On 05/10/2011 01:52 PM, Marco Shaw wrote:
From my testing, the default firewall rule you get when you add SSH
(via something like system-config-securitylevel) gives you:
...
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
...

I'm particularly interested in whether I'm interpreting this part
incorrectly "-m tcp -p tcp --dport 22".  So I'm using the TCP module
(-m tcp), and I would assume this is further defined using the
destination port (--dport 22).  Is the protocol (-p tcp) defined for
the entire line or defined for the module?

Wouldn't one assume it would have to be "-p tcp -m tcp --dport 22" (or
similar) or is iptables smart enough to figure things out and parse
the entire line to join the -m with the --dport?

Marco

According to the man page,

iptables can use extended packet matching modules. These are loaded in
two ways: implicitly, when -p or --protocol is specified, or with the
-m or --match options, followed by the matching module name; after
these, various extra command line options become available, depending
on the specific module. You can specify multiple extended match
modules in one line, and you can use the -h or --help options after the
module has been specified to receive help specific to that module.


So, -p tcp implicitly causes the tcp match module to be loaded.

The tcp match module gives you:

--source-port (--sport)
--destination-port (--dport)
--tcp-flags
--syn
--tcp-option


Based on that, it looks like you could leave the -m tcp off and still get the same result.

The -p tcp does apply to the whole line. Per the man page, the syntax for a rule add is:

-A chain rule-specification

rule-specification = [matches...] [target]
match = -m matchname [per-match options]
target = -j targetname [per-target-options]

So, you can do

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

and get the same result.

It does work correctly with the -p tcp between -m tcp and --dport. However, if you are writing your own rules, I like your idea of moving -p tcp out from the middle of a -m <match> <matchoptions>.

HTH,

Hugh
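
To make the man-page grammar above concrete, here is an added example (my own, not from anyone in the thread) that parses the three rule forms discussed into chain, rule-wide protocol, per-module options and target, treating -p tcp as implicitly loading the tcp match module. The option table and protocol list are assumptions limited to the modules the thread mentions, and the constructed rules are the ones quoted above.

```python
import shlex

# Options each match module makes available once loaded (subset of the
# iptables man page: just the tcp and state modules used in the thread).
MODULE_OPTIONS = {
    "tcp": {"--sport", "--source-port", "--dport", "--destination-port",
            "--tcp-flags", "--syn", "--tcp-option"},
    "state": {"--state"},
}
# Protocols whose -p implicitly loads the match module of the same name (assumed subset).
IMPLICIT_MODULES = {"tcp", "udp", "icmp"}

def parse_rule(rule):
    """Parse '-A chain [matches...] [target]' into (chain, proto, matches, target).

    -p is rule-wide, so it is kept separately; it also loads its module.
    matches maps module name -> {option: value}, in load order."""
    toks = shlex.split(rule)
    chain = proto = target = None
    matches = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            chain = toks[i + 1]; i += 2
        elif t in ("-p", "--protocol"):
            proto = toks[i + 1]
            if proto in IMPLICIT_MODULES:
                matches.setdefault(proto, {})   # implicit module load
            i += 2
        elif t in ("-m", "--match"):
            matches.setdefault(toks[i + 1], {}); i += 2
        elif t in ("-j", "--jump"):
            target = toks[i + 1]; i += 2
        elif t.startswith("--"):
            # An option is only valid once a loaded module defines it.
            owner = next((m for m in matches if t in MODULE_OPTIONS.get(m, set())), None)
            if owner is None:
                raise ValueError(f"option {t} used before its match module was loaded")
            if t == "--syn":
                matches[owner][t] = True; i += 1
            else:
                matches[owner][t] = toks[i + 1]; i += 2
        else:
            raise ValueError(f"unexpected token {t}")
    return chain, proto, matches, target

def rule_is_valid(rule):
    """True if the rule parses; False if an option precedes its module."""
    try:
        parse_rule(rule); return True
    except ValueError:
        return False

# Constructed: the original rule and the two rewrites discussed in the thread.
RULES = [
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT",
]

def all_equivalent(rules):
    parsed = [parse_rule(r) for r in rules]
    return all(p == parsed[0] for p in parsed)
```

Running it shows the three forms normalise to the same structure, while a rule that uses --dport before either -p tcp or -m tcp is rejected, which is the ordering constraint the man page describes.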

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list