These extensions can be used if `\-\-protocol tcp' is specified. They
provide the following options:
.TP
[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format \fIfirst\fP\fB:\fP\fIlast\fP.
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
If the first port is greater than the second one they will be swapped.
The flag
\fB\-\-sport\fP
is a convenient alias for this option.
.TP
[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
Destination port or port range specification. The flag
\fB\-\-dport\fP
is a convenient alias for this option.
.TP
[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP
Match when the TCP flags are as specified. The first argument \fImask\fP is the
flags which we should examine, written as a comma-separated list, and
the second argument \fIcomp\fP is a comma-separated list of flags which must be
set (flags listed in \fImask\fP but not in \fIcomp\fP must be clear; flags not
listed in \fImask\fP are ignored). Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.nf
iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN
.fi
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
.TP
[\fB!\fP] \fB\-\-syn\fP
Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected.
It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP.
If the "!" flag precedes the "\-\-syn", the sense of the
option is inverted.
.TP
[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP
Match if the TCP option is set.
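The mask/comp evaluation of \-\-tcp\-flags, the \-\-syn shorthand and the port-range rules above, as an added example that is not code from iptables or netfilter: a pure-Python re-implementation of the match semantics, assuming numeric ports only (service names are not resolved) and a 6-bit flags byte for ALL.

```python
# Added example (not iptables/netfilter code): re-implements the xt_tcp match
# semantics described in the man page. Inputs are constructed; numeric ports only.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_list_to_bits(spec):
    """Comma-separated flag list -> bitmask; ALL and NONE are the keywords the page lists."""
    bits = 0
    for name in spec.upper().split(","):
        if name == "ALL":
            bits |= 0x3F
        elif name != "NONE":
            bits |= TCP_FLAG_BITS[name]   # unknown flag: KeyError, like a parse error
    return bits


def tcp_flags_match(mask, comp, packet_flags, invert=False):
    """--tcp-flags mask comp: only the bits in mask are examined and they must equal
    comp, so flags in mask but not in comp have to be clear. '!' inverts the result."""
    matched = (packet_flags & flag_list_to_bits(mask)) == flag_list_to_bits(comp)
    return matched != invert


def syn_match(packet_flags, invert=False):
    """--syn is documented as equivalent to --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", packet_flags, invert)


def parse_port_range(spec):
    """port[:port]: omitted first -> 0, omitted last -> 65535, reversed bounds swapped."""
    if ":" not in spec:
        port = int(spec)
        return (port, port)
    first, last = spec.split(":", 1)
    lo = int(first) if first else 0
    hi = int(last) if last else 65535
    if lo > hi:
        lo, hi = hi, lo
    return (lo, hi)


def port_match(spec, port, invert=False):
    """--sport/--dport with optional '!': inclusive range test."""
    lo, hi = parse_port_range(spec)
    return (lo <= port <= hi) != invert


if __name__ == "__main__":
    # Constructed packet flag bytes: 0x02 = SYN only, 0x12 = SYN+ACK.
    print(tcp_flags_match("SYN,ACK,FIN,RST", "SYN", 0x02), syn_match(0x12))
    print(parse_port_range(":1023"), parse_port_range("443:80"))
```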