Ed wrote:
> Jason Opperisano wrote:
>
>> multiport doesn't support ranges, mport does (and it uses a ':' not a
>> '-'):
>
> Again, tiredness :S (glad you caught that).

Actually (after having a pot of coffee) I just looked at `iptables -m multiport --help` on my box, and saw the following:

multiport v1.3.1 options:
 --source-ports [!] port[,port:port,port...]
 --sports ...
                                match source port(s)
 --destination-ports [!] port[,port:port,port...]
 --dports ...
                                match destination port(s)
 --ports [!] port[,port:port,port]
                                match both source and destination port(s)

It seems multiport has been updated to use port ranges after all.

(Note to self: don't reply to messages right after waking up either. UGH! I thought there was a reason that I switched from mport to multiport on my router...)

https://lists.netfilter.org/pipermail/netfilter-devel/2005-January/017977.html

# uname -r && iptables --version
2.6.11.7
iptables v1.3.1

From http://www.netfilter.org/patch-o-matic/pom-obsolete.html

> iptables mport match
> Author: Andreas Ferber <af@xxxxxxxxxx>
> Status: Deprecated by 'multiport' version1 in 2.6.11-rcX
>
> This module is an enhanced multiport match. It has support for byte
> ranges as well as for single ports.
> Up to 15 ports are allowed. Note that a portrange uses up 2 port values.
>
> Examples:
> # iptables -A FORWARD -p tcp -m mport --ports 23:42,65

The way I understand it, if you're using a Linux kernel that is older than 2.6.11-rcX, use mport. Otherwise use multiport.

/me still admits being wrong about the ':' separator, as well as forgetting about the UDP protocol for DNS though. =)

(Thanks for the nitpicking, J, it really is appreciated. I don't want to spread *incorrect* information.)
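A pre-deployment check for the port-list syntax discussed in the thread, added here as an example rather than code from the post or from iptables itself: it parses a multiport/mport style list, rejects '-' as a range separator (the mistake caught above), counts a range as two of the 15 allowed port values (the limit quoted for mport; the kernel's multiport match enforces the same 15-value limit), and can tell whether a given port is covered by a spec. All function names are my own.

```python
# Hypothetical helper for checking iptables -m multiport / -m mport port
# lists before they go into a firewall script.  Not part of iptables.

MAX_PORT_VALUES = 15  # limit quoted for mport; a range uses up 2 values


class PortSpecError(ValueError):
    """Raised when a port list would be rejected (or mean something else)."""


def _parse_port(token):
    # A port must be a plain decimal number in 0..65535.
    if not token.isdigit():
        raise PortSpecError("port %r is not a number" % token)
    port = int(token)
    if port > 65535:
        raise PortSpecError("port %d is out of range" % port)
    return port


def parse_multiport_spec(spec):
    """Parse 'port[,port:port,port...]' into a list of (lo, hi) tuples.

    Single ports become (p, p).  Raises PortSpecError for '-' used as a
    range separator, reversed ranges, and more than 15 port values.
    """
    if "-" in spec:
        raise PortSpecError("ranges use ':' not '-' (got %r)" % spec)
    ranges = []
    used = 0
    for item in spec.split(","):
        if ":" in item:
            lo_s, hi_s = item.split(":", 1)   # 'a:b:c' fails in _parse_port
            lo, hi = _parse_port(lo_s), _parse_port(hi_s)
            if lo > hi:
                raise PortSpecError("range %s is reversed" % item)
            used += 2                         # a range costs two port slots
        else:
            lo = hi = _parse_port(item)
            used += 1
        ranges.append((lo, hi))
    if used > MAX_PORT_VALUES:
        raise PortSpecError("%d port values exceed %d" % (used, MAX_PORT_VALUES))
    return ranges


def spec_error(spec):
    """Return the error message for a bad spec, or None if it is acceptable."""
    try:
        parse_multiport_spec(spec)
    except PortSpecError as err:
        return str(err)
    return None


def spec_matches(spec, port):
    """True if 'port' falls inside any entry of the multiport spec."""
    return any(lo <= port <= hi for lo, hi in parse_multiport_spec(spec))
```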