On Fri, Nov 6, 2009 at 10:12 AM, Marco Savo wrote:
> Thanks a lot for your help
> Marco
>
> On Fri, Nov 6, 2009 at 5:33 PM, Lisa Kachold wrote:
>>
>> On Fri, Nov 6, 2009 at 8:50 AM, Marco Savo wrote:
>>>
>>> Thanks, but currently I have an embedded linux board (based on openwrt)
>>> that uses busybox, and there is no netstat, nmap or lsof command. I
>>> guess I can read /proc/net/tcp or udp, but iptables doesn't show a list of
>>> used ports?
>>>
>>> On Fri, Nov 6, 2009 at 1:49 PM, Lisa Kachold wrote:
>>>>
>>>> On Fri, Nov 6, 2009 at 5:30 AM, Craig White wrote:
>>>>>
>>>>> On Fri, 2009-11-06 at 13:13 +0000, Marco Savo wrote:
>>>>> > Hello,
>>>>> > configuring iptables rules,
>>>>> > how can I find out if one port number I want to use is already in
>>>>> > use?
>>>>> > example:
>>>>> >
>>>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol udp
>>>>> > --dport ${UDP_PORT} --destination localhost
>>>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>>>> > --dport ${TCP_PORT} --destination localhost
>>>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>>>> > --dport ${TCP_HOST_PORT} --destination localhost
>>>>> >
>>>>> > How can I check if these ports (UDP_PORT TCP_PORT TCP_HOST_PORT) are
>>>>> > in use from another application?
>>>>> ----
>>>>> you can use netstat - for example, I might check for port 10000...
>>>>> # netstat -an|grep 10000
>>>>> tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
>>>>> udp 0 0 0.0.0.0:10000 0.0.0.0:*
>>>>>
>>>>> Craig
>>>>
>>>> You can also use nmap
>>>>
>>>> # nmap localhost
>>>>
>>>> or
>>>>
>>>> # netstat -anpt
>>>>
>>>> to see what is listening on what (depending on your distro - check
>>>> syntax)
>>>
>>> --
>>> 'The Magic Is In the Movement'
>>>
>>> Marco Savo
>>> SW Engineer
>>>
>>> 882 East Glenn St.
>>> Tucson, AZ 85719
>>> +1 (520) 248-5681
>>
>> Hey Marco,
>>
>> 1) Your netstat is probably going to be your best solution:
>>
>> This is how you install netstat-nat (for instance) on OpenWRT:
>>
>> # ipkg install http://tornado.stormchasers.dk/openwrt/netstat-nat_1.4.3_mipsel.ipk
>>
>> Netstat should be similar (just find the right version).
>>
>> Reference: https://forum.openwrt.org/viewtopic.php?id=6676
>>
>> 2) You can also use lsof (this one is for the whiterussian version of
>> OpenWRT, so check your packages):
>>
>> # ipkg install http://jackassofalltrades.com/openwrt/whiterussian/packages/lsof_4.77-1_mipsel.ipk
>>
>> # lsof -i
>>
>> 3) Nmap IPTABLES testing:
>>
>> You can still nmap from both the inside interface(s) (from a linux machine
>> or VMware machine - nmap is available for Window$s also) and from an online
>> nmap portal to see what is available and listening on the outside WAN
>> interface.
>>
>> http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-ports.html
>>
>> Some people configure their iptables with only nmap against each interface
>> with the assumption that if it's not listening with iptables down, it
>> doesn't need to be protected (be sure and check cron and anacron for any
>> scripts edited if this is a possibly encroached system).
>>
>> 4) IPTABLES kernel conntrack-tools assist to make really fine tables.
>>
>> Did you hand engineer your embedded sources for that box?
>>
>> Are you using connection tracking: (it's a small binary build)
>> http://conntrack-tools.netfilter.org/conntrack.html
>> http://svn.netfilter.org/netfilter/trunk/conntrack-tools/conntrack.8
>>
>> OpenWRT provides for conntrack (but there are bugs on some versions).
>>
>
> --
> 'The Magic Is In the Movement'
>
> Marco Savo
> SW Engineer
>
> 882 East Glenn St.
> Tucson, AZ 85719
> +1 (520) 248-5681

These links provide additional sources for adding to OpenWRT:

Official packages:
http://downloads.openwrt.org/kamikaze/

Third Party Builds:
http://www.ipkg.be/
http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/

Individual builds:
http://tornado.stormchasers.dk/openwrt/

More about building your own packages:
http://wiki.openwrt.org/oldwiki/openwrtdocs/packages

Also, check out this web based management for kamikaze - XWRT includes firewall tools:
http://wiki.openwrt.org/oldwiki/openwrtdocs/xwrt

You can always remove them if they don't work - or after use?

--
Skype: (623)239-3392
AT&T: (503)754-4452
www.obnosis.com
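Marco's quoted remark about falling back to /proc/net/tcp on a busybox-only box is the one practical gap the thread leaves open, so here is an added example (written for this page, not by anyone in the thread) of a POSIX sh script that answers "is this port in use?" from that table alone: it converts the port to the kernel's hex form, checks whether any socket is bound to it, and lists the TCP ports in LISTEN state. It assumes only sh, awk and printf, which busybox provides; the sample table is constructed inline so the script runs anywhere, and on the router you would pass /proc/net/tcp, /proc/net/tcp6 or /proc/net/udp instead.

```shell
#!/bin/sh
# Added example: answer "is port N in use?" from /proc/net/tcp when netstat is absent.
# Table format (one socket per line after the header):
#   sl local_address rem_address st ...   e.g.  "1: 00000000:2710 00000000:0000 0A ..."
# local_address is hex IP ":" hex port, so 00000000:2710 is 0.0.0.0:10000; st 0A is LISTEN.

# Return 0 if any socket in TABLE (default /proc/net/tcp) is bound to PORT, else 1.
# Pass /proc/net/udp or /proc/net/tcp6 to check the other tables.
port_in_use() {
    port=$1
    table=${2:-/proc/net/tcp}
    hexport=$(printf '%04X' "$port")           # 10000 -> 2710
    awk -v p="$hexport" '
        NR > 1 { split($2, a, ":"); if (a[2] == p) found = 1 }
        END    { exit(found ? 0 : 1) }' "$table"
}

# Print, one per line in decimal, the ports of sockets in LISTEN state (st == 0A).
# Only meaningful for TCP tables; UDP sockets never show that state.
listening_tcp_ports() {
    table=${1:-/proc/net/tcp}
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$table" |
    while read -r hexport; do printf '%d\n' "0x$hexport"; done
}

# Constructed sample table (not captured from a real box): sshd listening on 22,
# something listening on 10000, and one established client connection on 45678.
write_sample_tcp_table() {
    f=${TMPDIR:-/tmp}/sample_proc_net_tcp.$$
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0
   2: 0100007F:B26E 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 20 4 30 10 -1
EOF
    echo "$f"
}

sample=$(write_sample_tcp_table)
for p in 22 10000 10001 45678; do
    if port_in_use "$p" "$sample"; then echo "port $p: in use"; else echo "port $p: free"; fi
done
echo "listening TCP ports:"; listening_tcp_ports "$sample"
rm -f "$sample"
```

Note that port_in_use reports 45678 as in use even though nothing listens there: an established client socket holds the port just as a listener does, which is the check that matters before handing a port to a new service. For UDP, run port_in_use against /proc/net/udp; bound UDP sockets appear there with state 07, not 0A.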