Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000
This extension is loaded if `--protocol tcp' is specified. It
provides the following options:
.TP
.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format
.IR port : port .
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
If the first port is greater than the second, they will be swapped.
The flag
.B --sport
is a convenient alias for this option.
.TP
.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
Destination port or port range specification. The flag
.B --dport
is a convenient alias for this option.
.TP
.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
Match when the TCP flags are as specified. The first argument is the
flags which we should examine, written as a comma-separated list, and
the second argument is a comma-separated list of flags which must be
set. Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.nf
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
.fi
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
.TP
.B "[!] --syn"
Only match TCP packets with the SYN bit set and the ACK and RST bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected.
It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
If the "!" flag precedes the "--syn", the sense of the
option is inverted.
.TP
.BR "--tcp-option " "[!] \fInumber\fP"
Match if the given TCP option is set.
.TP
.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
which controls the maximum packet size for that connection.
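To make the port-range and \fB--tcp-flags\fP rules above concrete, here is a small Python model of how the match is evaluated. It is an added example, not code from iptables itself; the bit values are the standard TCP header flag bits, and service-name lookup for ports is left out.

```python
# Illustrative model of the iptables tcp match semantics (not iptables code).
# Standard TCP header flag bits; ALL is the union of the six, NONE is empty.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
FLAGS["ALL"] = 0x3F
FLAGS["NONE"] = 0x00


def flag_set(spec):
    """Turn a comma-separated flag list such as "SYN,ACK" into a bitmask."""
    bits = 0
    for name in spec.split(","):
        bits |= FLAGS[name.strip().upper()]
    return bits


def tcp_flags_match(mask, comp, packet_flags, invert=False):
    """--tcp-flags mask comp: look only at the bits named in mask and require
    that, within that mask, exactly the bits named in comp are set.
    Bits outside the mask are ignored, so SYN,PSH still matches
    "--tcp-flags SYN,ACK,FIN,RST SYN"."""
    m, c = flag_set(mask), flag_set(comp)
    matched = (packet_flags & m) == c
    return not matched if invert else matched


def syn_match(packet_flags, invert=False):
    """--syn is documented as equivalent to --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", packet_flags, invert)


def parse_port_range(spec):
    """port[:port]: an omitted first port means 0, an omitted last port means
    65535, and a range given in reverse order is swapped (numeric ports only)."""
    if ":" not in spec:
        p = int(spec)
        return p, p
    lo_s, hi_s = spec.split(":", 1)
    lo = int(lo_s) if lo_s else 0
    hi = int(hi_s) if hi_s else 65535
    if lo > hi:
        lo, hi = hi, lo
    return lo, hi


def port_match(spec, port, invert=False):
    """--sport/--dport [!] spec against a single port number (inclusive)."""
    lo, hi = parse_port_range(spec)
    matched = lo <= port <= hi
    return not matched if invert else matched
```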