The iptables command is extensible through dynamically loaded libraries. It is included in the netfilter source package available at http://www.netfilter.org/. It will also be included in any Linux distribution based on the 2.4 series kernels.
The iptables command is used to configure IP filtering and NAT (along with other packet-processing applications, including accounting, logging, and mangling). To facilitate this, there are two tables of rules called filter and nat. The filter table is assumed if you do not specify the -t option to override it. Five built-in chains are also provided. The INPUT and FORWARD chains are available for the filter table, the PREROUTING and POSTROUTING chains are available for the nat table, and the OUTPUT chain is available for both tables. In this chapter we'll discuss only the filter table. We'll look at the nat table in Chapter 9.
The general syntax of most iptables commands is:

```
# iptables command rule-specification extensions
```
Now we'll take a look at some options in detail, after which we'll review some examples.
Most of the options for the iptables command can be grouped into subcommands and rule match criteria. Table 7-6 describes the other options.
| Option | Description |
|---|---|
| -c packets bytes | When combined with the -A, -I, or -R subcommand, sets the packet counter to packets and the byte counter to bytes for the new or modified rule. |
| --exact | Synonym for -x. |
| -h | Displays information on iptables usage. If it appears after -m match or -j target, then any additional help related to the extension match or target (respectively) is also displayed. |
| --help | Synonym for -h. |
| -j target | Determines what to do with packets matching this rule. The target can be the name of a user-defined chain, one of the built-in targets, or an iptables extension (in which case there may be additional options). |
| --jump target | Synonym for -j. |
| --line-numbers | When combined with the -L subcommand, displays numbers for the rules in each chain, so you can refer to the rules by index when inserting rules into (via -I) or deleting rules from (via -D) a chain. Be aware that the line numbering changes as you add and remove rules in the chain. |
| -m match | Invokes an extended match, possibly with additional options. |
| --match match | Synonym for -m. |
| -M command | Used to load an iptables module (with new targets or match extensions) when appending, inserting, or replacing rules. |
| --modprobe=command | Synonym for -M. |
| -n | Displays numeric addresses and ports, instead of looking up domain names for the IP addresses and service names for the port numbers. This can be especially useful if your DNS service is slow or down. |
| --numeric | Synonym for -n. |
| --set-counters packets bytes | Synonym for -c. |
| -t table | Performs the specified subcommand on table. If this option is not used, the subcommand operates on the filter table by default. |
| --table table | Synonym for -t. |
| -v | Produces verbose output. |
| --verbose | Synonym for -v. |
| -x | Displays exact numbers for packet and byte counters, rather than the default abbreviated format with metric suffixes (K, M, or G). |
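Several of these options (-n, -v, -x, --line-numbers) exist to make the output of `iptables -L` machine-readable: numeric addresses, per-rule counters, unabbreviated numbers and a stable rule index. The following parser is an added example, not code from the book; it reads a listing produced with exactly those options (the sample below is constructed, not captured from a real host) and returns the rule index you would hand to -D, plus the rules whose counters have never incremented.

```python
import re
from collections import namedtuple

# Constructed sample of `iptables -t filter -L INPUT -n -v -x --line-numbers`
# output (assumed format; not captured from a real system).
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1234     987654 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      120340  150223344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3          42       2520 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4           0          0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
5           7        420 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "INPUT-DROP: "
"""

# One parsed rule; `match` holds the trailing match/target text such as "tcp dpt:22".
Rule = namedtuple("Rule", "num pkts bytes target prot in_if out_if source destination match")

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")

def parse_listing(text):
    """Parse one chain listed with -n -v -x --line-numbers into (chain, policy, rules)."""
    lines = text.splitlines()
    m = CHAIN_RE.match(lines[0])
    if not m:
        raise ValueError("expected a 'Chain ...' header line")
    chain, policy = m.group(1), m.group(2)
    rules = []
    for line in lines[2:]:  # lines[1] is the column header added by -v
        f = line.split(None, 10)  # 10 fixed columns; the remainder is the match text
        if len(f) < 10:
            continue
        if not (f[1].isdigit() and f[2].isdigit()):
            # Without -x iptables prints e.g. "150M"; refuse rather than misparse.
            raise ValueError("counters are abbreviated; list the chain with -x")
        rules.append(Rule(int(f[0]), int(f[1]), int(f[2]), f[3], f[4],
                          f[6], f[7], f[8], f[9], f[10] if len(f) > 10 else ""))
    return chain, policy, rules

def unused_rules(rules):
    """Indexes (as printed by --line-numbers) of rules that have matched no packets;
    these are candidates for review or `iptables -D <chain> <num>`. Delete from the
    highest index down, because the numbering shifts after every removal."""
    return sorted((r.num for r in rules if r.pkts == 0), reverse=True)
```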
iptables provides several sources of online help. You can get basic information via the following commands:

```
iptables -h | --help
iptables -m match -h
iptables -j TARGET -h
man iptables
```