Linux Netfilter discussions
* multiports
@ 2005-08-04 19:36 Peggy Kam
  2005-08-05  6:34 ` multiports Jan Engelhardt
  0 siblings, 1 reply; 16+ messages in thread
From: Peggy Kam @ 2005-08-04 19:36 UTC (permalink / raw)
  To: netfilter

Hi,

Is it possible to match multiple source and destination ports at the
same time?  It seems to me that it is not possible.  I am using iptables
version 1.2.11 and I have tried the following command:

iptables -A INPUT -p tcp --src 192.168.1.0/255.255.255.0 -m tcp -m
multiport --sports 22,80  --dst 192.168.22.123 -m multiport --dports
22,80 -j ACCEPT

Please correct me if I have the wrong syntax.  Any advice is
appreciated.

Thanks in advance,
Peggy




* Re: multiports
  2005-08-04 19:36 multiports Peggy Kam
@ 2005-08-05  6:34 ` Jan Engelhardt
  2005-08-10 20:13   ` Maximum number of ports? Peggy Kam
  0 siblings, 1 reply; 16+ messages in thread
From: Jan Engelhardt @ 2005-08-05  6:34 UTC (permalink / raw)
  To: Peggy Kam; +Cc: netfilter


>Is it possible to match multiple source and destination ports at the
>same time?  It seems to me that it is not possible.  I am using iptables
>version 1.2.11 and I have tried the following command:
>
>iptables -A INPUT -p tcp --src 192.168.1.0/255.255.255.0 -m tcp -m
>multiport --sports 22,80  --dst 192.168.22.123 -m multiport --dports
>22,80 -j ACCEPT

Everything is ANDed, so only the following combinations are possible with your 
rule:

22/22
22/80
80/22
80/80

Probably not what you want, given that most HTTP clients connect from some 
high-random port.

You need to separate rules,
-m multiport --dports 22,80
-m multiport --sports 22,80
to get an OR behavior.


Jan Engelhardt
-- 



* Maximum number of ports?
  2005-08-05  6:34 ` multiports Jan Engelhardt
@ 2005-08-10 20:13   ` Peggy Kam
  2005-08-11 16:54     ` /dev/rob0
  2005-09-13 22:10     ` Maximum number of rules in iptables? Peggy Kam
  0 siblings, 2 replies; 16+ messages in thread
From: Peggy Kam @ 2005-08-10 20:13 UTC (permalink / raw)
  To: netfilter

Hi,

What is the maximum number of ports that I can define in the iptables?
What is the limitation?

Thanks in advance,
Peggy




* Re: Maximum number of ports?
  2005-08-10 20:13   ` Maximum number of ports? Peggy Kam
@ 2005-08-11 16:54     ` /dev/rob0
  2005-09-13 22:10     ` Maximum number of rules in iptables? Peggy Kam
  1 sibling, 0 replies; 16+ messages in thread
From: /dev/rob0 @ 2005-08-11 16:54 UTC (permalink / raw)
  To: netfilter

On Wednesday 2005-August-10 15:13, Peggy Kam wrote:
> What is the maximum number of ports that I can define in the
> iptables? What is the limitation?

Are you asking about the multiport match extension? If so please find 
the following in "man iptables" and post again if you do not understand 
it:

   multiport
       This  module matches a set of source or destination ports.
       Up to 15 ports can be specified.  It can only be used  in
       conjunction with -p tcp or -p udp

That particular limitation only applies to a single multiport command. 
You can have as many of those as you need. Perhaps you're asking about 
the maximum number of rules you can have? I don't know what that limit 
might be (if I was curious I would Google), but I bet it's higher than 
the 64K TCP ports plus the 64K UDP ports.

If you're writing a firewall with that many rules, it is probable that 
you could have done it better and more efficiently using a different 
approach. For instance, default policies of DROP and only ACCEPT the 
port/protocol combinations you need, plus the standard "-m state 
--state RELATED,ESTABLISHED -j ACCEPT" rules.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
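
A small generator along the lines of the advice above, added here as an example rather than anything posted in the thread or shipped with iptables: it turns a port list into a default-DROP INPUT chain with the RELATED,ESTABLISHED accept and one multiport ACCEPT per group of at most 15 destination ports, so a long list stays inside the single-match limit without ballooning the rule count. The loopback accept rule and the sample port numbers are this example's own assumptions; the script only prints the command lines for review.

```python
"""Generate an iptables INPUT rule set from a port list, 15 ports per multiport match.

Added example: it writes iptables command lines as strings for review and
does not execute anything.  The 15-port limit and the default-DROP plus
RELATED,ESTABLISHED layout come from the thread; the loopback accept rule
and the sample port list are this example's own assumptions.
"""

MULTIPORT_MAX = 15  # "Up to 15 ports can be specified" (man iptables, quoted above)


def chunk_ports(ports, size=MULTIPORT_MAX):
    """Validate, de-duplicate and sort ports, then split into groups of <= size."""
    clean = sorted({int(p) for p in ports})
    for p in clean:
        if not 1 <= p <= 65535:
            raise ValueError(f"invalid port number: {p}")
    return [clean[i:i + size] for i in range(0, len(clean), size)]


def build_input_rules(tcp_ports=(), udp_ports=(), chain="INPUT"):
    """Return the iptables command lines for a default-DROP chain.

    One multiport ACCEPT is emitted per group of up to 15 destination ports,
    which keeps every rule within the single-match limit while the total
    number of rules stays small.
    """
    rules = [
        f"iptables -P {chain} DROP",
        # Assumption: local services need loopback; not discussed in the thread.
        f"iptables -A {chain} -i lo -j ACCEPT",
        f"iptables -A {chain} -m state --state RELATED,ESTABLISHED -j ACCEPT",
    ]
    for proto, ports in (("tcp", tcp_ports), ("udp", udp_ports)):
        for group in chunk_ports(ports):
            plist = ",".join(str(p) for p in group)
            rules.append(
                f"iptables -A {chain} -p {proto} -m multiport --dports {plist} -j ACCEPT"
            )
    return rules


if __name__ == "__main__":
    # Constructed sample: 20 TCP ports and one UDP port -> 2 + 1 multiport rules.
    for line in build_input_rules(tcp_ports=range(8000, 8020), udp_ports=[53]):
        print(line)
```

Pipe the printed lines into a shell only after reading them; the policy line goes first so that nothing is accepted before the explicit rules are in place.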



* Maximum number of rules in iptables?
  2005-08-10 20:13   ` Maximum number of ports? Peggy Kam
  2005-08-11 16:54     ` /dev/rob0
@ 2005-09-13 22:10     ` Peggy Kam
  2005-09-14  3:41       ` Edmundo Carmona
  2005-09-15 15:22       ` iptables rules Peggy Kam
  1 sibling, 2 replies; 16+ messages in thread
From: Peggy Kam @ 2005-09-13 22:10 UTC (permalink / raw)
  To: netfilter

Hi,

What is the maximum number of policies I can define in the iptables?  
i.e. how much memory is allocated for iptables?

Thanks in advance,
Peggy






* Re: Maximum number of rules in iptables?
  2005-09-13 22:10     ` Maximum number of rules in iptables? Peggy Kam
@ 2005-09-14  3:41       ` Edmundo Carmona
  2005-09-14  4:44         ` /dev/rob0
  2005-09-15 15:22       ` iptables rules Peggy Kam
  1 sibling, 1 reply; 16+ messages in thread
From: Edmundo Carmona @ 2005-09-14  3:41 UTC (permalink / raw)
  To: netfilter

that's a NFI for me. A whole bunch.... I've seen red hat scripts that
are way longer than mine. ;-)

On 9/13/05, Peggy Kam <ppkam@n-dsi.com> wrote:
> Hi,
> 
> What is the maximum number of policies I can define in the iptables?
> ie. how much memory is allocated for iptables?
> 
> Thanks in advance,
> Peggy
> 
> 
> 
> 
>



* Re: Maximum number of rules in iptables?
  2005-09-14  3:41       ` Edmundo Carmona
@ 2005-09-14  4:44         ` /dev/rob0
       [not found]           ` <65aa6af905091406415094a9ff@mail.gmail.com>
  0 siblings, 1 reply; 16+ messages in thread
From: /dev/rob0 @ 2005-09-14  4:44 UTC (permalink / raw)
  To: netfilter

> On 9/13/05, Peggy Kam <ppkam@n-dsi.com> wrote:
> > What is the maximum number of policies I can define in the
> > iptables? ie. how much memory is allocated for iptables?

I'm sure the answer is in the kernel source code if you need it. This 
forum is more for users than developers. You could try asking on LKML 
or on netfilter-devel, but I don't think you would be well-received 
there unless you showed an effort to find your own answers.

Opinion as a user: it's probably dynamically allocated; more memory is 
used in cases where there are more rules, or where the rules require.

Remembered from Googling: it's not ever likely to be a factor.

Personal experience: an 8MB 80386 is quite capable of handling NAT for 
home and small business broadband connections. I increased the default 
number of connection tracking table (ip_conntrack_max) entries, but 
otherwise had no problem.

On Tuesday 2005-September-13 22:41, Edmundo Carmona wrote:
> that's a NFI for me. A whole bunch.... I've seen red hat scripts that
> are way longer than mine. ;-)

I think it's safe to say that if you're making that many rules, you're 
doing something wrong. :) I said the same thing in this thread to this 
poster over a month ago.

Red Hat iptables rules (that I have seen) are terrible. Do they have 
anyone on staff who understands firewalling? If so, they're not working 
on the firewalls.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



* Fwd: Maximum number of rules in iptables?
       [not found]           ` <65aa6af905091406415094a9ff@mail.gmail.com>
@ 2005-09-14 13:42             ` Edmundo Carmona
  0 siblings, 0 replies; 16+ messages in thread
From: Edmundo Carmona @ 2005-09-14 13:42 UTC (permalink / raw)
  To: netfilter

Time and time again.... I forgot to mail netfilter. I always remember
to do it half a second after I press "send". :-(

---------- Forwarded message ----------
From: Edmundo Carmona <eantoranz@gmail.com>
Date: Sep 14, 2005 9:41 AM
Subject: Re: Maximum number of rules in iptables?
To: /dev/rob0 <rob0@gmx.co.uk>


Well... I guess they happen to be so many rules in those scripts
because they *could* come out (programmatically speaking) more
easily that way.... I'm not saying it's because of that (haven't sat
down to think about a firewall script generator tool)... but it could
play a part.

On 9/14/05, /dev/rob0 <rob0@gmx.co.uk> wrote:
> > On 9/13/05, Peggy Kam <ppkam@n-dsi.com> wrote:
> > > What is the maximum number of policies I can define in the
> > > iptables? ie. how much memory is allocated for iptables?
>
> I'm sure the answer is in the kernel source code if you need it. This
> forum is more for users than developers. You could try asking on LKML
> or on netfilter-devel, but I don't think you would be well-received
> there unless you showed an effort to find your own answers.
>
> Opinion as a user: it's probably dynamically allocated; more memory is
> used in cases where there are more rules, or where the rules require.
>
> Remembered from Googling: it's not ever likely to be a factor.
>
> Personal experience: an 8MB 80386 is quite capable of handling NAT for
> home and small business broadband connections. I increased the default
> number of connection tracking table (ip_conntrack_max) entries, but
> otherwise had no problem.
>
> On Tuesday 2005-September-13 22:41, Edmundo Carmona wrote:
> > that's a NFI for me. A whole bunch.... I've seen red hat scripts that
> > are way longer than mine. ;-)
>
> I think it's safe to say that if you're making that many rules, you're
> doing something wrong. :) I said the same thing in this thread to this
> poster over a month ago.
>
> Red Hat iptables rules (that I have seen) are terrible. Do they have
> anyone on staff who understands firewalling? If so, they're not working
> on the firewalls.
> --
>     mail to this address is discarded unless "/dev/rob0"
>     or "not-spam" is in Subject: header
>
>



* iptables rules
  2005-09-13 22:10     ` Maximum number of rules in iptables? Peggy Kam
  2005-09-14  3:41       ` Edmundo Carmona
@ 2005-09-15 15:22       ` Peggy Kam
  2005-09-15 15:26         ` Jörg Harmuth
  2005-09-15 15:33         ` Jörg Harmuth
  1 sibling, 2 replies; 16+ messages in thread
From: Peggy Kam @ 2005-09-15 15:22 UTC (permalink / raw)
  To: netfilter

Hi,

I have defined the following firewall rule in iptables:

iptables -I FORWARD -s 192.168.22.102 -d 192.168.1.112 -p tcp -m tcp -m
multiport --ports 22,23,24,25 -j ACCEPT

Why were the packets able to get to 192.168.1.112 on port 22 when the
packets do not even come from ports 22,23,24 or 25?

Thanks in advance,
Peggy






* Re: iptables rules
  2005-09-15 15:22       ` iptables rules Peggy Kam
@ 2005-09-15 15:26         ` Jörg Harmuth
  2005-09-15 15:37           ` Peggy Kam
  2005-09-15 15:33         ` Jörg Harmuth
  1 sibling, 1 reply; 16+ messages in thread
From: Jörg Harmuth @ 2005-09-15 15:26 UTC (permalink / raw)
  To: netfilter

Peggy Kam wrote:
> Hi,
> 
> I have defined the following firewall rule in iptables:
> 
> iptables -I FORWARD -s 192.168.22.102 -d 192.168.1.112 -p tcp -m tcp -m
> multiport --ports 22,23,24,25 -j ACCEPT
> 
> why were the packets able to get to 192.168.1.112 on port 22 when the
> packets does not even come from ports 22,23,24 or 25?

man iptables:

--ports [!] port[,port[,port:port...]]
               Match if either the source or destination
               ports are equal to one
               of the given ports.

So, this is expected behaviour, provided that there are no other rules 
in the way.

HTH,

Joerg




* Re: iptables rules
  2005-09-15 15:22       ` iptables rules Peggy Kam
  2005-09-15 15:26         ` Jörg Harmuth
@ 2005-09-15 15:33         ` Jörg Harmuth
  1 sibling, 0 replies; 16+ messages in thread
From: Jörg Harmuth @ 2005-09-15 15:33 UTC (permalink / raw)
  To: netfilter

For the sake of completeness :)

Peggy Kam wrote:
> Hi,
> 
> I have defined the following firewall rule in iptables:
> 
> iptables -I FORWARD -s 192.168.22.102 -d 192.168.1.112 -p tcp -m tcp -m
> multiport --ports 22,23,24,25 -j ACCEPT
> 
> why were the packets able to get to 192.168.1.112 on port 22 when the
> packets does not even come from ports 22,23,24 or 25?

man iptables:

multiport

...

       --ports [!] port[,port[,port:port...]]
               Match if either the source or destination
               ports are equal to one
               of the given ports.

So, this is expected behavior, provided that there are no other rules
in the way.

HTH,

Joerg






* Re: iptables rules
  2005-09-15 15:26         ` Jörg Harmuth
@ 2005-09-15 15:37           ` Peggy Kam
  2005-09-15 16:23             ` Jörg Harmuth
  0 siblings, 1 reply; 16+ messages in thread
From: Peggy Kam @ 2005-09-15 15:37 UTC (permalink / raw)
  To: Jörg Harmuth; +Cc: netfilter

Did the manpage get changed recently?  The iptables manpage that I see
states that:

--port [port[,port]]
        Match if the both the source and destination ports are equal to
        each other and to one of the given ports.


On Thu, 2005-09-15 at 17:26 +0200, Jörg Harmuth wrote:
> Peggy Kam wrote:
> > Hi,
> > 
> > I have defined the following firewall rule in iptables:
> > 
> > iptables -I FORWARD -s 192.168.22.102 -d 192.168.1.112 -p tcp -m tcp -m
> > multiport --ports 22,23,24,25 -j ACCEPT
> > 
> > why were the packets able to get to 192.168.1.112 on port 22 when the
> > packets does not even come from ports 22,23,24 or 25?
> 
> man iptables:
> 
> --ports [!] port[,port[,port:port...]]
>                Match if either the source or destination
>                ports are equal to one
>                of the given ports.
> 
> So, this is expected behaviour, provided that there are no other rules 
> in the way.
> 
> HTH,
> 
> Joerg
> 
> 




* Re: iptables rules
  2005-09-15 15:37           ` Peggy Kam
@ 2005-09-15 16:23             ` Jörg Harmuth
  2005-10-21 13:46               ` Realos
  0 siblings, 1 reply; 16+ messages in thread
From: Jörg Harmuth @ 2005-09-15 16:23 UTC (permalink / raw)
  To: netfilter

Peggy Kam wrote:
> did the manpage gets changed recently?  the iptables manpage that I see
> states that:
> 
> --port [port[,port]]
>         Match if the both the source and destination ports are equal to
>         each other and to one of the given ports.


I see. You are referring to -m mport --port*s* (by the way, there is a 
typo or are you referring to another module ?), which is different from 
-m multiport --port*s* port[...] - which I was referring to. Your rule was

... -m multiport --ports 22,23,24,25 -j ACCEPT

So I looked for multiport.

HTH,

Joerg



* Re: iptables rules
  2005-09-15 16:23             ` Jörg Harmuth
@ 2005-10-21 13:46               ` Realos
  2005-10-21 16:03                 ` Rob Sterenborg
  2005-10-21 16:19                 ` Jörg Harmuth
  0 siblings, 2 replies; 16+ messages in thread
From: Realos @ 2005-10-21 13:46 UTC (permalink / raw)
  To: netfilter

Jörg Harmuth wanted us to know:


>I see. You are referring to -m mport --port*s* (by the way, there is a 
>typo or are you referring to another module ?), which is different from 
>-m multiport --port*s* port[...] - which I was referring to. Your rule was
>
>... -m multiport --ports 22,23,24,25 -j ACCEPT
>
>So I looked for multiport.

There seems to be an inconsistency between the man pages Jörg Harmuth has installed
and those of some other people (the original poster and myself at least).

man iptables:

mport
...
 --ports port[,port[,port...]]
	Match if the both the source and destination ports are
	equal to each other and to one  of  the  given
	ports.

multiport
...
	used in conjunction with -p tcp or -p udp.
	rts port[,port[,port...]]
	Match if the both the source and destination ports
	are equal to each other and to one  of  the  given
	ports.

Mar 09, 2002 IPTABLES(8)

BTW, what is the difference between mport and multiport modules?


-- 
Realos



* RE: iptables rules
  2005-10-21 13:46               ` Realos
@ 2005-10-21 16:03                 ` Rob Sterenborg
  2005-10-21 16:19                 ` Jörg Harmuth
  1 sibling, 0 replies; 16+ messages in thread
From: Rob Sterenborg @ 2005-10-21 16:03 UTC (permalink / raw)
  To: netfilter

> There seems to be an inconsistency between the man pages Jörg
> Harmuth has installed and those of some other people (the original poster
> and myself at least). 
> 
> man iptables:
> 
> mport
> ...
>  --ports port[,port[,port...]]
> 	Match if the both the source and destination ports are
> 	equal to each other and to one  of  the  given
> 	ports.
> 
> multiport
> ...
> 	used in conjunction with -p tcp or -p udp.
> 	rts port[,port[,port...]]
> 	Match if the both the source and destination ports
> 	are equal to each other and to one  of  the  given 	ports.
> 
> Mar 09, 2002 IPTABLES(8)
> 
> BTW, what is the difference between mport and multiport modules?

Mport is obsoleted according to :
http://www.netfilter.org/projects/patch-o-matic/pom-obsolete.html

Searching the Netfilter site I read that mport was to be combined with
multiport :
http://www.netfilter.org/documentation/conferences/nf-workshop-2004-summary.html
(mport TODO: combine with multiport). So, I think this work has
been done.


Gr,
Rob




* Re: iptables rules
  2005-10-21 13:46               ` Realos
  2005-10-21 16:03                 ` Rob Sterenborg
@ 2005-10-21 16:19                 ` Jörg Harmuth
  1 sibling, 0 replies; 16+ messages in thread
From: Jörg Harmuth @ 2005-10-21 16:19 UTC (permalink / raw)
  To: netfilter

Realos wrote:
> Jörg Harmuth wanted us to know:
> 
> 
>> I see. You are referring to -m mport --port*s* (by the way, there is a 
>> typo or are you referring to another module ?), which is different from 
>> -m multiport --port*s* port[...] - which I was referring to. Your rule was
>>
>> ... -m multiport --ports 22,23,24,25 -j ACCEPT
>>
>> So I looked for multiport.
> 
> There seems to be an inconsistency between the man pages Jörg Harmuth has installed
> and those of some other people (the original poster and myself at least).
> 
> man iptables:
> 
> mport
> ...
>  --ports port[,port[,port...]]
> 	Match if the both the source and destination ports are
> 	equal to each other and to one  of  the  given
> 	ports.
> 
> multiport
> ...
> 	used in conjunction with -p tcp or -p udp.
> 	rts port[,port[,port...]]
> 	Match if the both the source and destination ports
> 	are equal to each other and to one  of  the  given
> 	ports.
> 
> Mar 09, 2002 IPTABLES(8)
> 
> BTW, what is the difference between mport and multiport modules?
> 
> 

Hmm, interesting. I looked again and I see:

man iptables:

  mport
    --ports port[,port[,port...]]
            Match if the both the source and destination ports are
            equal to each other and to one of the given ports.

  multiport
    --ports [!] port[,port[,port:port...]]
            Match if either the source or destination ports are
            equal to one of the given ports.

My iptables is a self-compiled 1.3.3 running on Sarge, one box with 
kernel 2.4.31, the other box with kernel 2.6.13.1. Maybe an iptables 
version issue?

Have a nice time,

Joerg
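
The three behaviours argued over in this thread (Jan's point that `--sports` and `--dports` in one rule are ANDed and only separate rules give an OR, Jörg's manpage text for multiport `--ports` matching either port, and the mport `--ports` text quoted by Realos that requires both ports to be equal and listed) are easy to confuse on paper, so here is a small matcher that encodes each of them. It is an added example, not code from the thread or from iptables; packets are constructed (source port, destination port) pairs, and the port numbers are the ones used in the messages above.

```python
"""Model of how the port options discussed in this thread match a TCP packet.

Added example (not from the thread or from iptables): a tiny matcher that
encodes the manpage semantics quoted above so the outcomes debated here
can be checked side by side:
  --sports / --dports   compare the source / destination port with the list
  multiport --ports     match if EITHER source OR destination port is listed
  mport --ports         match if source AND destination are equal AND listed
Matches inside one rule are ANDed; separate rules are tried in order (OR).
Packets are (source_port, destination_port) pairs, constructed inline.
"""
from typing import Callable, Iterable, List, Tuple

Packet = Tuple[int, int]
Match = Callable[[Packet], bool]


def sports(ports: Iterable[int]) -> Match:
    """multiport --sports: source port is one of the listed ports."""
    listed = set(ports)
    return lambda pkt: pkt[0] in listed


def dports(ports: Iterable[int]) -> Match:
    """multiport --dports: destination port is one of the listed ports."""
    listed = set(ports)
    return lambda pkt: pkt[1] in listed


def multiport_ports(ports: Iterable[int]) -> Match:
    """multiport --ports: either the source or the destination port is listed."""
    listed = set(ports)
    return lambda pkt: pkt[0] in listed or pkt[1] in listed


def mport_ports(ports: Iterable[int]) -> Match:
    """mport --ports: source and destination are equal to each other and listed."""
    listed = set(ports)
    return lambda pkt: pkt[0] == pkt[1] and pkt[0] in listed


def rule(*matches: Match) -> Match:
    """Every match in one rule must hold (iptables ANDs them)."""
    return lambda pkt: all(m(pkt) for m in matches)


def first_match(rules: List[Match], pkt: Packet) -> int:
    """Index of the first rule that accepts pkt, or -1 when the chain policy applies."""
    for i, r in enumerate(rules):
        if r(pkt):
            return i
    return -1


def matching_pairs(match: Match, candidates: Iterable[Packet]) -> List[Packet]:
    """All candidate packets a single match accepts, sorted for display."""
    return sorted(p for p in candidates if match(p))


# Constructed sample traffic: an ephemeral client port talking to 22 and 80,
# plus the "server port on both sides" pairs Jan listed.
SAMPLE = [(s, d) for s in (22, 80, 43210) for d in (22, 80, 43210)]

if __name__ == "__main__":
    both = rule(sports([22, 80]), dports([22, 80]))
    print("sports AND dports:", matching_pairs(both, SAMPLE))
    split = [rule(dports([22, 80])), rule(sports([22, 80]))]
    print("separate rules, 43210->80 hits rule", first_match(split, (43210, 80)))
    print("multiport --ports 22: 43210->22 ->", multiport_ports([22])((43210, 22)))
    print("mport --ports 22:     43210->22 ->", mport_ports([22])((43210, 22)))
```

Running it reproduces the thread's outcomes: the combined `--sports`/`--dports` rule accepts only the four 22/80 pairs, the split rules accept a client on 43210 reaching port 80, Peggy's multiport `--ports 22,23,24,25` rule accepts a packet from 43210 to 22, and the mport reading of the same option would not.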



