Red Hat Enterprise Linux 5 Administration Unleashed

Using IPTables Match Extensions (page 491)

recent (continued)

  [!] --update
      If the source address of the packet is in the list, update the "last seen" timestamp.

  [!] --remove
      If the source address of the packet is in the list, remove it from the list.

  --seconds <seconds>
      Optional parameter that only allows a match if the address is in the list and was last seen within the defined number of seconds. Must be used with --rcheck or --update.

  --hitcount <hits>
      Optional parameter that causes a match only if the address is in the list and the number of packets received from it is greater than or equal to the defined value. Must be used with --rcheck or --update.

  --rttl
      Optional parameter that allows a match only if the address is in the list and the TTL of the current packet matches that of the packet that hit the --set rule. Must be used with --rcheck or --update.

sctp

  Use to match SCTP packets with the -p option: -p sctp

  --source-port [!] <port>[:<port>]
      Specify the SCTP source port as an individual port or a range of ports.

  --destination-port [!] <port>[:<port>]
      Specify the SCTP destination port as an individual port or a range of ports.

  --chunk-types [!] <all|any|only> <chunktypes>
      Specify all, any, or only to specify how to match the chunk type list. Replace <chunktypes> with a comma-separated list of chunk types. Chunk types: DATA, INIT, INIT_ACK, SACK, HEARTBEAT, HEARTBEAT_ACK, ABORT, SHUTDOWN, SHUTDOWN_ACK, ERROR, COOKIE_ECHO, COOKIE_ACK, ECN_ECNE, ECN_CWR, SHUTDOWN_COMPLETE, ASCONF, ASCONF_ACK. A chunk type may be followed by :<flags>; the <flags> are optional and are specific to certain chunk types. If a flag is in uppercase, the flag is set to on. If a flag is in lowercase, the flag is set to off. The DATA chunk type has the flags U, B, E, u, b, and e. The ABORT and SHUTDOWN_COMPLETE chunk types both have the flags T and t.

set

  Matches IP sets defined by ipset.

  --set <setname> <flags>
      <flags> is src, dst, or both separated by commas. If src is listed, packets match if the source address or port number is found in the IP set. If dst is listed, the packets match if the destination address or port number is found in the IP set.
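The recent options above are easiest to understand by tracing packets through the rule pair they are usually combined into. The following Python model is an added example, not code from the book or from iptables itself: it reimplements the documented semantics of --set, --rcheck, --update, --remove, --seconds, --hitcount and --rttl for one named list, and runs a constructed sequence of SSH connection attempts through the common two-rule throttle (first -m recent --set --name SSH, then -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP). The rule set, the addresses, the timestamps and the TTLs are all constructed for the example. One modelling assumption goes beyond the table: a matching --update is treated as a new hit on the address in addition to refreshing the "last seen" time, which is how the kernel xt_recent module behaves and is what makes --update and --rcheck differ below.

```python
# Added example (not from the book): a small model of the iptables "recent"
# match options listed above, used to trace the common SSH brute-force throttle:
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
#            --seconds 60 --hitcount 4 --name SSH -j DROP
# All packet addresses, times and TTLs below are constructed test data.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    src: str
    time: float        # seconds (the kernel uses jiffies; any monotonic clock works here)
    ttl: int = 64


@dataclass
class Entry:
    stamps: List[float] = field(default_factory=list)   # every time the address was seen
    ttl: int = 0                                         # TTL of the packet that hit --set


class RecentList:
    """One named list of source addresses (what --name selects)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def set(self, pkt: Packet) -> bool:
        """--set: add the source address (or another hit for it). Always matches."""
        e = self.entries.setdefault(pkt.src, Entry())
        e.stamps.append(pkt.time)
        e.ttl = pkt.ttl
        return True

    def remove(self, pkt: Packet) -> bool:
        """--remove: delete the source address; matches only if it was listed."""
        return self.entries.pop(pkt.src, None) is not None

    def check(self, pkt: Packet, update: bool = False, seconds: Optional[float] = None,
              hitcount: Optional[int] = None, rttl: bool = False) -> bool:
        """--rcheck (update=False) or --update (update=True), with the optional
        --seconds, --hitcount and --rttl parameters from the table."""
        e = self.entries.get(pkt.src)
        if e is None:
            return False                       # address not in the list
        if rttl and e.ttl != pkt.ttl:
            return False                       # --rttl: TTL differs from the --set packet
        # --seconds: only hits inside the window count; without it every hit counts
        hits = [s for s in e.stamps if seconds is None or pkt.time - s <= seconds]
        if not hits:
            return False                       # last seen outside the window
        if hitcount is not None and len(hits) < hitcount:
            return False                       # --hitcount not reached yet
        if update:
            e.stamps.append(pkt.time)          # --update: refresh "last seen" (assumed: counts as a hit)
        return True


def ssh_throttle(use_update: bool = True, seconds: float = 60,
                 hitcount: int = 4) -> Callable[[Packet], str]:
    """Verdict function for the two-rule chain above. use_update=False swaps
    --update for --rcheck in the DROP rule so the two behaviours can be compared."""
    ssh = RecentList()

    def verdict(pkt: Packet) -> str:
        ssh.set(pkt)                           # rule 1: record every new connection, even ones dropped next
        if ssh.check(pkt, update=use_update, seconds=seconds, hitcount=hitcount):
            return "DROP"                      # rule 2: too many hits inside the window
        return "ACCEPT"                        # no further rule: chain policy ACCEPT

    return verdict


def trace(times: List[float], use_update: bool = True, src: str = "203.0.113.7") -> List[str]:
    """Run one source's connection attempts (at the given times) through the chain."""
    verdict = ssh_throttle(use_update)
    return [verdict(Packet(src, t)) for t in times]


if __name__ == "__main__":
    burst_then_probe = [0, 5, 10, 15, 45, 75, 105]   # 4 quick attempts, then one every 30 s
    print("--update:", trace(burst_then_probe, use_update=True))
    print("--rcheck:", trace(burst_then_probe, use_update=False))
    print("normal user:", trace([0, 300, 600]))
```

With --update, every blocked probe refreshes the entry, so a source that keeps retrying every 30 s stays blocked for as long as it retries; with --rcheck the block lapses once the original burst ages out of the 60 s window even though the probes continue. Note also that because the --set rule precedes the DROP rule, the dropped attempts themselves are recorded, and the list is keyed purely on source address, so --rttl is the only option here that ties the entry to anything beyond the address.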
