* Blocking HTTP source port from an IP
From: Feris Thia @ 2006-05-24 16:18 UTC (permalink / raw)
To: netfilter
Hi All,
I'm quite new to iptables and, actually, to how it works. I set up a
firewall on a server with IP 192.168.0.40/24 (with an Apache web
server running), and then I have a Windows client with IP
192.168.0.30/24, and then I try to block HTTP port requests from this
client using this command:
iptables -A INPUT -s 192.168.0.30 -p tcp --sport http -j REJECT
but it fails... then I try this one:
iptables -A INPUT -s 192.168.0.30 -p tcp --dport http -j REJECT
Why is it so? As my logic says, the request comes from the http port, so I
specify the -p tcp --sport http, but it doesn't work at all :(
--
Regards,
Feris
* Re: Blocking HTTP source port from an IP
From: Marcelus Trojahn @ 2006-05-24 16:30 UTC (permalink / raw)
To: Feris Thia; +Cc: netfilter
Hello,
It's the opposite... The request goes to the tcp port 80 of your server, not
the other way around...
iptables -A INPUT -s 192.168.0.30 -p tcp --dport http -j REJECT
means
Reject tcp packets coming from 192.168.0.30 destined to port 80 of this box.
--
Marcelus Trojahn
Wednesday, May 24, 2006, 1:18:25 PM, you wrote:
> Hi All,
> I'm quite new to iptables and, actually, to how it works. I set up a
> firewall on a server with IP 192.168.0.40/24 (with an Apache web
> server running), and then I have a Windows client with IP
> 192.168.0.30/24, and then I try to block HTTP port requests from this
> client using this command:
> iptables -A INPUT -s 192.168.0.30 -p tcp --sport http -j REJECT
> but it fails... then I try this one:
> iptables -A INPUT -s 192.168.0.30 -p tcp --dport http -j REJECT
> Why is it so? As my logic says, the request comes from the http port, so I
> specify the -p tcp --sport http, but it doesn't work at all :(
* Re: Blocking HTTP source port from an IP
From: Drew Leske @ 2006-05-24 16:49 UTC (permalink / raw)
To: Feris Thia; +Cc: netfilter
When the Windows box contacts the web server on the Linux box, it comes from
an available port assigned by the operating system--random so far as the
Linux box and iptables are concerned. On the other hand, the Windows box
(well, actually the browser or whatever application) needs to know where to go
on the Linux box.
The IP address of the Linux server is like the street address of an
apartment building. The ports are like the apartment numbers. The HTTP
port (port 80) is a "well-known port" in that all web servers by default
will answer on that port. So that's like when all the kids in the
neighbourhood know that the nice old lady in apartment 80 gives out candy.
If you don't want the fat kid from down the street getting any more candy,
you tell the doorman to block him from ringing up the nice old candy lady.
And there's your firewall:
iptables -A INPUT -s fat_kid -p tcp --dport CANDY -j REJECT
Now substitute your Windows box for the fat kid (big stretch, har har) and
HTTP for CANDY:
iptables -A INPUT -s 192.168.0.30 -p tcp --dport HTTP -j REJECT
Hahaha worst analogy ev-ar. Hope it helps!
By the way, the address of the Windows box would be 192.168.0.30, not
192.168.0.30/24. The "/24" at the end specifies a network mask, so when you
say 192.168.0.30/24 you're not specifying a single address but a subnet.
Another post suggested you read up on basic networking and I respectfully
recommend you do that, or you're in for a lot of frustration and pain.
The Linux Documentation Project at www.tldp.org has a lot of useful
information. I'd start with the Guides. Check out "Introduction to Linux -
A Hands on Guide", which probably has a basic networking intro, then move on
to "The Linux System Administrators' Guide". Also check out the how-to's.
Drew.
Feris Thia wrote:
> Hi All,
>
> I'm quite new to iptables and, actually, to how it works. I set up a
> firewall on a server with IP 192.168.0.40/24 (with an Apache web
> server running), and then I have a Windows client with IP
> 192.168.0.30/24, and then I try to block HTTP port requests from this
> client using this command:
>
> iptables -A INPUT -s 192.168.0.30 -p tcp --sport http -j REJECT
>
> but it fails... then I try this one:
>
> iptables -A INPUT -s 192.168.0.30 -p tcp --dport http -j REJECT
>
> Why is it so? As my logic says, the request comes from the http port, so I
> specify the -p tcp --sport http, but it doesn't work at all :(
>
>
--
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)
* RE: Blocking HTTP source port from an IP
From: Sietse van Zanen @ 2006-05-24 16:35 UTC (permalink / raw)
To: Marcelus Trojahn, Feris Thia; +Cc: netfilter
The difference is in the source and destination ports.
An http request has destination port 80. The source port is picked from a
random range, but always above 1024. The reply would then be with source
port 80 and the destination port that was randomly chosen.
This rule:
iptables -A INPUT -s 192.168.0.30 -p tcp --sport http -j REJECT
will actually block http reply packets coming from 192.168.0.30.
For more info, go read the documentation, take an IP course and educate
yourself.
-Sietse
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Marcelus
Trojahn
Sent: Wednesday, May 24, 2006 6:31 PM
To: Feris Thia
Cc: netfilter@lists.netfilter.org
Subject: Re: Blocking HTTP source port from an IP
Hello,
It's the opposite... The request goes to the tcp port 80 of your
server, not
the other way around...
iptables -A INPUT -s 192.168.0.30 -p tcp --dport http -j REJECT
means
Reject tcp packets coming from 192.168.0.30 destined to port 80 of
this box.
--
Marcelus Trojahn
Wednesday, May 24, 2006, 1:18:25 PM, you wrote:
> Hi All,
> I'm quite new to iptables and, actually, to how it works. I set up a
> firewall on a server with IP 192.168.0.40/24 (with an Apache web
> server running), and then I have a Windows client with IP
> 192.168.0.30/24, and then I try to block HTTP port requests from this
> client using this command:
> iptables -A INPUT -s 192.168.0.30 -p tcp --sport http -j REJECT
> but it fails... then I try this one:
> iptables -A INPUT -s 192.168.0.30 -p tcp --dport http -j REJECT
> Why is it so? As my logic says, the request comes from the http port, so I
> specify the -p tcp --sport http, but it doesn't work at all :(
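An added example (not from any post in this thread) that emulates in POSIX shell how the INPUT chain's -s / --sport / --dport matches apply to the two rules Feris tried, following Drew's and Sietse's explanations; the packet tuples and the client's ephemeral port 49152 are constructed values.

```shell
#!/bin/sh
# Added example, not the thread's own code: a tiny emulation of how INPUT
# evaluates "-s ... -p tcp --sport/--dport" against a TCP packet.
# Packets are written as "src_ip src_port dst_ip dst_port". Port 49152 is a
# constructed ephemeral port; a real client picks a random high port.

# rule_match RULE_SRC RULE_SPORT RULE_DPORT SRC_IP SRC_PORT DST_IP DST_PORT
# Prints "match" or "nomatch"; "any" in a rule field is a wildcard.
rule_match() {
    rule_src=$1; rule_sport=$2; rule_dport=$3
    pkt_src=$4;  pkt_sport=$5;  pkt_dport=$7   # $6 (dst ip) is not needed here
    if [ "$rule_src"   != any ] && [ "$rule_src"   != "$pkt_src"   ]; then echo nomatch; return; fi
    if [ "$rule_sport" != any ] && [ "$rule_sport" != "$pkt_sport" ]; then echo nomatch; return; fi
    if [ "$rule_dport" != any ] && [ "$rule_dport" != "$pkt_dport" ]; then echo nomatch; return; fi
    echo match
}

# iptables -A INPUT -s 192.168.0.30 -p tcp --sport http -j REJECT
sport_rule() { rule_match 192.168.0.30 80 any "$@"; }
# iptables -A INPUT -s 192.168.0.30 -p tcp --dport http -j REJECT
dport_rule() { rule_match 192.168.0.30 any 80 "$@"; }

# Constructed packets as they would arrive on the Linux box's INPUT chain.
# The browser's request: ephemeral source port, destination port 80.
CLIENT_REQUEST="192.168.0.30 49152 192.168.0.40 80"
# The only traffic the --sport rule can see: something sent *from* port 80
# on the Windows box, i.e. a web server on the client answering the Linux box.
# Apache's own reply (192.168.0.40:80 -> 192.168.0.30:49152) leaves through
# OUTPUT and never traverses INPUT at all, so neither rule applies to it.
FROM_CLIENT_PORT_80="192.168.0.30 80 192.168.0.40 49152"

demo() {
    printf '%-20s sport-rule=%-8s dport-rule=%s\n' "client request" \
        "$(sport_rule $CLIENT_REQUEST)" "$(dport_rule $CLIENT_REQUEST)"
    printf '%-20s sport-rule=%-8s dport-rule=%s\n' "from client port 80" \
        "$(sport_rule $FROM_CLIENT_PORT_80)" "$(dport_rule $FROM_CLIENT_PORT_80)"
}
demo
```

After loading the real rule, `iptables -L INPUT -n -v` shows per-rule packet counters, which is the quickest way to confirm which of the two rules is actually seeing the client's traffic.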