iptables rules for blocking everyone but certain ranges?

nyheat · 07-02-2011, 03:50 PM

My intention is to redirect everyone by default, allow certain IP ranges and deny certain ranges:

Redirect everyone:

Code:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080

Accept range:

Code:

iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.100-111.222.333.200 -j ACCEPT

Block range:

Code:

iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.0-111.222.333.255 --dport 80 -j REDIRECT --to 8080

Will these rules work together?

win32sux · 07-02-2011, 04:18 PM

I get the first rule (transparent proxy), but I don't get the other two. Seems to me like you should be using the FORWARD chain to handle things like this. That third rule of yours won't ever be used, since the first one matches the same thing. As for the second rule, it's not needed since the policy for the PREROUTING chain is ACCEPT anyways.

nyheat · 07-02-2011, 04:20 PM

What about doing this instead?

First rule stays the same:

Code:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080

Second rule watches for incoming port 8080 and redirects back to 80:

Code:

iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.100-111.222.333.200 --dport 8080 -j REDIRECT -to 80

Third rule stays the same, will catch anything allowed by the second rule and change the port back to 8080:

Code:

iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.0-111.222.333.255 --dport 80 -j REDIRECT --to 8080

I'm basically looking for a way to say disallow all numbers, but allow 0 through 100 unless it falls between 40 and 60

win32sux · 07-02-2011, 04:24 PM

What exactly are you trying to accomplish?

EDIT: Nevermind, just saw your edit.

win32sux · 07-02-2011, 04:30 PM

Quote:

Originally Posted by nyheat

I'm basically looking for a way to say disallow all numbers, but allow 0 through 100 unless it falls between 40 and 60

What do you mean by disallow?

You mean filter the packets entirely? Or abstain from sending them to REDIRECT?

nyheat · 07-03-2011, 03:08 PM

Quote:

Originally Posted by win32sux

You mean filter the packets entirely? Or abstain from sending them to REDIRECT?

Redirect all by default to port 8080, but allow some to reach port 80 unless they fall into specific groups in which case they should go to port 8080.

Would those rules I posted in my previous reply work?

Linux networking/firewalling has always been my Achilles' heel

I can't seem to wrap my head around iptables and how it prioritizes things.

win32sux · 07-03-2011, 04:58 PM

Quote:

Originally Posted by nyheat

Redirect all by default to port 8080, but allow some to reach port 80 unless they fall into specific groups in which case they should go to port 8080.

I'd say the simplest way to approach this would be like (for example):

Code:

iptables -t nat -A PREROUTING -p TCP -i eth1 -m iprange --src-range 192.168.1.75-192.168.1.230 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth1 -m iprange --src-range 192.168.1.34-192.168.1.64 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 -j REDIRECT --to-ports 8080

In this example, relevant packets from all source IPs will be sent to REDIRECT, unless they are in the 192.168.1.75-230 or 192.168.1.34-64 range, in which case they are allowed to proceed untampered with.

BTW, notice that I specified the inbound interface, which is a good idea whenever possible.