#1 (Just Joined!, joined Mar 2013, 10 posts)

    2 questions about iptables configuration


    #1

    Eth0 - 208.98.98.1 (outside network aka the internet)
    Eth1 - 192.168.111.2 (DMZ)
    Eth2 - 10.23.23.2 (Internal Network)

    Packets that enter eth0 begin with IP "192.168." or "10.". Only packets of the DMZ or internal network have such IPs.

    Eth0 has an internet address range 10.0.0.8 and 192.168.0/16 private address range

    Setup of IP tables
    iptables -I INPUT 1 -i eth0 -s 192.168.0.0/16 -j DROP
    iptables -I INPUT 2 -i eth0 -s 10.0.0.0/8 -j DROP
    iptables -I INPUT 3 -i eth1 -s ! 192.168.111.0/24 -j DROP
    iptables -I INPUT 4 -i eth2 -s ! 10.0.0.0/8 -j DROP

    iptables -I FORWARD 1 -i eth0 -s 192.168.0.0/16 -j DROP
    iptables -I FORWARD 2 -i eth0 -s 10.0.0.0/8 -j DROP
    iptables -I FORWARD 3 -i eth1 -s ! 192.168.111.0/24 -j DROP
    iptables -I FORWARD 4 -i eth2 -s ! 10.0.0.0/8 -j DROP

    Looked up what -s ! is used for:
    "A "!" argument before the address specification inverts the sense of the address." What is meant by "inverts the sense of the address"? SOLVED!

    If I got it right, the first two rules are there to block internal spoofing,
    rules 3 and 4 against spoofing of its own address range.
    SOLVED!

    Can't really figure out the meaning of the last four just yet.
    Probably yet again against IP spoofing, but it kind of makes no sense to me: IMO you need a source and destination if you forward packets. PENDING

    ---

    #2

    Trying to allow incoming TCP connections to active services with #iptables

    Listing all active services --> netstat -tulpn
    Thinking about sudo

    iptables -A INPUT -i eth0 -p TCP -m conntrack --ctstate NEW -j ACCEPT
    Last edited by Daemorog; 03-11-2013 at 07:47 PM. Reason: spelling mistakes + solved subquestions

#2 (Linux Engineer, joined Apr 2012, Virginia, USA, 882 posts)
    ! means 'is not'
    You could read the third rule like this:
    For all incoming packets, on interface eth1, if the source 'is not' a 192.168.111.0/24 address, then drop.

    Unless your system is acting as a gateway for other systems, or you are hosting VMs, you do not need forwarding typically.

#3 (Just Joined!, joined Mar 2013, 10 posts)
    Thanks a bunch for that answer; I should have known what "!" meant from my background in programming, but I wasn't entirely sure of it.

    Regarding the forwarding, I would really like to know why it is there - it still doesn't really make sense, since the rules don't have a destination assigned to them.

    #2 is still open too.

#4 (Linux Engineer, joined Apr 2012, Virginia, USA, 882 posts)
    Forwarding is forwarding packets from one interface to another.

    iptables -I FORWARD 1 -i eth0 -s 192.168.0.0/16 -j DROP = If I receive a forward request on eth0, and the source address is 192.168.x.x (spoofed), drop.
    iptables -I FORWARD 2 -i eth0 -s 10.0.0.0/8 -j DROP = If I receive a forward request on eth0, and the source address is 10.0.x.x (spoofed), drop.
    iptables -I FORWARD 3 -i eth1 -s ! 192.168.111.0/24 -j DROP = If I receive a forward request on eth1, and the source address 'is not' from 192.168.111.0/24, drop.
    iptables -I FORWARD 4 -i eth2 -s ! 10.0.0.0/8 -j DROP = If I receive a forward request on eth2, and the source address 'is not' from 10.0.0.0/8, drop.

    So, what is a forward exactly? Say your machine is acting as a gateway for another device on the 192.168.111.x network. The final destination isn't your server, it's likely the internet or the other private network. Thus, your server will do little more than forward those packets along.
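An added example (not from this thread) that models the four anti-spoofing rules in Python and runs constructed sample packets through them. It shows that only the ingress interface and the source address are consulted, so the absence of -d is by design; the field="dst" mode models the swap of -s for -d in all four rules to show what that would do to legitimate traffic. The interface and address values come from the thread; 203.0.113.7 is a documentation address standing in for an internet host.

```python
import ipaddress
from typing import Optional

# The four anti-spoofing rules from the thread as (ingress iface, network, negated).
# INPUT and FORWARD carry identical copies: INPUT guards packets addressed to the
# gateway itself, FORWARD guards packets the gateway routes between its interfaces.
RULES = [
    ("eth0", "192.168.0.0/16", False),   # internet side, private DMZ range: spoofed
    ("eth0", "10.0.0.0/8", False),       # internet side, private internal range: spoofed
    ("eth1", "192.168.111.0/24", True),  # '-s !': DMZ may only ever use its own range
    ("eth2", "10.0.0.0/8", True),        # '-s !': internal may only ever use its own range
]

def first_matching_rule(in_iface: str, src: str, dst: str, field: str = "src") -> Optional[int]:
    """Return the 1-based index of the first rule that fires, or None when no rule
    matches and the packet continues down the chain.  field="src" is the thread's
    ruleset: ingress interface plus source only, dst never influences the verdict.
    field="dst" models -s replaced by -d in every rule (assumption for contrast)."""
    addr = ipaddress.ip_address(src if field == "src" else dst)
    for idx, (iface, net, negated) in enumerate(RULES, start=1):
        if iface != in_iface:
            continue
        in_net = addr in ipaddress.ip_network(net)
        if in_net != negated:   # plain rule fires when inside, negated rule when outside
            return idx
    return None

# Constructed sample packets: (ingress iface, src, dst, what the packet represents).
SAMPLES = [
    ("eth0", "203.0.113.7", "10.23.23.9", "internet reply to an internal host"),
    ("eth0", "10.23.23.5", "10.23.23.9", "internal address arriving from the internet"),
    ("eth1", "192.168.111.40", "203.0.113.7", "DMZ host going out"),
    ("eth1", "10.23.23.5", "10.23.23.9", "DMZ host claiming an internal address"),
    ("eth2", "10.23.23.9", "192.168.111.40", "internal host reaching the DMZ"),
    ("eth2", "192.168.111.40", "203.0.113.7", "internal host claiming a DMZ address"),
]

def evaluate_samples(field: str = "src") -> dict:
    """Map each sample description to the rule number that drops it (None = passes)."""
    return {desc: first_matching_rule(i, s, d, field) for i, s, d, desc in SAMPLES}

if __name__ == "__main__":
    for field in ("src", "dst"):
        print(f"--- matching on {field} ---")
        for desc, rule in evaluate_samples(field).items():
            print(f"{desc:45s} -> {'DROP by rule %d' % rule if rule else 'pass'}")
```

With -s, only the three spoofed samples are dropped; with -d, every legitimate sample is dropped as well, because a reply to an internal host or an outbound DMZ packet then matches the very rule meant to catch spoofing.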

#5 (Just Joined!, joined Mar 2013, 10 posts)
    I don't really get forward yet; can you explain it a little bit more, please?
    (The example without a destination keeps messing with my mind.)

    You had my curiosity, now you have my full attention.
    Last edited by Daemorog; 03-11-2013 at 07:54 PM. Reason: grammar mistakes

#6 (Linux Engineer, joined Apr 2012, Virginia, USA, 882 posts)
    This article explains the gist of it:
    How to implement ip forwarding in Linux

#7 (Just Joined!, joined Mar 2013, 10 posts)
    So basically forward can be seen as a routing method which connects two separate networks together.

    So what the rules actually say is that traffic should come from the subnet (inside - 192.168.111.x) to the gateway (eth[0-2]) before it can be forwarded to the other networks. Which also leads to the conclusion that in the first 2 iptables rules the -s should be a -d (destination) to make a lot more sense.

#8 (Linux Engineer, joined Apr 2012, Virginia, USA, 882 posts)
    No, the rules look to be correct to protect against spoofing.

#9 (Just Joined!, joined Mar 2013, 10 posts)
    Please clarify further.

#10 (Linux Engineer, joined Apr 2012, Virginia, USA, 882 posts)
    What exactly are you trying to accomplish with these rules? Perhaps you are confused because you are intending the rules to do something they aren't.
