Iptables list

Lisa Kachold lisakachold at obnosis.com
Fri Nov 6 10:33:16 MST 2009


On Fri, Nov 6, 2009 at 8:50 AM, Marco Savo <savomarco at gmail.com> wrote:

> Thanks, but currently I have an embedded Linux board (based on OpenWRT)
> that uses busybox, and there is no netstat, nmap or lsof command. I
> guess I can read /proc/net/tcp or udp, but iptables doesn't show a list of
> used ports?
>
> On Fri, Nov 6, 2009 at 1:49 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>
>>
>>
>> On Fri, Nov 6, 2009 at 5:30 AM, Craig White <craigwhite at azapple.com> wrote:
>>
>>> On Fri, 2009-11-06 at 13:13 +0000, Marco Savo wrote:
>>> > Hello,
>>> > configuring iptables rules,
>>> > how can I find out if one port number I want to use is already in
>>> > use?
>>> > example:
>>> >
>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol udp
>>> > --dport ${UDP_PORT}  --destination localhost
>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>> > --dport ${TCP_PORT}  --destination localhost
>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>> > --dport ${TCP_HOST_PORT}  --destination localhost
>>> >
>>> > How can I check if these ports (UDP_PORT TCP_PORT TCP_HOST_PORT) are
>>> > in use by another application?
>>> ----
>>> you can use netstat - for example, I might check for port 10000...
>>> # netstat -an|grep 10000
>>> tcp        0      0 0.0.0.0:10000     0.0.0.0:*     LISTEN
>>> udp        0      0 0.0.0.0:10000     0.0.0.0:*
>>>
>>> Craig
>>>
>>>
>> You can also use nmap
>>
>> # nmap localhost
>>
>> or
>>
>> # netstat -anpt
>>
>> to see what is listening on what (depending on your distro - check syntax)
>>
>>
> --
> 'The Magic Is In the Movement'
>
> Marco Savo
> SW Engineer
>
> 882 East Glenn St.
> Tucson, AZ 85719
> +1 (520) 248-5681
>
Hey Marco,

1) Your netstat is probably going to be your best solution:

This is how you install netstat-nat (for instance) on OpenWRT:

# ipkg install http://tornado.stormchasers.dk/openwrt/netstat-nat_1.4.3_mipsel.ipk

Netstat should be similar (just find the right version).

Reference:  https://forum.openwrt.org/viewtopic.php?id=6676

2) You can also use lsof (this one is for the whiterussian version of
OpenWRT, so check your packages):

# ipkg install http://jackassofalltrades.com/openwrt/whiterussian/packages/lsof_4.77-1_mipsel.ipk

# lsof -i

3) Nmap IPTABLES testing:

You can still nmap from both the inside interface(s) (from a linux machine
or VMware machine - nmap is available for Window$s also) and from an online
nmap portal to see what is available and listening on the outside WAN
interface.

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-ports.html

Some people configure their iptables with only nmap against each interface
with the assumption that if it's not listening with iptables down, it
doesn't need to be protected (be sure and check cron and anacron for any
scripts edited if this is a possible encroached system).

4) IPTABLES kernel conntrack-tools assist to make really fine tables.

Did you hand engineer your embedded sources for that box?

Are you using connection tracking:  (it's a small binary build)
http://conntrack-tools.netfilter.org/conntrack.html
http://svn.netfilter.org/netfilter/trunk/conntrack-tools/conntrack.8

OpenWRT provides for conntrack (but there are bugs on some versions).

-- 
Skype: (623)239-3392
AT&T: (503)754-4452
www.obnosis.com
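Marco's fallback of reading /proc/net/tcp or /proc/net/udp directly, worked through as an added example (not code from anyone in this thread): a POSIX sh script that runs under busybox, parses the tables and reports whether the ports the iptables rules will use are already bound. The table path is a parameter so the constructed sample below can stand in for /proc/net/tcp; the function names and sample rows are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a port is already bound on
# a busybox/OpenWRT box lacking netstat, lsof and nmap by reading /proc/net/tcp
# or /proc/net/udp.  Column 2 of those tables is local_address as HEXIP:HEXPORT,
# column 4 is the socket state (0A = LISTEN for TCP).  The table path is a
# parameter so a constructed sample can stand in for /proc/net/tcp.
# local_ports TABLE [STATE]: print decimal local ports, sorted and unique;
# with STATE (e.g. 0A) only rows in that state count.
local_ports() {
    table=$1
    state=${2:-}
    awk -v st="$state" 'NR > 1 && (st == "" || $4 == st) {
            split($2, a, ":"); print a[2]   # keep the HEXPORT half
        }' "$table" |
    while read -r hex; do
        echo $((0x$hex))                    # hex -> decimal, POSIX arithmetic
    done | sort -n | uniq
}
# port_in_use TABLE PORT: exit 0 if PORT is the local port of any socket.
port_in_use() {
    for p in $(local_ports "$1"); do
        [ "$p" -eq "$2" ] && return 0
    done
    return 1
}
# check_ports TABLE PORT...: report each port; exit 1 if any is in use.
check_ports() {
    table=$1; shift
    rc=0
    for port in "$@"; do
        if port_in_use "$table" "$port"; then
            echo "$port: IN USE"; rc=1
        else
            echo "$port: free"
        fi
    done
    return $rc
}
# Constructed sample in /proc/net/tcp layout (not captured from a real box):
# listeners on 22 and 10000, plus an established connection from local port 40001.
SAMPLE_TCP=$(mktemp)
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C41 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 20 4 30 10 -1
EOF
check_ports "$SAMPLE_TCP" 22 8080 10000 || :   # 22: IN USE / 8080: free / 10000: IN USE
```

For UDP pass /proc/net/udp without a STATE argument, since bound but unconnected UDP sockets show state 07 rather than 0A; /proc/net/tcp6 and udp6 use the same HEXPORT suffix with a longer address field.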