iptables debian stable problem

When I run my firewall BASH script, this error comes up: Unknown arg –destination-port

Then I replaced every --destination-port with -dport, and then it complains about: Bad Argument '22' (22 being the SSH port).

This works perfectly at home on my Knoppix debian box.

Any ideas?

5 Replies

Linode Staff

I'll venture to guess iptables versions are different??

What's the full line that you're trying to execute?

From the Debian iptables man page:

MATCH EXTENSIONS
       tcp
              These extensions are loaded if `--protocol tcp' is specified. It
              provides the following options:
(snip)
              --destination-port [!] port[:port]
                     Destination port or port range specification.  The flag --dport 
                     is a convenient alias for this option.

-Chris

iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp –destination-port ssh -j LOG --log-level 1 --log-prefix STRING -m limit

iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port ssh -j ACCEPT

The other line is just the same, but with -dport instead of --destination-port and 22 instead of ssh.

The version on both debians (the knoppix and stable) is 1.2.9.

Hope this clarifies…

Linode Staff

li-20:~# cat /etc/debian_version
3.0
li-20:~# uname -a
Linux li-20.members.linode.com 2.4.25-linode24-1um #2 Sun Mar 28 15:14:01 EST 2004 i686 unknown
li-20:~# apt-get install iptables
Reading Package Lists... Done
Building Dependency Tree... Done
Sorry, iptables is already the newest version.
li-20:~# iptables -V
iptables v1.2.6a
li-20:~# iptables -A INPUT -s 192.168.1.0 -p tcp --destination-port ssh -j LOG --log-level 1 --log-prefix STRING -m limit
li-20:~# iptables -A INPUT -s 192.168.1.0 -p tcp --destination-port ssh -j ACCEPT
li-20:~#

Seems to have worked for me… ?

Maybe some funky-ness in your script?

-Chris

I executed my script line by line, and the last line was causing problems!

Thanks for the help. Happy holidays. :)

One little note: if you want to use -m owner with Debian stable, you'll need to compile iptables against a new kernel source. Somewhere around 2.4.20, they added another member to a struct that iptables uses, breaking old iptables binaries.

It's pretty simple, IIRC. I just downloaded the latest kernel from kernel.org, unpacked it, downloaded the latest iptables, and told the iptables build process where the kernel source was. If you do this, install in /usr/local instead of /usr so you don't overwrite Debian's iptables. Otherwise, if Debian releases a new iptables version that's still older than your hand-compiled one, the update will overwrite yours and break your firewall scripts.
