opening up reserved ports for non-registered custom applications
Has anyone had any experience opening up non-standard applications on ports below 1024? I have a situation now where I need to open up port 502 on a custom application; however, starting up the app as a root user and opening up the ports on iptables does not seem to do the trick. Below are my iptables rules and an lsof of the app running on 502.

iptables -A INPUT -i eth0 -p tcp --sport $unprivports -d $ext_ip --dport 502 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $ext_ip --sport 502 --dport $unprivports -j ACCEPT

Listing of my iptables on port 502...
ACCEPT tcp -- 0.0.0.0/0 192.168.0.2 tcp spts:1024:65535 dpt:502 state NEW
ACCEPT tcp -- 192.168.0.2 0.0.0.0/0 tcp spt:502 dpts:1024:65535 flags:!0x17/0x02

Below is the lsof on port 502...
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
reciever. 10273 root 3u IPv4 49966 TCP 2-0-168-192.example.com:custom_application (LISTEN)

For some reason I am not able to access this port, regardless of the fact that the firewall is open on the port. Am I missing anything here?

--------------------
Brandon Spruth
brandon@xolia.net
On 01/05/06 10:17, Brandon Spruth wrote:
Has anyone had any experience opening up non-standard applications on ports below 1024? I have a situation now that I need to open up port 502
No different than opening any privileged port. I assume you are not using SuSEfirewall2, or you could have done all this in YaST.
<snip>
For some reason I am not able to access this port regardless that the firewall is open on the port. Am I missing anything here?
Your firewall is *not* open on port 502; it is only open for new connections, not for existing ones. The way your commands read makes me think you are still thinking in the ipchains way. Your commands try to mix stateful and stateless firewalling concepts in each command, which will not work well at all.
iptables -A INPUT -i eth0 -p tcp --sport $unprivports -d $ext_ip --dport 502 -m state --state NEW -j ACCEPT
^^^^ NEW, RELATED, ESTABLISHED

Also, I think that "-A INPUT .... -d $ext_ip" is redundant; anything arriving for "this" machine automatically goes to the INPUT chain, anything arriving for any other IP automatically goes to the FORWARD chain. (At least, that is my take on what the netfilter howto says.)
iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $ext_ip --sport 502 --dport $unprivports -j ACCEPT
! --syn is equivalent to "-m state --state ESTABLISHED, RELATED". In both commands, --sport/dport $unprivports is really unnecessary.
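The state mismatch Darryl describes, modelled in Python as an added example that is not part of the thread: a minimal stand-in for conntrack walks a client's handshake through the two rules above, once with the original `--state NEW` and once with `NEW,RELATED,ESTABLISHED`. The packet list, the client port 40000 and the simplified tracker (NEW until the first accepted reply, ESTABLISHED after) are assumptions made for the illustration.

```python
# Added example, not code from the thread: a toy model of netfilter's stateful
# matching, showing why an INPUT rule that accepts only --state NEW passes the
# client's SYN but drops everything after it, and why NEW,RELATED,ESTABLISHED fixes it.
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
FLAG_MASK = 0x17            # FIN|SYN|RST|ACK, the mask behind flags:!0x17/0x02


@dataclass(frozen=True)
class Pkt:
    direction: str          # "in" (INPUT chain) or "out" (OUTPUT chain)
    sport: int
    dport: int
    flags: int


def is_syn(p):
    """iptables --syn: SYN set, ACK/RST/FIN clear (so a SYN-ACK does NOT match)."""
    return (p.flags & FLAG_MASK) == SYN


def run(packets, input_states, policy="DROP"):
    """Return the verdict for each packet under the thread's two rules.
    input_states is the --state list on the INPUT rule; the OUTPUT rule is ! --syn."""
    seen_reply = False      # simplified conntrack: first accepted reply => ESTABLISHED
    verdicts = []
    for p in packets:
        state = "ESTABLISHED" if seen_reply else "NEW"
        if p.direction == "in":
            # -A INPUT -p tcp --sport unpriv --dport 502 -m state --state <list> -j ACCEPT
            ok = p.sport >= 1024 and p.dport == 502 and state in input_states
        else:
            # -A OUTPUT -p tcp ! --syn --sport 502 --dport unpriv -j ACCEPT
            ok = not is_syn(p) and p.sport == 502 and p.dport >= 1024
            seen_reply = seen_reply or ok
        verdicts.append("ACCEPT" if ok else policy)
    return verdicts


# Constructed handshake from a client on port 40000 to the app listening on 502.
HANDSHAKE = [
    Pkt("in", 40000, 502, SYN),         # client SYN      -> conntrack NEW
    Pkt("out", 502, 40000, SYN | ACK),  # server SYN-ACK  -> ! --syn matches
    Pkt("in", 40000, 502, ACK),         # client ACK      -> conntrack ESTABLISHED
    Pkt("in", 40000, 502, ACK),         # first request data from the client
]


def original_rules():
    return run(HANDSHAKE, {"NEW"})                            # last two packets dropped


def corrected_rules():
    return run(HANDSHAKE, {"NEW", "RELATED", "ESTABLISHED"})  # all ACCEPT
```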
Participants (2): Brandon Spruth, Darryl Gregorash