LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-06-2009, 02:25 PM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Rep: Reputation: 33
Iptables : --dport vs. --sport


If I just want to allow incoming traffic on port 4569 and also outgoing traffic on port 4569, on my interface eth1, is this rule then well written :

Code:
-A INPUT ! -i eth1 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --sport 4569 -j ACCEPT
I don't know whether I need to use --sport or --dport ???

I think I still need to define a destination port for incoming traffic on port 4569, but how do I do that ?
Do I define an extra rule (--dport) or can I do it in the existing one ?

Last edited by jonaskellens; 05-06-2009 at 02:26 PM.
 
Old 05-06-2009, 02:32 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by jonaskellens
If I just want to allow incoming traffic on port 4569 and also outgoing traffic on port 4569...
So if a remote host establishes a tcp connection with port 4569 on your server, you want to allow that conversation to continue, correct?

If "yes", then you just need to allow stateful traffic.

Basic ruleset script example:
Code:
#!/bin/bash

cmd='/sbin/iptables'

# standard stuff - loopback and stateful
${cmd} -A INPUT -i lo -j ACCEPT
${cmd} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log / allow in foo (on tcp 4569)
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 4569 -j LOG
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 4569 -j ACCEPT

# allow pings in
${cmd} -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# default deny!
${cmd} -A INPUT -j DROP
 
Old 05-06-2009, 04:02 PM   #3
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
There is UDP-traffic on port 4569 (IAX).

Indeed if a remote client sends an invite on this port, I want the UDP-traffic on this port to continue...

It's very simple : a connection on port 4569 from the internet is allowed.

Last edited by jonaskellens; 05-07-2009 at 03:56 PM.
 
Old 05-06-2009, 06:20 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
The same solution applies. As you probably know, udp isn't really "stateful", but the bolded rule I noted above will track the connection anyway.
 
Old 05-07-2009, 03:59 PM   #5
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Do I need the part "-m state --state NEW" ?
Someone called me with his IAX-softphone (and thus on port 4569 of my Asterisk-server) and everything went well.
So for the moment, with my rule (as posted above) I have no problems at all...
 
Old 05-07-2009, 05:37 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by jonaskellens
Do I need the part "-m state --state NEW" ?
Someone called me with his IAX-softphone (and thus on port 4569 of my Asterisk-server) and everything went well.
So for the moment, with my rule (as posted above) I have no problems at all...
It would be a good idea. It helps to ensure that only packets with SYN set match the rule. (Well, in reality it's not quite that simple.) And then the established/related rule will let the conversation continue.

Without requiring that only new packets match, there is a risk of someone sending weird packets to match it -- i.e. with weird bits set that don't really make sense -- to try to run an exploit.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables problem with "--dport" or "--sport" jmhal Slackware 5 07-03-2007 11:50 AM
iptables - dport unknown arg mousi Linux - Networking 3 03-21-2007 07:44 PM
Using --dport --sport... When to use one or another Palula Linux - Security 7 09-02-2005 12:32 PM
iptables problem --sport not working ?? scs0 Linux - Security 5 11-09-2004 10:50 PM
iptables doesn't know what -dport 80 is... ? d33pdream Linux - Networking 6 04-04-2003 07:22 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 04:20 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration