Thanks! I think that made it pretty clear for me.
Can't "block" the telnet as the server I need to telnet into
is at my ISP and therefore allowing me to type this message :-)
Really appreciate the time you took explaining: Now I can apply
it to the rest of my rules.
Mike
>
> On 31 Aug 2000, Mike Starke wrote:
>
> > Would someone be willing to explain the -y flag in ipchains for me?
>
> Y, because we love you. M-O-U-... :)
>
> [!] -y, --syn
> Only match TCP packets with the SYN bit set and the
> ACK and FIN bits cleared. Such packets are used to
> request TCP connection initiation; for example,
> blocking such packets coming in an interface will
> prevent incoming TCP connections, but outgoing TCP
> connections will be unaffected. This option is
> only meaningful when the protocol type is set to
> TCP. If the "!" flag precedes the "-y", the sense
> of the option is inverted.
>
> What that means is the -y flag matches packets initiating a tcp
> connection. The initiation has to be accepted for any other packets to be
> able to do something. By blocking the initiation packets, you're
> preventing tcp connections from being established, e.g. if you block them
> from port 80 nobody can connect to your web server.
>
> This does not affect udp connections. Look in /etc/services to find out
> what type of service and what port something should be on.
>
> > Maybe an example of when/why it would be used?
> >
> > I want to allow telnet to an outside (internet) server only
> > when the connection is initiated by a certain internal (192.168.2.x)
> > ip.
>
> ipchains -A int-in -j ACCEPT -p TCP -y -s 192.168.2.x/32 23
> ipchains -A int-in -j DENY -p TCP -y -s 0/0 23
>
> int-in is what I call the chain for incoming connections on the internal
> (to my network) card.
>
> Now if you don't do anything else to port 23 telnet connections from
> 192.168.2.x will work, but not from anywhere else.
>
> Better off removing telnetd altogether and setting up ssh :).
>
> ciao,
>
> der.hans
> --
> # der.hans@LuftHans.com home.pages.de/~lufthans/ www.Opnix.com
> # I'm not anti-social, I'm pro-individual. - der.hans
>
>
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
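The -y semantics from the man page and der.hans's two int-in rules, as an added worked example (not code from the thread): a small Python model that walks the chain over constructed packets. It assumes 192.168.2.7 in place of the "x" in the original rule and reads the trailing 23 as the telnet port the rule is aimed at; in real ipchains syntax a port given after -s is a source port, so a rule meant for the telnet destination port would be written with -d ... 23.

```python
import ipaddress

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, ACK = 0x01, 0x02, 0x10

def matches_y(flags):
    """ipchains -y: SYN set AND both ACK and FIN cleared, i.e. a bare
    connection request. A SYN/ACK reply or a data segment does not match."""
    return bool(flags & SYN) and not (flags & (ACK | FIN))

# The two int-in rules from the thread, in chain order. 'x' is a placeholder
# in the original; 192.168.2.7 is a constructed stand-in. syn=True means the
# rule carries -y, False would mean '! -y', None means no flag test at all.
INT_IN = [
    dict(target="ACCEPT", src=ipaddress.ip_network("192.168.2.7/32"), port=23, syn=True),
    dict(target="DENY",   src=ipaddress.ip_network("0.0.0.0/0"),      port=23, syn=True),
]

def packet(src, port, flags, proto="tcp"):
    """A constructed packet summary: source IP, telnet port, TCP flags."""
    return dict(src=ipaddress.ip_address(src), port=port, flags=flags, proto=proto)

def walk_chain(pkt, chain=INT_IN, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain's policy applies.
    Non-TCP traffic never matches a '-p TCP -y' rule."""
    for rule in chain:
        if pkt["proto"] != "tcp" or pkt["src"] not in rule["src"] or pkt["port"] != rule["port"]:
            continue
        if rule["syn"] is None or matches_y(pkt["flags"]) == rule["syn"]:
            return rule["target"]
    return policy

def demo():
    """Decisions for constructed packets, in this order: SYN from the allowed
    host, SYN from another LAN host, then a SYN/ACK, a plain ACK and a UDP
    datagram from that other host. Only the bare SYNs hit the -y rules; the
    rest fall through to the policy, but go nowhere without an accepted SYN."""
    samples = [
        packet("192.168.2.7", 23, SYN),
        packet("192.168.2.99", 23, SYN),
        packet("192.168.2.99", 23, SYN | ACK),
        packet("192.168.2.99", 23, ACK),
        packet("192.168.2.99", 23, 0, proto="udp"),
    ]
    return [walk_chain(p) for p in samples]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```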