Thread: creating one rule for both tcp and udp?

creating one rule for both tcp and udp?
user name
2006-08-25 17:59:40
Hi all,

I was wondering, if I wanted to filter packets on a specific port, can I write a single rule to work on both tcp and udp traffic, or will I have to write one rule for each?

Suppose, for instance, that I want to allow TCP and UDP packets from any host on port 548 to a machine with IP address 192.168.1.4. Could I write a rule like:

-A FORWARD -s 0/0 -d 141.161.111.203 -p all --dport 548 -j ACCEPT

(please note, I am just using port 548 as an example.)

Now, I know that this doesn't work, because I tried it. I got back the error:

iptables v1.3.5: Unknown arg `--dport'

I am guessing that is because "-p all" includes ICMP, which doesn't take the --dport argument. Am I wrong about that?

So, to do this, I would have to do two rules:

-A FORWARD -s 0/0 -d 141.161.111.203 -p tcp --dport 548 -j ACCEPT
-A FORWARD -s 0/0 -d 141.161.111.203 -p udp --dport 548 -j ACCEPT

Now, I would prefer not to do this, because in a lot of places I would have to add a whole lot of rules. So, I ask, is there a way to combine TCP and UDP into a single rule?

Thanks!

creating one rule for both tcp and udp?
user name
2006-08-26 18:47:41
Hello,

Matt Singerman wrote:
> 
> -A FORWARD -s 0/0 -d 141.161.111.203 -p all --dport 548 -j ACCEPT
> 
> iptables v1.3.5: Unknown arg `--dport'
> 
> I am guessing that is because "-p all" includes ICMP, which doesn't take
> the --dport argument. Am I wrong about that?

It's a little more complicated than that. It's not that ICMP or other protocols don't take the --dport argument. Actually --dport is valid only with the "-m tcp" and "-m udp" matches, which in turn are only valid with - and implicitly created by - "-p tcp" and "-p udp" respectively.
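
Since --dport only exists inside the -m tcp / -m udp matches, there is no single "-p all --dport" rule; what can be done is to stop writing the pair by hand. The script below is an added example, not code from either poster: a small POSIX sh helper that emits the tcp and udp rule pair for one port, refuses a protocol that cannot carry --dport (the exact failure mode reported above), and assembles several ports into a file that iptables-restore can load. The chain name FORWARD, the host 192.168.1.4 and the ports are constructed sample values taken from the thread, not a real ruleset.

```shell
#!/bin/sh
# Added example: generate one iptables rule per protocol instead of
# writing each tcp/udp pair by hand. Nothing here calls iptables itself;
# the output is meant for iptables-restore (or for review before loading).

# Emit a single FORWARD rule for one protocol. Only tcp and udp are
# accepted: --dport belongs to the -m tcp / -m udp match modules that
# "-p tcp" and "-p udp" load implicitly, so "-p all --dport" is invalid.
port_rule() {
    proto=$1; dst=$2; port=$3
    case "$proto" in
        tcp|udp) ;;
        *)
            printf 'refusing: --dport is only valid with -p tcp or -p udp, not -p %s\n' "$proto" >&2
            return 1
            ;;
    esac
    # Plain %s avoids printf treating the leading "-A" as an option.
    printf '%s\n' "-A FORWARD -s 0/0 -d $dst -p $proto --dport $port -j ACCEPT"
}

# Emit the tcp rule followed by the udp rule for one destination/port.
# This is the closest thing to "one rule for both": one call per port.
tcp_udp_rules() {
    port_rule tcp "$1" "$2" && port_rule udp "$1" "$2"
}

# Build a complete filter-table fragment for several ports, in the
# format iptables-restore reads. Assumes the FORWARD chain already exists
# with its policy set elsewhere, so no ":FORWARD" policy line is emitted.
generate_ruleset() {
    dst=$1; shift
    printf '*filter\n'
    for p in "$@"; do
        tcp_udp_rules "$dst" "$p" || return 1
    done
    printf 'COMMIT\n'
}

# Example use (constructed values):
#   generate_ruleset 192.168.1.4 548 53 > /tmp/tcp-udp.rules
#   iptables-restore -n /tmp/tcp-udp.rules   # -n: append without flushing
```

Rules are printed rather than applied so the output can be diffed against the running ruleset before loading; iptables-restore with -n appends the lines without flushing what is already there. The explicit protocol check in port_rule is what turns the cryptic "Unknown arg `--dport'" into a readable message at generation time.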
