Problem when using -p ALL -s -d and --dport/--sport
Ian Mortimer
ian@ian.physics.uq.edu.au
Wed, 17 Oct 2001 09:51:33 +1000
Hi Lewis
> I've had a lot of joy from the netfilter code and am extremely grateful to be
> able to use it. I have noticed what appears to be a minor glitch, which I'm
> not sure has been mentioned previously. The error occurs when specifying
> the protocol as -p ALL while simultaneously specifying the -d & -s and
> --dport or --sport. Consider the following:
> iptables -A FORWARD -p ALL --dport 53 -i eth0 -s 10.0.0.1 -d 10.0.0.2 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> we get the error...
>
> iptables v1.2.2: Unknown arg `--dport'
> Try `iptables -h' or 'iptables --help' for more information.
>
> As soon as you change the protocol to -p tcp or -p udp the error disappears.
It's not an error or a glitch. That's how it's supposed to work.
The --dport and --sport tests are extensions which are only available
if the relevant protocols are loaded.
See:
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-7.html#ss7.1
Ian
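A worked illustration of the point in the reply above, added here and not part of the original thread or of the netfilter project's own tooling. What the first poster meant by "-p ALL --dport 53" (DNS over both TCP and UDP) cannot be written as one rule, because --dport and --sport are options of the tcp and udp match extensions and only exist once -p tcp or -p udp has been given; the script therefore expands such a request into one rule per protocol, with -p placed ahead of --dport so the port option is parsed after the match that provides it has been loaded. The helper names and the IPTABLES dry-run variable are this example's own assumptions; by default the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not code from the original posts.
# Builds FORWARD rules that match on a destination port the way netfilter
# expects: one rule per protocol, since --dport is unknown under "-p ALL".
#
# Assumptions of this example (not from the page): the helper names, and
# that rules are printed by default. Run with IPTABLES=iptables as root
# to apply them instead.
IPTABLES=${IPTABLES:-"echo iptables"}

# Emit one rule for one protocol. -p is deliberately placed before --dport:
# the port option belongs to the tcp/udp match that -p loads.
port_rule() {
    proto=$1; port=$2; iface=$3; src=$4; dst=$5
    case $proto in
        tcp|udp) ;;
        *)
            echo "port_rule: --dport needs -p tcp or -p udp, got '$proto'" >&2
            return 1
            ;;
    esac
    $IPTABLES -A FORWARD -p "$proto" -i "$iface" -s "$src" -d "$dst" \
        --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
}

# The replacement for "-p ALL --dport N": expand to a tcp rule and a udp rule.
port_rules_all() {
    port=$1; iface=$2; src=$3; dst=$4
    port_rule tcp "$port" "$iface" "$src" "$dst" &&
    port_rule udp "$port" "$iface" "$src" "$dst"
}

# Same addresses and interface as the rule in the question.
port_rules_all 53 eth0 10.0.0.1 10.0.0.2
```

Running it prints the two accepted rules; asking port_rule for protocol "all" is refused up front, which is the same condition iptables reports as "Unknown arg `--dport'".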