LinuxQuestions.org
Old 09-25-2004, 09:01 PM   #1
lappen
Member
 
Registered: Aug 2003
Location: Sweden
Posts: 83

Rep: Reputation: 15
iptables invert issue


Code:
@tux.init.d # iptables -A INPUT --protocol ! tcp --dport 51000 -j ACCEPT
iptables: Invalid argument

@tux init.d # iptables -A INPUT -p ! tcp --dport 51000 -j ACCEPT
iptables: Invalid argument

@tux init.d # iptables -A INPUT --protocol !tcp --dport 51000 -j ACCEPT
bash: !tcp: event not found

@tux init.d # iptables -A INPUT -p !tcp --dport 51000 -j ACCEPT
bash: !tcp: event not found
Any suggestions on how to get it to work?

iptables v1.2.11
Linux tux 2.6.7 #1 Sun Jun 27 03:10:39 CEST 2004 i686 Celeron (Mendocino) GenuineIntel GNU/Linux
Gentoo

Last edited by lappen; 09-25-2004 at 09:03 PM.
 
Old 09-25-2004, 11:09 PM   #2
d0odman
Member
 
Registered: Sep 2004
Location: CA, USA
Distribution: Slackware 10.2
Posts: 132

Rep: Reputation: 15
REJECT?

It looks like you're trying to create a rule that accepts everything BUT that port? Try putting a REJECT at the end, and then write filter rules that let everything in by default.
 
Old 09-26-2004, 07:43 AM   #3
lappen
Member
 
Registered: Aug 2003
Location: Sweden
Posts: 83

Original Poster
Rep: Reputation: 15
Yes I am trying to accept everything but that port and it should work according to the manual.

I am not sure that I understand your answer 'WRITE FILTER RULES?'. I have a RULE at the end of my script that TAKES everything that hasn't a rule --ESTABLISHED --RELATED, DROP or ACCEPT.. then it sends all of those packets to a CHAIN for REJECTING/DROPPING and LOGGING depending on the package.
 
Old 09-26-2004, 11:53 AM   #4
Linux~Powered
Member
 
Registered: Jan 2004
Location: /lost+found
Distribution: Slack`er-current
Posts: 845

Rep: Reputation: 31
Quote:
Yes I am trying to accept everything but that port and it should work according to the manual.
If I'm right then you should have either REJECT or DROP at the end of your table. The way you have it now states...

iptables -A (append) INPUT -protocol ! (not) tcp --dport 51000 -j (make) ACCEPT


Code:
iptables -A INPUT --protocol ! tcp --dport 51000
Here you are telling the table 'not' to allow any packages to be able to pass through destination port 51000

Code:
-j ACCEPT
Here you are telling the table what to do with the packet when it reaches the end of the table...which is ACCEPT it. So why would you want to ACCEPT the packet when you just told the table ! (not) to allow anything to pass through dport 51000? When it should REJECT or DROP
the packet, because you want the table to REJECT or DROP the packet and not ACCEPT it.

Last edited by Linux~Powered; 09-26-2004 at 02:03 PM.
 
Old 09-26-2004, 01:22 PM   #5
lappen
Member
 
Registered: Aug 2003
Location: Sweden
Posts: 83

Original Poster
Rep: Reputation: 15
So basically if I do
iptables -A INPUT -protocol ! tcp --dport 51000 REJECT

I will deny udp and icmp on that port, but I already have a rule at the bottom that captures all packets that haven't been allowed, so basically I won't need that.
What I need to do is to allow both udp and tcp in one rule. How would I do that then?


and here is the output, the same as before
@tux init.d # iptables -A INPUT -p ! tcp --dport 51000 -j REJECT
iptables: Invalid argument
@tux init.d # iptables -A INPUT -p !tcp --dport 51000 -j REJECT
bash: !tcp: event not found
@tux init.d # iptables -A INPUT -p ! tcp --dport 51000 -j DENY
iptables v1.2.11: Couldn't load target `DENY':/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory
@tux init.d # iptables -A INPUT -p !tcp --dport 51000 -j DENY
bash: !tcp: event not found
 
Old 09-26-2004, 01:40 PM   #6
Linux~Powered
Member
 
Registered: Jan 2004
Location: /lost+found
Distribution: Slack`er-current
Posts: 845

Rep: Reputation: 31
Quote:
I will deny udp and icmp on that port, but I already have a rule at the bottom that captures all packets that haven't been allowed, so basically I won't need that.
What I need to do is to allow both udp and tcp in one rule. How would I do that then?
It will not drop udp or icmp because you told the table to only drop tcp packets. To use all three tcp/udp/icmp just use the flag --protocol all or -p all that will use all three in one table tcp/udp/icmp
Quote:
Yes I am trying to accept everything but that port
use... iptables -A INPUT -p all --dport 51000 -j DROP

this will DROP all packets trying to access dport 51000

Last edited by Linux~Powered; 09-26-2004 at 03:18 PM.
 
Old 09-26-2004, 02:18 PM   #7
lappen
Member
 
Registered: Aug 2003
Location: Sweden
Posts: 83

Original Poster
Rep: Reputation: 15
I am completely lost... seems there is something wrong with my iptables, or I am doing it wrong..

all doesn't work, and when using (invert) i in protocol it doesn't work
 
Old 09-26-2004, 02:24 PM   #8
Linux~Powered
Member
 
Registered: Jan 2004
Location: /lost+found
Distribution: Slack`er-current
Posts: 845

Rep: Reputation: 31
destination

Are you root? Log into root and insert this command...

Code:
iptables -A INPUT -p all --dport 51000 -j DROP
again this should drop all packets tcp/udp/icmp trying to access port 51000

Then to see if it worked issue...

Code:
iptables -L
This will list what tables you have running.

Last edited by Linux~Powered; 09-26-2004 at 03:18 PM.
 
Old 09-26-2004, 03:19 PM   #9
lappen
Member
 
Registered: Aug 2003
Location: Sweden
Posts: 83

Original Poster
Rep: Reputation: 15
seems it works with -d instead of --dport, human error :)

but what about the invert (!) option?

Code:
       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check. The specified
              protocol can be one of tcp, udp, icmp, or all, or it can be a
              numeric value, representing one of these protocols or a different
              one. A protocol name from /etc/protocols is also allowed. A "!"
              argument before the protocol inverts the test. The number zero is
              equivalent to all. Protocol all will match with all protocols and
              is taken as default when this option is omitted.
Does any of this work for you?
root@tux lappen # iptables -A INPUT -p !tcp --dport 51000 -j ACCEPT
bash: !tcp: event not found
root@tux lappen # iptables -A INPUT -p ! tcp --dport 51000 -j ACCEPT
iptables: Invalid argument

EDIT: seems the ! invert option works with -d but not --dport, should it work with --dport?

iptables -A INPUT -p ! tcp -d 192.168.0.3 -j ACCEPT
ACCEPT !tcp -- anywhere 192.168.0.3


I would want a source or destination port with that, but it seems it doesn't work that way
iptables -A INPUT -p ! tcp -d 192.168.0.3 --dport 50000 -j ACCEPT
iptables: Invalid argument


Maybe I am still misunderstanding everything

Last edited by lappen; 09-26-2004 at 03:25 PM.
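Added example (not from any poster in this thread): the commands in the thread fail because --dport is an option of the tcp/udp match that iptables loads only when the rule names "-p tcp" or "-p udp"; "-p ! tcp" or "-p all" loads no such match, so --dport is rejected while an address match like -d still works. The script below generates the two rules that cover the OP's stated goal (port 51000 over both tcp and udp), refuses protocols that cannot carry --dport, and only applies anything when explicitly asked as root. The port and protocol list are assumed parameters; the iptables syntax is the 1.2.x form used on the page.

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumes iptables 1.2.x-style
# syntax as shown in the thread; PORT and the protocol list are parameters.

# Print one ACCEPT rule per protocol for the given destination port.
# --dport exists only in the tcp and udp matches, so anything else is refused
# instead of producing a rule that iptables answers with "Invalid argument".
# Usage: rules_for_port PORT PROTO [PROTO...]
rules_for_port() {
    port=$1
    shift
    for proto in "$@"; do
        case $proto in
            tcp|udp) ;;
            *) echo "rules_for_port: --dport needs tcp or udp, got '$proto'" >&2
               return 1 ;;
        esac
        printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
    done
}

# An inverted protocol match ("-p ! tcp") can be combined with address matches
# such as -d, as the OP observed, but never with --dport. The space after "!"
# matters in an interactive bash session, where "!tcp" is history expansion
# ("event not found"); inside a script history expansion is off.
# Usage: invert_rule_for_host PROTO DEST_ADDR
invert_rule_for_host() {
    printf 'iptables -A INPUT -p ! %s -d %s -j ACCEPT\n' "$1" "$2"
}

# Print the generated rules; run them only when APPLY=yes and we are root,
# so a reader can inspect the output before it touches the firewall.
# Usage: APPLY=yes apply_port_rules PORT PROTO [PROTO...]
apply_port_rules() {
    port=$1
    shift
    if [ "${APPLY:-no}" = yes ] && [ "$(id -u)" -eq 0 ]; then
        rules_for_port "$port" "$@" | sh
    else
        rules_for_port "$port" "$@"
    fi
}
```

Run as `apply_port_rules 51000 tcp udp` to preview the rules, then check the result with `iptables -L INPUT -n` as the thread suggests.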