Originally Posted by vincix
Then what is -p tcp required for then?
An iptables command specifies conditions for a packet, and the action (-j) that will be taken when a packet matches all conditions.
Furthermore, iptables is extensible. You can add modules that implement special processing for special packets.
Regarding your example:
- -p is the protocol condition. In your example, a TCP packet matches the condition; a UDP, ICMP, GRE, etc. packet doesn't match.
- the -m option is not a condition, but loads the tcp module, which allows processing of TCP packets. The --dport parameter (note the double dash, whereas -p and -m have a single dash) is an argument of the tcp module and provides a further condition, namely destination port 22.
- conntrack is another module that is loaded by your example. --ctstate is a parameter of that module.
To summarize, your iptables command defines three conditions, two of which are implemented by modules that are loaded using the -m option.
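The decomposition described in the answer above, carried out by a small parser, as an added example that is not part of the thread or of iptables itself. It splits a rule into the built-in conditions (-p, and for generality also -s, -d, -i, -o), the match modules loaded with -m together with their double-dash arguments, and the -j target. The full rule string is constructed here for illustration, since the thread quotes only the -p tcp, --dport 22 and --ctstate fragments; the chain, state list and ACCEPT target are assumptions. Such a breakdown is useful when auditing a rule set, because every listed condition must hold before the target fires.

```python
"""Decompose an iptables rule into built-in conditions, match modules and target.

Constructed example; the exact rule in the thread is not quoted in full.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample rule (chain, state list and target are assumed).
SAMPLE_RULE = ("iptables -A INPUT -p tcp -m tcp --dport 22 "
               "-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")

# Single-dash conditions implemented by iptables itself, not by a module.
BUILTIN_CONDITIONS = {"-p": "protocol", "-s": "source", "-d": "destination",
                      "-i": "in-interface", "-o": "out-interface"}


@dataclass
class Rule:
    table: str = "filter"
    command: str = ""                      # -A, -I, -D, -C
    chain: str = ""
    builtin: Dict[str, str] = field(default_factory=dict)   # e.g. protocol -> tcp
    modules: Dict[str, Dict[str, str]] = field(default_factory=dict)  # module -> {opt: val}
    target: Optional[str] = None           # -j


def parse_rule(cmdline: str) -> Rule:
    """Walk the tokens once; double-dash options attach to the last -m module."""
    tokens = shlex.split(cmdline)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    rule = Rule()
    current_module: Optional[str] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-I", "-D", "-C"):
            rule.command, rule.chain = tok, tokens[i + 1]
            i += 2
        elif tok == "-t":
            rule.table = tokens[i + 1]
            i += 2
        elif tok in BUILTIN_CONDITIONS:
            rule.builtin[BUILTIN_CONDITIONS[tok]] = tokens[i + 1]
            i += 2
        elif tok == "-m":
            # -m loads a match module; its options follow as --name value.
            current_module = tokens[i + 1]
            rule.modules.setdefault(current_module, {})
            i += 2
        elif tok == "-j":
            rule.target = tokens[i + 1]
            i += 2
        elif tok.startswith("--"):
            if current_module is None:
                raise ValueError(f"{tok} appears before any -m module")
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            rule.modules[current_module][tok[2:]] = tokens[i + 1] if has_value else "true"
            i += 2 if has_value else 1
        else:
            raise ValueError(f"unrecognised token {tok!r}")
    return rule


def conditions(rule: Rule) -> List[str]:
    """Every condition a packet must satisfy before the target is applied."""
    conds = [f"{name} == {value}" for name, value in rule.builtin.items()]
    for module, opts in rule.modules.items():
        conds.extend(f"{module}: {opt} == {val}" for opt, val in opts.items())
    return conds


if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print(f"{parsed.command} {parsed.chain} (table {parsed.table}) -> {parsed.target}")
    for cond in conditions(parsed):
        print("  must match:", cond)
```

Running it against the constructed rule lists three conditions (protocol, destination port from the tcp module, connection state from the conntrack module), which is exactly the count the answer arrives at; any extra -s or -i option would show up as a further built-in condition.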