Hey guys. I'm running Fedora Core 5 and want to customize my IPTABLES firewall in order to bolster system security. I have two separate questions that aren't being answered by the tutorials I've read:

1. I want to ban an entire range of IP address within a given network, not just a single IP. There's got to be a way to do that w/o typing out 256 or more addresses and entering them in one-by-one! I typed the following:
-----
root# iptables -A INPUT -j DROP 123.456.789.0/24
Bad argument `123.456.789.0/24'
Try `iptables -h' or 'iptables --help' for more information.
root#
------

Where of course 123.456.789.0 is the class C network whose incoming packets I'm trying to stop at my firewall. It is to be completely prohibited from contacting the system in any way and any packets that do arrive from there are to go unacknowledged. I don't even want users on that network being able to view my web pages.

So what's wrong with my syntax? The tutorial I was using swears up and down that the command *should* work as advertised. Maybe iptables has changed since it was written, so can anyone tell me the correct syntax?

2. I entered a long list of individual IP addresses into the firewall using the command given above. I confirmed that they'd been loaded by running iptables -L. It showed me the rules as I expected to see. HOWEVER, the rules were all gone when I rebooted the entire system and ran iptables -L a second time. What do I need to do in order to make the iptables rules permanent so that they'll survive a system reboot?

Thanks in advance, Matt

1. The ip address(es) is/are specified via the -s (source address) option, e.g.

2. Use iptables-save and iptables-restore. You need to redirect the input/output, e.g. 'iptables-save > /root/iptables.conf', and put 'iptables-restore < /root/iptables.conf' in your rc.local.

Thanks for your help. Apparently I was being tripped up by a simple typo.

One more question. I'd like to write a rule that says "Ban ALL connections from ALL systems, except for the ones explictly allowed to connect." I'd also like to write a rule that says, "If a system wants to connect to port 80, check the banned list. If it's not there, let it in."

Where in the iptables rule list would I put such rules - the beginning or the end? I'm afraid of guessing wrong and locking myself out of my own server. Does iptables look at the "allow" section before it looks at the "deny" section (the way TCP wrappers does), or does it just apply the rules sequentially?

Thanks

One more thing...when you say put that command in rc.local, do you mean simply edit the file and type in a line that says "iptables-restore" after running the command above?

Ccheck post #2 in this thread: http://www.linuxquestions.org/questi...d.php?t=438127 for my iptables script. I think it doeas a lot of what you are wanting to do. Basically, just set your default policy to DROP, and then add ACCEPT rules for those you want ot allow in.

Yes, the kernel applies the rules sequentially.

haertig has covered the rest.

As for rc.local, yeah, just would type the line in somewhere, but if you use haertig's script, you don't need iptables-{save,restore} anymore.

I might add a quick note:

is there any difference between 0.0.0.0/24 and the one I've been using; e.g. -m iprange --src-range 1.1.1.1-2.2.2.2 -j LOG?