Section 18.3: Options Used in iptables Commands
• --limit-burst — Sets the maximum number of packets that can match the rule in a burst, before the
rate set with --limit takes over. This option is only meaningful in conjunction with the --limit option, and
it accepts a number to set the burst threshold. If no number is specified, the burst threshold defaults
to 5, so only five packets are initially able to match the rule; after that, each interval of the --limit
rate that passes without a match restores one packet of burst capacity, up to the threshold.
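The interaction between --limit and --limit-burst is a token bucket, which is easier to see by running it than by reading about it. The following script is an added example and is not code from the manual or from the iptables project: it models the documented behaviour (the bucket starts full with BURST tokens, one token is refilled per --limit interval up to BURST, and a packet matches only when a token is available), not the kernel's own credit arithmetic. The packet timestamps are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the manual: a model of the token bucket behind
# "-m limit --limit RATE --limit-burst BURST". It reproduces the documented behaviour
# (the bucket starts full with BURST tokens, one token is refilled every INTERVAL
# seconds up to BURST, and a packet matches only if a token is available), not the
# kernel's credit/jiffies arithmetic. Timestamps below are constructed sample data.

# limit_sim INTERVAL BURST T1 T2 ... : prints one "<time> match|nomatch" line per packet.
# INTERVAL is seconds per token, so "--limit 3/minute" is an INTERVAL of 20.
# Timestamps are integer seconds and must be non-decreasing, starting at 0 or later.
limit_sim() {
    interval=$1
    burst=$2
    shift 2
    tokens=$burst     # bucket starts full: the first BURST packets always match
    last=0            # time up to which refills have already been credited
    for t in "$@"; do
        # credit one token per whole interval elapsed, capped at the burst size
        refill=$(( (t - last) / interval ))
        if [ "$refill" -gt 0 ]; then
            tokens=$(( tokens + refill ))
            last=$(( last + refill * interval ))
            if [ "$tokens" -gt "$burst" ]; then
                tokens=$burst   # a full bucket cannot bank extra tokens
            fi
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$(( tokens - 1 ))
            echo "$t match"
        else
            echo "$t nomatch"
        fi
    done
}

# count_matches INTERVAL BURST T1 T2 ... : how many of the packets matched the rule
count_matches() {
    limit_sim "$@" | awk '$2 == "match" { n++ } END { print n + 0 }'
}

# Demonstration: seven packets in the same second, then one 20 s and one 25 s later.
limit_sim 20 5 0 0 0 0 0 0 0 20 25
```

With `--limit 3/minute --limit-burst 5`, the demonstration shows the first five packets matching, the sixth and seventh failing, the packet at 20 s matching because one token has been refilled, and the packet at 25 s failing again. Note that the bucket is per rule, not per source address: one noisy host can exhaust the burst for everyone, which is why the match is normally placed in front of a LOG target rather than used as the only defence.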
The state module, which uses the --state match option, can match a packet with these particular
connection states:
• ESTABLISHED The matching packet belongs to a connection that has already seen packets in both
directions.
• INVALID The matching packet cannot be tied to a known connection, for example because it is
malformed or because the connection tracking table is full.
• NEW The matching packet is starting a new connection, or belongs to a connection that has not yet
seen packets in both directions.
• RELATED The matching packet is starting a new connection that is related in some way to an existing
connection, such as an FTP data transfer or an ICMP error message.
These connection states can be used in combination with one another by separating them with commas,
such as -m state --state INVALID,NEW. A typical stateful ruleset accepts ESTABLISHED,RELATED early,
drops INVALID, and then applies its real policy only to NEW packets.
To match the hardware (MAC) address of the Ethernet device a packet arrived from, use the mac module,
which accepts --mac-source plus a MAC address as an option. Because only the source address of the
incoming frame is known, this match is valid only in the PREROUTING, FORWARD and INPUT chains. To exclude
a MAC address from a rule, negate the match with an exclamation point (!): the iptables release this
manual describes places it after the --mac-source match option (--mac-source ! address), whereas current
releases place it before the option (! --mac-source address). A MAC address is only visible on the local
network segment and is trivially spoofed, so it should not be the sole basis for granting access.
To view other match options available through modules, see the iptables man page.
18.3.6 Target Options
Once a packet has matched a particular rule, the rule can direct the packet to a number of different
targets that decide its fate and, possibly, take additional actions, such as logging the packet. Additionally,
each built-in chain has a default policy, which is applied if none of the rules on that chain match a packet
or if none of the rules that match the packet specify a target (a rule with no -j target only updates its
packet and byte counters and lets evaluation continue with the next rule).
There are only a few standard targets available to decide what happens with the packet:
• <user-defined-chain> The name of a previously created and defined chain within the same
table. The packet is checked against that chain's rules; if it reaches the end of the chain without being
accepted or dropped (or hits a RETURN target), evaluation continues with the next rule in the calling
chain. This type of target is useful for further scrutinizing a packet before deciding what should happen
to it, or for logging information about the packet.
• ACCEPT — Allows the packet through: rule traversal of the current table stops and the packet moves on
to its destination, or to the next chain in its path through the kernel if there is one.
• DROP — Drops the packet on the floor. Rule traversal stops, the packet is discarded and the system that
sent it is not notified of the failure (unlike REJECT, which sends back an error).
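The pieces above (state and mac matches, a rate limit, a user-defined chain, the ACCEPT and DROP targets and the chain policy) come together in the ruleset below. This is an added example, not a ruleset from the manual or from the iptables project. It is written in iptables-restore format so it can be reviewed and checked before it touches the kernel; the chain name LOG_DROP and the MAC address 00:11:22:33:44:55 are made-up values, and the negation remark in the comments reflects the syntax change between the iptables release this manual describes and current releases.

```shell
#!/bin/sh
# Added example, not from the manual: emit a small stateful filter ruleset in
# iptables-restore format. Nothing is loaded into the kernel; the function only prints
# the ruleset so it can be reviewed, diffed and checked before loading it with
#   build_ruleset | iptables-restore      (as root)
# The chain name LOG_DROP and the MAC address 00:11:22:33:44:55 are made-up values.

build_ruleset() {
    cat <<'EOF'
*filter
# Default policies (the chain's "default target"): drop anything no rule accepts.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain: rate-limited logging followed by DROP.
:LOG_DROP - [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections we already know about; RELATED covers e.g. FTP data and ICMP errors.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that cannot be tied to any connection: log and drop.
-A INPUT -m state --state INVALID -j LOG_DROP
# New SSH connections only from one administrator's NIC on the local segment.
# (The iptables release in this manual negates with "--mac-source ! ADDR";
# current releases use "! --mac-source ADDR".)
-A INPUT -p tcp --dport 22 -m state --state NEW -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j LOG_DROP
-A INPUT -j LOG_DROP
# At most 5 log lines at once, then 3 per minute, so a flood cannot fill the log.
-A LOG_DROP -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "iptables drop: "
# LOG is non-terminating, so evaluation continues to the DROP; the sender gets no reply.
-A LOG_DROP -j DROP
COMMIT
EOF
}

# rule_count CHAIN : number of rules appended to CHAIN, as a pre-load sanity check
rule_count() {
    build_ruleset | awk -v c="$1" '$1 == "-A" && $2 == c { n++ } END { print n + 0 }'
}

# has_rule 'RULE TEXT' : exit 0 if that exact rule line is present, 1 otherwise
has_rule() {
    build_ruleset | grep -qxF -- "$1"
}

build_ruleset
```

The order matters: the ESTABLISHED,RELATED rule sits first so that the bulk of traffic is accepted after one match, INVALID is disposed of before any NEW rule can see it, and the final unconditional jump to LOG_DROP makes the logging visible even though the INPUT policy is already DROP. Because LOG_DROP ends in DROP, a packet sent there never returns to INPUT; if the chain ended without a terminating target, evaluation would fall back to the calling chain as described for user-defined chains above.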