-c — Resets the counters for a particular rule. This parameter accepts the
BYTES options to specify what counter to reset.
-d — Sets the destination hostname, IP address, or network of a packet that matches the rule. When matching a network, the following IP address/netmask formats are supported:
-f — Applies this rule only to fragmented packets.
By using the exclamation point character (
!) option after this parameter, only unfragmented packets are matched.
-i — Sets the incoming network interface, such as
iptables, this optional parameter may only be used with the INPUT and FORWARD chains when used with the
filter table and the PREROUTING chain with the
This parameter also supports the following special options:
Exclamation point character (
!) — Reverses the directive, meaning any specified interfaces are excluded from this rule.
Plus character (
+) — A wildcard character used to match all interfaces that match the specified string. For example, the parameter
-i eth+ would apply this rule to any Ethernet interfaces but exclude any other interfaces, such as
-i parameter is used but no interface is specified, then every interface is affected by the rule.
-j — Jumps to the specified target when a packet matches a particular rule. Valid targets to use after the
-j option include standard options (
RETURN) as well as extended options that are available through modules loaded by default with the Red Hat Enterprise Linux
iptables RPM package, such as
REJECT, among others. Refer to the
iptables man page for more information about these and other targets.
It is also possible to direct a packet matching this rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet.
If no target is specified, the packet moves past the rule with no action taken. However, the counter for this rule increases by one.
-o — Sets the outgoing network interface for a rule and may only be used with OUTPUT and FORWARD chains in the
filter table, and the POSTROUTING chain in the
mangle tables. This parameter's options are the same as those of the incoming network interface parameter (
-p — Sets the IP protocol for the rule, which can be either
all, to match every supported protocol. In addition, any protocols listed in
/etc/protocols may also be used. If this option is omitted when creating a rule, the
all option is the default.
-s — Sets the source for a particular packet using the same syntax as the destination (