Specifying multiple services to Netfilter
I'm in the middle of writing a Netfilter script and seem to be having a
problem or two. For some reason I can't figure out how I can pass
multiple port numbers in a single rule.
For example:
#!/bin/sh
# DSLIFACE (the external interface) and ANYADDR (0/0) are assumed to be set earlier in the script
# TCP services that we wish to pass as listed in /etc/services
TCPIN="smtp www ftp ftp-data"
TCPOUT="smtp www ftp ftp-data"
## TCP -- incoming and outgoing rules
# First, reject all well-known ports and services in both directions
iptables -A INPUT --protocol tcp -i $DSLIFACE -s $ANYADDR --sport :1023 -j REJECT
iptables -A OUTPUT --protocol tcp -o $DSLIFACE -d $ANYADDR --dport :1023 -j REJECT
# Second, keep all TCP datagrams belonging to existing connections
iptables -A INPUT -m multiport --protocol tcp -i $DSLIFACE --sport $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A OUTPUT -m multiport --protocol tcp -o $DSLIFACE --dport $TCPOUT ! --tcp-flags SYN,ACK ACK -j ACCEPT
# Now allow those services that we wish to use.
iptables -A INPUT --protocol tcp -i $DSLIFACE -s $ANYADDR --sport $TCPIN -j ACCEPT
iptables -A OUTPUT --protocol tcp -o $DSLIFACE -d $ANYADDR --dport $TCPOUT -j ACCEPT
When I attempt to run this script and test it I get:
Bad argument `www'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `www'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `www'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `www'
Try `iptables -h' or 'iptables --help' for more information.
This leads me to believe that I'm passing my services/ports to
netfilter wrongly. I've tried using commas with a space and commas without a
space but nothing seems to help. Is there a way to pass multiple
services/ports in a single rule?
Thanks for your help :-D
BTW -> These rules are still in the making so feel free to point out any
mistakes that I might have made!!
Stef
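One way to build the list that `-m multiport` actually expects, as an added example that is not code from Stef's post: the match wants a comma-separated list (no spaces) of at most 15 ports given after `-p tcp`, so the helper below resolves each service name to its number with getent where the system services database exists, falls back to a small constructed table otherwise, enforces the 15-port limit, and prints the resulting rules instead of executing them. The interface name ppp0 is a placeholder.

```sh
#!/bin/sh
# Resolve one TCP service name (or a bare port number) to its port number.
# Uses the system services database via getent(1) when present; otherwise a
# small constructed table covering only the services from the post.
svc_to_port() {
    port=$(getent services "$1/tcp" 2>/dev/null | awk '{ sub("/.*", "", $2); print $2 }')
    if [ -z "$port" ]; then
        case "$1" in
            smtp)      port=25 ;;
            www|http)  port=80 ;;
            ftp)       port=21 ;;
            ftp-data)  port=20 ;;
            [0-9]*)    port=$1 ;;          # already numeric
            *)         return 1 ;;         # unknown service: refuse rather than guess
        esac
    fi
    printf '%s' "$port"
}

# Join the resolved ports with commas, the form "-m multiport --sports/--dports"
# parses. multiport accepts at most 15 ports per match (a range a:b counts as two).
multiport_list() {
    list=""; n=0
    for svc in "$@"; do
        p=$(svc_to_port "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        list="${list:+$list,}$p"
        n=$((n + 1))
    done
    [ "$n" -le 15 ] || { echo "multiport takes at most 15 ports, got $n" >&2; return 1; }
    printf '%s' "$list"
}

# Print the two rules from the post in multiport form: replies from remote
# servers on INPUT (non-SYN only), our own requests on OUTPUT. "-p tcp" must
# precede "-m multiport" so the match knows which protocol's ports it checks.
emit_rules() {
    iface=$1; shift
    ports=$(multiport_list "$@") || return 1
    printf 'iptables -A INPUT  -i %s -p tcp -m multiport --sports %s ! --syn -j ACCEPT\n' "$iface" "$ports"
    printf 'iptables -A OUTPUT -o %s -p tcp -m multiport --dports %s -j ACCEPT\n' "$iface" "$ports"
}

emit_rules ppp0 smtp www ftp ftp-data
```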