LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-16-2004, 03:04 PM   #1
ProtoformX
iptables and dynamic rules....


Hi, I'm fairly new at using iptables, but I know how to do some stuff. My question is: how do you dynamically open an incoming port? I don't want any ports open really, so I thought this was the best way to do just that, but how would one do so in iptables? I'm not on a network at all.
 
Old 10-16-2004, 08:07 PM   #2
qwijibow
What do you mean, dynamically open?
 
Old 10-16-2004, 08:27 PM   #3
ProtoformX
Well, I want to DROP all incoming packets, but now I have a problem: nothing I use will work because the server I'm trying to connect to can't send any data back to me. So I want to have my computer dynamically open a port.

Example: if I DROP every INPUT and OUTPUT packet but accept port 53 tcp, 53 udp and 80 tcp for OUTPUT only, not INPUT, I want my computer to randomly pick a port and open it (INPUT only) when I send a request. That way all my ports are technically stealthed and no ports are statically open, meaning as soon as my computer is done requesting the information it needs and the server has sent it to the randomly opened port, I want that port closed.

Make sense?
 
Old 10-17-2004, 07:58 AM   #4
qwijibow
lol.. you were right, you don't understand networks... hehe.

OKAY... a packet (TCP, UDP or ICMP) can have many different states....
state NEW means this is the first packet from a remote computer... possibly a connection request.
state ESTABLISHED means this packet is part of an already started connection... for example a reply to an HTTP GET request.
state RELATED means this packet is part of a new connection that has been started by an already ESTABLISHED connection... for example an FTP download or upload (FTP uses 2 different 'channels', a data channel and a command channel).

so a simple firewall rule set would be:

#input rules....
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -P INPUT DROP
this firewall input rule set would drop all connection attempts and ping attempts.
rule 1 means allow everything on the loopback device (allow the computer to talk to itself).
rule 2 allows all RELATED and ESTABLISHED traffic.
rule 3 allows the same as 2 but for the UDP protocol.
rule 4 allows ping replies but NOT ping requests.... so you can ping other people, but they cannot ping you.
rule 5 drops everything else.

with this rule set, nobody can send information to your computer unless they are sending it as reply to a request you send to them.

as for output.... most people don't need to restrict output, and leave the output policy at the default ACCEPT...
but if you do want to restrict output.. make sure you have at least these rules...
Code:
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
this is similar to the input rules....
note that you will need to add more rules to the output chain...
there is nothing in the output rules that allows new connections... just related ones... and nothing can be related unless a new packet is allowed out.

so add rules like

Code:
iptables -A OUTPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
to allow your machine to connect to remote machines on port 80 (http) for viewing web pages.


OR... you could just let a firewall program automatically configure the iptables firewall for you.
programs like "firestarter" are good for newbs.

Last edited by qwijibow; 10-17-2004 at 08:00 AM.
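The rule set from this post written out as one loadable script. This is an added example, not qwijibow's code or anything posted in the thread: it uses the current `-m conntrack --ctstate` match (the post's `-m state --state` still works), adds a drop for packets the tracker marks INVALID, and generates the outbound NEW rules from a port list. The port lists, the helper function names and the use of `iptables-restore` are my assumptions; edit the lists before applying. The point it demonstrates is the answer to the original question: connection tracking is the "dynamically opened port", because replies to a connection this host started arrive as ESTABLISHED (or RELATED, for helper-tracked protocols such as FTP data channels with the nf_conntrack_ftp module loaded) on whatever port the remote side chose, while no inbound port is ever statically open.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a stateful default-deny
# ruleset in iptables-restore format. Assumes iptables and iptables-restore
# with the conntrack match available; helper names and port lists are mine.

# Destination ports this host may open NEW outbound connections to.
# Constructed list: 53 = DNS, 80/443 = HTTP/HTTPS, 123 = NTP. Adjust to taste.
OUT_TCP_PORTS="53 80 443"
OUT_UDP_PORTS="53 123"

# Print the complete ruleset on stdout.
build_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: let the machine talk to itself.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets the tracker cannot tie to any known connection are dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections we started come in here, whatever port the remote
# side chose. One rule covers tcp, udp and icmp; no per-protocol copies.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# We may ping out; the echo-reply comes back as ESTABLISHED, and unsolicited
# inbound echo-requests still hit the DROP policy.
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # Only the listed ports may receive NEW outbound connections.
    for p in $OUT_TCP_PORTS; do
        printf -- '-A OUTPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    for p in $OUT_UDP_PORTS; do
        printf -- '-A OUTPUT -p udp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    echo COMMIT
}

# Number of ACCEPT rules in the generated set; a quick sanity check that the
# port lists were expanded.
count_accept_rules() {
    build_ruleset | grep -c -- '-j ACCEPT'
}

# Load the ruleset, but only as root and only if a dry-run parse succeeds.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    f=$(mktemp) || return 1
    build_ruleset > "$f"
    iptables-restore --test "$f" && iptables-restore "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       build_ruleset ;;
esac
```

Run it without arguments to print the ruleset and review it; `--apply` loads it, after `iptables-restore --test` has parsed it, so a typo never leaves the box with half a ruleset. Because the policy is DROP on both chains, anything not in OUT_TCP_PORTS or OUT_UDP_PORTS cannot be reached, which is the behaviour the original poster wanted and also the reason the later ICQ question comes up.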
 
Old 10-17-2004, 10:49 AM   #5
IRIGHTI
You know qwijibow, that was the best quick explanation of the basics of iptables I think I've seen.
 
Old 10-17-2004, 01:02 PM   #6
qwijibow
lol.. Cool. thanX.
always good to know I'm making a good contribution to the site that helped me so much when I started out 2 years ago.
 
Old 10-17-2004, 02:53 PM   #7
ProtoformX
Thanks qwijibow, that totally clears things up. But what if I wanted to allow file transfers via ICQ? It uses a dynamic port < 1024 I believe. How would you get iptables to auto-detect the port ICQ is trying to use, or do I have to open ports 1024 to 5000?
 
Old 10-17-2004, 11:31 PM   #8
qwijibow
hmm... in old kernels there used to be a kernel driver module to track ICQ connections and open the correct ports... however after kernel 2.2 (or maybe 2.0) this driver disappeared....

I'm not sure if support was dropped, or whether the ICQ support was simply merged into the main iptables connection tracking module....

try it.. see if it works without opening all those ports.... hopefully the ICQ INPUT traffic will be allowed through the RELATED or ESTABLISHED rule.

as for output... well... I'm assuming you didn't bother writing an output rule set and left it at the default ACCEPT policy.
 
Old 10-17-2004, 11:42 PM   #9
ProtoformX
Quote:
Originally posted by qwijibow
as for output... well... I'm assuming you didn't bother writing an output rule set and left it at the default ACCEPT policy.
Actually I did, opened up ports for only the things I wanted to use then dropped everything else, but I can set the firewalled port on LICQ to a fixed port, then set NEW and ESTABLISHED as the match parameter.

sound right?

I wonder if this would also work for MSN and AIM?


EDIT: It doesn't work for any of them, oh well.

Last edited by ProtoformX; 10-17-2004 at 11:53 PM.
 
Old 10-18-2004, 02:24 PM   #10
qwijibow
you don't really need to restrict output.....

the way I understand it... is you would normally set the output to allow all... then just add a few rules to block certain things you want to block.. like P2P or MSN or ICQ or HTTP to the address slashdot.org to stop users wasting time..

to get it all working, providing the program only uses one connection, you just need a rule to allow the first connection request... all other transmitted and received packets will get through as ESTABLISHED packets.

don't just use the destination port to allow connections.. you can also use -s (source) and -d (destination) URLs or IPs or a combination of IPs and ports.

read "man netstat".
turn off your firewall and run netstat while the services you are using are running. netstat will give info about ports, IP addresses and protocols that you can use to build firewall rules.

for example, a "netstat --all -p" shows

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:631                   *:*                     LISTEN      6594/cupsd
tcp        0      0 *:1213                  *:*                     LISTEN      7408/giftd
tcp        0      0 *:1214                  *:*                     LISTEN      7408/giftd
tcp        0      0         CENCORED MY IP                        ESTABLISHED 7408/giftd
tcp        0      0 localhost:1213          localhost:33125         ESTABLISHED 7408/giftd
tcp        0      0 CENSOCORED my IP                            TIME_WAIT   -
tcp        0      0 MY IP:1863                                            ESTABLISHED 7278/kopete
tcp        0      0 localhost:33125         localhost:1213          ESTABLISHED 7407/apollon
udp        0      0 *:1214                  *:*                                 7408/giftd
udp        0      0 *:bootpc                *:*                                 6567/dhcpcd
udp        0      0 *:631                   *:*                                 6594/cupsd
looks a bit mad.. but it shows useful info on what's happening.

for example... the program cupsd listening on tcp port 631.. this is the printing daemon.... I don't share the printer on the network.. so I will not open a port for it... the machine can print to this printer using the iptables rule that allows it to talk to itself.

tcp port 1213 is the gift server for controlling my downloads.. no port open because only the local machine should control downloads.

however I do open an incoming port on tcp 1214 for FastTrack / Kazaa downloading (PUSH)

anyways.. you get the idea.
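To turn a netstat listing like the one above into a decision list, here is an added example (mine, not qwijibow's and not from the thread) that pulls out every socket waiting for inbound traffic, marks which ones are bound to all addresses, and prints the explicit INPUT rule for the one service you decide to expose. The listing it parses is constructed to mirror the post's output, with made-up addresses and PIDs, and the script assumes the Linux net-tools netstat column layout shown in the post; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: extract the sockets that are waiting
# for inbound traffic from a "netstat --all -p" listing, so you can decide
# which ones (if any) deserve an INPUT rule. The listing below is constructed
# to mirror the thread's output; addresses, PIDs and names are made up.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:631                   *:*                     LISTEN      6594/cupsd
tcp        0      0 *:1213                  *:*                     LISTEN      7408/giftd
tcp        0      0 *:1214                  *:*                     LISTEN      7408/giftd
tcp        0      0 localhost:1213          localhost:33125         ESTABLISHED 7408/giftd
tcp        0      0 192.0.2.10:40123        203.0.113.5:1863        ESTABLISHED 7278/kopete
tcp        0      0 localhost:33125         localhost:1213          ESTABLISHED 7407/apollon
udp        0      0 *:1214                  *:*                                 7408/giftd
udp        0      0 *:bootpc                *:*                                 6567/dhcpcd
udp        0      0 *:631                   *:*                                 6594/cupsd'

# Reads a netstat listing on stdin and prints "proto port program bind" for
# each socket that can receive unsolicited packets: TCP sockets in LISTEN and
# every UDP socket (UDP has no connection state to show). "bind" is "any"
# when the socket listens on all addresses (*, 0.0.0.0 or ::), else the
# address it is bound to. ESTABLISHED rows are ignored: the firewall's
# ESTABLISHED,RELATED rule already covers those.
listening_sockets() {
    awk '
        function emit(proto, laddr, prog,    port, bind) {
            port = laddr; sub(/^.*:/, "", port)      # text after the last colon
            bind = laddr; sub(/:[^:]*$/, "", bind)   # text before the last colon
            if (bind == "*" || bind == "0.0.0.0" || bind == "::" || bind == "") bind = "any"
            sub(/^[0-9]+\//, "", prog)               # drop the PID, keep the name
            print proto, port, prog, bind
        }
        $1 == "tcp" && $6 == "LISTEN" { emit($1, $4, $7) }
        $1 == "udp"                   { emit($1, $4, $6) }
    '
}

# Number of listening sockets in the listing on stdin.
count_listeners() {
    listening_sockets | awk 'END { print NR }'
}

# The explicit INPUT rule you would add if you decide a listener must be
# reachable from the network (the thread's tcp/1214 example). Everything not
# listed this way stays reachable only as a reply to a connection this host
# started, via the ESTABLISHED,RELATED rule.
input_rule_for() {
    printf 'iptables -A INPUT -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
}

# Stand-alone run: show the listeners in the sample and one rule for the one
# service that should be reachable from outside.
printf '%s\n' "$NETSTAT_SAMPLE" | listening_sockets
input_rule_for tcp 1214
```

On a live box replace the embedded sample with `netstat --all -p | listening_sockets` (run as root so the program column is filled in). Every line it prints is a socket that would be reachable if the INPUT policy were ACCEPT; with the default-deny policy from post #4 each one stays closed until you deliberately add a rule for it, which matches the reasoning in the post about cupsd and giftd.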
 
Old 10-20-2004, 07:50 AM   #11
ProtoformX
Thanks qwijibow
 
  

