Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I've consulted the iptables documentation, but the question is still actual. I wonder if the firewall has some parameter, which can handle multiple IP-addresses in the rule.
To make the problem more clear, I can show an example from OpenBSD's firewall - pf (from the official FAQ). OpenBSD's pf has a tool called 'tables' - it can store many addresses in one table:
Code:
table <goodguys> { 192.0.2.0/24 }
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8 }
table <spammers> persist
block in on fxp0 from { <rfc1918>, <spammers> } to any
pass in on fxp0 from <goodguys> to any
Now let's go back to iptables.
Say, I'd like to restrict access to my webserver from 1.1.1.1, 2.2.2.2 and 3.3.3.3.
Do I have any opportunity to do it with one line ?
Code:
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 1.1.1.1 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 2.2.2.2 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 3.3.3.3 -j DROP
^^ this doesn't look nice :-) But as far as I remember, there isn't any option which could be useful to me (something like -m multiport --dport port1, port2, port3 but for IP-addresses).
Nimnull already gave the best solution in this particular situation, but as far as I know there is no good way to do what you're asking for, except for specifying networks. You can of course use netmask and CIDR notation.
Of course, I do it :-)
(Even more, iptables - was the first thing I started learning about Linux. But it was some years ago...) :-)
Besides, the idea could be used not only with -j DROP in the INPUT chain of the 'filter' table, but also with SNAT or REDIRECT or something else.
That's why I wonder...
Quote:
Originally Posted by rweaver
You can of course use netmask and cidr notation.
Sure, I know about netmasks :-) Nevertheless, thanks for the advice ;-D
There may be situations when the addresses belong to different subnets (as in my example).
That's why I wonder.
Quote:
Originally Posted by win32sux
Uh, okay, but it's a firewall script – not ASCII artwork.
Quote:
Originally Posted by win32sux
Seriously, though, are you really wanting to do this for purely cosmetic reasons?
I think it's mostly pure interest...
I don't have really serious problems because of the absence of such a feature in iptables.
But I think it could be rather nice to have one.
So, as I was sure and as I also see from our discussion, iptables seems not to have such a feature.
I think what you are wanting to do is provided by an iptables friend called 'ipset'. I used to have it here for a while, but at each new kernel update they (the kernel devs) seemed to break something, and I got sick and tired of patching it and my patch-o-matic iptables extensions all the time to keep it working when I didn't use it that much. So I let it go. Maybe it's still around and buildable, depending on what kernel version you have going. I see the -m match for it is still in the iptables man page:
Quote:
set
This module matches IP sets which can be defined by ipset(8).
but I can't say if it fully works now or will meet your needs. The URL for it escapes me ATM, but it's on the Netfilter ftp server (where the iptables source is). Maybe ftp://ftp.netfilter.org/ ?
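Here is what the ipset approach from the post above looks like in practice: one hash:ip set holding the three addresses from the question, referenced by a single iptables rule via the 'set' match. This is an added example, not code from the thread; the webserver address 203.0.113.10 is a constructed placeholder for <my_webserver_ip>, and the script only prints the commands unless DRY_RUN=0 is set (ipset and the iptables set match are assumed to be installed).

```shell
#!/bin/sh
# Added example: block several unrelated hosts with ONE iptables rule by
# keeping the addresses in an ipset instead of in separate rules.
# 203.0.113.10 is a constructed placeholder for <my_webserver_ip>.

WEB_IP="${WEB_IP:-203.0.113.10}"
BLOCKED="1.1.1.1 2.2.2.2 3.3.3.3"   # the three hosts from the question
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = run them (root)

# Print or execute a command, so the rules can be reviewed without root.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create (or reuse) a hash:ip set and fill it with the blocked addresses.
# -exist makes both steps idempotent, so re-running the script is safe.
build_set() {
    run ipset create badguys hash:ip -exist
    for ip in $BLOCKED; do
        run ipset add badguys "$ip" -exist
    done
}

# A single rule covers every address in the set; adding or removing a host
# later is an 'ipset add/del' and never touches the iptables rule list.
block_rule() {
    run iptables -A INPUT -p tcp -d "$WEB_IP" --dport 80 \
        -m set --match-set badguys src -j DROP
}

build_set
block_rule
```

With DRY_RUN=1 (the default) the script prints four ipset commands and one iptables rule; run it as root with DRY_RUN=0 to apply them.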
Quote:
I wonder if the firewall has some parameter, which can handle multiple IP-addresses in the rule.
Not, as far as I know, a firewall parameter...
Quote:
Code:
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 1.1.1.1 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 2.2.2.2 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 3.3.3.3 -j DROP
^^ this doesn't look nice :-)
I'm with win32sux on this; if there was ever an area in which function has to take priority over pretty-looking code, this (security, generally) is it.
Having said that, it seems that modules like blockhosts, fail2ban, denyhosts, sshban could do what you say that you want. These are things that are aimed at working with dynamic ip lists, but there doesn't seem to be a reason that they cannot be used with a short, static, list of bad guys. It would be more of an issue if there were hundreds of them, rather than three...
But you have to question whether this is a worthwhile objective - there is a little messy complexity, and you have succeeded in putting it somewhere other than in the basic iptables set of rules, which does keep iptables looking clean. But does it make things any more secure?
The difficulty with any of these measures is that if they don't work quickly, they can increase your susceptibility to DoS and more specifically DDoS attacks.
So would you want to clean up your iptables rules at the expense of increasing your susceptibility to a particular type of attack (if that is what it would do)? Well, put like that, I don't think it would be a worthwhile objective.