11
2
Firewall configuration written by system-config-firewall
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
10
Per the manual, it's an unusual but harmless explicit invocation of the tcp iptables module; this module is implicitly invoked when -p tcp (TCP protocol) is specified, and only works when -p tcp is specified anyway, but apparently whoever wrote system-config-firewall's rule generator believed in the belt-and-suspenders theory of reliability.
5
From iptables manual page:
-m, --match match
Specifies a match to use, that is, an extension module that tests for a specific property. The set of matches make up the condition under which a target is invoked. Matches are evaluated first to last as specified on the command line and work in short-circuit fashion, i.e. if one extension yields false, evaluation will stop.
In this case TCP match is being used.
TCP matches
These matches are protocol specific and are only available when working with TCP packets and streams. To use these matches, you need to specify --protocol tcp on the command line before trying to use them. Note that the --protocol tcp match must be to the left of the protocol specific matches. These matches are loaded implicitly in a sense, just as the UDP and ICMP matches are loaded implicitly. The other matches will be looked over in the continuation of this section, after the TCP match section.
ip{,6}tables-save adds it explicitly by default. – selurvedu – 2017-11-01T05:13:37.180
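Because the explicit and implicit forms are equivalent, a firewall audit that compares an intended rule list against saved rules should ignore a redundant -m tcp (or udp/icmp) rather than report it as drift. The sketch below is an added example, not part of the original answers or of any iptables tooling; canonical_rule, drift and the sample rule lists are hypothetical names and constructed data, and it normalizes only the redundant match, not option order.

```python
import shlex

# Matches the quoted manual text says are loaded implicitly by -p <proto>.
IMPLICIT = {"tcp", "udp", "icmp"}

def canonical_rule(rule):
    """Tokenize a rule and drop '-m <proto>' when '-p <proto>' already implies it."""
    tokens = shlex.split(rule)
    proto = None
    # First pass: find the (non-negated) protocol, wherever it sits in the rule.
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-p", "--protocol") and (i == 0 or tokens[i - 1] != "!"):
            proto = tokens[i + 1].lower()
    out, i = [], 0
    while i < len(tokens):
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tokens[i] in ("-m", "--match") and arg == proto and proto in IMPLICIT:
            i += 2  # redundant explicit load of the protocol's own match
        else:
            out.append(tokens[i])
            i += 1
    return tuple(out)

def drift(intended, saved):
    """Return (missing, unexpected) rules after ignoring redundant -m <proto>."""
    want = {canonical_rule(r): r for r in intended}
    have = {canonical_rule(r): r for r in saved}
    missing = [want[k] for k in want if k not in have]
    unexpected = [have[k] for k in have if k not in want]
    return missing, unexpected

# Constructed sample data: a hand-written policy in the implicit form, and
# rules in the explicit form (the first is the rule from the question).
INTENDED = [
    "-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT",
    "-A INPUT -p udp --dport 53 -j ACCEPT",
]
SAVED = [
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT",
    "-A INPUT -p udp -m udp --dport 53 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT",
]

if __name__ == "__main__":
    print(drift(INTENDED, SAVED))
```

Only the port 23 rule is reported as unexpected; the two rules that differ solely by the explicit match compare equal.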