Additional match options are available through modules loaded by the iptables command.
To use a match option module, load it by name with -m <module-name>; the module's own options must then follow on the command line, after the -m that loads them.
Many modules are available by default. You can also create modules to provide additional functionality.
The following is a partial list of the most commonly used modules:
limit module — Places limits on how many packets are matched to a particular rule.
When used in conjunction with the LOG target, the limit module can prevent a flood of matching packets from filling up the system log with repetitive messages or using up system resources.
--limit — Sets the maximum number of matches for a particular time period, specified as a <value>/<period> pair. For example, using --limit 5/hour allows five rule matches per hour.
Periods can be specified in seconds, minutes, hours, or days.
If a number and time modifier are not used, the default value of 3/hour is assumed.
--limit-burst — Sets the maximum number of packets that can match the rule in a single burst before the --limit rate takes effect. The two options together behave as a token bucket: each match consumes one token, and tokens are replenished at the --limit rate, so with --limit 3/minute --limit-burst 5 the first five matching packets match immediately and after that one packet matches every 20 seconds for as long as the flood continues.
This option is specified as an integer and should be used in conjunction with the --limit option.
If no value is specified, the default value of five (5) is assumed.
state module — Enables matching on the connection-tracking state of a packet.
The state module enables the following option:
--state — Matches a packet in one or more of the following connection states:
ESTABLISHED — The matching packet belongs to a connection that has already seen traffic in both directions. You need to accept this state if you want to maintain a connection between a client and a server.
INVALID — The matching packet cannot be tied to a known connection, for example because it carries an impossible TCP flag combination or arrives out of sequence. Such packets should normally be dropped rather than left to fall through to later rules.
NEW — The matching packet is either creating a new connection or is part of a connection that has not yet seen traffic in both directions. You need to accept this state if you want to allow new connections to a service.
RELATED — The matching packet is starting a new connection related in some way to an existing connection. An example of this is FTP, which uses one connection for control traffic (port 21) and a separate connection for data transfer (port 20); the kernel can only classify the data connection as RELATED when the FTP connection-tracking helper module (nf_conntrack_ftp on current kernels) is loaded. ICMP error messages generated in response to an existing connection are also RELATED.
These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW. On current kernels the state module is a compatibility front end to the conntrack module; -m conntrack --ctstate accepts the same state names and is the preferred form in new rule sets.
mac module — Enables matching on the source hardware (MAC) address of an incoming Ethernet frame.
The mac module enables the following option:
--mac-source — Matches the MAC address of the network interface card that sent the packet, written as six colon-separated hexadecimal bytes, for example --mac-source 00:11:22:33:44:55. To exclude a MAC address from a rule, negate the match with an exclamation point character (!): older iptables releases accept the form --mac-source ! <address>, while current releases expect ! --mac-source <address> and warn that the older placement is deprecated. Two caveats apply. The match is only valid in the PREROUTING, FORWARD and INPUT chains, because an outgoing packet has no source MAC address yet. And the address seen is that of the last hop on the local network segment: traffic that arrived through a router carries the router's MAC address, and a host on the local segment can set its MAC address to any value it likes, so --mac-source is a convenience filter, not an authentication mechanism.
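The following script is an added example, not part of the original document or of the iptables project; it ties the three modules together in one INPUT policy. It assumes a server reached on eth0, a trusted LAN of 192.168.1.0/24 and a hypothetical administrator workstation with MAC address 00:11:22:33:44:55 (override these with the IFACE, LAN and ADMIN_MAC environment variables); the ipt, build_rules, show_rules and rule_count helper names and the DRY_RUN switch are mine. Applying the rules needs root; run the script with dry-run to print the commands it would issue instead.

```shell
#!/bin/sh
# Added example, not from the original document: a minimal stateful INPUT
# policy using the limit, state and mac modules. IFACE, LAN and ADMIN_MAC are
# assumptions (override via the environment); 00:11:22:33:44:55 is hypothetical.
# Usage:  sh firewall.sh dry-run   (print the rules)
#         sh firewall.sh apply     (install them; needs root)

IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.1.0/24}"
ADMIN_MAC="${ADMIN_MAC:-00:11:22:33:44:55}"

# Run iptables, or only print the command line when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -F INPUT

    # Loopback traffic is always accepted.
    ipt -A INPUT -i lo -j ACCEPT

    # state module: packets of connections already seen in both directions, and
    # packets related to them (FTP data, ICMP errors), are accepted first. This
    # is the rule that keeps existing sessions alive.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # INVALID packets belong to no known connection. Log at most 3 per minute
    # with a burst of 5 so a flood cannot fill the system log, then drop them.
    ipt -A INPUT -m state --state INVALID \
        -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix "IPT INVALID: "
    ipt -A INPUT -m state --state INVALID -j DROP

    # mac module: only the admin workstation may open NEW SSH connections.
    # Valid in INPUT because the frame arrived on a local Ethernet segment;
    # a MAC address is easily forged, so this is a convenience filter, not auth.
    ipt -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW \
        -m mac --mac-source "$ADMIN_MAC" -j ACCEPT

    # Any LAN host may open NEW HTTPS connections.
    ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 443 \
        -m state --state NEW -j ACCEPT

    # Everything else: rate-limited log (default burst of 5), then the chain
    # policy drops it.
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT DROP: "

    # Set the DROP policy last, after the ESTABLISHED,RELATED rule exists, so an
    # administrator's own SSH session is never cut during the rebuild.
    ipt -P INPUT DROP
}

# Print the rules without applying them.
show_rules() {
    ( DRY_RUN=1; build_rules )
}

# Number of -A rules in the policy; a quick sanity check after edits.
rule_count() {
    show_rules | grep -c '^iptables -A '
}

case "${1:-}" in
    apply)   build_rules ;;
    dry-run) show_rules ;;
esac
```

Two details matter in practice: the chain policy is switched to DROP only after the ESTABLISHED,RELATED rule is in place, so a remote administrator's session survives the rebuild, and every LOG rule carries a limit match, which is the pattern described above for keeping a flood of INVALID or unwanted packets out of the system log.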
Refer to the iptables man page for more match options available through modules.