  1. #1

    Simple iptables question


    Hi everyone. I have a Debian server that is currently acting only as a samba fileshare. I would like to use iptables to block all traffic except for traffic on the 192.168.1.0/24 local network.

    I tried doing default DROP rules for everything, then a few iptables INPUT-A --s 192.168.1.0/24 -j ACCEPT but I think I'm getting something wrong. Can anyone give me advice?

    (I'm putting this in a shell script that I'm calling from /etc/init.d)


  3. #3
    Quote Originally Posted by FoxMulder:
    "Hi everyone. I have a Debian server that is currently acting only as a samba fileshare. I would like to use iptables to block all traffic except for traffic on the 192.168.1.0/24 local network."
    The following code will do the trick:

    iptables -t nat -I PREROUTING -m iprange --src-range 0.0.0.0-255.255.255.255 -j DNAT --to 0
    iptables -t nat -I PREROUTING -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT
    iptables -t nat -I PREROUTING -m iprange --src-range 127.0.0.0-127.0.0.255 -j ACCEPT

    Note: Depending on how the forum formats the text here, those are two lines, each beginning with "iptables".

    Now, you might run into one problem, but only if you use an early kernel. If iptables complains with an error, it will be due to the first line where it says "DNAT --to 0". If so, change that part to "DROP".

    What this does is it inserts the first line into the PREROUTING table and then inserts the second line before it. The second line will actually come first, so that any traffic from the local network will be accepted. If the traffic is from anywhere else, it will be completely rejected. In fact, there will be no response at all. It will be just as if your computer is turned off and not responding. And of course, the third line above will be inserted at the head of the table so that you won't block out localhost.

  4. #4
    I should have pointed out that the code in my previous message should be entered in a script. The particular order of the iptables commands would lock you out if entering each line one at a time from a command line prompt.

    To do this from a command line, you would enter the ACCEPT lines first and have them inserted into the table with the reject line last and have it appended like so:

    iptables -t nat -I PREROUTING -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT
    iptables -t nat -I PREROUTING -m iprange --src-range 127.0.0.0-127.0.0.255 -j ACCEPT
    iptables -t nat -A PREROUTING -m iprange --src-range 0.0.0.0-255.255.255.255 -j DNAT --to 0

    That will work in a script or from a command line. Notice the -A in the third line. The only problem with this is that if you have other PREROUTING rules, they will come before the appended line and if a match occurs, the connection will be accepted. So, with that said, this next method is probably the best way to do it.

    This method will not take a chance on blocking localhost or the local network; it will block everything else.

    iptables -t nat -I PREROUTING -m iprange --src-range 0.0.0.0-126.255.255.255 -j DNAT --to 0
    iptables -t nat -I PREROUTING -m iprange --src-range 128.0.0.0-192.168.0.255 -j DNAT --to 0
    iptables -t nat -I PREROUTING -m iprange --src-range 192.168.2.0-255.255.255.255 -j DNAT --to 0

    That blocks every address leading up to 127.0.0.0 then every address from 128.0.0.0 to 192.168.0.255 and every address from 192.168.2.0 and beyond. And you can enter these into a script or one line at a time from the command line. Since they are inserted into the table, they will appear before any other rules you may have to guarantee the connections are blocked.

    The PREROUTING table gets looked at before the INPUT table, so this is a sure way to block unwanted connections.
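The ordering point made in posts #3 and #4 (the first matching rule wins, so a run of -I lines lands in the chain in reverse order, and typing them one at a time installs the catch-all before any ACCEPT exists) can be checked offline before anything is applied. The model below is an added example, not code from the thread: "BLOCK" stands for the DNAT --to 0 / DROP line, the sample source addresses are constructed, and nothing is sent to the kernel.

```python
import ipaddress

def _bounds(spec):
    """First/last address of an '-m iprange' span ('a-b') or a CIDR block."""
    if "-" in spec:
        return tuple(ipaddress.ip_address(x) for x in spec.split("-"))
    net = ipaddress.ip_network(spec)
    return net[0], net[-1]

def build_chain(commands):
    """Replay (flag, src_spec, target) commands in order: flag 'I' inserts at
    the head (like -I), 'A' appends (like -A). Returns rules, head first."""
    rules = []
    for flag, spec, target in commands:
        rule = (*_bounds(spec), target)
        if flag == "I":
            rules.insert(0, rule)
        else:
            rules.append(rule)
    return rules

def verdict(rules, src, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain's default policy."""
    ip = ipaddress.ip_address(src)
    for lo, hi, target in rules:
        if lo <= ip <= hi:
            return target
    return policy

# Post #3 as a script: three -I lines, so they end up in the chain in reverse order.
POST3 = [("I", "0.0.0.0-255.255.255.255", "BLOCK"),  # the DNAT --to 0 / DROP line
         ("I", "192.168.1.0-192.168.1.255", "ACCEPT"),
         ("I", "127.0.0.0-127.0.0.255", "ACCEPT")]
# Post #4, third method: block ranges that leave 127/8 and 192.168.1/24 untouched.
POST4_SPLIT = [("I", "0.0.0.0-126.255.255.255", "BLOCK"),
               ("I", "128.0.0.0-192.168.0.255", "BLOCK"),
               ("I", "192.168.2.0-255.255.255.255", "BLOCK")]

def lan_only_ok(commands, samples=("192.168.1.20", "127.0.0.1", "10.0.0.5", "192.168.2.1")):
    """Constructed sample sources: LAN and loopback should pass, the rest be blocked."""
    rules = build_chain(commands)
    return {src: verdict(rules, src) for src in samples}

def lockout_if_typed_interactively(commands):
    """Replay the lines one at a time; return the line number after which an
    admin connected from 192.168.1.20 is already blocked, or None if never."""
    for n in range(1, len(commands) + 1):
        if verdict(build_chain(commands[:n]), "192.168.1.20") == "BLOCK":
            return n
    return None
```

Running `lockout_if_typed_interactively(POST3)` returns 1, which is the lock-out post #4 warns about, while the split-range set of post #4 never cuts the LAN off at any step.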
