iptables-legacy / ip6tables-legacy


Data

Version number: iptables v1.8.2 (legacy) (in Debian 10)

Short description:

The manual page and help output for the iptables-legacy / ip6tables-legacy Linux commands. xtables-legacy is the original version of iptables, built on the old getsockopt/setsockopt-based kernel interface. That interface has some limitations (rule updates are not atomic and there is no way to be notified of ruleset changes), so iptables can also be used with the newer nf_tables-based API through the xtables-nft variants.


Man page output

man iptables-legacy
man ip6tables-legacy
XTABLES-LEGACY(8)                                     System Manager's Manual                                     XTABLES-LEGACY(8)

NAME
       xtables-legacy — iptables using old getsockopt/setsockopt-based kernel api

DESCRIPTION
       xtables-legacy are the original versions of iptables that use the old getsockopt/setsockopt-based kernel interface.  This
       kernel interface has some limitations, therefore iptables can also be used with the newer nf_tables based API.  See
       xtables-nft(8) for information about the xtables-nft variants of iptables.

USAGE
       The xtables-legacy-multi binary can be linked to the traditional names:

            /sbin/iptables -> /sbin/xtables-legacy-multi
            /sbin/ip6tables -> /sbin/xtables-legacy-multi
            /sbin/iptables-save -> /sbin/xtables-legacy-multi
            /sbin/iptables-restore -> /sbin/xtables-legacy-multi

       The iptables version string will indicate whether the legacy API (get/setsockopt) or the new nf_tables API is used:
            iptables -V
            iptables v1.7 (legacy)

LIMITATIONS
       When  inserting a rule using iptables -A or iptables -I, iptables first needs to retrieve the current active ruleset, change
       it to include the new rule, and then commit back the result.  This means that if two instances of iptables are running  con‐
       currently, one of the updates might be lost.  This can be worked around partially with the --wait option.

       There is also no method to monitor changes to the ruleset, except periodically calling iptables-legacy-save and checking for
       any differences in output.

       xtables-monitor(8) needs the xtables-nft(8) versions to work; it cannot display changes made using the iptables-legacy
       tools.
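The script below is an added example and is not part of the man page or of the help output reproduced on this page. It pulls together three things the page describes: classifying the `iptables -V` string from the USAGE section, using `-w` and `-C` from the help output to avoid the lock failure and duplicate rules while appending, and the only change-detection method the LIMITATIONS section leaves for the legacy backend, polling `iptables-legacy-save` and diffing. It assumes the Debian 10 names `iptables-legacy` and `iptables-legacy-save` are on PATH; the sample dumps produced by `sample_dump` are constructed here for offline use and are not real output.

```shell
#!/bin/sh
# Added example, not part of the iptables man page or help output.
# Assumes iptables-legacy / iptables-legacy-save are on PATH (Debian 10 names).
# The dumps produced by sample_dump are constructed for illustration only.

# backend_of VERSION_STRING: classify the `iptables -V` output quoted in the
# USAGE section, e.g. "iptables v1.8.2 (legacy)" -> legacy.
backend_of() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;   # pre-1.8 builds print no suffix
    esac
}

# ensure_rule RULE-SPEC...: append a rule only if it is not already present.
# -w 5 waits up to 5 s for the xtables lock instead of failing at once while
# another iptables instance holds it; -C probes for an existing rule.
# The probe and the append are separate invocations, so this is not atomic:
# the lock only serialises callers, which is why the man page calls --wait
# a partial workaround.
ensure_rule() {
    iptables-legacy -w 5 -C "$@" 2>/dev/null || iptables-legacy -w 5 -A "$@"
}

# iptables-save output carries a timestamp in its "# Generated by" and
# "# Completed on" comments, and with -c a [pkts:bytes] counter on every
# chain policy and rule, so a naive diff of two dumps always differs.
# normalize_ruleset strips both so only chain/policy/rule changes remain.
normalize_ruleset() {
    sed -e '/^# Generated by /d' \
        -e '/^# Completed on /d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*\]$/\1/'
}

# ruleset_changed DUMP_A DUMP_B: succeed (exit 0) if the dumps differ once
# normalized, fail (exit 1) if only timestamps or counters moved.
ruleset_changed() {
    a=$(mktemp) ; b=$(mktemp)
    normalize_ruleset < "$1" > "$a"
    normalize_ruleset < "$2" > "$b"
    if cmp -s "$a" "$b"; then changed=1; else changed=0; fi
    rm -f "$a" "$b"
    return "$changed"
}

# monitor INTERVAL: poll-based change detection for the legacy backend, the
# only option the LIMITATIONS section leaves (xtables-monitor(8) cannot see
# changes made with the legacy tools). Prints a diff whenever rules change.
monitor() {
    prev=$(mktemp) ; cur=$(mktemp)
    iptables-legacy-save -c > "$prev"
    while sleep "$1"; do
        iptables-legacy-save -c > "$cur"
        if ruleset_changed "$prev" "$cur"; then
            echo "ruleset changed at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
            normalize_ruleset < "$prev" > "$prev.n"
            normalize_ruleset < "$cur"  > "$cur.n"
            diff "$prev.n" "$cur.n"
            rm -f "$prev.n" "$cur.n"
            mv "$cur" "$prev"
        fi
    done
}

# sample_dump STAMP COUNT [EXTRA_RULE]: constructed dump in the shape of
# `iptables-legacy-save -c`, parameterised so timestamp, counters and the
# rule list can be varied without touching a real ruleset.
sample_dump() {
    printf '# Generated by xtables-save v1.8.2 on %s\n*filter\n' "$1"
    printf ':INPUT DROP [%d:%d]\n' "$2" $(( $2 * 80 ))
    printf ':FORWARD DROP [0:0]\n:OUTPUT ACCEPT [33:4412]\n'
    printf '[%d:%d] -A INPUT -i lo -j ACCEPT\n' "$2" $(( $2 * 60 ))
    printf '[7:660] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    if [ $# -ge 3 ]; then printf '[0:0] %s\n' "$3"; fi
    printf 'COMMIT\n# Completed on %s\n' "$1"
}

# Usage: sh this-script.sh monitor 5   (polls the live ruleset every 5 s)
case "${1:-}" in
    monitor) monitor "${2:-5}" ;;
esac
```

Run as root for `monitor` and `ensure_rule`; the normalisation and backend checks need no privileges. Keeping the normalised dumps rather than the raw ones is also what you want if the snapshots feed a file-integrity or SIEM pipeline, since otherwise every poll looks like a change.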

SEE ALSO
       xtables-nft(8), xtables-translate(8)

AUTHORS
       Rusty Russell originally wrote iptables, in early consultation with Michael Neuling.

                                                             June 2018                                            XTABLES-LEGACY(8)


Help output

sudo iptables-legacy --help
sudo ip6tables-legacy --help
iptables v1.8.2

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --wait        -w [seconds]    maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
