iptables port range funny
Oskar Andreasson
blueflux@koffein.net
Wed, 3 Oct 2001 15:00:42 +0200
Hi,
Hans, this was not the question if you look closely at it again =)
He's set up a rule that _should_ block all ports in the range 6000-6010, but
nmap only reports 6000-6009 as blocked.
As for Tim, I'd suggest upgrading iptables to 1.2.3 and kernel to 2.4.9/10 or
some such. Then see if the problem persists and get back to the list if it
does.
Have a nice day,
On Wednesday 03 October 2001 14:57, Hans Lohmander wrote:
> Hi,
> as you DROP nmap assumes it is behind a firewall, thus filtered.
> If you have no service running you get the equiv of
> REJECT --reject-with icmp-port-unreachable I believe.
>
> /Hans
>
> netfilter-request@lists.samba.org wrote:
> > Date: Wed, 03 Oct 2001 13:15:29 +0100
> > From: Tim <tim@domus29.freeserve.co.uk>
> > To: netfilter@lists.samba.org
> > Subject: iptables port range funny
> >
> > Hi there
> >
> > I can't find a reference to this, but I'm sure that it must have been
> > discovered before.
> >
> > I'm running iptables 1.2.1a-1.
> >
> > I have a rule that blocks access to X ports (6000:6010):
> > iptables -A INPUT -i $EXTDEV -d $EXTNET -p tcp --dport 6000:6010 -j DROP
> >
> > iptables -L -v confirms that this is in place
> >
> > 0 0 DROP tcp -- any eth0 217.204.229.160/28
> > anywhere tcp spts:X:6010
> >
> > However, when I run nmap (against this machine), it claims that only
> > ports 6000 to 6009 are filtered.
> > (nmap-2.54BETA22-3 - RedHat 7.1).
> >
> > Which is broken??
> >
> > Anyone else seen this?
> >
> > tc
>
> --
--
-----------------------------------
|Oskar Andreasson |
|Multisoft Education AB |
|http://www.libendo.com |
|phone: +46-8-6635555 |
|mailto: o.andreasson@libendo.com |
-----------------------------------
BOFH excuse #1:
clock speed
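An added example, not part of the original messages: one way to check a scan report against a DROP rule's port range, separating ports reported as filtered, ports reported in another state, and ports the report does not mention at all. It assumes nmap's grepable output layout (-oG); the function names and the sample data are constructed for illustration.

```python
# Constructed sample in nmap's grepable (-oG) layout; the host and the port
# states are made up for illustration, not taken from the thread.
SAMPLE_OG = (
    "Host: 192.0.2.10 ()\tPorts: "
    + ", ".join(f"{p}/filtered/tcp//X11///" for p in range(6000, 6009))
    + ", 6009/closed/tcp//X11///\tIgnored State: closed (1)\n"
)


def parse_port_states(grepable, proto="tcp"):
    """Return {port: state} for each entry in the 'Ports:' fields."""
    states = {}
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        # Fields on a host line are tab-separated; keep only the port list.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[0].isdigit() and fields[2] == proto:
                states[int(fields[0])] = fields[1]
    return states


def audit_drop_range(grepable, first, last, proto="tcp"):
    """Sort every port of a DROP rule's range by what the scan reported."""
    states = parse_port_states(grepable, proto)
    result = {"filtered": [], "not_filtered": {}, "not_reported": []}
    for port in range(first, last + 1):
        state = states.get(port)
        if state is None:
            # No entry at all: the report says nothing about this port.
            result["not_reported"].append(port)
        elif state == "filtered":
            # nmap's state for a probe that got no usable reply, as with DROP.
            result["filtered"].append(port)
        else:
            # e.g. "closed": a reply came back, so the probe was not dropped.
            result["not_filtered"][port] = state
    return result


if __name__ == "__main__":
    print(audit_drop_range(SAMPLE_OG, 6000, 6010))
```

A port under "not_reported" is not evidence either way about the rule; only an entry under "not_filtered" shows a probe that got an answer.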