LinuxQuestions.org
09-14-2005, 09:55 AM   #1
slzckboy
Distribution: slack 10.2 kde 3.4.2 kernel 2.6.15
dynamic iptables rules


Excuse my ignorance.

I'm interested in only allowing a connection to my ident service (auth) if I have recently connected to the site that is making the request.

Is there a way I can achieve this with iptables without just leaving the port open to responses from anywhere or statically assigning the source IP?

Thanks

rj
 
09-14-2005, 12:59 PM   #2
rjkfsm
Distribution: Debian, Gentoo, Knoppix & DSL
Use the '-m state ESTABLISHED,RELATED' condition on that port.

If that doesn't suit your needs, check out recent matches at:
http://iptables-tutorial.frozentux.n...cent-match.txt


RK

Last edited by rjkfsm; 09-14-2005 at 01:22 PM.
 
09-14-2005, 01:43 PM   #3
slzckboy (Original Poster)
Many thanks.
 
09-15-2005, 10:38 AM   #4
slzckboy (Original Poster)
-m state ESTABLISHED,RELATED doesn't suit my needs.

One thing, re the link:

Code:
iptables -A http-recent-final1 -p tcp -m recent --name httplist \
--tcp-flags SYN,ACK,FIN FIN,ACK --close -j ACCEPT
I can find no information on the "--close" switch in the man pages, Google, etc.

Can anyone explain?

Thanks

slzckboy
 
10-18-2005, 01:28 PM   #5
slzckboy (Original Poster)
This seems to work, in that the IRC server now advises that it got an ident response.

Code:
# recent-irc-connection chain: create it before any rule jumps to it,
# otherwise iptables refuses the -j with "No chain/target/match by that name".
$IPTABLES -N recent-irc-connection

# Outbound IRC: --set --rdest records the destination (the IRC server) in list "irclist".
$IPTABLES -A recent-irc-connection -s $NTL_IP -m recent --name irclist --set --rdest -j ACCEPT

# Inbound ident: accept only if the source address is already in "irclist".
# No --seconds here, so an entry stays valid until it ages out of the list.
$IPTABLES -A recent-irc-connection -s 0/0 -m recent --name irclist --rcheck -j ACCEPT

# Hook the chain into OUTPUT (our IRC connects) and INPUT (ident requests).
$IPTABLES -A OUTPUT -p tcp -s $NTL_IP -m tcp --dport 6667 -j recent-irc-connection
$IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j recent-irc-connection
All times are GMT -5. The time now is 11:12 PM.