Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 04-09-2010, 02:01 PM
Member | Registered: Jan 2010 | Location: Kurgan, Russia | Distribution: Slackware, Ubuntu | Posts: 334
iptables issue
Hi guys.
I've consulted the iptables documentation, but the question is still actual. I wonder if the firewall has some parameter which can handle multiple IP addresses in the rule.
To make the problem more clear, I can show an example from OpenBSD's firewall, pf (from the official FAQ). OpenBSD's pf has a tool called 'tables'; it can store many addresses in one table:
Code:
table <goodguys> { 192.0.2.0/24 }
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8 }
table <spammers> persist
block in on fxp0 from { <rfc1918>, <spammers> } to any
pass in on fxp0 from <goodguys> to any
Now let's go back to iptables.
Say, I'd like to restrict access to my webserver from 1.1.1.1, 2.2.2.2 and 3.3.3.3.
Do I have any opportunity to do it with one line?
Code:
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 1.1.1.1 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 2.2.2.2 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 3.3.3.3 -j DROP
^^ this doesn't look nice :-) But as far as I remember, there is not any option which could be useful to me (something like -m multiport --dport port1, port2, port3 but according to IP addresses).
So, if there is, let me know please.
Regards, Lexus45 
Last edited by Lexus45; 04-09-2010 at 02:02 PM.
#2 | 04-09-2010, 02:17 PM
Senior Member | Registered: Jul 2009 | Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0 | Posts: 1,571
Make DEFAULT rule DROP, allow only what you need.
#3 | 04-09-2010, 02:44 PM
Senior Member | Registered: Dec 2008 | Location: Louisville, OH | Distribution: Debian, CentOS, Slackware, RHEL, Gentoo | Posts: 1,833
Nimnull already gave the best solution in this particular situation, but as far as I know there is no good way to do what you're asking for, except for specifying networks. You can of course use netmask and CIDR notation.
#4 | 04-10-2010, 01:17 AM
Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by Lexus45
this doesn't look nice :-)
Uh, okay, but it's a firewall script – not ASCII artwork.
Seriously, though, are you really wanting to do this for purely cosmetic reasons?
Quote:
Originally Posted by nimnull22
Make DEFAULT rule DROP, allow only what you need.
Always good advice. Of course, he might already be doing that (which would make these akin to exceptions).
Last edited by win32sux; 04-10-2010 at 01:22 AM.
#5 | 04-10-2010, 02:55 AM
Member (Original Poster) | Registered: Jan 2010 | Location: Kurgan, Russia | Distribution: Slackware, Ubuntu | Posts: 334
Quote:
Originally Posted by nimnull22
Make DEFAULT rule DROP, allow only what you need.
Of course, I do it :-)
(Even more, iptables was the first thing I started learning about Linux. But it was some years ago...) :-)
Besides, the idea could be used not only with -j DROP in INPUT chain of the 'filter' table, but also in SNAT or REDIRECT or something else.
That's why I wonder...
Quote:
Originally Posted by rweaver
You can of course use netmask and cidr notation.
Sure, I know about netmasks :-) Nevertheless, thanks for advice ;-D
There may be situations when the addresses belong to different subnets (as in my example).
That's why I wonder.
Quote:
Originally Posted by win32sux
Uh, okay, but it's a firewall script – not ASCII artwork.
Quote:
Originally Posted by win32sux
Seriously, though, are you really wanting to do this for purely cosmetic reasons?
I think it's mostly pure interest...
I don't have really serious problems because of the absence of such a feature in iptables.
But I think it could be rather nice to have one.
So, as I was sure and as I also see from our discussion, iptables seems not to have such a feature.
Last edited by Lexus45; 04-10-2010 at 02:57 AM.
#6 | 04-11-2010, 01:35 AM
Member | Registered: Jul 2003 | Location: NY | Distribution: None (src & compile) | Posts: 249
I think what you are wanting to do is provided by an iptables friend called 'ipset'. I used to have it here for a while, but at each new kernel update they (kernel devs) seemed to break something, and I got sick and tired of patching it and my patch-o-matic iptables extensions all the time to keep it working when I didn't use it that much. So I let it go. Maybe it's still around and buildable, depending on what kernel version you have going. I see the -m match for it is still in the iptables man page:
Quote:
set
This module matches IP sets which can be defined by ipset(8).
but I can't say if it fully works now or will meet your needs. The URL for it escapes me ATM, but it's on the Netfilter ftp server (where the iptables source is). Maybe ftp://ftp.netfilter.org/ ?
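The ipset approach from post #6 carried through as a script, added here and not code from the thread: one set holds the addresses (from different subnets, as in the original example) and a single iptables rule references it. It assumes ipset(8) and the iptables "set" match are installed and that it runs as root; the helper names run, valid_ipv4 and apply_blocklist are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: one ipset plus a single iptables
# rule in place of one DROP rule per address. Assumes ipset(8) and the
# iptables "set" match (xt_set) are installed and that it runs as root;
# with DRY_RUN=1 the commands are printed instead of executed.

# Execute a command, or print it when DRY_RUN is set (constructed helper).
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only dotted-quad IPv4, optionally with /prefix, so a typo never
# reaches ipset. Pure POSIX sh: no regex, split on "." via IFS.
valid_ipv4() {
    addr=${1%%/*}
    pfx=${1#"$addr"}; pfx=${pfx#/}
    case "$addr" in ""|*[!0-9.]*) return 1 ;; esac
    n=0; old_ifs=$IFS; IFS=.
    for o in $addr; do
        n=$((n + 1))
        if [ -z "$o" ] || [ "$o" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ] || return 1
    case "$pfx" in "") return 0 ;; *[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ]
}

# Usage: apply_blocklist SETNAME DPORT ADDR [ADDR...]
apply_blocklist() {
    set_name=$1; dport=$2; shift 2
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "rejected: $a" >&2; return 1; }
    done
    # hash:net holds single hosts and CIDR prefixes alike, so addresses
    # from different subnets (the thread's case) live in one set.
    run ipset -exist create "$set_name" hash:net
    run ipset flush "$set_name"
    for a in "$@"; do
        run ipset -exist add "$set_name" "$a"
    done
    # One rule whatever the set's size; a hash lookup costs the same for
    # three entries or three thousand. Use -I instead of -A if an earlier
    # ACCEPT rule would otherwise match first.
    run iptables -A INPUT -p tcp --dport "$dport" \
        -m set --match-set "$set_name" src -j DROP
}
# Stand-alone: DRY_RUN=1 sh blocklist.sh webblock 80 1.1.1.1 2.2.2.2 3.3.3.3
if [ "$#" -ge 3 ]; then apply_blocklist "$@"; fi
```

Adding or removing an address later is an ipset add/del on the live set, with no change to the iptables rule itself.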
#7 | 04-11-2010, 04:17 AM
Member (Original Poster) | Registered: Jan 2010 | Location: Kurgan, Russia | Distribution: Slackware, Ubuntu | Posts: 334
jayjwa, an interesting note, thanks.
So I think, it's better not to change anything because my problem is not serious. :-)
#8 | 04-11-2010, 05:17 AM
Senior Member | Registered: Jul 2007 | Location: Directly above centre of the earth, UK | Distribution: SuSE, plus some hopping | Posts: 3,692
Quote:
Originally Posted by Lexus45
I wonder if the firewall has some parameter, which can handle multiple IP-addresses in the rule.
Not, as far as I know, a firewall parameter...
Quote:
Code:
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 1.1.1.1 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 2.2.2.2 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 3.3.3.3 -j DROP
^^ this doesn't look nice :-)
I'm with win32sux on this; if there was ever an area in which function has to take priority over pretty-looking code, this (security, generally) is it.
Having said that, it seems that modules like blockhosts, fail2ban, denyhosts, sshban could do what you say that you want. These are things that are aimed at working with dynamic IP lists, but there doesn't seem to be a reason that they cannot be used with a short, static list of bad guys. It would be more of an issue if there were hundreds of them, rather than three...
But you have to question whether this is a worthwhile objective - there is a little messy complexity, and you have succeeded in putting it somewhere other than in the basic iptables set of rules, which does keep iptables looking clean. But does it make things any more secure?
The difficulty with any of these measures is that if they don't work quickly, they can increase your susceptibility to DoS and more specifically DDoS attacks.
So would you want to clean up your iptables rules, at the expense of increasing your susceptibility to a particular type of attack (if that is what it would do)? Well, I don't think, put like that, it would be a worthwhile objective.