LinuxQuestions.org
Old 03-17-2010, 08:15 AM   #1
fedora_user
Member
 
Registered: Jan 2006
Posts: 112

Rep: Reputation: 15
Blocking traffic using iptables - easy hopefully :)


Hi,
I used the Angry IP Scan software and found a lot of the public IP addresses on our network are accessible from outside when they are not supposed to be, e.g. printers, PCs etc. To make a start on locking down the network I was wondering if anybody knew the iptables command to add a rule which blocks all incoming traffic to specific IP addresses on the network and to a range of IP addresses.

Really appreciate this.
 
Old 03-17-2010, 08:33 AM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 249
Public IP addresses are supposed to be accessible. Why have your printers got public IP addresses?
Don't you have a router?
 
Old 03-17-2010, 08:57 AM   #3
fedora_user
Member
 
Registered: Jan 2006
Posts: 112

Original Poster
Rep: Reputation: 15
Thanks smoker.
Yes, but way upstream. There's a switch, but further upstream as well; no control over any of this. We're looking into bringing in a firewall appliance, not sure when that will happen though. So for the time being I'm trying to block access to these addresses via any other means. As we have Linux servers dealing with DNS, dhcpd etc. on our network I'm trying to set up iptables.
 
Old 03-17-2010, 10:17 AM   #4
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,397
Blog Entries: 2

Rep: Reputation: 908
In order for you to assemble useful rules, you have to identify the likes of source & destination IPs, IP ports & protocols, and something about the topology of the network and the nature of the hosts which are attached to the network. It sounds like you have some hosts on a LAN which is otherwise unprotected. If so, then the smartest thing would be to insert a firewall between the LAN and the rest of the world. This allows you to consolidate the rule set onto one host, and relieves you from maintaining multiple hosts' rules. It also allows you to protect hosts which may not be well equipped with local firewalling capability.
You can implement rules on specific hosts to regulate traffic to & from those hosts. In either case, there are two general strategies. One strategy is to block all traffic, and then open up access for specific ports, IPs and other identifiable parameters. The other strategy is to open everything, and then block specific traffic. The nature of your servers and the nature of your usage patterns will dictate which is best for you. You must do your own analysis of this.
Composing a set of iptables rules that is thorough and correct is not a task for someone not well acquainted with networking. I strongly recommend using some package or tool that can generate a cohesive set of rules correctly, and that can be maintained and trusted. There are GUI tools for this, as well as canned packages that can be installed and customized to your specifications. Many of these can be found with online searches.
Typically, the implementation of firewalls is done with shell scripts that combine a coordinated collection of iptables rules. The firewall is started, stopped and restarted as a service much like any other service on a host. The shell script(s) get created either by you manually, as a pre-packaged collection with some recipe for customization, or by some GUI tool. Tools that create iptables rulesets are often geared toward one or the other of two configurations: for individual workstations & servers, or for a dedicated firewalling host, commonly equipped with multiple network interfaces, and configured to route traffic between networks such as LAN & WAN. Getting the right style of package for your scenario is, of course, important.

--- rod.
 
Old 03-17-2010, 11:05 AM   #5
fedora_user
Member
 
Registered: Jan 2006
Posts: 112

Original Poster
Rep: Reputation: 15
Thanks Rod for the lengthy reply. I understand where you're coming from. We do intend to buy a dedicated firewall; we were looking at Check Point as a possible solution. The only issue is that it may be some time before we get our hands on one, hence I was seeking advice related to iptables to deal with this issue in the meantime. I have edited iptables before. If I can be provided with a rule which deals with a range of IPs, at least I can start from somewhere. I don't have the GUI installed on the servers, so not sure if I can still use them as you recommended below...
 
Old 03-17-2010, 11:16 AM   #6
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 249
You don't want a range of IPs, you want the specific port opened on a specific machine. You have to put rules on all the machines if you don't have a central firewall. Each machine should have all ports blocked except the specific port that that machine needs.
I.e. the FTP machine has port 21 opened, the web server machine has port 80 opened, the DNS server machine has port 53 opened. I still don't understand how your printers have public IP addresses.
http://wiki.centos.org/HowTos/Network/IPTables
 
Old 03-17-2010, 01:21 PM   #7
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,397
Blog Entries: 2

Rep: Reputation: 908
Quote:
a rule which deals with a range of ips
Code:
/sbin/iptables -I INPUT -m iprange --src-range 0.0.0.0-255.255.255.255 -j DROP
This will block all incoming IP traffic from hosts in the range 0.0.0.0-255.255.255.255.
You might want to whittle the range down a smidgen.

To be effective, you will want to use criteria other than just IPs. You should start by learning much of what the standard Iptables Tutorial explains.

--- rod.
 
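The two approaches discussed in this thread, rod's "block everything, then open what is needed" strategy and smoker's per-machine port list in posts #4 and #6, together with the iprange match from post #7, can be put into one small generator script. The following is an added example, not code posted by anyone in the thread: it prints the iptables commands for a per-host default-deny ruleset and for a range block on a routing host, so the ruleset can be reviewed before it is piped to a root shell. The path /sbin/iptables comes from post #7; the interface name eth0, the address range 192.0.2.10-192.0.2.20 and the port lists are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables ruleset as text.
# Review the output, then apply it with:  gen_host_rules "22 80" "53" | sudo sh
# Assumes /sbin/iptables (as in post #7) and the classic "state" match module.

IPT=/sbin/iptables

# Accept only a numeric port in 1..65535; anything else is rejected so a typo
# cannot silently turn into an iptables parse error half-way through a ruleset.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Per-host ruleset in the "block all, then open specific ports" style:
# default policy DROP, then loopback, replies to our own connections,
# the listed TCP ports ($1) and UDP ports ($2), and a rate-limited log line
# so that dropped packets can be seen in syslog while tuning the rules.
gen_host_rules() {
    tcp_ports=$1
    udp_ports=$2
    for p in $tcp_ports $udp_ports; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    echo "$IPT -F INPUT"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $tcp_ports; do
        echo "$IPT -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "$IPT -A INPUT -p udp --dport $p -j ACCEPT"
    done
    echo "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
}

# Range block for the dedicated routing/firewall host rod describes in post #4:
# traffic arriving on the outside interface ($1) and being forwarded towards
# an address range ($2, e.g. the printers' block) is dropped with the iprange
# match. On a router this belongs in FORWARD, not INPUT, because the packets
# are not addressed to the firewall itself.
gen_range_block() {
    wan_if=$1
    range=$2
    echo "$IPT -I FORWARD -i $wan_if -m iprange --dst-range $range -j DROP"
}

# Demo when run directly as: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    gen_host_rules "22 80" "53"          # a DNS server that is also reached over SSH and HTTP
    gen_range_block eth0 192.0.2.10-192.0.2.20   # placeholder WAN interface and printer range
fi
```

The generator only prints; nothing touches the kernel until the output is piped to a root shell, which is also what makes the ruleset easy to keep in a script and start or stop as a service, as rod suggests. Note that the range rule blocks traffic towards the printers only if the Linux host actually forwards that traffic; a rule on a host that is not in the packets' path, which is the situation fedora_user describes, has no effect on them.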
Old 03-18-2010, 05:34 AM   #8
fedora_user
Member
 
Registered: Jan 2006
Posts: 112

Original Poster
Rep: Reputation: 15
Thanks Rod for the info. The link provided is pretty good and detailed. I will surely follow it through.
 