This seems like a very simple question. But I don't see anything much about it on the web. The command comes from the RHEL documentation itself, so I would expect that it works... and yet it fails. Any insight?

Command:

/sbin/iptables -A INPUT -m state --state NEW -m tcp -p udp --dport 25150 -j ACCEPT

Output:

iptables: Invalid argument. Run `dmesg' for more information.

dmesg log:

[ 1719.334534] x_tables: ip_tables: tcp match: only valid for protocol 6
Khaled
  • Thinking that it might be an error, I changed "-m tcp -p udp" to "-m tcp -p tcp" because it seems to make more sense. I added a second entry with "-m udp -p udp" just in case. I suppose I'll know if that broke things or fixed them when I attempt to use cobbler. iptables did not choke when I created those rules... – Tommy Butler Jun 02 '15 at 03:03

1 Answer

Congratulations, you found an error in the RHEL documentation.

The iptables rule shown here uses the tcp matcher but then attempts to specify the udp protocol. This doesn't work; the tcp matcher can only be used with protocol 6, which happens to be tcp. Thus the error you received.

To correct the rule you have to first figure out which is wrong, the matcher or the protocol. Unfortunately this error has been propagated all over the Internet so this isn't so easy to figure out from an Internet search, and even the Cobbler documentation doesn't clearly mention it.

You can sort it out easily by inspecting the output of ss -nl, and there you should find cobbler listening on TCP port 25150, not UDP. Thus you replace udp with tcp and then report the documentation error to Red Hat.

Michael Hampton
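An added example, not part of Michael Hampton's answer or of the RHEL or Cobbler documentation: a small POSIX shell script that does mechanically what the answer describes. `check_iptables_rule` refuses a rule whose `-m tcp` / `-m udp` match module disagrees with its `-p` protocol (the condition the kernel reports as "tcp match: only valid for protocol 6"; 6 is TCP, 17 is UDP), `proto_for_port` reads `ss -nl` style output to find which transport a port is actually listening on, and `fix_rule` rewrites the rule to that protocol. The function names are my own, the `ss` output is a constructed sample rather than a capture from a real host, and the column positions assumed by `proto_for_port` (Netid first, Local Address:Port fifth) are those of the common `ss -nl` layout.

```shell
#!/bin/sh
# Added example; not code from the original answer, Red Hat or Cobbler.
# Helpers around the point of the answer: the tcp/udp match modules are
# only valid for the matching -p protocol, and the right protocol should
# come from what is really listening (ss -nl), not from a guess.

# Normalise a -p value: numeric IDs 6/17 and upper case become tcp/udp.
norm_proto() {
    case "$1" in
        6|tcp|TCP)  echo tcp ;;
        17|udp|UDP) echo udp ;;
        *)          echo "$1" | tr 'A-Z' 'a-z' ;;
    esac
}

# check_iptables_rule "<rule words>": returns 0 if every -m tcp/-m udp module
# agrees with the -p protocol, 1 on a conflict (reason printed on stderr).
# The unquoted $1 is split into words on purpose.
check_iptables_rule() {
    proto=""
    mods=""
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--protocol) proto=$(norm_proto "$2"); shift ;;
            -m|--match)    mods="$mods $2"; shift ;;
        esac
        shift
    done
    for m in $mods; do
        case "$m" in
            tcp|udp)
                if [ "$m" != "$proto" ]; then
                    echo "mismatch: -m $m is only valid with -p $m, rule has -p ${proto:-all}" >&2
                    return 1
                fi ;;
        esac
    done
    return 0
}

# proto_for_port <port> "<ss -nl output>": print the Netid (tcp/udp) of each
# socket bound to that port, one per line; prints nothing when none is found.
# Assumes the usual ss layout: Netid in column 1, Local Address:Port in column 5.
proto_for_port() {
    printf '%s\n' "$2" | awk -v port="$1" 'NR > 1 && $5 ~ (":" port "$") { print $1 }' | sort -u
}

# fix_rule "<rule>" <proto>: rewrite both the -m tcp/udp module and the -p
# value to <proto> so the two agree.
fix_rule() {
    printf '%s\n' "$1" | sed -E -e "s/-m (tcp|udp)/-m $2/g" -e "s/-p (tcp|udp)/-p $2/g"
}

# The rule as printed in the RHEL documentation, and its corrected form.
DOC_RULE='-A INPUT -m state --state NEW -m tcp -p udp --dport 25150 -j ACCEPT'
FIXED_RULE='-A INPUT -m state --state NEW -m tcp -p tcp --dport 25150 -j ACCEPT'

# Constructed sample of "ss -nl" output (not captured from a real host):
# cobbler on TCP 25150 next to an unrelated UDP listener.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            *:69              *:*
tcp   LISTEN 0      128          *:25150           *:*
tcp   LISTEN 0      128          *:80              *:*'

# Demo: reject the documented rule, learn the real protocol, fix and re-check.
if check_iptables_rule "$DOC_RULE"; then
    echo "doc rule: ok"
else
    echo "doc rule: rejected (as iptables would)"
fi
real_proto=$(proto_for_port 25150 "$SS_SAMPLE")
fixed=$(fix_rule "$DOC_RULE" "$real_proto")
if check_iptables_rule "$fixed"; then
    echo "fixed rule: $fixed"
fi
```

On a live host the last step would be `/sbin/iptables $fixed` (as root), and `/sbin/iptables -C INPUT ...` with the same arguments can then confirm the rule is present. Running `proto_for_port` on real data is just `proto_for_port 25150 "$(ss -nl)"`; if it prints nothing, cobbler is not listening at all and the firewall rule is not the problem.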