Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
The ONE Campaign to make poverty history

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
Copyright Info
Terms of Use
Privacy Info
Masthead / Impressum
Your Account

Private Messages

News Archive
Submit News
User Articles
Web Links


The Web

Who's Online
There are currently, 57 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here




       ip6tables   [-t  table]  -[ADC]  chain  rule-specification
       ip6tables [-t table] -I chain [rulenum] rule-specification
       ip6tables  [-t  table] -R chain rulenum rule-specification
       ip6tables [-t table] -D chain rulenum [options]
       ip6tables [-t table] -[LFZ] [chain] [options]
       ip6tables [-t table] -N chain
       ip6tables [-t table] -X [chain]
       ip6tables [-t table] -P chain target [options]
       ip6tables [-t table] -E old-chain-name new-chain-name


       Ip6tables is used to set up,  maintain,  and  inspect  the
       tables  of  IPv6  packet filter rules in the Linux kernel.
       Several different tables may be defined.  Each table  con­
       tains  a  number  of  built-in chains and may also contain
       user-defined chains.

       Each chain is a list of rules which can  match  a  set  of
       packets.   Each  rule  specifies  what to do with a packet
       that matches.  This is called a `target', which may  be  a
       jump to a user-defined chain in the same table.


       A  firewall  rule  specifies  criteria for a packet, and a
       target.  If the packet does not match, the  next  rule  in
       the chain is the examined; if it does match, then the next
       rule is specified by the value of the target, which can be
       the  name  of  a  user-defined chain or one of the special
       values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet  through.   DROP  means  to
       drop  the  packet  on  the floor.  QUEUE means to pass the
       packet to userspace (if supported by the kernel).   RETURN
       means  stop  traversing  this chain and resume at the next
       rule in the previous (calling) chain.  If  the  end  of  a
       built-in  chain  is  reached or a rule in a built-in chain
       with target RETURN is matched, the target specified by the
       chain policy determines the fate of the packet.


       There  are  currently two independent tables (which tables
       are present at any time depends on the  kernel  configura­
       tion  options and which modules are present), as nat table
       has not been implemented yet.

       -t, --table table
              This option specifies  the  packet  matching  table
              ation.   Until  kernel  2.4.17  it had two built-in
              chains: PREROUTING (for altering  incoming  packets
              before  routing)  and OUTPUT (for altering locally-
              generated packets before  routing).   Since  kernel
              2.4.18,  three  other built-in chains are also sup­
              ported: INPUT (for  packets  coming  into  the  box
              itself), FORWARD (for altering packets being routed
              through the box),  and  POSTROUTING  (for  altering
              packets as they are about to go out).


       The  options  that  are  recognized  by  ip6tables  can be
       divided into several different groups.

       These options specify  the  specific  action  to  perform.
       Only  one  of  them  can  be specified on the command line
       unless otherwise specified below.  For all the  long  ver­
       sions  of  the  command  and option names, you need to use
       only enough letters to ensure that ip6tables can differen­
       tiate it from all other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected
              chain.  When the source  and/or  destination  names
              resolve  to  more  than one address, a rule will be
              added for each possible address combination.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the  selected  chain.
              There  are  two  versions of this command: the rule
              can be specified as a number in the chain (starting
              at 1 for the first rule) or a rule to match.

       -I, --insert
              Insert  one  or more rules in the selected chain as
              the given rule number.  So, if the rule  number  is
              1,  the  rule  or rules are inserted at the head of
              the chain.  This is also the  default  if  no  rule
              number is specified.

       -R, --replace chain rulenum rule-specification
              Replace  a  rule  in  the  selected  chain.  If the
              source and/or destination names resolve to multiple
              addresses,  the  command will fail.  Rules are num­
              bered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no  chain
              is selected, all chains are listed.  As every other
              iptables command, it applies to the specified table
              deleting all the rules one by one.

       -Z, --zero [chain]
              Zero the packet and byte counters  in  all  chains.
              It is legal to specify the -L, --list (list) option
              as well, to see  the  counters  immediately  before
              they are cleared. (See above.)

       -N, --new-chain chain
              Create  a new user-defined chain by the given name.
              There must be no target of that name already.

       -X, --delete-chain [chain]
              Delete the optional user-defined  chain  specified.
              There must be no references to the chain.  If there
              are, you must delete or replace the referring rules
              before the chain can be deleted.  If no argument is
              given, it will attempt to delete every  non-builtin
              chain in the table.

       -P, --policy chain target
              Set  the  policy for the chain to the given target.
              See the section  TARGETS  for  the  legal  targets.
              Only  built-in  (non-user-defined)  chains can have
              policies, and  neither  built-in  nor  user-defined
              chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename  the  user  specified chain to the user sup­
              plied name.  This is cosmetic, and has no effect on
              the structure of the table.

       -h     Help.  Give a (currently very brief) description of
              the command syntax.

       The following parameters make up a rule specification  (as
       used  in  the add, delete, insert, replace and append com­

       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check.
              The  specified  protocol  can  be  one of tcp, udp,
              ipv6-icmp|icmpv6, or all, or it can  be  a  numeric
              value,  representing  one  of  these protocols or a
              different one.  A protocol name from /etc/protocols
              is  also allowed.  A "!" argument before the proto­
              col inverts the test.  The number zero  is  equiva­
              lent to all.  Protocol all will match with all pro­
              tocols and is taken as default when this option  is

       -d, --destination [!] address[/mask]
              Destination  specification.  See the description of
              the -s (source) flag for a detailed description  of
              the  syntax.   The  flag --dst is an alias for this

       -j, --jump target
              This specifies the target of the rule;  i.e.,  what
              to  do if the packet matches it.  The target can be
              a user-defined chain (other than the one this  rule
              is  in),  one  of the special builtin targets which
              decide the fate of the packet  immediately,  or  an
              extension  (see  EXTENSIONS below).  If this option
              is omitted in a rule, then matching the  rule  will
              have  no effect on the packet's fate, but the coun­
              ters on the rule will be incremented.

       -i, --in-interface [!] name
              Name of an interface via which a packet is going to
              be  received  (only for packets entering the INPUT,
              FORWARD and PREROUTING chains).  When the "!" argu­
              ment  is  used before the interface name, the sense
              is inverted.  If the interface name ends in a  "+",
              then any interface which begins with this name will
              match.  If this option is  omitted,  any  interface
              name will match.

       -o, --out-interface [!] name
              Name of an interface via which a packet is going to
              be sent (for packets entering the FORWARD and  OUT­
              PUT  chains).  When the "!" argument is used before
              the interface name, the sense is inverted.  If  the
              interface  name  ends  in a "+", then any interface
              which begins with this name will  match.   If  this
              option is omitted, any interface name will match.

       -c, --set-counters  PKTS BYTES
              This  enables  the  administrator to initialize the
              packet and byte counters of a rule (during  INSERT,
              APPEND, REPLACE operations).

       The following additional options can be specified:

       -v, --verbose
              Verbose output.  This option makes the list command
              show the interface name, the rule options (if any),
              and  the  TOS  masks.  The packet and byte counters
              are also listed, with the suffix 'K',  'M'  or  'G'
              for  1000,  1,000,000 and 1,000,000,000 multipliers
              respectively (but see the -x flag to change  this).
              tiples of 1000K) or G's (multiples of 1000M).  This
              option is only relevant for the -L command.

              When listing rules, add line numbers to the  begin­
              ning  of  each  rule,  corresponding to that rule's
              position in the chain.

              When adding or inserting rules into  a  chain,  use
              command  to  load  any  necessary modules (targets,
              match extensions, etc).


       ip6tables can use extended packet matching modules.  These
       are  loaded in two ways: implicitly, when -p or --protocol
       is specified, or with the -m or --match options,  followed
       by  the  matching  module name; after these, various extra
       command line options become available,  depending  on  the
       specific  module.  You can specify multiple extended match
       modules in one line, and you can  use  the  -h  or  --help
       options  after  the  module  has been specified to receive
       help specific to that module.

       The following are included in the base package,  and  most
       of  these  can  be preceded by a !  to invert the sense of
       the match.

       These extensions are loaded if `--protocol tcp' is  speci­
       fied. It provides the following options:

       --source-port [!] port[:port]
              Source  port  or port range specification. This can
              either be a service  name  or  a  port  number.  An
              inclusive  range  can  also be specified, using the
              format port:port.  If the first  port  is  omitted,
              "0"  is assumed; if the last is omitted, "65535" is
              assumed.  If the second port greater then the first
              they will be swapped.  The flag --sport is a conve­
              nient alias for this option.

       --destination-port [!] port[:port]
              Destination port or port range specification.   The
              flag --dport is a convenient alias for this option.

       --tcp-flags [!] mask comp
              Match when the TCP flags  are  as  specified.   The
              first  argument  is the flags which we should exam­
              ine, written as a  comma-separated  list,  and  the
              second  argument is a comma-separated list of flags
              which must be set.  Flags are: SYN ACK FIN RST  URG
              precedes the "--syn", the sense of  the  option  is

       --tcp-option [!] number
              Match if TCP option set.

       These  extensions are loaded if `--protocol udp' is speci­
       fied.  It provides the following options:

       --source-port [!] port[:port]
              Source port or port range specification.   See  the
              description  of the --source-port option of the TCP
              extension for details.

       --destination-port [!] port[:port]
              Destination port or port range specification.   See
              the description of the --destination-port option of
              the TCP extension for details.

       This extension is  loaded  if  `--protocol  ipv6-icmp'  or
       `--protocol  icmpv6' is specified. It provides the follow­
       ing option:

       --icmpv6-type [!] typename
              This allows specification of the ICMP  type,  which
              can  be  a  numeric  IPv6-ICMP  type, or one of the
              IPv6-ICMP type names shown by the command
               ip6tables -p ipv6-icmp -h

       --mac-source [!] address
              Match source MAC address.  It must be of  the  form
              XX:XX:XX:XX:XX:XX.  Note that this only makes sense
              for packets coming  from  an  Ethernet  device  and
              entering the PREROUTING, FORWARD or INPUT chains.

       This module matches at a limited rate using a token bucket
       filter.  A rule using this extension will match until this
       limit is reached (unless the `!' flag is used).  It can be
       used in combination with the LOG target  to  give  limited
       logging, for example.

       --limit rate
              Maximum  average matching rate: specified as a num­
              ber,  with  an   optional   `/second',   `/minute',
              `/hour', or `/day' suffix; the default is 3/hour.

       --limit-burst number
              Maximum  initial  number  of packets to match: this

       --destination-ports port[,port[,port...]]
              Match if the destination port is one of  the  given
              ports.  The flag --dports is a convenient alias for
              this option.

       --ports port[,port[,port...]]
              Match if the both the source and destination  ports
              are  equal  to  each  other and to one of the given

       This module matches the netfilter  mark  field  associated
       with  a  packet  (which  can  be set using the MARK target

       --mark value[/mask]
              Matches packets with the given unsigned mark  value
              (if  a  mask  is specified, this is logically ANDed
              with the mask before the comparison).

       This module attempts to match various  characteristics  of
       the  packet creator, for locally-generated packets.  It is
       only valid in the OUTPUT chain, and even this some packets
       (such as ICMP ping responses) may have no owner, and hence
       never match.  This is regarded as experimental.

       --uid-owner userid
              Matches if the packet was created by a process with
              the given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with
              the given effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with
              the given process id.

       --sid-owner sessionid
              Matches  if  the packet was created by a process in
              the given session group.


       ip6tables can use extended target modules:  the  following
       are included in the standard distribution.

       Turn  on  kernel  logging  of matching packets.  When this
       option is set for a rule, the Linux kernel will print some
       information  on  all  matching  packets  (like  most  IPv6
       IPv6-header fields) via the kernel log (where  it  can  be
              Log  TCP  sequence numbers. This is a security risk
              if the log is readable by users.

              Log options from the TCP packet header.

              Log options from the IPv6 packet header.

       This is used to set the netfilter  mark  value  associated
       with the packet.  It is only valid in the mangle table.

       --set-mark mark

       This  is  used to send back an error packet in response to
       the matched packet: otherwise it is equivalent to DROP  so
       it  is  a terminating TARGET, ending rule traversal.  This
       target is only valid in  the  INPUT,  FORWARD  and  OUTPUT
       chains, and user-defined chains which are only called from
       those chains.  The following option controls the nature of
       the error packet returned:

       --reject-with type
              The  type  given  can  be icmp6-no-route, no-route,
              icmp6-adm-prohibited,  adm-prohibited,  icmp6-addr-
              unreachable,  addr-unreach, icmp6-port-unreachable,
              port-unreach,   which   return   the    appropriate
              IPv6-ICMP   error   message  (port-unreach  is  the
              default). Finally, the option tcp-reset can be used
              on  rules  which  only match the TCP protocol: this
              causes a TCP RST packet to be sent back.   This  is
              mainly  useful  for blocking ident (113/tcp) probes
              which frequently occur when sending mail to  broken
              mail  hosts  (which  won't  accept your mail other­


       Various error messages are printed to standard error.  The
       exit  code  is  0  for  correct functioning.  Errors which
       appear to be caused by  invalid  or  abused  command  line
       parameters cause an exit code of 2, and other errors cause
       an exit code of 1.


       Bugs?  What's this? ;-) Well... the counters are not reli­
       able on sparc64.


       This  ip6tables  is very similar to ipchains by Rusty Rus­
       ables-save(8), iptables-restore(8).

       The  packet-filtering-HOWTO  details  iptables  usage  for
       packet filtering, the NAT-HOWTO details NAT,  the  netfil­
       ter-extensions-HOWTO  details  the extensions that are not
       in the standard distribution, and  the  netfilter-hacking-
       HOWTO details the netfilter internals.
       See http://www.netfilter.org/.


       Rusty  Russell  wrote iptables, in early consultation with
       Michael Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a
       generic packet selection framework in iptables, then wrote
       the mangle table, the owner match, the mark stuff, and ran
       around doing cool stuff everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald  Welte  wrote the ULOG target, TTL match+target and

       The Netfilter Core Team is: Marc Boucher,  Jozsef  Kadlec­
       sik, James Morris, Harald Welte and Rusty Russell.

       ip6tables  man  page created by Andras Kis-Szabo, based on
       iptables man page  written  by  Herve  Eychenne  <rv@wall­

                           Mar 09, 2002              IP6TABLES(8)



Security Code
Security Code
Type Security Code

Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!

Amazon Wish List

Did You Know?
You can get all the latest Site and Linux news by checking out our news page.


Tell a Friend About Us

Bookmark and Share

Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.09 Seconds