iptables Help

billli · 08-09-2009, 04:00 PM

Hi!

I was wondering if someone could help me with iptables.

I have a server and I need to block all IPs except for:
the blocks: 128.96.*.* and 67.215.52.1

This is what I have so far: (at least I think what is correct)

iptables -A INPUT -s ! 128.96.0.0/16 -j DROP
iptables -A INPUT -s 67.215.52.1 -j ACCEPT

There are no other rules in the chain.

Any help would be appreciated.

win32sux · 08-09-2009, 04:09 PM

Welcome to LQ!

Quote:

Originally Posted by billli

I was wondering if someone could help me with iptables.

I have a server and I need to block all IPs except for:
the blocks: 128.96.*.* and 67.215.52.1

This is what I have so far: (at least I think what is correct)

iptables -A INPUT -s ! 128.96.0.0/16 -j DROP
iptables -A INPUT -s 67.215.52.1 -j ACCEPT

Your second rule would never get a chance to work, since the first one would have sent those packets to DROP.

I would suggest this approach instead:

Code:

iptables -A INPUT -s 128.96.0.0/16 -j ACCEPT
iptables -A INPUT -s 67.215.52.1 -j ACCEPT
iptables -A INPUT -j DROP

Of course, you probably want to allow packets on the loopback interface, so:

Code:

iptables -A INPUT -s 128.96.0.0/16 -j ACCEPT
iptables -A INPUT -s 67.215.52.1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j DROP

billli · 08-09-2009, 11:25 PM

Oh, I sees!
Thanks! =]

Just on a side note, for my information.

Say is it possible to only allow port 25 be accessed from 128.96.*.* and 67.215.52.1, while all the other port could be accessed by everyone?

Cheers

win32sux · 08-10-2009, 07:36 AM

Quote:

Originally Posted by billli

Say is it possible to only allow port 25 be accessed from 128.96.*.* and 67.215.52.1, while all the other port could be accessed by everyone?

Sure. One way could be like:

Code:

iptables -A INPUT -p TCP --dport ! 25 -s 128.96.0.0/16 -j DROP
iptables -A INPUT -p TCP --dport ! 25 -s 67.215.52.1 -j DROP
iptables -A INPUT -p TCP --dport 25 -j DROP
iptables -A INPUT -j ACCEPT

The last line isn't needed if you have your INPUT policy set to ACCEPT.

My next examples assume the policy is set to ACCEPT.

Another way might me:

Code:

iptables -A INPUT -p TCP --dport 25 -s 128.96.0.0/16 -j ACCEPT
iptables -A INPUT -p TCP --dport 25 -s 67.215.52.1 -j ACCEPT
iptables -A INPUT -s 128.96.0.0/16 -j DROP
iptables -A INPUT -s 67.215.52.1 -j DROP
iptables -A INPUT -p TCP --dport 25 -j DROP

Both examples assume that for those two IPs you only want port 25 to be accessible. In other words, any other ports won't be accessible to those two IPs. If what you meant was that you wanted port 25 to be accessible only to those IPs (while still allowing those two IPs to access any other port) then something like this could be used instead:

Code:

iptables -A INPUT -s 128.96.0.0/16 -j ACCEPT
iptables -A INPUT -s 67.215.52.1 -j ACCEPT
iptables -A INPUT -p TCP --dport 25 -j DROP