administration tool for IPv4 packet filtering and NAT
|
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination
names resolve to more than one address, a rule will be added for each possible address
combination.
|
[!] -p, --protocol protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp,
udp, udplite, icmp, esp, ah, sctp or the special keyword "all", or it can be a numeric value,
representing one of these protocols or a different one. A protocol name from /etc/protocols is
also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent
to all. "all" will match with all protocols and is taken as default when this option is omitted.
|
[!] --syn
Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets
are used to request TCP connection initiation; for example, blocking such packets coming in an
interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected.
It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN. If the "!" flag precedes the "--syn", the
sense of the option is inverted.
|
-j, --jump target
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can
be a user-defined chain (other than the one this rule is in), one of the special builtin targets
which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this
option is omitted in a rule (and -g is not used), then matching the rule will have no effect on
the packet's fate, but the counters on the rule will be incremented.
|