Installation guide
Chapter 13. Firewalls and iptables 173
Like many other options, using the exclamation point character (!) after --tcp-flags reverses the
effect of the match option, so that the second parameter’s flags must not be set in order to match.
• --tcp-option — Attempts to match with TCP-specific options that can be set within a particular
packet. This match option can also be reversed with the exclamation point character (!).
13.3.5.2. UDP Protocol
These match options are available for the UDP protocol (-p udp):
• --dport — Specifies the destination port of the UDP packet, using the service name, port number,
or range of port numbers. The --destination-port match option may be used instead of
--dport. See the --dport match option in Section 13.3.5.1 for various ways to use this option.
• --sport — Specifies the source port of the UDP packet, using the service name, port number, or
range of port numbers. The --source-port match option may be used instead of --sport. See
the --dport match option in Section 13.3.5.1 for various ways to use this option.
13.3.5.3. ICMP Protocol
Packets using the Internet Control Message Protocol (ICMP) can be matched using the following
option when -p icmp is specified:
• --icmp-type — Sets the name or number of the ICMP type to match with the rule. A list of valid
ICMP names can be seen by typing the iptables -p icmp -h command.
13.3.5.4. Modules with Additional Match Options
Additional match options are also available through modules loaded when the iptables command
calls them. To use a match option module, you must load the module by name by including -m
module-name in the iptables command.
A large number of modules are available by default. It is even possible to create your own modules
to provide additional match option functionality. Many modules exist, but only the most popular ones
are discussed here.
The limit module allows you to place a limit on how many packets will be matched to a particular
rule. This is especially beneficial when logging rule matches so that a flood of matching packets will
not fill up your logs with repetitive messages or use too many system resources.
• --limit — Sets the number of matches for a particular range of time, specified with a number and
time modifier arranged in a number/time format. For example, using --limit 5/hour
only lets a rule match five times in a single hour.
If a number and time modifier are not used, the default value of 3/hour is assumed.
• --limit-burst — Sets a limit on the number of packets able to match a rule at one time. This
option should be used in conjunction with the --limit option, and it accepts a number to set the
burst threshold.
If no number is specified, only five packets are initially able to match the rule.
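The interplay between --limit and --limit-burst is easier to see with numbers than with prose. The following Python model is an added example, not code from the guide or from the iptables project: it treats the limit match as a token bucket, which is how the rate and burst behave from the rule's point of view (the bucket starts full at the burst size, drains one token per matched packet, and refills at the --limit rate up to the burst size). The defaults it applies are the ones the guide states (3/hour and a burst of five); the SSH logging rule quoted in the comment is a constructed illustration of where such a match is typically used, not a rule from the guide, and no packets or firewall rules are touched.

```python
"""Model of the iptables `limit` match as a token bucket (added example).

Reproduces the documented behaviour of `-m limit --limit <rate> --limit-burst <n>`:
up to <n> packets match immediately, after which the rule admits one packet per
1/<rate> interval, and unused allowance accumulates again up to <n>.  A rule this
would model (constructed illustration, not from the guide):

    iptables -A INPUT -p tcp --dport 22 -m limit --limit 5/hour \
             --limit-burst 5 -j LOG --log-prefix "ssh-flood: "

Only the counting logic is modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Seconds per time modifier accepted by --limit (the guide's "number/time" form).
_UNIT_SECONDS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}

DEFAULT_LIMIT = "3/hour"   # default stated in the guide when --limit is omitted
DEFAULT_BURST = 5          # default stated in the guide when --limit-burst is omitted


def parse_rate(spec: str) -> float:
    """Turn a --limit value such as '5/hour' into packets per second (5/3600 here)."""
    number, sep, unit = spec.partition("/")
    if not sep or not unit:
        raise ValueError(f"--limit value {spec!r} needs a time modifier, e.g. 5/hour")
    count = int(number)
    if count <= 0:
        raise ValueError("rate must be a positive number of packets")
    # Any prefix of the unit name is accepted (e.g. 5/min), as iptables does.
    names = [n for n in _UNIT_SECONDS if n.startswith(unit.lower())]
    if len(names) != 1:
        raise ValueError(f"unknown time modifier {unit!r}")
    return count / _UNIT_SECONDS[names[0]]


@dataclass
class LimitMatch:
    """State of one `-m limit` match: a bucket of `burst` tokens refilled at `rate`."""
    rate_per_second: float
    burst: int
    tokens: float = field(init=False)
    last_seen: float = field(init=False)

    @classmethod
    def from_options(cls, limit: Optional[str] = None,
                     limit_burst: Optional[int] = None) -> "LimitMatch":
        """Build the match from the rule's options, applying the guide's defaults."""
        rate = parse_rate(limit if limit is not None else DEFAULT_LIMIT)
        burst = limit_burst if limit_burst is not None else DEFAULT_BURST
        if burst < 1:
            raise ValueError("--limit-burst must be at least 1")
        return cls(rate, burst)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # bucket starts full: the first `burst` packets match
        self.last_seen = 0.0

    def matches(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` (seconds) matches the rule."""
        elapsed = max(0.0, now - self.last_seen)
        # Refill at the configured rate, never beyond the burst size.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_second)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def count_matches(match: LimitMatch, arrivals: List[float]) -> int:
    """Feed packet arrival times (seconds, ascending) through the match; return how many matched."""
    return sum(match.matches(t) for t in arrivals)


def demo() -> dict:
    """Constructed scenario for the rule above: a flood, then sporadic later packets."""
    m = LimitMatch.from_options("5/hour", 5)
    flood = count_matches(m, [0.0] * 100)             # 100 packets in the same second: 5 match
    too_soon = m.matches(719.0)                        # 5/hour means one packet per 720 s
    on_time = m.matches(721.0)                         # allowance has refilled by now
    after_quiet_day = count_matches(m, [90000.0] * 10)  # refilled up to the burst cap of 5
    return {"flood": flood, "too_soon": too_soon,
            "on_time": on_time, "after_quiet_day": after_quiet_day}


if __name__ == "__main__":
    print(demo())
```

The scenario shows why the guide recommends this module for logging rules: a flood of a hundred matching packets produces five log lines, not a hundred, and the rule then admits at most one more line every twelve minutes until the allowance has built back up to the burst size. Raising --limit-burst lets more of a genuine event through before rate limiting takes hold; lowering --limit bounds the steady-state log volume.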
The state module, which uses the --state match option, can match a packet with these particular
connection states:
• ESTABLISHED — The matching packet is associated with other packets in an established connection.