Iptables with -m and -p parameter

firewall iptables centos

I have this rule in my iptables:

iptables -A INPUT -p tcp -m tcp --dport 9191 -j DROP

Do I really need "-m tcp"? I already am using "-p tcp", so should I use "-m tcp" to be more secure?


With the -p tcp option the tcp module is already loaded and therefor it is somewhat redundant and not a must to use the -m tcp option and I don't see any reason why using this option would make the rule more secure.

Please see the iptables man page for a better understanding and comparison:

-p, --protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

...

Match Extensions

iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

And for a list of available option with -p tcp see here:

http://ipset.netfilter.org/iptables-extensions.man.html#lbCF

As stated above, with the use of -m option it is possible to add extension modules and more matching options are then availble. For example the cpu module:

cpu

[!] --cpu number

Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 Can be used in combination with RPS (Remote Packet Steering) or multiqueue NICs to spread network traffic on different queues.

Example:

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT --to-port 8080

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT --to-port 8081

Available since Linux 2.6.36.

Full list of iptables-extensions.

Additional question from OP: I dont understand what does -m match. What string? -m tcp matches what? It tries to find the word "tcp" where?

Answer: -m is for matching module name and not string. By using a particular module you get certain options to match. See the cpu module example above. With the -m tcp the module tcp is loaded. The tcp module allows certain options: --dport, --sport, --tcp-flags, --syn, --tcp-option to use in iptables rules. But using -p tcp already enables tcp module, that's why one can still use those options even without using -m tcp. Hope it clears all your confusion.

Related

Insufficient regional quota to satisfy request for resource: "CPUS"
Ansible has difficulty restarting Supervisor
So how do I force upgrade from Ubuntu LTS to the next LTS without waiting for the point release?
IIS 7 WCF Webservices giving 404 error over HTTPS
Can Squid be used as "TLS termination proxy" to encrypt TCP connections using client certificates?
How does one diagnose Linux LACP issues at the kernel level?
Create Nginx redirect for a url with spaces (%20)
Sending email inside a docker container to hosts smtp running postfix
Kafka logfile location
SMB file server on multiple network cards
How do you perform a dump of a Neo4j database within a Docker container?
Error 0x80070005: Access Denied when first start Hyper-V in Windows 10 Pro