[CentOS] iptables question
ned at unixmail.co.uk
Tue Aug 26 17:47:28 UTC 2008
Joseph L. Casale wrote:
> When do you know you need the "-m multiport" option? I see examples with -dport xx:xxx for example that sometimes use it and sometimes don't?
> I have read the man page and see what "-m multiport" requires, but don't see the requirement involving its use.
I'll take a guess but am happy to be corrected if someone knows better...
My understanding is that --dport can only specify a single port (--dport
80) or port range (--dport 137:139) inclusive. Use of the multiport
module allows up to 15 ports (or port ranges) to be specified.
As for a potential usage - off the top of my head, suppose you wanted to
open ports 137-139 and 445 for SMB/Samba. This could be achieved with a
single rule using the multiport module whereas 2 individual rules would
otherwise be needed. Again, suppose you wanted to open ports 21 (FTP),
22 (SSH) and 110 (POP3) to a select IP address - you could do this in a
single rule rather than 3 individual rules which opens up possibilities
for optimizing/minimizing the number of iptables rules within a chain.
More information about the CentOS