LinuxQuestions.org
Linux - Newbie
06-26-2013, 04:53 AM   #1
linuxcenter (LQ Newbie)
Iptables rules should always start with dport?


For example, to allow outgoing HTTPS:

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
(Why is it dport to sport?)

(Why not sport to dport?)

Can we convert the rule to this?
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT


Last edited by linuxcenter; 07-01-2013 at 02:07 AM.
 
06-26-2013, 05:52 AM   #2
acid_kewpie (Moderator)
You will not start a new connection coming from port 443. What are you actually trying to do, and why do you want to arbitrarily swap two parameters in different lines? Are you aware of what a source or destination port really is?
 
06-26-2013, 06:09 AM   #3
linuxcenter (Original Poster)

To allow internet access you need to allow outgoing connections to TCP ports 80 and 443.

The rule starts as: TO/DESTINATION PORT - FROM/SOURCE PORT, in both OUTPUT and INPUT.
E.g. TO:
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

FROM:
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

(Why is the destination port emphasized first? For outgoing connections it goes from source to destination, but in iptables, to make an outgoing connection, it is always destination port and then source port. The same applies for input/incoming connections.)
 
06-26-2013, 06:20 AM   #4
acid_kewpie (Moderator)
You mean first as in the first command in the list? They are different tables; they do not relate to each other at all. They happen to relate to the same potential set of network connections, but a single TCP packet cannot match on both INPUT and OUTPUT rules.
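The two points made in posts #2 and #4 (a new connection is never started from port 443, and one packet traverses either INPUT or OUTPUT, never both) can be checked with a small model rather than on a live box. The following is an added example, not code from the thread: it models only the parts of iptables the rules above use (chain, --sport/--dport, and -m state via a minimal connection tracker), then runs the posted rules, the proposed swap, and a source-port-only rule without -m state against an outbound HTTPS handshake and against a forged packet that merely claims source port 443. Addresses, ports and the three rule sets are constructed for the illustration; the conntrack logic is a deliberate simplification of the real one.

```python
"""Toy model of iptables INPUT/OUTPUT matching with -m state.

Constructed example for illustration; not code from the thread and not the
real netfilter implementation. Addresses and ephemeral ports are made up.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    chain: str   # "INPUT" (arriving on eth0) or "OUTPUT" (leaving via eth0)
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                          # "ACCEPT" or "DROP"
    sport: Optional[int] = None          # --sport
    dport: Optional[int] = None          # --dport
    states: Optional[FrozenSet[str]] = None   # -m state --state ...; None = absent


class Conntrack:
    """Minimal tracker: a flow is NEW until its first packet has been
    accepted, ESTABLISHED afterwards in either direction."""

    def __init__(self) -> None:
        self.flows: set = set()

    def state(self, p: Packet) -> str:
        fwd: Tuple = (p.src, p.sport, p.dst, p.dport)
        rev: Tuple = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def note(self, p: Packet) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport))


class Firewall:
    def __init__(self, rules: List[Rule], policy: str = "DROP") -> None:
        self.rules, self.policy, self.ct = list(rules), policy, Conntrack()

    def verdict(self, p: Packet) -> str:
        st = self.ct.state(p)
        result = self.policy                      # chain policy if nothing matches
        for r in self.rules:
            if r.chain != p.chain:                # a packet is in exactly one chain
                continue
            if r.sport is not None and r.sport != p.sport:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.states is not None and st not in r.states:
                continue
            result = r.target                     # first match wins
            break
        if result == "ACCEPT":
            self.ct.note(p)                       # only accepted packets confirm a flow
        return result


HOST, SERVER = "10.0.0.5", "203.0.113.10"          # constructed addresses
SYN = Packet("OUTPUT", HOST, 51234, SERVER, 443)    # our request: ephemeral port -> 443
SYNACK = Packet("INPUT", SERVER, 443, HOST, 51234)  # the reply: 443 -> ephemeral port

THREAD_RULES = [  # the rules as posted in the question
    Rule("OUTPUT", "ACCEPT", dport=443, states=frozenset({"NEW", "ESTABLISHED"})),
    Rule("INPUT", "ACCEPT", sport=443, states=frozenset({"ESTABLISHED"})),
]
SWAPPED_RULES = [  # the proposed swap of --sport and --dport
    Rule("OUTPUT", "ACCEPT", sport=443, states=frozenset({"NEW", "ESTABLISHED"})),
    Rule("INPUT", "ACCEPT", dport=443, states=frozenset({"ESTABLISHED"})),
]
STATELESS_RULES = [Rule("INPUT", "ACCEPT", sport=443)]  # the INPUT rule minus -m state


def run(rules: List[Rule], packets: List[Packet]) -> List[str]:
    fw = Firewall(rules)
    return [fw.verdict(p) for p in packets]


def https_outbound(rules: List[Rule]) -> List[str]:
    """Verdicts for the first two packets of an outbound HTTPS connection."""
    return run(rules, [SYN, SYNACK])


def forged_sport_443(rules: List[Rule]) -> List[str]:
    """Verdict for an unsolicited packet to our SSH port claiming source port 443."""
    return run(rules, [Packet("INPUT", "198.51.100.7", 443, HOST, 22)])


if __name__ == "__main__":
    print("posted rules, HTTPS:   ", https_outbound(THREAD_RULES))    # ACCEPT, ACCEPT
    print("swapped rules, HTTPS:  ", https_outbound(SWAPPED_RULES))   # DROP, DROP
    print("posted rules, forged:  ", forged_sport_443(THREAD_RULES))  # DROP
    print("stateless rule, forged:", forged_sport_443(STATELESS_RULES))  # ACCEPT
```

The swapped rules never match because the client end of the connection uses an ephemeral source port, so --sport 443 on OUTPUT and --dport 443 on INPUT compare against the wrong end of the packet. The last case is why the posted INPUT rule keeps -m state --state ESTABLISHED: without it, anyone can reach any local port simply by setting their source port to 443, since the kernel cannot tell a reply from a fresh packet by port numbers alone.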
 
06-26-2013, 06:42 AM   #5
linuxcenter (Original Poster)

The question is simple: for any rule we create for INPUT or OUTPUT,

the rule says to dport (the other PC/website/server) from sport (my PC) for an OUTPUT rule,

whereas in INPUT it is to dport (my PC) from sport (the other PC/website/server).


For both INPUT and OUTPUT
it is always the destination port first.
 
06-26-2013, 08:29 AM   #6
acid_kewpie (Moderator)
Yes, I think it's an easy question, but it's not written in good English, and I've already answered it twice and you appear to just be repeating yourself. You don't appear to understand the function of the INPUT and OUTPUT tables and how they relate to TCP connections. Some background reading in this area would benefit you, unless you can ask a specific question about it.