[vox-tech] ip tables questions

JM jerome at gmanmi.tv
Mon May 15 03:24:08 PDT 2006


I think it's:

iptables -A INPUT -s 123.456.789.0/24 -p tcp -j DROP
iptables -A INPUT -s 123.456.789.0/24 -p udp -j DROP

Though I haven't tried removing the protocol option, so you may want to test
it.

hth
 

On Monday 15 May 2006 17:05, Cylar Z wrote:
> Hey Linux gurus...
>
> I'm running Fedora Core 5 and want to customize my
> iptables firewall in order to bolster system security.
> I have three separate questions that aren't being
> answered by the tutorials I've read:
>
> 1. I want to ban an entire range of IP address within
> a given network, not just a single IP. There's got to
> be a way to do that w/o typing out 256 or more
> addresses and entering them in one-by-one! I typed the
> following command, and this is what the system said:
> -----
> root# iptables -A INPUT -j DROP 123.456.789.0/24
> Bad argument `123.456.789.0/24'
> Try `iptables -h' or 'iptables --help' for more
> information.
> root#
> ------
>
> Where of course 123.456.789.0 is the class C network
> whose incoming packets I'm trying to stop at my
> firewall. It is to be completely prohibited from
> contacting the system in any way and any packets that
> do arrive from there are to go unacknowledged. I don't
> even want users on that network being able to view my
> web pages.
>
> Needless to say, I did as suggested and looked at
> iptables -h, as well as the man page. No help there.
>
> So what's wrong with my syntax? The tutorial I was
> using swears up and down that the command *should*
> work as advertised. Maybe iptables has changed since
> it was written, so can anyone tell me the correct
> syntax?
>
> 2. I entered a long list of individual IP addresses
> into the firewall using the command given above. I
> confirmed that they'd been loaded by running iptables
> -L. It showed me the rules as I expected to see.
> HOWEVER, the rules were all gone when I rebooted the
> entire system and ran iptables -L a second time. What
> do I need to do in order to make the iptables rules
> permanent so that they'll survive a system reboot?
>
> 3. Lastly, I'd like to write a rule that says "Ban ALL
> connections from ALL systems, except for the ones
> explicitly allowed to connect." I'd also like to write
> a rule that says, "If a system wants to connect to
> port 80, check the banned list. If it's not there, let
> it in."
>
> Where in the iptables rule list would I put such rules
> - the beginning or the end? I'm afraid of guessing
> wrong and locking myself out of my own server. Does
> iptables look at the "allow" section before it looks
> at the "deny" section (the way TCP wrappers does), or
> does it just apply the rules sequentially?
>
> Thanks in advance,
> Matt
>
>
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
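
An added worked example (editor's, not from either poster) covering the three questions above: the script below generates a complete filter-table ruleset in the format iptables-save writes and iptables-restore reads. It assumes the banned networks are passed in as a whitespace-separated list of CIDR ranges, that one administrative network should still be allowed to reach SSH, and it uses RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) as constructed stand-ins for the 123.456.789.0/24 placeholder in the question. The `-s` match takes a CIDR range directly, and leaving out `-p` makes a rule match every protocol, so one rule per range is enough. iptables has no separate "allow" and "deny" sections: each chain is walked top to bottom and the first rule with a terminating target (ACCEPT or DROP) decides the packet, so the ban check is placed before every ACCEPT, and the chain policy of DROP catches everything that no ACCEPT rule matched.

```shell
#!/bin/sh
# Added example (not code from the vox-tech thread): emit an iptables-restore
# style filter-table ruleset that drops whole CIDR ranges, is default-deny
# with an explicit allow list, and can be written to a file so it survives
# a reboot.
#
# Assumptions (the editor's, not the poster's): banned networks arrive as a
# whitespace-separated list in $1, one admin network in $2 may open SSH, and
# the sample networks are RFC 5737 documentation ranges.

gen_rules() {
    banned=$1      # e.g. "203.0.113.0/24 198.51.100.0/24"
    admin_net=$2   # e.g. "192.0.2.0/24", the only source allowed to SSH in

    printf '%s\n' '*filter'
    # Chain policies: anything not matched by an ACCEPT rule below is dropped.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # A user-defined chain holding the ban list, one rule per CIDR range.
    # No -p option, so each rule matches every protocol, not just tcp or udp.
    printf '%s\n' ':BANNED - [0:0]'
    for net in $banned; do
        printf '%s\n' "-A BANNED -s $net -j DROP"
    done
    # Chains are evaluated top to bottom and the first terminating target
    # (ACCEPT/DROP) wins, so the ban check comes before every ACCEPT, including
    # the ESTABLISHED rule: an already-open session from a banned net dies too.
    printf '%s\n' '-A INPUT -j BANNED'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, and packets of accepted flows.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Web is open to everyone who got past BANNED; SSH only from the admin net.
    printf '%s\n' '-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT'
    printf '%s\n' "-A INPUT -s $admin_net -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Returns 0 if the ruleset text in $1 contains a ban rule for network $2.
bans_net() {
    printf '%s\n' "$1" | grep -qx -e "-A BANNED -s $2 -j DROP"
}

# Sample run with the constructed placeholder networks.
gen_rules "203.0.113.0/24 198.51.100.0/24" "192.0.2.0/24"
```

Load the output with `iptables-restore < rules.txt` and check it with `iptables -L -n -v`. On Fedora Core 5 the `iptables` init script restores `/etc/sysconfig/iptables` at boot, so either write the generated ruleset there or run `service iptables save` after loading it, and confirm the service is enabled with `chkconfig --list iptables`. Before loading a default-DROP policy over SSH, schedule an escape hatch such as `echo 'iptables -P INPUT ACCEPT; iptables -F INPUT' | at now + 5 minutes` and cancel it with `atrm` once you have confirmed you can still log in.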

