48.9.3.5. Target Options


When a packet has matched a particular rule, the rule can direct the packet to a number of different targets which determine the appropriate action. Each chain has a default target, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target.
The following are the standard targets:
  • <user-defined-chain> — A user-defined chain within the table. User-defined chain names must be unique. This target passes the packet to the specified chain.
  • ACCEPT — Allows the packet through to its destination or to another chain.
  • DROP — Drops the packet without responding to the requester. The system that sent the packet is not notified of the failure.
  • QUEUE — The packet is queued for handling by a user-space application.
  • RETURN — Stops checking the packet against rules in the current chain. If the packet with a RETURN target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off. If the RETURN rule is used on a built-in chain and the packet cannot move up to its previous chain, the default target for the current chain is used.
In addition, extensions are available which allow other targets to be specified. These extensions are called target modules or match option modules and most only apply to specific tables and situations. Refer to Section 48.9.3.4.4, “Additional Match Option Modules” for more information about match option modules.
Many extended target modules exist, most of which only apply to specific tables or situations. Some of the most popular target modules included by default in Red Hat Enterprise Linux are:
  • LOG — Logs all packets that match this rule. Because the packets are logged by the kernel, the /etc/syslog.conf file determines where these log entries are written. By default, they are placed in the /var/log/messages file.
    Additional options can be used after the LOG target to specify the way in which logging occurs:
    • --log-level — Sets the priority level of a logging event. Refer to the syslog.conf man page for a list of priority levels.
    • --log-ip-options — Logs any options set in the header of an IP packet.
    • --log-prefix — Places a string of up to 29 characters before the log line when it is written. This is useful for writing syslog filters for use in conjunction with packet logging.

      Note

      Due to an issue with this option, you should add a trailing space to the log-prefix value.
    • --log-tcp-options — Logs any options set in the header of a TCP packet.
    • --log-tcp-sequence — Writes the TCP sequence number for the packet in the log.
  • REJECT — Sends an error packet back to the remote system and drops the packet.
    The REJECT target accepts --reject-with <type> (where <type> is the rejection type) allowing more detailed information to be returned with the error packet. The message port-unreachable is the default error type given if no other option is used. Refer to the iptables man page for a full list of <type> options.
Other target extensions, including several that are useful for IP masquerading using the nat table, or with packet alteration using the mangle table, can be found in the iptables man page.
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.