Iptables is converting -s 192.168.1.0/8 into 192.0.0.0/8 why !?

qwijibow · 01-26-2005, 09:42 AM

My firewall needs often change, in in an effort to make a easily felaxable firewall, i went tith the following format.

Chains like "DO_SSHD" find ssh traffic from valid hosts, then -j jumps it to anouther chain called "SSH_RULE"

i can then turn ON of OFF SSf with a simply comman...
iptables -F SSH_RULE
iptables -A SSH_RULE -j DROP

i do the same for Samba / FTP and HTTP servers.

there are 2 trusted Ip address ranges.. my university x.243.0.0/16 and the local network.
Iptables accepts x.243.0.0/16, and traffic from university is allowde through... however when i write the rule....

iptables -A DO_FTPD -p tcp --dport ftp -s 192.168.1.0/8 -j FTP_RULE

whn i look at the rile with "iptables -vL" the rule has changed to

Quote:

0 0 FTP_RULE tcp -- any any 192.0.0.0/8 anywhere tcp dpt:ftp

the WRONG ip range.

why is iptables doing this ? how should i specify all IP's in my home network (between 192.168.1.X ???)

i cant work it out, this is driving me mad !

incase its important, im running a freshly compiled Gentoo on the MAD64 platform, with kernel gentoo-2.6.9-r14.

thanX

jtshaw · 01-26-2005, 09:58 AM

The problem is the /8. The mask (number after the /) indicates how many bits to consider. An IP (version 4) is a 32 bit number. Each number between the .'s is 8 bits. By saying /8 you mean only match the first 8 bits. Thus 192.anything/8 would be matched as 192.0.0.0. If you want to match 192.168.1.x then you need to put 192.168.1.0/24. Since the first 3 bytes equals 24 bits.

qwijibow · 01-26-2005, 10:57 AM

Ahhh.. I thought /X meant consider the IP address, with range of IP + X bits From the right.... thanks