On Tuesday 18 June 2002 4:50 pm, Christoph Gossen wrote:
> Hello,
>
> I think there's a bug in the behaviour of the multiport module - for
> example, a line like
>
> iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP
>
> causes the same behaviour as
>
> iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP
>
> or
>
> iptables -p tcp -A OUTPUT --dport 25 -j DROP
>
> and NOT (as one would expect) that one caused by
>
> iptables -p tcp -A OUTPUT ! --dport 25 -j DROP
>
> Inverting the (set of) port(s) due to the "!" sign in the first line
> above is just ignored (no syntax error occurs)!
>
> Any comments?
I don't use the multiport match myself, but I'd expect it to be:

iptables -p tcp -A OUTPUT -m multiport --dport ! 25 -j DROP

In other words "a destination port which isn't 25"... What does that do for you?

I note from the man page for iptables, though, that --dport has the [ ! ] option, but "multiport --dport" doesn't, so maybe negating multiports is not supported at all?

If you enter all the above rules, what do you get from

iptables -L OUTPUT -v -n

?

Antony.
