17.3. Options Used within iptables Commands

Rules for filtering packets are put in place using the iptables command. When using the iptables command, the following aspects of the packet are most often used as criteria:

For more information on specific options which address these aspects of a packet, refer to Section 17.3.4 iptables Match Options and Section 17.3.5 Target Options.

The options used with given iptables rule must be grouped logically, based on the purpose and conditions of the overall rule, for the rule to be valid. The remainder of this section explains commonly-used options for the iptables command.

17.3.1. Structure of iptables Options

Many iptables commands have the following structure:

iptables [-t <table-name>] <command> <chain-name> <parameter-1> \
         <option-1> <parameter-n> <option-n>

The <table-name> option allows the user to select a table other than the default filter table to use with the command. The <command> option dictates a specific action to perform, such as appending or deleting the rule specified by the <chain-name> option. Following the <chain-name> are pairs of parameters and options that define what happens when a packet matches the rule.

When looking at the structure of an iptables command, it is important to remember that, unlike most other commands, the length and complexity of an iptables command can change based on its purpose. A command to remove a rule from a chain can be very short, while a command designed to filter packets from a particular subnet using a variety of specific parameters and options can be rather lengthy. When creating iptables commands it is helpful to recognize that some parameters and options may create the need for other parameters and options to further specify the previous option's request. To construct a valid rule, this must continue until every parameter and option that requires another set of options is satisfied.

Type iptables -h to view a comprehensive list of iptables command structures.

17.3.2. Command Options

Command options instruct iptables to perform a specific action. Only one command option is allowed per iptables command. With the exception of the help command, all commands are written in upper-case characters.

The iptables commands are as follows:

17.3.3. iptables Parameter Options

Once certain iptables commands are specified, including those used to add, append, delete, insert, or replace rules within a particular chain, parameters are required to construct a packet filtering rule.

17.3.4. iptables Match Options

Different network protocols provide specialized matching options which can be configured to match a particular packet using that protocol. However, the protocol must first be specified in the iptables command. For example -p tcp <protocol-name> (where <protocol-name> is the target protocol), makes options for the specified protocol available. TCP Protocol

These match options are available for the TCP protocol (-p tcp):

  • --dport — Sets the destination port for the packet. Use either a network service name (such as www or smtp), port number, or range of port numbers to configure this option. To browse the names and aliases of network services and the port numbers they use, view the /etc/services file. The --destination-port match option is synonymous with --dport.

    To specify a specific range of port numbers, separate the two numbers with a colon (:), such as -p tcp --dport 3000:3200. The largest acceptable valid range is 0:65535.

    Use an exclamation point character (!) after the --dport option to match all packets which do not use that network service or port.

  • --sport — Sets the source port of the packet using the same options as --dport. The --source-port match option is synonymous with --sport.

  • --syn — Applies to all TCP packets designed to initiate communication, commonly called SYN packets. Any packets that carry a data payload are not touched. Placing an exclamation point character (!) as a flag after the --syn option causes all non-SYN packets to be matched.

  • --tcp-flags — Allows TCP packets with specific bits, or flags, set to be matched with a rule. The --tcp-flags match option accepts two parameters. The first parameter is the mask, which sets the flags to be examined in the packet. The second parameter refers to the flag that must be set to match.

    The possible flags are:

    • ACK

    • FIN

    • PSH

    • RST

    • SYN

    • URG

    • ALL

    • NONE

    For example, an iptables rule which contains -p tcp --tcp-flags ACK,FIN,SYN SYN only matches TCP packets that have the SYN flag set and the ACK and FIN flags unset.

    Using the exclamation point character (!) after --tcp-flags reverses the effect of the match option.

  • --tcp-option — Attempts to match with TCP-specific options that can be set within a particular packet. This match option can also be reversed with the exclamation point character (!). UDP Protocol

These match options are available for the UDP protocol (-p udp):

  • --dport — Specifies the destination port of the UDP packet, using the service name, port number, or range of port numbers. The --destination-port match option is synonymous with --dport. Refer to the --dport match option in Section TCP Protocol for ways to use this option.

  • --sport — Specifies the source port of the UDP packet, using the service name, port number, or range of port numbers. The --source-port match option is synonymous with --sport. Refer to the --sport match option in Section TCP Protocol for ways to use this option. ICMP Protocol

The following match options are available for the Internet Control Message Protocol (ICMP) (-p icmp):

  • --icmp-type — Sets the name or number of the ICMP type to match with the rule. A list of valid ICMP names can be retrieved by typing the iptables -p icmp -h command. Additional Match Option Modules

Additional match options are also available through modules loaded by the iptables command. To use a match option module, load the module by name using the -m option, such as -m <module-name> (replacing <module-name> with the name of the module).

A large number of modules are available by default. It is even possible to create modules that provide additional functionality.

The following is a partial list of the most commonly used modules:

  • limit module — Places limits on how many packets are matched to a particular rule. This is especially beneficial when used in conjunction with the LOG target as it can prevent a flood of matching packets from filling up the system log with repetitive messages or using up system resources. Refer to Section 17.3.5 Target Options for more information about the LOG target.

    The limit module enables the following options:

    • --limit — Sets the number of matches for a particular range of time, specified with a number and time modifier arranged in a <number>/<time> format. For example, using --limit 5/hour only lets a rule match 5 times in a single hour.

      If a number and time modifier are not used, the default value of 3/hour is assumed.

    • --limit-burst — Sets a limit on the number of packets able to match a rule at one time. This option should be used in conjunction with the --limit option, and it accepts a number to set the burst threshold.

      If no number is specified, only five packets are initially able to match the rule.

  • state module — Enables state matching.

    The state module enables the following options:

    • --state — match a packet with the following connection states:

      • ESTABLISHED — The matching packet is associated with other packets in an established connection.

      • INVALID — The matching packet cannot be tied to a known connection.

      • NEW — The matching packet is either creating a new connection or is part of a two-way connection not previously seen.

      • RELATED — The matching packet is starting a new connection related in some way to an existing connection.

      These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.

  • mac module — Enables hardware MAC address matching.

    The mac module enables the following option:

    • --mac-source — Matches a MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point (!) after the --mac-source match option.

To view other match options available through modules, refer to the iptables man page.

17.3.5. Target Options

Once a packet has matched a particular rule, the rule can direct the packet to a number of different targets that decide its fate and, possibly, take additional actions. Each chain has a default target, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target.

The following are the standard targets:

In addition to these standard targets, various other targets may be used with extensions called target modules. For more information about match option modules, refer to Section Additional Match Option Modules.

There are many extended target modules, most of which only apply to specific tables or situations. A couple of the most popular target modules included by default in Red Hat Enterprise Linux are:

Other target extensions, including several that are useful for IP masquerading using the nat table or with packet alteration using the mangle table, can be found in the iptables man page.

17.3.6. Listing Options

The default list command, iptables -L, provides a very basic overview of the default filter table's current chains. Additional options provide more information: