Quote:
Originally Posted by Tom Douglas
So I'd need to define from the command prompt? ...As opposed to putting it directly into iptables?
I'm manually editing iptables because I haven't found the file that "IPT -A FILTER_BAD_IPS -s...", etc. go to.
When you execute iptables commands, they only change your active configuration - no file is edited.
Quote:
I know that the resulting iptable can be listed (iptable -L).
Yes, you view your active configuration like that.
Quote:
I suppose I could set up a script to have run upon boot.
You could, but you don't need to - see below.
Quote:
Is editing the iptables file itself not the correct way? Wouldn't the command line entries get purged every time I restart iptables? I'd want to hang on to them.
The kosher way of going about this is to use iptables to set everything up the way you want it (active configuration). Then, once you know you have everything set right, you proceed to save the active configuration so that it will be loaded automatically every startup. To save your configuration you can use either of these two commands:
Code:
service iptables save
Code:
iptables-save > /etc/sysconfig/iptables
Both of these commands will properly populate your config file.
IMHO you should never manually edit the configuration file - no matter what any tutorial might say.
Quote:
This example looks like we're DROPing specific IP addresses -- is this true?
Yes, we are sending to DROP any packets with those source addresses.
Quote:
I need to ACCEPT very few specific IP addresses on my private LAN, and DROP the rest.
I assume this means you want to allow incoming connections from certain IPs on your LAN - while denying any incoming connections from any other IPs. This can be done as follows.
Code:
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
The example above denies any incoming connections whatsoever. We are only sending to ACCEPT packets which are in state RELATED or ESTABLISHED - essentially, packets which are a part of existing connections (or separate connections which were required). Any packets which are not in either of those states will get sent to DROP when they run into the chain's policy. So we basically just need to make ACCEPT rules for the IPs we wish to make exceptions for:
Code:
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.1.123 -m state --state NEW -j ACCEPT
$IPT -A INPUT -s 192.168.1.234 -m state --state NEW -j ACCEPT
Now there are two IPs which are allowed to start connections to us. When these IPs try to start a connection with us, their first packets will be of state NEW (and will be sent to ACCEPT) - their subsequent packets (of a particular connection) will be either of state RELATED or ESTABLISHED (and will be sent to ACCEPT). Any non-local packets (regardless of source address) of state INVALID will get sent to DROP by our policy, since they won't match any rule.
Quote:
Just because I'm paranoid.
Welcome to the club!
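The whole procedure from the reply above (build the allow-list INPUT chain in the active configuration, check it, then persist it) as one script. This is an added example, not code from the original post: the two addresses 192.168.1.123 and 192.168.1.234 are the constructed samples from the thread, `/sbin/iptables` and `/etc/sysconfig/iptables` assume a RHEL/CentOS-style box where `service iptables save` and that file exist, and the `DRY_RUN` switch is this script's own convention so the rule set can be reviewed without root. It differs from the post's listing in two ways a practitioner would want: the DROP policy is set last, so an SSH session you are running it over is never cut between the flush and the RELATED,ESTABLISHED rule, and INVALID packets are dropped explicitly rather than left to the policy.

```shell
#!/bin/sh
# Added example (not from the original post): allow-list INPUT chain, then save it.
# Run from the console or over SSH as root:   sh lan-allowlist.sh apply
# Preview the commands without touching netfilter (no root needed):
#   DRY_RUN=1 sh lan-allowlist.sh apply

IPT="${IPT:-/sbin/iptables}"                                   # assumed binary path
ALLOWED_IPS="${ALLOWED_IPS:-192.168.1.123 192.168.1.234}"      # constructed sample addresses
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"              # RHEL/CentOS location (assumed)

# Every iptables invocation goes through run(), so DRY_RUN=1 prints the
# exact command line instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_input_rules() {
    # Start from an empty INPUT chain so re-running the script does not
    # pile up duplicate rules.
    run "$IPT" -F INPUT

    # Existing connections first: this is what keeps your own SSH session alive
    # once the policy flips to DROP at the end.
    run "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Loopback traffic is always local; never block it.
    run "$IPT" -A INPUT -i lo -j ACCEPT

    # Malformed / untrackable packets: drop them explicitly instead of relying
    # on the chain policy, so the decision is visible in "iptables -S INPUT".
    run "$IPT" -A INPUT -m state --state INVALID -j DROP

    # The exceptions: only these sources may open NEW connections to us.
    for ip in $ALLOWED_IPS; do
        run "$IPT" -A INPUT -s "$ip" -m state --state NEW -j ACCEPT
    done

    # Policy last. Everything that matched no rule above (NEW from any other
    # address) now hits DROP.
    run "$IPT" -P INPUT DROP
}

# Show the active configuration the way the reply suggests (-S is the
# rule-spec form; "$IPT -L -n -v" works just as well).
show_input_rules() {
    run "$IPT" -S INPUT
}

# Persist the active configuration so it is reloaded at boot. Equivalent to
# "service iptables save" on the same distributions.
save_rules() {
    run sh -c "$IPT-save > $SAVE_FILE"
}

if [ "${1:-}" = "apply" ]; then
    build_input_rules
    show_input_rules
    save_rules
fi
```

Review the `DRY_RUN=1` output before running it for real: the first line must be the flush and the last must be the `-P INPUT DROP`, with one `--state NEW -j ACCEPT` rule per address in `ALLOWED_IPS`. If you later decide to add an address, add the rule with `$IPT -I INPUT ... ` or re-run the script, and save again; editing the saved file by hand is exactly what the reply advises against.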