blocking traffic using iptables -easy hopefully :)
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
blocking traffic using iptables -easy hopefully :)
hi
i used the angry ip scan software and found alot of the public ip addresses on our network are accessable from outside when they are not suppose to, For eg printers/ pcs etc. to make a start on locking down the network i was wondering if anybody knew th iptables command to add a rule which blocked all incoming traffic to specific ip adresses on the network and to a range of ip addresses.
thanks smoker
yes but way up stream Theres a switch but further upstream as well-no control over any of this.We're looking into bringing a firewall appliance, not sure when that will happan though. so for the time being im trying to block accesse to these addresses via any other means. As we have linux servers dealing with dns dhcpd etc on our network i'm trying to setup iptables.
In order for you to assemble useful rules, you have to identify the likes of source & destination IPs, IP ports & protocols, and something about the topology of the network and the nature of the hosts which are attached to the network. It sounds like you have some hosts on a LAN which is otherwise unprotected. If so, then the smartest thing would be to insert a firewall between the LAN and the rest of the world. This allows you to consolidate the rule set onto one host, and relieves you from maintaining multiple hosts' rules. It also allows you to protect hosts which may not be well equipped with local firewalling capability.
You can implement rules on specific hosts to regulate traffic to & from those hosts. In either case, there are two general strategies. One strategy is to block all traffic, and then open up access for specific ports, IPs and other identifiable parameters. The other strategy is to open everything, and then block specific traffic. The nature of your servers and the nature of your usage patterns will dictate which is best for you. You must do your own analysis of this.
Composing a set of iptables rules that is thorough and correct is not a task for someone not well acquainted with networking. I strongly recommend using some package or tool that can generate a cohesive set of rules correctly, and that can be maintained and trusted. There are GUI tools for this, as well as canned packages that can be installed and customized to your specifications. Many of these can be found with online searches.
Typically, the implementation of firewalls is done with shell scripts that combine a coordinated collection of iptables rules. The firewall is started, stopped and restarted as a service much like any other service on a host. The shell script(s) get created either by you manually, as a pre-packaged collection with some recipe for customization, or by some GUI tool. Tools that create iptables rulesets are often geared toward one or the other of two configurations: for individual workstations & servers, or for a dedicated firewalling host, commonly equipped with multiple network interfaces, and configured to route traffic between networks such as LAN & WAN. Getting the right style of package for your scenario is, of course, important.
thanks rod for the lengthy reply. i undestand where youre coming from. We do intend to buy a dedicated firewall. we were looking at check point as a possible solution. The only issue is that it maybe sometime before we get our hands on one hence was seeking advice related to iptables to deal wit this issue in the mean time. i have edited iptables before. if i can be provided with a rule which deals with a range of ips at least i can start from somwhere. i dont have the gui insalled on the servers so not sure if i can still use them as you recommended below...
You don't want a range of ips, you want the specific port opened on a specific machine. You have to put rules on all the machines if you don't have a central firewall. Each machine should have all ports blocked except the specific port that that machine needs.
ie. the FTP machine has port 21 opened, the web server machine has port 80 opened, the DNS server machine has port 53 opened. I still don't understand how your printers have public ip addresses. http://wiki.centos.org/HowTos/Network/IPTables
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.