I'm in the middle of writing a Netfilter script and seem to be having a problem or two. For some reason I can't figure out how I can pass multiple port numbers in a single rule.

For example:

    #!/bin/sh
    # TCP services that we wish to pass as listed in /etc/services
    TCPIN="smtp www ftp ftp-data"
    TCPOUT="smtp www ftp ftp-data"

    ## TCP -- incoming and outgoing rules
    # First, reject all well known ports and services in both directions
    iptables -A INPUT --protocol tcp -i $DSLIFACE -s $ANYADDR --sport :1023 -j REJECT
    iptables -A OUTPUT --protocol tcp -o $DSLIFACE -d $ANYADDR --dport :1023 -j REJECT

    # Second, keep all TCP datagrams belonging to existing connections
    iptables -A INPUT -m multiport --protocol tcp -i $DSLIFACE --sport $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
    iptables -A OUTPUT -m multiport --protocol tcp -o $DSLIFACE --dport $TCPOUT ! --tcp-flags SYN,ACK ACK -j ACCEPT

    # Now allow those services that we wish to use.
    iptables -A INPUT --protocol tcp -i $DSLIFACE -s $ANYADDR --sport $TCPIN -j ACCEPT
    iptables -A OUPUT --protocol tcp -o $DSLIFACE -d $ANYADDR --dport $TCPOUT -j ACCEPT

When I attempt to run this script and test it I get:

    Bad argument `www'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `www'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `www'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `www'
    Try `iptables -h' or 'iptables --help' for more information.

This leads me to believe that I'm passing my services/ports wrong to netfilter. I've tried using commas with a space and commas without a space but nothing seems to help. Is there a way to pass multiple services/ports in a single rule?

Thanks for your help :-D

BTW -> These rules are still in the making so feel free to point out any mistakes that I might have made!!

Stef


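The following is an added example, not Stef's script: it shows how the multiport match actually takes its port list (one comma-separated argument via the plural options --sports/--dports, which also explains why the unquoted $TCPIN, expanded into four separate words, makes iptables choke on `www'). It also puts the ACCEPT rules ahead of the blanket REJECT so they can match at all, and spells OUTPUT correctly. The interface name ppp0 and the 0/0 address are assumed values; by default it prints the rules instead of loading them so it can be checked without root.

```shell
#!/bin/sh
# Added example: the "Bad argument `www'" error comes from the unquoted $TCPIN
# expanding to four separate arguments. The multiport match wants ONE
# comma-separated list via --sports/--dports/--ports (max 15 ports per rule).
DSLIFACE="${DSLIFACE:-ppp0}"   # assumed interface name
ANYADDR="${ANYADDR:-0/0}"      # assumed "any address"
TCPIN="smtp www ftp ftp-data"
TCPOUT="smtp www ftp ftp-data"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the rules instead of loading them

# Join a whitespace-separated service list into the single "a,b,c" argument
# that multiport expects; leading/trailing/extra whitespace is tolerated.
# Runs in a subshell so the IFS change does not leak out.
ports_csv() (
    set -- $1            # word-split on the default IFS (space/tab/newline)
    IFS=,
    printf '%s\n' "$*"   # "$*" joins the words with the first char of IFS
)

# Run iptables, or echo the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

install_rules() {
    in_csv=$(ports_csv "$TCPIN")
    out_csv=$(ports_csv "$TCPOUT")
    # Rules are matched in order: the ACCEPTs for wanted services must come
    # BEFORE the blanket REJECT of ports <=1023, or they never match.
    # Established traffic for the allowed services (non-SYN segments).
    ipt -A INPUT  -p tcp -i "$DSLIFACE" -m multiport --sports "$in_csv" ! --tcp-flags SYN,ACK ACK -j ACCEPT
    ipt -A OUTPUT -p tcp -o "$DSLIFACE" -m multiport --dports "$out_csv" ! --tcp-flags SYN,ACK ACK -j ACCEPT
    # New connections to/from the allowed services.
    ipt -A INPUT  -p tcp -i "$DSLIFACE" -s "$ANYADDR" -m multiport --sports "$in_csv" -j ACCEPT
    ipt -A OUTPUT -p tcp -o "$DSLIFACE" -d "$ANYADDR" -m multiport --dports "$out_csv" -j ACCEPT
    # Everything else on the well-known ports: a single range, so plain --sport/--dport is fine.
    ipt -A INPUT  -p tcp -i "$DSLIFACE" -s "$ANYADDR" --sport :1023 -j REJECT
    ipt -A OUTPUT -p tcp -o "$DSLIFACE" -d "$ANYADDR" --dport :1023 -j REJECT
}

install_rules
```

Run with DRY_RUN=0 as root to actually load the rules; with the default DRY_RUN=1 it just prints six iptables command lines.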