Hey there,
I'm looking to use iptables to block every IP and then add access for specific
IPs to a specific port (e.g. 21). How do I go about doing this?
On Tue, 12 Feb 2008 20:12:09 -0600
tux <spiritsword2342135235656@yahoo.com> wrote:
> Hey there,
>
> I'm looking to use iptables to block every IP and then add access for
> specific IPs to a specific port (e.g. 21). How do I go about doing this?
I would try webmin from webmin.com, very intuitive for your purpose too.
--
:-)
tux <spiritsword2342135235656@yahoo.com> wrote:
> Hey there,
>
> I'm looking to use iptables to block every IP and then add access for specific
> IPs to a specific port (e.g. 21). How do I go about doing this?
The thing to remember about iptables rules is that it checks them
in order and stops on the first one that matches. If nothing matches,
the default policy is usually to allow the packet. Thus to allow
only certain things and block all else, add your allows first and
put your blanket deny at the end. For example, to allow only the
local network to access port 21 and block everything else from that
port, you might do this:
/sbin/iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j DROP
This example assumes our local network is 192.168.0.0 with the 16
bit subnet mask (255.255.0.0). It also assumes we are only dealing
with the TCP port 21.
General rule of thumb when dealing with iptables: add your rules
in order starting with most specific and progressing toward most
general. Also, be extra careful when adding rules via a remote
session, especially if there would be driving involved to get
access to the system when you accidentally block your own access.
If you are really uncertain of the rules you are adding, here is
a neat trick to protect against locking yourself out. Just be
sure to run this command BEFORE testing any new iptables rules.
( sleep 300 ; /sbin/iptables -F ) &
This command goes into the background, sleeps for 5 minutes
(300 seconds) and then flushes all the iptables rules (in case
you've really fouled things up and lost access). Feel free to
increase that number if you need more time to test your rules.
Thad
--
Yeah, I drank the Open Source cool-aid... Unlike the other brand, it had
all the ingredients on the label.
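The ordering Thad describes, written out as a small script. This is an added example, not code from the thread: it emits one ACCEPT per allowed source and then the blanket DROP for one TCP port, and it wraps his lockout guard with one change of my own. The sources and port are placeholders; DRY_RUN=1 (the default) only prints the commands, DRY_RUN=0 executes /sbin/iptables and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): "allow listed sources, then drop
# everyone else" for one TCP port, in first-match order, plus a lockout guard.
# Assumptions (mine): the sources and port are placeholders; DRY_RUN=1 prints
# the commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# run_ipt: print the command in dry-run mode, otherwise execute it.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '/sbin/iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

# port_rules PORT SRC... : one ACCEPT per allowed source, then the blanket DROP.
# iptables stops at the first matching rule, so the ACCEPTs must be appended
# before the DROP; appending the DROP first would shadow every allow.
port_rules() {
    port="$1"
    shift
    for src in "$@"; do
        run_ipt -A INPUT -p tcp -s "$src" --dport "$port" -j ACCEPT
    done
    run_ipt -A INPUT -p tcp --dport "$port" -j DROP
}

# lockout_guard SECONDS : Thad's safety net with one change. A plain
# "iptables -F" removes the rules but leaves the chain policy alone, so on a
# host whose INPUT policy is already DROP a flush by itself would still lock
# you out. Resetting the INPUT policy to ACCEPT first restores access either
# way; only INPUT is flushed here, since that is the chain that admits logins.
# In live mode the background job's PID is printed so it can be killed once a
# fresh login has proved the new rules are sane.
lockout_guard() {
    secs="${1:-300}"
    if [ "$DRY_RUN" = "1" ]; then
        printf '( sleep %s ; /sbin/iptables -P INPUT ACCEPT ; /sbin/iptables -F INPUT ) &\n' "$secs"
        return 0
    fi
    ( sleep "$secs"; /sbin/iptables -P INPUT ACCEPT; /sbin/iptables -F INPUT ) &
    echo "$!"
}

# Usage: start the guard first, then add the rules. Constructed placeholder
# sources: the local /16 from Thad's post and one documentation address.
lockout_guard 300
port_rules 21 192.168.0.0/16 203.0.113.10
```

Run it once with the default DRY_RUN=1 and read the printed commands before running it for real; after applying them, "iptables -L INPUT -n --line-numbers" shows the resulting order so you can confirm the ACCEPT lines sit above the DROP.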
"tux" <spiritsword2342135235656@yahoo.com> wrote in message
news:7eKdnS7c0otkzC_anZ2dnUVZ_uLinZ2d@giganews.com...
> Hey there,
>
> I'm looking to use iptables to block every IP and then add access for specific
> IPs to a specific port (e.g. 21). How do I go about doing this?
Check this:
www.shorewall.net
Very nice and well-documented iptables tool.
On Wednesday 13 Feb 2008 02:53 Holz licked a pencil and jotted:
> On Tue, 12 Feb 2008 20:12:09 -0600
> tux <spiritsword2342135235656@yahoo.com> wrote:
>
>> Hey there,
>>
>> I'm looking to use iptables to block every IP and then add access for
>> specific IPs to a specific port (e.g. 21). How do I go about doing this?
> I would try webmin from webmin.com, very intuitive for your purpose too.
>
I second this.
Webmin well worth installing even if you go for a different frontend for
iptables.
You can do SO much with it. I had issues setting up Samba shares in Kubuntu;
I have lost the link, but it was a documented bug that needed manual editing of
the Samba config to resolve. It takes me moments to set up shares and Samba
users etc. using Webmin, plus I can administer my PC from work over SSH if
needed.
That's just scratching the surface, tis an excellent tool.
David
--
Knowledge is of two kinds: we know a subject ourselves, or we know where we
can find information upon it. (Samuel Johnson)
Only the mediocre are always at their best. (Jean Giraudoux)
(Reply address genuine - Checked occasionally)
On 2008-02-14, Baldylocks-Ubuntu <me.signup@gmail.com> wrote:
>
> I second this.
>
> Webmin well worth installing even if you go for a different frontend for
> iptables.
>
> You can do SO much with it. I had issues setting up Samba shares in Kubuntu;
> I have lost the link, but it was a documented bug that needed manual editing of
> the Samba config to resolve. It takes me moments to set up shares and Samba
> users etc. using Webmin, plus I can administer my PC from work over SSH if
> needed.
>
> That's just scratching the surface, tis an excellent tool.
It is, and I like webmin a lot, but PLEASE, do NOT use the disk
partitioning tool in webmin. It will delete mounted partitions,
renumber your existing partitions, and basically make it really easy
for you to foul your system.
Don't ask me how I know... (But I'm glad I keep good backups ;-)
--
Joe - Linux User #449481/Ubuntu User #19733
joe at hits - buffalo dot com
"Hate is baggage, life is too short to go around pissed off all the
time..." - Danny, American History X
On Thursday 14 Feb 2008 20:24 Joe licked a pencil and jotted:
snip
>>
>> That's just scratching the surface, tis an excellent tool.
>
> It is, and I like webmin a lot, but PLEASE, do NOT use the disk
> partitioning tool in webmin. It will delete mounted partitions,
> renumber your existing partitions, and basically make it really easy
> for you to foul your system.
>
> Don't ask me how I know... (But I'm glad I keep good backups ;-)
>
>
Hmm, thanks for the heads up on that. :)
David
--
Knowledge is of two kinds: we know a subject ourselves, or we know where we
can find information upon it. (Samuel Johnson)
Only the mediocre are always at their best. (Jean Giraudoux)
(Reply address genuine - Checked occasionally)
On 2008-02-14, Baldylocks-Ubuntu <me.signup@gmail.com> wrote:
>> Don't ask me how I know... (But I'm glad I keep good backups ;-)
>>
>>
>
> Hmm, thanks for the heads up on that. :)
;) It was a painful learning process. I had 4 unused partitions on
my drive that I wanted to delete (from Feisty). Couldn't delete them
from inside of Gutsy normally, without unmounting the extended
partition. But in Webmin, I figured I'd give it a shot. Needed to
remove sda2, sda6, sda8 and sda9. Piece of cake. Removed 2, then 6,
then found that there was no longer an 8 or 9. Oh, and my / and /var
and /vmware partitions were gone, since I hadn't noticed the
renumbering. Yeyyy! ;)
Of course, the machine still ran fine. Couldn't write to those
partitions, but I was still able to use the machine as before, so long
as I didn't reboot. That gave me the opportunity to make one final
extra backup of everything before starting from scratch.
Now my partition table is much cleaner (until Hardy ;-). Try getting
windows to keep running even after you delete active partitions! ;-)
--
Joe - Linux User #449481/Ubuntu User #19733
joe at hits - buffalo dot com
"Hate is baggage, life is too short to go around pissed off all the
time..." - Danny, American History X
On Friday 15 Feb 2008 01:50 Joe licked a pencil and jotted:
>
> Now my partition table is much cleaner (until Hardy ;-). Try getting
> windows to keep running even after you delete active partitions! ;-)
>
>
Heh, try getting Windows to keep running full stop :)
Reminds me of my experiences not that long ago when I had a h/w glitch after
a power cut. I chose the wrong option when powering up (my fault entirely; I
didn't read it properly). Rather than spend ages at the command line to fix
it, I took the opportunity to upgrade from Feisty to Gutsy and do a clean
install. I had put off upgrading until I had a good reason; besides, it's
quite nice not having to reboot between releases ;)
Bear in mind it was an emergency re-install and I had been lackadaisical
with backups.
25 mins after putting the CD in I had my original desktop back, all my
files, all my settings; I even had the last 10 items I had copied still on
the clipboard.
As I reinstalled all my apps - a few minutes work - all their settings
remained too.
Try doing that in Windows, even just putting the same version back on, let
alone upgrading! Windows fans never quite get how it's not just security
that is better by design; it's usability, recoverability and portability.
I mentioned this in a general interest NG with an IT leaning and of course
all the Windows lot piped up how they would never have this trouble because
they create images daily and it's a matter of minutes to re-image and be
back to where they were. I think they missed the point lol.
David
--
Knowledge is of two kinds: we know a subject ourselves, or we know where we
can find information upon it. (Samuel Johnson)
Only the mediocre are always at their best. (Jean Giraudoux)
(Reply address genuine - Checked occasionally)
On Tue, 12 Feb 2008 20:12:09 -0600, tux wrote:
> I'm looking to use iptables to block every IP and then add access for
> specific IPs to a specific port (e.g. 21). How do I go about doing
> this?
I like Firestarter.
--
// This is my opinion.
thad05@tux.glaci.delete-this.com wrote:
> tux <spiritsword2342135235656@yahoo.com> wrote:
>> Hey there,
>>
>> I'm looking to use iptables to block every IP and then add access for specific
>> IPs to a specific port (e.g. 21). How do I go about doing this?
>
> The thing to remember about iptables rules is that it checks them
> in order and stops on the first one that matches. If nothing matches,
> the default policy is usually to allow the packet. Thus to allow
> only certain things and block all else, add your allows first and
> put your blanket deny at the end. For example, to allow only the
> local network to access port 21 and block everything else from that
> port, you might do this:
>
> /sbin/iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 21 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 21 -j DROP
>
> This example assumes our local network is 192.168.0.0 with the 16
> bit subnet mask (255.255.0.0). It also assumes we are only dealing
> with the TCP port 21.
>
> General rule of thumb when dealing with iptables: add your rules
> in order starting with most specific and progressing toward most
> general. Also, be extra careful when adding rules via a remote
> session, especially if there would be driving involved to get
> access to the system when you accidentally block your own access.
>
> If you are really uncertain of the rules you are adding, here is
> a neat trick to protect against locking yourself out. Just be
> sure to run this command BEFORE testing any new iptables rules.
>
> ( sleep 300 ; /sbin/iptables -F ) &
>
> This command goes into the background, sleeps for 5 minutes
> (300 seconds) and then flushes all the iptables rules (in case
> you've really fouled things up and lost access). Feel free to
> increase that number if you need more time to test your rules.
>
> Thad
And YOU say you're getting old? Nice post... I archived a copy. Thanks.
--
Jerry McBride (jmcbride@mail-on.us)
tux wrote:
> Hey there,
>
> I'm looking to use iptables to block every IP and then add access for specific
> IPs to a specific port (e.g. 21). How do I go about doing this?
like:
iptables -A INPUT -p tcp -s allowedipnr --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 21 -j DROP
?