Product SiteDocumentation Site

2.6.2.4. IPTables Match Options

Different network protocols provide specialized matching options which can be configured to match a particular packet using that protocol. However, the protocol must first be specified in the iptables command. For example, -p <protocol-name> enables options for the specified protocol. Note that you can also use the protocol ID, instead of the protocol name. Refer to the following examples, each of which have the same effect: 
 iptables -A INPUT -p icmp --icmp-type any -j ACCEPT 
 iptables -A INPUT -p 5813 --icmp-type any -j ACCEPT
Service definitions are provided in the /etc/services file. For readability, it is recommended that you use the service names rather than the port numbers.

Warning

Secure the /etc/services file to prevent unauthorized editing. If this file is editable, crackers can use it to enable ports on your machine you have otherwise closed. To secure this file, type the following commands as root: 
[root@myServer ~]# chown root.root /etc/services 
[root@myServer ~]# chmod 0644 /etc/services
[root@myServer ~]# chattr +i /etc/services
This prevents the file from being renamed, deleted or having links made to it.
2.6.2.4.1. TCP Protocol
These match options are available for the TCP protocol (-p tcp):
  • --dport — Sets the destination port for the packet.
    To configure this option, use a network service name (such as www or smtp); a port number; or a range of port numbers.
    To specify a range of port numbers, separate the two numbers with a colon (:). For example: -p tcp --dport 3000:3200. The largest acceptable valid range is 0:65535.
    Use an exclamation point character (!) before the --dport option to match all packets that do not use that network service or port.
    To browse the names and aliases of network services and the port numbers they use, view the /etc/services file.
    The --destination-port match option is synonymous with --dport.
  • --sport — Sets the source port of the packet using the same options as --dport. The --source-port match option is synonymous with --sport.
  • --syn — Applies to all TCP packets designed to initiate communication, commonly called SYN packets. Any packets that carry a data payload are not touched.
    Use an exclamation point character (!) before the --syn option to match all non-SYN packets.
  • --tcp-flags <tested flag list> <set flag list> — Allows TCP packets that have specific bits (flags) set, to match a rule.
    The --tcp-flags match option accepts two parameters. The first parameter is the mask; a comma-separated list of flags to be examined in the packet. The second parameter is a comma-separated list of flags that must be set for the rule to match.
    The possible flags are:
    • ACK
    • FIN
    • PSH
    • RST
    • SYN
    • URG
    • ALL
    • NONE
    For example, an iptables rule that contains the following specification only matches TCP packets that have the SYN flag set and the ACK and FIN flags not set:
    --tcp-flags ACK,FIN,SYN SYN
    Use the exclamation point character (!) before the --tcp-flags to reverse the effect of the match option.
  • --tcp-option — Attempts to match with TCP-specific options that can be set within a particular packet. This match option can also be reversed with the exclamation point character (!).