  1. #1
    Just Joined!
    Join Date
    Jun 2003
    Location
    India
    Posts
    3

    need help with iptables


    Hi all,

    I am using Linux kernel 2.4.19 on my NAT server. I need help on a couple of issues regarding iptables.

    1. When I run my iptables script, it says

    iptables: Chain already exists
    iptables: Chain already exists
    iptables: Chain already exists
    iptables: Chain already exists
    iptables: Chain already exists

    2. I am trying to restrict 10.250.0.100/16 from accessing www.yahoo.com, but it doesn't work.

    Any suggestions are welcome.

    Here is a part of my script:

    iptables -A allowed -p TCP --syn -j ACCEPT
    iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A allowed -p TCP -j DROP
    iptables -A allowed -p TCP -s 10.250.0.100/16 --destination www.yahoo.com -j DROP
    #
    # TCP rules
    #
    iptables -A tcp_packets -p TCP --dport 21 -j allowed
    iptables -A tcp_packets -p TCP -s 10.250.0.0/16 --dport 22 -j allowed
    iptables -A tcp_packets -p TCP -s 10.250.0.0/16 --dport 80 -j allowed
    iptables -A tcp_packets -p TCP -s 10.250.0.0/16 --dport 110 -j allowed
    iptables -A tcp_packets -p TCP -s 10.250.0.0/16 --dport 113 -j allowed
    iptables -A tcp_packets -p TCP -s 10.250.0.0/16 --dport 8100 -j allowed
    iptables -A tcp_packets -p TCP -s 10.250.0.0/16 --dport 8080 -j allowed
    iptables -A tcp_packets -p TCP -s 10.250.0.0/16 --dport 53 -j ACCEPT
    iptables -A tcp_packets -p TCP -s 172.16.20.31 -j allowed
    iptables -A tcp_packets -p 50 -j allowed
    iptables -A tcp_packets -p 51 -j allowed

    regds,
    mahi

  2. #2
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284

    Re: need help with iptables

    Hiya,

    Firstly, I would advise against putting DNS names into your iptables script for performance reasons. Drop to a command box and type "ping www.yahoo.com"; it will ping yahoo.com and give you their IP address. I got 216.109.125.78, but I know they also have a 66.?.?.? address range as well.

    Then type "whois 216.109.125.78", and it will give you the netblock (CIDR), in this case "216.109.112.0/20". It is this you should then use in your script as opposed to www.yahoo.com. Remember Yahoo have more than one netblock; you will need to find the others and bar those as well.

    For each netblock, create two rules like:
    "iptables -A INPUT -p tcp --dport 80 -d 216.109.112.0/20 -s 10.250.0.100/16 -j DROP"
    "iptables -A OUTPUT -p tcp --dport 80 -d 216.109.112.0/20 -s 10.250.0.100/16 -j DROP"

    These should then block access from the 10.x network specified to port 80 (HTTP) of Yahoo, after you have done that for all the netblocks Yahoo has servers sitting on.


    Quote Originally Posted by mahesh
    1. When I run my iptables script, it says
    iptables: Chain already exists
    iptables: Chain already exists
    iptables: Chain already exists
    iptables: Chain already exists
    iptables: Chain already exists
    This normally indicates you are creating the chain more than once, i.e. a line like this exists multiple times: iptables -N <chain name>.

    Have a look through the whole of your script for recurrences of the same declaration.

    Jason

  3. #3
    flw
    Linux Engineer
    Join Date
    Mar 2003
    Location
    U.S.A.
    Posts
    1,025
    Quote Originally Posted by Jason
    Firstly, I would advise against putting DNS names into your iptables script for performance reasons. Drop to a command box and type "ping www.yahoo.com"; it will ping yahoo.com and give you their IP address. I got 216.109.125.78, but I know they also have a 66.?.?.? address range as well.
    Since businesses can and do change hosting services, ISPs etc., I was always under the direct impression to always use FQDN when possible, so when they change IPs you don't have to change any scripts or even HTML hyperlinks to it. Let the DNS servers do their job; like any lookup, it will take some ms to resolve the FQDN to an IP. Just my opinion.
    Dan

    "Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu

  4. #4
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284
    Quote Originally Posted by fastlanwan
    Since businesses can and do change hosting services, ISPs etc., I was always under the direct impression to always use FQDN when possible, so when they change IPs you don't have to change any scripts or even HTML hyperlinks to it. Let the DNS servers do their job; like any lookup, it will take some ms to resolve the FQDN to an IP. Just my opinion.
    This is true. I think I was concentrating on the performance hit (could be a DNS lookup every packet!!!), but what you say is very true.

    If you've got a good internet connection, your Linux box is fast, and you have a full public-facing DNS server on the local network segment, I wouldn't worry too much, and use www.yahoo.com instead of an IP address.

    Jason
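The loader below is an added example that ties the replies together; it is not the script from the question and not code from any of the posters. It creates each user chain only once (the cause of "Chain already exists" in reply #2), resolves www.yahoo.com once at load time rather than leaving a name in a rule (the trade-off debated in #2 to #4: addresses in the kernel, a single lookup per load), and places the DROP where a NAT box will actually see the LAN's traffic. Two assumptions beyond the thread: the tools getent and awk are available, and the full script rebuilds FORWARD on each load. Two caveats a practitioner would check against the posted script: forwarded traffic from the 10.250.0.0/16 LAN traverses FORWARD, not INPUT/OUTPUT; and iptables evaluates rules top to bottom, so the yahoo DROP at the end of the posted "allowed" chain never fires, because the rules above it accept every new connection and then drop the rest.

```shell
#!/bin/sh
# Added example, not the script from the question or from any reply.
# A re-runnable loader for the block discussed in the thread:
#  - no "Chain already exists": a chain is created only the first time,
#    and flushed on every later run;
#  - no host name in a rule: www.yahoo.com is resolved once, when the
#    script loads, and the rules carry the resulting addresses.
# Assumed tools: getent (glibc) and awk. The subnet, the host and the
# netblock mentioned below come from the thread; chain name blocked_sites
# is a placeholder chosen for this example.

# Run for real only as root with iptables installed; otherwise print the
# commands instead, so the generated rules can be reviewed on any machine.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    IPT=iptables
else
    IPT="echo iptables"
fi

# ensure_chain NAME
# "iptables -N" fails with "Chain already exists" on the second run; treat
# that failure as "flush the existing chain" so the script is idempotent.
ensure_chain() {
    $IPT -N "$1" 2>/dev/null || $IPT -F "$1"
}

# resolve_v4 HOST
# Resolve the name once, now, printing each IPv4 address on its own line.
# The kernel then matches on addresses and never looks a name up per
# packet. Re-run the script (e.g. from cron) to pick up address changes.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# block_dest_rules SRC DST [DST...]
# One rule per destination address or netblock (e.g. the 216.109.112.0/20
# quoted in reply #2), appended to the blocked_sites chain.
block_dest_rules() {
    src=$1
    shift
    for dst in "$@"; do
        $IPT -A blocked_sites -p tcp -s "$src" -d "$dst" --dport 80 -j DROP
    done
}

# Load sequence. On a NAT box the LAN's traffic is forwarded, not delivered
# locally, so the jump goes into FORWARD, not INPUT/OUTPUT. It is inserted
# at position 1 because iptables evaluates rules top to bottom: a DROP that
# sits below a rule accepting the same traffic never fires. In a full
# script FORWARD is flushed and rebuilt on each load, so the jump is added
# exactly once.
load_rules() {
    ensure_chain blocked_sites
    block_dest_rules 10.250.0.0/16 $(resolve_v4 www.yahoo.com)
    $IPT -I FORWARD 1 -j blocked_sites
}

# Invoke as "sh block_site.sh --load" to run the commands (as root) or to
# print them (as any other user).
if [ "${1-}" = "--load" ]; then
    load_rules
fi
```

Run it once as a normal user to see the exact rules it would install; the printed `-N` on the first load and the `-F` that replaces it on later loads show why the original script's repeated `-N` lines produced the error five times.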
