Manpage of IPTABLES
This module, when combined with connection tracking, allows access to more connection tracking
information than the "state" match. (This module is present only if iptables was compiled under a kernel
supporting this feature.)
--ctstate state
Where state is a comma-separated list of the connection states to match. Possible states are:
INVALID meaning that the packet is associated with no known connection,
ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions,
NEW meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions, and
RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
SNAT A virtual state, matching if the original source address differs from the reply destination.
DNAT A virtual state, matching if the original destination differs from the reply source.
--ctproto proto
Protocol to match (by number or name)
--ctorigsrc [!] address[/mask]
Match against original source address
--ctorigdst [!] address[/mask]
Match against original destination address
--ctreplsrc [!] address[/mask]
Match against reply source address
--ctrepldst [!] address[/mask]
Match against reply destination address
--ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
Match against internal conntrack states
--ctexpire time[:time]
Match remaining lifetime in seconds against given value or range of values (inclusive)
dscp
This module matches the 6-bit DSCP field within the TOS field in the IP header. DSCP has superseded
TOS within the IETF.
--dscp value
Match against a numeric (decimal or hex) value [0-32].
--dscp-class DiffServ Class
Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx classes. It will then
be converted into its corresponding numeric value.
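As an added example (not part of the iptables manpage or the iptables project), the following Python builds validated argument lists for rules that use the conntrack and dscp matches documented above, including the DiffServ class-to-code-point conversion that --dscp-class performs; it only constructs the argv and never executes iptables. The function names and the "[!]" placement for --ctorigsrc follow the syntax shown on this page and are this example's own choices.

```python
import re

# Values accepted by the conntrack match options documented above.
CT_STATES = {"INVALID", "ESTABLISHED", "NEW", "RELATED", "SNAT", "DNAT"}
CT_STATUS = {"NONE", "EXPECTED", "SEEN_REPLY", "ASSURED"}


def dscp_class_value(name):
    """Map a DiffServ class name (BE, EF, AFxy, CSx) to its 6-bit DSCP code point.
    Layout: AFxy = 8*x + 2*y (x in 1..4, y in 1..3), CSx = 8*x (x in 0..7),
    EF = 46, BE (best effort) = 0.
    """
    name = name.upper()
    if name == "BE":
        return 0
    if name == "EF":
        return 46
    m = re.fullmatch(r"AF([1-4])([1-3])", name)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    m = re.fullmatch(r"CS([0-7])", name)
    if m:
        return 8 * int(m.group(1))
    raise ValueError(f"unknown DiffServ class: {name}")


def _check(values, allowed, option):
    """Split a comma-separated option value and reject anything not in `allowed`."""
    items = [v.strip().upper() for v in values.split(",")]
    bad = set(items) - allowed
    if bad:
        raise ValueError(f"invalid {option} value(s): {sorted(bad)}")
    return ",".join(items)


def conntrack_rule(chain, ctstate, target, ctstatus=None, orig_src=None, negate_src=False):
    """Build the argv for `iptables -A <chain> -m conntrack ... -j <target>`."""
    argv = ["iptables", "-A", chain, "-m", "conntrack",
            "--ctstate", _check(ctstate, CT_STATES, "--ctstate")]
    if ctstatus is not None:
        argv += ["--ctstatus", _check(ctstatus, CT_STATUS, "--ctstatus")]
    if orig_src is not None:  # syntax on this page: --ctorigsrc [!] address[/mask]
        argv += ["--ctorigsrc"] + (["!"] if negate_src else []) + [orig_src]
    return argv + ["-j", target]


def dscp_rule(chain, dscp, target):
    """Build the argv for a dscp match; `dscp` is a class name or a numeric code point."""
    value = dscp if isinstance(dscp, int) else dscp_class_value(dscp)
    if not 0 <= value <= 63:  # the DSCP field is 6 bits wide
        raise ValueError(f"DSCP value out of range: {value}")
    return ["iptables", "-A", chain, "-m", "dscp", "--dscp", str(value), "-j", target]
```

A typical stateful policy is `conntrack_rule("INPUT", "ESTABLISHED,RELATED", "ACCEPT")` followed by `conntrack_rule("INPUT", "INVALID", "DROP")`; the builder rejects misspelled states before they reach the firewall.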
http://www.iptablesrocks.org/syntax/man_iptables.htm (10 of 20) [2/13/2004 8:04:51 PM]