Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 740

Chapter 43. Securing Your Network
This is especially important when adding rules using the -I option with an integer argument. If you specify an existing number when adding a rule to a chain, iptables adds the new rule before (or above) the existing rule.
• -L — Lists all of the rules in the chain specified after the command. To list all rules in all chains in the default filter table, do not specify a chain or table. Otherwise, the following syntax should be used to list the rules in a specific chain in a particular table:
iptables -L <chain-name> -t <table-name>
Additional options for the -L command option, which provide rule numbers and allow more verbose rule descriptions, are described in Section 43.9.3.6, "Listing Options".
• -N — Creates a new chain with a user-specified name. The chain name must be unique; otherwise an error message is displayed.
• -P — Sets the default policy for the specified chain, so that when packets traverse an entire chain without matching a rule, they are sent to the specified target, such as ACCEPT or DROP.
• -R — Replaces a rule in the specified chain. The rule's number must be specified after the chain's name. The first rule in a chain corresponds to rule number one.
• -X — Deletes a user-specified chain. You cannot delete a built-in chain.
• -Z — Sets the byte and packet counters in all chains for a table to zero.
43.9.3.3. IPTables Parameter Options
Certain iptables commands, including those used to add, append, delete, insert, or replace rules within a particular chain, require various parameters to construct a packet filtering rule.
• -c — Resets the counters for a particular rule. This parameter accepts the PKTS and BYTES options to specify which counter to reset.
• -d — Sets the destination hostname, IP address, or network of a packet that matches the rule. When matching a network, the following IP address/netmask formats are supported:
  • N.N.N.N/M.M.M.M — Where N.N.N.N is the IP address range and M.M.M.M is the netmask.
  • N.N.N.N/M — Where N.N.N.N is the IP address range and M is the bitmask.
• -f — Applies this rule only to fragmented packets. You can use the exclamation point character (!) option after this parameter to specify that only unfragmented packets are matched.
Note
Distinguishing between fragmented and unfragmented packets is desirable, despite fragmented packets being a standard part of the IP protocol.
714
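The rule-numbering behaviour of -I, the -P default policy and the two -d network forms described above, modelled as an added example that is not part of the manual and is not iptables code: a small Python chain model using the standard ipaddress module, where Chain, parse_dest and the sample rules are my own constructions and only ordering and destination matching are modelled.

```python
import ipaddress

def parse_dest(spec):
    """Parse a -d argument in either manual form, N.N.N.N/M.M.M.M or N.N.N.N/M;
    a bare address is a single host (/32). ipaddress takes both mask spellings."""
    return ipaddress.ip_network(spec, strict=False)

class Chain:
    """Toy model of one iptables chain (hypothetical, not iptables code):
    ordered rules, first match wins, the -P policy applies when none match."""
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []                        # (destination network, target)

    def append(self, dest, target):            # -A chain -d dest -j target
        self.rules.append((parse_dest(dest), target))

    def insert(self, dest, target, num=1):     # -I chain [num] -d dest -j target
        # Rules are numbered from 1; an existing number places the new rule
        # above the rule currently holding that number, pushing it down.
        if not 1 <= num <= len(self.rules) + 1:
            raise ValueError("rule number %d out of range" % num)
        self.rules.insert(num - 1, (parse_dest(dest), target))

    def replace(self, num, dest, target):      # -R chain num -d dest -j target
        if not 1 <= num <= len(self.rules):
            raise ValueError("rule number %d out of range" % num)
        self.rules[num - 1] = (parse_dest(dest), target)

    def lookup(self, ip):
        """Target a packet destined for ip receives after traversing the chain."""
        addr = ipaddress.ip_address(ip)
        for net, target in self.rules:
            if addr in net:
                return target
        return self.policy                     # no rule matched: default policy

    def listing(self):                         # like -L with rule numbers
        return [(i + 1, str(net), target) for i, (net, target) in enumerate(self.rules)]

if __name__ == "__main__":
    # Constructed sample: default DROP, an allow in dotted-mask form, a reject in bitmask form.
    chain = Chain(policy="DROP")
    chain.append("192.168.1.0/255.255.255.0", "ACCEPT")
    chain.append("10.0.0.0/8", "REJECT")
    chain.insert("192.168.1.50", "DROP", 1)    # becomes rule 1; old rule 1 becomes rule 2
    for line in chain.listing():
        print(line)
    print(chain.lookup("192.168.1.50"), chain.lookup("192.168.1.7"), chain.lookup("8.8.8.8"))
```

The listing shows why rule order matters: the host-specific DROP inserted at number 1 is evaluated before the broader ACCEPT it was placed above, whereas appending it with -A would have left it unreachable for that host.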