LinuxQuestions.org
Old 08-30-2005, 11:07 AM   #1
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Rep: Reputation: 15
Using --dport --sport... When to use one or another


Hello all...

I'm having a bit of trouble understanding the basics of --dport/--sport usability...

Let's take a very practical use for it. For example, I would like to prioritize incoming packets (downloads) over outgoing packets (uploads) using the mangle table (using Bittorrent). I know this is not very polite but sometimes I would like to uncomment the lines. I don't even know if this is usable in Bittorrent. But anyway I would like to know the basic use for dport and sport so I can interact with them in different environments.

Here are the lines I came up with. The thing is that dport & sport are used differently in the book I'm reading... I'll explain how I came to this and you guys tell me if it's right or wrong.

Code:
#Bittorrent - Download
#/sbin/iptables -t mangle -A PREROUTING -p tcp -i $wanic --dport "myport" -j TOS --set-tos 16
On the line above, I want to prioritize incoming packets, so I'm using mangle, specifying that every tcp packet entering through my wanic destined to the port I specified for bittorrent should have the TOS set to 16, which is the highest possible. :-)

Code:
#Bittorrent - Upload
#/sbin/iptables -t mangle -A OUTPUT -p tcp -o $wanic --sport "myport" -j TOS --set-tos 0
On this one, I want to leave outgoing packets at normal priority level, so I'm using mangle, specifying that every tcp packet leaving through my wanic, exiting through the port specified for bittorrent, should have the TOS set to 0 (which is normal).

Is this correct?
The main thing is: when should I use sport and when should I use dport?
 
Old 08-30-2005, 11:29 AM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
I'm not sure about setting priorities, but I will answer your dport/sport question.

--dport stands for DESTINATION port. This matches against the target port of the connection.
--sport stands for SOURCE port. This is the port on which the packet originated.

For example, all http connections have DPORT 80 for packets from client->server, and SPORT 80 for server->client.

You need to look at how the bittorrent protocol works to see how connections are established to best limit them.

Also note that setting priorities will not have much (if any) effect in this case: outgoing and incoming packets are scheduled by different ends of the connection. The priority of your downloads will only be changed once it has already reached your computer (which will not do much).

Also note that bittorrent trackers will cut off your download if you do not upload enough (and rightly so).
 
Old 08-30-2005, 03:25 PM   #3
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
Ok so the Bittorrent example is not the best. It's practical but not politically correct. So let's do something more useful. For example: I have an SSH server running and would like to make this the highest priority connection on my linuxbox... Ok?

This is what I came up with:
Code:
iptables -t mangle -A PREROUTING -p tcp --sport "MySshPort" -j TOS --set-tos 16
Is this right?
Here is the thinking... I'm using mangle. Everything (protocol tcp) that leaves my server (is originated) using "the port I specified for SSH" will have the TOS set to 16 (which is the highest).

Thanks. :-)
Quote:
Also note that bittorrent trackers will cut off your download if you do not upload enough (and rightly so).
Yep... I know and I agree it's bad. But I still would like to know the use of dport/sport in this type of environment.
 
Old 08-30-2005, 10:28 PM   #4
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
You can't affect the priority of inbound connections and packets, only outbound.
 
Old 09-01-2005, 02:40 PM   #5
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
I still can't understand when to use sport or dport.

Does dport relate only to a computer connecting to my computer? Or can it be used for outbound connections, for example: my server connecting to another computer on a specific "destination" port on that computer?
 
Old 09-01-2005, 03:28 PM   #6
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Dport and sport are strictly source and destination ports. A network connection has a source IP, destination IP, source port, and destination port. Some ports are assigned to well known services (check /etc/services).
 
Old 09-02-2005, 08:19 AM   #7
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
But for example, if any computer connects to my server, it enters the server through a destination port, right? And my server sends information through a source port (the server sends packets through a source port and the client connects to the server through a destination port).

But if my computer is a client connecting to a server, it connects to a computer through a destination port and the other computer, which in this case acts as server, sends information to mine through a source port...

Does this make sense?

Thanks!!!
 
Old 09-02-2005, 12:32 PM   #8
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Ok, let's assume an arbitrary connection from a client (1.1.1.1) to a webserver (2.2.2.2). The webserver, of course, runs on port 80. The client will make its connection from some arbitrary port, say 1500.

Packet 1 (SYN):
1.1.1.1:1500 (source) ----> 2.2.2.2:80 (dest)
Packet 2: (SYN/ACK):
2.2.2.2:80 (source) ----> 1.1.1.1:1500 (dest)
Packet 3: (ACK):
1.1.1.1:1500 (source) ----> 2.2.2.2:80 (dest)

So packets FROM client to server have sport 1500 and dport 80. Packets FROM server to client have sport 80 and dport 1500.
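As an added illustration (not code from the thread or from anyone in it), here is a small Python model of the exchange above: given an iptables-style rule with --sport or --dport in a given chain, it reports which of the three packets the rule would match, from the server's and from the client's point of view. The chain names are real, but the "in"/"out" direction flag and the helper names are my own simplification of how netfilter hands packets to PREROUTING/INPUT versus OUTPUT/POSTROUTING.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed example, not code from the thread: a tiny model of how an
# iptables rule's --sport / --dport options match the packets of a TCP
# connection, using the 1.1.1.1:1500 -> 2.2.2.2:80 exchange from post #8.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    direction: str  # "in": arriving at this host, "out": leaving this host

@dataclass(frozen=True)
class Rule:
    chain: str                    # PREROUTING/INPUT see "in", OUTPUT/POSTROUTING see "out"
    sport: Optional[int] = None   # --sport, or None when the rule does not use it
    dport: Optional[int] = None   # --dport, or None when the rule does not use it

INBOUND_CHAINS = {"PREROUTING", "INPUT"}
OUTBOUND_CHAINS = {"OUTPUT", "POSTROUTING"}

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if pkt traverses the rule's chain and satisfies its port options."""
    if rule.chain in INBOUND_CHAINS and pkt.direction != "in":
        return False
    if rule.chain in OUTBOUND_CHAINS and pkt.direction != "out":
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True

def handshake(client_ip: str, client_port: int, server_ip: str, server_port: int,
              we_are_server: bool) -> List[Packet]:
    """SYN, SYN/ACK, ACK as seen by one host: the server (True) or the client (False)."""
    to_server = "in" if we_are_server else "out"
    to_client = "out" if we_are_server else "in"
    return [
        Packet(client_ip, client_port, server_ip, server_port, to_server),  # 1: SYN
        Packet(server_ip, server_port, client_ip, client_port, to_client),  # 2: SYN/ACK
        Packet(client_ip, client_port, server_ip, server_port, to_server),  # 3: ACK
    ]

def matching_packets(rule: Rule, pkts: List[Packet]) -> List[int]:
    """1-based numbers of the packets in pkts that the rule would match."""
    return [i + 1 for i, p in enumerate(pkts) if matches(rule, p)]
```

Seen from the server, a PREROUTING --dport 80 rule matches packets 1 and 3 and an OUTPUT --sport 80 rule matches packet 2, while a PREROUTING --sport 80 rule matches none of them, because inbound packets carry the server's port as their destination, not their source.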
 