| These extensions can be used if `--protocol tcp' is specified. It |
| provides the following options: |
| .TP |
| [\fB!\fP] \fB--source-port\fP,\fB--sport\fP \fIport\fP[\fB:\fP\fIport\fP] |
| Source port or port range specification. This can either be a service |
| name or a port number. An inclusive range can also be specified, |
| using the format \fIport\fP\fB:\fP\fIport\fP. |
| If the first port is omitted, "0" is assumed; if the last is omitted, |
| "65535" is assumed. |
| If the second port greater then the first they will be swapped. |
| The flag |
| .B --sport |
| is a convenient alias for this option. |
| .TP |
| [\fB!\fP] \fB--destination-port\fP,\fB--dport\fP \fIport\fP[\fB,\fP\fIport\fP] |
| Destination port or port range specification. The flag |
| .B --dport |
| is a convenient alias for this option. |
| .TP |
| [\fB!\fP] \fB--tcp-flags\fP \fImask\fP \fIcomp\fP |
| Match when the TCP flags are as specified. The first argument \fImask\fP is the |
| flags which we should examine, written as a comma-separated list, and |
| the second argument \fIcomp\fP is a comma-separated list of flags which must be |
| set. Flags are: |
| .BR "SYN ACK FIN RST URG PSH ALL NONE" . |
| Hence the command |
| .nf |
| iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN |
| .fi |
| will only match packets with the SYN flag set, and the ACK, FIN and |
| RST flags unset. |
| .TP |
| [\fB!\fP] \fB--syn\fP |
| Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits |
| cleared. Such packets are used to request TCP connection initiation; |
| for example, blocking such packets coming in an interface will prevent |
| incoming TCP connections, but outgoing TCP connections will be |
| unaffected. |
| It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP. |
| If the "!" flag precedes the "--syn", the sense of the |
| option is inverted. |
| .TP |
| [\fB!\fP] \fB--tcp-option\fP \fInumber\fP |
| Match if TCP option set. |