DESCRIPTION Ipchains is used to set up, maintain, and inspect the IP firewall rules in the Linux kernel. These rules can be divided into 4 different categories: the IP input chain, the IP output chain, the IP forwarding chain, and user defined chains.
For each of these categories, a separate table of rules is maintained, any of which might refer to one of the user-defined chains. See ipfw(4) for more details.
TARGETS A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, or one of the special values ACCEPT, DENY, REJECT, MASQ, REDIRECT, or RETURN.
ACCEPT means to let the packet through. DENY means to drop the packet on the floor. REJECT means the same as drop, but is more polite and easier to debug, since an ICMP message is sent back to the sender indicating that the packet was dropped. (Note that DENY and REJECT are the same for ICMP packets). [Note: this is incorrect; setting ICMP to REJECT will cause ICMP port unreachables to be sent!]
MASQ is only legal for the forward and user-defined chains, and can only be used when the kernel is compiled with CONFIG_IP_MASQUERADE defined. With this, packets will be masqueraded as if they originated from the local host. Furthermore, reverse packets will be recognized as such and they will be demasqueraded automatically, bypassing the forwarding chain.
REDIRECT is only legal for the input and user-defined chains and can only be used when the Linux kernel is compiled with CONFIG_IP_TRANSPARENT_PROXY defined. With this, packets will be redirected to a local socket, even if they were sent to a remote host. If the specified redirection port is 0, which is the default value, the destination port of a packet will be used as the redirection port. When this target is used, an optional extra argument (the port number) can be supplied.
If the end of a user-defined chain is reached, or a rule with target RETURN is matched, then the next rule in the previous (calling) chain is examined. If the end of a builtin chain is reached, or a rule in a builtin chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
February 8, 1998 1
IPCHAINS(8) IPCHAINS(8)
OPTIONS The options that are recognized by ipchains can be divided into several different groups.
COMMANDS These options specify the specific action to perform; only one of them can be specified on the command line, unless otherwise specified below. For all the long versions of the command and option names, you only need to use enough letters to ensure that ipchains can differentiate it from all other options.
-A, --append Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.
-D, --delete Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
-R, --replace Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
-I, --insert Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain.
-L, --list List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case no chain may be specified. The exact output is affected by the other arguments given.
-F, --flush Flush the selected chain. This is equivalent to deleting all the rules one by one.
-Z, --zero Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared; if this is done, then no specific chain can be specified (they will all be displayed and cleared).
-N, --new-chain Create a new user-defined chain of the given name. There must be no target of that name already.
-X, --delete-chain Delete the specified user-defined chain. There must be no references to the chain (if there are you must delete or replace the referring rules before the chain can be deleted). If no argument is given, it will attempt to delete every non-builtin chain.
-P, --policy Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only non-user-defined (builtin) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
-M, --masquerading This option allows viewing of the currently masqueraded connections (in conjunction with the -L option) or to set the kernel masquerading parameters (with the -S option).
-S, --set tcp tcpfin udp Change the timeout values used for masquerading. This command always takes 3 parameters, representing the timeout values (in seconds) for TCP sessions, TCP sessions after receiving a FIN packet, and UDP packets, respectiv
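As an added example that is not code from this man page or from the ipchains project, the following Python model reproduces the traversal rules given under TARGETS (jumps into user-defined chains, RETURN, and the builtin chain policy) together with the -N, -A, -I and -P commands from COMMANDS; the Firewall class, its method names, the predicate-based rule matching and the packet dict are assumptions of this model, not ipchains' own data structures.

```python
# Added example (not from the ipchains man page): a model of the chain
# traversal that TARGETS describes and of the -N/-A/-I/-P commands. A rule is
# a (match, target) pair; match is a predicate over a constructed packet dict.
BUILTIN = ("input", "output", "forward")
TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ", "REDIRECT"}

class Firewall:
    def __init__(self):
        self.chains = {c: [] for c in BUILTIN}
        self.policy = {c: "ACCEPT" for c in BUILTIN}  # kernel default policy

    def new_chain(self, name):  # -N: no target of that name may exist yet
        if name in self.chains or name in TERMINAL or name == "RETURN":
            raise ValueError("target %s already exists" % name)
        self.chains[name] = []

    def append(self, chain, match, target):  # -A: add at the end of the chain
        self.chains[chain].append((match, target))

    def insert(self, chain, num, match, target):  # -I: rule numbers start at 1
        self.chains[chain].insert(num - 1, (match, target))

    def set_policy(self, chain, target):  # -P: builtin chains, special targets only
        if chain not in BUILTIN or target not in TERMINAL:
            raise ValueError("policy must be a special target on a builtin chain")
        self.policy[chain] = target

    def verdict(self, chain, packet):  # None: fell off the end of a user chain
        for match, target in self.chains[chain]:
            if not match(packet):
                continue  # no match: the next rule in the chain is examined
            if target in TERMINAL:
                return target
            if target == "RETURN":
                break  # back to the calling chain, or to the policy if builtin
            sub = self.verdict(target, packet)  # jump into a user-defined chain
            if sub is not None:
                return sub  # the user chain decided; otherwise keep walking
        return self.policy[chain] if chain in BUILTIN else None

def build_example():
    fw = Firewall()
    fw.new_chain("ssh-in")
    fw.append("ssh-in", lambda p: p["src"].startswith("10."), "ACCEPT")
    fw.append("ssh-in", lambda p: p["src"].startswith("192.168."), "RETURN")
    fw.append("ssh-in", lambda p: True, "REJECT")
    fw.append("input", lambda p: p["proto"] == "tcp" and p["dport"] == 22, "ssh-in")
    fw.insert("input", 1, lambda p: p["proto"] == "icmp", "DENY")  # now rule 1
    fw.set_policy("input", "DENY")  # unmatched input packets fall to the policy
    return fw
```

Walking a constructed TCP port 22 packet from 192.168.1.9 through input shows the RETURN semantics: ssh-in returns, input has no further rules, so the DENY policy decides.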