
Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 09/09/2004 Mike Mestnik wrote:
> > > iptables -A INPUT  -i eth0 -m state --state NEW \
> > > 		-m multiport --dports 210,215,220,225,230 \
> > > 		-p tcp -d 62.75.128.98/31 -j ACCEPT
> >
> > Does this work w/o ESTABLISHED,RELATED?
> > Maybe another rule is matching these pkts.
> 
> yes, it finally works.
> 
What?  I'm just curious as to what finally works?
I was hoping you would find the rule that was matching the pkts you were
not letting through?  -OR- If you had to change the above rule to do so?

> > You would think that NEW,ESTABLISHED,RELATED might match every pkt, this
> > might be bad.  This is not the case I'm sure.  For example you wouldn't
> > want to accept TCP data for a "logical connection" that we have not seen a
> > SYN(connection request) for.
> 
> so you suggest what? after you told me that ESTABLISHED and RELATED are
> also important for input, now the input rule is:
> 
I was trying to get an answer from someone who knows.  I'm sure the
netfilter ppl have thought of this and nothing need be done.

> iptables -A INPUT  -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
> 		-m multiport --dports 210,215,220,225,230 \
> 		-p tcp -d 62.75.128.98/31 -j ACCEPT
> 
> do you mean that I now accept tcp data for connections that have no
> connection request? you mean spoofing attacks?
> 
No no no :) Everything is fine.  The above rule looks great.

> > > so you mean setting the rule for destination-ports and source-ports?
> > > the last commands are clear in this case, --ports ... but what about -A
> > > INPUT/OUTPUT and -i/-o eth0?
> > > 
> > I only use ESTABLISHED,RELATED once for each chain and have it affect all
> > pkts.  This way I only deny/allow NEW pkts, this works for both TCP and
> > UDP.  It's not optimal and network tools like firehol should try to avoid
> > having to do it.  Like this....
> 
> anyway firehol doesn't allow setting user specific ports for service 'ftp',
> and therefore I have to open these ports manually.
> 
?user specific? You mean 20 (ftp-data) and not just 21 (ftp)?  Connection
tracking FTP should handle this, but only for your clients and not for any
servers you could be running.

Turn this on with a 'modprobe ip_conntrack_ftp' and if you're doing NAT
'modprobe ip_nat_ftp'.  I add these into /etc/modules.

> >         iptables -A INPUT -i $IFACE+ -m state --state\
> >                 ESTABLISHED,RELATED -j ACCEPT
> >         iptables -A FORWARD -i $IFACE+ -m state --state\
> >                 ESTABLISHED,RELATED -j ACCEPT
> >         iptables -A OUTPUT -o $IFACE+ -m state --state\
> >                 ESTABLISHED,RELATED -j ACCEPT
> 
> I need no forward, as this is a single server, but in general it looks
> very similar to my rules, only my input line still has new packages, as
> I'm still not convinced that I can reject them. what are they exactly
> meant for?
> 
These are only for "ESTABLISHED,RELATED".  I have many other rules that
deny/allow "NEW" pkts.  This way I don't worry about adding
"ESTABLISHED,RELATED" twice for each client/server.  See for every NEW
used in OUTPUT you will need ESTABLISHED,RELATED for INPUT as well as
OUTPUT.

Also 'ip_conntrack_ftp' won't be used, since I'd never have a rule for the
ports it would open up, typically 'all' ports above 1024 would be expected
to be used for ftp-data and these would need to have ESTABLISHED,RELATED
rules.  I thought since I was using ESTABLISHED,RELATED on more than 80%
of all the ports 1024 to 65535 it would be fine to use on the rest, 0 to
1023.

> > > about udp: does ftp sometimes use udp? is it wise to open udp as well
> > > for ftp connections?
> > > 
> > UDP might/will be needed for let's say DNS, NTP, SNMP and a few others.
> 
> > This is where tcpdump will be of most use, I.E. "tcpdump udp".
> 
> so this means that i don't need to open udp ports for ftp ...
> 
That depends, do you plan to use host names instead of IPs?  If yes then
you will need to let DNS(udp) through, firehol might do this for you.

> bye
>  jonas
> 

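The layout discussed in the thread (one ESTABLISHED,RELATED rule per chain, then NEW-only rules per service, with Jonas' multiport rule as the service rule), written out as an added example that is not from either poster. The address block and port list are the ones quoted above; the interface name and the DNS server address are assumptions, and the script only prints the commands unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example, not the thread's own rules. IPT defaults to a dry run that
# prints each iptables command; run with IPT=iptables as root to apply.
IPT=${IPT:-"echo iptables"}
IFACE=eth0                          # assumed interface (as in the thread)
SERVER_NET=62.75.128.98/31          # destination block from Jonas' rule
SERVICE_PORTS=210,215,220,225,230   # ports from Jonas' multiport rule
DNS_SERVER=192.0.2.53               # assumed resolver (documentation range)

build_ruleset() {
    # Default deny on a single server: only what is listed below gets in/out.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -F INPUT
    $IPT -F OUTPUT

    # Replies tracked by conntrack, accepted once per chain. Every NEW rule
    # below relies on these instead of repeating ESTABLISHED,RELATED itself.
    $IPT -A INPUT  -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound service ports: NEW only, so a TCP segment for a connection
    # netfilter never saw a SYN for is not admitted by this rule.
    $IPT -A INPUT -i "$IFACE" -p tcp -d "$SERVER_NET" \
        -m multiport --dports "$SERVICE_PORTS" -m state --state NEW -j ACCEPT

    # Outbound DNS over UDP so hostnames resolve; the answer comes back
    # through the OUTPUT/INPUT ESTABLISHED rules above.
    $IPT -A OUTPUT -o "$IFACE" -p udp -d "$DNS_SERVER" --dport 53 \
        -m state --state NEW -j ACCEPT
}

# Count emitted rules containing a pattern, so the structure can be checked
# in a dry run before touching a live firewall.
count_rules_with() {
    build_ruleset | grep -c "$1"
}

build_ruleset
```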