Hello,
Vincent Regnard wrote:
With iptables 1.2.7 I had some rules where I could write some multiport
(port lists or ranges) both for source and destination ports, like this:
/sbin/iptables -A fw2net_eth3 -p tcp -m multiport -s 82.67.103.87
--sport 1024:65535 -d 0.0.0.0/0 --dports 80,8080,81,8000,1755 -j ACCEPT
iptables was coping well with this and expanded the port matrix into
appropriate single rules
What do you mean? Could you give an example of such an expansion?
But iptables 1.3.5 refuses to have multiport for both
source and destination ports and objects:
iptables v1.3.5: multiport can only have one option
Well, it seems that my old iptables 1.2.6a already had the same
limitation. I submitted your rule to it and got an error too.
So I have to re-write my firewall rules.
How did you rewrite the above rule?
If I reorder the options, so that the --sport parameter appears to
belong to the implicit "-m tcp" match created by "-p tcp", the rule is
accepted by my iptables 1.2.6a:
/sbin/iptables -A fw2net_eth3 -s 82.67.103.87 -d 0.0.0.0/0 \
-p tcp --sport 1024:65535 -m multiport --dports 80,8080,81,8000,1755 \
-j ACCEPT
As a general rule, it seems to me that it is more logical and readable to
put the parameters of a match right behind the match.
PS: what's the use of "-d 0.0.0.0/0"?
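Added example, not a script from either poster: a small POSIX shell generator that writes rules in the shape the reply above arrived at, with --sport attached to the implicit tcp match and only --dports given to multiport, so each -m multiport carries a single option. It also splits long destination-port lists, because the multiport match accepts at most 15 ports per invocation with a range counting as two; that limit comes from the multiport match itself and is not stated in the thread. The chain name and addresses are the ones from the thread; gen_rules, emit_rule and MULTIPORT_MAX are names chosen here.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script: emit iptables rules
# in the form iptables 1.2.x/1.3.x accepts, i.e. --sport on the implicit
# "-m tcp" match that "-p tcp" creates, and a single --dports on -m multiport.

# Assumption taken from the multiport match's own limit, not from the thread:
# at most 15 ports per -m multiport, and a lo:hi range counts as two.
MULTIPORT_MAX=15

# emit_rule CHAIN SRC DST SPORT DPORTS TARGET - print one rule line
emit_rule() {
    printf '/sbin/iptables -A %s -s %s -d %s -p tcp --sport %s -m multiport --dports %s -j %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# gen_rules CHAIN SRC DST SPORT_RANGE DPORT_LIST [TARGET]
# DPORT_LIST is comma-separated (single ports or lo:hi ranges). It is split
# into chunks that fit one multiport match, one rule per chunk.
gen_rules() {
    chain=$1; src=$2; dst=$3; sport=$4; dports=$5; target=${6:-ACCEPT}
    old_ifs=$IFS
    IFS=,
    set -- $dports          # positional params now hold the individual entries
    IFS=$old_ifs
    chunk=""; used=0
    for p in "$@"; do
        case $p in
            *:*) cost=2 ;;  # a range occupies two of the 15 slots
            *)   cost=1 ;;
        esac
        if [ $((used + cost)) -gt "$MULTIPORT_MAX" ]; then
            emit_rule "$chain" "$src" "$dst" "$sport" "$chunk" "$target"
            chunk=""; used=0
        fi
        chunk="${chunk:+$chunk,}$p"
        used=$((used + cost))
    done
    if [ -n "$chunk" ]; then
        emit_rule "$chain" "$src" "$dst" "$sport" "$chunk" "$target"
    fi
}

# The rule from the thread, rewritten in the accepted option order
gen_rules fw2net_eth3 82.67.103.87 0.0.0.0/0 1024:65535 80,8080,81,8000,1755
```

The output is plain text, so it can be reviewed before being sourced into a firewall script; "-d 0.0.0.0/0" is kept only to match the rule as posted. Whether a given iptables version accepts a generated line still has to be checked by running it against that version, as the reply above did with 1.2.6a.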