TCP Extensions

The TCP extensions are automatically loaded if `-p tcp' is specified. They provide the following options (none of which match fragments: a non-first fragment carries no TCP header, so a rule built on these matches never sees it, and fragments must be handled separately, for example with `-f').

--tcp-flags
Followed by an optional `!', then two strings of flags, allows you to filter on specific TCP flags. The first string of flags is the mask: a list of flags you want to examine. The second string of flags tells which one(s) of those should be set; every other flag in the mask must be clear, and flags outside the mask are ignored entirely. For example,

# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

This indicates that all flags should be examined (`ALL' is synonymous with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK should be set, so a packet with SYN, ACK and PSH set is not dropped by this rule. There is also an argument `NONE' meaning no flags; `--tcp-flags ALL NONE' matches a packet with no flags set at all (a "null scan" probe). Note the difference between `--tcp-flags ALL SYN' (a bare SYN and nothing else) and `--tcp-flags SYN SYN' (any packet with SYN set, including SYN/ACK): the mask, not the second list, decides how strict the match is.

--syn
Optionally preceded by a `!', this is shorthand for `--tcp-flags SYN,RST,ACK SYN'. Because FIN is not in that mask, a SYN+FIN packet also matches it; newer iptables versions use the mask `SYN,RST,ACK,FIN' so that only a clean SYN matches, and they expect the negation to be written before the option (`! --syn').

--source-port
Followed by an optional `!', then either a single TCP port, or a range of ports. Ports can be port names, as listed in /etc/services, or numeric. Ranges are either two ports (names or numbers) separated by a `:', or (to specify greater than or equal to a given port) a port with a `:' appended, or (to specify less than or equal to a given port) a port preceded by a `:'.

--sport
Is synonymous with `--source-port'.

--destination-port and --dport
Are the same as above, only they specify the destination, rather than source, port to match.

--tcp-option
Followed by an optional `!' and a number, matches a packet carrying a TCP option whose kind number equals that number. A packet which does not have a complete TCP header is dropped automatically if an attempt is made to examine its TCP options, so truncated headers cannot slip past such a rule.
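The mask/compare semantics of `--tcp-flags' and the port-range syntax above are the parts people most often get wrong, so here is an added example (written for this page, not code from the Packet Filtering HOWTO or from iptables) that models how the TCP match evaluates `--tcp-flags', `--syn' and `--sport'/`--dport' against a packet's flag bits and ports. The flag bit values are the TCP header layout; the `SERVICES' table is a constructed subset of /etc/services so the example runs offline; the `mask_fin' switch on `syn_match' is an assumption used to show the difference between the mask given in the text and the one newer iptables uses.

```python
# Added example, not code from the Packet Filtering HOWTO or iptables:
# a model of how the TCP match evaluates --tcp-flags, --syn and
# --sport/--dport against the flags and ports of a TCP header.
# Flag bit values follow the TCP header layout (RFC 793).

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # `ALL' == SYN,ACK,FIN,RST,URG,PSH

# Constructed subset of /etc/services so the example runs offline.
SERVICES = {"ssh": 22, "http": 80, "https": 443}


def parse_flags(spec):
    """'SYN,ACK' -> bitmask; 'ALL' and 'NONE' as accepted by iptables."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name]      # KeyError on an unknown flag name
    return bits


def tcp_flags_match(mask_spec, comp_spec, pkt_flags, negate=False):
    """--tcp-flags [!] MASK COMP: look only at the bits in MASK; those in
    COMP must be set and the remaining MASK bits must be clear.  Bits
    outside MASK are ignored, which is why `SYN SYN' also matches
    SYN+ACK while `ALL SYN' matches a bare SYN only."""
    mask = parse_flags(mask_spec)
    comp = parse_flags(comp_spec)
    matched = (pkt_flags & mask) == comp
    return matched != negate


def syn_match(pkt_flags, negate=False, mask_fin=False):
    """--syn as the text defines it: --tcp-flags SYN,RST,ACK SYN.
    mask_fin=True (an assumption for illustration) uses the mask of
    newer iptables, SYN,RST,ACK,FIN, which additionally rejects SYN+FIN."""
    mask = "SYN,RST,ACK,FIN" if mask_fin else "SYN,RST,ACK"
    return tcp_flags_match(mask, "SYN", pkt_flags, negate)


def parse_port_range(spec):
    """Port syntax from the text: a name or number, `lo:hi', `lo:'
    (>= lo) or `:hi' (<= hi).  Returns an inclusive (lo, hi) pair."""
    def one(p, default):
        if p == "":
            return default
        return SERVICES[p] if p in SERVICES else int(p)

    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return one(lo, 0), one(hi, 65535)
    port = one(spec, None)
    return port, port


def port_match(spec, port, negate=False):
    """--sport/--dport [!] SPEC evaluated against one port number."""
    lo, hi = parse_port_range(spec)
    return (lo <= port <= hi) != negate


def howto_drop_rule(pkt_flags):
    """The rule from the text: --tcp-flags ALL SYN,ACK -j DROP.
    Returns True when the packet would be dropped."""
    return tcp_flags_match("ALL", "SYN,ACK", pkt_flags)


if __name__ == "__main__":
    SYN, ACK, FIN, PSH = (FLAG_BITS[f] for f in ("SYN", "ACK", "FIN", "PSH"))
    print("SYN+ACK dropped by the HOWTO rule:", howto_drop_rule(SYN | ACK))
    print("SYN+ACK+PSH dropped:", howto_drop_rule(SYN | ACK | PSH))
    print("SYN+FIN passes --syn (text's mask):", syn_match(SYN | FIN))
    print("SYN+FIN passes --syn (FIN masked):", syn_match(SYN | FIN, mask_fin=True))
    print("null scan hit by --tcp-flags ALL NONE:", tcp_flags_match("ALL", "NONE", 0))
    print("ssh:http ->", parse_port_range("ssh:http"))
```

Running it shows that the HOWTO's DROP rule lets a SYN+ACK+PSH packet through (the mask is `ALL', so the extra PSH bit breaks the match) and that the `--syn' shorthand as written in the text accepts SYN+FIN; if a rule is meant to catch exactly one flag combination, put every flag you care about in the mask.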