Netfilter and iptables notes

Abbreviations:

Protocol abbreviations are taken from /etc/protocols.
Port abbreviations are taken from /etc/services.

Predefined tables:

filter
nat
mangle
raw

Predefined chains:

PREROUTING
INPUT - traffic entering the system
FORWARD - packets being routed
OUTPUT - traffic which originated locally
POSTROUTING

Chain order:

network → PREROUTING → INPUT → system
network → PREROUTING → FORWARD → POSTROUTING → network
system → OUTPUT → POSTROUTING → network

Chain usage:

filtering: INPUT, FORWARD, OUTPUT
SNAT: PREROUTING
DNAT: OUTPUT, POSTROUTING
connection tracking: PREROUTING, OUTPUT

Match Extensions (selected):

-m state connection tracking state

-m conntrack connection tracking

-m limit token bucket filter

-m iprange range of IPv4 addr

-m random random percent of packets

-m recent

State matches (-m state):

INVALID - connection is in an invalid state
ESTABLISHED - up and running connection
NEW - new, not yet tracked, connection
RELATED - provided by a protocol helper module

Conntrack state matches: (--ctstate state):

INVALID - connection is in an invalid state
ESTABLISHED - up and running connection
NEW - new, not yet tracked, connection
RELATED - provided by a protocol helper module
SNAT - orig src address differs from reply dest (virtual state)
DNAT - orig dst differs from reply source (virtual state)

Target Extensions (selected):

CLUSTERIP simple cluster sharing IP and MAC without balancer

LOG kernel logging

REJECT returns error packet

TCPMSS allows altering of the MSS value of TCP SYN packets

ULOG userspace logging

Netfilter and iptables notes

Navigation menu

Search

-m state	connection tracking state
-m conntrack	connection tracking
-m limit	token bucket filter
-m iprange	range of IPv4 addr
-m random	random percent of packets
-m recent

CLUSTERIP	simple cluster sharing IP and MAC without balancer
LOG	kernel logging
REJECT	returns error packet
TCPMSS	allows altering of the MSS value of TCP SYN packets
ULOG	userspace logging