Solved

Ip tables rules block specific range

Posted on 2014-03-06
8
181 Views
Last Modified: 2014-10-21
Hi
I need help writing iptables rules that will allow a certain range of private address (192.168.0.80-100)  outgoing access to one or two specific named sites and nothing else.

Here is my current setup
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


Thank you
0
Comment
Question by:santasvillage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 6

Assisted Solution

by:Jordan Medlen
Jordan Medlen earned 250 total points
ID: 39909291
You would use the following syntax...

-m iprange --src-range 192.168.0.80-192.168.0.100 -j ACTION

You can read more in the following article.

http://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html
0
 

Author Comment

by:santasvillage
ID: 39909493
Could you give more specific help?  This really is not my forte..

Thank you
0
 
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39909513
What are the two named sites that you want the IP addresses internally to be able to get to?
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 

Author Comment

by:santasvillage
ID: 39909525
I do not know the exact domain names as of yet, will know soon, they are for a credit card processor.

but....

we could use any site as an example:
so 192.168.0.80-100 are allowed to go to google.com and no where else?

A proxy server is not a viable alternative right now

Thank you
0
 

Author Comment

by:santasvillage
ID: 39926489
?
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 250 total points
ID: 39931405
-A INPUT --src-range 192.168.0.80-192.168.0.100 -m tcp -p tcp --dport 22 -j ACCEPT

would restrict your rule that allows ssh to the corresponding source range

--

you can remove the rule
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
and also " -m state --state NEW"
as all this is implicit in netfilter

--

don't freak, not understanding it quickly does not mean you are out of your league : netfilter uses a crazy syntax and it's documentation is far from complete, not to mention all the other reasons i have to hate it but that would probably start a useless flame war. if you can use pf or ipf, do so, it you're stuck with linux, you may consider installing one of the numerous so called "firewalls" that actually have simpler rule syntaxes and generate configs for netfilter so you don't have to learn the syntax yourself
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question