
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



On 09/09/2004 Mike Mestnik wrote:
> > iptables -A INPUT  -i eth0 -m state --state NEW \
> > 		-m multiport --dports 210,215,220,225,230 \
> > 		-p tcp -d 62.75.128.98/31 -j ACCEPT
>
> Does this work w/o ESTABLISHED,RELATED?
> Maybe another rule is matching these pkts.

yes, it finally works.

> You would think that NEW,ESTABLISHED,RELATED might match every pkt, this
> might be bad.  This is not the case I'm sure.  For example you wouldn't
> want to accept TCP data for a "logical connection" that we have not seen a
> SYN(connection request) for.

so you suggest what? after you told me that ESTABLISHED and RELATED are
also important for input, now the input rule is:

iptables -A INPUT  -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
		-m multiport --dports 210,215,220,225,230 \
		-p tcp -d 62.75.128.98/31 -j ACCEPT

do you mean that I now accept tcp data for connections that have no
connection request? you mean spoofing attacks?

> > so you mean setting the rule for destination-ports and source-ports?
> > the last commands are clear in this case, --ports ... but what about -A
> > INPUT/OUTPUT and -i/-o eth0?
> > 
> I only use ESTABLISHED,RELATED once for each chain and have it affect all
> pkts.  This way I only deny/allow NEW pkts, this works for both TCP and
> UDP.  It's not optimal and network tools like firehol should try to avoid
> having to do it.  Like this....

anyway firehol doesn't allow setting user-specific ports for the service 'ftp',
and therefore I have to open these ports manually.

>         iptables -A INPUT -i $IFACE+ -m state --state\
>                 ESTABLISHED,RELATED -j ACCEPT
>         iptables -A FORWARD -i $IFACE+ -m state --state\
>                 ESTABLISHED,RELATED -j ACCEPT
>         iptables -A OUTPUT -o $IFACE+ -m state --state\
>                 ESTABLISHED,RELATED -j ACCEPT

I need no forward, as this is a single server, but in general it looks
very similar to my rules, only my input line still has new packets, as
I'm still not convinced that I can reject them. what are they exactly
meant for?

> > about udp: does ftp sometimes use udp? is it wise to open udp as well
> > for ftp connections?
> > 
> UDP might/will be needed for lets say DNS, NTP, SNMP and a few others. 
> This is where tcpdump will be of most use, I.E. "tcpdump udp".

so this means that I don't need to open udp ports for ftp ...

bye
 jonas
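
The pattern Mike describes (one ESTABLISHED,RELATED rule per chain, then explicit rules for NEW connections only) written out as a complete single-host ruleset. This is an added example, not code from the thread or from firehol. It keeps the interface, the 62.75.128.98/31 destination and the port list from the mail; the choice of 210 as the FTP control port, the use of the kernel FTP conntrack helper (nf_conntrack_ftp, assigned with the CT target in the raw table) and the outbound DNS/NTP rules are assumptions. By default it only prints the iptables commands (IPT defaults to "echo iptables"); run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: stateful iptables ruleset for a single server.
# Dry-run by default; apply for real with:  IPT=iptables sh fw.sh   (as root)

IFACE="${IFACE:-eth0}"                       # interface from the thread
HOST_NET="${HOST_NET:-62.75.128.98/31}"      # destination block from the thread
TCP_PORTS="${TCP_PORTS:-210,215,220,225,230}" # ports from the thread
FTP_CTRL_PORT="${FTP_CTRL_PORT:-210}"        # ASSUMPTION: the FTP control port
IPT="${IPT:-echo iptables}"                  # "echo iptables" = dry run

gen_rules() {
    # 1. Default deny in every chain, then start from an empty table.
    #    FORWARD stays at DROP with no rules: this is a single host.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -t raw -F
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 2. Packets conntrack cannot assign to any flow (bad TCP flags,
    #    out-of-window segments) are INVALID: drop them first.
    $IPT -A INPUT  -i "$IFACE" -m conntrack --ctstate INVALID -j DROP
    $IPT -A OUTPUT -o "$IFACE" -m conntrack --ctstate INVALID -j DROP

    # 3. One ESTABLISHED,RELATED rule per chain. Every packet belonging to
    #    a connection that was already accepted matches here, so the rules
    #    below only have to decide about NEW connections.
    $IPT -A INPUT  -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. With the default nf_conntrack_tcp_loose=1 a mid-stream ACK for a
    #    connection the kernel never saw a SYN for is classified NEW, not
    #    INVALID. Refuse such packets so NEW below really means "SYN seen".
    $IPT -A INPUT -i "$IFACE" -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # 5. Accept NEW TCP connections only on the listed ports, to this host.
    #    -p tcp comes before -m multiport so the match knows the protocol.
    $IPT -A INPUT -i "$IFACE" -p tcp -d "$HOST_NET" \
         -m multiport --dports "$TCP_PORTS" -m conntrack --ctstate NEW -j ACCEPT

    # 6. FTP data connections (active and passive) are tracked by the FTP
    #    helper and then match the RELATED rule in step 3, so no port range
    #    and no UDP has to be opened for them (FTP does not use UDP).
    #    Needs: modprobe nf_conntrack_ftp
    $IPT -t raw -A PREROUTING -i "$IFACE" -p tcp --dport "$FTP_CTRL_PORT" \
         -j CT --helper ftp

    # 7. Outbound NEW connections the host itself needs (assumed: DNS, NTP).
    $IPT -A OUTPUT -o "$IFACE" -p udp -m multiport --dports 53,123 \
         -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport 53 \
         -m conntrack --ctstate NEW -j ACCEPT
}

gen_rules
```

Because the ESTABLISHED,RELATED rule sits in front of the NEW rules, the INPUT rule for the service ports does not need NEW,ESTABLISHED,RELATED any more; replies and FTP data connections are already accepted by step 3, and only the first SYN of a client connection has to pass step 5. Check what conntrack actually sees with `conntrack -L` (or `cat /proc/net/nf_conntrack`) while a transfer runs.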
