IP Table implementation

Shruti_Soumya · 01-25-2017, 01:11 AM

I am trying to implement IP tables on my server, to allow around 1500 Ips and reject the rest which are coming.

Questions:
1. Precedence of the rule?
Tried putting these commands:

iptables -A INPUT -m set --match-set setname src -p tcp -m multiport -j ACCEPT

iptables -A INPUT -j DROP

But then was unable to access the server. Performance issue?
Note- by default my server accepts all connections.

TB0ne · 01-25-2017, 07:59 AM

Quote:

Originally Posted by Shruti_Soumya

I am trying to implement IP tables on my server, to allow around 1500 Ips and reject the rest which are coming.

Questions: 1. Precedence of the rule? Tried putting these commands:

iptables -A INPUT -m set --match-set setname src -p tcp -m multiport -j ACCEPT
iptables -A INPUT -j DROP

But then was unable to access the server. Performance issue? Note- by default my server accepts all connections.

Sounds very much like a homework question, but it is very easy to try swapping the position of the rules. DROP first, THEN accept.

Code:

iptables -P INPUT -j DROP
iptables -A INPUT -m iprange --src-range 192.193.0-150 -j ACCEPT

...will accept things in the range specified. Modify commands as needed.

szboardstretcher · 01-25-2017, 08:34 AM

I think it's worth noting that this example 'can' be misinterpreted if you aren't paying attention. It looks like all traffic is dropped and nothing will ever reach the allow. Ie: A top down ruleset.

But: the '-P' means 'default policy' for the specified chain -- in this case 'INPUT'. So the default policy once a packet has traversed the entire rule set in the chain, is DROP. You could read it in plain english like this:

Code:

iptables -P INPUT -j DROP # If a packet traverses the ENTIRE ruleset in the chain INPUT then DROP

jefro · 01-25-2017, 03:36 PM

Just an idea.
You may also consider using FWbuilder to make it slightly more easy.