Iptables list

Marco Savo savomarco at gmail.com
Sat Nov 7 08:26:22 MST 2009


Well,
at the moment I'm working on a dsl router that is not on the market yet; they
use a customized linux version on it, but they want to port openwrt to it.
So for now I don't have the standard openwrt functions available yet, but
I'm working on it...
Thanks

On Fri, Nov 6, 2009 at 8:19 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:

>
>
> On Fri, Nov 6, 2009 at 10:12 AM, Marco Savo <savomarco at gmail.com> wrote:
>
>> Thanks a lot for your help
>> Marco
>>
>> On Fri, Nov 6, 2009 at 5:33 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>
>>>
>>>
>>> On Fri, Nov 6, 2009 at 8:50 AM, Marco Savo <savomarco at gmail.com> wrote:
>>>
>>>> Thanks, but currently I have an embedded linux board (based on openwrt)
>>>> that uses busybox, and there is no netstat, nmap or lsof command. I
>>>> guess I can read /proc/net/tcp or udp, but doesn't iptables show a list of
>>>> used ports?
>>>>
>>>> On Fri, Nov 6, 2009 at 1:49 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Fri, Nov 6, 2009 at 5:30 AM, Craig White <craigwhite at azapple.com> wrote:
>>>>>
>>>>>> On Fri, 2009-11-06 at 13:13 +0000, Marco Savo wrote:
>>>>>> > Hello,
>>>>>> > configuring iptables rules,
>>>>>> > how can I find out if a port number I want to use is already in
>>>>>> > use?
>>>>>> > example:
>>>>>> >
>>>>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol udp
>>>>>> > --dport ${UDP_PORT}  --destination localhost
>>>>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>>>>> > --dport ${TCP_PORT}  --destination localhost
>>>>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>>>>> > --dport ${TCP_HOST_PORT}  --destination localhost
>>>>>> >
>>>>>> > How can I check if these ports (UDP_PORT TCP_PORT TCP_HOST_PORT) are
>>>>>> > in use by another application?
>>>>>> ----
>>>>>> you can use netstat - for example, I might check for port 10000...
>>>>>> # netstat -an|grep 10000
>>>>>> tcp        0      0 0.0.0.0:10000     0.0.0.0:*     LISTEN
>>>>>> udp        0      0 0.0.0.0:10000     0.0.0.0:*
>>>>>>
>>>>>> Craig
>>>>>>
>>>>>>
>>>>> You can also use nmap
>>>>>
>>>>> # nmap localhost
>>>>>
>>>>> or
>>>>>
>>>>> # netstat -anpt
>>>>>
>>>>> to see what is listening on what (depending on your distro - check
>>>>> syntax)
>>>>>
>>>>>
>>>> --
>>>> 'The Magic Is In the Movement'
>>>>
>>>> Marco Savo
>>>> SW Engineer
>>>>
>>>> 882 East Glenn St.
>>>> Tucson, AZ 85719
>>>> +1 (520) 248-5681
>>>>
>>> Hey Marco,
>>>
>>> 1) Your netstat is probably going to be your best solution:
>>>
>>> This is how you install netstat-nat (for instance) on OpenWRT:
>>>
>>> #ipkg install http://tornado.stormchasers.dk/openwrt/netstat-nat_1.4.3_mipsel.ipk
>>>
>>> Netstat should be similar (just find the right version).
>>>
>>> Reference:  https://forum.openwrt.org/viewtopic.php?id=6676
>>>
>>> 2) You can also use lsof (this one is for the whiterussian version of
>>> OpenWRT, so check your packages):
>>>
>>> # ipkg install http://jackassofalltrades.com/openwrt/whiterussian/packages/lsof_4.77-1_mipsel.ipk
>>>
>>> # lsof -i
>>>
>>> 3) Nmap IPTABLES testing:
>>>
>>> You can still nmap from both the inside interface(s) (from a linux
>>> machine or VMware machine - nmap is available for Window$s also) and from an
>>> online nmap portal to see what is available and listening on the outside WAN
>>> interface.
>>>
>>>
>>> http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-ports.html
>>>
>>> Some people configure their iptables with only nmap against each
>>> interface with the assumption that if it's not listening with iptables down,
>>> it doesn't need to be protected (be sure and check cron and anacron for any
>>> scripts edited if this is a possible encroached system).
>>>
>>> 4) IPTABLES kernel conntrack-tools assist to make really fine tables.
>>>
>>> Did you hand engineer your embedded sources for that box?
>>>
>>> Are you using connection tracking:  (it's a small binary build)
>>> http://conntrack-tools.netfilter.org/conntrack.html
>>> http://svn.netfilter.org/netfilter/trunk/conntrack-tools/conntrack.8
>>>
>>> OpenWRT provides for conntrack (but there are bugs on some versions).
>>>
>>
>
> These links provide additional sources for adding to OpenWRT:
>
> Official packages:  http://downloads.openwrt.org/kamikaze/
>
> Third Party Builds:
> http://www.ipkg.be/
> http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/
>
> Individual builds: http://tornado.stormchasers.dk/openwrt/
>
> More about building your own packages:
> http://wiki.openwrt.org/oldwiki/openwrtdocs/packages
>
> Also, check out this web based management for Kamikaze - XWRT includes
> firewall tools:
> http://wiki.openwrt.org/oldwiki/openwrtdocs/xwrt
>
> You can always remove them if they don't work - or after use?
>
> --
> Skype: (623)239-3392
> AT&T: (503)754-4452
> www.obnosis.com
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



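Marco's idea of reading /proc/net/tcp and /proc/net/udp is enough to answer the original question on a BusyBox-only image. The following POSIX sh script is an added example, not code from anyone in the thread: it looks up a port the way the iptables rules above need it checked, and the /proc file names, the constructed sample socket table and the `portcheck.sh` name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a TCP or UDP port is
# already bound by reading /proc/net/{tcp,tcp6,udp,udp6}, which a BusyBox
# image has even when netstat, nmap and lsof are not installed.

# Decimal port -> the 4-digit uppercase hex used in /proc/net/* entries.
port_hex() {
    printf '%04X' "$1"
}

# port_in_use tcp|udp PORT [FILE...]: print every socket bound to PORT and
# return 0 if one was found, 1 otherwise. FILE defaults to procfs.
port_in_use() {
    proto=$1; port=$2; shift 2
    [ $# -eq 0 ] && set -- "/proc/net/$proto" "/proc/net/${proto}6"
    hex=$(port_hex "$port")
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Columns: sl local_address rem_address st ...; the header line has
        # no hex port so it never matches. TCP st 0A = LISTEN; UDP st 07 =
        # bound (UNCONN). No pipe here, so $found survives the loop.
        while read -r sl local rem st rest; do
            case "$local" in *:"$hex") ;; *) continue ;; esac
            case "$proto:$st" in
                tcp:0A|udp:07)
                    echo "$proto/$port bound on ${local%:*} (st $st) in $f"
                    found=0 ;;
            esac
        done < "$f"
    done
    return $found
}

# Constructed sample in /proc/net/tcp layout (not captured from a real box):
# a LISTEN socket on 0.0.0.0:10000 and one on 127.0.0.1:53.
write_sample() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1
EOF
}

# Usage on the router: sh portcheck.sh tcp 10000   (exit 0 = in use, 1 = free)
if [ $# -eq 2 ]; then
    port_in_use "$1" "$2" || echo "$1/$2 is free"
fi
```

Run it once per port before inserting the rules, e.g. `sh portcheck.sh udp "$UDP_PORT"`, and only add the rule when it exits 1.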