ipchains and -y

[der.hans]

Am 31. Aug, 2000 schwäzte Mike Starke so:

> Would someone be willing to explain the -y flag in ipchains for me?

Y, because we love you. M-O-U-... :)

       [!] -y, --syn
              Only match TCP packets with the SYN bit set and the
              ACK and FIN bits cleared.  Such packets are used to
              request TCP  connection  initiation;  for  example,
              blocking  such  packets coming in an interface will
              prevent incoming TCP connections, but outgoing  TCP
              connections  will  be  unaffected.   This option is
              only meaningful when the protocol type  is  set  to
              TCP.   If the "!" flag precedes the "-y", the sense
              of the option is inverted.

What that means is the -y flags match packets initiating a tcp
connection. The initiation has to be accepted for any other packets to be
able to do something. By blocking the initiation packets, you're
preventing tcp connections from being established, e.g. if you block them
from port 80 nobody can connect to your web server.

This does not affect udp connections. Look in /etc/services to find out
what type of service and what port something should be on.

> Maybe an example of when/why it would be used?
> 
> I want to allow telnet to a outside (internet) server only
> when the connection is initiated by a certain internal (192.168.2.x)
> ip.

ipchains -A int-in -j ACCEPT -p TCP -y -s 192.168.2.x/32 23
ipchains -A int-in -j DENY -p TCP -y -s 0/0 23

int-in is what I call the chain for incoming connections on the internal
(to my network) card.

Now if you don't do anything else to port 23 telnet connections from
192.168.2.x will work, but not from anywhere else.

Better off removing telnetd altogether and setting up ssh :).

ciao,

der.hans
-- 
#  der.hans@LuftHans.com   home.pages.de/~lufthans/   www.Opnix.com
#  I'm not anti-social, I'm pro-individual. - der.hans