blocking all traffic except selected ports

Ed netfilter at
Sun Apr 24 00:36:15 CEST 2005

Ed wrote:
> Jason Opperisano wrote:

>>multiport doesn't support ranges, mport does (and it uses a ':' not a
> Again, tiredness :S (glad you caught that).

Actually (after having a pot of coffee) I just looked at `iptables -m
multiport --help` on my box, and saw the following:

multiport v1.3.1 options:
 --source-ports [!] port[,port:port,port...]
 --sports ...
                                match source port(s)
 --destination-ports [!] port[,port:port,port...]
 --dports ...
                                match destination port(s)
 --ports [!] port[,port:port,port]
                                match both source and destination port(s)

It seems multiport has been updated to use port ranges after all.

(Note to self: don't reply to messages right after waking up either.
UGH! I thought there was a reason that I switched from mport to
multiport on my router...)

# uname -r && iptables --version
iptables v1.3.1


> iptables mport match
> Author: Andreas Ferber <af at>
> Status: Deprecated by 'multiport' version1 in 2.6.11-rcX
> This module is an enhanced multiport match. It has support for byte
> ranges as well as for single ports.
> Up to 15 ports are allowed. Note that a portrange uses up 2 port values.
> Examples:
> # iptables -A FORWARD -p tcp -m mport --ports 23:42,65

The way I understand it, if you're using a Linux kernel that is older
than 2.6.11-rcX, use mport.  Otherwise use multiport.

/me still admits being wrong about the ':' separator, as well as
forgetting about the UDP protocol for DNS though. =)

(Thanks for the nitpicking, J, it really is appreciated.  I don't want
to spread *incorrect* information.)
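To make the multiport range syntax discussed above concrete, here is an added example (not part of the original post) of a default-deny INPUT policy that accepts only selected TCP and UDP ports. It prints the iptables commands instead of applying them, so it runs without root; it also counts the 15 match slots a port list consumes, with a port:port range costing two, as the quoted mport text describes (multiport has the same 15-slot limit). The port numbers and the helper function names are constructed for the example.

```shell
#!/bin/sh
# Added example: generate a "block everything except selected ports" ruleset
# using multiport's port[,port:port,...] syntax. Rules are echoed, not run;
# pipe the output into sh on the firewall host to apply them.

# Count how many of multiport's 15 slots a comma-separated port list uses.
# A plain port takes 1 slot; a range "a:b" takes 2.
multiport_slots() {
    list=$1
    total=0
    oldifs=$IFS
    IFS=,
    for item in $list; do
        case $item in
            *:*) total=$((total + 2)) ;;
            *)   total=$((total + 1)) ;;
        esac
    done
    IFS=$oldifs
    echo "$total"
}

# Succeed (exit 0) if the list fits in a single multiport match.
multiport_fits() {
    [ "$(multiport_slots "$1")" -le 15 ]
}

# Print one ACCEPT rule for protocol $1 and port list $2, refusing lists
# that would be rejected by iptables for exceeding the slot limit.
allow_ports_rule() {
    proto=$1
    ports=$2
    if ! multiport_fits "$ports"; then
        echo "error: '$ports' needs more than 15 multiport slots; split it" >&2
        return 1
    fi
    echo "iptables -A INPUT -p $proto -m multiport --dports $ports -j ACCEPT"
}

# Emit the whole policy: drop by default, keep loopback and replies to
# established connections, then open the listed TCP and UDP ports.
firewall_script() {
    tcp_ports=$1
    udp_ports=$2
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    allow_ports_rule tcp "$tcp_ports" || return 1
    allow_ports_rule udp "$udp_ports" || return 1
}

# Constructed sample: SSH, HTTP, HTTPS and an X11 range over TCP, DNS over UDP.
firewall_script "22,80,443,6000:6010" "53"
```

The UDP line exists precisely because of the DNS point conceded above: a TCP-only allow list silently breaks name resolution once the INPUT policy is DROP.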
