Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hello all, I am having a problem with an iptables script. I hope someone can help me understand; here is the problem:
In my script I have this line:
iptables -A INPUT -s 192.168.0.0/16 -j DROP
which, after running the script, closes all connections to the server from 192.168.123.0/24. After commenting out this line I can connect to the server, so the question is, why is:
iptables -A INPUT -s 192.168.0.0/16 -j DROP blocking 192.168.123.0/24? I am running Debian 3.1 with a 2.6.8 kernel.
Thank you all.
Here is the script:
Code:
#!/bin/sh
# --- HOSTINGHACKS.NET/FIREWALL.SH ---
# IPTABLES FIREWALL SCRIPT FOR A
# WEBHOSTING SERVER.
# note: if you remove any variables here,
# make sure to remove them in the script body.
# The back-slash "\" may be used as the last
# character to continue the directive onto the next line.
# There must be no other characters or
# white space between the back-slash and
# the end of the line.
# --- flush the existing rules in the filter table before rebuilding them
iptables -F
# --- eth0
NET=192.168.123.3
# --- Development machines (allow SSH from these):
DEV_1=192.168.123.0/24
DEV_2=192.168.1.0/24
DEV_3=192.168.0.0/24
# --- DNS Secondaries (allow zone xfers to these):
ZONE_XFR_1=192.168.123.97
ZONE_XFR_2=192.168.1.97
ZONE_XFR_3=192.168.100.10
ZONE_XFR_4=192.168.0.165
# --- Time Servers --- (allow NTP queries to these):
TIME_SERVER=128.100.100.128
# --- Resolvers - (allow DNS queries to these):
DNS_1=206.13.28.12
DNS_2=206.13.31.12
# --- MX servers (allow email out to these):
MX_1=172.16.0.33
MX_2=172.16.10.0/24
MX_3=151.164.30.28
# --- A port for the control panel and webmail to run on:
CP_PORT=2081
WEBMAIL_PORT=1081
# --- load the ipconntrack module or ftp will fail
modprobe ip_conntrack_ftp
#---------------------------------------------------------------
# --- If a packet doesn't match the policy is to drop it
#---------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
#---------------------------------------------------------------
# --- Accept to the LOOPBACK
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# --- Bad Address tables ---
#---------------------------------------------------------------
###############################################################
# 192.168.0.0/255.255.0.0 is the same as 192.168.0.0/16: it matches
# every 192.168.x.x source, including $DEV_1 (192.168.123.0/24), and it
# is appended before the SSH ACCEPT rules below, so LAN packets are
# dropped here before those rules are ever reached.
###############################################################
iptables -A INPUT -s 192.168.0.0/255.255.0.0 -j DROP
###############################################################
iptables -A INPUT -s 10.0.0.0/255.0.0.0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -p ! udp -j DROP
#---------------------------------------------------------------
# FRAGMENTS can be overlapped, and the interpretation of
# fragments presents a potential security risk.
# A valid packet can also fragment if larger than allowed by some
# router along the path. Here we choose to log and deny all fragments.
#----------------------------------------------------------------
iptables -A INPUT -f -j LOG --log-level 7 --log-prefix "TCP FRAGMENT: "
iptables -A INPUT -f -j DROP
#-----------------------------------------------------------------
# --- STEALTH SCANS ---
# --- Many FIN,SYN,RST,PSH,ACK,URG combinations are obvious forgeries.
#--------------------------------------------------------------------------
# --- SYN,RST,ACK flags ---
# Any TCP packet which is not a part of an established connection falls into
# one of three categories: (1) connection handshake, (2) stray resend, or
# (3) invalid. See table below:
#
#  SYN RST ACK   What it means     Action
#  ===========   =============     =======
#   0   0   0    invalid           logdrop
#   0   0   1    stray resend(?)   ok      = --tcp-flags SYN,RST,ACK ACK
#   0   1   0    stray resend      DROP    = --tcp-flags SYN,RST,ACK RST
#   0   1   1    stray resend      DROP
#   1   0   0    conn attempt      ok
#   1   0   1    conn response     ok
#   1   1   0    invalid           logdrop
#   1   1   1    invalid           logdrop
#
# some examples of valid traffic:
#  --tcp-flags SYN,RST,ACK ACK -> ssh communication in and out.
#  --tcp-flags SYN,RST RST     -> mail servers closing a connection
#  --tcp-flags SYN,RST,ACK SYN -> browser connect to http service
#--------------------------------------------------------------------------
# --- LOG and DROP bad SYN,RST,ACK combos with prejudice:
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS1 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS2 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS3 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS4 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#--------------------------------------------------------------------------
# --- More bad FIN,SYN,RST,PSH,ACK,URG combos:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS5 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS6 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS7 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS8 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS9 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS10 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS11 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS12 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS13 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG \
--log-level 7 --log-prefix "BAD-FLAGS14 : " --log-tcp-options --log-tcp-sequence \
--log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG \
--log-level 7 --log-prefix "BAD-FLAGS15 : " --log-tcp-options --log-tcp-sequence \
--log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG \
--log-level 7 --log-prefix "BAD-FLAGS16 : " --log-tcp-options --log-tcp-sequence \
--log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-level 7 --log-prefix "BAD-FLAGS17 : " --log-tcp-options --log-tcp-sequence \
--log-ip-options
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#---------------------------------------------------------------
# --- Suspicious IP addresses - monitor and/or drop
#---------------------------------------------------------------
# --- this guy hits me with ACK,RST every 20 minutes or so
iptables -A INPUT -p tcp -s 64.164.160.154 -d $NET -j LOG --log-level 7 \
--log-prefix "WATCH! :"
iptables -A OUTPUT -p tcp -s $NET -d 64.164.160.154 -j LOG --log-level 7 \
--log-prefix "WATCH! :"
iptables -A INPUT -p tcp -s 64.164.160.154 -d $NET -j DROP
#----------------------------------------------------------------
# Allow HTTP
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j LOG --log-level 7 \
--log-prefix "PORT-80-PROBLEM: "
#----------------------------------------------------------------
# Allow HTTPS
#---------------------------------------------------------------
#iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --dport 443 -j LOG --log-level 7 \
#--log-prefix "PORT-443-PROBLEM : "
#----------------------------------------------------------------
# Allow SMTP
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j LOG --log-level 7 --log-prefix "PORT-25-PROBLEM : "
#-----------------------------------------------------------------
# UDP in to DNS(53) ok
# TCP packets to/from Secondaries ok (needed for zone xfers)
#-----------------------------------------------------------------
iptables -A INPUT -p udp -s 0/0 -d $NET --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -s $NET -d 0/0 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_1 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_2 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_3 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_4 -d $NET --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_1 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_2 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_3 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_4 --dport 1023:65535 -j ACCEPT
#****************************************************************************
#----------------------------------------------------------------
# --- Allow Outbound Connections
# --- *** SECURITY RISKS ***
#---------------------------------------------------------------
#---------------------------------------
# --- allow DNS queries to anywhere in the world:
# ---------------------------------------
iptables -A OUTPUT -p udp -s $NET -d $DNS_1 --sport 1024:65535 --dport 53 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -s $NET -d $DNS_2 --sport 1024:65535 --dport 53 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state \
# --state NEW,ESTABLISHED -j LOG --log-level 7 --log-prefix "OTHER-DNS : "
iptables -A OUTPUT -p udp -s $NET -d 0/0 --sport 1024:65535 --dport 53 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
### iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state \
### --state ESTABLISHED,RELATED -j LOG --log-level 7 --log-prefix "_DNS-IN_ : "
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#-------------------------------------------
# --- allow NTP packets to query specified public time servers:
#-------------------------------------------
iptables -A OUTPUT -p udp -s $NET -d $TIME_SERVER --sport 123 --dport 123 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -s $NET -d $TIME_SERVER \
-m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 7 \
--log-prefix "_TIME-OUT_ : "
iptables -A INPUT -p udp -s $TIME_SERVER -d $NET --sport 123 --dport 123 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s $TIME_SERVER -d $NET \
-m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 7 \
--log-prefix "_TIME-IN_ : "
#-------------------------------------------
# --- allow SMTP packets out to specified MX servers:
#-------------------------------------------
iptables -A OUTPUT -p tcp -s $NET -d $MX_1 --sport 1024:65535 --dport 25 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $MX_1 -d $NET --sport 25 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $MX_2 --sport 1024:65535 --dport 25 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $MX_2 -d $NET --sport 25 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $MX_3 --sport 1024:65535 --dport 25 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $MX_3 -d $NET --sport 25 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#-------------------------------------------
# --- Other outbound connections - log and allow
#-------------------------------------------
iptables -A OUTPUT -m state --state NEW -j LOG \
--log-level 7 --log-prefix "OUTBOUND-CONNECT : " --log-tcp-options --log-ip-options
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
### iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################################
# --- I don't host websites outside of the United States
# --- so there is no reason for 'GEO-REMOTE IP-addresses'
# --- to connect to ftp, ssh or the control panel from anywhere
# --- but North America.
#####################################################################
#
# start dropping remote geographic ip's - but first log them.
#iptables -A INPUT -s 61.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 202.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 203.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 210.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 211.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 218.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 219.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 220.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#
iptables -A INPUT -s 61.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 202.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 203.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 210.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 211.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 219.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 220.0.0.0/8 -d 0/0 -j DROP
#----------------------------------------------------------------
# POP & Secure-POP (110, 995)
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j LOG --log-level 7 \
--log-prefix "PORT-110-PROBLEM : "
iptables -A INPUT -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j LOG --log-level 7 \
--log-prefix "PORT-995-PROBLEM : "
#---------------------------------------------------------------
# --- SSH - log + allow (from specific networks only)
# --- A dialup can usually be limited to /16 subnet
#---------------------------------------------------------------
iptables -A INPUT -p tcp --syn --dport 22 -j LOG --log-prefix "SSH SYN "
iptables -A INPUT -p tcp -s $DEV_1 -d 0/0 --dport 22 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $DEV_2 -d 0/0 --dport 22 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $DEV_3 -d 0/0 --dport 22 -m state \
--state NEW,ESTABLISHED -j ACCEPT
#---------------------------------------------------------------
# --- FTP --- make sure that the ip_conntrack_ftp module is loaded
#---------------------------------------------------------------
#
# --------------INITIAL CONNECT-------------------
#
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 \
-m state --state NEW,ESTABLISHED -j ACCEPT
# --------------PASSIVE IN --------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
# ----------------PASV OUT--------------------
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#------------------ACTIVE------------------------------
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# --- Accept connections to the WEBCP control panel ---
#---------------------------------------------------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport $CP_PORT \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport $CP_PORT --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------------------------------
# Allow WebMail
#---------------------------------------------------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport $WEBMAIL_PORT \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport $WEBMAIL_PORT --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# --- ICMP response - The RFCs say to allow ICMP responses
# --- So be prepared to break the rules if you go into stealth mode
#---------------------------------------------------------------
iptables -A INPUT -p icmp -s $DEV_1 -d $NET -j ACCEPT
#---------------------------------------------------------------
# --- Allow the server to ping out to the world
#---------------------------------------------------------------
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
#---------------------------------------------------------------
# --- Drop all other ICMP
#---------------------------------------------------------------
iptables -A INPUT -p icmp -s 0/0 -d $NET -j DROP
#----------------------------------------------------------------
# --- Allow inbound packets if established (wget, lynx, etc.)
#---------------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# reject every other SYN - (Redundant but no harm done)
#---------------------------------------------------------------
#iptables -A INPUT -p tcp --syn -j DROP
Not an IP netmask expert by any means, but dropping 192.168.0.0/16 in this case means all IP addresses 192.168.xxx.xxx, and 192.168.123.0/24 is in the range of addresses 192.168.xxx.xxx.
The netmask starts at the most significant bit.
11000000.10101000.00000000.00000000 (192.168.0.0)
11111111.11111111.00000000.00000000 (/16)
11111111.11111111.11111111.00000000 (/24)
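To make the two points of this thread concrete (first-match-wins ordering in the INPUT chain, and the /16 prefix containing the /24), here is an added example that is not part of either post: a small Python model of the relevant subset of the poster's INPUT rules, evaluated against a constructed SSH packet from the 192.168.123.0/24 LAN, plus the prefix comparison done with the masks from the reply. The rule list, the 192.168.123.50 source address and the function names are assumptions for the illustration.

```python
"""Added example: model why '-s 192.168.0.0/16 -j DROP' swallows SSH from
192.168.123.0/24 before the DEV_1 ACCEPT rule is reached."""
import ipaddress

# Subset of the script's INPUT rules, in the order it appends them
# (assumed simplification: only rules relevant to a LAN SSH packet).
# Each entry is (source network, destination port or None for any, target).
INPUT_CHAIN = [
    ("192.168.0.0/16", None, "DROP"),     # the "bad address" rule in question
    ("10.0.0.0/8", None, "DROP"),
    ("172.16.0.0/12", None, "DROP"),
    ("0.0.0.0/0", 80, "ACCEPT"),          # Allow HTTP
    ("192.168.123.0/24", 22, "ACCEPT"),   # SSH from $DEV_1
    ("192.168.1.0/24", 22, "ACCEPT"),     # SSH from $DEV_2
    ("192.168.0.0/24", 22, "ACCEPT"),     # SSH from $DEV_3
]
POLICY = "DROP"   # iptables --policy INPUT DROP


def evaluate(chain, src, dport):
    """Walk the chain like iptables does: the first rule whose source
    network and port match decides. Returns (target, rule index), or
    (POLICY, None) when no rule matches."""
    addr = ipaddress.ip_address(src)
    for idx, (net, port, target) in enumerate(chain):
        if addr in ipaddress.ip_network(net) and port in (None, dport):
            return target, idx
    return POLICY, None


def prefix_contains(outer, inner):
    """True when every address of `inner` lies inside `outer`: the inner
    prefix must be at least as long, and the two network addresses must
    agree on all bits covered by the outer netmask (the /16 mask from the
    reply is 11111111.11111111.00000000.00000000)."""
    o = ipaddress.ip_network(outer)
    i = ipaddress.ip_network(inner)
    if i.prefixlen < o.prefixlen:
        return False
    mask = int(o.netmask)
    return int(o.network_address) & mask == int(i.network_address) & mask


def without_lan_drop(chain):
    """The chain with the /16 DROP removed, i.e. what commenting it out does."""
    return [rule for rule in chain if rule[0] != "192.168.0.0/16"]


if __name__ == "__main__":
    pkt = ("192.168.123.50", 22)   # constructed: SSH from a DEV_1 host
    print(evaluate(INPUT_CHAIN, *pkt))                # ('DROP', 0)
    print(evaluate(without_lan_drop(INPUT_CHAIN), *pkt))  # ('ACCEPT', 3)
    print(prefix_contains("192.168.0.0/16", "192.168.123.0/24"))  # True
```

Reordering (the ACCEPT for $DEV_1 before the /16 DROP) or narrowing the DROP would change the result just as removing it does; the model only shows which rule wins, not what the script should allow.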