These extensions can be used if `--protocol tcp' is specified. They
provide the following options:
.TP
.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format
.IR port : port .
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
If the second port is greater than the first they will be swapped.
The flag
.B --sport
is a convenient alias for this option.
.TP
.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
Destination port or port range specification. The flag
.B --dport
is a convenient alias for this option.
.TP
.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
Match when the TCP flags are as specified. The first argument is the
flags which we should examine, written as a comma-separated list, and
the second argument is a comma-separated list of flags which must be
set. Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.nf
 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
.fi
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
.TP
.B "[!] --syn"
Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected.
It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
If the "!" flag precedes the "--syn", the sense of the
option is inverted.
.TP
.BR "--tcp-option " "[!] \fInumber\fP"
Match if TCP option is set.
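.PP
The mask/comp comparison described for --tcp-flags and --syn, as an added example (not part of the original manual page or of the iptables source). It models the test as (flags AND mask) = comp on the flags byte of a raw TCP header; the function names and the sample headers are constructed for illustration.

```python
import struct

# Bit values of the flags byte (offset 13 of the TCP header); names as in the manual.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ALL": 0x3F, "NONE": 0x00}

def parse_flags(spec):
    """Turn a comma-separated list such as 'SYN,ACK' into a bit mask."""
    bits = 0
    for name in spec.split(","):
        if name not in FLAGS:
            raise ValueError(f"unknown TCP flag: {name!r}")
        bits |= FLAGS[name]
    return bits

def header_flags(tcp_header):
    """Return the six flag bits from a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13] & 0x3F

def tcp_flags_match(tcp_header, mask, comp, invert=False):
    """Model of '--tcp-flags [!] mask comp': only bits in mask are examined."""
    hit = (header_flags(tcp_header) & parse_flags(mask)) == parse_flags(comp)
    return hit != invert

def syn_match(tcp_header, invert=False):
    """Model of '[!] --syn' via the equivalence stated in the manual."""
    return tcp_flags_match(tcp_header, "SYN,RST,ACK,FIN", "SYN", invert)

def make_header(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header without options (sample input)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4,
                       parse_flags(flags), 65535, 0, 0)

# Constructed samples: handshake segments plus flag sets outside the mask.
SAMPLES = ["SYN", "SYN,ACK", "ACK", "SYN,PSH", "FIN,PSH,URG", "NONE"]

def classify(samples=SAMPLES):
    """Map each sample flag set to whether --syn would match it."""
    return {s: syn_match(make_header(s)) for s in samples}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:12} --syn match: {hit}")
```

A segment carrying SYN and PSH still matches --syn because PSH is not in the mask; use ALL as the mask when every flag must be checked.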