Gentoo Forums
iptables rule
Gentoo Forums Forum Index: Networking & Security
knueven7
n00b
Joined: 01 May 2004
Posts: 42

Posted: Tue Jul 27, 2004 12:34 pm    Post subject: iptables rule

I am writing an iptables rule:

iptables -A FORWARD -s 0/0 -d x.x.x.3 -p TCP --sport 19283 --dport 19283 -j ACCEPT

Can I add another port to this rule? I know I can do a range of ports:
--sport 19283:19287

I would like to just have two ports instead of a range. Unfortunately the ports are not close together so I can't use a range.

ports:
19283 and 19315

Thanks for the help
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Tue Jul 27, 2004 12:51 pm

Hi, you can do this:

-p tcp -m multiport --sport 80,20,23 (example)
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals
cold_flame
Tux's lil' helper
Joined: 23 Jun 2003
Posts: 88
Location: Australia

Posted: Tue Jul 27, 2004 1:21 pm

Or you could just execute the rule twice, changing the port each time.
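Both suggestions side by side, as an added example that is not part of the thread: the multiport match (whose full option names are --sports/--dports and take a comma-separated list) versus one ordinary rule per port. The server address 192.0.2.3 is a constructed placeholder for the x.x.x.3 in the question, and the script only matches the destination port: the remote end chooses its own source port, so a --sport match adds no protection against a sender that simply picks the expected port. IPTABLES can be pointed at the dry_print helper to preview the rules without touching the live ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: two equivalent ways to allow the pair of
# non-contiguous TCP ports from the question. Set IPTABLES to another command
# (see dry_run) to preview the rules instead of loading them. The server
# address is a constructed placeholder for the x.x.x.3 in the question.
IPTABLES="${IPTABLES:-iptables}"
SERVER="${SERVER:-192.0.2.3}"
PORTS="${PORTS:-19283,19315}"   # comma-separated, as the multiport match wants it

# Variant 1: one rule, using the multiport match. Only the destination port is
# matched: the remote end picks its own source port, so matching --sport adds
# nothing a sender cannot trivially satisfy.
allow_ports_multiport() {
    "$IPTABLES" -A FORWARD -d "$SERVER" -p tcp -m multiport --dports "$PORTS" -j ACCEPT
}

# Variant 2: one plain rule per port, which is what running the original rule
# twice with a different port amounts to.
allow_ports_separately() {
    for port in $(printf '%s' "$PORTS" | tr ',' ' '); do
        "$IPTABLES" -A FORWARD -d "$SERVER" -p tcp --dport "$port" -j ACCEPT
    done
}

# Preview helpers: print each rule on its own line instead of loading it,
# and count how many rules a variant would add.
dry_print() { printf '%s\n' "$*"; }
dry_run() { ( IPTABLES=dry_print; "$1" ); }
count_rules() { dry_run "$1" | wc -l | tr -d ' '; }
```

Running `dry_run allow_ports_multiport` shows the single rule that would be appended; `count_rules allow_ports_separately` returns 2, which is the maintenance cost of the second variant as the port list grows.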
knueven7
n00b
Joined: 01 May 2004
Posts: 42

Posted: Tue Jul 27, 2004 1:42 pm    Post subject: iptables question

I'm new to iptables and a little confused on when to use INPUT and when to use FORWARD.

If I have a web server and want to allow access on port 80, should I use INPUT or FORWARD?

Also, I am in a campus environment where they do DNS for the entire campus, so DNS must be allowed in. Would that be an INPUT?

Any easy hints to figure out which to use?

My firewall is a bridging firewall so I'm not sure if I even need to use FORWARD at all since it routes the traffic.

Thanks.
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Tue Jul 27, 2004 2:12 pm

INPUT applies to packets that are targeted to your linux server and used by processes on your server (like httpd, sshd, etc.).

FORWARD applies to packets that are targeted to an IP behind your linux box; this happens when you act as a router, masquerading or forwarding packets. Those packets are not used by your internal processes.
It also applies to packets coming from behind your box.
FORWARD is used to filter packets between two interfaces; you should use it for bridging. Try setting the policy to DROP, and your bridge should stop.

OUTPUT applies to packets made by your linux box.
knueven7
n00b
Joined: 01 May 2004
Posts: 42

Posted: Tue Jul 27, 2004 2:34 pm    Post subject: making sure

Just want to make sure I'm on the right track here.

I have 3 NICs in my bridge. The one that's assigned an IP needs DNS. For DNS to that interface on my bridge I use the INPUT chain? Then use the INPUT chain again for ssh to my bridge. So any service going to the eth0 device on my bridge itself will use INPUT.

The rest of my servers sit behind the bridge/firewall so I will use FORWARD for rules applying to traffic sent to them through the bridge.

Do I have the right idea here?
splooge
l33t
Joined: 30 Aug 2002
Posts: 636

Posted: Tue Jul 27, 2004 2:55 pm

input, output and forward are only filter chains. They allow or disallow packets. What you're looking to do is called network address translation, or NAT. This is done in the prerouting and postrouting chains.
_________________
http://get.a.clue.de
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Tue Jul 27, 2004 2:56 pm

Yeap, any connection that goes to your box is managed by INPUT/OUTPUT whatever the interface is, and any connection that goes through is managed by FORWARD.

You can use -i and/or -o flags to specify the interface.
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Tue Jul 27, 2004 2:58 pm

splooge wrote:
input, output and forward are only filter chains. They allow or disallow packets. What you're looking to do is called network address translation, or NAT. This is done in the prerouting and postrouting chains.

NAT is not always needed, only if the machines behind do not have valid internet IPs and you want to multiplex the internet connection.
splooge
l33t
Joined: 30 Aug 2002
Posts: 636

Posted: Tue Jul 27, 2004 3:01 pm

Jeremy_Z wrote:
splooge wrote:
input, output and forward are only filter chains. They allow or disallow packets. What you're looking to do is called network address translation, or NAT. This is done in the prerouting and postrouting chains.

NAT is not always needed, only if the machines behind do not have valid internet IPs and you want to multiplex the internet connection.

knueven7 wrote:
The rest of my servers sit behind the firewall

Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Tue Jul 27, 2004 3:06 pm

Yep, but it could work without NAT. But I think the "bridge" word confused me.

knueven7: can you post the topology of your network (with IPs, servers, etc.), just to clarify.
knueven7
n00b
Joined: 01 May 2004
Posts: 42

Posted: Tue Jul 27, 2004 4:23 pm    Post subject: Net Topology

Building Switch(outside world) -->Bridge --> Switch(My Network) --> Network(servers, workstations)

The building switch is controlled by our University Office of Info. Technology. They pump a feed to my switch that allows my network to connect to the outside world. The bridge will sit between their switch and mine. On my network I have an Open Directory server, web server, radmind server, key server, a bunch of other little things and about 300 desktop machines. My servers are connected to from 5 other subnets around campus for various things.

I am not using NAT or MASQ.
knueven7
n00b
Joined: 01 May 2004
Posts: 42

Posted: Tue Jul 27, 2004 4:25 pm    Post subject: Another question

I have written a script for iptables, but don't know how to apply it. How can I apply it so that it will automatically run if the bridge is restarted?

Thanks for all of the help.
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Tue Jul 27, 2004 4:27 pm

run it
check it (iptables -L -v)
save it: /etc/init.d/iptables save
add it to boot: rc-update add iptables default
knueven7
n00b
Joined: 01 May 2004
Posts: 42

Posted: Tue Jul 27, 2004 5:10 pm    Post subject: running the script

When I run the script it gives me an error:
iptables v1.2.9: bad rate 'l/s'

I have no idea what it means. Any ideas?
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Tue Jul 27, 2004 5:19 pm

Probably an error in your script after -m limit or something like that. Post your script, for error checking.
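To tie together the chain explanation, the -i/-o interface flags, the posted topology and the -m limit error, here is an added example ruleset for a transparent bridge (br0 made of eth1 and eth2) whose host also has a management address on eth0; it is not code from the thread. Interface names, addresses and the admin network are constructed placeholders. Two things worth knowing before using -i/-o on a bridge: iptables only sees bridged frames in FORWARD when bridge-netfilter is active (on current kernels the sysctl net.bridge.bridge-nf-call-iptables), and when it does, -i/-o report the logical bridge interface, so the physical port is matched with the physdev module rather than -i eth1. The rate for -m limit is a number followed by a unit (/second, /minute, /hour, /day); a letter l in place of the digit 1 is exactly what "bad rate 'l/s'" rejects.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal ruleset for the topology
# described above (building switch -> bridge -> local switch), where the bridge
# host also has a management address on a third NIC. Point IPTABLES at the
# dry_print helper (see dry_run) to preview the rules without loading them.
# Interface names and addresses are constructed placeholders.
IPTABLES="${IPTABLES:-iptables}"
OUTSIDE_IF="${OUTSIDE_IF:-eth1}"        # bridge port toward the building switch
INSIDE_IF="${INSIDE_IF:-eth2}"          # bridge port toward the local switch
BRIDGE_IF="${BRIDGE_IF:-br0}"           # what -i/-o show for bridged frames
MGMT_IF="${MGMT_IF:-eth0}"              # NIC carrying the bridge host's own IP
WEB_SERVER="${WEB_SERVER:-192.0.2.10}"  # placeholder host behind the bridge
CAMPUS_DNS="${CAMPUS_DNS:-192.0.2.53}"  # placeholder campus resolver
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # placeholder: where ssh to the bridge may come from

ipt() { "$IPTABLES" "$@"; }

apply_ruleset() {
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # INPUT/OUTPUT: packets addressed to, or sent by, the bridge host itself.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the host's own resolver queries the campus DNS; replies match ESTABLISHED
    ipt -A OUTPUT -o "$MGMT_IF" -d "$CAMPUS_DNS" -p udp --dport 53 -j ACCEPT
    # ssh to the bridge host, only from the admin network
    ipt -A INPUT -i "$MGMT_IF" -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT

    # FORWARD: frames crossing the bridge. With bridge-netfilter active, -i/-o
    # show the logical bridge; the physical port is matched with physdev.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anything the local network initiates may leave
    ipt -A FORWARD -i "$BRIDGE_IF" -m physdev --physdev-in "$INSIDE_IF" \
        --physdev-out "$OUTSIDE_IF" --physdev-is-bridged -j ACCEPT
    # from outside, only HTTP to the web server
    ipt -A FORWARD -i "$BRIDGE_IF" -m physdev --physdev-in "$OUTSIDE_IF" \
        --physdev-out "$INSIDE_IF" --physdev-is-bridged \
        -d "$WEB_SERVER" -p tcp --dport 80 -j ACCEPT
    # log what the DROP policy is about to discard, at most 1 per second:
    # digit 1 plus a unit; "l/s" (letter l) fails with "bad rate"
    ipt -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "FWD-DROP: "
}

# Preview: prints each rule as one line instead of loading it.
dry_print() { printf '%s\n' "$*"; }
dry_run() { ( IPTABLES=dry_print; apply_ruleset ); }
```

Run `dry_run` first and read the output; once it matches what you intend, run `apply_ruleset` as root, then `iptables -L -v` as suggested above to confirm the counters move on the rules you expect. The DROP policy on all three chains means a missing rule fails closed rather than open, which is the behaviour you want on a perimeter bridge.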
knueven7
n00b
Joined: 01 May 2004
Posts: 42

Posted: Tue Jul 27, 2004 6:12 pm    Post subject: error

It was an error in the script.

How can I get my bridge configuration to stay when the machine is restarted? Do I need to write a script and have it run when the machine restarts?
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Tue Jul 27, 2004 6:39 pm

I answered already, 2 posts before.
knueven7
n00b
Joined: 01 May 2004
Posts: 42

Posted: Tue Jul 27, 2004 6:54 pm    Post subject: iptables

I did that and it just kept my iptables configuration. When I restart I have to reconfigure my bridge every time.

brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig br0 0.0.0.0 up

Is it similar (or identical) to what I had to do for iptables?
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Tue Jul 27, 2004 7:01 pm

This is in /etc/conf.d/net..., should be set up at install. Search in the install handbook if you need documentation.
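What the /etc/conf.d/net answer amounts to, as an added example that is not from the thread: the four brctl/ifconfig commands expressed as a persistent bridge definition, next to the save-and-enable steps given earlier for the ruleset. The fragment uses netifrc syntax, which is an assumption on my part; the 2004 baselayout of the thread wrote the same settings as bash arrays, so check the handbook for the syntax your release expects. The rules file path is Gentoo's default and is set in /etc/conf.d/iptables.

```shell
# /etc/conf.d/net fragment (netifrc syntax; an assumption, see lead-in).
# Added example, not from the thread. Equivalent to:
#   brctl addbr br0; brctl addif br0 eth1; brctl addif br0 eth2
#   ifconfig br0 0.0.0.0 up
config_eth1="null"                   # bridge ports carry no address of their own
config_eth2="null"
bridge_br0="eth1 eth2"               # the ports that form br0
config_br0="null"                    # no IP on the bridge: a transparent bridge
rc_net_br0_need="net.eth1 net.eth2"  # bring the ports up before the bridge

# One-time steps as root (not part of the config file):
#   ln -s /etc/init.d/net.lo /etc/init.d/net.br0
#   rc-update add net.br0 default
#   /etc/init.d/iptables save        # writes /var/lib/iptables/rules-save by default
#   rc-update add iptables default   # reloads that file at boot
```

After a reboot, `brctl show` should list br0 with both ports and `iptables -L -v` should show the saved rules; if the rules are present but the bridge is not, the iptables service started fine and it is the net.br0 service that needs attention.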