Search IPTables Parameter Options

download PDF
Certain iptables commands, including those used to add, append, delete, insert, or replace rules within a particular chain, require various parameters to construct a packet filtering rule.
  • -c — Resets the counters for a particular rule. This parameter accepts the PKTS and BYTES options to specify which counter to reset.
  • -d — Sets the destination hostname, IP address, or network of a packet that matches the rule. When matching a network, the following IP address/netmask formats are supported:
    • N.N.N.N/M.M.M.M — Where N.N.N.N is the IP address range and M.M.M.M is the netmask.
    • N.N.N.N/M — Where N.N.N.N is the IP address range and M is the bitmask.
  • -f — Applies this rule only to fragmented packets.
    You can use the exclamation point character (!) option after this parameter to specify that only unfragmented packets are matched.


    Distinguishing between fragmented and unfragmented packets is desirable, despite fragmented packets being a standard part of the IP protocol.
    Originally designed to allow IP packets to travel over networks with differing frame sizes, these days fragmentation is more commonly used to generate DoS attacks using mal-formed packets. It's also worth noting that IPv6 disallows fragmentation entirely.
  • -i — Sets the incoming network interface, such as eth0 or ppp0. With iptables, this optional parameter may only be used with the INPUT and FORWARD chains when used with the filter table and the PREROUTING chain with the nat and mangle tables.
    This parameter also supports the following special options:
    • Exclamation point character (!) — Reverses the directive, meaning any specified interfaces are excluded from this rule.
    • Plus character (+) — A wildcard character used to match all interfaces that match the specified string. For example, the parameter -i eth+ would apply this rule to any Ethernet interfaces but exclude any other interfaces, such as ppp0.
    If the -i parameter is used but no interface is specified, then every interface is affected by the rule.
  • -j — Jumps to the specified target when a packet matches a particular rule.
    The standard targets are ACCEPT, DROP, QUEUE, and RETURN.
    Extended options are also available through modules loaded by default with the Red Hat Enterprise Linux iptables RPM package. Valid targets in these modules include LOG, MARK, and REJECT, among others. Refer to the iptables man page for more information about these and other targets.
    This option can also be used to direct a packet matching a particular rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet.
    If no target is specified, the packet moves past the rule with no action taken. The counter for this rule, however, increases by one.
  • -o — Sets the outgoing network interface for a rule. This option is only valid for the OUTPUT and FORWARD chains in the filter table, and the POSTROUTING chain in the nat and mangle tables. This parameter accepts the same options as the incoming network interface parameter (-i).
  • -p <protocol> — Sets the IP protocol affected by the rule. This can be either icmp, tcp, udp, or all, or it can be a numeric value, representing one of these or a different protocol. You can also use any protocols listed in the /etc/protocols file.
    The "all" protocol means the rule applies to every supported protocol. If no protocol is listed with this rule, it defaults to "all".
  • -s — Sets the source for a particular packet using the same syntax as the destination (-d) parameter.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.