* services for predetermined IP addresses
From: kate @ 2004-10-15 19:41 UTC
To: netfilter@lists.netfilter.org
Hello,
As I see increased scans on my IP address, I want to limit access to only predetermined IP address ranges for certain services - Is the following the correct way to do this?
<snip>
# (Part A) Rules for incoming packets from Internet
# Packets for established connections
iptables -A INPUT -p ALL -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# (Part B) TCP Rules
iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1 --destination-port 21 -j okay # userA
iptables -A INPUT -p TCP -i eth0 -s 123.45.0/16 --destination-port 22 -j okay #users A - Z
</snip>
So I understand - ONLY User A can ftp, and all those in 123.45. can ssh, BUT no-one else on the Internet can request services?
Thanks in advance
Kate
* Re: services for predetermined IP addresses
From: Jason Opperisano @ 2004-10-15 20:01 UTC
To: netfilter
On Fri, Oct 15, 2004 at 12:41:15PM -0700, kate wrote:
> Hello,
>
> As I see increased scans on my IP address, I want to
> limit access to only predetermined IP address ranges
> for certain services - Is the following the correct
> way to do this?
>
> <snip>
> # (Part A) Rules for incoming packets from Internet
> # Packets for established connections
> iptables -A INPUT -p ALL -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
stylistic note: the "-p ALL" is kinda unnecessary...
> # (Part B) TCP Rules
> iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1 --destination-port 21 -j okay # userA
> iptables -A INPUT -p TCP -i eth0 -s 123.45.0/16 --destination-port 22 -j okay #users A - Z
i think you're missing a "0" there: 123.45.0/16 should really be 123.45.0.0/16.
> </snip>
>
> So I understand - ONLY User A can ftp, and all those in 123.45. can ssh, BUT no-one else on the Internet can request services?
yes--as long as somewhere further down the chain you hit a drop-all rule of some sort...
-j
--
Jason Opperisano <opie@817west.com>
* Re: services for predetermined IP addresses
From: kate @ 2004-10-15 20:14 UTC
To: Jason Opperisano, netfilter
--- Jason Opperisano <opie@817west.com> wrote:
> On Fri, Oct 15, 2004 at 12:41:15PM -0700, kate wrote:
> > Hello,
> >
> > As I see increased scans on my IP address, I want to limit access to only predetermined IP address ranges for certain services - Is the following the correct way to do this?
> >
> > <snip>
> > # (Part A) Rules for incoming packets from Internet
> > # Packets for established connections
> > iptables -A INPUT -p ALL -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> stylistic note: the "-p ALL" is kinda unnecessary...
>
> > # (Part B) TCP Rules
> > iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1 --destination-port 21 -j okay # userA
> > iptables -A INPUT -p TCP -i eth0 -s 123.45.0/16 --destination-port 22 -j okay #users A - Z
>
> i think you're missing a "0" there: 123.45.0/16 should really be 123.45.0.0/16.
>
> > </snip>
> >
> > So I understand - ONLY User A can ftp, and all those in 123.45. can ssh, BUT no-one else on the Internet can request services?
>
> yes--as long as somewhere further down the chain you hit a drop-all rule of some sort...
Yes, I see that now...
# (Part B) TCP Rules
iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1 --destination-port 21 -j okay # userA
iptables -A INPUT -p TCP -i eth0 -s 123.45.0.0/16 --destination-port 22 -j okay #users A - Z
so the drop-all would be..?
iptables -A INPUT -p TCP -i eth0 -s 0/0 -j DROP
or did I just invent my own thing here?
tia
Kate
* Re: services for predetermined IP addresses
From: Jason Opperisano @ 2004-10-15 20:28 UTC
To: netfilter
On Fri, Oct 15, 2004 at 01:14:13PM -0700, kate wrote:
> so the drop-all would be..?
>
> iptables -A INPUT -p TCP -i eth0 -s 0/0 -j DROP
>
> or did I just invent my own thing here?
> tia
> Kate
well--the standard way would be to set the policy of the built-in chain
to DROP; i.e.,
iptables -P INPUT DROP
the same can be achieved by making the last rule in the chain a drop
rule, like
iptables -A INPUT -j DROP
but that gets messy if you want to append rules "on the fly" so the
policy method is preferred.
-j
--
Jason Opperisano <opie@817west.com>
* Re: services for predetermined IP addresses
From: kate @ 2004-10-15 20:40 UTC
To: Jason Opperisano, netfilter
--- Jason Opperisano <opie@817west.com> wrote:
> On Fri, Oct 15, 2004 at 01:14:13PM -0700, kate wrote:
> > so the drop-all would be..?
> >
> > iptables -A INPUT -p TCP -i eth0 -s 0/0 -j DROP
> >
> > or did I just invent my own thing here?
> > tia
> > Kate
>
> well--the standard way would be to set the policy of the built-in chain to DROP; i.e.,
>
> iptables -P INPUT DROP
>
> the same can be achieved by making the last rule in the chain a drop rule, like
>
> iptables -A INPUT -j DROP
>
> but that gets messy if you want to append rules "on the fly" so the policy method is preferred.
Last question-
I have this at the top of my script. We should be good to go with this, right?
#(1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
or do we need something below part 3
iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1 --destination-port 21 -j okay # userA
iptables -A INPUT -p TCP -i eth0 -s 123.45.0.0/16 --destination-port 22 -j okay #users A - Z
like ?
iptables -A INPUT -j DROP
many thanks for all your help. At least the LAN works!
Kate
* Re: services for predetermined IP addresses
From: Jason Opperisano @ 2004-10-15 21:03 UTC
To: netfilter
On Fri, Oct 15, 2004 at 01:40:52PM -0700, kate wrote:
> Last question-
> I have this at the top of my script, We should be good
> to go with this right ?
>
> #(1) Policies (default)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
yes--we're good to go...
> or do we need something below part 3
>
> iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1 --destination-port 21 -j okay # userA
> iptables -A INPUT -p TCP -i eth0 -s 123.45.0.0/16 --destination-port 22 -j okay #users A - Z
>
> like ?
> iptables -A INPUT -j DROP
this would be redundant with "-P INPUT DROP" although it's worth noting
that this last rule would catch all the traffic, and the INPUT policy
counters would forever remain at zero.
i personally like to make my last rule some sort of logging rule--so in
the event i'm blocking something i shouldn't--i have a record of what it
looks like...i think my current iteration of the "log everything that's
about to be dropped by the chain policy" rule looks something like:
iptables -A INPUT -m limit --limit 1/sec --limit-burst 3 \
-j LOG --log-level 4 --log-prefix "FW DROP INPUT: "
-j
--
Jason Opperisano <opie@817west.com>
* RE: services for predetermined IP addresses
From: Daniel Chemko @ 2004-10-15 20:25 UTC
To: kate, Jason Opperisano, netfilter
> so the drop-all would be..?
>
> iptables -A INPUT -p TCP -i eth0 -s 0/0 -j DROP
>
> or did I just invent my own thing here?
> tia
> Kate
I was just about to comment:
To drop by policy, any rule that doesn't get matched earlier gets picked up by the policy rule.
You would use:
iptables -P INPUT DROP
* RE: services for predetermined IP addresses
From: Jose Maria Lopez @ 2004-10-16 17:52 UTC
To: netfilter@lists.netfilter.org
On Fri, 15 Oct 2004 at 22:25, Daniel Chemko wrote:
> > so the drop-all would be..?
> >
> > iptables -A INPUT -p TCP -i eth0 -s 0/0 -j DROP
> >
> > or did I just invent my own thing here?
> > tia
> > Kate
>
> I was just about to comment:
>
> To drop by policy, any rule that doesn't get matched earlier gets picked up by the policy rule.
>
> You would use:
>
> iptables -P INPUT DROP
But remember to put this line before the lines that accept
packets or you will be accepting packets before they reach
the default policy.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"