LinuxQuestions.org
Old 07-04-2015, 06:15 AM   #1
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 588

Rep: Reputation: 52
-m tcp seems redundant in iptables


Given
Code:
iptables -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW  -j ACCEPT
Why is -m tcp necessary in this case?

The old-fashioned way of using stateful rules (-m state) in iptables doesn't require -m tcp; it seems a little redundant, as -p tcp is already included. Or, the other way around, maybe -p is redundant. Of course, I understand neither of them is, but what's the purpose?
 
Old 07-04-2015, 11:19 AM   #2
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora
Posts: 1,689

Rep: Reputation: 353
It's required for the --dport parameter.
 
Old 07-04-2015, 01:18 PM   #3
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 588

Original Poster
Rep: Reputation: 52
Quote:
Originally Posted by berndbausch
It's required for the --dport parameter.
Then what is -p tcp required for?
 
Old 07-05-2015, 07:14 AM   #4
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora
Posts: 1,689

Rep: Reputation: 353
Quote:
Originally Posted by vincix
Then what is -p tcp required for?
An iptables command specifies conditions for a packet, and the action (-j) that will be taken when a packet matches all conditions.
Furthermore, iptables is extensible. You can add modules that implement special processing for special packets.

Regarding your example:
  • -p is the protocol condition. In your example, a TCP packet matches the condition; a UDP, ICMP, GRE, etc. packet doesn't match.
  • the -m option is not a condition, but loads the tcp module, which allows processing of TCP packets. The --dport parameter (note the double dash, whereas -p and -m have a single dash) is an argument of the tcp module and provides a further condition, namely destination port 22.
  • conntrack is another module that is loaded by your example. --ctstate is a parameter of that module.

To summarize, your iptables command defines three conditions, two of which are implemented by modules that are loaded using the -m option.
 
2 members found this post helpful.
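To make the three-part structure described in the answer concrete (built-in protocol condition, match modules loaded with -m, and the options each module owns), here is an added example that is not code from the thread: a small Python linter that splits an iptables rule string into those parts and reports an option that no loaded module provides. It assumes only the constructed subset of modules and options listed in MODULE_OPTIONS (the real modules have many more). It also encodes one fact not stated in the thread but documented in the iptables manual: when "-p tcp" is given, iptables loads the tcp match module implicitly, so "-m tcp" after "-p tcp" is accepted but redundant (iptables-save still writes it out explicitly).

```python
"""Split an iptables rule into built-in conditions, match modules and target.

Added example, not code from the LinuxQuestions thread. MODULE_OPTIONS is a
constructed subset of the real option sets; unknown options are reported,
never guessed.
"""
import shlex

# Options owned by each match module (constructed subset of the real option sets).
MODULE_OPTIONS = {
    "tcp": {"--dport", "--sport", "--tcp-flags", "--syn"},
    "udp": {"--dport", "--sport"},
    "conntrack": {"--ctstate"},
    "state": {"--state"},
}
FLAG_OPTIONS = {"--syn"}            # options that take no value
BUILTIN = {"-s", "-d", "-i", "-o"}  # conditions iptables evaluates without a module
# Protocols whose same-named match module iptables loads implicitly on "-p <proto>",
# so "-p tcp --dport 22" is valid even without an explicit "-m tcp".
IMPLICIT_MATCH = {"tcp", "udp", "icmp"}


def parse_rule(rule):
    """Return a dict with chain, protocol, builtin, matches (module -> options),
    target, notes (harmless redundancy) and issues (errors iptables would reject)."""
    tokens = shlex.split(rule)
    r = {"chain": None, "protocol": None, "builtin": {}, "matches": {},
         "target": None, "notes": [], "issues": []}
    loaded = []  # match modules in load order; later modules shadow earlier ones
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("iptables", "ip6tables"):      # allow a pasted full command line
            i += 1
        elif tok in ("-A", "-I", "-D"):
            r["chain"] = nxt
            i += 2
            if i < len(tokens) and tokens[i].isdigit():   # optional rule number for -I/-D
                i += 1
        elif tok == "-p":
            r["protocol"] = nxt
            if nxt in IMPLICIT_MATCH and nxt not in loaded:
                loaded.append(nxt)
                r["matches"][nxt] = {}
                r["notes"].append(f"-p {nxt} implicitly loads the {nxt} match")
            i += 2
        elif tok == "-m":
            if nxt in loaded:
                r["notes"].append(f"-m {nxt} is redundant: {nxt} match already loaded")
            else:
                loaded.append(nxt)
                r["matches"][nxt] = {}
            i += 2
        elif tok == "-j":
            r["target"] = nxt
            i += 2
        elif tok in BUILTIN:
            r["builtin"][tok] = nxt
            i += 2
        elif tok.startswith("--"):
            # The most recently loaded module that provides this option owns it.
            owner = next((m for m in reversed(loaded)
                          if tok in MODULE_OPTIONS.get(m, ())), None)
            value = True if tok in FLAG_OPTIONS else nxt
            if owner is None:
                r["issues"].append(f"{tok} given but no loaded module provides it")
            else:
                r["matches"][owner][tok] = value
            i += 1 if tok in FLAG_OPTIONS else 2
        else:
            r["issues"].append(f"unrecognised token {tok!r}")
            i += 1
    if r["chain"] is None:
        r["issues"].append("no chain given (-A, -I or -D)")
    if r["target"] is None:
        r["issues"].append("no target given (-j)")
    return r


if __name__ == "__main__":
    # Constructed sample rules: the one from the question, and two variants.
    for rule in (
        "iptables -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT",
        "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT",
        "-A INPUT --dport 22 -j ACCEPT",
    ):
        parsed = parse_rule(rule)
        print(rule)
        for key in ("protocol", "matches", "target", "notes", "issues"):
            print(f"  {key}: {parsed[key]}")
```

Run against the rule from the question, the linter attributes --dport to the tcp module and --ctstate to conntrack, notes that the explicit -m tcp duplicates what -p tcp already loaded, and flags only that the pasted fragment has no chain. The third sample shows the failure mode the answer is about: --dport with neither -p tcp/udp nor -m tcp/udp has no module to back it, which is exactly the case in which iptables refuses the rule.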