User guide

Chapter 2. Securing Your Network
If the -i parameter is used but no interface is specified, then every interface is affected by the rule.
-j — Jumps to the specified target when a packet matches a particular rule.
The standard targets are ACCEPT, DROP, QUEUE, and RETURN.
Extended options are also available through modules loaded by default with the Red Hat Enterprise
Linux iptables RPM package. Valid targets in these modules include LOG, MARK, and REJECT,
among others. Refer to the iptables man page for more information about these and other
targets.
This option can also be used to direct a packet matching a particular rule to a user-defined chain
outside of the current chain so that other rules can be applied to the packet.
If no target is specified, the packet moves past the rule with no action taken. The counter for this
rule, however, increases by one.
-o — Sets the outgoing network interface for a rule. This option is only valid for the OUTPUT and
FORWARD chains in the filter table, and the POSTROUTING chain in the nat and mangle
tables. This parameter accepts the same options as the incoming network interface parameter (-i).
-p <protocol> — Sets the IP protocol affected by the rule. This can be either icmp, tcp, udp, or
all, or it can be a numeric value, representing one of these or a different protocol. You can also use
any protocols listed in the /etc/protocols file.
The "all" protocol means the rule applies to every supported protocol. If no protocol is listed with
this rule, it defaults to "all".
-s — Sets the source for a particular packet using the same syntax as the destination (-d)
parameter.
2.6.2.4. IPTables Match Options
Different network protocols provide specialized matching options which can be configured to match a
particular packet using that protocol. However, the protocol must first be specified in the iptables
command. For example, -p <protocol-name> enables options for the specified protocol. Note that
you can also use the protocol ID, instead of the protocol name. Refer to the following examples, each
of which has the same effect (ICMP is IP protocol number 1 in /etc/protocols):
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p 1 --icmp-type any -j ACCEPT
Service definitions are provided in the /etc/services file. For readability, it is recommended that
you use the service names rather than the port numbers.
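The following script is an added example, not part of the Red Hat guide, that ties together the options from the parameter list above (-i, -s, -p, -j to a user-defined chain, RETURN, and the extended LOG and REJECT targets) with the protocol-specific match options of this section. It runs in dry-run mode by default and only prints the iptables commands it would issue, so it can be reviewed without root; the chain name mgmt_hosts, the interface eth0 and the 192.0.2.0/24 network are constructed sample values. The proto_number helper accepts a well-known protocol name or a numeric protocol ID and rejects anything outside the valid 0-255 range, which is the kind of check that catches a typo such as a five-digit "protocol number" before it reaches iptables.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). Builds a small INPUT policy that
# exercises -i, -s, -p with protocol-specific matches, a jump to a user-defined
# chain, RETURN, and the extended LOG/REJECT targets. With DRY_RUN=1 (the
# default) the commands are printed instead of executed; set DRY_RUN=0 to apply
# them for real (requires root and iptables).
: "${DRY_RUN:=1}"

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Normalise a -p argument: a well-known name (from /etc/protocols) or a numeric
# IP protocol number in the valid 0-255 range. Anything else is rejected so a
# typo cannot silently produce a rule iptables will refuse to load.
proto_number() {
    case "$1" in
        icmp) echo 1 ;;
        tcp)  echo 6 ;;
        udp)  echo 17 ;;
        all)  echo 0 ;;
        *)
            case "$1" in
                ''|*[!0-9]*) echo "invalid protocol: $1" >&2; return 1 ;;
            esac
            [ "$1" -le 255 ] || { echo "invalid protocol: $1" >&2; return 1; }
            echo "$1" ;;
    esac
}

# Emit the ruleset. Interface, chain name and addresses are constructed values.
build_rules() {
    # Create the user-defined chain that -j will send packets to.
    ipt -N mgmt_hosts
    # Packets arriving on eth0 from the management network (-i, -s) are handed
    # to the user-defined chain; rules there can ACCEPT or RETURN them.
    ipt -A INPUT -i eth0 -s 192.0.2.0/24 -j mgmt_hosts
    # -p tcp enables --dport; "ssh" is resolved through /etc/services.
    ipt -A mgmt_hosts -p "$(proto_number tcp)" --dport ssh -j ACCEPT
    # -p icmp (here given as its protocol ID) enables --icmp-type.
    ipt -A mgmt_hosts -p "$(proto_number icmp)" --icmp-type echo-request -j ACCEPT
    # Anything not matched above goes back to the INPUT chain.
    ipt -A mgmt_hosts -j RETURN
    # Back in INPUT: LOG and REJECT are extended targets from the loaded modules.
    ipt -A INPUT -j LOG --log-prefix "INPUT-REJECT: "
    ipt -A INPUT -j REJECT
}

build_rules
```

Run the script as-is to review the generated commands; once the output looks right, DRY_RUN=0 ./script.sh applies them. Because the LOG rule precedes REJECT in INPUT and the user-defined chain ends with RETURN, a packet from the management network that matches neither ssh nor echo-request is logged and rejected by the same two rules as any other packet.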