[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Specifying multiple services to Netfilter

"Laurence J. Lane" wrote:
Look at the multiport option in the iptables manpage.

As an example:

  /sbin/iptables --insert INPUT --protocol tcp --match multiport \
    --destination-port www,ssh,pop3 --jump ACCEPT

Thanks for the tip, so far I've come up with:

#!/bin/sh -x


# TCP --incomming and outgoing rules
# First, reject all well know TCP ports and services

iptables -A INPUT --protocol tcp -i $DSLIFACE -d $ANYADDR \
    --destination-port :1023 -j REJECT
iptables -A INPUT --protocol tcp -i $DSLIFACE -s $ANYADDR \
    --source-port :1023 -j REJECT

# Second, keep all TCP datagrams belonging to existing connections

iptables -A INPUT --match multiport --protocol tcp -d $ANYADDR \
    --destination-port $TCPIN --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A INPUT --match multiport --protocol tcp -d $ANYADDR \
    --source-port $TCPIN --tcp-flags SYN,ACK ACK -j ACCEPT

# Now allow connections to those services that we wish to use.

iptables -A INPUT --match multiport --protocol tcp -i $DSLIFACE \
    -d $ANYADDR --destination-port $TCPIN --syn -j ACCEPT

Seems a little refined from last time, eh?

Anyway, I'm having a few problems with this configuration. It doesn't work!! After I run the script I can ping websites (which means ICMP works along with DNS, but I'm running BIND as a caching-only nameserver) but cannot use any of the other TCP services that I have listed above.

What's missing? All default policies are set to ACCEPT and UDP and ICMP datagrams have not been filtered.

> #!/bin/sh
Try "#!/bin/sh -x" instead.

Whats the difference? I'd like to know, my brain is always working (or so I like to think)

Thanks for your time


Reply to: