LinuxQuestions.org

Linux - Newbie: Iptables : --dport vs. --sport (https://www.linuxquestions.org/questions/linux-newbie-8/iptables-dport-vs-sport-724193/)

jonaskellens 05-06-2009 01:25 PM

Iptables : --dport vs. --sport
 
If I just want to allow incoming traffic on port 4569 and also outgoing traffic on port 4569, on my interface eth1, is this rule then well written :

Code:

-A INPUT ! -i eth1 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --sport 4569 -j ACCEPT

I don't know whether I need to use --sport or --dport ???

I think I still need to define a destination port for incoming traffic on port 4569, but how do I do that ?
Do I define an extra rule (--dport) or can I do it in the existing one ?

anomie 05-06-2009 01:32 PM

Quote:

Originally Posted by jonaskellens
If I just want to allow incoming traffic on port 4569 and also outgoing traffic on port 4569...

So if a remote host establishes a tcp connection with port 4569 on your server, you want to allow that conversation to continue, correct?

If "yes", then you just need to allow stateful traffic.

Basic ruleset script example:
Code:

#!/bin/bash

cmd='/sbin/iptables'

# standard stuff - loopback and stateful
${cmd} -A INPUT -i lo -j ACCEPT
${cmd} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log / allow in foo (on tcp 4569)
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 4569 -j LOG
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 4569 -j ACCEPT

# allow pings in
${cmd} -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# default deny!
${cmd} -A INPUT -j DROP


jonaskellens 05-06-2009 03:02 PM

There is UDP-traffic on port 4569 (IAX).

Indeed if a remote client sends an invite on this port, I want the UDP-traffic on this port to continue...

It's very simple : a connection on port 4569 from the internet is allowed.

anomie 05-06-2009 05:20 PM

The same solution applies. As you probably know, udp isn't really "stateful", but the bolded rule I noted above will track the connection anyway.

jonaskellens 05-07-2009 02:59 PM

Do I need the part "-m state --state NEW" ?
Someone called me with his IAX-softphone (and thus on port 4569 of my Asterisk-server) and everything went well.
So for the moment, with my rule (as posted above) I have no problems at all...

anomie 05-07-2009 04:37 PM

Quote:

Originally Posted by jonaskellens
Do I need the part "-m state --state NEW" ?
Someone called me with his IAX-softphone (and thus on port 4569 of my Asterisk-server) and everything went well.
So for the moment, with my rule (as posted above) I have no problems at all...

It would be a good idea. It helps to ensure that only packets with SYN set match the rule. (Well, in reality it's not quite that simple.) And then the established/related rule will let the conversation continue.

Without requiring that only new packets match, there is a risk of someone sending weird packets to match it -- i.e. with weird bits set that don't really make sense -- to try to run an exploit.
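To make the --sport / --dport distinction and the role of the stateful rule concrete, here is a small Python model of the INPUT chain with connection tracking. It is an added illustration, not code from any poster or from netfilter; the interface eth1 and UDP port 4569 come from the thread, while the addresses, the stray packet and the "call the server placed" are constructed, and the RELATED state and the posted `! -i eth1` rule are not modelled.

```python
# Toy model of the INPUT chain with connection tracking, built for this thread (not netfilter
# code): --sport matches a port the sender picks, --dport names the local service, and the
# RELATED,ESTABLISHED rule admits UDP replies to flows conntrack has already seen.
from collections import namedtuple

Packet = namedtuple("Packet", "iface proto src sport dst dport")

def rule(target, iface=None, proto=None, sport=None, dport=None, state=()):
    """One INPUT rule; None means that match option was not given."""
    return dict(target=target, iface=iface, proto=proto, sport=sport, dport=dport, state=state)

class Firewall:
    def __init__(self, rules):
        self.rules, self.flows = rules, set()   # flows: 5-tuples conntrack has confirmed

    def send(self, p):
        """Locally generated packet (OUTPUT left open); conntrack records the flow."""
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def input(self, p):
        """Walk INPUT top to bottom, first match wins, policy DROP; returns the verdict."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        state = "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"
        for r in self.rules:
            if r["iface"] is not None and r["iface"] != p.iface: continue
            if r["proto"] is not None and r["proto"] != p.proto: continue
            if r["sport"] is not None and r["sport"] != p.sport: continue
            if r["dport"] is not None and r["dport"] != p.dport: continue
            if r["state"] and state not in r["state"]: continue
            if r["target"] == "ACCEPT":
                self.flows.add(fwd)             # an accepted packet confirms the flow
            return r["target"]
        return "DROP"

# The rule as posted (--sport 4569) versus the --dport form behind a stateful rule.
AS_POSTED = [rule("ACCEPT", iface="eth1", proto="udp", sport=4569)]
STATEFUL = [rule("ACCEPT", state=("RELATED", "ESTABLISHED")),
            rule("ACCEPT", iface="eth1", proto="udp", dport=4569, state=("NEW",))]

def verdicts(rules):
    """Constructed traffic: the server is 192.0.2.1 on eth1, peers sit in 203.0.113.0/24."""
    fw = Firewall(rules)
    invite = Packet("eth1", "udp", "203.0.113.5", 40000, "192.0.2.1", 4569)  # inbound call, ephemeral sport
    stray = Packet("eth1", "udp", "203.0.113.9", 4569, "192.0.2.1", 22)      # unsolicited; sender chose sport 4569
    fw.send(Packet("eth1", "udp", "192.0.2.1", 4569, "203.0.113.7", 4569))   # a call the server placed
    answer = Packet("eth1", "udp", "203.0.113.7", 4569, "192.0.2.1", 4569)   # the peer's reply to it
    return {"invite": fw.input(invite), "stray": fw.input(stray), "answer": fw.input(answer)}
```

Calling `verdicts(AS_POSTED)` and `verdicts(STATEFUL)` shows the difference: the --sport rule drops a legitimate invite from an ephemeral source port yet accepts any unsolicited packet whose sender chose source port 4569, while the --dport form accepts the invite, drops the stray packet, and still lets the tracked reply through.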

