Current set of default tables (a table is selected with "-t"; "filter" is assumed when "-t" is omitted):
filter (default table, packet filtering): Starts with built-in chains:
INPUT: Arriving, destined for the local host. FORWARD: Being routed through the host. OUTPUT: Locally generated.
nat (consulted only for the first packet of a new connection; used for address translation): Starts with built-in chains:
PREROUTING: Arriving, before routing (DNAT). OUTPUT: Locally generated. POSTROUTING: Exiting, after routing (SNAT/MASQUERADE).
mangle (specialised packet alteration, e.g. TOS, TTL, marks): Starts with built-in chains:
PREROUTING: Incoming, before routing. INPUT: Arriving, for the local host. FORWARD: Being routed. OUTPUT: Locally generated. POSTROUTING: Exiting.
Newer kernels add two more: raw (consulted before connection tracking, e.g. for NOTRACK) and security (SELinux SECMARK).
The admin can create additional (user-defined) chains in any table, and delete or rename them ("-N", "-X", "-E").
Each chain consists of a set of rules, consulted in order (thus the term "chain") until one's conditions match. If none match, the chain's default policy applies, set with the "-P" option. (Policies exist only for built-in chains, and the policy target may only be ACCEPT or DROP.) Each rule has:
criterion (match): Which packets the rule applies to, e.g. "-p tcp", "-s 10.0.0.0/8", "-i eth0".
target ("-j"): What happens to a matching packet. Either a user-defined chain to jump to, a built-in special target (ACCEPT, DROP, QUEUE = hand the packet to userspace, RETURN = stop traversing this chain and resume in the calling chain, or apply the policy if this is a built-in chain), or an extension target such as LOG, TOS or SNAT/DNAT. LOG is non-terminating: traversal continues with the next rule.
Each rule has a rulenum, its position in the chain counted from 1 (shown with "iptables -L --line-numbers"), which can be used to refer to it in iptables commands ("-I", "-D", "-R").
Rulesets live in kernel memory and are lost on reboot, so one dumps them to disk with iptables-save and reloads them, atomically in one transaction, with iptables-restore.
Many of the more interesting features, such as stateful inspection, come from dynamically-loaded extension modules: match extensions are selected with "-m" (state, conntrack, limit, ...) and target extensions with "-j" (LOG, TOS, SNAT, ...). The "-m state" match has been superseded by "-m conntrack --ctstate", which understands the same NEW/ESTABLISHED/RELATED/INVALID states.
Example from a firewall script ($IPTABLES holds the path to the binary): accept packets of already established connections, then log, rate-limited, whatever falls through to the FORWARD policy. "--limit 3/minute --limit-burst 3" allows a burst of 3 log lines, refilled at 3 per minute; LOG is non-terminating, so the packet goes on to the next rule or the chain policy:
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
Anti-spoofing: drop packets arriving on the Internet interface with a private (RFC 1918) source address. Note that the nat table is consulted only for the first packet of a connection, so such rules are conventionally placed in the filter (or raw) table instead:
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
## Create chain that blocks new connections, except if coming from inside
## (eth0 is the external interface here; "! -i eth0" matches any other interface).
## Older versions wrote the negation as "-i ! eth0"; current iptables requires "! -i eth0".
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW ! -i eth0 -j ACCEPT
# iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block
Type of Service (TOS) prioritisation: To maximize ssh responsiveness while keeping maximum throughput on HTTP file transfers, set the TOS bits on the replies (source port ssh or http) as they arrive, before routing. Minimize-Delay is TOS value 0x10 and Maximize-Throughput is 0x08; the TOS target is the older mechanism, the DSCP target sets the same byte in its DiffServ interpretation:
# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport http -j TOS --set-tos Maximize-Throughput
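The pieces above (the "block" chain, the anti-spoofing drops, the TOS marking, policies on built-in chains) put together as one iptables-restore ruleset, as an added example that is not code from the original page. It assumes the interface names (INET_IFACE faces the Internet), places the anti-spoofing rules in the raw table rather than nat, uses "-m conntrack --ctstate" instead of "-m state", and moves the rate-limited LOG rule into the block chain so it records what that chain drops. The ruleset is produced by a function so it can be sanity-checked, and parsed by the real tool with "iptables-restore --test", before being committed:

```shell
#!/bin/sh
# Added example, not code from the original page.  Assumptions: INET_IFACE is
# the Internet-facing interface; anti-spoofing lives in raw (nat only sees the
# first packet of a connection); -m conntrack replaces the older -m state.
INET_IFACE="${INET_IFACE:-eth0}"

# Print the complete ruleset in iptables-restore format: "*table", one
# ":CHAIN POLICY [pkts:bytes]" line per chain ("-" for a user-defined chain,
# which has no policy), the rules as iptables arguments, then COMMIT.
gen_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: RFC 1918 sources must never arrive on the Internet side.
-A PREROUTING -i ${INET_IFACE} -s 10.0.0.0/8 -j DROP
-A PREROUTING -i ${INET_IFACE} -s 172.16.0.0/12 -j DROP
-A PREROUTING -i ${INET_IFACE} -s 192.168.0.0/16 -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# TOS prioritisation from the notes: low delay for ssh, throughput for http.
-A PREROUTING -p tcp --sport 22 -j TOS --set-tos Minimize-Delay
-A PREROUTING -p tcp --sport 80 -j TOS --set-tos Maximize-Throughput
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
# User chain "block": keep existing connections, allow new ones only if they
# do not arrive from the Internet side, log (rate-limited) and drop the rest.
# LOG is non-terminating, so the DROP after it is still reached.
-A block -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A block -m conntrack --ctstate NEW ! -i ${INET_IFACE} -j ACCEPT
-A block -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT block dropped: "
-A block -j DROP
-A INPUT -j block
-A FORWARD -j block
COMMIT
EOF
}

# Print the "-A" rules belonging to one table (awk tracks the current "*table").
rules_in_table() {
    gen_ruleset | awk -v t="$1" '/^\*/ { cur = substr($0, 2); next }
                                 /^-A/ && cur == t { print }'
}

# Static sanity checks: every table is terminated by COMMIT, and no DROP rule
# lives in the nat table (filtering belongs in filter or raw).  Returns 0 if clean.
check_ruleset() {
    tables=$(gen_ruleset | grep -c '^\*')
    commits=$(gen_ruleset | grep -c '^COMMIT$')
    nat_drops=$(rules_in_table nat | grep -c -e '-j DROP' || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] && [ "$nat_drops" -eq 0 ]
}

# Parse the ruleset with the real tool without committing it ("--test"), then
# load it atomically (all tables replaced in one transaction).  Needs root.
load_ruleset() {
    f=$(mktemp) || return 1
    gen_ruleset > "$f"
    rc=0
    iptables-restore --test "$f" && iptables-restore "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}

# Usage: "sh rules.sh" prints the checked ruleset; "sh rules.sh load" installs it.
if [ "${1:-}" = "load" ]; then
    check_ruleset && load_ruleset
else
    check_ruleset && gen_ruleset
fi
```

Because iptables-restore replaces each listed table in a single transaction, there is no window where the host runs with a half-applied ruleset, which is the reason to prefer it over a script of individual iptables calls at boot.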