Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm having trouble opening up a range of ports. I am trying to permit ports 6000:6050 to be open to LAN addresses (any - not just tcp)
Code:
iptables -A INPUT -s 192.168.1.1/24 -p all --dport 6000:6050
iptables v1.4.21: unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
changing all to tcp results in a successful command, but I want it to be available via any protocol.
I know it's correct per the man page:
Code:
The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or the special keyword "all"
Edit: This might actually be more relevant in Linux - Networking. I'm unable to move the thread though.
Well, if you really want to move it, the thing to do is report the thread and the mods will move it for you. It is probably not the worst case of a mis-located thread that I've seen, so maybe it is not worth the bother.
Quote:
Originally Posted by Miati
I'm having trouble opening up a range of ports. I am trying to permit ports 6000:6050 to be open to LAN addresses (any - not just tcp)
Code:
iptables -A INPUT -s 192.168.1.1/24 -p all --dport 6000:6050
iptables v1.4.21: unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
changing all to tcp results in a successful command, but I want it to be available via any protocol.
I know it's correct per the man page:
Code:
The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or the special keyword "all"
You don't know that it is correct as per the man page.
Firstly, notice that what it is objecting to is the option '--dport'. It may not be the most helpful error message, but it didn't say that 'all' was the problem, but 'dport'. Now, have a look at that list of protocols. I don't think that a dport specified like that (i.e., with that syntax) could be valid for a 'v6' protocol, so I can't see how '--dport' could be valid with 'all' (because ports would be specified in a different way for some protocols than others).
Do you really need all of those protocols? I could see you needing, say, tcp, udp and maybe one other, but all of them seems a bit excessive. You might want to say why you think all are required.
In any case, you can always do what you want one protocol at a time (but, I'd still be a bit surprised if you needed more than two or three).
Quote:
Originally Posted by Miati
I'm having trouble opening up a range of ports. I am trying to permit ports 6000:6050 to be open to LAN addresses (any - not just tcp)
Just being nitpicky, but you're not really. Iptables either does or does not allow packets through; this isn't quite the same as opening a port. If there is nothing listening, the packet will still drop in the bit bucket (get thrown away) and the port won't, in any real sense, be open.
Oh, and this. The man page is one of the better man pages, but you want something better explained.
In most cases, nothing will be listening. However, I often like to use nc to move files around the network (I know I can use scp, etc., but sometimes I need a straight connection) or use other programs. I want to be able to connect to these services and not have to constantly adjust which packets are allowed through specific to the program/protocol (hence my desire for all).
Right now, I want to be able to use netcat on these ports, to be able to start a listening server.
But I am unable to connect from outside the computer (connections from localhost work but 192.168.1.* doesn't).
I don't think I understand --dport/sport very well, and the man page doesn't mention it.
Hopefully I'm using it in the correct context. I'm new to iptables and trying to learn it.
Thanks for the link, but it gives me an "Error establishing a database connection".
Well, it works fine for me, but it does redirect to to get there, so maybe the redirection is the problem. In any case, in plain text the link is here:
This is as good a document as I've seen on iptables, but it isn't short (given that it covers networking first, that's probably inevitable). You can either read through from one end to the other, having noted my warning that it isn't short!, or just dip in as a reference manual to a particular section that is of interest.
Anyway, good to hear that you are making progress.
Yes this one worked fine.
Thank you for the link - it is quite comprehensive (~500 pages)
It actually answered some lingering questions I've had too about firewalls (e.g. if INPUT is drop all, how does anything get sent to you when you browse the internet? A: It's an ESTABLISHED or RELATED connection).
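As an added example (not code from the thread or from the iptables project), here is the "one protocol at a time" form of the rule suggested above, together with the ESTABLISHED,RELATED rule that answers the INPUT-DROP question in the last post. It assumes the LAN is 192.168.1.0/24 (the /24 that the original command's 192.168.1.1/24 resolves to), IPv4 iptables with the conntrack match, and a DRY_RUN variable (an assumption of this script) that prints the rules instead of applying them so the set can be reviewed without root.

```shell
#!/bin/sh
# Assumed values: adjust LAN_NET and PORT_RANGE for your own network.
LAN_NET="192.168.1.0/24"
PORT_RANGE="6000:6050"

# run_ipt: with DRY_RUN=1 print the iptables command instead of executing it,
# so the resulting rule set can be inspected (or tested) as an unprivileged user.
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# add_rule: append a rule only if an identical one is not already present
# (iptables -C checks for an existing rule), so re-running the script
# does not pile up duplicate rules.
add_rule() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -C "$@" 2>/dev/null; then
        run_ipt -A "$@"
    fi
}

lan_port_range_rules() {
    # Replies to connections this host opened itself (web browsing with an
    # INPUT DROP policy) are accepted by connection-tracking state, not by port.
    add_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # --dport only exists for protocols that carry port numbers, which is why
    # '-p all --dport' is rejected: write one rule per port-bearing protocol.
    for proto in tcp udp; do
        add_rule INPUT -s "$LAN_NET" -p "$proto" --dport "$PORT_RANGE" -j ACCEPT
    done
}
```

Run it as root without DRY_RUN to apply the rules, and `iptables -L INPUT -n -v --line-numbers` afterwards to confirm the ESTABLISHED,RELATED rule sits before the per-protocol ones.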