LARTC - Feb 2001 - Another newbyish question I'm afraid, -m state --state matters

I''d like to be able to deny all new connections to a firewall, with the
exception of port 22 (sshd) and some ports I''d like to forward
internally.

Now, there is this nice feature Rusty describes to do that:

iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

However, it seems I can''t make a rule that is using the state AND a
source/dest
port in there. Eg the following won''t work:

iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

Anyone? :)

Paul
-- 
Just patent your virus and sue the anti-virus companies for reverse
enineering it.
                  --- cne_pc@youknowwhattodo.yahoo.com, in response to
Norton''s
                      patent on "software updates"

Please post this on the netfilter mailinglist instead of here as this is an
iproute2-mailinglist, not dedicated to iproute2.

See more info at http://netfilter.samba.org

use iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport ! 22 -j
DROP

/Patrik

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On
Behalf Of Paul Wouters
Sent: den 28 februari 2001 18:07
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Another newbyish question I''m afraid, -m state --state
matters


I''d like to be able to deny all new connections to a firewall, with the
exception of port 22 (sshd) and some ports I''d like to forward
internally.

Now, there is this nice feature Rusty describes to do that:

iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

However, it seems I can''t make a rule that is using the state AND a
source/dest
port in there. Eg the following won''t work:

iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j
ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

Anyone? :)

Paul
--
Just patent your virus and sue the anti-virus companies for reverse
enineering it.
                  --- cne_pc@youknowwhattodo.yahoo.com, in response to
Norton''s
                      patent on "software updates"


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
http://ds9a.nl/2.4Routing/

On Wed, 28 Feb 2001, Paul Wouters wrote:
> I''d like to be able to deny all new connections to a firewall,
with the
> exception of port 22 (sshd) and some ports I''d like to forward
internally.
> However, it seems I can''t make a rule that is using the state
> AND a source/dest port in there. Eg the following won''t work:
>
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j
ACCEPT
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> Anyone? :)
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 25 -m state --state NEW,INVALID -j
ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

--sport and --dport need the -p tcp or -p udp flags to be set, as source and
destination ports may not make sense for certain protocols, most notably
ICMP.

Doei, Arthur.

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don''t need
the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there''s nobody
watching