iptables
Linux firewall software

Original author(s): Rusty Russell
Developer(s): Netfilter Core Team
Initial release: 1998
Stable release: 1.8.10 / 10 October 2023
Repository: git.netfilter.org/iptables/
Written in: C
Operating system: Linux
Platform: Netfilter
Type: Packet filtering
License: GPL
Website: www.netfilter.org

iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in a set of tables, which contain chains of rules for how to treat network traffic packets. Different kernel modules and programs are currently used for different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

iptables requires elevated privileges to operate and must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man pages, which can be opened using man iptables when installed. It may also be found in /sbin/iptables, but since iptables is more like a service than an "essential binary", the preferred location remains /usr/sbin.

The term iptables is also commonly used to inclusively refer to the kernel-level components. x_tables is the name of the kernel module carrying the shared code portion used by all four modules; it also provides the API used for extensions. Consequently, Xtables is more or less used to refer to the entire firewall (v4, v6, arp, and eb) architecture.

iptables superseded ipchains; the successor of iptables is nftables, which was released on 19 January 2014 and was merged into the Linux kernel mainline in kernel version 3.13.

Overview

iptables allows the system administrator to define tables containing chains of rules for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by sequentially traversing the rules in chains. A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired. (A jump is like a "call", i.e. the point that was jumped from is remembered.) Every network packet arriving at or leaving from the computer traverses at least one chain.

[Figure: Packet flow paths. Packets start at a given box and will flow along a certain path, depending on the circumstances.]

The origin of the packet determines which chain it traverses initially. There are five predefined chains (mapping to the five available Netfilter hooks), though a table may not have all chains. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of such a chain it is returned to the chain which called it. A chain may be empty.

PREROUTING: Packets enter this chain before a routing decision is made.
INPUT: The packet is going to be locally delivered. This has nothing to do with processes having an opened socket; local delivery is controlled by the "local-delivery" routing table, shown by ip route show table local.
FORWARD: All packets that have been routed and were not for local delivery traverse this chain.
OUTPUT: Packets sent from the machine itself traverse this chain.
POSTROUTING: The routing decision has been made. Packets enter this chain just before they are handed off to the hardware.

A chain does not exist by itself; it belongs to a table. There are three tables: nat, filter, and mangle. Unless preceded by the option -t, an iptables command concerns the filter table by default. For example, the command iptables -L -v -n, which shows some chains and their rules, is equivalent to iptables -t filter -L -v -n. To show the chains of table nat, use the command iptables -t nat -L -v -n.

Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or a verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may or may not result in the packet being allowed to continue along the chain. Matches make up the larger part of rulesets, as they contain the conditions packets are tested for. Matches can test conditions at almost any layer of the OSI model, as with e.g. the --mac-source and -p tcp --dport parameters, and there are also protocol-independent matches, such as -m time.

The packet continues to traverse the chain until either
a rule matches the packet and decides the ultimate fate of the packet, for example by calling one of the ACCEPT or DROP verdicts, or a module returning such an ultimate fate; or
a rule calls the RETURN verdict, in which case processing returns to the calling chain; or
the end of the chain is reached; traversal either continues in the parent chain (as if RETURN was used), or the base chain policy, which is an ultimate fate, is applied.

Targets also return a verdict like ACCEPT (NAT modules will do this) or DROP (e.g. the REJECT module), but may also imply CONTINUE (e.g. the LOG module; CONTINUE is an internal name) to continue with the next rule as if no target/verdict was specified at all.

Userspace utilities

Front-ends

There are numerous third-party software applications for iptables that try to facilitate setting up rules. Front-ends in textual or graphical fashion allow users to click-generate simple rulesets; scripts usually refer to shell scripts (but other scripting languages are possible too) that call iptables or (the faster) iptables-restore with a set of predefined rules, or rules expanded from a template with the help of a simple configuration file. Linux distributions commonly employ the latter scheme of using templates. Such a template-based approach is practically a limited form of a rule generator, and such generators also exist in standalone fashion, for example as PHP web pages.

Such front-ends, generators and scripts are often limited by their built-in template systems and by where the templates offer substitution spots for user-defined rules. Also, the generated rules are generally not optimized for the particular firewalling effect the user wishes, as doing so would likely increase the maintenance cost for the developer. Users who reasonably understand iptables and want their ruleset optimized are advised to construct their own ruleset.

Other notable tools

FireHOL – a shell script wrapping iptables with an easy-to-understand plain-text configuration file
NuFW – an authenticating firewall extension to Netfilter
Shorewall – a gateway/firewall configuration tool, making it possible to use easier rules and have them mapped to iptables

See also

nftables
NPF (firewall)
PF (firewall)
ipfirewall (ipfw)
ipfilter
XDP
ipchains
Uncomplicated Firewall (firewall)

References

Phil Sutter (10 October 2023). "iptables 1.8.10 release". Retrieved 10 October 2023.
"Linux 3.13, Section 1.2. nftables, the successor of iptables". kernelnewbies.org. 19 January 2014. Retrieved 20 January 2014.

Literature

Gregor N. Purdy (25 August 2004). Linux iptables Pocket Reference: Firewalls, NAT & Accounting. O'Reilly Media, Inc. ISBN 978-1-4493-7898-1.

External links

The netfilter/iptables project Web page
"iptables". Freecode.
The netfilter/iptables documentation page (outdated)
Detecting and deceiving network scans – countermeasures against nmap
The IPTables ManPage for syntax help
Iptables Tutorial 1.2.2 by Oskar Andreasson
IPTABLES: The Default Linux Firewall
Acceleration of iptables Linux Packet Filtering using GPGPU
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.