Page last updated: 2006 May 15 13:37

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

[vox-tech] ip tables questions

Hey Linux gurus...

I'm running Fedora Core 5 and want to customize my
iptables firewall in order to bolster system security.
I have three separate questions that aren't being
answered by the tutorials I've read:

1. I want to ban an entire range of IP addresses within
a given network, not just a single IP. There's got to
be a way to do that w/o typing out 256 or more
addresses and entering them in one-by-one! I typed the
following command, and this is what the system said:
-----
root# iptables -A INPUT -j DROP 123.456.789.0/24
Bad argument `123.456.789.0/24'
Try `iptables -h' or 'iptables --help' for more
information.
root#
------

Where of course 123.456.789.0 is the class C network
whose incoming packets I'm trying to stop at my
firewall. It is to be completely prohibited from
contacting the system in any way and any packets that
do arrive from there are to go unacknowledged. I don't
even want users on that network being able to view my
web pages.

Needless to say, I did as suggested and looked at
iptables -h, as well as the man page. No help there.

So what's wrong with my syntax? The tutorial I was
using swears up and down that the command *should*
work as advertised. Maybe iptables has changed since
it was written, so can anyone tell me the correct
syntax?

2. I entered a long list of individual IP addresses
into the firewall using the command given above. I
confirmed that they'd been loaded by running iptables
-L. It showed me the rules as I expected to see.
HOWEVER, the rules were all gone when I rebooted the
entire system and ran iptables -L a second time. What
do I need to do in order to make the iptables rules
permanent so that they'll survive a system reboot?

3. Lastly, I'd like to write a rule that says "Ban ALL
connections from ALL systems, except for the ones
explicitly allowed to connect." I'd also like to write
a rule that says, "If a system wants to connect to
port 80, check the banned list. If it's not there, let
it in." 

Where in the iptables rule list would I put such rules
- the beginning or the end? I'm afraid of guessing
wrong and locking myself out of my own server. Does
iptables look at the "allow" section before it looks
at the "deny" section (the way TCP wrappers does), or
does it just apply the rules sequentially?

Thanks in advance, 
Matt


_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
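As an added worked example (not code from the original post, nor from LUGOD), the following script prints an iptables-restore rule file that addresses all three questions: it matches whole networks with -s and CIDR notation, puts the deny rules above the allows because iptables walks a chain top to bottom and the first matching rule wins, and notes where Fedora Core keeps rules so they survive a reboot. The banned network list (including the impossible 123.456.789.0/24) is constructed, and the path /etc/sysconfig/iptables and the state match module are assumptions about that system.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints (does not apply) an
# iptables-restore file answering the three questions; review it, then load it.
# 192.0.2.0/24 and 198.51.100.0/24 are constructed placeholders (RFC 5737);
# 123.456.789.0/24 is included to show how an impossible address is caught.
BANNED_NETS="192.0.2.0/24 198.51.100.0/24 123.456.789.0/24"

# Accept only a dotted quad with every octet <= 255 and a prefix length 0-32;
# anything else cannot be an IPv4 network and would never load correctly.
is_valid_cidr() {
    ip=${1%/*}; bits=${1#*/}
    [ "$ip" != "$1" ] || return 1            # no "/prefix" part at all
    case "$bits" in ''|*[!0-9]*) return 1;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in ''|*[!0-9]*) return 1;; esac
        [ "$oct" -le 255 ] || return 1
    done
}

gen_rules() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    # Q1: a whole network is matched with "-s <net>/<prefix>", one rule per net.
    # Q3: the chain is evaluated top to bottom and the first match decides, so
    # the DROPs sit above every ACCEPT; a banned source never reaches port 80.
    for net in $BANNED_NETS; do
        if is_valid_cidr "$net"; then
            printf -- '-A INPUT -s %s -j DROP\n' "$net"
        else
            echo "skipping invalid network: $net" >&2
        fi
    done
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -p tcp --dport 22 -j ACCEPT\n'
    printf -- '-A INPUT -p tcp --dport 80 -j ACCEPT\n'
    printf 'COMMIT\n'   # the INPUT policy of DROP bans everything not allowed above
}

# Q2: rules live only in kernel memory. On Fedora Core the iptables init script
# reloads /etc/sysconfig/iptables at boot (assumed path), so save them there:
#   gen_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
gen_rules
```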



LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617