ipchains linux command

ipchains

ipchains command [options]

System administration command. Edit IP firewall rules in the 2.2 Linux kernel. A 2.2 Linux kernel compiled with firewall support will examine the headers of all network packets and compare them to matching rules to see what it should do with the packet. A firewall rule consists of some matching criteria and a target, a result to be applied if the packet matches the criteria. The rules are organized into chains. You can use these rules to build a firewall or just reject certain kinds of network connections.

Firewall rules are organized into chains, an ordered checklist that the kernel works through looking for matches. There are three built-in chains input, output, and forward. Packets entering the system are tested against the input chain. Those exiting the system are checked against the output chain. If an incoming packet is destined for some other system, it is checked against the forward chain. Each of these chains has a default target, a policy, in case no match is found. User-defined chains can be created and used as targets for packets, but they have no default policies. If no match can be found in a user-defined chain, the packet is returned to the chain from which it was called and tested against the next rule in that chain.

ipchains only changes the rules in the running kernel. When the system is powered off, all those changes are lost. You can use the ipchains-save command to make a script you can later run with ipchains-restore to restore your firewall settings. Such a script is often called at boot up and many distributions have an ipchains initialization script that uses the output from ipchains-save.

Commands

ipchains is always invoked with one of the following commands:

-A chain rules, --append chain rules

Append new rules to chain.

-I chain number rules, --insert <chain number rules

Insert rules into chain at the ordinal position given by number.

-D chain rules, --delete chain rules

Delete rules from chain. Rules can be specified by their ordinal number in the chain as well as by a general rule description.

-R chain number rule, --replace chain number rule

Replace a rule in chain. The rule to be replaced is specified by its ordinal number.

-C chain rule, --check chain rules

Construct a network packet that matches the given rule and check how chain will handle it. The rule must describe the source, destination, protocol, and interface of the packet to be constructed.

-L [chain], --list $PARAMETER

List the rules in chain. If no chain is specified, list the rules in all chains.

-ML, --masquerading --list

List masquerading connections.

-MS tcp tcpfin udp, --masquerading --set tcp tcpfin udp

Set timeout value in seconds for masquerading connections. -MS always takes three parameters specifying the timeout values for TCP sessions, TCP sessions that have received a FIN packet, and UDP packets.

-F chain, --flush chain

Remove all rules from chain.

-Z [chain], --zero [chain]

Reset the packet and byte counters in chain. If no chain is specified, all chains will be reset. When used without specifying a chain and combined with the -L command, it lists the current counter values before they are reset.

-N chain, --new-chain chain

Create a new chain. The chain's name must be unique.

-X [chain], --delete-chain chain

Delete chain. Only user-defined chains can be deleted, and there can be no references to the chain to be deleted. If no argument is given, all user-defined chains will be deleted.

-P chain target, --policy chain target

Set the policy for a built-in chain; the target itself cannot be a chain.

-h [icmp]

Print a brief help message. If the option icmp is given, print a list of valid ICMP types.

Targets

A target can be the name of a chain or one of the following special values:

ACCEPT

Let the packet through.

DENY

Drop the packet.

MASQ

Masquerade the packet so it appears that it originated from the current system. Reverse packets from masqueraded connections are unmasqueraded automatically. This is a legal target for only the forward chain, or user-defined chains used in forwarding packets. To use this target, the kernel must be compiled with support for IP masquerading.

REDIRECT [port]

Redirect incoming packets to a local port on which you are running a transparent proxy program. If the specified port is 0 or is not given, the destination port of the packet is used as the redirection port. REDIRECT is only a legal target for the input chain or user-defined chains used in handling incoming packets. The kernel must be compiled with support for transparent proxies.

REJECT

Drop the packet and send an ICMP message back to the sender indicating the packet was dropped.

RETURN

Return to the chain from which this chain was called and check the next rule. If RETURN is the target of a rule in a built-in chain, then the built-in chain's default policy is applied.

Rule specification parameters

These options are used to create rules for use with the preceding commands. Rules consist of some matching criteria and usually a target to jump to (-j) if the match is made. Many of the parameters for these matching rules can be expressed as a negative with an exclamation point (!) meaning 'not.' Those rules will match everything except the given parameter.

-p [!] name, --protocol [!]$PARAMETER

Match packets of protocol name. The value of name can be given as a name or number as found in the file /etc/protocols. The most common values are tcp, udp, icmp, or the special value all. The number 0 is equivalent to all, and this is the default value when this option is not used.

-s [!] address[/mask] [!] [port], --source [!] address[/mask] [!] [port]

Specifies the source address and port of the packet that will match this rule. The address may be supplied as a hostname, a network name, or an IP address. The optional mask is the netmask to use and may be supplied either in the traditional form (e.g., /255.255.255.0) or in the modern form (e.g., /24). The optional port specifies the TCP, UDP, or ICMP type that will match. You may supply a port specification only if you've supplied the -p parameter with one of the tcp, udp or icmp protocols. A colon can be used to indicate an inclusive range of ports or ICMP values to be used. (e.g., 20:25 for ports 20 through 25). If the first port parameter is missing, the default value is 0. If the second is omitted, the default value is 65535.

-d [!] address[/mask] [!] [port], --destination [!] address[/mask] [port]

Match packets with the destination address. The syntax for this command's parameters is the same as for the -s option.

-j target, --jump target

Jump to a special target or a user-defined chain. If this option is not specified for a rule, matching the rule only increases the rule's counters and the packet is tested against the next rule.

-i [!] name, --interface name

Match packets from interface name[+]. name is the network interface used by your system (e.g., eth0 or ppp0). A + can be used as a wildcard, so ppp+ would match any interface name beginning with ppp.

[!] -f, [!]--fragment $PARAMETER

The rule applies to everything but the first fragment of a fragmented packet.

--source-port [!] port

Match packets from the source port. The syntax for specifying ports can be found in the preceding description of the -s option.

--destination-port [!] port

Match packets with the destination port. The syntax for specifying ports can be found in the preceding description of the -s option.

--icmp-type [!] type

Match packets with ICMP type name or number of type.

Options

-b, --bidirectional

Put rule in both the input and output chain so packets will be matched in both directions.

-v, --verbose

Verbose mode.

-n, --numeric

Print all IP address and port numbers in numeric form. By default, names are displayed when possible.

-l, --log

Log information for the matching packet to the system log.

-t andmask xormask, --TOS andmask xormask

Change the Type of Service field in the packet's header. The TOS field is first ANDed with the 8-bit hexadecimal mask andmask, then XORed with the 8-bit hexadecimal mask xormask. Rules that would affect the least significant bit (LSB) portion of the TOS field are rejected.

-x, --exact

Expand all numbers in a listing (-L). Display the exact value of the packet and byte counters instead of rounded figures.

[!] -y, --syn

Match only incoming TCP connection requests, those with the SYN bit set and the ACK and FIN bits cleared. This blocks incoming TCP connections but leaves outgoing connections unaffected.

--line-numbers

Used with the -L command. Add the line number to the beginning of each rule in a listing indicating its position in the chain.

--no-warnings

Disable all warnings