Generic Matches
-p – Protocol – the IP protocol of the packet
- Can be specified with the protocol number, e.g.,
iptables -D OUTPUT -p 1 -j DROP
- Can be specified with the protocol name as long as the name is listed in /etc/protocols
- Can accept a comma-delimited list
iptables -I FORWARD 1 -p 50,51,57 -j ACCEPT
-f – Fragments – matches the second and further fragments of a fragmented packet
- Fragments will not match port-based rules, because only the first fragment carries the port numbers
- Balance between security and usability – a VPN may itself cause packets to be fragmented
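Why fragments do not match port-based rules, as an added example that is not part of the original slides: a constructed UDP datagram is split into IPv4 fragments, and only the fragment at offset 0 carries the port fields. The addresses, ports and function names are assumptions chosen for illustration, and `matches_dport` is a simplified model of a port rule, not iptables code.

```python
import struct

def ipv4_header(payload_len, proto, frag_offset_units, more_fragments):
    """Minimal 20-byte IPv4 header (checksum left 0; constructed sample values)."""
    flags_frag = (0x2000 if more_fragments else 0) | frag_offset_units  # MF bit + offset
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                       64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def fragment(l4_payload, proto, frag_size):
    """Split an L4 payload into IPv4 fragments; frag_size must be a multiple of 8."""
    frags = []
    for off in range(0, len(l4_payload), frag_size):
        chunk = l4_payload[off:off + frag_size]
        more = off + frag_size < len(l4_payload)
        frags.append(ipv4_header(len(chunk), proto, off // 8, more) + chunk)
    return frags

def is_later_fragment(pkt):
    """What -f selects: a non-zero fragment offset (second and further fragments)."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF != 0

def matches_dport(pkt, proto, dport):
    """Model of a '-p udp --dport N' rule: it needs the L4 header,
    which is present only in the fragment at offset 0."""
    if pkt[9] != proto or is_later_fragment(pkt):
        return False
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] == dport

def sample_fragments():
    """Constructed sample: UDP 40000 -> 53, 40 data bytes, 16 payload bytes per fragment."""
    data = b"A" * 40
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    return fragment(udp, 17, 16)

if __name__ == "__main__":
    for f in sample_fragments():
        print("later fragment:", is_later_fragment(f),
              "| port rule matches:", matches_dport(f, 17, 53))
```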