From fc22b3d6507c6745911b9dfcc68f1e665ae13dbc Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 15 Apr 2024 21:43:11 +0200 Subject: Adding upstream version 4.22.0. Signed-off-by: Daniel Baumann --- .../opensuse-tumbleweed/man8/iptables-extensions.8 | 3023 ++++++++++++++++++++ 1 file changed, 3023 insertions(+) create mode 100644 upstream/opensuse-tumbleweed/man8/iptables-extensions.8 (limited to 'upstream/opensuse-tumbleweed/man8/iptables-extensions.8') diff --git a/upstream/opensuse-tumbleweed/man8/iptables-extensions.8 b/upstream/opensuse-tumbleweed/man8/iptables-extensions.8 new file mode 100644 index 00000000..73121e5e --- /dev/null +++ b/upstream/opensuse-tumbleweed/man8/iptables-extensions.8 @@ -0,0 +1,3023 @@ +.TH iptables-extensions 8 "" "iptables 1.8.10" "iptables 1.8.10" +.SH NAME +iptables-extensions \(em list of extensions in the standard iptables distribution +.SH SYNOPSIS +\fBip6tables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]] +[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...] +.PP +\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]] +[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...] +.SH MATCH EXTENSIONS +iptables can use extended packet matching modules +with the \fB\-m\fP or \fB\-\-match\fP +options, followed by the matching module name; after these, various +extra command line options become available, depending on the specific +module. You can specify multiple extended match modules in one line, +and you can use the \fB\-h\fP or \fB\-\-help\fP +options after the module has been specified to receive help specific +to that module. The extended match modules are evaluated in the order +they are specified in the rule. +.PP +If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an +unknown option is encountered, iptables will try load a match module of the +same name as the protocol, to try making the option available. +.\" @MATCH@ +.SS addrtype +This module matches packets based on their +.B address type. +Address types are used within the kernel networking stack and categorize +addresses into various groups. The exact definition of that group depends on the specific layer three protocol. +.PP +The following address types are possible: +.TP +.BI "UNSPEC" +an unspecified address (i.e. 0.0.0.0) +.TP +.BI "UNICAST" +an unicast address +.TP +.BI "LOCAL" +a local address +.TP +.BI "BROADCAST" +a broadcast address +.TP +.BI "ANYCAST" +an anycast packet +.TP +.BI "MULTICAST" +a multicast address +.TP +.BI "BLACKHOLE" +a blackhole address +.TP +.BI "UNREACHABLE" +an unreachable address +.TP +.BI "PROHIBIT" +a prohibited address +.TP +.BI "THROW" +FIXME +.TP +.BI "NAT" +FIXME +.TP +.BI "XRESOLVE" +.TP +[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP +Matches if the source address is of given type +.TP +[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP +Matches if the destination address is of given type +.TP +.BI "\-\-limit\-iface\-in" +The address type checking can be limited to the interface the packet is coming +in. This option is only valid in the +.BR PREROUTING , +.B INPUT +and +.B FORWARD +chains. It cannot be specified with the +\fB\-\-limit\-iface\-out\fP +option. +.TP +\fB\-\-limit\-iface\-out\fP +The address type checking can be limited to the interface the packet is going +out. This option is only valid in the +.BR POSTROUTING , +.B OUTPUT +and +.B FORWARD +chains. It cannot be specified with the +\fB\-\-limit\-iface\-in\fP +option. +.SS ah (IPv6-specific) +This module matches the parameters in Authentication header of IPsec packets. +.TP +[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] +Matches SPI. +.TP +[\fB!\fP] \fB\-\-ahlen\fP \fIlength\fP +Total length of this header in octets. +.TP +\fB\-\-ahres\fP +Matches if the reserved field is filled with zero. +.SS ah (IPv4-specific) +This module matches the SPIs in Authentication header of IPsec packets. +.TP +[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] +.SS bpf +Match using Linux Socket Filter. Expects a path to an eBPF object or a cBPF +program in decimal format. +.TP +\fB\-\-object\-pinned\fP \fIpath\fP +Pass a path to a pinned eBPF object. +.PP +Applications load eBPF programs into the kernel with the bpf() system call and +BPF_PROG_LOAD command and can pin them in a virtual filesystem with BPF_OBJ_PIN. +To use a pinned object in iptables, mount the bpf filesystem using +.IP +mount \-t bpf bpf ${BPF_MOUNT} +.PP +then insert the filter in iptables by path: +.IP +iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j ACCEPT +.TP +\fB\-\-bytecode\fP \fIcode\fP +Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility. +.PP +The code format is similar to the output of the tcpdump \-ddd command: one line +that stores the number of instructions, followed by one line for each +instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal +notation. Fields encode the operation, jump offset if true, jump offset if +false and generic multiuse field 'K'. Comments are not supported. +.PP +For example, to read only packets matching 'ip proto 6', insert the following, +without the comments or trailing whitespace: +.IP +4 # number of instructions +.br +48 0 0 9 # load byte ip->proto +.br +21 0 1 6 # jump equal IPPROTO_TCP +.br +6 0 0 1 # return pass (non-zero) +.br +6 0 0 0 # return fail (zero) +.PP +You can pass this filter to the bpf match with the following command: +.IP +iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT +.PP +Or instead, you can invoke the nfbpf_compile utility. +.IP +iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT +.PP +Or use tcpdump -ddd. In that case, generate BPF targeting a device with the +same data link type as the xtables match. Iptables passes packets from the +network layer up, without mac layer. Select a device with data link type RAW, +such as a tun device: +.IP +ip tuntap add tun0 mode tun +.br +ip link set tun0 up +.br +tcpdump -ddd -i tun0 ip proto 6 +.PP +See tcpdump -L -i $dev for a list of known data link types for a given device. +.PP +You may want to learn more about BPF from FreeBSD's bpf(4) manpage. +.SS cgroup +.TP +[\fB!\fP] \fB\-\-path\fP \fIpath\fP +Match cgroup2 membership. + +Each socket is associated with the v2 cgroup of the creating process. +This matches packets coming from or going to all sockets in the +sub-hierarchy of the specified path. The path should be relative to +the root of the cgroup2 hierarchy. +.TP +[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP +Match cgroup net_cls classid. + +classid is the marker set through the cgroup net_cls controller. This +option and \-\-path can't be used together. +.PP +Example: +.IP +iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP +.IP +iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 +\-j DROP +.PP +\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup +matcher is currently only of limited functionality, meaning it +will only match on packets that are processed for local sockets +through early socket demuxing. Therefore, general usage on the +INPUT chain is not advised unless the implications are well +understood. +.PP +Available since Linux 3.14. +.SS cluster +Allows you to deploy gateway and back-end load-sharing clusters without the +need of load-balancers. +.PP +This match requires that all the nodes see the same packets. Thus, the cluster +match decides if this node has to handle a packet given the following options: +.TP +\fB\-\-cluster\-total\-nodes\fP \fInum\fP +Set number of total nodes in cluster. +.TP +[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP +Set the local node number ID. +.TP +[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP +Set the local node number ID mask. You can use this option instead +of \fB\-\-cluster\-local\-node\fP. +.TP +\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP +Set seed value of the Jenkins hash. +.PP +Example: +.IP +iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster +\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 +\-\-cluster\-hash\-seed 0xdeadbeef +\-j MARK \-\-set-mark 0xffff +.IP +iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster +\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 +\-\-cluster\-hash\-seed 0xdeadbeef +\-j MARK \-\-set\-mark 0xffff +.IP +iptables \-A PREROUTING \-t mangle \-i eth1 +\-m mark ! \-\-mark 0xffff \-j DROP +.IP +iptables \-A PREROUTING \-t mangle \-i eth2 +\-m mark ! \-\-mark 0xffff \-j DROP +.PP +And the following commands to make all nodes see the same packets: +.IP +ip maddr add 01:00:5e:00:01:01 dev eth1 +.IP +ip maddr add 01:00:5e:00:01:02 dev eth2 +.IP +arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 +\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01 +.IP +arptables \-A INPUT \-i eth1 \-\-h-length 6 +\-\-destination-mac 01:00:5e:00:01:01 +\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 +.IP +arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 +\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02 +.IP +arptables \-A INPUT \-i eth2 \-\-h\-length 6 +\-\-destination\-mac 01:00:5e:00:01:02 +\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 +.PP +\fBNOTE\fP: the arptables commands above use mainstream syntax. If you +are using arptables-jf included in some RedHat, CentOS and Fedora +versions, you will hit syntax errors. Therefore, you'll have to adapt +these to the arptables-jf syntax to get them working. +.PP +In the case of TCP connections, pickup facility has to be disabled +to avoid marking TCP ACK packets coming in the reply direction as +valid. +.IP +echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose +.SS comment +Allows you to add comments (up to 256 characters) to any rule. +.TP +\fB\-\-comment\fP \fIcomment\fP +.TP +Example: +iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN" +.SS connbytes +Match by how many bytes or packets a connection (or one of the two +flows constituting the connection) has transferred so far, or by +average bytes per packet. +.PP +The counters are 64-bit and are thus not expected to overflow ;) +.PP +The primary use is to detect long-lived downloads and mark them to be +scheduled using a lower priority band in traffic control. +.PP +The transferred bytes per connection can also be viewed through +`conntrack \-L` and accessed via ctnetlink. +.PP +NOTE that for connections which have no accounting information, the match will +always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls +whether \fBnew\fP connections will be byte/packet counted. Existing connection +flows will not be gaining/losing a/the accounting structure when be sysctl flag +is flipped. +.TP +[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP] +match packets from a connection whose packets/bytes/average packet +size is more than FROM and less than TO bytes/packets. if TO is +omitted only FROM check is done. "!" is used to match packets not +falling in the range. +.TP +\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP} +which packets to consider +.TP +\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP} +whether to check the amount of packets, number of bytes transferred or +the average size (in bytes) of all packets received so far. Note that +when "both" is used together with "avgpkt", and data is going (mainly) +only in one direction (for example HTTP), the average packet size will +be about half of the actual data packets. +.TP +Example: +iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ... +.SS connlabel +Module matches or adds connlabels to a connection. +connlabels are similar to connmarks, except labels are bit-based; i.e. +all labels may be attached to a flow at the same time. +Up to 128 unique labels are currently supported. +.TP +[\fB!\fP] \fB\-\-label\fP \fBname\fP +matches if label \fBname\fP has been set on a connection. +Instead of a name (which will be translated to a number, see EXAMPLE below), +a number may be used instead. Using a number always overrides connlabel.conf. +.TP +\fB\-\-set\fP +if the label has not been set on the connection, set it. +Note that setting a label can fail. This is because the kernel allocates the +conntrack label storage area when the connection is created, and it only +reserves the amount of memory required by the ruleset that exists at +the time the connection is created. +In this case, the match will fail (or succeed, in case \fB\-\-label\fP +option was negated). +.PP +This match depends on libnetfilter_conntrack 1.0.4 or later. +Label translation is done via the \fB/etc/xtables/connlabel.conf\fP configuration file. +.PP +Example: +.IP +.nf +0 eth0-in +1 eth0-out +2 ppp-in +3 ppp-out +4 bulk-traffic +5 interactive +.fi +.PP +.SS connlimit +Allows you to restrict the number of parallel connections to a server per +client IP address (or client address block). +.TP +\fB\-\-connlimit\-upto\fP \fIn\fP +Match if the number of existing connections is below or equal \fIn\fP. +.TP +\fB\-\-connlimit\-above\fP \fIn\fP +Match if the number of existing connections is above \fIn\fP. +.TP +\fB\-\-connlimit\-mask\fP \fIprefix_length\fP +Group hosts using the prefix length. For IPv4, this must be a number between +(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the +maximum prefix length for the applicable protocol is used. +.TP +\fB\-\-connlimit\-saddr\fP +Apply the limit onto the source group. This is the default if +\-\-connlimit\-daddr is not specified. +.TP +\fB\-\-connlimit\-daddr\fP +Apply the limit onto the destination group. +.PP +Examples: +.TP +# allow 2 telnet connections per client host +iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT +.TP +# you can also match the other way around: +iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT +.TP +# limit the number of parallel HTTP requests to 16 per class C sized \ +source network (24 bit netmask) +iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16 +\-\-connlimit\-mask 24 \-j REJECT +.TP +# limit the number of parallel HTTP requests to 16 for the link local network +(ipv6) +ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above +16 \-\-connlimit\-mask 64 \-j REJECT +.TP +# Limit the number of connections to a particular host: +ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit +\-\-connlimit-above 100 \-j REJECT +.SS connmark +This module matches the netfilter mark field associated with a connection +(which can be set using the \fBCONNMARK\fP target below). +.TP +[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] +Matches packets in connections with the given mark value (if a mask is +specified, this is logically ANDed with the mark before the comparison). +.SS conntrack +This module, when combined with connection tracking, allows access to the +connection tracking state for this packet/connection. +.TP +[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP +\fIstatelist\fP is a comma separated list of the connection states to match. +Possible states are listed below. +.TP +[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP +Layer-4 protocol to match (by number or name) +.TP +[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] +.TP +[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP] +.TP +[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] +.TP +[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP] +Match against original/reply source/destination address +.TP +[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] +.TP +[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP] +.TP +[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] +.TP +[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP] +Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key. +Matching against port ranges is only supported in kernel versions above 2.6.38. +.TP +[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP +\fIstatuslist\fP is a comma separated list of the connection statuses to match. +Possible statuses are listed below. +.TP +[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP] +Match remaining lifetime in seconds against given value or range of values +(inclusive) +.TP +\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} +Match packets that are flowing in the specified direction. If this flag is not +specified at all, matches packets in both directions. +.PP +States for \fB\-\-ctstate\fP: +.TP +\fBINVALID\fP +The packet is associated with no known connection. +.TP +\fBNEW\fP +The packet has started a new connection or otherwise associated +with a connection which has not seen packets in both directions. +.TP +\fBESTABLISHED\fP +The packet is associated with a connection which has seen packets +in both directions. +.TP +\fBRELATED\fP +The packet is starting a new connection, but is associated with an +existing connection, such as an FTP data transfer or an ICMP error. +.TP +\fBUNTRACKED\fP +The packet is not tracked at all, which happens if you explicitly untrack it +by using \-j CT \-\-notrack in the raw table. +.TP +\fBSNAT\fP +A virtual state, matching if the original source address differs from the reply +destination. +.TP +\fBDNAT\fP +A virtual state, matching if the original destination differs from the reply +source. +.PP +Statuses for \fB\-\-ctstatus\fP: +.TP +\fBNONE\fP +None of the below. +.TP +\fBEXPECTED\fP +This is an expected connection (i.e. a conntrack helper set it up). +.TP +\fBSEEN_REPLY\fP +Conntrack has seen packets in both directions. +.TP +\fBASSURED\fP +Conntrack entry should never be early-expired. +.TP +\fBCONFIRMED\fP +Connection is confirmed: originating packet has left box. +.SS cpu +.TP +[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP +Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 +Can be used in combination with RPS (Remote Packet Steering) or +multiqueue NICs to spread network traffic on different queues. +.PP +Example: +.PP +iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0 +\-j REDIRECT \-\-to\-ports 8080 +.PP +iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1 +\-j REDIRECT \-\-to\-ports 8081 +.PP +Available since Linux 2.6.36. +.SS dccp +.TP +[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] +.TP +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] +.TP +[\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP +Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated +list of packet types. Packet types are: +.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" . +.TP +[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP +Match if DCCP option set. +.SS devgroup +Match device group of a packet's incoming/outgoing interface. +.TP +[\fB!\fP] \fB\-\-src\-group\fP \fIname\fP +Match device group of incoming device +.TP +[\fB!\fP] \fB\-\-dst\-group\fP \fIname\fP +Match device group of outgoing device +.SS dscp +This module matches the 6 bit DSCP field within the TOS field in the +IP header. DSCP has superseded TOS within the IETF. +.TP +[\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP +Match against a numeric (decimal or hex) value [0-63]. +.TP +[\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP +Match the DiffServ class. This value may be any of the +BE, EF, AFxx or CSx classes. It will then be converted +into its according numeric value. +.SS dst (IPv6-specific) +This module matches the parameters in Destination Options header +.TP +[\fB!\fP] \fB\-\-dst\-len\fP \fIlength\fP +Total length of this header in octets. +.TP +\fB\-\-dst\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...] +numeric type of option and the length of the option data in octets. +.SS ecn +This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168 +.TP +[\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP +This matches if the TCP ECN CWR (Congestion Window Received) bit is set. +.TP +[\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP +This matches if the TCP ECN ECE (ECN Echo) bit is set. +.TP +[\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP +This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify +a number between `0' and `3'. +.SS esp +This module matches the SPIs in ESP header of IPsec packets. +.TP +[\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] +.SS eui64 (IPv6-specific) +This module matches the EUI-64 part of a stateless autoconfigured IPv6 address. +It compares the EUI-64 derived from the source MAC address in Ethernet frame +with the lower 64 bits of the IPv6 source address. But "Universal/Local" +bit is not compared. This module doesn't match other link layer frame, and +is only valid in the +.BR PREROUTING , +.BR INPUT +and +.BR FORWARD +chains. +.SS frag (IPv6-specific) +This module matches the parameters in Fragment header. +.TP +[\fB!\fP] \fB\-\-fragid\fP \fIid\fP[\fB:\fP\fIid\fP] +Matches the given Identification or range of it. +.TP +[\fB!\fP] \fB\-\-fraglen\fP \fIlength\fP +This option cannot be used with kernel version 2.6.10 or later. The length of +Fragment header is static and this option doesn't make sense. +.TP +\fB\-\-fragres\fP +Matches if the reserved fields are filled with zero. +.TP +\fB\-\-fragfirst\fP +Matches on the first fragment. +.TP +\fB\-\-fragmore\fP +Matches if there are more fragments. +.TP +\fB\-\-fraglast\fP +Matches if this is the last fragment. +.SS hashlimit +\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the +\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables +rule. Grouping can be done per-hostgroup (source and/or destination address) +and/or per-port. It gives you the ability to express "\fIN\fP packets per time +quantum per group" or "\fIN\fP bytes per seconds" (see below for some examples). +.PP +A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and +\fB\-\-hashlimit\-name\fP are required. +.TP +\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] +Match if the rate is below or equal to \fIamount\fP/quantum. It is specified either as +a number, with an optional time quantum suffix (the default is 3/hour), or as +\fIamount\fPb/second (number of bytes per second). +.TP +\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] +Match if the rate is above \fIamount\fP/quantum. +.TP +\fB\-\-hashlimit\-burst\fP \fIamount\fP +Maximum initial number of packets to match: this number gets recharged by one +every time the limit specified above is not reached, up to this number; the +default is 5. When byte-based rate matching is requested, this option specifies +the amount of bytes that can exceed the given rate. This option should be used +with caution -- if the entry expires, the burst value is reset too. +.TP +\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP... +A comma-separated list of objects to take into consideration. If no +\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the +expensive of doing the hash housekeeping. +.TP +\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP +When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be +grouped according to the given prefix length and the so-created subnet will be +subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note +that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying +srcip for \-\-hashlimit\-mode, but is technically more expensive. +.TP +\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP +Like \-\-hashlimit\-srcmask, but for destination addresses. +.TP +\fB\-\-hashlimit\-name\fP \fIfoo\fP +The name for the /proc/net/ipt_hashlimit/foo entry. +.TP +\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP +The number of buckets of the hash table +.TP +\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP +Maximum entries in the hash. +.TP +\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP +After how many milliseconds do hash entries expire. +.TP +\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP +How many milliseconds between garbage collection intervals. +.TP +\fB\-\-hashlimit\-rate\-match\fP +Classify the flow instead of rate-limiting it. This acts like a +true/false match on whether the rate is above/below a certain number +.TP +\fB\-\-hashlimit\-rate\-interval\fP \fIsec\fP +Can be used with \-\-hashlimit\-rate\-match to specify the interval +at which the rate should be sampled +.PP +Examples: +.TP +matching on source host +"1000 packets per second for every host in 192.168.0.0/16" => +\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec +.TP +matching on source port +"100 packets per second for every service of 192.168.1.1" => +\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec +.TP +matching on subnet +"10000 packets per minute for every /28 subnet (groups of 8 addresses) +in 10.0.0.0/8" => +\-s 10.0.0.0/8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min +.TP +matching bytes per second +"flows exceeding 512kbyte/s" => +\-\-hashlimit-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s +.TP +matching bytes per second +"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching" +\-\-hashlimit-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit-burst 1mb +.SS hbh (IPv6-specific) +This module matches the parameters in Hop-by-Hop Options header +.TP +[\fB!\fP] \fB\-\-hbh\-len\fP \fIlength\fP +Total length of this header in octets. +.TP +\fB\-\-hbh\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...] +numeric type of option and the length of the option data in octets. +.SS helper +This module matches packets related to a specific conntrack-helper. +.TP +[\fB!\fP] \fB\-\-helper\fP \fIstring\fP +Matches packets related to the specified conntrack-helper. +.RS +.PP +string can be "ftp" for packets related to a ftp-session on default port. +For other ports append \-portnr to the value, ie. "ftp\-2121". +.PP +Same rules apply for other conntrack-helpers. +.RE +.SS hl (IPv6-specific) +This module matches the Hop Limit field in the IPv6 header. +.TP +[\fB!\fP] \fB\-\-hl\-eq\fP \fIvalue\fP +Matches if Hop Limit equals \fIvalue\fP. +.TP +\fB\-\-hl\-lt\fP \fIvalue\fP +Matches if Hop Limit is less than \fIvalue\fP. +.TP +\fB\-\-hl\-gt\fP \fIvalue\fP +Matches if Hop Limit is greater than \fIvalue\fP. +.SS icmp (IPv4-specific) +This extension can be used if `\-\-protocol icmp' is specified. It +provides the following option: +.TP +[\fB!\fP] \fB\-\-icmp\-type\fP {\fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP} +This allows specification of the ICMP type, which can be a numeric +ICMP type, type/code pair, or one of the ICMP type names shown by the command +.nf + iptables \-p icmp \-h +.fi +.SS icmp6 (IPv6-specific) +This extension can be used if `\-\-protocol ipv6\-icmp' or `\-\-protocol icmpv6' is +specified. It provides the following option: +.TP +[\fB!\fP] \fB\-\-icmpv6\-type\fP \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP +This allows specification of the ICMPv6 type, which can be a numeric +ICMPv6 +.IR type , +.IR type +and +.IR code , +or one of the ICMPv6 type names shown by the command +.nf + ip6tables \-p ipv6\-icmp \-h +.fi +.SS iprange +This matches on a given arbitrary range of IP addresses. +.TP +[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] +Match source IP in the specified range. +.TP +[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] +Match destination IP in the specified range. +.SS ipv6header (IPv6-specific) +This module matches IPv6 extension headers and/or upper layer header. +.TP +\fB\-\-soft\fP +Matches if the packet includes \fBany\fP of the headers specified with +\fB\-\-header\fP. +.TP +[\fB!\fP] \fB\-\-header\fP \fIheader\fP[\fB,\fP\fIheader\fP...] +Matches the packet which EXACTLY includes all specified headers. The headers +encapsulated with ESP header are out of scope. +Possible \fIheader\fP types can be: +.TP +\fBhop\fP|\fBhop\-by\-hop\fP +Hop-by-Hop Options header +.TP +\fBdst\fP +Destination Options header +.TP +\fBroute\fP +Routing header +.TP +\fBfrag\fP +Fragment header +.TP +\fBauth\fP +Authentication header +.TP +\fBesp\fP +Encapsulating Security Payload header +.TP +\fBnone\fP +No Next header which matches 59 in the 'Next Header field' of IPv6 header or +any IPv6 extension headers +.TP +\fBprot\fP +which matches any upper layer protocol header. A protocol name from +/etc/protocols and numeric value also allowed. The number 255 is equivalent to +\fBprot\fP. +.SS ipvs +Match IPVS connection properties. +.TP +[\fB!\fP] \fB\-\-ipvs\fP +packet belongs to an IPVS connection +.TP +Any of the following options implies \-\-ipvs (even negated) +.TP +[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP +VIP protocol to match; by number or name, e.g. "tcp" +.TP +[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP] +VIP address to match +.TP +[\fB!\fP] \fB\-\-vport\fP \fIport\fP +VIP port to match; by number or name, e.g. "http" +.TP +\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} +flow direction of packet +.TP +[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP} +IPVS forwarding method used +.TP +[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP +VIP port of the controlling connection to match, e.g. 21 for FTP +.SS length +This module matches the length of the layer-3 payload (e.g. layer-4 packet) +of a packet against a specific value +or range of values. +.TP +[\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP] +.SS limit +This module matches at a limited rate using a token bucket filter. +A rule using this extension will match until this limit is reached. +It can be used in combination with the +.B LOG +target to give limited logging, for example. +.PP +xt_limit has no negation support - you will have to use \-m hashlimit ! +\-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode. +.TP +\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] +Maximum average matching rate: specified as a number, with an optional +`/second', `/minute', `/hour', or `/day' suffix; the default is +3/hour. +.TP +\fB\-\-limit\-burst\fP \fInumber\fP +Maximum initial number of packets to match: this number gets +recharged by one every time the limit specified above is not reached, +up to this number; the default is 5. +.SS mac +.TP +[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP +Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. +Note that this only makes sense for packets coming from an Ethernet device +and entering the +.BR PREROUTING , +.B FORWARD +or +.B INPUT +chains. +.SS mark +This module matches the netfilter mark field associated with a packet +(which can be set using the +.B MARK +target below). +.TP +[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] +Matches packets with the given unsigned mark value (if a \fImask\fP is +specified, this is logically ANDed with the \fImask\fP before the +comparison). +.SS mh (IPv6-specific) +This extension is loaded if `\-\-protocol ipv6\-mh' or `\-\-protocol mh' is +specified. It provides the following option: +.TP +[\fB!\fP] \fB\-\-mh\-type\fP \fItype\fP[\fB:\fP\fItype\fP] +This allows specification of the Mobility Header(MH) type, which can be +a numeric MH +.IR type , +.IR type +or one of the MH type names shown by the command +.nf + ip6tables \-p mh \-h +.fi +.SS multiport +This module matches a set of source or destination ports. Up to 15 +ports can be specified. A port range (port:port) counts as two +ports. It can only be used in conjunction with one of the +following protocols: +\fBtcp\fP, \fBudp\fP, \fBudplite\fP, \fBdccp\fP and \fBsctp\fP. +.TP +[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... +Match if the source port is one of the given ports. The flag +\fB\-\-sports\fP +is a convenient alias for this option. Multiple ports or port ranges are +separated using a comma, and a port range is specified using a colon. +\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through +65535. +.TP +[\fB!\fP] \fB\-\-destination\-ports\fP,\fB\-\-dports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... +Match if the destination port is one of the given ports. The flag +\fB\-\-dports\fP +is a convenient alias for this option. +.TP +[\fB!\fP] \fB\-\-ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... +Match if either the source or destination ports are equal to one of +the given ports. +.SS nfacct +The nfacct match provides the extended accounting infrastructure for iptables. +You have to use this match together with the standalone user-space utility +.B nfacct(8) +.PP +The only option available for this match is the following: +.TP +\fB\-\-nfacct\-name\fP \fIname\fP +This allows you to specify the existing object name that will be use for +accounting the traffic that this rule-set is matching. +.PP +To use this extension, you have to create an accounting object: +.IP +nfacct add http\-traffic +.PP +Then, you have to attach it to the accounting object via iptables: +.IP +iptables \-I INPUT \-p tcp \-\-sport 80 \-m nfacct \-\-nfacct\-name http\-traffic +.IP +iptables \-I OUTPUT \-p tcp \-\-dport 80 \-m nfacct \-\-nfacct\-name http\-traffic +.PP +Then, you can check for the amount of traffic that the rules match: +.IP +nfacct get http\-traffic +.IP +{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic; +.PP +You can obtain +.B nfacct(8) +from https://www.netfilter.org or, alternatively, from the git.netfilter.org +repository. +.SS osf +The osf module does passive operating system fingerprinting. This module +compares some data (Window Size, MSS, options and their order, TTL, DF, +and others) from packets with the SYN bit set. +.TP +[\fB!\fP] \fB\-\-genre\fP \fIstring\fP +Match an operating system genre by using a passive fingerprinting. +.TP +\fB\-\-ttl\fP \fIlevel\fP +Do additional TTL checks on the packet to determine the operating system. +\fIlevel\fP can be one of the following values: +.IP \(bu 4 +0 - True IP address and fingerprint TTL comparison. This generally works for +LANs. +.IP \(bu 4 +1 - Check if the IP header's TTL is less than the fingerprint one. Works for +globally-routable addresses. +.IP \(bu 4 +2 - Do not compare the TTL at all. +.TP +\fB\-\-log\fP \fIlevel\fP +Log determined genres into dmesg even if they do not match the desired one. +\fIlevel\fP can be one of the following values: +.IP \(bu 4 +0 - Log all matched or unknown signatures +.IP \(bu 4 +1 - Log only the first one +.IP \(bu 4 +2 - Log all known matched signatures +.PP +You may find something like this in syslog: +.PP +Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> +11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4 +.PP +OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load +fingerprints from a file, use: +.PP +\fBnfnl_osf \-f /usr/share/xtables/pf.os\fP +.PP +To remove them again, +.PP +\fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP +.PP +The fingerprint database can be downloaded from +http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . +.SS owner +This module attempts to match various characteristics of the packet creator, +for locally generated packets. This match is only valid in the OUTPUT and +POSTROUTING chains. Forwarded packets do not have any socket associated with +them. Packets from kernel threads do have a socket, but usually no owner. +.TP +[\fB!\fP] \fB\-\-uid\-owner\fP \fIusername\fP +.TP +[\fB!\fP] \fB\-\-uid\-owner\fP \fIuserid\fP[\fB\-\fP\fIuserid\fP] +Matches if the packet socket's file structure (if it has one) is owned by the +given user. You may also specify a numerical UID, or an UID range. +.TP +[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupname\fP +.TP +[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP] +Matches if the packet socket's file structure is owned by the given group. +You may also specify a numerical GID, or a GID range. +.TP +\fB\-\-suppl\-groups\fP +Causes group(s) specified with \fB\-\-gid-owner\fP to be also checked in the +supplementary groups of a process. +.TP +[\fB!\fP] \fB\-\-socket\-exists\fP +Matches if the packet is associated with a socket. +.SS physdev +This module matches on the bridge port input and output devices enslaved +to a bridge device. This module is a part of the infrastructure that enables +a transparent bridging IP firewall and is only useful for kernel versions +above version 2.5.44. +.TP +[\fB!\fP] \fB\-\-physdev\-in\fP \fIname\fP +Name of a bridge port via which a packet is received (only for +packets entering the +.BR INPUT , +.B FORWARD +and +.B PREROUTING +chains). If the interface name ends in a "+", then any +interface which begins with this name will match. If the packet didn't arrive +through a bridge device, this packet won't match this option, unless '!' is used. +.TP +[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP +Name of a bridge port via which a packet is going to be sent (for bridged packets +entering the +.BR FORWARD +and +.B POSTROUTING +chains). If the interface name ends in a "+", then any +interface which begins with this name will match. +.TP +[\fB!\fP] \fB\-\-physdev\-is\-in\fP +Matches if the packet has entered through a bridge interface. +.TP +[\fB!\fP] \fB\-\-physdev\-is\-out\fP +Matches if the packet will leave through a bridge interface. +.TP +[\fB!\fP] \fB\-\-physdev\-is\-bridged\fP +Matches if the packet is being bridged and therefore is not being routed. +This is only useful in the FORWARD and POSTROUTING chains. +.SS pkttype +This module matches the link-layer packet type. +.TP +[\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP} +.SS policy +This module matches the policy used by IPsec for handling a packet. +.TP +\fB\-\-dir\fP {\fBin\fP|\fBout\fP} +Used to select whether to match the policy used for decapsulation or the +policy that will be used for encapsulation. +.B in +is valid in the +.B PREROUTING, INPUT and FORWARD +chains, +.B out +is valid in the +.B POSTROUTING, OUTPUT and FORWARD +chains. +.TP +\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP} +Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP +cannot be combined with \fB\-\-strict\fP. +.TP +\fB\-\-strict\fP +Selects whether to match the exact policy or match if any rule of +the policy matches the given policy. +.PP +For each policy element that is to be described, one can use one or more of +the following options. When \fB\-\-strict\fP is in effect, at least one must be +used per element. +.TP +[\fB!\fP] \fB\-\-reqid\fP \fIid\fP +Matches the reqid of the policy rule. The reqid can be specified with +.B setkey(8) +using +.B unique:id +as level. +.TP +[\fB!\fP] \fB\-\-spi\fP \fIspi\fP +Matches the SPI of the SA. +.TP +[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP} +Matches the encapsulation protocol. +.TP +[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP} +Matches the encapsulation mode. +.TP +[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP] +Matches the source end-point address of a tunnel mode SA. +Only valid with \fB\-\-mode tunnel\fP. +.TP +[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP] +Matches the destination end-point address of a tunnel mode SA. +Only valid with \fB\-\-mode tunnel\fP. +.TP +\fB\-\-next\fP +Start the next element in the policy specification. Can only be used with +\fB\-\-strict\fP. +.SS quota +Implements network quotas by decrementing a byte counter with each +packet. The condition matches until the byte counter reaches zero. Behavior +is reversed with negation (i.e. the condition does not match until the +byte counter reaches zero). +.TP +[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP +The quota in bytes. +.SS rateest +The rate estimator can match on estimated rates as collected by the RATEEST +target. It supports matching on absolute bps/pps values, comparing two rate +estimators and matching on the difference between two rate estimators. +.PP +For a better understanding of the available options, these are all possible +combinations: +.\" * Absolute: +.IP \(bu 4 +\fBrateest\fP \fIoperator\fP \fBrateest-bps\fP +.IP \(bu 4 +\fBrateest\fP \fIoperator\fP \fBrateest-pps\fP +.\" * Absolute + Delta: +.IP \(bu 4 +(\fBrateest\fP minus \fBrateest-bps1\fP) \fIoperator\fP \fBrateest-bps2\fP +.IP \(bu 4 +(\fBrateest\fP minus \fBrateest-pps1\fP) \fIoperator\fP \fBrateest-pps2\fP +.\" * Relative: +.IP \(bu 4 +\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-bps\fP(without rate!) +.IP \(bu 4 +\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-pps\fP(without rate!) +.\" * Relative + Delta: +.IP \(bu 4 +(\fBrateest1\fP minus \fBrateest-bps1\fP) \fIoperator\fP +(\fBrateest2\fP minus \fBrateest-bps2\fP) +.IP \(bu 4 +(\fBrateest1\fP minus \fBrateest-pps1\fP) \fIoperator\fP +(\fBrateest2\fP minus \fBrateest-pps2\fP) +.TP +\fB\-\-rateest\-delta\fP +For each estimator (either absolute or relative mode), calculate the difference +between the estimator-determined flow rate and the static value chosen with the +BPS/PPS options. If the flow rate is higher than the specified BPS/PPS, 0 will +be used instead of a negative value. In other words, "max(0, rateest#_rate - +rateest#_bps)" is used. +.TP +[\fB!\fP] \fB\-\-rateest\-lt\fP +Match if rate is less than given rate/estimator. +.TP +[\fB!\fP] \fB\-\-rateest\-gt\fP +Match if rate is greater than given rate/estimator. +.TP +[\fB!\fP] \fB\-\-rateest\-eq\fP +Match if rate is equal to given rate/estimator. +.PP +In the so-called "absolute mode", only one rate estimator is used and compared +against a static value, while in "relative mode", two rate estimators are +compared against another. +.TP +\fB\-\-rateest\fP \fIname\fP +Name of the one rate estimator for absolute mode. +.TP +\fB\-\-rateest1\fP \fIname\fP +.TP +\fB\-\-rateest2\fP \fIname\fP +The names of the two rate estimators for relative mode. +.TP +\fB\-\-rateest\-bps\fP [\fIvalue\fP] +.TP +\fB\-\-rateest\-pps\fP [\fIvalue\fP] +.TP +\fB\-\-rateest\-bps1\fP [\fIvalue\fP] +.TP +\fB\-\-rateest\-bps2\fP [\fIvalue\fP] +.TP +\fB\-\-rateest\-pps1\fP [\fIvalue\fP] +.TP +\fB\-\-rateest\-pps2\fP [\fIvalue\fP] +Compare the estimator(s) by bytes or packets per second, and compare against +the chosen value. See the above bullet list for which option is to be used in +which case. A unit suffix may be used - available ones are: bit, [kmgt]bit, +[KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps. +.PP +Example: This is what can be used to route outgoing data connections from an +FTP server over two lines based on the available bandwidth at the time the data +connection was started: +.PP +# Estimate outgoing rates +.PP +iptables \-t mangle \-A POSTROUTING \-o eth0 \-j RATEEST \-\-rateest\-name eth0 +\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s +.PP +iptables \-t mangle \-A POSTROUTING \-o ppp0 \-j RATEEST \-\-rateest\-name ppp0 +\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s +.PP +# Mark based on available bandwidth +.PP +iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp +\-m rateest \-\-rateest\-delta \-\-rateest1 eth0 \-\-rateest\-bps1 2.5mbit \-\-rateest\-gt +\-\-rateest2 ppp0 \-\-rateest\-bps2 2mbit \-j CONNMARK \-\-set\-mark 1 +.PP +iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp +\-m rateest \-\-rateest\-delta \-\-rateest1 ppp0 \-\-rateest\-bps1 2mbit \-\-rateest\-gt +\-\-rateest2 eth0 \-\-rateest\-bps2 2.5mbit \-j CONNMARK \-\-set\-mark 2 +.PP +iptables \-t mangle \-A balance \-j CONNMARK \-\-restore\-mark +.SS realm (IPv4-specific) +This matches the routing realm. Routing realms are used in complex routing +setups involving dynamic routing protocols like BGP. +.TP +[\fB!\fP] \fB\-\-realm\fP \fIvalue\fP[\fB/\fP\fImask\fP] +Matches a given realm number (and optionally mask). If not a number, value +can be a named realm from /etc/iproute2/rt_realms (mask can not be used in +that case). +Both value and mask are four byte unsigned integers and may be specified in +decimal, hex (by prefixing with "0x") or octal (if a leading zero is given). +.SS recent +Allows you to dynamically create a list of IP addresses and then match against +that list in a few different ways. +.PP +For example, you can create a "badguy" list out of people attempting to connect +to port 139 on your firewall and then DROP all future packets from them without +considering them. +.PP +\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are +mutually exclusive. +.TP +\fB\-\-name\fP \fIname\fP +Specify the list to use for the commands. If no name is given then +\fBDEFAULT\fP will be used. +.TP +[\fB!\fP] \fB\-\-set\fP +This will add the source address of the packet to the list. If the source +address is already in the list, this will update the existing entry. This will +always return success (or failure if \fB!\fP is passed in). +.TP +\fB\-\-rsource\fP +Match/save the source address of each packet in the recent list table. This +is the default. +.TP +\fB\-\-rdest\fP +Match/save the destination address of each packet in the recent list table. +.TP +\fB\-\-mask\fP \fInetmask\fP +Netmask that will be applied to this recent list. +.TP +[\fB!\fP] \fB\-\-rcheck\fP +Check if the source address of the packet is currently in the list. +.TP +[\fB!\fP] \fB\-\-update\fP +Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it +matches. +.TP +[\fB!\fP] \fB\-\-remove\fP +Check if the source address of the packet is currently in the list and if so +that address will be removed from the list and the rule will return true. If +the address is not found, false is returned. +.TP +\fB\-\-seconds\fP \fIseconds\fP +This option must be used in conjunction with one of \fB\-\-rcheck\fP or +\fB\-\-update\fP. When used, this will narrow the match to only happen when the +address is in the list and was seen within the last given number of seconds. +.TP +\fB\-\-reap\fP +This option can only be used in conjunction with \fB\-\-seconds\fP. +When used, this will cause entries older than the last given number of seconds +to be purged. +.TP +\fB\-\-hitcount\fP \fIhits\fP +This option must be used in conjunction with one of \fB\-\-rcheck\fP or +\fB\-\-update\fP. When used, this will narrow the match to only happen when the +address is in the list and packets had been received greater than or equal to +the given value. This option may be used along with \fB\-\-seconds\fP to create +an even narrower match requiring a certain number of hits within a specific +time frame. The maximum value for the hitcount parameter is given by the +"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this +value on the command line will cause the rule to be rejected. +.TP +\fB\-\-rttl\fP +This option may only be used in conjunction with one of \fB\-\-rcheck\fP or +\fB\-\-update\fP. When used, this will narrow the match to only happen when the +address is in the list and the TTL of the current packet matches that of the +packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems +with people faking their source address in order to DoS you via this module by +disallowing others access to your site by sending bogus packets to you. +.PP +Examples: +.IP +iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP +.IP +iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP +.PP +\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information +about each entry of each list. +.PP +Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current +list or written two using the following commands to modify the list: +.TP +\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP +to add \fIaddr\fP to the DEFAULT list +.TP +\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP +to remove \fIaddr\fP from the DEFAULT list +.TP +\fBecho / >/proc/net/xt_recent/DEFAULT\fP +to flush the DEFAULT list (remove all entries). +.PP +The module itself accepts parameters, defaults shown: +.TP +\fBip_list_tot\fP=\fI100\fP +Number of addresses remembered per table. +.TP +\fBip_pkt_list_tot\fP=\fI20\fP +Number of packets per address remembered. +.TP +\fBip_list_hash_size\fP=\fI0\fP +Hash table size. 0 means to calculate it based on ip_list_tot, default: 512. +.TP +\fBip_list_perms\fP=\fI0644\fP +Permissions for /proc/net/xt_recent/* files. +.TP +\fBip_list_uid\fP=\fI0\fP +Numerical UID for ownership of /proc/net/xt_recent/* files. +.TP +\fBip_list_gid\fP=\fI0\fP +Numerical GID for ownership of /proc/net/xt_recent/* files. +.SS rpfilter +Performs a reverse path filter test on a packet. +If a reply to the packet would be sent via the same interface +that the packet arrived on, the packet will match. +Note that, unlike the in-kernel rp_filter, packets protected +by IPSec are not treated specially. Combine this match with +the policy match if you want this. +Also, packets arriving via the loopback interface are always permitted. +This match can only be used in the PREROUTING chain of the raw or mangle table. +.TP +\fB\-\-loose\fP +Used to specify that the reverse path filter test should match +even if the selected output device is not the expected one. +.TP +\fB\-\-validmark\fP +Also use the packets' nfmark value when performing the reverse path route lookup. +.TP +\fB\-\-accept\-local\fP +This will permit packets arriving from the network with a source address that is also +assigned to the local machine. +.TP +\fB\-\-invert\fP +This will invert the sense of the match. Instead of matching packets that passed the +reverse path filter test, match those that have failed it. +.PP +Example to log and drop packets failing the reverse path filter test: + +iptables \-t raw \-N RPFILTER + +iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN + +iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop" + +iptables \-t raw \-A RPFILTER \-j DROP + +iptables \-t raw \-A PREROUTING \-j RPFILTER + +Example to drop failed packets, without logging: + +iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP +.SS rt (IPv6-specific) +Match on IPv6 routing header +.TP +[\fB!\fP] \fB\-\-rt\-type\fP \fItype\fP +Match the type (numeric). +.TP +[\fB!\fP] \fB\-\-rt\-segsleft\fP \fInum\fP[\fB:\fP\fInum\fP] +Match the `segments left' field (range). +.TP +[\fB!\fP] \fB\-\-rt\-len\fP \fIlength\fP +Match the length of this header. +.TP +\fB\-\-rt\-0\-res\fP +Match the reserved field, too (type=0) +.TP +\fB\-\-rt\-0\-addrs\fP \fIaddr\fP[\fB,\fP\fIaddr\fP...] +Match type=0 addresses (list). +.TP +\fB\-\-rt\-0\-not\-strict\fP +List of type=0 addresses is not a strict list. +.SS sctp +This module matches Stream Control Transmission Protocol headers. +.TP +[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] +.TP +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] +.TP +[\fB!\fP] \fB\-\-chunk\-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...] +The flag letter in upper case indicates that the flag is to match if set, +in the lower case indicates to match if unset. + +Match types: +.TP +all +Match if all given chunk types are present and flags match. +.TP +any +Match if any of the given chunk types is present with given flags. +.TP +only +Match if only the given chunk types are present with given flags and none are missing. + +Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN + +chunk type available flags +.br +DATA I U B E i u b e +.br +I_DATA I U B E i u b e +.br +ABORT T t +.br +SHUTDOWN_COMPLETE T t + +(lowercase means flag should be "off", uppercase means "on") +.P +Examples: + +iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP + +iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA,INIT \-j DROP + +iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA:Be \-j ACCEPT +.SS set +This module matches IP sets which can be defined by ipset(8). +.TP +[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... +where flags are the comma separated list of +.BR "src" +and/or +.BR "dst" +specifications and there can be no more than six of them. Hence the command +.IP + iptables \-A FORWARD \-m set \-\-match\-set test src,dst +.IP +will match packets, for which (if the set type is ipportmap) the source +address and destination port pair can be found in the specified set. If +the set type of the specified set is single dimension (for example ipmap), +then the command will match packets for which the source address can be +found in the specified set. +.TP +\fB\-\-return\-nomatch\fP +If the \fB\-\-return\-nomatch\fP option is specified and the set type +supports the \fBnomatch\fP flag, then the matching is reversed: a match +with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a +match with a plain element returns \fBfalse\fP. +.TP +\fB!\fP \fB\-\-update\-counters\fP +If the \fB\-\-update\-counters\fP flag is negated, then the packet and +byte counters of the matching element in the set won't be updated. Default +the packet and byte counters are updated. +.TP +\fB!\fP \fB\-\-update\-subcounters\fP +If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and +byte counters of the matching element in the member set of a list type of +set won't be updated. Default the packet and byte counters are updated. +.TP +[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP +If the packet is matched an element in the set, match only if the +packet counter of the element matches the given value too. +.TP +\fB\-\-packets\-lt\fP \fIvalue\fP +If the packet is matched an element in the set, match only if the +packet counter of the element is less than the given value as well. +.TP +\fB\-\-packets\-gt\fP \fIvalue\fP +If the packet is matched an element in the set, match only if the +packet counter of the element is greater than the given value as well. +.TP +[\fB!\fP] \fB\-\-bytes\-eq\fP \fIvalue\fP +If the packet is matched an element in the set, match only if the +byte counter of the element matches the given value too. +.TP +\fB\-\-bytes\-lt\fP \fIvalue\fP +If the packet is matched an element in the set, match only if the +byte counter of the element is less than the given value as well. +.TP +\fB\-\-bytes\-gt\fP \fIvalue\fP +If the packet is matched an element in the set, match only if the +byte counter of the element is greater than the given value as well. +.PP +The packet and byte counters related options and flags are ignored +when the set was defined without counter support. +.PP +The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does +not clash with an option of other extensions. +.PP +Use of \-m set requires that ipset kernel support is provided, which, for +standard kernels, is the case since Linux 2.6.39. +.SS socket +This matches if an open TCP/UDP socket can be found by doing a socket lookup on the +packet. It matches if there is an established or non\-zero bound listening +socket (possibly with a non\-local address). The lookup is performed using +the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header +\fBembedded\fP in an ICMP/ICPMv6 error packet. +.TP +\fB\-\-transparent\fP +Ignore non-transparent sockets. +.TP +\fB\-\-nowildcard\fP +Do not ignore sockets bound to 'any' address. +The socket match won't accept zero\-bound listeners by default, since +then local services could intercept traffic that would otherwise be forwarded. +This option therefore has security implications when used to match traffic being +forwarded to redirect such packets to local machine with policy routing. +When using the socket match to implement fully transparent +proxies bound to non\-local addresses it is recommended to use the \-\-transparent +option instead. +.PP +Example (assuming packets with mark 1 are delivered locally): +.IP +\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1 +.TP +\fB\-\-restore\-skmark\fP +Set the packet mark to the matching socket's mark. Can be combined with the +\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets +to be matched when restoring the packet mark. +.PP +Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and +sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets: +.IP +\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore-skmark \-j action +.IP +\-t mangle \-A action \-m mark \-\-mark 10 \-j action2 +.IP +\-t mangle \-A action \-m mark \-\-mark 11 \-j action3 +.SS state +The "state" extension is a subset of the "conntrack" module. +"state" allows access to the connection tracking state for this packet. +.TP +[\fB!\fP] \fB\-\-state\fP \fIstate\fP +Where state is a comma separated list of the connection states to match. Only a +subset of the states unterstood by "conntrack" are recognized: \fBINVALID\fP, +\fBESTABLISHED\fP, \fBNEW\fP, \fBRELATED\fP or \fBUNTRACKED\fP. For their +description, see the "conntrack" heading in this manpage. +.SS statistic +This module matches packets based on some statistic condition. +It supports two distinct modes settable with the +\fB\-\-mode\fP +option. +.PP +Supported options: +.TP +\fB\-\-mode\fP \fImode\fP +Set the matching mode of the matching rule, supported modes are +.B random +and +.B nth. +.TP +[\fB!\fP] \fB\-\-probability\fP \fIp\fP +Set the probability for a packet to be randomly matched. It only works with the +\fBrandom\fP mode. \fIp\fP must be within 0.0 and 1.0. The supported +granularity is in 1/2147483648th increments. +.TP +[\fB!\fP] \fB\-\-every\fP \fIn\fP +Match one packet every nth packet. It works only with the +.B nth +mode (see also the +\fB\-\-packet\fP +option). +.TP +\fB\-\-packet\fP \fIp\fP +Set the initial counter value (0 <= p <= n\-1, default 0) for the +.B nth +mode. +.SS string +This module matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14. +.TP +\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP} +Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris) +.TP +\fB\-\-from\fP \fIoffset\fP +Set the offset from which it starts looking for any matching. If not passed, default is 0. +.TP +\fB\-\-to\fP \fIoffset\fP +Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1 +(counting from 0) is the last one that is scanned. +If not passed, default is the packet size. +.TP +[\fB!\fP] \fB\-\-string\fP \fIpattern\fP +Matches the given pattern. +.TP +[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP +Matches the given pattern in hex notation. +.TP +\fB\-\-icase\fP +Ignore case when searching. +.TP +Examples: +.IP +# The string pattern can be used for simple text characters. +.br +iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG +.IP +# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|. +.br +iptables \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '|03|www|09|netfilter|03|org|00|' +.P +Note: Since Boyer-Moore (BM) performs searches for matches from right to left and +the kernel may store a packet in multiple discontiguous blocks, it's possible +that a match could be spread over multiple blocks, in which case this algorithm +won't find it. +.P +If you wish to ensure that such thing won't ever happen, use the +Knuth-Pratt-Morris (KMP) algorithm instead. In conclusion, choose the proper +string search algorithm depending on your use-case. +.P +For example, if you're using the module for filtering, NIDS or any similar +security-focused purpose, then choose KMP. On the other hand, if you really care +about performance \(em for example, you're classifying packets to apply Quality +of Service (QoS) policies \(em and you don't mind about missing possible matches +spread over multiple fragments, then choose BM. +.SS tcp +These extensions can be used if `\-\-protocol tcp' is specified. It +provides the following options: +.TP +[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] +Source port or port range specification. This can either be a service +name or a port number. An inclusive range can also be specified, +using the format \fIfirst\fP\fB:\fP\fIlast\fP. +If the first port is omitted, "0" is assumed; if the last is omitted, +"65535" is assumed. +The flag +\fB\-\-sport\fP +is a convenient alias for this option. +.TP +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] +Destination port or port range specification. The flag +\fB\-\-dport\fP +is a convenient alias for this option. +.TP +[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP +Match when the TCP flags are as specified. The first argument \fImask\fP is the +flags which we should examine, written as a comma-separated list, and +the second argument \fIcomp\fP is a comma-separated list of flags which must be +set. Flags are: +.BR "SYN ACK FIN RST URG PSH ALL NONE" . +Hence the command +.nf + iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN +.fi +will only match packets with the SYN flag set, and the ACK, FIN and +RST flags unset. +.TP +[\fB!\fP] \fB\-\-syn\fP +Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits +cleared. Such packets are used to request TCP connection initiation; +for example, blocking such packets coming in an interface will prevent +incoming TCP connections, but outgoing TCP connections will be +unaffected. +It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP. +If the "!" flag precedes the "\-\-syn", the sense of the +option is inverted. +.TP +[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP +Match if TCP option set. +.SS tcpmss +This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. +.TP +[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP] +Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP. +.SS time +This matches if the packet arrival time/date is within a given range. All +options are optional, but are ANDed when specified. All times are interpreted +as UTC by default. +.TP +\fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]] +.TP +\fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]] +Only match during the given time, which must be in ISO 8601 "T" notation. +The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07. +.IP +If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01 +and 2038-01-19, respectively. +.TP +\fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP] +.TP +\fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP] +Only match during the given daytime. The possible time range is 00:00:00 to +23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted +as base-10. +.TP +[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...] +Only match on the given days of the month. Possible values are \fB1\fP +to \fB31\fP. Note that specifying \fB31\fP will of course not match +on months which do not have a 31st day; the same goes for 28- or 29-day +February. +.TP +[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...] +Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP, +\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP +to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP, +\fBTu\fP, etc.). +.TP +\fB\-\-contiguous\fP +When \fB\-\-timestop\fP is smaller than \fB\-\-timestart\fP value, match +this as a single time period instead distinct intervals. See EXAMPLES. +.TP +\fB\-\-kerneltz\fP +Use the kernel timezone instead of UTC to determine whether a packet meets the +time regulations. +.PP +About kernel timezones: Linux keeps the system time in UTC, and always does so. +On boot, system time is initialized from a referential time source. Where this +time source has no timezone information, such as the x86 CMOS RTC, UTC will be +assumed. If the time source is however not in UTC, userspace should provide the +correct system time and timezone to the kernel once it has the information. +.PP +Local time is a feature on top of the (timezone independent) system time. Each +process has its own idea of local time, specified via the TZ environment +variable. The kernel also has its own timezone offset variable. The TZ +userspace environment variable specifies how the UTC-based system time is +displayed, e.g. when you run date(1), or what you see on your desktop clock. +The TZ string may resolve to different offsets at different dates, which is +what enables the automatic time-jumping in userspace. when DST changes. The +kernel's timezone offset variable is used when it has to convert between +non-UTC sources, such as FAT filesystems, to UTC (since the latter is what the +rest of the system uses). +.PP +The caveat with the kernel timezone is that Linux distributions may ignore to +set the kernel timezone, and instead only set the system time. Even if a +particular distribution does set the timezone at boot, it is usually does not +keep the kernel timezone offset - which is what changes on DST - up to date. +ntpd will not touch the kernel timezone, so running it will not resolve the +issue. As such, one may encounter a timezone that is always +0000, or one that +is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly +discouraged.\fP +.PP +EXAMPLES. To match on weekends, use: +.IP +\-m time \-\-weekdays Sa,Su +.PP +Or, to match (once) on a national holiday block: +.IP +\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27 +.PP +Since the stop time is actually inclusive, you would need the following stop +time to not match the first second of the new day: +.IP +\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59 +.PP +During lunch hour: +.IP +\-m time \-\-timestart 12:30 \-\-timestop 13:30 +.PP +The fourth Friday in the month: +.IP +\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28 +.PP +(Note that this exploits a certain mathematical property. It is not possible to +say "fourth Thursday OR fourth Friday" in one rule. It is possible with +multiple rules, though.) +.PP +Matching across days might not do what is expected. For instance, +.IP +\-m time \-\-weekdays Mo \-\-timestart 23:00 \-\-timestop 01:00 +Will match Monday, for one hour from midnight to 1 a.m., and then +again for another hour from 23:00 onwards. If this is unwanted, e.g. if you +would like 'match for two hours from Montay 23:00 onwards' you need to also specify +the \-\-contiguous option in the example above. +.SS tos +This module matches the 8-bit Type of Service field in the IPv4 header (i.e. +including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6 +header. +.TP +[\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] +Matches packets with the given TOS mark value. If a mask is specified, it is +logically ANDed with the TOS mark before the comparison. +.TP +[\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP +You can specify a symbolic name when using the tos match for IPv4. The list of +recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP. +Note that this implies a mask of 0x3F, i.e. all but the ECN bits. +.SS ttl (IPv4-specific) +This module matches the time to live field in the IP header. +.TP +[\fB!\fP] \fB\-\-ttl\-eq\fP \fIttl\fP +Matches the given TTL value. +.TP +\fB\-\-ttl\-gt\fP \fIttl\fP +Matches if TTL is greater than the given TTL value. +.TP +\fB\-\-ttl\-lt\fP \fIttl\fP +Matches if TTL is less than the given TTL value. +.SS u32 +U32 tests whether quantities of up to 4 bytes extracted from a packet have +specified values. The specification of what to extract is general enough to +find data at given offsets from tcp headers or payloads. +.TP +[\fB!\fP] \fB\-\-u32\fP \fItests\fP +The argument amounts to a program in a small language described below. +.IP +tests := location "=" value | tests "&&" location "=" value +.IP +value := range | value "," range +.IP +range := number | number ":" number +.PP +a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is +interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP. +.IP "" 4 +location := number | location operator number +.IP "" 4 +operator := "&" | "<<" | ">>" | "@" +.PP +The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C. +The \fB=\fP is really a set membership operator and the value syntax describes +a set. The \fB@\fP operator is what allows moving to the next header and is +described further below. +.PP +There are currently some artificial implementation limits on the size of the +tests: +.IP " *" +no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument +.IP " *" +no more than 10 ranges (and 9 commas) per value +.IP " *" +no more than 10 numbers (and 9 operators) per location +.PP +To describe the meaning of location, imagine the following machine that +interprets it. There are three registers: +.IP +A is of type \fBchar *\fP, initially the address of the IP header +.IP +B and C are unsigned 32 bit integers, initially zero +.PP +The instructions are: +.TP +.B number +B = number; +.IP +C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3) +.TP +.B &number +C = C & number +.TP +.B << number +C = C << number +.TP +.B >> number +C = C >> number +.TP +.B @number +A = A + C; then do the instruction number +.PP +Any access of memory outside [skb\->data,skb\->end] causes the match to fail. +Otherwise the result of the computation is the final value of C. +.PP +Whitespace is allowed but not required in the tests. However, the characters +that do occur there are likely to require shell quoting, so it is a good idea +to enclose the arguments in quotes. +.PP +Example: +.IP +match IP packets with total length >= 256 +.IP +The IP header contains a total length field in bytes 2-3. +.IP +\-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP" +.IP +read bytes 0-3 +.IP +AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range +[0x100:0xFFFF] +.PP +Example: (more realistic, hence more complicated) +.IP +match ICMP packets with icmp type 0 +.IP +First test that it is an ICMP packet, true iff byte 9 (protocol) = 1 +.IP +\-\-u32 "\fB6 & 0xFF = 1 &&\fP ... +.IP +read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to +1. Next test that it is not a fragment. (If so, it might be part of such a +packet but we cannot always tell.) N.B.: This test is generally needed if you +want to match anything beyond the IP header. The last 6 bits of byte 6 and all +of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively, +you can allow first fragments by only testing the last 5 bits of byte 6. +.IP + ... \fB4 & 0x3FFF = 0 &&\fP ... +.IP +Last test: the first byte past the IP header (the type) is 0. This is where we +have to use the @syntax. The length of the IP header (IHL) in 32 bit words is +stored in the right half of byte 0 of the IP header itself. +.IP + ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP" +.IP +The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the +right. Shifting 24 bits would give the first byte, so only 22 bits is four +times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits +on the right and the first four bits of the first byte. For instance, if IHL=5, +then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in +binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and +\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into +the packet, and read four bytes starting from there. This is the first 4 bytes +of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply +shift the value 24 to the right to throw out all but the first byte and compare +the result with 0. +.PP +Example: +.IP +TCP payload bytes 8-12 is any of 1, 2, 5 or 8 +.IP +First we test that the packet is a tcp packet (similar to ICMP). +.IP +\-\-u32 "\fB6 & 0xFF = 6 &&\fP ... +.IP +Next, test that it is not a fragment (same as above). +.IP + ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP" +.IP +\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP +makes this the new offset into the packet, which is the start of the TCP +header. The length of the TCP header (again in 32 bit words) is the left half +of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes +(similar to the IP header before). "@" makes this the new offset, which is the +start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and +\fB=\fP checks whether the result is any of 1, 2, 5 or 8. +.SS udp +These extensions can be used if `\-\-protocol udp' is specified. It +provides the following options: +.TP +[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] +Source port or port range specification. +See the description of the +\fB\-\-source\-port\fP +option of the TCP extension for details. +.TP +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] +Destination port or port range specification. +See the description of the +\fB\-\-destination\-port\fP +option of the TCP extension for details. +.SH TARGET EXTENSIONS +iptables can use extended target modules: the following are included +in the standard distribution. +.\" @TARGET@ +.SS AUDIT +This target creates audit records for packets hitting the target. +It can be used to record accepted, dropped, and rejected packets. See +auditd(8) for additional details. +.TP +\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP} +Set type of audit record. Starting with linux-4.12, this option has no effect +on generated audit messages anymore. It is still accepted by iptables for +compatibility reasons, but ignored. +.PP +Example: +.IP +iptables \-N AUDIT_DROP +.IP +iptables \-A AUDIT_DROP \-j AUDIT +.IP +iptables \-A AUDIT_DROP \-j DROP +.SS CHECKSUM +This target selectively works around broken/old applications. +It can only be used in the mangle table. +.TP +\fB\-\-checksum\-fill\fP +Compute and fill in the checksum in a packet that lacks a checksum. +This is particularly useful, if you need to work around old applications +such as dhcp clients, that do not work well with checksum offloads, +but don't want to disable checksum offload in your device. +.SS CLASSIFY +This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class). +.TP +\fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP +Set the major and minor class value. The values are always interpreted as +hexadecimal even if no 0x prefix is given. +.SS CLUSTERIP (IPv4-specific) +This module allows you to configure a simple cluster of nodes that share +a certain IP and MAC address without an explicit load balancer in front of +them. Connections are statically distributed between the nodes in this +cluster. +.PP +Please note that CLUSTERIP target is considered deprecated in favour of cluster +match which is more flexible and not limited to IPv4. +.TP +\fB\-\-new\fP +Create a new ClusterIP. You always have to set this on the first rule +for a given ClusterIP. +.TP +\fB\-\-hashmode\fP \fImode\fP +Specify the hashing mode. Has to be one of +\fBsourceip\fP, \fBsourceip\-sourceport\fP, \fBsourceip\-sourceport\-destport\fP. +.TP +\fB\-\-clustermac\fP \fImac\fP +Specify the ClusterIP MAC address. Has to be a link\-layer multicast address +.TP +\fB\-\-total\-nodes\fP \fInum\fP +Number of total nodes within this cluster. +.TP +\fB\-\-local\-node\fP \fInum\fP +Local node number within this cluster. +.TP +\fB\-\-hash\-init\fP \fIrnd\fP +Specify the random seed used for hash initialization. +.SS CONNMARK +This module sets the netfilter mark value associated with a connection. The +mark is 32 bits wide. +.TP +\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] +Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark. +.TP +\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] +Copy the packet mark (nfmark) to the connection mark (ctmark) using the given +masks. The new nfmark value is determined as follows: +.IP +ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) +.IP +i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the +nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to +0xFFFFFFFF. +.TP +\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] +Copy the connection mark (ctmark) to the packet mark (nfmark) using the given +masks. The new ctmark value is determined as follows: +.IP +nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP); +.IP +i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the +ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to +0xFFFFFFFF. +.IP +\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table. +.PP +The following mnemonics are available for \fB\-\-set\-xmark\fP: +.TP +\fB\-\-and\-mark\fP \fIbits\fP +Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark +0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) +.TP +\fB\-\-or\-mark\fP \fIbits\fP +Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP +\fIbits\fP\fB/\fP\fIbits\fP.) +.TP +\fB\-\-xor\-mark\fP \fIbits\fP +Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP +\fIbits\fP\fB/0\fP.) +.TP +\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] +Set the connection mark. If a mask is specified then only those bits set in the +mask are modified. +.TP +\fB\-\-save\-mark\fP [\fB\-\-mask\fP \fImask\fP] +Copy the nfmark to the ctmark. If a mask is specified, only those bits are +copied. +.TP +\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP] +Copy the ctmark to the nfmark. If a mask is specified, only those bits are +copied. This is only valid in the \fBmangle\fP table. +.SS CONNSECMARK +This module copies security markings from packets to connections +(if unlabeled), and from connections back to packets (also only +if unlabeled). Typically used in conjunction with SECMARK, it is +valid in the +.B security +table (for backwards compatibility with older kernels, it is also +valid in the +.B mangle +table). +.TP +\fB\-\-save\fP +If the packet has a security marking, copy it to the connection +if the connection is not marked. +.TP +\fB\-\-restore\fP +If the packet does not have a security marking, and the connection +does, copy the security marking from the connection to the packet. + +.SS CT +The CT target sets parameters for a packet or its associated +connection. The target attaches a "template" connection tracking entry to +the packet, which is then used by the conntrack core when initializing +a new ct entry. This target is thus only valid in the "raw" table. +.TP +\fB\-\-notrack\fP +Disables connection tracking for this packet. +.TP +\fB\-\-helper\fP \fIname\fP +Use the helper identified by \fIname\fP for the connection. This is more +flexible than loading the conntrack helper modules with preset ports. +.TP +\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...] +Only generate the specified conntrack events for this connection. Possible +event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP, +\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to +the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark). +.TP +\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...] +Only generate the specified expectation events for this connection. +Possible event types are: \fBnew\fP. +.TP +\fB\-\-zone-orig\fP {\fIid\fP|\fBmark\fP} +For traffic coming from ORIGINAL direction, assign this packet to zone +\fIid\fP and only have lookups done in that zone. If \fBmark\fP is used +instead of \fIid\fP, the zone is derived from the packet nfmark. +.TP +\fB\-\-zone-reply\fP {\fIid\fP|\fBmark\fP} +For traffic coming from REPLY direction, assign this packet to zone +\fIid\fP and only have lookups done in that zone. If \fBmark\fP is used +instead of \fIid\fP, the zone is derived from the packet nfmark. +.TP +\fB\-\-zone\fP {\fIid\fP|\fBmark\fP} +Assign this packet to zone \fIid\fP and only have lookups done in that zone. +If \fBmark\fP is used instead of \fIid\fP, the zone is derived from the +packet nfmark. By default, packets have zone 0. This option applies to both +directions. +.TP +\fB\-\-timeout\fP \fIname\fP +Use the timeout policy identified by \fIname\fP for the connection. This is +provides more flexible timeout policy definition than global timeout values +available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*. +.SS DNAT +This target is only valid in the +.B nat +table, in the +.B PREROUTING +and +.B OUTPUT +chains, and user-defined chains which are only called from those +chains. It specifies that the destination address of the packet +should be modified (and all future packets in this connection will +also be mangled), and rules should cease being examined. It takes the +following options: +.TP +\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP[\fB/\fIbaseport\fP]]] +which can specify a single new destination IP address, an inclusive +range of IP addresses. Optionally a port range, +if the rule also specifies one of the following protocols: +\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP. +If no port range is specified, then the destination port will never be +modified. If no IP address is specified then only the destination port +will be modified. +If \fBbaseport\fP is given, the difference of the original destination port and +its value is used as offset into the mapping port range. This allows to create +shifted portmap ranges and is available since kernel version 4.18. +For a single port or \fIbaseport\fP, a service name as listed in +\fB/etc/services\fP may be used. +.TP +\fB\-\-random\fP +Randomize source port mapping (kernel >= 2.6.22). +.TP +\fB\-\-persistent\fP +Gives a client the same source-/destination-address for each connection. +This supersedes the SAME target. Support for persistent mappings is available +from 2.6.29-rc2. +.TP +IPv6 support available since Linux kernels >= 3.7. +.SS DNPT (IPv6-specific) +Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as +described by RFC 6296). +.PP +You have to use this target in the +.B mangle +table, not in the +.B nat +table. It takes the following options: +.TP +\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength] +Set source prefix that you want to translate and length +.TP +\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength] +Set destination prefix that you want to use in the translation and length +.PP +You have to use the SNPT target to undo the translation. Example: +.IP +ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0 +\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64 +.IP +ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 +\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64 +.PP +You may need to enable IPv6 neighbor proxy: +.IP +sysctl \-w net.ipv6.conf.all.proxy_ndp=1 +.PP +You also have to use the +.B NOTRACK +target to disable connection tracking for translated flows. +.SS DSCP +This target alters the value of the DSCP bits within the TOS +header of the IPv4 packet. As this manipulates a packet, it can only +be used in the mangle table. +.TP +\fB\-\-set\-dscp\fP \fIvalue\fP +Set the DSCP field to a numerical value (can be decimal or hex) +.TP +\fB\-\-set\-dscp\-class\fP \fIclass\fP +Set the DSCP field to a DiffServ class. +.SS ECN (IPv4-specific) +This target selectively works around known ECN blackholes. +It can only be used in the mangle table. +.TP +\fB\-\-ecn\-tcp\-remove\fP +Remove all ECN bits from the TCP header. Of course, it can only be used +in conjunction with +\fB\-p tcp\fP. +.SS HL (IPv6-specific) +This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field +is similar to what is known as TTL value in IPv4. Setting or incrementing the +Hop Limit field can potentially be very dangerous, so it should be avoided at +any cost. This target is only valid in +.B mangle +table. +.PP +.B Don't ever set or increment the value on packets that leave your local network! +.TP +\fB\-\-hl\-set\fP \fIvalue\fP +Set the Hop Limit to `value'. +.TP +\fB\-\-hl\-dec\fP \fIvalue\fP +Decrement the Hop Limit `value' times. +.TP +\fB\-\-hl\-inc\fP \fIvalue\fP +Increment the Hop Limit `value' times. +.SS HMARK +Like MARK, i.e. set the fwmark, but the mark is calculated from hashing +packet selector at choice. You have also to specify the mark range and, +optionally, the offset to start from. ICMP error messages are inspected +and used to calculate the hashing. +.PP +Existing options are: +.TP +\fB\-\-hmark\-tuple\fP tuple\fI\fP +Possible tuple members are: +.B src +meaning source address (IPv4, IPv6 address), +.B dst +meaning destination address (IPv4, IPv6 address), +.B sport +meaning source port (TCP, UDP, UDPlite, SCTP, DCCP), +.B dport +meaning destination port (TCP, UDP, UDPlite, SCTP, DCCP), +.B spi +meaning Security Parameter Index (AH, ESP), and +.B ct +meaning the usage of the conntrack tuple instead of the packet selectors. +.TP +\fB\-\-hmark\-mod\fP \fIvalue (must be > 0)\fP +Modulus for hash calculation (to limit the range of possible marks) +.TP +\fB\-\-hmark\-offset\fP \fIvalue\fP +Offset to start marks from. +.TP +For advanced usage, instead of using \-\-hmark\-tuple, you can specify custom +prefixes and masks: +.TP +\fB\-\-hmark\-src\-prefix\fP \fIcidr\fP +The source address mask in CIDR notation. +.TP +\fB\-\-hmark\-dst\-prefix\fP \fIcidr\fP +The destination address mask in CIDR notation. +.TP +\fB\-\-hmark\-sport\-mask\fP \fIvalue\fP +A 16 bit source port mask in hexadecimal. +.TP +\fB\-\-hmark\-dport\-mask\fP \fIvalue\fP +A 16 bit destination port mask in hexadecimal. +.TP +\fB\-\-hmark\-spi\-mask\fP \fIvalue\fP +A 32 bit field with spi mask. +.TP +\fB\-\-hmark\-proto\-mask\fP \fIvalue\fP +An 8 bit field with layer 4 protocol number. +.TP +\fB\-\-hmark\-rnd\fP \fIvalue\fP +A 32 bit random custom value to feed hash calculation. +.PP +\fIExamples:\fP +.PP +iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW + \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000 +\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe +.PP +iptables \-t mangle \-A PREROUTING \-j HMARK \-\-hmark\-offset 10000 +\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef +.SS IDLETIMER +This target can be used to identify when interfaces have been idle for a +certain period of time. Timers are identified by labels and are created when +a rule is set with a new label. The rules also take a timeout value (in +seconds) as an option. If more than one rule uses the same timer label, the +timer will be restarted whenever any of the rules get a hit. One entry for +each timer is created in sysfs. This attribute contains the timer remaining +for the timer to expire. The attributes are located under the xt_idletimer +class: +.PP +/sys/class/xt_idletimer/timers/