- 10-31-2007 #1 Just Joined!
- Join Date
- Jul 2006
- Posts
- 14
iptables
How do I block incoming connections only using iptables? I'm trying to block an entire range; I'm using iptables -A INPUT -m iprange --src-range 21.86.0.0-21.86.255.255 -j DROP. That does the job, but it also blocks outgoing connections. If it makes a difference, I'm using this to block certain FTP sites from FXPing to my machine.
- 11-01-2007 #2
I don't see an obvious reason why that should block outgoing connections. Post your entire ruleset?
# iptables -nvL
Put it in code blocks so that it's readable.
- 11-01-2007 #3 Just Joined!
- Join Date
- Jul 2006
- Posts
- 14
I know FTP isn't the best way of testing, so I tried sshing between boxes; it definitely doesn't connect from either side.
Code:
Chain INPUT (policy ACCEPT 3814K packets, 3408M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 21.86.0.0-21.86.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3311K packets, 2255M bytes)
 pkts bytes target     prot opt in     out     source               destination
Last edited by BL4CKFIRE64; 11-01-2007 at 07:41 AM. Reason: adding
- 11-01-2007 #4
iptables -I INPUT -s 21.86.0.0/16 -p tcp --dport 21 --tcp-flags ALL SYN -j DROP
With this line you'll drop all incoming TCP traffic with the SYN flag raised from 21.86.0.0-21.86.255.255 targeted at your port 21 (FTP)...
The TCP handshake is initiated by a SYN-flagged packet... by dropping those packets you'll ban access to your services, but won't actually deny your own connection attempts to that range...
Cheers,
Ventsi
- 11-02-2007 #5
The idea to block incoming tcp SYN packets to port 21 is nice and precise, but I'm still curious why OP's outbound connections were being blocked. There should be nothing in that tiny ruleset causing it.
- 11-03-2007 #6
This should fix your firewall problems. It allows in only connections you started, and everything you do out:
Code:
/sbin/iptables -Z
/sbin/iptables -X
/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW -j ACCEPT
Simple, because there was no statement to allow connections from those IP addresses back in. Those IPs were dropped unconditionally.
- 11-03-2007 #7
The policy on his INPUT chain is ACCEPT, and he has only one rule that targets a specific subnet. Maybe OP should define what is meant by "blocks outgoing connections". To what??
Good suggestion on the stateful rules.
- 11-03-2007 #8
Here's the ruleset to use, IMO:
Flush, allow loopback traffic, allow stateful, drop new connections from the subnet OP specified to tcp 21. Simple.
Code:
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -s 21.86.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21 -j DROP
<other rules go here>
<set policy for chain as appropriate>
I didn't see anything in his requirements about making changes to the OUTPUT chain policy or rules.
- 11-03-2007 #9 Just Joined!
- Join Date
- Jul 2006
- Posts
- 14
Well, I'm not trying to block traffic to my actual FTP port, but I'm trying to block FXPing (FTP to FTP), which would be transfers to my passive ports. But instead of blocking everything, I want to do only incoming transfers (from other servers, to mine).
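Putting the thread's advice together for the requirement in the post above (drop inbound passive-FTP transfers from the range, leave outbound alone), as an added example that is not from any poster. The passive port range 50000-50100 is a constructed placeholder for the FTP server's configured range, and with DRY_RUN=1 the script prints the iptables commands instead of executing them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the original post's overbroad
# rule beside a stateful INPUT chain that drops only NEW inbound connections
# from the range to the passive-FTP ports. PASV_PORTS is a constructed value.
BLOCKED_RANGE="21.86.0.0/16"
PASV_PORTS="50000:50100"   # constructed: use your FTP server's passive range
IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"    # 1 = echo the commands instead of running them

# Print or execute one iptables invocation.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# The rule from the original post. It matches every packet from the range,
# including replies to connections this host opened, so outbound sessions
# to those hosts break as well.
broken_rules() {
    run -A INPUT -m iprange --src-range 21.86.0.0-21.86.255.255 -j DROP
}

# Corrected INPUT chain: loopback and replies to our own connections are
# accepted first, then only NEW inbound connections from the range to the
# passive ports are dropped. OUTPUT is left untouched, as the thread concluded.
fixed_rules() {
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -s "$BLOCKED_RANGE" -p tcp --dport "$PASV_PORTS" \
        -m state --state NEW -j DROP
    run -P INPUT ACCEPT   # the poster's existing policy; tighten as needed
}

fixed_rules
```

Run with DRY_RUN=0 as root to apply the rules; the ESTABLISHED,RELATED rule must stay ahead of the DROP so that return traffic for your own FTP sessions to those hosts is still accepted.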
- 11-08-2007 #10 Just Joined!
- Join Date
- Mar 2007
- Posts
- 4
iptables open shared object file
[root@localhost root]# iptables -A input -s 127.0.0.1 -p icmp -j DENY
iptables v1.2.9: Couldn't load target `DENY':/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost root]#
Somebody, can you help me, because I am new to the Linux system.
I used Fedora Core 2.
thanks
lefter