Simple iptables question

[FoxMulder]

---

Hi everyone. I have a Debian server that is currently acting only as a samba fileshare. I would like to use iptables to block all traffic except for traffic on the 192.168.1.0/24 local network.

I tried doing default DROP rules for everything, then a few iptables INPUT-A --s 192.168.1.0/24 -j ACCEPT but I think I'm getting something wrong. Can anyone give me advice?

(I'm putting this in a shell script that I'm calling from /etc/init.d)

[jmadero]

what leads you to think something is wrong?

linux - Iptables: How to allow only one ip through specific port? - Server Fault

[Mopar93]

Hi everyone. I have a Debian server that is currently acting only as a samba fileshare. I would like to use iptables to block all traffic except for traffic on the 192.168.1.0/24 local network.

The following code will do the trick:

iptables -t nat -I PREROUTING -m iprange --src-range 0.0.0.0-255.255.255.255 -j DNAT --to 0
iptables -t nat -I PREROUTING -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT
iptables -t nat -I PREROUTING -m iprange --src-range 127.0.0.0-127.0.0.255 -j ACCEPT

Note: Depending on how the forum formats the text here, those are two lines, each beginning with "iptables".

Now, you might run into one problem, but only if you use an early kernel. If iptables complains with an error, it will be due to the first line where it says "DNAT --to 0". If so, change that part to "DROP".

What this does is it inserts the first line into the PREROUTING table and then inserts the second line before it. The second line will actually come first, so that any traffic from the local network will be accepted. If the traffic is from anywhere else, it will be completely rejected. In fact, there will be no response at all. It will be just as if your computer is turned off and not responding. And of course, the third line above will be inserted at the head of the table so that you won't block out localhost.

[Mopar93]

I should have pointed out that the code in my previous message should be entered in a script. The particular order of the iptables commands would lock you out if entering each line one at a time from a command line prompt.

To do this from a command line, you would enter the ACCEPT lines first and have them inserted into the table with the reject line last and have it appended like so:

iptables -t nat -I PREROUTING -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT
iptables -t nat -I PREROUTING -m iprange --src-range 127.0.0.0-127.0.0.255 -j ACCEPT
iptables -t nat -A PREROUTING -m iprange --src-range 0.0.0.0-255.255.255.255 -j DNAT --to 0

That will work in a script or from a command line. Notice the -A in the third line. The only problem with this is that if you have other PREROUTING rules, they will come before the appended line and if a match occurs, the connection will be accepted. So, with that said, this next method is probably the best way to do it.

This method will not take a chance on blocking localhost or the local network, it will block everything else.

iptables -t nat -I PREROUTING -m iprange --src-range 0.0.0.0-126.255.255.255 -j DNAT --to 0
iptables -t nat -I PREROUTING -m iprange --src-range 128.0.0.0-192.168.0.255 -j DNAT --to 0
iptables -t nat -I PREROUTING -m iprange --src-range 192.168.2.0-255.255.255.255 -j DNAT --to 0

That blocks every address leading up to 127.0.0.0 then every address from 128.0.0.0 to 192.168.0.255 and every address from 192.168.2.0 and beyond. And you can enter these into a script or one line at a time from the command line. Since they are inserted into the table, they will appear before any other rules you may have to guarantee the connections are blocked.

The PREROUTING table gets looked at before the INPUT table, so this is a sure way to block unwanted connections.