Gossamer Forum
iptables
I think I have the hang of iptables now and I've added a few rules to block certain hosts. I've restarted iptables and iptables --list shows:

Code:
target prot opt source destination
DROP all -- wanadoo.fr anywhere

...amongst others, but it seems that it isn't blocking anyone as I got someone to test and they can still access my website.

What did I do wrong?

Last edited by: Paul: Nov 18, 2002, 2:23 PM
Re: [Paul] iptables
Try enabling logging like:

$IPTABLES -A INPUT -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "Internal: "

and then check /var/log/messages for any output.

Cheers,

Alex
--
Gossamer Threads Inc.
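As an added example (not part of the thread), here is what the LOG target writes to /var/log/messages and a small shell function to tally those hits by source address and destination port, so you can tell whether a rule is matching at all. The log lines are constructed for this example (addresses from the RFC 1918 and RFC 5737 ranges); they follow the field layout the kernel uses for -j LOG, with the log prefix "Internal: " from Alex's rule.

```shell
#!/bin/sh
# Added example, not from the forum thread: reading -j LOG output back out
# of /var/log/messages. SAMPLE_LOG below is constructed for illustration.
set -eu

# Constructed sample of /var/log/messages after a rule with
# --log-prefix "Internal: " (hosts are documentation-range placeholders).
SAMPLE_LOG='Nov 18 14:23:01 web kernel: Internal: IN=eth0 OUT= MAC=00:50:56:01:02:03:00:0c:29:aa:bb:cc:08:00 SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=33214 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 14:23:05 web kernel: Internal: IN=eth0 OUT= MAC=00:50:56:01:02:03:00:0c:29:aa:bb:cc:08:00 SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=33215 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 14:23:09 web sshd[1234]: Accepted password for paul from 192.0.2.77 port 4411 ssh2
Nov 18 14:24:00 web kernel: Internal: IN=eth0 OUT= MAC=00:50:56:01:02:03:00:0c:29:dd:ee:ff:08:00 SRC=10.9.8.7 DST=192.0.2.10 LEN=72 TOS=0x00 PREC=0x00 TTL=128 ID=777 PROTO=UDP SPT=5353 DPT=53 LEN=52'

# count_hits PREFIX < logfile
# Keeps only kernel lines carrying the given --log-prefix, then tallies them
# by source address and destination port. Prints "SRC DPT COUNT", sorted.
count_hits() {
    prefix="$1"
    grep -F "kernel: $prefix" | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") hits[src " " dpt]++
        }
        END { for (k in hits) print k, hits[k] }' | sort
}

# Against the live log you would run:  count_hits "Internal: " < /var/log/messages
# Here it runs over the constructed sample instead.
printf '%s\n' "$SAMPLE_LOG" | count_hits "Internal: "
```

If the tally stays empty after the host you are trying to block has connected, the packet never reached that rule, which points at an earlier ACCEPT in the chain rather than at the LOG rule itself.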
Re: [Alex] iptables
Remember that to use -j LOG you need the required options or modules (depends on how you compiled your kernel).

You also will want to check if you have a rule earlier in the chain that allows all/some hosts through, since ipchains/iptables goes top-down through the rules till it hits a matching DROP/REJECT (or equivalent).

Adrian
Re: [brewt] iptables
I'm screwed again. I've blocked myself out.

I set up a rule to allow my ip access to any protocol and then added a rule to block everything else but the second rule seems to override the first and it blocks me completely.
Re: [brewt] iptables
omg, you are meant to add the rules whilst iptables is stopped - is that right?

Ugh, I had it on - I kept wondering why it was blocking me right away. Shit.

Still can't figure out why the rules aren't working as I expected :(
Re: [Paul] iptables
Basically, if you write your own ipchains/iptables firewall script, you want to do something like:

1) flush rules
2) setup rules
3) add ip's with unrestricted access (if you want)
4) ip's with no access to certain ports or all ports
5) open up for services
6) block everything else w/ ports <= 1024

With a more relaxed firewall (as described above), you'll want to only block lower privileged ports (<= 1024) and just open up the ports where you're running services. You can be more restrictive and block all ports, but it's a little more complicated and you may run into problems.

Best bet would be to take a look at some of the scripts on freshmeat.net, but note that some of these are overly complicated and some just suck :).

Adrian
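As an added example (not a script from the thread or from any of the posters), here is a firewall script laid out in the six steps Adrian lists above, which also shows the ordering point from his earlier reply: the per-host ACCEPT is placed before any DROP, because the first matching rule in a chain decides and later rules never run. All addresses and ports are assumptions for illustration: the admin host 192.0.2.10, the blocked network 203.0.113.0/24 and the service ports 22/80/443 are placeholders from the RFC 5737 documentation ranges, and the iptables path is assumed to be /sbin/iptables.

```shell
#!/bin/sh
# Added example, not from the forum thread: an INPUT chain built in the order
# flush / setup / unrestricted hosts / blocked hosts / services / block rest.
# ADMIN_IP, BLOCKED_NET and SERVICE_PORTS are placeholder assumptions.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"      # set IPTABLES=echo for a dry run
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"          # host that must never be locked out
BLOCKED_NET="${BLOCKED_NET:-203.0.113.0/24}"
SERVICE_PORTS="${SERVICE_PORTS:-22 80 443}"

fw_rules() {
    # 1) flush: empty INPUT with an ACCEPT policy first, so a script that
    #    dies halfway through does not leave the box unreachable
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT

    # 2) setup: loopback, and replies to connections this host opened
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3) hosts with unrestricted access; this must sit above every DROP,
    #    since rules are checked top-down and the first match wins
    $IPTABLES -A INPUT -s "$ADMIN_IP" -j ACCEPT

    # 4) hosts with no access at all; LOG first, then DROP, so each blocked
    #    packet shows up in /var/log/messages and the rule can be verified
    $IPTABLES -A INPUT -s "$BLOCKED_NET" -j LOG --log-prefix "FW-DROP: "
    $IPTABLES -A INPUT -s "$BLOCKED_NET" -j DROP

    # 5) open up only the ports the services actually listen on
    for port in $SERVICE_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
    done

    # 6) block everything else on the privileged ports (<= 1024)
    $IPTABLES -A INPUT -p tcp --dport 0:1024 -j DROP
    $IPTABLES -A INPUT -p udp --dport 0:1024 -j DROP
}

# Only touch the running firewall when explicitly asked; "dry-run" prints
# the commands instead so the ordering can be reviewed before applying.
case "${1:-}" in
    apply)   fw_rules ;;
    dry-run) IPTABLES=echo; fw_rules ;;
esac
```

Run it as `sh fw.sh dry-run` first and read the printed rules top to bottom: the line with your own address and -j ACCEPT has to appear before any -j DROP line, otherwise you have reproduced the lockout from the posts above. Because the script flushes and rebuilds the chain itself, it is run while iptables is active; there is no need to stop the firewall to change the rules.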
Re: [brewt] iptables
I used the following and it works perfectly until the final four DENY rules just near the end, which is the point at which it blocks me totally...

http://www.sns.ias.edu/...es/index.html#CONFIG

Last edited by: Paul: Nov 19, 2002, 2:28 AM
Re: [brewt] iptables
Does this look like a decent example that will work?

http://www.brandonhutchinson.com/iptables_fw.html