[CentOS] iptables question

Tue Aug 26 17:47:28 UTC 2008
Ned Slider <ned at unixmail.co.uk>

Joseph L. Casale wrote:
> When do you know you need the "-m multiport" option? I see examples with -dport xx:xxx for example that sometimes use it and sometimes don't?
> I have read the man page and see what "-m multiport" requires, but don't see the requirement involving its use.
> 
> Thanks!
> jlc

I'll take a guess but am happy to be corrected if someone knows better...

My understanding is that --dport can only specify a single port (--dport 
80) or port range (--dport 137:139) inclusive. Use of the multiport 
module allows up to 15 ports (or port ranges) to be specified.

As for a potential usage - off the top of my head, suppose you wanted to 
open ports 137-139 and 445 for SMB/Samba. This could be achieved with a 
single rule using the multiport module whereas 2 individual rules would 
otherwise be needed. Again, suppose you wanted to open ports 21 (FTP), 
22 (SSH) and 110 (POP3) to a select IP address - you could do this in a 
single rule rather than 3 individual rules which opens up possibilities 
for optimizing/minimizing the number of iptables rules within a chain.

Ned