[root@Arch root]# iptables -A INPUT -p tcp -i eth0 --sport https -j ACCEPT
iptables v1.2.10: invalid TCP port/service `https' specified
Try `iptables -h' or 'iptables --help' for more information.
Why?
In other distros it works perfectly ...
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
You probably actually want the destination port if it is on a server. Clients connect from a high-numbered random port to the server on 443 (https). The dport matches the destination of the packet...
hence..
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
would be right for a server, whereas a client would simply need
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
Thx, now it works.
But... why?
The iptables comparison is performed on the packet itself and its contents. If you sniffed the packet, you would see that the source of the packet is the machine of the person requesting the website, and the destination of the packet would be your server.
Since the packet is allowed in by the rule, it gets to the box. The outgoing return data is either allowed by default (some people let anything out, but only filter incoming) or allowed via connection tracking (since it is part of a conversation that was allowed in, it gets allowed out).
You can do a man iptables to find all kinds of other info, and searching google helps too. Best thing of all to do is just fire up a packet sniffer and watch...
8)
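An added example, not code from the thread, that emits the server and client rulesets recommended above as a dry run (default-deny INPUT, connection tracking for replies, --dport for the services a server exposes). Service names are resolved to numbers from a services table before they reach iptables, so a box whose table lacks an entry fails with its own message rather than the "invalid TCP port/service" error seen at the top; SERVICES_FILE, IPT, resolve_port, server_rules and client_rules are names assumed here.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the iptables commands by
# default; set IPT=iptables to apply them for real.
SERVICES_FILE="${SERVICES_FILE:-/etc/services}"
IPT="${IPT:-echo iptables}"

# resolve_port NAME_OR_NUMBER PROTO -> numeric port on stdout, or return 1.
# Numbers pass through; names are looked up in SERVICES_FILE (same format
# as /etc/services: "https 443/tcp ...").
resolve_port() {
  case "$1" in
    *[!0-9]*|'')
      port=$(awk -v n="$1" -v p="$2" \
        '$1==n && index($2,"/"p) { split($2,a,"/"); print a[1]; exit }' \
        "$SERVICES_FILE" 2>/dev/null)
      [ -n "$port" ] || { echo "unknown service: $1/$2" >&2; return 1; }
      printf '%s\n' "$port" ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# server_rules SERVICE...: match on the DESTINATION port. The packet that
# reaches a server carries the client's random high port as its source,
# so --sport 443 would never match an incoming request.
server_rules() {
  $IPT -P INPUT DROP
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  for svc in "$@"; do
    port=$(resolve_port "$svc" tcp) || return 1
    $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
}

# client_rules: a client opens the connections itself, so it only needs
# the tracked replies let back in; no per-port rule is required.
client_rules() {
  $IPT -P INPUT DROP
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Running `server_rules https ssh` with the default IPT prints the rules so they can be reviewed before applying them on the box.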