Many Linux administrators encounter this error when trying to open multiple ports in iptables:
iptables -A INPUT -p tcp --dports 110,143,993,995 -j ACCEPT
iptables v1.4.7: unknown option `--dports'
Try `iptables -h' or 'iptables --help' for more information.
The issue here is a common misconception about iptables syntax. While you might expect --dports
to work for multiple ports, the correct approach requires using the multiport module.
Here's how to correctly specify multiple ports:
iptables -A INPUT -p tcp -m multiport --dports 110,143,993,995 -j ACCEPT
Key points to notice:
- The -m multiport module must be loaded first
- --dports is now a valid option because it is part of the multiport module
For those who prefer separate rules or need different actions per port:
# Option 1: Separate rules
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
# Option 2: Port ranges (note: 110:995 matches every port from 110 through 995, not just the four mail ports)
iptables -A INPUT -p tcp --dport 110:995 -j ACCEPT
The multiport module is optimized for performance, but there are limits:
- A maximum of 15 ports can be specified in a single rule (a range such as 110:120 counts as two of those 15)
- For more ports, split the list across several rules, grouping by service type
- A port range is more efficient than listing the individual ports when they are sequential
After applying your rules, verify them with:
iptables -L -n -v
Remember to save your rules for reboot persistence (a file written by iptables-save is only applied at boot if something runs iptables-restore on it, for example the iptables-persistent package on Debian/Ubuntu):
# For Debian/Ubuntu:
iptables-save > /etc/iptables.rules
# For RHEL/CentOS:
service iptables save
When working with iptables, you might encounter this common syntax error:
# iptables -A INPUT -p tcp --dports 110,143,993,995 -j ACCEPT
iptables v1.4.7: unknown option `--dports'
Try `iptables -h' or 'iptables --help' for more information.
Despite what the man page might suggest, the --dports option does not work on its own when you try to specify multiple ports. The confusion stems from the fact that --dport (singular) is the parameter of the basic tcp/udp match, and it only accepts a single port number or a range. That is why the --dports (plural) shown in documentation looks misleading for comma-separated lists: it belongs to the multiport extension and is only recognised once that module has been loaded with -m multiport.
Here are several ways to properly handle multiple ports in iptables:
Method 1: Using Multiport Module
The most efficient way is to use the multiport extension:
iptables -A INPUT -p tcp -m multiport --dports 110,143,993,995 -j ACCEPT
Key points:
- You must specify -m multiport to load the extension
- Up to 15 ports can be specified in a single rule
- This creates only one rule in the chain
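The 15-slot limit mentioned in both lists above, and the advice to group larger port sets, can be handled by generating rules in chunks. The following POSIX sh helper is an added example, not code from the original article; the IPTABLES variable is an assumption that defaults to a dry run ('echo iptables') so the rules are printed rather than applied.

```shell
# Added example: emit "-m multiport" rules for any number of ports, splitting the
# list so that no rule exceeds multiport's limit of 15 slots (a range a:b uses 2).
# IPTABLES is an assumed variable; it defaults to a dry run that prints the rules.
IPTABLES="${IPTABLES:-echo iptables}"

# valid_port PORT|A:B -> 0 if every number is in 1..65535 and the form is sane
valid_port() {
    case "$1" in
        ''|*[!0-9:]*|*:*:*|:*|*:) return 1 ;;
    esac
    for n in $(printf '%s\n' "$1" | tr ':' ' '); do
        [ "$n" -ge 1 ] && [ "$n" -le 65535 ] || return 1
    done
    return 0
}

# slots PORT|A:B -> 1 for a single port, 2 for a range (multiport counts it twice)
slots() {
    case "$1" in
        *:*) echo 2 ;;
        *)   echo 1 ;;
    esac
}

# emit CHAIN PROTO TARGET PORTLIST -> one iptables rule for the accumulated group
emit() {
    $IPTABLES -A "$1" -p "$2" -m multiport --dports "$4" -j "$3"
}

# multiport_rules CHAIN PROTO TARGET PORT... -> one rule per group of <=15 slots;
# returns 1 (printing nothing further) on the first malformed port specification
multiport_rules() {
    chain=$1; proto=$2; target=$3; shift 3
    group=""; used=0
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port spec: $p" >&2; return 1; }
        w=$(slots "$p")
        if [ $((used + w)) -gt 15 ]; then
            emit "$chain" "$proto" "$target" "$group"
            group=""; used=0
        fi
        group="${group:+$group,}$p"
        used=$((used + w))
    done
    if [ -n "$group" ]; then
        emit "$chain" "$proto" "$target" "$group"
    fi
}

# Dry run over a constructed list of 18 service ports: prints two rules.
multiport_rules INPUT tcp ACCEPT 20 21 22 25 53 80 110 143 443 465 587 993 995 3306 5432 6379 8080 8443
```

Set IPTABLES=iptables (as root) to apply the generated rules instead of printing them.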
Method 2: Multiple Single Port Rules
For better readability or when needing different actions per port:
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
Method 3: Port Ranges
When dealing with consecutive ports:
iptables -A INPUT -p tcp --dport 110:120 -j ACCEPT
When working with multiple ports in iptables:
- Always check that the multiport module is available in your iptables version (iptables -m multiport --help prints the extension's options if it loads)
- Consider using port ranges instead of individual ports when possible
- For complex setups, create a separate chain for related services
- Remember to persist your rules after testing
Here's a more complex example combining multiple ports with other conditions:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
This rule:
- Accepts HTTP and HTTPS traffic
- Only for new connections (packets of already established connections are expected to be accepted by an earlier conntrack rule)
- With rate limiting: the limit match is a single global token bucket, not a per-source one, so once the 30 per minute rate (with an initial burst of 5) is exceeded, further NEW packets simply do not match this rule and fall through to the rules that follow, which decide whether they are dropped