Rule syntax for iptables



Category: firewalls. Published 2012-04-19 17:09.


Basic syntax

iptables -t filter -A INPUT -p icmp -j DROP

Advanced syntax

iptables -t filter -A INPUT -m mac --mac-source 00:1c:23:3b:2e:b1 -j DROP

Difference between the advanced and the basic syntax: the filter mechanism is provided by the iptable_filter.ko module, which by itself offers only a few simple matches. The so-called basic syntax uses only the functionality that iptable_filter.ko provides. The advanced syntax calls on the functionality of other modules: in the example above, "-m mac" tells the iptables tool that we want to use the xt_mac.ko module. Because other modules are being called, the syntax of that part of the rule changes with the module used, and every module has its own syntax; this is what is meant by "advanced syntax".

Example 1: drop ICMP packets sent to the local host

Syntax: iptables -A INPUT -p icmp -j DROP

Syntax explanation:

* Protected object: because this example uses the INPUT chain, the object it protects is the local host.

* -p (protocol): matches packets of a specific protocol; in this example, ICMP packets. Corresponding parameters: -p icmp, -p tcp, -p udp, -p all, and so on.

* -s (source) / -d (destination): matches the IP address on the "source" or "destination" side of the packet, for example -s 222.24.21.195. The address can be given as a single IP or as a standard CIDR network segment. An FQDN is also accepted: iptables hands the FQDN to DNS for resolution and stores the resulting IP address(es) in the rule.

* -j (target): packets that meet both of the above criteria are "processed" in a specific way. The more common ways of handling are:

  * ACCEPT: allow the packet through.

  * DROP: discard the packet. The source mistakenly believes the packet was lost and keeps resending it; this continues until the connection times out.

  * REJECT: discard the packet and send a "destination unreachable" ICMP packet back to the sender, who terminates the connection on receiving the error message.

Example 2: do not allow other hosts to perform name resolution through this host's DNS service

Syntax: iptables -A INPUT -p udp --dport 53 -j REJECT

Syntax explanation:

* --dport (destination port) / --sport (source port): match the "source port" or "destination port" in the TCP or UDP header, which identifies the service being accessed. For example, -p udp --dport 53 represents a client accessing UDP port 53, and UDP port 53 is the DNS service.

* Corresponding parameters: --dport or --sport followed by a port number, for example --sport 80. Note that when --dport or --sport is used, the protocol must be stated as TCP or UDP: whenever a "port parameter" appears in a rule, be sure to add -p udp or -p tcp.
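The following shell script is an added example, not part of the original article. It checks a list of rules for exactly the mistake the note above warns about (a port match without -p tcp or -p udp), which iptables would otherwise refuse at load time. The rule lines in SAMPLE_RULES are constructed for the demonstration; the protocol numbers 6 and 17 are accepted as well, since -p 6 is the numeric form of -p tcp.

```shell
#!/bin/sh
# Added example (not from the original article): lint a list of iptables
# rules for a --dport/--sport match that does not name the protocol with
# "-p tcp" or "-p udp". iptables refuses such a rule at load time;
# catching it in review is cheaper than a failed iptables-restore.

# Reads rules on stdin. Returns 0 when every rule that uses a port match
# also names the protocol (tcp, udp, or their numbers 6 and 17); prints
# the offending rules and returns 1 otherwise.
lint_port_rules() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            ''|'#'*) continue ;;                    # skip blank and comment lines
        esac
        case "$rule" in
            *--dport*|*--sport*)
                # A trailing space is appended so "-p 6" does not also accept "-p 60".
                case "$rule " in
                    *'-p tcp '*|*'-p udp '*|*'-p 6 '*|*'-p 17 '*) ;;
                    *) echo "missing -p tcp/udp: $rule"; bad=1 ;;
                esac ;;
        esac
    done
    return "$bad"
}

# Count the offending rules in a rule list passed as a string.
count_bad_rules() {
    printf '%s\n' "$1" | lint_port_rules | wc -l | tr -d ' '
}

# Constructed sample rule list; the second rule is the faulty one.
SAMPLE_RULES='# allow SSH from the eth1 side
-A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT --dport 53 -j REJECT
-A OUTPUT -o eth0 -p tcp --dport 80 -j REJECT'

printf '%s\n' "$SAMPLE_RULES" | lint_port_rules || echo "rule list needs fixing"
```

Run against SAMPLE_RULES the script reports the DNS rule as missing its protocol; feed it a saved rule file with `lint_port_rules < rules.txt` to check a real set before loading it.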

Example 3: allow hosts in a network segment to make any service request to this host

Syntax: iptables -A INPUT -p all -s <network segment> -j ACCEPT

Syntax explanation:

* -p all: matches packets of all protocols.

* -s: matches packets whose source IP is in the network segment.

* -j ACCEPT: opens (allows) packets that meet the above three conditions.

Example 4: only allow client hosts that enter through eth1 to access this host's SSH service

Syntax: iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

Syntax explanation:

* -i (input interface): matches the interface through which the packet enters. Corresponding parameter in this example: -i eth1.



Example 5: do not allow applications on this host to send packets out through eth0 to access web sites

Syntax: iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j REJECT

Syntax explanation:

* Restricted object: because this example uses the OUTPUT chain, the purpose is to restrict connections from this host to the outside.
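As an added example (not from the original article), the following script assembles Examples 1 to 5 and the -m mac rule into one filter-table rule set in iptables-restore format, which loads a complete rule set atomically instead of issuing iptables -A calls one by one. The interface names, the 192.168.0.0/24 segment standing in for the network segment of Example 3, and the conntrack rule that admits replies to connections this host opened are assumptions of the example, not taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): Examples 1-5 assembled
# into a filter-table rule set in iptables-restore format. Interface
# names, the trusted segment and the conntrack rule are assumptions.

LAN_NET="192.168.0.0/24"          # constructed: trusted segment for Example 3
BLOCKED_MAC="00:1c:23:3b:2e:b1"   # the article's -m mac example

# Print the filter table in iptables-restore format. iptables-restore
# loads the whole table atomically, so a half-loaded rule set cannot lock
# the administrator out the way a sequence of iptables -A calls can.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic and replies to connections this host opened (assumed, not in the article)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# advanced syntax: layer-2 match supplied by the xt_mac module
-A INPUT -m mac --mac-source $BLOCKED_MAC -j DROP
# Example 1: drop ICMP sent to this host
-A INPUT -p icmp -j DROP
# Example 2: refuse DNS queries to this host; REJECT answers with an ICMP error
-A INPUT -p udp --dport 53 -j REJECT
# Rules are evaluated top to bottom and the first match decides, so the
# DROP/REJECT lines above shadow the broader ACCEPT for the segment below.
# Example 3: the trusted segment may request any service
-A INPUT -p all -s $LAN_NET -j ACCEPT
# Example 4: SSH only from clients arriving on eth1
-A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
# Example 5: local programs may not reach web servers through eth0
-A OUTPUT -o eth0 -p tcp --dport 80 -j REJECT
COMMIT
EOF
}

# Number of rules appended to a chain; a cheap sanity check on the output.
count_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# Without arguments just print the rule set. --check parses it with
# iptables-restore --test (nothing is loaded); --apply loads it (needs root).
case "${1:-}" in
    --check) build_ruleset | iptables-restore --test ;;
    --apply) build_ruleset | iptables-restore ;;
    *)       build_ruleset ;;
esac
```

The default policy of INPUT is DROP, so anything not explicitly accepted is dropped; run the script with --check first, and keep a console session open when applying a rule set that touches the SSH rule.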


These examples cover the basic syntax of iptables; the parameters are summarized below.

(1) Interface matching parameters

Parameter name: -i, -o

Parameter values: these vary with the physical interfaces of the firewall host. Common interface names:

* eth0: an Ethernet interface.

* ppp0: a PPP interface.

* lo: the local loopback interface.

* fddi0: an FDDI (fibre) interface.

Usage example: -i eth0 matches packets entering from the eth0 interface.

Function: matches the interface through which a packet enters (-i) or leaves (-o).

Negation: can be paired with "!" to invert the match; for example, "-i ! eth0" matches packets that do not enter from eth0. Newer iptables releases expect the negation before the option, as "! -i eth0", and warn about the older placement.

(2) Upper-layer protocol matching parameters

Parameter name: -p

Parameter values: depend on the upper-layer protocol to be matched. The usual values are:

* tcp: matches the TCP protocol.

* udp: matches the UDP protocol.

* icmp: matches the ICMP protocol.

* all: matches all upper-layer protocols.

For other upper-layer protocols, refer to /etc/protocols. Part of its content:

hopopt 0 HOPOPT

ipencap 4 IP-ENCAP

Note: the first and second fields are used by the system; for example, -p tcp can also be written as -p 6, because the protocol number of TCP is 6. The third field is for the administrator's identification.

(3) Source/destination IP address matching parameters

Parameter name: -s, -d

Parameter values: match the source or destination IP address. Acceptable address formats:

* A single IP address.

* A Class B network segment.

* A Class C network segment.

* Any standard CIDR network segment.

* A host name (FQDN); it is resolved, and the rule ends up storing the IP address.

Usage examples:

-s 192.168.0.1: matches packets sent from this host.

-s 192.168.0.0/24: matches packets sent from this network segment.

-d 192.168.0.10: matches packets sent to this host.

Function: matches the packet's source or destination IP address.

Negation: can be paired with "!" to invert the match; for example, "-s !" followed by a network segment matches packets whose source IP is not in that segment.

(4) Source/destination port matching parameters

Parameter name: --sport, --dport

Parameter values: use --sport or --dport to match the service being accessed. For example, --dport 80 matches packets accessing a web server, and --sport 80 matches the web server's response packets to the client.

Usage examples:

--dport 80: matches packets accessing the web server.

--sport 110: matches packets the POP3 server sends back to the client.

Function: matches the packet's source or destination port.

Negation: can be paired with "!" to invert the match; for example, "--sport ! 80" matches packets not sent from a web server.

(5) Processing method (target)

Parameter name: -j

Parameter values: the three more common targets are:

* ACCEPT: allow the packet.

* DROP: discard the packet.

* REJECT: discard the packet and send an ICMP error packet back to the sender.

Usage examples:

-j ACCEPT: allow.

-j DROP: discard the packet.

Function: handles packets that meet the rule's conditions in a specific way.
