* [LARTC] Another newbyish question I'm afraid, -m state --state matters
@ 2001-02-28 17:06 Paul
2001-02-28 18:37 ` Patrik
2001-03-01 9:21 ` [LARTC] Another newbyish question I'm afraid, -m state --state Arthur
0 siblings, 2 replies; 3+ messages in thread
From: Paul @ 2001-02-28 17:06 UTC (permalink / raw)
To: lartc
<PRE>I'd like to be able to deny all new connections to a firewall, with the
exception of port 22 (sshd) and some ports I'd like to forward internally.
Now, there is this nice feature Rusty describes to do that:
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
However, it seems I can't make a rule that is using the state AND a source/dest
port in there. Eg the following won't work:
iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
Anyone? :)
Paul
--
Just patent your virus and sue the anti-virus companies for reverse
enineering it.
--- <A HREF="mailto:cne_pc@youknowwhattodo.yahoo.com">cne_pc@youknowwhattodo.yahoo.com</A>, in response to Norton's
patent on "software updates"
</PRE>
^ permalink raw reply [flat|nested] 3+ messages in thread* [LARTC] Another newbyish question I'm afraid, -m state --state matters
2001-02-28 17:06 [LARTC] Another newbyish question I'm afraid, -m state --state matters Paul
@ 2001-02-28 18:37 ` Patrik
2001-03-01 9:21 ` [LARTC] Another newbyish question I'm afraid, -m state --state Arthur
1 sibling, 0 replies; 3+ messages in thread
From: Patrik @ 2001-02-28 18:37 UTC (permalink / raw)
To: lartc
<PRE>Please post this on the netfilter mailinglist instead of here as this is an
iproute2-mailinglist, not dedicated to iproute2.
See more info at <A HREF="http://netfilter.samba.org">http://netfilter.samba.org</A>
use iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport ! 22 -j
DROP
/Patrik
-----Original Message-----
From: <A HREF="mailto:lartc-admin@mailman.ds9a.nl">lartc-admin@mailman.ds9a.nl</A> [mailto:<A HREF="mailto:lartc-admin@mailman.ds9a.nl">lartc-admin@mailman.ds9a.nl</A>]On
Behalf Of Paul Wouters
Sent: den 28 februari 2001 18:07
To: <A HREF="mailto:lartc@mailman.ds9a.nl">lartc@mailman.ds9a.nl</A>
Subject: [LARTC] Another newbyish question I'm afraid, -m state --state
matters
I'd like to be able to deny all new connections to a firewall, with the
exception of port 22 (sshd) and some ports I'd like to forward internally.
Now, there is this nice feature Rusty describes to do that:
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
However, it seems I can't make a rule that is using the state AND a
source/dest
port in there. Eg the following won't work:
iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j
ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
Anyone? :)
Paul
--
Just patent your virus and sue the anti-virus companies for reverse
enineering it.
--- <A HREF="mailto:cne_pc@youknowwhattodo.yahoo.com">cne_pc@youknowwhattodo.yahoo.com</A>, in response to
Norton's
patent on "software updates"
_______________________________________________
LARTC mailing list / <A HREF="mailto:LARTC@mailman.ds9a.nl">LARTC@mailman.ds9a.nl</A>
<A HREF="http://mailman.ds9a.nl/mailman/listinfo/lartc">http://mailman.ds9a.nl/mailman/listinfo/lartc</A> HOWTO:
<A HREF="http://ds9a.nl/2.4Routing/">http://ds9a.nl/2.4Routing/</A>
</PRE>
^ permalink raw reply [flat|nested] 3+ messages in thread* [LARTC] Another newbyish question I'm afraid, -m state --state
2001-02-28 17:06 [LARTC] Another newbyish question I'm afraid, -m state --state matters Paul
2001-02-28 18:37 ` Patrik
@ 2001-03-01 9:21 ` Arthur
1 sibling, 0 replies; 3+ messages in thread
From: Arthur @ 2001-03-01 9:21 UTC (permalink / raw)
To: lartc
<PRE>On Wed, 28 Feb 2001, Paul Wouters wrote:
><i> I'd like to be able to deny all new connections to a firewall, with the
</I>><i> exception of port 22 (sshd) and some ports I'd like to forward internally.
</I>
><i> However, it seems I can't make a rule that is using the state
</I>><i> AND a source/dest port in there. Eg the following won't work:
</I>><i>
</I>><i> iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
</I>><i> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
</I>><i> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
</I>><i> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
</I>><i>
</I>><i> Anyone? :)
</I>
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 25 -m state --state NEW,INVALID -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
--sport and --dport need the -p tcp or -p udp flags to be set, as source and
destination ports may not make sense for certain protocols, most notably
ICMP.
Doei, Arthur.
--
/\ / | <A HREF="mailto:arthurvl@sci.kun.nl">arthurvl@sci.kun.nl</A> | Work like you don't need the money
/__\ / | A friend is someone with whom | Love like you have never been hurt
/ \/__ | you can dare to be yourself | Dance like there's nobody watching
</PRE>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2001-03-01 9:21 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2001-02-28 17:06 [LARTC] Another newbyish question I'm afraid, -m state --state matters Paul
2001-02-28 18:37 ` Patrik
2001-03-01 9:21 ` [LARTC] Another newbyish question I'm afraid, -m state --state Arthur
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.