Enterprise Linux iptables RPM package, such as LOG, MARK, and REJECT, among others. Refer to the iptables man page for more information about these and other targets.

It is also possible to direct a packet matching this rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet.

If no target is specified, the packet moves past the rule with no action taken. However, the counter for this rule increases by one.

• -o — Sets the outgoing network interface for a rule and may only be used with the OUTPUT and FORWARD chains in the filter table, and the POSTROUTING chain in the nat and mangle tables. This parameter's options are the same as those of the incoming network interface parameter (-i).

• -p — Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all (to match every supported protocol). In addition, any protocol listed in /etc/protocols may also be used. If this option is omitted when creating a rule, the all option is the default.

• -s — Sets the source for a particular packet using the same syntax as the destination (-d) parameter.

3.4. iptables Match Options

Different network protocols provide specialized matching options which can be configured to match a particular packet using that protocol. However, the protocol must first be specified in the iptables command. For example, -p tcp makes the match options for the specified protocol (here TCP) available.

3.4.1. TCP Protocol

These match options are available for the TCP protocol (-p tcp):

• --dport — Sets the destination port for the packet. Use either a network service name (such as www or smtp), a port number, or a range of port numbers to configure this option. To browse the names and aliases of network services and the port numbers they use, view the /etc/services file. The --destination-port match option is synonymous with --dport.

To specify a range of port numbers, separate the two numbers with a colon (:), such as -p tcp --dport 3000:3200. The largest acceptable valid range is 0:65535.

Use an exclamation point character (!) after the --dport option to match all packets which do not use that network service or port.

• --sport — Sets the source port of the packet using the same options as --dport. The --source-port match option is synonymous with --sport.

• --syn — Applies to all TCP packets designed to initiate communication, commonly called SYN packets. Any packets that carry a data payload are not touched. Placing an exclamation
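The following script is an added example and is not part of the Reference Guide. It assembles a small filter policy from the options described above: -i and -o, -p, -s, --dport with service names from /etc/services and with "!" negation, --syn, the LOG and REJECT targets, and a jump to a user-defined chain. The interface name eth0, the 192.0.2.0/24 management network and the relay address 192.0.2.10 are assumptions chosen for illustration. By default the commands are printed rather than executed, so it runs without root or a live netfilter; set DRY_RUN=0 and run it as root to apply the rules.

```shell
#!/bin/sh
# Added example, not taken from the Reference Guide: builds a small filter
# policy from the options described in the text (-i/-o, -p, -s, --dport,
# --syn, "!" negation, the LOG and REJECT targets and a user-defined chain).
# eth0 and the 192.0.2.x addresses are assumptions chosen for illustration.
# With DRY_RUN=1 (the default) the commands are printed instead of executed,
# so the script runs without root; DRY_RUN=0 applies them with iptables.

DRY_RUN="${DRY_RUN:-1}"

run_iptables() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Inbound SSH from the management network is handed to a user-defined chain
# (-j MGMT_SSH) that logs the packet and then accepts it. "ssh" is resolved
# through /etc/services, exactly like "www" or "smtp".
mgmt_ssh_rules() {
    run_iptables -N MGMT_SSH
    run_iptables -A MGMT_SSH -j LOG --log-prefix MGMT-SSH:
    run_iptables -A MGMT_SSH -j ACCEPT
    run_iptables -A INPUT -i eth0 -p tcp -s 192.0.2.0/24 --dport ssh -j MGMT_SSH
}

# New connection attempts (--syn) arriving on the public interface are allowed
# only to the web port; every other SYN is logged, then rejected. Non-SYN
# packets are not matched by these rules and fall through to the chain policy.
# The text places "!" after --dport; current iptables still accepts that form
# but warns that it is deprecated, so the "!" goes before the option here.
public_syn_rules() {
    run_iptables -A INPUT -i eth0 -p tcp --syn --dport www -j ACCEPT
    run_iptables -A INPUT -i eth0 -p tcp --syn '!' --dport www -j LOG --log-prefix NEW-TCP-REJECT:
    run_iptables -A INPUT -i eth0 -p tcp --syn '!' --dport www -j REJECT
}

# -o is valid in the FORWARD chain: only the mail relay (assumed 192.0.2.10)
# may send SMTP out through the public interface; forwarded SMTP from any
# other host is rejected.
egress_smtp_rules() {
    run_iptables -A FORWARD -o eth0 -p tcp -s 192.0.2.10 --dport smtp -j ACCEPT
    run_iptables -A FORWARD -o eth0 -p tcp --dport smtp -j REJECT
}

# Rules are evaluated in order, so the SSH exception must precede the SYN
# catch-all or management SSH would be rejected before it reaches MGMT_SSH.
apply_policy() {
    mgmt_ssh_rules
    public_syn_rules
    egress_smtp_rules
}

apply_policy
```

Because every rule goes through run_iptables, the printed dry-run output can be reviewed (or diffed against the live ruleset) before anything is applied, which is the check a practitioner wants before touching a firewall on a remote host.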