User guide
Chapter 2. Securing Your Network
• SYN
• URG
• ALL
• NONE
For example, an iptables rule that contains the following specification only matches TCP packets
that have the SYN flag set and the ACK and FIN flags not set:
--tcp-flags ACK,FIN,SYN SYN
Use the exclamation point character (!) before the --tcp-flags to reverse the effect of the match
option.
• --tcp-option — Attempts to match with TCP-specific options that can be set within a particular
packet. This match option can also be reversed with the exclamation point character (!).
2.6.2.4.2. UDP Protocol
These match options are available for the UDP protocol (-p udp):
• --dport — Specifies the destination port of the UDP packet, using the service name, port number,
or range of port numbers. The --destination-port match option is synonymous with --dport.
• --sport — Specifies the source port of the UDP packet, using the service name, port number, or
range of port numbers. The --source-port match option is synonymous with --sport.
For the --dport and --sport options, to specify a range of port numbers, separate the two
numbers with a colon (:). For example: -p udp --dport 3000:3200. The largest acceptable valid
range is 0:65535.
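The following is an added illustration, not text or code from the guide: a small Python model of the two match semantics described above. It evaluates --tcp-flags MASK COMP the way iptables does (only the flags named in MASK are examined, and exactly the flags named in COMP must be set among them), including the leading ! negation, and parses --dport/--sport values of the form N or N:M within 0:65535. The rule list in classify_scan and the packet flag sets are constructed for the example; the function and rule names are the author's, not iptables options.

```python
"""Model of how iptables evaluates --tcp-flags MASK COMP and --dport/--sport ranges.
Added illustration only: it reproduces the documented semantics in Python and is
not iptables or kernel code."""

# The six flag names accepted by --tcp-flags; ALL and NONE are aliases for the
# full set and the empty set.
TCP_FLAGS = frozenset({"ACK", "FIN", "PSH", "RST", "SYN", "URG"})
MAX_PORT = 65535


def parse_flag_list(spec):
    """Turn 'ACK,FIN,SYN', 'ALL' or 'NONE' into a frozenset of flag names."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return TCP_FLAGS
    if spec == "NONE":
        return frozenset()
    flags = frozenset(f.strip() for f in spec.split(","))
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags


def tcp_flags_match(mask, comp, packet_flags, negate=False):
    """Emulate [!] --tcp-flags MASK COMP against the flags set on one packet.

    Only the flags named in MASK are examined; the rule matches when, within
    that set, exactly the flags named in COMP are set and the rest are clear.
    Flags outside MASK are ignored. iptables computes (flags & MASK) == COMP,
    so a COMP flag that is absent from MASK makes the rule unmatchable.
    negate=True models the leading '!'.
    """
    examined = frozenset(f.upper() for f in packet_flags) & parse_flag_list(mask)
    return (examined == parse_flag_list(comp)) != negate


def classify_scan(packet_flags):
    """Apply a constructed first-match-wins rule list of common scan signatures.

    The last rule is the guide's own example, ACK,FIN,SYN SYN: a plain SYN with
    ACK and FIN clear, i.e. a new connection attempt.
    """
    rules = [
        ("ALL", "NONE", "null scan"),            # no flags at all
        ("ALL", "FIN,PSH,URG", "xmas scan"),     # exactly FIN+PSH+URG
        ("SYN,FIN", "SYN,FIN", "SYN/FIN scan"),  # SYN and FIN together
        ("ACK,FIN,SYN", "SYN", "new connection"),
    ]
    for mask, comp, label in rules:
        if tcp_flags_match(mask, comp, packet_flags):
            return label
    return "no match"


def parse_port_range(spec):
    """Parse a numeric --dport/--sport value 'N' or 'N:M' into an inclusive (lo, hi).

    As in iptables, an omitted first port means 0 and an omitted last port
    means 65535. Service names (looked up in /etc/services by iptables) are
    not handled here.
    """
    lo_s, sep, hi_s = spec.strip().partition(":")
    lo = int(lo_s) if lo_s else 0
    if not sep:
        hi = lo
    else:
        hi = int(hi_s) if hi_s else MAX_PORT
    if not (0 <= lo <= MAX_PORT and 0 <= hi <= MAX_PORT):
        raise ValueError(f"port outside 0:{MAX_PORT}: {spec!r}")
    if lo > hi:
        lo, hi = hi, lo  # iptables swaps a reversed range rather than rejecting it
    return lo, hi


def is_valid_port_range(spec):
    """True if spec is a port or port range iptables would accept."""
    try:
        parse_port_range(spec)
        return True
    except ValueError:
        return False


def port_in_range(port, spec):
    lo, hi = parse_port_range(spec)
    return lo <= port <= hi


if __name__ == "__main__":
    # Constructed packets: flag sets as a sniffer would report them.
    for flags in (set(), {"FIN", "PSH", "URG"}, {"SYN", "FIN"}, {"SYN"}, {"SYN", "PSH"}, {"SYN", "ACK"}):
        print(sorted(flags) or "(none)", "->", classify_scan(flags))
    print("3100 in 3000:3200:", port_in_range(3100, "3000:3200"))
    print("0:65536 valid:", is_valid_port_range("0:65536"))
```

Note that {"SYN", "PSH"} still classifies as "new connection": PSH is not in the MASK ACK,FIN,SYN, so the rule never looks at it. That is the practical difference between --tcp-flags and --syn, and the reason scan-detection rules use ALL as the mask when they need every flag examined.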
2.6.2.4.3. ICMP Protocol
The following match options are available for the Internet Control Message Protocol (ICMP) (-p
icmp):
• --icmp-type — Sets the name or number of the ICMP type to match with the rule. A list of valid
ICMP names can be retrieved by typing the iptables -p icmp -h command.
2.6.2.4.4. Additional Match Option Modules
Additional match options are available through modules loaded by the iptables command.
To use a match option module, load the module by name using the -m <module-name> option,
where <module-name> is the name of the module.
Many modules are available by default. You can also create modules to provide additional
functionality.
The following is a partial list of the most commonly used modules:
• limit module — Places limits on how many packets are matched to a particular rule.
When used in conjunction with the LOG target, the limit module can prevent a flood of matching
packets from filling up the system log with repetitive messages or using up system resources.
Refer to Section 2.6.2.5, “Target Options” for more information about the LOG target.
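To make the effect of the limit module concrete, here is an added example that is not part of the guide: a token-bucket model of -m limit --limit RATE --limit-burst N in Python, run over a constructed packet flood to count how many LOG entries a guarded rule would produce. The bucket starts full with the burst value and refills at the rate, which is the behaviour the --limit and --limit-burst options document; the class and function names, the timing arithmetic in milliseconds and the FLOOD sequence are the example's own assumptions, not kernel code.

```python
"""Token-bucket model of the iptables limit match. Added illustration only:
it follows the documented --limit / --limit-burst semantics and is not
the kernel's xt_limit implementation."""

from fractions import Fraction

# Units --limit accepts; the suffix may be abbreviated (5/m) and, when omitted,
# the rate is per second.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """Parse '5/minute', '3/s' or '1/hour' into an exact rate of matches per millisecond."""
    count, _, unit = spec.strip().partition("/")
    count = int(count)
    if count < 1:
        raise ValueError("rate must be at least 1 per unit")
    unit = unit.lower() or "second"
    for name, seconds in UNIT_SECONDS.items():
        if name.startswith(unit):
            return Fraction(count, seconds * 1000)
    raise ValueError(f"unknown rate unit: {unit!r}")


class LimitMatch:
    """Bucket starts full (--limit-burst tokens) and refills at --limit.

    A packet matches only when a whole token is available, so a flood matches
    at most `burst` packets up front and afterwards one per refill interval.
    Fractions keep the arithmetic exact, so the counts below are deterministic.
    """

    def __init__(self, rate="3/hour", burst=5):  # iptables' documented defaults
        self.refill_per_ms = parse_rate(rate)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last_ms = 0

    def match(self, now_ms):
        refill = (now_ms - self.last_ms) * self.refill_per_ms
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def count_logged(packet_times_ms, rate, burst):
    """Run a LOG rule guarded by -m limit over a packet arrival sequence.

    Returns (log lines written, packets whose LOG was suppressed).
    """
    limiter = LimitMatch(rate, burst)
    logged = sum(1 for t in packet_times_ms if limiter.match(t))
    return logged, len(packet_times_ms) - logged


# Constructed flood: 1000 packets one millisecond apart, then another 1000
# packets one minute later.
FLOOD = list(range(0, 1000)) + list(range(60_000, 61_000))


if __name__ == "__main__":
    print("LOG without limit:", len(FLOOD), "syslog lines")
    logged, dropped = count_logged(FLOOD, "5/minute", 10)
    print("-m limit --limit 5/minute --limit-burst 10:", logged, "lines,", dropped, "suppressed")
```

With --limit 5/minute --limit-burst 10 the first burst of 1000 packets writes 10 log lines and the second burst, a minute later, writes 5 more, because only five tokens have refilled in the meantime. Note that the limit match only governs the rule it is attached to; a separate, unlimited LOG rule later in the chain would still flood the log.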