* [LARTC] Another newbyish question I'm afraid, -m state --state matters
From: Paul @ 2001-02-28 17:06 UTC
  To: lartc

<PRE>I'd like to be able to deny all new connections to a firewall, with the
exception of port 22 (sshd) and some ports I'd like to forward internally.

Now, there is this nice feature Rusty describes to do that:

iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

However, it seems I can't make a rule that uses the state AND a source/dest
port. E.g. the following won't work:

iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

Anyone? :)

Paul
-- 
Just patent your virus and sue the anti-virus companies for reverse
engineering it.
                  --- cne_pc@youknowwhattodo.yahoo.com, in response to Norton's
                      patent on "software updates"
</PRE>


From: Patrik @ 2001-02-28 18:37 UTC
  To: lartc

<PRE>Please post this on the netfilter mailing list instead of here, as this is an
iproute2 mailing list, not dedicated to iproute2.

See more info at http://netfilter.samba.org

use iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport ! 22 -j DROP

/Patrik

</PRE>


From: Arthur @ 2001-03-01 9:21 UTC
  To: lartc

<PRE>On Wed, 28 Feb 2001, Paul Wouters wrote:

> I'd like to be able to deny all new connections to a firewall, with the
> exception of port 22 (sshd) and some ports I'd like to forward internally.

> However, it seems I can't make a rule that is using the state
> AND a source/dest port in there. Eg the following won't work:
>
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> Anyone? :)
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 25 -m state --state NEW,INVALID -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

--sport and --dport need the -p tcp or -p udp flags to be set, as source and
destination ports may not make sense for certain protocols, most notably
ICMP.

Doei, Arthur.

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching
</PRE>

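As an added example that is not from the thread, a small POSIX shell lint for Arthur's point: iptables parses a rule left to right and only recognises --sport/--dport once -p tcp or -p udp has loaded the protocol match, so the script flags any port option that has no protocol before it, and counts how many of Paul's and Arthur's rules fail without touching a live firewall. The helper names lint_rule and lint_ruleset are mine.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight lint for rule lines.
# iptables rejects --sport/--dport as an "unknown option" unless -p tcp or
# -p udp appears earlier on the line; nothing here is applied to the kernel.

# lint_rule RULE: 0 if every port option is preceded by -p tcp|udp, else 1.
lint_rule() {
    proto=0 prev=
    for w in $1; do
        case "$w" in
            tcp|udp)
                if [ "$prev" = -p ] || [ "$prev" = --protocol ]; then proto=1; fi ;;
            --sport|--dport|--source-port|--destination-port)
                if [ "$proto" -eq 0 ]; then
                    echo "error: $w needs -p tcp or -p udp earlier on the line: $1"
                    return 1
                fi ;;
        esac
        prev=$w
    done
    echo "ok: $1"
}

# lint_ruleset: reads one rule per line on stdin, reports each rule on
# stderr and prints the number of rejected rules on stdout.
lint_ruleset() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        lint_rule "$line" >&2 || bad=$((bad + 1))
    done
    echo "$bad"
}

# The four rules Paul posted: two carry --dport without any -p.
PAUL_RULES='iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP'

# Arthur's corrected set: -p tcp precedes --dport on both port rules.
ARTHUR_RULES='iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 25 -m state --state NEW,INVALID -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP'

printf '%s\n' "$PAUL_RULES"   | lint_ruleset   # prints 2
printf '%s\n' "$ARTHUR_RULES" | lint_ruleset   # prints 0
```

Patrik's `--dport ! 22` form passes this lint but relies on intrapositioned negation, which current iptables releases deprecate in favour of `! --dport 22`.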
