The iptables manual page for -m, --match match is:
Specifies a match to use, that is, an extension module that tests for a specific property. The set of matches make up the condition under which a target is invoked. Matches are evaluated first to last as specified on the command line and work in short-circuit fashion, i.e. if one extension yields false, evaluation will stop.
I do not understand what this means, specifically, what does the extension module mean?
Also, how is iptables -A INPUT -m tcp ... different from iptables -A INPUT -p tcp ... ?
Extension modules are just that: they extend the capabilities of iptables. For example, consider the owner module. The iptables options -m owner --uid-owner lp will select all packets sent by user lp. This feature is only available if you specify, as above, the owner module. Likewise, the tcp module makes available options for selecting, among other things, tcp flags such as ACK or RST. The available modules and their features are detailed in:

Also note that iptables is out-of-date. You should be using nftables instead.
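As an added illustration (not part of the question or the answer above), here is a constructed ruleset in iptables-save format that shows the points made in the answer: -p tcp implicitly loads the tcp match (so -p tcp --dport 22 is saved back as -p tcp -m tcp --dport 22), -m conntrack and -m owner must be named explicitly, and the owner match only works in OUTPUT. The user lp, port 631 and the chain policies are assumptions.

```iptables
# Constructed example; load with: iptables-restore < this-file
# Note: "-m tcp" is only accepted together with "-p tcp", because the tcp
# match is only valid for the tcp protocol; "-p tcp" on its own is enough to
# make the tcp match options (--dport, --tcp-flags, ...) available.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# conntrack is an explicit extension module: nothing in -p implies it
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# written as "-p tcp --dport 22"; iptables-save prints the implicit match back
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# the same tcp module provides --tcp-flags: drop new connections whose first
# packet is not a plain SYN
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
# the owner match inspects the local socket that produced the packet, so it is
# only valid in OUTPUT (and POSTROUTING), never in INPUT; user lp is assumed to exist
-A OUTPUT -p tcp -m owner --uid-owner lp -m tcp --dport 631 -j ACCEPT
COMMIT
```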