Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]
On 03/09/2004 Mike Mestnik wrote:
> For INPUT the pkts should be "-d you", but for OUTPUT the pkts should be
> "-s you".
> Sorry about "-p tcp" vs "-p udp", you will use tcp. It's just that your
> rules could be only for untrusted(-s) data, my misassumption.
Now I understand ;) I assume that using more than one -m option is OK
at all, and now have in firehol.conf:
iptables -A INPUT -i eth0 -p tcp -d 62.75.128.98/31 \
-m multiport --dports 210,215,220,225,230 \
-m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 62.75.128.98/31 \
-m multiport --sports 210,215,220,225,230 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
> If you run iptables directly it most likely won't be. There may be
> default/blanket ESTABLISHED,RELATED rules, but this would be bad for
> firehol. Any really good firewall will have specific ESTABLISHED,RELATED
> rules for only expected data.
>
> Your rules for incoming connections should be "INPUT -m state --state NEW"
> and "OUTPUT -m state --state ESTABLISHED,RELATED". For outgoing
> connections reverse INPUT and OUTPUT. Since you're running iptables directly
> it would be OK for you to blanket accept all ESTABLISHED,RELATED for input
> and output, like I do. Then you would use only one rule for IP and if you
> did have two it would be for udp, like I assumed.
So you mean setting the rule for destination ports and source ports?
The last commands are clear in this case, --ports ... but what about -A
INPUT/OUTPUT and -i/-o eth0?
About udp: does ftp sometimes use udp? Is it wise to open udp as well
for ftp connections?
bye
jonas
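The rule pairs Mike describes (NEW on the side that receives the connection, ESTABLISHED,RELATED on the way back, the two swapped for outgoing connections), written as an added example rather than anything from the thread or from firehol. It only prints the rules for review; the interface, address and port list are the values quoted above, and the state-name check exists because iptables rejects a misspelled --state argument outright.

```shell
#!/bin/sh
# Assumed values, taken from the thread's own rules.
IFACE=eth0
ADDR=62.75.128.98/31
PORTS=210,215,220,225,230

# Service we offer: clients open NEW connections to our ports (INPUT matches
# -d us and --dports); replies leave as ESTABLISHED,RELATED (OUTPUT matches
# -s us and --sports). "-p tcp" comes before "-m multiport", which needs the
# protocol to already be known.
inbound_service_rules() {
  echo "iptables -A INPUT -i $IFACE -p tcp -d $ADDR -m multiport --dports $PORTS -m state --state NEW -j ACCEPT"
  echo "iptables -A OUTPUT -o $IFACE -p tcp -s $ADDR -m multiport --sports $PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Connections we open to remote ports: INPUT and OUTPUT swap roles, and so
# do -s/-d and --sports/--dports.
outbound_client_rules() {
  echo "iptables -A OUTPUT -o $IFACE -p tcp -s $ADDR -m multiport --dports $PORTS -m state --state NEW -j ACCEPT"
  echo "iptables -A INPUT -i $IFACE -p tcp -d $ADDR -m multiport --sports $PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# The coarser variant from the reply: accept all ESTABLISHED,RELATED traffic
# in both directions, then a single NEW rule per offered service.
blanket_rules() {
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i $IFACE -p tcp -d $ADDR -m multiport --dports $PORTS -m state --state NEW -j ACCEPT"
}

# Every name in a --state list must be one the state match knows; a typo
# such as ESTABLESHED makes iptables reject the whole rule.
valid_states() {
  for s in $(echo "$1" | tr ',' ' '); do
    case "$s" in
      NEW|ESTABLISHED|RELATED|INVALID) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Print the specific pairs; pipe through "sh" only after reviewing them.
inbound_service_rules
outbound_client_rules
```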