
Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]



There are several things you can do.  I would make a new table called
local_rules or something and put each "-p tcp --?port" rule in there.
Then it's as easy as "-d ??.??.128.98 -j local_rules" and "-d ??.??.128.99
-j local_rules".

There is also "-m multiport"...
This module matches a set of source or destination ports. Up to 15
ports can be specified. It can only be used in conjunction with -p tcp or
-p udp.

       --source-ports port[,port[,port...]]
       --destination-ports port[,port[,port...]]
       --ports port[,port[,port...]]
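As an added example (not code from either post in this thread), the following POSIX shell script prints the rules that the two suggestions above produce when combined: one user-defined chain per direction holding a single multiport rule, and one jump per service address. The addresses 192.0.2.98/.99 and the chain names ftp_in/ftp_out are constructed stand-ins, not values from the thread; the OUTPUT jumps match on the source address, since replies leave from the service address. It prints the commands instead of loading them so the ruleset can be reviewed before it is applied, and it refuses port lists longer than the 15 that multiport accepts.

```shell
#!/bin/sh
# Added example, not code from either post in this thread. Prints the
# shortened ruleset rather than loading it, so it can be reviewed first.

# Ports ftpd listens on (from the thread). The two service addresses are
# constructed stand-ins (documentation range) for ??.??.128.98 and .99.
FTP_PORTS="210,215,220,225,230"
FTP_IPS="192.0.2.98 192.0.2.99"

# multiport takes at most 15 ports per rule; refuse longer lists instead of
# letting iptables reject the rule at load time.
check_port_count() {
    n=$(printf '%s\n' "$1" | tr ',' '\n' | wc -l | tr -d ' ')
    [ "$n" -le 15 ]
}

# Emit one iptables command per line: a chain for inbound matches, a chain
# for outbound matches (each a single multiport rule), and one jump per
# service address. Chain names ftp_in/ftp_out are assumptions, not from the
# thread.
gen_rules() {
    ports="$1"; ips="$2"
    check_port_count "$ports" || { echo "too many ports for multiport: $ports" >&2; return 1; }
    echo "iptables -N ftp_in"
    echo "iptables -A ftp_in -p tcp -m multiport --destination-ports $ports -j ACCEPT"
    echo "iptables -N ftp_out"
    echo "iptables -A ftp_out -p tcp -m multiport --source-ports $ports -j ACCEPT"
    for ip in $ips; do
        # Inbound: the service address is the destination.
        echo "iptables -A INPUT -i eth0 -p tcp -d $ip -j ftp_in"
        # Outbound replies: the service address is the source.
        echo "iptables -A OUTPUT -o eth0 -p tcp -s $ip -j ftp_out"
    done
}

# Number of commands needed, for comparison with the 40 per-port/per-IP rules.
count_rules() {
    gen_rules "$@" | wc -l | tr -d ' '
}

gen_rules "$FTP_PORTS" "$FTP_IPS"
```

With the five ports and two addresses from the thread this comes to eight commands instead of forty; adding a port changes one list, adding an address adds two jumps.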

--- Jonas Meurer <jonas@freesources.org> wrote:

> On 31/08/2004 Jonas Meurer wrote:
> >         [...]
> >         iptables -A INPUT -i eth0 -p tcp --dport 210 -j ACCEPT
> >         iptables -A OUTPUT -o eth0 -p tcp --sport 210 -j ACCEPT
> >         iptables -A INPUT -i eth0 -p tcp --dport 215 -j ACCEPT
> >         iptables -A OUTPUT -o eth0 -p tcp --sport 215 -j ACCEPT
> >         iptables -A INPUT -i eth0 -p tcp --dport 220 -j ACCEPT
> >         iptables -A OUTPUT -o eth0 -p tcp --sport 220 -j ACCEPT
> >         iptables -A INPUT -i eth0 -p tcp --dport 225 -j ACCEPT
> >         iptables -A OUTPUT -o eth0 -p tcp --sport 225 -j ACCEPT
> >         iptables -A INPUT -i eth0 -p tcp --dport 230 -j ACCEPT
> >         iptables -A OUTPUT -o eth0 -p tcp --sport 230 -j ACCEPT
> > 
> > since some weeks, the ftp server doesn't respond to requests on ports
> > except 21 and 215 any longer, and i've no clue what the problem could
> > be.
> 
> now i found the problem: ftpd runs on two ips, 128.98 and 128.99.
> for some reason, the iptables rules didn't open ports on all ips.
> 
> now i have
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.98 --dport 210 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.98 --sport 210 -j ACCEPT
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.99 --dport 210 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.99 --sport 210 -j ACCEPT
> 
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.98 --dport 215 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.98 --sport 215 -j ACCEPT
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.99 --dport 215 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.99 --sport 215 -j ACCEPT
> 
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.98 --dport 220 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.98 --sport 220 -j ACCEPT
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.99 --dport 220 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.99 --sport 220 -j ACCEPT
> 
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.98 --dport 225 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.98 --sport 225 -j ACCEPT
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.99 --dport 225 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.99 --sport 225 -j ACCEPT
> 
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.98 --dport 230 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.98 --sport 230 -j ACCEPT
>         iptables -A INPUT -i eth0 -p tcp -d ??.??.128.99 --dport 230 -j ACCEPT
>         iptables -A OUTPUT -o eth0 -p tcp -d ??.??.128.99 --sport 230 -j ACCEPT
> 
> it really works like a charm, but is there any way to shorten this?
> can i give multiple ports and/or ips to iptables?
> 
> bye
>  jonas
> 