When working with iptables on CentOS 6.5, the error "unknown option `--dport'" typically appears when --dport is used without a protocol. --dport is not a general iptables option but one provided by the tcp and udp match extensions, so it is only recognised after -p tcp or -p udp (which loads the matching extension implicitly; -m tcp or -m udp makes the same thing explicit).
Here's the proper way to implement your Terraria server rule:
iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
iptables -A INPUT -p udp --dport 7777 -j ACCEPT
Or with the multiport match (-m multiport), which is the form to use when several ports need to be listed in one rule; note that it still takes one rule per protocol:
iptables -A INPUT -p tcp -m multiport --dports 7777 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 7777 -j ACCEPT
The error "Bad built-in chain name" occurs because -P (set default policy) applies only to built-in chains (INPUT, OUTPUT, FORWARD). Custom chains are created with -N and filled with -A:
# Create the chain
iptables -N ACCEPT_TCP_UDP
# Add rules to the custom chain
iptables -A ACCEPT_TCP_UDP -p tcp -j ACCEPT
iptables -A ACCEPT_TCP_UDP -p udp -j ACCEPT
# Reference the custom chain from INPUT (as written, this jump has no --dport match, so every TCP and UDP packet reaching INPUT is accepted; add -p tcp/udp --dport 7777 to the jump rule to limit it to the game port)
iptables -A INPUT -j ACCEPT_TCP_UDP
For port forwarding (DNAT), you still need both forwarding and acceptance rules:
# Enable IP forwarding (sysctl -w takes effect immediately but does not survive a reboot; also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf)
sysctl -w net.ipv4.ip_forward=1
# Forward port 7777 to internal IP
iptables -t nat -A PREROUTING -p tcp --dport 7777 -j DNAT --to-destination 192.168.1.100:7777
iptables -t nat -A PREROUTING -p udp --dport 7777 -j DNAT --to-destination 192.168.1.100:7777
# Allow forwarded traffic
iptables -A FORWARD -p tcp --dport 7777 -d 192.168.1.100 -j ACCEPT
iptables -A FORWARD -p udp --dport 7777 -d 192.168.1.100 -j ACCEPT
On CentOS 6.5, save your rules permanently (the init script writes them to /etc/sysconfig/iptables) with:
service iptables save
And ensure they persist after reboot:
chkconfig iptables on
When working with iptables on CentOS 6.5, you might encounter this frustrating error:
iptables v1.4.7: unknown option `--dport'
This happens because --dport isn't a standalone option: it must follow the -p (protocol) flag, which loads the tcp or udp match extension that defines it. Here's the correct syntax:
iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
iptables -A INPUT -p udp --dport 7777 -j ACCEPT
The error in your custom chain attempt comes from using -P (which sets the policy of a built-in chain) instead of creating the chain with -N. Here's how to properly set up a combined TCP/UDP acceptance chain:
# Create the custom chain
iptables -N ACCEPT_TCP_UDP
# Add rules to the custom chain
iptables -A ACCEPT_TCP_UDP -p tcp -j ACCEPT
iptables -A ACCEPT_TCP_UDP -p udp -j ACCEPT
# Reference the custom chain from INPUT
iptables -A INPUT -p tcp --dport 7777 -j ACCEPT_TCP_UDP
iptables -A INPUT -p udp --dport 7777 -j ACCEPT_TCP_UDP
For port forwarding (DNAT), you still need ACCEPT rules. The complete setup for forwarding port 7777 would be:
# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
# NAT rule
iptables -t nat -A PREROUTING -p tcp --dport 7777 -j DNAT --to-destination 192.168.1.100:7777
iptables -t nat -A PREROUTING -p udp --dport 7777 -j DNAT --to-destination 192.168.1.100:7777
# Allow forwarded packets
iptables -A FORWARD -p tcp --dport 7777 -d 192.168.1.100 -j ACCEPT
iptables -A FORWARD -p udp --dport 7777 -d 192.168.1.100 -j ACCEPT
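As an added example (written for this page; it is not code from the original article, from the Terraria project or from iptables itself), the following POSIX shell script wraps the inbound-accept and DNAT rules above so they can be re-applied without accumulating duplicate rules. It assumes the values used in the text (port 7777, internal host 192.168.1.100) and CentOS 6's iptables 1.4.7, which has no -C rule-check option, so an existing jump is detected by listing the built-in chain with -nL instead. The GAME_ chain-name prefix is a placeholder of this example. Setting IPT to a wrapper (for instance a shell function that prints its arguments) turns the whole script into a dry run.

```shell
#!/bin/sh
# Added example, not from the original page. Applies the CentOS 6 rules discussed
# in the text for one game port through per-service custom chains, so re-running
# the script flushes and rebuilds only its own chains and never touches INPUT,
# FORWARD or PREROUTING beyond a single jump rule.
# Assumptions: port 7777 and host 192.168.1.100 come from the text; the GAME_
# prefix is a placeholder; iptables 1.4.7 (no -C/-S) is targeted; set IPT to a
# wrapper command to print the invocations instead of applying them.

IPT="${IPT:-iptables}"

# is_valid_port PORT: succeeds only for an integer in 1..65535.
is_valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# chain_name PORT [SUFFIX]: print the custom chain name used for PORT.
chain_name() { printf 'GAME_%s%s\n' "$1" "${2:-}"; }

# reset_chain TABLE CHAIN: create the chain if it is missing, then empty it.
# -N exits non-zero when the chain already exists, which is fine here.
reset_chain() {
    "$IPT" -t "$1" -N "$2" 2>/dev/null || true
    "$IPT" -t "$1" -F "$2"
}

# has_jump TABLE BUILTIN CHAIN: is there already a jump from BUILTIN to CHAIN?
# The first column of "iptables -nL" output is the target name.
has_jump() {
    "$IPT" -t "$1" -nL "$2" 2>/dev/null | grep -q "^$3 "
}

# link_chain TABLE BUILTIN CHAIN: add the jump once. It is inserted (-I), not
# appended, because the stock CentOS 6 ruleset ends INPUT and FORWARD with a
# REJECT rule; anything appended after that rule is never reached.
link_chain() {
    has_jump "$1" "$2" "$3" || "$IPT" -t "$1" -I "$2" -j "$3"
}

# allow_inbound PORT: accept TCP and UDP to PORT on this host.
# --dport is only valid after -p tcp or -p udp, hence one rule per protocol.
allow_inbound() {
    is_valid_port "$1" || { echo "allow_inbound: bad port '$1'" >&2; return 1; }
    chain=$(chain_name "$1")
    reset_chain filter "$chain"
    for proto in tcp udp; do
        "$IPT" -t filter -A "$chain" -p "$proto" --dport "$1" -j ACCEPT
    done
    link_chain filter INPUT "$chain"
}

# forward_port PORT DEST_IP: DNAT PORT to DEST_IP and accept the forwarded
# packets. The DNAT alone does nothing useful if FORWARD rejects the packets,
# and net.ipv4.ip_forward must be 1.
forward_port() {
    is_valid_port "$1" || { echo "forward_port: bad port '$1'" >&2; return 1; }
    nat_chain=$(chain_name "$1" _NAT)
    fwd_chain=$(chain_name "$1" _FWD)
    reset_chain nat "$nat_chain"
    reset_chain filter "$fwd_chain"
    for proto in tcp udp; do
        "$IPT" -t nat -A "$nat_chain" -p "$proto" --dport "$1" \
            -j DNAT --to-destination "$2:$1"
        "$IPT" -t filter -A "$fwd_chain" -p "$proto" --dport "$1" -d "$2" -j ACCEPT
    done
    link_chain nat PREROUTING "$nat_chain"
    link_chain filter FORWARD "$fwd_chain"
}

# Usage: sh open_game_port.sh run   (as root; IPT=echo sh open_game_port.sh run for a dry run)
if [ "${1:-}" = "run" ]; then
    allow_inbound 7777 && forward_port 7777 192.168.1.100 \
        && "$IPT" -t filter -vnL INPUT --line-numbers
fi
```

After a real run, `service iptables save` persists the result exactly as the text describes. The `--line-numbers` listing at the end is the same check the troubleshooting list recommends: it shows whether the GAME_7777 jump sits above the REJECT rule that CentOS 6 ships by default.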
When iptables behaves unexpectedly:
- Check that the protocol (-p tcp or -p udp) is specified before --dport.
- Verify the chain type (built-in vs custom) before setting a policy with -P.
- Check where a new rule landed: the stock CentOS 6 ruleset ends INPUT and FORWARD with a REJECT rule, so a rule appended with -A sits after it and never matches; insert with -I (optionally with a line number) to place it earlier.
- Use iptables -L -v -n --line-numbers to inspect rules with their positions and packet counters.
Remember that custom chains can't have policies: they're not decision points but organizational tools for your ruleset.