Solved

Ip tables rules block specific range

Posted on 2014-03-06
8
176 Views
Last Modified: 2014-10-21
Hi
I need help writing iptables rules that will allow a certain range of private address (192.168.0.80-100)  outgoing access to one or two specific named sites and nothing else.

Here is my current setup
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


Thank you
0
Comment
Question by:santasvillage
  • 3
  • 2
8 Comments
 
LVL 6

Assisted Solution

by:Jordan Medlen
Jordan Medlen earned 250 total points
Comment Utility
You would use the following syntax...

-m iprange --src-range 192.168.0.80-192.168.0.100 -j ACTION

You can read more in the following article.

http://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html
0
 

Author Comment

by:santasvillage
Comment Utility
Could you give more specific help?  This really is not my forte..

Thank you
0
 
LVL 6

Expert Comment

by:Jordan Medlen
Comment Utility
What are the two named sites that you want the IP addresses internally to be able to get to?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:santasvillage
Comment Utility
I do not know the exact domain names as of yet, will know soon, they are for a credit card processor.

but....

we could use any site as an example:
so 192.168.0.80-100 are allowed to go to google.com and no where else?

A proxy server is not a viable alternative right now

Thank you
0
 

Author Comment

by:santasvillage
Comment Utility
?
0
 
LVL 26

Accepted Solution

by:
skullnobrains earned 250 total points
Comment Utility
-A INPUT --src-range 192.168.0.80-192.168.0.100 -m tcp -p tcp --dport 22 -j ACCEPT

would restrict your rule that allows ssh to the corresponding source range

--

you can remove the rule
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
and also " -m state --state NEW"
as all this is implicit in netfilter

--

don't freak, not understanding it quickly does not mean you are out of your league : netfilter uses a crazy syntax and it's documentation is far from complete, not to mention all the other reasons i have to hate it but that would probably start a useless flame war. if you can use pf or ipf, do so, it you're stuck with linux, you may consider installing one of the numerous so called "firewalls" that actually have simpler rule syntaxes and generate configs for netfilter so you don't have to learn the syntax yourself
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now