Confusing iptables rule?
Hi people,
In the iptables manual I found the following sentence:

Code:
iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110

Here is how I understand it: in the INPUT chain, ACCEPT, DROP or whatever else what comes from source ports 22, 53, 80, 110. But what do I not understand? When some client initiates, for example, an ssh connection, it wants to connect to port 22 on the destination computer. Let's say it is client A. Client A uses some port different from 22; it uses some random port (correct me if I am wrong)??? Client A wants to log on to port 22 on some client B. In this context I do not understand the above rule, and it would be very useful if someone could write some explanation. I have the iptables manual and many Google materials, but I do not understand this.

Thanks in advance to whoever answers me.
Regards
Let's add an ACCEPT to the end to make it complete, but you can use DROP or DENY instead if you need it that way. And for this rule to make any sense, let's say that the POLICY of the INPUT chain is set to DROP, for instance. Anyway:
Code:
iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT

The above rule would add a new rule to the INPUT chain, that is, for incoming traffic. It states that if the traffic's protocol is tcp, we're going to inspect it more; otherwise the traffic skips this rule. Now let's say the incoming traffic would be using the tcp protocol. The multiport option (if I'm right, not 110% sure) lets us specify more than one port number to deal with. If the incoming traffic has been started from one of the mentioned ports (22, 53, 80, 110) then we're doing something for it; in the above example we're ACCEPTing it, letting it go through. So far we should agree, right?

Let's now consider the example of machines A and B, where client A wants to connect to port 22 on B.

1) The above rule is on A. A sends traffic in this example, so it won't affect the INPUT chain, thus doing nothing (you'd need to use OUTPUT for it).

2) The above rule is on B. A sends traffic to port 22 of B, so the destination port is now 22; the source port, however, is some random port as you wanted. Traffic comes to B, and iptables grabs it in the INPUT chain since it's incoming traffic. It inspects the traffic and sees that it's the tcp protocol. All right, it inspects the rule further: now the source port was something random (in A) as you wanted, so iptables tries to see if it matches the given list (22, 53, 80, 110). If the random port A uses is one of the ports mentioned in the list, then the whole rule matches and is applied, thus the traffic is ACCEPTed. However, if the random port is chosen so that it is not any one of the ports mentioned in the list, the rule does not match and is not applied; if no other rule ACCEPTs the traffic, as in our example it doesn't (we assumed the POLICY to be DROP, and only this one rule added), the traffic gets DROPped rather than ACCEPTed.

Source port is the port where the traffic is coming from, and the port is on the sending machine.
Destination port is where the traffic is going to, and the port is on the receiving machine.

So, to cut it short: the above rule is only applied if the traffic is coming from one of the mentioned ports.
Thanks for the answer.
As you wrote, the rule

Code:
iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT

implemented on B will drop packets which originate from ports different from 22, 53, 80, 110. That is clear to me. But what is the sense of implementing this rule on the destination machine in the INPUT chain, because we cannot push the sender to use some of these ports, and as far as I know they do not use them when starting a connection? What I want to say: if I use ssh, dns, http, pop-3 from my machine to connect to port 22, catch dns information, web pages etc., I do not use port 22, 53, 80 from my machine, I use some random port >1024 (please do not hesitate to correct this if I am wrong). So implementing this rule on the destination machine makes no sense in the INPUT chain, and I cannot understand why it is there in the iptables manual (without -j ACCEPT). Books, links, manuals are welcome for this discussion.

Thanks
Regards
Code:
# DHCP server: client requests arrive from client port 68 to server port 67
iptables -A INPUT -p udp --dport 67 --sport 68 -j ACCEPT

Code:
# SSH: accept connections to port 22 only when the source port is in 12000-19500
iptables -A INPUT -p tcp --dport 22 --sport 12000:19500 -j ACCEPT
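As an added example (not code from the thread, from the iptables manual or from the netfilter project), the following Python model evaluates the manual's source-port rule discussed in the first answer and the two rules quoted in the second answer against constructed packets arriving at machine B. The rule-matching logic, the extra conntrack ESTABLISHED,RELATED rule placed in front of the second answer's rules, and every port number and packet are assumptions of the model, not iptables output.

```python
"""Model of how the INPUT chain evaluates the rules in this thread.

Added example, not code from the thread, the iptables manual or the
netfilter project. It models only what the discussion needs: -p,
--sport/--dport (single port, range, or multiport list), the conntrack
NEW/ESTABLISHED state, first-match-wins evaluation and the chain policy.
All packets and port numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    sport: int           # port on the sending machine
    dport: int           # port on the receiving machine
    state: str = "NEW"   # conntrack state as iptables would classify it


@dataclass
class Rule:
    target: str                        # "ACCEPT" or "DROP"
    proto: Optional[str] = None        # -p tcp / -p udp
    sports: Optional[Set[int]] = None  # --sport or -m multiport --source-port
    dports: Optional[Set[int]] = None  # --dport
    states: Optional[Set[str]] = None  # -m conntrack --ctstate

    def matches(self, p: Packet) -> bool:
        """Every match option given on the rule must hold; omitted ones are wildcards."""
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sports is not None and p.sport not in self.sports:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def ports(*spec) -> Set[int]:
    """Port set from ints and inclusive (lo, hi) ranges: ports(22, (12000, 19500))."""
    out: Set[int] = set()
    for s in spec:
        if isinstance(s, tuple):
            out.update(range(s[0], s[1] + 1))
        else:
            out.add(s)
    return out


def input_chain(rules: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides the verdict; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


# The manual's rule as discussed in the first answer, with policy DROP:
#   iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT
SPORT_RULES = [Rule("ACCEPT", proto="tcp", sports=ports(22, 53, 80, 110))]

# The second answer's two rules, preceded by the usual conntrack rule that
# admits replies to connections this host opened itself (assumed addition):
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -p udp --dport 67 --sport 68 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 --sport 12000:19500 -j ACCEPT
SERVICE_RULES = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", proto="udp", dports=ports(67), sports=ports(68)),
    Rule("ACCEPT", proto="tcp", dports=ports(22), sports=ports((12000, 19500))),
]

# Constructed packets arriving at machine B.
PACKETS: Dict[str, Packet] = {
    # client A opens ssh to B from an ordinary ephemeral source port
    "ssh_syn_ephemeral": Packet("tcp", 51234, 22),
    # client A opens ssh to B from a source port inside 12000:19500
    "ssh_syn_in_range": Packet("tcp", 15000, 22),
    # a remote host opens ssh to B after binding its local port 53
    "ssh_syn_from_53": Packet("tcp", 53, 22),
    # reply to a web request that B itself sent out earlier
    "http_reply": Packet("tcp", 80, 40000, state="ESTABLISHED"),
    # DHCP request from a client to B acting as DHCP server
    "dhcp_request": Packet("udp", 68, 67),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of the INPUT chain for every constructed packet."""
    return {name: input_chain(rules, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, p in PACKETS.items():
        print(f"{name:18} sport-rule: {input_chain(SPORT_RULES, p):6} "
              f"service-rules: {input_chain(SERVICE_RULES, p)}")
```

Running it shows the two points the thread circles around. The manual's source-port rule never admits an ordinary client connection, because the client picks an ephemeral source port; the only traffic it does admit is traffic whose source port is a well-known service port, which is the situation for replies to connections B opened itself (the http_reply packet). That is the job such rules used to do on stateless firewalls, and the conntrack ESTABLISHED,RELATED rule does the same job without trusting a number the remote side chooses. The second point is the caveat: a remote host controls its own source port, so an ACCEPT keyed on --sport alone also lets anyone who binds local port 22, 53, 80 or 110 (nmap's -g/--source-port option does exactly this) reach every port on B, as the ssh_syn_from_53 packet shows. Match --dport and connection state first, and use --sport only as an extra restriction, as the second answer's rules do.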