iptables + RELATED

iptables + RELATED

[Peter Marshall]

Hi, My name is Peter Marshall.  I am having some problems letting ftp
through my firewall without opening all of the ports.  I was trying to get
RELATED to work, but for some reason it will not.  Here is an example of
what my file looks like

$TABLENAME -A FORWARD -d x.x.x.x -o eth2 -j mychain

$TABLENAME -A mychain -m state --state ESTABLISHED,RELATED -j ACCEPT
$TABLENAME -A mychain -j DROP

I don't think I need the ESTABLISHED, but I put it in anyways.

If anyone could help it would be greatly appriciated.

Thanks


Peter Marshall

iptables related

[Jeffrin]

hello all,

iptables -A INPUT -sport 80 -j ACCEPT

shows error ...

 msservices:~# iptables -A INPUT --sport 80 -j ACCEPT
iptables v1.2.9: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.

please help me ...

Re: iptables related

[Antony Stone]

On Monday 08 December 2003 7:19 pm, Jeffrin wrote:

> hello all,
>
> iptables -A INPUT -sport 80 -j ACCEPT
>
> shows error ...
>
>  msservices:~# iptables -A INPUT --sport 80 -j ACCEPT
> iptables v1.2.9: Unknown arg `--sport'
> Try `iptables -h' or 'iptables --help' for more information.
>
> please help me ...

You must specify whether you're talking about a TCP source port, or a UDP one.

iptables -A INPUT -p tcp --sport 80 -j ACCEPT
or
iptables -A INPUT -p udp --sport 80 -j ACCEPT

will work.

Antony.

-- 
"The joy of X!!??  I've always hated compiling graphical shite.  You have a 10 
line program, and it ends up depending on the entire known universe."

 - Philip Hands

                                                     Please reply to the list;
                                                           please don't CC me.

Re: iptables related

[Ralf Spenneberg]

Am Mon, 2003-12-08 um 20.19 schrieb Jeffrin:
> hello all,
> 
> iptables -A INPUT -sport 80 -j ACCEPT
> 
> shows error ...
> 
>  msservices:~# iptables -A INPUT --sport 80 -j ACCEPT
> iptables v1.2.9: Unknown arg `--sport'
You need to specify the protocol: -p tcp or -p udp

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org

Re: iptables related

[Jeffrey Laramie]

On Monday 08 December 2003 14:19, Jeffrin wrote:
> hello all,
>
> iptables -A INPUT -sport 80 -j ACCEPT
>
> shows error ...
>
>  msservices:~# iptables -A INPUT --sport 80 -j ACCEPT
> iptables v1.2.9: Unknown arg `--sport'
> Try `iptables -h' or 'iptables --help' for more information.
>
> please help me ...

There are 2 dashes before sport:  --sport 80

Jeff

Re: iptables related

[William Stearns]

Good afternoon, Jeffrin,

On Tue, 9 Dec 2003, Jeffrin wrote:

> hello all,
> 
> iptables -A INPUT -sport 80 -j ACCEPT
> 
> shows error ...
> 
>  msservices:~# iptables -A INPUT --sport 80 -j ACCEPT
> iptables v1.2.9: Unknown arg `--sport'
> Try `iptables -h' or 'iptables --help' for more information.
> 
> please help me ...

	You haven't specified which protocol.  Unlike some firewall types 
that interpret your request as "please match tcp source port 80 or udp 
source port 80", iptables requires you to specify which protocol, and make 
two seperate rules if you want to match tcp or udp.
	Since I assume you're looking to match _tcp_ port 80, try the 
following:

iptables -A INPUT -p tcp -sport 80 -j ACCEPT

	By the way, this will allow someone to portscan your systems as 
long as they're using a source port of 80.  I'd suggest you look into 
using the "state" module to remember outgoing connections, and then allow 
incoming tcp source port 80 traffic _if_ it's part of an extablished 
connection.
	Cheers,
	- Bill

---------------------------------------------------------------------------
	Having Microsoft give us advice on open standards is like W.C. Fields 
giving moral advice to the Mormon Tabernacle Choir
	-- Scott McNealy, Sun Microsystems Inc.
(Courtesy of Michael Remski <mremski@ix.netcom.com>)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
Linux articles at:                         http://www.opensourcedigest.com
--------------------------------------------------------------------------

Re: iptables related

[Michael Gale]

You need to specify a protocol if you want to specify ports.

For example: 

iptables -A INPUT -p tcp --sport 80 -j ACCEPT

Michael


On Tue, 9 Dec 2003 00:49:47 +0530
Jeffrin <jeffrin@gamebox.net> wrote:

> hello all,
> 
> iptables -A INPUT -sport 80 -j ACCEPT
> 
> shows error ...
> 
>  msservices:~# iptables -A INPUT --sport 80 -j ACCEPT
> iptables v1.2.9: Unknown arg `--sport'
> Try `iptables -h' or 'iptables --help' for more information.
> 
> please help me ...
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation

Re: iptables related

[Antony Stone]

On Monday 08 December 2003 7:35 pm, Jeffrey Laramie wrote:

> On Monday 08 December 2003 14:19, Jeffrin wrote:
> > hello all,
> >
> > iptables -A INPUT -sport 80 -j ACCEPT
> >
> > shows error ...
> >
> >  msservices:~# iptables -A INPUT --sport 80 -j ACCEPT
> > iptables v1.2.9: Unknown arg `--sport'
> > Try `iptables -h' or 'iptables --help' for more information.
> >
> > please help me ...
>
> There are 2 dashes before sport:  --sport 80

2 dashes and a protocol :)

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

                                                     Please reply to the list;
                                                           please don't CC me.

Re: iptables related

[Jeffrin]

hello ,

iptables -P INPUT DROP
iptables -A INPUT -p tcp --sport 80 -j ACCEPT

Iam not able to ping. why ?

Re: iptables related

[Jeffrey Laramie]

On Monday 08 December 2003 14:42, Antony Stone wrote:
> On Monday 08 December 2003 7:35 pm, Jeffrey Laramie wrote:
> > On Monday 08 December 2003 14:19, Jeffrin wrote:
> > > hello all,
> > >
> > > iptables -A INPUT -sport 80 -j ACCEPT
> > >
> > > shows error ...
> > >
> > >  msservices:~# iptables -A INPUT --sport 80 -j ACCEPT
> > > iptables v1.2.9: Unknown arg `--sport'
> > > Try `iptables -h' or 'iptables --help' for more information.
> > >
> > > please help me ...
> >
> > There are 2 dashes before sport:  --sport 80
>
> 2 dashes and a protocol :)
>
> Antony.

I always look for the simple mistakes first cause those are the ones I always 
make!

I think we may have set a record for the largest number of different 
responders to a single post.

Jeff

RE: iptables related

[Daniel Chemko]

Wow! This must be a record!

8 Responses to the same question, and ALL of them are right!!!

-----Original Message-----
From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk] 
Sent: Monday, December 08, 2003 11:42 AM
To: netfilter@lists.netfilter.org
Subject: Re: iptables related


On Monday 08 December 2003 7:35 pm, Jeffrey Laramie wrote:

> On Monday 08 December 2003 14:19, Jeffrin wrote:
> > hello all,
> >
> > iptables -A INPUT -sport 80 -j ACCEPT
> >
> > shows error ...
> >
> >  msservices:~# iptables -A INPUT --sport 80 -j ACCEPT iptables 
> > v1.2.9: Unknown arg `--sport' Try `iptables -h' or 'iptables --help'

> > for more information.
> >
> > please help me ...
>
> There are 2 dashes before sport:  --sport 80

2 dashes and a protocol :)

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

                                                     Please reply to the
list;
                                                           please don't
CC me.

Re: iptables related

[Jeffrin]

Iam not even able to browse related to internet.

RE: iptables related

[Daniel Chemko]

Because ping is a PROTOCOL called ICMP. It has two different packet
types, ICMP type 0 and 8.

0 == Reply
8 == Request

Hence, if you want to ping the system, you should add the ability for
those protocols to be accepted.

iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

Please do SOME research before asking such elementary questions on a
tools list. This is not a networking newbie list (although there really
should be one somewhere). This is for netfilter related material, but
what you seem to lack is a general misunderstanding of networks.

Arr. I've gotten a lot more impatient with ppl ever since I got a junior
admin... Sorry man, I know you're just learning and all.

-----Original Message-----
From: Jeffrin [mailto:jeffrin@gamebox.net] 
Sent: Monday, December 08, 2003 11:45 AM
To: Antony Stone
Cc: netfilter@lists.netfilter.org
Subject: Re: iptables related


hello ,

iptables -P INPUT DROP
iptables -A INPUT -p tcp --sport 80 -j ACCEPT

Iam not able to ping. why ?

Re: iptables related

[Jeffrey Laramie]

On Monday 08 December 2003 15:12, Jeffrin wrote:
> Iam not even able to browse related to internet.

You should do a few things to help solve your problem:

1. Tell us, or even better, show us what your configutation looks like. We can 
give better advice if we know what you're trying to do.

2. Try the advice that's given, then show us your rules and tell us what 
happened when you tested them.

3. Read the tutorials and study the examples. Iptables is very well 
documented.

Jeff

Re: iptables related

[Renato Carvalho]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Je > hello ,
Je > Iam not able to ping. why ?
Je > iptables -P INPUT DROP
Je > iptables -A INPUT -p tcp --sport 80 -j ACCEPT

You are not able to ping because you dont READ the manual.
There are so many good tutorials about iptables.
First, read this below and you find all your answers. If you cannot find why 
your linux box do not ping, tell us:
http://iptables-tutorial.frozentux.net/


- -- 
- ------------------------------------------------
Renato Carvalho
<carvalho@nooracom.com>
Nooracom/Technet
+55 21 2221-6995
Linux Registered User #208419 <http://counter.li.org>

A UNIX saleslady, Lenore,
Enjoys work, but she likes the beach more.
	She found a good way
	To combine work and play:
She sells C shells by the seashore.
- ------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iQCVAwUBP9heS4RJ2OfKh4GMAQIgIgQAjgzxwPgNTtSKJzlwX1nYkXw9KEITaWPP
l04e27xCIRtJwHjdHDn957iTOz9tGHZZMuxU65CSfuZhVqKtH+/vzLPXEQw7ZfAh
ebs6SG//7TyGCUU7U7Dkz2bBgWM1aPsHtmhilD5TgQOCBZLzJJCJxuSKWOUEtXp+
HrRBrBul1A8=
=iGoC
-----END PGP SIGNATURE-----