iptables says "--dport" is an "Unknown Argument" ?


Floog
05-04-2004, 08:37 PM
Hmm.
Am I using the --dport parameter incorrectly? Bad syntax?? I don't get it, i've used it in the past with no problems.

Here are the iptables rules causing the error message:

$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 3297 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 3298 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 3299 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 3300 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 3301 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 3397 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 3497 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 17677 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 30477 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 34297 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 34397 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 34447 -j DNAT --to 199.201.13.11
$IPTABLES -t nat -A PREROUTING -i eth0 -p all --dport 34496 -j DNAT --to 199.201.13.11


And here's all the "Unknown Argument" messages:

iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
* Stopping firewall... [ ok ]
* Loading iptables state and starting firewall...
* Restoring iptables ruleset
* Enabling forwarding for ipv4 [ ok ]
bash-2.05b#

Can someone lend a hand here?
I can't seem to make any progress trying to get a WinBox on my LAN to be able to host games over the net. No one can see my host.

Thanks for your guidance.

Floog

bwkaz
05-04-2004, 10:12 PM
You can't use --dport with "-p all". Not all protocols have the concept of ports -- ICMP, for example, does not.

Ports only exist with TCP and UDP. I assume you want --proto tcp instead of --proto all, since very little runs on UDP (of course, I don't recognize any of those ports, so who knows with them).

Floog
05-05-2004, 01:56 AM
Mr. Bwkaz,

Thank you for your reply.
I completely forgot ICMP not relating to ports in any way.
It's always the little things that get overlooked when you're too focused on some other aspect.

In my case, I've been trying for close to a month, to figure out how to host internet games again from behind my firewall. I bought a new version of a racing simulation game and now nothing I try will allow players to see my host over the net and join my game.

Very frustrating.

Always good to hear from you, Bwkaz.

Floog




Originally posted by bwkaz
You can't use --dport with "-p all". Not all protocols have the concept of ports -- ICMP, for example, does not.

Ports only exist with TCP and UDP. I assume you want --proto tcp instead of --proto all, since very little runs on UDP (of course, I don't recognize any of those ports, so who knows with them).

bwkaz
05-05-2004, 07:06 PM
You could always try one iptables rule with -p udp --dport whatever, and then another rule with -p tcp --dport whatever (the same "whatever" both times).

If what you have still isn't working -- I'm not entirely clear on whether it is or not. ;)

Floog
05-07-2004, 04:16 PM
Mr. B,

The solution to this problem is embarrassingly simple.

First, you are absolutely right -- using the -p (protocol) rule with "-p tcp" in one statement and then repeating the same rule and port number with "-p udp" in the next statement worked perfectly.

Second, my rules originally had this very setup, but my firewall wasn't working so I kept trying to wrangle with new/different rules to try to get it working. It turns out my problem had nothing to do with misunderstanding iptables rules and everything to do with not understanding how initscripts work in Gentoo Linux.

See, coming from a long history with Slackware, I just got used to changing my rc.firewall file and then restarting iptables with a command placed into my rc.local file. But now I'm using Gentoo so it's handled a little differently. I read in the Gentoo handbook that the configuration files are kept in /etc/conf.d/...... and the initialization scripts are kept in /etc/init.d/..........

All I did was edit my /etc/conf.d/iptables file and then restart the iptables firewall using the command init.d script.

What I didn't realize is that I need to perform /etc/init.d/iptables save. Basically, none of my changes to the /etc/conf.d/iptables were being saved and recognized into the /var/lib/iptables/rules-save file that gets read by the init.d script. What can I say, I just didn't know. I've never run into this kind of setup before coming from a Slack-o-centric background.

Man o man that was a lesson learned the hard way.

My iptables rules are correct.
I got an opportunity to review the wondrous theory, grammar, and syntax that is iptables.
The firewall works.
I can go about hosting F1 Racing games in my free time.

Life is good once again.

Thanks for hangin' in with me through this problem, Mr. B.

Floog




Originally posted by bwkaz
You could always try one iptables rule with -p udp --dport whatever, and then another rule with -p tcp --dport whatever (the same "whatever" both times).

bwkaz
05-07-2004, 07:41 PM
Originally posted by Floog
What I didn't realize is that I need to perform /etc/init.d/iptables save.

Ah. Gentoo's init scripts apparently use the iptables-restore binary to pull the rules in from an external file (and they don't save the rules to that file when they shut down, only when you run the iptables script in save mode).

Glad it works!
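The fix the thread arrives at (one -p tcp and one -p udp rule per port instead of -p all, then saving the ruleset on Gentoo), as an added example script that is not from the original posts. It assumes eth0 is the WAN interface and 199.201.13.11 is the LAN game host, as in Floog's rules; the lint function flags the original -p all/--dport mistake before iptables rejects it.

```shell
#!/bin/sh
# Added example, not from the thread: emit the corrected DNAT rules for each game
# port as a TCP/UDP pair, since --dport is only valid with -p tcp or -p udp.
# Assumed from the thread: eth0 is the WAN side, 199.201.13.11 is the LAN host.
IPTABLES=${IPTABLES:-iptables}
WAN_IF=eth0
GAME_HOST=199.201.13.11
GAME_PORTS="3297 3298 3299 3300 3301 3397 3497 17677 30477 34297 34397 34447 34496"

# Print one PREROUTING DNAT rule per port and protocol.
# $1 = LAN host, $2 = inbound interface, remaining args = ports.
dnat_rules() {
    host=$1; iface=$2; shift 2
    for port in "$@"; do
        for proto in tcp udp; do
            echo "$IPTABLES -t nat -A PREROUTING -i $iface -p $proto --dport $port -j DNAT --to $host"
        done
    done
}

# Number of rule lines the generator produces (two per port).
rule_count() {
    dnat_rules "$GAME_HOST" "$WAN_IF" $GAME_PORTS | wc -l | tr -d ' '
}

# Lint a rule file on stdin: any line combining "-p all" with --dport/--sport
# is exactly what iptables rejects with "Unknown arg `--dport'".
# Prints offending lines; returns 0 when the ruleset is clean, 1 otherwise.
lint_rules() {
    ! grep -E -- '-p all .*--[ds]port'
}

# Apply the rules, or just print them when called with "dry-run".
# On Gentoo the live ruleset is not persisted automatically: after applying,
# run "/etc/init.d/iptables save" so /var/lib/iptables/rules-save is updated.
apply_rules() {
    if [ "$1" = "dry-run" ]; then
        dnat_rules "$GAME_HOST" "$WAN_IF" $GAME_PORTS
    else
        dnat_rules "$GAME_HOST" "$WAN_IF" $GAME_PORTS | sh
    fi
}

apply_rules dry-run
```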