Choose the right iptables target
When a packet matches an iptables rule, the -j (jump) target decides what happens to it. Some targets give a final verdict — ACCEPT, DROP, REJECT — while others rewrite the packet (DNAT, SNAT, MASQUERADE), tag it (MARK, DSCP), or log it (LOG, NFLOG). This reference lists every common target with the table and chains it belongs to and whether it ends chain traversal.
The five iptables tables
Every iptables rule lives in one of five tables, and targets only make sense in the tables they are designed for:
| Table | Purpose | Common targets |
|---|---|---|
filter | Allow or block packets | ACCEPT, DROP, REJECT, LOG, RETURN |
nat | Rewrite addresses and ports | DNAT, SNAT, MASQUERADE, REDIRECT |
mangle | Modify packet headers (TTL, TOS, MARK) | MARK, DSCP, TTL, TOS |
raw | Bypass connection tracking | NOTRACK (CT) |
security | SELinux context labeling | SECMARK, CONNSECMARK |
Terminating vs. non-terminating targets
Terminating targets give a verdict and stop the current chain — no further rules in that chain are evaluated for the packet:
ACCEPT— let the packet through to its destination.DROP— silently discard the packet; the sender sees a timeout.REJECT— discard with an ICMP error reply (default: port-unreachable) or TCP reset (--reject-with tcp-reset); the sender learns immediately.RETURN— stop traversal of the current chain and return to the calling chain (or, if in a built-in chain, apply the chain’s policy).
Non-terminating targets perform a side effect and then the packet continues to the next rule:
LOG— write a record to the kernel log (visible viadmesgorjournalctl -k). Add--log-prefix "DROPPED: "to make grep easy.MARK— set or AND/OR an fwmark value for use in policy routing or tc.DSCP— rewrite the DSCP field for QoS marking.AUDIT— generate an audit log entry.
NAT targets: DNAT, SNAT, and MASQUERADE
NAT targets rewrite addresses and only work in the nat table:
- DNAT (Destination NAT) runs in
PREROUTING(orOUTPUT) and rewrites the destination address and optionally the port. Used to forward inbound traffic from a public IP to an internal host — for example port forwarding80 → 192.168.1.100:8080. - SNAT (Source NAT) runs in
POSTROUTINGand rewrites the source address to a specific IP. Use when the router has a static outbound IP and you want to control masquerading precisely. - MASQUERADE also runs in
POSTROUTINGand rewrites the source to the outbound interface’s current IP, reading it dynamically each time. Use on dynamic uplinks (DHCP, PPPoE) where the IP can change. - REDIRECT is a special form of DNAT that redirects the packet to a local port, useful for transparent proxies.
Practical rules of thumb
- Use
REJECToverDROPfor internal trusted networks — clients fail immediately rather than hanging for a timeout, which makes debugging much faster. - Use
DROPfor traffic from the hostile internet — the sender learns nothing about whether the port exists. - Always place a
LOGrule immediately before the corresponding terminating rule, with a--log-prefix, so you can grep kernel logs without ambiguity. - Use
MASQUERADEon dynamic uplinks; useSNAT --to-sourceon static IPs for slightly better performance sinceSNATavoids the per-packet interface lookup. - On modern Linux distributions,
iptablesis often a compatibility frontend overnftables. The target semantics carry over, but new firewall configurations should consider nativenftsyntax.
Notes
This reference covers targets available in iptables/ip6tables on standard Linux kernels. Extension targets like TPROXY, SYNPROXY, NFQUEUE, and TEE require specific kernel modules. Check iptables -m <module> --help for extension-specific options.