Chapter 13. Firewalls and iptables

Like many other options, using the exclamation point character (!) after --tcp-flags reverses the effect of the match option, so that the second parameter's flags must not be set in order to match.

--tcp-option
    Attempts to match with TCP-specific options that can be set within a particular packet. This match option can also be reversed with the exclamation point character (!).

13.3.5.2. UDP Protocol

These match options are available for the UDP protocol (-p udp):

--dport
    Specifies the destination port of the UDP packet, using the service name, port number, or range of port numbers. The --destination-port match option may be used instead of --dport. See the --dport match option in Section 13.3.5.1 for various ways to use this option.

--sport
    Specifies the source port of the UDP packet, using the service name, port number, or range of port numbers. The --source-port match option may be used instead of --sport. See the --dport match option in Section 13.3.5.1 for various ways to use this option.

13.3.5.3. ICMP Protocol

Packets using the Internet Control Message Protocol (ICMP) can be matched using the following option when -p icmp is specified:

--icmp-type
    Sets the name or number of the ICMP type to match with the rule. A list of valid ICMP names can be seen by typing the iptables -p icmp -h command.

13.3.5.4. Modules with Additional Match Options

Additional match options are also available through modules loaded when the iptables command calls them. To use a match option module, you must load the module by name by including -m <module-name> in the iptables command.

A large number of modules are available by default. It is even possible to create your own modules to provide additional match option functionality. Many modules exist, but only the most popular ones are discussed here.

The limit module allows you to place a limit on how many packets will be matched to a particular rule. This is especially beneficial when logging rule matches so that a flood of matching packets will not fill up your logs with repetitive messages or use too many system resources.

--limit
    Sets the number of matches for a particular range of time, specified with a number and time modifier arranged in a <number>/<time> format. For example, using --limit 5/hour only lets a rule match five times in a single hour. If a number and time modifier are not used, the default value of 3/hour is assumed.

--limit-burst
    Sets a limit on the number of packets able to match a rule at one time. This option should be used in conjunction with the --limit option, and it accepts a number to set the burst threshold. If no number is specified, only five packets are initially able to match the rule.

The state module, which uses the --state match option, can match a packet with these particular connection states:

ESTABLISHED
    The matching packet is associated with other packets in an established connection.
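The interaction between --limit and --limit-burst is easier to see with a small simulation than with prose. The following Python code is an added example, not part of this guide and not code from the iptables project. It models the limit match as a token bucket, which is how the match is documented to behave: the rule starts with --limit-burst tokens, each matching packet spends one token, and tokens are refilled at the --limit rate up to the burst ceiling. The function and class names (parse_limit, LimitMatch, simulate, build_log_rule) are the example's own, and the packet arrival times are constructed input.

```python
"""Token-bucket model of the iptables 'limit' match (added example).

Assumptions (from the iptables limit extension documentation):
  * --limit N/period  -> refill N tokens per period; a bare number is per second
  * --limit-burst B   -> bucket starts full with B tokens (default 5)
  * every packet the rule matches spends one token; no token, no match
"""
from dataclasses import dataclass, field

# Seconds per time unit, with the abbreviations iptables accepts as prefixes.
PERIOD_SECONDS = {
    "second": 1, "sec": 1, "s": 1,
    "minute": 60, "min": 60, "m": 60,
    "hour": 3600, "h": 3600,
    "day": 86400, "d": 86400,
}

def parse_limit(spec: str) -> tuple[int, int]:
    """Parse a --limit value such as '5/hour' into (count, period_seconds).

    A bare number ('5') is treated as per second, as iptables does.
    """
    if "/" in spec:
        count, unit = spec.split("/", 1)
        return int(count), PERIOD_SECONDS[unit.strip().lower()]
    return int(spec), 1

@dataclass
class LimitMatch:
    """One rule's limit state: the bucket the kernel keeps per rule."""
    count: int          # tokens added per period
    period: int         # period length in seconds
    burst: int = 5      # --limit-burst (iptables default is 5)
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full

    def matches(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` (seconds) matches."""
        elapsed = now - self.last_time
        self.last_time = now
        # Multiply before dividing so refills for whole periods are exact.
        refill = elapsed * self.count / self.period
        self.tokens = min(float(self.burst), self.tokens + refill)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate(limit_spec: str, burst: int, arrival_times: list[float]) -> list[bool]:
    """Run a sequence of packet arrival times through one limit rule."""
    count, period = parse_limit(limit_spec)
    rule = LimitMatch(count, period, burst)
    return [rule.matches(t) for t in arrival_times]

def build_log_rule(limit_spec: str, burst: int, prefix: str) -> str:
    """Render the equivalent rate-limited LOG rule for the INPUT chain."""
    return (f"iptables -A INPUT -m limit --limit {limit_spec} "
            f"--limit-burst {burst} -j LOG --log-prefix \"{prefix}\"")

if __name__ == "__main__":
    # Constructed scenario: six packets arrive at once, then one every 20 minutes.
    # With the default 3/hour the bucket refills one token per 1200 seconds.
    times = [0, 0, 0, 0, 0, 0, 1200, 1200, 2400]
    print(build_log_rule("3/hour", 5, "IPT-RATE-LIMITED: "))
    for t, hit in zip(times, simulate("3/hour", 5, times)):
        print(f"t={t:5d}s  {'MATCH' if hit else 'no match'}")
```

Running the block shows the behaviour the section describes: the first five packets of a flood match (the burst), the sixth does not, and after that the rule matches at most one packet every 20 minutes, which is exactly 3 per hour. Placing such a rule before a DROP rule is what keeps a scan or flood from filling the log while still recording that it happened.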