Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 746

Chapter 43. Securing Your Network
Note
Because of a known issue with this option, end the --log-prefix value with a trailing space;
otherwise the prefix runs directly into the logged packet details (the "IN=... OUT=..." fields)
that follow it.
• --log-tcp-options — Logs any options set in the header of a TCP packet.
• --log-tcp-sequence — Writes the TCP sequence number for the packet in the log.
• REJECT — Sends an error packet back to the remote system and drops the packet.
The REJECT target accepts --reject-with <type> (where <type> is the rejection type),
allowing more detailed information to be returned with the error packet. The error type
icmp-port-unreachable is the default if no other option is used. The tcp-reset type is valid
only in rules that match TCP (-p tcp). REJECT itself can be used only in the INPUT, FORWARD
and OUTPUT chains, or in user-defined chains called from them. Refer to the iptables man
page for a full list of <type> options.
Other target extensions, including several that are useful for IP masquerading using the nat table, or
with packet alteration using the mangle table, can be found in the iptables man page.
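The following is an added example, not taken from the Red Hat guide, showing the LOG and REJECT targets used together the way the notes above describe: a user-defined chain that logs with a prefix ending in a space and then rejects, using tcp-reset for TCP and the default icmp-port-unreachable for everything else. The chain name LOG_REJECT, the prefix "IPT-REJECT: ", the port 23 and the rate limit are assumptions chosen for the example. By default the script only prints the iptables commands it would run, so it can be executed without root.

```shell
#!/bin/bash
# Added example (not from the Red Hat guide): build a LOG-then-REJECT chain
# and hook it into INPUT. With DRY_RUN=1 (the default here) the iptables
# commands are printed instead of executed, so the script runs unprivileged.
# Chain name, log prefix, port and limit values are assumptions.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"       # show the command that would run
    else
        "$@"
    fi
}

# Trailing space in the prefix: without it the LOG target runs the prefix
# straight into the "IN=... OUT=..." packet details.
LOG_PREFIX='IPT-REJECT: '

# Build chain $1: a rate-limited LOG, then REJECT with a protocol-appropriate error.
build_log_reject_chain() {
    local chain="$1"
    run iptables -N "$chain"
    # -m limit keeps one packet flood from filling syslog with LOG entries
    run iptables -A "$chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level 4 --log-tcp-options
    # TCP gets an RST so clients fail fast instead of waiting for a timeout;
    # REJECT is terminating, so non-TCP packets fall through to the next rule,
    # which spells out the default icmp-port-unreachable type for clarity.
    run iptables -A "$chain" -p tcp -j REJECT --reject-with tcp-reset
    run iptables -A "$chain" -j REJECT --reject-with icmp-port-unreachable
}

# Send new TCP connections to port $2 from anywhere into chain $1.
hook_port_into_chain() {
    local chain="$1" port="$2"
    run iptables -A INPUT -p tcp --dport "$port" -m state --state NEW -j "$chain"
}

build_log_reject_chain LOG_REJECT
hook_port_into_chain LOG_REJECT 23
```

Run with DRY_RUN=0 as root to apply the rules; the printed form is also convenient for review before the rules go into /etc/sysconfig/iptables.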
43.9.3.6. Listing Options
The default list command, iptables -L [<chain-name>], provides a very basic overview of the
default filter table's current chains. Additional options provide more information:
• -v — Displays verbose output, such as the number of packets and bytes each chain has
processed, the number of packets and bytes each rule has matched, and which interfaces apply to a
particular rule.
• -x — Expands numbers into their exact values. On a busy system, the number of packets and
bytes processed by a particular chain or rule is abbreviated with a K, M or G suffix (thousands,
millions or billions, rounded). This option forces the full number to be displayed.
• -n — Displays IP addresses and port numbers in numeric format, rather than the default hostname
and network service format. This also avoids the reverse DNS lookup for every address, so the
listing is faster and does not stall when DNS is unreachable.
• --line-numbers — Lists rules in each chain next to their numeric position in the chain. This option
is useful when deleting a specific rule from a chain (iptables -D <chain-name> <number>) or
when locating where to insert a rule within a chain (iptables -I <chain-name> <number>).
• -t <table-name> — Specifies a table name. If omitted, defaults to the filter table.
The following examples illustrate the use of several of these options. Note the difference in the
byte display when the -x option is included: the first listing shows exact counters, the second
the abbreviated K form.
[root@myserver ~]# iptables -L OUTPUT -v -n -x
Chain OUTPUT (policy ACCEPT 64005 packets, 6445791 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1593     133812 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

[root@myserver ~]# iptables -L OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 64783 packets, 6492K bytes)
    pkts bytes target     prot opt in     out     source               destination
    1819  153K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
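As an added example (not part of the Red Hat guide), the script below reads the kind of listing shown above, as produced by iptables -L -v -n --line-numbers, and reports rules whose packet counter is still zero, which is a common audit step before pruning a rule set with iptables -D <chain> <number>. It also shows how to undo the K/M/G abbreviation that appears when -x is omitted. The sample listing embedded in the script is constructed for the example (it follows the layout above, with an extra never-hit REJECT rule added), and the function names are assumptions.

```shell
#!/bin/bash
# Added example (not from the Red Hat guide): parse the output of
#   iptables -L -v -n --line-numbers
# and report rules whose packet counter is zero, i.e. candidates for
# removal with `iptables -D <chain> <num>`. Counters printed without -x are
# abbreviated with K/M/G suffixes (1000-based, rounded); expand_count undoes
# that approximately. Use -x when exact values matter.

# Expand an abbreviated counter: 153K -> 153000, 2M -> 2000000, 1593 -> 1593.
expand_count() {
    case "$1" in
        *K) echo $(( ${1%K} * 1000 )) ;;
        *M) echo $(( ${1%M} * 1000000 )) ;;
        *G) echo $(( ${1%G} * 1000000000 )) ;;
        *)  echo "$1" ;;
    esac
}

# Read a verbose listing on stdin; print "chain rule-number target" for every
# rule whose packet count is zero. Requires --line-numbers in the listing so
# the first column is the rule position.
dead_rules() {
    awk '
        /^Chain /    { chain = $2; next }   # "Chain INPUT (policy ...)"
        /^num +pkts/ { next }               # column header line
        NF >= 4 && $1 ~ /^[0-9]+$/ && $2 == "0" { print chain, $1, $4 }
    '
}

# Constructed sample in the layout shown in the guide (one never-hit rule added).
SAMPLE='Chain INPUT (policy DROP 12 packets, 960 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1819  153K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 64783 packets, 6492K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1593  133K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0'

printf '%s\n' "$SAMPLE" | dead_rules    # prints: INPUT 2 REJECT
```

On a live system replace the sample with `iptables -L -v -n --line-numbers | dead_rules` (or add -t nat to audit that table). A zero counter only means the rule has not matched since the counters were last reset (iptables -Z or a reboot), so check uptime before deleting anything.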
