Basic iptables question

kbnuts · 10-14-2014, 03:06 AM

Hi, I'm mondering why people set both protocol and match in rules..

eg:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

surely just

-A INPUT -p tcp --dport 22 -j ACCEPT

is sufficient as you've already said you're examining the tcp protocol so don't need to then also "match" it.

Or am I missing something?

keefaz · 10-14-2014, 05:01 AM

It is as the manual says, use -m --match if you want to use extension module to test specific property (--dport 22 property for example with tcp module)

But in your example, tcp match is implicitly set with -p tcp, so you don't need to explicitly use -m tcp here

kbnuts · 10-14-2014, 06:00 AM

Ah good, so it's not functionally needed there, it's just "good grammar".