Re: Converting ipchains rules to iptables!

From: Andrew Carson
Date: Sat, 19 Oct 2002 20:35:59 +0800

> # Deny TCP and UDP packets to privileged ports
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
> Now, you helped me with these where $EXTIF and $ANY are assigned with
> # Deny TCP and UDP packets to privileged ports
> iptables -A INPUT -p udp -i $EXTIF -d $ANY 0:1023 -p udp -j LOG
> iptables -A INPUT -p udp -i $EXTIP -d $ANY 0:1023 -j DROP
> iptables -A INPUT -p tcp -i $EXTIF -d $ANY 0:1023 -j LOG
> iptables -A INPUT -p tcp -i $EXTIF -d $ANY 0:1023 -j DROP
> Now, iptables says ...
> Warning: wierd character in interface `-d' (No aliases, :, ! or *).
> Bad argument `0-1023'
> Why is this happening, please?
> thanks in advance.

When referring to a port in iptables, you refer to either the destination port
or the source port, so in this case you'd use:
-d $ANY --dport 0:1023

However, since iptables is stateful, there's no need to do this; you can
just do:
iptables -A INPUT -p tcp -i $EXTIF -m state --state NEW,INVALID -j DROP
This won't let *any* *new* packets in on $EXTIF; you just put your holes in
afterwards for services you are running.
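As an added example (not part of the thread), a small shell function that rewrites an ipchains input rule into the iptables rule(s) the reply describes: the chain name is upper-cased, the port range moves from `-d` to `--dport`, `DENY` becomes `DROP`, and the ipchains `-l` flag becomes a separate LOG rule ahead of the DROP. It only handles the flag subset used in the thread and prints the rules rather than running them, so the output can be reviewed before it is piped to sh.

```shell
#!/bin/sh
# convert_rule RULE: print the iptables equivalent(s) of one ipchains rule.
# Constructed helper for the flags the thread uses (-A/-l/-i/-s/-d/-p/-j);
# nothing is applied to the kernel, the rules are only printed.
convert_rule() {
    rule=$1
    log=0
    case " $rule " in *" -l "*) log=1 ;; esac          # ipchains -l = log the match

    # ipchains chain names are lower case, iptables ones upper case
    chain=$(printf '%s' "$rule" | sed -nE 's/^ipchains -A ([a-z]+).*/\1/p' | tr 'a-z' 'A-Z')

    # --dport/--sport belong to the tcp/udp match, which iptables only loads
    # once it has seen -p, so -p must come before them: pull it out here and
    # re-insert it right after the chain.
    proto=$(printf '%s' "$rule" | sed -nE 's/.* -p ([a-z0-9]+).*/\1/p')

    # Everything after the chain, minus -l and -p, with the ipchains
    # "ADDR PORT[:PORT]" form turned into --dport / --sport, and DENY -> DROP.
    rest=$(printf '%s' "$rule" | sed -E \
        -e 's/^ipchains -A [a-z]+ //' \
        -e 's/(^| )-l( |$)/\1/' \
        -e 's/(^| )-p [a-z0-9]+//' \
        -e 's/^ //' \
        -e 's/-d ([^ ]+) ([0-9]+(:[0-9]+)?)/-d \1 --dport \2/' \
        -e 's/-s ([^ ]+) ([0-9]+(:[0-9]+)?)/-s \1 --sport \2/' \
        -e 's/-j DENY$/-j DROP/')

    base="iptables -A $chain${proto:+ -p $proto} $rest"

    # LOG is non-terminating in iptables, so a LOG rule followed by the real
    # target reproduces what ipchains -l did on a single rule.
    [ "$log" = 1 ] && printf '%s\n' "$(printf '%s' "$base" | sed 's/-j [A-Z]*$/-j LOG/')"
    printf '%s\n' "$base"
}

# Sample input: the thread's privileged-port rule with concrete values
# (eth0 for $EXTIF, 0.0.0.0/0 for $ANY) in place of the variables.
convert_rule 'ipchains -A input -l -i eth0 -d 0.0.0.0/0 0:1023 -p udp -j DENY'
```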