Linux Users' Group of Davis (LUGOD)
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

[vox-tech] re: iptables questions

First, thank you for your reply.

>1.
>Looks to me like the -s in front of the source ip is
>missing. Not sure
>if that is it.

Yeah, it turned out to be a simple typo. D'oh!

>I would write the rule like this:
>iptables -t filter -A INPUT -i <server-ip> -s
>123.456.789.0/24 -j DROP

>2.
>Your iptables will not survive a system reboot. You
>need to make a script
>that adds the rules you want and run it at startup.
>It’s a good idea to
>make the script from the beginning so you don’t
>have to type in the
>commands over and over again.

I wrote a bash script as you suggested, one that
inserts the rows into iptables. However, I still have
to re-run that script every time the system reboots.

To get around the problem and make the rules
permanent, I followed this advice:

"Use iptables-save and iptables-restore. You need to
redirect the input/output, e.g. 'iptables-save >
/root/iptables.conf', and put 'iptables-restore <
/root/iptables.conf' in your rc.local."

Unfortunately, when I inserted the line
"iptables-restore" in the rc.local file, the system
hung during startup, and wouldn't start properly on
its next reboot. I finally figured out that restoring
rc.local to its original state would fix the problem,
but now I'm back to square one. Ideas?

Also, is there any reason to think inserting that line
would cause the system to mysteriously reboot on its
own without my intervention? Because that is exactly
what happened a few minutes after I edited rc.local.

>3.
>Iptables apply the rules sequentially. You are able
>to deny all and then
>only allow what you want.

>In your example, you would probably allow all access
>to port 80, and then
>drop all connections from the IP-addresses in your
>ban list. Of course,
>depending on which list is bigger, your allow-list or
>your ban-list.

As far as the ban list goes, is it possible to make
iptables refer to a text file containing a list of
IPs, or is it absolutely necessary to type in /
script in a separate iptables command for every
IP/network I want to keep out?

<SNIP>

Thanks, Matt


_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
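The two open questions in the post above (loading a ban list from a text file, and getting the rules back after a reboot) can both be handled by generating an iptables-restore file from that list. This is an added example, not code from the original thread; the BANLIST chain name, the file paths and the ban-list format are assumptions.

```shell
#!/bin/sh
# Build an iptables-restore file from a plain-text ban list.
# Ban-list format (assumed for this example): one IPv4 address or
# CIDR block per line; blank lines and lines starting with '#' are skipped.
set -eu

# Emit one DROP rule per valid entry in the ban-list file $1.
# Entries that are not dotted-quad[/prefix] are reported on stderr and
# skipped, so a stray line in the list cannot turn into an unexpected rule.
ban_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r entry; do
        if ! printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf 'skipping malformed entry: %s\n' "$entry" >&2
            continue
        fi
        printf '%s -s %s -j DROP\n' '-A BANLIST' "$entry"
    done
}

# Write a complete iptables-restore file on stdout. A dedicated BANLIST
# chain is consulted from INPUT before the port-80 accept: iptables
# evaluates rules in order, so banned sources are dropped first.
ban_restore_file() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        ':BANLIST - [0:0]' \
        '-A INPUT -j BANLIST' \
        '-A INPUT -p tcp --dport 80 -j ACCEPT'
    ban_rules "$1"
    printf '%s\n' 'COMMIT'
}

# Usage (paths are assumptions, not from the original post):
#   ban_restore_file /etc/banlist.txt > /root/iptables.conf
# then in rc.local load it with the file on stdin:
#   iptables-restore < /root/iptables.conf
# iptables-restore with no input reads stdin and waits indefinitely, which
# during boot looks exactly like a hang; always supply the redirection.
[ "$#" -eq 0 ] || ban_restore_file "$1"
```

Regenerate the file whenever the ban list changes; iptables-restore replaces the whole filter table with the file's contents, so the saved file is the single source of truth.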