Mailinglist Archive: opensuse (5130 mails)

Re: [SLE] opening up reserved ports for non-registered custom applications
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Mon, 01 May 2006 11:47:04 -0600
  • Message-id: <44564998.7060007@xxxxxxxxxxxxx>
On 01/05/06 10:17, Brandon Spruth wrote:
> Has anyone had any experience opening up non-standard applications on
> ports below 1024? I have a situation now that I need to open up port 502
>
No different than opening any privileged port. I assume you are not
using SuSEfirewall2, or you could have done all this in YaST.
> <snip>
>
> For some reason I am not able to access this port regardless that the
> firewall is open on the port. Am I missing anything here?
>
Your firewall is *not* open on port 502, it is only open for new
connections, but not for existing ones. The way your commands read makes
me think you are still thinking in the ipchains way. Your commands try
to mix stateful and stateless firewalling concepts in each command,
which will not work well at all.

> iptables -A INPUT -i eth0 -p tcp --sport $unprivports -d $ext_ip --dport
> 502 -m state --state NEW -j ACCEPT
>
^^^^
NEW, RELATED, ESTABLISHED

Also, I think that "-A INPUT .... -d $ext_ip" is redundant; anything
arriving for "this" machine automatically goes to the INPUT chain,
anything arriving for any other IP automatically goes to the FORWARD
chain. (At least, that is my take on what the netfilter howto says.)
> iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $ext_ip --sport 502 --dport
> $unprivports -j ACCEPT
>

! --syn is equivalent to "-m state --state ESTABLISHED, RELATED".

In both commands, --sport/dport $unprivports is really unnecessary.
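The following is an added example, not part of the thread and not the poster's own rule set. It writes the stateful version of the two rules above as a small shell script: a state-match rule for ESTABLISHED,RELATED traffic in each direction, plus one NEW rule for TCP port 502, with no `-d $ext_ip` and no source-port restriction. The interface name eth0 and the `IPTABLES` variable are assumptions; by default the script only echoes the commands so it can be read or tested without root or a kernel, and `IPTABLES=/usr/sbin/iptables` makes it apply them.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables rules for a custom
# service on privileged TCP port 502, as described in the reply above.
# Commands go through $IPTABLES, default "echo" (dry run); set
# IPTABLES=/usr/sbin/iptables and run as root to apply them.

IPTABLES="${IPTABLES:-echo}"
ext_if="${EXT_IF:-eth0}"    # assumed external interface name

# Emit a stateful rule set for one TCP service port.
#   $1 = TCP port (e.g. 502), $2 = interface (default eth0)
stateful_service_rules() {
    port="$1"
    iface="${2:-eth0}"

    # 1. Packets belonging to existing connections, in both directions.
    #    Without these the firewall accepts only the client's first SYN and
    #    drops the rest of the handshake, so the port looks closed even
    #    though the NEW rule is present.
    $IPTABLES -A INPUT  -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. New inbound connections to the service port only. No "-d $ext_ip"
    #    (traffic addressed to this host already lands in INPUT) and no
    #    "--sport" restriction (the client's source port is its own choice).
    $IPTABLES -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
}

# Count the emitted rules that use the state match. Runs the generator in
# a dry-run subshell so the result can be checked without touching netfilter.
count_state_rules() {
    (IPTABLES=echo; stateful_service_rules "$1" "$2") | grep -c -- '--state'
}

# Dry-run by default: prints the three rules for port 502 on $ext_if.
stateful_service_rules 502 "$ext_if"
```

The two ESTABLISHED,RELATED rules are generic and only need to exist once per chain; additional services are opened by adding further NEW rules with their own `--dport`.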
