Descriptions of the Most Commonly Used Targets
| Target | Description | Most Common Options |
|---|---|---|
| ACCEPT | iptables stops further processing. The packet is handed over to the end application or the operating system for processing. | N/A |
| DROP | iptables stops further processing. The packet is blocked. | N/A |
| LOG | The packet information is sent to the syslog daemon for logging. iptables continues processing with the next rule in the table. As you can't log and drop at the same time, it is common to have two similar rules in sequence: the first logs the packet, the second drops it. | `--log-prefix "string"` tells iptables to prefix all log messages with a user-defined string. Frequently used to tell why the logged packet was dropped. |
| REJECT | Works like the DROP target, but also returns an error message to the host sending the packet, telling it that the packet was blocked. | `--reject-with qualifier`: the qualifier tells what type of reject message is returned. Qualifiers include `icmp-port-unreachable` (default), `icmp-net-unreachable`, `icmp-host-unreachable`, `icmp-proto-unreachable`, `icmp-net-prohibited`, `icmp-host-prohibited`, `tcp-reset` and `echo-reply`. |
| DNAT | Used to do destination network address translation, rewriting the destination IP address of the packet. | `--to-destination ipaddress` tells iptables what the destination IP address should be. |
| SNAT | Used to do source network address translation, rewriting the source IP address of the packet. | `--to-source <address>[-<address>][:<port>-<port>]` specifies the user-defined source IP address (or address range) and ports to be used by SNAT. |
| MASQUERADE | Used to do source network address translation. By default the source IP address is the same as that used by the firewall's interface. | `[--to-ports <port>[-<port>]]` specifies the range of source ports to which the original source port can be mapped. |
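The following script is an added example and is not part of the original page. It wraps each target from the table in a small shell function so the LOG-then-DROP pairing, the REJECT qualifier, and the three NAT targets can be applied consistently. The `IPT` variable defaults to `echo iptables`, so running the script only prints the commands it would issue; setting `IPT=iptables` (as root) applies them. The chains, interfaces, addresses and log prefixes used in the sample calls are constructed for illustration, and the `-m limit` rate limit on the LOG rule is an addition the table does not mention, included so that a flood of blocked packets cannot fill syslog.

```shell
#!/bin/sh
# Added example (not from the original page). IPT defaults to a dry run that
# prints the iptables commands; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# LOG cannot terminate processing, so the usual pattern is two rules in
# sequence: first LOG (with a prefix saying why), then DROP.
# $1 = chain, $2 = match expression (word-split on purpose), $3 = log prefix
log_and_drop() {
    # Rate-limit the LOG rule so a flood of hits cannot fill syslog (assumed addition).
    $IPT -A "$1" $2 -m limit --limit 5/min -j LOG --log-prefix "$3"
    $IPT -A "$1" $2 -j DROP
}

# REJECT with an explicit qualifier; tcp-reset is the usual choice for TCP
# so the sender sees a clean connection refusal rather than a timeout.
# $1 = chain, $2 = match expression, $3 = reject qualifier
reject_with() {
    $IPT -A "$1" $2 -j REJECT --reject-with "$3"
}

# DNAT lives in the nat table's PREROUTING chain and rewrites the destination.
# $1 = incoming interface, $2 = public port, $3 = internal address[:port]
dnat_forward() {
    $IPT -t nat -A PREROUTING -i "$1" -p tcp --dport "$2" -j DNAT --to-destination "$3"
}

# SNAT rewrites the source to a fixed address; used when the outside address is static.
# $1 = internal network (CIDR), $2 = outgoing interface, $3 = fixed source address
snat_out() {
    $IPT -t nat -A POSTROUTING -s "$1" -o "$2" -j SNAT --to-source "$3"
}

# MASQUERADE picks the outgoing interface's current address itself; --to-ports
# limits the source ports it may map to.
# $1 = outgoing interface, $2 = port range such as 1024-65535
masquerade_out() {
    $IPT -t nat -A POSTROUTING -o "$1" -j MASQUERADE --to-ports "$2"
}

# Sample usage with constructed values (documentation-range addresses).
log_and_drop INPUT "-p tcp --dport 23" "TELNET-DROP: "
reject_with INPUT "-p tcp --dport 113" tcp-reset
dnat_forward eth0 80 192.0.2.10:8080
snat_out 10.0.0.0/24 eth0 198.51.100.1
masquerade_out ppp0 1024-65535
```

Because every function goes through `$IPT`, the same script serves as a review artifact (run it and read the printed rules) and as the applied configuration, which keeps what was reviewed identical to what was loaded.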