Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]
On 09/09/2004 Mike Mestnik wrote:
> > iptables -A INPUT -i eth0 -m state --state NEW \
> > -m multiport --dports 210,215,220,225,230 \
> > -p tcp -d 62.75.128.98/31 -j ACCEPT
>
> Does this work w/o ESTABLISHED,RELATED?
> Maybe another rule is matching these pkts.
Yes, it finally works.
> You would think that NEW,ESTABLISHED,RELATED might match every pkt, this
> might be bad. This is not the case I'm sure. For example you wouldn't
> want to accept TCP data for a "logical connection" that we have not seen a
> SYN (connection request) for.
So what do you suggest? After you told me that ESTABLISHED and RELATED are
also important for input, the input rule is now:
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
-m multiport --dports 210,215,220,225,230 \
-p tcp -d 62.75.128.98/31 -j ACCEPT
Do you mean that I now accept TCP data for connections that have no
connection request? You mean spoofing attacks?
> > so you mean setting the rule for destination-ports and source-ports?
> > the last commands are clear in this case, --ports ... but what about -A
> > INPUT/OUTPUT and -i/-o eth0?
> >
> I only use ESTABLISHED,RELATED once for each chain and have it affect all
> pkts. This way I only deny/allow NEW pkts; this works for both TCP and
> UDP. It's not optimal and network tools like firehol should try to avoid
> having to do it. Like this....
Anyway, firehol doesn't allow setting user-specific ports for the service 'ftp',
and therefore I have to open these ports manually.
> iptables -A INPUT -i $IFACE+ -m state --state\
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $IFACE+ -m state --state\
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $IFACE+ -m state --state\
> ESTABLISHED,RELATED -j ACCEPT
I need no FORWARD, as this is a single server, but in general it looks
very similar to my rules, only my INPUT line still has NEW packets, as
I'm still not convinced that I can reject them. What are they exactly
meant for?
> > about udp: does ftp sometimes use udp? is it wise to open udp as well
> > for ftp connections?
> >
> UDP might/will be needed for, let's say, DNS, NTP, SNMP and a few others.
> This is where tcpdump will be of most use, i.e. "tcpdump udp".
So this means that I don't need to open UDP ports for FTP ...
bye
jonas
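The layout Mike describes in the thread, one ESTABLISHED,RELATED rule per chain and NEW accepted only for the listed ports, written out as a complete script for a single server. This is an added example and not code from the thread or from firehol. The interface eth0, the address 62.75.128.98/31 and the port list 210,215,220,225,230 are taken from the mails; the TCP service ports 21 and 22, the loopback rules, the INVALID drop and the OUTPUT NEW rule are assumptions added here. Rule generation is kept separate from application so the set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not from the thread or firehol): stateful INPUT/OUTPUT
# policy for a single server. Values taken from the thread: eth0,
# 62.75.128.98/31, ports 210,215,220,225,230. Assumed here: ports 21,22,
# loopback rules, INVALID drop, unrestricted OUTPUT NEW.

IFACE="${IFACE:-eth0}"
SERVER_NET="${SERVER_NET:-62.75.128.98/31}"
FTP_PORTS="${FTP_PORTS:-210,215,220,225,230}"
TCP_SERVICE_PORTS="${TCP_SERVICE_PORTS:-21,22}"

# Emit the ruleset, one command per line, without executing anything.
# Order matters: the single ESTABLISHED,RELATED rule per chain comes
# first, so the NEW rules below only ever see the first packet (SYN)
# of a connection and never mid-stream data without a prior SYN.
gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $IFACE -m state --state INVALID -j DROP
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp -d $SERVER_NET -m multiport --dports $TCP_SERVICE_PORTS -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp -d $SERVER_NET -m multiport --dports $FTP_PORTS -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $IFACE -m state --state NEW -j ACCEPT
EOF
}

# Apply the generated rules. Needs root and iptables; stops on the
# first command that iptables rejects.
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Sanity check on the generated set, usable before applying it: the
# ESTABLISHED,RELATED rule must precede every NEW rule in INPUT, and no
# rule may carry a misspelled state (iptables rejects "ESTABLESHED").
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q 'ESTABLESHED' && return 1
    est=$(printf '%s\n' "$rules" | grep -n 'INPUT.*ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    new=$(printf '%s\n' "$rules" | grep -n 'INPUT.*--state NEW' | head -1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

case "${1:-}" in
    --apply) apply_rules ;;
    --check) check_rules && echo "ruleset ok" ;;
    *) gen_rules ;;
esac
```

Run without arguments to print the rules, `--check` to verify the ordering, `--apply` (as root) to load them. With this layout the NEW rules are the only place where policy is decided; everything after the first packet of an accepted connection rides on the ESTABLISHED,RELATED rule, which is Mike's point about not accepting TCP data for a connection whose SYN was never seen. If the FTP connection-tracking helper (ip_conntrack_ftp / nf_conntrack_ftp) is loaded, passive data connections to the listed ports are classified RELATED and pass through that rule anyway; the explicit NEW rule for the port range covers the case where the helper is not loaded.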