
iptables question (ip address)

Posted: Wed Apr 05, 2006 4:24 pm
by a94060
Well, basically, my question is how do I limit the IPs that can connect to a port. Really, what I want to do is allow any address from 10.10.10.XXX to be able to connect to the SSH port, and I don't want to allow anyone else on the rest of the internet to be able to connect.

If you need any more clarification, please ask.

Posted: Wed Apr 05, 2006 4:59 pm
by redmonkey
Use the source address switch with a mask, i.e. add -s 10.10.10.0/24

Posted: Wed Apr 05, 2006 5:12 pm
by a94060
redmonkey wrote: Use the source address switch with a mask, i.e. add -s 10.10.10.0/24
I tried this but it does not seem to work for the purpose I intended it to.

#client all accept
        server ssh accept src 10.10.10.0/16

I'm using it with firehol, so would you be able to hint/tell me how to put it there? (I'm sorry, Linux newb/noob sitting here.)

Posted: Wed Apr 05, 2006 5:30 pm
by redmonkey
Unfortunately not, sorry. Other than knowing firehol is a util designed apparently to ease iptables config, I have no working knowledge of its setup or syntax.

What's this firewall running on? Server, workstation, router or some other setup?

For servers and workstations iptables syntax is fairly straightforward (or at least I think so), so I've never really seen the point in using any third party utils which require you to learn their own syntax. Routers can become a bit more complex, but even then, once you understand the basic iptables rules, more complex sets start to become understandable.

Posted: Wed Apr 05, 2006 5:34 pm
by a94060
redmonkey wrote: Unfortunately not, sorry. Other than knowing firehol is a util designed apparently to ease iptables config, I have no working knowledge of its setup or syntax.

What's this firewall running on? Server, workstation, router or some other setup?

For servers and workstations iptables syntax is fairly straightforward (or at least I think so), so I've never really seen the point in using any third party utils which require you to learn their own syntax. Routers can become a bit more complex, but even then, once you understand the basic iptables rules, more complex sets start to become understandable.

I'm running it on Debian. It's a server, and basically it's just DMZ'ed through my home router, so there are no NAT problems. Basically, I just want it to accept SSH from the LAN.

Posted: Wed Apr 05, 2006 5:48 pm
by redmonkey
You could try my iptables rule builder script which is exactly what I use to create a base iptables ruleset for servers.

Read the comments within the 'User Config' section; it should be fairly straightforward and should allow basic config for most standard server services.

There is a line within the user config section which reads....

SSH_IPS=

Just change that to....

SSH_IPS="10.10.10.0/24"

... this assumes of course that your internal network is 10.10.10.xxx

The script itself doesn't save itself as the permanent ruleset, so if you make a mistake you can simply reboot your box and all the rules the script has put in place will be removed. If you have physical access to the box then you can just remove the rules once you are logged in as root, without the need to reboot.

Posted: Wed Apr 05, 2006 6:26 pm
by a94060
I'm a true noob. I tried running the script by typing ./ip.sh :? and nothing happened. I'm not sure what I did wrong, but keep in mind, Linux newbie here.

Posted: Wed Apr 05, 2006 7:22 pm
by redmonkey
Well... if nothing happened that could be a good sign; if the script runs normally it doesn't produce any output.

You can check if anything has changed by looking at your iptables ruleset, from the command line type....

iptables -vL

You should get a fairly verbose output from that; if you are unsure of the output, post it here and I'll tell you if the script has run and is successful or not.

Posted: Wed Apr 05, 2006 7:27 pm
by a94060
Actually, I kind of found out that it worked ( :lol: ). I even added my thing to access webmin. My question now is, how do I do something along the lines of what was done here:

#------------------------------------------------------------------------------
#
# define the acceptable source IP addresses for any services which are
# restricted to only discrete IP addresses or netmasks
#
# the format is SERVICE_IPS and can be a space separated list for example to
# allow SSH connections from IP addresses 123.123.123.123 and 231.231.231.231
# the entry would be
#
# SSH_IPS="123.123.123.123 231.231.231.231"
#
# any services which are omitted or left blank are assumed to accept
# connections from any IP address, assuming of course they are defined in the
# ALLOW lists
#
# NOTE: you will most likely want to omit or leave blank for most services
#
#------------------------------------------------------------------------------
SSH_IPS="10.10.10.0/24"

Can I do something like that to protect other services that I may want to run only on my LAN?

Posted: Wed Apr 05, 2006 7:32 pm
by redmonkey
The syntax for restricting services is simply SERVICENAME_IPS=, so for example if you wanted to restrict POP3 access to only your internal network you would add...

POP3_IPS="10.10.10.0/24"

Similarly, if you want to restrict remote MySQL access to internal only...

MYSQL_IPS="10.10.10.0/24"

I could go on, but hopefully you see the pattern forming here?
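What the SERVICENAME_IPS="a b c" convention has to turn into at the iptables level is the same three-part pattern for every service: an ACCEPT for each listed source, then a LOG and a DROP for everyone else on that port. The following is an added example, not redmonkey's script or the thread's own code; the function name restrict_service, the port numbers for SSH, POP3 and MySQL, the rate-limited LOG line and the IPTABLES dry-run variable are my assumptions about how such a rule builder would be written.

```shell
#!/bin/sh
# Added example (not the thread's script): expand SERVICENAME_IPS="a b c"
# into iptables rules. Each listed source gets an ACCEPT for the service's
# destination port; everything else to that port is logged and dropped.
# IPTABLES defaults to the real binary; set IPTABLES=echo for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# restrict_service NAME PROTO PORT "IP_OR_CIDR ..."
# An empty IP list means "open to all", matching the script's documented
# behaviour for variables that are omitted or left blank.
restrict_service() {
    name=$1; proto=$2; port=$3; ips=$4
    if [ -z "$ips" ]; then
        "$IPTABLES" -A INPUT -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
        return
    fi
    for src in $ips; do
        # Refuse anything that is not a plain IPv4 address or CIDR prefix;
        # a typo here would otherwise silently open or close the service.
        case $src in
            *[!0-9./]*|'') echo "restrict_service: bad address '$src' for $name" >&2; return 1 ;;
        esac
        "$IPTABLES" -A INPUT -s "$src" -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Everyone else: log (rate-limited so a scan cannot flood the log), then drop.
    # The "Drop: " prefix matches what the thread later greps for in /var/log/messages.
    "$IPTABLES" -A INPUT -p "$proto" --dport "$port" -m limit --limit 5/min -j LOG --log-prefix "Drop: $name "
    "$IPTABLES" -A INPUT -p "$proto" --dport "$port" -j DROP
}

# Values from the thread: SSH, POP3 and MySQL restricted to the 10.10.10.0/24 LAN.
SSH_IPS="10.10.10.0/24"
POP3_IPS="10.10.10.0/24"
MYSQL_IPS="10.10.10.0/24"

# apply_thread_rules: the three restrictions discussed above, in one place.
apply_thread_rules() {
    restrict_service ssh   tcp 22   "$SSH_IPS"   &&
    restrict_service pop3  tcp 110  "$POP3_IPS"  &&
    restrict_service mysql tcp 3306 "$MYSQL_IPS"
}
```

To see the rules without touching the live firewall, run `IPTABLES=echo apply_thread_rules` after sourcing the file; without the override the function needs root. Two design points: the match is on the destination port (--dport) combined with the source address, because a client picks its own source port and a rule that only matches --sport would accept arbitrary traffic; and the DROP sits after the ACCEPTs so the service is closed by default and only the listed sources get through.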

Posted: Wed Apr 05, 2006 8:00 pm
by a94060
Yes sir, thank you very much. I thought those were just custom variables defined in your script, so I did not think about those... I got that now. Where are the logs stored? (Just want to know, to protect from hackers.)

Posted: Wed Apr 05, 2006 8:22 pm
by redmonkey
iptables by default logs to /var/log/messages. The script will only set up logging rules for services which have restricted IP access, and you also have to add those services into the "LOG_DROP" and "LOG_ACCEPT" variables.

The /var/log/messages file can get quite large; if you just want to look at output logging from the iptables log, type.....

cat /var/log/messages | grep "Drop:\|Accept:\|Invalid"

...which will essentially filter the contents of the log file and return only those relevant to the firewall rules.

Note, iptables normally logs to /var/log/messages, but it can be distro dependent and it may be logging to some other file. If the above command returns nothing, then either you have not defined logging for any services within the script or it is logging to another file somewhere.

Also note, the ruleset is not saved, if you reboot your machine you will need to run the script again or alternatively look into saving the ruleset. You could also just set the script up to run at boot time.
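The grep above pulls the firewall lines out of the syslog file; the next thing a defender usually wants is to know which source addresses are being dropped most often, since a port scan shows up as many drops from one address. The following is an added example, not part of the thread: the log lines in SAMPLE_LOG are constructed to look like syslog output with the script's "Drop:"/"Accept:"/"Invalid" prefixes, and the helper names firewall_events and drops_by_source are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Filter the firewall lines out of a
# syslog-style file the way the grep in the post does, reading stdin so it
# works on whatever file the distro logs to, then summarise drops per source.
# These log lines are constructed for the example; real ones come from
# /var/log/messages (or wherever the distro sends kernel messages).
SAMPLE_LOG='Apr  5 20:01:11 srv kernel: Drop: ssh IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.10.5 PROTO=TCP SPT=41022 DPT=22
Apr  5 20:01:12 srv sshd[1234]: Accepted password for a94060 from 10.10.10.7 port 51000 ssh2
Apr  5 20:01:14 srv kernel: Drop: ssh IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.10.5 PROTO=TCP SPT=41023 DPT=22
Apr  5 20:01:20 srv kernel: Accept: ssh IN=eth0 OUT= SRC=10.10.10.7 DST=10.10.10.5 PROTO=TCP SPT=51001 DPT=22
Apr  5 20:01:25 srv kernel: Invalid IN=eth0 OUT= SRC=198.51.100.4 DST=10.10.10.5 PROTO=TCP SPT=80 DPT=22
Apr  5 20:01:30 srv cron[99]: (root) CMD (run-parts /etc/cron.hourly)'

# firewall_events: keep only lines the ruleset's LOG targets produced.
# Same filter as the post's grep "Drop:\|Accept:\|Invalid", written with
# -e so it also works on non-GNU grep. Note the sshd "Accepted password"
# line is not matched: the colon after Accept is what marks a firewall line.
firewall_events() {
    grep -e 'Drop:' -e 'Accept:' -e 'Invalid'
}

# drops_by_source: count "Drop:" lines per SRC= address, most frequent first.
# Output is in uniq -c form: "<count> <address>".
drops_by_source() {
    grep 'Drop:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Stand-alone usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | firewall_events
#   printf '%s\n' "$SAMPLE_LOG" | drops_by_source
```

Against a real system, replace the sample with `cat /var/log/messages | firewall_events`; if that returns nothing, the thread's advice applies: either no service has logging enabled in the script, or the kernel messages are going to a different file.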

Posted: Wed Apr 05, 2006 8:26 pm
by a94060
OK, well actually the integration into the boot sequence was going to be my next question. I searched for integrating things into the boot sequence, but was stumped.

My 2 questions:

1) How do I add services that run on a UDP port, or IP port?
2) How do I run your excellent script at the time my computer starts?


I have Debian 3 (the newest Debian out) if that may help you. I'm going to head off to bed, so I'll respond to your message in the morning or later.

Posted: Wed Apr 05, 2006 11:43 pm
by redmonkey
a94060 wrote: 1) How do I add services that run on a UDP port, or IP port?
UDP is noted in the 'todo' list within the header of the script. Currently if you want to add any service running UDP you'd either have to do it manually or adjust the script to suit. The alternative is to wait until I have a need for it myself and I'll add it to the script. There are very few services (that I can think of) that an average server would run that would require UDP so adding them would be similar to the way in which 'Ping' has currently been added.
a94060 wrote: 2) How do I run your excellent script at the time my computer starts?
You have a couple of options here, you should just be able to drop the script into the /etc/network/if-up.d/ directory and the script will be run each time the network comes up. That's the theory anyway, I do have a machine here running Debian Sarge with a couple of scripts sitting in that directory but I've yet to reboot it so I have no idea if it will/does run those scripts each time the network comes up, you could always try it and see what happens.

Alternatively you could wrap the script up in an 'init' style script (something I've been meaning to do myself) and install it with update-rc.d
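The reply above notes that the script does not persist its rules, and mentions both the /etc/network/if-up.d/ directory and "saving the ruleset" as options. The following added example, which is not part of the thread, combines the two: save the live tables once with iptables-save, then install an ifupdown hook that reloads them with iptables-restore whenever an interface comes up. The directory and rules file are parameters so the functions can be exercised in a scratch directory; the hook file name iptables-restore-rules and the helper names are my assumptions, and on a real Debian box the paths would be /etc/network/if-up.d and /etc/iptables.rules.

```shell
#!/bin/sh
# Added example (not part of the thread): persist the ruleset the builder
# script created and restore it when the network comes up. Paths are
# parameters so this can be tried in a scratch directory first; on a real box
# HOOKDIR is /etc/network/if-up.d and RULESFILE is /etc/iptables.rules.

# save_ruleset FILE: snapshot the live tables once the rules look right
# (needs root, because iptables-save reads the kernel tables).
save_ruleset() {
    iptables-save > "$1"
}

# write_ifup_hook HOOKDIR RULESFILE: install an executable hook that reloads
# RULESFILE. ifupdown exports IFACE for the interface it is bringing up; the
# loopback is skipped so the rules are not reloaded needlessly. The file name
# contains only [A-Za-z0-9_-] because run-parts ignores anything else.
write_ifup_hook() {
    hook="$1/iptables-restore-rules"
    rules="$2"
    cat > "$hook" <<EOF
#!/bin/sh
# installed by write_ifup_hook: reload the saved firewall ruleset
[ "\$IFACE" = lo ] && exit 0
[ -r "$rules" ] || exit 0
iptables-restore < "$rules"
EOF
    chmod 755 "$hook"
    echo "$hook"
}

# hook_is_installed HOOKDIR: returns 0 when the hook exists and is executable,
# which is the usual reason an if-up.d script "does nothing".
hook_is_installed() {
    [ -x "$1/iptables-restore-rules" ]
}

# Stand-alone usage (as root, after the ruleset is in place):
#   save_ruleset /etc/iptables.rules
#   write_ifup_hook /etc/network/if-up.d /etc/iptables.rules
```

Because the saved file is only reloaded, a mistake in the rules survives a reboot, unlike running the builder script by hand; keep the thread's advice in mind and check `iptables -vL` after the first reboot with console access available.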

Posted: Thu Apr 06, 2006 5:12 am
by a94060
I'm trying to add ports for Samba. Assuming I am using the correct ports, I tried the following below, and it does not work:

iptables -A INPUT -s 0/0 -i eth0 -d 10.10.10.5  -p UDP --sport 139 -j ACCEPT
iptables -A INPUT -s 0/0 -i eth0 -d 10.10.10.5  -p TCP --sport 135:139 -j ACCEPT
iptables -A OUTPUT -s 0/0 -d 10.10.10.5  -p UDP --sport 135:139 -j ACCEPT

Would you be able to tell me what to try?