These extensions can be used if `--protocol tcp' is specified. They
provide the following options:
[\fB!\fP] \fB--source-port\fP,\fB--sport\fP \fIport\fP[\fB:\fP\fIport\fP]
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format \fIport\fP\fB:\fP\fIport\fP.
If the first port is omitted, "0" is assumed; if the last is omitted,
If the second port is greater than the first, they will be swapped.
is a convenient alias for this option.
[\fB!\fP] \fB--destination-port\fP,\fB--dport\fP \fIport\fP[\fB:\fP\fIport\fP]
Destination port or port range specification. The flag
is a convenient alias for this option.
[\fB!\fP] \fB--tcp-flags\fP \fImask\fP \fIcomp\fP
Match when the TCP flags are as specified. The first argument \fImask\fP is the
flags which we should examine, written as a comma-separated list, and
the second argument \fIcomp\fP is a comma-separated list of flags which must be
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and
Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
If the "!" flag precedes the "--syn", the sense of the
[\fB!\fP] \fB--tcp-option\fP \fInumber\fP
Match if the TCP option is set.
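
The \fB--tcp-flags\fP \fImask\fP \fIcomp\fP comparison described above, written out as an added C example (not code from iptables): a packet matches when, of the flags named in \fImask\fP, exactly those named in \fIcomp\fP are set. The function names and the sample flag bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as they appear in the flags byte of the TCP header. */
enum { FIN = 0x01, SYN = 0x02, RST = 0x04, PSH = 0x08, ACK = 0x10, URG = 0x20 };

static const struct { const char *name; uint8_t bit; } names[] = {
    {"FIN", FIN}, {"SYN", SYN}, {"RST", RST}, {"PSH", PSH},
    {"ACK", ACK}, {"URG", URG}, {"ALL", 0x3F}, {"NONE", 0x00},
};

/* Parse a comma-separated list such as "SYN,ACK" into a bitmask.
 * Returns -1 for an unknown flag name or an over-long list. */
int parse_flags(const char *list)
{
    char buf[64];
    int bits = 0;
    if (strlen(list) >= sizeof buf)
        return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i, n = sizeof names / sizeof names[0];
        for (i = 0; i < n && strcmp(tok, names[i].name) != 0; i++)
            ;
        if (i == n)
            return -1;
        bits |= names[i].bit;
    }
    return bits;
}

/* 1 = match, 0 = no match, -1 = bad flag list. Flags outside mask are
 * ignored; invert models a leading "!" on the option. */
int tcp_flags_match(uint8_t pkt, const char *mask, const char *comp, int invert)
{
    int m = parse_flags(mask), c = parse_flags(comp);
    if (m < 0 || c < 0)
        return -1;
    return ((pkt & m) == c) != !!invert;
}

int main(void)
{
    /* Constructed flag bytes: SYN, SYN+ACK, SYN+PSH, SYN+FIN. */
    const uint8_t pkts[] = {0x02, 0x12, 0x0A, 0x03};
    for (size_t i = 0; i < sizeof pkts; i++)
        printf("flags=0x%02X --syn match=%d\n", (unsigned)pkts[i],
               tcp_flags_match(pkts[i], "SYN,RST,ACK,FIN", "SYN", 0));
    return 0;
}
```

SYN+PSH (0x0A) still matches because PSH is not in the mask, while SYN+ACK and SYN+FIN do not; a rule intended to catch every unusual flag combination needs a mask that names every flag it cares about.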