Manualshelf

User guide

ManualsBrandsRed Hat ManualsOtherENTERPRISE LINUX 4 - SELINUX GUIDE
919293949596979899100
Command Options for IPTables
85
-N — Creates a new chain with a user-specified name. The chain name must be unique, otherwise
an error message is displayed.
-P — Sets the default policy for the specified chain, so that when packets traverse an entire chain
without matching a rule, they are sent to the specified target, such as ACCEPT or DROP.
-R — Replaces a rule in the specified chain. The rule's number must be specified after the chain's
name. The first rule in a chain corresponds to rule number one.
-X — Deletes a user-specified chain. You cannot delete a built-in chain.
-Z — Sets the byte and packet counters in all chains for a table to zero.
2.6.2.3. IPTables Parameter Options
Certain iptables commands, including those used to add, append, delete, insert, or replace rules
within a particular chain, require various parameters to construct a packet filtering rule.
-c — Resets the counters for a particular rule. This parameter accepts the PKTS and BYTES options
to specify which counter to reset.
-d — Sets the destination hostname, IP address, or network of a packet that matches the rule.
When matching a network, the following IP address/netmask formats are supported:
N.N.N.N/M.M.M.M — Where N.N.N.N is the IP address range and M.M.M.M is the netmask.
N.N.N.N/M — Where N.N.N.N is the IP address range and M is the bitmask.
-f — Applies this rule only to fragmented packets.
You can use the exclamation point character (!) option before this parameter to specify that only
unfragmented packets are matched.
Note
Distinguishing between fragmented and unfragmented packets is desirable, despite
fragmented packets being a standard part of the IP protocol.
Originally designed to allow IP packets to travel over networks with differing frame sizes,
these days fragmentation is more commonly used to generate DoS attacks using mal-formed
packets. It's also worth noting that IPv6 disallows fragmentation entirely.
-i — Sets the incoming network interface, such as eth0 or ppp0. With iptables, this optional
parameter may only be used with the INPUT and FORWARD chains when used with the filter
table and the PREROUTING chain with the nat and mangle tables.
This parameter also supports the following special options:
Exclamation point character (!) — Reverses the directive, meaning any specified interfaces are
excluded from this rule.
Plus character (+) — A wildcard character used to match all interfaces that match the specified
string. For example, the parameter -i eth+ would apply this rule to any Ethernet interfaces but
exclude any other interfaces, such as ppp0.