iptables error: unknown option --dport

Solution 1:

First give a -p option like -p tcp or -p udp.

Examples:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT

You could also try -p all but I've never done that and don't find too much support for it in the examples.

Solution 2:

Protocol (-p) is required if you use --dport. Example:

-p tcp

Solution 3:

@dmourati and @diegows already answered your first question, so I'll tackle your second question. And bonus question. And I'll also throw in a bonus tip ;)

iptables -P only accepts BUILT-IN chains. In the filter table, that would be INPUT, OUTPUT, and FORWARD chains.

Port forwarding does not get handled by the INPUT chain, so you don't have to open the port in the INPUT chain. It does get handled by the FORWARD chain, though. Be careful on that.

Bonus tip: When learning and/or troubleshooting iptables, the output of iptables-save is head and shoulders better than the output of iptables -L -v --line-numbers. Try it, you'll be pleasantly surprised :)
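As an added example (not code from any of the answers above), the shell function below, named lint_iptables_rule here by assumption, replays iptables' left-to-right option parsing on a rule's arguments and rejects the two mistakes covered in Solutions 1 through 3: a --dport/--sport that is not preceded by -p tcp/udp, and -P on a chain that is not built in to the filter table. It never calls iptables, so it runs as an unprivileged user on any host.

```sh
#!/bin/sh
# Constructed pre-flight check for an iptables rule (example added here, not code
# from the answers above). It mirrors iptables' own left-to-right option parsing
# for the two mistakes discussed: --dport/--sport appearing before a protocol
# that provides ports, and -P applied to a non-built-in filter chain.
# Usage: lint_iptables_rule <iptables arguments...>   (returns 0 when clean)
lint_iptables_rule() {
    proto="" table="filter" policy_chain="" rc=0
    while [ $# -gt 0 ]; do
        takes_value=""
        case "$1" in
            -t|--table)            table="$2";        takes_value=1 ;;
            -p|--protocol|--proto) proto="$2";        takes_value=1 ;;
            -P|--policy)           policy_chain="$2"; takes_value=1 ;;
            --dport*|--sport*|--destination-port*|--source-port*)
                # iptables registers these options only once the protocol
                # match is loaded, so -p must already have appeared to the left
                case "$proto" in
                    tcp|udp|udplite|sctp|dccp) ;;
                    "") echo "lint: '$1' given before -p; iptables reports 'unknown option'" >&2; rc=1 ;;
                    *)  echo "lint: -p $proto has no '$1' option" >&2; rc=1 ;;
                esac ;;
        esac
        # consume the option and, where present, its value
        if [ -n "$takes_value" ] && [ $# -gt 1 ]; then shift 2; else shift; fi
    done
    # -P only sets the policy of built-in chains; in the filter table those
    # are INPUT, OUTPUT and FORWARD (nat and mangle have their own set)
    if [ -n "$policy_chain" ] && [ "$table" = "filter" ]; then
        case "$policy_chain" in
            INPUT|OUTPUT|FORWARD) ;;
            *) echo "lint: -P needs a built-in chain, not '$policy_chain'" >&2; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Demonstration: the second call mirrors the question's error, the third a bad -P
lint_iptables_rule -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP && echo "rule 1 ok"
lint_iptables_rule -A INPUT --dport 22 -p tcp -j DROP || echo "rule 2 rejected"
lint_iptables_rule -P mychain DROP || echo "rule 3 rejected"
```

The check cannot see whether you are root (Solution 4's cause of the same message), so a clean result still needs the rule applied with sufficient privileges.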


Solution 4:

Another possible solution is that you're forgetting to run as root. I just ran into this when using the Debian tutorial:

$ iptables -t nat -p tcp -I PREROUTING --src 0/0 --dst 127.0.0.1  --dport 80 -j REDIRECT --to-ports 8080
iptables v1.8.2 (nf_tables): unknown option "--dport"
$ sudo iptables -t nat -I PREROUTING --src 0/0 --dst 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
# OK

Solution 5:

If iptables reports that it uses nftables, one needs to use iptables-legacy instead.

For example:
Use iptables-legacy -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
Instead of iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP


It's kind of an old question, but it's the first in the search results.