TCP Extensions
These extensions are loaded if the protocol specified is tcp or if "-m tcp" is specified. They
provide the following options:
AlterPath ACS Command Reference Guide
Network

Table 4.5: TCP extensions (columns: TCP extension, Description)

--source-port [!] [port[:port]]
    Source port or port range specification. This can either be
    a service name or a port number. An inclusive range can also
    be specified, using the format port:port. If the first port is
    omitted, "0" is assumed; if the last is omitted, "65535" is
    assumed. If the second port is greater than the first they
    will be swapped. The flag --sport is an alias for this
    option.

--destination-port [!] [port[:port]]
    Destination port or port range specification. The flag
    --dport is an alias for this option.

--tcp-flags [!] mask comp
    Match when the TCP flags are as specified. The first
    argument is the flags which we should examine, written
    as a comma-separated list, and the second argument is a
    comma-separated list of flags which must be set. Flags
    are: SYN ACK FIN RST URG PSH ALL NONE. Hence
    the command
        iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
    will only match packets with the SYN flag set, and
    the ACK, FIN and RST flags unset.

[!] --syn
    Only match TCP packets with the SYN bit set and the
    ACK and FIN bits cleared. Such packets are used to
    request TCP connection initiation; for example, blocking
    such packets coming in an interface will prevent
    incoming TCP connections, but outgoing TCP
    connections will be unaffected. It is equivalent to
    --tcp-flags SYN,RST,ACK SYN.
    If the "!" flag precedes the "--syn", the sense of the option
    is inverted.

--tcp-option [!] number
    Match if TCP option set.
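To make the mask/comp semantics of --tcp-flags, the --syn shorthand, the "!" inversion and the port-range rules concrete, here is an added example (not code from the AlterPath guide or from iptables itself): a small Python evaluator that parses the TCP-extension arguments of a rule as written in the table above and tests them against constructed TCP header values. Everything below is assumed for illustration; the flag bit values are the standard TCP header flag bits, and a packet matches --tcp-flags when (flags AND mask) equals comp, which is the behaviour the table describes.

```python
"""Added example: evaluate iptables TCP-extension matches (Table 4.5 semantics)
against constructed TCP header values.  Not the guide's or iptables' own code."""
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Standard TCP header flag bits.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flag_list(spec: str) -> int:
    """Turn a comma-separated flag list (ALL/NONE allowed) into a bitmask."""
    mask = 0
    for name in spec.upper().split(","):
        name = name.strip()
        if name == "ALL":
            mask |= sum(TCP_FLAGS.values())
        elif name in ("NONE", ""):
            continue
        elif name in TCP_FLAGS:
            mask |= TCP_FLAGS[name]
        else:
            raise ValueError(f"unknown TCP flag: {name}")
    return mask


def parse_port_range(spec: str) -> Tuple[int, int]:
    """port or port:port; missing first -> 0, missing last -> 65535,
    and the two ends are swapped if given in reverse order."""
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(spec)
    if lo > hi:
        lo, hi = hi, lo
    return lo, hi


@dataclass
class TcpMatch:
    """The parsed tcp-extension part of one rule."""
    sport: Optional[Tuple[int, int]] = None
    sport_neg: bool = False
    dport: Optional[Tuple[int, int]] = None
    dport_neg: bool = False
    flags_mask: Optional[int] = None   # flags to examine
    flags_comp: int = 0                # flags that must be set within the mask
    flags_neg: bool = False


def parse_tcp_match(args: List[str]) -> TcpMatch:
    """Parse the tcp-extension options of a rule; other rule arguments
    (e.g. '-A FORWARD', '-p tcp') are accepted and skipped."""
    m = TcpMatch()
    i, pre_neg = 0, False
    while i < len(args):
        tok = args[i]
        if tok == "!":                      # '!' before the option: "! --syn"
            pre_neg, i = True, i + 1
            continue
        neg, pre_neg, i = pre_neg, False, i + 1
        if i < len(args) and args[i] == "!":  # '!' after the option: "--dport ! 22"
            neg, i = True, i + 1
        if tok in ("--source-port", "--sport"):
            m.sport, m.sport_neg, i = parse_port_range(args[i]), neg, i + 1
        elif tok in ("--destination-port", "--dport"):
            m.dport, m.dport_neg, i = parse_port_range(args[i]), neg, i + 1
        elif tok == "--tcp-flags":
            m.flags_mask = parse_flag_list(args[i])
            m.flags_comp = parse_flag_list(args[i + 1])
            m.flags_neg, i = neg, i + 2
        elif tok == "--syn":                # the table's stated equivalence
            m.flags_mask = parse_flag_list("SYN,RST,ACK")
            m.flags_comp = parse_flag_list("SYN")
            m.flags_neg = neg
        elif tok in ("-A", "-I", "-p", "-m", "-i", "-o", "-j"):
            i += 1                          # skip option plus its value
        else:
            raise ValueError(f"unsupported token: {tok}")
    return m


def matches(m: TcpMatch, sport: int, dport: int, flags: int) -> bool:
    """True if a TCP segment with these header values satisfies the match."""
    ok = True
    if m.sport is not None:
        ok &= (m.sport[0] <= sport <= m.sport[1]) != m.sport_neg
    if m.dport is not None:
        ok &= (m.dport[0] <= dport <= m.dport[1]) != m.dport_neg
    if m.flags_mask is not None:
        ok &= ((flags & m.flags_mask) == m.flags_comp) != m.flags_neg
    return ok


# Constructed rules, written as argument lists (not real rules on any host).
RULE_TABLE_EXAMPLE = "-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN".split()
RULE_NEW_TO_SSH = "-p tcp --syn --dport 22".split()
RULE_NOT_PRIV_SRC = "-p tcp --sport ! :1023".split()

SYN, SYN_ACK, SYN_FIN = 0x02, 0x12, 0x03

if __name__ == "__main__":
    ex = parse_tcp_match(RULE_TABLE_EXAMPLE)
    print("plain SYN matches table example:", matches(ex, 40000, 22, SYN))
    print("SYN/ACK matches table example:  ", matches(ex, 40000, 22, SYN_ACK))
```

The evaluator makes one subtlety of the table visible: the stated --syn equivalent, --tcp-flags SYN,RST,ACK SYN, does not examine FIN, so a segment with SYN and FIN both set satisfies --syn but not the table's explicit SYN,ACK,FIN,RST SYN rule, which does examine FIN.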