Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]
--- Jonas Meurer <jonas@freesources.org> wrote:
> On 01/09/2004 Mike Mestnik wrote:
> > > wee, sounds very interesting, but how do i create this rule
> > > "local_rules"?
> > >
> > Sorry chain, not table, chains go into the filter, nat, and mangle
> tables.
> > Make the chain named "local_rules" with "-N local_rules".
>
> ok, so can i save this somehow?
>
Were you using /etc/init.d/iptables to save? This WILL correctly
save/restore this kind of iptables state.
Any way of running iptables on boot/ifup will work for you.
> > iptables module, not like a kmod. Use "-m" to load iptable modules.
> > There should be a related kmod you will need, but it should be
> loaded/used
> > for you.
> >
> > > after loading the module, simply replace --dport and --sport with
> > > --destination-ports and --source-ports and give 5 ips as argument
> > > instead of one, correct?
> > >
> > Yep, must use "-m multiport" previous to any "--ports" options.
>
> now i have:
> iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.98
> --dports 210,215,220,225,230 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.98
> --sports 210,215,220,225,230 -j ACCEPT
> iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.99
> --dports 210,215,220,225,230 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.99
> --sports 210,215,220,225,230 -j ACCEPT
>
>
> this should be ok, correct?
>
Remove iptable's internal "--sports" and use multiport's options
"--source-ports". Using a valid "--sports" with multiport will be tricky,
and worth nothing. Same goes for "--dports". Your use of "-p tcp" should
sometimes read "-p udp". Same goes for "-d 62.75.128." and "-s
62.75.128.".
Also consider using "-m state"...
"-A INPUT -i eth0 -d 62.75.128.98 -m state --state
NEW,ESTABLISHED,RELATED"
"-A OUTPUT -o eth0 -s 62.75.128.98 -m state --state ESTABLISHED,RELATED"
You can use "-m" more than once. This would look better as...
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
"-A INPUT -i eth0 -m state --state NEW" For all your open ports/servers.
"-A OUTPUT -o eth0 -m state --state NEW" For all your client's needs, web
and DNS, maybe NTP etc.
> bye
> jonas
>
>
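The ruleset the reply above is steering towards, written out as an added example (not code from either poster): a stateful ESTABLISHED,RELATED baseline, then NEW connections to the listed ports via multiport's long-form --destination-ports for both tcp and udp, for each address. The eth0, addresses and ports are taken from the thread; the IPT variable is an assumption of this script so that it prints the commands (dry run) unless the caller exports IPT=iptables.

```shell
#!/bin/sh
# Added example for the thread above, not the posters' own script.
# Constructed from the values in the thread: interface, addresses, ports.
IPS="62.75.128.98 62.75.128.99"
PORTS="210,215,220,225,230"

# emit_rules prints one iptables command per line (dry run, the default)
# or executes them when the caller exports IPT=iptables (assumed name).
emit_rules() {
    ipt=${IPT:-echo iptables}
    # Stateful baseline: replies to accepted connections are matched here,
    # so no per-port OUTPUT rules with -d/--sports are needed at all.
    $ipt -A INPUT  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ip in $IPS; do
        for proto in tcp udp; do
            # -p must precede -m multiport so the ports can be parsed;
            # use multiport's own --destination-ports, not tcp's --dport.
            $ipt -A INPUT -i eth0 -p $proto -d $ip \
                -m multiport --destination-ports $PORTS \
                -m state --state NEW -j ACCEPT
        done
    done
    # Outbound client traffic (web, DNS, NTP ...) only needs NEW on OUTPUT.
    $ipt -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
}

# count_rules returns how many rules the dry run would install.
count_rules() { emit_rules | wc -l | tr -d ' '; }
```

Run it once as-is to review the printed commands, then with IPT=iptables exported to apply them; the state rules must come first so they are hit before any per-port matching.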