Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
10-21-2006, 05:21 AM
|
#1
|
Member
Registered: Nov 2004
Location: Algeria
Posts: 111
Rep:
|
iptables and ports
hy
I want to use iptables in order to reject a range of ports, from 1025 to 2025. What is the syntax?
The following chain is valid for just one port:
iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 --dport 1024 -j REJECT
The following is valid for two ports:
iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 -m multiport --dport 1024,1025 -j REJECT
Since i can't enumerate all the ports one by one, it will be to long. So what if I would like to reject many more ports let say from port 1025 until port 2025, how to write it using iptables of course?
thanks a lot for your reply
i looked in 'man iptables' but i could'nt sort it out.
thanks again
red
Last edited by hermouche; 10-21-2006 at 06:56 AM.
|
|
|
10-21-2006, 08:32 AM
|
#2
|
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
|
You would be much better served to put in a broad reject all ports statement then add accept statements for only those ports you do want to accept. That is to say do your iptables by inclusion rather than exclusion. The list of ports you actually need to have open would be much shorter. It's not clear why you would only want to reject the range you gave given that there are thousands of ports.
On a DNS server for example I only open port 22 for ssh on the internal NIC along with 1 port for our backup software on that same NIC. I also open up transfer port for the slave DNS on that NIC. Externally I only open up the port that allows for DNS lookups. A total of 5 ports out of the thousand possible. Even on a system where you were running more than that you likely can limit it to very few ports. Remember you can limit inbound without limiting outbound.
|
|
|
10-22-2006, 08:01 AM
|
#3
|
Member
Registered: Nov 2004
Location: Algeria
Posts: 111
Original Poster
Rep:
|
hy jlightner
Quote:
Originally Posted by jlightner
You would be much better served to put in a broad reject all ports statement then add accept statements for only those ports you do want to accept. That is to say do your iptables by inclusion rather than exclusion. The list of ports you actually need to have open would be much shorter. It's not clear why you would only want to reject the range you gave given that there are thousands of ports.
On a DNS server for example I only open port 22 for ssh on the internal NIC along with 1 port for our backup software on that same NIC. I also open up transfer port for the slave DNS on that NIC. Externally I only open up the port that allows for DNS lookups. A total of 5 ports out of the thousand possible. Even on a system where you were running more than that you likely can limit it to very few ports. Remember you can limit inbound without limiting outbound.
|
In fact what i want to do is to close some utilities such as "SKYPE, AMULE, MSN" because here where i am many people are using them and they are just killing the bandwidth.
So i want to restrict some ports.
Well if you have a better idea it will be greatfull.
thanks a lot for your reply
red
Last edited by hermouche; 10-22-2006 at 09:35 AM.
|
|
|
10-22-2006, 02:20 PM
|
#4
|
Member
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227
Rep:
|
better use squid or setup htb and shape bandwidth and put the assh0l3s ip in the low priority class...
understand HTB reading this:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
and modify this script and apply it to both the external(to control upload speed) and internal(to control download speed of your lan clients) interface:
http://lartc.org/wondershaper/
I use both squid on my proxy server and htb on my router...and since then i'm in complete control of the bandwidth hogers on my network
blocking skype is not easy but doable with squid and a regular expression i found posted on another site by a pro...
Last edited by ~=gr3p=~; 10-22-2006 at 02:22 PM.
|
|
|
10-22-2006, 06:06 PM
|
#5
|
LQ Newbie
Registered: Apr 2005
Posts: 7
Rep:
|
The sintaxis to enumerate a range of ports with iptables is with ":", for example
iptables -A INPUT -i eth0 -p tcp \
-d --dport 1024:65535 \
-j DROP
Will drop all incoming packet from the eth0 interface with destination any unprivileged port
Hope it will be of help to you
|
|
|
10-22-2006, 06:54 PM
|
#6
|
Member
Registered: Nov 2004
Location: Algeria
Posts: 111
Original Poster
Rep:
|
thanks gr3p for your reply
Quote:
Originally Posted by ~=gr3p=~
better use squid or setup htb and shape bandwidth and put the assh0l3s ip in the low priority class...
understand HTB reading this:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
and modify this script and apply it to both the external(to control upload speed) and internal(to control download speed of your lan clients) interface:
http://lartc.org/wondershaper/
I use both squid on my proxy server and htb on my router...and since then i'm in complete control of the bandwidth hogers on my network
blocking skype is not easy but doable with squid and a regular expression i found posted on another site by a pro...
|
Well, thanks again for your reply and it seems that your answer should be delivered to a professional.
I am still a newbie and when i went through your links, i was afraid because i did not understand what they where talking about.
Do you have a less complicated answer.
I want to stop "SKYPE, AMULE and MSN" because i think that they are killing the bandwidth.
can't we use iptables?
Sorry but i am still a newbie and perhaps after a while i will try to go through your links.
The other way is to tell me wat should i do exactly, i mean step by step.
I downloaded the wondershaper but i don't know what to do after.
where should i put the script for example?
How to use htb?
red
thanks again
red
Last edited by hermouche; 10-22-2006 at 07:00 PM.
|
|
|
10-22-2006, 07:25 PM
|
#7
|
Member
Registered: Nov 2004
Location: Algeria
Posts: 111
Original Poster
Rep:
|
hy wistoka
Quote:
Originally Posted by Wistoka
The sintaxis to enumerate a range of ports with iptables is with ":", for example
iptables -A INPUT -i eth0 -p tcp \
-d --dport 1024:65535 \
-j DROP
Will drop all incoming packet from the eth0 interface with destination any unprivileged port
Hope it will be of help to you
|
thanks for replying.
I followed your suggestio and i wrote since i 've got a LAN and a GATEWAY:
iptables -A FORWARD -p tcp --dport 1025:50000 -s O/O -d 192.168.0.5 -j REJECT
It says "invalid mask" what does this means?
I have an adsl, a subnet LAN 192.168.0.0, the masquerade is started, a Gateway which has two network cards: 192.168.0.2 which is my LAN and 192.168.1.2 which is linked to the modem.
I want to stop the 192.168.0.5 computer from using Skype, MSN and Amule.
red
thanks again
|
|
|
10-22-2006, 09:58 PM
|
#8
|
Member
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227
Rep:
|
ok tell me your total upstream/downstream bandwidth? Also tell me a client IP too...you can monitor the top bandwidth hoger by using a tool like iptraf ..
Quote:
iptables -A FORWARD -p tcp --dport 1025:50000 -s O/O -d 192.168.0.5 -j REJECT
It says "invalid mask" what does this means?
|
that red thing is not alphabet "O/O" but number "0/0" and that is a dirty way to do it and will definitely fail to block skype..haha i told u skype is interesting
Last edited by ~=gr3p=~; 10-22-2006 at 10:05 PM.
|
|
|
10-23-2006, 06:17 AM
|
#9
|
Member
Registered: Nov 2004
Location: Algeria
Posts: 111
Original Poster
Rep:
|
Quote:
Originally Posted by ~=gr3p=~
ok tell me your total upstream/downstream bandwidth? Also tell me a client IP too...you can monitor the top bandwidth hoger by using a tool like iptraf ..
that red thing is not alphabet "O/O" but number "0/0" and that is a dirty way to do it and will definitely fail to block skype..haha i told u skype is interesting
|
This is what i get from a bandwidth test:
Modem 56k Modem 56k 56 Kbps (7 KB/sec) 56 Kbps (7 KB/sec)
Cable/Numeris 64k Cable/Numeris 64k 64 Kbps (8 KB/sec) 64 Kbps (8 KB/sec)
Cable/ADSL/Numeris 128k Cable/ADSL/Numeris 128k 128 Kbps (16 KB/sec) 128 Kbps (16 KB/sec)
Cable 256k Cable 256k 256 Kbps (32 KB/sec) 256 Kbps (32 KB/sec)
Cable/ADSL 512k Cable/ADSL 512k 512 Kbps (64 KB/sec) 512 Kbps (64 KB/sec)
Cable/ADSL 1024k Cable/ADSL 1024k 1024 Kbps (128 KB/sec) 1024 Kbps (128 KB/sec)
Cable 1100k Cable 1100k 1100 Kbps (137.5 KB/sec) 1100 Kbps (137.5 KB/sec)
T1 T1 1500 Kbps (187.5 KB/sec) 1500 Kbps (187.5 KB/sec)
Cable/DSL 2M Cable/DSL 2M 2000 Kbps (250 KB/sec) 2000 Kbps (250 KB/sec)
Your BandWidth Your BandWidth 130.729 Kbps (16.341 KB/sec) 130.729 Kbps (16.341 KB/sec)
EDPnet Speed Test
the ip adress that i want to drop or reject is 192.168.0.55 which has a mac adress 00:08:a1:34:96:f7. Since I am using a DHCPD, it means that this ip adress could change.
red
|
|
|
10-23-2006, 11:49 AM
|
#10
|
Member
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849
Rep:
|
Try something like this:
Code:
iptables -A INPUT -p tcp --dport 1025:50000 -s --mac-source XX:XX:XX:XX:XX:XX -d 192.168.0.5 -j REJECT
This says to drop any incoming tcp traffic using ports 1025 - 50000 from this mac address going to 192.168.0.5.
You might want to think you might need both tcp and udp included?
Do you want to block it going to any destination rather than just 192.168.0.5? ( -d any)
|
|
|
10-23-2006, 05:04 PM
|
#11
|
Member
Registered: Nov 2004
Location: Algeria
Posts: 111
Original Poster
Rep:
|
Thanks mossy for replying
Quote:
Originally Posted by mossy
Try something like this:
Code:
iptables -A INPUT -p tcp --dport 1025:50000 -s --mac-source XX:XX:XX:XX:XX:XX -d 192.168.0.5 -j REJECT
This says to drop any incoming tcp traffic using ports 1025 - 50000 from this mac address going to 192.168.0.5.
You might want to think you might need both tcp and udp included?
Do you want to block it going to any destination rather than just 192.168.0.5? ( -d any)
|
The SKYPE option says that it can work on port:10229 which is the (default) and on 80/443 as an alternative, which means that i should reject the three port(80, 443, 10229). But if i do so, the host will not be able to go outside (internet), which is not my hope.
on the other hand i tried this folowing rule but without any good result:
iptables -A INPUT -p tcp --dport 1025:65000 -m mac --mac-source 00:08:A1:26:20:A1 -d 0/0 -j REJECT
Now since i can't deselecte the 80 and 443 ports (it is not my computer) so i am still scratching my head
Last edited by hermouche; 10-23-2006 at 05:46 PM.
|
|
|
10-23-2006, 05:51 PM
|
#12
|
Member
Registered: Nov 2004
Location: Algeria
Posts: 111
Original Poster
Rep:
|
do we have to use the FORWARD or the INPUT chain?
|
|
|
10-24-2006, 06:34 AM
|
#13
|
Member
Registered: Mar 2004
Location: england
Distribution: slackware
Posts: 164
Rep:
|
Quote:
Originally Posted by hermouche
do we have to use the FORWARD or the INPUT chain?
|
input.
and
'iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 --dport 1024:2025 -j REJECT' should do it, unless im missing something :/
|
|
|
10-24-2006, 01:10 PM
|
#14
|
Member
Registered: Nov 2004
Location: Algeria
Posts: 111
Original Poster
Rep:
|
I will check and you will get the response soon, actually i am outside my desk
thanks for following with me.
red
|
|
|
10-26-2006, 10:39 PM
|
#15
|
Member
Registered: Nov 2004
Location: Algeria
Posts: 111
Original Poster
Rep:
|
hy bruj3w
Quote:
Originally Posted by bruj3w
input.
and
'iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 --dport 1024:2025 -j REJECT' should do it, unless im missing something :/
|
Well, i am sorry but still working.
I also stopped the port 80: still working also.
I stopped both tcp and udp still working.
I stopped from ports "1025:60000": still working.
I am still searching how to stop SKYPE, MSN and AMULE with iptables
red
Thanks
|
|
|
All times are GMT -5. The time now is 06:17 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|