LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-23-2006, 07:24 AM   #1
sarajevo
Confusing iptables rule?


Hi people,
in the iptables manual I found the following line:

Code:
iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Here is how I understand this ...

In the INPUT chain, ACCEPT, DROP ... or whatever else, what comes from source ports 22, 53, 80, 110.
But what do I not understand? When some client initiates, for example, an ssh connection, it wants to connect to port 22 on the destination computer.
Let's say it is client A. Client A uses some port different than 22; it uses some random port (correct me if I am wrong)???
Client A wants to log on to port 22 on some client B.
In this context I do not understand the above rule, and it would be very useful if there is someone who can write some explanation. I have the iptables manual and many Google materials, but I do not understand this.

Thanks in advance to whoever answers me

Regards
 
Old 11-23-2006, 08:02 AM   #2
b0uncer
Let's add an ACCEPT to the end to make it complete, but you can use DROP or DENY instead if you need it that way. And for this rule to make any sense, let's say that the POLICY of the INPUT chain is set to DROP, for instance. Anyway:

Code:
iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT
Let's consider that rule. Since rules that are applied before that rule might affect the result, let's assume it's the only rule in an otherwise empty iptables configuration.

The above rule would add a new rule to the INPUT chain, that is, for incoming traffic. It states that if the traffic's protocol is tcp, we're going to inspect it more -- otherwise the traffic skips this rule.

Now let's say the incoming traffic would be using tcp protocol -- the multiport option (if I'm right, not 110% sure) lets us specify more than one port number to deal with.

If the incoming traffic has been started from one of the mentioned ports (22, 53, 80, 110) then we're doing something for it -- in the above example we're ACCEPTing it, letting it go through. This far we should agree, right?

Let's now consider the example of machines A and B, where client A wants to connect to port 22 on B.

1) The above rule is on A. A sends traffic in this example, so it won't affect the INPUT chain, thus doing nothing (you'd need to use OUTPUT for it).

2) The above rule is on B. A sends traffic to port 22 of B, so the destination port is now 22; the source port, however, is some random port as you wanted.

Traffic comes to B, iptables grabs it in the INPUT chain since it's incoming traffic. It inspects the traffic and sees that it's tcp protocol -- all right, it inspects the rule further: now the source port was something random (in A) as you wanted, so iptables tries to see if it matches the given list (22, 53, 80, 110). If the random port A uses is one of the ports mentioned in the list, then the whole rule matches and is applied, thus the traffic is ACCEPTed. However, if the random port is chosen so that it is not any one of the ports mentioned in the list, the rule does not match and is not applied. If no other rule ACCEPTs the traffic, as in our example (we assumed the POLICY to be DROP, and only this one rule added), the traffic gets DROPped rather than ACCEPTed.

Source port is the port where the traffic is coming from, and the port is in the sending machine. Destination port is where the traffic is going to, and the port is in the receiving machine.

So, to cut it short: the above rule is only applied if the traffic is coming from one of the mentioned ports.
 
Old 11-23-2006, 12:29 PM   #3
sarajevo
Original Poster
Thanks for the answer.
As you wrote, the rule

Code:
iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT

implemented on B will drop packets which originate from ports different than 22,53,80,110. That is clear to me.

But what is the sense of implementing this rule on the destination machine in the INPUT chain, because we cannot push the sender to use some of these ports, and as far as I know they do not use them when starting a connection?
What I want to say: if I use ssh, dns, http, pop-3 from my machine to connect to port 22, fetch dns information, a web page etc., I do not use port 22, 53, 80 from my machine, I use some random port >1024 (please do not hesitate to clear this up if I am wrong). So implementing this rule on the destination machine makes no sense in the INPUT chain, and I cannot understand why it is there in the iptables manual (without -j ACCEPT).

Books, links, manuals are welcome for this discussion.

Thanks
Regards
 
Old 11-23-2006, 07:10 PM   #4
win32sux
Quote:
Originally Posted by sarajevo
Thanks for the answer.
As you wrote, the rule

Code:
iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT

implemented on B will drop packets which originate from ports different than 22,53,80,110. That is clear to me.

But what is the sense of implementing this rule on the destination machine in the INPUT chain, because we cannot push the sender to use some of these ports, and as far as I know they do not use them when starting a connection?
What I want to say: if I use ssh, dns, http, pop-3 from my machine to connect to port 22, fetch dns information, a web page etc., I do not use port 22, 53, 80 from my machine, I use some random port >1024 (please do not hesitate to clear this up if I am wrong). So implementing this rule on the destination machine makes no sense in the INPUT chain, and I cannot understand why it is there in the iptables manual (without -j ACCEPT).

Books, links, manuals are welcome for this discussion.

Thanks
Regards
yes, most of the time connections will be started using random source ports, so using a --source-port rule wouldn't work... but there are *some* cases in which you do know the source port, such as, let's say for example, with DHCP packets... the DHCP daemon listens on port 67, and the requests should (RFC???) come from port 68... so a rule like this would make sense in this case:
Code:
iptables -A INPUT -p UDP --dport 67 --sport 68 -j ACCEPT
with connections like HTTP or SSH it would be very strange to use source ports in an iptables rule unless you are POSITIVE about the source port/range... like, if you are positive that host 192.168.1.23 will and should only connect via SSH to your box using source ports between 12000 and 19500 (cuz maybe that's the way you've configured it to behave), then a rule like this would be fine:
Code:
iptables -A INPUT -p TCP --dport 22 --sport 12000:19500 -j ACCEPT
just my ...

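To make the source-port versus destination-port distinction from b0uncer's and win32sux's replies concrete, here is an added example that is not code from any of the posters: a small Python model of how the INPUT chain evaluates the three rules quoted in this thread against constructed sample packets. The names Packet, Rule, parse_ports and input_chain are my own, and the model deliberately ignores everything real iptables does beyond protocol, port matching and the chain policy.

```python
# Added example, not code from the thread: a minimal model of INPUT chain
# evaluation, limited to protocol, --sport/--dport matching and the policy.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    sport: int  # port on the sending machine (A in the thread)
    dport: int  # port on the receiving machine (B in the thread)

def parse_ports(spec):
    """Expand '22,53,80,110' or '12000:19500' into a frozenset of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)

@dataclass(frozen=True)
class Rule:
    proto: str
    target: str                # -j ACCEPT or -j DROP
    sports: frozenset = None   # --sport / -m multiport --source-port
    dports: frozenset = None   # --dport

    def matches(self, pkt):
        """Every given match must hold; a match that is absent means 'any'."""
        return (pkt.proto == self.proto
                and (self.sports is None or pkt.sport in self.sports)
                and (self.dports is None or pkt.dport in self.dports))

def input_chain(rules, pkt, policy="DROP"):
    """The first matching rule decides the verdict; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# The three rules from the thread, as this model represents them:
# iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT
MULTIPORT_SPORT = Rule("tcp", "ACCEPT", sports=parse_ports("22,53,80,110"))
# iptables -A INPUT -p UDP --dport 67 --sport 68 -j ACCEPT
DHCP_RULE = Rule("udp", "ACCEPT", sports=parse_ports("68"), dports=parse_ports("67"))
# iptables -A INPUT -p TCP --dport 22 --sport 12000:19500 -j ACCEPT
SSH_RANGE = Rule("tcp", "ACCEPT", sports=parse_ports("12000:19500"), dports=parse_ports("22"))

if __name__ == "__main__":
    # An ssh client on A picks a random high source port, so the multiport rule misses it.
    print(input_chain([MULTIPORT_SPORT], Packet("tcp", 51234, 22)))  # DROP
```

Running it shows the point of the thread: an ssh connection from a random source port to dport 22 falls through to the DROP policy under the multiport --source-port rule, while the DHCP and fixed-range rules only accept packets whose source port is actually known in advance.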