
fedora_user 03-17-2010 09:15 AM

blocking traffic using iptables -easy hopefully :)
I used the Angry IP scan software and found a lot of the public IP addresses on our network are accessible from outside when they are not supposed to be, e.g. printers, PCs etc. To make a start on locking down the network, I was wondering if anybody knew the iptables command to add a rule which blocks all incoming traffic to specific IP addresses on the network and to a range of IP addresses.

really appreciate this :)

smoker 03-17-2010 09:33 AM

Public IP addresses are supposed to be accessible. Why have your printers got public IP addresses?
Don't you have a router ?

fedora_user 03-17-2010 09:57 AM

thanks smoker
Yes, but way upstream. There's a switch, but further upstream as well; no control over any of this. We're looking into bringing in a firewall appliance, not sure when that will happen though. So for the time being I'm trying to block access to these addresses via any other means. As we have Linux servers dealing with DNS, dhcpd etc. on our network, I'm trying to set up iptables.

theNbomr 03-17-2010 11:17 AM

In order for you to assemble useful rules, you have to identify the likes of source & destination IPs, IP ports & protocols, and something about the topology of the network and the nature of the hosts which are attached to the network. It sounds like you have some hosts on a LAN which is otherwise unprotected. If so, then the smartest thing would be to insert a firewall between the LAN and the rest of the world. This allows you to consolidate the rule set onto one host, and relieves you from maintaining multiple hosts' rules. It also allows you to protect hosts which may not be well equipped with local firewalling capability.
You can implement rules on specific hosts to regulate traffic to & from those hosts. In either case, there are two general strategies. One strategy is to block all traffic, and then open up access for specific ports, IPs and other identifiable parameters. The other strategy is to open everything, and then block specific traffic. The nature of your servers and the nature of your usage patterns will dictate which is best for you. You must do your own analysis of this.
Composing a set of iptables rules that is thorough and correct is not a task for someone not well acquainted with networking. I strongly recommend using some package or tool that can generate a cohesive set of rules correctly, and that can be maintained and trusted. There are GUI tools for this, as well as canned packages that can be installed and customized to your specifications. Many of these can be found with online searches.
Typically, the implementation of firewalls is done with shell scripts that combine a coordinated collection of iptables rules. The firewall is started, stopped and restarted as a service much like any other service on a host. The shell script(s) get created either by you manually, as a pre-packaged collection with some recipe for customization, or by some GUI tool. Tools that create iptables rulesets are often geared toward one or the other of two configurations: for individual workstations & servers, or for a dedicated firewalling host, commonly equipped with multiple network interfaces, and configured to route traffic between networks such as LAN & WAN. Getting the right style of package for your scenario is, of course, important.

--- rod.

fedora_user 03-17-2010 12:05 PM

Thanks Rod for the lengthy reply. I understand where you're coming from. We do intend to buy a dedicated firewall; we were looking at Check Point as a possible solution. The only issue is that it may be some time before we get our hands on one, hence I was seeking advice related to iptables to deal with this issue in the meantime. I have edited iptables before. If I can be provided with a rule which deals with a range of IPs, at least I can start from somewhere. I don't have the GUI installed on the servers so not sure if I can still use them as you recommended below...

smoker 03-17-2010 12:16 PM

You don't want a range of ips, you want the specific port opened on a specific machine. You have to put rules on all the machines if you don't have a central firewall. Each machine should have all ports blocked except the specific port that that machine needs.
i.e. the FTP machine has port 21 opened, the web server machine has port 80 opened, the DNS server machine has port 53 opened. I still don't understand how your printers have public IP addresses.
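As an added example that is not part of the thread: a dry-run shell script in the per-host, default-deny style smoker describes (the first of rod's two strategies above), opening only the ports the machine actually serves. The `print_rule` stand-in, the `PROTO:PORT` argument format, the conntrack and rate-limited LOG rules and the "apply the DROP policy last" ordering are choices made for this example, not something posted in the thread.

```sh
#!/bin/sh
# Added example, not code from the thread: a default-deny host ruleset in the
# per-host style smoker describes (block everything, open only what this
# machine serves). Arguments are PROTO:PORT, e.g. "tcp:22 tcp:80 udp:53".
# IPT defaults to a printer so the rules are shown, not applied; run as root
# with IPT=/sbin/iptables to apply them. The log prefix, the limit rate and
# the argument format are assumptions made for this example.

print_rule() { printf 'iptables %s\n' "$*"; }   # dry-run stand-in for iptables
IPT="${IPT:-print_rule}"

# build_host_rules PROTO:PORT...
# Accept rules are installed first and the DROP policy is set last, so that
# an SSH session used to apply this remotely is never cut off half-way
# (and so that forgetting tcp:22 fails loudly on the last line, not the first).
build_host_rules() {
    $IPT -F INPUT
    $IPT -P FORWARD DROP                 # a single-homed server routes nothing
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    for svc in "$@"; do
        proto="${svc%%:*}"
        port="${svc#*:}"
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad service spec: $svc (want tcp:PORT or udp:PORT)" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in: $svc" >&2; return 1 ;;
        esac
        $IPT -A INPUT -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log what is about to be dropped (rate-limited), then make DROP the default.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
    $IPT -P INPUT DROP
}

# Stand-alone run: a DNS server that is also administered over SSH
# (DNS needs both TCP and UDP 53), or whatever services are given on the command line.
if [ $# -gt 0 ]; then
    build_host_rules "$@"
else
    build_host_rules tcp:22 tcp:53 udp:53
fi
```

Running it without `IPT` set prints the full rule list so it can be reviewed before anything is applied; the management port (22 here) must be in the list, or the last line locks out the administrator along with everyone else.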

theNbomr 03-17-2010 02:21 PM

a rule which deals with a range of ips

/sbin/iptables -I INPUT -m iprange --src-range -j DROP
This will block all incoming IP traffic from hosts in the range
You might want to whittle the range down a smidgen.

To be effective, you will want to use criteria other than just IPs. You should start by learning much of what the standard Iptables Tutorial explains.

--- rod.
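The iprange rule rod shows needs a `FIRST-LAST` source range filled in, and iptables rejects a range whose first address is above the last. As an added example that is not from the thread, this dry-run script builds that rule after checking both ends; the `print_rule` stand-in, the `ip_to_int` helper and the 192.0.2.x addresses (the documentation range, used here as constructed sample input) are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the thread: builds the iprange DROP rule rod
# shows, but validates the range first. Both ends must be dotted quads and the
# first must not be above the last. Dry-run by default; run as root with
# IPT=/sbin/iptables to apply.

print_rule() { printf 'iptables %s\n' "$*"; }   # dry-run stand-in for iptables
IPT="${IPT:-print_rule}"

# ip_to_int A.B.C.D
# Prints the address as a 32-bit integer; returns 1 on a malformed address.
ip_to_int() {
    old_ifs="$IFS"; IFS=.
    set -f; set -- $1; set +f          # split on dots, no globbing
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        # decimal octet, no leading zeros (bash would read 08 as octal)
        case "$o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

# block_src_range FIRST LAST
# Inserts a rule at the top of INPUT (-I) so the DROP is evaluated before any
# ACCEPT rule already in the chain; packets from FIRST..LAST are discarded.
block_src_range() {
    a=$(ip_to_int "$1") || { echo "bad address: $1" >&2; return 1; }
    b=$(ip_to_int "$2") || { echo "bad address: $2" >&2; return 1; }
    [ "$a" -le "$b" ] || { echo "range is inverted: $1-$2" >&2; return 1; }
    $IPT -I INPUT -m iprange --src-range "$1-$2" -j DROP
}

# Stand-alone run: block a constructed sample range, or the one given on the command line.
if [ $# -eq 2 ]; then
    block_src_range "$1" "$2"
else
    block_src_range 192.0.2.10 192.0.2.20
fi
```

A source-only range rule is, as rod says, a blunt instrument: it says nothing about which service is being reached, so it belongs in front of a per-port ruleset rather than in place of one.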

fedora_user 03-18-2010 06:34 AM

Thanks Rod for the info. The link provided is pretty good and detailed. I will surely follow it through.. :)
