Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-13-2006, 06:05 AM, #1
LQ Newbie | Registered: Feb 2006 | Location: At Home | Distribution: RHEL 4 AS | Posts: 23
I want to block a range of IPs using iptables...
Hi all!
I have this network going on 192.168.0.0
and I would like to drop the incoming packets from 192.168.0.20-192.168.0.50, and I want to write one rule for it, not thirty... see what I mean? What option, and how do I write it? Please!
Thanks!!
08-13-2006, 07:58 AM, #2
Member | Registered: Jun 2005 | Distribution: Gentoo | Posts: 552
There is an iprange filter match. The rule you are asking for looks like the following:
Code:
/sbin/iptables -A FORWARD -m iprange --src-range 192.168.0.20-192.168.0.50 -j DROP
or
Code:
/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.20-192.168.0.50 -j DROP
Hope this helps!
09-18-2006, 07:39 AM, #3
LQ Newbie | Registered: Sep 2005 | Location: Sydney, NSW, Australia | Distribution: Slax10.1 | Posts: 13
Interesting, yet, I may have modprobe issues with libipt_iprange loading.
Edit: My aim is to allow packets to be sent to and from a (source ip range) or (single ip) to a (destination ip range) or (single ip) for each policy that I have set.
For example, DNS:
$IPT -A tcp_inbound -p TCP --src-range 192.168.0.1-192.168.0.6 -d 192.168.0.2 --destination-port 53 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 192.168.0.2 --dst-range 192.168.0.1-192.168.0.6 --destination-port 53 -j ACCEPT
192.168.0.1 is obviously a gateway with DHCP clients ranging from 192.168.0.2-192.168.0.6 =)
192.168.0.2 is a DNS server, as you can tell... the DNS server handles requests, and all requests are sent to and from the DNS server, but I wish to only allow a specific range of IPs in the DHCP range to accept those packets.
Please note: I know how iptables work, I don't need a complete tutorial on iptables, just relevance to iprange. Thanks.
Regards,
WolF-X
Last edited by wolfster306; 09-18-2006 at 12:47 PM.
09-18-2006, 12:16 PM, #4
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by wolfster306
Interesting, yet, I may have modprobe issues with libipt_iprange loading.
My aim is to allow a source ip range/single ip to a destination ip range/single ip for each policy.
For example, DNS Requests:
$IPT -A tcp_inbound -p TCP --src-range 192.168.0.1-192.168.0.6 -d 192.168.0.2 --destination-port 53 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 192.168.0.2 --dst-range 192.168.0.1-192.168.0.6 --destination-port 53 -j ACCEPT
Please note: I know how iptables work, I don't need a complete tutorial on iptables, just relevance to iprange. Thanks.
Regards,
WolF-X
I'm not sure I understand what your question is exactly... could you be a little more specific please?? BTW, DNS uses UDP, not TCP...
09-18-2006, 12:29 PM, #5
LQ Newbie | Registered: Sep 2005 | Location: Sydney, NSW, Australia | Distribution: Slax10.1 | Posts: 13
Quote:
Originally Posted by win32sux
I'm not sure I understand what your question is exactly... could you be a little more specific please?? BTW, DNS uses UDP, not TCP...
Well actually it uses both; since you don't use Windows, you obviously don't know about the services file... In the meantime, I'll just wait for a reply from someone else.
Last edited by wolfster306; 09-18-2006 at 12:37 PM.
09-18-2006, 12:46 PM, #6
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by wolfster306
Well actually it uses both; since you don't use Windows, you obviously don't know about the services file...
Yes, you can make DNS work with TCP on Linux too if you want... in fact most DNS daemons will have TCP fallback...
Quote:
In the meantime, I'll just wait for a reply from someone else.
Once again, could you please explain your question?? Are the rules not working for you or something like that??
EDIT: I can see you've updated your post now... thanks...
Last edited by win32sux; 09-18-2006 at 12:47 PM.
09-18-2006, 12:56 PM, #7
LQ Newbie | Registered: Sep 2005 | Location: Sydney, NSW, Australia | Distribution: Slax10.1 | Posts: 13
Quite frankly, I think it's just the fact that the module libipt_iprange.so cannot be identified by the kernel...
I have updated to the latest version of iptables, 1.3.5 =(
You see, I have one network, but both a physical and a wireless network.
I want to only allow most of what I have specified as ACCEPTED by the physical network, and only allow such things as HTTP, HTTPS, POP3, SMTP and DNS etc. (common services) from the range of IPs that wireless clients use.
It's pretty much to disallow a friend of mine from trying to hack my network; he wants to be this big hacker and all :P
09-18-2006, 12:58 PM, #8
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by wolfster306
$IPT -A tcp_inbound -p TCP --src-range 192.168.0.1-192.168.0.6 -d 192.168.0.2 --destination-port 53 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 192.168.0.2 --dst-range 192.168.0.1-192.168.0.6 --destination-port 53 -j ACCEPT
If your problem is that these rules aren't working, my money is on the missing match specifier...
I think it should go something like this:
Code:
$IPT -A tcp_inbound -p TCP -m iprange --src-range \
192.168.0.1-192.168.0.6 -d 192.168.0.2 \
--destination-port 53 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 192.168.0.2 -m iprange \
--dst-range 192.168.0.1-192.168.0.6 \
--destination-port 53 -j ACCEPT
Last edited by win32sux; 09-18-2006 at 12:59 PM.
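An added example (not from the thread or from any poster) that puts the two points above into code: it builds the single iprange rule asked for in the first post, the minimal CIDR-block fallback for a kernel that has no iprange match, and a small lint that flags --src-range/--dst-range rules missing the `-m iprange` match specifier that post #8 points out. The function names, the `$IPT` sample script and the CIDR fallback are my own assumptions; the script prints rules rather than calling iptables.

```python
import ipaddress
import shlex

RANGE_OPTS = ("--src-range", "--dst-range")

def iprange_rule(chain, first, last, target="DROP", side="src"):
    """One rule for first..last using the iprange match extension.
    The '-m iprange' is exactly what the thread's failing DNS rules lacked."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is after range end {hi}")
    return f"iptables -A {chain} -m iprange --{side}-range {lo}-{hi} -j {target}"

def cidr_rules(chain, first, last, target="DROP"):
    """Fallback for a kernel without the iprange match: the fewest CIDR blocks
    that exactly cover first..last, one plain -s rule each (5 for .20-.50)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [f"iptables -A {chain} -s {net} -j {target}"
            for net in ipaddress.summarize_address_range(lo, hi)]

def missing_iprange_match(rule):
    """True when a rule uses --src-range/--dst-range without '-m iprange';
    iptables rejects the option because its match extension is not loaded."""
    toks = shlex.split(rule)
    uses_range = any(t in RANGE_OPTS for t in toks)
    has_match = any(toks[i] in ("-m", "--match") and toks[i + 1] == "iprange"
                    for i in range(len(toks) - 1))
    return uses_range and not has_match

def lint_script(text):
    """(line number, rule) pairs in a rules script that still need '-m iprange'."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")
            and missing_iprange_match(line)]

# Constructed sample script: the thread's two DNS rules, the second already fixed.
SAMPLE_SCRIPT = """\
# constructed sample rules (hypothetical $IPT variable, as in the thread)
$IPT -A tcp_inbound -p TCP --src-range 192.168.0.1-192.168.0.6 -d 192.168.0.2 --destination-port 53 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 192.168.0.2 -m iprange --dst-range 192.168.0.1-192.168.0.6 --destination-port 53 -j ACCEPT
"""

if __name__ == "__main__":
    print(iprange_rule("INPUT", "192.168.0.20", "192.168.0.50"))
    print("\n".join(cidr_rules("INPUT", "192.168.0.20", "192.168.0.50")))
    for n, rule in lint_script(SAMPLE_SCRIPT):
        print(f"line {n}: add '-m iprange' -> {rule}")
```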
09-18-2006, 01:00 PM, #9
LQ Newbie | Registered: Sep 2005 | Location: Sydney, NSW, Australia | Distribution: Slax10.1 | Posts: 13
Quote:
Originally Posted by win32sux
if your problem is that these rules aren't working, my money is on the missing match specifier... i think it should go something like this:
Code:
$IPT -A tcp_inbound -p TCP -m iprange --src-range 192.168.0.1-192.168.0.6 \
-d 192.168.0.2 --destination-port 53 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 192.168.0.2 -m iprange --dst-range 192.168.0.1-192.168.0.6 \
--destination-port 53 -j ACCEPT
I tried that exactly, except previously I didn't add the '\'; perhaps it may work, but I still get a problem with the module, though. I tried a modprobe on it, couldn't locate it.
Any method of installing the module? Tried insmod, but I suppose I'm supposed to insmod on the .o file, yeah?
Thanks.
09-18-2006, 01:05 PM, #10
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by wolfster306
I tried that exactly, except previously I didn't add the '\'; perhaps it may work
No, the \ doesn't have anything to do with this... it's just something you use to be able to span commands across multiple lines for clarity's sake...
Quote:
but I still get a problem with the module, though. I tried a modprobe on it, couldn't locate it.
You shouldn't have to modprobe anything... upon executing the commands, the ipt_iprange module should get loaded automatically...
Quote:
Any method of installing the module? Tried insmod, but I suppose I'm supposed to insmod on the .o file, yeah?
Wait, you patched your kernel for this?? If so, make sure you recompiled iptables after doing so...
Last edited by win32sux; 09-18-2006 at 01:09 PM.
09-18-2006, 01:08 PM, #11
LQ Newbie | Registered: Sep 2005 | Location: Sydney, NSW, Australia | Distribution: Slax10.1 | Posts: 13
|
Neither patched nor recompiled; recompiling takes ages, eugh... do I really have to? :P
09-18-2006, 01:16 PM, #12
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by wolfster306
Neither patched nor recompiled; recompiling takes ages, eugh... do I really have to? :P
I don't know if you *have* to... but that's how I've always applied netfilter patches (apply patch to kernel source, recompile kernel, boot new kernel, then recompile iptables)...
I'd assume that if you successfully added the module without recompiling the kernel, you'd still need to recompile iptables, which takes only a few seconds...
Last edited by win32sux; 09-18-2006 at 01:29 PM.
09-18-2006, 01:53 PM, #13
LQ Newbie | Registered: Sep 2005 | Location: Sydney, NSW, Australia | Distribution: Slax10.1 | Posts: 13
|
Just adding all those '-m iprange' bits in the script...
Recompile iptables, how? make install or....?
09-18-2006, 01:59 PM, #14
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by wolfster306
recompile iptable, how? make install or....?
Usually for iptables it goes something like:
Code:
make
make install
make install-devel
make experimental
make install-experimental
09-18-2006, 04:54 PM, #15
Member | Registered: Sep 2005 | Location: New delhi | Distribution: RHEL 3.0/4.0 | Posts: 777
Quote:
Originally Posted by wolfster306
Quite frankly, I think it's just the fact that the module libipt_iprange.so cannot be identified by the kernel...
Can you post the whole error line you are getting and your iptables rule for which you are getting that error? And if you do not have the ipt_iprange module loaded in the kernel, then you should get an error of "No chain/target/match by that name".
All times are GMT -5.