[vox-tech] ip tables questions

Jan W jcwynholds at yahoo.com
Mon May 15 13:30:25 PDT 2006


Hi Z:

1:

root at somemachine# iptables -A INPUT -s 123.456.789.0/24 -j ACCEPT

You just need to add the '-s'ource address before you '-j'ump to your
target.


2:

fedora/redhat comes with a utility called 'iptables-save'.  This dumps
your current rules to stdout.  If you redirect those to a config file
where fc/rhl can pick it up, it will restore your rulesets on restart. 
The files are plain text files that live in a directory called
'/etc/sysconfig' and the file names are 'iptables' and
'iptables-config'.  The output of 'iptables-save' should go in
'iptables' and if you do any weird configuration, look in
'iptables-config'.  Also, there is a line in
'/etc/sysconfig/iptables-config' that reads:

IPTABLES_SAVE_ON_STOP="no"

If you change this value to "yes", then everything will be saved for
you on reboot :) 

Or, you can run 'iptables-save' manually.

eg:

root at somemachine# iptables-save > /etc/sysconfig/iptables
root at somemachine# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Mon May 15 12:54:51 2006
*filter
:INPUT ACCEPT [174:19028]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19:3920]
-A INPUT -s 123.456.789.0/255.255.255.0 -j ACCEPT 
COMMIT
# Completed on Mon May 15 12:54:51 2006

3:

Implement the policy for the chain (INPUT):

root at somemachine# iptables -P INPUT DROP

And to answer your question about how the rules are applied, the packet
traverses the chain until (if it matches no rules in the chain) it hits
the POLICY.  The policy is always the last rule in the chain.  

So if you wanted to allow a range in, and exclude everyone else, I
would add one rule to allow your range in, and set the policy to DROP
(conf 1).  Conversely, you could add a single rule to deny everyone who
is _not_ in your range, and set the policy to ACCEPT (conf 2).

conf 1:
iptables -A INPUT -s 123.456.789.0/24 -j ACCEPT
iptables -P INPUT DROP

conf 2**:

iptables -A INPUT -s \! 123.456.789.0/24 -j DROP
iptables -P INPUT ACCEPT

** = the ! char means 'not' to iptables.  But many shells will gobble
it and treat it as a special character (or a reserved word or variable
or some such, but not as a string argument like we need it to be). 
Enclose the !address in single quotes, or just escape the ! with a
backslash \.

Post back if you have more questions.  Good luck!

--HTH

jan
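A constructed first-match evaluator for the INPUT chain, added here and not part of the original thread: it parses the iptables-save format shown above (only -s, the old-style `-s !` inversion, -p, --dport and -j are understood), tests a packet against the rules top to bottom and falls through to the chain policy only when nothing matched, so conf 1, conf 2 and a "banned list first, then port 80" ruleset can be compared. The trusted range 192.0.2.0/24 and banned range 203.0.113.0/24 are assumed stand-ins, since 123.456.789.0/24 is not a valid address.

```python
"""Constructed first-match evaluator for the iptables INPUT chain (added
example, not code from the original thread).  Rules are read in iptables-save
format and walked top to bottom; the first match decides, else the policy."""
import ipaddress
import shlex

def parse_ruleset(text):
    """Return (policy, rules) for the INPUT chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line.split("#", 1)[0])   # drop '# Generated by' lines
        if tok and tok[0] == ":INPUT":             # ':INPUT DROP [pkts:bytes]'
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            rule, neg, i = {}, False, 2
            while i < len(tok):
                opt, val = tok[i], tok[i + 1]
                if opt == "-s":
                    if val == "!":                 # old style: '-s ! addr'
                        neg, i, val = True, i + 1, tok[i + 2]
                    rule["src"] = (ipaddress.ip_network(val), neg)  # mask ok
                elif opt == "-p":
                    rule["proto"] = val
                elif opt == "--dport":
                    rule["dport"] = int(val)
                elif opt == "-j":
                    rule["target"] = val
                i += 2
            rules.append(rule)
    return policy, rules

def evaluate(policy, rules, src, proto="tcp", dport=80):
    """Target for a packet from src to proto/dport: first match, else policy."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if "src" in r and (addr in r["src"][0]) == r["src"][1]:
            continue                               # source test failed
        if r.get("proto", proto) != proto or r.get("dport", dport) != dport:
            continue                               # port/protocol test failed
        return r["target"]
    return policy                                  # no rule matched

# Constructed rulesets; 192.0.2.0/24 is the trusted range, 203.0.113.0/24 banned.
CONF1 = ":INPUT DROP [0:0]\n-A INPUT -s 192.0.2.0/255.255.255.0 -j ACCEPT\nCOMMIT"
CONF2 = ":INPUT ACCEPT [0:0]\n-A INPUT -s ! 192.0.2.0/24 -j DROP\nCOMMIT"
# Banned list first, then "anyone else may reach port 80", everything else dropped.
CONF3 = (":INPUT DROP [0:0]\n-A INPUT -s 203.0.113.0/24 -j DROP\n"
         "-A INPUT -p tcp --dport 80 -j ACCEPT\nCOMMIT")
```

Swapping the two rules in CONF3 lets the banned range reach port 80, which is the ordering trap the question worries about.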


--- Cylar Z <cylarz at yahoo.com> wrote:

> Hey Linux gurus...
> 
> I'm running Fedora Core 5 and want to customize my
> iptables firewall in order to bolster system security.
> I have three separate questions that aren't being
> answered by the tutorials I've read:
> 
> 1. I want to ban an entire range of IP address within
> a given network, not just a single IP. There's got to
> be a way to do that w/o typing out 256 or more
> addresses and entering them in one-by-one! I typed the
> following command, and this is what the system said:
> -----
> root# iptables -A INPUT -j DROP 123.456.789.0/24
> Bad argument `123.456.789.0/24'
> Try `iptables -h' or 'iptables --help' for more
> information.
> root#
> ------
> 
> Where of course 123.456.789.0 is the class C network
> whose incoming packets I'm trying to stop at my
> firewall. It is to be completely prohibited from
> contacting the system in any way and any packets that
> do arrive from there are to go unacknowledged. I don't
> even want users on that network being able to view my
> web pages.
> 
> Needless to say, I did as suggested and looked at
> iptables -h, as well as the man page. No help there.
> 
> So what's wrong with my syntax? The tutorial I was
> using swears up and down that the command *should*
> work as advertised. Maybe iptables has changed since
> it was written, so can anyone tell me the correct
> syntax?
> 
> 2. I entered a long list of individual IP addresses
> into the firewall using the command given above. I
> confirmed that they'd been loaded by running iptables
> -L. It showed me the rules as I expected to see.
> HOWEVER, the rules were all gone when I rebooted the
> entire system and ran iptables -L a second time. What
> do I need to do in order to make the iptables rules
> permanent so that they'll survive a system reboot?
> 
> 3. Lastly, I'd like to write a rule that says "Ban ALL
> connections from ALL systems, except for the ones
> explicitly allowed to connect." I'd also like to write
> a rule that says, "If a system wants to connect to
> port 80, check the banned list. If it's not there, let
> it in." 
> 
> Where in the iptables rule list would I put such rules
> - the beginning or the end? I'm afraid of guessing
> wrong and locking myself out of my own server. Does
> iptables look at the "allow" section before it looks
> at the "deny" section (the way TCP wrappers does), or
> does it just apply the rules sequentially?
> 
> Thanks in advance, 
> Matt
> 
> 
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
> 


<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
I believe that unarmed truth and unconditional love will have the final word in reality. That is why right, temporarily defeated, is stronger than evil triumphant.
    Martin Luther King Jr., Accepting Nobel Peace Prize, Dec. 10, 1964
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><


