iptables Targets Reference

All iptables/ip6tables target names with required modules and behavior.

Searchable iptables target reference covering ACCEPT, DROP, REJECT, RETURN, DNAT, SNAT, MASQUERADE, LOG, MARK and other extension targets, with the table they apply to and whether they end the chain.

What is an iptables target?

A target is the action a rule takes when a packet matches, specified with -j NAME. The built-in targets ACCEPT, DROP and RETURN (plus QUEUE) are part of the core; everything else, including REJECT, DNAT, LOG and MARK, is an extension target loaded from a kernel module. Whether a target ends chain traversal is a separate question: ACCEPT, DROP, REJECT and the NAT targets are terminating, while LOG and MARK perform a side effect and then let the packet continue to the next rule.

Choose the right iptables target

When a packet matches an iptables rule, the -j (jump) target decides what happens to it. ACCEPT, DROP and REJECT give a final verdict. DNAT, SNAT and MASQUERADE rewrite an address and also end traversal of the nat chain for that packet. MARK and DSCP tag the packet, and LOG and NFLOG record it, after which the packet continues to the next rule. This tool lists every common target with the table and chains it belongs to and whether it ends chain traversal.

How it works

iptables organises rules into tables (filter, nat, mangle, raw, security) and chains within them. A rule's match criteria select packets, and its target acts on them. A terminating target gives a verdict and stops the current chain: ACCEPT lets the packet through, DROP discards it silently, REJECT discards it and sends an error back (an ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset), and RETURN pops back to the calling chain; a RETURN in a built-in chain falls through to that chain's policy. A non-terminating target performs a side effect, such as LOG writing a line to the kernel log at the given --log-level or MARK setting an fwmark for policy routing, and the packet then continues to the next rule. NAT targets are valid only in the nat table: DNAT and REDIRECT rewrite the destination in PREROUTING (and in OUTPUT for locally generated packets), SNAT rewrites the source in POSTROUTING, and MASQUERADE does the same using whatever address the outgoing interface currently has. The nat table is consulted only for the first packet of a connection; the mapping it chooses is stored in conntrack and applied to every later packet in both directions, so filter rules in FORWARD already see the rewritten addresses. The same target names apply to ip6tables for IPv6 (IPv6 NAT needs kernel 3.7 or later).

Tips and notes

Prefer REJECT over DROP for traffic from trusted internal hosts so clients fail fast instead of waiting for a timeout, and use DROP toward the hostile internet so a scanner has to wait on every probe. Note that DROP does not hide a port: a scanner reports a dropped port as filtered rather than closed, which still reveals that a firewall is in the way if other ports on the host answer. Place LOG rules immediately before the matching terminating rule, add a --log-prefix so entries are easy to grep, and rate-limit them with -m limit so a flood of unwanted packets cannot fill the log. For NAT, reach for MASQUERADE on dynamic uplinks and SNAT when the egress address is static, since SNAT avoids the per-packet address lookup MASQUERADE does and keeps mappings stable across interface flaps. On modern systems remember iptables is often a front-end over nftables: iptables -V reports (nf_tables) or (legacy), the target names carry over, but never mix the legacy and nf_tables binaries on one host because each keeps its own ruleset. Consider native nft rules for new firewalls.
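As an added worked example for the "How it works" and "Tips and notes" sections above (not part of this reference), the script below emits a small router ruleset in iptables-restore format that places each target in the table the text describes: MARK and DSCP in mangle, DNAT and MASQUERADE in nat, and REJECT, rate-limited LOG and DROP in filter. It also parses the output of iptables -V to tell the nf_tables and legacy backends apart. The interface names eth0 and eth1, the LAN 192.168.10.0/24 and the web backend 192.168.10.20:8080 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: router rule set exercising the targets described above.
# Interfaces, LAN prefix and DNAT backend are assumed values; override via env.
set -eu

WAN_IF="${WAN_IF:-eth0}"                      # assumed uplink (dynamic address)
LAN_IF="${LAN_IF:-eth1}"                      # assumed inside interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"         # assumed inside prefix
WEB_BACKEND="${WEB_BACKEND:-192.168.10.20}"   # assumed internal web server

# gen_ruleset prints a complete iptables-restore file: one block per table,
# each closed by COMMIT. Comments are preserved by iptables-restore.
gen_ruleset() {
  cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# MARK and DSCP are non-terminating: the same packet reaches both rules
-A PREROUTING -i $LAN_IF -p tcp --dport 443 -j MARK --set-mark 0x1
-A PREROUTING -i $LAN_IF -p tcp --dport 443 -j DSCP --set-dscp-class AF41
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT lives in nat/PREROUTING; seen only for the first packet of a flow
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_BACKEND:8080
# MASQUERADE in nat/POSTROUTING picks up whatever address the uplink has now
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# Trusted side: REJECT so clients fail fast (RST for TCP, ICMP otherwise)
-A INPUT -i $LAN_IF -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i $LAN_IF -j REJECT --reject-with icmp-port-unreachable
# Untrusted side: rate-limited LOG (non-terminating) directly before the DROP
-A INPUT -i $WAN_IF -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-INPUT-DROP: " --log-level 4
-A INPUT -i $WAN_IF -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# By the time FORWARD runs, DNAT has already rewritten the destination
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_BACKEND --dport 8080 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# backend_of classifies the output of 'iptables -V'
# ("iptables v1.8.7 (nf_tables)" -> nf_tables, "(legacy)" -> legacy).
backend_of() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# apply_ruleset validates with --test (no changes made) before loading the
# whole set atomically; requires root and net.ipv4.ip_forward=1 for FORWARD.
apply_ruleset() {
  gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
}

case "${1:-}" in
  show)  gen_ruleset ;;
  apply) echo "backend: $(backend_of "$(iptables -V)")"; apply_ruleset ;;
esac
```

Run it with `show` to review the generated file, or `apply` as root to load it. Because iptables-restore replaces each table as a unit, the LOG rule and the DROP that follows it are always installed together, which keeps the "log immediately before the verdict" pattern from drifting as rules are edited.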