Lines Matching +full:ipv4 +full:- +full:single +full:- +full:target
5 .\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
26 iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and NAT
28 \fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
29 \fIchain\fP \fIrule-specification\fP
31 \fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
32 \fIchain rule-specification\fP
34 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\…
36 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum rule-specification\fP
38 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
40 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
42 \fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP} [\fIchain\fP [\fIrulenum\fP]…
44 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
46 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
48 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
50 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
52 rule-specification = [\fImatches...\fP] [\fItarget\fP]
54 match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
56 target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
59 tables of IPv4 and IPv6 packet
61 may be defined. Each table contains a number of built-in
62 chains and may also contain user-defined chains.
66 a `target', which may be a jump to a user-defined chain in the same
69 A firewall rule specifies criteria for a packet and a target. If the
72 target, which can be the name of a user-defined chain, one of the targets
73 described in \fBiptables\-extensions\fP(8), or one of the
80 previous (calling) chain. If the end of a built-in chain is reached
81 or a rule in a built-in chain with target \fBRETURN\fP
82 is matched, the target specified by the chain policy determines the
89 \fB\-t\fP, \fB\-\-table\fP \fItable\fP
99 This is the default table (if no \-t option is passed). It contains
100 the built-in chains \fBINPUT\fP (for packets destined to local sockets),
102 \fBOUTPUT\fP (for locally-generated packets).
106 connection is encountered. It consists of four built-ins: \fBPREROUTING\fP
109 (for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
115 2.4.17 it had two built-in chains: \fBPREROUTING\fP
117 (for altering locally-generated packets before routing).
118 Since kernel 2.4.18, three other built-in chains are also supported:
125 tracking in combination with the NOTRACK target. It registers at the netfilter
127 IP tables. It provides the following built-in chains: \fBPREROUTING\fP
137 before MAC rules. This table provides the following built-in chains:
139 \fBOUTPUT\fP (for altering locally-generated packets before routing), and
152 \fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
157 \fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
159 selected chain. This command uses the same logic as \fB\-D\fP to
163 \fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
166 \fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
171 \fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
177 \fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
182 \fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
187 iptables \-t nat \-n \-L
189 Please note that it is often used with the \fB\-n\fP
191 It is legal to specify the \fB\-Z\fP
196 iptables \-L \-v
199 \fBiptables\-save\fP(8).
201 \fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
203 chains are printed like iptables-save. Like every other iptables command,
206 \fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
210 \fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
214 \fB\-L\fP, \fB\-\-list\fP
218 \fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
219 Create a new user-defined chain by the given name. There must be no
220 target of that name already.
222 \fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
223 Delete the optional user-defined chain specified. There must be no references
227 non-builtin chain in the table.
229 \fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
230 Set the policy for the built-in (non-user-defined) chain to the given target.
231 The policy target must be either \fBACCEPT\fP or \fBDROP\fP.
233 \fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
237 \fB\-h\fP
244 \fB\-4\fP, \fB\-\-ipv4\fP
245 This option has no effect in iptables and iptables-restore.
246 If a rule using the \fB\-4\fP option is inserted with (and only with)
247 ip6tables-restore, it will be silently ignored. Any other uses will throw an
248 error. This option allows IPv4 and IPv6 rules in a single rule file
249 for use with both iptables-restore and ip6tables-restore.
251 \fB\-6\fP, \fB\-\-ipv6\fP
252 If a rule using the \fB\-6\fP option is inserted with (and only with)
253 iptables-restore, it will be silently ignored. Any other uses will throw an
254 error. This option allows IPv4 and IPv6 rules in a single rule file
255 for use with both iptables-restore and ip6tables-restore.
256 This option has no effect in ip6tables and ip6tables-restore.
258 [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
269 \fBesp\fP and \fBipv6\-nonext\fP
273 even if it were the last, you cannot use \fB\-p 0\fP, but always need
274 \fB\-m hbh\fP.
276 [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
284 can be either an ipv4 network mask (for iptables) or a plain number,
288 the address. The flag \fB\-\-src\fP is an alias for this option.
290 rules\fP (when adding with \-A), or will cause multiple rules to be
291 deleted (with \-D).
293 [\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
295 See the description of the \fB\-s\fP
297 \fB\-\-dst\fP is an alias for this option.
299 \fB\-m\fP, \fB\-\-match\fP \fImatch\fP
302 target is invoked. Matches are evaluated first to last as specified on the
303 command line and work in short-circuit fashion, i.e. if one extension yields
306 \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
307 This specifies the target of the rule; i.e., what to do if the packet
308 matches it. The target can be a user-defined chain (other than the
312 option is omitted in a rule (and \fB\-g\fP
317 \fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
319 specified chain. Unlike the \-\-jump option return will not continue
321 \-\-jump.
323 [\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
331 [\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
339 [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
340 This means that the rule only refers to second and further IPv4 fragments
344 precedes the "\-f" flag, the rule will only match head fragments, or
345 unfragmented packets. This option is IPv4 specific, it is not available
348 \fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
355 \fB\-v\fP, \fB\-\-verbose\fP
360 the \fB\-x\fP flag to change this).
362 detailed information on the rule or rules to be printed. \fB\-v\fP may be
365 \fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP]
373 \fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP
378 1 second. This option only works with \fB\-w\fP.
380 \fB\-n\fP, \fB\-\-numeric\fP
386 \fB\-x\fP, \fB\-\-exact\fP
391 only relevant for the \fB\-L\fP command.
393 \fB\-\-line\-numbers\fP
397 \fB\-\-modprobe=\fP\fIcommand\fP
408 .SH MATCH AND TARGET EXTENSIONS
410 iptables can use extended packet matching and target modules.
411 A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
418 Bugs? What's this? ;-)
430 The other main difference is that \fB\-i\fP refers to the input interface;
431 \fB\-o\fP refers to the output interface, and both are available for packets
440 \-j MASQ
441 \-M \-S
442 \-M \-L
446 \fBiptables\-apply\fP(8),
447 \fBiptables\-save\fP(8),
448 \fBiptables\-restore\fP(8),
449 \fBiptables\-extensions\fP(8),
451 The packet-filtering-HOWTO details iptables usage for
452 packet filtering, the NAT-HOWTO details NAT,
453 the netfilter-extensions-HOWTO details the extensions that are
455 and the netfilter-hacking-HOWTO details the netfilter internals.
467 James Morris wrote the TOS target, and tos match.
469 Jozsef Kadlecsik wrote the REJECT target.
471 Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as the TTL, DSCP, ECN matc…