Login or Register to Ask a Question and Join Our Community


IP Networking

blocking traffic to destination network by port

 
Thread Tools Search this Thread
Special Forums IP Networking blocking traffic to destination network by port
Prev   Next
# 1  
Old 12-07-2011
blocking traffic to destination network by port
I am trying to block ALL traffic except when from ports 9100,22,23 to destination network 192.0.0.0 (my WAN): 2 networks 192.0.3.0 with static route to 192.0.0.0

Shouldn't this work?:

Code:
iptables -A INPUT -p tcp -d 192.0.0.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d 192.0.0.0/24 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -d 192.0.0.0/24 --dport 9100 -j ACCEPT
iptables -A INPUT -d 192.0.0.0/24 -j DROP

I tried it but it blocked everything on my router and cut off internet access.
Should I but the "DROP" line before the "ACCEPT" lines?
Last edited by herot; 12-07-2011 at 10:36 AM..
 
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Unable to open firewall port for external traffic.

Below is what i did to open the firewall port on # sudo firewall-cmd --zone=public --add-port=27012/tcp --permanent Warning: ALREADY_ENABLED: 27012:tcp success # sudo firewall-cmd --reload success # firewall-cmd --list-all public target: default icmp-block-inversion: no ... (10 Replies)
Discussion started by: mohtashims
10 Replies

2. IP Networking

I would like to monitor network traffic for a computer on my network

My son does homework on a school laptop. I was thinking about setting up a gateway on my home network, so that I can monitor web traffic and know if he is doing his homework without standing over his shoulder. Ideally I would like to use the Raspberry Pi Model b that I already have. However, I... (15 Replies)
Discussion started by: gandolf989
15 Replies

3. AIX

How to re-route traffic from one port to another?

Hi Friends, How to do port forwarding in AIX? We would like to re route traffic from port A to port B on AIX LPAR. for example: my application is using 8080 port on LPAR and would like to use the 8081 instead of 8080. By default application was configured with 8080. But instead of changing... (2 Replies)
Discussion started by: System Admin 77
2 Replies

4. Infrastructure Monitoring

How do I know what traffic is in network port?

If I would like to know what connection , data , traffic in a network port ( eth0 ) , what can I do ? ps. because I always found the network is very slow , so I would like what the network port is doing . Thanks Login ID ust3 is currently in read-only mode for multiple infractions. Creating... (0 Replies)
Discussion started by: ust03
0 Replies

5. IP Networking

Question about blocking incomming traffic

Hello, Like many others, I have continued to get attempts to connect to my local net router from the Asia Pacific Network Information Centre and from RIPE Network Coordination Centre, Amsterdam. I would say that 90% of attempted connections come from these two locations. The originating IP... (5 Replies)
Discussion started by: LMHmedchem
5 Replies

6. AIX

Blocking/starting a Port in AIX 6.1

Hello Team, We are having weblogic which running on AIX 6.1 Lpar machine. We not enabled any firewall(IPSEC) in AIX level. Our weblogic is running on cluster.Whenever we stop/restart the cluster we would like to stop/start the port(by using command) which used by the weblogic. Please... (2 Replies)
Discussion started by: gowthamakanthan
2 Replies

7. IP Networking

iptables DNAT of outgoing destination port, unexpected behavior

Not sure if this should be here or in the security section. I am developing software that dynamically manipulates netfilter/iptables rules (through system() calls of the command strings, I'm not trying to hack the netfilter code). Basically, UDP messages that are sent by an application on, say,... (0 Replies)
Discussion started by: cjh19460
0 Replies

8. Solaris

How to enable Serial port on ILOM, when Network Port is enabled in parallel

Hi Everyone, In my environment, I have few T5220. On the iLOM Management Card, I have both Network and Serial port are cabled, I don't have any issues while I try to connect using Network Management port, but when I try to connect the serial port for the same server which is actually connected... (3 Replies)
Discussion started by: bobby320
3 Replies

9. Infrastructure Monitoring

Network Traffic

Hi all, Got a strange one here, well not so much strange, different :-) I need to work out if a server is particulary chatty, whether its talking / communicating heavily to a particular server, as Im planning to physically move the server to a different server, over a link. Hence the... (6 Replies)
Discussion started by: sbk1972
6 Replies

10. Cybersecurity

RedHat9:How to find what is blocking the port 1526/tcp

I'm trying to configure IDS9.40 on Ret Hat 9. The server has opened the port 1526/tcp nmap (nmap -sT -O linux) reports correctly that the port is open. However, portqry (portqry.exe -n 192.168.0.101 -e 1526 -p TCP) reports that the port is closed for connection: TCP port 1526 (turbo... (0 Replies)
Discussion started by: Juhasz Lajos
0 Replies
Login or Register to Ask a Question

LEARN ABOUT CENTOS

ipsec_eroute

IPSEC_EROUTE(5) 						  [FIXME: manual]						   IPSEC_EROUTE(5)

NAME

       ipsec_eroute - list of existing eroutes

SYNOPSIS

       ipsec eroute
	     cat/proc/net/ipsec_eroute

OBSOLETE

       Note that eroute is only supported on the classic KLIPS stack. It is not supported on any other stack and will be completely removed in
       future versions. On the mast stack, use ipsec policy, on the netkey stack, use ip xfrm

DESCRIPTION

       /proc/net/ipsec_eroute lists the IPSEC extended routing tables, which control what (if any) processing is applied to non-encrypted packets
       arriving for IPSEC processing and forwarding. At this point it is a read-only file.

       A table entry consists of:

       +
	   packet count,

       +
	   source address with mask and source port (0 if all ports or not applicable)

       +
	   a '->' separator for visual and automated parsing between src and dst

       +
	   destination address with mask and destination port (0 if all ports or not applicable)

       +
	   a '=>' separator for visual and automated parsing between selection criteria and SAID to use

       +
	   SAID (Security Association IDentifier), comprised of:

       +
	   protocol (proto),

       +
	   address family (af), where '.' stands for IPv4 and ':' for IPv6

       +
	   Security Parameters Index (SPI),

       +
	   effective destination (edst), where the packet should be forwarded after processing (normally the other security gateway) together
	   indicate which Security Association should be used to process the packet,

       +
	   a ':' separating the SAID from the transport protocol (0 if all protocols)

       +
	   source identity text string with no whitespace, in parens,

       +
	   destination identity text string with no whitespace, in parens

       Addresses are written as IPv4 dotted quads or IPv6 coloned hex, protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
       hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6

       SAIDs are written as "protoafSPI@edst". There are also 5 "magic" SAIDs which have special meaning:

       +
	   %drop means that matches are to be dropped

       +
	   %reject means that matches are to be dropped and an ICMP returned, if possible to inform

       +
	   %trap means that matches are to trigger an ACQUIRE message to the Key Management daemon(s) and a hold eroute will be put in place to
	   prevent subsequent packets also triggering ACQUIRE messages.

       +
	   %hold means that matches are to stored until the eroute is replaced or until that eroute gets reaped

       +
	   %pass means that matches are to allowed to pass without IPSEC processing

EXAMPLES

       1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0

	() ()

       means that 1,867 packets have been sent to an eroute that has been set up to protect traffic between the subnet 172.31.252.0 with a subnet
       mask of 24 bits and the default address/mask represented by an address of 0.0.0.0 with a subnet mask of 0 bits using the local machine as a
       security gateway on this end of the tunnel and the machine 192.168.43.1 on the other end of the tunnel with a Security Association
       IDentifier of tun0x130@192.168.43.1 which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a Security Parameters Index of
       130 in hexadecimal with no identies defined for either end.

       746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6

	() ()

       means that 746 packets have been sent to an eroute that has been set up to protect traffic sent from any port on the host 192.168.2.110 to
       the SMTP (TCP, port 25) port on the host 192.168.2.120 with a Security Association IDentifier of tun0x130@192.168.2.120 which means that it
       is a transport mode connection with a Security Parameters Index of 130 in hexadecimal with no identies defined for either end.

       125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()

       means that 125 packets have been sent to an eroute that has been set up to protect traffic between the subnet 3049:1:: with a subnet mask
       of 64 bits and the default address/mask represented by an address of 0:0 with a subnet mask of 0 bits using the local machine as a security
       gateway on this end of the tunnel and the machine 3058:4::5 on the other end of the tunnel with a Security Association IDentifier of
       tun:130@3058:4::5 which means that it is a tunnel mode connection with a Security Parameters Index of 130 in hexadecimal with no identies
       defined for either end.

       42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough

       means that 42 packets have been sent to an eroute that has been set up to pass the traffic from the subnet 192.168.6.0 with a subnet mask
       of 24 bits and to subnet 192.168.7.0 with a subnet mask of 24 bits without any IPSEC processing with no identies defined for either end.

       2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()

       means that 2112 packets have been sent to an eroute that has been set up to hold the traffic from the host 192.168.8.55 and to host
       192.168.9.47 until a key exchange from a Key Management daemon succeeds and puts in an SA or fails and puts in a pass or drop eroute
       depending on the default configuration with the local client defined as "east" and no identy defined for the remote end.

       2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 =>

	esp0xe6de@192.168.2.120:0 () ()

       means that 2001 packets have been sent to an eroute that has been set up to protect traffic between the host 192.168.2.110 and the host
       192.168.2.120 using 192.168.2.110 as a security gateway on this end of the connection and the machine 192.168.2.120 on the other end of the
       connection with a Security Association IDentifier of esp0xe6de@192.168.2.120 which means that it is a transport mode connection with a
       Security Parameters Index of e6de in hexadecimal using Encapsuation Security Payload protocol (50, IPPROTO_ESP) with no identies defined
       for either end.

       1984 3049:1::110/128 -> 3049:1::120/128 =>

	ah:f5ed@3049:1::120 () ()

       means that 1984 packets have been sent to an eroute that has been set up to authenticate traffic between the host 3049:1::110 and the host
       3049:1::120 using 3049:1::110 as a security gateway on this end of the connection and the machine 3049:1::120 on the other end of the
       connection with a Security Association IDentifier of ah:f5ed@3049:1::120 which means that it is a transport mode connection with a Security
       Parameters Index of f5ed in hexadecimal using Authentication Header protocol (51, IPPROTO_AH) with no identies defined for either end.

FILES

       /proc/net/ipsec_eroute, /usr/local/bin/ipsec

SEE ALSO

       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5), ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5),
       ipsec_pf_key(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by Richard Guy Briggs.

[FIXME: source] 						    10/06/2010							   IPSEC_EROUTE(5)