
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 03/09/2004 Mike Mestnik wrote:
> > For INPUT the pkts should be "-d you", but for OUTPUT the pkts should be
> > "-s you".
> > Sorry about "-p tcp" vs "-p udp", you will use tcp.  It's just that your
> > rules could be only for untrusted(-s) data, my misassumption.
> 
> Now I understand ;) I assume that using more than one -m option is OK
> at all, and now have in firehol.conf:
> 
> iptables -A INPUT  -i eth0 -m state --state NEW \
> 		-m multiport --dports 210,215,220,225,230 \
> 		-p tcp -d 62.75.128.98/31 -j ACCEPT
Does this work w/o ESTABLISHED,RELATED?
Maybe another rule is matching these pkts.

You would think that NEW,ESTABLISHED,RELATED might match every pkt, this
might be bad.  This is not the case I'm sure.  For example you wouldn't
want to accept TCP data for a "logical connection" that we have not seen a
SYN (connection request) for.

> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
> 		-m multiport --sports 210,215,220,225,230 \
> 		-p tcp -s 62.75.128.98/31 -j ACCEPT
> 
> > If you run iptables directly it most likely won't be.  There may be
> > default/blanket ESTABLISHED,RELATED rules, but this would be bad for
> > firehol.  Any really good firewall will have specific ESTABLISHED,RELATED
> > rules for only expected data.
> > 
> > Your rules for incoming connections should be "INPUT -m state --state NEW"
> > and "OUTPUT -m state --state ESTABLISHED,RELATED".  For outgoing
> > connections reverse INPUT and OUTPUT.  Since you're running iptables directly
> > it would be OK for you to blanket accept all ESTABLISHED,RELATED for input
> > and output, like I do.  Then you would use only one rule for IP and if you
> > did have two it would be for udp, like I assumed.
> 
> So you mean setting the rule for destination ports and source ports?
> The last commands are clear in this case, --ports ... but what about -A
> INPUT/OUTPUT and -i/-o eth0?
> 
I only use ESTABLISHED,RELATED once for each chain and have it affect all
pkts.  This way I only deny/allow NEW pkts, this works for both TCP and
UDP.  It's not optimal and network tools like firehol should try to avoid
having to do it.  Like this....

        iptables -A INPUT -i $IFACE+ -m state --state\
                ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i $IFACE+ -m state --state\
                ESTABLISHED,RELATED -j ACCEPT
        iptables -A OUTPUT -o $IFACE+ -m state --state\
                ESTABLISHED,RELATED -j ACCEPT

> about udp: does ftp sometimes use udp? is it wise to open udp as well
> for ftp connections?
> 
UDP might/will be needed for, let's say, DNS, NTP, SNMP and a few others.
This is where tcpdump will be of most use, i.e. "tcpdump udp".

> bye
>  jonas
> 
> 
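As an added example (not code from this thread or from firehol), here is a small POSIX sh script that builds the ruleset Mike describes: one blanket ESTABLISHED,RELATED rule per chain, then NEW-only rules for the ports and address quoted above, plus a check that no INPUT/OUTPUT rule is missing a --state match. The names IFACE, ADDR, PORTS and IPT are my own; iptables is only invoked if you set IPT=iptables, otherwise the rules are just printed for review.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run by default: set
# IPT=iptables to actually load the rules.
IFACE="${IFACE:-eth0}"                 # interface; "+" below makes it a prefix wildcard
ADDR="${ADDR:-62.75.128.98/31}"        # local address quoted in the thread
PORTS="${PORTS:-210,215,220,225,230}"  # port list quoted in the thread
IPT="${IPT:-echo iptables}"            # "echo" prints rules instead of loading them

# Blanket rules: accept anything conntrack already knows about, in all three
# chains. Every later rule then only has to decide about NEW traffic.
stateful_base() {
    for chain in INPUT FORWARD OUTPUT; do
        case "$chain" in
            OUTPUT) dir="-o" ;;   # outbound packets match on the out-interface
            *)      dir="-i" ;;
        esac
        $IPT -A "$chain" "$dir" "${IFACE}+" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# Incoming service: only the connection request (NEW, i.e. the TCP SYN) needs
# a rule, and it is addressed *to* us, so it is matched with -d.
# $1 = local address, $2 = comma-separated destination ports.
allow_incoming_tcp() {
    $IPT -A INPUT -i "$IFACE" -p tcp -d "$1" \
        -m multiport --dports "$2" -m state --state NEW -j ACCEPT
}

# Outgoing connection: the reverse. The NEW packet leaves OUTPUT *from* us
# (-s); the reply comes back through the blanket INPUT rule above.
allow_outgoing_tcp() {
    $IPT -A OUTPUT -o "$IFACE" -p tcp -s "$1" \
        -m multiport --dports "$2" -m state --state NEW -j ACCEPT
}

# Check a generated ruleset read from stdin: every -A INPUT/-A OUTPUT rule
# must carry a --state match, so nothing accepts unexpected mid-stream data.
all_rules_stateful() {
    if grep -E -- '-A (INPUT|OUTPUT)' | grep -v -- '--state' | grep -q .; then
        return 1   # found a rule without a state match
    fi
    return 0
}

ruleset() {
    stateful_base
    allow_incoming_tcp "$ADDR" "$PORTS"
    allow_outgoing_tcp "$ADDR" "$PORTS"
}

ruleset   # print (or, with IPT=iptables, load) the rules
```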
