
opening a range of ports + xinetd

Status
Not open for further replies.

eanda10

Programmer
Apr 9, 2002
141
US
I need to open a range of ports, i.e. everything greater than 1023, on my Red Hat box. I think what is blocking the connections is the xinetd daemon. How can I open a range of ports, 1023 - 50,000?


Can I just assign port to read 1023-50000?

# xinetd service entry; "type = UNLISTED" is required because AS2 is not in /etc/services,
# so the port and protocol must be given explicitly
service AS2
{
    port        = 1023                  # xinetd listens on this single port
    socket_type = stream
    protocol    = tcp
    user        = root                  # the server process runs as root
    server      = /sbin/LexiCom/LexiCom
    type        = UNLISTED
    wait        = no                    # one server process per connection
}
 
I am setting up my server for the lovely AS2 communications with Walmart. They are telling me I have to open any port greater than 1024 to accept data from them.

 
What they mean is that you need to have client receive ports (INPUT chain) available greater than 1024. This is SOP on a well-configured desktop firewall, but all ports are never necessary. This is laziness/stupidity on the tech support side.

A minimal config could look like this:

# default-deny on INPUT, then hand bounded high-port ranges to user-defined chains
iptables -P INPUT DROP
iptables -N RECV_CHAIN      # your own receive rules go in here
iptables -N icmp_chain      # your own ICMP rules go in here
# -j RECV_CHAIN could be just -j ACCEPT, but that is cheesy and not really safe
iptables -A INPUT -s 0/0 -d $localbox -p tcp --dport 1024:5500 -j RECV_CHAIN
iptables -A INPUT -s 0/0 -d $localbox -p udp --dport 1024:5500 -j RECV_CHAIN
iptables -A INPUT -s 0/0 -d $localbox -p tcp --dport 30000:65000 -j RECV_CHAIN
iptables -A INPUT -s 0/0 -d $localbox -p udp --dport 30000:65000 -j RECV_CHAIN
iptables -A INPUT -s 0/0 -d $localbox -p icmp -j icmp_chain

Where the user-defined targets are rulesets you implement to do what you need for your protection. Given liberal rules elsewhere, this should allow you to talk with their services. Otherwise, get them to give you an exact client port range. "Greater than 1024" is not acceptable IMO.

General theory:
You allow the input and watch your services and output; that is a better rule than blocking ports that no services are running on. A decent stateful outbound chain makes sure that conversations between client and server are monitored and logged, so aberrancies are noticed in case of some backdoor or security breach.
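
A worked version of the rule set the answer sketches, added here as an example and not taken from either post: it keeps the default-deny INPUT policy and the user-defined chains, but only lets the trading partner's own source network open new connections, only on one bounded high-port range, and lets the state match handle replies to conversations this box started. The addresses (RFC 5737 documentation ranges), the 30000-35000 range and the contents of RECV_CHAIN and icmp_chain are constructed placeholders; the real partner network and port range are what the answer says to ask the partner for. IPT defaults to "echo iptables", so the script prints the rules as a dry run instead of applying them. The xinetd "port" attribute in the question takes a single port number, so a range like this belongs in the firewall, as the answer describes.

```shell
#!/bin/sh
# Added example (not from the thread): generate a stateful iptables INPUT policy
# that admits the partner's AS2 connections on a bounded high-port range instead
# of "everything above 1024".
# IPT defaults to a dry run; run with IPT=iptables to apply the rules for real.
IPT=${IPT:-"echo iptables"}

# valid_port_range LO HI: succeed only if both are numbers in 1..65535 and LO <= HI
valid_port_range() {
    lo=$1; hi=$2
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    case "$lo$hi" in *[!0-9]*) return 1;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# build_rules LOCALBOX PARTNER_NET LO HI: emit the rule set, or fail on a bad range.
# The two user-defined chains stand in for the answer's RECV_CHAIN / icmp_chain.
build_rules() {
    localbox=$1 partner=$2 lo=$3 hi=$4
    valid_port_range "$lo" "$hi" || { echo "bad port range $lo-$hi" >&2; return 1; }
    $IPT -P INPUT DROP
    $IPT -N RECV_CHAIN          # fails harmlessly if the chain already exists
    $IPT -N icmp_chain
    # loopback, and replies to conversations this box started
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # only the partner may open NEW connections, and only on the agreed range
    $IPT -A INPUT -s "$partner" -d "$localbox" -p tcp --dport "$lo:$hi" -m state --state NEW -j RECV_CHAIN
    $IPT -A INPUT -d "$localbox" -p icmp -j icmp_chain
    # RECV_CHAIN: log (rate-limited) then accept, so partner sessions leave a trace
    $IPT -A RECV_CHAIN -m limit --limit 5/min -j LOG --log-prefix "AS2-IN: "
    $IPT -A RECV_CHAIN -j ACCEPT
    # icmp_chain: rate-limited echo requests only, everything else dropped
    $IPT -A icmp_chain -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPT -A icmp_chain -j DROP
    # anything else on INPUT is logged before the DROP policy takes it
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Constructed sample values: 192.0.2.10 is this box, 203.0.113.0/24 is the partner.
build_rules 192.0.2.10 203.0.113.0/24 30000 35000
```

Running it as-is prints the rule set for review; the partner-specific source match and the NEW-state restriction are what turn the answer's "greater than 1024" into something that can actually be audited in the logs.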
 