iptables and iprules

iptables Chains and Extensions

netfilter was designed from the ground up to be modular, and iptables follows the same structural logic. Its core feature set is expanded through extensions: modules hooked into iptables that perform various functions against packets and/or connections. Most extensions cannot be applied to every iptables chain or table.

There are two categories of extensions: Match and Target. Not all extensions are available under all circumstances. Below, you will find examples of some extensions and when they may be applied.

Only select common extensions are included below. Many more exist (see here for a complete list).

Match Extension Chains and Tables

Here is a list of each iptables match extension and the corresponding chains and tables they may be used in:

Match Extension   Chains                                              Table(s)
connmark          PREROUTING, POSTROUTING                             mangle, filter
conntrack         INPUT, PREROUTING                                   filter
iprange           PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING     filter
mac               PREROUTING, INPUT, FORWARD                          filter
mark              INPUT, PREROUTING, POSTROUTING                      mangle, filter
multiport         INPUT, FORWARD, OUTPUT, PREROUTING                  nat, filter
owner             OUTPUT, POSTROUTING                                 filter

Target Extension Chains and Tables

Here is a list of each iptables target extension and the corresponding chains and tables they may be used in:

Target Extension  Chains                                              Table(s)
CONNMARK          PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING     mangle
CT                PREROUTING, OUTPUT                                  raw
DNAT              PREROUTING, OUTPUT                                  nat
MARK              PREROUTING, INPUT, OUTPUT                           mangle
MASQUERADE        POSTROUTING                                         nat
REJECT            INPUT, FORWARD, OUTPUT                              nat, filter
SNAT              POSTROUTING                                         nat

Inverse Operand

It's possible to invert a match parameter by placing the inverse operand (!) in front of the -- of the extension option. Let's take a look at a portion of a command line that filters on an IPv4 range.

... -m iprange --src-range 192.168.1.1-192.168.1.255

Normally, this match extension would limit the iptables rule to the range of IPv4 source addresses between 192.168.1.1 and 192.168.1.255. If you placed an inverse operand character in front of the --src-range option, you would instruct iptables to do the opposite.

... -m iprange ! --src-range 192.168.1.1-192.168.1.255

The command above would instruct iptables to apply the rule to any IPv4 source address NOT between 192.168.1.1 and 192.168.1.255, the opposite effect of the original command option.

Breaking it down, we have:

  • -m is the flag that loads an iptables extension (in this case, a match extension)
  • iprange is the name of the match extension being loaded
  • --src-range (source range) is the option being called within the iprange extension
  • 192.168.1.1-192.168.1.255 is the affected range of IPv4 source addresses
  • Alternatively, ! --src-range (inverted source range) instructs iptables to apply the rule to all source IPv4 addresses except those in 192.168.1.1-192.168.1.255.
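To make the inverse operand concrete, here is an added example (not part of the original page) that parses an iprange fragment like the ones above and evaluates it against constructed packet addresses. It is a simplified simulation of how iptables treats the match, not iptables code; only --src-range and --dst-range are understood, and ! applies to the single option that follows it.

```python
import ipaddress
import shlex

def parse_iprange_match(fragment):
    """Parse '-m iprange [!] --src-range A-B [!] --dst-range C-D' into a list
    of (option, inverted, low, high) tuples. Bounds are inclusive, as in
    the page's example range 192.168.1.1-192.168.1.255."""
    tokens = shlex.split(fragment)
    if tokens[:2] != ["-m", "iprange"]:
        raise ValueError("expected the fragment to start with '-m iprange'")
    checks = []
    i = 2
    while i < len(tokens):
        inverted = False
        if tokens[i] == "!":          # inverse operand precedes the -- option
            inverted = True
            i += 1
        option = tokens[i]
        if option not in ("--src-range", "--dst-range"):
            raise ValueError(f"unsupported iprange option: {option}")
        low, high = (ipaddress.IPv4Address(a) for a in tokens[i + 1].split("-"))
        if low > high:
            raise ValueError(f"range start {low} is above range end {high}")
        checks.append((option, inverted, low, high))
        i += 2
    return checks

def matches(fragment, src, dst):
    """Return True if a packet with these IPv4 source/destination addresses
    satisfies every check in the fragment; a '!' flips only its own check."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for option, inverted, low, high in parse_iprange_match(fragment):
        addr = src if option == "--src-range" else dst
        in_range = low <= addr <= high
        if in_range == inverted:      # in range but inverted, or out of range and not inverted
            return False
    return True

if __name__ == "__main__":
    # Constructed sample fragments and packet addresses for demonstration.
    plain = "-m iprange --src-range 192.168.1.1-192.168.1.255"
    inverted = "-m iprange ! --src-range 192.168.1.1-192.168.1.255"
    for src in ("192.168.1.50", "192.168.2.50"):
        print(src, "plain:", matches(plain, src, "10.0.0.1"),
              "inverted:", matches(inverted, src, "10.0.0.1"))
```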

Loopback Adapter

Rules that reference the loopback adapter (lo) are only applicable in the INPUT and OUTPUT chains.

Connection Tracking

As explained under CONNTRACK, connection tracking is an extension (also known as a module) to iptables that allows monitoring the status of a network connection. All traffic coming into or going out of your server is transmitted as network packets, and each of those packets belongs to a connection. A connection is considered new when the packet seen is the very first packet of that connection; it could be an outgoing packet that originated from your server or an incoming packet arriving from another host. The Connection Tracking or ConnTrack module is unusual in that it adds both match and target extensions to iptables.