TOPIC: Difference btn protocol "tcp" and "all"

Difference btn protocol "tcp" and "all" 12 years 5 months ago #14210

Nimmy (Topic Author, New Member, Posts: 5)
Dear Friends,

While writing firewall rule in iptables we can use the protocol value

tcp
udp
icmp
all

Can anyone explain to me:

(1). If we allow one firewall forward rule for the "tcp" protocol, for example

iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT -p tcp -d 0/0 --dport 80 -s 0/0 --sport 1:65535

and then a second rule for the "ip" protocol

iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j DROP -p all -d 0/0 -s 0/0

If we execute these two rules, I am able to browse.

I want to know what the difference is between "tcp", "all" and the others.

How does "all" differ from the other protocols "tcp", "udp" and "icmp"?

Thank You.

With Regards,
Nimmy
Nirmal Babu
Chennai

Protocols 12 years 5 months ago #14212

'all' allows you to create a rule that applies to any protocol, for example one that just restricts by IP address. If you want to be more granular then you can actually define the protocol that a rule will apply to, for example 'tcp'

Re: Difference btn protocol "tcp" and "all" 12 years 5 months ago #14215

In addition to TheBishop's reply, 'all' includes protocols that may not be covered by 'ip' like 'esp', 'ah', 'gre', etc.

Re: Difference btn protocol "tcp" and "all" 12 years 5 months ago #14217

Nimmy (Topic Author, New Member, Posts: 5)
Hi,

Thank you very much.

Let me explain my problem.

First I created one forward rule which allows the TCP traffic to the external network on port 80:

iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT -p tcp -d 0/0 --dport 80 -s 0/0 --sport 1:65535

Next I executed one forward rule which blocks the IP traffic to the external network on port 80:

iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j DROP -p all -d 0/0 -s 0/0

The source IP and destination IP ranges of the above two rules are the same; only the action is different.

Here the "all" protocol means all protocols, which includes 'tcp', 'udp', 'icmp' etc.

In this situation, is the traffic to the external network allowed or blocked after the two firewall rules are executed?

Sorry if I am wrong.

Thanks and Regards,
Nimmy
Nirmal Babu
Chennai

Re: Difference btn protocol "tcp" and "all" 12 years 5 months ago #14219

DaLight (Honored Member, Posts: 1302, Karma: 1)
Iptables processes the rules in turn and when a match is attained, it performs the specified instruction. Thus the second rule you've written

iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j DROP -p all -d 0/0 -s 0/0

will only be reached for all non-tcp traffic or for tcp traffic heading for ports other than 80.

Some additional comments on your rules syntax:

You do not need to specify "-s 0/0" or "-d 0/0" as these are implied by default. i.e. only specify them when you want to restrict to a particular IP range.
Likewise, "--sport 1:65535" is also redundant unless you want to restrict to a particular port number.
And come to think of it, "-p all" is also redundant as this is assumed unless of course you wish to specify a particular protocol. Of course, if you want to leave these options in to improve the readability of the rules, it's your choice.

Finally, to answer your initial query, you should be able to browse (on port 80) at least with the rules you specified.
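The following is an added example, not code from the thread or from the iptables project. It models the first-match evaluation DaLight describes, and the point from the earlier reply that '-p all' also catches protocols such as 'gre' or 'esp', by parsing the two rules exactly as Nimmy posted them and walking a constructed set of packets through them. Only the matches those rules use (-p, --dport, --sport, --state) are modelled; interfaces and addresses are ignored because both rules use the same ones, and the chain policy for packets no rule matches is assumed to be ACCEPT (the iptables default, unless an administrator has changed it).

```python
"""Simulate first-match evaluation of the two FORWARD rules from the thread.

Added example; not from the thread or from the iptables project.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    proto: str                     # "tcp", "udp", "icmp", "gre", "esp", ...
    sport: Optional[int] = None    # only meaningful for tcp/udp
    dport: Optional[int] = None
    state: str = "NEW"             # conntrack state: NEW, ESTABLISHED, ...


@dataclass
class Rule:
    target: str                                   # ACCEPT or DROP
    proto: str = "all"                            # "-p all" is the iptables default
    dport: Optional[int] = None
    sport_range: Optional[Tuple[int, int]] = None
    states: Set[str] = field(default_factory=set)


# Options that take one argument but are not modelled here (same in both rules).
IGNORED = {"-A", "-i", "-o", "-s", "-d", "-m"}


def parse_rule(cmd: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread into a Rule."""
    toks = shlex.split(cmd)
    rule = Rule(target="")
    i = 0
    while i < len(toks):
        t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t in IGNORED:
            i += 2
        elif t == "-p":
            rule.proto = arg.lower(); i += 2
        elif t == "-j":
            rule.target = arg.upper(); i += 2
        elif t == "--dport":
            rule.dport = int(arg); i += 2
        elif t == "--sport":
            lo, _, hi = arg.partition(":")          # "1:65535" or a single port
            rule.sport_range = (int(lo), int(hi or lo)); i += 2
        elif t == "--state":
            rule.states = set(arg.upper().split(",")); i += 2
        else:
            i += 1                                  # the leading "iptables" token
    if not rule.target:
        raise ValueError("rule has no -j target: " + cmd)
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every match in the rule agrees with the packet."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.sport_range is not None:
        lo, hi = rule.sport_range
        if pkt.sport is None or not (lo <= pkt.sport <= hi):
            return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides.
    A packet that no rule matches gets the chain policy (assumed ACCEPT)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


# The two rules exactly as posted in the thread.
THREAD_RULES = [parse_rule(r) for r in (
    'iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT -p tcp -d 0/0 --dport 80 -s 0/0 --sport 1:65535',
    'iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j DROP -p all -d 0/0 -s 0/0',
)]


def verdict(pkt: Packet) -> str:
    return evaluate(THREAD_RULES, pkt)


if __name__ == "__main__":
    samples = [  # constructed packets, not captured traffic
        ("web, new", Packet("tcp", sport=40000, dport=80)),
        ("https, new", Packet("tcp", sport=40001, dport=443)),
        ("dns, new", Packet("udp", sport=5353, dport=53)),
        ("ping", Packet("icmp")),
        ("gre tunnel", Packet("gre")),
        ("web, reply", Packet("tcp", sport=40000, dport=80, state="ESTABLISHED")),
    ]
    for label, pkt in samples:
        print(f"{label:12} -> {verdict(pkt)}")
```

Running it shows the new TCP connection to port 80 hitting the ACCEPT rule, while new HTTPS, DNS, ICMP and GRE traffic all fall through to the '-p all' DROP rule. The last sample is the caveat worth noticing: both of Nimmy's rules match only the NEW state, so an ESTABLISHED packet matches neither and is decided by the chain policy, which is why a real ruleset normally adds an explicit ESTABLISHED,RELATED rule rather than relying on the policy.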

Re: Difference btn protocol "tcp" and "all" 12 years 5 months ago #14221

Nimmy (Topic Author, New Member, Posts: 5)
Hi DaLight,

Thanks a lot for your explanation. I am now clear about how these firewall rules are executed.

Thank you very much. :)

Cheers,
Nimmy
Nirmal Babu
Chennai