Installation guide

Chapter 13. Firewalls and iptables 171
Caution
Be aware of which option (-A or -I) you are using when adding a rule. iptables evaluates the rules in a
chain in order, and the first rule that matches a packet and jumps to a terminating target (such as
ACCEPT, DROP or REJECT) decides what happens to it; later rules are never consulted for that packet.
Make sure when adding a rule to the beginning or end of the chain that it does not change the effect of
other rules in that chain.
-L — Lists all of the rules in the chain specified after the command. To list all rules in all chains in
the default filter table, do not specify a chain or table. Otherwise, the following syntax should
be used to list the rules in a specific chain in a particular table:
iptables -L chain-name -t table-name
Powerful options for the -L command that provide rule numbers and allow more verbose rule
descriptions, among others, are described in Section 13.3.7.
-N — Creates a new chain with a user-specified name.
-P — Sets the default policy for a particular chain, so that when packets traverse an entire chain
without matching a rule, they will be sent on to a particular target, such as ACCEPT or DROP. Only the
built-in chains have a policy; a packet that reaches the end of a user-defined chain without a match
returns to the chain that jumped to it.
-R — Replaces a rule in a particular chain. You must give the rule's number after the chain's name to
replace that rule. The first rule in a chain is rule number 1.
-X — Deletes a user-specified chain. The chain must be empty and must not be the target of a jump from
any other rule, or the command fails. Deleting a built-in chain for any table is not allowed.
-Z — Zeros the byte and packet counters in all chains for a particular table.
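The commands above, exercised as an added shell example (not code from the Red Hat guide): it builds a small INPUT policy in a user-defined chain, shows how -I places a rule ahead of rules already appended with -A, and uses the positions reported by -L --line-numbers with -R. The chain name INPUT_DEMO, the documentation addresses 192.0.2.0/24 and 192.0.2.7, and the DRY_RUN switch are assumptions for illustration; with DRY_RUN set the script prints the iptables invocations instead of running them, so it can be read without root.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Exercises -N, -P, -A, -I, -L,
# -R, -D, -Z and -X on a user-defined chain. Assumed for illustration:
# the chain name INPUT_DEMO and the documentation addresses 192.0.2.0/24
# and 192.0.2.7. With DRY_RUN set, the iptables invocations are printed
# instead of executed, so the script can be read without root.
IPTABLES=${IPTABLES:-iptables}

ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

build_firewall() {
    # Keep existing sessions alive before the default policy becomes DROP,
    # otherwise an SSH session to this host dies as soon as -P takes effect.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -P INPUT DROP                  # -P: default policy, built-in chain only

    ipt -N INPUT_DEMO                  # -N: new user-defined chain
    ipt -A INPUT -p tcp --dport 22 -j INPUT_DEMO

    # -A appends, so these two are evaluated in the order written.
    ipt -A INPUT_DEMO -s 192.0.2.0/24 -j ACCEPT
    ipt -A INPUT_DEMO -j DROP

    # -I with position 1 puts this rule ahead of both appended rules. The
    # first matching rule with a terminating target wins, so a host inside
    # 192.0.2.0/24 that is listed here is dropped before the ACCEPT is seen.
    ipt -I INPUT_DEMO 1 -s 192.0.2.7 -j DROP
}

# -L with --line-numbers prints the positions that -R and -D expect;
# -n skips DNS lookups, -v shows the per-rule counters.
show_rules() {
    ipt -L INPUT_DEMO -n -v --line-numbers
}

# -R replaces rule 2 (the ACCEPT appended first, now at position 2 because
# of the -I above) with a narrower match. Rule numbering starts at 1.
tighten_rule_2() {
    ipt -R INPUT_DEMO 2 -s 192.0.2.0/25 -j ACCEPT
}

# -X only succeeds on an empty chain that no other rule jumps to, so the
# chain is flushed and the jump removed first. -Z clears the counters.
teardown() {
    ipt -Z INPUT_DEMO
    ipt -F INPUT_DEMO
    ipt -D INPUT -p tcp --dport 22 -j INPUT_DEMO
    ipt -X INPUT_DEMO
    ipt -P INPUT ACCEPT
    ipt -D INPUT -i lo -j ACCEPT
    ipt -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply)    build_firewall; show_rules ;;
    tighten)  tighten_rule_2; show_rules ;;
    teardown) teardown ;;
    '')       ;;   # no argument: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 apply|tighten|teardown" >&2; exit 2 ;;
esac
```

Run it as root with apply to load the rules, tighten to replace rule 2, and teardown to remove everything. The order inside build_firewall matters: the ESTABLISHED,RELATED rule is appended before the policy is switched to DROP, because an administrator connected over SSH would otherwise lose the session the moment -P INPUT DROP takes effect.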
13.3.4. Parameters
Once certain iptables commands are specified, including those used to add, append, delete, insert,
or replace rules within a particular chain, parameters are required to describe which packets the
rule matches.
-c — Sets the packet and byte counters of a rule that is being added, inserted or replaced (-A, -I or
-R). It takes two numeric arguments, PKTS and BYTES, which become the initial counter values; this is
mainly used when a saved rule set is restored with its counters intact.
-d — Sets the destination hostname, IP address, or network of a packet that will match the rule.
When matching a network, you can use two different methods for signifying the netmask, such as
192.168.0.0/255.255.255.0 or 192.168.0.0/24. A hostname is resolved once, when the rule is added,
and a name that resolves to several addresses produces one rule per address; the rule set therefore
depends on DNS at load time, and a later change to the name has no effect on it.
-f — Applies this rule only to second and later fragments of a fragmented packet. The first fragment
carries the transport header and does not match, so a rule that tests ports or ICMP types can never
apply to later fragments.
By placing ! before this parameter (! -f), only first fragments and unfragmented packets will be matched.
-i — Sets the incoming network interface, such as eth0 or ppp0, to use with a particular rule.
With iptables, this optional parameter may only be used with the INPUT and FORWARD chains
when used with the filter table and the PREROUTING chain with the nat and mangle tables.
This parameter features several useful options that may be used with the name of an
interface:
! — Negates the match, meaning that packets arriving on the specified interface are specifically
excluded from this rule. In the iptables releases this guide covers, the ! is written between -i and
the interface name (-i ! ppp0); later releases expect it before the option (! -i ppp0) and warn
about the older placement.
+ — A wildcard character that matches every interface whose name begins with the string before it.
For example, the parameter -i eth+ would apply this rule to eth0, eth1 and any other interface whose
name starts with eth, but exclude any other interfaces, such as ppp0.
If the -i parameter is omitted, the rule matches packets arriving on any interface.
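The -c, -d, -f and -i parameters described above, as an added shell example that is not code from the Red Hat guide. It checks the equivalence of the two netmask spellings that -d accepts by converting a dotted mask to a prefix length, then emits rules that use the interface wildcard, interface negation, the fragment match and explicit counters. The interface names eth+ and ppp0, the networks 192.168.0.0/24 and 10.0.0.0/8, and the DRY_RUN switch are assumptions for illustration; with DRY_RUN set the iptables invocations are printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Shows the -c, -d, -f and -i
# parameters and checks the equivalence of the two netmask spellings that
# -d accepts. Assumed for illustration: interface names eth+ and ppp0, the
# networks 192.168.0.0/24 and 10.0.0.0/8, and the DRY_RUN switch, which
# prints the iptables invocations instead of executing them.
IPTABLES=${IPTABLES:-iptables}

ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Convert a dotted netmask to a prefix length (255.255.255.0 -> 24).
# Fails on anything that is not four octets forming a contiguous mask,
# which is the only kind of mask iptables accepts.
mask_to_prefix() {
    prefix=0; seen_zero=0; count=0
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        count=$((count + 1))
        case "$octet" in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;;
            *)   return 1 ;;
        esac
        # once an octet is not 255, every later octet must be 0
        if [ "$seen_zero" -eq 1 ] && [ "$bits" -ne 0 ]; then return 1; fi
        if [ "$bits" -ne 8 ]; then seen_zero=1; fi
        prefix=$((prefix + bits))
    done
    [ "$count" -eq 4 ] || return 1
    echo "$prefix"
}

# Normalize address/netmask, address/prefix or a bare address to CIDR form.
to_cidr() {
    case "$1" in
        */*.*.*.*) p=$(mask_to_prefix "${1#*/}") || return 1
                   echo "${1%%/*}/$p" ;;
        */*)       echo "$1" ;;
        *)         echo "$1/32" ;;
    esac
}

# -d: either netmask spelling works; normalizing first keeps the rule set
# uniform when it is later listed or saved, and rejects malformed masks
# before they reach iptables.
allow_https_to() {
    net=$(to_cidr "$1") || { echo "bad network: $1" >&2; return 1; }
    ipt -A FORWARD -d "$net" -p tcp --dport 443 -j ACCEPT
}

match_examples() {
    # -i eth+: any interface whose name starts with "eth" (eth0, eth1, ...)
    ipt -A INPUT -i eth+ -p tcp --dport 80 -j ACCEPT
    # negated interface; the releases this guide covers wrote this as -i ! ppp0
    ipt -A FORWARD ! -i ppp0 -d 10.0.0.0/8 -j ACCEPT
    # ! -f: first fragments and unfragmented packets, the only ones that
    # carry the UDP header the --dport test needs; -f alone matches second
    # and later fragments, which the next rule drops
    ipt -A INPUT ! -f -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -f -j DROP
    # -c PKTS BYTES seeds the rule's counters, as iptables-restore does
    ipt -A INPUT -c 0 0 -s 10.0.0.0/8 -j DROP
}
```

The -f DROP rule only fires when fragments actually reach the filter table: on kernels with connection tracking loaded, packets are reassembled before the INPUT and FORWARD chains see them, so on such hosts it is defence in depth rather than the primary control.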
-j — Tells iptables to jump to a particular target when a packet matches a particular rule. Valid
targets to be used after the -j option include the standard options, ACCEPT, DROP, QUEUE, and
RETURN, as well as extended options that are available through modules loaded by default with the
Red Hat Linux iptables RPM package, such as LOG, MARK, and REJECT, among others. See the