Re: IPTables question

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: IPTables question
Hi...

On Fri, Jul 1, 2011 at 12:22 PM, Mike Ballon <> wrote:

> When listing try iptables -L -n
>
> also you should see a port, ex:
>
> ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           state NEW tcp dpt:22
>
> or in your case I'm guessing ici is the protocol and you grep ici from
> /etc/services you'll see port 2200
>
> I would just use the IP on the rule unless you have a reason not to.
>
>
> On Fri, Jul 1, 2011 at 2:54 PM, keith smith <> wrote:
>
>> Hi,
>>
>> I added a rule : iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j
>> ACCEPT
>>
>> and when I list the iptables I see:
>>
>> ACCEPT     tcp  --  24-221-202-36.pools.static.spcsdns.net  anywhere            tcp dpt:ici
>>
>> Are the below two rules the same?
>>
>> iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp -s 24-221-202-36.pools.static.spcsdns.net --dport 22 -j ACCEPT
>>
Depending on your DNS settings, yes. If you use a "hostname" entry in
/etc/hosts that conflicts with DNS, you might find a hang.

This is clearly your SWIP'd IP address in a dynamic pool from your upstream
utility provider, which is only loaned. Since SSH requires reverse DNS
authentication as part of the RFC, you cannot have a mismatched IP and
hostname, especially if in your /etc/ssh/sshd_config you have strict
checking enabled.

I would ALWAYS use the IP address ONLY in iptables.


>> In other words, can I use 24-221-202-36.pools.static.spcsdns.net in place
>> of the IP?
>>
>> Also I do not see the port when I issue iptables -L ? How can I tell if
>> the rule applies to a specific port?
>>
An easier way to learn iptables is to use the actual configuration syntax
reported via
# /sbin/iptables-save

You can see the port and each line EXACTLY as entered then. You can pipe to
a file:

# /sbin/iptables-save >/tmp/iptables-$date

You can edit that file:

# vi /tmp/iptables-$date

You can restore that file after edits:

BEWARE of FLUSHING DNS unless you are directly in front of your machine or
KNOW WHAT YOU ARE DOING!

# /sbin/iptables-restore </tmp/iptables-$date

Finally you can save that in a persistent state that will write to your
startup iptables files.

# /etc/init.d/iptables save

In that way, you don't corrupt your startup configuration. You always test
your config before adding it to a running config.

Use nmap to test your iptables from an external server (even on your local
network):

# nmap -P0 24.221.202.36 (or the NAT address 192.168.n.n)


>
>> Thanks!
>>
>> ------------------------
>> Keith Smith
>>
>

--
(602) 791-8002 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
Eat'N Cookies <http://www.securitytube.net/video/1991>
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
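An added example (not code from anyone in this thread) tying the two points together: a small audit of an iptables-save style file, run before iptables-restore, that prints each rule's source and --dport numerically (what `iptables -L` hides behind names like "ici" and reverse-DNS hostnames) and flags any hand-edited rule whose -s is a hostname, since iptables-restore has to resolve it through DNS at load time. The rules file is constructed inline; only IPv4 dotted quads are treated as numeric (an assumption, no IPv6 rules are considered).

```shell
#!/bin/sh
# Constructed iptables-save excerpt for the demo. The pool hostname and address
# are the ones discussed in the thread; the second rule is the hand-edited mistake.
SAVED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 24.221.202.36/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 24-221-202-36.pools.static.spcsdns.net -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Read a rules file on stdin; print one line per -A rule: chain, source, dport, target.
# A source that is not an IPv4 address or CIDR block is marked as a hostname.
audit_rules() {
    awk '
    /^-A / {
        src = "any"; dport = "any"; target = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-s")           src = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j")      target = $(i + 1)
        }
        note = ""
        if (src != "any" && src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
            note = "  <-- HOSTNAME: resolved via DNS by iptables-restore"
        printf "%-8s src=%-42s dport=%-5s %s%s\n", $2, src, dport, target, note
    }'
}

# Number of rules whose -s is a hostname rather than an address; 0 means the file
# can be restored without any DNS lookup.
count_hostname_sources() {
    audit_rules | awk '/HOSTNAME/ { n++ } END { print n + 0 }'
}

# Workflow from the thread (needs root, not run here):
#   iptables-save > /tmp/iptables-$date ; vi /tmp/iptables-$date
#   count_hostname_sources < /tmp/iptables-$date     # expect 0 before restoring
#   iptables-restore < /tmp/iptables-$date
printf '%s\n' "$SAVED_RULES" | audit_rules
```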