LinuxQuestions.org - Linux - Security
iptables rules for blocking everyone but certain ranges? (http://www.linuxquestions.org/questions/linux-security-4/iptables-rules-for-blocking-everyone-but-certain-ranges-889581/)

nyheat 07-02-2011 03:50 PM

iptables rules for blocking everyone but certain ranges?
 
My intention is to redirect everyone by default, allow certain IP ranges and deny certain ranges:

Redirect everyone:
Code:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
Accept range:
Code:

iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.100-111.222.333.200 -j ACCEPT
Block range:
Code:

iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.0-111.222.333.255 --dport 80 -j REDIRECT --to 8080
Will these rules work together?

win32sux 07-02-2011 04:18 PM

I get the first rule (transparent proxy), but I don't get the other two. Seems to me like you should be using the FORWARD chain to handle things like this. That third rule of yours won't ever be used, since the first one matches the same thing. As for the second rule, it's not needed since the policy for the PREROUTING chain is ACCEPT anyways.

nyheat 07-02-2011 04:20 PM

What about doing this instead?


First rule stays the same:
Code:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
Second rule watches for incoming port 8080 and redirects back to 80:
Code:

iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.100-111.222.333.200 --dport 8080 -j REDIRECT --to 80
Third rule stays the same, will catch anything allowed by the second rule and change the port back to 8080:
Code:

iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.0-111.222.333.255 --dport 80 -j REDIRECT --to 8080

I'm basically looking for a way to say disallow all numbers, but allow 0 through 100 unless it falls between 40 and 60.

win32sux 07-02-2011 04:24 PM

What exactly are you trying to accomplish?

EDIT: Never mind, just saw your edit.

win32sux 07-02-2011 04:30 PM

Quote:

Originally Posted by nyheat (Post 4402817)
I'm basically looking for a way to say disallow all numbers, but allow 0 through 100 unless it falls between 40 and 60

What do you mean by disallow?

You mean filter the packets entirely? Or abstain from sending them to REDIRECT?

nyheat 07-03-2011 03:08 PM

Quote:

Originally Posted by win32sux (Post 4402826)
You mean filter the packets entirely? Or abstain from sending them to REDIRECT?

Redirect all by default to port 8080, but allow some to reach port 80 unless they fall into specific groups in which case they should go to port 8080.

Would those rules I posted in my previous reply work?

Linux networking/firewalling has always been my Achilles' heel :( I can't seem to wrap my head around iptables and how it prioritizes things.

win32sux 07-03-2011 04:58 PM

Quote:

Originally Posted by nyheat (Post 4403628)
Redirect all by default to port 8080, but allow some to reach port 80 unless they fall into specific groups in which case they should go to port 8080.

I'd say the simplest way to approach this would be like (for example):
Code:

iptables -t nat -A PREROUTING -p TCP -i eth1 -m iprange --src-range 192.168.1.75-192.168.1.230 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth1 -m iprange --src-range 192.168.1.34-192.168.1.64 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 -j REDIRECT --to-ports 8080

In this example, relevant packets from all source IPs will be sent to REDIRECT, unless they are in the 192.168.1.75-230 or 192.168.1.34-64 range, in which case they are allowed to proceed untampered with.

BTW, notice that I specified the inbound interface, which is a good idea whenever possible.
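The ordering win32sux describes (specific ACCEPT rules first, catch-all REDIRECT last) also covers the "allow 0 through 100 unless it falls between 40 and 60" case nyheat asked about: put the exception sub-range's REDIRECT before the broader ACCEPT. This is an added example, not code from either poster; the interface, ranges and proxy port are assumed values, and DRY_RUN=1 prints the commands instead of applying them (applying needs root).

```shell
#!/bin/sh
# Added example: build the nat/PREROUTING ruleset in first-match order for
# "redirect everyone to 8080, allow one source range through to port 80,
# except for a sub-range inside it that must still be redirected".
# The interface, ranges and proxy port below are assumed values.
IFACE=${IFACE:-eth1}
ALLOW_RANGE=${ALLOW_RANGE:-192.168.1.100-192.168.1.200}   # "allow 100 through 200"
EXCEPT_RANGE=${EXCEPT_RANGE:-192.168.1.140-192.168.1.160} # "unless it is in 140-160"
PROXY_PORT=${PROXY_PORT:-8080}

ipt() {
    # With DRY_RUN set, print the command; otherwise apply it (needs root).
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # The chain stops at the first matching rule, so the most specific
    # exception goes first, the broad allow second, the catch-all last.
    # 1. Sub-range that must NOT bypass the proxy: redirect it explicitly.
    ipt -t nat -A PREROUTING -p tcp -i "$IFACE" -m iprange --src-range "$EXCEPT_RANGE" \
        --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    # 2. Remaining hosts of the allowed range reach port 80 untouched.
    ipt -t nat -A PREROUTING -p tcp -i "$IFACE" -m iprange --src-range "$ALLOW_RANGE" \
        --dport 80 -j ACCEPT
    # 3. Everyone else is sent to the transparent proxy.
    ipt -t nat -A PREROUTING -p tcp -i "$IFACE" --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# "plan" (the default) only prints the commands; "apply" installs them.
case "${1:-plan}" in
    apply) build_rules ;;
    plan)  DRY_RUN=1 build_rules ;;
esac
```

After applying, `iptables -t nat -S PREROUTING` lists the chain in the order the kernel will evaluate it, which is the quickest way to confirm the exception rule really sits above the ACCEPT.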