iptables doesn't seem to recognize --dport with -p all.

iptables -A INPUT -p all --dport www -j ACCEPT

yields:

iptables v1.4.4: unknown option `--dport'
Try `iptables -h' or 'iptables --help' for more information.

--destination-port doesn't work either: iptables v1.4.4: unknown option `--destination-port'

Adding two separate rules for -p tcp and -p udp works fine, so why doesn't it work for -p all?

In case it matters, this is on an Ubuntu 10.04 LTS Server with iptables package version 1.4.4-2ubuntu2.

jonS90
darkfeline

2 Answers

--dport is not a flag for general iptables rules. It's a flag for one of its extended packet matching modules. These are loaded when you use -p protocol or -m. Unless you specify -m <protocol> or -p <protocol> with a specific protocol, you can't use --dport.

You'll see this within the iptables(8) or iptables-extensions(8) manual page:

   tcp
       These extensions can be used if `--protocol tcp' is specified. It provides the
       following options:
       ...
       [!] --destination-port,--dport port[:port]
              Destination port or port range specification.  The flag --dport is a
              convenient alias for this option.
       ...

Not all protocols have a --dport flag because not all protocols support the notion of ports.

oczkoisse
Philip Reynolds

This doesn't explain why wrt can support the usage of `-p all --dport`, see: https://serverfault.com/questions/307087/iptables-rules-for-dns-transparent-proxy-with-ip-exceptions – ASBai Jun 08 '22 at 18:04

'all' encompasses more than just TCP and UDP; it also covers protocols like ICMP which have no concept of port numbers, and thus can't take a --dport parameter.

techieb0y
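The constraint the answers above describe, as an added example that is not part of the original posts: a POSIX sh pre-flight check for rule lines in a firewall script (the functions `check_dport_rule` and `expand_dport_rule` are my own names), which flags a `--dport`/`--sport` used without `-p tcp` or `-p udp` before `iptables` rejects it, and rewrites the question's `-p all --dport www` rule into the two rules that do work. It keys on `-p` because the tcp and udp matches only apply to their own protocol.

```shell
#!/bin/sh
# --dport/--sport live in the tcp and udp match extensions, so a rule may use
# them only when "-p tcp" or "-p udp" loads one of those matches. (sctp/dccp
# carry their own port options and are deliberately not handled here.)

# Returns 0 if the rule line is acceptable, 1 if it uses a port option with a
# protocol that has no ports (the exact mistake in the question).
check_dport_rule() {
    proto=all; uses_port=0
    # shellcheck disable=SC2086  # word-splitting the rule string is intended
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -p|--protocol) proto=$2; shift ;;
            --dport|--sport|--destination-port|--source-port) uses_port=1 ;;
            --dport=*|--sport=*|--destination-port=*|--source-port=*) uses_port=1 ;;
        esac
        shift
    done
    [ "$uses_port" -eq 0 ] && return 0      # no port option: nothing to check
    case $proto in
        tcp|udp) return 0 ;;                # port-aware match gets loaded
        *)       return 1 ;;                # all, icmp, esp, ... have no ports
    esac
}

# Prints a rule unchanged if it passes the check; rewrites "-p all ... --dport"
# into one tcp and one udp rule; rejects port options on other portless protocols.
expand_dport_rule() {
    if check_dport_rule "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    case " $1 " in
        *" -p all "*)
            for proto in tcp udp; do
                printf '%s\n' "$1" | sed "s/ -p all / -p $proto /"
            done ;;
        *)
            echo "error: port option with a portless protocol: $1" >&2
            return 1 ;;
    esac
}

# Constructed sample input: the rule from the question.
expand_dport_rule "-A INPUT -p all --dport www -j ACCEPT"
```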