6

Running iptables -L -n gives me the following info:

    Chain IN_ZONE_work_allow (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW

What is ACCEPT udp 0.0.0.0/0 dest 224.0.0.251?

3 Answers

5

It means you are allowed to receive multicast DNS packets (dpt = destination port, 5353 = multicast DNS), udp is the protocol, 224.0.0.251 is a destination multicast address, 0.0.0.0/0 means from anywhere. ctstate NEW means the connection is new (packets belonging to "not new", i.e. established, connections would be accepted via a more general rule).

In case you are not aware, on a low level, all computers on a network receive all packets sent by any other computer; then they each sort them out themselves.

4

The rule you've asked about is commonly used by the avahi daemon on Linux to listen for mDNS queries.

That iptables rule is allowing incoming udp packets on port 5353 that are destined for the multicast address 224.0.0.251. IANA defines multicast address usage here, and the mDNS RFC is here.

The iptables -L -n output shown is not the complete picture, as the original match in your INPUT chain might feature more detailed packet matching based on source, the interface(s) these packets are allowed on, and a variety of other attributes. The initial match in the INPUT chain may also jump to other chains before hitting this later rule in the "IN_ZONE_work_allow" chain. To get a better understanding of all the packet attributes that must be present in order for this rule to be triggered, you must work backwards from this chain up to the first time IN_ZONE_work_allow is seen in the target column, then continue in that manner until you find the first jump from INPUT (assuming that this is not actually a forwarding ruleset). In your case, most likely, this chain is jumped to directly from INPUT, as evidenced by the note after the chain name: "1 references". I find it much more direct to just look at the output of iptables-save if such is available on the box.
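The "work backwards from the chain to INPUT" procedure in the answer above, as an added example that is not part of the original post: a small Python script that reads iptables-save style -A lines and reports the complete set of matches a packet must satisfy before the mDNS rule is even evaluated. The ruleset is a constructed sample (the INPUT -> IN_ZONE_work -> IN_ZONE_work_allow layout and the eth0 interface match are assumptions, not taken from the question).

```python
# Constructed iptables-save excerpt (filter table -A lines only); not from the question.
SAMPLE = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j IN_ZONE_work
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
"""

def parse_rules(text):
    """Return (chain, matches, target) for every -A line; target is None if there is no -j."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue
        chain, body, target = tok[1], tok[2:], None
        if "-j" in body:
            j = body.index("-j")
            target, body = body[j + 1], body[:j] + body[j + 2:]
        rules.append((chain, " ".join(body), target))
    return rules

def references(rules, chain):
    """The 'N references' figure that iptables -L prints after a user-defined chain name."""
    return sum(1 for _, _, target in rules if target == chain)

def jump_paths(rules, chain, root="INPUT"):
    """Work backwards from `chain` to `root`; each path is a list of (chain, matches) per hop."""
    if chain == root:
        return [[]]
    paths = []
    for src, matches, target in rules:
        if target == chain:  # iptables rejects chain loops, so this recursion terminates
            for path in jump_paths(rules, src, root):
                paths.append(path + [(src, matches)])
    return paths

def full_conditions(rules, chain, rule_matches, root="INPUT"):
    """Every complete match set a packet needs to reach `rule_matches` inside `chain`.
    Ordering is not modelled: an earlier rule in a chain (e.g. the RELATED,ESTABLISHED
    accept in INPUT) may already have taken the packet."""
    return [" AND ".join([m for _, m in path if m] + [rule_matches])
            for path in jump_paths(rules, chain, root)]

if __name__ == "__main__":  # stand-alone demo
    rules = parse_rules(SAMPLE)
    print("IN_ZONE_work_allow references:", references(rules, "IN_ZONE_work_allow"))
    for chain, matches, target in rules:
        if chain == "IN_ZONE_work_allow" and "5353" in matches:
            print(target, "when:", *full_conditions(rules, chain, matches))
```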

1

In TCP/IP networking, 0.0.0.0 as an IP address means "any" or "anywhere". The kernel internal format (which is what the above reflects) uses this; the commands setting it up probably just don't give a source.

1
  • I think he's wondering about the target, 224.x. Commented Mar 8, 2013 at 13:22
