LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 12-03-2014, 08:42 AM   #1
garett
LQ Newbie
 
Registered: Dec 2014
Posts: 7

Rep: Reputation: Disabled
iptables - how to block some IP-addresses


Hello everybody! :-) Looks like I need help with iptables... I have a task - should block some network resources for all users in office. So there is a network gateway (Linux based) and iptables script:
*filter
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.20:3390
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT

There are 2 networks: 192.168.1.0/24 (office machines) and 192.168.0.0/24 ("real world"). So there is NAT and 2 port redirections only on this gateway now. And policy is - ACCEPT (all the chains). So I need to drop a packets to some real IP, for example, 8.8.8.8 - what rule should I write? Please help :-)
 
Old 12-03-2014, 10:21 AM   #2
sudowtf
Member
 
Registered: Nov 2013
Posts: 206

Rep: Reputation: 46
a good solution for not understanding iptables, might be to use webmin to edit the iptables firewall. that's how i did it before (and still do sometimes). it will certainly help you get your head around the concept before actually editing the iptables config.

but to answer more directly, I beleive you would add for example:
Code:
-A INPUT -s 8.8.8.8 -j DROP
or for a specific NIC, example eth0:
Code:
-A INPUT -s 8.8.8.8 -i eth0 -j DROP
i'll attach a screenshot of the firewall section of webmin for adding a rule in case it helps.
Attached Thumbnails
Click image for larger version

Name:	2014-12-03_Selection_001.png
Views:	22
Size:	65.1 KB
ID:	17002  
 
Old 12-04-2014, 01:05 AM   #3
garett
LQ Newbie
 
Registered: Dec 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sudowtf View Post
a good solution for not understanding iptables, might be to use webmin to edit the iptables firewall. that's how i did it before (and still do sometimes). it will certainly help you get your head around the concept before actually editing the iptables config.

but to answer more directly, I beleive you would add for example:
Code:
-A INPUT -s 8.8.8.8 -j DROP
or for a specific NIC, example eth0:
Code:
-A INPUT -s 8.8.8.8 -i eth0 -j DROP
i'll attach a screenshot of the firewall section of webmin for adding a rule in case it helps.
Excuse me, in what section should I add this string? Should it look like:

*filter
-A INPUT -s 8.8.8.8 -i eth1 -j DROP
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.20:3390
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT

And why is INPUT, not OUTPUT? Cause I need to block outgoing traffic to IP 8.8.8.8...
 
Old 12-04-2014, 10:19 AM   #4
sudowtf
Member
 
Registered: Nov 2013
Posts: 206

Rep: Reputation: 46
okay then, since you want outgoing stopped, then it might be: (also, i'm not the know-it-all here, mind you)
Code:
-A OUTPUT -d 8.8.8.8 -j REJECT
note that it's now a destination (-d)

i added 9.9.9.9 to mine via webmin just to test and it looks like this: (with all my custom stuff removed)
Code:
$ sudo cat /etc/iptables.up.rules

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
COMMIT
:PREROUTING ACCEPT [13514:5085076]
:INPUT ACCEPT [13501:5076030]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12020:2730177]
:POSTROUTING ACCEPT [12085:2741160]
COMMIT
*nat
:PREROUTING ACCEPT [1133:318933]
:INPUT ACCEPT [97:7905]
:OUTPUT ACCEPT [735:48676]
:POSTROUTING ACCEPT [735:48676]
COMMIT
compare that to yours and you might have something. (and maybe some of the network guru's here might say something more correct)

good luck.
 
Old 12-09-2014, 09:11 AM   #5
garett
LQ Newbie
 
Registered: Dec 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
You know - if I add this string:
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
ssh is not responding now :-(
 
Old 12-09-2014, 09:21 AM   #6
sudowtf
Member
 
Registered: Nov 2013
Posts: 206

Rep: Reputation: 46
Quote:
Originally Posted by garett View Post
You know - if I add this string:
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
ssh is not responding now :-(
there's no reason you should add 9.9.9.9, that was my example.

also, no reason (that i know) that should have stopped ssh.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Can I use iptables to limit bandwidth to certain IP addresses and MAC addresses baronobeefdip Linux - Networking 2 01-07-2014 07:36 PM
[SOLVED] Trying to block all IP addresses except US and CA. Dafydd Programming 5 04-03-2013 01:03 PM
How to block the ip addresses using iptables onlymahendra7 Linux - Networking 5 05-27-2012 10:57 AM
Block ALL IP addresses only allow 3 IP addresses on port 80/443 yelluc Linux - Security 8 03-28-2012 04:20 AM
[SOLVED] ipTables rule to block a port for all internal IP Addresses except one pranaysharmadelhi Linux - Security 8 07-08-2009 07:57 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 02:48 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration