Iptables list

Lisa Kachold lisakachold at obnosis.com
Fri Nov 6 13:19:29 MST 2009


On Fri, Nov 6, 2009 at 10:12 AM, Marco Savo <savomarco at gmail.com> wrote:

> Thanks a lot for your help
> Marco
>
> On Fri, Nov 6, 2009 at 5:33 PM, Lisa Kachold <lisakachold at obnosis.com>wrote:
>
>>
>>
>> On Fri, Nov 6, 2009 at 8:50 AM, Marco Savo <savomarco at gmail.com> wrote:
>>
>>> Thanks, but currently I have an embedded Linux board (based on OpenWrt)
>>> that uses BusyBox, and there is no netstat, nmap or lsof command. I
>>> guess I can read /proc/net/tcp or udp, but iptables doesn't show a list of
>>> used ports?
>>>
>>> On Fri, Nov 6, 2009 at 1:49 PM, Lisa Kachold <lisakachold at obnosis.com>wrote:
>>>
>>>>
>>>>
>>>> On Fri, Nov 6, 2009 at 5:30 AM, Craig White <craigwhite at azapple.com>wrote:
>>>>
>>>>> On Fri, 2009-11-06 at 13:13 +0000, Marco Savo wrote:
>>>>> > Hello,
>>>>> > configuring iptables rules,
>>>>> > how can I find out if a port number I want to use is already in
>>>>> > use?
>>>>> > example:
>>>>> >
>>>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol udp
>>>>> > --dport ${UDP_PORT}  --destination localhost
>>>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>>>> > --dport ${TCP_PORT}  --destination localhost
>>>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>>>> > --dport ${TCP_HOST_PORT}  --destination localhost
>>>>> >
>>>>> > How can I check if these ports (UDP_PORT TCP_PORT TCP_HOST_PORT) are
>>>>> > in use by another application?
>>>>> ----
>>>>> you can use netstat - for example, I might check for port 10000...
>>>>> # netstat -an|grep 10000
>>>>> tcp        0      0 0.0.0.0:10000     0.0.0.0:*     LISTEN
>>>>> udp        0      0 0.0.0.0:10000     0.0.0.0:*
>>>>>
>>>>> Craig
>>>>>
>>>>
>>>> You can also use nmap
>>>>
>>>> # nmap localhost
>>>>
>>>> or
>>>>
>>>> # netstat -anpt
>>>>
>>>> to see what is listening on what (depending on your distro - check
>>>> syntax)
>>>>
>>>>
>>> --
>>> 'The Magic Is In the Movement'
>>>
>>> Marco Savo
>>> SW Engineer
>>>
>>> 882 East Glenn St.
>>> Tucson, AZ 85719
>>> +1 (520) 248-5681
>>>
>>
>> Hey Marco,
>>
>> 1) Your netstat is probably going to be your best solution:
>>
>> This is how you install netstat-nat (for instance) on OpenWRT:
>>
>> # ipkg install http://tornado.stormchasers.dk/openwrt/netstat-nat_1.4.3_mipsel.ipk
>>
>> Netstat should be similar (just find the right version).
>>
>> Reference:  https://forum.openwrt.org/viewtopic.php?id=6676
>>
>> 2) You can also use lsof (this one is for the whiterussian version of
>> OpenWRT, so check your packages):
>>
>> # ipkg install http://jackassofalltrades.com/openwrt/whiterussian/packages/lsof_4.77-1_mipsel.ipk
>>
>> # lsof -i
>>
>> 3) Nmap IPTABLES testing:
>>
>> You can still nmap from both the inside interface(s) (from a linux machine
>> or VMware machine - nmap is available for Window$s also) and from an online
>> nmap portal to see what is available and listening on the outside WAN
>> interface.
>>
>>
>> http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-ports.html
>>
>> Some people configure their iptables with only nmap against each interface,
>> with the assumption that if it's not listening with iptables down, it
>> doesn't need to be protected (be sure to check cron and anacron for any
>> edited scripts if this is a possibly encroached system).
>>
>> 4) IPTABLES kernel conntrack-tools assist to make really fine tables.
>>
>> Did you hand engineer your embedded sources for that box?
>>
>> Are you using connection tracking? (it's a small binary build)
>> http://conntrack-tools.netfilter.org/conntrack.html
>> http://svn.netfilter.org/netfilter/trunk/conntrack-tools/conntrack.8
>>
>> OpenWRT provides for conntrack (but there are bugs on some versions).
>>
>> --
> 'The Magic Is In the Movement'
>
> Marco Savo
> SW Engineer
>
> 882 East Glenn St.
> Tucson, AZ 85719
> +1 (520) 248-5681
>

These links provide additional sources for adding to OpenWRT:

Official packages:  http://downloads.openwrt.org/kamikaze/

Third Party Builds:
http://www.ipkg.be/
http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/

Individual builds: http://tornado.stormchasers.dk/openwrt/

More about building your own packages:
http://wiki.openwrt.org/oldwiki/openwrtdocs/packages

Also, check out this web based management for kamikaze - XWRT includes
firewall tools:
http://wiki.openwrt.org/oldwiki/openwrtdocs/xwrt

You can always remove them if they don't work - or after use?

-- 
Skype: (623)239-3392
AT&T: (503)754-4452
www.obnosis.com
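As an added example that is not part of the thread: a BusyBox-compatible shell script that does what Marco suggests, reading /proc/net/tcp and /proc/net/udp directly to tell whether a port is already bound, for a box that has no netstat, lsof or nmap. The table contents below are constructed for the example; the function names (port_in_use, listening_ports, check_free, hex_to_ip) and the BIG_ENDIAN switch are this example's own and not part of OpenWrt or BusyBox. It looks only at the local_address column, which is the part a plain "netstat -an | grep 10000" gets wrong (that also matches a remote port 10000 on an established connection).

```shell
#!/bin/sh
# Added example (not from the thread): check whether a TCP or UDP port is
# already bound on a BusyBox/OpenWrt box that lacks netstat, lsof and nmap,
# by reading /proc/net/tcp and /proc/net/udp.  Needs only sh, awk and cut.
#
# Row layout of /proc/net/tcp and /proc/net/udp (fields 1-4 are what we use):
#   sl  local_address rem_address   st ...
#    0: 00000000:2710 00000000:0000 0A ...
# local_address is <IPv4 as one hex word in host byte order>:<port in hex>;
# the port is the real port number, independent of endianness.
# st 0A is TCP_LISTEN.  UDP sockets have no LISTEN state (bound ones show 07),
# so for udp every bound local port counts.

# Constructed sample of /proc/net/tcp: 0.0.0.0:10000 LISTEN, 127.0.0.1:22 LISTEN,
# and one ESTABLISHED connection whose local port is 47288 (0xB8B8).
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 0F02000A:B8B8 0102000A:0050 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0'

# Constructed sample of /proc/net/udp: 127.0.0.1:53 bound.
SAMPLE_UDP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   5: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1300 2 00000000 0'

# port_in_use PROTO PORT   (reads a /proc/net/PROTO-format table on stdin)
# Exit status 0 if the port is bound locally, 1 if not.  Only local_address
# is examined.  For tcp only LISTEN (st 0A) rows count: an established
# connection that happens to use the port locally is not a listener.
port_in_use() {
    proto=$1
    hexport=$(printf '%04X' "$2")          # /proc prints 4 uppercase hex digits
    awk -v want="$hexport" -v proto="$proto" '
        NR == 1 { next }                              # header row
        {
            split($2, a, ":")                         # a[1]=hex ip, a[2]=hex port
            if (a[2] != want) next
            if (proto == "tcp" && $4 != "0A") next    # not listening
            found = 1; exit
        }
        END { if (found) exit 0; exit 1 }'
}

# hex_to_ip HEX: decode the IPv4 half of local_address.  The kernel prints the
# address as one 32-bit word in host byte order, so on little-endian hosts
# (x86, mipsel) "0100007F" is 127.0.0.1, while a big-endian router prints
# "7F000001"; set BIG_ENDIAN=1 there.  IPv6 (32 hex digits) is echoed as is.
hex_to_ip() {
    h=$1
    if [ "${#h}" -ne 8 ]; then echo "$h"; return; fi
    b1=${h%??????}                          # first two hex digits
    b2=$(printf '%s' "$h" | cut -c3-4)
    b3=$(printf '%s' "$h" | cut -c5-6)
    b4=${h#??????}                          # last two hex digits
    if [ "${BIG_ENDIAN:-0}" = 1 ]; then
        echo "$((0x$b1)).$((0x$b2)).$((0x$b3)).$((0x$b4))"
    else
        echo "$((0x$b4)).$((0x$b3)).$((0x$b2)).$((0x$b1))"
    fi
}

# listening_ports PROTO   (table on stdin) -> "PROTO PORT ADDRESS" per bound socket
listening_ports() {
    proto=$1
    awk -v proto="$proto" 'NR > 1 && (proto != "tcp" || $4 == "0A") { print $2 }' |
    while IFS=: read -r hexip hexport; do
        echo "$proto $((0x$hexport)) $(hex_to_ip "$hexip")"
    done
}

# check_free PROTO PORT: what to run on the router before adding the iptables
# rules.  Looks at both the v4 and the v6 table, because a v6 socket bound to
# [::]:PORT without IPV6_V6ONLY also claims the v4 port.
check_free() {
    for f in "/proc/net/$1" "/proc/net/${1}6"; do
        if [ -r "$f" ] && port_in_use "$1" "$2" < "$f"; then
            echo "$1 port $2 is already in use (see $f)"
            return 1
        fi
    done
    echo "$1 port $2 is free"
}

# e.g.  sh portcheck.sh udp "$UDP_PORT"    (no arguments: only defines functions)
if [ "$#" -eq 2 ]; then
    check_free "$1" "$2"
fi
```

Run it on the router as `sh portcheck.sh tcp "$TCP_PORT"` for each of the three ports before inserting the rules; a non-zero exit means the port is taken. Only the address decoding depends on the BIG_ENDIAN switch; the port test itself reads the same on either byte order.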