Re: [SLUG] iptables

From: Scotty Logan (scotty@scottylogan.com)
Date: Wed May 04 2005 - 00:33:39 EDT


On May 3, 2005, at 7:40 PM, Glenn Meyer wrote:
> I don't know why I can't use that either. It looks like it should
> work, but here's the error I get....
>
> root@m700l:~# iptables -A INPUT -s 192.168.10.0/24 --dport 22 -j ACCEPT
> iptables v1.2.11: Unknown arg `--dport'
> Try `iptables -h' or 'iptables --help' for more information.
>

The answer is in the manual page:

> But even the man pages shows....
> ...
> specified. It can only be used in conjunction with -p tcp or -p
> udp.

You need to specify a protocol, since ports are not supported in all
protocols:

        iptables -A INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT

This is stateless filtering, but you should probably use stateful
filtering (it is more useful as the rules get more complex, and as you
start filtering more complicated protocols).

First, allow new SSH sessions to be established from 192.168.10.0/24:

        iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.10.0/24 --dport 22 -j ACCEPT

Now allow all packets that are part of an established TCP session, or
that are related (ICMP messages, etc) through the firewall:

        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

   Scotty

-- 
Scotty Logan <scotty@scottylogan.com>
Never take life seriously, Nobody gets out alive anyway
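As an added example (not part of Scotty's reply or the original thread), a small Python pre-flight check that flags the mistake in the quoted command, a port match with no port-carrying protocol selected before it, and that emits the two stateful rules from the reply for a given subnet. The function names are mine, and the check only knows the options discussed in this thread.

```python
# Added example, not from the original mailing-list post.
# check_rule() reproduces the diagnosis from the thread: iptables rejects
# --dport/--sport with "Unknown arg" unless -p tcp or -p udp appears
# EARLIER on the command line, because the port options belong to the
# tcp/udp match extension that -p loads.  stateful_ssh_rules() returns the
# two rules from the reply as shell-ready command lines.
import shlex

PORT_OPTS = {"--dport", "--sport", "--destination-port", "--source-port"}
PORT_PROTOS = {"tcp", "udp"}          # protocols the man page excerpt names


def check_rule(rule: str) -> list[str]:
    """Return a list of problems found in one iptables command line."""
    args = shlex.split(rule)
    problems = []
    proto = None                       # protocol selected so far, if any
    for i, arg in enumerate(args):
        if arg in ("-p", "--protocol") and i + 1 < len(args):
            proto = args[i + 1].lower()
        elif arg in PORT_OPTS and proto not in PORT_PROTOS:
            got = proto if proto else "none"
            problems.append(
                f"{arg} needs -p tcp or -p udp earlier on the command line"
                f" (got: {got})"
            )
    return problems


def stateful_ssh_rules(subnet: str, port: int = 22) -> list[str]:
    """The stateful ruleset from the reply: new SSH from `subnet`, then
    everything that belongs to an established or related connection."""
    return [
        f"iptables -A INPUT -m state --state NEW -m tcp -p tcp"
        f" -s {subnet} --dport {port} -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    # The failing command from the thread, then the corrected stateful rules.
    bad = "iptables -A INPUT -s 192.168.10.0/24 --dport 22 -j ACCEPT"
    print(bad, "->", check_rule(bad))
    for r in stateful_ssh_rules("192.168.10.0/24"):
        print(r, "->", check_rule(r) or "ok")
```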




This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:37:33 EDT