be, then the packet won't match this option, unless | |
74 | --'!' is used. | |
75 | -+the output device will be, then the packet won't match this option, | |
76 | -+unless '!' is used. | |
77 | - .TP | |
78 | - .B --physdev-is-in | |
79 | - Matches if the packet has entered through a bridge interface. | |
80 | -@@ -883,7 +883,8 @@ TCP RST packet to be sent back. This is mainly useful for blocking | |
81 | - .I ident | |
82 | - (113/tcp) probes which frequently occur when sending mail to broken mail | |
83 | - hosts (which won't accept your mail otherwise). | |
84 | --.TP | |
85 | -+.RS | |
86 | -+.PP | |
87 | - (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT | |
88 | - .SS SNAT | |
89 | - This target is only valid in the | |
90 | -@@ -1021,7 +1022,8 @@ refers to the output interface, and both are available for packets | |
91 | - entering the | |
92 | - .B FORWARD | |
93 | - chain. | |
94 | --.PP The various forms of NAT have been separated out; | |
95 | -+.PP | |
96 | -+The various forms of NAT have been separated out; | |
97 | - .B iptables | |
98 | - is a pure packet filter when using the default `filter' table, with | |
99 | - optional extension modules. This should simplify much of the previous |
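Review bot: this hunk deletes the stored fixes for ip6tables-restore.8, ip6tables-save.8, iptables-restore.8, iptables-save.8 and iptables.8 (the misplaced ".TP" before "don't flush..." and "restrict output...", the ".TP" to ".RS/.PP" change before the icmp-admin-prohibited note, and the ".PP The various forms of NAT" line break), but the commit message only says "Update original to 1.4.18" and does not state that these were fixed upstream. Dropping a local fix is only correct if the 1.4.18 original already contains it; confirm each one, and note that the physdev, REJECT and NAT hunks for iptables.8 could not apply to 1.4.18 in any case because that content moved out of iptables.8 into iptables-extensions.8, so those three should be re-checked against the new extensions page rather than simply discarded.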
@@ -1,19 +1,20 @@ | ||
1 | -×:iptables:1.4.13:2012/03/27:iptables-xml:1::::: | |
2 | -×:iptables:1.4.13:2012/03/27:ipq_create_handle:3::::: | |
3 | -※:iptables:1.4.13:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3: | |
4 | -×:iptables:1.4.13:2012/03/27:ipq_errstr:3::::: | |
5 | -※:iptables:1.4.13:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3: | |
6 | -※:iptables:1.4.13:2012/03/27:ipq_get_packet:3:ipq_message_type:3: | |
7 | -×:iptables:1.4.13:2012/03/27:ipq_message_type:3::::: | |
8 | -※:iptables:1.4.13:2012/03/27:ipq_perror:3:ipq_errstr:3: | |
9 | -×:iptables:1.4.13:2012/03/27:ipq_read:3::::: | |
10 | -×:iptables:1.4.13:2012/03/27:ipq_set_mode:3::::: | |
11 | -×:iptables:1.4.13:2012/03/27:ipq_set_verdict:3::::: | |
12 | -×:iptables:1.4.13:2012/03/27:libipq:3::::: | |
13 | -☆:iptables:1.2.9=>1.4.13:2012/03/27:ip6tables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO: | |
14 | -☆:iptables:1.2.9=>1.4.13:2012/03/27:ip6tables-restore:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO: | |
15 | -☆:iptables:1.2.9=>1.4.13:2012/03/27:ip6tables-save:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO: | |
16 | -☆:iptables:1.2.9=>1.4.13:2012/03/27:iptables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO: | |
17 | -×:iptables:1.4.13:2012/03/27:iptables-apply:8::::: | |
18 | -☆:iptables:1.2.9=>1.4.13:2012/03/27:iptables-restore:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO: | |
19 | -☆:iptables:1.2.9=>1.4.13:2012/03/27:iptables-save:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO: | |
1 | +×:iptables:1.4.18:2012/03/27:iptables-xml:1::::: | |
2 | +×:iptables:1.4.18:2012/03/27:ipq_create_handle:3::::: | |
3 | +※:iptables:1.4.18:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3: | |
4 | +×:iptables:1.4.18:2012/03/27:ipq_errstr:3::::: | |
5 | +※:iptables:1.4.18:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3: | |
6 | +※:iptables:1.4.18:2012/03/27:ipq_get_packet:3:ipq_message_type:3: | |
7 | +×:iptables:1.4.18:2012/03/27:ipq_message_type:3::::: | |
8 | +※:iptables:1.4.18:2012/03/27:ipq_perror:3:ipq_errstr:3: | |
9 | +×:iptables:1.4.18:2012/03/27:ipq_read:3::::: | |
10 | +×:iptables:1.4.18:2012/03/27:ipq_set_mode:3::::: | |
11 | +×:iptables:1.4.18:2012/03/27:ipq_set_verdict:3::::: | |
12 | +×:iptables:1.4.18:2012/03/27:libipq:3::::: | |
13 | +☆:iptables:1.2.9=>1.4.18:2013/03/03:ip6tables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO: | |
14 | +☆:iptables:1.2.9=>1.4.18:2013/03/03:ip6tables-restore:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO: | |
15 | +☆:iptables:1.2.9=>1.4.18:2012/03/27:ip6tables-save:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO: | |
16 | +☆:iptables:1.2.9=>1.4.18:2013/03/03:iptables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO: | |
17 | +×:iptables:1.4.18:2013/03/03:iptables-apply:8::::: | |
18 | +×:iptables:1.4.18:2013/03/03:iptables-extensions:8::::: | |
19 | +☆:iptables:1.2.9=>1.4.18:2013/03/03:iptables-restore:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO: | |
20 | +☆:iptables:1.2.9=>1.4.18:2012/03/27:iptables-save:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO: |
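Review bot: the version column is bumped to 1.4.18 on every entry, but the date column is updated to 2013/03/03 only on lines 13, 14, 16, 17, 18 and 19, while lines 1-12, 15 and 20 (iptables-xml, the libipq pages, ip6tables-save and iptables-save) keep 2012/03/27. If that column records when the original for the listed version was imported, every 1.4.18 entry should carry the same date; the libipq.3 entry in particular was touched in this very revision (its patch was re-based), so "1.4.18:2012/03/27" for it is inconsistent. Either update all dates together or document in the list's header that the date is the original file's own change date. The new line 18 for iptables-extensions:8 is correct and matches the new reference added to iptables.8.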