Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want to use iptables in order to reject a range of ports, from 1025 to 2025. What is the syntax?
The following chain is valid for just one port:
iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 --dport 1024 -j REJECT
The following is valid for two ports:
iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 -m multiport --dport 1024,1025 -j REJECT
Since I can't enumerate all the ports one by one (it would be too long), what if I would like to reject many more ports, let's say from port 1025 up to port 2025? How do I write it, using iptables of course?
Thanks a lot for your reply.
I looked in 'man iptables' but I couldn't sort it out.
You would be much better served to put in a broad "reject all ports" statement and then add accept statements for only those ports you do want to accept. That is to say, do your iptables by inclusion rather than exclusion. The list of ports you actually need to have open would be much shorter. It's not clear why you would only want to reject the range you gave, given that there are thousands of ports.
On a DNS server, for example, I only open port 22 for ssh on the internal NIC, along with 1 port for our backup software on that same NIC. I also open up the transfer port for the slave DNS on that NIC. Externally I only open up the port that allows for DNS lookups. A total of 5 ports out of the thousands possible. Even on a system where you were running more than that, you likely can limit it to very few ports. Remember you can limit inbound without limiting outbound.
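One way to build a gateway ruleset "by inclusion", as the reply above recommends, written as an added example (it is not code from the thread). It assumes the layout the original poster describes: a LAN on 192.168.0.0/24 behind a gateway with one LAN-side interface and one modem-side interface. The interface names eth0/eth1, the allowed port lists and the use of a LOG rule are assumptions. IPT defaults to a dry run that only prints the iptables commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny FORWARD chain for the
# gateway, built by inclusion. Interface names and allowed ports are
# assumptions; adjust them to the real gateway.
IPT="${IPT:-echo iptables}"          # dry run by default: just print commands
LAN_IF="${LAN_IF:-eth0}"             # assumed: NIC holding 192.168.0.2
WAN_IF="${WAN_IF:-eth1}"             # assumed: NIC holding 192.168.1.2 (modem side)
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Destination ports the LAN may reach on the Internet. Anything not listed
# here is dropped by the chain policy, so there is nothing to enumerate for
# blocking: Skype, aMule or MSN on other ports never get a rule at all.
ALLOW_TCP="${ALLOW_TCP:-22 80 443}"
ALLOW_UDP="${ALLOW_UDP:-53}"

apply_gateway_rules() {
    # Policy first: nothing is forwarded unless a rule below accepts it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies to connections the LAN opened come back without extra rules.
    # (On old kernels the same match is spelled "-m state --state".)
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # One accept rule per allowed destination port, LAN -> Internet only.
    for p in $ALLOW_TCP; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $ALLOW_UDP; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done

    # Everything else falls through to the DROP policy; log a rate-limited
    # sample so blocked applications can be identified in the kernel log.
    $IPT -A FORWARD -i "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # NAT the LAN behind the WAN address (the "masquerade" the poster mentions).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_gateway_rules
```

Run it once to see the commands, then with IPT=iptables as root to apply them. Adding an application back later means adding one ACCEPT line, not hunting for the ports it uses.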
In fact, what I want to do is to close some utilities such as "SKYPE, AMULE, MSN", because here where I am many people are using them and they are just killing the bandwidth.
So I want to restrict some ports.
Well, if you have a better idea, I would be grateful.
and modify this script and apply it to both the external (to control upload speed) and internal (to control download speed of your LAN clients) interfaces: http://lartc.org/wondershaper/
I use both squid on my proxy server and htb on my router, and since then I'm in complete control of the bandwidth hogs on my network.
Blocking Skype is not easy but doable with squid and a regular expression I found posted on another site by a pro...
Well, thanks again for your reply, and it seems that your answer should be delivered to a professional.
I am still a newbie, and when I went through your links I was afraid because I did not understand what they were talking about.
Do you have a less complicated answer?
I want to stop "SKYPE, AMULE and MSN" because I think that they are killing the bandwidth.
Can't we use iptables?
Sorry, but I am still a newbie and perhaps after a while I will try to go through your links.
The other way is to tell me what I should do exactly, I mean step by step.
I downloaded the wondershaper but I don't know what to do after.
Where should I put the script, for example?
The syntax to specify a range of ports with iptables is with ":", for example:
iptables -A INPUT -i eth0 -p tcp \
   --dport 1024:65535 \
   -j DROP
will drop all incoming packets on the eth0 interface whose destination is any unprivileged port. (The stray "-d" with no address that was in the original line has been removed; "-d" takes a destination address, not a port.)
Hope it will be of help to you.
Thanks for replying.
I followed your suggestion and, since I've got a LAN and a GATEWAY, I wrote:
iptables -A FORWARD -p tcp --dport 1025:50000 -s O/O -d 192.168.0.5 -j REJECT
It says "invalid mask". What does this mean?
I have ADSL, a LAN subnet 192.168.0.0, masquerading is started, and a gateway which has two network cards: 192.168.0.2, which is on my LAN, and 192.168.1.2, which is linked to the modem.
I want to stop the 192.168.0.5 computer from using Skype, MSN and aMule.
OK, tell me your total upstream/downstream bandwidth. Also tell me a client IP too... you can monitor the top bandwidth hog by using a tool like iptraf.
That red thing is not the letter "O/O" but the number "0/0", and that is a dirty way to do it and will definitely fail to block Skype... haha, I told you Skype is interesting.
The IP address that I want to drop or reject is 192.168.0.55, which has the MAC address 00:08:a1:34:96:f7. Since I am using DHCPD, this IP address could change.
This says to drop any incoming TCP traffic using ports 1025-50000 from this MAC address going to 192.168.0.5.
You might want to think about whether you need both TCP and UDP included.
Do you want to block it going to any destination rather than just 192.168.0.5? (-d any)
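Putting together the ":" port-range syntax from the earlier reply and the points in the reply above (TCP plus UDP, any destination, and a MAC match so the rule survives a DHCP lease change), here is an added example that is not code from the thread. It validates the source network and the port range before calling iptables, so a typo like the letter-O "O/O" that produced the "invalid mask" error is caught with a readable message. It assumes the gateway's LAN interface is eth0 (the thread never names it) and uses the MAC address quoted in the thread; traffic from a LAN host to the Internet crosses the gateway's FORWARD chain, not INPUT, so the rules go there. IPT defaults to a dry run that prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): reject a destination port range for
# one LAN host, matched by MAC, in the gateway's FORWARD chain. The LAN
# interface name is an assumption. IPT=iptables (as root) applies for real.
IPT="${IPT:-echo iptables}"

# Accept address/prefix specs such as 0/0, 0.0.0.0/0 or 192.168.0.0/24
# (dotted-decimal netmasks are deliberately not accepted here). The thread's
# "O/O" with the letter O fails this check, which is what iptables itself
# reported as "invalid mask".
valid_net() {
    addr="${1%/*}"; mask="${1#*/}"
    [ "$addr" != "$1" ] || return 1        # no "/" at all
    echo "$addr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){0,3}$' || return 1
    for o in $(echo "$addr" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    echo "$mask" | grep -Eq '^[0-9]{1,2}$' && [ "$mask" -le 32 ]
}

# Accept a single port or a low:high range within 1..65535, low <= high.
valid_port_range() {
    lo="${1%%:*}"; hi="${1##*:}"
    echo "$lo$hi" | grep -Eq '^[0-9]+$' || return 1
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Usage: block_client_range MAC PORT_RANGE [SRC_NET] [LAN_IF]
# Rejects TCP and UDP from the host with that MAC to PORT_RANGE on any
# Internet address (-d 0/0). Matching the MAC instead of the IP keeps the
# rule valid when DHCP hands the host a different address.
block_client_range() {
    mac="$1"; range="$2"; src="${3:-0/0}"; lan_if="${4:-eth0}"
    valid_net "$src" || { echo "bad source spec: $src (use e.g. 0/0)" >&2; return 1; }
    valid_port_range "$range" || { echo "bad port range: $range" >&2; return 1; }
    for proto in tcp udp; do
        $IPT -A FORWARD -i "$lan_if" -m mac --mac-source "$mac" \
            -s "$src" -d 0/0 -p "$proto" --dport "$range" -j REJECT
    done
}

# MAC address quoted in the thread; range from the poster's attempt.
block_client_range 00:08:a1:34:96:f7 1025:50000
```

As the thread already notes, a port-range rule like this does not stop a client that falls back to 80/443; for that, the squid or traffic-shaping approach suggested earlier is the realistic route, and this rule only removes the high-port paths.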
The Skype options say that it can work on port 10229 (the default) and on 80/443 as an alternative, which means that I should reject the three ports (80, 443, 10229). But if I do so, the host will not be able to go outside (Internet), which is not what I hope for.
On the other hand, I tried the following rule but without any good result:
iptables -A INPUT -p tcp --dport 1025:65000 -m mac --mac-source 00:08:A1:26:20:A1 -d 0/0 -j REJECT
Now, since I can't deselect the 80 and 443 ports (it is not my computer), I am still scratching my head.