
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] ip tables questions



Hi Z:

1:

root@somemachine# iptables -A INPUT -s 123.456.789.0/24 -j ACCEPT

You just need to add the '-s'ource address before you '-j'ump to your
target.


2:

fedora/redhat comes with a utility called 'iptables-save'.  This dumps
your current rules to stdout.  If you redirect those to a config file
where fc/rhl can pick it up, it will restore your rulesets on restart. 
The files are plain text files that live in a directory called
'/etc/sysconfig' and the file names are 'iptables' and
'iptables-config'.  The output of 'iptables-save' should go in
'iptables' and if you do any weird configuration, look in
'iptables-config'.  Also, there is a line in
'/etc/sysconfig/iptables-config' that reads:

IPTABLES_SAVE_ON_STOP="no"

If you change this value to "yes", then everything will be saved for
you on reboot :) 

Or, you can run 'iptables-save' manually.

eg:

root@somemachine# iptables-save > /etc/sysconfig/iptables
root@somemachine# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Mon May 15 12:54:51 2006
*filter
:INPUT ACCEPT [174:19028]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19:3920]
-A INPUT -s 123.456.789.0/255.255.255.0 -j ACCEPT 
COMMIT
# Completed on Mon May 15 12:54:51 2006

3:

Implement the policy for the chain (Input):

root@somemachine# iptables -P INPUT DROP

And to answer your question about how the rules are applied, the packet
traverses the chain until (if it matches no rules in the chain) it hits
the POLICY.  The policy is always the last rule in the chain.  

So if you wanted to allow a range in, and exclude everyone else, I
would add one rule to allow your range in, and set the policy to DROP
(conf 1).  Conversely, you could add a single rule to deny everyone who
is _not_ in your range, and set the policy to ACCEPT (conf 2).

conf 1:
iptables -A INPUT -s 123.456.789.0/24 -j ACCEPT
iptables -P INPUT DROP

conf 2**:

iptables -A INPUT -s \! 123.456.789.0/24 -j DROP
iptables -P INPUT ACCEPT

** = the ! char means 'not' to iptables.  But many shells will gobble
it and treat it as a special character (or a reserved word or variable
or some such, but not as a string argument like we need it to be). 
Enclose the !address in single quotes, or just escape the ! with a
backslash \.

Post back if you have more questions.  Good luck!

--HTH

jan


--- Cylar Z <cylarz@yahoo.com> wrote:

> Hey Linux gurus...
> 
> I'm running Fedora Core 5 and want to customize my
> iptables firewall in order to bolster system security.
> I have three separate questions that aren't being
> answered by the tutorials I've read:
> 
> 1. I want to ban an entire range of IP address within
> a given network, not just a single IP. There's got to
> be a way to do that w/o typing out 256 or more
> addresses and entering them in one-by-one! I typed the
> following command, and this is what the system said:
> -----
> root# iptables -A INPUT -j DROP 123.456.789.0/24
> Bad argument `123.456.789.0/24'
> Try `iptables -h' or 'iptables --help' for more
> information.
> root#
> ------
> 
> Where of course 123.456.789.0 is the class C network
> whose incoming packets I'm trying to stop at my
> firewall. It is to be completely prohibited from
> contacting the system in any way and any packets that
> do arrive from there are to go unacknowledged. I don't
> even want users on that network being able to view my
> web pages.
> 
> Needless to say, I did as suggested and looked at
> iptables -h, as well as the man page. No help there.
> 
> So what's wrong with my syntax? The tutorial I was
> using swears up and down that the command *should*
> work as advertised. Maybe iptables has changed since
> it was written, so can anyone tell me the correct
> syntax?
> 
> 2. I entered a long list of individual IP addresses
> into the firewall using the command given above. I
> confirmed that they'd been loaded by running iptables
> -L. It showed me the rules as I expected to see.
> HOWEVER, the rules were all gone when I rebooted the
> entire system and ran iptables -L a second time. What
> do I need to do in order to make the iptables rules
> permanent so that they'll survive a system reboot?
> 
> 3. Lastly, I'd like to write a rule that says "Ban ALL
> connections from ALL systems, except for the ones
> explicitly allowed to connect." I'd also like to write
> a rule that says, "If a system wants to connect to
> port 80, check the banned list. If it's not there, let
> it in." 
> 
> Where in the iptables rule list would I put such rules
> - the beginning or the end? I'm afraid of guessing
> wrong and locking myself out of my own server. Does
> iptables look at the "allow" section before it looks
> at the "deny" section (the way TCP wrappers does), or
> does it just apply the rules sequentially?
> 
> Thanks in advance, 
> Matt
> 
> 
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
> 


<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
I believe that unarmed truth and unconditional love will have the final word in reality. That is why right, temporarily defeated, is stronger than evil triumphant.
    Martin Luther King Jr., Accepting Nobel Peace Prize, Dec. 10, 1964
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
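The following is an added example, not part of jan's reply or the original question. It puts points 2 and 3 of the reply into a runnable form: gen_ruleset prints "conf 1" in the iptables-save format shown above (so its output can go straight into /etc/sysconfig/iptables), and verdict is a small first-match evaluator that walks a chain of source-address rules the way a packet traverses INPUT, falling through to the policy when nothing matches. The function names are mine, 192.0.2.0/24 (the RFC 5737 documentation range) stands in for the placeholder 123.456.789.0/24, and the loopback and ESTABLISHED,RELATED rules in the generated file are an addition to what the reply shows.

```sh
#!/bin/sh
# Added example (not from the original post).  Helpers:
#   gen_ruleset NET/BITS      - "conf 1" in iptables-save format
#   verdict ADDR POLICY RULE... - first-match evaluator for a chain of
#                                 source-address rules (hypothetical model
#                                 of INPUT traversal, not iptables itself)
# 192.0.2.0/24 (RFC 5737) replaces the poster's placeholder 123.456.789.0/24,
# which is not a valid IPv4 network.

# ip2int 192.0.2.7 -> the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> true when ADDR falls inside NET/BITS
in_cidr() {
    ic_addr=$(ip2int "$1")
    ic_net=$(ip2int "${2%/*}")
    ic_bits=${2#*/}
    [ "$ic_bits" = "$2" ] && ic_bits=32        # bare address means /32
    ic_mask=$(( (0xFFFFFFFF << (32 - ic_bits)) & 0xFFFFFFFF ))
    [ $(( ic_addr & ic_mask )) -eq $(( ic_net & ic_mask )) ]
}

# verdict ADDR POLICY RULE...   each RULE is "TARGET CIDR" or "TARGET !CIDR"
# Rules are tried in order; the first one that matches decides, and a packet
# that matches nothing gets the chain POLICY (the "last rule" in the chain).
verdict() {
    v_addr=$1; v_policy=$2; shift 2
    for v_rule in "$@"; do
        v_target=${v_rule%% *}
        v_src=${v_rule#* }
        case $v_src in
            !*) if ! in_cidr "$v_addr" "${v_src#!}"; then echo "$v_target"; return 0; fi ;;
            *)  if   in_cidr "$v_addr" "$v_src";     then echo "$v_target"; return 0; fi ;;
        esac
    done
    echo "$v_policy"
}

# gen_ruleset NET/BITS -> "conf 1" as an iptables-save style file:
# policy DROP, with loopback and reply traffic allowed ahead of the range so
# the box can still talk to itself and answer connections it initiated.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $1 -j ACCEPT
COMMIT
EOF
}

# Walk two constructed source addresses through conf 1, conf 2, and a
# mis-ordered chain where a catch-all DROP sits in front of the ACCEPT.
for src in 192.0.2.7 198.51.100.9; do
    printf '%-13s conf1=%s conf2=%s misordered=%s\n' "$src" \
        "$(verdict "$src" DROP   'ACCEPT 192.0.2.0/24')" \
        "$(verdict "$src" ACCEPT 'DROP !192.0.2.0/24')" \
        "$(verdict "$src" ACCEPT 'DROP 0.0.0.0/0' 'ACCEPT 192.0.2.0/24')"
done
```

The mis-ordered chain is the lockout case: the catch-all DROP is reached first for every packet, so the ACCEPT behind it never fires even though it is present in iptables -L. On Fedora the generated file would be written to /etc/sysconfig/iptables and loaded with the iptables init script (service iptables restart), which hands it to iptables-restore and so replaces the whole table in one step instead of applying rules one at a time over an open ssh session.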



