Red Hat LINUX 7.2 Reference Manual page 302
-d Sets the destination hostname, IP address, or network that a packet must have in order to match the rule.
A network can be written with its netmask either as a dotted quad or as a prefix length;
192.168.0.0/255.255.255.0 and 192.168.0.0/24 are equivalent.
-f Applies this rule only to fragmented packets, specifically to the second and later fragments, which carry no TCP or UDP header for port matches to inspect.
By using the ! option after this parameter, only unfragmented packets and first fragments will be matched.
-i Sets the incoming network interface, such as eth0 or ppp0, to use with a particular rule. With
iptables, this optional parameter may only be used with the INPUT and FORWARD chains
when used with the filter table and the PREROUTING chain with the nat and mangle tables.
This parameter features several useful options that may be used before specifying the name of an
interface:
! — Tells this parameter not to match, meaning that any specified interfaces are specifically
excluded from this rule.
+ — A wildcard character used to match all interfaces that match a particular string. For
example, the parameter -i eth+ would apply this rule to any Ethernet interfaces on your
system but exclude any other interfaces, such as ppp0.
If the -i parameter is omitted, the rule matches packets arriving on any interface; when -i is given, an interface name or pattern must follow it.
-j Tells iptables to jump to a particular target when a packet matches a particular rule. Valid
targets to be used after the -j option include the standard options, ACCEPT, DROP, QUEUE, and
RETURN, as well as extended options that are available through modules loaded by default with
the Red Hat Linux iptables RPM package, such as LOG, MARK, and REJECT, among others.
See the iptables man page for more information on these and other targets, including rules
regarding their use, as many targets may only be used with a particular table.
Other than specifying a target action, you may also direct a packet matching this rule to a user-
defined chain outside of the current chain. This allows you to apply other rules against this packet,
further filtering it with more specific criteria. If the user-defined chain ends without a terminating
target, processing returns to the calling chain at the rule following the jump.
If no target is specified, the packet moves past the rule with no action taken. However, the packet and
byte counters for this rule are still increased, as the packet matched the specified rule.
-o Sets the outgoing network interface for a particular rule, and may only be used with the OUTPUT
and FORWARD chains in the filter table and the POSTROUTING chain in the nat and
mangle tables. This parameter's options are the same as those of the incoming network interface
parameter (-i).
-p Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all, to match
every possible protocol. In addition, lesser used protocols listed in /etc/protocols can also
be utilized. If this option is omitted when creating a rule, the all option is the default.
-s Sets the source for a particular packet, using the same syntax as the destination (-d) parameter.
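As an added example, not part of the Red Hat manual, the following script ties the parameters above together into a small filter table ruleset: -s and -d in prefix-length form, -i with the + wildcard and with ! negation, -f, -o in the FORWARD chain, -p, -j to built-in and extended targets, a -j to a user-defined chain, and a rule with no target at all. The interface names eth0 and ppp0, the 192.168.1.0/24 LAN, the from-lan chain name and the state match on the return FORWARD rule are assumptions for illustration. Run without arguments it only prints the commands, so it can be reviewed on a host without root or without the iptables modules loaded.

```shell
#!/bin/sh
# Added example for this manual page, not Red Hat's own code. Interface
# names, the LAN prefix and the chain name are assumptions for illustration.
#
#   ./firewall.sh        print the iptables commands (dry run, no root needed)
#   ./firewall.sh apply  execute them

IPT=${IPT:-/sbin/iptables}

# Run or print one iptables command, depending on IPT_DRY_RUN.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

load_rules() {
    # Default policies: nothing enters or is forwarded unless a rule accepts it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # A user-defined chain for traffic from the LAN side. A rule that jumps
    # here with -j from-lan hands the packet to these finer checks; if none
    # of them gives a verdict, processing resumes after the jumping rule.
    ipt -N from-lan
    ipt -A from-lan -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
    ipt -A from-lan -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
    ipt -A from-lan -j LOG --log-prefix "from-lan:"
    ipt -A from-lan -j REJECT

    # -i with the + wildcard: any Ethernet interface (eth0, eth1, ...) but
    # not ppp0.
    ipt -A INPUT -i eth+ -j from-lan

    # Loopback traffic is always accepted.
    ipt -A INPUT -i lo -j ACCEPT

    # ! negation on -i, combined with -d in prefix-length form: a packet
    # addressed to 127.0.0.0/8 that did NOT arrive on lo is spoofed.
    # iptables 1.2 (the version this manual covers) accepts the ! after -i;
    # iptables 1.4 and later write it before the option, as "! -i lo".
    ipt -A INPUT -i ! lo -d 127.0.0.0/8 -j DROP

    # -f matches the second and later fragments of a fragmented packet. They
    # carry no TCP/UDP header, so port matches cannot inspect them; drop
    # them on the dial-up interface.
    ipt -A INPUT -i ppp0 -f -j DROP

    # -o is valid only in OUTPUT and FORWARD (filter) and POSTROUTING
    # (nat, mangle). Let LAN hosts out over ppp0; let only replies back in
    # (the state match is an assumption here, it is not described on this page).
    ipt -A FORWARD -i eth0 -o ppp0 -s 192.168.1.0/24 -j ACCEPT
    ipt -A FORWARD -i ppp0 -o eth0 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A rule with no -j target does nothing to the packet, but its packet and
    # byte counters still advance: a cheap way to count ICMP without acting.
    ipt -A INPUT -p icmp
}

case "${1:-}" in
    apply) load_rules ;;
    *)     IPT_DRY_RUN=1 load_rules ;;
esac
```

The dry-run form is the one to keep in review: it shows exactly which chain and table each rule lands in, which is where the -i/-o chain restrictions described above bite, and the from-lan chain can be inspected on its own with iptables -L from-lan -v to read the counters.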
Chapter 18: Firewalling with iptables