Re: Converting ipchains rules to iptables!

From: Andrew Carson (acarson@NOSPAM.iinet.net.au)
Date: 10/19/02


> # Deny TCP and UDP packets to privileged ports
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
>
> now, you helped me with these where $EXTIF and $ANY are assigned with
> values.
>
> # Deny TCP and UDP packets to privileged ports
>
> iptables -A INPUT -p udp -i $EXTIF -d $ANY 0:1023 -p udp -j LOG
> iptables -A INPUT -p udp -i $EXTIP -d $ANY 0:1023 -j DROP
>
> iptables -A INPUT -p tcp -i $EXTIF -d $ANY 0:1023 -j LOG
> iptables -A INPUT -p tcp -i $EXTIF -d $ANY 0:1023 -j DROP
>
> Now, iptables says ...
>
> Warning: wierd character in interface `-d' (No aliases, :, ! or *).
> Bad argument `0-1023'
>
> Why is this happening, please?
>
> thanks in advance.

When referring to a port in iptables, you refer to either the destination port
or the source port, so in this case you'd use:
-d $ANY --dport 0:1023

However, since iptables is stateful, there's no need to do this; you can
just do:
iptables -A INPUT -p tcp -i $EXTIF -m state --state NEW,INVALID -j DROP
This won't let *any* *new* packets in on $EXTIF; you just put your holes in
afterwards for services you are running.

HTH
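As an added example (not code from either poster), the sh script below builds both forms of the rule set discussed in this reply: a direct conversion of the quoted ipchains rules, and the stateful variant. The ipchains "-d $ANY 0:1023" becomes "-d $ANY --dport 0:1023" (--dport only works after -p tcp or -p udp), "-j DENY" becomes "-j DROP", and the ipchains "-l" log flag becomes a separate LOG rule in front of the DROP, since LOG is a non-terminating target. The script assumes $ANY is 0.0.0.0/0, and by default it only echoes the iptables commands so it can be read and checked without root; set IPTABLES=iptables to apply them. One caveat the reply glosses over: iptables matches first rule wins, so the ACCEPT "holes" for running services must come before the NEW,INVALID DROP rule, which is how the stateful function orders them.

```shell
#!/bin/sh
# Added example: emit (or apply) the iptables rules from the thread above.
# IPTABLES defaults to "echo iptables" so the rules are printed, not applied;
# run with IPTABLES=iptables as root to install them for real.
: "${IPTABLES:=echo iptables}"

# Direct conversion of the quoted ipchains rules.
#   ipchains: -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
#   iptables: LOG rule + DROP rule, with the port range given as --dport.
# $1 = external interface, $2 = destination (assumed 0.0.0.0/0, i.e. $ANY).
deny_privileged_ports() {
    extif=$1
    any=${2:-0.0.0.0/0}
    for proto in udp tcp; do
        # --dport is only valid once a protocol has been selected with -p
        $IPTABLES -A INPUT -i "$extif" -p "$proto" -d "$any" --dport 0:1023 \
            -j LOG --log-prefix "priv-port:"
        $IPTABLES -A INPUT -i "$extif" -p "$proto" -d "$any" --dport 0:1023 \
            -j DROP
    done
}

# Stateful form: let replies to our own connections in, open the listed TCP
# service ports for NEW connections, then drop every other NEW or INVALID
# packet arriving on the external interface. Order matters: iptables stops at
# the first matching rule, so the ACCEPT holes must precede the final DROP.
# $1 = external interface, remaining args = TCP ports to allow (assumed list).
stateful_input() {
    extif=$1
    shift
    $IPTABLES -A INPUT -i "$extif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        $IPTABLES -A INPUT -i "$extif" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A INPUT -i "$extif" -m state --state NEW,INVALID -j DROP
}

# Usage (prints the rules; nothing is changed on the host):
#   . ./rules.sh; deny_privileged_ports eth0; stateful_input eth0 22 80
```

The "-m state" match is the 2002-era module the reply refers to; on current kernels the same rules are usually written with "-m conntrack --ctstate", and the state names carry over unchanged.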