blocking all traffic except selected ports
netfilter at crazeecanuck.homelinux.net
Sun Apr 24 00:36:15 CEST 2005
> Jason Opperisano wrote:
>>multiport doesn't support ranges, mport does (and it uses a ':' not a
> Again, tiredness :S (glad you caught that).
Actually (after having a pot of coffee) I just looked at `iptables -m
multiport --help` on my box, and saw the following:
multiport v1.3.1 options:
--source-ports [!] port[,port:port,port...]
match source port(s)
--destination-ports [!] port[,port:port,port...]
match destination port(s)
--ports [!] port[,port:port,port]
match both source and destination port(s)
It seems multiport has been updated to use port ranges after all.
(Note to self: don't reply to messages right after waking up either.
UGH! I thought there was a reason that I switched from mport to
multiport on my router...)
# uname -r && iptables --version
> iptables mport match
> Author: Andreas Ferber <af at devcon.net>
> Status: Deprecated by 'multiport' version1 in 2.6.11-rcX
> This module is an enhanced multiport match. It has support for byte
> ranges as well as for single ports.
> Up to 15 ports are allowed. Note that a portrange uses up 2 port values.
> # iptables -A FORWARD -p tcp -m mport --ports 23:42,65
The way I understand it, if you're using a Linux kernel that is older
than 2.6.11-rcX, use mport. Otherwise use multiport.
/me still admits being wrong about the ':' separator, as well as
forgetting about the UDP protocol for DNS though. =)
(Thanks for the nitpicking, J, it really is appreciated. I don't want
to spread *incorrect* information.)
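Added example (not part of the original message or of the iptables project): a small POSIX shell script that builds the "block everything except selected ports" ruleset from the subject line with the multiport match, using the port-range syntax shown in the `--help` output above and remembering the UDP side of DNS. It also encodes the caveat quoted for mport, that a range consumes two of the 15 allowed port values, and applies that same 15-value limit to multiport (an assumption stated here, not something the thread confirms). The port lists are constructed for illustration, and the `IPT` variable is this script's own dry-run convention: by default it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example: default-deny INPUT chain admitting only selected ports via
# the multiport match. Not code from the original thread.
# IPT defaults to "echo iptables" (dry run: print the rules). Run with
# IPT=iptables to apply them for real.
: "${IPT:=echo iptables}"

# Count the port values a multiport list consumes: "a:b" counts as 2, "a" as 1
# (the quoted mport note; assumed here to hold for multiport as well).
multiport_count() {
    n=0
    old_ifs=$IFS; IFS=,
    for spec in $1; do
        case $spec in
            *:*) n=$((n + 2)) ;;
            *)   n=$((n + 1)) ;;
        esac
    done
    IFS=$old_ifs
    echo "$n"
}

# Succeed only if the list fits the assumed 15-value limit of the match.
multiport_ok() {
    [ "$(multiport_count "$1")" -le 15 ]
}

# Emit one ACCEPT rule for a protocol and a multiport destination list,
# refusing lists that would be rejected (or silently truncated) by the match.
allow_ports() {
    proto=$1; ports=$2
    if ! multiport_ok "$ports"; then
        echo "error: '$ports' needs more than 15 port values; split it into two rules" >&2
        return 1
    fi
    $IPT -A INPUT -p "$proto" -m multiport --destination-ports "$ports" -j ACCEPT
}

# Build the ruleset: flush INPUT, default DROP, allow loopback and replies to
# our own connections, allow the selected ports (TCP and UDP separately,
# since DNS needs udp/53 too), drop the rest.
build_ruleset() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Constructed port lists: ssh, DNS, http/https and a small TCP range.
    allow_ports tcp "22,53,80,443,8000:8010" || return 1
    # DNS and NTP over UDP.
    allow_ports udp "53,123" || return 1
    $IPT -A INPUT -j DROP
}

build_ruleset
```

With the default dry run the script just prints the `iptables` invocations, so the generated rules can be read before being applied; the `allow_ports` guard catches the case where a long list of ranges quietly exceeds the match's capacity, which is the sort of thing that otherwise only shows up as an "invalid argument" at load time or, worse, as a port that never gets opened.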