These extensions are loaded if `--protocol tcp' is specified. They
provide the following options:
.TP
.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format
.IR port : port .
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
If the second port is greater than the first they will be swapped.
The flag
.B --sport
is a convenient alias for this option.
.TP
.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
Destination port or port range specification. The flag
.B --dport
is a convenient alias for this option.
.TP
.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
Match when the TCP flags are as specified. The first argument is the
flags which we should examine, written as a comma-separated list, and
the second argument is a comma-separated list of flags which must be
set. Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.nf
ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
.fi
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
.TP
.B "[!] --syn"
Only match TCP packets with the SYN bit set and the ACK and RST bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected.
It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
If the "!" flag precedes the "--syn", the sense of the
option is inverted.
.TP
.BR "--tcp-option " "[!] \fInumber\fP"
Match if TCP option is set.
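.PP
The mask/comp comparison described under --tcp-flags and --syn, as an added example that is not part of the original manual page or the ip6tables source. The names parse_flags, tcp_flags_match and the TF_ constants are hypothetical, and the flag bytes are constructed; it shows that a packet with SYN and FIN both set satisfies --syn, because FIN is outside that mask, but not the FORWARD rule above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP header flag bits as they sit in byte 13 of the TCP header. */
enum { TF_FIN = 0x01, TF_SYN = 0x02, TF_RST = 0x04,
       TF_PSH = 0x08, TF_ACK = 0x10, TF_URG = 0x20 };

static const struct { const char *name; uint8_t bits; } flag_names[] = {
    {"FIN", TF_FIN}, {"SYN", TF_SYN}, {"RST", TF_RST}, {"PSH", TF_PSH},
    {"ACK", TF_ACK}, {"URG", TF_URG}, {"ALL", 0x3F}, {"NONE", 0},
};

/* Parse "SYN,ACK,..." into a bitmask; -1 on an unknown or empty name. */
int parse_flags(const char *list, uint8_t *out)
{
    size_t n = sizeof flag_names / sizeof flag_names[0];
    *out = 0;
    while (*list) {
        size_t i, len = strcspn(list, ",");
        for (i = 0; i < n; i++)
            if (strlen(flag_names[i].name) == len &&
                strncmp(list, flag_names[i].name, len) == 0)
                break;
        if (i == n)
            return -1;
        *out |= flag_names[i].bits;
        list += len + (list[len] == ',');   /* skip the separator */
    }
    return 0;
}

/* Model of "--tcp-flags [!] mask comp": look only at the mask bits and
 * require exactly the comp bits among them. 1 match, 0 no match, -1 bad list. */
int tcp_flags_match(uint8_t pkt, const char *mask, const char *comp, int invert)
{
    uint8_t m, c;
    if (parse_flags(mask, &m) || parse_flags(comp, &c))
        return -1;
    return ((pkt & m) == c) ^ (invert != 0);
}

int main(void)
{
    /* Constructed flag byte SYN+FIN: first the --syn form, then the FORWARD rule. */
    printf("%d %d\n", tcp_flags_match(0x03, "SYN,RST,ACK", "SYN", 0),
           tcp_flags_match(0x03, "SYN,ACK,FIN,RST", "SYN", 0));
    return 0;
}
```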