
Re: Multiport trouble



On Tue, 24 Jun 2003, Jean Christophe ANDRÉ wrote:

> Why not use something like this?
>
>   iptables -A OUTPUT \
>     -s "$PUB_IP" -o "$PUB_IFACE" -p tcp \
>     -m tcp --sport 1024:65535 -m multiport --dports 443,4030 \
>     -m state --state NEW -j ACCEPT

Thanks! You put me on the right track.

Now I am using this

#===============================================================================
#Allow local HTTP clients to connect to any remote server on common ports
#===============================================================================

if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o $PUB_IFACE -p tcp \
           -s $PUB_IP --sport $EPHEMERAL_PORTS \
           -m multiport --dports 80,8080,8888 \
           -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o $PUB_IFACE -p tcp \
         -s $PUB_IP --sport $EPHEMERAL_PORTS \
         -m multiport --dports 80,8080,8888 \
         -j ACCEPT

iptables -A INPUT -i $PUB_IFACE -p tcp \
         -m multiport --sports 80,8080,8888 ! --syn \
         -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT

#===============================================================================

Judging from the output of

/sbin/iptables --line-numbers --numeric --verbose --list

everything is now as I wanted it.

Grx HdV
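As an added illustration (not part of the mail or of the list's own code): a small Python model of the two stateless rules above, with the interface match assumed satisfied, $PUB_IP assumed to be 192.0.2.10 and $EPHEMERAL_PORTS assumed to be 1024:65535. It shows what multiport and "! --syn" let through, including a bare ACK from source port 80 that no local client ever requested, which only the connection-tracking path (state NEW/ESTABLISHED) would refuse.

```python
from dataclasses import dataclass

# TCP flag bits; iptables --syn means "--tcp-flags FIN,SYN,RST,ACK SYN".
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SYN_MASK = FIN | SYN | RST | ACK

PUB_IP = "192.0.2.10"            # assumed value of $PUB_IP (constructed)
EPHEMERAL = range(1024, 65536)   # assumed $EPHEMERAL_PORTS = 1024:65535
HTTP_PORTS = {80, 8080, 8888}    # the multiport list from the rules

@dataclass
class Packet:
    chain: str    # "OUTPUT" or "INPUT" (interface match assumed satisfied)
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

def is_syn(p: Packet) -> bool:
    """Same test as iptables --syn: SYN set, FIN/RST/ACK all clear."""
    return (p.flags & SYN_MASK) == SYN

def output_rule(p: Packet) -> bool:
    # -A OUTPUT -p tcp -s $PUB_IP --sport $EPHEMERAL_PORTS -m multiport --dports 80,8080,8888 -j ACCEPT
    return (p.chain == "OUTPUT" and p.src == PUB_IP
            and p.sport in EPHEMERAL and p.dport in HTTP_PORTS)

def input_rule(p: Packet) -> bool:
    # -A INPUT -p tcp -m multiport --sports 80,8080,8888 ! --syn -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT
    return (p.chain == "INPUT" and p.dst == PUB_IP
            and p.sport in HTTP_PORTS and p.dport in EPHEMERAL
            and not is_syn(p))

def verdict(p: Packet) -> str:
    """ACCEPT if either stateless rule matches, else the assumed DROP policy."""
    return "ACCEPT" if output_rule(p) or input_rule(p) else "DROP"

# Constructed packets: a normal HTTP round trip, plus cases that show the limits.
OUT_SYN = Packet("OUTPUT", PUB_IP, "198.51.100.7", 40000, 8080, SYN)
IN_SYNACK = Packet("INPUT", "198.51.100.7", PUB_IP, 8080, 40000, SYN | ACK)
IN_SYN_FROM_80 = Packet("INPUT", "198.51.100.7", PUB_IP, 80, 40000, SYN)
IN_STRAY_ACK = Packet("INPUT", "203.0.113.9", PUB_IP, 80, 50000, ACK)  # never requested
OUT_HTTPS = Packet("OUTPUT", PUB_IP, "198.51.100.7", 40001, 443, SYN)   # not in the list

if __name__ == "__main__":
    for p in (OUT_SYN, IN_SYNACK, IN_SYN_FROM_80, IN_STRAY_ACK, OUT_HTTPS):
        print(p.chain, p.sport, "->", p.dport, verdict(p))
```

The stray ACK is accepted because "! --syn" only rejects connection-opening segments; the "state NEW" rule in the CONNECTION_TRACKING branch is what ties replies to a conntrack entry.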