What are you trying to do? Open all the ports? Open only this port? Open some ports, plus this one, but not others? What does your complete firewall script look like?
I want to open only this port for LimeWire. My iptables is version 1.2.10. I just don't know the exact commands for this part of the script. Thank you for the reply!!!
# (Variables such as $IPTABLES, $PUB, $ME, $LOG, $LOG_LIMIT, $LOG_BURST,
# $SYN_LIMIT, $SYN_BURST, $SAFE_IFS, $SSH_ALLOWED, $DNS_SERVERS, $PRINTERS and
# $NTP_SERVERS are set earlier in the script and were not included in the post.)
# Our policy on the public interface:
# Incoming connections:
# o Allow SSH connections from a list of hosts.
# Outgoing connections:
# o Allow DNS queries to the campus nameservers.
# o Allow TELNET connections to any host.
# o Allow SSH connections to any host.
# o Allow FTP connections to any host.
# o Allow HTTP and HTTPS connections to any host.
# o Allow NTP queries to the GRNET NTP server.
# o Allow PRINTER connections to specific printers.
# o Allow PROXY connections to the campus proxy server.
# o Allow SMTP connections to any host.
#
# Our policy on the private interfaces:
# o Allow all incoming/outgoing traffic.
# ------------------------------------------------------------------------
# Enforce reverse path filtering.
for intf in /proc/sys/net/ipv4/conf/*
do
/bin/echo 1 > $intf/rp_filter
done
# Don't accept source routed packets.
for intf in /proc/sys/net/ipv4/conf/*
do
/bin/echo 0 > $intf/accept_source_route
done
# Don't accept ICMP redirects.
for intf in /proc/sys/net/ipv4/conf/*
do
/bin/echo 0 > $intf/accept_redirects
done
# Disable response to broadcasts (don't become a smurf amplifier).
/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message protection.
/bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn off ip forwarding.
/bin/echo 0 > /proc/sys/net/ipv4/ip_forward
# Log spoofed packets, source routed packets, redirect packets.
for intf in /proc/sys/net/ipv4/conf/*
do
/bin/echo 1 > $intf/log_martians
done
# ------------------------------------------------------------------------
# Set the default policy. We do it before flushing the chains so that
# all unmatched packets are dropped until the script completes execution
# (paranoid). Note that flushing does not affect the default policies.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Flush all rules, remove user-chains, zero counters.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
# ------------------------------------------------------------------------
# Prepare our logging chains.
$IPTABLES -N LOG_DROP
if [ "$LOG" = "yes" ]
then
$IPTABLES -A LOG_DROP -d xxx -j DROP
$IPTABLES -A LOG_DROP -d xxx -j DROP
$IPTABLES -A LOG_DROP -d xxx -j DROP
$IPTABLES -A LOG_DROP -m limit --limit $LOG_LIMIT/s --limit-burst $LOG_BURST \
-j LOG --log-tcp-options --log-ip-options \
--log-prefix 'IPTABLES-DROP: '
fi
$IPTABLES -A LOG_DROP -j DROP
$IPTABLES -N LOG_REJECT_RST
if [ "$LOG" = "yes" ]
then
$IPTABLES -A LOG_REJECT_RST -m limit --limit $LOG_LIMIT/s --limit-burst $LOG_BURST \
-j LOG --log-tcp-options --log-ip-options \
--log-prefix 'IPTABLES-REJECT-RST: '
fi
# Note: "-p tcp" is not strictly needed, since this chain is only
# called for a tcp packet. However if "-p tcp" is missing, we cannot
# specify "--reject-with tcp-reset".
$IPTABLES -A LOG_REJECT_RST -p tcp -j REJECT --reject-with tcp-reset
# ------------------------------------------------------------------------
# Prepare the SYN-flooding chain.
$IPTABLES -N SYN_FLOOD
$IPTABLES -A SYN_FLOOD -m limit --limit $SYN_LIMIT/s --limit-burst $SYN_BURST -j RETURN
$IPTABLES -A SYN_FLOOD -j LOG_DROP
# ------------------------------------------------------------------------
# START OF FILTERING RULES.
# ------------------------------------------------------------------------
# Permit all traffic from/to the private interfaces.
# At least the loopback interface should be here.
for intf in $SAFE_IFS
do
$IPTABLES -A INPUT -i $intf -j ACCEPT
$IPTABLES -A OUTPUT -o $intf -j ACCEPT
/bin/echo No traffic filtering on interface $intf.
done
##$IPTABLES -A INPUT -p icmp -j ACCEPT
##$IPTABLES -A OUTPUT -p icmp -j ACCEPT
# ------------------------------------------------------------------------
# Handle SYN flooding.
$IPTABLES -A INPUT -i $PUB -p tcp --syn -j SYN_FLOOD
# Make sure NEW tcp connections are SYN packets.
$IPTABLES -A INPUT -i $PUB -p tcp ! --syn -m state --state NEW -j LOG_DROP
# Refuse packets pretending to be from our public ip address.
$IPTABLES -A INPUT -i $PUB -s $ME -j LOG_DROP
# ------------------------------------------------------------------------
# Incoming SSH.
if [ -f $SSH_ALLOWED ]
then
for ip in `/usr/bin/cat $SSH_ALLOWED`
do
$IPTABLES -A INPUT -i $PUB -p tcp -s $ip -d $ME --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $PUB -p tcp -d $ip -s $ME --sport 22 \
-m state --state ESTABLISHED -j ACCEPT
/bin/echo Enabling incoming SSH for $ip
done
else
/bin/echo File $SSH_ALLOWED does not exist. Incoming ssh disabled.
fi
# ------------------------------------------------------------------------
# Outgoing DNS to campus nameservers.
for ip in $DNS_SERVERS
do
$IPTABLES -A OUTPUT -o $PUB -p udp -s $ME -d $ip --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p udp -s $ip --sport 53 -d $ME -j ACCEPT
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME -d $ip --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p tcp -s $ip --sport 53 -d $ME \
-m state --state ESTABLISHED -j ACCEPT
done
# Outgoing TELNET to any host.
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME --dport 23 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p tcp -d $ME --sport 23 -m state --state ESTABLISHED -j ACCEPT
# Outgoing SSH to any host.
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p tcp -d $ME --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Outgoing FTP to any host.
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p tcp -d $ME --sport 21 -m state --state ESTABLISHED -j ACCEPT
# FTP DATA (active)
$IPTABLES -A INPUT -i $PUB -p tcp -d $ME --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME --dport 20 -m state --state ESTABLISHED -j ACCEPT
# FTP DATA (passive)
$IPTABLES -A INPUT -i $PUB -p tcp -d $ME --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outgoing HTTP to any host.
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p tcp -d $ME --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Outgoing HTTPS to any host.
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME --dport 443 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p tcp -d $ME --sport 443 -m state --state ESTABLISHED -j ACCEPT
# Outgoing PRINTER connections.
for ip in $PRINTERS
do
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME -d $ip --dport 515 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p tcp -s $ip --sport 515 -d $ME -m state --state ESTABLISHED -j ACCEPT
done
# Outgoing NTP to any host.
for ip in $NTP_SERVERS
do
$IPTABLES -A OUTPUT -o $PUB -p udp -s $ME --sport 123 -d $ip --dport 123 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p udp -s $ip --sport 123 -d $ME --dport 123 -j ACCEPT
done
# Outgoing PROXY connections to the campus proxy server.
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME -d xxx --dport 8080 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p tcp -s xxx --sport 8080 -d $ME -m state --state ESTABLISHED -j ACCEPT
# Outgoing SMTP to any host.
$IPTABLES -A OUTPUT -o $PUB -p tcp -s $ME --dport 25 -j ACCEPT
$IPTABLES -A INPUT -i $PUB -p tcp -d $ME --sport 25 -m state --state ESTABLISHED -j ACCEPT
# LimeWire (listening port 45368; the earlier attempt on port 48188 is left
# commented out). Note: unlike the rules above, these are not bound to $PUB
# and $ME, and the OUTPUT rules match --dport, whereas replies leaving
# LimeWire's listening port carry that port as --sport.
#$IPTABLES -A INPUT -p tcp -m tcp --dport 48188 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp -m tcp --dport 48188 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m udp --dport 48188 -j ACCEPT
#$IPTABLES -A OUTPUT -p udp -m udp --dport 48188 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 45368 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 45368 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 45368 -j ACCEPT
#$IPTABLES -A OUTPUT -p udp --dport 45368 -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp --dport 45368 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p udp --dport 45368 -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --dport 45368 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p tcp --dport 45368 -j ACCEPT
# ------------------------------------------------------------------------
# Reject all other tcp input connections, returning a TCP-RST.
# This trick makes our ports appear as "closed" and not "filtered"
# when scanned with nmap.
$IPTABLES -A INPUT -p tcp -j LOG_REJECT_RST
# Explicitly allow outgoing TCP-RST. This is needed since the
# previous rule will send back a TCP-RST.
$IPTABLES -A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT
# Drop all other incoming packets.
$IPTABLES -A INPUT -j LOG_DROP
# Drop all other outgoing packets.
$IPTABLES -A OUTPUT -j LOG_DROP
# End of rules. The default policy should take effect now (in case
# we missed something).
# ------------------------------------------------------------------------
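A LimeWire section for the script above that opens one listening port for both TCP and UDP while keeping the script's interface and address binding, added here as an example (it is not the poster's script). The interface eth0, the address 192.0.2.10 and the run_rule dry-run helper are assumptions; 45368 is the port from the thread.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed placeholder values: PUB is
# the public interface, ME its address (an RFC 5737 documentation address),
# LW_PORT the LimeWire listening port used in the thread.
IPTABLES=${IPTABLES:-/sbin/iptables}
PUB=${PUB:-eth0}
ME=${ME:-192.0.2.10}
LW_PORT=${LW_PORT:-45368}

# run_rule: apply a rule, or with DRY_RUN=1 print the command instead, so the
# rule set can be reviewed without root and without touching the live firewall.
run_rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# One pass per protocol: --dport on the way in (peers connect to our listening
# port), --sport on the way out (our replies leave from that same port). These
# must be appended before the catch-all "-A INPUT -p tcp -j LOG_REJECT_RST"
# rule, since iptables matches in order and that rule would answer with a RST.
limewire_rules() {
    for proto in tcp udp; do
        run_rule -A INPUT  -i "$PUB" -p "$proto" -d "$ME" --dport "$LW_PORT" -j ACCEPT
        run_rule -A OUTPUT -o "$PUB" -p "$proto" -s "$ME" --sport "$LW_PORT" \
                 -m state --state ESTABLISHED -j ACCEPT
    done
}

# Review the generated rules first (DRY_RUN=1); run as root without DRY_RUN
# to install them.
if [ "${DRY_RUN:-0}" = 1 ]; then limewire_rules; fi
```

Connections that LimeWire itself opens to other peers still fall under the script's OUTPUT policy and are not covered by these four rules.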
This error tells us that there is no such chain, target or match. This could depend upon a huge set of factors, the most common being that you have misspelled the chain, target or match in question. Also, this could be generated in case you are trying to use a match that is not available, either because you did not load the proper module, it was not compiled into the kernel, or iptables failed to automatically load the module. In general, you should look for all of the above solutions, but also look for misspelled targets of some sort or another in your rule.
How can I see which ports are available? Maybe this port doesn't exist. Now I am trying another port, 45368, and again I didn't manage anything. Is there any difference in the rules when I open UDP or TCP ports, because I must open both of them?
Well, maybe you really need to look at the iptables help.
1. In case you need to have a rule applicable to both TCP and UDP, then do not give any -p option. This means it will be applicable for both UDP and TCP.
2. You will get the "Bad chain/table" etc. error when the chain name is wrong.
Make sure you have the table (-t nat or -t mangle) when the chain is the PREROUTING or POSTROUTING chain. For the INPUT, OUTPUT and FORWARD chains the table is filter (-t filter is optional).
Do look at the iptables man pages. They are well documented.
Do ask for any other specific problem.