Here, you will note the big difference is the optional "-t" command specifying which table to utilize. Other than that, you have some very familiar usage to that of IP Chains.
-P
Again, the "-P" flag allows specifying the default policy (target) for a chain if none of the rules in that chain are matched. Here, the chain names are different from what they were in IP Chains. They are now lower case: input, forward, and output. For any chain, the default target may be ACCEPT, DROP, or REJECT. So, if I wanted to make the default policy for forward to be REJECT, I would set it thusly:
# iptables -P forward REJECT
-A, -D, -C
The "-A" command adds a new rule to the end of a chain. The "-D" command deletes a rule from the chain, and the "-C" creates a new rule. For example, if I wanted to set the interface "eth2" for IP Masqerading in the forward chain, I would use the following:
# iptable -A forward -i eth2 -j MASQ
Options
A rule may include an interface specification, a source IP and port, a destination IP and port, a protocol specification, and a target or disposition for the packet. Each of these is introduced with a dash (-) and the type of item, followed by the value. The value may be preceded by a bang (!) to meant not that value. An interface is specified by -i or --interface, possibly followed by a bang (!), followed by the name of the interface as shown by ifconfig. If the name ends in +, it will act as a wildcard similarily to the way an asterisk (*) does for other programs. As we see in the above example, we specified the third ethernet card with -i eth2, but some other examples include:
-i eth0
-i ! ppp0
A source may be specified by -s or --source; a destination may be specified by -d or --destination. Each of these accepts an IP address, specified either by hots name or by numeric dotted quad. The quad may be followed by a slash (/) and a number indicating the quantity of high-order bits that should be matched. Instead of this number, a dotted quad may be used with each 1 bit tested. The rest of the bits of the address are ignored and may be anything. This address may be followed by a port name, port number, range of port numbers, or ICMP message number or name. The range is indicated by separating a pair of ports with a colon (:). Port names are looked up in /etc/services. If either the low or hight port numbers of a colon-separated range are omitted, it defaults to 0 or 655535, respectively. If not port is specified, then the rule applies to all. If the protocol type is ICMP, then the "port number" instead should be the numeric ICMP code. Some examples are
The ICMP codes can be found in a table on page 499.
A fragment (i.e., the second or subsequent packets of a fragmented message) may be matched with -f. The first fragment may be matched with ! -f. The -t flag will alter the type of service (TOS) that affects the delay, throughput, reliability, and cost in the handling of the packet. More information on this can also be found on page 499.
For more information, please see the manpage for iptables.
