User guide
Command Options for IPTables
Warning
Secure the /etc/services file to prevent unauthorized editing. If this file is editable, crackers
can use it to enable ports on your machine you have otherwise closed. To secure this file, type
the following commands as root:
[root@myServer ~]# chown root.root /etc/services
[root@myServer ~]# chmod 0644 /etc/services
[root@myServer ~]# chattr +i /etc/services
This prevents the file from being renamed, deleted or having links made to it.
2.6.2.4.1. TCP Protocol
These match options are available for the TCP protocol (-p tcp):
• --dport — Sets the destination port for the packet.
To configure this option, use a network service name (such as www or smtp), a port number, or a range of port numbers.
To specify a range of port numbers, separate the two numbers with a colon (:). For example: -p tcp --dport 3000:3200. The largest valid range is 0:65535.
Use an exclamation point character (!) before the --dport option to match all packets that do not use that network service or port.
To browse the names and aliases of network services and the port numbers they use, view the /etc/services file.
The --destination-port match option is synonymous with --dport.
• --sport — Sets the source port of the packet using the same options as --dport. The --source-port match option is synonymous with --sport.
• --syn — Applies to all TCP packets designed to initiate communication, commonly called SYN
packets. Any packets that carry a data payload are not touched.
Use an exclamation point character (!) before the --syn option to match all non-SYN packets.
• --tcp-flags <tested flag list> <set flag list> — Matches TCP packets that have specific bits (flags) set or cleared.
The --tcp-flags match option accepts two parameters. The first parameter is the mask: a comma-separated list of flags to be examined in the packet. The second parameter is a comma-separated list of flags that must be set for the rule to match; every other flag named in the mask must be clear.
The possible flags are:
• ACK
• FIN
• PSH
• RST
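The two-list semantics of --tcp-flags are easy to misread, so here is an added example (not from the guide) that models the match in POSIX shell: every flag named in the mask is examined, those also named in the set list must be on, the remaining masked flags must be off, and flags outside the mask are ignored. It also accepts the ALL and NONE keywords that iptables allows in either list, and shows that --syn is the same test as --tcp-flags SYN,RST,ACK,FIN SYN; the packets it evaluates are constructed flag lists, not captured traffic.

```shell
#!/bin/sh
# Added example: a model of how iptables evaluates `--tcp-flags <mask> <set>`.
ALL_FLAGS="SYN,ACK,FIN,RST,URG,PSH"

# has_flag NAME LIST -> exit 0 if NAME appears in the comma-separated LIST
has_flag() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# tcp_flags_match MASK SET PACKET_FLAGS -> exit 0 if the rule matches the packet.
# MASK/SET may use the ALL and NONE keywords; PACKET_FLAGS may be NONE.
tcp_flags_match() {
    mask=$1; want=$2; pkt=$3
    [ "$mask" = ALL ] && mask=$ALL_FLAGS
    [ "$want" = ALL ] && want=$ALL_FLAGS
    [ "$want" = NONE ] && want=""
    [ "$pkt" = NONE ] && pkt=""
    saved_ifs=$IFS; IFS=,; ok=0
    for f in $mask; do                      # only masked flags are examined
        if has_flag "$f" "$want"; then
            has_flag "$f" "$pkt" || ok=1    # a required flag is off
        elif has_flag "$f" "$pkt"; then
            ok=1                            # a masked flag that must be off is on
        fi
    done
    IFS=$saved_ifs
    return $ok
}

# syn_match PACKET_FLAGS -> exit 0 if `--syn` would match. iptables defines --syn
# as `--tcp-flags SYN,RST,ACK,FIN SYN`, so it is the same evaluation.
syn_match() { tcp_flags_match SYN,RST,ACK,FIN SYN "$1"; }

# Evaluate a few rule/packet pairs (constructed packets, not captured traffic).
demo() {
    for pair in "SYN,RST,ACK,FIN SYN|SYN" "SYN,RST,ACK,FIN SYN|SYN,ACK" \
                "ALL NONE|NONE" "ALL NONE|ACK" "ALL FIN,PSH,URG|FIN,PSH,URG"; do
        rule=${pair%%|*}; pkt=${pair#*|}
        if tcp_flags_match ${rule% *} ${rule#* } "$pkt"; then r=match; else r=no-match; fi
        printf '%-30s packet=%-12s %s\n' "--tcp-flags $rule" "$pkt" "$r"
    done
}
demo
```

Rules such as --tcp-flags ALL NONE or --tcp-flags ALL FIN,PSH,URG are commonly used to drop packets with flag combinations no legitimate TCP stack sends, which is why the mask is ALL in those cases.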