iptables; match and protocol question

[quovadisnp]

Below, what is the difference between using -m to specify a tcp match as well as -p to specify tcp protocol instead of just using -p to specify the tcp protocol?

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT


Is there a difference? What does specifying a match of "-m tcp" do for us that "-p tcp" by itself doesn't?

Appreciate any help or thoughts

[Lazydog]

That is a good question. I have never setup rules that use both as I do not believe it is required. I haven't found anything in the tutorial I have that would state anything about this use.

[lenfried_ga_suki]

If you have an option (e.g. --dport) for an iptables module (e.g. -m tcp) that you have not specified (as in your second command), iptables will assume the the module of whatever you specify as your protocol. In this case, tcp.

To quote the iptables-extensions man page: "If the -p or --protocol was specified and if and only if an unknown option is encountered, iptables will try load a match module of the same name as the protocol, to try making the option available."

Also, in your first command, the --dport 22 should come after -m tcp. Otherwise it's just falling back to the aforementioned rule, and you're loading the tcp module but not doing anything with it. ...Or you could just not specify -m tcp at all and use the second command.

[Lazydog]

@quovadisnp

I did some research on this topic.
There are
Implicit matches which do not require the '-m' module flag.
and then there is
Explicit matches for which the '-m' module flag is required.

You can read more here, MATCHES

[lenfried_ga_suki]

Note that all the "implicit matches" are protocols, as I stated previously. Nice find, though.