iptables Targets Reference

All iptables/ip6tables target names with required modules and behavior.

Searchable iptables target reference covering ACCEPT, DROP, REJECT, RETURN, DNAT, SNAT, MASQUERADE, LOG, MARK and other extension targets, with the table they apply to and whether they end the chain. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is an iptables target?

A target is the action a rule takes when a packet matches, specified with -j NAME. Built-in targets like ACCEPT and DROP give a final verdict, while extension targets such as DNAT, LOG and MARK perform a transformation or side effect.

Choose the right iptables target

When a packet matches an iptables rule, the -j (jump) target decides what happens to it. Some targets give a final verdict — ACCEPT, DROP, REJECT — while others rewrite the packet (DNAT, SNAT, MASQUERADE), tag it (MARK, DSCP), or log it (LOG, NFLOG). This reference lists every common target with the table and chains it belongs to and whether it ends chain traversal.

The five iptables tables

Every iptables rule lives in one of five tables, and targets only make sense in the tables they are designed for:

TablePurposeCommon targets
filterAllow or block packetsACCEPT, DROP, REJECT, LOG, RETURN
natRewrite addresses and portsDNAT, SNAT, MASQUERADE, REDIRECT
mangleModify packet headers (TTL, TOS, MARK)MARK, DSCP, TTL, TOS
rawBypass connection trackingNOTRACK (CT)
securitySELinux context labelingSECMARK, CONNSECMARK

Terminating vs. non-terminating targets

Terminating targets give a verdict and stop the current chain — no further rules in that chain are evaluated for the packet:

  • ACCEPT — let the packet through to its destination.
  • DROP — silently discard the packet; the sender sees a timeout.
  • REJECT — discard with an ICMP error reply (default: port-unreachable) or TCP reset (--reject-with tcp-reset); the sender learns immediately.
  • RETURN — stop traversal of the current chain and return to the calling chain (or, if in a built-in chain, apply the chain’s policy).

Non-terminating targets perform a side effect and then the packet continues to the next rule:

  • LOG — write a record to the kernel log (visible via dmesg or journalctl -k). Add --log-prefix "DROPPED: " to make grep easy.
  • MARK — set or AND/OR an fwmark value for use in policy routing or tc.
  • DSCP — rewrite the DSCP field for QoS marking.
  • AUDIT — generate an audit log entry.

NAT targets: DNAT, SNAT, and MASQUERADE

NAT targets rewrite addresses and only work in the nat table:

  • DNAT (Destination NAT) runs in PREROUTING (or OUTPUT) and rewrites the destination address and optionally the port. Used to forward inbound traffic from a public IP to an internal host — for example port forwarding 80 → 192.168.1.100:8080.
  • SNAT (Source NAT) runs in POSTROUTING and rewrites the source address to a specific IP. Use when the router has a static outbound IP and you want to control masquerading precisely.
  • MASQUERADE also runs in POSTROUTING and rewrites the source to the outbound interface’s current IP, reading it dynamically each time. Use on dynamic uplinks (DHCP, PPPoE) where the IP can change.
  • REDIRECT is a special form of DNAT that redirects the packet to a local port, useful for transparent proxies.

Practical rules of thumb

  • Use REJECT over DROP for internal trusted networks — clients fail immediately rather than hanging for a timeout, which makes debugging much faster.
  • Use DROP for traffic from the hostile internet — the sender learns nothing about whether the port exists.
  • Always place a LOG rule immediately before the corresponding terminating rule, with a --log-prefix, so you can grep kernel logs without ambiguity.
  • Use MASQUERADE on dynamic uplinks; use SNAT --to-source on static IPs for slightly better performance since SNAT avoids the per-packet interface lookup.
  • On modern Linux distributions, iptables is often a compatibility frontend over nftables. The target semantics carry over, but new firewall configurations should consider native nft syntax.

Notes

This reference covers targets available in iptables/ip6tables on standard Linux kernels. Extension targets like TPROXY, SYNPROXY, NFQUEUE, and TEE require specific kernel modules. Check iptables -m <module> --help for extension-specific options.