
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 02/09/2004 Mike Mestnik wrote:
> > > ok, so can i save this somehow?
> >
> > Were you using /etc/init.d/iptables to save?  This WILL correctly
> > save/restore this kind of iptables state.
> > Any way of running iptables on boot/ifup will work for you.
> 
> as i already mentioned, i use firehol as firewall. firehol's config file
> firehol.conf can include bash commands, and therefore the iptables rules
> are in this file too.
> 
> additionally, i don't have any /etc/init.d/iptables. the old init script
> still exists at /usr/share/doc/iptables/examples/oldinitdscript.gz, but
> seems to be a deprecated way of using iptables.
> 
> i'd really like to ease the usage of iptables, which means not entering the
> full iptables command into firehol.conf for every new rule, but configuring
> rules more dynamically.
> normally, firewall tools are designed to do so, but firehol is very
> limited in its functions, and for example blocking a whole ip requires
> manual iptables usage.
> 
> > > iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.98
> > > 	--dports 210,215,220,225,230 -j ACCEPT
> > > iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.98
> > > 	--sports 210,215,220,225,230 -j ACCEPT
> > > iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.99
> > > 	--dports 210,215,220,225,230 -j ACCEPT
> > > iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.99
> > > 	--sports 210,215,220,225,230 -j ACCEPT
> > > 
> > > this should be ok, correct?
> > 
> > Remove iptables' internal "--sports" and use multiport's option
> > "--source-ports".  Using a valid "--sports" with multiport will be tricky,
> > and worth nothing.  Same goes for "--dports".
> 
> ok, done. now my lines look like this:
> iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.98
> 	--destination-ports 210,215,220,225,230 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.98
> 	--source-ports 210,215,220,225,230 -j ACCEPT
> iptables -A INPUT -i eth0 -m multiport -p tcp -d 62.75.128.99
> 	--destination-ports 210,215,220,225,230 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m multiport -p tcp -d 62.75.128.99
> 	--source-ports 210,215,220,225,230 -j ACCEPT
> 
> > Your use of "-p tcp" should
> > sometimes read "-p udp".  Same goes for "-d 62.75.128." and "-s
> > 62.75.128.".
> 
> sorry, but i don't understand this. do you mean that using -p tcp
> sometimes fails, and iptables behaves as -p udp normally would?
> 
> and what about -d, how do you mean this?
> 
For INPUT the pkts should be "-d you", but for OUTPUT the pkts should be
"-s you".
Sorry about "-p tcp" vs "-p udp", you will use tcp.  It's just that your
rules could be only for untrusted (-s) data, my misassumption.

> 
> last but not least
> 
> > Also consider using "-m state"...
> > "-A INPUT -i eth0 -d 62.75.128.98 -m state --state NEW,ESTABLISHED,RELATED"
> > "-A OUTPUT -o eth0 -s 62.75.128.98 -m state --state ESTABLISHED,RELATED"
> > You can use "-m" more than once.  This would look better as...
> > iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > "-A INPUT -i eth0 -m state --state NEW" For all your open ports/servers.
> > "-A OUTPUT -o eth0 -m state --state NEW" For all your client's needs, web
> > and DNS, maybe NTP etc.
> 
> i hope that this is done by firehol. normally i care only about special
> tasks firehol cannot fulfill.
> 
If you run iptables directly it most likely won't be.  There may be
default/blanket ESTABLISHED,RELATED rules, but this would be bad for
firehol.  Any really good firewall will have specific ESTABLISHED,RELATED
rules for only expected data.

Your rules for incoming connections should be "INPUT -m state --state NEW"
and "OUTPUT -m state --state ESTABLISHED,RELATED".  For outgoing
connections reverse INPUT and OUTPUT.  Since you're running iptables directly
it would be OK for you to blanket accept all ESTABLISHED,RELATED for input
and output, like I do.  Then you would use only one rule per IP and if you
did have two it would be for udp, like I assumed.

> 
> last but not least, what about these --source-ports and
> --destination-ports options from the 'multiport' module? is there any
> documentation about them? i currently use them, and they work, but the
> packet-filtering-HOWTO only mentions --source-port (--sport) and
> --destination-port (--dport) *without* the final s.
> 
> second, the docs tell me that --dport and --sport (supporting at least
> 2 values) need the ports separated by colons (":"), not commas.
> 
man iptables, this is a must read/may understand.

> i'm a bit confused about what to do, but in fact the above pasted
> iptables commands do exactly what i want. the only thing i'd like to
> change is _how_ to start all this, as the iptables commands could
> increase very fast, at least every intrusion attempt - and every new
> service not running on default ports requires a new rule.
> 
This is where subnetting comes into play, you can put all your servers in
the same, I.E. /28, subnet.

> bye
>  jonas
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 
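As an added example (not code from this thread, from firehol, or from either poster), here is a small POSIX shell script that generates the kind of ruleset being discussed above for several server addresses at once, in iptables-restore(8) syntax rather than as one iptables invocation per rule. It applies the two points made in the reply: INPUT rules match on the destination address (-d) and carry the multiport list plus "--state NEW", while replies in both directions are covered by a single blanket ESTABLISHED,RELATED rule per chain, so no OUTPUT "--source-ports" rules are needed. The addresses and ports are the sample values from the thread; the interface name, the default-deny policies and the loopback rule are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build an iptables-restore(8)
# ruleset for several server addresses and a list of TCP service ports.
# The interface, addresses and ports are constructed sample values (the
# addresses and ports are the ones quoted in the thread); adjust for your host.

IFACE="eth0"
SERVER_IPS="62.75.128.98 62.75.128.99"
TCP_PORTS="210,215,220,225,230"

# gen_ruleset IFACE "IP IP ..." "PORT,PORT,..."
# Prints a complete *filter table. To load it (as root):
#   gen_ruleset eth0 "..." "..." | iptables-restore
# iptables-save prints the same format, which is also what the old
# /etc/init.d/iptables-style save/restore keeps on disk.
gen_ruleset() {
    iface=$1
    ips=$2
    ports=$3

    printf '%s\n' '*filter'
    # Policies: default-deny for INPUT and FORWARD. OUTPUT is left ACCEPT in
    # this example; a stricter host would default-deny it too and add
    # "--state NEW" OUTPUT rules for the clients it runs (DNS, NTP, ...).
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'

    # Loopback, then one blanket accept per direction for packets that belong
    # to an already tracked connection. With these in place the per-service
    # rules below only have to match a connection's first (NEW) packet, and
    # no OUTPUT --source-ports rules are needed for the replies.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # Inbound connections: for INPUT our own address is the *destination* (-d).
    # multiport takes the comma-separated list via --destination-ports (at
    # most 15 ports per rule), so one rule per address covers every service.
    for ip in $ips; do
        rule="-A INPUT -i $iface -d $ip -p tcp -m multiport --destination-ports $ports -m state --state NEW -j ACCEPT"
        printf '%s\n' "$rule"
    done

    printf '%s\n' 'COMMIT'
}

# Stand-alone usage: print the ruleset instead of loading it.
gen_ruleset "$IFACE" "$SERVER_IPS" "$TCP_PORTS"
```

Adding a service or a host then means editing TCP_PORTS or SERVER_IPS and reloading, instead of appending another hand-written iptables line. Two notes for current systems: the iptables(8) man page lists "--dports" and "--sports" as synonyms for multiport's "--destination-ports" and "--source-ports" (the long forms are used here because they cannot be confused with the tcp module's single-port options), and "-m state --state" is today an alias for "-m conntrack --ctstate", which is the spelling newer documentation uses.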