Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Ip tables rules block specific range

Posted on 2014-03-06
Medium Priority
Last Modified: 2014-10-21
I need help writing iptables rules that will allow a certain range of private address (  outgoing access to one or two specific named sites and nothing else.

Here is my current setup
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Thank you
Question by:santasvillage
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Assisted Solution

by:Jordan Medlen
Jordan Medlen earned 1000 total points
ID: 39909291
You would use the following syntax...

-m iprange --src-range -j ACTION

You can read more in the following article.


Author Comment

ID: 39909493
Could you give more specific help?  This really is not my forte..

Thank you

Expert Comment

by:Jordan Medlen
ID: 39909513
What are the two named sites that you want the IP addresses internally to be able to get to?
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.


Author Comment

ID: 39909525
I do not know the exact domain names as of yet, will know soon, they are for a credit card processor.


we could use any site as an example:
so are allowed to go to google.com and no where else?

A proxy server is not a viable alternative right now

Thank you

Author Comment

ID: 39926489
LVL 27

Accepted Solution

skullnobrains earned 1000 total points
ID: 39931405
-A INPUT --src-range -m tcp -p tcp --dport 22 -j ACCEPT

would restrict your rule that allows ssh to the corresponding source range


you can remove the rule
and also " -m state --state NEW"
as all this is implicit in netfilter


don't freak, not understanding it quickly does not mean you are out of your league : netfilter uses a crazy syntax and it's documentation is far from complete, not to mention all the other reasons i have to hate it but that would probably start a useless flame war. if you can use pf or ipf, do so, it you're stuck with linux, you may consider installing one of the numerous so called "firewalls" that actually have simpler rule syntaxes and generate configs for netfilter so you don't have to learn the syntax yourself

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question