* iptables?
From: Littlefield, Tyler
To: Speakup

Hello list,
I've got the following iptables set.

iptables -F
iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 110 -j ACCEPT
iptables -A INPUT -p tcp --sport 3784 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 6666:6670 -j ACCEPT
iptables -A INPUT -p tcp --sport 10000 -j ACCEPT
iptables -A INPUT -p tcp --sport 20000 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

I'm dmzed, and when I run this, it puts everything to filter.
Any idea what I'm doing wrong?
Thanks,
~~TheCreator~~
* Re: iptables?
From: Gregory Nowak
To: Speakup is a screen review system for Linux.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think I see the problem. Basically, you want to use --dport instead of --sport. For example, the way you have it now:

iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT

means that you'd be accepting connections with source ports 20:22. If I understand tcp/ip correctly, that could never happen with those ports; I think they're used only for responding to already initiated connections. So, if what you want to do is to allow connections on ports 20:22 in this example into your box, use --dport.

Greg

On Sun, Mar 25, 2007 at 03:36:43PM -0700, Littlefield, Tyler wrote:
> Hello list,
> I've got the following iptables set.
> iptables -F
> iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> iptables -A INPUT -p tcp --sport 110 -j ACCEPT
> iptables -A INPUT -p tcp --sport 3784 -j ACCEPT
> iptables -A INPUT -p tcp --sport 443 -j ACCEPT
> iptables -A INPUT -p tcp --sport 6666:6670 -j ACCEPT
> iptables -A INPUT -p tcp --sport 10000 -j ACCEPT
> iptables -A INPUT -p tcp --sport 20000 -j ACCEPT
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> I'm dmzed, and when I run this, it puts everything to filter.
> Any idea what I'm doing wrong?
> Thanks,
> ~~TheCreator~~
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

- --
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1 (authorization required, add me to your contacts list first)
- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGBwgX7s9z/XlyUyARAsCLAJ97NBM9eFYvQtGXAtO205j37fTk1gCfW+HS
ArSXMxhPWyq79WeX8FnJ8y4=
=Em7O
-----END PGP SIGNATURE-----
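A corrected version of the ruleset, added here as an example and not code posted by anyone in the thread: it keeps the same port list but matches on --dport as Greg advises, and adds a conntrack rule (my addition, not something the thread proposes) so that replies to connections the box itself opens, such as apt-get fetches and the DNS lookups behind them, are accepted before the INPUT DROP policy sees them. It also rate-limits the LOG rule so a flood of dropped packets cannot swamp syslog. DRY_RUN, ipt, apply_rules and rules_contain are names I chose; with DRY_RUN left at its default of 1 the script only prints the commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): the thread's port list, matched on the
# destination port, plus stateful acceptance of replies to our own connections.
# DRY_RUN=1 (default) prints each iptables command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Services this host offers to the outside world (ports from the original post)
INBOUND_TCP="20:22 80 110 443 3784 6666:6670 10000 20000"

apply_rules() {
    ipt -F INPUT
    # Replies to connections this host started (apt-get, DNS, NTP, ...):
    # without this, INPUT DROP eats every answer to our own outgoing traffic.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    for p in $INBOUND_TCP; do
        # --dport: the port a remote client connects TO on this host
        ipt -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log what is about to hit the DROP policy; limit keeps syslog usable
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "input drop "
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
}

# Check helper (dry-run assumed): does the generated ruleset contain a fragment?
rules_contain() {
    apply_rules | grep -q -- "$1"
}

apply_rules
```

Run it as `sh rules.sh` to review the generated commands; only `DRY_RUN=0 sh rules.sh` as root actually changes the firewall. The ESTABLISHED,RELATED rule is placed first on purpose: it answers the thread's actual symptom (outgoing tools failing under INPUT DROP) without opening any listening port, and the --dport rules then only ever see new inbound connections.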
* RE: iptables?
From: Anthony Creapeau
To: 'Speakup is a screen review system for Linux.'

TCP Ports 20, 21 and 20 are FTP, SFTP and SSH ports respectively. These ports are outgoing communications used by the respective protocol (i.e. FTP, SFTP and SSH), and the responding or incoming communications usually are negotiated to use ports above 1024.

Hope this makes sense.

-----Original Message-----
From: speakup-bounces@braille.uwo.ca [mailto:speakup-bounces@braille.uwo.ca] On Behalf Of Gregory Nowak
Sent: Sunday, March 25, 2007 6:39 PM
To: Speakup is a screen review system for Linux.
Subject: Re: iptables?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think I see the problem. Basically, you want to use --dport, instead of --sport. For example, the way you have it now:

iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT

means that you'd be accepting connections with source ports 20:22. If I understand tcp/ip correctly, that could never happen with those ports, I think they're used only for responding to already initiated connections. So, if what you want to do is to allow connections on ports 20:22 in this example into your box, use --dport.

Greg

On Sun, Mar 25, 2007 at 03:36:43PM -0700, Littlefield, Tyler wrote:
> Hello list,
> I've got the following iptables set.
> iptables -F
> iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> iptables -A INPUT -p tcp --sport 110 -j ACCEPT
> iptables -A INPUT -p tcp --sport 3784 -j ACCEPT
> iptables -A INPUT -p tcp --sport 443 -j ACCEPT
> iptables -A INPUT -p tcp --sport 6666:6670 -j ACCEPT
> iptables -A INPUT -p tcp --sport 10000 -j ACCEPT
> iptables -A INPUT -p tcp --sport 20000 -j ACCEPT
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> I'm dmzed, and when I run this, it puts everything to filter.
> Any idea what I'm doing wrong?
> Thanks,
> ~~TheCreator~~
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

- --
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1 (authorization required, add me to your contacts list first)
- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGBwgX7s9z/XlyUyARAsCLAJ97NBM9eFYvQtGXAtO205j37fTk1gCfW+HS
ArSXMxhPWyq79WeX8FnJ8y4=
=Em7O
-----END PGP SIGNATURE-----
_______________________________________________
Speakup mailing list
Speakup@braille.uwo.ca
http://speech.braille.uwo.ca/mailman/listinfo/speakup
* Re: iptables?
From: Gregory Nowak
To: Speakup is a screen review system for Linux.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Mar 26, 2007 at 12:56:31AM -0500, Anthony Creapeau wrote:
> TCP Ports 20, 21 and 20 are FTP, SFTP and SSH ports respectively.

Actually, both tcp 20 and 21 are used for ftp, tcp 20 being ftp data, I believe (for the cases when passive ftp isn't being used), and 21 being for ftp. 22 is used for ssh, and sftp is a subsystem of that.

Greg

- --
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1 (authorization required, add me to your contacts list first)
- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGB/Tx7s9z/XlyUyARAkigAKCYVetWmLqWqs/RAgYvMLuis1SuiQCgh54c
ZO07mPEtmQDizCQhZcVfREM=
=3QCw
-----END PGP SIGNATURE-----
* Re: iptables?
From: Ralph W. Reid
To: Speakup is a screen review system for Linux.

You have only allowed tcp protocol on various ports. Could you perhaps be doing something which involves other protocols such as udp or icmp?

On Sun, Mar 25, 2007 at 03:36:43PM -0700, Littlefield, Tyler wrote:
> Hello list,
> I've got the following iptables set.
> iptables -F
> iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> iptables -A INPUT -p tcp --sport 110 -j ACCEPT
> iptables -A INPUT -p tcp --sport 3784 -j ACCEPT
> iptables -A INPUT -p tcp --sport 443 -j ACCEPT
> iptables -A INPUT -p tcp --sport 6666:6670 -j ACCEPT
> iptables -A INPUT -p tcp --sport 10000 -j ACCEPT
> iptables -A INPUT -p tcp --sport 20000 -j ACCEPT
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> I'm dmzed, and when I run this, it puts everything to filter.
> Any idea what I'm doing wrong?
> Thanks,
> ~~TheCreator~~
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

--
Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
rreid@sunset.net http://personalweb.sunset.net/~rreid
...passing through The City of Internet at the speed of light...
1 = x^0
* Re: iptables?
From: Littlefield, Tyler
To: Speakup is a screen review system for Linux.

I'm trying to use apt-get; I'm not sure what I would need to enable to get that.

----- Original Message -----
From: "Ralph W. Reid" <rreid@sunset.net>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Tuesday, March 27, 2007 11:40 AM
Subject: Re: iptables?

> You have only allowed tcp protocol on various ports. Could you
> perhaps be doing something which involves other protocols such as udp
> or icmp?
>
> On Sun, Mar 25, 2007 at 03:36:43PM -0700, Littlefield, Tyler wrote:
> > Hello list,
> > I've got the following iptables set.
> > iptables -F
> > iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT
> > iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> > iptables -A INPUT -p tcp --sport 110 -j ACCEPT
> > iptables -A INPUT -p tcp --sport 3784 -j ACCEPT
> > iptables -A INPUT -p tcp --sport 443 -j ACCEPT
> > iptables -A INPUT -p tcp --sport 6666:6670 -j ACCEPT
> > iptables -A INPUT -p tcp --sport 10000 -j ACCEPT
> > iptables -A INPUT -p tcp --sport 20000 -j ACCEPT
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > I'm dmzed, and when I run this, it puts everything to filter.
> > Any idea what I'm doing wrong?
> > Thanks,
> > ~~TheCreator~~
> > _______________________________________________
> > Speakup mailing list
> > Speakup@braille.uwo.ca
> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
> --
> Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
> rreid@sunset.net http://personalweb.sunset.net/~rreid
> ...passing through The City of Internet at the speed of light...
> 1 = x^0
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
* Re: iptables?
From: Ralph W. Reid
To: Speakup is a screen review system for Linux.

You might want to try logging some of iptables' activities to determine what exactly is being blocked. If the lines you listed are in a script, you can insert the following line just before the 'INPUT DROP' line to log the incoming packets at that point to see what is reaching that point in your iptables rules:

iptables -A INPUT -j LOG --log-prefix " input drop "

The resulting log entries will be in /var/syslog ('grep "input drop" /var/syslog' will display the results). You may want to comment out or remove this new line from your script when you are done using it, and then use the iptables delete option or rerun the script to clear the tables--this iptables command may produce a lot of log entries very quickly.

HTH, and have a great day.

On Tue, Mar 27, 2007 at 01:16:15PM -0700, Littlefield, Tyler wrote:
> I'm trying to use apt-get, I'm not sure what I would need to enable to get
> that.
> ----- Original Message -----
> From: "Ralph W. Reid" <rreid@sunset.net>
> To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
> Sent: Tuesday, March 27, 2007 11:40 AM
> Subject: Re: iptables?
>
>
> > You have only allowed tcp protocol on various ports. Could you
> > perhaps be doing something which involves other protocols such as udp
> > or icmp?
> >
> > On Sun, Mar 25, 2007 at 03:36:43PM -0700, Littlefield, Tyler wrote:
> > > Hello list,
> > > I've got the following iptables set.
> > > iptables -F
> > > iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT
> > > iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> > > iptables -A INPUT -p tcp --sport 110 -j ACCEPT
> > > iptables -A INPUT -p tcp --sport 3784 -j ACCEPT
> > > iptables -A INPUT -p tcp --sport 443 -j ACCEPT
> > > iptables -A INPUT -p tcp --sport 6666:6670 -j ACCEPT
> > > iptables -A INPUT -p tcp --sport 10000 -j ACCEPT
> > > iptables -A INPUT -p tcp --sport 20000 -j ACCEPT
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT ACCEPT
> > > I'm dmzed, and when I run this, it puts everything to filter.
> > > Any idea what I'm doing wrong?
> > > Thanks,
> > > ~~TheCreator~~
> > > _______________________________________________
> > > Speakup mailing list
> > > Speakup@braille.uwo.ca
> > > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> > --
> > Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
> > rreid@sunset.net http://personalweb.sunset.net/~rreid
> > ...passing through The City of Internet at the speed of light...
> > 1 = x^0

--
Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
rreid@sunset.net http://personalweb.sunset.net/~rreid
...passing through The City of Internet at the speed of light...
TAN (x) = SIN (x) / COS (x)
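Once the LOG rule Ralph describes is in place, the useful step is to tally what it records rather than read raw lines. The following shell/awk filter is an added example, not code from the thread: it reads kernel log lines carrying the "input drop" prefix and counts them by protocol, source port and destination port. Ports at or above 1024 are collapsed to "eph" (ephemeral); that threshold is an assumption I make from the well-known port range, not anything iptables marks, and it is what makes a pile of dropped DNS replies to different client ports show up as one bucket. The sample log lines are constructed; summarize_drops, summarize_sample and top_drop are names I chose.

```shell
#!/bin/sh
# Added example (not from the thread): tally the kernel log lines written by an
# iptables LOG rule whose --log-prefix contains "input drop", so you can see
# which traffic the INPUT DROP policy is eating. Reads log lines on stdin and
# prints "<count> <PROTO> SPT=<port> DPT=<port>", most frequent first.

# Ports >= 1024 are reported as "eph" (ephemeral). This is an assumption based
# on the well-known port range; iptables itself does not classify ports.
summarize_drops() {
    grep -- 'input drop' | awk '
    function bucket(p) {
        if (p == "-") return p
        return (p + 0 >= 1024) ? "eph" : p
    }
    {
        proto = "?"; spt = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)     proto = substr($i, 7)
            else if ($i ~ /^SPT=/)  spt = substr($i, 5)
            else if ($i ~ /^DPT=/)  dpt = substr($i, 5)
        }
        count[proto " SPT=" bucket(spt) " DPT=" bucket(dpt)]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what syslog would show: two dropped DNS replies (the
# kind of thing that breaks apt-get when only --sport rules exist), one SSH
# connection attempt, one ping, and one unrelated line the grep must ignore.
SAMPLE_LOG='Mar 28 09:05:12 host kernel: input drop IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.20 LEN=73 TTL=64 PROTO=UDP SPT=53 DPT=40512 LEN=53
Mar 28 09:05:12 host kernel: input drop IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.20 LEN=73 TTL=64 PROTO=UDP SPT=53 DPT=40513 LEN=53
Mar 28 09:05:13 host kernel: input drop IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 LEN=60 TTL=55 PROTO=TCP SPT=51322 DPT=22 WINDOW=5840 SYN URGP=0
Mar 28 09:05:14 host kernel: input drop IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.20 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Mar 28 09:05:15 host sshd[2231]: Accepted publickey for admin from 192.0.2.30'

# Run the summary over the constructed sample
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
}

# The single most frequent bucket, for a quick look at what dominates the log
top_drop() {
    summarize_sample | head -n 1
}

summarize_sample
```

Against a live system you would run `grep "input drop" /var/log/syslog | summarize_drops` (or whichever file the box's syslog writes kernel messages to). In the sample, the top line "2 UDP SPT=53 DPT=eph" is the signature of a firewall dropping answers to the host's own DNS queries, which is exactly the kind of reply traffic the original --sport rules never cover; a line like "1 TCP SPT=eph DPT=22" is instead an inbound connection attempt that a --dport rule would decide on.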
* Re: iptables?
From: Littlefield, Tyler
To: Speakup is a screen review system for Linux.

Will do, thanks.

----- Original Message -----
From: "Ralph W. Reid" <rreid@sunset.net>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Wednesday, March 28, 2007 9:06 AM
Subject: Re: iptables?

> You might want to try logging some of iptables' activities to
> determine what exactly is being blocked. If the lines you listed are
> in a script, you can insert the following line just before the 'INPUT
> DROP' line to log the incoming packets at that point to see what is
> reaching that point in your iptables rules:
>
> iptables -A INPUT -j LOG --log-prefix " input drop "
>
> The resulting log entries will be in /var/syslog ('grep "input drop"
> /var/syslog' will display the results). You may want to comment out
> or remove this new line from your script when you are done using it,
> and then use the iptables delete option or rerun the script to clear
> the tables--this iptables command may produce a lot of log entries
> very quickly.
>
> HTH, and have a great day.
>
> On Tue, Mar 27, 2007 at 01:16:15PM -0700, Littlefield, Tyler wrote:
> > I'm trying to use apt-get, I'm not sure what I would need to enable to get
> > that.
> > ----- Original Message -----
> > From: "Ralph W. Reid" <rreid@sunset.net>
> > To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
> > Sent: Tuesday, March 27, 2007 11:40 AM
> > Subject: Re: iptables?
> >
> >
> > > You have only allowed tcp protocol on various ports. Could you
> > > perhaps be doing something which involves other protocols such as udp
> > > or icmp?
> > >
> > > On Sun, Mar 25, 2007 at 03:36:43PM -0700, Littlefield, Tyler wrote:
> > > > Hello list,
> > > > I've got the following iptables set.
> > > > iptables -F
> > > > iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT
> > > > iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> > > > iptables -A INPUT -p tcp --sport 110 -j ACCEPT
> > > > iptables -A INPUT -p tcp --sport 3784 -j ACCEPT
> > > > iptables -A INPUT -p tcp --sport 443 -j ACCEPT
> > > > iptables -A INPUT -p tcp --sport 6666:6670 -j ACCEPT
> > > > iptables -A INPUT -p tcp --sport 10000 -j ACCEPT
> > > > iptables -A INPUT -p tcp --sport 20000 -j ACCEPT
> > > > iptables -P INPUT DROP
> > > > iptables -P OUTPUT ACCEPT
> > > > I'm dmzed, and when I run this, it puts everything to filter.
> > > > Any idea what I'm doing wrong?
> > > > Thanks,
> > > > ~~TheCreator~~
> > > > _______________________________________________
> > > > Speakup mailing list
> > > > Speakup@braille.uwo.ca
> > > > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> > >
> > > --
> > > Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
> > > rreid@sunset.net http://personalweb.sunset.net/~rreid
> > > ...passing through The City of Internet at the speed of light...
> > > 1 = x^0
>
> --
> Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
> rreid@sunset.net http://personalweb.sunset.net/~rreid
> ...passing through The City of Internet at the speed of light...
> TAN (x) = SIN (x) / COS (x)
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup