493 lines
17 KiB
Groff
Executable File
493 lines
17 KiB
Groff
Executable File
.TH IP6TABLES 8 "Jan 22, 2006" "" ""
|
|
.\"
|
|
.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
|
|
.\" It is based on iptables man page.
|
|
.\"
|
|
.\" iptables page by Herve Eychenne <rv@wallfire.org>
|
|
.\" It is based on ipchains man page.
|
|
.\"
|
|
.\" ipchains page by Paul ``Rusty'' Russell March 1997
|
|
.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
|
|
.\"
|
|
.\" This program is free software; you can redistribute it and/or modify
|
|
.\" it under the terms of the GNU General Public License as published by
|
|
.\" the Free Software Foundation; either version 2 of the License, or
|
|
.\" (at your option) any later version.
|
|
.\"
|
|
.\" This program is distributed in the hope that it will be useful,
|
|
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
.\" GNU General Public License for more details.
|
|
.\"
|
|
.\" You should have received a copy of the GNU General Public License
|
|
.\" along with this program; if not, write to the Free Software
|
|
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
.\"
|
|
.\"
|
|
.SH NAME
|
|
ip6tables \- IPv6 packet filter administration
|
|
.SH SYNOPSIS
|
|
.BR "ip6tables [-t table] -[AD] " "chain rule-specification [options]"
|
|
.br
|
|
.BR "ip6tables [-t table] -I " "chain [rulenum] rule-specification [options]"
|
|
.br
|
|
.BR "ip6tables [-t table] -R " "chain rulenum rule-specification [options]"
|
|
.br
|
|
.BR "ip6tables [-t table] -D " "chain rulenum [options]"
|
|
.br
|
|
.BR "ip6tables [-t table] -[LFZ] " "[chain] [options]"
|
|
.br
|
|
.BR "ip6tables [-t table] -N " "chain"
|
|
.br
|
|
.BR "ip6tables [-t table] -X " "[chain]"
|
|
.br
|
|
.BR "ip6tables [-t table] -P " "chain target [options]"
|
|
.br
|
|
.BR "ip6tables [-t table] -E " "old-chain-name new-chain-name"
|
|
.SH DESCRIPTION
|
|
.B Ip6tables
|
|
is used to set up, maintain, and inspect the tables of IPv6 packet
|
|
filter rules in the Linux kernel. Several different tables
|
|
may be defined. Each table contains a number of built-in
|
|
chains and may also contain user-defined chains.
|
|
|
|
Each chain is a list of rules which can match a set of packets. Each
|
|
rule specifies what to do with a packet that matches. This is called
|
|
a `target', which may be a jump to a user-defined chain in the same
|
|
table.
|
|
|
|
.SH TARGETS
|
|
A firewall rule specifies criteria for a packet, and a target. If the
|
|
packet does not match, the next rule in the chain is the examined; if
|
|
it does match, then the next rule is specified by the value of the
|
|
target, which can be the name of a user-defined chain or one of the
|
|
special values
|
|
.IR ACCEPT ,
|
|
.IR DROP ,
|
|
.IR QUEUE ,
|
|
or
|
|
.IR RETURN .
|
|
.PP
|
|
.I ACCEPT
|
|
means to let the packet through.
|
|
.I DROP
|
|
means to drop the packet on the floor.
|
|
.I QUEUE
|
|
means to pass the packet to userspace. (How the packet can be received
|
|
by a userspace process differs by the particular queue handler. 2.4.x
|
|
and 2.6.x kernels up to 2.6.13 include the
|
|
.B
|
|
ip_queue
|
|
queue handler. Kernels 2.6.14 and later additionally include the
|
|
.B
|
|
nfnetlink_queue
|
|
queue handler. Packets with a target of QUEUE will be sent to queue number '0'
|
|
in this case. Please also see the
|
|
.B
|
|
NFQUEUE
|
|
target as described later in this man page.)
|
|
.I RETURN
|
|
means stop traversing this chain and resume at the next rule in the
|
|
previous (calling) chain. If the end of a built-in chain is reached
|
|
or a rule in a built-in chain with target
|
|
.I RETURN
|
|
is matched, the target specified by the chain policy determines the
|
|
fate of the packet.
|
|
.SH TABLES
|
|
There are currently two independent tables (which tables are present
|
|
at any time depends on the kernel configuration options and which
|
|
modules are present), as nat table has not been implemented yet.
|
|
.TP
|
|
.BI "-t, --table " "table"
|
|
This option specifies the packet matching table which the command
|
|
should operate on. If the kernel is configured with automatic module
|
|
loading, an attempt will be made to load the appropriate module for
|
|
that table if it is not already there.
|
|
|
|
The tables are as follows:
|
|
.RS
|
|
.TP .4i
|
|
.BR "filter" :
|
|
This is the default table (if no -t option is passed). It contains
|
|
the built-in chains
|
|
.B INPUT
|
|
(for packets coming into the box itself),
|
|
.B FORWARD
|
|
(for packets being routed through the box), and
|
|
.B OUTPUT
|
|
(for locally-generated packets).
|
|
.TP
|
|
.BR "mangle" :
|
|
This table is used for specialized packet alteration. Until kernel
|
|
2.4.17 it had two built-in chains:
|
|
.B PREROUTING
|
|
(for altering incoming packets before routing) and
|
|
.B OUTPUT
|
|
(for altering locally-generated packets before routing).
|
|
Since kernel 2.4.18, three other built-in chains are also supported:
|
|
.B INPUT
|
|
(for packets coming into the box itself),
|
|
.B FORWARD
|
|
(for altering packets being routed through the box), and
|
|
.B POSTROUTING
|
|
(for altering packets as they are about to go out).
|
|
.TP
|
|
.BR "raw" :
|
|
This table is used mainly for configuring exemptions from connection
|
|
tracking in combination with the NOTRACK target. It registers at the netfilter
|
|
hooks with higher priority and is thus called before nf_conntrack, or any other
|
|
IP6 tables. It provides the following built-in chains:
|
|
.B PREROUTING
|
|
(for packets arriving via any network interface)
|
|
.B OUTPUT
|
|
(for packets generated by local processes)
|
|
.RE
|
|
.SH OPTIONS
|
|
The options that are recognized by
|
|
.B ip6tables
|
|
can be divided into several different groups.
|
|
.SS COMMANDS
|
|
These options specify the specific action to perform. Only one of them
|
|
can be specified on the command line unless otherwise specified
|
|
below. For all the long versions of the command and option names, you
|
|
need to use only enough letters to ensure that
|
|
.B ip6tables
|
|
can differentiate it from all other options.
|
|
.TP
|
|
.BI "-A, --append " "chain rule-specification"
|
|
Append one or more rules to the end of the selected chain.
|
|
When the source and/or destination names resolve to more than one
|
|
address, a rule will be added for each possible address combination.
|
|
.TP
|
|
.BI "-D, --delete " "chain rule-specification"
|
|
.ns
|
|
.TP
|
|
.BI "-D, --delete " "chain rulenum"
|
|
Delete one or more rules from the selected chain. There are two
|
|
versions of this command: the rule can be specified as a number in the
|
|
chain (starting at 1 for the first rule) or a rule to match.
|
|
.TP
|
|
.B "-I, --insert"
|
|
Insert one or more rules in the selected chain as the given rule
|
|
number. So, if the rule number is 1, the rule or rules are inserted
|
|
at the head of the chain. This is also the default if no rule number
|
|
is specified.
|
|
.TP
|
|
.BI "-R, --replace " "chain rulenum rule-specification"
|
|
Replace a rule in the selected chain. If the source and/or
|
|
destination names resolve to multiple addresses, the command will
|
|
fail. Rules are numbered starting at 1.
|
|
.TP
|
|
.BR "-L, --list " "[\fIchain\fP]"
|
|
List all rules in the selected chain. If no chain is selected, all
|
|
chains are listed. As every other iptables command, it applies to the
|
|
specified table (filter is the default), so mangle rules get listed by
|
|
.nf
|
|
ip6tables -t mangle -n -L
|
|
.fi
|
|
Please note that it is often used with the
|
|
.B -n
|
|
option, in order to avoid long reverse DNS lookups.
|
|
It is legal to specify the
|
|
.B -Z
|
|
(zero) option as well, in which case the chain(s) will be atomically
|
|
listed and zeroed. The exact output is affected by the other
|
|
arguments given. The exact rules are suppressed until you use
|
|
.nf
|
|
ip6tables -L -v
|
|
.fi
|
|
.TP
|
|
.BR "-F, --flush " "[\fIchain\fP]"
|
|
Flush the selected chain (all the chains in the table if none is given).
|
|
This is equivalent to deleting all the rules one by one.
|
|
.TP
|
|
.BR "-Z, --zero " "[\fIchain\fP]"
|
|
Zero the packet and byte counters in all chains. It is legal to
|
|
specify the
|
|
.B "-L, --list"
|
|
(list) option as well, to see the counters immediately before they are
|
|
cleared. (See above.)
|
|
.TP
|
|
.BI "-N, --new-chain " "chain"
|
|
Create a new user-defined chain by the given name. There must be no
|
|
target of that name already.
|
|
.TP
|
|
.BR "-X, --delete-chain " "[\fIchain\fP]"
|
|
Delete the optional user-defined chain specified. There must be no references
|
|
to the chain. If there are, you must delete or replace the referring
|
|
rules before the chain can be deleted. If no argument is given, it
|
|
will attempt to delete every non-builtin chain in the table.
|
|
.TP
|
|
.BI "-P, --policy " "chain target"
|
|
Set the policy for the chain to the given target. See the section
|
|
.B TARGETS
|
|
for the legal targets. Only built-in (non-user-defined) chains can have
|
|
policies, and neither built-in nor user-defined chains can be policy
|
|
targets.
|
|
.TP
|
|
.BI "-E, --rename-chain " "old-chain new-chain"
|
|
Rename the user specified chain to the user supplied name. This is
|
|
cosmetic, and has no effect on the structure of the table.
|
|
.TP
|
|
.B -h
|
|
Help.
|
|
Give a (currently very brief) description of the command syntax.
|
|
.SS PARAMETERS
|
|
The following parameters make up a rule specification (as used in the
|
|
add, delete, insert, replace and append commands).
|
|
.TP
|
|
.BR "-p, --protocol " "[!] \fIprotocol\fP"
|
|
The protocol of the rule or of the packet to check.
|
|
The specified protocol can be one of
|
|
.IR tcp ,
|
|
.IR udp ,
|
|
.IR icmpv6 ,
|
|
.IR esp ,
|
|
.IR all ,
|
|
or it can be a numeric value, representing one of these protocols or a
|
|
different one. A protocol name from /etc/protocols is also allowed.
|
|
But IPv6 extension headers except
|
|
.IR esp
|
|
are not allowed.
|
|
.IR esp ,
|
|
and
|
|
.IR ipv6-nonext
|
|
can be used with Kernel version 2.6.11 or later.
|
|
A "!" argument before the protocol inverts the
|
|
test. The number zero is equivalent to
|
|
.IR all .
|
|
Protocol
|
|
.I all
|
|
will match with all protocols and is taken as default when this
|
|
option is omitted.
|
|
.TP
|
|
.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
|
|
Source specification.
|
|
.I Address
|
|
can be either a hostname (please note that specifying
|
|
any name to be resolved with a remote query such as DNS is a really bad idea),
|
|
a network IPv6 address (with /mask), or a plain IPv6 address.
|
|
(the network name isn't supported now).
|
|
The
|
|
.I mask
|
|
can be either a network mask or a plain number,
|
|
specifying the number of 1's at the left side of the network mask.
|
|
Thus, a mask of
|
|
.I 64
|
|
is equivalent to
|
|
.IR ffff:ffff:ffff:ffff:0000:0000:0000:0000 .
|
|
A "!" argument before the address specification inverts the sense of
|
|
the address. The flag
|
|
.B --src
|
|
is an alias for this option.
|
|
.TP
|
|
.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
|
|
Destination specification.
|
|
See the description of the
|
|
.B -s
|
|
(source) flag for a detailed description of the syntax. The flag
|
|
.B --dst
|
|
is an alias for this option.
|
|
.TP
|
|
.BI "-j, --jump " "target"
|
|
This specifies the target of the rule; i.e., what to do if the packet
|
|
matches it. The target can be a user-defined chain (other than the
|
|
one this rule is in), one of the special builtin targets which decide
|
|
the fate of the packet immediately, or an extension (see
|
|
.B EXTENSIONS
|
|
below). If this
|
|
option is omitted in a rule, then matching the rule will have no
|
|
effect on the packet's fate, but the counters on the rule will be
|
|
incremented.
|
|
.TP
|
|
.BR "-i, --in-interface " "[!] \fIname\fP"
|
|
Name of an interface via which a packet is going to be received (only for
|
|
packets entering the
|
|
.BR INPUT ,
|
|
.B FORWARD
|
|
and
|
|
.B PREROUTING
|
|
chains). When the "!" argument is used before the interface name, the
|
|
sense is inverted. If the interface name ends in a "+", then any
|
|
interface which begins with this name will match. If this option is
|
|
omitted, any interface name will match.
|
|
.TP
|
|
.BR "-o, --out-interface " "[!] \fIname\fP"
|
|
Name of an interface via which a packet is going to be sent (for packets
|
|
entering the
|
|
.BR FORWARD
|
|
and
|
|
.B OUTPUT
|
|
chains). When the "!" argument is used before the interface name, the
|
|
sense is inverted. If the interface name ends in a "+", then any
|
|
interface which begins with this name will match. If this option is
|
|
omitted, any interface name will match.
|
|
.TP
|
|
.\" Currently not supported (header-based)
|
|
.\"
|
|
.\" .B "[!] " "-f, --fragment"
|
|
.\" This means that the rule only refers to second and further fragments
|
|
.\" of fragmented packets. Since there is no way to tell the source or
|
|
.\" destination ports of such a packet (or ICMP type), such a packet will
|
|
.\" not match any rules which specify them. When the "!" argument
|
|
.\" precedes the "-f" flag, the rule will only match head fragments, or
|
|
.\" unfragmented packets.
|
|
.\" .TP
|
|
.B "-c, --set-counters " "PKTS BYTES"
|
|
This enables the administrator to initialize the packet and byte
|
|
counters of a rule (during
|
|
.B INSERT,
|
|
.B APPEND,
|
|
.B REPLACE
|
|
operations).
|
|
.SS "OTHER OPTIONS"
|
|
The following additional options can be specified:
|
|
.TP
|
|
.B "-v, --verbose"
|
|
Verbose output. This option makes the list command show the interface
|
|
name, the rule options (if any), and the TOS masks. The packet and
|
|
byte counters are also listed, with the suffix 'K', 'M' or 'G' for
|
|
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
|
|
the
|
|
.B -x
|
|
flag to change this).
|
|
For appending, insertion, deletion and replacement, this causes
|
|
detailed information on the rule or rules to be printed.
|
|
.TP
|
|
.B "-n, --numeric"
|
|
Numeric output.
|
|
IP addresses and port numbers will be printed in numeric format.
|
|
By default, the program will try to display them as host names,
|
|
network names, or services (whenever applicable).
|
|
.TP
|
|
.B "-x, --exact"
|
|
Expand numbers.
|
|
Display the exact value of the packet and byte counters,
|
|
instead of only the rounded number in K's (multiples of 1000)
|
|
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
|
|
only relevant for the
|
|
.B -L
|
|
command.
|
|
.TP
|
|
.B "--line-numbers"
|
|
When listing rules, add line numbers to the beginning of each rule,
|
|
corresponding to that rule's position in the chain.
|
|
.TP
|
|
.B "--modprobe=command"
|
|
When adding or inserting rules into a chain, use
|
|
.B command
|
|
to load any necessary modules (targets, match extensions, etc).
|
|
.SH MATCH EXTENSIONS
|
|
ip6tables can use extended packet matching modules. These are loaded
|
|
in two ways: implicitly, when
|
|
.B -p
|
|
or
|
|
.B --protocol
|
|
is specified, or with the
|
|
.B -m
|
|
or
|
|
.B --match
|
|
options, followed by the matching module name; after these, various
|
|
extra command line options become available, depending on the specific
|
|
module. You can specify multiple extended match modules in one line,
|
|
and you can use the
|
|
.B -h
|
|
or
|
|
.B --help
|
|
options after the module has been specified to receive help specific
|
|
to that module.
|
|
|
|
The following are included in the base package, and most of these can
|
|
be preceded by a
|
|
.B !
|
|
to invert the sense of the match.
|
|
.\" @MATCH@
|
|
.SH TARGET EXTENSIONS
|
|
ip6tables can use extended target modules: the following are included
|
|
in the standard distribution.
|
|
.\" @TARGET@
|
|
.SH DIAGNOSTICS
|
|
Various error messages are printed to standard error. The exit code
|
|
is 0 for correct functioning. Errors which appear to be caused by
|
|
invalid or abused command line parameters cause an exit code of 2, and
|
|
other errors cause an exit code of 1.
|
|
.SH BUGS
|
|
Bugs? What's this? ;-)
|
|
Well... the counters are not reliable on sparc64.
|
|
.SH COMPATIBILITY WITH IPCHAINS
|
|
This
|
|
.B ip6tables
|
|
is very similar to ipchains by Rusty Russell. The main difference is
|
|
that the chains
|
|
.B INPUT
|
|
and
|
|
.B OUTPUT
|
|
are only traversed for packets coming into the local host and
|
|
originating from the local host respectively. Hence every packet only
|
|
passes through one of the three chains (except loopback traffic, which
|
|
involves both INPUT and OUTPUT chains); previously a forwarded packet
|
|
would pass through all three.
|
|
.PP
|
|
The other main difference is that
|
|
.B -i
|
|
refers to the input interface;
|
|
.B -o
|
|
refers to the output interface, and both are available for packets
|
|
entering the
|
|
.B FORWARD
|
|
chain.
|
|
.\" .PP The various forms of NAT have been separated out;
|
|
.\" .B iptables
|
|
.\" is a pure packet filter when using the default `filter' table, with
|
|
.\" optional extension modules. This should simplify much of the previous
|
|
.\" confusion over the combination of IP masquerading and packet filtering
|
|
.\" seen previously. So the following options are handled differently:
|
|
.\" .br
|
|
.\" -j MASQ
|
|
.\" .br
|
|
.\" -M -S
|
|
.\" .br
|
|
.\" -M -L
|
|
.\" .br
|
|
There are several other changes in ip6tables.
|
|
.SH SEE ALSO
|
|
.BR ip6tables-save (8),
|
|
.BR ip6tables-restore(8),
|
|
.BR iptables (8),
|
|
.BR iptables-save (8),
|
|
.BR iptables-restore (8),
|
|
.BR libipq (3).
|
|
.P
|
|
The packet-filtering-HOWTO details iptables usage for
|
|
packet filtering, the NAT-HOWTO details NAT,
|
|
the netfilter-extensions-HOWTO details the extensions that are
|
|
not in the standard distribution,
|
|
and the netfilter-hacking-HOWTO details the netfilter internals.
|
|
.br
|
|
See
|
|
.BR "http://www.netfilter.org/" .
|
|
.SH AUTHORS
|
|
Rusty Russell wrote iptables, in early consultation with Michael
|
|
Neuling.
|
|
.PP
|
|
Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
|
|
selection framework in iptables, then wrote the mangle table, the owner match,
|
|
the mark stuff, and ran around doing cool stuff everywhere.
|
|
.PP
|
|
James Morris wrote the TOS target, and tos match.
|
|
.PP
|
|
Jozsef Kadlecsik wrote the REJECT target.
|
|
.PP
|
|
Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, aswell as TTL match+target and libipulog.
|
|
.PP
|
|
The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
|
|
Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
|
|
Harald Welte and Rusty Russell.
|
|
.PP
|
|
ip6tables man page created by Andras Kis-Szabo, based on
|
|
iptables man page written by Herve Eychenne <rv@wallfire.org>.
|
|
.\" .. and did I mention that we are incredibly cool people?
|
|
.\" .. sexy, too ..
|
|
.\" .. witty, charming, powerful ..
|
|
.\" .. and most of all, modest ..
|