LinuxQuestions.org


garett 12-03-2014 08:42 AM

iptables - how to block some IP-addresses
 
Hello everybody! :-) Looks like I need help with iptables... I have a task - I should block some network resources for all users in the office. So there is a network gateway (Linux based) and an iptables script:
*filter
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.20:3390
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT

There are 2 networks: 192.168.1.0/24 (office machines) and 192.168.0.0/24 ("real world"). So there is NAT and 2 port redirections only on this gateway now. And the policy is ACCEPT (all the chains). So I need to drop packets to some real IP, for example, 8.8.8.8 - what rule should I write? Please help :-)

sudowtf 12-03-2014 10:21 AM

a good solution for not understanding iptables, might be to use webmin to edit the iptables firewall. that's how i did it before (and still do sometimes). it will certainly help you get your head around the concept before actually editing the iptables config.

but to answer more directly, I believe you would add for example:
Code:

-A INPUT -s 8.8.8.8 -j DROP
or for a specific NIC, example eth0:
Code:

-A INPUT -s 8.8.8.8 -i eth0 -j DROP
i'll attach a screenshot of the firewall section of webmin for adding a rule in case it helps.

garett 12-04-2014 01:05 AM

Quote:

Originally Posted by sudowtf (Post 5278846)
a good solution for not understanding iptables, might be to use webmin to edit the iptables firewall. that's how i did it before (and still do sometimes). it will certainly help you get your head around the concept before actually editing the iptables config.

but to answer more directly, I believe you would add for example:
Code:

-A INPUT -s 8.8.8.8 -j DROP
or for a specific NIC, example eth0:
Code:

-A INPUT -s 8.8.8.8 -i eth0 -j DROP
i'll attach a screenshot of the firewall section of webmin for adding a rule in case it helps.

Excuse me, in what section should I add this string? Should it look like:

*filter
-A INPUT -s 8.8.8.8 -i eth1 -j DROP
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.20:3390
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT

And why is INPUT, not OUTPUT? Cause I need to block outgoing traffic to IP 8.8.8.8...

sudowtf 12-04-2014 10:19 AM

okay then, since you want outgoing stopped, then it might be: (also, i'm not the know-it-all here, mind you)
Code:

-A OUTPUT -d 8.8.8.8 -j REJECT
note that it's now a destination (-d)

i added 9.9.9.9 to mine via webmin just to test and it looks like this: (with all my custom stuff removed)
Code:

$ sudo cat /etc/iptables.up.rules

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
COMMIT
:PREROUTING ACCEPT [13514:5085076]
:INPUT ACCEPT [13501:5076030]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12020:2730177]
:POSTROUTING ACCEPT [12085:2741160]
COMMIT
*nat
:PREROUTING ACCEPT [1133:318933]
:INPUT ACCEPT [97:7905]
:OUTPUT ACCEPT [735:48676]
:POSTROUTING ACCEPT [735:48676]
COMMIT

compare that to yours and you might have something. (and maybe some of the network gurus here might say something more correct)

good luck.

garett 12-09-2014 09:11 AM

You know - if I add this string:
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
ssh is not responding now :-(

sudowtf 12-09-2014 09:21 AM

Quote:

Originally Posted by garett (Post 5281942)
You know - if I add this string:
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
ssh is not responding now :-(

there's no reason you should add 9.9.9.9, that was my example.

also, no reason (that i know) that should have stopped ssh.
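The point the thread circles around is which chain the office traffic actually passes through: packets from the 192.168.1.0/24 clients are routed by the gateway, so they hit FORWARD, while OUTPUT only sees packets the gateway itself sends. The script below is an added example (not code from the thread or from any poster) that rebuilds the first post's filter table with the block rule in FORWARD, placed ahead of the broad ACCEPT so it can match; it assumes the post's topology (eth0 = office side, eth1 = outside) and a constructed list of IPs to block.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the gateway's *filter table
# from the first post with a block rule for each listed outside IP.
# Assumes the post's topology: eth0 = office side (192.168.1.0/24), eth1 = outside.
# Load on the gateway (as root) with: gateway_filter_rules | iptables-restore

BLOCKED_IPS="8.8.8.8"   # constructed list of outside IPs to block, space-separated

gateway_filter_rules() {
    printf '%s\n' '*filter'
    # Office clients' packets are routed through the box, so they traverse
    # FORWARD; OUTPUT only sees packets the gateway itself originates.
    # The DROP must come before the broad ACCEPT: the first matching rule wins.
    for ip in $BLOCKED_IPS; do
        printf '%s\n' "-A FORWARD -s 192.168.1.0/24 -d $ip -i eth0 -o eth1 -j DROP"
    done
    printf '%s\n' '-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT'
    printf '%s\n' '-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Sanity check: every DROP rule for a blocked IP must precede the broad ACCEPT
# rule, otherwise it is never reached. Returns 0 when the ordering is right.
block_precedes_accept() {
    rules=$(gateway_filter_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '-i eth0 -o eth1 -j ACCEPT' | cut -d: -f1)
    for ip in $BLOCKED_IPS; do
        drop_line=$(printf '%s\n' "$rules" | grep -n -- "-d $ip -i eth0" | cut -d: -f1)
        [ -n "$drop_line" ] && [ "$drop_line" -lt "$accept_line" ] || return 1
    done
    return 0
}

# The OUTPUT rule posted later in the thread uses -i (input interface), which
# iptables rejects in OUTPUT; an OUTPUT rule takes -o. This form loads, but it
# still only affects traffic the gateway itself sends, not the office clients.
gateway_own_traffic_rule() {
    printf '%s\n' "-A OUTPUT -d $1 -o eth1 -j REJECT"
}
```

Before touching the live ruleset, `iptables-restore --test` parses the generated rules without committing them, which surfaces mistakes like `-i` in OUTPUT as a load error rather than a mystery outage.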
