I'm currently trying to get a little better understanding of iptables, and I am reading through the wiki page for Simple Stateful Firewall at
https://wiki.archlinux.org/index.php/Si … l_firewall , which is full of great examples.
On this wiki, they create two user-defined chains, TCP, and UDP:
iptables -N TCP
iptables -N UDP
It appears that they send new incoming tcp or udp traffic to these user-defined chains here:
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
Later it uses these user-defined chains to open TCP port 80:
iptables -A TCP -p tcp --dport 80 -j ACCEPT
My question is, isn't the "-p tcp" redundant in the port 80 rule since the TCP chain is already classified as protocol tcp by the use of "-p tcp" in the previous rule?
EDIT: My mistake, early morning posting bites my butt again.
You need -p tcp there because only the 'udp' and 'tcp' modules load the --dport option, so without -p tcp, the --dport option will fail. So while it is redundant when looking at where the chain is called from, it is required to load the appropriate module for the rest of the rule.
Last edited by fukawi2 (2012-10-23 22:16:24)
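A small check that catches exactly the mistake fukawi2 describes, added here as an example and not code from the thread or the Arch wiki: it scans a file of iptables commands and flags any rule using --dport/--sport without the "-p tcp"/"-p udp" (or "-m tcp"/"-m udp") match that loads those options. The sample ruleset is constructed for the example and mirrors the wiki's TCP/UDP chain layout plus one deliberately broken rule.

```shell
#!/bin/sh
# Added example (not from the thread): lint iptables rule lines for
# --dport/--sport used without the tcp/udp match that provides the option.
# Flagged rules are printed to stdout; exit status 0 = clean, 1 = problems.

lint_port_rules() {
    # $1: file with one iptables command per line
    rules_file=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;                      # skip comments and blank lines
            *--dport*|*--sport*)
                case "$line" in
                    *'-p tcp'*|*'-p udp'*|*'-m tcp'*|*'-m udp'*) ;;   # option is loadable
                    *) printf 'missing -p tcp/udp: %s\n' "$line"; bad=1 ;;
                esac ;;
        esac
    done < "$rules_file"
    return "$bad"
}

# Constructed sample ruleset: the wiki's chain structure discussed above,
# plus one broken rule (port 22 with no -p tcp before --dport).
write_sample_rules() {
    cat > "$1" <<'EOF'
iptables -N TCP
iptables -N UDP
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A TCP -p tcp --dport 80 -j ACCEPT
iptables -A TCP --dport 22 -j ACCEPT
EOF
}

# Number of flagged rules in file $1 (printed to stdout).
count_bad_rules() {
    lint_port_rules "$1" | wc -l | tr -d ' '
}
```

Running the lint on the sample prints the port 22 rule as the one offender; the wiki's own rules pass.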
That makes sense. Thanks for your answer.