* Restricting applications/protocols to use specific ports using iptables, is this possible
From: Elvir Kuric @ 2007-06-04 11:37 UTC
To: netfilter

Hi all,

I am interested in one thing: is it possible, using the iptables software, to limit a particular application/protocol to use/bind to particular ports? For example, I want to send all requests from my machine using ports I specify, not random ones, or accept ping echo-reply on specific ports.

Any idea or hint is welcome.

Best wishes,
Elvir Kuric
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Marc Haber @ 2007-06-04 12:06 UTC
To: netfilter

On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
> I am interested in one thing, is possible using iptables software
> limit particular application/protocol to use/bind to particular ports.

Why do you want to do that?

> For example I want to send all requests from my machine using ports I
> specify, not random ones,

Why?

> or accept ping echo-reply on specific ports.

Please get your facts straight. ICMP does not have ports.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Elvir Kuric @ 2007-06-04 12:39 UTC
To: Marc Haber; +Cc: netfilter

On 6/4/07, Marc Haber <mh+netfilter@zugschlus.de> wrote:
> On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
> > I am interested in one thing, is possible using iptables software
> > limit particular application/protocol to use/bind to particular ports.
>
> Why do you want to do that?

:) I want to control which ports are open in the output chain. Testing, exploring.

I know it is not important which ports are open in the output chain, usually putting the output policy to accept.

> > For example I want to send all requests from my machine using ports I
> > specify, not random ones,
>
> Why?
>
> > or accept ping echo-reply on specific ports.
>
> Please get your facts straight. ICMP does not have ports.

ICMP was just an example, the first on my mind in that moment :)

Regards
Elvir Kuric
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Gáspár Lajos @ 2007-06-04 14:18 UTC
To: Elvir Kuric; +Cc: netfilter

Elvir Kuric wrote:
> On 6/4/07, Marc Haber <mh+netfilter@zugschlus.de> wrote:
>> On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
>> > I am interested in one thing, is possible using iptables software
>> > limit particular application/protocol to use/bind to particular ports.

I think this is application and not netfilter specific. You may only be able to use the owner match. But if it is good for you ??? I do not know !!!! :D

You can DROP/REJECT packets that came from a disabled port/application, but you can not disable the bind function on a specific port to an application.

>> Why do you want to do that?
>
> :) I want to control which ports are open in output chain. Testing,
> exploring.
>
> I know it is not important which ports are open in output chain,
> usually putting output policy to accept.

AFAIK, this has only meaning in the lower range of ports... (0-1023)

>> > For example I want to send all requests from my machine using ports I
>> > specify, not random ones,
>>
>> Why?
>>
>> > or accept ping echo-reply on specific ports.
>>
>> Please get your facts straight. ICMP does not have ports.
>
> ICMP was just example, first on my mind in that moment :)

TCP, UDP... Many things to think about :D

Swifty
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: jwlargent @ 2007-06-05 16:00 UTC
To: Elvir Kuric; +Cc: Marc Haber, netfilter

Elvir Kuric wrote:
> On 6/4/07, Marc Haber <mh+netfilter@zugschlus.de> wrote:
>> On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
>> > I am interested in one thing, is possible using iptables software
>> > limit particular application/protocol to use/bind to particular ports.
>>
>> Why do you want to do that?
>
> :) I want to control which ports are open in output chain. Testing,
> exploring.
>
> I know it is not important which ports are open in output chain,
> usually putting output policy to accept.

It is important to know what ports are open in the output chain. This is exactly the attitude that helps the spread of Trojans and viruses. You should only open the ports you need. For example, a user brings in a Trojan that tries to infect other systems and connects back to a monitor somewhere to let it know about the host it just took over. If you are blocking the ports it uses to infect other systems, you limit the damage it does. Now there is nothing that keeps it from using a port you have open, say port 80 (http), but at least you have tried to limit your exposure.

>> > For example I want to send all requests from my machine using ports I
>> > specify, not random ones,
>>
>> Why?
>>
>> > or accept ping echo-reply on specific ports.
>>
>> Please get your facts straight. ICMP does not have ports.
>
> ICMC was just example, first on my mind in that moment :)
>
> Regards
>
> Elvir Kuric

-- 
Jeff Largent
System Administrator
Visual Lease Services Inc.
http://www.vlsmaps.com
(405) 379-5280
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Elvir Kuric @ 2007-06-05 17:00 UTC
To: jwlargent; +Cc: netfilter

Hi all,

I realised that I did not ask the question in the right way in my last mail to this list. I am trying to find out some tool or whatever else to open in the input and output chain only the ports I need, I mean to control which ports are open. In other words, to have evidence of which ports are open and why. Maybe this is funny for more experienced users, but I asked this question here because I thought that iptables can help / and maybe it can, but I do not know that :).

Regards to all,
Elvir Kuric

On 6/5/07, jwlargent <jwlargent@vlsmaps.com> wrote:
> Elvir Kuric wrote:
> > On 6/4/07, Marc Haber <mh+netfilter@zugschlus.de> wrote:
> >> On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
> >> > I am interested in one thing, is possible using iptables software
> >> > limit particular application/protocol to use/bind to particular ports.
> >>
> >> Why do you want to do that?
> >
> > :) I want to control which ports are open in output chain. Testing,
> > exploring.
> >
> > I know it is not important which ports are open in output chain,
> > usually putting output policy to accept.
>
> It is important to know what ports are open in the output chain. This
> is exactly the attitude that helps the spread of Trojans and Viruses.
> You should only open ports you need, for example a user brings in
> a Trojan that tries to infect other systems and connects back to a monitor
> somewhere to let it know about the host it just took over. If you are
> blocking the ports it uses to infect other systems you limit the damage
> it does. Now there is nothing that keeps it from using a port you have
> open, say port 80 http., but at least you have tried to limit your
> exposure.
>
> >> > For example I want to send all requests from my machine using ports I
> >> > specify, not random ones,
> >>
> >> Why?
> >>
> >> > or accept ping echo-reply on specific ports.
> >>
> >> Please get your facts straight. ICMP does not have ports.
> >
> > ICMP was just example, first on my mind in that moment :)
> >
> > Regards
> >
> > Elvir Kuric
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Marc Haber @ 2007-06-05 17:42 UTC
To: netfilter

On Tue, Jun 05, 2007 at 07:00:31PM +0200, Elvir Kuric wrote:
> Hi all, I realised that I did not ask question on right way in my
> last mail to this list. I am trying to find out some tool or whatever
> else to open in input and output chain only ports I need, I mean to
> control which ports are open.
> In other words to have evidence which ports are open and why. Maybe
> this is funny for more experience users, but I asked this question
> here because I thought that iptables can help / and maybe can, but I
> do not know that :).

Netfilter can help you here, but if I wanted to learn, I'd use tcpdump and/or wireshark. An "ACCEPT and log" rule in iptables might help as well.

Generally, the port from which a connection originates only matters in exceptional cases.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
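One way to turn Marc's "ACCEPT and log" suggestion, together with the owner match Gáspár mentions, into the "evidence of which ports are open and why" Elvir asks for. This is an added example, not code from the thread: it assumes OUTPUT-chain rules that end in `-j LOG --log-prefix "OUT-ACCEPT " --log-uid` (or `"OUT-DROP "`) before the matching ACCEPT/DROP, so that each kernel log line carries `UID=`, and it parses constructed log lines rather than a real syslog.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the LOG target writes when the rule
# uses --log-prefix and --log-uid (assumed rule set, not from the thread).
# A non-netfilter line is included on purpose so the parser must skip it.
SAMPLE_LOG = """\
Jun  5 17:42:01 host kernel: OUT-ACCEPT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jun  5 17:42:02 host kernel: OUT-ACCEPT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=43211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jun  5 17:42:03 host kernel: OUT-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=43212 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jun  5 17:42:04 host kernel: OUT-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=UDP SPT=5353 DPT=53 LEN=28 UID=0 GID=0
Jun  5 17:42:05 host sshd[812]: Accepted publickey for elvir from 192.0.2.20 port 51234 ssh2
"""

# Prefix, protocol, source/destination port and (if --log-uid was set) UID.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>OUT-(?:ACCEPT|DROP)) .*?"
    r"PROTO=(?P<proto>\w+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
    r"(?:.*? UID=(?P<uid>\d+))?"
)


def parse_log_line(line):
    """Return a record for a netfilter LOG line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "verdict": d["prefix"].split("-", 1)[1],  # "ACCEPT" or "DROP"
        "proto": d["proto"],
        "sport": int(d["spt"]),
        "dport": int(d["dpt"]),
        "uid": int(d["uid"]) if d["uid"] is not None else None,  # None: rule lacked --log-uid
    }


def summarize(log_text):
    """Count packets per (verdict, proto, dport, uid): which ports the policy
    let out, for which local user, and which it refused."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec:
            counts[(rec["verdict"], rec["proto"], rec["dport"], rec["uid"])] += 1
    return counts


def dropped_ports(log_text):
    """Sorted destination ports the policy refused; the list to review before
    deciding whether a port really needs opening."""
    return sorted({key[2] for key in summarize(log_text) if key[0] == "DROP"})
```

Source ports (SPT=) are kept in each record but deliberately not part of the summary key, which matches Marc's point that the originating port rarely matters.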