LinuxQuestions.org - Linux - Security
Using --dport --sport... When to use one or another (https://www.linuxquestions.org/questions/linux-security-4/using-dport-sport-when-to-use-one-or-another-358478/)

Palula 08-30-2005 10:07 AM

Using --dport --sport... When to use one or another
 
Hello all...

I'm having a bit of trouble understanding the basics of --dport/--sport usage...

Let's take a very practical use for it. For example, I would like to prioritize incoming packets (downloads) over outgoing packets (uploads) using the mangle table (using Bittorrent). I know this is not very polite but sometimes I would like to uncomment the lines. I don't even know if this is usable in Bittorrent. But anyway I would like to know the basic use for dport and sport so I can interact with them in different environments.

Here are the lines I came up with. The thing is that dport & sport in the book I'm reading are used differently... I'll explain how I came to this and you guys tell me if it's right or wrong.

Code:

#Bittorrent - Download
#/sbin/iptables -t mangle -A PREROUTING -p tcp -i $wanic --dport "myport" -j TOS --set-tos 16

On the line above, I want to prioritize incoming packets, so I'm using mangle, specifying that every tcp packet, entering through my wanic destined to the port I specified for bittorrent should have the TOS set to 16, which is the highest possible. :-)

Code:

#Bittorrent - Upload
#/sbin/iptables -t mangle -A OUTPUT -p tcp -o $wanic --sport "myport" -j TOS --set-tos 0

On this one, I want to let outgoing packets at normal priority level, so I'm using mangle specifying that every tcp packet, leaving through my wanic, exiting through the port specified for bittorrent should have the TOS set to 0 (which is normal).

Is this correct?
The main thing is: when should I use sport and when should I use dport?

Matir 08-30-2005 10:29 AM

I'm not sure about setting priorities, but I will answer your dport/sport question.

--dport stands for DESTINATION port. This matches against the target port of the connection.
--sport stands for SOURCE port. This is the port on which the packet originated.

For example, all http connections have DPORT 80 for packets from client->server, and SPORT 80 for server->client.

You need to look at how the bittorrent protocol works to see how connections are established to best limit them.

Also note that setting priorities will not have much (if any) effect in this case: outgoing and incoming packets are scheduled by different ends of the connection. The priority of your downloads will only be changed once it has already reached your computer (which will not do much).

Also note that bittorrent trackers will cut off your download if you do not upload enough (and rightly so).

Palula 08-30-2005 02:25 PM

Ok so the Bittorrent example is not the best. It's practical but not politically correct. So let's do something more useful. For example, I have an SSH server running and would like to make this the highest priority connection on my linuxbox... Ok?

This is what I came up with:
Code:

iptables -t mangle -A PREROUTING -p tcp --sport "MySshPort" -j TOS --set-tos 16

Is this right?
Here is the thinking... I'm using mangle. Everything (protocol tcp) that leaves my server (is originated) using "the port I specified for SSH" will have the TOS set to 16 (which is the highest).

Thanks. :-)
Quote:

Also note that bittorrent trackers will cut off your download if you do not upload enough (and rightly so).

Yep... I know and I agree it's bad. But I still would like to know the use of dport/sport in this type of environment.

Matir 08-30-2005 09:28 PM

You can't affect the priority of inbound connections and packets, only outbound. :)

Palula 09-01-2005 01:40 PM

I still can't understand when to use sport or dport?

Does dport relate uniquely to a computer connecting to my computer? Or can it be used for outbound connections, for example: my server connecting to another computer on a specific "destination" port on that computer?

Matir 09-01-2005 02:28 PM

Dport and sport are strictly source and destination ports. A network connection has a source IP, destination IP, source port, and destination port. Some ports are assigned to well known services (check /etc/services).

Palula 09-02-2005 07:19 AM

But for example if any computer connects to my server, it enters the server through a destination port right? And my server sends information through a source port (the server sends packets through a source port and the client connects to the server through a destination port).

But if my computer is a client connecting to a server, it connects to a computer through a destination port and the other computer, which in this case acts as server, sends information to mine through a source port...

Does this make sense?

Thanks!!! :)

Matir 09-02-2005 11:32 AM

Ok, let's assume an arbitrary connection from a client (1.1.1.1) to a webserver (2.2.2.2). The webserver, of course, runs on port 80. The client will make its connection from some arbitrary port, say 1500.

Packet 1 (SYN):
1.1.1.1:1500 (source) ----> 2.2.2.2:80 (dest)
Packet 2: (SYN/ACK):
2.2.2.2:80 (source) ----> 1.1.1.1:1500 (dest)
Packet 3: (ACK):
1.1.1.1:1500 (source) ----> 2.2.2.2:80 (dest)

So packets FROM client to server have sport 1500 and dport 80. Packets FROM server to client have sport 80 and dport 1500.
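A small added model (example code, not from the thread and not iptables itself) of how --sport and --dport pick out the packets of the exchange above, seen from the server where the rules would be loaded. It also shows why a PREROUTING --sport rule of the shape in the SSH draft never fires on the server, while OUTPUT --sport marks the server's own replies. The chain names, TOS value 16 and the 1.1.1.1:1500 -> 2.2.2.2:80 numbers are taken from the thread; the handshake list is constructed.

```python
# Added example, not from the thread: a small model of how iptables --sport
# and --dport match one TCP exchange, seen from the server (2.2.2.2:80).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    sport: int
    dport: int
    chain: str   # "PREROUTING" = arriving at the box, "OUTPUT" = sent by it

@dataclass(frozen=True)
class Rule:
    chain: str
    sport: int = 0   # --sport; 0 means the match was not given
    dport: int = 0   # --dport; 0 means the match was not given
    tos: int = 0     # -j TOS --set-tos value

def matches(rule: Rule, pkt: Packet) -> bool:
    """All given matches must hold, as for a real iptables rule."""
    return (rule.chain == pkt.chain
            and rule.sport in (0, pkt.sport)
            and rule.dport in (0, pkt.dport))

def apply_rules(rules: list, pkts: list) -> list:
    """TOS each packet ends up with.  The TOS target does not stop rule
    traversal, so the last matching rule wins; 0 means nothing matched."""
    result = []
    for pkt in pkts:
        tos = 0
        for rule in rules:
            if matches(rule, pkt):
                tos = rule.tos
        result.append(tos)
    return result

# Constructed handshake, client 1.1.1.1:1500 -> server 2.2.2.2:80.
HANDSHAKE = [
    Packet(sport=1500, dport=80, chain="PREROUTING"),  # SYN, from client
    Packet(sport=80, dport=1500, chain="OUTPUT"),      # SYN/ACK, from server
    Packet(sport=1500, dport=80, chain="PREROUTING"),  # ACK, from client
]
# PREROUTING --sport <service port> (the draft SSH rule's shape): arriving
# packets carry the service port as their dport, so this never matches.
DRAFT = [Rule("PREROUTING", sport=80, tos=16)]
# OUTPUT --sport <service port>: marks the replies the server itself sends,
# the only direction it controls (the thread's "only outbound" point).
REPLIES = [Rule("OUTPUT", sport=80, tos=16)]
# PREROUTING --dport <service port>: matches the client's inbound packets.
INBOUND = [Rule("PREROUTING", dport=80, tos=16)]
def tos_for(rules: list) -> list:
    return apply_rules(rules, HANDSHAKE)
```

Running tos_for on each rule set gives one TOS value per handshake packet, so you can see which packets a given --sport/--dport choice actually touches.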
