blocking all traffic except selected ports

Ed netfilter at crazeecanuck.homelinux.net
Sun Apr 24 00:36:15 CEST 2005


Ed wrote:
> Jason Opperisano wrote:
> 

>>multiport doesn't support ranges, mport does (and it uses a ':' not a
>>'-'):
> 
> 
> Again, tiredness :S (glad you caught that).
> 
> 

Actually (after having a pot of coffee) I just looked at `iptables -m
multiport --help` on my box, and saw the following:


multiport v1.3.1 options:
 --source-ports [!] port[,port:port,port...]
 --sports ...
                                match source port(s)
 --destination-ports [!] port[,port:port,port...]
 --dports ...
                                match destination port(s)
 --ports [!] port[,port:port,port]
                                match both source and destination port(s)


It seems multiport has been updated to use port ranges after all.

(Note to self: don't reply to messages right after waking up either.
UGH! I thought there was a reason that I switched from mport to
multiport on my router...)

https://lists.netfilter.org/pipermail/netfilter-devel/2005-January/017977.html

# uname -r && iptables --version
2.6.11.7
iptables v1.3.1

From http://www.netfilter.org/patch-o-matic/pom-obsolete.html

> iptables mport match
> Author: Andreas Ferber <af at devcon.net>
> Status: Deprecated by 'multiport' version1 in 2.6.11-rcX
> 
> This module is an enhanced multiport match. It has support for byte
> ranges as well as for single ports.
> Up to 15 ports are allowed. Note that a portrange uses up 2 port values.
> 
> Examples:
> # iptables -A FORWARD -p tcp -m mport --ports 23:42,65

The way I understand it, if you're using a Linux kernel that is older
than 2.6.11-rcX, use mport.  Otherwise use multiport.

/me still admits being wrong about the ':' separator, as well as
forgetting about the UDP protocol for DNS though. =)

(Thanks for the nitpicking, J, it really is appreciated.  I don't want
to spread *incorrect* information.)
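The two things this thread settles (multiport takes `port:port` ranges with a ':' separator since iptables 1.3.1 / kernel 2.6.11, and a range costs two of the 15 port slots, as the pom-obsolete text says of mport) are easy to get wrong by hand, so here is a small POSIX sh script, written for this page and not part of the original thread, that checks a multiport spec against those rules before building the default-deny INPUT ruleset the subject line asks for. The helper names (`check_port`, `multiport_slots`, `allow_ports`, `default_deny`) and the `IPT` variable are the script's own; with `IPT` left at its default the iptables commands are only echoed, so it is safe to run on any box, and the 15-slot limit is the one the multiport/mport matches enforce in the kernel.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): default-deny INPUT policy that
# admits only selected ports via "-m multiport --dports", with the port spec
# validated against multiport's syntax before any rule is emitted.
#
# IPT defaults to "echo iptables" so the script only prints the rules.
# Run with IPT=iptables (as root) to actually load them.
IPT=${IPT:-echo iptables}

# check_port N: true if N is an integer in 1..65535.
check_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# multiport_slots SPEC: print how many of multiport's 15 port slots SPEC uses,
# where "lo:hi" counts as 2 and a single port as 1.  Fails on the old mport
# '-' range syntax, non-numeric ports, or an inverted range.
#   e.g. "80,443,6000:6010" -> 4, "23:42,65" -> 3
multiport_slots() {
    slots=0
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            *:*)
                lo=${item%%:*}; hi=${item#*:}
                check_port "$lo" && check_port "$hi" && [ "$lo" -le "$hi" ] || return 1
                slots=$((slots + 2)) ;;
            *)
                check_port "$item" || return 1     # rejects e.g. "23-42"
                slots=$((slots + 1)) ;;
        esac
    done
    echo "$slots"
}

# allow_ports PROTO SPEC: emit one ACCEPT rule for PROTO (tcp|udp) and SPEC,
# refusing specs that multiport itself would reject (empty, >15 slots, bad syntax).
allow_ports() {
    proto=$1; spec=$2
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    n=$(multiport_slots "$spec") || return 1
    [ "$n" -ge 1 ] && [ "$n" -le 15 ] || return 1
    $IPT -A INPUT -p "$proto" -m multiport --dports "$spec" -j ACCEPT
}

# default_deny: drop everything inbound except loopback and replies to
# connections we opened, so only the allow_ports rules admit new traffic.
default_deny() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Ruleset for a small router: ssh, web, and a passive-FTP data range over TCP,
# plus DNS on both TCP and UDP (the UDP half is the one that gets forgotten).
default_deny
allow_ports tcp 22,80,443,60000:60100
allow_ports tcp 53
allow_ports udp 53
```

Run it once without `IPT` set and read the echoed rules; note that `60000:60100` shows up as a single `--dports` argument and costs two of the fifteen slots, so a spec like sixteen individual ports is refused by `allow_ports` before iptables ever sees it.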




