From: "Gilles Yue"
Subject: Help on IPTABLES
Date: Thu, 9 Oct 2003 16:24:03 +0400
To: netfilter@lists.netfilter.org

Hi all,

Can somebody explain to me why, when I changed my Chain INPUT rules from ACCEPT to DROP, I cannot browse the internet despite opening port 80 in the INPUT rule?
However, when Chain INPUT is changed to ACCEPT, browsing the internet works fine. (Note: Chain OUTPUT is ACCEPT for all.)

The configuration of my IPTABLES is as follows:

Chain INPUT (policy DROP)
target                prot opt source      destination
RH-Lokkit-0-50-INPUT  all  --  anywhere    anywhere
ACCEPT                tcp  --  anywhere    anywhere     tcp spt:http
ACCEPT                udp  --  anywhere    anywhere     udp spt:http

Note that my OUTPUT rules are as follows:

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

I have two network cards installed on my PC, running Red Hat 9.0.

Routing for static routes is as follows:

xx.yy.zz.aa   0.0.0.0       255.255.255.0   U    0  0  0 eth0
xx.0.0.0      0.0.0.0       255.0.0.0       U    0  0  0 eth1
127.0.0.0     0.0.0.0       255.0.0.0       U    0  0  0 lo
0.0.0.0       zz.zz.zz.zz   0.0.0.0         UG   0  0  0 eth0
0.0.0.0       zz.zz.zz.zz   0.0.0.0         UG   0  0  0 eth1

where zz.zz.zz.zz is my gateway to the internet.
eth0 - interface with local address
eth1 - interface with Internet address.

By the way, is there a way to save static routes? When I reboot my PC, all routes are lost.

Thanks for any help.

gilles

From: "Rob Sterenborg"
Subject: RE: Help on IPTABLES
Date: Thu, 9 Oct 2003 15:54:45 +0200
To: 'Gilles Yue', netfilter@lists.netfilter.org

> Can somebody explain to me why is when i changed my Chain
> INPUT Rules from ACCEPT to DROP, i cannot browse the internet
> despite opening port 80 in the INPUT rule.
...
> Chain INPUT (policy DROP)
> target                prot opt source     destination
> RH-Lokkit-0-50-INPUT  all  --  anywhere   anywhere
> ACCEPT                tcp  --  anywhere   anywhere    tcp spt:http
> ACCEPT                udp  --  anywhere   anywhere    udp spt:http

Because you used sport. You are trying to reach servers that are *listening* on port 80/443, so you should use dport (destination port 80/443). You are most likely not sending from port 80/443.

Gr,
Rob

From: "Gilles Yue"
Subject: RE: Help on IPTABLES
Date: Fri, 10 Oct 2003 10:43:55 +0400
To: Rob Sterenborg, netfilter@lists.netfilter.org
Hi Rob,

I have made changes just like you said, and I still cannot browse!
Is there something wrong with my other chain rules or with the routing of my network cards? (Note: I have two network cards.) Please help. Thanks.

Chain INPUT (policy DROP)
target                prot opt source      destination
RH-Lokkit-0-50-INPUT  all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT                tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:80
ACCEPT                udp  --  0.0.0.0/0   0.0.0.0/0    udp dpt:80

Chain FORWARD (policy ACCEPT)
target                prot opt source      destination
RH-Lokkit-0-50-INPUT  all  --  0.0.0.0/0   0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source      destination
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0   0.0.0.0/0    udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0   0.0.0.0/0    udp dpt:2049 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable

-----Original Message-----
From: Rob Sterenborg [mailto:rob@sterenborg.info]
Sent: Thursday, October 09, 2003 5:55 PM
To: Gilles Yue; netfilter@lists.netfilter.org
Subject: RE: Help on IPTABLES

From: info
Subject: Help on IPTABLES
Date: Thu, 09 Oct 2003 16:20:02 +0400
To: netfilter@lists.netfilter.org

hi all,

Can somebody explain to me why, when I changed my Chain INPUT rules from ACCEPT to DROP, I cannot browse the internet despite opening port 80 in the INPUT rule?
However, when Chain INPUT is changed to ACCEPT, browsing the internet works fine. (Note: Chain OUTPUT is ACCEPT for all.)

The configuration of my IPTABLES is as follows:

Chain INPUT (policy DROP)
target                prot opt source      destination
RH-Lokkit-0-50-INPUT  all  --  anywhere    anywhere
ACCEPT                tcp  --  anywhere    anywhere     tcp spt:http
ACCEPT                udp  --  anywhere    anywhere     udp spt:http

Note that my OUTPUT rules are as follows:

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

I have two network cards installed on my PC, running Red Hat 9.0.

Routing for static routes is as follows:

xx.yy.zz.aa   0.0.0.0       255.255.255.0   U    0  0  0 eth0
xx.0.0.0      0.0.0.0       255.0.0.0       U    0  0  0 eth1
127.0.0.0     0.0.0.0       255.0.0.0       U    0  0  0 lo
0.0.0.0       zz.zz.zz.zz   0.0.0.0         UG   0  0  0 eth0
0.0.0.0       zz.zz.zz.zz   0.0.0.0         UG   0  0  0 eth1

where zz.zz.zz.zz is my gateway to the internet.
eth0 - interface with local address
eth1 - interface with Internet address.

By the way, is there a way to save static routes? When I reboot my PC, all routes are lost.

Thanks for any help.

guy

From: Leonardo Rodrigues Magalhães
Subject: Re: Help on IPTABLES
Date: Sat, 11 Oct 2003 11:32:37 -0300
To: info, netfilter@lists.netfilter.org

    You'll probably browse with no problems if you use IP addresses. If you try to browse using names (www.something.com), you'll need to do a DNS request for the IP of that hostname. The request will go out with no problems, as OUTPUT is ACCEPT. But the DNS reply will be blocked, as INPUT only allows port 80 traffic.

    For allowing web browsing ONLY, you'll have to allow AT LEAST packets with source port 53 (TCP and UDP - almost all will be UDP, but TCP can also be used). Don't forget HTTPS too, which is port 443.

    You should also analyse the RH-Lokkit-0-50-INPUT chain. As packets are getting to this chain BEFORE reaching your rules, if something gets blocked there, it will NEVER reach YOUR rules.

    For static rules, you can create them in /etc/rc.d/rc.local. This file will be executed after ALL daemons got UP in the reboot process.

    Sincerely,
    Leonardo Rodrigues

----- Original Message -----
From: info
To: netfilter@lists.netfilter.org
Sent: Thursday, October 09, 2003 9:20 AM
Subject: Help on IPTABLES

From: "Gilles Yue"
Subject: RE: Help on IPTABLES
Date: Mon, 13 Oct 2003 16:09:20 +0400
To: Leonardo Rodrigues Magalhães
Cc: netfilter@lists.netfilter.org

Dear Leonardo,

Thanks for your reply.

I've just allowed port 53/443 as well. Still cannot browse. Do you think it's got something to do with the routing of my two network cards?

When I change my INPUT chain to accept all, browsing works. (Note: I am talking about browsing on the host where iptables has been installed.)

Or do I have to insert a new rule to enable NAT? Below are my chain rules. Thanks for replying.

gilles

Chain INPUT (policy DROP)
target                prot opt source      destination
RH-Lokkit-0-50-INPUT  all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT                tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:80
ACCEPT                udp  --  0.0.0.0/0   0.0.0.0/0    udp dpt:80
ACCEPT                tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:443
ACCEPT                udp  --  0.0.0.0/0   0.0.0.0/0    udp dpt:443
ACCEPT                tcp  --  0.0.0.0/0   0.0.0.0/0    tcp spt:53
ACCEPT                udp  --  0.0.0.0/0   0.0.0.0/0    udp spt:53

Chain FORWARD (policy ACCEPT)
target                prot opt source      destination
RH-Lokkit-0-50-INPUT  all  --  0.0.0.0/0   0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source      destination
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0   0.0.0.0/0    udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0   0.0.0.0/0    udp dpt:2049 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable

-----Original Message-----
From: Leonardo Rodrigues Magalhães [mailto:leolistas@solutti.com.br]
Sent: Saturday, October 11, 2003 6:33 PM
To: info; netfilter@lists.netfilter.org
Subject: Re: Help on IPTABLES

From: Ralf Spenneberg
Subject: RE: Help on IPTABLES
Date: 13 Oct 2003 15:23:04 +0200
To: Gilles Yue
Cc: Netfilter

On Mon, 2003-10-13 at 14:09, Gilles Yue wrote:
> Chain INPUT (policy DROP)
>
> target                prot opt source     destination
>
> RH-Lokkit-0-50-INPUT  all  --  0.0.0.0/0  0.0.0.0/0
>
> ACCEPT                tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:80

When establishing a connection with a webserver the packets in the INPUT chain are coming from the webserver port 80, therefore spt:80 not dpt:80.
The same goes for the rest, with the exception of DNS. Here you did it correctly:

> ACCEPT                tcp  --  0.0.0.0/0  0.0.0.0/0  tcp spt:53

By the way, you get more info on the rules using

iptables -vnL

Cheers,
Ralf
--
Ralf Spenneberg RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org


From: Joel Newkirk
Subject: Re: Help on IPTABLES
Date: Tue, 14 Oct 2003 02:59:01 -0400
To: Gilles Yue
Cc: netfilter@lists.netfilter.org

On Thu, 2003-10-09 at 08:24, Gilles Yue wrote:
> Hi all,
>
> Can somebody explain to me why is when i changed my Chain INPUT Rules
> from ACCEPT to DROP, i cannot browse the internet despite opening port
> 80 in the INPUT rule.
> However, when Chain INPUT is changed to ACCEPT, browsing the internet
> works fine. (Note: CHAIN Output is accept for ALL)

Are you talking about the rule targets, or the chain policy, changing? I'll assume you're talking about changing policy.

OUTPUT lets connections from this machine out. Fine. INPUT controls connections to this machine, which you want to control. Find out what RH-Lokkit-0-50-INPUT does, and consider ditching it. Add a stateful rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

And now most connections you initiate are allowed back. (providing something before this rule, like RH-Lokkit, doesn't drop it first)

> The configurations on my IPTABLES are as follows
>
> Chain INPUT (policy DROP)
> target                prot opt source    destination
> RH-Lokkit-0-50-INPUT  all  --  anywhere  anywhere
> ACCEPT                tcp  --  anywhere  anywhere  tcp spt:http
> ACCEPT                udp  --  anywhere  anywhere  udp spt:http
>
> Note that my OUTPUT Rules are as follows:
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source    destination
>
> I have two network cards installed on my pc - running Red Hat 9.0

If this box is 'sharing' the internet connection, you need to deal with FORWARD chain rules and nat table rules as well...

> Routing for static routes are follows:
>
> xx.yy.zz.aa   0.0.0.0       255.255.255.0   U    0  0  0 eth0
> xx.0.0.0      0.0.0.0       255.0.0.0       U    0  0  0 eth1
> 127.0.0.0     0.0.0.0       255.0.0.0       U    0  0  0 lo
> 0.0.0.0       zz.zz.zz.zz   0.0.0.0         UG   0  0  0 eth0
> 0.0.0.0       zz.zz.zz.zz   0.0.0.0         UG   0  0  0 eth1
>
> Where zz.zz.zz.zz is my gateway to the internet.
> eth0 - Interface with local address
> eth1 - Interface with Internet address.

OK. Question... Why is your internet gateway accessible via the local interface?? Is it perhaps the default as well? Definitely an issue there.

> By the way, is there a way to save static routes because when i reboot
> my pc, all routes are lost.
>
> Thanks for any help.
>
> gilles

BTW - dport 80 on INPUT would allow the internet to access a web server at your IP; sport 80 would allow HTTP replies back in. And L Rodrigues' advice is also valid.

Suggestions - leave the OUTPUT chain empty with ACCEPT policy for now. Work on getting INPUT back into the box working the way you want it. Then transplant most of those rules to FORWARD to allow machines behind this one to access the internet with similar restrictions. And try using "iptables -vnL" to list rules - more useful information that way.

j


From: "Gilles Yue"
Subject: Re: Help on IPTABLES
Date: Tue, 14 Oct 2003 16:50:40 +0400
To: Joel Newkirk
Cc: netfilter@lists.netfilter.org

Dear Joel,

Browsing is working now. I have removed all chains in output and forward and am starting with INPUT rules first. (Just like you told me)

But I am now trying to check my mail on the box with iptables installed. Note I have opened ports 25 and 110 and tried with both sport and dport. Connection with local mail server cannot be made. Did I miss something?

Sorry to bother you about those basic questions but I am VERY new to iptables.

Thanks & Best Regards
gy

Chain INPUT (policy DROP 2858 packets, 315K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:53
    1   456 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:80
   33  6571 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:110
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:25

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 664 packets, 67152 bytes)
 pkts bytes target     prot opt in     out     source               destination

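Joel's stateful rule and his dport/sport point, read against Gilles's follow-up ruleset above, as an added example that is not from any poster in this thread: a POSIX shell script that emits a minimal stateful INPUT ruleset for a single host (it only prints the commands unless IPT=iptables is set). The RUNS_WEBSERVER switch is a hypothetical knob, and the loopback rule is the general netfilter requirement for local clients reaching local daemons, not a diagnosis taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful INPUT ruleset for a
# single host, replacing source-port rules such as "tcp spt:http".
# By default the commands are only printed; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
RUNS_WEBSERVER="${RUNS_WEBSERVER:-no}"   # hypothetical: yes if this box serves HTTP

stateful_input_rules() {
    $IPT -F INPUT
    # Loopback traffic also traverses INPUT, so local clients talking to
    # local daemons (a mail server on this very box, for example) need this
    # rule once the policy is DROP.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (HTTP, HTTPS, DNS over UDP or
    # TCP, POP3, SMTP, ...) come back as ESTABLISHED; RELATED covers ICMP
    # errors and helper-tracked sessions. This single rule makes the per-port
    # spt:53 / spt:80 / spt:443 / spt:110 / spt:25 rules unnecessary.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Services this host OFFERS are matched on the destination port (dpt),
    # and only for NEW connections. A dpt:80 rule exposes a web server on
    # this box; it does nothing for browsing from it.
    if [ "$RUNS_WEBSERVER" = yes ]; then
        $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    fi
    # Rate-limited log of what the policy is about to drop, so "why can't I
    # connect" is answered from the kernel log instead of guessed.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    # Set the policy last, after the ESTABLISHED rule is already in place.
    $IPT -P INPUT DROP
}

# Listing with packet counters, as recommended in the thread.
show_input_rules() {
    $IPT -vnL INPUT
}

stateful_input_rules
show_input_rules
```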
From: wlagmay@yanbulink.net
Subject: Help on Iptables
Date: Sat, 16 Dec 2006 20:04:15 +0300
To: netfilter@lists.netfilter.org

Hi all,

I just want to know how I am going to do a blocking of multiple ports on a single line, let's say port 700 to 800.

I'm trying this command but it is not working

iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700-800 -j DROP
iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700 --to 800 -j DROP

I'm trying the above commands and it's not working. Can you help me please?

Thanks,
Wennie


From: Pascal Hambourg
Subject: Re: Help on Iptables
Date: Sat, 16 Dec 2006 20:20:11 +0100
To: netfilter@lists.netfilter.org

Hello,

wlagmay@yanbulink.net wrote:
>
> I just want to know How am I going to do a blocking of multiple ports on a
> single line let say port 700 to 800.
>
> Im trying this command but it is not working
>
> iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700-800 -j DROP
> iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700 --to 800 -j
> DROP

man iptables says the port range syntax in port matches is "700:800".
The port range syntax "700-800" is used only in NAT targets.


From: wlagmay@yanbulink.net
Subject: Re: Help on Iptables
Date: Sun, 17 Dec 2006 15:08:38 +0300
To: Pascal Hambourg
Cc: netfilter@lists.netfilter.org

Thanks Pascal,

Anyway, maybe you can help me with my other problem. I already posted it but up to now I don't have any reply, so I'm just thinking that you might help me. You see, I'm using "SAME" for my Network Address Translation. Example:

-A POSTROUTING -s 192.168.64.0/255.255.224.0 -j SAME --nodst --to 212.xxx.xxx.9-212.xxx.xxx.14

My question is, how can I log and trace which private IP is using a certain public IP at any given time and date? For example, let's say somebody is complaining that there is a network flood or attack coming from 212.xxx.xxx.14, so in order for me to trace which machine is making the flood I should know which private IP address is using 212.xxx.xxx.14 at that given time.

Thank you very much and I hope that you can help me.

Wennie

Quoting Pascal Hambourg:

> Hello,
>
> wlagmay@yanbulink.net wrote:
> >
> > I just want to know How am I going to do a blocking of multiple ports on a
> > single line let say port 700 to 800.
> >
> > Im trying this command but it is not working
> >
> > iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700-800 -j
> DROP
> > iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700 --to 800
> -j
> > DROP
>
> man iptables says the port range syntax in port matches is "700:800".
> The port range syntax "700-800" is used only in NAT targets.
>
>
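Pascal's point about the two range separators, as an added example that is not from any poster in the thread: a POSIX shell script that validates a port range and emits it as "low:high" for port matches and "low-high" for NAT targets (commands are only printed unless IPT=iptables is set). The REDIRECT rule is a hypothetical use of the NAT syntax, not something the thread asked for.

```shell
#!/bin/sh
# Added example, not from the thread: build the port-range argument the way
# each context expects. Port matches (--dport/--sport) take "low:high";
# only NAT targets such as --to-ports take "low-high".
IPT="${IPT:-echo iptables}"   # prints the commands unless IPT=iptables is set

# True when $1 is an integer in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_range LOW HIGH SEP: print LOW<SEP>HIGH, or fail on a bad range.
# Failing loudly matters: iptables rejects "700-800" in --dport, so a
# script that silently passed it through would leave no rule at all.
port_range() {
    is_port "$1" && is_port "$2" && [ "$1" -le "$2" ] || return 1
    printf '%s%s%s\n' "$1" "$3" "$2"
}

# Filter table: block NEW outbound TCP connections to a range of ports.
block_outbound_range() {   # block_outbound_range LOW HIGH
    range=$(port_range "$1" "$2" :) || { echo "bad port range: $1 $2" >&2; return 1; }
    $IPT -A OUTPUT -p tcp -m state --state NEW -m tcp --dport "$range" -j DROP
}

# NAT target (hypothetical use): the match still uses ":", but the
# --to-ports argument of the REDIRECT target is where "-" belongs.
redirect_range() {   # redirect_range LOW HIGH NEWLOW NEWHIGH
    match=$(port_range "$1" "$2" :) && target=$(port_range "$3" "$4" -) || return 1
    $IPT -t nat -A PREROUTING -p tcp --dport "$match" -j REDIRECT --to-ports "$target"
}

block_outbound_range 700 800
redirect_range 700 800 8700 8800
```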