These extensions can be used if `--protocol tcp' is specified. They
provide the following options:
.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
If the first port is omitted, "0" is assumed; if the last is omitted,
If the second port is greater than the first they will be swapped.
is a convenient alias for this option.
.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
Destination port or port range specification. The flag
is a convenient alias for this option.
.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
Match when the TCP flags are as specified. The first argument is the
flags which we should examine, written as a comma-separated list, and
the second argument is a comma-separated list of flags which must be
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and
Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
If the "!" flag precedes the "--syn", the sense of the
.BR "--tcp-option " "[!] \fInumber\fP"
Match if TCP option set.
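.PP
The mask/comp comparison behind --tcp-flags and --syn, written out in C as an added example (it is not part of this manual page or of the iptables source). The names parse_flags and tcp_flags_match are hypothetical, and the flags bytes in main are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as they sit in the header's flags byte (RFC 793). */
struct flag_name { const char *name; uint8_t bit; };
static const struct flag_name FLAGS[] = {
    {"FIN", 0x01}, {"SYN", 0x02}, {"RST", 0x04}, {"PSH", 0x08},
    {"ACK", 0x10}, {"URG", 0x20}, {"ALL", 0x3F}, {"NONE", 0x00},
};

/* Hypothetical helper: turn a list such as "SYN,ACK,FIN,RST" into a
 * bitmask. Returns -1 on an unknown flag name or an over-long list. */
int parse_flags(const char *list)
{
    char buf[64];
    int mask = 0;
    if (strlen(list) >= sizeof(buf))
        return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i, n = sizeof(FLAGS) / sizeof(FLAGS[0]);
        for (i = 0; i < n && strcmp(tok, FLAGS[i].name) != 0; i++)
            ;
        if (i == n)
            return -1;
        mask |= FLAGS[i].bit;
    }
    return mask;
}

/* Hypothetical helper: 1 if flags byte pkt matches "[!] mask comp".
 * Only bits in mask are examined; of those, exactly comp must be set. */
int tcp_flags_match(uint8_t pkt, const char *mask, const char *comp, int invert)
{
    int m = parse_flags(mask), c = parse_flags(comp);
    if (m < 0 || c < 0)
        return -1;
    return ((pkt & m) == c) ^ (invert != 0);
}

int main(void)
{
    const char *mask = "SYN,ACK,FIN,RST";   /* the mask that --syn uses */
    puts(tcp_flags_match(0x02, mask, "SYN", 0) == 1 ? "SYN: match" : "SYN: no match");
    puts(tcp_flags_match(0x12, mask, "SYN", 0) == 1 ? "SYN+ACK: match" : "SYN+ACK: no match");
    puts(tcp_flags_match(0x0A, mask, "SYN", 0) == 1 ? "SYN+PSH: match" : "SYN+PSH: no match");
    return 0;
}
```

The SYN+PSH sample still matches because PSH is not in the mask, so a rule written this way does not examine it.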