There are many extended target modules, most of which only apply to specific tables orsituations. A couple of the most popular target modules included by default in Red HatEnterprise Linux are:• LOG — Logs all packets that match this rule. Since the packets are logged by the kernel, the/etc/syslog.conf file determines where these log entries are written. By default, they areplaced in the /var/log/messages file.Additional options can be used after the LOG target to specify the way in which logging occurs:• --log-level — Sets the priority level of a logging event. A list of priority levels can befound within the syslog.conf man page.• --log-ip-options — Logs any options set in the header of a IP packet.• --log-prefix — Places a string of up to 29 characters before the log line when it iswritten. This is useful for writing syslog filters for use in conjunction with packet logging.• --log-tcp-options — Logs any options set in the header of a TCP packet.• --log-tcp-sequence — Writes the TCP sequence number for the packet in the log.• REJECT — Sends an error packet back to the remote system and drops the packet.The REJECT target accepts --reject-with (where is the rejection type)allowing more detailed information to be sent back with the error packet. The messageport-unreachable is the default error given if no other option is used. For a full list of options, refer to the iptables man page.Other target extensions, including several that are useful for IP masquerading using the nattable or with packet alteration using the mangle table, can be found in the iptables man page.3.6. Listing OptionsThe default list command, iptables -L, provides a very basic overview of the default filtertable's current chains. Additional options provide more information:• -v — Displays verbose output, such as the number of packets and bytes each chain hasseen, the number of packets and bytes each rule has matched, and which interfaces apply toa particular rule.• -x — Expands numbers into their exact values. On a busy system, the number of packetsand bytes seen by a particular chain or rule may be abbreviated using K (thousands), M(millions), and G (billions) at the end of the number. This option forces the full number to bedisplayed.• -n — Displays IP addresses and port numbers in numeric format, rather than the defaultListing Options337
