iptables: why use both -p and -m to match the target protocol?
The title is the question. I've seen it a few times; what's the difference between, i.e.:
iptables -A INPUT -p udp --dport 1234 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1234 -j ACCEPT
The second line has -m specified. It looks like it's the same, but is there an actual difference?
My guess is that when specifying -m, instead of just trusting the IP stack on the protocol, iptables will also analyze the packet headers (?). But then is that really more secure, and does it take significantly more processor power? Is it worth it? Or am I just way off and there's no difference whatsoever?
Quote:
It looks like it's the same, but is there an actual difference?
No. As noted in the iptables man page, specifying the protocol with -p implicitly loads the match extensions for that protocol, so, e.g., the following are equivalent:
Code:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
From the man page:
Quote:
...
iptables can use extended packet matching modules. These are loaded in
two ways: implicitly, when -p or --protocol is specified, or with the
-m or --match options, followed by the matching module name;
...
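As an added example (not from the thread or the iptables project): a small POSIX shell normaliser that spells out the match module -p already loads implicitly, so a rule written with and without -m compares equal when auditing a rule set, plus a duplicate finder built on it. The sample rules are constructed for the demonstration.

```shell
# canon_rule RULE
# Print RULE with the protocol match module spelled out: "-p udp --dport 1234"
# becomes "-p udp -m udp --dport 1234". Since -p already loads that module,
# both spellings are the same rule; this just makes the two compare equal.
canon_rule() {
    printf '%s\n' "$1" | awk '
    {
        proto = ""; explicit = 0
        # Find the protocol given with -p/--protocol, if any.
        for (i = 1; i < NF; i++)
            if ($i == "-p" || $i == "--protocol") proto = $(i + 1)
        # Is "-m <proto>" already present anywhere in the rule?
        for (i = 1; i < NF; i++)
            if (($i == "-m" || $i == "--match") && $(i + 1) == proto) explicit = 1
        out = ""
        for (i = 1; i <= NF; i++) {
            out = out (i > 1 ? " " : "") $i
            # Insert the implicit module right after "-p <proto>".
            if (($i == "-p" || $i == "--protocol") && proto != "" && !explicit) {
                out = out " " proto " -m " proto
                i++
            }
        }
        print out
    }'
}

# find_dupes < RULES
# Read one rule per line, canonicalise each, and print every canonical rule
# that occurs more than once, i.e. the same rule written both ways.
find_dupes() {
    while IFS= read -r rule; do
        [ -n "$rule" ] && canon_rule "$rule"
    done | sort | uniq -d
}

# Constructed sample rule set (not from the thread), mixing both spellings.
sample_rules() {
    cat <<'EOF'
iptables -A INPUT -p udp --dport 1234 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1234 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
EOF
}

sample_rules | find_dupes
```

Run against the sample set it prints the one udp rule that appears in both spellings; rules without -p pass through unchanged.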
heh, I guess that people who wrote the examples I've seen use the -m out of a habit of loading other modules. Or maybe just because they don't know it's useless.
Anyways, thanks for the clear explanation Berhanie!