From: Mark Hobley on 2 Jul 2008 17:06

I want to allow only hosts from the local area network and certain external networks to be able to access a specific port number. I have created a script firewall.sh, as follows:

#!/bin/sh

ALLOWED="
10.0.0.0/8
192.168.0.0/16
51.0.0.0/8
62.30.0.0/16
80.0.0.0/13
"

for addr in $ALLOWED
do
    iptables -A INPUT -s $addr -p tcp --dport 7500 -j ACCEPT
done

iptables -A INPUT -p tcp --dport 7500 -j DROP

After running the script iptables -L -n reveals:

Chain INPUT (policy ACCEPT)
ACCEPT  tcp -- 10.0.0.0/8      anywhere   tcp dpt:7500
ACCEPT  tcp -- 192.168.0.0/16  anywhere   tcp dpt:7500
ACCEPT  tcp -- 51.0.0.0/8      anywhere   tcp dpt:7500
ACCEPT  tcp -- 62.30.0.0/16    anywhere   tcp dpt:7500
ACCEPT  tcp -- 80.0.0.0/13     anywhere   tcp dpt:7500
DROP    tcp -- 0.0.0.0/0       0.0.0.0/0  tcp dpt:7500

I find that hosts outside of the list are still able to access the port.

Is the last entry in the table correct?

DROP    tcp -- 0.0.0.0/0       0.0.0.0/0  tcp dpt:7500

Should this read "anywhere"? Why isn't my filter working? Please advise.

Mark.

--
Mark Hobley, 393 Quinton Road West, Quinton, BIRMINGHAM. B32 1QE.
From: pk on 2 Jul 2008 17:21

On Wednesday 2 July 2008 23:06, Mark Hobley wrote:

> I want to allow only hosts from the local area network and certain
> external networks to be able to access a specific port number. I have
> created a script firewall.sh, as follows:
>
> #!/bin/sh
>
> ALLOWED="
> 10.0.0.0/8
> 192.168.0.0/16
> 51.0.0.0/8
> 62.30.0.0/16
> 80.0.0.0/13
> "
>
> for addr in $ALLOWED
> do
>     iptables -A INPUT -s $addr -p tcp --dport 7500 -j ACCEPT
> done
>
> iptables -A INPUT -p tcp --dport 7500 -j DROP
>
> After running the script iptables -L -n reveals:
>
> Chain INPUT (policy ACCEPT)
> ACCEPT  tcp -- 10.0.0.0/8      anywhere   tcp dpt:7500
> ACCEPT  tcp -- 192.168.0.0/16  anywhere   tcp dpt:7500
> ACCEPT  tcp -- 51.0.0.0/8      anywhere   tcp dpt:7500
> ACCEPT  tcp -- 62.30.0.0/16    anywhere   tcp dpt:7500
> ACCEPT  tcp -- 80.0.0.0/13     anywhere   tcp dpt:7500
> DROP    tcp -- 0.0.0.0/0       0.0.0.0/0  tcp dpt:7500
>
> I find that hosts outside of the list are still able to access the port.

Set a DROP default policy for the INPUT chain:

iptables -P INPUT DROP

(usually this is done before allowing anything)

This will drop anything not explicitly allowed, so be careful if you run that command while you are remotely connected.
From: Mark Hobley on 2 Jul 2008 18:33

pk <pk(a)pk.invalid> wrote:

> Set a DROP default policy for the INPUT chain:

Doesn't this affect the overall networking policy for every port number?

On the whole, I want my network traffic unfiltered (allowed by default). However, there are certain ports that I want traffic blocked on, unless I specifically allow it. Maybe I need some sort of "allow by default for some ports, but drop by default for other ports" type of policy. (Is that possible?)

> iptables -P INPUT DROP
>
> (usually this is done before allowing anything)
>
> This will drop anything not explicitly allowed, so be careful if you run
> that command while you are remotely connected.

I am remotely connected (though not via port 7500, which is a different kind of service and nothing to do with my remote connection). I am concerned that that will zap all of my network services. This is a busy server. I only want to make changes to port 7500.

Regards,

Mark.

--
Mark Hobley, 393 Quinton Road West, Quinton, BIRMINGHAM. B32 1QE.
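Added example, not code from any poster in this thread: the "drop by default for one port, allow by default for everything else" policy Mark asks about is done with a dedicated chain that only port 7500 traffic is sent to, so the INPUT policy stays ACCEPT. The address list is Mark's; the chain name PORT7500, the ipt wrapper and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: allow-list TCP/7500 in its own
# chain while the INPUT chain keeps its ACCEPT policy for every other port.
# Run as root with "apply"; "show" prints the commands without touching
# the kernel (DRY_RUN and the chain name PORT7500 are assumptions here).

ALLOWED="10.0.0.0/8 192.168.0.0/16 51.0.0.0/8 62.30.0.0/16 80.0.0.0/13"
PORT=7500
CHAIN=PORT7500

# Wrapper: print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_port_filter() {
    # Create the chain (ignoring "already exists") and empty it, so the
    # script can be re-run without stacking duplicate rules.
    ipt -N "$CHAIN" 2>/dev/null
    ipt -F "$CHAIN"
    for addr in $ALLOWED; do
        ipt -A "$CHAIN" -s "$addr" -j ACCEPT
    done
    # Anything that reached this chain and matched no allow rule is dropped;
    # traffic to other ports never enters the chain and is unaffected.
    ipt -A "$CHAIN" -j DROP
    # Remove any old jump, then INSERT (not append) the jump at position 1
    # of INPUT so no earlier ACCEPT rule can match port 7500 traffic first.
    ipt -D INPUT -p tcp --dport "$PORT" -j "$CHAIN" 2>/dev/null
    ipt -I INPUT 1 -p tcp --dport "$PORT" -j "$CHAIN"
}

case "${1:-}" in
    apply) apply_port_filter ;;
    show)  DRY_RUN=1; apply_port_filter ;;
esac
```

Because the jump is inserted at the head of INPUT, the result does not depend on whatever rules were already in the chain, and "iptables -L INPUT -n --line-numbers" should show it as rule 1.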
From: h.stroph on 2 Jul 2008 19:42

"Mark Hobley" <markhobley(a)hotpop.donottypethisbit.com> wrote in message news:ebctj5-rqg.ln1(a)neptune.markhobley.yi.org...

> > Set a DROP default policy for the INPUT chain:
>
> Doesn't this affect the overall networking policy for every port number?

No, it only affects the default policy for the INPUT chain on that interface. Deny all, allow only what is specified.

> On the whole, I want my network traffic unfiltered (allowed by default).

Only an incompetent fool of an administrator would want such unfiltered traffic.
From: Mark Hobley on 2 Jul 2008 21:02

h.stroph <me(a)privacy.net> wrote:

> Only an incompetent fool of an administrator would want such unfiltered
> traffic.

This particular computer is a public access machine, and the traffic is already being filtered by a remote hardware-based firewall device and intermediate routing devices. The specific filtering on port 7500 is being done locally on the machine to supplement the external firewalling, due to a limitation of the external hardware-based firewall, which is not able to handle a lengthy access list chain against the forwarded 7500 service port.

The computer is providing public access web services, news feeds, email, internet relay chat, game services and internal networking services, such as internal client access and network file services on several port numbers. I don't want a change to the iptables list to affect those services. All I want to do through iptables is limit access to port 7500 to those networks on the access list. I want the remaining networking ports to remain operational, as they are now.

I would have made these restrictions on one of the external firewalling devices rather than on the local machine had this been possible.

Regards,

Mark.

--
Mark Hobley, 393 Quinton Road West, Quinton, BIRMINGHAM. B32 1QE.