Current RH version of iptables - iptables-1.2.4-2 - misdocuments the multiport extension. All of the --*port options should actually be --*ports (i.e. with an additional s). If used as documented, the error message is strange because the options given are legal for the tcp/udp module. The attached patch corrects this part of the man page, and gives --sports as a synonym for --source-ports as well.
Created attachment 48286: iptables man page patch for multiport extension
huh???

    # iptables -m tcp --help
    iptables v1.2.6a
    ....
    --source-port [!] port[:port]
    --sport ...                     match source port(s)
    --destination-port [!] port[:port]
    --dport ...                     match destination port(s)

since when is that????
It's for *multiport*, as the original bug said.

    /sbin/iptables --proto tcp --match multiport --help
    [...]
    multiport v1.2.5 options:
    --source-ports port[,port,port...]
    --sports ...                    match source port(s)
    --destination-ports port[,port,port...]
    --dports ...                    match destination port(s)
    --ports port[,port,port]        match both source and destination port(s)
Seems to be already fixed in:

    $ rpm -q iptables
    iptables-1.2.6a-1
    $ man iptables
    ...
    multiport
        This module matches a set of source or destination ports. Up to 15
        ports can be specified. It can only be used in conjunction with -p tcp
        or -p udp.

        --source-ports port[,port[,port...]]
            Match if the source port is one of the given ports. The flag
            --sports is a convenient alias for this option.

        --destination-ports port[,port[,port...]]
            Match if the destination port is one of the given ports. The flag
            --dports is a convenient alias for this option.

        --ports port[,port[,port...]]
            Match if both the source and destination ports are equal to each
            other and to one of the given ports.
    ...
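An added illustration (not from the bug report or from iptables itself): a small POSIX sh helper that assembles a multiport rule while enforcing the constraints the corrected man page states, so that the confusing case from the original report (passing the singular --sport/--dport to -m multiport) is rejected up front with a clear message. The function name and the 1-65535 port range check are assumptions of this example.

```shell
#!/bin/sh
# Build an iptables rule that uses the multiport match, checking:
#   - the protocol is tcp or udp (multiport works with nothing else)
#   - the option is one of multiport's plural names (--sports/--dports/--ports)
#   - every port is numeric and at most 15 ports are listed
# Usage: multiport_rule CHAIN PROTO sports|dports|ports PORTLIST TARGET
# Prints the rule on success; on error prints a reason to stderr and returns 1.
multiport_rule() {
    chain=$1; proto=$2; kind=$3; ports=$4; target=$5

    case "$proto" in
        tcp|udp) ;;
        *) echo "multiport requires -p tcp or -p udp, got '$proto'" >&2; return 1 ;;
    esac

    # --sport/--dport belong to the tcp/udp match, not to multiport
    case "$kind" in
        sports|dports|ports) ;;
        sport|dport) echo "use --${kind}s with -m multiport, not --$kind" >&2; return 1 ;;
        *) echo "unknown option kind '$kind'" >&2; return 1 ;;
    esac

    # walk the comma-separated list, validating each entry and counting
    n=0
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        case "$p" in
            ''|*[!0-9]*) IFS=$old_ifs; echo "bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs; echo "port out of range: $p" >&2; return 1
        fi
        n=$((n + 1))
    done
    IFS=$old_ifs
    if [ "$n" -gt 15 ]; then
        echo "multiport accepts at most 15 ports, got $n" >&2; return 1
    fi

    # emit the rule rather than applying it, so it can be reviewed or tested
    echo "iptables -A $chain -p $proto -m multiport --$kind $ports -j $target"
}
```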