?
Solved

Ip tables rules block specific range

Posted on 2014-03-06
8
Medium Priority
?
194 Views
Last Modified: 2014-10-21
Hi
I need help writing iptables rules that will allow a certain range of private address (192.168.0.80-100)  outgoing access to one or two specific named sites and nothing else.

Here is my current setup
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


Thank you
0
Comment
Question by:santasvillage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 6

Assisted Solution

by:Jordan Medlen
Jordan Medlen earned 1000 total points
ID: 39909291
You would use the following syntax...

-m iprange --src-range 192.168.0.80-192.168.0.100 -j ACTION

You can read more in the following article.

http://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html
0
 

Author Comment

by:santasvillage
ID: 39909493
Could you give more specific help?  This really is not my forte..

Thank you
0
 
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39909513
What are the two named sites that you want the IP addresses internally to be able to get to?
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 

Author Comment

by:santasvillage
ID: 39909525
I do not know the exact domain names as of yet, will know soon, they are for a credit card processor.

but....

we could use any site as an example:
so 192.168.0.80-100 are allowed to go to google.com and no where else?

A proxy server is not a viable alternative right now

Thank you
0
 

Author Comment

by:santasvillage
ID: 39926489
?
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 1000 total points
ID: 39931405
-A INPUT --src-range 192.168.0.80-192.168.0.100 -m tcp -p tcp --dport 22 -j ACCEPT

would restrict your rule that allows ssh to the corresponding source range

--

you can remove the rule
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
and also " -m state --state NEW"
as all this is implicit in netfilter

--

don't freak, not understanding it quickly does not mean you are out of your league : netfilter uses a crazy syntax and it's documentation is far from complete, not to mention all the other reasons i have to hate it but that would probably start a useless flame war. if you can use pf or ipf, do so, it you're stuck with linux, you may consider installing one of the numerous so called "firewalls" that actually have simpler rule syntaxes and generate configs for netfilter so you don't have to learn the syntax yourself
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses
Course of the Month10 days, 16 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question