- account
- ACCOUNT target is a high-performance accounting system for large local networks
- asn
- match a packet by its source or destination Autonomous System Number
- chaos
- CHAOS target causes confusion on the other end by doing odd things with incoming packets
- condition
- matches if a specific condition variable is (un)set
- delude
- DELUDE target will reply to a SYN packet with SYN-ACK, and to all other packets with an RST
- dhcpmac
- DHCPMAC target/match in conjunction with ebtables can be used to completely change all MAC addresses from and to a VMware-based virtual machine
- dnetmap
- DNETMAP target allows dynamic two-way 1:1 mapping of IPv4 subnets
- echo
- ECHO target sends back all packets it receives
- fuzzy
- matches a rate limit based on a fuzzy logic controller (FLC)
- geoip
- match a packet by its source or destination country
- gradm
- match packets based on grsecurity RBAC status
- iface
- match allows checking interface states
- ipmark
- IPMARK target allows marking a received packet based on its IP address
- ipp2p
- matches certain packets in P2P flows
- ipv4options
- match against a set of IPv4 header options
- length2
- matches the length of a packet against a specific value or range of values
- logmark
- LOGMARK target will log packet and connection marks to syslog
- lscan
- match detects simple low-level scan attempts based upon the packet's contents
- pknock
- match implements so-called "port knocking", a stealthy system for network authentication
- proto
- modifies the protocol number in the IP packet header
- psd
- match attempts to detect TCP and UDP port scans (derived from Solar Designer's scanlogd)
- quota2
- match implements a named counter which can be increased or decreased on a per-match basis
- sysrq
- SYSRQ target allows remotely triggering sysrq on the local machine over the network
- tarpit
- TARPIT target captures and holds incoming TCP connections using no local per-connection resources