IPTables Match Options
Different network protocols provide specialized matching options which can be configured to match a particular packet using that protocol. However, the protocol must first be specified in the iptables command. For example, -p <protocol-name> enables options for the specified protocol. Note that you can also use the protocol ID instead of the protocol name. Refer to the following examples, each of which has the same effect:
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p 1 --icmp-type any -j ACCEPT
Service definitions are provided in the /etc/services file. For readability, it is recommended that you use the service names rather than the port numbers.
Secure the /etc/services file to prevent unauthorized editing. If this file is editable, crackers can use it to enable ports on your machine you have otherwise closed. To secure this file, type the following commands as root:
chown root.root /etc/services
chmod 0644 /etc/services
chattr +i /etc/services
This prevents the file from being modified, renamed, deleted or having links made to it.
TCP Protocol
These match options are available for the TCP protocol (-p tcp):
--dport - Sets the destination port for the packet. To configure this option, use a network service name (such as www or smtp), a port number, or a range of port numbers. To specify a range of port numbers, separate the two numbers with a colon (:). For example: -p tcp --dport 3000:3200. The largest acceptable valid range is 0:65535. Use an exclamation point character (!) after the --dport option to match all packets that do not use that network service or port. To browse the names and aliases of network services and the port numbers they use, view the /etc/services file. The --destination-port match option is synonymous with --dport.
--sport - Sets the source port of the packet using the same options as --dport. The --source-port match option is synonymous with --sport.
--syn - Applies to all TCP packets designed to initiate communication, commonly called SYN packets. Any packets that carry a data payload are not touched. Use an exclamation point character (!) after the --syn option to match all non-SYN packets.
--tcp-flags <tested flag list> <set flag list> - Allows TCP packets that have specific bits (flags) set to match a rule. The --tcp-flags match option accepts two parameters. The first parameter is the mask, a comma-separated list of flags to be examined in the packet. The second parameter is a comma-separated list of flags that must be set for the rule to match. The possible flags are:
ACK
FIN
PSH
RST
SYN
URG
ALL
NONE
For example, an iptables rule that contains the following specification only matches TCP packets that have the SYN flag set and the ACK and FIN flags not set: --tcp-flags ACK,FIN,SYN SYN. Use the exclamation point character (!) after --tcp-flags to reverse the effect of the match option.
--tcp-option - Attempts to match with TCP-specific options that can be set within a particular packet. This match option can also be reversed with the exclamation point character (!).
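To make the mask/set semantics of --tcp-flags concrete, here is a small POSIX shell model of the comparison iptables performs (an added example, not iptables code or the guide's own): a packet matches when the flags selected by the mask, and only those, equal the set list. The bit values are arbitrary constants for this model, and syn_match encodes the --syn shorthand as defined in the iptables man page.

```shell
#!/bin/sh
# Model of the --tcp-flags <mask> <set> comparison (added example, not iptables
# code): a packet matches when (packet_flags AND mask) == set. The numeric bit
# values below are arbitrary constants for this model, not TCP header offsets.

# flag_bits LIST: print an integer bitmask for a comma-separated flag list.
# Accepts the six flag names plus the ALL and NONE keywords from the page.
flag_bits() {
    total=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        case $f in
            FIN)  total=$((total | 1)) ;;
            SYN)  total=$((total | 2)) ;;
            RST)  total=$((total | 4)) ;;
            PSH)  total=$((total | 8)) ;;
            ACK)  total=$((total | 16)) ;;
            URG)  total=$((total | 32)) ;;
            ALL)  total=63 ;;            # every flag examined / required
            NONE) total=0 ;;             # no flag required (e.g. ALL NONE)
            *)    echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    echo "$total"
}

# tcp_flags_match MASK SET PACKET_FLAGS: exit 0 on match, 1 on no match,
# 2 on a malformed flag list. Flags outside MASK are ignored entirely, which
# is why --tcp-flags ACK,FIN,SYN SYN still matches a SYN that carries PSH.
tcp_flags_match() {
    mask=$(flag_bits "$1") || return 2
    want=$(flag_bits "$2") || return 2
    pkt=$(flag_bits "$3")  || return 2
    [ $((pkt & mask)) -eq "$want" ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (iptables man page):
# a bare connection request, with no ACK, RST or FIN bit alongside the SYN.
syn_match() { tcp_flags_match SYN,RST,ACK,FIN SYN "$1"; }
```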
UDP Protocol
These match options are available for the UDP protocol (-p udp):
--dport - Specifies the destination port of the UDP packet, using the service name, port number, or range of port numbers. The --destination-port match option is synonymous with --dport.
--sport - Specifies the source port of the UDP packet, using the service name, port number, or range of port numbers. The --source-port match option is synonymous with --sport.
For the --dport and --sport options, to specify a range of port numbers, separate the two numbers with a colon (:). For example: -p udp --dport 3000:3200. The largest acceptable valid range is 0:65535.
ICMP Protocol
The following match options are available for the Internet Control Message Protocol (ICMP) (-p icmp):
--icmp-type - Sets the name or number of the ICMP type to match with the rule. A list of valid ICMP names can be retrieved by typing the iptables -p icmp -h command.
Additional Match Option Modules
Additional match options are available through modules loaded by the iptables command. To use a match option module, load the module by name using -m <module-name>, where <module-name> is the name of the module. Many modules are available by default. You can also create modules to provide additional functionality.
The following is a partial list of the most commonly used modules:
limit module - Places limits on how many packets are matched to a particular rule. When used in conjunction with the LOG target, the limit module can prevent a flood of matching packets from filling up the system log with repetitive messages or using up system resources. Refer to "Target Options" for more information about the LOG target. The limit module enables the following options:
--limit - Sets the maximum number of matches for a particular time period, specified as a <value>/<period> pair. For example, using --limit 5/hour allows five rule matches per hour. Periods can be specified in seconds, minutes, hours, or days. If a number and time modifier are not used, the default value of 3/hour is assumed.
--limit-burst - Sets a limit on the number of packets able to match a rule at one time. This option is specified as an integer and should be used in conjunction with the --limit option. If no value is specified, the default value of five (5) is assumed.
state module - Enables state matching. The state module enables the following options:
--state - Matches a packet with the following connection states:
ESTABLISHED - The matching packet is associated with other packets in an established connection. You need to accept this state if you want to maintain a connection between a client and a server.
INVALID - The matching packet cannot be tied to a known connection.
NEW - The matching packet is either creating a new connection or is part of a two-way connection not previously seen. You need to accept this state if you want to allow new connections to a service.
RELATED - The matching packet is starting a new connection related in some way to an existing connection. An example of this is FTP, which uses one connection for control traffic (port 21), and a separate connection for data transfer (port 20).
These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.
mac module - Enables hardware MAC address matching. The mac module enables the following option:
--mac-source - Matches a MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point character (!) after the --mac-source match option.
Refer to the iptables man page for more match options available through modules.
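A minimal stateful INPUT chain that combines the state, limit, mac, --syn, --tcp-flags, --dport and --icmp-type matches described above, written for this page as an added example (not the guide's own ruleset). It assumes a single external interface and uses constructed placeholder values for the interface name and the administrator's MAC address; with IPT left at its default the rules are printed rather than applied.

```shell
#!/bin/sh
# Minimal stateful INPUT chain using the match options on this page (added
# example, not the guide's own ruleset). With IPT at its default the rules are
# only printed; run as root with IPT=iptables to apply them.
: "${IPT:=echo iptables}"
# Constructed placeholders: set these to the real interface, port and MAC.
WAN_IF=${WAN_IF:-eth0}
SSH_PORT=${SSH_PORT:-ssh}
ADMIN_MAC=${ADMIN_MAC:-00:11:22:33:44:55}

input_rules() {
    # Keep existing sessions flowing; drop what conntrack cannot classify.
    $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -m state --state INVALID -j DROP
    # A NEW TCP connection must start with a clean SYN (--syn: SYN set,
    # ACK/RST/FIN clear); anything else is a scan or a stray segment.
    $IPT -A INPUT -i "$WAN_IF" -p tcp ! --syn -m state --state NEW -j DROP
    # All flags set or no flags set never occur in legitimate traffic.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p tcp --tcp-flags ALL NONE -j DROP
    # Answer pings, but rate-limited through the limit module.
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
    # SSH only from the administrator's NIC (mac module; only meaningful on
    # the local segment). Other attempts are logged at most 5/minute with a
    # burst of 10 so a probe cannot flood the system log, then dropped.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m mac --mac-source "$ADMIN_MAC" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "ssh-denied: "
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -j DROP
    # Public services: web by service name, a UDP range by port numbers.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport www -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 3000:3200 -j ACCEPT
    # Everything else: one rate-limited log line per burst, then drop.
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 3/hour --limit-burst 5 -j LOG --log-prefix "input-drop: "
    $IPT -A INPUT -i "$WAN_IF" -j DROP
}

# rule_count: number of rules the chain installs (handy for the dry run).
rule_count() { input_rules | wc -l | tr -d ' '; }

input_rules
```

Rule order matters: the ESTABLISHED,RELATED accept comes first so return traffic never reaches the logging rules, and the mac-restricted SSH accept precedes the SSH log and drop.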