changing trunk/trunk to trunk

[iptables.git] / extensions / libxt_tcp.man

These extensions can be used if `--protocol tcp' is specified. It
provides the following options:
.TP
[\fB!\fP] \fB--source-port\fP,\fB--sport\fP \fIport\fP[\fB:\fP\fIport\fP]
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format \fIport\fP\fB:\fP\fIport\fP.
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
If the second port greater then the first they will be swapped.
The flag
.B --sport
is a convenient alias for this option.
.TP
[\fB!\fP] \fB--destination-port\fP,\fB--dport\fP \fIport\fP[\fB,\fP\fIport\fP]
Destination port or port range specification.  The flag
.B --dport
is a convenient alias for this option.
.TP
[\fB!\fP] \fB--tcp-flags\fP \fImask\fP \fIcomp\fP
Match when the TCP flags are as specified.  The first argument \fImask\fP is the
flags which we should examine, written as a comma-separated list, and
the second argument \fIcomp\fP is a comma-separated list of flags which must be
set.  Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.nf
 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
.fi
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
.TP
[\fB!\fP] \fB--syn\fP
Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
cleared.  Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected.
It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
If the "!" flag precedes the "--syn", the sense of the
option is inverted.
.TP
[\fB!\fP] \fB--tcp-option\fP \fInumber\fP
Match if TCP option set.