Iptables help - Ubuntu



Thread: Iptables help

  1. Iptables help

    Hey there,

    I'm looking to use iptables to block every IP and then add access for
    specific IPs to a specific port (e.g. 21). How do I go about doing this?

  2. Re: Iptables help

    On Tue, 12 Feb 2008 20:12:09 -0600
    tux wrote:

    > Hey there,
    >
    > I'm looking to use iptables to block every IP and then add access for
    > specific IPs to a specific port (e.g. 21). How do I go about doing
    > this?

    I would try webmin from webmin.com, very intuitive for your purpose too.

    --
    :-)


  3. Re: Iptables help

    tux wrote:
    > Hey there,
    >
    > I'm looking to use iptables to block every IP and then add access for
    > specific IPs to a specific port (e.g. 21). How do I go about doing this?


    The thing to remember about iptables rules is that it checks them
    in order and stops on the first one that matches. If nothing matches,
    the default policy is usually to allow the packet. Thus to allow
    only certain things and block all else, add your allows first and
    put your blanket deny at the end. For example, to allow only the
    local network to access port 21 and block everything else from that
    port, you might do this:

    /sbin/iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 21 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 21 -j DROP

    This example assumes our local network is 192.168.0.0 with the 16
    bit subnet mask (255.255.0.0). It also assumes we are only dealing
    with the TCP port 21.

    General rule of thumb when dealing with iptables: add your rules
    in order starting with most specific and progressing toward most
    general. Also, be extra careful when adding rules via a remote
    session, especially if there would be driving involved to get
    access to the system when you accidentally block your own access.

    If you are really uncertain of the rules you are adding, here is
    a neat trick to protect against locking yourself out. Just be
    sure to run this command BEFORE testing any new iptables rules.

    ( sleep 300 ; /sbin/iptables -F ) &

    This command goes into the background, sleeps for 5 minutes
    (300 seconds) and then flushes all the iptables rules (in case
    you've really fouled things up and lost access). Feel free to
    increase that number if you need more time to test your rules.

    Thad
    --
    Yeah, I drank the Open Source cool-aid... Unlike the other brand, it had
    all the ingredients on the label.
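    The ordering rule Thad describes, as an added example that is not code from this thread: a POSIX shell script that emits the allow rules before the blanket DROP in iptables-restore format, and applies them with a timed rollback to an iptables-save snapshot rather than a bare "iptables -F" (a flush does not restore chain policies, so it cannot get you back in if the INPUT policy was DROP). The function names build_rules, apply_with_rollback and confirm_rules are my own; applying needs root and the iptables tools.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds the "allow listed sources,
# then drop everything else on that port" rule set that Thad describes, in
# iptables-restore format so it loads in one step, and adds a timed rollback
# to a saved snapshot instead of a bare "iptables -F".

# build_rules PORT CIDR...  -> prints a filter-table fragment to stdout.
# Allows are emitted first and the blanket DROP last, because iptables
# stops at the first matching rule.
build_rules() {
    port=$1; shift
    printf '%s\n' '*filter'
    for net in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $net --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback SECONDS PORT CIDR...  (needs root and iptables)
# Snapshots the current rules with iptables-save, appends the new rules
# (--noflush keeps whatever is already in the chains, like "iptables -A"),
# and schedules a restore of the snapshot after SECONDS.  Restoring the
# snapshot also puts back the chain policies, which "iptables -F" does not,
# so it still gets you back in when the INPUT policy is DROP.
apply_with_rollback() {
    secs=$1; shift
    ROLLBACK_SNAP=$(mktemp) || return 1
    iptables-save > "$ROLLBACK_SNAP" || return 1
    build_rules "$@" | iptables-restore --noflush || return 1
    ( sleep "$secs" && iptables-restore < "$ROLLBACK_SNAP" ) &
    ROLLBACK_PID=$!
    echo "new rules loaded; run confirm_rules within $secs s to keep them"
}

# confirm_rules: run once you have checked that you can still reach the box.
confirm_rules() {
    kill "$ROLLBACK_PID" 2>/dev/null
    rm -f "$ROLLBACK_SNAP"
}

# Usage (as root):  apply_with_rollback 300 21 192.168.0.0/16 ; ... ; confirm_rules
```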

  4. Re: Iptables help


    "tux" wrote in message
    news:7eKdnS7c0otkzC_anZ2dnUVZ_uLinZ2d@giganews.com ...
    > Hey there,
    >
    > I'm looking to use iptables to block every IP and then add access for
    > specific IPs to a specific port (e.g. 21). How do I go about doing this?

    check this:
    www.shorewall.net
    A very nice and well-documented iptables tool.



  5. Re: Iptables help

    On Wednesday 13 Feb 2008 02:53 Holz licked a pencil and jotted:

    > On Tue, 12 Feb 2008 20:12:09 -0600
    > tux wrote:
    >
    >> Hey there,
    >>
    >> I'm looking to use iptables to block every IP and then add access for
    >> specific IPs to a specific port (e.g. 21). How do I go about doing
    >> this?

    > I would try webmin from webmin.com, very intuitive for your purpose too.
    >


    I second this.

    Webmin is well worth installing even if you go for a different frontend for
    iptables.

    You can do SO much with it. I had issues setting up Samba shares in Kubuntu;
    I have lost the link, but it was a documented bug that needed manual editing
    of the samba config to resolve. It takes me moments to set up shares and
    Samba users etc. using Webmin, plus I can administer my PC from work over
    SSH if needed.

    That's just scratching the surface, tis an excellent tool.

    David
    --
    Knowledge is of two kinds: we know a subject ourselves, or we know where we
    can find information upon it. (Samuel Johnson)
    Only the mediocre are always at their best. (Jean Giraudoux)
    (Reply address genuine - Checked occasionally)

  6. Re: Iptables help

    On 2008-02-14, Baldylocks-Ubuntu wrote:
    >
    > I second this.
    >
    > Webmin is well worth installing even if you go for a different frontend for
    > iptables.
    >
    > You can do SO much with it. I had issues setting up Samba shares in Kubuntu;
    > I have lost the link, but it was a documented bug that needed manual editing
    > of the samba config to resolve. It takes me moments to set up shares and
    > Samba users etc. using Webmin, plus I can administer my PC from work over
    > SSH if needed.
    >
    > That's just scratching the surface, tis an excellent tool.


    It is, and I like webmin a lot, but PLEASE, do NOT use the disk
    partitioning tool in webmin. It will delete mounted partitions,
    renumber your existing partitions, and basically make it really easy
    for you to foul your system.

    Don't ask me how I know... (But I'm glad I keep good backups ;-)


    --
    Joe - Linux User #449481/Ubuntu User #19733
    joe at hits - buffalo dot com
    "Hate is baggage, life is too short to go around pissed off all the
    time..." - Danny, American History X

  7. Re: Iptables help

    On Thursday 14 Feb 2008 20:24 Joe licked a pencil and jotted:

    snip
    >>
    >> That's just scratching the surface, tis an excellent tool.

    >
    > It is, and I like webmin a lot, but PLEASE, do NOT use the disk
    > partitioning tool in webmin. It will delete mounted partitions,
    > renumber your existing partitions, and basically make it really easy
    > for you to foul your system.
    >
    > Don't ask me how I know... (But I'm glad I keep good backups ;-)
    >
    >


    Hmm, thanks for the heads up on that.

    David
    --
    Knowledge is of two kinds: we know a subject ourselves, or we know where we
    can find information upon it. (Samuel Johnson)
    Only the mediocre are always at their best. (Jean Giraudoux)
    (Reply address genuine - Checked occasionally)

  8. Re: Iptables help

    On 2008-02-14, Baldylocks-Ubuntu wrote:
    >> Don't ask me how I know... (But I'm glad I keep good backups ;-)
    >>
    >>

    >
    > Hmm, thanks for the heads up on that.


    It was a painful learning process. I had 4 unused partitions on
    my drive that I wanted to delete (from Feisty). Couldn't delete them
    from inside of Gutsy normally, without unmounting the extended
    partition. But in Webmin, I figured I'd give it a shot. Needed to
    remove sda2, sda6, sda8 and sda9. Piece of cake. Removed 2, then 6,
    then found that there was no longer an 8 or 9. Oh, and my / and /var
    and /vmware partitions were gone, since I hadn't noticed the
    renumbering. Yeyyy!

    Of course, the machine still ran fine. Couldn't write to those
    partitions, but I was still able to use the machine as before, so long
    as I didn't reboot. That gave me the opportunity to make one final
    extra backup of everything before starting from scratch.

    Now my partition table is much cleaner (until Hardy ;-). Try getting
    windows to keep running even after you delete active partitions! ;-)


    --
    Joe - Linux User #449481/Ubuntu User #19733
    joe at hits - buffalo dot com
    "Hate is baggage, life is too short to go around pissed off all the
    time..." - Danny, American History X

  9. Re: Iptables help

    On Friday 15 Feb 2008 01:50 Joe licked a pencil and jotted:

    >
    > Now my partition table is much cleaner (until Hardy ;-). Try getting
    > windows to keep running even after you delete active partitions! ;-)
    >
    >


    Heh, try getting Windows to keep running, full stop.

    Reminds me of my experiences not that long ago when I had a h/w glitch after
    a power cut. I chose the wrong option when powering up (my fault entirely, I
    didn't read it properly); rather than spend ages at the command line to fix
    it, I took the opportunity to upgrade from Feisty to Gutsy and do a clean
    install. I had put off upgrading until I had a good reason; besides, it's
    quite nice not having to reboot between releases.

    Bear in mind it was an emergency re-install and I had been lackadaisical
    with backups.

    25 mins after putting the CD in I had my original desktop back, all my
    files, all my settings; I even had the last 10 items I had copied still on
    the clipboard.

    As I reinstalled all my apps - a few minutes work - all their settings
    remained too.

    Try doing that in Windows, even just putting the same version back on, let
    alone upgrading! Windows fans never quite get how it's not just security
    that is better by design, it's usability, recoverability and portability.

    I mentioned this in a general interest NG with an IT leaning and of course
    all the Windows lot piped up how they would never have this trouble because
    they create images daily and it's a matter of minutes to re-image and be
    back to where they were. I think they missed the point lol.

    David
    --
    Knowledge is of two kinds: we know a subject ourselves, or we know where we
    can find information upon it. (Samuel Johnson)
    Only the mediocre are always at their best. (Jean Giraudoux)
    (Reply address genuine - Checked occasionally)

  10. Re: Iptables help

    On Tue, 12 Feb 2008 20:12:09 -0600, tux wrote:

    > I'm looking to use iptables to block every IP and then add access for
    > specific IPs to a specific port (e.g. 21). How do I go about doing
    > this?


    I like Firestarter.

    --
    // This is my opinion.

  11. Re: Iptables help

    thad05@tux.glaci.delete-this.com wrote:

    > tux wrote:
    >> Hey there,
    >>
    >> I'm looking to use iptables to block every IP and then add access for
    >> specific IPs to a specific port (e.g. 21). How do I go about doing this?

    >
    > The thing to remember about iptables rules is that it checks them
    > in order and stops on the first one that matches. If nothing matches,
    > the default policy is usually to allow the packet. Thus to allow
    > only certain things and block all else, add your allows first and
    > put your blanket deny at the end. For example, to allow only the
    > local network to access port 21 and block everything else from that
    > port, you might do this:
    >
    > /sbin/iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 21 -j ACCEPT
    > /sbin/iptables -A INPUT -p tcp --dport 21 -j DROP
    >
    > This example assumes our local network is 192.168.0.0 with the 16
    > bit subnet mask (255.255.0.0). It also assumes we are only dealing
    > with the TCP port 21.
    >
    > General rule of thumb when dealing with iptables: add your rules
    > in order starting with most specific and progressing toward most
    > general. Also, be extra careful when adding rules via a remote
    > session, especially if there would be driving involved to get
    > access to the system when you accidentally block your own access.
    >
    > If you are really uncertain of the rules you are adding, here is
    > a neat trick to protect against locking yourself out. Just be
    > sure to run this command BEFORE testing any new iptables rules.
    >
    > ( sleep 300 ; /sbin/iptables -F ) &
    >
    > This command goes into the background, sleeps for 5 minutes
    > (300 seconds) and then flushes all the iptables rules (in case
    > you've really fouled things up and lost access). Feel free to
    > increase that number if you need more time to test your rules.
    >
    > Thad


    And YOU say you're getting old? Nice post... I archived a copy. Thanks.


    --

    Jerry McBride (jmcbride@mail-on.us)

  12. Re: Iptables help

    tux wrote:

    > Hey there,
    >
    > I'm looking to use iptables to block every IP and then add access for
    > specific IPs to a specific port (e.g. 21). How do I go about doing this?


    like:

    # allow the chosen source address (allowedipnr is a placeholder) to reach TCP port 21
    iptables -A INPUT -p tcp -s allowedipnr --dport 21 -j ACCEPT
    # then drop port 21 from everyone else (rule must come after the ACCEPT)
    iptables -A INPUT -p tcp -s 0/0 --dport 21 -j DROP

    ?
