AlterPath ACS Command Reference Guide 127
Network
TCP Extensions
These extensions are loaded if the protocol specified is tcp or "-m tcp" is specified. They
provide the following options:
| TCP extension | Description |
|---|---|
| `--source-port [!] [port[:port]]` | Source port or port range specification. This can be either a service name or a port number. An inclusive range can also be specified, using the format `port:port`. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first they will be swapped. The flag `--sport` is an alias for this option. |
| `--destination-port [!] [port[:port]]` | Destination port or port range specification. The flag `--dport` is an alias for this option. |
| `--tcp-flags [!] mask comp` | Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command `iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN` will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset. |
| `[!] --syn` | Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to `--tcp-flags SYN,RST,ACK SYN`. If the "!" flag precedes `--syn`, the sense of the option is inverted. |
| `--tcp-option [!] number` | Match if the TCP option is set. |
Table 4.5: TCP extensions
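The following is an added example, not code from the guide or from iptables itself: a small Python model of the matching semantics the table describes, so the effect of a `--tcp-flags mask comp` rule, of `--syn`, and of a `--sport`/`--dport` range with an omitted or reversed end can be checked against sample flag bytes before a rule is loaded. The function names are my own, and service names in port specifications are not resolved.

```python
from __future__ import annotations

# Bit values of the TCP flags in the header's flag byte; ALL and NONE are the
# two aggregate names iptables accepts in a flag list.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_FLAGS["ALL"] = sum(TCP_FLAGS.values())
TCP_FLAGS["NONE"] = 0


def parse_flags(spec: str) -> int:
    """Turn a comma-separated flag list such as "SYN,ACK,FIN,RST" into a bitmask."""
    mask = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name}")
        mask |= TCP_FLAGS[name]
    return mask


def tcp_flags_match(mask: str, comp: str, packet_flags: int, negate: bool = False) -> bool:
    """--tcp-flags mask comp: among the flags named in `mask`, exactly those named
    in `comp` must be set in the packet; flags outside `mask` are ignored."""
    matched = (packet_flags & parse_flags(mask)) == parse_flags(comp)
    return matched != negate


def syn_match(packet_flags: int, negate: bool = False) -> bool:
    """--syn, using the equivalence the table gives: --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", packet_flags, negate)


def parse_port_range(spec: str) -> tuple[int, int]:
    """port or port:port. An omitted first port means 0, an omitted last port means
    65535, and a reversed range is swapped. Service names are not resolved here."""
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(spec)
    if lo > hi:
        lo, hi = hi, lo
    return lo, hi


def port_match(spec: str, port: int, negate: bool = False) -> bool:
    """--sport/--dport [!] spec checked against a single port number."""
    lo, hi = parse_port_range(spec)
    return (lo <= port <= hi) != negate
```

A packet whose flag byte is 0x12 (SYN+ACK, the second step of a handshake) fails both the table's `SYN,ACK,FIN,RST SYN` rule and `--syn`, while 0x02 (a bare SYN) passes both, which is why a `--syn` rule on an inbound interface blocks new incoming connections without touching replies to outgoing ones.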