iptables error: unknown option --dport
Solution 1:
First give a -p option like -p tcp or -p udp.
Examples:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
You could also try -p all, but I've never done that and don't find too much support for it in the examples.
Solution 2:
Protocol (-p) is required if you use --dport. Example: -p tcp
Solution 3:
@dmourati and @diegows already answered your first question, so I'll tackle your second question. And bonus question. And I'll also throw in a bonus tip ;)
iptables -P only accepts BUILT-IN chains. In the filter table, those would be the INPUT, OUTPUT, and FORWARD chains.
Port forwarding does not get handled by the INPUT chain, so you don't have to open the port in the INPUT chain. It does get handled by the FORWARD chain, though. Be careful on that.
Bonus tip: When learning and/or troubleshooting iptables, the output of iptables-save is head and shoulders better than the output of iptables -L -v --line-numbers. Try it, you'll be pleasantly surprised :)
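The two syntax mistakes discussed in Solutions 1 to 3 (a port option without -p, and -P on a chain that is not built in), checked by a small POSIX sh lint before a rule is applied. This is an added example, not code from any of the answers; check_iptables_rule is a hypothetical helper and the rule strings are constructed. It checks only the rule text, so it does not cover running without root or an nftables/legacy backend mismatch.

```shell
#!/bin/sh
# Added lint for iptables rule strings (example code, not from the answers
# above). It catches two of the mistakes discussed in this thread before a
# rule is applied:
#   1. --dport/--sport given without a protocol match (-p tcp, -p udp, ...)
#   2. -P (default policy) applied to a chain that is not built in
# Returns 0 when the rule passes, prints a reason and returns 1 otherwise.
check_iptables_rule() {
    # Collapse runs of blanks so every option is surrounded by single spaces.
    rule=$(printf ' %s ' "$1" | tr -s '[:blank:]' ' ')

    # 1. Port options come from the tcp/udp/sctp/dccp/udplite matches,
    #    which iptables only loads when -p names one of those protocols.
    case "$rule" in
        *" --dport "*|*" --sport "*)
            case "$rule" in
                *" -p tcp "*|*" -p udp "*|*" -p udplite "*|*" -p sctp "*|*" -p dccp "*) ;;
                *" --protocol tcp "*|*" --protocol udp "*) ;;
                *) echo "missing -p <proto> before --dport/--sport: $rule"; return 1 ;;
            esac ;;
    esac

    # 2. Work out the table (-t, default filter) and the chain named by -P.
    table=filter; chain=""; prev=""
    set -f                      # no globbing while splitting the rule into words
    for tok in $rule; do
        case "$prev" in
            -t|--table)  table=$tok ;;
            -P|--policy) chain=$tok ;;
        esac
        prev=$tok
    done
    set +f
    if [ -n "$chain" ]; then
        # Built-in chains per table; -P on any other chain is rejected by iptables.
        case "$table:$chain" in
            filter:INPUT|filter:OUTPUT|filter:FORWARD) ;;
            nat:PREROUTING|nat:INPUT|nat:OUTPUT|nat:POSTROUTING) ;;
            mangle:PREROUTING|mangle:INPUT|mangle:FORWARD|mangle:OUTPUT|mangle:POSTROUTING) ;;
            raw:PREROUTING|raw:OUTPUT) ;;
            *) echo "-P only accepts built-in chains; $chain is not one in table $table: $rule"; return 1 ;;
        esac
    fi
    return 0
}

# Constructed rules for a quick self-check when the script is run directly.
check_iptables_rule "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP" && echo "rule 1 ok"
check_iptables_rule "iptables -A INPUT --dport 22 -j DROP" || echo "rule 2 rejected (expected)"
```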
Solution 4:
Another possible solution is that you're forgetting to run as root. I just ran into this when using the debian tutorial:
$ iptables -t nat -p tcp -I PREROUTING --src 0/0 --dst 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
iptables v1.8.2 (nf_tables): unknown option "--dport"
$ sudo iptables -t nat -I PREROUTING --src 0/0 --dst 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
# OK
Solution 5:
If iptables reports that it uses nftables, one needs to use iptables-legacy instead.
For example, use:
iptables-legacy -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
instead of:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
It's kind of an old question, but it's the first in the search results.