Thread: Simple iptables question
-
04-02-2012 #1
- Join Date
- Jul 2011
- Posts
- 3
Simple iptables question
I tried doing default DROP rules for everything, then a few iptables INPUT-A --s 192.168.1.0/24 -j ACCEPT but I think I'm getting something wrong. Can anyone give me advice?
(I'm putting this in a shell script that I'm calling from /etc/init.d)
-
04-02-2012 #2
What leads you to think something is wrong?
linux - Iptables: How to allow only one ip through specific port? - Server Fault
-
04-03-2012 #3
- Join Date
- Mar 2005
- Location
- Charlotte, MI
- Posts
- 8
The following code will do the trick:
iptables -t nat -I PREROUTING -m iprange --src-range 0.0.0.0-255.255.255.255 -j DNAT --to 0
iptables -t nat -I PREROUTING -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT
iptables -t nat -I PREROUTING -m iprange --src-range 127.0.0.0-127.0.0.255 -j ACCEPT
Note: Depending on how the forum formats the text here, those are two lines, each beginning with "iptables".
Now, you might run into one problem, but only if you use an early kernel. If iptables complains with an error, it will be due to the first line where it says "DNAT --to 0". If so, change that part to "DROP".
What this does is it inserts the first line into the PREROUTING table and then inserts the second line before it. The second line will actually come first, so that any traffic from the local network will be accepted. If the traffic is from anywhere else, it will be completely rejected. In fact, there will be no response at all. It will be just as if your computer is turned off and not responding. And of course, the third line above will be inserted at the head of the table so that you won't block out localhost.
Last edited by oz; 04-03-2012 at 12:11 PM. Reason: removed manual signature
-
04-03-2012 #4
- Join Date
- Mar 2005
- Location
- Charlotte, MI
- Posts
- 8
I should have pointed out that the code in my previous message should be entered in a script. The particular order of the iptables commands would lock you out if entering each line one at a time from a command line prompt.
To do this from a command line, you would enter the ACCEPT lines first and have them inserted into the table, then have the reject line appended last, like so:
iptables -t nat -I PREROUTING -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT
iptables -t nat -I PREROUTING -m iprange --src-range 127.0.0.0-127.0.0.255 -j ACCEPT
iptables -t nat -A PREROUTING -m iprange --src-range 0.0.0.0-255.255.255.255 -j DNAT --to 0
That will work in a script or from a command line. Notice the -A in the third line. The only problem with this is that if you have other PREROUTING rules, they will come before the appended line and if a match occurs, the connection will be accepted. So, with that said, this next method is probably the best way to do it.
This method will not take a chance on blocking localhost or the local network, it will block everything else.
iptables -t nat -I PREROUTING -m iprange --src-range 0.0.0.0-126.255.255.255 -j DNAT --to 0
iptables -t nat -I PREROUTING -m iprange --src-range 128.0.0.0-192.168.0.255 -j DNAT --to 0
iptables -t nat -I PREROUTING -m iprange --src-range 192.168.2.0-255.255.255.255 -j DNAT --to 0
That blocks every address leading up to 127.0.0.0 then every address from 128.0.0.0 to 192.168.0.255 and every address from 192.168.2.0 and beyond. And you can enter these into a script or one line at a time from the command line. Since they are inserted into the table, they will appear before any other rules you may have to guarantee the connections are blocked.
The PREROUTING table gets looked at before the INPUT table, so this is a sure way to block unwanted connections.
Last edited by oz; 04-03-2012 at 12:12 PM. Reason: removed manual signature
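The following is an added example, not code from any of the posters above. It addresses the original question (default DROP plus an allow for 192.168.1.0/24 from an /etc/init.d script) and the lockout problem raised in posts #3 and #4, but it does so in the filter table's INPUT chain rather than the nat table's PREROUTING chain. Two facts about netfilter matter here: the nat table is consulted only for the first packet of each connection, and an ACCEPT target in a nat chain only ends nat processing for that packet, it does not decide whether the host accepts the traffic. The INPUT chain of the filter table is where that decision is made, and a DROP policy there gives exactly the "no response at all" behaviour described in post #3. The example assumes the trusted LAN is 192.168.1.0/24 (from the original post) and that the host you are typing on is inside it; the function names are the example's own. Instead of running iptables commands one at a time, it writes the whole ruleset in iptables-restore format and loads it in one transaction, so there is never a moment where the policy is DROP but the ACCEPT rules are not yet in place, which is what locks you out when the order of individual commands is wrong.

```shell
#!/bin/sh
# Added example: filter-table ruleset that accepts the LAN and drops everything
# else, loaded atomically so rule order cannot lock you out.
# Assumptions (not from the original thread): LAN is 192.168.1.0/24 and the
# machine you administer from is inside it. Override with LAN=... if not.

LAN="${LAN:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore format. Lines starting with '#' are
# ignored by iptables-restore, so the comments can stay in the file.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first, so local services and 127.0.0.0/8 keep working
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (ICMP errors, etc.)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new connections from the trusted LAN only
-A INPUT -s ${LAN} -m conntrack --ctstate NEW -j ACCEPT
# anything else falls through to the INPUT policy (DROP): no reply of any kind
COMMIT
EOF
}

# Sanity check before applying: how many rules accept new traffic from the LAN?
# Returns the count on stdout (expected: 1).
lan_accept_count() {
    gen_rules | grep -c -- "-s ${LAN} .*-j ACCEPT"
}

# Does the generated ruleset keep loopback open? Exit status 0 if yes.
loopback_allowed() {
    gen_rules | grep -q -- '^-A INPUT -i lo -j ACCEPT$'
}

# Load the ruleset. iptables-restore replaces the whole filter table in one
# step (it flushes the table it loads unless given --noflush), so there is no
# window in which DROP is the policy but the ACCEPT rules are missing.
# Must run as root; this is the function to call from the init script.
apply_rules() {
    [ "$(lan_accept_count)" = "1" ] || { echo "refusing: LAN rule missing" >&2; return 1; }
    loopback_allowed || { echo "refusing: loopback rule missing" >&2; return 1; }
    gen_rules | iptables-restore
}

# Uncomment to apply when run directly as root, e.g. from /etc/init.d:
# apply_rules
```

For an init script, call apply_rules from the start action and, if you want the rules to survive edits made by hand, have the stop or save action run iptables-save to a file that the start action restores. When working on a remote box, load the generated file with iptables-apply (where available) instead of iptables-restore: it reverts to the previous ruleset automatically if you do not confirm within its timeout, which is the safety net the one-command-at-a-time approach lacks.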