Re: Multiport trouble

To: HdV@DTO.TUDelft.NL
Cc: debian-firewall@lists.debian.org
Subject: Re: Multiport trouble
From: John Leach <john@johnleach.co.uk>
Date: 24 Jun 2003 11:23:57 +0100
Message-id: <[🔎] 1056450236.17743.49.camel@peppard.dark.lan>
In-reply-to: <[🔎] Pine.GSO.4.44.0306241043410.10214-100000@sanders.rc.tudelft.nl>
References: <[🔎] Pine.GSO.4.44.0306241043410.10214-100000@sanders.rc.tudelft.nl>

Hi again,

> iptables -A OUTPUT -o $PUB_IFACE -p tcp \
>          -m multiport --destination-port 80,8080,8888 \
>          -s $PUB_IP --source-port $EPHEMERAL_PORTS
>          -m state --state NEW -j ACCEPT

You missed a \ on the 3rd line.  This is the reason for the "-m: command
not found" message.

After experimenting a bit, I'm now thinking this might be a bug. 
Firstly though, multiport won't allow you to specify source and
destination ports in the same rule.  Only one or the other.  They are
mutually exclusive.

On top of that, it doesn't seem to like being given ranges (such as
1024:65535).  As I say, I think this is either a bug or just a
limitation of the multiport code (or I'm doing something silly).  Either
way, even if it was working ok, you shouldn't be able to specify both
source and destination ports when using multiport.

The following example works fine, but you'll need to repeat the whole
thing for all destination ports (80,8080,8888) as you can only specify
one at a time (as we can't use multiport and ranges).

iptables -A OUTPUT -o $PUB_IFACE -p tcp \
	--dport 80 -s $PUB_IP -s $EPHEMERAL_PORTS \
	-m state --state NEW -j ACCEPT

John.
-- 
GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
   HTTP: http://www.johnleach.co.uk

Reply to:

Follow-Ups:
- Re: Multiport trouble
  - From: HdV@DTO.TUDelft.NL

References:
- Re: Multiport trouble
  - From: HdV@DTO.TUDelft.NL

Prev by Date: Re: Multiport trouble
Next by Date: Re: Multiport trouble
Previous by thread: Re: Multiport trouble
Next by thread: Re: Multiport trouble
Index(es):
- Date
- Thread