Linux - Security This forum is for all security related questions.
05-18-2006, 01:34 AM | #1 | Registered User (Registered: Apr 2006, Posts: 12)
192.168.1.1/24???
Just a bit confused about an iptables function. I was hoping that someone could clear this up for me. I keep reading that to enable access through iptables to machines on my network only, that I would use the address "192.168.1.1/24" and that would cover all of the addresses in my 192.168.1.X range. I really don't understand what they are talking about. The real confusion sets in when I check the address range on my router. It's programmed to start at 192.168.1.100 and has a limited dhcp address issuance of 50. So....192.168.1.100-150. So what do they mean by the "192.168.1.1/24" will cover all addresses within the 192.168.1.x range.
I guess what I'm asking is what in the heck is the "/24" in reference to?
05-18-2006, 01:50 AM | #2 | Senior Member (Registered: Jan 2005, Location: Canada, Distribution: ubuntu, Posts: 2,539)
It has to do with subnetting. If you are not on a large network and are not using subnetting then I don't think you need to do it this way. Research subnetting and/or CIDR on Wikipedia or another reference site. Sorry for the brief answer.
05-18-2006, 01:54 AM | #3 | Registered User, Original Poster (Registered: Apr 2006, Posts: 12)
Ahhhhhhh! I got it! Hey, never mind the brief post. It was all I needed to point me in the right direction. Thanks for your help.
OK... so the other computers are receiving their IPs via DHCP (so they could have any number of IP addresses at any point in time). So how could I go about allowing 192.168.1.100 through 192.168.1.150 without setting chains for every individual address?
Last edited by Crazed_Mofo; 05-18-2006 at 02:00 AM.
05-18-2006, 03:58 AM | #4 | Senior Member (Registered: Nov 2003, Location: Perth, Western Australia, Distribution: Ubuntu, Debian, Various using VMWare, Posts: 2,088)
This is from memory (research subnetting like nadroj suggested), so I may not be 100% correct.
Your IP address (192.168.1.0) is a hexadecimal number, and so can be converted to binary:
Code:
11000000.10101000.00000001.00000000
The /24 means to use the first 24 bits as the network address, which in this case means 192.168.1. The next 8 are the host number. So using 192.168.1.0/24 means that you are referring to any traffic from a host on the 192.168.1 network.
Do you have any machines in the range 1-99 and 151-254? If not, then just go with 192.168.1/24.
I hope this helps
--Ian
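The bit-level view Ian describes, carried through in code, together with an answer to the follow-up question in post #3 (how to admit 192.168.1.100 through .150 without one rule per address). This is an added example, not code from the thread: it shows the 24-bit mask a /24 rule compares against, what range a prefix actually covers once the host bits are dropped, and a greedy decomposition of an arbitrary first/last range into the fewest aligned CIDR blocks, each emitted as an iptables -s rule. The chain and target names in iptables_rules are assumed defaults.

```python
"""Bit-level view of CIDR prefixes, plus the OP's follow-up: cover
192.168.1.100-150 with a few aligned blocks instead of 51 iptables rules.
Added example for the thread above; not code posted by any participant."""


def ip_to_int(ip):
    """'192.168.1.0' -> 0xC0A80100. bytes() rejects octets outside 0..255."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {ip}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(ip):
    """Dotted binary, the form Ian wrote out by hand in post #4."""
    return ".".join(f"{int(o):08b}" for o in ip.split("."))


def netmask(prefix):
    """/24 -> 0xFFFFFF00: a 1 for every bit the firewall compares."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def cidr_bounds(cidr):
    """First and last address a prefix covers. Host bits in the written
    address are ignored, so 192.168.1.1/24 and 192.168.1.0/24 are the same
    rule; iptables normalises the address the same way."""
    ip, prefix = cidr.split("/")
    mask = netmask(int(prefix))
    first = ip_to_int(ip) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return int_to_ip(first), int_to_ip(last)


def range_to_cidrs(first, last):
    """Fewest aligned blocks covering first..last inclusive. Greedy: at each
    step take the largest block that starts exactly at the current address
    (alignment) and does not run past `last`."""
    cur, end = ip_to_int(first), ip_to_int(last)
    if cur > end:
        raise ValueError("range start is after range end")
    blocks = []
    while cur <= end:
        prefix = 32
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))      # addresses in a /(prefix-1)
            if cur % size != 0 or cur + size - 1 > end:
                break                            # misaligned or too big
            prefix -= 1
        blocks.append(f"{int_to_ip(cur)}/{prefix}")
        cur += 1 << (32 - prefix)
    return blocks


def iptables_rules(first, last, chain="INPUT", target="ACCEPT"):
    """One -s rule per block; iptables accepts address/prefix directly.
    chain and target are assumed defaults, not from the thread."""
    return [f"iptables -A {chain} -s {block} -j {target}"
            for block in range_to_cidrs(first, last)]


if __name__ == "__main__":
    print(to_bits("192.168.1.0"), "  (192.168.1.0; a /24 fixes the first 24 bits)")
    print("192.168.1.0/24 covers %s to %s" % cidr_bounds("192.168.1.0/24"))
    for rule in iptables_rules("192.168.1.100", "192.168.1.150"):
        print(rule)
```

For the DHCP pool in post #1 this yields seven blocks (/30, /29, /28, /28, /30, /31, /32) rather than 51 rules; if the seven lines are still too many, the iprange match does it in one rule: `iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.150 -j ACCEPT`. Either way, a source address on a LAN is not an identity: any host plugged into the same segment can configure itself an address inside the pool, so treat these rules as coarse scoping of exposure, not authentication.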
05-18-2006, 07:48 AM | #5 | Senior Member (Registered: May 2004, Location: Albuquerque, NM USA, Distribution: Debian-Lenny/Sid 32/64 Desktop: Generic AMD64-EVGA 680i Laptop: Generic Intel SIS-AC97, Posts: 4,250)
I'm vague on this myself, but I think that 192.168.1.0/8 will take care of anything on the 192.168.1 network ... 192.168.0.0/16 will allow anything starting with 192.168 ... and 192.0.0.0/24 will allow anything starting with 192.
My DHCP router can assign any IP ending with a number 1-255. Behind that, I have Firestarter on my individual machines. I have a Firestarter rule that says, 'Accept connections from 192.168.123.0/8,' and it's never failed me yet.
05-18-2006, 01:50 PM | #6 | Registered User, Original Poster (Registered: Apr 2006, Posts: 12)
I just wanted to let all of you know that you have been very helpful with your posts. Thank you so much! After nadroj pointed me to some subnetting articles I figured it out. You're all right, the /24 does in fact refer to the first 24 bits of the network address. I think I'm going to take Iball's advice and just go with the /24 mask.
Hey thanks again all.
05-18-2006, 09:13 PM | #7 | Senior Member (Registered: Nov 2003, Location: Perth, Western Australia, Distribution: Ubuntu, Debian, Various using VMWare, Posts: 2,088)
Quote:
Originally Posted by rickh
I'm vague on this myself, but I think that 192.168.1.0/8 will take care of anything on the 192.168.1 network ... 192.168.0.0/16 will allow anything starting with 192.168 ... and 192.0.0.0/24 will allow anything starting with 192.
My DHCP router can assign any IP ending with a number 1-255. Behind that, I have Firestarter on my individual machines. I have a Firestarter rule that says, 'Accept connections from 192.168.123.0/8,' and it's never failed me yet.
I think you are back to front. See http://en.wikipedia.org/wiki/Subnetw...orking_concept. The /8 refers to the first 8 bits, or 192. /16 refers to the 1st 16 bits 192.168 and /24 refers to the first 24 bits, or 192.168.123.
Your firestarter rule is allowing anything from the 192 network, which also includes non-private addresses. But since you have a router, it is probably doing NAT as well, which acts as a natural firewall. This means that the rule will work, because your box will only see addresses on the 192.168 network anyway.
I hope this helps
--Ian
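Ian's correction, made checkable. This is an added example, not code from the thread: it normalises a firewall source spec the way the firewall does (the bits beyond the prefix are dropped, so '192.168.123.0/8' really is 192.0.0.0/8), tests which sample addresses each prefix length would accept, and flags specs that reach outside the RFC 1918 private blocks. The sample addresses are constructed; 192.0.2.1 is taken from the RFC 5737 documentation range purely as a non-private stand-in.

```python
"""Audit firewall source specs like the one quoted above: show what network
a prefix really matches and whether it stays inside RFC 1918.
Added example for the thread; not code posted by any participant."""
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def effective_network(spec):
    """strict=False clears the host bits the prefix does not cover, which is
    what the firewall does too: '192.168.123.0/8' becomes 192.0.0.0/8."""
    return ipaddress.ip_network(spec, strict=False)


def matches(spec, addr):
    """Would a packet with source `addr` pass a rule whose source is `spec`?"""
    return ipaddress.ip_address(addr) in effective_network(spec)


def audit(spec):
    """Summarise a spec: the network actually matched, its size, and whether
    every address it admits lies inside one RFC 1918 block."""
    net = effective_network(spec)
    return {
        "spec": spec,
        "effective": str(net),
        "addresses": net.num_addresses,
        "rfc1918_only": any(net.subnet_of(p) for p in RFC1918),
    }


if __name__ == "__main__":
    # Constructed samples: a host on the 192.168.123 LAN, a host on another
    # private subnet, and a non-private address (RFC 5737 TEST-NET-1).
    samples = ("192.168.123.77", "192.168.1.5", "192.0.2.1")
    for spec in ("192.168.123.0/8", "192.168.123.0/16", "192.168.123.0/24"):
        a = audit(spec)
        print(f"{spec:18} -> {a['effective']:16} {a['addresses']:>9} addrs"
              f"  rfc1918_only={a['rfc1918_only']}")
        for addr in samples:
            verdict = "ACCEPT" if matches(spec, addr) else "no match"
            print(f"    {addr:15} {verdict}")
```

Run as-is, the /8 line reports 16,777,216 addresses and accepts 192.0.2.1; only the /24 confines the rule to the 192.168.123 hosts. Ian's point about NAT still holds: a NAT router rarely forwards unsolicited traffic from outside, which is why the over-broad rule never showed a symptom, but the accept rule itself was doing no filtering of public sources, so it is worth fixing rather than relying on the router.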
05-18-2006, 10:12 PM | #8 | Senior Member (Registered: May 2004, Location: Albuquerque, NM USA, Distribution: Debian-Lenny/Sid 32/64 Desktop: Generic AMD64-EVGA 680i Laptop: Generic Intel SIS-AC97, Posts: 4,250)
OK. So I changed my Firestarter rule (which is primarily used for ftp behind the firewall) to 'Accept connections from 192.168.123.0/24'. Is that right? I will go read the link, though.
05-18-2006, 11:32 PM | #9 | Senior Member (Registered: Nov 2003, Location: Perth, Western Australia, Distribution: Ubuntu, Debian, Various using VMWare, Posts: 2,088)
Quote:
Originally Posted by rickh
OK. So I changed my Firestarter rule (which is primarily used for ftp behind the firewall) to 'Accept connections from 192.168.123.0/24'. Is that right? I will go read the link, though.
Yep. That should allow connections from any computer on the 192.168.123 network.
--Ian