172 Chapter 13. Firewalls and iptables
iptables man page for more information on these and other targets, including rules regarding
their use.
You may also direct a packet matching this rule to a user-defined chain outside of the current
chain. This allows you to apply other rules against this packet, further filtering it with more specific
criteria.
If no target is specified, the packet moves past the rule with no action taken. However, the counter
for this rule is still increased by one, as the packet matched the specified rule.
• -o — Sets the outgoing network interface for a particular rule, and may only be used with OUTPUT
and FORWARD chains in the filter table and the POSTROUTING chain in the nat and mangle
tables. This parameter’s options are the same as those of the incoming network interface parameter
(-i).
• -p — Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all, to match every
supported protocol. In addition, lesser used protocols listed in /etc/protocols may also be used.
If this option is omitted when creating a rule, the all option is the default.
• -s — Sets the source for a particular packet, using the same syntax as the destination (-d) parameter.
13.3.5. Match Options
Different network protocols provide specialized matching options which may be set in specific ways
to match a particular packet using that protocol. Of course, the protocol must first be specified in
the iptables command, such as using -p <protocol-name> (for example, -p tcp), to make the options for that
protocol available.
13.3.5.1. TCP Protocol
These match options are available for the TCP protocol (-p tcp):
• --dport — Sets the destination port for the packet. You can use either a network service name
(such as www or smtp), port number, or range of port numbers to configure this option. To browse
the names and aliases of network services and the port numbers they use, view the /etc/services
file. You can also use --destination-port to specify this match option.
To specify a specific range of port numbers, separate the two numbers with a colon (:), such as -p
tcp --dport 3000:3200. The largest valid range is 0:65535.
You may also use an exclamation point character (!) as a flag after the --dport option to tell
iptables to match all packets which do not use that network service or port.
• --sport — Sets the source port of the packet, using the same options as --dport. You can also
use --source-port to specify this match option.
• --syn — Applies to all TCP packets designed to initiate communication, commonly called SYN
packets. Any packets that carry a data payload are not touched. Placing an exclamation point character (!) as a flag after the --syn option causes all non-SYN packets to be matched.
• --tcp-flags — Allows TCP packets with specific bits, or flags, set to be matched with a rule.
The --tcp-flags match option accepts two parameters after it, which are flags for the various
bits arranged in a comma-separated list. The first parameter is the mask, which sets the flags to be
examined on the packet. The second parameter refers to the flags that must be set in the packet to
make a match. The possible flags are ACK, FIN, PSH, RST, SYN, and URG. In addition, ALL and NONE
can also be used to match every flag or none of them.
For example, an iptables rule which contains -p tcp --tcp-flags ACK,FIN,SYN SYN will
only match TCP packets that have the SYN flag set and the ACK and FIN flags unset.
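The following is an added example, not part of the guide: a small model of how iptables evaluates the TCP match options above, so the mask/compare semantics of --tcp-flags and the port-range and ! syntax of --dport/--sport can be checked against constructed packets before a rule is deployed. It assumes --syn is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN (as documented in the iptables man page) and does not resolve /etc/services names.

```python
# Added example (not from the guide): models iptables TCP match evaluation offline.
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def parse_flag_list(spec):
    """Expand a comma-separated flag list; ALL and NONE are the keywords iptables accepts."""
    if spec == "ALL":
        return set(TCP_FLAGS)
    if spec == "NONE":
        return set()
    flags = {f.strip() for f in spec.split(",")}
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError("unknown TCP flag(s): %s" % ",".join(sorted(unknown)))
    return flags


def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags MASK COMP: of the flags named in MASK, exactly those in COMP must be set.

    Flags outside MASK are ignored, so 'ACK,FIN,SYN SYN' matches a packet with SYN
    (and, say, PSH) set, but not one with SYN and ACK set.
    """
    mask_set, comp_set = parse_flag_list(mask), parse_flag_list(comp)
    if not comp_set <= mask_set:
        raise ValueError("COMP flags must be a subset of MASK flags")
    return (set(packet_flags) & mask_set) == comp_set


def syn_match(packet_flags, negate=False):
    """--syn modelled as --tcp-flags SYN,RST,ACK,FIN SYN (assumption); '!' inverts the result."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN") != negate


def port_match(port, spec, negate=False):
    """--dport / --sport: a single port or low:high range (0:65535 is the largest); '!' inverts.

    Only numeric ports are handled here; service names from /etc/services are not resolved.
    """
    if ":" in spec:
        low_s, high_s = spec.split(":", 1)
        low = int(low_s) if low_s else 0          # ':3200' means 0:3200
        high = int(high_s) if high_s else 65535   # '3000:' means 3000:65535
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError("invalid port range: %s" % spec)
    return (low <= port <= high) != negate
```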