iptables - how to block some IP-addresses

garett · 12-03-2014, 08:42 AM

Hello everybody! :-) Looks like I need help with iptables... I have a task - should block some network resources for all users in office. So there is a network gateway (Linux based) and iptables script:
*filter
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.20:3390
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT

There are 2 networks: 192.168.1.0/24 (office machines) and 192.168.0.0/24 ("real world"). So there is NAT and 2 port redirections only on this gateway now. And policy is - ACCEPT (all the chains). So I need to drop a packets to some real IP, for example, 8.8.8.8 - what rule should I write? Please help :-)

sudowtf · 12-03-2014, 10:21 AM

a good solution for not understanding iptables, might be to use webmin to edit the iptables firewall. that's how i did it before (and still do sometimes). it will certainly help you get your head around the concept before actually editing the iptables config.

but to answer more directly, I beleive you would add for example:

Code:

-A INPUT -s 8.8.8.8 -j DROP

or for a specific NIC, example eth0:

Code:

-A INPUT -s 8.8.8.8 -i eth0 -j DROP

i'll attach a screenshot of the firewall section of webmin for adding a rule in case it helps.

garett · 12-04-2014, 01:05 AM

Quote:

Originally Posted by sudowtf

a good solution for not understanding iptables, might be to use webmin to edit the iptables firewall. that's how i did it before (and still do sometimes). it will certainly help you get your head around the concept before actually editing the iptables config.

but to answer more directly, I beleive you would add for example:

Code:

-A INPUT -s 8.8.8.8 -j DROP

or for a specific NIC, example eth0:

Code:

-A INPUT -s 8.8.8.8 -i eth0 -j DROP

i'll attach a screenshot of the firewall section of webmin for adding a rule in case it helps.

Excuse me, in what section should I add this string? Should it look like:

*filter
-A INPUT -s 8.8.8.8 -i eth1 -j DROP
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.20:3390
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT

And why is INPUT, not OUTPUT? Cause I need to block outgoing traffic to IP 8.8.8.8...

sudowtf · 12-04-2014, 10:19 AM

okay then, since you want outgoing stopped, then it might be: (also, i'm not the know-it-all here, mind you)

Code:

-A OUTPUT -d 8.8.8.8 -j REJECT

note that it's now a destination (-d)

i added 9.9.9.9 to mine via webmin just to test and it looks like this: (with all my custom stuff removed)

Code:

$ sudo cat /etc/iptables.up.rules

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
COMMIT
:PREROUTING ACCEPT [13514:5085076]
:INPUT ACCEPT [13501:5076030]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12020:2730177]
:POSTROUTING ACCEPT [12085:2741160]
COMMIT
*nat
:PREROUTING ACCEPT [1133:318933]
:INPUT ACCEPT [97:7905]
:OUTPUT ACCEPT [735:48676]
:POSTROUTING ACCEPT [735:48676]
COMMIT

compare that to yours and you might have something. (and maybe some of the network guru's here might say something more correct)

good luck.

garett · 12-09-2014, 09:11 AM

You know - if I add this string:
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
ssh is not responding now :-(

sudowtf · 12-09-2014, 09:21 AM

Quote:

Originally Posted by garett

You know - if I add this string:
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
ssh is not responding now :-(

there's no reason you should add 9.9.9.9, that was my example.

also, no reason (that i know) that should have stopped ssh.