Manpage of IPTABLES
limit
This module matches at a limited rate using a token bucket filter. A rule using this extension will match
until this limit is reached (unless the `!' flag is used); packets arriving above the limit do not match
and are tested against the following rules as usual. It can be used in combination with the LOG target
to give limited logging, for example.
--limit rate
Maximum average matching rate: specified as a number, with an optional `/second', `/minute',
`/hour', or `/day' suffix; the default is 3/hour.
--limit-burst number
Maximum initial number of packets to match (the size of the token bucket): the count is recharged by
one each time the rate limit specified above is not reached, up to this number; the default is 5.
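To make the token-bucket wording concrete, here is an added Python model of the limit match written for this page; it is not iptables or netfilter code. It models the documented semantics only: a bucket of --limit-burst tokens that refills at the --limit rate and never above the burst size, where each packet that finds a token matches and spends it. The rule it models in the comments, the arrival times, and the choice that a bare number means "per second" are assumptions made for the illustration.

```python
"""Token-bucket model of the iptables `limit' match (added illustration).

Models the documented semantics: a bucket of --limit-burst tokens, refilled
at the --limit rate and never above the burst size; every packet that finds
a token matches and spends it, every other packet falls through to the next
rule. The rate table, arrival pattern and modelled rule below are constructed
for the demonstration; this is not the netfilter xt_limit kernel code.
"""
from dataclasses import dataclass

# Seconds per rate suffix, as listed for --limit.
_PERIOD = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> tuple[int, int]:
    """Parse '3/hour' into (count, period_seconds).

    A bare number is taken as per second; that default is an assumption of
    this example, the manpage text above only documents the four suffixes.
    """
    count, _, unit = spec.partition("/")
    if not count.isdigit() or int(count) == 0:
        raise ValueError(f"bad rate count in {spec!r}")
    unit = unit or "second"
    if unit not in _PERIOD:
        raise ValueError(f"bad rate unit in {spec!r}")
    return int(count), _PERIOD[unit]


@dataclass
class LimitMatch:
    """One `-m limit --limit RATE --limit-burst N' instance."""

    count: int          # packets ...
    period: int         # ... per this many seconds
    burst: int = 5      # --limit-burst, the manpage default
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        if self.burst < 1:
            raise ValueError("--limit-burst must be at least 1")
        self.tokens = float(self.burst)   # the bucket starts full

    @classmethod
    def from_options(cls, rate: str = "3/hour", burst: int = 5) -> "LimitMatch":
        count, period = parse_rate(rate)
        return cls(count, period, burst)

    def match(self, now: float) -> bool:
        """Return True if a packet arriving at time `now' (seconds) matches."""
        # Refill: one token per period/count seconds, capped at the burst size.
        # (now - last) * count / period keeps whole periods exact instead of
        # accumulating a rounded per-second rate.
        refill = (now - self.last) * self.count / self.period
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals: list[float], rate: str = "3/hour", burst: int = 5) -> list[bool]:
    """Run a sequence of packet arrival times (seconds) through one limit match."""
    m = LimitMatch.from_options(rate, burst)
    return [m.match(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed arrivals: six packets at once, one 20 minutes later, one a
    # second after that, one roughly 20 minutes after that. Modelled rule
    # (an assumed example, combining the limit and multiport matches):
    #   iptables -A INPUT -p tcp -m multiport --dports 22,80,443 \
    #       -m limit --limit 3/hour --limit-burst 5 -j LOG --log-prefix "limited: "
    arrivals = [0, 0, 0, 0, 0, 0, 1200, 1201, 2500]
    for t, hit in zip(arrivals, simulate(arrivals)):
        print(f"t={t:5d}s  {'LOG' if hit else 'fall through'}")
```

With the default 3/hour and burst 5, the first five packets match immediately, the sixth falls through, and afterwards one packet per 20 minutes matches: at 3/hour a token is regained every 1200 seconds, so the packet at t=1200 matches, the one at t=1201 does not, and the one at t=2500 does. This is the behaviour to keep in mind when pairing limit with LOG: the rate bounds the average, the burst bounds how many consecutive packets are logged before the limit engages.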
multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be
used in conjunction with -p tcp or -p udp.
--source-ports port[,port[,port...]]
Match if the source port is one of the given ports. The flag --sports is a convenient alias for this
option.
--destination-ports port[,port[,port...]]
Match if the destination port is one of the given ports. The flag --dports is a convenient alias for
this option.
--ports port[,port[,port...]]
Match if both the source and destination ports are equal to each other and to one of the given
ports.
mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK
target below).
--mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, this is logically
http://www.iptablesrocks.org/syntax/man_iptables.htm (8 of 20) [2/13/2004 8:04:51 PM]