[!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
State(s) to match
conntrack match options:
[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]
State(s) to match
[!] --ctproto proto Protocol to match; by number or name, e.g. "tcp"
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
Original/Reply source/destination address
[!] --ctorigsrcport port
[!] --ctorigdstport port
[!] --ctreplsrcport port
[!] --ctrepldstport port
TCP/UDP/SCTP orig./reply source/destination port
[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]
Status(es) to match
[!] --ctexpire time[:time] Match remaining lifetime in seconds against
value or range of values (inclusive)
--ctdir {ORIGINAL|REPLY} Flow direction of packet
connmark match options:
[!] --mark value[/mask] Match ctmark value with optional mask
statistic match options:
--mode mode Match mode (random, nth)
random mode:
[!] --probability p Probability
nth mode:
[!] --every n Match every nth packet
--packet p Initial counter value (0 <= p <= n-1, default 0)
tcp match options:
[!] --tcp-flags mask comp match when TCP flags & mask == comp
(Flags: SYN ACK FIN RST URG PSH ALL NONE)
[!] --syn match when only SYN flag set
(equivalent to --tcp-flags SYN,RST,ACK,FIN SYN)
[!] --source-port port[:port]
--sport ...
match source port(s)
[!] --destination-port port[:port]
--dport ...
match destination port(s)
[!] --tcp-option number match if TCP option set
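The tcp match rule above ("match when TCP flags & mask == comp", with --syn defined as --tcp-flags SYN,RST,ACK,FIN SYN) reduces to a bitmask comparison. The following is an added example, not code from iptables, that models that comparison on the flag byte of a TCP header; the flag bit values are those of the TCP header (offset 13), the header builder and the sample packets are constructed here, and the [!] prefix is modelled as the invert parameter.

```python
import struct

# Added example (not iptables code): models the tcp match's
# "--tcp-flags mask comp" rule, which matches when flags & mask == comp.
# Flag bits follow the TCP header layout (byte 13 of the header).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # FIN|SYN|RST|PSH|ACK|URG, what the help text calls ALL


def parse_flag_list(spec):
    """Turn 'SYN,RST,ACK,FIN', 'ALL' or 'NONE' into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        name = name.strip()
        if name not in TCP_FLAGS:
            raise ValueError("unknown TCP flag: " + name)
        mask |= TCP_FLAGS[name]
    return mask


def flags_from_tcp_header(header):
    """Read the flag byte of a raw TCP header (offset 13). CWR/ECE live in
    the top two bits; since no mask spelled from the six names can cover
    them, they never influence the comparison."""
    return header[13]


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """[!] --tcp-flags mask comp: true when flags & mask == comp; a leading
    '!' (invert=True) negates the result."""
    matched = (packet_flags & parse_flag_list(mask)) == parse_flag_list(comp)
    return matched != invert


def syn_match(packet_flags, invert=False):
    """--syn, documented as equivalent to --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN", invert)


def build_tcp_header(flags, sport=40000, dport=22):
    """Constructed 20-byte TCP header carrying the given flag byte (sample input)."""
    data_offset = 5 << 4  # header length 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                       data_offset, flags, 65535, 0, 0)


if __name__ == "__main__":
    for label, flags in [("SYN", 0x02), ("SYN+ACK", 0x12),
                         ("ACK", 0x10), ("no flags", 0x00)]:
        f = flags_from_tcp_header(build_tcp_header(flags))
        print(f"{label:9} --syn={syn_match(f)!s:5} "
              f"--tcp-flags ALL NONE={tcp_flags_match(f, 'ALL', 'NONE')}")
```

Two details worth seeing in the output: a SYN that also carries ECE (0x42) still satisfies --syn because ECE is outside the mask, and `--tcp-flags ALL NONE` is the spelling for a segment with no flags set at all.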
udp match options:
[!] --source-port port[:port]
--sport ...
match source port(s)
[!] --destination-port port[:port]
--dport ...
match destination port(s)
hashlimit match options:
--hashlimit-upto <avg> max average match rate
[Packets per second unless followed by
/sec /minute /hour /day postfixes]
--hashlimit-above <avg> min average match rate
--hashlimit-mode <mode> mode is a comma-separated list of
dstip,srcip,dstport,srcport (or none)
--hashlimit-srcmask <length> source address grouping prefix length
--hashlimit-dstmask <length> destination address grouping prefix length
--hashlimit-name <name> name for /proc/net/ipt_hashlimit
--hashlimit-burst <num> number to match in a burst, default 5
--hashlimit-htable-size <num> number of hashtable buckets
--hashlimit-htable-max <num> number of hashtable entries
--hashlimit-htable-gcinterval interval between garbage collection runs
--hashlimit-htable-expire after which time are idle entries expired?
limit match options:
--limit avg max average match rate: default 3/hour
[Packets per second unless followed by
/sec /minute /hour /day postfixes]
--limit-burst number number to match in a burst, default 5
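Both the hashlimit options above and the limit options are rate matches: an average rate with the /sec, /minute, /hour or /day postfix (packets per second otherwise), a burst that is matched before the rate applies, and, for hashlimit, a bucket per group selected by --hashlimit-mode with addresses truncated to the --hashlimit-srcmask / --hashlimit-dstmask prefix. The following is an added example, not iptables code, that models both as token buckets; the packet dictionaries, time values and the per-/24 scenario are constructed here, and the model only approximates the kernel's credit accounting.

```python
import ipaddress
from fractions import Fraction

# Added example (not iptables code): a token-bucket model of the limit and
# hashlimit matches as the help text describes them. Each bucket starts with
# `burst` tokens, refills at the average rate and matches while a token is
# available. Time is passed in explicitly so the model is deterministic;
# exact Fractions avoid float rounding at refill boundaries.
_UNIT_SECONDS = {"sec": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(avg):
    """'3/hour' -> Fraction(3, 3600) packets per second; '10' -> 10 per second."""
    if "/" in avg:
        count, unit = avg.split("/", 1)
        if unit not in _UNIT_SECONDS:
            raise ValueError("unknown rate postfix: /" + unit)
        return Fraction(int(count), _UNIT_SECONDS[unit])
    return Fraction(int(avg), 1)


class TokenBucket:
    def __init__(self, rate, burst, now):
        self.rate = rate              # tokens added per second (Fraction)
        self.burst = burst            # bucket capacity
        self.tokens = Fraction(burst)
        self.last = now

    def take(self, now):
        """Refill for the elapsed time, then consume one token if available."""
        self.tokens = min(Fraction(self.burst),
                          self.tokens + Fraction(now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Limit:
    """limit match: --limit avg (default 3/hour), --limit-burst (default 5)."""
    def __init__(self, avg="3/hour", burst=5, now=0):
        self.bucket = TokenBucket(parse_rate(avg), burst, now)

    def matches(self, now):
        return self.bucket.take(now)


class HashLimit:
    """hashlimit match with --hashlimit-mode, -srcmask/-dstmask and -burst;
    upto() is --hashlimit-upto, above() is --hashlimit-above."""
    def __init__(self, avg, mode="srcip", burst=5, srcmask=32, dstmask=32):
        self.rate = parse_rate(avg)
        self.modes = [] if mode == "none" else mode.split(",")
        self.burst, self.srcmask, self.dstmask = burst, srcmask, dstmask
        self.buckets = {}

    def key(self, pkt):
        """Group packets by the selected fields; addresses are reduced to
        their /srcmask or /dstmask prefix before hashing."""
        parts = []
        for m in self.modes:
            if m == "srcip":
                parts.append(str(ipaddress.ip_network(
                    f"{pkt['src']}/{self.srcmask}", strict=False)))
            elif m == "dstip":
                parts.append(str(ipaddress.ip_network(
                    f"{pkt['dst']}/{self.dstmask}", strict=False)))
            elif m == "srcport":
                parts.append(pkt["sport"])
            elif m == "dstport":
                parts.append(pkt["dport"])
            else:
                raise ValueError("unknown hashlimit mode: " + m)
        return tuple(parts)

    def upto(self, pkt, now):
        key = self.key(pkt)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(self.rate, self.burst, now)
        return self.buckets[key].take(now)

    def above(self, pkt, now):
        return not self.upto(pkt, now)


def per_source_net_demo():
    """Constructed scenario: --hashlimit-upto 2/sec --hashlimit-burst 3
    --hashlimit-mode srcip --hashlimit-srcmask 24, i.e. a cap per source /24
    on packets to port 22. Returns each packet's match result in order."""
    hl = HashLimit("2/sec", mode="srcip", burst=3, srcmask=24)
    packets = [
        (0, "10.0.0.1"), (0, "10.0.0.2"), (0, "10.0.0.3"),  # same /24: burst of 3
        (0, "10.0.0.4"),                                    # 4th in the burst window
        (0, "10.0.1.9"),                                    # other /24: own bucket
        (1, "10.0.0.5"), (1, "10.0.0.6"), (1, "10.0.0.7"),  # 1 s later: 2 refilled
    ]
    return [hl.upto({"src": src, "dst": "10.0.9.9", "sport": 50000, "dport": 22}, t)
            for t, src in packets]
```

With --hashlimit-mode srcip and srcmask 24, hosts in the same /24 share one bucket, so a fourth host in the same second is already over the burst while a host in another /24 still matches; --hashlimit-above is simply the complement, which is the form used when the action is to log or drop the excess.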
helper match options:
[!] --helper string Match helper identified by string
SNAT target options:
--to-source [<ipaddr>[-<ipaddr>]][:port[-port]]
Address to map source to.
[--random] [--persistent]
DNAT target options:
--to-destination [<ipaddr>[-<ipaddr>]][:port[-port]]
Address to map destination to.
[--random] [--persistent]
MASQUERADE target options:
--to-ports <port>[-<port>]
Port (range) to map to.
--random
Randomize source port.
REDIRECT target options:
--to-ports <port>[-<port>]
Port (range) to map to.
MARK target options:
--set-xmark value[/mask] Clear bits in mask and XOR value into nfmark
--set-mark value[/mask] Clear bits in mask and OR value into nfmark
--and-mark bits Binary AND the nfmark with bits
--or-mark bits Binary OR the nfmark with bits
--xor-mark bits Binary XOR the nfmark with bits
CT target options:
--notrack Don't track connection
--helper name Use conntrack helper 'name' for connection
--timeout name Use timeout policy 'name' for connection
--ctevents event[,event...] Generate specified conntrack events for connection
--expevents event[,event...] Generate specified expectation events for connection
--zone ID Assign/Lookup connection in zone ID
CONNMARK target options:
--set-xmark value[/ctmask] Zero mask bits and XOR ctmark with value
--save-mark [--ctmask mask] [--nfmask mask]
Copy nfmark to ctmark using masks
--restore-mark [--ctmask mask] [--nfmask mask]
Copy ctmark to nfmark using masks
--set-mark value[/mask] Set conntrack mark value
--save-mark [--mask mask] Save the packet nfmark in the connection
--restore-mark [--mask mask] Restore saved nfmark value
--and-mark value Binary AND the ctmark with bits
--or-mark value Binary OR the ctmark with bits
--xor-mark value Binary XOR the ctmark with bits
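The MARK options above (clear the bits in mask, then XOR or OR the value in; plain AND/OR/XOR with bits) and the CONNMARK save/restore options (copy between the packet mark nfmark and the connection mark ctmark, each side filtered by its own mask) are small bit-arithmetic steps that are easy to get wrong. The following is an added example, not iptables code, that implements them on 32-bit marks; the default mask of 0xFFFFFFFF and the save/restore formulas are taken from the iptables-extensions man page rather than from the help text on this page, and the mark-once walk-through at the end is constructed here.

```python
# Added example (not iptables code): the mark arithmetic behind the MARK and
# CONNMARK target options, on 32-bit marks. Default masks (0xFFFFFFFF) and the
# save/restore formulas follow the iptables-extensions man page.
MARK_MASK = 0xFFFFFFFF


def parse_value_mask(spec, default_mask=MARK_MASK):
    """'0x10/0xff' -> (0x10, 0xff); values accept hex or decimal."""
    if "/" in spec:
        value, mask = spec.split("/", 1)
        return int(value, 0) & MARK_MASK, int(mask, 0) & MARK_MASK
    return int(spec, 0) & MARK_MASK, default_mask


def set_xmark(mark, spec):
    """--set-xmark value[/mask]: clear the bits in mask, XOR value in."""
    value, mask = parse_value_mask(spec)
    return ((mark & ~mask) ^ value) & MARK_MASK


def set_mark(mark, spec):
    """--set-mark value[/mask]: clear the bits in mask, OR value in."""
    value, mask = parse_value_mask(spec)
    return ((mark & ~mask) | value) & MARK_MASK


def and_mark(mark, bits):
    """--and-mark bits"""
    return mark & bits & MARK_MASK


def or_mark(mark, bits):
    """--or-mark bits"""
    return (mark | bits) & MARK_MASK


def xor_mark(mark, bits):
    """--xor-mark bits"""
    return (mark ^ bits) & MARK_MASK


def connmark_save(nfmark, ctmark, ctmask=MARK_MASK, nfmask=MARK_MASK):
    """--save-mark [--ctmask m] [--nfmask m]: copy nfmark into ctmark as
    ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MARK_MASK


def connmark_restore(nfmark, ctmark, ctmask=MARK_MASK, nfmask=MARK_MASK):
    """--restore-mark [--ctmask m] [--nfmask m]: copy ctmark into nfmark as
    nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MARK_MASK


def classify_once_demo():
    """Constructed walk-through of the usual mark-once pattern: the first
    packet of a connection gets a class in the low byte of its nfmark, which
    --save-mark copies into the ctmark; a later packet of the same connection
    gets it back with --restore-mark without disturbing its other bits.
    Returns (ctmark after save, nfmark of the later packet after restore)."""
    ctmark = 0
    first_nfmark = set_mark(0, "0x11/0xff")          # class 0x11 in the low byte
    ctmark = connmark_save(first_nfmark, ctmark, ctmask=0xff, nfmask=0xff)
    later_nfmark = 0x00AB0000                         # unrelated bits already set
    later_nfmark = connmark_restore(later_nfmark, ctmark, ctmask=0xff, nfmask=0xff)
    return ctmark, later_nfmark
```

The difference between --set-xmark and --set-mark only shows when the mask does not cover the value: with mask 0 nothing is cleared first, so --set-xmark toggles the value's bits while --set-mark merely sets them; with the default mask both replace the whole mark.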
LOG target options:
--log-level level Level of logging (numeric or see syslog.conf)
--log-prefix prefix Prefix log messages with this prefix.
--log-tcp-sequence Log TCP sequence numbers.
--log-tcp-options Log TCP options.
--log-ip-options Log IP options.
--log-uid Log UID owning the local socket.
--log-macdecode Decode MAC addresses and protocol.