LinuxQuestions.org
Old 11-12-2005, 03:15 AM   #1
Jeewhizz
LQ Newbie
 
Registered: Apr 2002
Location: London, England
Distribution: Mandrake 8
Posts: 4

Rep: Reputation: 0
IP Tables


Hi there,

What's the correct IP Tables rule to open all ports to and from one ip?

I.e., I want to open all ports to and from 192.168.1.100

Thanks for your help,

Jee
 
Old 11-12-2005, 04:34 AM   #2
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
It depends a bit on your firewall layout. One simple - and, I believe, common - general set of rules is

(1) INPUT chain: allow ESTABLISHED and RELATED packets
(2) OUTPUT chain: allow NEW, ESTABLISHED and RELATED packets

If this is what you use, then all you have to do is open for NEW incoming packets (assuming your network interface is eth0):

iptables -I INPUT -i eth0 -p tcp --syn -m state --state NEW --source 192.168.1.100 -j ACCEPT

This is only for TCP traffic as you can see by the "-p tcp" part. This rule accepts incoming connections from 192.168.1.100, i.e. you can use ssh to login from 192.168.1.100, or access your web server or whatever.

To also allow incoming NEW udp and icmp ("ping") packets, add two more lines:

iptables -I INPUT -i eth0 -p udp -m state --state NEW --source 192.168.1.100 -j ACCEPT
iptables -I INPUT -i eth0 -p icmp -m state --state NEW --source 192.168.1.100 -j ACCEPT

The NEW state basically consists of "requests", which means that if you don't have any servers running on the box, then you don't need to accept anything NEW in the INPUT chain. Except for icmp stuff perhaps, if you want to be able to ping your box.

If you do NOT have your firewall set up according to (1) and (2) above, then add these lines (which are specifically written for 192.168.1.100):

iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED --source 192.168.1.100 -j ACCEPT
iptables -I OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED --destination 192.168.1.100 -j ACCEPT

The first line here takes care of (1), and the second (2) - but only for 192.168.1.100. Especially the OUTPUT chain rule that accepts NEW, ESTABLISHED and RELATED packets outbound for 192.168.1.100 is rather silly. I think it's quite common to use variants of the above two rules that take care of packets to and from all hosts:

iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Cheers
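The layout above (stateful baseline (1) and (2), then NEW tcp/udp/icmp allowed only from the trusted host) is easiest to get right when the whole ruleset is written out once and loaded atomically with iptables-restore, rather than inserted rule by rule. The script below is an added example, not code from the thread: it validates the trusted address before it is ever interpolated into a rule, then prints a complete filter-table ruleset. Everything beyond the thread's own rules is an assumption on my part: default DROP policies on all three chains, loopback allowed, a rate-limited LOG rule for dropped INPUT traffic, the interface defaulting to eth0, and applying the output with `gen_ruleset 192.168.1.100 eth0 | iptables-restore` as root.

```shell
#!/bin/sh
# Added example (not from the thread): emit a complete iptables-restore
# ruleset implementing the stateful layout (1)/(2) plus "accept NEW from one
# trusted host". Prints text only; applying it (as root) is the caller's job:
#   gen_ruleset 192.168.1.100 eth0 | iptables-restore      # assumed usage

# Validate a dotted-quad IPv4 address. Returns 0 if valid, 1 otherwise.
# Rejects anything that is not digits and dots, so a bad value can never
# smuggle extra options into the generated rules.
validate_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/double dot
    esac
    count=0
    oldifs=$IFS; IFS=.
    for octet in $ip; do
        count=$((count + 1))
        [ ${#octet} -le 3 ] || { IFS=$oldifs; return 1; }
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$count" -eq 4 ]
}

# Print the filter table in iptables-restore format.
# $1 = trusted host (IPv4), $2 = interface (defaults to eth0, as in the thread).
# Default policies, loopback and LOG rules are assumptions of this example.
gen_ruleset() {
    host=$1
    iface=${2:-eth0}
    validate_ipv4 "$host" || {
        echo "gen_ruleset: invalid IPv4 address: $host" >&2
        return 1
    }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed (assumption, not from the thread)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# (1) INPUT: replies/related packets for connections this box initiated
-A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
# (2) OUTPUT: anything this box initiates, plus replies
-A OUTPUT -o $iface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# NEW tcp/udp/icmp accepted only from the trusted host
-A INPUT -i $iface -p tcp --syn -m state --state NEW -s $host -j ACCEPT
-A INPUT -i $iface -p udp -m state --state NEW -s $host -j ACCEPT
-A INPUT -i $iface -p icmp -m state --state NEW -s $host -j ACCEPT
# everything else on INPUT is logged (rate-limited) and falls to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Stand-alone usage: ./fw.sh 192.168.1.100 eth0
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Loading with iptables-restore replaces the filter table in one step, so a typo in one rule aborts the whole load instead of leaving the box half-configured; the `#` lines are ignored by iptables-restore and are there for the reader.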
 
Old 02-26-2009, 01:24 PM   #3
fahadaziz
LQ Newbie
 
Registered: Aug 2008
Posts: 27

Rep: Reputation: 15
iptables rules

My opinion is in the form of the following rules. Maybe I could be wrong; if so, please guide me as well, because I am also learning iptables right now...

rule 1 for input:

# INPUT chain: TCP from 192.168.1.100 arriving on eth0. Chain names and targets are case-sensitive (INPUT, ACCEPT); "from" that host means matching its address as the source (-s).
iptables -A INPUT -p tcp --sport 1:1023 -i eth0 -s 192.168.1.100 -j ACCEPT

rule 2 for output:

# OUTPUT chain: TCP to 192.168.1.100 leaving via eth0. The OUTPUT chain matches the outgoing interface with -o, not -i.
iptables -A OUTPUT -p tcp --sport 1024:65535 -o eth0 -d 192.168.1.100 -j ACCEPT


Maybe this could be the answer to the aforementioned question.


Thanks and Regards,

Faddi
 
Old 02-26-2009, 01:27 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
fahadaziz, if you have a question please start your own thread.

Don't resurrect dead threads (this one has been dead for over three years).

Last edited by win32sux; 02-26-2009 at 01:30 PM.
 