LinuxQuestions.org
Old 01-28-2015, 05:39 PM   #1
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

iptables open range of ports


I'm having trouble opening up a range of ports. I am trying to permit ports 6000:6050 to be open to LAN addresses (any - not just tcp)

Code:
iptables -A INPUT -s 192.168.1.1/24 -p all --dport 6000:6050
iptables v1.4.21: unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
changing all to tcp results in a successful command, but I want it to be available via any protocol.

I know it's correct per the man page:

Code:
The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or the special keyword "all"
Edit: This might actually be more relevant in Linux - Networking. I'm unable to move the thread though.

Last edited by Miati; 01-28-2015 at 07:48 PM.
 
Old 01-28-2015, 06:29 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Quote:
Originally Posted by Miati
Edit: This might actually be more relevant in Linux - Networking. I'm unable to move the thread though.
Well, if you really want to move it, the thing to do is report the thread and the mods will move it for you. It is probably not the worst case of a mis-located thread that I've seen, so maybe it is not worth the bother.

Quote:
Originally Posted by Miati
I'm having trouble opening up a range of ports. I am trying to permit ports 6000:6050 to be open to LAN addresses (any - not just tcp)

Code:
iptables -A INPUT -s 192.168.1.1/24 -p all --dport 6000:6050
iptables v1.4.21: unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
changing all to tcp results in a successful command, but I want it to be available via any protocol.

I know it's correct per the man page:

Code:
The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or the special keyword "all"
You don't know that it is correct as per the man page.

Firstly, notice that what it is objecting to is the option '--dport'. It may not be the most helpful error message, but it didn't say that 'all' was the problem, but 'dport'. Now, have a look at that list of protocols. I don't think that a dport specified like that (ie, with that syntax) could be valid for a 'v6' protocol, so I can't see how '--dport' could be valid with 'all' (because ports would be specified in a different way for some protocols than others).

Do you really need all of those protocols? I could see you needing, say, tcp, udp and maybe one other, but all of them seems a bit excessive. You might want to say why you think all are required.

In any case, you can always do what you want one protocol at a time (but, I'd still be a bit surprised if you needed more than two or three).

Quote:
Originally Posted by Miati
I'm having trouble opening up a range of ports. I am trying to permit ports 6000:6050 to be open to LAN addresses (any - not just tcp)
Just being nitpicky, but you're not really. Iptables either does or does not allow packets through, this isn't quite the same as opening a port. If there is nothing listening, the packet will still drop in the bit bucket (get thrown away) and the port won't, in any real sense, be open.

Oh, and this. The man page is one of the better man pages, but you want something better explained.
 
Old 01-28-2015, 07:31 PM   #3
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Original Poster
Quote:
Originally Posted by salasi
Do you really need all of those protocols? I could see you needing, say, tcp, udp and maybe one other, but all of them seems a bit excessive. You might want to say why you think all are required.
In any case, you can always do what you want one protocol at a time (but, I'd still be a bit surprised if you needed more than two or three).

Just being nitpicky, but you're not really. Iptables either does or does not allow packets through, this isn't quite the same as opening a port. If there is nothing listening, the packet will still drop in the bit bucket (get thrown away) and the port won't, in any real sense, be open.

Oh, and this. The man page is one of the better man pages, but you want something better explained.
In most cases, nothing will be listening. However, I often like to use nc to move files around the network (I know I can use scp, etc but sometimes I need a straight connection) or use other programs. I want to be able to connect to these services & not have to constantly adjust which packets are allowed through specific to the program/protocol (hence my desire for all).
Right now, I want to be able to use netcat on these ports, to be able to start a listening server.

I added these two rules:
Code:
iptables -A INPUT -s 192.168.1.1/24 -p tcp --dport 6000:6050 --sport 6000:6050 -j ACCEPT
iptables -A INPUT -s 192.168.1.1/24 -p udp --dport 6000:6050 --sport 6000:6050 -j ACCEPT
But I am unable to connect from outside the computer (connections from localhost work but 192.168.1.* doesn't)
I don't think I understand --dport/sport very well, & the man page doesn't mention it.
Hopefully I'm using it in the correct context. I'm new to iptables & trying to learn it.

Thanks for the link, but it gives me a "Error establishing a database connection"

Last edited by Miati; 01-28-2015 at 07:48 PM.
 
Old 01-28-2015, 07:53 PM   #4
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Original Poster
Ok, so this worked & I understand --dport and --sport a little better.

Code:
iptables -A INPUT -s 192.168.1.1/24 -p udp --dport 6000:6050 -j ACCEPT
iptables -A INPUT -s 192.168.1.1/24 -p tcp --dport 6000:6050 -j ACCEPT
Basically, if it comes from either a tcp or udp protocol from the address in the range of 192.168.1.1/24 between ports 6000-6050, accept it.

edit:
I found a good guide to packet filtering in iptables that might benefit anyone else that comes across this
http://www.netfilter.org/documentati...entation-howto

Last edited by Miati; 01-28-2015 at 09:41 PM.
 
Old 01-28-2015, 08:10 PM   #5
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

IIRC --dport is only valid with UDP and TCP protocols. Specifying other protocols (or "all" for that matter) throws an error.

jlinkels
 
Old 01-29-2015, 05:25 AM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Quote:
Originally Posted by Miati

Thanks for the link, but it gives me a "Error establishing a database connection"
Well, it works fine for me, but it does redirect to to get there, so maybe the redirection is the problem. In any case, in plain text the link is here:

https://www.frozentux.net/documents/iptables-tutorial/

This is as good a document as I've seen on iptables, but it isn't short (given that it covers networking first, that's probably inevitable). You can either read through from one end to the other, having noted my warning that it isn't short!, or just dip in as a reference manual to a particular section that is of interest.

Anyway, good to hear that you are making progress.
 
Old 01-29-2015, 06:04 PM   #7
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Original Poster
Quote:
Originally Posted by salasi
Well, it works fine for me, but it does redirect to to get there, so maybe the redirection is the problem. In any case, in plain text the link is here:

https://www.frozentux.net/documents/iptables-tutorial/

This is as good a document as I've seen on iptables, but it isn't short (given that it covers networking first, that's probably inevitable). You can either read through from one end to the other, having noted my warning that it isn't short!, or just dip in as a reference manual to a particular section that is of interest.

Anyway, good to hear that you are making progress.
Yes this one worked fine.

Thank you for the link - it is quite comprehensive (~500 pages)
It actually answered some lingering questions I've had too about firewalls (e.g. If INPUT is drop all, how does anything get sent to you when you browse the internet? A: It's an ESTABLISHED or RELATED connection)
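As an added example that is not part of the thread (not Miati's, salasi's or jlinkels' code), the script below generates the ruleset post #4 arrived at together with the ESTABLISHED,RELATED rule post #7 asks about. It assumes iptables 1.4.x with the conntrack match; the LAN prefix 192.168.1.0/24 (iptables itself normalises the 192.168.1.1/24 written in the posts to that), the chain name lanports and the helper names are assumptions made for illustration. The protocol list in proto_has_ports reflects which -p values load a match module that understands --dport (tcp, udp, udplite, sctp, dccp); -p all loads none, which is the 'unknown option "--dport"' error from post #1. The --sport restriction from post #3 is left out on purpose: a client's source port is an ephemeral one chosen by its own kernel, not one in 6000:6050, so that match dropped every LAN client while the localhost test passed.

```shell
#!/bin/sh
# Added example, not code from the LinuxQuestions thread. Assumes iptables 1.4.x
# with the conntrack match; the LAN prefix and the chain name "lanports" are
# illustrative assumptions.
set -eu

# proto_has_ports PROTO
# Returns 0 when "-p PROTO" loads an iptables match module that understands
# --dport/--sport (tcp, udp, udplite, sctp, dccp). "-p all", icmp, esp, ah and
# the rest load no such module, which is why "-p all --dport" fails with
# 'unknown option "--dport"'.
proto_has_ports() {
    case "$1" in
        tcp|udp|udplite|sctp|dccp) return 0 ;;
        *) return 1 ;;
    esac
}

# emit_rules LAN_CIDR FIRST_PORT LAST_PORT PROTO...
# Writes the iptables commands to stdout so they can be reviewed first and
# then piped into sh as root. Returns 1 on a bad port range or on a protocol
# that has no port match, instead of producing a rule iptables would reject.
emit_rules() {
    lan=$1; first=$2; last=$3; shift 3
    if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
        echo "bad port range $first:$last" >&2
        return 1
    fi
    for proto in "$@"; do
        if ! proto_has_ports "$proto"; then
            echo "-p $proto has no --dport match; list tcp and/or udp instead" >&2
            return 1
        fi
    done

    echo "# loopback and replies to connections this host opened (post #7):"
    echo "# without these a DROP policy would also stop ordinary web browsing"
    echo "iptables -C INPUT -i lo -j ACCEPT 2>/dev/null || iptables -I INPUT 1 -i lo -j ACCEPT"
    echo "iptables -C INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "# a dedicated chain keeps re-runs from appending duplicate INPUT rules"
    echo "iptables -N lanports 2>/dev/null || iptables -F lanports"
    for proto in "$@"; do
        # One rule per protocol: --dport belongs to the tcp/udp match, so it
        # cannot be written once for "-p all". No --sport here: clients use
        # ephemeral source ports, so "--sport $first:$last" (post #3) would
        # drop every LAN client.
        echo "iptables -A lanports -p $proto --dport $first:$last -j ACCEPT"
    done
    echo "iptables -C INPUT -s $lan -j lanports 2>/dev/null || iptables -A INPUT -s $lan -j lanports"
    echo "# policy last, after the accept rules; if you administer this host over"
    echo "# ssh, add an accept rule for it before applying this line"
    echo "iptables -P INPUT DROP"
}

# Print the ruleset for the thread's case. Review it, then as root: sh rules.sh | sh
emit_rules "${LAN:-192.168.1.0/24}" 6000 6050 tcp udp
```

The generator prints rather than applies so the rules can be read before they touch a live firewall; iptables -C (available since 1.4.11, so within the thread's 1.4.21) makes the script safe to run repeatedly without piling up identical rules.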