- Create a new chain (-N).
- Delete an empty chain (-X).
- Change the policy for a built-in chain (-P).
- List the rules in a chain (-L).
- Flush the rules out of a chain (-F).
- Zero the packet and byte counters on all rules in a chain (-Z).
There are several ways to manipulate rules inside a chain:
- Append a new rule to a chain (-A).
- Insert a new rule at some position in a chain (-I).
- Replace a rule at some position in a chain (-R).
- Delete a rule at some position in a chain (-D).
- Delete the first rule that matches in a chain (-D).
Some examples:
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
Here we append (-A) to the `INPUT' chain a rule specifying that for
packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP (`-p icmp')
we should jump to DROP (`-j DROP').
We can delete the rule in one of two ways. Firstly, since we know
that it is the only rule in the INPUT chain, we can use a numbered
delete, as in:
# iptables -D INPUT 1
The second way is to mirror the -A command, e.g.:
# iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
Filtering Specifications
Specifying Source and Destination IP Addresses
Source (`-s', `--source' or `--src') and destination (`-d',
`--destination' or `--dst') IP addresses can be specified in four
ways. The most common way is to use the full name, such as
`localhost' or `www.linuxhq.com'. The second way is to specify the IP
address such as `127.0.0.1'.
The third and fourth ways allow specification of a group of IP
addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'.
These both specify any IP address from 199.95.207.0 to 199.95.207.255
inclusive; the digits after the `/' tell which parts of the IP address
are significant. `/32' or `/255.255.255.255' is the default (match
all of the IP address).
To specify any IP address at all `/0' can be used, like so:
# iptables -A INPUT -s 0/0 -j DROP
This is rarely used, as the effect above is the same as not specifying
the `-s' option at all.
Many flags, including the `-s' and `-d' flags, can have their arguments
preceded by `!' (pronounced `not') to match addresses NOT equal to the
ones given. For example, `-s ! localhost' matches any packet not
coming from localhost.
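As an added example (not part of the original HOWTO), the following Python models how iptables interprets a `-s'/`-d' argument in the forms described above: a dotted IP, IP/prefix-length, IP/netmask, the default `/32', `0/0' and the `!' inversion. It assumes numeric addresses only (host names are not resolved, so it runs offline) and that the bare `0' in `0/0' stands for 0.0.0.0.

```python
import ipaddress

def parse_address_spec(spec):
    """Parse an iptables `-s'/`-d' argument into (negated, network).

    Handles the forms from the text: `127.0.0.1', `199.95.207.0/24',
    `199.95.207.0/255.255.255.0' and `0/0', each optionally preceded by `!'.
    Assumptions for this demo: host names are not resolved, and the bare
    `0' of `0/0' is the only abbreviated address accepted (taken as 0.0.0.0).
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    address, _, mask = spec.partition("/")
    if address == "0":
        address = "0.0.0.0"
    if not mask:
        mask = "32"  # `/32' (all of the address is significant) is the default
    # ip_network accepts both `/24' and `/255.255.255.0'; strict=False lets a
    # host address such as 192.168.1.7/24 stand for its network, which is
    # what applying the mask does in iptables.
    network = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return negated, network

def address_matches(spec, packet_ip):
    """True if a packet from/to packet_ip satisfies the `-s'/`-d' spec."""
    negated, network = parse_address_spec(spec)
    return (ipaddress.ip_address(packet_ip) in network) != negated

def address_range(spec):
    """First and last address covered by the spec, as dotted strings."""
    _, network = parse_address_spec(spec)
    return str(network[0]), str(network[-1])

if __name__ == "__main__":
    # Constructed sample addresses checked against `-s 199.95.207.0/24'.
    for ip in ("199.95.207.0", "199.95.207.255", "199.95.208.1"):
        print(ip, address_matches("199.95.207.0/24", ip))
    print(address_range("199.95.207.0/255.255.255.0"))  # same range as /24
    print(address_matches("0/0", "10.1.2.3"))            # `/0' matches anything
    print(address_matches("! 127.0.0.1", "127.0.0.1"))   # `!' inverts the match
```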
Specifying Protocol
The protocol can be specified with the `-p' flag. Protocol can be a
number (if you know the numeric protocol values for IP) or a name for
the special cases of `TCP', `UDP' or `ICMP'. Case doesn't matter, so
`tcp' works as well as `TCP'.
The protocol name can be prefixed by a `!', to invert it, such as `-p
! TCP'.
The `-i' (or `--in-interface') and `-o' (or `--out-interface') options
specify the name of an interface to match.
Only packets traversing the FORWARD chain have both an
input and output interface.
This rule uses the `-f' (fragment) flag to drop any fragments going to 192.168.1.1:
# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
- --tcp-flags: followed by an optional `!', then two strings
of flags, allows you to filter on specific TCP flags. The first
string of flags is the mask: a list of flags you want to examine. The
second string of flags tells which one(s) should be set. For example:
# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
This indicates that all flags should be examined (`ALL' is synonymous
with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK should be set.
There is also an argument `NONE' meaning no flags.
- --syn: optionally preceded by a `!', this is shorthand
for `--tcp-flags SYN,RST,ACK SYN'.
- --source-port: followed by an optional `!', then either a
single TCP port, or a range of ports. Ports can be port names, as
listed in /etc/services, or numeric. Ranges are either two port names
separated by a `-', or (to specify greater than or equal to a given
port) a port with a `-' appended, or (to specify less than or equal to
a given port) a port preceded by a `-'.
- --sport: synonymous with `--source-port'.
- --destination-port and --dport: the same as above, only they
specify the destination, rather than source, port to match.
- --tcp-option: followed by an optional `!' and a number,
matches a packet with a TCP option equaling that number. A packet
which does not have a complete TCP header is dropped automatically if
an attempt is made to examine its TCP options.
The `--syn' flag is used to match TCP connection attempts: it is only
valid for rules which specify TCP as their protocol. For example, to
specify TCP connection attempts from 192.168.1.1:
-p TCP -s 192.168.1.1 --syn
This flag can be inverted by preceding it with a `!', which means
every packet other than the connection initiation.
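An added example (not from the HOWTO) that works through the TCP extension semantics just described: `--tcp-flags MASK COMP' as a masked comparison, `--syn' as its shorthand, `!' inversion, and the three port-range notations for `--sport'/`--dport'. Python is used for an offline walkthrough; port names from /etc/services are not resolved (assumption: numeric ports only).

```python
# TCP flag bits as they appear in the TCP header's flags byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flag_list(text):
    """Turn `SYN,ACK', `ALL' or `NONE' into a bitmask."""
    if text.upper() == "ALL":
        return sum(TCP_FLAGS.values())        # SYN,ACK,FIN,RST,URG,PSH
    if text.upper() == "NONE":
        return 0
    return sum(TCP_FLAGS[name.upper()] for name in text.split(","))

def tcp_flags_match(mask, comp, packet_flags, negate=False):
    """--tcp-flags MASK COMP: among the flags in MASK, exactly COMP are set.
    Flags outside MASK are ignored; negate models a leading `!'."""
    hit = (packet_flags & parse_flag_list(mask)) == parse_flag_list(comp)
    return hit != negate

def syn_match(packet_flags, negate=False):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", packet_flags, negate)

def parse_port_range(text):
    """`--sport'/`--dport' argument -> inclusive (low, high) tuple."""
    if text.startswith("-"):             # `-1023': less than or equal to 1023
        return 0, int(text[1:])
    if text.endswith("-"):               # `1024-': greater than or equal to 1024
        return int(text[:-1]), 65535
    if "-" in text:                      # `6000-6010': an explicit range
        low, high = text.split("-", 1)
        return int(low), int(high)
    return int(text), int(text)          # a single port

def port_match(spec, port):
    """True if port satisfies the spec, honouring an optional leading `!'."""
    negate = spec.startswith("!")
    low, high = parse_port_range(spec.lstrip("! "))
    return (low <= port <= high) != negate

if __name__ == "__main__":
    # Constructed flag bytes: a bare SYN, a SYN+ACK reply, and ACK+PSH data.
    for name, flags in (("SYN", 0x02), ("SYN+ACK", 0x12), ("ACK+PSH", 0x18)):
        print(name, "ALL SYN,ACK ->", tcp_flags_match("ALL", "SYN,ACK", flags),
              "--syn ->", syn_match(flags))
    print(port_match("1024-", 8080), port_match("! 1024-", 8080))
```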
UDP Extensions
This extension is automatically loaded if `--protocol udp' is
specified, and no other match is specified. It provides the options
`--source-port', `--sport', `--destination-port' and `--dport' as
detailed for TCP above.
ICMP Extensions
This extension is automatically loaded if `--protocol icmp' is
specified, and no other match is specified. It provides only one
new option:
- --icmp-type: followed by an optional `!', then either an
ICMP type name (eg. `host-unreachable'), or a numeric type (eg. `3'),
or a numeric type and code separated by a `/' (eg. `3/3'). A list
of available ICMP type names is given using `-p icmp --help'.
Other Match Extensions
The other extensions in the netfilter package are demonstration
extensions, which (if installed) can be invoked with the `-m' option.
- mac: this module must be explicitly specified with `-m mac'
or `--match mac'. It is used for matching an incoming packet's source
Ethernet (MAC) address, and is thus only useful for packets traversing
the INPUT and FORWARD chains. It provides only one option:
- --mac-source: followed by an optional `!', then an
Ethernet address in colon-separated hexbyte notation, eg.
`--mac-source 00:60:08:91:CC:B7'.
- limit: this module must be explicitly specified with `-m
limit' or `--match limit'. It is used to restrict the rate of
matches, such as for suppressing log messages. It will only match a
given number of times per second (by default 3 matches per hour,
with a burst of 5). It takes two optional arguments:
- --limit: followed by a number; specifies the maximum
average number of matches to allow per second. The number can
specify units explicitly, using `/second', `/minute', `/hour' or
`/day', or parts of them (so `5/second' is the same as `5/s').
- --limit-burst: followed by a number, indicating the
maximum burst before the above limit kicks in.
This match can often be used with the LOG target to do rate-limited
logging. To understand how it works, let's look at the following
rule, which logs packets with the default limit parameters:
# iptables -A FORWARD -m limit -j LOG
The first time this rule is reached, the packet will be logged; in
fact, since the default burst is 5, the first five packets will be
logged. After this, it will be twenty minutes before a packet will be
logged from this rule, regardless of how many packets reach it. Also,
every twenty minutes which passes without matching a packet, one of
the burst will be regained; if no packets hit the rule for 100
minutes, the burst will be fully recharged; back where we started.
You cannot currently create a rule with a recharge time greater
than about 59 hours, so if you set an average rate of one per day,
then your burst rate must be less than 3.
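To make the arithmetic in the paragraph above concrete, here is an added token-bucket model of the limit match (example code, not netfilter's implementation): `--limit' is parsed with the unit prefixes the text describes, a bucket of `--limit-burst' credits refills at the average rate, and a packet matches only while a credit is available. The 59-hour figure is taken from the text as the cap on burst divided by rate.

```python
from fractions import Fraction

# Seconds per unit; any leading part of the name is accepted (`/s', `/sec', ...).
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_rate(text):
    """`--limit' argument -> matches per second, as an exact Fraction.
    A bare number means per second; `3/hour' means 3 per 3600 seconds."""
    number, _, unit = text.partition("/")
    seconds = 1
    if unit:
        full = [name for name in UNITS if name.startswith(unit.lower())]
        if len(full) != 1:
            raise ValueError(f"unknown unit {unit!r}")
        seconds = UNITS[full[0]]
    return Fraction(int(number), seconds)

class LimitMatch:
    """Token bucket: `burst' credits, refilled at `rate' credits per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.credit = Fraction(burst)   # the bucket starts full
        self.last = Fraction(0)

    def match(self, now):
        """Return True if a packet arriving at time `now' (seconds) matches."""
        refill = (Fraction(now) - self.last) * self.rate
        self.credit = min(Fraction(self.burst), self.credit + refill)
        self.last = Fraction(now)
        if self.credit >= 1:
            self.credit -= 1
            return True
        return False

def simulate(rate_text, burst, arrival_times):
    """Run packets with the given arrival times (seconds) through one rule."""
    rule = LimitMatch(parse_rate(rate_text), burst)
    return [rule.match(t) for t in arrival_times]

def recharge_hours(rate_text, burst):
    """Time for an empty bucket to refill completely, in hours."""
    return burst / parse_rate(rate_text) / 3600

def rule_allowed(rate_text, burst, max_hours=59):
    """The text's rule of thumb: recharge time must not exceed about 59 hours."""
    return recharge_hours(rate_text, burst) <= max_hours

if __name__ == "__main__":
    # Default `-m limit' (3/hour, burst 5): six packets at once, one after
    # 20 minutes, then six more after 100 quiet minutes. Times are constructed.
    minute = 60
    print(simulate("3/hour", 5, [0] * 6 + [20 * minute] + [120 * minute] * 6))
    print(rule_allowed("1/day", 3), rule_allowed("1/day", 2))
```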
- unclean: this module must be explicitly specified with `-m
unclean' or `--match unclean'. It does various random sanity checks on
packets. This module has not been audited, and should not be used as
a security device (it probably makes things worse, since it may well
have bugs itself). It provides no options.