* creating one rule for both tcp and udp?
@ 2006-08-25 17:59 Matt Singerman
       [not found] ` <265CD2F3F15DEDF58A73A320@localhost>
  2006-08-26 18:47 ` Pascal Hambourg
  0 siblings, 2 replies; 3+ messages in thread
From: Matt Singerman @ 2006-08-25 17:59 UTC (permalink / raw)
  To: netfilter

Hi all,

I was wondering, if I wanted to filter packets on a specific port, can I 
write a single rule to work on both tcp and udp traffic, or will I have 
to write one rule for each?

Suppose, for instance, that I want to allow TCP and UDP packets from any 
host on port 548 to a machine with IP address 192.168.1.4, could I write 
a rule like:

-A FORWARD -s 0/0 -d 141.161.111.203  -p all --dport 548 -j ACCEPT

(please note, I am just using port 548 as an example.)

Now, I know that this doesn't work, because I tried it :)  I get back 
the error:

iptables v1.3.5: Unknown arg `--dport'

I am guessing that is because "-p all" includes ICMP, which doesn't take 
the --dport argument.  Am I wrong about that?

So, to do this, I would have to do two rules:

-A FORWARD -s 0/0 -d 141.161.111.203  -p tcp --dport 548 -j ACCEPT
-A FORWARD -s 0/0 -d 141.161.111.203  -p udp --dport 548 -j ACCEPT

Now, I would prefer not to do this, because in a lot of places, I would 
have to add a whole lot of rules.  So, I ask, is there a way to combine 
TCP and UDP into a single rule?

Thanks!

* Re: creating one rule for both tcp and udp?
       [not found] ` <265CD2F3F15DEDF58A73A320@localhost>
@ 2006-08-25 18:05   ` Matt Singerman
  0 siblings, 0 replies; 3+ messages in thread
From: Matt Singerman @ 2006-08-25 18:05 UTC (permalink / raw)
  To: David Lang; +Cc: netfilter

Hi David,

That still gives the same error.  From the manpage, it seems that -p is 
needed if using --dport, am I wrong about this?

David Lang wrote:
> just leave out the -p entirely
>
> David Lang
>
> --On Friday, August 25, 2006 01:59:40 PM -0400 Matt Singerman 
> <msingerman@ncemch.org> wrote:
>
>> Hi all,
>>
>> I was wondering, if I wanted to filter packets on a specific port, can I
>> write a single rule to work on both tcp and udp traffic, or will I have
>> to write one rule for each?
>>
>> Suppose, for instance, that I want to allow TCP and UDP packets from any
>> host on port 548 to a machine with IP address 192.168.1.4, could I write
>> a rule like:
>>
>> -A FORWARD -s 0/0 -d 141.161.111.203  -p all --dport 548 -j ACCEPT
>>
>> (please note, I am just using port 548 as an example.)
>>
>> Now, I know that this doesn't work, because I tried it :)  I get back 
>> the
>> error:
>>
>> iptables v1.3.5: Unknown arg `--dport'
>>
>> I am guessing that is because "-p all" includes ICMP, which doesn't take
>> the --dport argument.  Am I wrong about that?
>>
>> So, to do this, I would have to do two rules:
>>
>> -A FORWARD -s 0/0 -d 141.161.111.203  -p tcp --dport 548 -j ACCEPT
>> -A FORWARD -s 0/0 -d 141.161.111.203  -p udp --dport 548 -j ACCEPT
>>
>> Now, I would prefer not to do this, because in a lot of places, I would
>> have to add a whole lot of rules.  So, I ask, is there a way to combine
>> TCP and UDP into a single rule?
>>
>> Thanks!
>>
>
>
>
>

* Re: creating one rule for both tcp and udp?
  2006-08-25 17:59 creating one rule for both tcp and udp? Matt Singerman
       [not found] ` <265CD2F3F15DEDF58A73A320@localhost>
@ 2006-08-26 18:47 ` Pascal Hambourg
  1 sibling, 0 replies; 3+ messages in thread
From: Pascal Hambourg @ 2006-08-26 18:47 UTC (permalink / raw)
  To: netfilter

Hello,

Matt Singerman wrote:
> 
> -A FORWARD -s 0/0 -d 141.161.111.203  -p all --dport 548 -j ACCEPT
> 
> iptables v1.3.5: Unknown arg `--dport'
> 
> I am guessing that is because "-p all" includes ICMP, which doesn't take 
> the --dport argument.  Am I wrong about that?

It's a little more complicated than that. It's not that ICMP or other 
protocols don't take the --dport argument. Actually --dport is valid 
only with the "-m tcp" and "-m udp" matches, which in turn are only 
valid with - and implicitly created by - "-p tcp" and "-p udp" respectively.
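Since --dport only exists inside the tcp/udp matches, the two-rule form is unavoidable with plain iptables; the usual way to keep it from being typed by hand is to generate the pairs. The following is an added example, not from the thread or the netfilter project: a POSIX shell generator for the rule pairs plus a small lint that rejects the "-p all --dport" combination that produced the error above. The function names and the destination/port values are constructed for illustration.

```shell
#!/bin/sh
# Emit one TCP and one UDP FORWARD rule per port for a destination,
# in the exact form used in the thread. Usage: tcp_udp_rules DST PORT...
tcp_udp_rules() {
    dst=$1
    shift
    for port in "$@"; do
        for proto in tcp udp; do
            # -p tcp / -p udp implicitly load -m tcp / -m udp, which is
            # what makes --dport a valid option here.
            printf '%s\n' "-A FORWARD -s 0/0 -d $dst -p $proto --dport $port -j ACCEPT"
        done
    done
}

# Lint a single rule string: --dport/--sport are only valid when the
# protocol is tcp or udp. Returns 0 when the rule is acceptable, 1 when
# it would fail the way "-p all --dport 548" does in iptables v1.3.5.
dport_rule_ok() {
    rule=$1
    case $rule in
        *--dport*|*--sport*) ;;
        *) return 0 ;;            # no port match present, nothing to check
    esac
    case $rule in
        *"-p tcp "*|*"-p udp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count how many rules a port list expands to (2 per port).
rule_count() {
    tcp_udp_rules "$@" | wc -l | tr -d ' '
}

# Demo when run directly (constructed values: address from the thread, port 548):
if [ "${0##*/}" = "gen_rules.sh" ]; then
    tcp_udp_rules 141.161.111.203 548
fi
```

Feed the generated lines to iptables-restore (or prefix each with `iptables`) rather than pasting them by hand.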
