On 31 Aug 2000, Mike Starke said:
> Would someone be willing to explain the -y flag in ipchains for me?
Y, because we love you. M-O-U-... :)
[!] -y, --syn
Only match TCP packets with the SYN bit set and the
ACK and FIN bits cleared. Such packets are used to
request TCP connection initiation; for example,
blocking such packets coming in an interface will
prevent incoming TCP connections, but outgoing TCP
connections will be unaffected. This option is
only meaningful when the protocol type is set to
TCP. If the "!" flag precedes the "-y", the sense
of the option is inverted.
What that means is the -y flag matches packets initiating a TCP
connection. The initiation has to be accepted for any other packets to be
able to do something. By blocking the initiation packets, you're
preventing TCP connections from being established, e.g. if you block them
from port 80 nobody can connect to your web server.
This does not affect UDP connections. Look in /etc/services to find out
what type of service and what port something should be on.
> Maybe an example of when/why it would be used?
>
> I want to allow telnet to an outside (internet) server only
> when the connection is initiated by a certain internal (192.168.2.x)
> ip.
# port 23 is the destination port (the remote telnetd), so it goes after -d;
# a port given after -s would be the source port of the packet
ipchains -A int-in -j ACCEPT -p TCP -y -s 192.168.2.x/32 -d 0/0 23
ipchains -A int-in -j DENY -p TCP -y -s 0/0 -d 0/0 23
int-in is what I call the chain for incoming connections on the internal
(to my network) card.
Now if you don't do anything else to port 23, telnet connections from
192.168.2.x will work, but not from anywhere else.
Better off removing telnetd altogether and setting up ssh :).
ciao,
der.hans
--
#
der.hans@LuftHans.com home.pages.de/~lufthans/
www.Opnix.com
# I'm not anti-social, I'm pro-individual. - der.hans
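As an added example, not part of der.hans's mail or of ipchains itself, here is a small model of the -y test (SYN set, ACK and FIN clear, with "!" inverting it) and of first-match chain evaluation, run against the two int-in rules above; 192.168.2.10 stands in for the "192.168.2.x" host and is a constructed value.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# TCP flag bits as they appear in the TCP header flags byte
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def is_syn_only(flags: int, invert: bool = False) -> bool:
    """ipchains -y: SYN set and both ACK and FIN clear (a connection request).
    invert=True models '! -y', which matches everything except such packets."""
    match = bool(flags & TCP_SYN) and not (flags & (TCP_ACK | TCP_FIN))
    return match != invert


@dataclass
class Rule:
    target: str               # ACCEPT or DENY
    src: str                  # -s network, e.g. "192.168.2.10/32" or "0/0"
    dport: Optional[int]      # port after -d; None means any port
    syn_only: bool = False    # -y given?


@dataclass
class Packet:
    src: str                  # source IP address
    dport: int                # destination port
    flags: int                # TCP flags byte


def matches(rule: Rule, pkt: Packet) -> bool:
    net = ip_network("0.0.0.0/0" if rule.src == "0/0" else rule.src)
    if ip_address(pkt.src) not in net:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.syn_only and not is_syn_only(pkt.flags):
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, default: str = "ACCEPT") -> str:
    """First matching rule decides; unmatched packets fall through to the default."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return default


# The int-in chain from the mail, with 192.168.2.10 as the constructed internal host
INT_IN = [
    Rule("ACCEPT", "192.168.2.10/32", 23, syn_only=True),
    Rule("DENY", "0/0", 23, syn_only=True),
]
```

A SYN to port 23 from any other internal address hits the DENY rule, while ACK-only packets and other ports fall through untouched, which is exactly why -y blocks new connections without disturbing established ones.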