On Wednesday 2011-10-05 07:09, David Alanis wrote:

>> iptables -A SERVICES -i eth0 -p tcp -m tcp --dport 22 -m comment
>> --comment "allow ssh into machine, from eth0" -j ACCEPT
>
> Your way is another way of doing it, but isn't Ganesh's rule wrong?
>
> The man page says that you can specify the protocol with *-p* or with the match
> option *-m*, so essentially that would be incorrect?
>
> MATCH EXTENSIONS
> iptables can use extended packet matching modules. These are loaded in two
> ways: implicitly, when -p or --protocol is specified, or with the -m or
> --match options, followed by the matching module name; after these,
> various extra command line options become available, depending on the specific
> module. You can specify multiple extended match modules in one line, and you
> can use the -h or --help options after the module has been specified to receive
> help specific to that module.

The manpage is a little unclear here. -p and -m are very much doing two
different things, and omitting -p usually gets you to not matching.
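An added example, not code from this thread or from the iptables/netfilter project: a small Python linter that reads iptables rules (in iptables-save form) and flags a protocol-bound match module such as `-m tcp` used without the corresponding `-p`, or used together with a different `-p`. Because iptables itself needs root and a kernel to run, the check works purely on rule text. The module-to-protocol table, the protocol-number table and the sample ruleset are constructed for this example; the first SERVICES rule in the sample is the one quoted in the thread.

```python
"""Lint iptables rules for match modules that need a matching -p/--protocol.

Hypothetical helper for firewall rule review; not part of iptables itself.
"""
import shlex

# Match modules that only apply to one IP protocol (assumption for this
# example: modules whose kernel side is bound to a single protocol).
PROTO_MATCHES = {"tcp": "tcp", "udp": "udp", "udplite": "udplite", "icmp": "icmp"}

# Numeric protocol values accepted by -p, mapped to the names used above.
PROTO_NUMBERS = {"6": "tcp", "17": "udp", "136": "udplite", "1": "icmp"}


def parse_rule(line):
    """Return (protocol or None, [match modules]) for one iptables rule line."""
    tokens = shlex.split(line)          # handles the quoted --comment string
    proto, matches = None, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-p", "--protocol") and i + 1 < len(tokens):
            value = tokens[i + 1].lower()
            proto = PROTO_NUMBERS.get(value, value)
            i += 2
        elif tok in ("-m", "--match") and i + 1 < len(tokens):
            matches.append(tokens[i + 1].lower())
            i += 2
        else:
            i += 1
    return proto, matches


def lint_rule(line):
    """Return a list of problems; an empty list means the -p/-m pairing is sane."""
    proto, matches = parse_rule(line)
    problems = []
    for module in matches:
        needed = PROTO_MATCHES.get(module)
        if needed is None:
            continue                    # -m comment, -m state, ...: protocol-agnostic
        if proto is None:
            problems.append(f"-m {module} used without -p {needed}")
        elif proto != needed:
            problems.append(f"-m {module} cannot match -p {proto} traffic")
    return problems


def lint_ruleset(text):
    """Lint iptables-save style text; return {line_no: [problems]} for bad rules."""
    findings = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip table headers (*filter), chain policies (:INPUT ...), COMMIT, comments.
        if not line or line[0] in "*:#" or line == "COMMIT":
            continue
        problems = lint_rule(line)
        if problems:
            findings[line_no] = problems
    return findings


# Constructed sample ruleset in iptables-save format; only line 5 is from the thread.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:SERVICES - [0:0]
-A INPUT -j SERVICES
-A SERVICES -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "allow ssh into machine, from eth0" -j ACCEPT
-A SERVICES -i eth0 -m tcp --dport 25 -j ACCEPT
-A SERVICES -p 6 -m tcp --dport 80 -j ACCEPT
-A SERVICES -p udp -m tcp --dport 53 -j ACCEPT
-A SERVICES -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for line_no, problems in lint_ruleset(SAMPLE_RULES).items():
        print(f"line {line_no}: " + "; ".join(problems))
```

Run against the sample, the linter reports line 6 (`-m tcp` with no `-p` at all) and line 8 (`-m tcp` under `-p udp`); the thread's own rule and the `-p 6` variant pass, since `-p` accepts the protocol number as well as the name.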