diff options
| author | Jinkun Jang <jinkun.jang@samsung.com> | 2013-03-13 01:42:55 +0900 |
|---|---|---|
| committer | Jinkun Jang <jinkun.jang@samsung.com> | 2013-03-13 01:42:55 +0900 |
| commit | cb06be6ecc10920c73293799689ce9803262a922 (patch) | |
| tree | 5d21c5f26a156067e733c9faa79782ecc26196e9 /extensions/libxt_tcp.man | |
| parent | dbc5ef4889caa206f4d47d83345357780ceef73e (diff) | |
| download | iptables-2.2_release.tar.gz iptables-2.2_release.tar.bz2 iptables-2.2_release.zip | |
Tizen 2.1 basesubmit/tizen_2.2/20130714.145952submit/tizen_2.1/20130424.225212accepted/tizen_2.1/20130425.0251492.2_release2.1b_releasetizen_2.1
Diffstat (limited to 'extensions/libxt_tcp.man')
| -rw-r--r-- | extensions/libxt_tcp.man | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/extensions/libxt_tcp.man b/extensions/libxt_tcp.man new file mode 100644 index 0000000..7a16118 --- /dev/null +++ b/extensions/libxt_tcp.man @@ -0,0 +1,44 @@ +These extensions can be used if `\-\-protocol tcp' is specified. It +provides the following options: +.TP +[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] +Source port or port range specification. This can either be a service +name or a port number. An inclusive range can also be specified, +using the format \fIfirst\fP\fB:\fP\fIlast\fP. +If the first port is omitted, "0" is assumed; if the last is omitted, +"65535" is assumed. +If the first port is greater than the second one they will be swapped. +The flag +\fB\-\-sport\fP +is a convenient alias for this option. +.TP +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] +Destination port or port range specification. The flag +\fB\-\-dport\fP +is a convenient alias for this option. +.TP +[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP +Match when the TCP flags are as specified. The first argument \fImask\fP is the +flags which we should examine, written as a comma-separated list, and +the second argument \fIcomp\fP is a comma-separated list of flags which must be +set. Flags are: +.BR "SYN ACK FIN RST URG PSH ALL NONE" . +Hence the command +.nf + iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN +.fi +will only match packets with the SYN flag set, and the ACK, FIN and +RST flags unset. +.TP +[\fB!\fP] \fB\-\-syn\fP +Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits +cleared. Such packets are used to request TCP connection initiation; +for example, blocking such packets coming in an interface will prevent +incoming TCP connections, but outgoing TCP connections will be +unaffected. +It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP. +If the "!" flag precedes the "\-\-syn", the sense of the +option is inverted. +.TP +[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP +Match if TCP option set. |