iptables question
Hi, I need to block private IP addresses on class A and class B networks entering through the external interface on my firewall. Any suggestions on an iptables command?
Cheers. 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255
Code:
# /sbin/iptables -A INPUT -p tcp -s 10.0.0.0/8 -i eth0 -j DROP

How do you suppose traffic from private IPs will get routed to your external interface? Are you just trying to block spoofs? In any event, it is generally wiser to disallow _everything_ by default, then add rules to allow stuff, rather than the inverse...
Cheers for the help. Is it dangerous to disallow everything, as I'm using telnet to connect to the firewall?
I just think that you should use SSH instead of telnet. It is more secure because the connection is encrypted.
So I should just block everything and allow 192.168.0.0 to 192.168.255.255?
Switched to SSH now, cheers.
Do 192.168.0.0 to 192.168.255.25 need to access your box? Only allow what needs to be allowed...
Perhaps you should explain your setup in detail, as well as what other boxes/IPs need access to it, and someone can probably give you more useful answers. You seem to be confusing the difference between untrusted connections (i.e. those from the Internet) and trusted ones (i.e. those from your private LAN). Presumably you have two interfaces on the firewall. Each will need different rules, because they are two vastly different ingress points. Again, more detail on your setup, and your goals, would help here. BTW, good on you for using SSH. Telnet is terribly insecure.
The firewall is to protect 2 machines on the 172.24.15.0 subnet; on the other side of the firewall are lots of 192.168.xxx.xxx networks.
Yeah, I use a 192.168.x.x machine to SSH in.
Are you sure that you have your inside and outside IPs straight? Both the 10.x.x.x and 192.168.x.x IP addresses are private and should not be coming in from the outside. These ranges definitely should be blocked.
Yeah, it's right, because the external interface on the firewall is connected to a large network before it gets to the internet.
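Putting the thread's advice together (default deny, anti-spoof drops bound to the external interface, SSH only from the admin network), here is an added example script that is not from any poster. It assumes eth0 is the external interface as in the earlier command, eth1 faces the protected 172.24.15.0/24 subnet, and the admin's SSH client sits in 192.168.0.0/16; by default it only prints the commands, and applies them when run as root with IPT=/sbin/iptables.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: prints the
# iptables commands. Run as root with IPT=/sbin/iptables to apply them.
IPT=${IPT:-"echo /sbin/iptables"}
EXT=eth0               # assumption: external interface, as in the OP's rule
INT=eth1               # assumption: interface facing the protected LAN
LAN=172.24.15.0/24     # protected subnet named in the thread
MGMT=192.168.0.0/16    # network the admin's SSH client lives in
# RFC 1918 ranges that must never appear as a *source* on the external side.
# 192.168.0.0/16 is deliberately absent: on this network it is the legitimate
# upstream, so dropping it here would lock the admin out of SSH.
SPOOF_NETS="10.0.0.0/8 172.16.0.0/12"

apply_rules() {
    $IPT -F
    $IPT -X
    # Default deny for inbound and forwarded traffic; allow only what follows.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections that were already allowed.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoof drops. No "-p tcp" here, so UDP and ICMP with a forged
    # source are dropped too. Binding to -i $EXT matters: the protected LAN
    # sits inside 172.16.0.0/12, so without -i this would drop our own hosts.
    for net in $SPOOF_NETS; do
        $IPT -A INPUT -i "$EXT" -s "$net" -j DROP
        $IPT -A FORWARD -i "$EXT" -s "$net" -j DROP
    done
    # Management: SSH only, only from the admin network, only new connections.
    $IPT -A INPUT -i "$EXT" -p tcp -s "$MGMT" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Let the protected hosts initiate outbound connections through the box.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -j ACCEPT
}

apply_rules
```

Review the printed rules first; apply them from a console session rather than over SSH, since a mistake in the SSH rule locks you out.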