[vox-tech] ip tables questions

Cylar Z cylarz at yahoo.com
Mon May 15 02:05:17 PDT 2006


Hey Linux gurus...

I'm running Fedora Core 5 and want to customize my
iptables firewall in order to bolster system security.
I have three separate questions that aren't being
answered by the tutorials I've read:

1. I want to ban an entire range of IP address within
a given network, not just a single IP. There's got to
be a way to do that w/o typing out 256 or more
addresses and entering them in one-by-one! I typed the
following command, and this is what the system said:
-----
root# iptables -A INPUT -j DROP 123.456.789.0/24
Bad argument `123.456.789.0/24'
Try `iptables -h' or 'iptables --help' for more
information.
root#
------

Where of course 123.456.789.0 is the class C network
whose incoming packets I'm trying to stop at my
firewall. It is to be completely prohibited from
contacting the system in any way and any packets that
do arrive from there are to go unacknowledged. I don't
even want users on that network being able to view my
web pages.

Needless to say, I did as suggested and looked at
iptables -h, as well as the man page. No help there.

So what's wrong with my syntax? The tutorial I was
using swears up and down that the command *should*
work as advertised. Maybe iptables has changed since
it was written, so can anyone tell me the correct
syntax?

2. I entered a long list of individual IP addresses
into the firewall using the command given above. I
confirmed that they'd been loaded by running iptables
-L. It showed me the rules as I expected to see.
HOWEVER, the rules were all gone when I rebooted the
entire system and ran iptables -L a second time. What
do I need to do in order to make the iptables rules
permanent so that they'll survive a system reboot?

3. Lastly, I'd like to write a rule that says "Ban ALL
connections from ALL systems, except for the ones
explicitly allowed to connect." I'd also like to write
a rule that says, "If a system wants to connect to
port 80, check the banned list. If it's not there, let
it in."

Where in the iptables rule list would I put such rules
- the beginning or the end? I'm afraid of guessing
wrong and locking myself out of my own server. Does
iptables look at the "allow" section before it looks
at the "deny" section (the way TCP wrappers does), or
does it just apply the rules sequentially?

Thanks in advance,
Matt
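An added example, not part of Matt's post or any reply to it, covering all three questions at once: it prints a ruleset in the format iptables-save writes and iptables-restore reads, so the CIDR ban (question 1), the on-disk persistence (question 2) and the rule ordering (question 3) can be read and checked before anything is loaded into the kernel. It assumes the RFC 5737 documentation network 192.0.2.0/24 as a stand-in for the network in the post, and a constructed admin host 198.51.100.10 as the only address allowed to reach ssh.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an iptables-restore
# ruleset answering the three questions. Assumptions: the banned network is
# the placeholder 192.0.2.0/24 and the admin host is 198.51.100.10 (constructed).
BANNED_NET="${BANNED_NET:-192.0.2.0/24}"   # stands in for the network in the post
ADMIN_HOST="${ADMIN_HOST:-198.51.100.10}"  # only host allowed to reach ssh

# Print the ruleset. Rules in a chain are checked top to bottom and the first
# match wins; the chain policy applies only when nothing matched. That is why
# the ban sits before the port-80 accept and why the default policy is DROP.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Ban a whole network: the address is a match (-s, source), given before -j.
-A INPUT -s ${BANNED_NET} -j DROP
# Always allow loopback and replies to connections this host started.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Explicit allows; the banned network never reaches them because rule 1 matched.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -s ${ADMIN_HOST} -p tcp --dport 22 -j ACCEPT
# Everything else falls through to the INPUT policy (DROP) declared above.
COMMIT
EOF
}

# Number of ruleset lines matching a pattern, for a sanity check before loading.
count_rules() {
    gen_rules | grep -c -- "$1"
}

# 1-based position of the first -A rule matching a pattern (checks ordering).
rule_position() {
    gen_rules | grep '^-A' | grep -n -- "$1" | head -n1 | cut -d: -f1
}

# 2. Persistence: the Fedora Core 5 iptables init script restores
# /etc/sysconfig/iptables at boot, and `service iptables save` writes the
# live rules there. Usage, as root, after reviewing the output:
#   gen_rules > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4 && service iptables save
```

Load it from a console session rather than over ssh the first time, since the INPUT policy is DROP and only the listed rules let traffic in.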
