LinuxQuestions.org
Old 07-02-2011, 03:50 PM   #1
nyheat
iptables rules for blocking everyone but certain ranges?


My intention is to redirect everyone by default, allow certain IP ranges and deny certain ranges:

Redirect everyone:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
Accept range:
Code:
iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.100-111.222.333.200 -j ACCEPT
Block range:
Code:
iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.0-111.222.333.255 --dport 80 -j REDIRECT --to 8080
Will these rules work together?

 
Old 07-02-2011, 04:18 PM   #2
win32sux
I get the first rule (transparent proxy), but I don't get the other two. Seems to me like you should be using the FORWARD chain to handle things like this. That third rule of yours won't ever be used, since the first one matches the same thing. As for the second rule, it's not needed since the policy for the PREROUTING chain is ACCEPT anyways.
 
Old 07-02-2011, 04:20 PM   #3
nyheat
What about doing this instead?


First rule stays the same:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
Second rule watches for incoming port 8080 and redirects back to 80:
Code:
iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.100-111.222.333.200 --dport 8080 -j REDIRECT --to 80
Third rule stays the same, will catch anything allowed by the second rule and change the port back to 8080:
Code:
iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.0-111.222.333.255 --dport 80 -j REDIRECT --to 8080

I'm basically looking for a way to say: disallow all numbers, but allow 0 through 100 unless it falls between 40 and 60.

 
Old 07-02-2011, 04:24 PM   #4
win32sux
What exactly are you trying to accomplish?

EDIT: Never mind, just saw your edit.
 
Old 07-02-2011, 04:30 PM   #5
win32sux
Quote:
Originally Posted by nyheat
I'm basically looking for a way to say: disallow all numbers, but allow 0 through 100 unless it falls between 40 and 60.
What do you mean by disallow?

You mean filter the packets entirely? Or abstain from sending them to REDIRECT?
 
Old 07-03-2011, 03:08 PM   #6
nyheat
Quote:
Originally Posted by win32sux
You mean filter the packets entirely? Or abstain from sending them to REDIRECT?
Redirect all by default to port 8080, but allow some to reach port 80 unless they fall into specific groups in which case they should go to port 8080.

Would those rules I posted in my previous reply work?

Linux networking/firewalling has always been my Achilles' heel; I can't seem to wrap my head around iptables and how it prioritizes things.
 
Old 07-03-2011, 04:58 PM   #7
win32sux
Quote:
Originally Posted by nyheat
Redirect all by default to port 8080, but allow some to reach port 80 unless they fall into specific groups in which case they should go to port 8080.
I'd say the simplest way to approach this would be like (for example):
Code:
iptables -t nat -A PREROUTING -p TCP -i eth1 -m iprange --src-range 192.168.1.75-192.168.1.230 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth1 -m iprange --src-range 192.168.1.34-192.168.1.64 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 -j REDIRECT --to-ports 8080
In this example, relevant packets from all source IPs will be sent to REDIRECT, unless they are in the 192.168.1.75-230 or 192.168.1.34-64 range, in which case they are allowed to proceed untampered with.

BTW, notice that I specified the inbound interface, which is a good idea whenever possible.

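The ordering point made in the last reply (the first rule in nat PREROUTING that matches a packet decides, so specific exemptions must come before the catch-all REDIRECT) can be checked offline with a small model of the chain. This is an added example, not code from the thread or from iptables itself: it simulates first-match traversal with the iprange and dport matches used above, using constructed 192.168.1.x addresses in place of the thread's placeholder ranges, and also covers nyheat's "allow a range except a sub-range" case. Only the first packet of a connection is evaluated in the nat table, so the model looks at one packet per connection.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    """One nat PREROUTING rule: optional -m iprange --src-range and --dport,
    plus a terminating target (ACCEPT or REDIRECT --to-ports)."""
    target: str
    src_range: Optional[Tuple[str, str]] = None   # inclusive first-last, like --src-range
    dport: Optional[int] = None                  # like --dport
    to_port: Optional[int] = None                # like REDIRECT --to-ports

    def matches(self, src: str, dport: int) -> bool:
        if self.dport is not None and dport != self.dport:
            return False
        if self.src_range is not None:
            lo, hi = (int(ipaddress.ip_address(a)) for a in self.src_range)
            if not lo <= int(ipaddress.ip_address(src)) <= hi:
                return False
        return True


def prerouting(chain, src: str, dport: int) -> int:
    """Walk the chain top to bottom; the first matching rule ends traversal.
    Returns the port the connection is delivered to (chain policy is ACCEPT)."""
    for rule in chain:
        if rule.matches(src, dport):
            return rule.to_port if rule.target == "REDIRECT" else dport
    return dport


# nyheat's first ordering: the catch-all REDIRECT is rule 1, so rules 2 and 3
# are never reached for port-80 traffic (constructed addresses).
ORIGINAL = [
    Rule("REDIRECT", dport=80, to_port=8080),
    Rule("ACCEPT", src_range=("192.168.1.100", "192.168.1.200")),
    Rule("REDIRECT", src_range=("192.168.1.0", "192.168.1.255"), dport=80, to_port=8080),
]

# Corrected ordering for "redirect everyone, exempt .100-.200, but not .140-.160":
# the most specific rule first, the catch-all last.
CORRECTED = [
    Rule("REDIRECT", src_range=("192.168.1.140", "192.168.1.160"), dport=80, to_port=8080),
    Rule("ACCEPT", src_range=("192.168.1.100", "192.168.1.200"), dport=80),
    Rule("REDIRECT", dport=80, to_port=8080),
]
```

Running `prerouting(ORIGINAL, "192.168.1.120", 80)` gives 8080 (the exemption never fires), while the same client against CORRECTED reaches port 80 and 192.168.1.150 is still sent to 8080.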