public inbox for speakup@linux-speakup.org
* iptables?
From: Littlefield, Tyler @  UTC (permalink / raw)
  To: Speakup

Hello list,
I've got the following iptables set.
iptables -F
iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 110 -j ACCEPT
iptables -A INPUT -p tcp --sport 3784 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 6666:6670 -j ACCEPT
iptables -A INPUT -p tcp --sport 10000 -j ACCEPT
iptables -A INPUT -p tcp --sport 20000 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
I'm dmzed, and when I run this, it puts everything to filter.
Any idea what I'm doing wrong?
Thanks,
~~TheCreator~~


* Re: iptables?
From: Gregory Nowak @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

I think I see the problem.

Basically, you want to use --dport, instead of --sport. For example,
the way you have it now:

iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT

means that you'd be accepting connections with source ports 20:22. If
I understand tcp/ip correctly, that could never happen with those
ports, I think they're used only for responding to already initiated
connections. So, if what you want to do is to allow connections on
ports 20:22 in this example into your box, use --dport.

Greg



On Sun, Mar 25, 2007 at 03:36:43PM -0700, Littlefield, Tyler wrote:
> Hello list,
> I've got the following iptables set.
> iptables -F
> iptables -A INPUT -p tcp --sport 20:22 -j ACCEPT
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> iptables -A INPUT -p tcp --sport 110 -j ACCEPT
> iptables -A INPUT -p tcp --sport 3784 -j ACCEPT
> iptables -A INPUT -p tcp --sport 443 -j ACCEPT
> iptables -A INPUT -p tcp --sport 6666:6670 -j ACCEPT
> iptables -A INPUT -p tcp --sport 10000 -j ACCEPT
> iptables -A INPUT -p tcp --sport 20000 -j ACCEPT
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> I'm dmzed, and when I run this, it puts everything to filter.
> Any idea what I'm doing wrong?
> Thanks,
> ~~TheCreator~~
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

- -- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
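Added example, not code from the thread or from any of its posters: the ruleset rewritten as Greg suggests, matching on --dport, with a connection-tracking rule for the reply traffic the --sport rules seem to have been aimed at, and a small lint that flags INPUT ACCEPT rules keyed on source port alone. The DRY_RUN variable and the ipt, build_ruleset and find_sport_accepts names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): the poster's ruleset rewritten to match
# on --dport, plus a connection-tracking rule so replies to the box's own
# outbound connections (the case the --sport rules were presumably meant to
# cover) are still accepted. DRY_RUN=1 (the default here) prints the commands
# instead of running them, so the script can be read and tested without root.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Service ports from the original post, now used as destination ports.
SERVICE_PORTS="20:22 80 110 3784 443 6666:6670 10000 20000"

build_ruleset() {
    ipt -F
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated (apt-get, DNS, ...).
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $SERVICE_PORTS; do
        ipt -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
}

# Lint: read a rule script on stdin and report INPUT ACCEPT rules that match
# on --sport only. A remote host picks its own source port, so such a rule
# does not limit who may connect; it only looks as if it does.
find_sport_accepts() {
    grep -E -- '-A INPUT .*--sport .*-j ACCEPT' | grep -v -- '--dport'
}

build_ruleset
```

Run with DRY_RUN=0 as root to apply the rules; pipe the original script through find_sport_accepts to list the lines that need changing.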



* RE: iptables?
From: Anthony Creapeau @  UTC (permalink / raw)
  To: 'Speakup is a screen review system for Linux.'

TCP Ports 20, 21 and 20 are FTP, SFTP and SSH ports respectively. These
ports are outgoing communications used by the respective protocol (i.e. FTP,
SFTP and SSH), and the responding or incoming communications usually are
negotiated to use ports above 1024. Hope this makes sense.

-----Original Message-----
From: speakup-bounces@braille.uwo.ca [mailto:speakup-bounces@braille.uwo.ca]
On Behalf Of Gregory Nowak
Sent: Sunday, March 25, 2007 6:39 PM
To: Speakup is a screen review system for Linux.
Subject: Re: iptables?





* Re: iptables?
From: Gregory Nowak @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

On Mon, Mar 26, 2007 at 12:56:31AM -0500, Anthony Creapeau wrote:
> TCP Ports 20, 21 and 20 are FTP, SFTP and SSH ports respectively. 

Actually, both tcp 20 and 21 are used for ftp, tcp 20 being ftp data I
believe, (for the cases when passive ftp isn't being used), and 21
being for ftp. 22 is used for ssh, and sftp is a subsystem of that.

Greg





* Re: iptables?
From: Ralph W. Reid @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

You have only allowed tcp protocol on various ports.  Could you
perhaps be doing something which involves other protocols such as udp
or icmp?

On Sun, Mar 25, 2007 at 03:36:43PM -0700, Littlefield, Tyler wrote:

-- 
Ralph.  N6BNO.  Wisdom comes from central processing, not from I/O.
rreid@sunset.net  http://personalweb.sunset.net/~rreid
...passing through The City of Internet at the speed of light...
1 = x^0



* Re: iptables?
From: Littlefield, Tyler @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

I'm trying to use apt-get; I'm not sure what I would need to enable to get
that.
----- Original Message ----- 
From: "Ralph W. Reid" <rreid@sunset.net>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Tuesday, March 27, 2007 11:40 AM
Subject: Re: iptables?






* Re: iptables?
From: Ralph W. Reid @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

You might want to try logging some of iptables' activities to
determine what exactly is being blocked.  If the lines you listed are
in a script, you can insert the following line just before the 'INPUT
DROP' line to log the incoming packets at that point to see what is
reaching that point in your iptables rules:

iptables -A INPUT -j LOG --log-prefix " input drop "

The resulting log entries will be in /var/syslog ('grep "input drop"
/var/syslog' will display the results).  You may want to comment out
or remove this new line from your script when you are done using it,
and then use the iptables delete option or rerun the script to clear
the tables--this iptables command may produce a lot of log entries
very quickly.

HTH, and have a great day.

On Tue, Mar 27, 2007 at 01:16:15PM -0700, Littlefield, Tyler wrote:

-- 
Ralph.  N6BNO.  Wisdom comes from central processing, not from I/O.
rreid@sunset.net  http://personalweb.sunset.net/~rreid
...passing through The City of Internet at the speed of light...
TAN (x) = SIN (x) / COS (x)
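Added example, not Ralph's code: his LOG rule with a rate limit added, and a classifier for the resulting kernel log lines that separates blocked inbound requests from blocked replies to the box's own outbound connections (the low-source-port, high-destination-port pattern Anthony described). The sample log lines are constructed; the rate-limit values, the PREFIX variable and the classify_drops name are this example's assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Ralph's LOG rule with a rate limit, so a
# burst of blocked packets cannot flood syslog (his "lot of log entries very
# quickly" caveat):
#   iptables -A INPUT -m limit --limit 10/min --limit-burst 20 \
#            -j LOG --log-prefix "input drop "
# Each logged packet becomes one kernel log line of KEY=VALUE fields.
# classify_drops reads such lines on stdin and tallies them into the cases
# that matter for this thread: inbound requests to a service port, replies
# to the box's own outbound connections (low source port, high destination
# port), and ICMP, which has no ports at all.
PREFIX="${PREFIX:-input drop}"

classify_drops() {
    grep -F -- "$PREFIX" | awk '
    {
        proto = "?"; spt = -1; dpt = -1
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue   # skip flags like SYN, ACK
            if (kv[1] == "PROTO")    proto = kv[2]
            else if (kv[1] == "SPT") spt = kv[2] + 0
            else if (kv[1] == "DPT") dpt = kv[2] + 0
        }
        if (proto == "ICMP")
            key = "ICMP (no port; needs an icmp rule if wanted)"
        else if (spt >= 0 && spt < 1024 && dpt >= 1024)
            key = proto " reply from port " spt " (needs ESTABLISHED,RELATED rule)"
        else
            key = proto " request to port " dpt
        count[key]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }' | sort -rn
}

# Constructed sample log lines in the kernel LOG format (not real traffic).
SAMPLE_LOG='Mar 28 09:10:01 dmzbox kernel: input drop IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.7 LEN=84 PROTO=UDP SPT=53 DPT=40123 LEN=64
Mar 28 09:10:01 dmzbox kernel: input drop IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.7 LEN=84 PROTO=UDP SPT=53 DPT=40124 LEN=64
Mar 28 09:10:02 dmzbox kernel: input drop IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.7 LEN=60 PROTO=TCP SPT=80 DPT=51000 WINDOW=5840 RES=0x00 ACK SYN
Mar 28 09:10:03 dmzbox kernel: input drop IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar 28 09:10:04 dmzbox kernel: input drop IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.7 LEN=60 PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 RES=0x00 SYN
Mar 28 09:10:05 dmzbox kernel: eth0: link is up'

printf '%s\n' "$SAMPLE_LOG" | classify_drops
```

On a live box, feed the real log instead: grep "input drop" /var/log/syslog | classify_drops (the file name depends on the syslog configuration).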



* Re: iptables?
From: Littlefield, Tyler @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

Will do, thanks.
----- Original Message ----- 
From: "Ralph W. Reid" <rreid@sunset.net>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Wednesday, March 28, 2007 9:06 AM
Subject: Re: iptables?





