iptables command from RHEL documentation for cobbler, fails in RHEL 7

Tommy Butler asked:

This seems like a very simple question. But I don’t see anything much about it on the web. The command comes from the RHEL documentation itself, so I would expect that it works… and yet it fails. Any insight?

Command:

/sbin/iptables -A INPUT -m state --state NEW -m tcp -p udp --dport 25150 -j ACCEPT

Output:

iptables: Invalid argument. Run `dmesg' for more information.

dmesg log:

[ 1719.334534] x_tables: ip_tables: tcp match: only valid for protocol 6

My answer:
Congratulations, you found an error in the RHEL documentation.

The iptables rule shown here uses the tcp matcher but then attempts to specify the udp protocol. This doesn’t work; the tcp matcher can only be used with protocol 6, which happens to be tcp. Thus the error you received.

To correct the rule you have to first figure out which is wrong, the matcher or the protocol. Unfortunately this error has been propagated all over the Internet so this isn’t so easy to figure out from an Internet search, and even the Cobbler documentation doesn’t clearly mention it.

You can sort it out easily by inspecting the output of ss -nl, and there you should find cobbler listening on TCP port 25150, not UDP. Thus you replace udp with tcp and then report the documentation error to Red Hat.
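To make the diagnosis above repeatable, here is an added shell example (not part of the original answer) that flags the `-m tcp` / `-p udp` conflict in the rule, reads which protocol port 25150 is actually listening on from `ss -nl` style output, and prints the corrected rule. The `ss` output is a constructed sample that assumes cobbler listens on TCP 25150, as the answer states.

```shell
# Added example, not from the original answer: detect the "-m tcp ... -p udp"
# mismatch, look up the real protocol for the port, and emit the fixed rule.

# The rule from the question, verbatim.
BAD_RULE='/sbin/iptables -A INPUT -m state --state NEW -m tcp -p udp --dport 25150 -j ACCEPT'

# Constructed sample of `ss -nl` output (not a real capture); it assumes
# cobbler listens on TCP 25150, as the answer states.
SS_SAMPLE='Netid  State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp    UNCONN  0      0      0.0.0.0:69          0.0.0.0:*
tcp    LISTEN  0      128    0.0.0.0:25150       0.0.0.0:*
tcp    LISTEN  0      128    0.0.0.0:80          0.0.0.0:*'

# Returns 0 when "-m tcp|udp" and "-p" agree (or either is absent), 1 on conflict.
rule_match_consistent() {
    match=""; proto=""; prev=""
    for w in $1; do
        case "$prev" in
            -m) case "$w" in tcp|udp) match=$w ;; esac ;;
            -p) proto=$w ;;
        esac
        prev=$w
    done
    [ -z "$match" ] || [ -z "$proto" ] || [ "$match" = "$proto" ]
}

# Prints the Netid (tcp/udp) listening on port $1 from ss -nl output on stdin.
listening_proto_for_port() {
    awk -v p="$1" '$2 == "LISTEN" || $2 == "UNCONN" {
        n = split($5, a, ":"); if (a[n] == p) { print $1; exit } }'
}

# Rewrites every "-m tcp|udp" and "-p tcp|udp" in rule $1 to protocol $2.
rewrite_rule() {
    proto=$2; out=""; prev=""
    for w in $1; do
        case "$prev" in -m|-p) case "$w" in tcp|udp) w=$proto ;; esac ;; esac
        out="$out${out:+ }$w"
        prev=$w
    done
    printf '%s\n' "$out"
}

if ! rule_match_consistent "$BAD_RULE"; then
    real=$(printf '%s\n' "$SS_SAMPLE" | listening_proto_for_port 25150)
    echo "match/protocol mismatch; port 25150 is ${real:-unknown}, corrected rule:"
    rewrite_rule "$BAD_RULE" "${real:-tcp}"
fi
```

On a live host, replace `SS_SAMPLE` with the output of `ss -nl` to check the actual listener before applying the rewritten rule.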
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.