Page 1 of 2 1 2 LastLast
Results 1 to 10 of 14
  1. #1
    Just Joined!
    Join Date
    Jul 2006
    Posts
    14

    iptables


    How do I block incoming connections only using iptables? I'm trying to block an entire range, i'm using iptables -A INPUT -m iprange --src-range 21.86.0.0-21.86.255.255 -j DROP. And that does the job, but also blocks outgoing connections too. If it makes a difference, i'm using this to block certain ftp sites from fxping to my machine.

  2. #2
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    I don't see an obvious reason why that should block outgoing connections. Post your entire ruleset?

    # iptables -nvL

    Put it in code blocks so that it's readable.

  3. #3
    Just Joined!
    Join Date
    Jul 2006
    Posts
    14
    I know ftp isn't the best way of testing, so I tried sshing between boxes, it definitely doesn't connect from either side.
    Code:
    Chain INPUT (policy ACCEPT 3814K packets, 3408M bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 21.86.0.0-21.86.255.255
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 3311K packets, 2255M bytes)
     pkts bytes target     prot opt in     out     source               destination
    Last edited by BL4CKFIRE64; 11-01-2007 at 06:41 AM. Reason: adding

  4. #4
    Just Joined! vigour's Avatar
    Join Date
    Oct 2007
    Posts
    68
    Quote Originally Posted by BL4CKFIRE64 View Post
    How do I block incoming connections only using iptables? I'm trying to block an entire range, i'm using iptables -A INPUT -m iprange --src-range 21.86.0.0-21.86.255.255 -j DROP. And that does the job, but also blocks outgoing connections too. If it makes a difference, i'm using this to block certain ftp sites from fxping to my machine.
    iptables -I INPUT -s 21.86.0.0/16 -p tcp --dport 21 -j DROP --tcp-flags ALL SYN


    With this line you'll drop all incoming tcp traffic with raised SYN flag from 21.86.0.0-21.86.255.255 targeted at your port 21 (FTP)...
    Tcp handshake is initiated by a SYN flagged packet... by dropping those packets you'll ban the access to your services, but won't actually deny your connection attempts at that range...


    Cheers,
    Ventsi

  5. #5
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    The idea to block incoming tcp SYN packets to port 21 is nice and precise, but I'm still curious why OP's outbound connections were being blocked. There should be nothing in that tiny ruleset causing it.

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    This should fix your firewall problems. It allows only connections you started in and everything you do out:

    Code:
     /sbin/iptables -Z
     /sbin/iptables -X
     /sbin/iptables -F
     /sbin/iptables -P INPUT DROP
     /sbin/iptables -P OUTPUT DROP
     /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     /sbin/iptables -A INPUT -j DROP
     /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     /sbin/iptables -A OUTPUT -m state --state NEW -j ACCEPT

    Quote Originally Posted by anomie View Post
    The idea to block incoming tcp SYN packets to port 21 is nice and precise, but I'm still curious why OP's outbound connections were being blocked. There should be nothing in that tiny ruleset causing it.
    Simple, because there was no statement to allow connections from those ip addresses back in. Those ip's were dropped unconditionally.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  7. #7
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    The policy on his INPUT chain is ACCEPT, and he has only one rule that targets a specific subnet. Maybe OP should define what is meant by "blocks outgoing connections". To what??

    Good suggestion on the stateful rules.

  8. #8
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Here's the ruleset to use, IMO:
    Code:
    # iptables -F
    # iptables -A INPUT -i lo -j ACCEPT 
    # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    # iptables -A INPUT -s 21.86.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21 -j DROP
    <other rules go here> 
    <set policy for chain as appropriate>
    Flush, allow loopback traffic, allow stateful, drop new connections from the subnet OP specified to tcp 21. Simple.

    I didn't see anything in his requirements about making changes to the OUTPUT chain policy or rules.

  9. #9
    Just Joined!
    Join Date
    Jul 2006
    Posts
    14
    Well i'm not trying to block traffic to my actual ftp port, but i'm trying to block FXP'ing (ftp to ftp), which would be transfers to my passive ports. But instead of blocking everything, I want to do only incoming transfers (from other servers, to mine).
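
    The rulesets in #6 and #8 and the passive-port requirement in #9 combine into the script below. It is an added example, not code posted by anyone in this thread: it uses the same `-m state` match the posts use, touches only the INPUT chain (OUTPUT is left alone, as #8 points out), and the passive port range `50000:50100` is an assumed placeholder, since the thread never states the OP's real range. `dry_run` prints the rules instead of installing them, so the ordering (loopback and ESTABLISHED,RELATED before the DROP rules) can be checked without root.

```shell
#!/bin/sh
# Added example, not from the thread. Blocks NEW inbound TCP connections
# from 21.86.0.0/16 to the FTP control port and to an assumed passive-mode
# port range, while replies to connections this host started still pass.
set -eu

IPT="${IPT:-/sbin/iptables}"
BLOCKED_NET="21.86.0.0/16"
# Assumed placeholder; substitute the passive range the FTP daemon is configured with.
PASV_PORTS="50000:50100"

build_ruleset() {
    # Only the INPUT chain is rebuilt; OUTPUT policy and rules stay as they are.
    "$IPT" -F INPUT
    # Loopback traffic is always allowed.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections started from this host, and RELATED data channels,
    # must be accepted before any DROP rule, or outbound sessions to the range die.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound control connections from the range (post #8).
    "$IPT" -A INPUT -s "$BLOCKED_NET" -p tcp --dport 21 -m state --state NEW -j DROP
    # New inbound passive-mode data connections from the range (post #9).
    "$IPT" -A INPUT -s "$BLOCKED_NET" -p tcp --dport "$PASV_PORTS" -m state --state NEW -j DROP
}

# Stand-in for iptables: prints the rule instead of installing it.
print_rule() {
    printf 'iptables %s\n' "$*"
}

# Emit the ruleset to stdout, one command per line, without touching the kernel.
dry_run() {
    ( IPT=print_rule; build_ruleset )
}

# Apply for real only when explicitly asked: sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    build_ruleset
else
    dry_run
fi
```

    Run without arguments to review the rules, then `sh firewall.sh apply` as root. Because only NEW packets from the range are dropped and ESTABLISHED,RELATED is matched first, a session the local host opens towards 21.86.0.0/16 keeps working; only connection attempts coming from that range are refused.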

  10. #10
    Just Joined!
    Join Date
    Mar 2007
    Posts
    4

    iptables open shared object file

    [root@localhost root]# iptables -A input -s 127.0.0.1 -p icmp -j DENY
    iptables v1.2.9: Couldn't load target `DENY':/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory

    Try `iptables -h' or 'iptables --help' for more information.
    [root@localhost root]#

    Somebody, can you help me, because I am new at the Linux system.
    I used Fedora Core 2.

    thanks

    lefter

