A small list of some commonly used options:

-p  protocol to match; can be a name defined in /etc/protocols or the IP protocol number
-i  input interface to match; only works in INPUT and FORWARD
-o  output interface to match; only works in FORWARD and OUTPUT
-s  source address to match, e.g. 192.168.1.1 or 192.168.1.0/24
-d  ditto for destination address
-m  an external match module, more on this soon
-j  action to perform if the packet matches the rule
!   negate the option that follows
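The options above combined into a small default-deny ruleset, as an added example that is not part of the original text. The interface names (eth0, eth1) and the LAN network are assumptions; IPT defaults to "echo iptables" so the script only prints the commands unless you set IPT=iptables and run it as root.

```shell
#!/bin/sh
# Added example: minimal default-deny INPUT policy built from the options listed above.
IPT="${IPT:-echo iptables}"          # dry-run by default; set IPT=iptables to apply
LAN_IF="${LAN_IF:-eth0}"             # assumed LAN interface name
WAN_IF="${WAN_IF:-eth1}"             # assumed WAN interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}" # the example network from the text

apply_rules() {
    $IPT -P INPUT DROP                                    # -P: default policy, drop anything unmatched
    $IPT -A INPUT -i lo -j ACCEPT                         # -i / -j: accept everything on loopback
    $IPT -A INPUT -i "$LAN_IF" ! -s "$LAN_NET" -j DROP    # !: drop LAN-side packets NOT from the LAN range (anti-spoofing)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # -m: conntrack match module
    $IPT -A INPUT -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT              # -p / -s: SSH only from the LAN
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT  # rate-limited ping
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT # -o: only valid in FORWARD/OUTPUT
    $IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "      # -j LOG: record what the DROP policy will discard
}

apply_rules
```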