Hi,

Hey, this worked for me too. I didn't know the order of the extensions had any effect.

Interestingly, I *HAD* to use --dports in this rule. If I used --dport without the s, it failed (invalid TCP port/service). I guess the tcp extension had already hooked into the --dport key by that point or something (although -p tcp should load the tcp extension; strange).

Thanks Jean Christophe.

John.

On Tue, 2003-06-24 at 11:27, Jean Christophe ANDRÉ wrote:
> Hi *,
>
> John Leach wrote:
> > yeah, I just checked that and I was wrong, whoops. Thanks.
> > The message I get trying to add your rule is:
> > iptables v1.2.8: multiport can only have one option
> > Try `iptables -h' or 'iptables --help' for more information.
> > As it says, multiport can't have both --source-port and
> > --destination-port in the same rule.
> > I expect you'll need to drop multiport and just create 2 rules (as long
> > as $EPHEMERAL_PORTS doesn't rely on the multiport functionality).
>
> Why not use something like this?
>
> iptables -A OUTPUT \
>   -s "$PUB_IP" -o "$PUB_IFACE" -p tcp \
>   -m tcp --sport 1024:65535 -m multiport --dports 443,4030 \
>   -m state --state NEW -j ACCEPT
>
> It works for me...
>
> J.C.

-- 
GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
HTTP: http://www.johnleach.co.uk
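The constraint the thread runs into is that the multiport match accepts only one of its port options (--sports, --dports or --ports) per rule, so a source range has to come from the tcp match (-m tcp --sport) while multiport carries the destination list. The script below is an added example written for this page, not code from either poster: it builds that rule, counts the port options handed to multiport before calling iptables, and rejects the form that iptables 1.2.8 refuses. The function names, the DRY_RUN variable, the address 192.0.2.10, the interface eth0 and the port list 443,4030 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: guard an iptables rule against the "multiport can only
# have one option" error before the rule is ever submitted.

# multiport_option_count ARGS... : number of port options that belong to
# "-m multiport". Options that follow "-m tcp" (--sport/--dport) are the
# tcp match's and are not counted. Long and short multiport names are both
# recognised; the singular forms are listed because the thread shows them
# being accepted by the multiport parser.
multiport_option_count() {
    mp_in=0      # 1 while the words being read belong to "-m multiport"
    mp_expect=0  # 1 when the previous word was -m / --match
    mp_count=0
    for arg in "$@"; do
        if [ "$mp_expect" = 1 ]; then
            mp_expect=0
            if [ "$arg" = multiport ]; then mp_in=1; else mp_in=0; fi
            continue
        fi
        case "$arg" in
            -m|--match) mp_expect=1 ;;
            --sports|--source-ports|--source-port|--dports|--destination-ports|--destination-port|--ports|--port)
                if [ "$mp_in" = 1 ]; then mp_count=$((mp_count + 1)); fi ;;
        esac
    done
    echo "$mp_count"
}

# apply_rule ARGS... : refuse the rule locally if multiport got more than
# one option; otherwise print the command (DRY_RUN=1, no root needed) or
# hand it to iptables.
apply_rule() {
    n=$(multiport_option_count "$@")
    if [ "$n" -gt 1 ]; then
        echo "refusing rule: multiport can only have one option (got $n)" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
        return 0
    fi
    iptables "$@"
}

# The form that works: tcp match for the ephemeral source range, multiport
# for the destination list. $1 = source IP, $2 = interface, $3 = dest ports.
accept_new_tcp_out() {
    apply_rule -A OUTPUT -s "$1" -o "$2" -p tcp \
        -m tcp --sport 1024:65535 \
        -m multiport --dports "$3" \
        -m state --state NEW -j ACCEPT
}

# The form iptables 1.2.8 rejects: both port options given to multiport.
bad_multiport_rule() {
    apply_rule -A OUTPUT -s "$1" -o "$2" -p tcp \
        -m multiport --sports 1024:65535 --dports "$3" \
        -m state --state NEW -j ACCEPT
}

# Demonstration with constructed values; dry run so nothing is installed.
DRY_RUN=1
accept_new_tcp_out 192.0.2.10 eth0 443,4030
bad_multiport_rule 192.0.2.10 eth0 443,4030 || echo "bad rule rejected before reaching iptables"
```

Run it as an unprivileged user with DRY_RUN=1 to see the two outcomes; unset DRY_RUN (and run as root) to have the accepted rule installed. The check is deliberately a pre-flight on the argument list rather than a replacement for iptables' own parser: it catches the one mistake discussed here and lets everything else through to iptables unchanged.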

