These extensions can be used if `\-\-protocol tcp' is specified. They
provide the following options:
.TP
[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format \fIfirst\fP\fB:\fP\fIlast\fP.
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
If the first port is greater than the second one they will be swapped.
The flag
\fB\-\-sport\fP
is a convenient alias for this option.
.TP
[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
Destination port or port range specification. The flag
\fB\-\-dport\fP
is a convenient alias for this option.
.TP
[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP
Match when the TCP flags are as specified. The first argument \fImask\fP is the
list of flags to examine, written as a comma-separated list, and
the second argument \fIcomp\fP is a comma-separated list of flags which must be
set. Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.nf
 iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN
.fi
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
.TP
[\fB!\fP] \fB\-\-syn\fP
Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected.
It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP.
If the "!" flag precedes the "\-\-syn", the sense of the
option is inverted.
.TP
[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP
Match if the TCP option is set.
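.PP
The \fImask\fP/\fIcomp\fP test of \fB\-\-tcp\-flags\fP described above, modelled in C as an added example (not code from iptables or from this manual page). The function names, the flag-bit table and the sample packets are assumptions constructed for illustration; the model treats a match as (flags AND mask) equal to comp.

```c
#include <stdio.h>
#include <string.h>

/* TCP header flag bits (low six bits of the flags byte). */
enum { FIN = 0x01, SYN = 0x02, RST = 0x04, PSH = 0x08, ACK = 0x10, URG = 0x20 };

/* Flag names as listed on the page; ALL and NONE are shorthands. */
static const struct { const char *name; unsigned bits; } names[] = {
    {"SYN", SYN}, {"ACK", ACK}, {"FIN", FIN}, {"RST", RST},
    {"URG", URG}, {"PSH", PSH}, {"ALL", 0x3F}, {"NONE", 0},
};

/* Parse a comma-separated list such as "SYN,ACK,FIN,RST"; -1 on an unknown name. */
int parse_flags(const char *list)
{
    char buf[64];
    unsigned bits = 0;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i, n = sizeof names / sizeof names[0];
        for (i = 0; i < n; i++)
            if (strcmp(tok, names[i].name) == 0) break;
        if (i == n) return -1;
        bits |= names[i].bits;
    }
    return (int)bits;
}

/* Model of [!] --tcp-flags mask comp: 1 = match, 0 = no match, -1 = bad list.
 * Bits outside mask are ignored; a comp bit outside mask can never match. */
int tcp_flags_match(unsigned pkt, const char *mask, const char *comp, int invert)
{
    int m = parse_flags(mask), c = parse_flags(comp);
    if (m < 0 || c < 0) return -1;
    int hit = (pkt & (unsigned)m) == (unsigned)c;
    return invert ? !hit : hit;
}

int main(void)
{
    /* Constructed sample flag bytes; SYN|PSH still matches, PSH is not in the mask. */
    const unsigned pkts[] = { SYN, SYN | ACK, SYN | PSH, ACK, 0 };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("flags=0x%02x --tcp-flags SYN,ACK,FIN,RST SYN -> %d\n",
               pkts[i], tcp_flags_match(pkts[i], "SYN,ACK,FIN,RST", "SYN", 0));
    return 0;
}
```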