iptables

NOTE: Iptables produces output that must be passed, line by line, to the 'iptables/ip6tables' command line. For 'iptables-restore' compatible output, please use the Speedway generator.

Header Format

The Iptables header designation has the following format:

targets:
    iptables: [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}
  • INPUT: apply the terms to the input filter.
  • OUTPUT: apply the terms to the output filter.
  • FORWARD: apply the terms to the forwarding filter.
  • custom: create the terms under a custom filter name, which must then be linked/jumped to from one of the default filters (e.g. iptables -A input -j custom)
  • ACCEPT: specifies that the default policy on the filter should be 'accept'.
  • DROP: specifies that the default policy on the filter should be to 'drop'.
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies that the resulting filter should only render IPv6 addresses.
  • truncatenames: specifies to abbreviate term names if necessary (see lib/iptables.py:_CheckTerMLength for abbreviation table)
  • nostate: specifies to produce 'stateless' filter output (e.g. no connection tracking)

Term Format

  • for common keys see common.md

  • counter: Update a counter for matching packets

  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • destination-interface: Specify specific interface a term should apply to (e.g. destination-interface:: eth3)
  • destination-prefix: Specify destination-prefix matching (e.g. source-prefix:: configured-neighbors-only)
  • fragement-offset: specify a fragment offset of a fragmented packet
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • owner: Owner of the term, used for organizational purposes.
  • packet-length: specify packet length.
  • routing-instance: specify routing instance for matching packets.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-interface: specify specific interface a term should apply to (e.g. source-interface:: eth3).
  • source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • ack: Match on ACK flag being present.
  • all: Matches all protocols.
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
  • fin: Match on FIN flag being present.
  • first-fragment: Only match on first fragment of a fragmented pakcet.
  • initial: Only matches on initial packet.
  • is-fragment: Matches on if a packet is a fragment.
  • none: Matches none.
  • psh: Match on PSH flag being present.
  • rst: Match on RST flag being present.
  • sample: Samples traffic for netflow.
  • syn: Match on SYN flag being present.
  • tcp-established: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.
  • urg: Match on URG flag being present.