
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]

On 02/09/2004 Mike Mestnik wrote:
> > ok, so can i save this somehow?
>
> Were you using /etc/init.d/iptables to save?  This WILL correctly
> save/restore this kind of iptables state.
> Any way of running iptables on boot/ifup will work for you.

as i already mentioned, i use firehol as firewall. firehol's config file
firehol.conf can include bash commands, and therefore the iptables rules
are in this file too.

additionally, i don't have any /etc/init.d/iptables. the old init script
still exists at /usr/share/doc/iptables/examples/oldinitdscript.gz, but
seems to be a deprecated way of using iptables.

i'd really like to ease the usage of iptables, which means not entering the
full iptables command into firehol.conf for every new rule, but configuring
rules more dynamically.
normally, firewall tools are designed to do so, but firehol is very
limited in its functions, and for example blocking a whole ip requires
manual iptables usage.

> > iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.98
> > 	--dports 210,215,220,225,230 -j ACCEPT
> > iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.98
> > 	--sports 210,215,220,225,230 -j ACCEPT
> > iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.99
> > 	--dports 210,215,220,225,230 -j ACCEPT
> > iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.99
> > 	--sports 210,215,220,225,230 -j ACCEPT
> > 
> > this should be ok, correct?
> 
> Remove iptable's internal "--sports" and use multiport's options
> "--source-ports".  Using a valid "--sports" with multiport will be tricky,
> and worth nothing.  Same goes for "--dports".

ok, done. now my lines look like this (line continuations added so the
commands can be pasted as-is):
iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.98 \
	--destination-ports 210,215,220,225,230 -j ACCEPT
iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.98 \
	--source-ports 210,215,220,225,230 -j ACCEPT
iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.99 \
	--destination-ports 210,215,220,225,230 -j ACCEPT
iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.99 \
	--source-ports 210,215,220,225,230 -j ACCEPT

> Your use of "-p tcp" should
> sometimes read "-p udp".  Same goes for "-d 62.75.128." and "-s
> 62.75.128.".

sorry, but i don't understand this. do you mean that using -p tcp
sometimes fails, and iptables behaves as -p udp normally would?

and what about -d, how do you mean this?


last but not least

> Also consider using "-m state"...
> "-A INPUT -i eth0 -d 62.75.128.98 -m state --state
> NEW,ESTABLISHED,RELATED"
> "-A OUTPUT -o eth0 -s 62.75.128.98 -m state --state ESTABLISHED,RELATED"
> You can use "-m" more than once.  This would look better as...
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> "-A INPUT -i eth0 -m state --state NEW" For all your open ports/servers.
> "-A OUTPUT -o eth0 -m state --state NEW" For all your client's needs, web
> and DNS, maybe NTP etc.

i hope that this is done by firehol. normally i care only about special
tasks that firehol cannot fulfill.


last but not least, what about these --source-ports and
--destination-ports options from the 'multiport' module? is there any
documentation about them? i currently use them, and they work, but the
packet-filtering-HOWTO only mentions --source-port (--sport) and
--destination-port (--dport) *without* the final s.

second, the docs tell me that --dport and --sport (supporting at least
2 values) need the ports separated by colons (":"), not commas.

i'm a bit confused about what to do, but in fact the above pasted
iptables commands do exactly what i want. the only thing i'd like to
change is _how_ to start all this, as the iptables commands could
increase very fast, at least every intrusion attempt - and every new
service not running on default ports requires a new rule.

bye
 jonas
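An added example, not from this thread or from firehol: one way to get the "more dynamic" rule setup asked about above is a small POSIX sh helper that turns a "proto ip ports" list into the multiport INPUT/OUTPUT rule pair, so adding a service means adding one line to a list instead of pasting four iptables commands into firehol.conf. It assumes the defaults IPTABLES="echo iptables" (dry run, rules are printed) and IFACE=eth0; the OUTPUT rule matches the local address with -s, since that is the source of the replies.

```shell
#!/bin/sh
# IPTABLES defaults to a dry run; set IPTABLES=iptables to really apply rules.
IPTABLES="${IPTABLES:-echo iptables}"
IFACE="${IFACE:-eth0}"

# allow_multiport PROTO LOCAL_IP PORTS
#   PROTO    tcp or udp (multiport only works with these)
#   LOCAL_IP the address the service listens on
#   PORTS    comma-separated list for the multiport match (at most 15 entries;
#            an a:b entry means a port range)
allow_multiport() {
    proto="$1"; ip="$2"; ports="$3"
    case "$proto" in
        tcp|udp) ;;
        *) echo "allow_multiport: proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    # incoming connections to the listed destination ports
    $IPTABLES -A INPUT -i "$IFACE" -p "$proto" -d "$ip" \
        -m multiport --destination-ports "$ports" -j ACCEPT
    # replies leaving from those ports (redundant if a "-m state --state
    # ESTABLISHED,RELATED" rule on OUTPUT already accepts them)
    $IPTABLES -A OUTPUT -o "$IFACE" -p "$proto" -s "$ip" \
        -m multiport --source-ports "$ports" -j ACCEPT
}

# Constructed sample rule table, one "proto ip ports" entry per line; the
# addresses and ports are the ones from the thread above. In practice this
# could live in its own file that firehol.conf reads.
RULES='tcp 62.75.128.98 210,215,220,225,230
tcp 62.75.128.99 210,215,220,225,230'

# apply_rules: emit (or apply) the rule pair for every entry in RULES
apply_rules() {
    printf '%s\n' "$RULES" | while read -r proto ip ports; do
        [ -n "$proto" ] || continue          # skip blank lines
        allow_multiport "$proto" "$ip" "$ports" || return 1
    done
}

apply_rules
```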
