Linux - Networking forum, LinuxQuestions.org
10-03-2013, 02:21 PM | #1
LQ Newbie | Registered: Aug 2013 | Location: Parsippany, NJ | Distribution: SUSE 11.0 SP2 & SP3 | Posts: 7
iptables blocking all ips except US & US Amazon. Can't log dropped IPs.
I'm looking for help logging dropped (non-US) IPs. If I place the log rule before the -P INPUT DROP, all IPs get logged. Can someone please advise?
```text
# (as posted) port 22 is accepted from any source before any address check runs
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# LOG is a non-terminating target: rule processing continues after it. Placed
# here, ahead of all the per-source ACCEPT rules, it matches every incoming packet.
-A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
-P INPUT DROP
-A INPUT -s 192.168.0.0/24 -j ACCEPT
# 172.16.1.30/24 has host bits set; iptables masks them and stores 172.16.1.0/24
-A INPUT -s 172.16.1.30/24 -j ACCEPT
# ... Accepting US IPs ...
-A INPUT -s 149.11.66.6/31 -j ACCEPT
-A INPUT -s 72.44.32.0/19 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Amazonaws IP Drop A:"
-A INPUT -s 67.202.0.0/18 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Amazonaws IP Drop A:"
# ... Logging Amazon Cloud ...
-A INPUT -s 54.233.0.0/18 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Amazonaws IP Drop A:"
-A INPUT -s 96.127.0.0/18 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Amazonaws IP Drop A:"
-A INPUT -s 72.44.32.0/19 -j DROP
-A INPUT -s 67.202.0.0/18 -j DROP
# ... Dropping Amazon Cloud ...
-A INPUT -s 174.129.0.0/16 -j DROP
-A INPUT -s 204.236.192.0/18 -j DROP
```
Thanks,
Jamie
10-05-2013, 03:00 AM | #2
Moderator | Registered: May 2001 | Posts: 29,415
A couple of problems with your post: you seem to miss common rules with respect to state and devices (loopback), your rules do not seem to have a logical order, and you're trying to -j DROP stuff even while you have a DROP ingress policy. That can be easily remedied by reading http://www.frozentux.net/documents/iptables-tutorial/. You also posted a seemingly incomplete rule set: best just run 'iptables-save' to get the right output. If you understand what you're doing you could change the filter table INPUT chain default policy to ACCEPT, then use -j LOG lines directly before -j DROPping traffic, and end the chain with a catch-all REJECT or DROP rule.
10-08-2013, 11:43 AM | #3
LQ Newbie (Original Poster) | Registered: Aug 2013 | Location: Parsippany, NJ | Distribution: SUSE 11.0 SP2 & SP3 | Posts: 7
Thanks for your advice. I am new to iptables and am still trying to understand it better. I thought making the INPUT policy DROP and accepting the USA would be easier than identifying all non-US country IPs, and would take less storage to load. The reason I logged and dropped Amazon AWS was because the IPs were in the US. Our Linux system is in between the Internet and our mainframe. It was getting hammered and I had to come up with a solution, which is working but needs to be set up properly. I will check out the link you provided.
10-08-2013, 01:18 PM | #4
Senior Member | Registered: Sep 2009 | Location: Raleigh, NC | Distribution: Ubuntu, PopOS, Raspbian | Posts: 1,899
To be clear, order in iptables matters. So if you have "ACCEPT" rules before your "BLOCK" rules, then the "ACCEPT" rules will skip over them. You must order them in the way in which you wish them to be addressed. That means if you accept certain IP blocks but wish to drop IP ranges which fall inside the accepted blocks, then you must put the DROP rules for the blocked range before the encompassing ACCEPT range.