LinuxQuestions.org
Post #1 by Vasili (LQ Newbie, Distribution: RHEL 4 AS), 08-13-2006, 06:05 AM

i want to block a range of ips using iptables...

Hi all!

I have this network going on 192.168.0.0, and I would like to drop the incoming packets from 192.168.0.20-192.168.0.50. I want to write one rule for it, not thirty... see what I mean? What option, and how do I write it? Please!

Thx!!
 
Post #2 by Centinul (Member, Distribution: Gentoo), 08-13-2006, 07:58 AM

There is an iprange filter match. The rule you are asking for looks like the following:

Code:
/sbin/iptables -A FORWARD -m iprange --src-range 192.168.0.20-192.168.0.50 -j DROP
or
Code:
/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.20-192.168.0.50 -j DROP
Hope this helps!
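As an added example (not part of the original post), here is a small POSIX shell helper that prints the single iprange rule for the range asked about above and, for a kernel that lacks the ipt_iprange/xt_iprange match, decomposes the same range into the smallest set of aligned CIDR blocks that ordinary -s/--source rules accept (five blocks instead of thirty-one single-host rules). The chain name INPUT and the addresses come from the thread; the function names are my own. The script only prints iptables commands and needs no privileges; running the printed commands as root is left to the reader.

```shell
#!/bin/sh
# Added example: one iprange rule versus the CIDR fallback for
# 192.168.0.20-192.168.0.50. Only prints iptables commands; no root needed.

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Decompose an inclusive IPv4 range into the fewest aligned CIDR blocks.
# Greedy: from the current address take the largest block that is both
# aligned on its own size and does not run past the end of the range.
range_to_cidrs() {
    cur=$(ip2int "$1"); end=$(ip2int "$2")
    [ "$cur" -le "$end" ] || { echo "range start is after range end" >&2; return 1; }
    while [ "$cur" -le "$end" ]; do
        bits=32; size=1
        while [ "$bits" -gt 0 ]; do
            next=$(( size * 2 ))
            [ $(( cur % next )) -eq 0 ] && [ $(( cur + next - 1 )) -le "$end" ] || break
            size=$next; bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$cur")/$bits"
        cur=$(( cur + size ))
    done
}

# Print the rules that drop a source range in CHAIN: the single iprange
# rule first, then the equivalent plain -s rules for kernels without the match.
drop_range_rules() {
    chain=$1; first=$2; last=$3
    echo "# preferred: one rule, needs the iprange match (ipt_iprange/xt_iprange)"
    echo "iptables -A $chain -m iprange --src-range $first-$last -j DROP"
    echo "# fallback: plain -s rules, one per CIDR block"
    for net in $(range_to_cidrs "$first" "$last"); do
        echo "iptables -A $chain -s $net -j DROP"
    done
}

drop_range_rules INPUT 192.168.0.20 192.168.0.50
```

Two checks worth doing after loading either variant: `iptables -S INPUT` (or `iptables -L INPUT -n --line-numbers`) shows whether the rule was accepted and in which position, and because iptables is first-match, a DROP for the range must sit above any ACCEPT that covers 192.168.0.0/24, otherwise it never fires. For a range that does not start and end on block boundaries the CIDR list is always longer than one rule, which is exactly why the iprange match exists.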
 
Post #3 by wolfster306 (LQ Newbie, Distribution: Slax 10.1), 09-18-2006, 07:39 AM

Interesting; yet I may have modprobe issues with libipt_iprange loading.

Edit: My aim is to allow packets to be sent to and from a (source IP range) or (single IP) to a (destination IP range) or (single IP) for each policy that I have set.

For example, DNS:

Code:
$IPT -A tcp_inbound -p TCP --src-range 192.168.0.1-192.168.0.6 -d 192.168.0.2 --destination-port 53 -j ACCEPT

$IPT -A tcp_outbound -p TCP -s 192.168.0.2 --dst-range 192.168.0.1-192.168.0.6 --destination-port 53 -j ACCEPT

192.168.0.1 is obviously a gateway, with DHCP clients ranging from 192.168.0.2-192.168.0.6 =)

192.168.0.2 is a DNS server, as you can tell. The DNS server handles requests, and all requests are sent to and from the DNS server, but I wish to only allow a specific range of IPs in the DHCP range to accept those packets.

Please note: I know how iptables works, I don't need a complete tutorial on iptables, just relevance to iprange. Thanks.

Regards,

WolF-X

Last edited by wolfster306; 09-18-2006 at 12:47 PM.
 
Post #4 by win32sux (LQ Guru, Distribution: Ubuntu), 09-18-2006, 12:16 PM

Quote:
Originally Posted by wolfster306
Interesting; yet I may have modprobe issues with libipt_iprange loading.

My aim is to allow a source IP range/single IP to a destination IP range/single IP for each policy.

For example, DNS requests:

$IPT -A tcp_inbound -p TCP --src-range 192.168.0.1-192.168.0.6 -d 192.168.0.2 --destination-port 53 -j ACCEPT

$IPT -A tcp_outbound -p TCP -s 192.168.0.2 --dst-range 192.168.0.1-192.168.0.6 --destination-port 53 -j ACCEPT

Please note: I know how iptables works, I don't need a complete tutorial on iptables, just relevance to iprange. Thanks.

Regards,

WolF-X

I'm not sure I understand what your question is exactly... could you be a little more specific, please? BTW, DNS uses UDP, not TCP...
 
Post #5 by wolfster306 (LQ Newbie, Distribution: Slax 10.1), 09-18-2006, 12:29 PM

Quote:
Originally Posted by win32sux
I'm not sure I understand what your question is exactly... could you be a little more specific, please? BTW, DNS uses UDP, not TCP...

Well, actually it uses both. Since you don't use Windows, you obviously don't know about the services file... In the meantime, I'll just wait for a reply from someone else.

Last edited by wolfster306; 09-18-2006 at 12:37 PM.
 
Post #6 by win32sux (LQ Guru, Distribution: Ubuntu), 09-18-2006, 12:46 PM

Quote:
Originally Posted by wolfster306
Well, actually it uses both. Since you don't use Windows, you obviously don't know about the services file...

Yes, you can make DNS work with TCP on Linux too if you want... in fact most DNS daemons will have TCP fallback...

Quote:
In the meantime, I'll just wait for a reply from someone else.

Once again, could you please explain your question? Are the rules not working for you, or something like that?

EDIT: I can see you've updated your post now... thanks...

Last edited by win32sux; 09-18-2006 at 12:47 PM.
 
Post #7 by wolfster306 (LQ Newbie, Distribution: Slax 10.1), 09-18-2006, 12:56 PM

Quite frankly, I think it's just the fact that the module libipt_iprange.so cannot be identified by the kernel...

I have updated to the latest version of iptables, 1.3.5 =(

You see, I have one network, but both a physical and a wireless network.

I want to only allow most of what I have specified as ACCEPTED by the physical network, and only allow such things as HTTP, HTTPS, POP3, SMTP and DNS etc. (common services) from the range of IPs that wireless clients use.

It's pretty much to stop a friend of mine from trying to hack my network; he wants to be this big hacker and all :P
 
Post #8 by win32sux (LQ Guru, Distribution: Ubuntu), 09-18-2006, 12:58 PM

Quote:
Originally Posted by wolfster306
$IPT -A tcp_inbound -p TCP --src-range 192.168.0.1-192.168.0.6 -d 192.168.0.2 --destination-port 53 -j ACCEPT

$IPT -A tcp_outbound -p TCP -s 192.168.0.2 --dst-range 192.168.0.1-192.168.0.6 --destination-port 53 -j ACCEPT

If your problem is that these rules aren't working, my money is on the missing match specifier...

I think it should go something like this:
Code:
$IPT -A tcp_inbound -p TCP -m iprange --src-range \
192.168.0.1-192.168.0.6 -d 192.168.0.2 \
--destination-port 53 -j ACCEPT

$IPT -A tcp_outbound -p TCP -s 192.168.0.2 -m iprange \
--dst-range 192.168.0.1-192.168.0.6 \
--destination-port 53 -j ACCEPT

Last edited by win32sux; 09-18-2006 at 12:59 PM.
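The mistake pointed out above (an iprange option used before the iprange match has been selected on the same line) is easy to catch mechanically, because iptables parses a rule left to right and only knows an extension's options once -m <match> or -p <proto> has loaded that extension earlier in the line. The following shell linter is an added example, not part of the thread: it scans rule lines for --src-range/--dst-range with no preceding -m iprange, and for port options with no preceding -p tcp/udp (the same ordering rule for the tcp/udp matches). The sample rule lines are the two posted by wolfster306 in this thread; the function names and the check are my own, and it only catches ordering mistakes, not whether the kernel has the match.

```shell
#!/bin/sh
# Added example: lint iptables rule lines for extension-option ordering.
# A match option seen before its -m/-p produces "Unknown arg `--src-range'"
# on iptables 1.3.x ("unknown option" on later releases).

# check_rule LINE -> exit 0 if the ordering is fine, 1 otherwise (reason on stdout)
check_rule() {
    seen_iprange=0; seen_l4=0; prev=''; rc=0
    for tok in $1; do
        # remember which extensions the tokens so far have loaded
        case "$prev:$tok" in
            -m:iprange|--match:iprange) seen_iprange=1 ;;
            -p:[tT][cC][pP]|-p:[uU][dD][pP]|--protocol:[tT][cC][pP]|--protocol:[uU][dD][pP]) seen_l4=1 ;;
        esac
        # every extension option must come after the extension that owns it
        case "$tok" in
            --src-range|--dst-range)
                [ "$seen_iprange" -eq 1 ] || { echo "$tok used before -m iprange"; rc=1; } ;;
            --dport|--destination-port|--sport|--source-port)
                [ "$seen_l4" -eq 1 ] || { echo "$tok used before -p tcp/udp"; rc=1; } ;;
        esac
        prev=$tok
    done
    return $rc
}

# lint_rules < SCRIPT -> exit status is the number of offending rule lines,
# details on stdout. Blank lines, comments and non-rule lines are skipped.
lint_rules() {
    bad=0; n=0
    while IFS= read -r line; do
        n=$(( n + 1 ))
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in *-A\ *|*-I\ *) ;; *) continue ;; esac
        if ! msg=$(check_rule "$line"); then
            echo "line $n: $msg"
            bad=$(( bad + 1 ))
        fi
    done
    return $bad
}

# Constructed sample: the two rules posted in this thread, then their fixed forms.
rc=0
lint_rules <<'EOF' || rc=$?
# wolfster306's original lines
$IPT -A tcp_inbound -p TCP --src-range 192.168.0.1-192.168.0.6 -d 192.168.0.2 --destination-port 53 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 192.168.0.2 --dst-range 192.168.0.1-192.168.0.6 --destination-port 53 -j ACCEPT
# the same rules with the match specifier in place
$IPT -A tcp_inbound -p TCP -m iprange --src-range 192.168.0.1-192.168.0.6 -d 192.168.0.2 --destination-port 53 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 192.168.0.2 -m iprange --dst-range 192.168.0.1-192.168.0.6 --destination-port 53 -j ACCEPT
EOF
echo "offending rule lines: $rc"
```

Run it as `sh lint.sh < firewall.sh` before loading a script, or drop the two functions into the firewall script itself. The exit status doubles as a count, so it slots into a pre-flight check such as `lint_rules < rules.sh || exit 1`. Lines that fail here would be rejected by iptables anyway; the point of linting is to see all of them at once instead of one per failed run.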
 
Post #9 by wolfster306 (LQ Newbie, Distribution: Slax 10.1), 09-18-2006, 01:00 PM

Quote:
Originally Posted by win32sux
If your problem is that these rules aren't working, my money is on the missing match specifier... I think it should go something like this:
Code:
$IPT -A tcp_inbound -p TCP -m iprange --src-range 192.168.0.1-192.168.0.6 \
-d 192.168.0.2 --destination-port 53 -j ACCEPT

$IPT -A tcp_outbound -p TCP -s 192.168.0.2 -m iprange --dst-range 192.168.0.1-192.168.0.6 \
--destination-port 53 -j ACCEPT

I tried that exactly, except previously I didn't add the '\'. Perhaps it may work, but I still get a problem with the module; I tried a modprobe on it, but it couldn't locate it.

Any method of installing the module? I tried insmod, but I suppose I'm supposed to insmod on the .o file, yeah?

Thanks.
 
Post #10 by win32sux (LQ Guru, Distribution: Ubuntu), 09-18-2006, 01:05 PM

Quote:
Originally Posted by wolfster306
I tried that exactly, except previously I didn't add the '\'. Perhaps it may work

No, the \ doesn't have anything to do with this... it's just something you use to be able to span commands across multiple lines for clarity's sake...

Quote:
but I still get a problem with the module; I tried a modprobe on it, but it couldn't locate it.

You shouldn't have to modprobe anything... upon executing the commands, the ipt_iprange module should get loaded automatically...

Quote:
Any method of installing the module? I tried insmod, but I suppose I'm supposed to insmod on the .o file, yeah?

Wait, you patched your kernel for this? If so, make sure you recompiled iptables after doing so...

Last edited by win32sux; 09-18-2006 at 01:09 PM.
 
Post #11 by wolfster306 (LQ Newbie, Distribution: Slax 10.1), 09-18-2006, 01:08 PM

Neither patched nor recompiled; recompiling takes ages, ugh... do I really have to? :P
 
Post #12 by win32sux (LQ Guru, Distribution: Ubuntu), 09-18-2006, 01:16 PM

Quote:
Originally Posted by wolfster306
Neither patched nor recompiled; recompiling takes ages, ugh... do I really have to? :P

I don't know if you *have* to... but that's how I've always applied netfilter patches (apply the patch to the kernel source, recompile the kernel, boot the new kernel, then recompile iptables)...

I'd assume that if you successfully added the module without recompiling the kernel, you'd still need to recompile iptables, which takes only a few seconds...

Last edited by win32sux; 09-18-2006 at 01:29 PM.
 
Post #13 by wolfster306 (LQ Newbie, Distribution: Slax 10.1), 09-18-2006, 01:53 PM

Just adding all those '-m iprange' bits in the script...

Recompile iptables, how? make install, or...?
 
Post #14 by win32sux (LQ Guru, Distribution: Ubuntu), 09-18-2006, 01:59 PM

Quote:
Originally Posted by wolfster306
Recompile iptables, how? make install, or...?

Usually for iptables it goes something like:
Code:
# from the unpacked iptables 1.3.x source tree; the install targets need root
make
make install
make install-devel
make experimental
make install-experimental
 
Post #15 by amitsharma_26 (Member, Distribution: RHEL 3.0/4.0), 09-18-2006, 04:54 PM

Quote:
Originally Posted by wolfster306
Quite frankly, I think it's just the fact that the module libipt_iprange.so cannot be identified by the kernel...

Can you post the whole error line you are getting, and the iptables rule for which you are getting that error? And in case you do not have the ipt_iprange module loaded in the kernel, you should get the error "No chain/target/match by that name".
 
  

