* Restricting applications/protocols to use specific ports using iptables, is this possible
From: Elvir Kuric @ 2007-06-04 11:37 UTC (permalink / raw)
To: netfilter
Hi all,
I am interested in one thing: is it possible, using the iptables software,
to limit a particular application/protocol to use/bind to particular ports?
For example, I want to send all requests from my machine using ports I
specify, not random ones, or accept ping echo-reply on specific
ports.
Any idea or hint is welcome
Best wishes,
Elvir Kuric
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Marc Haber @ 2007-06-04 12:06 UTC (permalink / raw)
To: netfilter
On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
> I am interested in one thing: is it possible, using the iptables software,
> to limit a particular application/protocol to use/bind to particular ports?
Why do you want to do that?
> For example, I want to send all requests from my machine using ports I
> specify, not random ones,
Why?
> or accept ping echo-reply on specific ports.
Please get your facts straight. ICMP does not have ports.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Elvir Kuric @ 2007-06-04 12:39 UTC (permalink / raw)
To: Marc Haber; +Cc: netfilter
On 6/4/07, Marc Haber <mh+netfilter@zugschlus.de> wrote:
> On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
> > I am interested in one thing: is it possible, using the iptables software,
> > to limit a particular application/protocol to use/bind to particular ports?
>
> Why do you want to do that?
:) I want to control which ports are open in the output chain. Testing, exploring.
I know it is not important which ports are open in the output chain;
usually the output policy is set to accept.
>
> > For example, I want to send all requests from my machine using ports I
> > specify, not random ones,
>
> Why?
>
> > or accept ping echo-reply on specific ports.
>
> Please get your facts straight. ICMP does not have ports.
ICMP was just an example, the first on my mind at that moment :)
Regards
Elvir Kuric
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Gáspár Lajos @ 2007-06-04 14:18 UTC (permalink / raw)
To: Elvir Kuric; +Cc: netfilter
Elvir Kuric wrote:
> On 6/4/07, Marc Haber <mh+netfilter@zugschlus.de> wrote:
>> On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
>> > I am interested in one thing: is it possible, using the iptables software,
>> > to limit a particular application/protocol to use/bind to particular ports?
>>
I think this is application-specific and not netfilter-specific. You may only be
able to use the owner match.
But whether it is good for you ??? I do not know !!!! :D
You can DROP/REJECT packets that come from a disabled port/application,
but you cannot disable the bind function on a specific port for an
application.
>> Why do you want to do that?
>
> :) I want to control which ports are open in the output chain. Testing,
> exploring.
>
> I know it is not important which ports are open in the output chain;
> usually the output policy is set to accept.
>
AFAIK, this only has meaning in the lower range of ports... (0-1023)
>>
>> > For example, I want to send all requests from my machine using ports I
>> > specify, not random ones,
>>
>> Why?
>>
>> > or accept ping echo-reply on specific ports.
>>
>> Please get your facts straight. ICMP does not have ports.
>
> ICMP was just an example, the first on my mind at that moment :)
TCP, UDP... Many things to think about :D
Swifty
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: jwlargent @ 2007-06-05 16:00 UTC (permalink / raw)
To: Elvir Kuric; +Cc: Marc Haber, netfilter
Elvir Kuric wrote:
> On 6/4/07, Marc Haber <mh+netfilter@zugschlus.de> wrote:
>> On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
>> > I am interested in one thing: is it possible, using the iptables software,
>> > to limit a particular application/protocol to use/bind to particular ports?
>>
>> Why do you want to do that?
>
> :) I want to control which ports are open in the output chain. Testing,
> exploring.
>
> I know it is not important which ports are open in the output chain;
> usually the output policy is set to accept.
It is important to know what ports are open in the output chain. This
is exactly the attitude that helps the spread of Trojans and viruses.
You should only open the ports you need. For example, a user brings in
a Trojan that tries to infect other systems and connects back to a monitor
somewhere to let it know about the host it just took over. If you are
blocking the ports it uses to infect other systems, you limit the damage
it does. Now there is nothing that keeps it from using a port you have
open, say port 80 (http), but at least you have tried to limit your
exposure.
>
>>
>> > For example, I want to send all requests from my machine using
>> > ports I specify, not random ones,
>>
>> Why?
>>
>> > or accept ping echo-reply on specific ports.
>>
>> Please get your facts straight. ICMP does not have ports.
>
> ICMP was just an example, the first on my mind at that moment :)
--
Jeff Largent
System Administrator
Visual Lease Services Inc.
http://www.vlsmaps.com
(405) 379-5280
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Elvir Kuric @ 2007-06-05 17:00 UTC (permalink / raw)
To: jwlargent; +Cc: netfilter
Hi all, I realised that I did not ask the question in the right way in my
last mail to this list. I am trying to find some tool or whatever
else to open in the input and output chain only the ports I need, I mean to
control which ports are open.
In other words, to have evidence of which ports are open and why. Maybe
this is funny for more experienced users, but I asked this question
here because I thought that iptables can help / and maybe it can, but I
do not know that :).
Regards to all,
Elvir Kuric
* Re: Restricting applications/protocols to use specific ports using iptables, is this possible
From: Marc Haber @ 2007-06-05 17:42 UTC (permalink / raw)
To: netfilter
On Tue, Jun 05, 2007 at 07:00:31PM +0200, Elvir Kuric wrote:
> Hi all, I realised that I did not ask the question in the right way in my
> last mail to this list. I am trying to find some tool or whatever
> else to open in the input and output chain only the ports I need, I mean to
> control which ports are open.
> In other words, to have evidence of which ports are open and why. Maybe
> this is funny for more experienced users, but I asked this question
> here because I thought that iptables can help / and maybe it can, but I
> do not know that :).
Netfilter can help you here, but if I wanted to learn, I'd use tcpdump
and/or wireshark. An "ACCEPT and log" rule in iptables might help as
well.
Generally, the port from which a connection originates only
matters in exceptional cases.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
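The three suggestions made in this thread (Gáspár's owner match, Jeff's "only open the ports you need" OUTPUT policy, and Marc's "ACCEPT and log" rule) combined into one ruleset, as an added example; this is not code from the thread or from the netfilter project, and the backup uid 1001, the host 192.0.2.10 and the port lists are constructed assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): default-deny OUTPUT chain that opens
# only needed ports, pins one application to its port via the owner match,
# and logs accepted connections so there is a record of which ports are in
# use and why. Netfilter cannot stop a process from bind()ing a port; it can
# only drop what that process then sends. "apply" needs root; "dry-run" prints.
IPT="${IPT:-iptables}"

# Constructed assumptions: a backup job runs as uid 1001 and only needs SSH
# to 192.0.2.10 (by IP, so no DNS); the host itself needs DNS, NTP, HTTP(S).
BACKUP_UID=1001
BACKUP_HOST=192.0.2.10
ALLOWED_TCP="80 443"
ALLOWED_UDP="53 123"

apply_output_policy() {
    $IPT -F OUTPUT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections that were already allowed.
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ICMP has no ports: it is matched by type.
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Owner match: the backup uid may reach one host on tcp/22 and nothing else.
    $IPT -A OUTPUT -m owner --uid-owner "$BACKUP_UID" -p tcp \
        -d "$BACKUP_HOST" --dport 22 -m conntrack --ctstate NEW \
        -j LOG --log-prefix "OUT-ALLOW backup: "
    $IPT -A OUTPUT -m owner --uid-owner "$BACKUP_UID" -p tcp \
        -d "$BACKUP_HOST" --dport 22 -j ACCEPT
    $IPT -A OUTPUT -m owner --uid-owner "$BACKUP_UID" -j DROP
    # "ACCEPT and log": every new connection on a permitted port is recorded.
    for p in $ALLOWED_TCP; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW \
            -j LOG --log-prefix "OUT-ALLOW tcp/$p: "
        $IPT -A OUTPUT -p tcp --dport "$p" -j ACCEPT
    done
    for p in $ALLOWED_UDP; do
        $IPT -A OUTPUT -p udp --dport "$p" -j ACCEPT
    done
    # Anything else is logged (rate-limited) and then falls to the DROP policy.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
    # Policy last, so an existing session is not cut off while rules are loaded.
    $IPT -P OUTPUT DROP
}

case "${1:-}" in
    apply)   apply_output_policy ;;
    dry-run) IPT=echo; apply_output_policy ;;
esac
```

Dropped packets show up in the kernel log with the OUT-DROP prefix, which is the "evidence of which ports are open and why" the thread asks for.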