When do you know you need the "-m multiport" option? I see examples with -dport xx:xxx, for example, that sometimes use it and sometimes don't. I have read the man page and see what "-m multiport" requires, but don't see the requirement involving its use.
Thanks! jlc
Joseph L. Casale wrote:
> When do you know you need the "-m multiport" option? I see examples with -dport xx:xxx, for example, that sometimes use it and sometimes don't. I have read the man page and see what "-m multiport" requires, but don't see the requirement involving its use.
> Thanks! jlc
I'll take a guess but am happy to be corrected if someone knows better...
My understanding is that --dport can only specify a single port (--dport 80) or port range (--dport 137:139) inclusive. Use of the multiport module allows up to 15 ports (or port ranges) to be specified.
As for a potential usage - off the top of my head, suppose you wanted to open ports 137-139 and 445 for SMB/Samba. This could be achieved with a single rule using the multiport module whereas 2 individual rules would otherwise be needed. Again, suppose you wanted to open ports 21 (FTP), 22 (SSH) and 110 (POP3) to a select IP address - you could do this in a single rule rather than 3 individual rules which opens up possibilities for optimizing/minimizing the number of iptables rules within a chain.
Ned
> My understanding is that --dport can only specify a single port (--dport 80) or port range (--dport 137:139) inclusive. Use of the multiport module allows up to 15 ports (or port ranges) to be specified.
Ned, so to write --dport 5060,10000:60000 you need to write: -m multiport -p udp -dport 5060,10000:60000. Correct?
Thanks for the help! jlc
Joseph L. Casale wrote:
> > My understanding is that --dport can only specify a single port (--dport 80) or port range (--dport 137:139) inclusive. Use of the multiport module allows up to 15 ports (or port ranges) to be specified.
> Ned, so to write --dport 5060,10000:60000 you need to write: -m multiport -p udp -dport 5060,10000:60000. Correct?
> Thanks for the help! jlc
I've not used multiport so am unsure of the exact syntax, but that looks reasonable.
I'd keep the -m multiport and --dports together though (also note it's --dports, not -dport), so something like this:
iptables -A INPUT -p udp -m multiport --dports 5060,10000:60000 -j ACCEPT
would accept all UDP packets destined for ports 5060 and 10000-60000.
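Added example (my own, not from anyone in this thread): a small POSIX sh helper that takes a port spec like the 5060,10000:60000 above and prints the matching iptables rule. A single port or range gets plain --dport; a comma-separated list is what forces -m multiport --dports. It also splits the list across several rules when it would exceed multiport's limit, which the iptables-extensions man page states as 15 entries with a range counting as two. It prints the rules rather than applying them, so pipe the output to sh once you have checked it.

```shell
#!/bin/sh
# dport_rules PROTO CHAIN TARGET PORTSPEC
# PORTSPEC: comma-separated ports and/or ranges, e.g. 5060,10000:60000
# Prints one or more iptables commands; does not run them.
dport_rules() {
  proto=$1; chain=$2; target=$3; spec=$4

  # One entry (no comma): plain --dport is enough, multiport not needed.
  case $spec in
    *,*) ;;
    *) printf 'iptables -A %s -p %s --dport %s -j %s\n' \
         "$chain" "$proto" "$spec" "$target"
       return 0 ;;
  esac

  # Several entries: split on commas into positional parameters.
  oldifs=$IFS; IFS=,; set -- $spec; IFS=$oldifs

  list=""; count=0
  for p in "$@"; do
    # A range (a:b) counts as two of the 15 slots per the man page.
    case $p in
      *:*) n=2 ;;
      *)   n=1 ;;
    esac
    if [ $((count + n)) -gt 15 ]; then
      # Limit reached: flush what we have as its own multiport rule.
      printf 'iptables -A %s -p %s -m multiport --dports %s -j %s\n' \
        "$chain" "$proto" "$list" "$target"
      list=""; count=0
    fi
    if [ -z "$list" ]; then list=$p; else list="$list,$p"; fi
    count=$((count + n))
  done
  if [ -n "$list" ]; then
    printf 'iptables -A %s -p %s -m multiport --dports %s -j %s\n' \
      "$chain" "$proto" "$list" "$target"
  fi
  return 0
}

# Usage: the rule discussed in this thread.
dport_rules udp INPUT ACCEPT 5060,10000:60000
```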
On Tuesday 26 August 2008 16:17, Ned Slider wrote:
> Joseph L. Casale wrote:
> > My understanding is that --dport can only specify a single port (--dport 80) or port range (--dport 137:139) inclusive. Use of the multiport module allows up to 15 ports (or port ranges) to be specified.
> > Ned, so to write --dport 5060,10000:60000 you need to write: -m multiport -p udp -dport 5060,10000:60000. Correct?
> > Thanks for the help! jlc
> I've not used multiport so am unsure of the exact syntax, but that looks reasonable.
> I'd keep the -m multiport and --dports together though (also note it's --dports, not -dport), so something like this:
> iptables -A INPUT -p udp -m multiport --dports 5060,10000:60000 -j ACCEPT
> would accept all UDP packets destined for ports 5060 and 10000-60000.
Some light reading on IPTABLES. :)
http://iptables.rlworkman.net/chunkyhtml/index.html
Nice doc, any ideas on how to print it (or many chapters easily) so I can haul with me on my plane ride this weekend?
Thanks! jlc
on 8-27-2008 4:27 PM Joseph L. Casale spake the following:
> Nice doc, any ideas on how to print it (or many chapters easily) so I can haul with me on my plane ride this weekend?
> Thanks! jlc
E-mail me offlist and I can make a PDF if you want it.
ssilva at sgvwater dot com
on 8-27-2008 4:27 PM Joseph L. Casale spake the following:
> Nice doc, any ideas on how to print it (or many chapters easily) so I can haul with me on my plane ride this weekend?
> Thanks! jlc
Or here is a link to a non-chunked version:
http://iptables.rlworkman.net/iptables-tutorial.html
On Wednesday 27 August 2008 19:27, Joseph L. Casale wrote:
> Nice doc, any ideas on how to print it (or many chapters easily) so I can haul with me on my plane ride this weekend?
Nope, but I'm open to suggestions. :)
> Nope, but I'm open to suggestions. :)
Scott provided a PDF, a link to a non-chunky HTML version that worked! I have it printed on my desk right now! That will make for some good dry reading on my plane ride Saturday. IPTables is something for me that has a few too many core holes and I need to develop a better grasp of this.
I tried writing out a FWBuilder script but man that thing was something messy to look at, geesh... Nice tool though!
Back to my original script that works, but needs the fancy touches added...
Thanks! jlc
On 28 Aug 2008, at 15:22, Joseph L. Casale wrote:
> I tried writing out a FWBuilder script but man that thing was something messy to look at, geesh...
Since you mentioned a FWBuilder script you might want to look at FireHOL as well (http://firehol.sourceforge.net/). I've been using it for a couple of years now. The config is dead simple and allows for custom rules where needed.
Jeremiah