LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   iptables Help (https://www.linuxquestions.org/questions/linux-security-4/iptables-help-746283/)

billli 08-09-2009 04:00 PM
iptables Help
 
Hi!

I was wondering if someone could help me with iptables.

I have a server and I need to block all IPs except for:
the blocks: 128.96.*.* and 67.215.52.1

This is what I have so far: (at least I think what is correct)

iptables -A INPUT -s ! 128.96.0.0/16 -j DROP
iptables -A INPUT -s 67.215.52.1 -j ACCEPT


There are no other rules in the chain.

Any help would be appreciated.

win32sux 08-09-2009 04:09 PM
Welcome to LQ! :)

Quote:
Originally Posted by billli (Post 3636962)
I was wondering if someone could help me with iptables.

I have a server and I need to block all IPs except for:
the blocks: 128.96.*.* and 67.215.52.1

This is what I have so far: (at least I think what is correct)

iptables -A INPUT -s ! 128.96.0.0/16 -j DROP
iptables -A INPUT -s 67.215.52.1 -j ACCEPT
Your second rule would never get a chance to work, since the first one would have sent those packets to DROP.

I would suggest this approach instead:
Code:
iptables -A INPUT -s 128.96.0.0/16 -j ACCEPT
iptables -A INPUT -s 67.215.52.1 -j ACCEPT
iptables -A INPUT -j DROP
Of course, you probably want to allow packets on the loopback interface, so:
Code:
iptables -A INPUT -s 128.96.0.0/16 -j ACCEPT
iptables -A INPUT -s 67.215.52.1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j DROP

billli 08-09-2009 11:25 PM
Oh, I sees!
Thanks! =]

Just on a side note, for my information.

Say is it possible to only allow port 25 be accessed from 128.96.*.* and 67.215.52.1, while all the other port could be accessed by everyone?

Cheers

win32sux 08-10-2009 07:36 AM
Quote:
Originally Posted by billli (Post 3637263)
Say is it possible to only allow port 25 be accessed from 128.96.*.* and 67.215.52.1, while all the other port could be accessed by everyone?
Sure. One way could be like:
Code:
iptables -A INPUT -p TCP --dport ! 25 -s 128.96.0.0/16 -j DROP
iptables -A INPUT -p TCP --dport ! 25 -s 67.215.52.1 -j DROP
iptables -A INPUT -p TCP --dport 25 -j DROP
iptables -A INPUT -j ACCEPT
The last line isn't needed if you have your INPUT policy set to ACCEPT.

My next examples assume the policy is set to ACCEPT.

Another way might me:
Code:
iptables -A INPUT -p TCP --dport 25 -s 128.96.0.0/16 -j ACCEPT
iptables -A INPUT -p TCP --dport 25 -s 67.215.52.1 -j ACCEPT
iptables -A INPUT -s 128.96.0.0/16 -j DROP
iptables -A INPUT -s 67.215.52.1 -j DROP
iptables -A INPUT -p TCP --dport 25 -j DROP
Both examples assume that for those two IPs you only want port 25 to be accessible. In other words, any other ports won't be accessible to those two IPs. If what you meant was that you wanted port 25 to be accessible only to those IPs (while still allowing those two IPs to access any other port) then something like this could be used instead:
Code:
iptables -A INPUT -s 128.96.0.0/16 -j ACCEPT
iptables -A INPUT -s 67.215.52.1 -j ACCEPT
iptables -A INPUT -p TCP --dport 25 -j DROP


All times are GMT -5. The time now is 02:50 PM.