LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 11-19-2015, 10:07 AM   #1
lol_lee_lol
LQ Newbie
 
Registered: Nov 2015
Posts: 3

Rep: Reputation: Disabled
blocking ports of specified IP with iptables


Hello,
I recently installed OpenWRT on my router and it's pretty much linux with the firewall and all. I went to configure it and I wanted to create a rule to block some IP address from accessing multiple ports (from 81 to 65535 with the exception of 123 (NTP), 443 and 8080). I seem to have figured out that the best way would be iptables so here's the line I (and my search through multiple forums) came up with:

Code:
iptables -A INPUT -m iprange --src-range 192.168.1.3-192.168.1.255 -i eth1 -m state --state NEW,ESTABLISHED -p tcp -m multiport --dports 81:122,124:442,444:8079,8081:65535 -j DROP
It pretty much looks like a mess to me so I'm really unsure if it will work and I don't want to block myself from accessing the router to change it if it doesn't work (note: router ip: 192.168.1.1, my ip: 192.168.1.2/24)

The idea is to only allow http(s) (in case that wasn't clear)

I'm not sure if I should put "-A" or "-I" since I don't really understand the difference.
Should I allow 192.168.1.255 since it's the broadcast?
Does INPUT mean it will only block incoming access?
If this works, I will pretty much do the same afterward for udp unless there is a way to do it in one line.

A huge thank you in advance to anyone for helping. (Also I don't know if I'm in the right section but since I'm a noob in Linux, newbie section sounded the best for me)
 
Old 11-19-2015, 10:36 AM   #2
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora, Alpine, Cirros, OpenSuse/SLES
Posts: 3,464

Rep: Reputation: 915
What stands out to me is ESTABLISHED. I don't know if it has a practical effect on a router, but it means packets that belong to a connection initiated by the router. Do you want to block that?

Yes, INPUT is what its name suggests.

-A appends at the end of the chain, -I at the beginning or any position (integer value after the I).
 
Old 11-19-2015, 11:00 AM   #3
lol_lee_lol
LQ Newbie
 
Registered: Nov 2015
Posts: 3

Original Poster
Rep: Reputation: Disabled
Oh, I thought ESTABLISHED was for the already existing connections. Well, in that case I will remove it.
If INPUT does only one way, if I remove the word and don't replace it with anything will it block both ways or will it just fail to do anything?
Also for the -A -I param, I read that, but it doesn't really speak to me. What will it change if the rule is at the beginning or the end of a chain? (also what chain?)
 
Old 11-19-2015, 05:53 PM   #4
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora, Alpine, Cirros, OpenSuse/SLES
Posts: 3,464

Rep: Reputation: 915
Quote:
Originally Posted by lol_lee_lol View Post
Oh, I thought ESTABLISHED was for the already existing connections. Well, in that case I will remove it.
If INPUT does only one way, if I remove the word and don't replace it with anything will it block both ways or will it just fail to do anything?
I don't think I understand what you mean by "one way". You mean incoming packets only? Yes, only incoming packets enter the INPUT chain.
If you remove which word, "ESTABLISHED"? It will only mean that packets from established connections won't match the rule's condition.
"fail to do anything" - yes, in the sense that an incoming packet from an established connection won't match the rule and therefore the rule's action won't be carried out.

Quote:
Originally Posted by lol_lee_lol View Post
Also for the -A -I param, I read that, but it doesn't really speak to me. What will it change if the rule is at the beginning or the end of a chain? (also what chain?)
The chain is INPUT.

A packet enters the chain at the beginning. It is matched against the conditions of the first rule. If they match, the corresponding action, such as DROP or ACCEPT, is carried out. Most actions will also end processing, that is, further rules are not applied. Thus the position of the rule in the chain is significant.

The "-I" option will ensure the new rule will be applied first. Until you run another iptables -I, of course.
With the "-A" option, the rule might not be applied at all, and if it is applied, it will be the last one. Until you run another iptables -A, of course.

Last edited by berndbausch; 11-19-2015 at 05:55 PM. Reason: formatting
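To make berndbausch's two points concrete (ESTABLISHED in post #2, -A versus -I in post #4), here is an added Python model of first-match chain traversal; it is not code from the thread. It uses the thread's source range and port exceptions, and assumes (constructed for the example) that a broad ACCEPT rule for the LAN is already present in INPUT before the OP's DROP rule is added.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address

# A packet as the INPUT chain sees it; state is what -m state would report.
Packet = namedtuple("Packet", "src dport proto state", defaults=("tcp", "NEW"))

@dataclass
class Rule:
    target: str                                 # -j DROP / ACCEPT
    src_range: tuple = None                     # -m iprange --src-range lo-hi
    proto: str = None                           # -p tcp
    dports: list = field(default_factory=list)  # -m multiport --dports, (lo, hi) pairs
    states: frozenset = frozenset()             # -m state --state NEW,ESTABLISHED

    def matches(self, p):
        lo, hi = self.src_range or (p.src, p.src)
        if not ip_address(lo) <= ip_address(p.src) <= ip_address(hi):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dports and not any(a <= p.dport <= b for a, b in self.dports):
            return False
        return not self.states or p.state in self.states

class Chain:
    """One chain (here INPUT) with a default policy; the first matching rule decides."""
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def append(self, rule):         # iptables -A: rule goes to the end
        self.rules.append(rule)

    def insert(self, rule, pos=1):  # iptables -I [pos]: defaults to the top
        self.rules.insert(pos - 1, rule)

    def verdict(self, p):
        for r in self.rules:
            if r.matches(p):
                return r.target     # DROP and ACCEPT both end traversal here
        return self.policy

LAN = ("192.168.1.3", "192.168.1.255")
BLOCKED = [(81, 122), (124, 442), (444, 8079), (8081, 65535)]  # 81-65535 minus 123/443/8080

def input_chain(use_insert, states=("NEW", "ESTABLISHED")):
    """INPUT with a broad LAN ACCEPT already present (assumed), then the OP's DROP rule."""
    c = Chain()
    c.append(Rule("ACCEPT", LAN, "tcp"))
    (c.insert if use_insert else c.append)(Rule("DROP", LAN, "tcp", BLOCKED, frozenset(states)))
    return c
```

With -A the DROP rule sits behind the existing ACCEPT and is never reached; with -I it is evaluated first, and with ESTABLISHED in its state list it also drops packets of connections that already exist, while 123, 443, 8080 and the OP's own 192.168.1.2 pass either way.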
 
Old 11-19-2015, 08:01 PM   #5
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,298

Rep: Reputation: 1957
Only packets destined for the router itself will pass through the router's INPUT chain. Forwarded packets go through the FORWARD chain.

Similarly, only packets that originate on the router itself will pass through the router's OUTPUT chain.

I recommend that you download Oskar Andreasson's excellent Iptables Tutorial and at least look at Chapter 6, "Traversing of tables and chains."
 
Old 11-19-2015, 08:06 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 19,217

Rep: Reputation: 2926
FWBuilder may or may not help you build a good iptables, but you might peek at it. http://www.fwbuilder.org/4.0/docs/us.../openwrt.shtml
 
Old 11-19-2015, 08:16 PM   #7
lol_lee_lol
LQ Newbie
 
Registered: Nov 2015
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by berndbausch View Post
The "-I" option will ensure the new rule will be applied first. Until you run another iptables -I, of course.
With the "-A" option, the rule might not be applied at all, and if it is applied, it will be the last one. Until you run another iptables -A, of course.
Oh. Well now it's clearer. I didn't realize the other matters. I thought it was pretty much "go through all of it to be sure it passes everything but stop once you see something that blocks you". Clearly I was wrong.

Quote:
Originally Posted by rknichols View Post
I recommend that you download Oskar Andreasson's excellent Iptables Tutorial and at least look at Chapter 6, "Traversing of tables and chains."
Oh sweet! I will read that tonight, it will really... oh... Damn, Iptables is a lot stronger than I realized considering this is 459 pages (or 421 of material). Thanks a lot, I will try to go through it all but for now I will concentrate on Chapter 6

Quote:
Originally Posted by jefro View Post
FWBuilder may or may not help you build a good iptables, but you might peek at it. http://www.fwbuilder.org/4.0/docs/us.../openwrt.shtml
I will try to go through that too. It can't do any harm and might help me understand some stuff

A huge thank you to everyone
 