administration tool for IPv4 packet filtering and NAT

-A, --append chain rule-specification
       Append one or more rules to the end of the selected chain.  When  the  source  and/or  destination
       names  resolve  to  more  than  one  address,  a  rule  will  be  added  for each possible address
       combination.

[!] -p, --protocol protocol
       The protocol of the rule or of the packet to check.  The specified protocol can  be  one  of  tcp,
       udp,  udplite,  icmp,  esp,  ah,  sctp or the special keyword "all", or it can be a numeric value,
       representing one of these protocols or a different one.  A protocol name  from  /etc/protocols  is
       also allowed.  A "!" argument before the protocol inverts the test.  The number zero is equivalent
       to all. "all" will match with all protocols and is taken as default when this option is omitted.

[!] --syn
       Only  match  TCP  packets with the SYN bit set and the ACK,RST and FIN bits cleared.  Such packets
       are used to request TCP connection initiation; for example, blocking such  packets  coming  in  an
       interface  will prevent incoming TCP connections, but outgoing TCP connections will be unaffected.
       It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN.  If the "!" flag precedes  the  "--syn",  the
       sense of the option is inverted.

-j, --jump target
       This  specifies the target of the rule; i.e., what to do if the packet matches it.  The target can
       be a user-defined chain (other than the one this rule is in), one of the special  builtin  targets
       which  decide the fate of the packet immediately, or an extension (see EXTENSIONS below).  If this
       option is omitted in a rule (and -g is not used), then matching the rule will have  no  effect  on
       the packet's fate, but the counters on the rule will be incremented.