Linux Netfilter discussions
* iptables with multiport problem
@ 2004-10-05 12:47 bruce
  2004-10-05 13:02 ` Ted Kaczmarek
  2004-10-05 18:31 ` Jason Opperisano
  0 siblings, 2 replies; 4+ messages in thread
From: bruce @ 2004-10-05 12:47 UTC (permalink / raw)
  To: netfilter


Hi all,

I am working with a Linux firewall implementation.


I am using iptables version v1.2.11 and Linux kernel 2.4.27.
If the multiport option comes with iptables (iptables rules are below), the 
services are not working. But individual services are working properly. 
The following filtering rules are not giving any syntactical errors.
I checked logs no info..

#/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.2.0/24 -m 
multiport --dport 24,80 -m multiport --sport 0:65535  -d 192.168.1.2  -j 
ACCEPT

#/sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.1.2 -m multiport 
--sport 24,80 -d 192.168.2.0/24 -m multiport --dport 0:65535 -j ACCEPT

Please give any solution or hints for the below problem.
Thanks
Bruce



* Re: iptables with multiport problem
  2004-10-05 12:47 iptables with multiport problem bruce
@ 2004-10-05 13:02 ` Ted Kaczmarek
  2004-10-05 18:31 ` Jason Opperisano
  1 sibling, 0 replies; 4+ messages in thread
From: Ted Kaczmarek @ 2004-10-05 13:02 UTC (permalink / raw)
  To: bruce; +Cc: netfilter

On Tue, 2004-10-05 at 18:17 +0530, bruce wrote:
> Hi all,
> 
> I am working with a Linux firewall implementation.
> 
> 
> I am using iptables version v1.2.11 and Linux kernel 2.4.27.
> If the multiport option comes with iptables (iptables rules are below), the 
> services are not working. But individual services are working properly. 
> The following filtering rules are not giving any syntactical errors.
> I checked logs no info..
> 
> #/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.2.0/24 -m 
> multiport --dport 24,80 -m multiport --sport 0:65535  -d 192.168.1.2  -j 
> ACCEPT
> 
> #/sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.1.2 -m multiport 
> --sport 24,80 -d 192.168.2.0/24 -m multiport --dport 0:65535 -j ACCEPT
> 
> Please give any solution or hints for the below problem.
> Thanks
> Bruce
> 
I kind of remember multiport support coming via a patch. 
Also your 0:65535 is not multiport.

Ted




* RE: iptables with multiport problem
@ 2004-10-05 16:29 Daniel Chemko
  0 siblings, 0 replies; 4+ messages in thread
From: Daniel Chemko @ 2004-10-05 16:29 UTC (permalink / raw)
  To: tedkaz, bruce; +Cc: netfilter

Ted Kaczmarek wrote:
> On Tue, 2004-10-05 at 18:17 +0530, bruce wrote:
>> Hi all,
>> 
>> I am working with a Linux firewall implementation.
>> 
>> 
>> I am using iptables version v1.2.11 and Linux kernel 2.4.27.
>> If the multiport option comes with iptables (iptables rules are below), the
>> services are not working. But individual services are working
>> properly. 
>> The following filtering rules are not giving any syntactical errors.
>> I checked logs no info..
>> 
>> #/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.2.0/24
>> -m multiport --dport 24,80 -m multiport --sport 0:65535  -d
>> 192.168.1.2  -j ACCEPT 
>> 
>> #/sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.1.2 -m
>> multiport --sport 24,80 -d 192.168.2.0/24 -m multiport --dport
>> 0:65535 -j ACCEPT 
>> 
>> Please give any solution or hints for the below problem.
>> Thanks
>> Bruce
>> 
> I kind of remember multiport support coming via a patch.
> Also your 0:65535 is not multiport.

Well, 0:65535 is a valid range, but it'll always return true, so leaving
it out amounts to the same thing. Your real problem is that you call
multiport twice and the fact that you use dport instead of dports and
sport instead of sports which the multiport patch requires. If in doubt
of the command syntax, type iptables -m <module> --help or iptables -j
<target> --help from the command line.




* Re: iptables with multiport problem
  2004-10-05 12:47 iptables with multiport problem bruce
  2004-10-05 13:02 ` Ted Kaczmarek
@ 2004-10-05 18:31 ` Jason Opperisano
  1 sibling, 0 replies; 4+ messages in thread
From: Jason Opperisano @ 2004-10-05 18:31 UTC (permalink / raw)
  To: netfilter

On Tue, 2004-10-05 at 08:47, bruce wrote:
> Hi all,
> 
> I am working with a Linux firewall implementation.
> 
> 
> I am using iptables version v1.2.11 and Linux kernel 2.4.27.
> If the multiport option comes with iptables (iptables rules are below), the 
> services are not working. But individual services are working properly. 
> The following filtering rules are not giving any syntactical errors.
> I checked logs no info..
> 
> #/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.2.0/24 -m 
> multiport --dport 24,80 -m multiport --sport 0:65535  -d 192.168.1.2  -j 
> ACCEPT

try:

  iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.2.0/24 \
    -m multiport --dports 24,80 -d 192.168.1.2  -j ACCEPT
                        ^
                        |- multiport uses "--dports" with an 's'

and what on earth is TCP port 24?  should that be a 25, perhaps?

and "-m multiport" does not support byte ranges (21:23), use mport for
that, or a regular port match.

-j

-- 
Jason Opperisano <opie@817west.com>
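The three mistakes the replies point at (singular `--dport`/`--sport` under `-m multiport`, an `a:b` range in a multiport list, and `-m multiport` loaded twice in one rule) are easy to catch before a rule ever reaches the kernel. The script below is an added example, not code from the thread or from the iptables project: it lints iptables command lines for exactly those problems and rewrites the two rules from Bruce's post the way Daniel and Jason suggest (pluralise the option, drop the always-true `0:65535` match). The 15-port limit is the `IPT_MULTI_PORTS` cap of the classic multiport match; the rule strings are the constructed sample input.

```python
import shlex

# Constructed sample input: the two FORWARD rules as posted in the thread.
ORIGINAL_RULES = [
    "/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.2.0/24 "
    "-m multiport --dport 24,80 -m multiport --sport 0:65535 -d 192.168.1.2 -j ACCEPT",
    "/sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.1.2 "
    "-m multiport --sport 24,80 -d 192.168.2.0/24 -m multiport --dport 0:65535 -j ACCEPT",
]

MULTIPORT_MAX_PORTS = 15          # IPT_MULTI_PORTS in the classic multiport match
PORT_OPTS = ("--dport", "--sport", "--dports", "--sports")


def lint_multiport_rule(rule):
    """Return a list of problems found in one iptables command line.

    Checks the mistakes raised in the thread:
      - '--dport'/'--sport' (singular) used after '-m multiport'
      - an 'a:b' range given where multiport wants a comma-separated list
      - more than MULTIPORT_MAX_PORTS entries in one list
      - '-m multiport' loaded more than once in the same rule
    """
    argv = shlex.split(rule)
    problems = []
    multiport_loads = 0
    in_multiport = False          # True while parsing options of a multiport match
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-m":           # every '-m' takes a module name argument
            in_multiport = i + 1 < len(argv) and argv[i + 1] == "multiport"
            if in_multiport:
                multiport_loads += 1
            i += 2
            continue
        if tok == "-j":           # target ends any match-specific options
            in_multiport = False
        if in_multiport and tok in PORT_OPTS:
            ports = argv[i + 1] if i + 1 < len(argv) else ""
            plist = ports.split(",")
            if tok in ("--dport", "--sport"):
                problems.append(f"{tok}: multiport expects {tok}s (plural)")
            if any(":" in p for p in plist):
                problems.append(f"{tok} {ports}: multiport takes a comma list, not a range")
            if len(plist) > MULTIPORT_MAX_PORTS:
                problems.append(f"{tok}: more than {MULTIPORT_MAX_PORTS} ports in one list")
            i += 2
            continue
        i += 1
    if multiport_loads > 1:
        problems.append("-m multiport loaded more than once in one rule")
    return problems


def fix_multiport_rule(rule):
    """Rewrite a rule the way the replies suggest.

    Pluralises the port option under '-m multiport' and removes any multiport
    match whose only port spec is 0:65535, since that matches every packet
    and so contributes nothing to the rule.
    """
    argv = shlex.split(rule)
    out = []
    i = 0
    while i < len(argv):
        if (argv[i] == "-m" and i + 3 < len(argv)
                and argv[i + 1] == "multiport" and argv[i + 2] in PORT_OPTS):
            opt, ports = argv[i + 2], argv[i + 3]
            if ports == "0:65535":
                i += 4            # always-true match: drop it entirely
                continue
            if not opt.endswith("s"):
                opt += "s"        # --dport -> --dports, --sport -> --sports
            out.extend(["-m", "multiport", opt, ports])
            i += 4
            continue
        out.append(argv[i])
        i += 1
    return " ".join(out)


if __name__ == "__main__":
    for rule in ORIGINAL_RULES:
        print("rule:   ", rule)
        for p in lint_multiport_rule(rule):
            print("  problem:", p)
        print("fixed:  ", fix_multiport_rule(rule))
```

Running it against the posted rules reports four problems per rule and prints the same single-multiport form Jason gave; running the lint over the fixed rule returns an empty list, which is the check to wire into whatever script generates the rule set.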



