LinuxQuestions.org
Old 11-30-2005, 01:27 PM   #1
cashton2k
Member
 
Registered: May 2004
Posts: 46

iptables question


Hi, I need to block private IP addresses on class A and class B networks entering through the external interface on my firewall. Any suggestions on an iptables command?

cheers

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
 
Old 11-30-2005, 04:29 PM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Code:
# /sbin/iptables -A INPUT -p tcp -s 10.0.0.0/8 -i eth0 -j DROP
I'll let you figure out the CIDR notation for the second one...

How do you suppose traffic from private IPs will get routed to your external interface? Are you just trying to block spoofs?

In any event, it is generally wiser to disallow _everything_ by default then add rules to allow stuff, rather than the inverse...
 
Old 11-30-2005, 04:53 PM   #3
cashton2k
Member
 
Registered: May 2004
Posts: 46

Original Poster
Cheers for the help. Is it dangerous to disallow everything, as I'm using telnet to connect to the firewall?
 
Old 11-30-2005, 06:51 PM   #4
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

I just think that you should use SSH instead of telnet. It is more secure because the connection is encrypted.
 
Old 12-01-2005, 05:10 AM   #5
cashton2k
Member
 
Registered: May 2004
Posts: 46

Original Poster
So I should just block everything and allow only 192.168.0.0 to 192.168.255.255?

Switched to SSH now, cheers.
 
Old 12-01-2005, 05:23 AM   #6
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Do 192.168.0.0 to 192.168.255.25 need to access your box? Only allow what needs to be allowed...

Perhaps you should explain your setup in detail, as well as what other boxes/IPs need access to it, and someone can probably give you more useful answers. You seem to be confusing the difference between untrusted connections (i.e. those from the Internet) and trusted ones (i.e. those from your private LAN). Presumably you have two interfaces on the firewall. Each will need different rules, because they are two vastly different ingress points. Again, more detail on your setup, and your goals, would help here.

BTW, good on you for using ssh. Telnet is terribly insecure.
 
Old 12-01-2005, 05:26 AM   #7
cashton2k
Member
 
Registered: May 2004
Posts: 46

Original Poster
The firewall is to protect 2 machines on the 172.24.15.0 subnet; on the other side of the firewall are lots of 192.168.xxx.xxx networks.

Yeah, I use a 192.168.x.x machine to SSH in.

Last edited by cashton2k; 12-01-2005 at 05:38 AM.
 
Old 12-01-2005, 05:35 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Are you sure that you have your inside and outside IPs straight? Both the 10.x.x.x and 192.168.x.x IP addresses are private and should not be coming in from the outside. These ranges definitely should be blocked.
 
Old 12-01-2005, 08:43 AM   #9
cashton2k
Member
 
Registered: May 2004
Posts: 46

Original Poster
Yeah, it's right, because the external interface on the firewall is connected to a large network before it gets to the internet.
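Putting the advice from posts #2, #4 and #6 together, here is an added example (not code posted in the thread) of a default-deny INPUT chain for the setup described in #7: it drops the two ranges from post #1 when they arrive on the external interface, but admits SSH from the admin's 192.168.x.x network first so the rules cannot lock the admin out. The interface name eth0 and the management subnet 192.168.1.0/24 are assumptions; adjust them to the real box.

```shell
#!/bin/sh
# Added example, not code from the thread: a default-deny INPUT chain that
# drops the two RFC 1918 ranges the original poster listed when they arrive
# on the external interface, but admits SSH from the admin's LAN first.
# The interface name and management subnet below are assumptions.
EXT_IF="${EXT_IF:-eth0}"
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"   # assumed: where the ssh client sits
IPT="${IPT:-/sbin/iptables}"

# CIDR form of the ranges from post #1:
#   10.0.0.0   - 10.255.255.255  -> 10.0.0.0/8
#   172.16.0.0 - 172.31.255.255  -> 172.16.0.0/12 (16 consecutive /16s)
# 192.168.0.0/16 is deliberately NOT here: the poster's ssh client is on it.
BOGONS="10.0.0.0/8 172.16.0.0/12"

# Print the rules instead of running them, so they can be reviewed before
# the box's only remote access path is touched; 'apply' pipes them to sh.
gen_rules() {
    echo "$IPT -F INPUT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    # Replies to connections the box already accepted keep flowing.
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Management SSH before the bogon drops, so they cannot lock the admin out.
    echo "$IPT -A INPUT -i $EXT_IF -p tcp --dport 22 -s $MGMT_NET -m state --state NEW -j ACCEPT"
    for net in $BOGONS; do
        # No '-p tcp': spoofed UDP and ICMP from these sources are dropped too.
        echo "$IPT -A INPUT -i $EXT_IF -s $net -j DROP"
    done
    # Default deny goes last, after the ACCEPT rules are already in place.
    echo "$IPT -P INPUT DROP"
}

# Number of per-network DROP rules the generator emits (one per bogon range).
count_drop_rules() { gen_rules | grep -c -- '-j DROP$'; }

case "${1:-}" in
    apply) gen_rules | sh ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to review the rules, then `sh script.sh apply` as root from the management host; the same drop rules make no sense on the internal interface, where 172.24.15.0/24 is the legitimate source.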