> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ralf Braga
> Sent: Sunday, June 01, 2003 12:11 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: to understand --tcp-flags
>
>
> Hi,
>
> I don't understand this command:
>
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK \
> -m state --state NEW -j REJECT --reject-with tcp-reset
>
> Why is SYN,ACK used two times in --tcp-flags SYN,ACK SYN,ACK ?
>
>
> Will this example block packets with the flags syn and ack ?
>
> Thanks,

I don't understand this either. But the man page says

--tcp-flags [!] mask comp
    Match when the TCP flags are as specified. The first argument is the
    flags which we should examine, written as a comma-separated list, and
    the second argument is a comma-separated list of flags which must be
    set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

        iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

    will only match packets with the SYN flag set, and the ACK, FIN and
    RST flags unset.

So I think that your command means that SYN and ACK must be set and it doesn't matter whether the others (FIN RST URG PSH) are set or unset.

Perhaps it's better to understand the --state. The good thing about state is that it works with all protocols. The states are: NEW, ESTABLISHED, RELATED, INVALID.

Still need more info on the tcp flags? Read RFC 793 (ftp://ftp.rfc-editor.org/in-notes/rfc793.txt).

/Klintan
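The mask/comp semantics quoted from the man page above can be modelled in a few lines. The following is an added example, not code from the thread or from netfilter: it reproduces the match rule "examine only the bits in mask, require exactly the bits in comp" and evaluates both rules discussed in the thread against constructed flag combinations. The flag bit values are the ones defined in RFC 793; the function names (parse_flag_list, tcp_flags_match, evaluate_rule) are this example's own.

```python
# Added example: a model of iptables' "--tcp-flags [!] mask comp" matching.
# Not netfilter code. Bit values are the TCP control bits from RFC 793.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # every bit in TCP_FLAGS


def parse_flag_list(spec: str) -> int:
    """Turn a comma-separated list such as 'SYN,ACK', 'ALL' or 'NONE' into a bitmask."""
    bits = 0
    for name in spec.upper().split(","):
        name = name.strip()
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name == "NONE":
            continue  # contributes no bits
        elif name in TCP_FLAGS:
            bits |= TCP_FLAGS[name]
        else:
            raise ValueError(f"unknown TCP flag: {name!r}")
    return bits


def tcp_flags_match(packet_flags: int, mask: str, comp: str, negate: bool = False) -> bool:
    """Return True when the packet's flags satisfy '--tcp-flags [!] mask comp'.

    Only the bits named in `mask` are looked at; of those, exactly the bits
    named in `comp` must be set. Bits outside `mask` are ignored entirely,
    which is why 'SYN,ACK SYN,ACK' does not care about FIN, RST, PSH or URG.
    A comp bit that is not also in mask can never be satisfied.
    """
    examined = packet_flags & parse_flag_list(mask)
    return (examined == parse_flag_list(comp)) != negate


def flag_names(packet_flags: int) -> str:
    """Human-readable name list for a flag bitmask, e.g. 'SYN,ACK'."""
    names = [n for n, b in TCP_FLAGS.items() if packet_flags & b]
    return ",".join(names) if names else "NONE"


def evaluate_rule(mask: str, comp: str, packets: list[int], negate: bool = False) -> dict[str, bool]:
    """Evaluate one --tcp-flags rule against a list of packet flag words."""
    return {flag_names(p): tcp_flags_match(p, mask, comp, negate) for p in packets}


# Constructed sample packets: the flag byte of several plausible TCP segments.
SAMPLE_PACKETS = [
    TCP_FLAGS["SYN"],                                     # connection request
    TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],                  # handshake reply
    TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"] | TCP_FLAGS["PSH"],
    TCP_FLAGS["SYN"] | TCP_FLAGS["RST"],
    TCP_FLAGS["ACK"],                                     # ordinary data/ack
    0,                                                    # no flags at all
]

if __name__ == "__main__":
    # The rule from the question: look at SYN and ACK, require both set.
    for pkt, hit in evaluate_rule("SYN,ACK", "SYN,ACK", SAMPLE_PACKETS).items():
        print(f"--tcp-flags SYN,ACK SYN,ACK        {pkt:12} -> {hit}")
    # The rule from the man page: look at SYN,ACK,FIN,RST, require only SYN.
    for pkt, hit in evaluate_rule("SYN,ACK,FIN,RST", "SYN", SAMPLE_PACKETS).items():
        print(f"--tcp-flags SYN,ACK,FIN,RST SYN    {pkt:12} -> {hit}")
```

Read together with the `-m state --state NEW` part of the original rule, the questioned command matches a SYN/ACK segment that conntrack cannot tie to any connection this host opened, and answers it with a TCP reset instead of letting it through; the second flag list is simply the subset of the first that has to be set.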