LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-18-2006, 01:34 AM   #1
Crazed_Mofo
Registered User
 
Registered: Apr 2006
Posts: 12

Rep: Reputation: 0
192.168.1.1/24???


Just a bit confused about an iptables function. I was hoping that someone could clear this up for me. I keep reading that to enable access through iptables to machines on my network only, I would use the address "192.168.1.1/24" and that would cover all of the addresses in my 192.168.1.X range. I really don't understand what they are talking about. The real confusion sets in when I check the address range on my router. It's programmed to start at 192.168.1.100 and has a limited DHCP address issuance of 50. So....192.168.1.100-150. So what do they mean when they say "192.168.1.1/24" will cover all addresses within the 192.168.1.x range?

I guess what I'm asking is what in the heck is the "/24" in reference to?
 
Old 05-18-2006, 01:50 AM   #2
nadroj
Senior Member
 
Registered: Jan 2005
Location: Canada
Distribution: ubuntu
Posts: 2,539

Rep: Reputation: 59
It has to do with subnetting. If you are not on a large network and are not using subnetting then I don't think you need to do it this way. Research subnetting and/or CIDR on Wikipedia or another reference site. Sorry for the brief answer.
 
Old 05-18-2006, 01:54 AM   #3
Crazed_Mofo
Registered User
 
Registered: Apr 2006
Posts: 12

Original Poster
Rep: Reputation: 0
Ahhhhhhh! I got it! Hey, never mind the brief post. It was all I needed to point me in the right direction. Thanks for your help.

Ok...so the other computers are receiving their IPs via DHCP (so they could have any number of IP addresses at any point in time). So how could I go about allowing 192.168.1.100 through 192.168.1.150 without setting chains for every individual address?

Last edited by Crazed_Mofo; 05-18-2006 at 02:00 AM.
 
Old 05-18-2006, 03:58 AM   #4
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 61
This is from memory (research subnetting like nadroj suggested), so I may not be 100% correct.

Your IP address (192.168.1.0) is a hexadecimal number, and so can be converted to binary:
Code:
11000000.10101000.00000001.00000000
The /24 means to use the first 24 bits as the network address, which in this case means 192.168.1. The next 8 are the host number. So using 192.168.1.0/24 means that you are referring to any traffic from a host on the 192.168.1 network.

Do you have any machines in the range 1-99 and 151-254? If not, then just go with 192.168.1/24.

I hope this helps
--Ian
 
Old 05-18-2006, 07:48 AM   #5
rickh
Senior Member
 
Registered: May 2004
Location: Albuquerque, NM USA
Distribution: Debian-Lenny/Sid 32/64 Desktop: Generic AMD64-EVGA 680i Laptop: Generic Intel SIS-AC97
Posts: 4,250

Rep: Reputation: 60
I'm vague on this myself, but I think that 192.168.1.0/8 will take care of anything on the 192.168.1 network ... 192.168.0.0/16 will allow anything starting with 192.168 ... and 192.0.0.0/24 will allow anything starting with 192.

My DHCP router can assign any IP ending with a number 1-255. Behind that, I have Firestarter on my individual machines. I have a Firestarter rule that says, 'Accept connections from 192.168.123.0/8,' and it's never failed me yet.
 
Old 05-18-2006, 01:50 PM   #6
Crazed_Mofo
Registered User
 
Registered: Apr 2006
Posts: 12

Original Poster
Rep: Reputation: 0
I just wanted to let all of you know that you have been very helpful with your posts. Thank you so much! After nadroj pointed me to some subnetting articles I figured it out. You're all right, the /24 does in fact refer to the first 24 bits of the network address. I think I'm going to take IBall's advice and just go with the /24 mask.

Hey thanks again all.
 
Old 05-18-2006, 09:13 PM   #7
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 61
Quote:
Originally Posted by rickh
I'm vague on this myself, but I think that 192.168.1.0/8 will take care of anything on the 192.168.1 network ... 192.168.0.0/16 will allow anything starting with 192.168 ... and 192.0.0.0/24 will allow anything starting with 192.

My DHCP router can assign any IP ending with a number 1-255. Behind that, I have Firestarter on my individual machines. I have a Firestarter rule that says, 'Accept connections from 192.168.123.0/8,' and it's never failed me yet.
I think you are back to front. See http://en.wikipedia.org/wiki/Subnetw...orking_concept. The /8 refers to the first 8 bits, or 192. /16 refers to the 1st 16 bits 192.168 and /24 refers to the first 24 bits, or 192.168.123.

Your firestarter rule is allowing anything from the 192 network, which also includes non-private addresses. But since you have a router, it is probably doing NAT as well, which acts as a natural firewall. This means that the rule will work, because your box will only see addresses on the 192.168 network anyway.

I hope this helps
--Ian
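Added example (not from any poster in this thread): the masking arithmetic IBall describes in #4 and #7, done by hand in Python, so you can check what a CIDR string actually covers before putting it in a firewall rule. The sample addresses are constructed; the only assumption is IPv4.

```python
"""CIDR prefix matching the way a packet filter does it: AND the address
with a mask whose first N bits are 1, and compare the network parts."""

def ip_to_int(ip: str) -> int:
    """Convert dotted-quad text to a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(prefix_len: int) -> int:
    """/24 -> 0xFFFFFF00: the first prefix_len bits are 1, the rest 0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def network_of(cidr: str) -> str:
    """Canonical network a CIDR string denotes: host bits are thrown away,
    so 192.168.1.1/24 is 192.168.1.0/24 and 192.168.123.0/8 is 192.0.0.0/8."""
    ip, plen = cidr.split("/")
    net = ip_to_int(ip) & prefix_mask(int(plen))
    return f"{int_to_ip(net)}/{int(plen)}"

def in_range(ip: str, cidr: str) -> bool:
    """True if ip has the same first prefix_len bits as the CIDR's network."""
    net_ip, plen = cidr.split("/")
    mask = prefix_mask(int(plen))
    return (ip_to_int(ip) & mask) == (ip_to_int(net_ip) & mask)

def host_range(cidr: str):
    """First and last address covered by the prefix (network, broadcast)."""
    net_ip, plen = cidr.split("/")
    mask = prefix_mask(int(plen))
    net = ip_to_int(net_ip) & mask
    return int_to_ip(net), int_to_ip(net | (~mask & 0xFFFFFFFF))

if __name__ == "__main__":
    for cidr in ("192.168.1.1/24", "192.168.0.0/16", "192.168.123.0/8"):
        lo, hi = host_range(cidr)
        print(f"{cidr:16} -> {network_of(cidr):16} covers {lo} .. {hi}")
    # The DHCP pool 192.168.1.100-150 from the question sits inside the /24 ...
    print(all(in_range(f"192.168.1.{h}", "192.168.1.0/24") for h in range(100, 151)))
    # ... while a /8 rule also accepts addresses outside the 192.168 private range.
    print(in_range("192.0.2.7", "192.168.123.0/8"))
```

The last two prints show why the /24 answers the original question and why the /8 rule in #5 was accepting far more than the poster's LAN.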
 
Old 05-18-2006, 10:12 PM   #8
rickh
Senior Member
 
Registered: May 2004
Location: Albuquerque, NM USA
Distribution: Debian-Lenny/Sid 32/64 Desktop: Generic AMD64-EVGA 680i Laptop: Generic Intel SIS-AC97
Posts: 4,250

Rep: Reputation: 60
OK. So I changed my Firestarter rule (which is primarily used for ftp behind the firewall) to 'Accept connections from 192.168.123.0/24'. Is that right? I will go read the link, tho.
 
Old 05-18-2006, 11:32 PM   #9
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 61
Quote:
Originally Posted by rickh
OK. So I changed my Firestarter rule (which is primarily used for ftp behind the firewall) to 'Accept connections from 192.168.123.0/24'. Is that right? I will go read the link, tho.
Yep. That should allow connections from any computer on the 192.168.123 network.

--Ian
 