Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]
--- Jonas Meurer <jonas@freesources.org> wrote:
> On 09/09/2004 Mike Mestnik wrote:
> > > iptables -A INPUT -i eth0 -m state --state NEW \
> > > -m multiport --dports 210,215,220,225,230 \
> > > -p tcp -d 62.75.128.98/31 -j ACCEPT
> >
> > Does this work w/o ESTABLISHED,RELATED?
> > Maybe another rule is matching these pkts.
>
> yes, it finally works.
>
What? I'm just curious as to what finally works?
I was hoping you would find the rule that was matching the pkts you were
not letting through? -OR- If you had to change the above rule to do so?
> > You would think that NEW,ESTABLISHED,RELATED might match every pkt, this
> > might be bad. This is not the case I'm sure. For example you wouldn't
> > want to accept TCP data for a "logical connection" that we have not
> > seen a SYN (connection request) for.
>
> so you suggest what? after you told me that ESTABLISHED and RELATED are
> also important for input, now the input rule is:
>
I was trying to get an answer from someone who knows. I'm sure the
netfilter ppl have thought of this and nothing need be done.
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
> -m multiport --dports 210,215,220,225,230 \
> -p tcp -d 62.75.128.98/31 -j ACCEPT
>
> do you mean that i now accept tcp data for connections that have no
> connection request. you mean spoofing attacks?
>
No no no :) Everything is fine. The above rule looks great.
> > > so you mean setting the rule for destination-ports and source-ports?
> > > the last commands are clear in this case, --ports ... but what about
> > > -A INPUT/OUTPUT and -i/-o eth0?
> > >
> > I only use ESTABLISHED,RELATED once for each chain and have it affect
> > all pkts. This way I only deny/allow NEW pkts, this works for both TCP
> > and UDP. It's not optimal and network tools like firehol should try to
> > avoid having to do it. Like this....
>
> anyway firehol doesn't allow to set user specific ports for service 'ftp',
> and therefore i have to open these ports manually.
>
?user specific? You mean 20 (ftp-data) and not just 21 (ftp)? Connection
tracking FTP should handle this, but only for your clients and not for any
servers you could be running.
Turn this on with a 'modprobe ip_conntrack_ftp' and if you're doing NAT
'modprobe ip_nat_ftp'. I add these into /etc/modules.
> > iptables -A INPUT -i $IFACE+ -m state --state\
> > ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i $IFACE+ -m state --state\
> > ESTABLISHED,RELATED -j ACCEPT
> > iptables -A OUTPUT -o $IFACE+ -m state --state\
> > ESTABLISHED,RELATED -j ACCEPT
>
> i need no forward, as this is a single server, but in general it looks
> very similar to my rules, only my input line still has new packages, as
> i'm still not convinced that i can reject them. what are they exactly
> meant for?
>
These are only for "ESTABLISHED,RELATED". I have many other rules that
deny/allow "NEW" pkts. This way I don't worry about adding
"ESTABLISHED,RELATED" twice for each client/server. See, for every NEW
used in OUTPUT you will need ESTABLISHED,RELATED for INPUT as well as
OUTPUT.
Also 'ip_conntrack_ftp' won't be used, since I'd never have a rule for the
ports it would open up; typically 'all' ports above 1024 would be expected
to be used for ftp-data and these would need to have ESTABLISHED,RELATED
rules. I thought since I was using ESTABLISHED,RELATED on more than 80%
of all the ports 1024 to 65535 it would be fine to use on the rest, 0 to
1023.
> > > about udp: does ftp sometimes use udp? is it wise to open udp as well
> > > for ftp connections?
> > >
> > UDP might/will be needed for, let's say, DNS, NTP, SNMP and a few others.
>
> > This is where tcpdump will be of most use, i.e. "tcpdump udp".
>
> so this means that i don't need to open udp ports for ftp ...
>
That depends, do you plan to use host names instead of IPs? If yes then
you will need to let DNS (udp) through, firehol might do this for you.
> bye
> jonas
>
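Added example, not part of the thread and not firehol's output: a POSIX shell script that generates the ruleset Mike describes (ESTABLISHED,RELATED accepted once per chain, INVALID dropped, and NEW connections allowed only by explicit rules), using the /31 and the multiport list Jonas posted plus port 21. The interface name, the outbound UDP ports for DNS/NTP, and the function names gen_rules and state_rule_first are assumptions made for the example. gen_rules prints the iptables commands rather than running them, so the set can be reviewed and checked before it is applied as root; state_rule_first checks the ordering that makes the "one ESTABLISHED,RELATED rule per chain" pattern safe, namely that the stateful accept precedes every NEW rule in that chain.

```shell
#!/bin/sh
# Added example (not from the thread): generate and sanity-check a minimal
# stateful iptables ruleset. Interface and ports below are assumed values.
FW_IFACE="${FW_IFACE:-eth0}"
FW_SERVER="${FW_SERVER:-62.75.128.98/31}"          # address from the thread
FW_TCP_PORTS="${FW_TCP_PORTS:-21,210,215,220,225,230}"  # thread's ports + ftp

# gen_rules prints the commands instead of executing them.
gen_rules() {
    cat <<EOF
# FTP helper (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on 2.4/2.6)
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback is always allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# stateful rules, once per chain; INVALID (no conntrack entry) is dropped
iptables -A INPUT -i $FW_IFACE -m state --state INVALID -j DROP
iptables -A INPUT -i $FW_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $FW_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# NEW is accepted only where a rule says so: the server's own services
iptables -A INPUT -i $FW_IFACE -p tcp -m state --state NEW -m multiport --dports $FW_TCP_PORTS -d $FW_SERVER -j ACCEPT
# NEW outbound from the server itself: DNS and NTP over UDP, DNS over TCP
iptables -A OUTPUT -o $FW_IFACE -p udp -m state --state NEW -m multiport --dports 53,123 -j ACCEPT
iptables -A OUTPUT -o $FW_IFACE -p tcp -m state --state NEW --dport 53 -j ACCEPT
EOF
}

# state_rule_first CHAIN: succeed (exit 0) if the ESTABLISHED,RELATED accept
# in CHAIN comes before the first rule that matches NEW, fail otherwise.
state_rule_first() {
    chain="$1"
    est=$(gen_rules | grep -n -- "-A $chain .*--state ESTABLISHED,RELATED" | head -1 | cut -d: -f1)
    new=$(gen_rules | grep -n -- "-A $chain .*--state NEW" | head -1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# Usage: ./fw.sh --print   (review)     ./fw.sh --apply   (as root)
case "${1:-}" in
    --print) gen_rules ;;
    --apply) state_rule_first INPUT && state_rule_first OUTPUT && gen_rules | sh ;;
esac
```

One caveat for readers applying this on a current kernel: since Linux 4.7 the conntrack helpers are no longer attached to connections automatically (net.netfilter.nf_conntrack_helper defaulted to 0, and the sysctl was removed in 6.0), so ftp-data will only be classified RELATED if a `-t raw ... -j CT --helper ftp` rule assigns the helper to port 21 traffic; without it the RELATED accept above does nothing for FTP.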