Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 743

The --tcp-flags match option accepts two parameters. The first parameter is the mask: a
comma-separated list of flags to be examined in the packet. The second parameter is a
comma-separated list of flags that must be set for the rule to match.
The possible flags are:
• ACK
• FIN
• PSH
• RST
• SYN
• URG
• ALL
• NONE
For example, an iptables rule that contains the following specification only matches TCP packets
that have the SYN flag set and the ACK and FIN flags not set:
--tcp-flags ACK,FIN,SYN SYN
Use the exclamation point character (!) after the --tcp-flags to reverse the effect of the match
option.
• --tcp-option — Attempts to match with TCP-specific options that can be set within a particular
packet. This match option can also be reversed with the exclamation point character (!).
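The mask-and-compare evaluation described above for --tcp-flags, modelled in Python as an added example (it is not part of the Red Hat manual or of iptables itself). The function names and the sample flag bytes are constructed for illustration; the bit values are the standard TCP header flag bits.

```python
# Added example: models how "--tcp-flags <mask> <comp>" is evaluated.
# Bit values are the TCP header flag bits; ALL and NONE are list shorthands.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
         "ALL": 0x3F, "NONE": 0x00}


def parse_flags(spec):
    """Turn a comma-separated list such as 'ACK,FIN,SYN' into a bitmask."""
    bits = 0
    for name in spec.split(","):
        if name not in FLAGS:
            raise ValueError("unknown TCP flag: %r" % name)
        bits |= FLAGS[name]
    return bits


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """True if a packet's flag byte matches '--tcp-flags mask comp'.

    Only flags named in mask are examined. Of those, the flags in comp must
    be set and every other examined flag must be clear. invert models '!'.
    A flag listed in comp but not in mask can never be seen as set, so such
    a specification matches no packet (unless inverted).
    """
    examined = packet_flags & parse_flags(mask)
    hit = examined == parse_flags(comp)
    return hit != invert


# Constructed sample packets (flag bytes), not captured traffic.
SAMPLES = {
    "SYN": 0x02,
    "SYN+ACK": 0x12,
    "SYN+FIN": 0x03,
    "SYN+PSH": 0x0A,   # PSH is outside the mask below, so it is ignored
    "no flags": 0x00,
}


def evaluate(mask, comp, invert=False):
    """Return {sample name: matched?} for one --tcp-flags specification."""
    return {name: tcp_flags_match(bits, mask, comp, invert)
            for name, bits in SAMPLES.items()}


if __name__ == "__main__":
    for spec in (("ACK,FIN,SYN", "SYN"), ("ALL", "NONE"), ("SYN", "SYN,ACK")):
        print("--tcp-flags %s %s" % spec, evaluate(*spec))
```

The SYN+PSH sample still matches ACK,FIN,SYN SYN because PSH is not in the mask; to require that no other flag is set, the mask has to list that flag as well (or use ALL).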
43.9.3.4.2. UDP Protocol
These match options are available for the UDP protocol (-p udp):
• --dport — Specifies the destination port of the UDP packet, using the service name, port number,
or range of port numbers. The --destination-port match option is synonymous with --dport.
• --sport — Specifies the source port of the UDP packet, using the service name, port number, or
range of port numbers. The --source-port match option is synonymous with --sport.
For the --dport and --sport options, to specify a range of port numbers, separate the two
numbers with a colon (:). For example: -p tcp --dport 3000:3200. The largest acceptable valid
range is 0:65535.
43.9.3.4.3. ICMP Protocol
The following match options are available for the Internet Control Message Protocol (ICMP) (-p
icmp):
• --icmp-type — Sets the name or number of the ICMP type to match with the rule. A list of valid
ICMP names can be retrieved by typing the iptables -p icmp -h command.