
Linux Iptables

Rule Function

Iptables is the basic firewall functionality built into Linux. It is a user-space utility that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall. The filters are organized in different tables, each of which contains chains of rules describing how to treat network traffic packets.

Note that this rule can also be used with the Linux Uncomplicated Firewall (UFW). UFW is a wrapper on top of Iptables that makes Iptables configuration and administration easier, and it emits the same kernel log format.

The purpose of this rule is to set various user tags for the fields in the Iptables log messages.

Vendor Documentation

Incoming Log Format

The log format consists of space-separated fields, most of which are in the form key=value; a few (such as SYN) are bare flag names with no value. These fields are listed in the next section. The message is logged as a Linux kernel message (or, in some cases, produced by certain network devices).

User Tags

| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| yes | IntIn | IN | eth0 | incoming network interface |
| yes | IntOut | OUT | eth0 | outgoing network interface |
| yes | MAC | MAC | 4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 | interface MAC address |
| yes | SrcIP | SRC | 185.153.196.126 | source IP address |
| yes | DstIP | DST | 134.122.74.164 | destination IP address |
| yes | Protocol | PROTO | TCP | network protocol |
| yes | SrcPort | SPT | 50369 | source IP port |
| yes | DstPort | DPT | 110 | destination IP port |
| | | LEN | 40 | length of the packet |
| | | TOS | 0x00 | "TOS" field of the IP packet header |
| | | PREC | 0x00 | "precedence" field of the IP packet header |
| | | TTL | 246 | packet time-to-live |
| | | ID | 57949 | ufw/OS internal id |
| | | WINDOW | 1024 | size of packet the sender is willing to receive |
| | | RES | 0x00 | reserved for future use, always 0 |
| | | SYN URGP | 0 | two parts: 1) whether the connection requires a 3-way handshake; 2) whether the urgent field is relevant |

Lua User Tag Map

-- Maps the key in the log line (left) to the user tag it populates (right).
USERTAGS_MAP = {
    IN = "IntIn",
    OUT = "IntOut",
    MAC = "MAC",
    SRC = "SrcIP",
    DST = "DstIP",
    PROTO = "Protocol",
    SPT = "SrcPort",
    DPT = "DstPort",
}

HC Tags

HC_TAGS = {
    "SrcIP",
    "DstIP",
    "MAC",
    "SrcIP to DstIP",
    "SrcIP to Port",
}

Field Notes

MAC

This provides a 14-byte combination of the Destination MAC (6 bytes), Source MAC (6 bytes), and EtherType (2 bytes) fields, in the order found in the Ethernet II header. In the example above, 08:00 at the end is the EtherType for IPv4.

SRC (and DST)

This indicates the source IP, i.e. the host that originally sent the packet (or, in the case of DST, the recipient). Some IPs are routable over the internet, some will only communicate over a LAN, and some will only route back to the source computer.

PROTO

This field will mainly be one of: TCP, UDP, ICMP.

Log Examples

Packet blocked by firewall IN=eth0 OUT= MAC=4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 SRC=11.22.33.44 DST=55.66.77.88 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=57949 PROTO=TCP SPT=50369 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
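The following is an added example, not part of the rule or its Lua code: a Python parser for the log line above that applies the same USERTAGS_MAP, keeps bare flags such as SYN separate from key=value fields, drops empty values such as OUT= so no empty tag is set, and splits the 14-byte MAC field as described in the field notes. The "A to B" value format for the derived HC tags is an assumption.

```python
import re

# The rule's Lua USERTAGS_MAP, restated in Python for this example.
USERTAGS_MAP = {
    "IN": "IntIn", "OUT": "IntOut", "MAC": "MAC", "SRC": "SrcIP",
    "DST": "DstIP", "PROTO": "Protocol", "SPT": "SrcPort", "DPT": "DstPort",
}
# The page's own log example, used here as the sample input.
SAMPLE = ("Packet blocked by firewall IN=eth0 OUT= "
          "MAC=4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 SRC=11.22.33.44 "
          "DST=55.66.77.88 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=57949 "
          "PROTO=TCP SPT=50369 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0")
_KV = re.compile(r"^([A-Z]+)=(\S*)$")  # matches OUT= with an empty value too


def parse_iptables_log(message):
    """Return (fields, flags): fields maps KEY -> value; flags holds bare tokens like SYN."""
    fields, flags = {}, set()
    for token in message.split():
        m = _KV.match(token)
        if m:
            fields[m.group(1)] = m.group(2)
        elif token.isupper() and token.isalpha():
            flags.add(token)  # TCP flag names carry no '=': SYN, ACK, ...
    return fields, flags


def split_mac(mac_field):
    """Split the 14-byte MAC field into destination MAC, source MAC and EtherType."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets, got %d" % len(octets))
    return {"dst_mac": ":".join(octets[0:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:14])}


def build_user_tags(message):
    """Apply USERTAGS_MAP to a log line; empty values such as OUT= set no tag."""
    fields, _ = parse_iptables_log(message)
    tags = {tag: fields[key] for key, tag in USERTAGS_MAP.items() if fields.get(key)}
    # Derived HC tags; the "A to B" value format is an assumption, not from the page.
    if "SrcIP" in tags and "DstIP" in tags:
        tags["SrcIP to DstIP"] = tags["SrcIP"] + " to " + tags["DstIP"]
    if "SrcIP" in tags and "DstPort" in tags:
        tags["SrcIP to Port"] = tags["SrcIP"] + " to " + tags["DstPort"]
    return tags
```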