ipchains and -y

mgcon@mail.neta.com
Thu, 31 Aug 2000 19:17:38 -0700 (MST)


Thanks! I think that made it pretty clear for me.

Can't "block" telnet, as the server I need to telnet into
is at my ISP and is therefore allowing me to type this message :-)

Really appreciate the time you took explaining; now I can apply
it to the rest of my rules.

Mike
> 
> On 31 Aug 2000, Mike Starke wrote:
> 
> > Would someone be willing to explain the -y flag in ipchains for me?
> 
> Y, because we love you. M-O-U-... :)
> 
>        [!] -y, --syn
>               Only match TCP packets with the SYN bit set and the
>               ACK and FIN bits cleared.  Such packets are used to
>               request TCP  connection  initiation;  for  example,
>               blocking  such  packets coming in an interface will
>               prevent incoming TCP connections, but outgoing  TCP
>               connections  will  be  unaffected.   This option is
>               only meaningful when the protocol type  is  set  to
>               TCP.   If the "!" flag precedes the "-y", the sense
>               of the option is inverted.
> 
> What that means is the -y flag matches packets initiating a tcp
> connection. The initiation has to be accepted for any other packets to be
> able to do something. By blocking the initiation packets, you're
> preventing tcp connections from being established, e.g. if you block them
> from port 80 nobody can connect to your web server.
> 
> This does not affect udp connections. Look in /etc/services to find out
> what type of service and what port something should be on.
> 
> > Maybe an example of when/why it would be used?
> > 
> > I want to allow telnet to an outside (internet) server only
> > when the connection is initiated by a certain internal (192.168.2.x)
> > ip.
> 
> # port 23 belongs on the destination (-d), the telnet server side;
> # given as a source port it would only match SYNs sent *from* port 23
> ipchains -A int-in -j ACCEPT -p TCP -y -s 192.168.2.x/32 -d 0/0 23
> ipchains -A int-in -j DENY -p TCP -y -s 0/0 -d 0/0 23
> 
> int-in is what I call the chain for incoming connections on the internal
> (to my network) card.
> 
> Now if you don't do anything else to port 23 telnet connections from
> 192.168.2.x will work, but not from anywhere else.
> 
> Better off removing telnetd altogether and setting up ssh :).
> 
> ciao,
> 
> der.hans
> -- 
> #  der.hans@LuftHans.com   home.pages.de/~lufthans/   www.Opnix.com
> #  I'm not anti-social, I'm pro-individual. - der.hans
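
The -y test and the two int-in rules from the thread, as an added simulation that is not code from the original post: it walks constructed sample packets through the chain and prints the verdict, showing why blocking SYN-only packets stops new connections while leaving SYN-ACK replies and established traffic untouched. The host 192.168.2.10 is an assumed stand-in for the thread's "192.168.2.x", and port 23 is read as the destination port of the client's SYN.

```shell
#!/bin/sh
# Added example, not code from the original thread: a small simulation of how
# the -y (SYN-only) test decides which packets the two int-in rules touch.

# Stand-in for the thread's "192.168.2.x": one assumed internal host.
ALLOWED_SRC=192.168.2.10

# Flags in tcpdump notation: S = SYN, . = ACK, F = FIN, P = PSH, R = RST.
# -y matches only when SYN is set AND both ACK and FIN are cleared, i.e. the
# first packet of a handshake, never the SYN-ACK reply or later data.
syn_only() {
  case "$1" in
    *S*) ;;              # SYN present, keep checking
    *)   return 1 ;;     # no SYN: not a connection request
  esac
  case "$1" in
    *.*|*F*) return 1 ;; # ACK or FIN set: -y does not match
  esac
  return 0
}

# Walk the int-in chain for one packet (proto src dport flags) and print the
# verdict: ACCEPT or DENY from the two rules, or POLICY when neither matched.
int_in_verdict() {
  proto=$1; src=$2; dport=$3; flags=$4
  # rule 1: ACCEPT -p TCP -y from the allowed host to port 23
  if [ "$proto" = tcp ] && syn_only "$flags" && [ "$src" = "$ALLOWED_SRC" ] && [ "$dport" = 23 ]; then
    echo ACCEPT; return
  fi
  # rule 2: DENY -p TCP -y from anywhere (0/0) to port 23
  if [ "$proto" = tcp ] && syn_only "$flags" && [ "$dport" = 23 ]; then
    echo DENY; return
  fi
  echo POLICY
}

# Constructed sample traffic (not a capture): proto src dport flags
printf '%s\n' \
  'tcp 192.168.2.10 23 S'  \
  'tcp 192.168.2.77 23 S'  \
  'tcp 192.168.2.77 23 S.' \
  'tcp 192.168.2.77 23 .'  \
  'tcp 192.168.2.77 80 S'  \
  'udp 192.168.2.77 23 -'  \
| while read -r proto src dport flags; do
  printf '%-3s %-13s dport=%-2s flags=%-2s -> %s\n' \
    "$proto" "$src" "$dport" "$flags" \
    "$(int_in_verdict "$proto" "$src" "$dport" "$flags")"
done
```

Only the second line (a SYN from a non-allowed host to port 23) is denied; the SYN-ACK and ACK lines fall through to the chain policy, which is why a -y rule never breaks connections that were already established or initiated from the other direction.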