3.1.1 Criteria

A rule is a collection of criteria that describes network packets. The available parameters are described as follows.

• Protocol: this specifies the network layer protocol. tcp is a connection-based protocol. udp is a datagram (connectionless) protocol. icmp is Internet Control Message Protocol, it is used to for control purposes. tcp and udp, on the other hand, are used for data transmission at the network layer. all specifies all three types of protocols.
• Source: this is a description of the source of a network packet.
• Destination: this is a description of the destination of a network packet.
• Source port: this is the originating port number of a packet.
• Destination port: this is the destination (receiving) port number of a packet.

There are several ways to describe a network address:

• Network name or host name: generally speaking, using names in iptables is not a good idea. The only exception is when the name can be looked up without any network traffic. For example, entries in hosts can be used safely.
• Network address with mask: 192.168.1.0/24 specifies that the leftmost 24 bits of 192.168.1.0 is the network address.
• IP address: 192.168.1.65 specifies a particular IP address.

In addition to criteria based on individual packets, iptables can also utilize criteria based on the interface (often translating to a NIC) that physically receives or transmit a packet:

• In interface: this specifies the name of the interface that receives a packet. Common name include eth0 for a single ethernet port 0, or eth+ for all ethernet ports.
• Out interface: this specifies the name of the interface that transmit a packet. Same naming convention as in interface.

A criterion can also specify “fragments”. A packet can be broken into fragments as it is transmitted over a network. This allows a certain rule to be associated only with either the first fragment of a packet, or all other fragments of a packet.

Note that each criteria can also accept negation specifications. For example, you can specify “source not from 76.25.62.44”, or “protocol other than icmp ”.