• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 222
  • Last Modified:

Ip tables rules block specific range

Hi
I need help writing iptables rules that will allow a certain range of private address (192.168.0.80-100)  outgoing access to one or two specific named sites and nothing else.

Here is my current setup
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


Thank you
0
santasvillage
Asked:
santasvillage
  • 3
  • 2
2 Solutions
 
Jordan MedlenCommented:
You would use the following syntax...

-m iprange --src-range 192.168.0.80-192.168.0.100 -j ACTION

You can read more in the following article.

http://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html
0
 
santasvillageAuthor Commented:
Could you give more specific help?  This really is not my forte..

Thank you
0
 
Jordan MedlenCommented:
What are the two named sites that you want the IP addresses internally to be able to get to?
0
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

 
santasvillageAuthor Commented:
I do not know the exact domain names as of yet, will know soon, they are for a credit card processor.

but....

we could use any site as an example:
so 192.168.0.80-100 are allowed to go to google.com and no where else?

A proxy server is not a viable alternative right now

Thank you
0
 
santasvillageAuthor Commented:
?
0
 
skullnobrainsCommented:
-A INPUT --src-range 192.168.0.80-192.168.0.100 -m tcp -p tcp --dport 22 -j ACCEPT

would restrict your rule that allows ssh to the corresponding source range

--

you can remove the rule
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
and also " -m state --state NEW"
as all this is implicit in netfilter

--

don't freak, not understanding it quickly does not mean you are out of your league : netfilter uses a crazy syntax and it's documentation is far from complete, not to mention all the other reasons i have to hate it but that would probably start a useless flame war. if you can use pf or ipf, do so, it you're stuck with linux, you may consider installing one of the numerous so called "firewalls" that actually have simpler rule syntaxes and generate configs for netfilter so you don't have to learn the syntax yourself
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now