Cedric

Are we using different versions of iptables? The syntax "multiport" [as opposed to "mport"] works AOK for me...

Steve

-----Original Message-----
From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
Sent: 17 December 2003 8.50
To: Knight, Steve
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: quickie - exclamation point with multiport

On Wed 17/12/2003 at 09:25, Knight, Steve wrote:
> Just a quick one - I use $DMZPORTS to define the ports I wish to be allowed
> inbound on the forward chain - can I use
> ! -m multiport --dports $DMZPORTS
> to mean "any port that isn't specified by $DMZPORTS"?

The match is called "mport", not "multiport". So you call it using:

  -m mport [...]

The syntax you show is not good. You would have to write:

  -m mport ! --dports $DMZPORTS

Even though mport help does not mention inversion:

cbr@elendil:~$ iptables -m mport --help
[...]
mport v1.2.8 options:
 --source-ports port[,port:port,port...]
 --sports ...
                                match source port(s)
 --destination-ports port[,port:port,port...]
 --dports ...
                                match destination port(s)
 --ports port[,port:port,port]
                                match both source and destination port(s)

So it seems that inversion is not available. If you try to invert, it will not appear afterwards:

cbr@elendil:~$ sudo iptables -A INPUT -p tcp -m mport \
    ! --dports 22,23 -j ACCEPT
cbr@elendil:~$ sudo iptables -L INPUT -vn
Chain INPUT (policy ACCEPT 16456 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport dports 22,23

So I guess inverting mport is not possible.

By the way, you can get it using a user chain:

iptables -N invert
iptables -A invert -p tcp -m mport --dports 22,23 -j RETURN
iptables -A INPUT -p tcp -j invert

Now you'll have all TCP packets that do not match TCP 22 and 23 as destination port in the invert chain.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
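Cedric's user-chain trick works because of RETURN: a TCP packet whose destination port is in the mport list leaves the invert chain and resumes in INPUT right after the -j invert rule, while every other TCP packet keeps walking down invert. The Python model below is an added example, not code from the thread or from iptables; the DROP rule in invert, the trailing ACCEPT in INPUT and the sample packets are constructed assumptions.

```python
# Toy model of iptables chain traversal, constructed to show why the
# user-chain workaround from the thread behaves like "dport NOT in list".

def parse_ports(spec):
    """Parse an mport/multiport list such as '22,23,8000:8100' into a set."""
    ports = set()
    for item in spec.split(","):
        if ":" in item:                       # port:port range, inclusive
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports

def build_tables(dmzports):
    """Rules are (proto, port_set, target); None means 'match anything'."""
    return {
        "INPUT": [
            ("tcp", None, "invert"),          # iptables -A INPUT -p tcp -j invert
            (None, None, "ACCEPT"),           # assumed: whatever INPUT does next
        ],
        "invert": [
            # iptables -A invert -p tcp -m mport --dports $DMZPORTS -j RETURN
            ("tcp", parse_ports(dmzports), "RETURN"),
            ("tcp", None, "DROP"),            # assumed: only non-DMZ ports get here
        ],
    }

def walk(tables, chain, packet):
    """Return the verdict string, or None if the chain ends / RETURNs."""
    proto, dport = packet
    for rproto, ports, target in tables[chain]:
        if rproto is not None and rproto != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        if target == "RETURN":
            return None                       # back to the calling chain
        if target in tables:                  # jump into a user chain
            v = walk(tables, target, packet)
            if v is not None:
                return v
            continue                          # RETURNed: resume after the jump
        return target
    return None

def verdict(dmzports, packet):
    """Constructed packet is (proto, dport); 'POLICY' means no rule decided."""
    v = walk(build_tables(dmzports), "INPUT", packet)
    return v if v is not None else "POLICY"
```

Packets to a listed port RETURN to INPUT and are still subject to the rules that follow the jump there, so the inversion only governs what the rest of the invert chain sees.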