LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-09-2010, 02:01 PM   #1
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 339
Blog Entries: 3

Rep: Reputation: 47
iptables issue


Hi guys.

I've consulted the iptables documentation, but the question is still open. I wonder if the firewall has some parameter which can handle multiple IP addresses in one rule.

To make the problem clearer, I can show an example from OpenBSD's firewall, pf (from the official FAQ). OpenBSD's pf has a tool called 'tables' which can store many addresses in one table:
Code:
table <goodguys> { 192.0.2.0/24 }
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, \
   10.0.0.0/8 }
table <spammers> persist

block in on fxp0 from { <rfc1918>, <spammers> } to any
pass  in on fxp0 from <goodguys> to any
Now let's go back to iptables.
Say, I'd like to restrict access to my webserver from 1.1.1.1, 2.2.2.2 and 3.3.3.3.

Do I have any opportunity to do it with one line ?

Code:
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 1.1.1.1 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 2.2.2.2 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 3.3.3.3 -j DROP
^^ this doesn't look nice :-) But as far as I remember, there isn't any option which could be useful to me (something like -m multiport --dport port1, port2, port3 but for IP addresses).

So, if there is, let me know please.

Regards, Lexus45

Last edited by Lexus45; 04-09-2010 at 02:02 PM.
 
Old 04-09-2010, 02:17 PM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Make DEFAULT rule DROP, allow only what you need.
 
Old 04-09-2010, 02:44 PM   #3
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163Reputation: 163
Nimnull already gave the best solution in this particular situation, but for what you're asking, as far as I know, there is no good way to do it except by specifying networks. You can of course use netmask and CIDR notation.
 
Old 04-10-2010, 01:17 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by Lexus45 View Post
this doesn't look nice :-)
Uh, okay, but it's a firewall script not ASCII artwork.

Seriously, though, are you really wanting to do this for purely cosmetic reasons?

Quote:
Originally Posted by nimnull22 View Post
Make DEFAULT rule DROP, allow only what you need.
Always good advice. Of course, he might already be doing that (which would make these akin to exceptions).

Last edited by win32sux; 04-10-2010 at 01:22 AM.
 
Old 04-10-2010, 02:55 AM   #5
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 339
Blog Entries: 3

Original Poster
Rep: Reputation: 47
Quote:
Originally Posted by nimnull22 View Post
Make DEFAULT rule DROP, allow only what you need.
Of course, I do it :-)
(Even more, iptables - was the first thing I started learning about Linux. But it was some years ago...) :-)

Besides, the idea could be used not only with -j DROP in INPUT chain of the 'filter' table, but also in SNAT or REDIRECT or something else.
That's why I wonder...

Quote:
Originally Posted by rweaver View Post
You can of course use netmask and cidr notation.
Sure, I know about netmasks :-) Nevertheless, thanks for the advice ;-D
There may be situations when the addresses belong to different subnets (as in my example).
That's why I wonder.

Quote:
Originally Posted by win32sux View Post
Uh, okay, but it's a firewall script – not ASCII artwork.

Quote:
Originally Posted by win32sux View Post
Seriously, though, are you really wanting to do this for purely cosmetic reasons?
I think it's much of pure interest...
I don't have really serious problems because of the absence of such a feature in iptables.

But I think it could be rather nice to have one.


So, as I was sure and as I also see from our discussion, iptables seems not to have such a feature.

Last edited by Lexus45; 04-10-2010 at 02:57 AM.
 
Old 04-11-2010, 01:35 AM   #6
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
I think what you are wanting to do is provided by an iptables friend called 'ipset'. I used to have it here for a while, but at each new kernel update they (the kernel devs) seemed to break something, and I got sick and tired of patching it and my patch-o-matic iptables extensions all the time to keep it working when I didn't use it that much. So I let it go. Maybe it's still around and buildable, depending on what kernel version you have going. I see the -m match for it is still in the iptables man page:

Quote:
set
This module matches IP sets which can be defined by ipset(8).
but I can't say if it fully works now or will meet your needs. The URL for it escapes me ATM, but it's on the Netfilter ftp server (where the iptables source is). Maybe ftp://ftp.netfilter.org/ ?
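The approach jayjwa describes, as an added example that is not part of the thread or of the ipset project: a small POSIX shell script that keeps the original poster's three-address blocklist in one place and produces either a single ipset-backed rule (when the ipset tool is present) or the plain one-rule-per-address expansion from the first post. The set name "badguys", the DRY_RUN and USE_IPSET switches, and the three addresses are constructed for illustration; <my_webserver_ip> is a placeholder as in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Blocks a short static list of
# source addresses towards the web server. Uses ipset when installed and
# otherwise falls back to one iptables rule per address.
# Constructed assumptions: set name "badguys", chain INPUT, the addresses
# in BLOCKLIST; WEBSERVER_IP is a placeholder until the caller sets it.

WEBSERVER_IP="${WEBSERVER_IP:-<my_webserver_ip>}"
SET_NAME="badguys"
# Constructed sample blocklist, one address or CIDR prefix per line.
BLOCKLIST="1.1.1.1
2.2.2.2
3.3.3.3"

# With DRY_RUN=1 (the default here) the commands are printed rather than
# executed, so the generated rules can be reviewed before they touch the
# running firewall. Set DRY_RUN=0 to apply them (needs root).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipset variant: one set and one rule; addresses are added to or removed
# from the set without rewriting the rule set. -exist makes re-runs idempotent.
rules_with_ipset() {
    run ipset -exist create "$SET_NAME" hash:net
    printf '%s\n' "$BLOCKLIST" | while read -r addr; do
        [ -n "$addr" ] && run ipset -exist add "$SET_NAME" "$addr"
    done
    run iptables -A INPUT -p tcp -d "$WEBSERVER_IP" --dport 80 \
        -m set --match-set "$SET_NAME" src -j DROP
}

# Fallback variant: expand the list into one rule per address, which is
# exactly what the first post writes out by hand.
rules_without_ipset() {
    printf '%s\n' "$BLOCKLIST" | while read -r addr; do
        [ -n "$addr" ] && run iptables -A INPUT -p tcp -d "$WEBSERVER_IP" \
            --dport 80 -s "$addr" -j DROP
    done
}

# USE_IPSET=auto (default) picks ipset if the binary is on PATH;
# USE_IPSET=1 or 0 forces one variant.
build_rules() {
    if [ "${USE_IPSET:-auto}" = "auto" ]; then
        if command -v ipset >/dev/null 2>&1; then USE_IPSET=1; else USE_IPSET=0; fi
    fi
    if [ "$USE_IPSET" = "1" ]; then rules_with_ipset; else rules_without_ipset; fi
}

build_rules
```

Running it with the defaults prints the three DROP rules (or the ipset commands plus one -m set rule) without changing anything; DRY_RUN=0 applies them. Keeping the list in a set rather than in the rules also keeps rule evaluation cheap as the list grows, which matters for the DoS concern raised later in the thread. Separately from ipset, later iptables releases accept a comma-separated list for -s (for example -s 1.1.1.1,2.2.2.2,3.3.3.3), but the front end simply expands that into one rule per address, so it is cosmetic rather than a real set match.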
 
Old 04-11-2010, 04:17 AM   #7
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 339
Blog Entries: 3

Original Poster
Rep: Reputation: 47
jayjwa, an interesting note, thanks.
So I think, it's better not to change anything because my problem is not serious. :-)
 
Old 04-11-2010, 05:17 AM   #8
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,901

Rep: Reputation: 775Reputation: 775Reputation: 775Reputation: 775Reputation: 775Reputation: 775Reputation: 775
Quote:
Originally Posted by Lexus45 View Post
I wonder if the firewall has some parameter, which can handle multiple IP-addresses in the rule.
Not, as far as I know, a firewall parameter...

Quote:
Code:
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 1.1.1.1 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 2.2.2.2 -j DROP
iptables -A INPUT -p tcp -d <my_webserver_ip> --dport 80 -s 3.3.3.3 -j DROP
^^ this doesn't look nice :-)
I'm with win32sux on this; if there was ever an area in which function has to take priority over pretty-looking code, this (security, generally) is it.

Having said that, it seems that modules like blockhosts, fail2ban, denyhosts, sshban could do what you say that you want. These are things that are aimed at working with dynamic IP lists, but there doesn't seem to be a reason that they cannot be used with a short, static list of bad guys. It would be more of an issue if there were hundreds of them, rather than three...

But you have to question whether this is a worthwhile objective - there is a little messy complexity, and you have succeeded in putting it somewhere other than in the basic iptables set of rules, which does keep iptables looking clean. But does it make things any more secure?

The difficulty with any of these measures is that if they don't work quickly, they can increase your susceptibility to DoS and more specifically DDoS attacks.

So would you want to clean up your iptables rules at the expense of increasing your susceptibility to a particular type of attack (if that is what it would do)? Well, I don't think, put like that, it would be a worthwhile objective.
 