Old 01-26-2005, 08:42 AM   #1
LQ Guru
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Iptables is converting -s into why !?

My firewall needs often change, so in an effort to make an easily flexible firewall, I went with the following format.

Chains like "DO_SSHD" find ssh traffic from valid hosts, then -j jumps it to another chain called "SSH_RULE"

I can then turn SSH ON or OFF with a simple command...
iptables -F SSH_RULE
iptables -A SSH_RULE -j DROP

I do the same for Samba / FTP and HTTP servers.

There are 2 trusted IP address ranges: my university x.243.0.0/16 and the local network.
Iptables accepts x.243.0.0/16, and traffic from the university is allowed through... however when I write the rule....

iptables -A DO_FTPD -p tcp --dport ftp -s -j FTP_RULE

when I look at the rule with "iptables -vL" the rule has changed to

0 0 FTP_RULE tcp -- any any anywhere tcp dpt:ftp
the WRONG ip range.

Why is iptables doing this? How should I specify all IPs in my home network (between 192.168.1.X ???)

I can't work it out, this is driving me mad!

In case it's important, I'm running a freshly compiled Gentoo on the AMD64 platform, with kernel gentoo-2.6.9-r14.

Old 01-26-2005, 08:58 AM   #2
Senior Member
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
The problem is the /8. The mask (number after the /) indicates how many bits to consider. An IP (version 4) is a 32 bit number. Each number between the .'s is 8 bits. By saying /8 you mean only match the first 8 bits. Thus 192.anything/8 would be matched as If you want to match 192.168.1.x then you need to put Since the first 3 bytes equals 24 bits.
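An added example, not part of the thread, that works through the point made in the reply above: the prefix length after the slash counts bits from the left, so iptables keeps only those bits of the address typed after -s and discards the rest, which is what "iptables -vL" then displays. The addresses used are constructed for the demonstration.

```python
# Added example (not from the thread): how a CIDR prefix length selects
# bits from the LEFT of an IPv4 address, and why "-s 192.168.1.0/8" ends up
# covering all of 192.0.0.0/8 instead of just the 192.168.1.x LAN.

def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer (first octet is most significant)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(prefix: int) -> int:
    """/prefix -> netmask with the top `prefix` bits set, e.g. /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def normalize(cidr: str) -> str:
    """Return the network a -s/-d argument really selects: host bits below the
    prefix are zeroed, which is why the listing shows a different address."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen) if plen else 32          # no slash means a single host
    network = ip_to_int(addr) & prefix_mask(prefix)
    return f"{int_to_ip(network)}/{prefix}"

def matches(cidr: str, ip: str) -> bool:
    """True if `ip` falls inside the CIDR range, comparing only the prefix bits."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen) if plen else 32
    mask = prefix_mask(prefix)
    return (ip_to_int(addr) & mask) == (ip_to_int(ip) & mask)

if __name__ == "__main__":
    for rule in ("192.168.1.0/8", "192.168.1.0/16", "192.168.1.0/24"):
        print(f"{rule:16} -> iptables matches {normalize(rule)}")
    # With /8 a host that is not on the LAN at all still passes the rule.
    print(matches("192.168.1.0/8", "192.0.2.50"))    # True  (too broad)
    print(matches("192.168.1.0/24", "192.0.2.50"))   # False (rejected)
    print(matches("192.168.1.0/24", "192.168.1.77")) # True  (LAN host)
```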
Old 01-26-2005, 09:57 AM   #3
LQ Guru
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
Ahhh... I thought /X meant consider the IP address, with a range of IP + X bits from the right.... thanks

Last edited by qwijibow; 01-26-2005 at 10:06 AM.

