
#1 2004-06-19 16:58:53

Enrico
Member
Registered: 2004-06-19
Posts: 7

problems with https web pages and my iptables scripts

[root@Arch root]# iptables -A INPUT -p tcp -i eth0 --sport https -j ACCEPT
iptables v1.2.10: invalid TCP port/service `https' specified
Try `iptables -h' or 'iptables --help' for more information.

Why?

In others distro it works perfectly ...


#2 2004-06-20 04:18:09

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615

Re: problems with https web pages and my iptables scripts

iptables -A INPUT -p tcp --sport 443 -j ACCEPT

you probably actually want the destination port if it is on a server. Clients connect from a high-numbered random port to the server on 443 (https). The dport matches the destination of the packet...

hence..
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
would be right for a server, whereas a client would simply need
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#3 2004-07-04 16:54:01

Enrico
Member
Registered: 2004-06-19
Posts: 7

Re: problems with https web pages and my iptables scripts

cactus wrote:

iptables -A INPUT -p tcp --sport 443 -j ACCEPT

you probably actually want the destination port if it is on a server. Clients connect from a high-numbered random port to the server on 443 (https). The dport matches the destination of the packet...

hence..
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
would be right for a server, whereas a client would simply need
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Thx, now it works :)
But... why?


#4 2004-07-05 09:47:48

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615

Re: problems with https web pages and my iptables scripts

the iptables comparison is performed on the packet itself, and its contents. If you sniffed the packet, you would see that the source of the packet is the machine of the person requesting the website, and the destination of the packet would be your server.
Since the packet is allowed in by the rule, it gets to the box. The outgoing return data is either allowed by default (some people let anything out, but only filter incoming) or allowed via connection tracking (since it is part of a conversation that was allowed in, it gets allowed out).

You can do a man iptables to find all kinds of other info, and searching google helps too. Best thing of all to do is just fire up a packet sniffer and watch...
8)

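A small model of the matching cactus describes above, added here as an illustration and not code from the thread: it replays the three rules against the client's first packet (on the server) and against the server's reply (on the client), with a plain set standing in for connection tracking, and uses getservbyname to show where the service-name lookup from post #1 can fail. The addresses and ports are constructed values from the RFC 5737 documentation ranges.

```python
import socket
from typing import NamedTuple, Optional

class Packet(NamedTuple):       # the header fields iptables compares (post #4)
    src: str
    sport: int
    dst: str
    dport: int

class Rule(NamedTuple):
    sport: Optional[int] = None             # --sport
    dport: Optional[int] = None             # --dport
    states: frozenset = frozenset()         # -m state --state ...
    target: str = "ACCEPT"                  # -j

def input_chain(rules, flows, p, policy="DROP"):
    """First matching rule wins; no match falls through to the chain policy.
    `flows` stands in for conntrack: either direction of a recorded flow is ESTABLISHED."""
    fwd, rev = tuple(p), (p.dst, p.dport, p.src, p.sport)
    st = "ESTABLISHED" if fwd in flows or rev in flows else "NEW"
    for r in rules:
        if (r.sport in (None, p.sport) and r.dport in (None, p.dport)
                and (not r.states or st in r.states)):
            if r.target == "ACCEPT":
                flows.add(fwd)              # accepted packets become tracked flows
            return r.target
    return policy

def port_from_spec(spec):
    """iptables maps a service name to a port through getservbyname, i.e.
    /etc/services; a name missing there is post #1's 'invalid TCP port/service'."""
    if spec.isdigit():
        return int(spec)
    try:
        return socket.getservbyname(spec, "tcp")
    except OSError:
        return None

CLIENT, SERVER = "192.0.2.20", "203.0.113.10"  # constructed documentation addresses
REQUEST = Packet(CLIENT, 51234, SERVER, 443)   # client's first packet to the server

def server_verdict(rule):
    """Verdict of the server's INPUT chain on the client's first packet."""
    return input_chain([rule], set(), REQUEST)

def client_reply_verdict():
    """On the client the request already went out and was tracked; the reply arrives on INPUT."""
    return input_chain([Rule(states=frozenset({"ESTABLISHED", "RELATED"}))],
                       {tuple(REQUEST)}, Packet(SERVER, 443, CLIENT, 51234))
```

The `--sport 443` rule drops the client's request on a server because that packet's source port is the client's ephemeral port, while the same rule shape is exactly what the state match handles on a client.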
