On Wed, 2007-03-14 at 12:41 -0400, Tony Nelson wrote:
> At 3:13 PM +1030 3/14/07, Tim wrote:
> >On Tue, 2007-03-13 at 10:53 -0400, Tony Nelson wrote:
> >> (Man iptables doesn't really explain --dport
> >
> >destination port - the rule will match something wanting to connect to
> >that port.
> >
> >> or --sport,
> >
> >source port - the rule will match something coming from that port.
> >
> >> or --port.
> >
> >Any use of that port.
>
> All that is obvious. What isn't clear from the man page is where they are
> allowed, as they should be documented at the top level of things if they
> are allowed everywhere, instead of being mentioned in a couple of the
> commands that can use them.

The use of a port directive ("--dport", "--sport" or "--port") is only
allowed on lines that specify a protocol that supports the concept of
ports such as TCP or UDP. So, if you have a "-p tcp" or "-p udp", you can
use port commands. Trying to specify a port on something like "-p icmp"
won't work since ICMP doesn't use ports.

> Rusty's iptables HOWTO is better, and I think I'm starting to make a good
> mental model.

It is a bit nasty to try to figure out at first. Don't think you're the
only one to be confused...

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer          rstevens@xxxxxxxxxxxxxxx -
- VitalStream, Inc.                         http://www.vitalstream.com -
-                                                                    -
- Squawk! Pieces of Seven! Pieces of Seven! Parity Error!            -
----------------------------------------------------------------------
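The rule stated in the reply (port options are only valid alongside a port-carrying protocol) can be checked mechanically before a rule ever reaches the kernel. The following is an added example, not code from the thread or from the iptables project: a small POSIX sh lint that inspects a rule's argument list for --sport/--dport/--port (and the multiport --sports/--dports/--ports) without a matching "-p tcp" or "-p udp". The function names are my own, and nothing here invokes iptables itself.

```shell
#!/bin/sh
# Added example: lint iptables rule strings for port options that lack a
# port-aware protocol. Only the argument list is inspected; iptables is never run.

rule_proto() {
    # Print the protocol named by -p/--protocol (lower-cased), or fail if absent.
    prev=""
    for tok in $1; do
        case "$prev" in
            -p|--protocol) printf '%s\n' "$tok" | tr 'A-Z' 'a-z'; return 0 ;;
        esac
        prev="$tok"
    done
    return 1
}

rule_uses_ports() {
    # Succeed if the rule carries a port option from the tcp/udp or multiport matches.
    for tok in $1; do
        case "$tok" in
            --sport|--dport|--port|--sports|--dports|--ports) return 0 ;;
        esac
    done
    return 1
}

check_rule() {
    # Succeed if the rule is consistent; fail (with a reason on stdout) if it
    # names a port without "-p tcp" or "-p udp". Assumption for this example:
    # only tcp and udp are treated as port-carrying (sctp/dccp also take ports
    # in iptables but are deliberately left out here).
    if rule_uses_ports "$1"; then
        proto=$(rule_proto "$1") || { echo "reject (no -p): $1"; return 1; }
        case "$proto" in
            tcp|udp) return 0 ;;
            *) echo "reject (-p $proto has no ports): $1"; return 1 ;;
        esac
    fi
    return 0
}

# Constructed sample rules: one valid, one ICMP-with-port, one with no protocol.
for r in "-A INPUT -p tcp --dport 22 -j ACCEPT" \
         "-A INPUT -p icmp --dport 22 -j ACCEPT" \
         "-A INPUT --dport 53 -j ACCEPT"; do
    if check_rule "$r"; then echo "ok: $r"; fi
done
```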