If this option is enabled, the kernel will include support for queueing packets via NFNETLINK.
If this option is enabled, the kernel will include support for logging packets via NFNETLINK. This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, and is also scheduled to replace the old syslog-based ipt_LOG and ip6t_LOG modules.
Connection tracking keeps a record of what packets have passed through your machine, in order to figure out how they are related into connections. This is required to do Masquerading or other kinds of Network Address Translation. It can also be used to enhance packet filtering (see `Connection state match support' below). To compile it as a module, choose M here. If unsure, say N.
This option enables support for connection marks, used by the `CONNMARK' target and `connmark' match. Similar to the mark value of packets, but this mark value is kept in the conntrack session instead of the individual packets.
This option enables security markings to be applied to connections. Typically they are copied to connections from packets using the CONNSECMARK target and copied back from connections to packets with the same target, with the packets being originally labeled via SECMARK. If unsure, say 'N'.
This option enables support for connection tracking zones. Normally, each connection needs to have a unique system wide identity. Connection tracking zones allow to have multiple connections using the same identity, as long as they are contained in different zones. If unsure, say `N'.
If this option is enabled, the connection tracking code will provide a notifier chain that can be used by other kernel code to get notified about changes in the connection tracking state. If unsure, say `N'.
This option enables support for connection tracking timestamping. This allows you to store the flow start-time and to obtain the flow-stop time (once it has been destroyed) via Connection tracking events. If unsure, say `N'.
With this option enabled, the layer 3 independent connection tracking code will be able to do state tracking on DCCP connections. If unsure, say 'N'.
With this option enabled, the layer 3 independent connection tracking code will be able to do state tracking on SCTP connections. If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
With this option enabled, the layer 3 independent connection tracking code will be able to do state tracking on UDP-Lite connections. To compile it as a module, choose M here. If unsure, say N.
If you are running the Amanda backup package <http://www.amanda.org/> on this machine or machines that will be MASQUERADED through this machine, then you may want to enable this feature. This allows the connection tracking and natting code to allow the sub-channels that Amanda requires for communication of the backup data, messages and index. To compile it as a module, choose M here. If unsure, say N.
Tracking FTP connections is problematic: special helpers are required for tracking them, and doing masquerading and other forms of Network Address Translation on them. This is FTP support on Layer 3 independent connection tracking. Layer 3 independent connection tracking is experimental scheme which generalize ip_conntrack to support other layer 3 protocols. To compile it as a module, choose M here. If unsure, say N.
H.323 is a VoIP signalling protocol from ITU-T. As one of the most important VoIP protocols, it is widely used by voice hardware and software including voice gateways, IP phones, Netmeeting, OpenPhone, Gnomemeeting, etc. With this module you can support H.323 on a connection tracking/NAT firewall. This module supports RAS, Fast Start, H.245 Tunnelling, Call Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, whiteboard, file transfer, etc. For more information, please visit http://nath323.sourceforge.net/. To compile it as a module, choose M here. If unsure, say N.
There is a commonly-used extension to IRC called Direct Client-to-Client Protocol (DCC). This enables users to send files to each other, and also chat to each other without the need of a server. DCC Sending is used anywhere you send files over IRC, and DCC Chat is most commonly used by Eggdrop bots. If you are using NAT, this extension will enable you to send files and initiate chats. Note that you do NOT need this extension to get files or have others initiate chats, or everything else in IRC. To compile it as a module, choose M here. If unsure, say N.
NetBIOS name service requests are sent as broadcast messages from an unprivileged port and responded to with unicast messages to the same port. This make them hard to firewall properly because connection tracking doesn't deal with broadcasts. This helper tracks locally originating NetBIOS name service requests and the corresponding responses. It relies on correct IP address configuration, specifically netmask and broadcast address. When properly configured, the output of "ip address show" should look similar to this: $ ip -4 address show eth0 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 To compile it as a module, choose M here. If unsure, say N.
SNMP service requests are sent as broadcast messages from an unprivileged port and responded to with unicast messages to the same port. This make them hard to firewall properly because connection tracking doesn't deal with broadcasts. This helper tracks locally originating SNMP service requests and the corresponding responses. It relies on correct IP address configuration, specifically netmask and broadcast address. To compile it as a module, choose M here. If unsure, say N.
This module adds support for PPTP (Point to Point Tunnelling Protocol, RFC2637) connection tracking and NAT. If you are running PPTP sessions over a stateful firewall or NAT box, you may want to enable this feature. Please note that not all PPTP modes of operation are supported yet. Specifically these limitations exist: - Blindly assumes that control connections are always established in PNS->PAC direction. This is a violation of RFC2637. - Only supports a single call within each session To compile it as a module, choose M here. If unsure, say N.
SANE is a protocol for remote access to scanners as implemented by the 'saned' daemon. Like FTP, it uses separate control and data connections. With this module you can support SANE on a connection tracking firewall. To compile it as a module, choose M here. If unsure, say N.
SIP is an application-layer control protocol that can establish, modify, and terminate multimedia sessions (conferences) such as Internet telephony calls. With the ip_conntrack_sip and the nf_nat_sip modules you can support the protocol on a connection tracking/NATing firewall. To compile it as a module, choose M here. If unsure, say N.
TFTP connection tracking helper, this is required depending on how restrictive your ruleset is. If you are using a tftp client behind -j SNAT or -j MASQUERADING you will need this. To compile it as a module, choose M here. If unsure, say N.
This option enables support for a netlink-based userspace interface
This option enables transparent proxying support, that is, support for handling non-locally bound IPv4 TCP and UDP sockets. For it to work you will have to configure certain iptables rules and use policy routing. For more information on how to set it up see Documentation/networking/tproxy.txt. To compile it as a module, choose M here. If unsure, say N.
This is required if you intend to use any of ip_tables, ip6_tables or arp_tables.
This option adds the "MARK" target and "mark" match. Netfilter mark matching allows you to match packets based on the "nfmark" value in the packet. The target allows you to create rules in the "mangle" table which alter the netfilter mark (nfmark) field associated with the packet. Prior to routing, the nfmark can influence the routing method (see "Use netfilter MARK value as routing key") and can also be used by other subsystems to change their behavior.
This option adds the "CONNMARK" target and "connmark" match. Netfilter allows you to store a mark value per connection (a.k.a. ctmark), similarly to the packet mark (nfmark). Using this target and match, you can set and match on this mark.
This option adds the "SET" target and "set" match. Using this target and match, you can add/delete and match elements in the sets created by ipset(8). To compile it as a module, choose M here. If unsure, say N.
This option adds a 'AUDIT' target, which can be used to create audit records for packets dropped/accepted. To compileit as a module, choose M here. If unsure, say N.
This option adds a `CHECKSUM' target, which can be used in the iptables mangle table. You can use this target to compute and fill in the checksum in a packet that lacks a checksum. This is particularly useful, if you need to work around old applications such as dhcp clients, that do not work well with checksum offloads, but don't want to disable checksum offload in your device. To compile it as a module, choose M here. If unsure, say N.
This option adds a `CLASSIFY' target, which enables the user to set the priority of a packet. Some qdiscs can use this value for classification, among these are: atm, cbq, dsmark, pfifo_fast, htb, prio To compile it as a module, choose M here. If unsure, say N.
This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
The CONNSECMARK target copies security markings from packets to connections, and restores security markings from connections to packets (if the packets are not already marked). This would normally be used in conjunction with the SECMARK target. To compile it as a module, choose M here. If unsure, say N.
This options adds a `CT' target, which allows to specify initial connection tracking parameters like events to be delivered and the helper to be used. To compile it as a module, choose M here. If unsure, say N.
This option adds a `DSCP' target, which allows you to manipulate the IPv4/IPv6 header DSCP field (differentiated services codepoint). The DSCP field can have any value between 0x0 and 0x3f inclusive. It also adds the "TOS" target, which allows you to create rules in the "mangle" table which alter the Type Of Service field of an IPv4 or the Priority field of an IPv6 packet, prior to routing. To compile it as a module, choose M here. If unsure, say N.
This option adds the "HL" (for IPv6) and "TTL" (for IPv4) targets, which enable the user to change the hoplimit/time-to-live value of the IP header. While it is safe to decrement the hoplimit/TTL value, the modules also allow to increment and set the hoplimit value of the header to arbitrary values. This is EXTREMELY DANGEROUS since you can easily create immortal packets that loop forever on the network.
This option adds the `IDLETIMER' target. Each matching packet resets the timer associated with label specified when the rule is added. When the timer expires, it triggers a sysfs notification. The remaining time for expiration can be read via sysfs. To compile it as a module, choose M here. If unsure, say N.
This option adds a `LED' target, which allows you to blink LEDs in response to particular packets passing through your machine. This can be used to turn a spare LED into a network activity LED, which only flashes in response to FTP transfers, for example. Or you could have an LED which lights up for a minute or two every time somebody connects to your machine via SSH. You will need support for the "led" class to make this work. To create an LED trigger for incoming SSH traffic: iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 Then attach the new trigger to an LED on your system: echo netfilter-ssh > /sys/class/leds/<ledname>/trigger For more information on the LEDs available on your system, see Documentation/leds-class.txt
This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
This option enables the NFLOG target, which allows to LOG messages through nfnetlink_log. To compile it as a module, choose M here. If unsure, say N.
This target replaced the old obsolete QUEUE target. As opposed to QUEUE, it supports 65535 different queues, not just one. To compile it as a module, choose M here. If unsure, say N.
The NOTRACK target allows a select rule to specify which packets *not* to enter the conntrack/NAT subsystem with all the consequences (no ICMP error tracking, no protocol helpers for the selected packets). If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
This option adds a `RATEEST' target, which allows to measure rates similar to TC estimators. The `rateest' match can be used to match on the measured rates. To compile it as a module, choose M here. If unsure, say N.
This option adds a "TEE" target with which a packet can be cloned and this clone be rerouted to another nexthop.
This option adds a `TPROXY' target, which is somewhat similar to REDIRECT. It can only be used in the mangle table and is useful to redirect traffic to a transparent proxy. It does _not_ depend on Netfilter connection tracking and NAT, unlike REDIRECT. To compile it as a module, choose M here. If unsure, say N.
The TRACE target allows you to mark packets so that the kernel will log every rule which match the packets as those traverse the tables, chains, rules. If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
The SECMARK target allows security marking of network packets, for use with security subsystems. To compile it as a module, choose M here. If unsure, say N.
This option adds a `TCPMSS' target, which allows you to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40). This is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets: 1) Web browsers connect, then hang with no data received. 2) Small mail works fine, but large emails hang. 3) ssh works fine, but scp hangs after initial handshaking. Workaround: activate this option and add a rule to your firewall configuration like: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ -j TCPMSS --clamp-mss-to-pmtu To compile it as a module, choose M here. If unsure, say N.
This option adds a "TCPOPTSTRIP" target, which allows you to strip TCP options from TCP packets.
This option allows you to match what routing thinks of an address, eg. UNICAST, LOCAL, BROADCAST, ... If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
This option allows you to build work-load-sharing clusters of network servers/stateful firewalls without having a dedicated load-balancing router/server/switch. Basically, this match returns true when the packet must be handled by this cluster node. Thus, all nodes see all packets and this match decides which node handles what packets. The work-load sharing algorithm is based on source address hashing. If you say Y or M here, try `iptables -m cluster --help` for more information.
This option adds a `comment' dummy-match, which allows you to put comments in your iptables ruleset. If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
This option adds a `connbytes' match, which allows you to match the number of bytes and/or packets for each direction within a connection. If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
This match allows you to match against the number of parallel connections to a server per client IP address (or address block).
This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
This is a general conntrack match module, a superset of the state match. It allows matching on additional conntrack information, which is useful in complex configurations, such as NAT gateways with multiple internet links or tunnels. To compile it as a module, choose M here. If unsure, say N.
CPU matching allows you to match packets based on the CPU currently handling the packet. To compile it as a module, choose M here. If unsure, say N.
With this option enabled, you will be able to use the iptables `dccp' match in order to match on DCCP source/destination ports and DCCP flags. If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
This options adds a `devgroup' match, which allows to match on the device group a network device is assigned to. To compile it as a module, choose M here. If unsure, say N.
This option adds a `DSCP' match, which allows you to match against the IPv4/IPv6 header DSCP field (differentiated services codepoint). The DSCP field can have any value between 0x0 and 0x3f inclusive. It will also add a "tos" match, which allows you to match packets based on the Type Of Service fields of the IPv4 packet (which share the same bits as DSCP). To compile it as a module, choose M here. If unsure, say N.
This match extension allows you to match a range of SPIs inside ESP header of IPSec packets. To compile it as a module, choose M here. If unsure, say N.
This option adds a `hashlimit' match. As opposed to `limit', this match dynamically creates a hash table of limit buckets, based on your selection of source/destination addresses and/or ports. It enables you to express policies like `10kpps for any given destination address' or `500pps from any given source address' with a single rule.
Helper matching allows you to match packets in dynamic connections tracked by a conntrack-helper, ie. ip_conntrack_ftp To compile it as a module, choose M here. If unsure, say Y.
HL matching allows you to match packets based on the hoplimit in the IPv6 header, or the time-to-live field in the IPv4 header of the packet.
This option adds a "iprange" match, which allows you to match based on an IP address range. (Normal iptables only matches on single addresses with an optional mask.) If unsure, say M.
This option allows you to match against IPVS properties of a packet. If unsure, say N.
This option allows you to match the length of a packet against a specific value or range of values. To compile it as a module, choose M here. If unsure, say N.
limit matching allows you to control the rate at which a rule can be
matched: mainly useful in combination with the LOG target ("LOG
target support", below) and to avoid some Denial of Service attacks.
To compile it as a module, choose M here. If unsure, say N.
MAC matching allows you to match packets based on the source Ethernet address of the packet. To compile it as a module, choose M here. If unsure, say N.
This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
Multiport matching allows you to match TCP or UDP packets based on a series of source or destination ports: normally a rule can only match a single range of ports. To compile it as a module, choose M here. If unsure, say N.
This option selects the Passive OS Fingerprinting match module that allows to passively match the remote operating system by analyzing incoming TCP SYN packets. Rules and loading software can be downloaded from http://www.ioremap.net/projects/osf To compile it as a module, choose M here. If unsure, say N.
Socket owner matching allows you to match locally-generated packets based on who created the socket: the user or group. It is also possible to check whether a socket actually exists.
Policy matching allows you to match packets based on the IPsec policy that was used during decapsulation/will be used during encapsulation. To compile it as a module, choose M here. If unsure, say N.
Physdev packet matching matches against the physical bridge ports the IP packet arrived on or will leave by. To compile it as a module, choose M here. If unsure, say N.
Packet type matching allows you to match a packet by its "class", eg. BROADCAST, MULTICAST, ... Typical usage: iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG To compile it as a module, choose M here. If unsure, say N.
This option adds a `quota' match, which allows to match on a byte counter. If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
This option adds a `rateest' match, which allows to match on the rate estimated by the RATEEST target. To compile it as a module, choose M here. If unsure, say N.
This option adds a `realm' match, which allows you to use the realm key from the routing subsystem inside iptables. This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option in tc world. If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
This match is used for creating one or many lists of recently used addresses and then matching against that/those list(s). Short options are available by using 'iptables -m recent -h' Official Website: <http://snowman.net/projects/ipt_recent/>
With this option enabled, you will be able to use the `sctp' match in order to match on SCTP source/destination ports and SCTP chunk types. If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
This option adds a `socket' match, which can be used to match packets for which a TCP or UDP socket lookup finds a valid socket. It can be used in combination with the MARK target and policy routing to implement full featured non-locally bound sockets. To compile it as a module, choose M here. If unsure, say N.
Connection state matching allows you to match packets based on their relationship to a tracked connection (ie. previous packets). This is a powerful tool for packet classification. To compile it as a module, choose M here. If unsure, say N.
This option adds a `statistic' match, which allows you to match on packets periodically or randomly with a given percentage. To compile it as a module, choose M here. If unsure, say N.
This option adds a `string' match, which allows you to look for pattern matchings in packets. To compile it as a module, choose M here. If unsure, say N.
This option adds a `tcpmss' match, which allows you to examine the MSS value of TCP SYN packets, which control the maximum packet size for that connection. To compile it as a module, choose M here. If unsure, say N.
This option adds a "time" match, which allows you to match based on the packet arrival time (at the machine which netfilter is running) on) or departure time/date (for locally generated packets). If you say Y here, try `iptables -m time --help` for more information. If you want to compile it as a module, say M here. If unsure, say N.
u32 allows you to extract quantities of up to 4 bytes from a packet, AND them with specified masks, shift them by specified amounts and test whether the results are in any of a set of specified ranges. The specification of what to extract is general enough to skip over headers with lengths stored in the packet, as in IP or TCP header lengths. Details and examples are in the kernel module source.