LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-21-2006, 05:21 AM   #1
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Rep: Reputation: 15
iptables and ports


Hi

I want to use iptables in order to reject a range of ports, from 1025 to 2025. What is the syntax?

The following chain is valid for just one port:
iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 --dport 1024 -j REJECT

The following is valid for two ports:
iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 -m multiport --dport 1024,1025 -j REJECT

Since I can't enumerate all the ports one by one (it would be too long), what if I would like to reject many more ports, let's say from port 1025 until port 2025? How do I write it, using iptables of course?

thanks a lot for your reply

I looked in 'man iptables' but I couldn't sort it out.

thanks again
red

Last edited by hermouche; 10-21-2006 at 06:56 AM.
 
Old 10-21-2006, 08:32 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
You would be much better served to put in a broad reject-all-ports statement and then add accept statements for only those ports you do want to accept. That is to say, do your iptables by inclusion rather than exclusion. The list of ports you actually need to have open would be much shorter. It's not clear why you would only want to reject the range you gave, given that there are thousands of ports.

On a DNS server, for example, I only open port 22 for ssh on the internal NIC along with 1 port for our backup software on that same NIC. I also open up the transfer port for the slave DNS on that NIC. Externally I only open up the port that allows for DNS lookups. A total of 5 ports out of the thousands possible. Even on a system where you were running more than that, you likely can limit it to very few ports. Remember you can limit inbound without limiting outbound.
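Added example, not from MensaWater's post or any poster in this thread: the inclusion-style INPUT policy that post describes, written as a dry-run firewall script (it prints the rules; run it with IPT=iptables to apply them). The interface names (eth0 internal, eth1 external), the slave name server's address and the backup agent's port are assumed values.

```shell
#!/bin/sh
# Default-deny INPUT policy for the DNS server scenario: drop everything,
# then accept only the handful of ports the host actually serves.
# Dry-run by default (prints the rules); IPT=iptables sh this.sh applies them.
IPT="${IPT:-echo iptables}"
INT_IF=eth0                 # internal NIC (assumed name)
EXT_IF=eth1                 # external NIC (assumed name)
SLAVE_DNS=192.168.0.10      # assumed address of the slave name server
BACKUP_PORT=10000           # assumed port of the backup agent

apply_rules() {
    # Start from a clean INPUT chain; anything not accepted below is dropped.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    # Loopback, and replies to connections this host initiated itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internal NIC: ssh and the backup agent only.
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport "$BACKUP_PORT" -j ACCEPT
    # Zone transfers (TCP 53) only from the slave, only on the internal NIC.
    $IPT -A INPUT -i "$INT_IF" -p tcp -s "$SLAVE_DNS" --dport 53 -j ACCEPT
    # External NIC: DNS lookups only (UDP 53, plus TCP 53 for large answers).
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 53 -j ACCEPT
    # No port range to enumerate: everything else hits the DROP policy.
}

# How many port-specific accept rules the policy needs (the "short list").
opened_port_rules() {
    apply_rules | grep -c -- '--dport'
}

apply_rules
```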
 
Old 10-22-2006, 08:01 AM   #3
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
Hi jlightner

Quote:
Originally Posted by jlightner
You would be much better served to put in a broad reject-all-ports statement and then add accept statements for only those ports you do want to accept. That is to say, do your iptables by inclusion rather than exclusion. The list of ports you actually need to have open would be much shorter. It's not clear why you would only want to reject the range you gave, given that there are thousands of ports.

On a DNS server, for example, I only open port 22 for ssh on the internal NIC along with 1 port for our backup software on that same NIC. I also open up the transfer port for the slave DNS on that NIC. Externally I only open up the port that allows for DNS lookups. A total of 5 ports out of the thousands possible. Even on a system where you were running more than that, you likely can limit it to very few ports. Remember you can limit inbound without limiting outbound.
In fact what I want to do is to close some utilities such as "SKYPE, AMULE, MSN", because here where I am many people are using them and they are just killing the bandwidth.
So I want to restrict some ports.
Well, if you have a better idea, I would be grateful.

thanks a lot for your reply

red

Last edited by hermouche; 10-22-2006 at 09:35 AM.
 
Old 10-22-2006, 02:20 PM   #4
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
Better use squid, or set up HTB and shape bandwidth and put the assh0l3s' IPs in the low-priority class...

Understand HTB by reading this:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

and modify this script and apply it to both the external (to control upload speed) and internal (to control download speed of your LAN clients) interface:
http://lartc.org/wondershaper/

I use both squid on my proxy server and HTB on my router... and since then I'm in complete control of the bandwidth hogs on my network.

Blocking skype is not easy but doable with squid and a regular expression I found posted on another site by a pro...

Last edited by ~=gr3p=~; 10-22-2006 at 02:22 PM.
 
Old 10-22-2006, 06:06 PM   #5
Wistoka
LQ Newbie
 
Registered: Apr 2005
Posts: 7

Rep: Reputation: 0
The syntax to specify a range of ports with iptables uses ":", for example

iptables -A INPUT -i eth0 -p tcp \
  --dport 1024:65535 \
  -j DROP

This will drop all incoming packets from the eth0 interface with any unprivileged port as destination.

Hope it will be of help to you
 
Old 10-22-2006, 06:54 PM   #6
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
thanks gr3p for your reply

Quote:
Originally Posted by ~=gr3p=~
Better use squid, or set up HTB and shape bandwidth and put the assh0l3s' IPs in the low-priority class...

Understand HTB by reading this:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

and modify this script and apply it to both the external (to control upload speed) and internal (to control download speed of your LAN clients) interface:
http://lartc.org/wondershaper/

I use both squid on my proxy server and HTB on my router... and since then I'm in complete control of the bandwidth hogs on my network.

Blocking skype is not easy but doable with squid and a regular expression I found posted on another site by a pro...
Well, thanks again for your reply, and it seems that your answer should be delivered to a professional.

I am still a newbie, and when I went through your links I was afraid because I did not understand what they were talking about.

Do you have a less complicated answer?

I want to stop "SKYPE, AMULE and MSN" because I think that they are killing the bandwidth.

Can't we use iptables?

Sorry, but I am still a newbie and perhaps after a while I will try to go through your links.

The other way is to tell me what I should do exactly, I mean step by step.

I downloaded the wondershaper but I don't know what to do after.
Where should I put the script, for example?

How do I use htb?

thanks again

red

Last edited by hermouche; 10-22-2006 at 07:00 PM.
 
Old 10-22-2006, 07:25 PM   #7
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
Hi Wistoka

Quote:
Originally Posted by Wistoka
The syntax to specify a range of ports with iptables uses ":", for example

iptables -A INPUT -i eth0 -p tcp \
  --dport 1024:65535 \
  -j DROP

This will drop all incoming packets from the eth0 interface with any unprivileged port as destination.

Hope it will be of help to you

thanks for replying.

I followed your suggestion and, since I've got a LAN and a gateway, I wrote:
iptables -A FORWARD -p tcp --dport 1025:50000 -s O/O -d 192.168.0.5 -j REJECT

It says "invalid mask". What does this mean?

I have ADSL, a LAN subnet 192.168.0.0, masquerading is started, and a gateway which has two network cards: 192.168.0.2, which is on my LAN, and 192.168.1.2, which is linked to the modem.

I want to stop the 192.168.0.5 computer from using Skype, MSN and Amule.

red

thanks again
 
Old 10-22-2006, 09:58 PM   #8
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
OK, tell me your total upstream/downstream bandwidth. Also tell me a client IP too... you can monitor the top bandwidth hog by using a tool like iptraf..

Quote:
iptables -A FORWARD -p tcp --dport 1025:50000 -s O/O -d 192.168.0.5 -j REJECT

It says "invalid mask". What does this mean?
That red thing is not the letter "O/O" but the number "0/0", and that is a dirty way to do it and will definitely fail to block skype.. haha, I told you skype is interesting

Last edited by ~=gr3p=~; 10-22-2006 at 10:05 PM.
 
Old 10-23-2006, 06:17 AM   #9
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ~=gr3p=~
OK, tell me your total upstream/downstream bandwidth. Also tell me a client IP too... you can monitor the top bandwidth hog by using a tool like iptraf..



That red thing is not the letter "O/O" but the number "0/0", and that is a dirty way to do it and will definitely fail to block skype.. haha, I told you skype is interesting
This is what I get from a bandwidth test:

Modem 56k: 56 Kbps (7 KB/sec)
Cable/Numeris 64k: 64 Kbps (8 KB/sec)
Cable/ADSL/Numeris 128k: 128 Kbps (16 KB/sec)
Cable 256k: 256 Kbps (32 KB/sec)
Cable/ADSL 512k: 512 Kbps (64 KB/sec)
Cable/ADSL 1024k: 1024 Kbps (128 KB/sec)
Cable 1100k: 1100 Kbps (137.5 KB/sec)
T1: 1500 Kbps (187.5 KB/sec)
Cable/DSL 2M: 2000 Kbps (250 KB/sec)
Your BandWidth: 130.729 Kbps (16.341 KB/sec)

EDPnet Speed Test

The IP address that I want to drop or reject is 192.168.0.55, which has the MAC address 00:08:a1:34:96:f7. Since I am using DHCPD, this IP address could change.

red
 
Old 10-23-2006, 11:49 AM   #10
mossy
Member
 
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849

Rep: Reputation: 30
Try something like this:

Code:
iptables -A INPUT -p tcp --dport 1025:50000 -m mac --mac-source XX:XX:XX:XX:XX:XX -d 192.168.0.5 -j REJECT
This says to drop any incoming tcp traffic using ports 1025 - 50000 from this mac address going to 192.168.0.5.

You might want to think about whether you need both tcp and udp included?
Do you want to block it going to any destination rather than just 192.168.0.5? ( -d any)
 
Old 10-23-2006, 05:04 PM   #11
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
Thanks mossy for replying

Quote:
Originally Posted by mossy
Try something like this:

Code:
iptables -A INPUT -p tcp --dport 1025:50000 -m mac --mac-source XX:XX:XX:XX:XX:XX -d 192.168.0.5 -j REJECT
This says to drop any incoming tcp traffic using ports 1025 - 50000 from this mac address going to 192.168.0.5.

You might want to think about whether you need both tcp and udp included?
Do you want to block it going to any destination rather than just 192.168.0.5? ( -d any)
The SKYPE option says that it can work on port 10229 (the default) and on 80/443 as an alternative, which means that I should reject the three ports (80, 443, 10229). But if I do so, the host will not be able to go outside (internet), which is not what I want.

On the other hand, I tried the following rule but without any good result:
iptables -A INPUT -p tcp --dport 1025:65000 -m mac --mac-source 00:08:A1:26:20:A1 -d 0/0 -j REJECT


Now, since I can't deselect the 80 and 443 ports (it is not my computer), I am still scratching my head.

Last edited by hermouche; 10-23-2006 at 05:46 PM.
 
Old 10-23-2006, 05:51 PM   #12
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
do we have to use the FORWARD or the INPUT chain?
 
Old 10-24-2006, 06:34 AM   #13
bruj3w
Member
 
Registered: Mar 2004
Location: england
Distribution: slackware
Posts: 164

Rep: Reputation: 30
Quote:
Originally Posted by hermouche
do we have to use the FORWARD or the INPUT chain?
input.

and

'iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 --dport 1024:2025 -j REJECT' should do it, unless I'm missing something :/
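Added example, not posted by anyone in this thread: a ruleset for the gateway topology hermouche describes (LAN on one NIC, modem on the other, masquerading on). On a masquerading gateway, packets a LAN host sends toward the Internet traverse the FORWARD chain, while INPUT only sees packets addressed to the gateway itself, so the rejections are placed in FORWARD; the script shows the ':' range syntax, -m multiport for a scattered set of ports, -m mac to pin the rule to a MAC that survives a DHCP lease change, and a small check that catches the letter-O typo behind "invalid mask". eth0 as the LAN NIC and the /24 mask are assumptions; the MAC is the one quoted in post #9.

```shell
#!/bin/sh
# Gateway FORWARD rules for a masquerading router with a LAN behind it.
# Dry-run by default (prints the rules); IPT=iptables sh this.sh applies them.
IPT="${IPT:-echo iptables}"
LAN_IF=eth0                       # assumed name of the 192.168.0.2 NIC
LAN_NET=192.168.0.0/24            # /24 mask is an assumption
CLIENT_MAC=00:08:a1:34:96:f7      # host from the thread; MAC outlives DHCP leases
PORT_RANGE=1025:2025              # a contiguous range is written with ':'
PORT_LIST=1024,1025               # a scattered set uses -m multiport

# Reject the "O/O" typo that produced "invalid mask": allow only digits, '.' and '/'.
valid_addr() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

apply_rules() {
    valid_addr "$LAN_NET" || { echo "bad address: $LAN_NET" >&2; return 1; }
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Replies to connections that were already allowed out.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Per-host rejections, matched on the source MAC so a new lease does not
    # bypass them. They must precede the general ACCEPT: rules match in order.
    $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$CLIENT_MAC" \
        -p tcp --dport "$PORT_RANGE" -j REJECT
    $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$CLIENT_MAC" \
        -p udp --dport "$PORT_RANGE" -j REJECT
    $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$CLIENT_MAC" \
        -p tcp -m multiport --dports "$PORT_LIST" -j REJECT
    # Everything else from the LAN may go out (masquerading is set up elsewhere).
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

apply_rules
```

As the thread itself notes, an application that falls back to 80/443 is not stopped by port rules alone; this shows the chain and the syntax, not a Skype blocker.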
 
Old 10-24-2006, 01:10 PM   #14
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
I will check and you will get the response soon; actually I am away from my desk.

thanks for following with me.

red
 
Old 10-26-2006, 10:39 PM   #15
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
Hi bruj3w

Quote:
Originally Posted by bruj3w
input.

and

'iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 --dport 1024:2025 -j REJECT' should do it, unless im missing something :/

Well, I am sorry, but it is still working.

I also stopped port 80: still working.
I stopped both tcp and udp: still working.
I stopped the ports "1025:60000": still working.

I am still searching how to stop SKYPE, MSN and AMULE with iptables.

red

Thanks
 