IPTABLES: effect 2 ports with one rule

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    417

    IPTABLES: effect 2 ports with one rule

    Hi,

    I wanted to give access to ports 22 and 80 to one ip address or even subnet. I can do it like this

    ./iptables -I INPUT -s 129.0.0.1 -p tcp --dport 22 -j ACCEPT
    ./iptables -I INPUT -s 129.0.0.1 -p tcp --dport 80 -j ACCEPT

    But can I do this with just one rule instead of 2??

    thanx,

  2. #2

    Re:IPTABLES: effect 2 ports with one rule

    I forget the exact syntax, but you can if you use the --multiport option. I'll check my script tomorrow if you want and post the exact syntax.

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    417

    Re:IPTABLES: effect 2 ports with one rule

    yea, if you can do that I'd appreciate it.

    also, I created a rule at the bottom of the chain that should block out every port from every address except the machine itself.

    -A INPUT -s ! 127.0.0.1 -j DROP

    When I do this it blocks ALL traffic, IN and OUT; I can't ping, nothing. I'm really trying to block every port and use rules at the top of the table if I want to allow access to ports, or from other IPs. Why does this block everything?

    thanx,


  4. #4

    Re:IPTABLES: effect 2 ports with one rule

    OK here's what you need to do:
    Code:
    iptables -A INPUT -i $your_interface -p tcp --multiport --destination-port 22,80 --syn -j ACCEPT
    The multiport switch must proceed the protocol specification in the line.

    If you want to drop everything else, I would start out your script with a default target policy, such as
    Code:
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP
    Now you must accept everything on the loopback, and all outgoing traffic from the box itself. You must also accept incoming server replies to local client requests (like udp traffic for your DNS client).
    Code:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    iptables -A OUTPUT -o $your_interface -s $your_ip_address -j ACCEPT
    iptables -A INPUT -i $your_interface -p tcp ! --syn -d $your_ip_address -j ACCEPT
    iptables -A INPUT -i $your_interface -p udp -s $your_name_server \
         --source-port 53 --destination-port 1024:65535 -j ACCEPT
    Rule precedence matters. The last rule in your script wins out. So if you put a rule blocking everything at the end of your script, it will override all rules that come before it. Hope this helps some and is not confusing.

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    417

    Re:IPTABLES: effect 2 ports with one rule

    Code:
    iptables -A INPUT -i $your_interface -p tcp --multiport --destination-port 22,80 --syn -j ACCEPT
    Actually you have to put the module switch in front of multiport and it only works when the -p tcp/udp switch is used.

    Code:
    iptables -A INPUT -i $your_interface -p tcp -m multiport --dport 22,80 --syn -j ACCEPT
    At least, that's the only way I could get it to work on my machine.
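Putting the pieces of posts #4 and #5 together, the script below is an added example (not code from any poster) of a complete default-deny ruleset: DROP policies on every chain, loopback open, return traffic accepted, and the thread's goal of allowing ports 22 and 80 from one subnet in a single rule using `-m multiport --dports`, loaded after `-p tcp` as post #5 found. It uses `-m conntrack --ctstate ESTABLISHED,RELATED` for replies instead of the `! --syn` and per-nameserver udp rules, and adds a rate-limited LOG rule so refused traffic shows up in the kernel log. The interface, addresses and subnet are constructed placeholders; set `IPT=echo` to print the commands instead of applying them. Note that iptables evaluates a chain top to bottom and the first matching rule with a terminal target decides; the chain policy only applies to packets no rule matched, which is why the catch-all here is a policy rather than a trailing DROP rule.

```shell
#!/bin/sh
# Added example: minimal default-deny INPUT/OUTPUT ruleset built from the
# advice in this thread. All values below are constructed placeholders.
IFACE="${IFACE:-eth0}"
HOST_IP="${HOST_IP:-192.0.2.10}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # subnet allowed to reach ssh/http
IPT="${IPT:-iptables}"                    # IPT=echo prints instead of applying

build_rules() {
    # Start clean; anything not explicitly accepted below is dropped.
    $IPT -F
    $IPT --policy INPUT DROP
    $IPT --policy OUTPUT DROP
    $IPT --policy FORWARD DROP

    # Loopback must always be open or local services break.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host started (DNS, updates, ...), via
    # connection tracking rather than the "! --syn" trick.
    $IPT -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Outgoing traffic from this host's own address.
    $IPT -A OUTPUT -o "$IFACE" -s "$HOST_IP" -j ACCEPT

    # The thread's goal: ssh and http from one subnet in a single rule.
    # -m multiport must come after -p tcp; --dports takes a comma list.
    $IPT -A INPUT -i "$IFACE" -p tcp -s "$ADMIN_NET" \
         -m multiport --dports 22,80 --syn -j ACCEPT

    # Log what the INPUT policy is about to drop, rate-limited so a scan
    # cannot flood the log.
    $IPT -A INPUT -i "$IFACE" -m limit --limit 5/min \
         -j LOG --log-prefix "IPT-DROP: "
}

# Dry-run helper: count generated commands containing a given string.
count_rules() {
    (IPT=echo; build_rules) | grep -c -- "$1"
}

if [ "${1:-}" = "--apply" ]; then
    build_rules
fi
```

Run it as `IPT=echo sh firewall.sh --apply` to review the generated commands before applying them for real with `sh firewall.sh --apply` as root.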
