This extension can be used if `\-\-protocol tcp' is specified. It
provides the following options:
.TP
[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format \fIfirst\fP\fB:\fP\fIlast\fP.
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
The flag
\fB\-\-sport\fP
is a convenient alias for this option.
.TP
[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
Destination port or port range specification, using the same syntax as
\fB\-\-source\-port\fP. The flag
\fB\-\-dport\fP
is a convenient alias for this option.
.TP
[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP
Match when the TCP flags are as specified. The first argument \fImask\fP is the
flags which we should examine, written as a comma-separated list, and
the second argument \fIcomp\fP is a comma-separated list of flags which must be
set. Flags listed in \fImask\fP but not in \fIcomp\fP must be clear; flags not
listed in \fImask\fP are ignored. Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.nf
 iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN
.fi
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset, regardless of the state of URG and PSH.
.TP
[\fB!\fP] \fB\-\-syn\fP
Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected. This is a per-packet test of the flag bits, not a check of
connection state: packets without SYN (for example ACK or FIN probes)
are not matched.
It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP.
If the "!" flag precedes the "\-\-syn", the sense of the
option is inverted.
.TP
[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP
Match if the TCP option with kind \fInumber\fP is present in the TCP header.
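The matching semantics described above, as an added example in Python that is not part of iptables or this manual page. It decodes a TCP header and applies the port-range, --tcp-flags (as the test (flags & mask) == comp), --syn and --tcp-option checks, including "!" inversion, to constructed sample packets. The names rule_matches, build_tcp and TcpHeader are this example's own; service names are not resolved, only numeric ports are accepted, and the option walker stops at the first malformed option length.

```python
"""Added example: a reference matcher for the iptables TCP match options."""
import struct
from typing import Callable, List, Tuple

# Flag bits as laid out in byte 13 of the TCP header (the NS bit in byte 12 is ignored).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # "ALL"; "NONE" is 0


def parse_flags(spec: str) -> int:
    """Comma-separated flag list (e.g. SYN,ACK / ALL / NONE) -> bitmask."""
    value = 0
    for name in spec.upper().split(","):
        if name == "ALL":
            value |= ALL_FLAGS
        elif name == "NONE":
            continue
        elif name in FLAG_BITS:
            value |= FLAG_BITS[name]
        else:
            raise ValueError(f"unknown TCP flag {name!r}")
    return value


def parse_port_range(spec: str) -> Tuple[int, int]:
    """port or first:last; an omitted first is 0, an omitted last is 65535."""
    if ":" in spec:
        first, last = spec.split(":", 1)
        lo, hi = (int(first) if first else 0), (int(last) if last else 65535)
    else:
        lo = hi = int(spec)  # service names such as "ssh" are not resolved here
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return lo, hi


class TcpHeader:
    """Minimal TCP header decoder: ports, flag byte and the list of option kinds."""

    def __init__(self, raw: bytes) -> None:
        if len(raw) < 20:
            raise ValueError("truncated TCP header")
        (self.sport, self.dport, _seq, _ack, doff_rsv, self.flags,
         _win, _csum, _urg) = struct.unpack("!HHIIBBHHH", raw[:20])
        hdr_len = (doff_rsv >> 4) * 4
        if hdr_len < 20 or hdr_len > len(raw):
            raise ValueError("bad data offset")
        self.options = self._option_kinds(raw[20:hdr_len])

    @staticmethod
    def _option_kinds(opts: bytes) -> List[int]:
        kinds, i = [], 0
        while i < len(opts):
            kind = opts[i]
            if kind == 0:              # End of option list
                break
            kinds.append(kind)
            if kind == 1:              # NOP carries no length byte
                i += 1
            elif i + 1 >= len(opts) or opts[i + 1] < 2:
                break                  # malformed length: stop rather than loop forever
            else:
                i += opts[i + 1]
        return kinds


def parse_rule(args: List[str]) -> List[Tuple[bool, Callable[[TcpHeader], bool]]]:
    """Parse an iptables-style option list into (negated, predicate) pairs."""
    checks, i = [], 0
    while i < len(args):
        negate = args[i] == "!"
        if negate:
            i += 1
        opt = args[i]
        if opt in ("--source-port", "--sport", "--destination-port", "--dport"):
            lo, hi = parse_port_range(args[i + 1])
            field = "dport" if opt.startswith("--d") else "sport"
            checks.append((negate, lambda h, lo=lo, hi=hi, f=field: lo <= getattr(h, f) <= hi))
            i += 2
        elif opt in ("--tcp-flags", "--syn"):
            if opt == "--syn":         # alias for --tcp-flags SYN,RST,ACK,FIN SYN
                mask, comp, i = parse_flags("SYN,RST,ACK,FIN"), FLAG_BITS["SYN"], i + 1
            else:
                mask, comp, i = parse_flags(args[i + 1]), parse_flags(args[i + 2]), i + 3
            # A comp flag that is not in mask can never match under this test.
            checks.append((negate, lambda h, m=mask, c=comp: (h.flags & m) == c))
        elif opt == "--tcp-option":
            checks.append((negate, lambda h, k=int(args[i + 1]): k in h.options))
            i += 2
        else:
            raise ValueError(f"unknown option {opt!r}")
    return checks


def rule_matches(args: List[str], raw: bytes) -> bool:
    """True if every (possibly '!'-inverted) test in args holds for the packet."""
    hdr = TcpHeader(raw)
    return all(pred(hdr) != negate for negate, pred in parse_rule(args))


def build_tcp(sport: int, dport: int, flags: int, options: bytes = b"") -> bytes:
    """Constructed sample header (no payload); options are padded with EOL bytes."""
    options += b"\x00" * (-len(options) % 4)
    doff = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags,
                       65535, 0, 0) + options


# Constructed sample packets for illustration (not captured traffic).
MSS_SACK_OK = b"\x02\x04\x05\xb4\x04\x02"  # MSS 1460 (kind 2), SACK-permitted (kind 4)
SYN_TO_SSH = build_tcp(40000, 22, FLAG_BITS["SYN"], MSS_SACK_OK)
SYN_ACK_FROM_SSH = build_tcp(22, 40000, FLAG_BITS["SYN"] | FLAG_BITS["ACK"])
NULL_SCAN_TO_SSH = build_tcp(40001, 22, 0)  # no flags at all: matched by --tcp-flags ALL NONE
```

rule_matches(["--dport", ":1023", "--syn"], SYN_TO_SSH) is True while the same rule is False for SYN_ACK_FROM_SSH, and ["--tcp-flags", "ALL", "NONE"] is True only for NULL_SCAN_TO_SSH; a rule such as ["--tcp-flags", "SYN", "ACK"] is False for every packet because ACK is outside the mask.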