Home - QueuingKoala/fn-netfilter GitHub Wiki

Welcome to #Netfilter on Freenode IRC

#Netfilter offers informal help with the Linux packet firewall Netfilter (aka "iptables") and some related tools/concepts such as iproute2, policy routing, etc. This page serves as an FAQ and introduction to getting help on #Netfilter.

FAQ and tips for getting help

Here are some tips you should follow when asking for help. Further reading may be linked from these FAQ items.

FAQ list:

Asking smart questions

You don't need to "ask to ask" here -- just describe your problem and ask your question. For best results, it helps if you've tried to look for the answer yourself in the manpage and on the web. Even if it doesn't answer your question, it gives you tools to ask better questions (and shows us you're willing to help work for an answer, not just wanting us to do your firewall config for you.)

Read more about asking smart questions here.

How to pastebin rules

Short answer: always use the command iptables-save -c (and ip6tables-save -c if IPv6 is involved) to display your rules, run as root. This dumps every loaded table together with its packet and byte counters, which is exactly what we need to see.

Any other method of displaying your rules at best will make reading them harder, and at worst will omit critical information we will need to provide help. Especially avoid using the iptables -L command (read why further below.)

Manpage resources

Several useful manpages are provided with the userland iptables package, described briefly here. Many answers about usage are described inside them, and you might find us giving an answer referring to one of these manpages.

  • iptables(8) and ip6tables(8)
    • This manpage describes basic matches and invocation of the iptables command.
  • iptables-extensions(8)
    • This manpage contains a list of modules and targets, including available options and syntax. In older iptables releases, this was included in iptables(8).
  • iptables-save(8) and ip6tables-save(8)
    • This manpage describes how to dump a complete ruleset.
  • iptables-restore(8) and ip6tables-restore(8)
    • This manpage describes how to load a complete ruleset. The input to iptables-restore is the output of iptables-save, which can be edited and maintained by hand.

Tools to avoid

The old net-tools programs are obsolete and were replaced during the Linux 2.2 and 2.4 kernel development. Since we're over a decade past this, the replacement tools from the iproute2 package should be used instead.

The old net-tools programs that should be avoided include: ifconfig, route, netstat, arp, and others from this suite. These tools are in many cases dysfunctional: they talk to old kernel interfaces and will hide or omit current state (for example, ifconfig shows only the first IPv4 address on a device, and route shows only the main routing table).

If you're still not convinced, the net-tools manpages themselves have been updated to point users to the new tools from the iproute2 package, and these tools have been out of date for well over 10 years.

Here are the replacements:

  • ifconfig has been replaced with the ip command
    • Addressing uses the ip address subcommand (see ip addr help for usage. See also: ip(8))
    • Link configuration uses the ip link subcommand (see ip link help for usage, or ip(8))
  • route has been replaced with the ip route subcommand
    • See ip route help or ip(8) for usage
  • arp has been replaced with the ip neighbor subcommand
    • See ip neigh help or ip(8) for usage
  • netstat has been replaced with the ss command
    • See ss(8) for usage

Understanding interfaces (eth0:0 is NOT an interface)

In Netfilter, it's common to see the -i and -o options used in a ruleset, since they allow matching on the inbound or outbound interface involved. However, only real network devices can be named here.

If you see eth0:0 (the form <device>:<int>), this is an alias, not an interface. Aliases are the deprecated, ifconfig-era way of putting more than one IP address on a device; the modern ip command simply adds additional addresses to the device itself (read why to avoid ifconfig here.)

If you are unable to use modern tooling to avoid deprecated "aliases," understand that Netfilter only knows the real device, so that is what -i and -o must name. The device of eth0:0 is eth0. If you attempt to specify an alias, it will not work, because no device by that name exists.
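As an added example (not from this wiki), here is a small POSIX shell helper that reads an iptables-save ruleset on stdin and rewrites any alias name given to -i or -o to the underlying device, reporting each change on stderr, plus a helper that prints the ip(8) equivalent of an ifconfig alias command. The sample ruleset, device names and addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the #Netfilter wiki. Device names, addresses
# and the sample ruleset below are made up for illustration.

# Read an iptables-save/iptables-restore ruleset on stdin and rewrite any
# alias name (e.g. eth0:0) given to -i or -o to its real device (eth0),
# which is the only thing Netfilter will match on. Each rewrite is
# reported on stderr; the corrected ruleset goes to stdout.
fix_alias_ifaces() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if (($i == "-i" || $i == "-o") && $(i + 1) ~ /^[A-Za-z0-9_.-]+:[0-9]+$/) {
                dev = $(i + 1)
                sub(/:[0-9]+$/, "", dev)
                printf "line %d: %s is an alias, not an interface; using %s\n", NR, $(i + 1), dev > "/dev/stderr"
                $(i + 1) = dev
            }
        }
        print
    }'
}

# Convert a dotted-quad netmask (assumed contiguous) to a prefix length.
mask_to_prefix() {
    printf '%s\n' "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            n = $i
            while (n > 0) { bits += n % 2; n = int(n / 2) }
        }
        print bits
    }'
}

# Print the iproute2 equivalent of "ifconfig DEV:N ADDR netmask MASK".
# The address lands on the real device; the alias survives only as a
# cosmetic label, and firewall rules must still match on the real device.
alias_to_ip_cmd() {
    alias_name=$1 addr=$2 mask=$3
    dev=${alias_name%%:*}
    printf 'ip address add %s/%s dev %s label %s\n' \
        "$addr" "$(mask_to_prefix "$mask")" "$dev" "$alias_name"
}

# Constructed sample ruleset containing the common mistake.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0:0 -p tcp --dport 22 -j ACCEPT
-A FORWARD ! -o eth1:2 -j DROP
COMMIT
EOF
}

# Demo: corrected ruleset on stdout, one warning per rewrite on stderr,
# then the ip command that replaces "ifconfig eth0:0 192.0.2.10 netmask 255.255.255.0".
sample_ruleset | fix_alias_ifaces
alias_to_ip_cmd eth0:0 192.0.2.10 255.255.255.0
```

The corrected output is itself valid iptables-restore input, so the helper can sit in a pipeline such as `iptables-save -c | fix_alias_ifaces > rules.txt` before you paste or reload a ruleset.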

Additional details

This section gets into the nitty-gritty details of some concepts from above.

Why to avoid iptables -L

There is so much wrong with using iptables -L, and you're likely to get all but ignored if you display your rules in #Netfilter using this output. Avoid using this form of output at all costs.

  • Netfilter has 5 tables (filter, nat, mangle, raw, and security), and by showing only the implicit filter table, you are omitting rules that are critical to understanding a complete ruleset.
  • Use of -L by itself hides information in rules: without -v the in/out interfaces are not shown, without -n addresses and ports are resolved to names, and without -x the counters are rounded.
  • Even if the somewhat more-complete -xnvL sequence is used, it still hides the other tables noted above. Plus the format is so ugly to read by experts (and you're asking these experts to review your rules.) No, we do not like the "column-aligned" format -L spits out, so please do not use it.
  • Even if you try to be clever and call -xnvL for each of the 5 tables using the -t flag, you have now just loaded all 5 tables, even if they weren't loaded before. iptables-save, by contrast, only dumps the tables that are actually in use.

If you don't have iptables-save:

  • First double-check -- sometimes you need to use the full path /sbin/iptables-save (or /usr/sbin/iptables-save) if your $PATH is wrong.
  • Verify you are running as root: gathering information from Netfilter requires root access.
  • Sometimes bad distros "forget" to link the iptables-save program. It should be linked to the xtables-multi binary, or sometimes the iptables binary on older installations. Try creating this link yourself if it's missing.
  • If none of the above suggestions worked, complain to your distro packager. They are crippling your installation by not providing standard tools.
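As an added example (not from this wiki), the script below gathers a ruleset the way the channel asks for it and walks the checklist above first: it looks for the save binaries in the sbin directories a non-root PATH often lacks, refuses to run unless root, dumps every loaded table of both families with counters, and, if iptables-save is missing, points at the multi-call binary it is normally linked to rather than silently creating the link. The directory list, the xtables binary names and the script name are assumptions.

```sh
#!/bin/sh
# Added example, not part of the #Netfilter wiki. The search directories,
# binary names and script name are assumptions, not distro facts.

# Locate a tool, checking $PATH first and then the sbin directories that a
# non-root user's PATH frequently lacks. Prints the path; fails if absent.
find_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        command -v "$1"
        return 0
    fi
    for dir in /sbin /usr/sbin /usr/local/sbin; do
        if [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# iptables-save is normally a link to xtables-multi (xtables-legacy-multi
# or xtables-nft-multi on iptables 1.8+, plain iptables on very old
# installs). Suggest the link instead of creating it behind the user's back.
suggest_link() {
    for multi in xtables-multi xtables-legacy-multi xtables-nft-multi iptables; do
        if p=$(find_tool "$multi"); then
            printf 'iptables-save not found; it is normally a link to %s, e.g.:\n' "$p" >&2
            printf '  ln -s %s %s/iptables-save\n' "$p" "${p%/*}" >&2
            return 0
        fi
    done
    printf 'no xtables binary found at all; complain to your distro packager\n' >&2
    return 1
}

# Dump every loaded table of both families with counters (-c), the form
# #Netfilter wants to see on a pastebin. A comment line marks each family
# so the two dumps cannot be confused when pasted together.
dump_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo 'run as root: reading Netfilter rules needs root' >&2
        return 1
    fi
    for fam in iptables ip6tables; do
        if save=$(find_tool "$fam-save"); then
            printf '# %s-save -c\n' "$fam"
            "$save" -c
        elif [ "$fam" = iptables ]; then
            suggest_link
        fi
    done
}

# Usage (as root): sh dump-rules.sh dump > rules.txt, then paste rules.txt.
if [ "${1:-}" = "dump" ]; then
    dump_rules
fi
```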

Links and other resources

This section contains helpful links and resources to Netfilter and related topics.

Netfilter links

  • Netfilter packet flow diagram (svg and png formats available)
  • Towards the perfect ruleset -- this write-up offers suggestions on writing efficient rules for Netfilter
  • iptables tutorial by Oskar Andreasson -- last updated in 2006, but is still a decent basic tutorial despite some of its older references
    • The basic description of how packets and routers work may be especially helpful to beginners.
    • Some older references, such as the state module, have simply been replaced by newer counterparts such as the conntrack module (which replaces state). Much of the information in the tutorial is still valid today so long as you keep these newer changes in mind.

Linux networking links

These links are for non-Netfilter related networking concepts useful for Linux.

  • The LARTC Howto provides wonderful resources to advanced routing and QoS (aka tc, or traffic control) on Linux.
    • Policy routing in Ch. 4, QoS in Ch. 9.
    • Start at the beginning chapters of this resource if you're new to advanced routing on Linux.