
The command iptables no longer recognizes one of the most commonly used options when defining rules: --dport.

I get this error:

[root@dragonweyr /home/calyodelphi]# iptables -A INPUT --dport 7777 -j ACCEPT_TCP_UDP
iptables v1.4.7: unknown option `--dport'
Try `iptables -h' or 'iptables --help' for more information.

The add rule command above is just an example for enabling Terraria connections.

Here's what I currently have as a barebones iptables configuration (listiptables is aliased to iptables -L -v --line-numbers), and it's obvious that --dport has worked in the past:

root@dragonweyr /home/calyodelphi]# listiptables 
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       39  4368 ACCEPT     all  --  lo     any     anywhere             anywhere            
2      114 10257 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
3        1    64 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:EtherNet/IP-1 
4       72 11610 ACCEPT     all  --  eth1   any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 91 packets, 10045 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ACCEPT_TCP_UDP (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            

I'm also trying to define a custom chain (inspired by this question) to accept tcp & udp connections so that I don't have to define two rules for everything that I want to enable tcp and udp for (such as a Minecraft or Terraria server, or another service entirely). But even this doesn't work:

[root@dragonweyr /home/calyodelphi]# iptables -P ACCEPT_TCP_UDP DROP
iptables: Bad built-in chain name.

This is getting to be very frustrating, in polite terms (the amount of cussing involved with this would make a sailor tell me to watch my mouth). My Google-fu is terrible, so I've yet to find a working solution for any of this. I'm running CentOS 6.5 on the router. Any help and pointers that you guys can offer would be awesome.

EDIT:

Bonus question: I'm also planning to configure port forwarding as well. Is it still necessary to set rules to accept incoming connections over specific ports?


First give a -p option like -p tcp or -p udp.

Examples:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT

You could also try -p all but I've never done that and don't find too much support for it in the examples.

dmourati

Another possible solution is that you're forgetting to run as root. I just ran into this when using the Debian tutorial.

$ iptables -t nat -p tcp -I PREROUTING --src 0/0 --dst 127.0.0.1  --dport 80 -j REDIRECT --to-ports 8080
iptables v1.8.2 (nf_tables): unknown option "--dport"
$ sudo iptables -t nat -p tcp -I PREROUTING --src 0/0 --dst 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
# OK

Protocol (-p) is required if you use --dport. Example:

-p tcp

If iptables reports that it uses nftables, you need to use iptables-legacy instead.

For example:
Use iptables-legacy -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
Instead of iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

It's kind of an old question, but it's the first in the search results.

weshouman

@dmourati and @diegows already answered your first question, so I'll tackle your second question. And bonus question. And I'll also throw in a bonus tip ;)

iptables -P only accepts BUILT-IN chains. In the filter table, that would be INPUT, OUTPUT, and FORWARD chains.

Port forwarding does not get handled by the INPUT chain, so you don't have to open the port in the INPUT chain. It does get handled by the FORWARD chain, though. Be careful on that.

Bonus tip: When learning and/or troubleshooting iptables, the output of iptables-save is heads & shoulders better than the output of iptables -L -v --line-numbers. Try it, you'll be pleasantly surprised :)

pepoluan
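Putting dmourati's point (--dport only works together with -p) and pepoluan's (-P applies to built-in chains only, and a user chain needs an explicit terminating rule instead) together, here is an added POSIX shell example that is not from any of the answers. It only prints iptables command lines and lints them for the missing -p behind the "unknown option" error; the port 7777 and the chain name ACCEPT_TCP_UDP come from the question, the helper function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Nothing here touches the kernel:
# the functions only print iptables command lines for review (or for piping to
# sh as root once you are happy with them).

# Emit one ACCEPT rule per protocol for a port, always with the mandatory -p.
# Usage: allow_tcp_udp <port> [chain]   (chain defaults to INPUT)
allow_tcp_udp() {
    port=$1
    chain=${2:-INPUT}
    for proto in tcp udp; do
        printf 'iptables -A %s -p %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$port"
    done
}

# A user-defined chain cannot take -P, so give it an explicit last rule instead.
# Usage: user_chain_with_default <chain> <DROP|RETURN>
user_chain_with_default() {
    printf 'iptables -N %s\n' "$1"
    printf 'iptables -A %s -j %s\n' "$1" "$2"
}

# Lint: return 1 for a rule that uses --dport/--sport without -p/--protocol,
# which is exactly the rule that produced "unknown option `--dport'".
# Usage: check_rule '<iptables command line>'
check_rule() {
    case " $1 " in
        *" --dport "*|*" --sport "*)
            case " $1 " in
                *" -p "*|*" --protocol "*) return 0 ;;
                *) echo "missing -p: $1" >&2; return 1 ;;
            esac ;;
    esac
    return 0
}

# Demo: the rule from the question is rejected, the generated pair passes.
bad='iptables -A INPUT --dport 7777 -j ACCEPT_TCP_UDP'
check_rule "$bad" || echo "rejected: $bad"
user_chain_with_default ACCEPT_TCP_UDP DROP
allow_tcp_udp 7777 | while IFS= read -r rule; do check_rule "$rule" && echo "$rule"; done
```

After loading real rules, compare what the kernel actually holds with iptables-save rather than iptables -L, as pepoluan suggests.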

Maybe an edge case scenario, but I got this error when I had apparently upgraded my kernel and not rebooted yet and some kernel module was not loaded yet. The module could not be loaded because the running kernel was a different version than the installed kernel. Rebooting solved the problem.

cdauth

Maybe the needed module is not loaded:

modprobe ipt_tcp