Re: [vox-tech] ip tables questions
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [vox-tech] ip tables questions
Looks to me like the “–s” in front of the source ip is missing. Not sure
if that is it.
I would write the rule like this:
iptables -t filter -A INPUT -i <server-ip> -s 123.456.789.0/24 -j DROP
Your iptables will not survive a system reboot. You need to make a script
that adds the rules you want and run it at startup. It’s a good idea to
make the script from the beginning so you don’t have to type in the
commands over and over again.
Iptables apply the rules sequentially. You are able to deny all and then
only allow what you want.
In your example, you would probably allow all access to port 80, and then
drop all connections from the IP-addresses in your ban list. Of course,
depending on which list is bigger, your allow-list or your ban-list.
You shouldn’t be too worried about locking yourself out, as long as you
have local access. You will probably lock yourself out a bunch of times
while testing this out, which is why you don’t want to be doing it if you
only have remote access.
As long as you have local access you can always flush the rules with the
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
It is a good idea to have your rules in a script from the beginning. Run
your script and test if it works. If something went wrong, you make
corrections to your script, flush iptables, and run your script again.
HTH and please correct me if I am wrong :)
> i think its..
> iptables -A INPUT -s 123.456.789.0/24 -p tcp -j DROP
> iptables -A INPUT -s 123.456.789.0/24 -p udp -j DROP
> though i haven't tried removing the protocol option.. you may want to
> On Monday 15 May 2006 17:05, Cylar Z wrote:
>> Hey Linux gurus...
>> I'm running Fedora Core 5 and want to customize my
>> iptables firewall in order to bolster system security.
>> I have three separate questions that aren't being
>> answered by the tutorials I've read:
>> 1. I want to ban an entire range of IP address within
>> a given network, not just a single IP. There's got to
>> be a way to do that w/o typing out 256 or more
>> addresses and entering them in one-by-one! I typed the
>> following command, and this is what the system said:
>> root# iptables -A INPUT -j DROP 123.456.789.0/24
>> Bad argument `123.456.789.0/24'
>> Try `iptables -h' or 'iptables --help' for more
>> Where of course 123.456.789.0 is the class C network
>> whose incoming packets I'm trying to stop at my
>> firewall. It is to be completely prohibited from
>> contacting the system in any way and any packets that
>> do arrive from there are to go unacknowledged. I don't
>> even want users on that network being able to view my
>> web pages.
>> Needless to say, I did as suggested and looked at
>> iptables -h, as well as the man page. No help there.
>> So what's wrong with my syntax? The tutorial I was
>> using swears up and down that the command *should*
>> work as advertised. Maybe iptables has changed since
>> it was written, so can anyone tell me the correct
>> 2. I entered a long list of individual IP addresses
>> into the firewall using the command given above. I
>> confirmed that they'd been loaded by running iptables
>> -L. It showed me the rules as I expected to see.
>> HOWEVER, the rules were all gone when I rebooted the
>> entire system and ran iptables -L a second time. What
>> do I need to do in order to make the iptables rules
>> permanent so that they'll survive a system reboot?
>> 3. Lastly, I'd like to write a rule that says "Ban ALL
>> connections from ALL systems, except for the ones
>> explictly allowed to connect." I'd also like to write
>> a rule that says, "If a system wants to connect to
>> port 80, check the banned list. If it's not there, let
>> it in."
>> Where in the iptables rule list would I put such rules
>> - the beginning or the end? I'm afraid of guessing
>> wrong and locking myself out of my own server. Does
>> iptables look at the "allow" section before it looks
>> at the "deny" section (the way TCP wrappers does), or
>> does it just apply the rules sequentially?
>> Thanks in advance,
vox-tech mailing list