LinuxQuestions.org
Old 02-24-2011, 12:42 PM   #1
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

IPtables rule


Could anyone provide me with an IP tables command that will:
Quote:
Clear all IPtable rules
Allow anything incoming
Allow anything outgoing to 192.168.100.0/24 network
Do not Allow any outgoing anywhere else
More or less, I only want this server to be able to communicate with the 192.168.100/24 network, and nothing else.

Thank you
 
Old 02-24-2011, 01:23 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Try the following:

To clear: iptables -F (F is for flush)
Then set the policy for input and output as accept and drop respectively
iptables --policy INPUT accept
iptables --policy OUTPUT drop

Then on your output table set it to accept for the dport for the range of interest
iptables -p tcp --dport 192.168.100.0/24 -j ACCEPT

Once you have it running, use iptables-save to save the configuration and iptables-restore to restore it automatically.

You may want to set the input to accept established and related instead of accept unless you think that nothing inbound from other sources will be a problem.
 
1 members found this post helpful.
Old 02-24-2011, 01:28 PM   #3
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

Original Poster
iptables -p tcp --dport 192.168.100.0/24 -j ACCEPT

This doesn't seem to work -- dport looks like it means destination port. How do I specify destination network or something similar?

Last edited by szboardstretcher; 02-24-2011 at 01:37 PM.
 
Old 02-24-2011, 01:33 PM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Sorry about the capitalization. It is hard to remember with iptables what has to be capitalized and what doesn't.
 
Old 02-24-2011, 01:47 PM   #5
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

Original Poster
Quote:
Originally Posted by Noway2 View Post
Sorry about the capitalization. It is hard to remember with iptables what has to be capitalized and what doesn't.
Actually.. this doesn't work at all. Except the "clear/flush" part.

Again, what I would like is this:

Quote:
Clear all IPtable rules
Allow anything incoming (so we can hit ssh, web etc..)
Allow anything outgoing to 192.168.100.0/24 network (so we can pull files from trust)
Do not Allow any outgoing anywhere else (so it doesn't go anywhere else)
Allow loopback (is that needed?)

Last edited by szboardstretcher; 02-24-2011 at 01:49 PM.
 
Old 02-24-2011, 02:22 PM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,106
Blog Entries: 3

This should do what you are looking for.

Code:
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 192.168.100.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DROP
If you let me know what you are trying to do I will be able to build you a better firewall.
You could also look at lokkit for building your firewall.
 
1 members found this post helpful.
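An added example, not posted by anyone in this thread: a POSIX shell script that writes the rule set from post #6 in the iptables-restore format that post #2 recommends saving to, with a CIDR check so a typo cannot produce an OUTPUT rule broader than intended. The function names, the FORWARD DROP policy (the thread never mentions FORWARD) and using the chain policy instead of a trailing `-j DROP` rule are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): emit post #6's rule set in
# iptables-restore format, so it can be applied atomically with
# `iptables-restore < rules.v4` and persisted as post #2 suggests.

# Accept only a dotted-quad IPv4 prefix in CIDR form, e.g. 192.168.100.0/24,
# so a typo like "192.168.100/24" is rejected instead of becoming a rule.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the ruleset. OUTPUT is default-DROP via the chain policy rather than
# a trailing `-j DROP` rule, so a rule appended later cannot slip past it.
gen_rules() {
    net="$1"
    valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is needed for local services (the OP's question in post #5)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# inbound left open, as the OP asked; see post #7 for why that is unusual
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# outbound only to the trusted network, including replies on its connections
-A OUTPUT -d $net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Review check: count OUTPUT rules that would let traffic leave to anywhere
# other than loopback or the trusted network. Should be 0.
leaky_output_rules() {
    gen_rules "$1" | grep -E '^-A OUTPUT' | grep -vE -- "-o lo|-d $1" | wc -l | tr -d ' '
}
```

Run it as `gen_rules 192.168.100.0/24 > /etc/iptables/rules.v4` (path assumed) and load with iptables-restore; lines starting with `#` are ignored by iptables-restore.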
Old 02-24-2011, 07:45 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by szboardstretcher View Post
I only want this server to be able to communicate with the 192.168.100/24 network, and nothing else.
Then it seems rather odd that you want to allow inbound packets from any network.

May I ask why you want your INPUT chain rules to be so lax, or rather, non-existent?
 
Old 02-24-2011, 08:30 PM   #8
coolsreejith
LQ Newbie
 
Registered: Oct 2010
Distribution: CentOS 5.5
Posts: 23

iptables -F
iptables -A OUTPUT -d ! 192.168.100.0/24 -j REJECT
service iptables save
 