Red Hat ENTERPRISE LINUX 3 Reference Manual page 275
Chapter 17. iptables

-d — Sets the destination hostname, IP address, or network of a packet that matches the rule. When matching a network, the following IP address/netmask formats are supported:

    N.N.N.N/M.M.M.M — Where N.N.N.N is the IP address range and M.M.M.M is the netmask.

    N.N.N.N/M — Where N.N.N.N is the IP address range and M is the bitmask.

-f — Applies this rule only to fragmented packets. By using the ! option after this parameter, only unfragmented packets are matched.

-i — Sets the incoming network interface, such as eth0 or ppp0. With iptables, this optional parameter may only be used with the INPUT and FORWARD chains when used with the filter table and the PREROUTING chain with the nat and mangle tables. This parameter also supports the following special options:

    ! — Reverses the directive, meaning any specified interfaces are excluded from this rule.

    + — A wildcard character used to match all interfaces that match the specified string. For example, the parameter -i eth+ would apply this rule to any Ethernet interfaces but exclude any other interfaces, such as ppp0.

    If the -i parameter is used but no interface is specified, then every interface is affected by the rule.

-j — Jumps to the specified target when a packet matches a particular rule. Valid targets to be used after the -j option include the standard options (ACCEPT, DROP, QUEUE, and RETURN) as well as extended options that are available through modules loaded by default with the Red Hat Enterprise Linux iptables RPM package, such as LOG, MARK, and REJECT, among others. Refer to the iptables man page for more information about these and other targets.

    It is also possible to direct a packet matching this rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet.

    If no target is specified, the packet moves past the rule with no action taken. However, the counter for this rule increases by one.

-o — Sets the outgoing network interface for a rule and may only be used with OUTPUT and FORWARD chains in the filter table, and the POSTROUTING chain in the nat and mangle tables. This parameter's options are the same as those of the incoming network interface parameter (-i).

-p — Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all, to match every supported protocol. In addition, any protocols listed in /etc/protocols may also be used. If this option is omitted when creating a rule, the all option is the default.

-s — Sets the source for a particular packet using the same syntax as the destination (-d) parameter.

17.3.4. iptables Match Options

Different network protocols provide specialized matching options which can be configured to match a particular packet using that protocol. However, the protocol must first be specified in the iptables command. For example, -p tcp makes the TCP options available; in general, -p <protocol-name> (where <protocol-name> is the target protocol) makes options for the specified protocol available.

17.3.4.1. TCP Protocol

These match options are available for the TCP protocol (-p tcp):

--dport — Sets the destination port for the packet. Use either a network service name (such as www or smtp), port number, or range of port numbers to configure this option. To browse the names
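The parameters and match options above, assembled into a small default-deny filter-table ruleset. This is an added example and not part of the Red Hat manual; the interface names, the 192.0.2.0/24 and 198.51.100.10 addresses, and the user-defined chain named mgmt are constructed for illustration. The script prints the commands unless DRY_RUN=0, so it can be read without touching a live firewall. One caveat: the manual places the negating ! after the parameter (-i !), a form that current iptables releases deprecate in favour of placing it before the parameter (! -i), which is what the script uses.

```shell
#!/bin/sh
# Added example, not taken from the Red Hat manual. Builds a small default-deny
# filter-table ruleset using the -i/-o, -s/-d, -f, -p, -j and --dport
# parameters described in the text. Interface names, the 192.0.2.0/24 and
# 198.51.100.10 addresses and the "mgmt" chain name are constructed values.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only; 0 = run them (needs root)

# run: print one iptables command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# emit_rules: one rule per parameter discussed in the manual text
emit_rules() {
    # -j to a user-defined chain only works once the chain exists (-N creates it)
    run -N mgmt
    # loopback traffic is accepted outright
    run -A INPUT -i lo -j ACCEPT
    # "!" negates -i: packets that did NOT arrive on ppp0. Current iptables
    # wants "! -i"; the manual describes the older "-i !" placement
    run -A INPUT ! -i ppp0 -p tcp --dport 22 -j mgmt
    # -s with the bitmask form, -d with the dotted-netmask form
    run -A mgmt -s 192.0.2.0/24 -j ACCEPT
    run -A mgmt -d 198.51.100.10/255.255.255.255 -j LOG
    # RETURN hands the packet back to the calling chain (INPUT)
    run -A mgmt -j RETURN
    # -f matches fragments; "! -f" would match only unfragmented packets
    run -A INPUT -f -j DROP
    # -i eth+ is the wildcard for every Ethernet interface;
    # --dport takes a service name from /etc/services or a port range
    run -A INPUT -i eth+ -p tcp --dport www -j ACCEPT
    run -A INPUT -i eth+ -p tcp --dport 1024:65535 -j DROP
    # -o is only valid in the OUTPUT and FORWARD chains of the filter table
    run -A OUTPUT -o eth+ -p udp --dport 53 -j ACCEPT
    # anything not matched above is dropped; the rule's counter still advances
    run -A INPUT -j DROP
}

# count_rules: number of commands the ruleset produces (always in dry-run mode)
count_rules() {
    ( DRY_RUN=1; emit_rules ) | grep -c ''
}

emit_rules
```

Running it as DRY_RUN=0 sh rules.sh (as root) applies the rules; iptables -L -v afterwards shows the per-rule packet counters that the manual says advance even when a rule has no target.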