match = -m matchname [per-match-options]
But it confuses me. Here's an example:
iptables -A INPUT -p tcp -m multiport --dports 23,79 --tcp-flags ALL SYN -m recent --update --seconds 180 -m comment --comment "SYN" -j DROP
Can someone explain to me the theory behind it, why I don't have to use -m before --tcp-flags (maybe I should?), like this:
iptables -A INPUT -p tcp -m multiport --dports 23,79 -m --tcp-flags ALL SYN -m recent --update --seconds 180 -m comment --comment "SYN" -j DROP
It would make more sense to me if it was written like this:
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -m multiport --dports 23,79 -m recent --update --seconds 180 -m comment --comment "SYN" -j DROP
And why should I use -m for comment? I see it everywhere, but I would like to know why, and not something else. I'm questioning it a little bit because it's not a match, so that's a bit weird.
Thank you.
-m is used for adding extensions to the regular matching. Normally you cannot use --dports to specify multiple ports; -m multiport adds this extension. If you only need to match on a single port (or not match on a port at all), there is no reason for -m multiport.

There is a "MATCH EXTENSIONS" section of the iptables manpage which describes what other extensions one might use. "state" is a very common one, which will let you match on the state of the connection that the packet is in, like NEW, ESTABLISHED, RELATED.
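As an added example (not from the original post or from the iptables project), here is a small POSIX shell function that walks a rule's arguments and reports which match module handles each option. It relies on the iptables(8) rule that -p tcp implicitly loads the tcp match (so --tcp-flags needs no -m tcp) while multiport, recent and comment must be loaded with -m; the option-to-module table is hand-written for just the options in the question and is not exhaustive.

```shell
#!/bin/sh
# Walk an iptables rule and report which match module handles each option.
# Returns 1 if an option appears before its module is loaded, which is the
# case iptables itself rejects with an "unknown option" error.
# The option->module table is a hand-written subset of the iptables(8) man page.
explain_rule() {
    loaded=" "     # match modules loaded so far, space-delimited
    prev=""
    rc=0
    for arg in "$@"; do
        case "$prev" in
            -p|--protocol)     # -p tcp implicitly loads the "tcp" match module
                loaded="$loaded$arg "
                printf '%-12s implicitly loads match "%s"\n' "-p $arg" "$arg" ;;
            -m|--match)        # -m explicitly loads a match extension
                loaded="$loaded$arg "
                printf '%-12s explicitly loads match "%s"\n' "-m $arg" "$arg" ;;
        esac
        prev="$arg"
        case "$arg" in
            --tcp-flags|--syn|--tcp-option)    need=tcp ;;
            --dports|--sports|--ports)         need=multiport ;;
            --update|--set|--rcheck|--seconds) need=recent ;;
            --comment)                         need=comment ;;
            *) continue ;;     # not a match option we know about
        esac
        case "$loaded" in
            *" $need "*) printf '%-12s handled by match "%s"\n' "$arg" "$need" ;;
            *) printf '%-12s ERROR: needs -m %s, which is not loaded\n' "$arg" "$need"
               rc=1 ;;
        esac
    done
    return $rc
}

# The rule from the question: every option resolves to a loaded module.
explain_rule -A INPUT -p tcp -m multiport --dports 23,79 --tcp-flags ALL SYN \
    -m recent --update --seconds 180 -m comment --comment "SYN" -j DROP
```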