
#1 2012-10-23 17:33:57

johni
Member
Registered: 2012-02-03
Posts: 102

iptables question.

I'm currently trying to get a little better understanding of iptables, and I am reading through the wiki page for Simple Stateful Firewall at
https://wiki.archlinux.org/index.php/Si … l_firewall , which is full of great examples.

On this wiki, they create two user-defined chains, TCP, and UDP:

iptables -N TCP
iptables -N UDP

It appears that they send new incoming tcp or udp traffic to these user-defined chains here:

iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

Later it uses these user-defined chains to open TCP port 80:

iptables -A TCP -p tcp --dport 80 -j ACCEPT

My question is, isn't the "-p tcp" redundant in the port 80 rule since the TCP chain is already classified as protocol tcp by the use of "-p tcp" in the previous rule?


#2 2012-10-23 22:14:25

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,223

Re: iptables question.

EDIT: My mistake, early morning posting bites my butt again.

You need -p tcp there because only the 'udp' and 'tcp' modules load the --dport option, so without -p tcp, the --dport option will fail. So while it is redundant when looking at where the chain is called from, it is required to load the appropriate module for the rest of the rule.

Last edited by fukawi2 (2012-10-23 22:16:24)

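The point of the answer above, shown in working form as an added example (this is not code from the thread or from the Arch wiki): a condensed version of the wiki's TCP/UDP user-chain layout in iptables-restore format, plus a small lint that flags the exact mistake under discussion, a `--dport`/`--sport` rule with no `-p tcp`/`-p udp` (or other port-carrying protocol) to load the match module. The open ports (22/tcp, 80/tcp, 53/udp) are assumptions for the example; `load_ruleset` needs root and a kernel with netfilter and is defined but not called by the demo at the bottom.

```shell
#!/bin/sh
# Added example, not code from the thread or the Arch wiki.
# Shows the wiki's TCP/UDP user chain layout as an iptables-restore
# ruleset, and a lint for the exact mistake the thread discusses:
# a --dport/--sport rule that never loads the tcp/udp match with -p.

# Condensed stateful ruleset in iptables-restore format. The open
# ports (22/tcp, 80/tcp, 53/udp) are an assumption for this example.
stateful_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -p tcp --dport 80 -j ACCEPT
-A UDP -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Read rules on stdin; report every --dport/--sport rule that carries no
# protocol match. iptables itself rejects such a rule as an unknown
# option, because --dport belongs to the tcp/udp (and sctp/dccp) match
# modules, which -p loads implicitly. Exit status 0 means clean.
lint_port_rules() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            *--dport*|*--sport*)
                case "$rule" in
                    *"-p tcp"*|*"-p udp"*|*"-p udplite"*|*"-p sctp"*|*"-p dccp"*|\
                    *"--protocol tcp"*|*"--protocol udp"*|\
                    *"-m tcp"*|*"-m udp"*|*"-m sctp"*|*"-m dccp"*) ;;
                    *)
                        bad=$((bad + 1))
                        printf 'missing protocol match: %s\n' "$rule" ;;
                esac ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Number of rules on stdin that lint_port_rules rejects (0 when clean).
count_bad_port_rules() {
    lint_port_rules | wc -l | tr -d ' '
}

# Lint first, then hand the ruleset to iptables-restore (needs root).
# -t only parses the ruleset; drop it to actually load the rules.
load_ruleset() {
    stateful_ruleset | lint_port_rules >/dev/null || return 1
    stateful_ruleset | iptables-restore -t
}

# Demo: the wiki-style ruleset is clean; the rule from the question
# with "-p tcp" removed is not.
stateful_ruleset | lint_port_rules && echo "ruleset: ok"
printf '%s\n' '-A TCP --dport 80 -j ACCEPT' | lint_port_rules || echo "rejected, as iptables would"
```

The lint is deliberately stricter than "is this chain only reached by TCP": iptables checks each rule on its own, so a rule in the TCP chain gets no protocol context from the `-j TCP` jump in INPUT, and `--dport` is unknown until `-p tcp` (or `-p udp`, `-p sctp`, `-p dccp`) has loaded the module that defines it.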

#3 2012-10-23 22:54:54

johni
Member
Registered: 2012-02-03
Posts: 102

Re: iptables question.

That makes sense. Thanks for your answer.

