Additional Match Option Modules

Additional match options are available through modules loaded by the iptables command.

To use a match option module, load the module by name using the -m <module-name> option, where <module-name> is the name of the module.

Many modules are available by default. You can also create modules to provide additional functionality.

The following is a partial list of the most commonly used modules:

When used in conjunction with the LOG target, the limit module can prevent a flood of matching packets from filling up the system log with repetitive messages or using up system resources.

Refer to for more information about the LOG target.

The limit module enables the following options:

Periods can be specified in seconds, minutes, hours, or days.

If a number and time modifier are not used, the default value of 3/hour is assumed.

These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.

Refer to the iptables man page for more match options available through modules.
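
The limit and state modules described above can be combined in one rule set. The following is an added example, not part of the original documentation, that logs NEW or INVALID inbound packets at a bounded rate. The INPUT chain, the log prefix, the 5/minute rate, the burst value of 10, and the IPT variable and function name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: rate-limited logging with the limit and state modules.
# Dry run by default: each command is printed, not executed.
# Set IPT=iptables and run as root to apply the rules.
IPT="${IPT:-echo iptables}"

# log_limited_rules [RATE] [BURST]
#   RATE  - value for --limit; 3/hour is what the limit module assumes
#           when no number and time modifier are given
#   BURST - value for --limit-burst (packets matched before the rate applies)
log_limited_rules() {
    rate="${1:-3/hour}"
    burst="${2:-5}"

    # Packets belonging to known connections are accepted first,
    # so they never reach the LOG rule below.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log NEW or INVALID packets. Once the burst is used up, only
    # $rate packets match, so a flood cannot fill the system log.
    $IPT -A INPUT -m state --state INVALID,NEW \
        -m limit --limit "$rate" --limit-burst "$burst" \
        -j LOG --log-prefix "IPT-NEW-INVALID:"

    # LOG does not end rule traversal: the packet continues to this
    # rule, which drops INVALID packets whether or not they were logged.
    $IPT -A INPUT -m state --state INVALID -j DROP
}

# Constructed sample invocation: at most 5 log entries per minute
# after an initial burst of 10.
log_limited_rules 5/minute 10
```

The limit match only decides which packets reach the LOG target; packets over the rate are not dropped by that rule and continue to the rules after it.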