LinuxQuestions.org

Linux - Security: iptables (https://www.linuxquestions.org/questions/linux-security-4/iptables-694013/)

please 12-31-2008 03:00 AM

iptables
 
Hi

How can I configure this in my iptables?
For the following:

I want to allow for any access 10.10.10.10 to 22.22.22.22.
I want other 10.* to be able to access everything except 22.22.22.22.
I want 10.10.10.10 to have all access.
How can I do this?

Please
Help me

win32sux 12-31-2008 03:09 AM

Quote:

Originally Posted by please (Post 3392358)
How can I configure this in my iptables?
For the following:

I want to allow for any access 10.10.10.10 to 22.22.22.22.
I want other 10.* to be able to access everything except 22.22.22.22.
I want 10.10.10.10 to have all access.
How can I do this?

This single command should do what it sounds like you want:
Code:

iptables -I INPUT -i eth0 -m iprange ! --src-range 10.10.10.10-22.22.22.21 -j DROP

But I'm not sure I properly understand what you've posted. This command would allow all packets coming from 10.10.10.10-22.22.22.21, which means packets from 22.22.22.22 would be filtered. If this wasn't what you were asking for then please rephrase your post.

jschiwal 12-31-2008 04:10 AM

The 10/8 network is private; the others in the range aren't, so what you want to do doesn't make sense from a security standpoint.

please 12-31-2008 04:57 AM

Hi sirs

I have 2 uplinks.
I got load balancing working, but not failover.
I found one script for failover using the ping command. Very good.
But my ISP denied ping because of DoS virus attacks.
So I need to replace ping with another command.
I found the host command, but the host command does not have a -I interface option like ping.

I thought I could use iptables for this.
For example:
eth1=10.10.10.10 (uplink)
eth2=11.11.11.11 (uplink)
eth0=192.168.1.1

When I type: >host 22.22.22.22

I want to listen for this query on eth1 to 22.22.22.22,
not listen on eth2.
When I type: >host 33.33.33.33

I want to listen for this query on eth2 to 33.33.33.33,
not listen on eth1.
Is that OK?

win32sux 12-31-2008 08:36 AM

Quote:

Originally Posted by please (Post 3392437)
I want to listen for this query on eth2 to 33.33.33.33,
not listen on eth1.
Is that OK?

If you don't want packets with a source address of 33.33.33.33 to ever be allowed into the box via eth1, you could do something like:
Code:

iptables -I INPUT -i eth1 -s 33.33.33.33 -j DROP

please 12-31-2008 11:05 AM

Hi sir,
Thanks for your help
:)
Next time, if I have a problem, please help me again, sir.

please 12-31-2008 12:50 PM

Hi sirs

I am OK with your iptables.
I used tcping :)
My script auto-deletes the gateway address when the link goes down.
I used auto-delete for failover.
tcping can't be used when the gateway is deleted.
How can I use this tcping without a gateway?
Please advise me, sirs.
Please

win32sux 12-31-2008 02:04 PM

Quote:

Originally Posted by please (Post 3392791)
Hi sirs

I am OK with your iptables.
I used tcping :)
My script auto-deletes the gateway address when the link goes down.
I used auto-delete for failover.
tcping can't be used when the gateway is deleted.
How can I use this tcping without a gateway?
Please advise me, sirs.
Please

AFAICT this is a completely different issue, and as such it belongs in its own thread.

Please open a thread for this new issue in the Networking forum. Thanks.

please 01-01-2009 01:53 AM

Hi sir,

I posted a new thread, but

please check my iptables file again:

/etc/sysconfig/iptables
# Generated by iptables-save v1.3.7 on Thu Jan 1 06:35:21 2009
*filter
:INPUT ACCEPT [60:4288]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36:13344]
-A INPUT -s 203.81.71.113 -d 10.241.177.51 -j ACCEPT
-A INPUT -s 203.81.71.119 -d 10.241.184.99 -j ACCEPT
-A INPUT -s 203.81.71.119 -d 10.241.177.51 -j DROP
-A INPUT -s 203.81.71.113 -d 10.241.184.99 -j DROP
-A INPUT -s 203.81.71.113 -i eth3 -j DROP
-A INPUT -s 203.81.71.119 -i eth3 -j DROP
COMMIT
# Completed on Thu Jan 1 06:35:21 2009

eth1=10.241.177.51
eth2=10.241.184.99
eth3=eth3

Now I tested with tcping.
Result 1
==============
[root@server ~]#tcping 203.81.71.113 80 -t 2
203.81.71.113 port 80 user timeout.

[root@server ~]#tcping 203.81.71.119 80 -t 2
203.81.71.119 port 80 user timeout.

I got the following result when I stopped iptables:
==============================================
Result 2
=============

[root@server ~]#tcping 203.81.71.113 80 -t 2
203.81.71.113 port 80 open.

[root@server ~]#tcping 203.81.71.119 80 -t 2
203.81.71.119 port 80 open.


Sometimes I get "119 port open", "113 port 80 user timeout" when running iptables.
I should get Result 1 when running iptables.
Please check for me, sir: what is wrong in my iptables?

win32sux 01-01-2009 03:35 AM

When executing that tcping command, 203.81.71.113 will be the destination address on the packet. Your iptables rules are looking for 203.81.71.113 as the source address on the packet.
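To make the match semantics concrete, here is an added Python model (not code from the thread or from the iptables project) of first-match INPUT evaluation over the posted ruleset and over the "! --src-range" rule from the first reply. It handles only -s, -d, -i and iprange; the packets are constructed assumptions.

```python
import ipaddress

POSTED_RULES = [                      # the /etc/sysconfig/iptables lines from the thread
    "-A INPUT -s 203.81.71.113 -d 10.241.177.51 -j ACCEPT",
    "-A INPUT -s 203.81.71.119 -d 10.241.184.99 -j ACCEPT",
    "-A INPUT -s 203.81.71.119 -d 10.241.177.51 -j DROP",
    "-A INPUT -s 203.81.71.113 -d 10.241.184.99 -j DROP",
    "-A INPUT -s 203.81.71.113 -i eth3 -j DROP",
    "-A INPUT -s 203.81.71.119 -i eth3 -j DROP",
]
IPRANGE_RULE = "-I INPUT -i eth0 -m iprange ! --src-range 10.10.10.10-22.22.22.21 -j DROP"

def parse_rule(line):
    """Reduce one rule line to {option: (value, negated)} plus its '-j' target."""
    tok, rule, i = line.split(), {}, 2               # tok[0:2] is '-A INPUT' or '-I INPUT'
    while i < len(tok):
        neg = tok[i] == "!"                          # a leading '!' inverts the next match
        opt, val = tok[i + neg], tok[i + 1 + neg]
        if opt == "-j":
            rule["target"] = val
        elif opt == "--src-range":
            lo, hi = (ipaddress.ip_address(a) for a in val.split("-"))
            rule[opt] = ((lo, hi), neg)
        elif opt != "-m":                            # '-m iprange' only loads the match module
            rule[opt] = (val, neg)
        i += 2 + neg
    return rule

def matches(rule, pkt):                              # pkt = (src, dst, in_iface)
    for opt, idx in (("-s", 0), ("-d", 1), ("-i", 2)):
        if opt in rule and (pkt[idx] == rule[opt][0]) == rule[opt][1]:
            return False                             # criterion fails (after negation)
    if "--src-range" in rule:
        (lo, hi), neg = rule["--src-range"]
        return (lo <= ipaddress.ip_address(pkt[0]) <= hi) != neg
    return True
def evaluate(rules, pkt, policy="ACCEPT"):           # first match wins, else chain policy
    return next((r["target"] for r in rules if matches(r, pkt)), policy)

def check_posted_rules():
    rules = [parse_rule(r) for r in POSTED_RULES]
    # Constructed: reply from .113 to the eth1 address; same reply to the eth2 address; tcping's
    # own SYN, where .113 is the DESTINATION (locally generated, so it traverses OUTPUT, not INPUT).
    pkts = [("203.81.71.113", "10.241.177.51", "eth1"),
            ("203.81.71.113", "10.241.184.99", "eth2"),
            ("10.241.177.51", "203.81.71.113", "eth1")]
    return [evaluate(rules, p) for p in pkts]        # ['ACCEPT', 'DROP', 'ACCEPT']

def check_iprange_rule():                            # '! --src-range': drop sources outside the range
    inside, outside = ("10.10.10.10", "22.22.22.22", "eth0"), ("22.22.22.22", "10.10.10.10", "eth0")
    return tuple(evaluate([parse_rule(IPRANGE_RULE)], p) for p in (inside, outside))  # ('ACCEPT', 'DROP')
```

The third packet shows why none of the "-s 203.81.71.113" rules can fire on tcping's own outgoing connection attempt: there the address sits in the destination field.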

please 01-01-2009 06:20 AM

Hi

OK, I will change 203.81.71.113 to -d.

If it is not OK, I will come back.

Thanks for the support.

please 01-01-2009 06:41 AM

Hi, I am OK with my old rules on the other PC with 2 NIC cards, but not OK with my 3 NIC PC.

I can use tcping. What do you think?

Thanks
Please

unixfool 01-01-2009 12:18 PM

Quote:

Originally Posted by jschiwal (Post 3392408)
The 10/8 network is private; the others in the range aren't, so what you want to do doesn't make sense from a security standpoint.

Actually it does, if this is an external interface. Spoof attacks use such IPs externally. You should block such incoming traffic from entering your LAN.

jschiwal 01-02-2009 06:00 PM

You said that you wanted to open up 10/8 to 22/8. That is a large range of addresses you want to trust, most of which are public internet addresses.

Quote:

any access 10.10.10.10 to 22.22.22.22

By the way, you can use the telnet client to test a connection instead of the ping command:

telnet hostname 22

If the ssh daemon is running and port 22 is open, you will get a prompt from the server. You don't get farther than that, but this even allows you to learn the version of ssh used, from the reply message. This can be even more useful than the ping command.
