iptables invert issue

lappen · 09-25-2004, 08:01 PM

Code:

@tux.init.d # iptables -A INPUT --protocol ! tcp --dport 51000 -j ACCEPT
iptables: Invalid argument

@tux init.d # iptables -A INPUT -p ! tcp --dport 51000 -j ACCEPT
iptables: Invalid argument

@tux init.d # iptables -A INPUT --protocol !tcp --dport 51000 -j ACCEPT
bash: !tcp: event not found

@tux init.d # iptables -A INPUT -p !tcp --dport 51000 -j ACCEPT
bash: !tcp: event not found

Any suggestions on how to get it to work?

iptables v1.2.11
Linux tux 2.6.7 #1 Sun Jun 27 03:10:39 CEST 2004 i686 Celeron (Mendocino) GenuineIntel GNU/Linux
Gentoo

d0odman · 09-25-2004, 10:09 PM

It looks like you're trying to create a rule that accepts everything BUT that port? Try putting a REJECT at the end, and then right filter rules that let everything in by default.

lappen · 09-26-2004, 06:43 AM

Yes I am trying to accept everything but that port and it should work according to the manual.

I am not sure that I understand your answer 'RIGHT FILTER RULES?', I have a RULE at the end of my script that TAKES everything that hasn't a rule --ESTABLISHED --RELATED , DROP or ACCEPT.. then it sends all of those packets to a CHAIN for REJECTING/DROPPING and LOGGING depending on the package.

Linux~Powered · 09-26-2004, 10:53 AM

Quote:

Yes I am trying to accept everything but that port and it should work according to the manual.

If i'm right then you should have either REJECT or DROP at the end of your table. The way you have it now states...

iptables -A (append) INPUT -protocol ! (not) tcp --dport 51000 -j (make) ACCEPT

Code:

iptables -A INPUT -protocol ! tcp --dport 51000

Here your are telling the table 'not' to allow any packages to be able to pass through destination port 51000

Code:

-j ACCEPT

Here you are telling the table what to do with the packet when it reaches the end of the table...which is ACCEPT it. So why would you want to ACCEPT the packet when you just told the table ! (not) to allow anything to pass through dport 51000? When it should be REJECT or DROP
the packet, becasue you want the table to REJECT or DROP the packet and not ACCEPT it.

lappen · 09-26-2004, 12:22 PM

So basically if I do
iptables -A INPUT -protocol ! tcp --dport 51000 REJECT

I will deny udp and icmp on that port, but I allready hava a rule ot the bottom that captures all packets that hasnt been allowed so basically I wont need that.
What I need to do is to allow both udp and tcp in one rule, how would I do that then?

and here is the output the same as before
@tux init.d # iptables -A INPUT -p ! tcp --dport 51000 -j REJECT
iptables: Invalid argument
@tux init.d # iptables -A INPUT -p !tcp --dport 51000 -j REJECT
bash: !tcp: event not found
@tux init.d # iptables -A INPUT -p ! tcp --dport 51000 -j DENY
iptables v1.2.11: Couldn't load target `DENY':/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory
@tux init.d # iptables -A INPUT -p !tcp --dport 51000 -j DENY
bash: !tcp: event not found

Linux~Powered · 09-26-2004, 12:40 PM

Quote:

I will deny udp and icmp on that port, but I already hava a rule ot the bottom that captures all packets that hasnt been allowed so basically I wont need that.
What I need to do is to allow both udp and tcp in one rule, how would I do that then?

It will not drop udp or icmp because you told the table to only drop tcp packets. To use all three tcp/udp/icmp just use the flag --protocol all or -p all that will use all three in one table tcp/udp/icmp

Quote:

Yes I am trying to accept everything but that port

use... iptables -A INPUT -p all --dport 51000 -j DROP

this will DROP all packets trying to access dport 51000

lappen · 09-26-2004, 01:18 PM

I am completely lost... seems it is something wrong with my iptables, or I am doing it wrong..

all doesnt work and when using (invert) i in protocol it doesnt work

Linux~Powered · 09-26-2004, 01:24 PM

Are you root? Log into root and insert this command...

Code:

iptables -A INPUT -p all --dport 51000 -j DROP

again this should drop all packets tcp/udp/icmp trying to access port 51000

Then to see if it worked issue...

Code:

iptables -L

This will list what tables you have running.

lappen · 09-26-2004, 02:19 PM

seems it works with -d instead --dport, human error :)

but what about the invert (!) option?

Code:

       -p, --protocol [!] protocol
              The  protocol of the rule or of the packet to check.  The speci-
              fied protocol can be one of tcp, udp, icmp, or all, or it can be
              a  numeric  value, representing one of these protocols or a dif-
              ferent  one.   A  protocol  name  from  /etc/protocols  is  also
              allowed.   A  "!" argument before the protocol inverts the test.
              The number zero is equivalent to all.  Protocol all  will  match
              with  all  protocols and is taken as default when this option is
              omitted.

Does any of this work for you?
root@tux lappen # iptables -A INPUT -p !tcp --dport 51000 -j ACCEPT
bash: !tcp: event not found
root@tux lappen # iptables -A INPUT -p ! tcp --dport 51000 -j ACCEPT
iptables: Invalid argument

EDIT: seems the ! invert option works with -d but not --dport, should it work with --dport?

iptables -A INPUT -p ! tcp -d 192.168.0.3 -j ACCEPT
ACCEPT !tcp -- anywhere 192.168.0.3

I would want a source or destiantion port with that but it seems it doesnt work that way
iptables -A INPUT -p ! tcp -d 192.168.0.3 --dport 50000 -j ACCEPT
iptables: Invalid argument

Maybe I am still missunderstanding everything