* Re: RE: INPUT and PORTS
From: plugthebox.net /dev/null @ 2006-11-01 15:26 UTC
To: bimal pandit; +Cc: netfilter
I want to thank you all for contributing.
I'm currently setting up a firewall and a web interface for it. My
strategy is to have:
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -d 10.2.2.115 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.2.2.115 -j ACCEPT
/sbin/iptables -A INPUT -s 10.2.2.115 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.2.2.116 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.2.2.116 -j ACCEPT
/sbin/iptables -A INPUT -s 10.2.2.116 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.2.2.117 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.2.2.117 -j ACCEPT
/sbin/iptables -A INPUT -s 10.2.2.117 -j ACCEPT
etc...
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A FORWARD -j DROP
Meaning, I want to accept the connections from these 3 IPs and drop all
the rest. Now I want to let those allowed IPs use only 3 ports for
INPUT and more than 30 ports for FORWARD (p2p and misc ports).
I can't use -m multiport for each FORWARD; there are more ports than
one FORWARD line can take.
I thought that by allowing the ports BEFORE the IPs, it would accept
only the ACCEPTed ports for the ACCEPTed IPs. Is that correct?
thanks,
Sincerely,
On Wed, 2006-11-01 at 14:57 +0000, bimal pandit wrote:
> Dear All,
>
>
> On Wed, 01 Nov 2006 anisha.chandrasekaran@wipro.com wrote :
> >
> >I would like to have a little clearer idea of what you need to do
> >exactly.
> >
> >That is, do you need to allow only ports 80 and 20 from the specified
> >IP?
> >In that case you can have
> >iptables -P FORWARD DROP
> >iptables -A FORWARD -p tcp -s 10.2.2.115 -m multiport --dports 80,22 -j ACCEPT
> >
> >The above rule will allow only port 80 and 22 requests from that IP. Is
> >this clear, or am I not answering what you are asking?
> >
> >
> > Regards,
> >
> >Anisha Chandrasekaran
> >
> >
> >
> >-----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org
> >[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> >plugthebox.net /dev/null
> >Sent: Wednesday, November 01, 2006 6:19 PM
> >To: netfilter
> >Subject: INPUT and PORTS
> >
> >Hello,
> >I want to do the following: accept incoming connections from 10.2.2.115 only,
> >restricted to ports 80,22
> >
> >is this correct?
> >
> >-P rules ...
> >-F rules ...
> >/sbin/iptables -A FORWARD -d 10.2.2.115 -j ACCEPT
> >/sbin/iptables -A FORWARD -s 10.2.2.115 -j ACCEPT
> >/sbin/iptables -A INPUT -s 10.2.2.115 -j ACCEPT
> >/sbin/iptables -A FORWARD -m multiport -p tcp --ports 80,22 -j ACCEPT
> >/sbin/iptables -A INPUT -m multiport -p tcp --ports 80,22 -j ACCEPT
> >
> >Even though I saw this setup in many tutorials/howtos, whenever I want
> >to block 10.2.2.115 (by not listing it in the INPUT -j ACCEPT), that IP
> >can still connect to ports 80 and 22.
> >
> >
> >
> >Thanks
> >Sincerely,
> >
> >
> In my view, since you have already accepted all the connections from
> 10.2.2.115, there is no question of blocking it, as iptables works on
> "FIRST MATCH FOUND".
>
> regards,
>
> Bimal Pandit
>
>
>
>
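The "FIRST MATCH FOUND" point above, shown as an added example that is not part of the thread: a few lines of POSIX sh that model netfilter's rule evaluation over constructed packets (the rule-line format, the port 25 probe and the 192.0.2.9 address are this example's own inventions) and show why the two separate ACCEPT rules in the original post behave as "this source OR these ports" rather than "this source AND these ports". Nothing here touches the kernel, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread): a tiny model of netfilter's first-match
# evaluation. A rule is "<src|any> <proto|any> <dport|any> <target>", one per
# line; the first rule whose fields all match decides the packet, and when no
# rule matches the chain policy decides.

evaluate() {   # usage: evaluate RULES POLICY SRC PROTO DPORT  -> prints verdict
  rules=$1 policy=$2 src=$3 proto=$4 dport=$5
  verdict=$(printf '%s\n' "$rules" | while read -r r_src r_proto r_dport r_target; do
    [ -n "$r_target" ] || continue                       # skip blank lines
    [ "$r_src" = any ]   || [ "$r_src" = "$src" ]     || continue
    [ "$r_proto" = any ] || [ "$r_proto" = "$proto" ] || continue
    [ "$r_dport" = any ] || [ "$r_dport" = "$dport" ] || continue
    echo "$r_target"; break                              # first match wins
  done)
  echo "${verdict:-$policy}"                             # nothing matched: policy
}

# What the original post does: accept everything from the host, then
# (separately) accept the ports. Each rule is complete on its own, so the
# effect is OR, not AND.
OP_RULES='10.2.2.115 any any ACCEPT
any tcp 80 ACCEPT
any tcp 22 ACCEPT'

# Source and port carried by the same rule: a packet must satisfy both.
COMBINED_RULES='10.2.2.115 tcp 80 ACCEPT
10.2.2.115 tcp 22 ACCEPT'

# Constructed packets: allowed host/allowed port, allowed host/other port,
# and an unlisted host (192.0.2.9 is a documentation address) hitting port 80.
for pkt in "10.2.2.115 tcp 80" "10.2.2.115 tcp 25" "192.0.2.9 tcp 80"; do
  set -- $pkt
  printf '%-20s separate rules: %-6s  combined rule: %s\n' "$pkt" \
    "$(evaluate "$OP_RULES" DROP "$1" "$2" "$3")" \
    "$(evaluate "$COMBINED_RULES" DROP "$1" "$2" "$3")"
done
```

With the separate rules every packet in the list is accepted, including port 25 from the listed host and port 80 from the unlisted one, which is exactly the symptom described in the first post. Only the rule that carries both the source and the port match gives the intended result, which is what the `-s 10.2.2.115 -m multiport --dports 80,22` rule quoted earlier does.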
* Re: RE: INPUT and PORTS
From: Wakko Warner @ 2006-11-01 17:40 UTC
To: plugthebox.net /dev/null; +Cc: netfilter
plugthebox.net /dev/null wrote:
> I want to thank you all for contributing.
>
> I'm currently setting up a firewall and a web interface for it. My
> strategy is to have:
>
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -A FORWARD -d 10.2.2.115 -j ACCEPT
> /sbin/iptables -A FORWARD -s 10.2.2.115 -j ACCEPT
> /sbin/iptables -A INPUT -s 10.2.2.115 -j ACCEPT
> /sbin/iptables -A FORWARD -d 10.2.2.116 -j ACCEPT
> /sbin/iptables -A FORWARD -s 10.2.2.116 -j ACCEPT
> /sbin/iptables -A INPUT -s 10.2.2.116 -j ACCEPT
> /sbin/iptables -A FORWARD -d 10.2.2.117 -j ACCEPT
> /sbin/iptables -A FORWARD -s 10.2.2.117 -j ACCEPT
> /sbin/iptables -A INPUT -s 10.2.2.117 -j ACCEPT
> etc...
> /sbin/iptables -A INPUT -j DROP
> /sbin/iptables -A FORWARD -j DROP
>
> Meaning, I want to accept the connections from these 3 IPs and drop all
> the rest. Now I want to let those allowed IPs use only 3 ports for
> INPUT and more than 30 ports for FORWARD (p2p and misc ports).
>
> I can't use -m multiport for each FORWARD; there are more ports than
> one FORWARD line can take.
>
> I thought that by allowing the ports BEFORE the IPs, it would accept
> only the ACCEPTed ports for the ACCEPTed IPs. Is that correct?
If I understand what you are wanting correctly, something I'm currently
doing may be what you want.
If you want to only allow specific IPs to connect to specific ports, you
might want to try this:
create 2 chains: ip and port (or whatever you want to name them).
iptables -N ip
iptables -N port
iptables -A INPUT -j ip
iptables -A FORWARD -j ip
in ip:
iptables -A ip -j port -s 10.2.2.115
iptables -A ip -j port -d 10.2.2.115
...
in port:
iptables -A port -j ACCEPT -p tcp --dport 80
iptables -A port -j ACCEPT -p tcp --dport 22
...
Since you already have the policy set to drop, there's probably no reason to add
DROP rules to INPUT and FORWARD.
If you want to allow more IPs, just add them to the ip chain. If you want to
allow the current list of IPs to access different ports, just add that port
to the port chain.
--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
* RE: RE: INPUT and PORTS
From: anisha.chandrasekaran @ 2006-11-02 3:23 UTC
To: devnull, bimal_pandit; +Cc: netfilter
I don't know much about this, but I can help with what I know.
If the 30 ports are consecutive numbers, you could specify them as a
range, say, 10-30.
However, if the ports are scattered and varied numbers, then you
can create a user-defined chain which accepts all the port numbers (use
the multiport option). Then specify this chain as the target when you add a rule
to the FORWARD chain. Thereafter you need to specify that list of ports just
once in the user-defined chain.
I think this may be helpful, but I am not sure if it will satisfy your
requirement.
Regards,
Anisha Chandrasekaran
-----Original Message-----
From: plugthebox.net /dev/null [mailto:devnull@plugthebox.net]
Sent: Wednesday, November 01, 2006 8:57 PM
To: bimal pandit
Cc: netfilter@lists.netfilter.org; Anisha Chandrasekaran (WT01 -
Broadband Networks)
Subject: Re: RE: INPUT and PORTS
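Putting Wakko Warner's two-chain layout together with the advice above to list the ports once in a user-defined chain, as an added example that is not code from the thread: a POSIX sh script that prints an iptables-restore ruleset instead of applying it, so it can be reviewed, or fed to `iptables-restore --test`, without root. The three addresses come from the thread; the port lists, the chain names input_ports and forward_ports, and the conntrack rules are this example's own assumptions. It also deals with the limit the original poster ran into: the multiport match takes at most 15 ports per rule, a range such as 6881:6889 counting as two, so a longer list is split across several rules in the same chain.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset in
# which only listed source addresses reach only listed destination ports.
# Addresses are the ones from the thread; port lists are constructed.

ALLOWED_IPS="10.2.2.115 10.2.2.116 10.2.2.117"
INPUT_PORTS="22 80 443"                       # assumed: the 3 ports for the firewall itself
FORWARD_PORTS="80 443 1194 3389 5222 5223 6667 6697 8000 8080 8443 6881:6889 51413 4662 4672 27015:27030"

emit() { printf '%s\n' "$*"; }               # one ruleset line per call

# Emit "-A CHAIN -p PROTO -m multiport --dports ... -j ACCEPT" rules, never
# putting more than 15 port slots in one rule (a range a:b costs two slots),
# which is the documented limit of the multiport match.
multiport_rules() {
  chain=$1; proto=$2; shift 2
  list=""; slots=0
  for p in "$@"; do
    case $p in *:*) cost=2 ;; *) cost=1 ;; esac
    if [ $((slots + cost)) -gt 15 ]; then
      emit -A "$chain" -p "$proto" -m multiport --dports "$list" -j ACCEPT
      list=""; slots=0
    fi
    list="${list:+$list,}$p"; slots=$((slots + cost))
  done
  [ -n "$list" ] && emit -A "$chain" -p "$proto" -m multiport --dports "$list" -j ACCEPT
  return 0
}

build_ruleset() {
  emit '*filter'
  emit ':INPUT DROP [0:0]'                   # policy: anything not accepted below is dropped
  emit ':FORWARD DROP [0:0]'
  emit ':OUTPUT ACCEPT [0:0]'
  emit ':input_ports - [0:0]'                # user-defined chains, ports listed once each
  emit ':forward_ports - [0:0]'
  emit -A INPUT -i lo -j ACCEPT
  emit -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  emit -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # A listed source jumps into its port chain; if no port rule matches, the
  # packet returns here, finds nothing further and falls to the DROP policy.
  for ip in $ALLOWED_IPS; do
    emit -A INPUT -s "$ip" -j input_ports
    emit -A FORWARD -s "$ip" -j forward_ports
  done
  multiport_rules input_ports tcp $INPUT_PORTS
  multiport_rules forward_ports tcp $FORWARD_PORTS
  multiport_rules forward_ports udp $FORWARD_PORTS
  emit COMMIT
}

build_ruleset
```

The jump-and-return behaviour of a user-defined chain is what produces "this source AND these ports": the source is tested in INPUT or FORWARD, the port in the chain it jumps to, and a packet that fails either test ends up at the DROP policy. Reply traffic is admitted by the conntrack rule, so the FORWARD side needs only the `-s` rules, not a matching `-d` rule per address. A new address is one more jump rule; a new port is one more entry in the relevant list.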