* correct net fitler rule
@ 2009-10-28 4:00 Ralph Blach
2009-10-28 10:45 ` Mart Frauenlob
0 siblings, 1 reply; 6+ messages in thread
From: Ralph Blach @ 2009-10-28 4:00 UTC (permalink / raw)
To: netfilter
I want to log all drop packets but just pass some packets
I wrote these rules.
'
Will these test of rules allow all packets on the input of wlan allow
packets with source address in the 10.0.0.0/255.255.255.0
and drop/log the selected networks>
Thanks
Chip
/sbin/iptables -F
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -i wlan0 -j LOG --log-level 7
/sbin/iptables -A LOGDROP -j DROP
/sbin/iptables -A INPUT -i wlan -s 10.0.0.0/255.255.255.0 -j
RETURN #return
/sbin/iptables -A INPUT -i wlan -s 24.25.5.148 -j RETURN
/sbin/iptables -A INPUT -i wlan -s 24.25.5.147 -j RETURN
/sbin/iptables -A INPUT -i wlan0 -s 58.102.198.29/255.255.255.0 -j
LOGDROP # log and drop
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: correct net fitler rule
2009-10-28 4:00 correct net fitler rule Ralph Blach
@ 2009-10-28 10:45 ` Mart Frauenlob
2009-10-28 12:49 ` Ralph Blach
0 siblings, 1 reply; 6+ messages in thread
From: Mart Frauenlob @ 2009-10-28 10:45 UTC (permalink / raw)
To: netfilter
Ralph Blach wrote:
> I want to log all drop packets but just pass some packets
>
> I wrote these rules.
> '
> Will these test of rules allow all packets on the input of wlan allow
> packets with source address in the 10.0.0.0/255.255.255.0
> and drop/log the selected networks>
>
> Thanks
> Chip
>
> /sbin/iptables -F
> /sbin/iptables -N LOGDROP
> /sbin/iptables -A LOGDROP -i wlan0 -j LOG --log-level 7
> /sbin/iptables -A LOGDROP -j DROP
> /sbin/iptables -A INPUT -i wlan -s 10.0.0.0/255.255.255.0 -j
> RETURN #return
> /sbin/iptables -A INPUT -i wlan -s 24.25.5.148 -j RETURN
> /sbin/iptables -A INPUT -i wlan -s 24.25.5.147 -j RETURN
> /sbin/iptables -A INPUT -i wlan0 -s 58.102.198.29/255.255.255.0 -j
> LOGDROP # log and drop
you should really take more care to get your facts straight, imho. it's
not the first time you try to request on that issue...
you also should read the iptables tutorial:
http://www.frozentux.net/documents/iptables-tutorial/
still having a hard time to figure out what you want, this is my best guess:
#!/bin/bash
ipt=/sbin/iptables
if_wlan=wlan0
allow_net=10.0.0.0/24
allow_hosts="24.25.5.148 24.25.5.147"
# first set INPUT policy to DROP
$ipt -P INPUT DROP
# allow from allowed network
$ipt -A INPUT -i $if_wlan -s $allow_net -j ACCEPT
# allow from certain hosts
for host in ${allow_hosts}; do
$ipt -A INPUT -s $host -j ACCEPT
done
# log what is left, as the policy will drop it afterwards
$ipt -A INPUT -j LOG --log-level 7 --log-prefix "INPUT_POLICY_DROP: "
Regards
Mart
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: correct net fitler rule
2009-10-28 10:45 ` Mart Frauenlob
@ 2009-10-28 12:49 ` Ralph Blach
2009-10-28 12:53 ` Richard Horton
0 siblings, 1 reply; 6+ messages in thread
From: Ralph Blach @ 2009-10-28 12:49 UTC (permalink / raw)
To: netfilter
Ok,
Let me explain more precisely what I am trying to accomplish
I have sshd open on my firewall and it forwards ports to my linux
server. My firewall is is a linksys wireless router and does not have
the capability to block networks.
For my local 10.0.0.0/24 network on the interface wlan0, I just want
traffic to pass
For the the external name servers, I just want traffic to pass
Since I get attached, I want to drop and log from any attaching network.
This happens on a daily bassis, so I am constally updating the list.
What is the best set of rules to accomplish this
How have people on the list sovled this problem.
Thanks
Mart Frauenlob wrote:
> Ralph Blach wrote:
>> I want to log all drop packets but just pass some packets
>>
>> I wrote these rules.
>> '
>> Will these test of rules allow all packets on the input of wlan allow
>> packets with source address in the 10.0.0.0/255.255.255.0
>> and drop/log the selected networks>
>>
>> Thanks
>> Chip
>>
>> /sbin/iptables -F
>> /sbin/iptables -N LOGDROP
>> /sbin/iptables -A LOGDROP -i wlan0 -j LOG --log-level 7
>> /sbin/iptables -A LOGDROP -j DROP
>> /sbin/iptables -A INPUT -i wlan -s 10.0.0.0/255.255.255.0 -j
>> RETURN #return
>> /sbin/iptables -A INPUT -i wlan -s 24.25.5.148 -j RETURN
>> /sbin/iptables -A INPUT -i wlan -s 24.25.5.147 -j RETURN
>> /sbin/iptables -A INPUT -i wlan0 -s 58.102.198.29/255.255.255.0 -j
>> LOGDROP # log and drop
> you should really take more care to get your facts straight, imho.
> it's not the first time you try to request on that issue...
> you also should read the iptables tutorial:
> http://www.frozentux.net/documents/iptables-tutorial/
>
> still having a hard time to figure out what you want, this is my best
> guess:
>
>
> #!/bin/bash
>
> ipt=/sbin/iptables
> if_wlan=wlan0
> allow_net=10.0.0.0/24
> allow_hosts="24.25.5.148 24.25.5.147"
>
> # first set INPUT policy to DROP
> $ipt -P INPUT DROP
>
> # allow from allowed network
> $ipt -A INPUT -i $if_wlan -s $allow_net -j ACCEPT
>
> # allow from certain hosts
> for host in ${allow_hosts}; do
> $ipt -A INPUT -s $host -j ACCEPT
> done
>
> # log what is left, as the policy will drop it afterwards
> $ipt -A INPUT -j LOG --log-level 7 --log-prefix "INPUT_POLICY_DROP: "
>
>
> Regards
>
> Mart
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: correct net fitler rule
2009-10-28 12:49 ` Ralph Blach
@ 2009-10-28 12:53 ` Richard Horton
2009-10-31 19:37 ` Ralph Blach
0 siblings, 1 reply; 6+ messages in thread
From: Richard Horton @ 2009-10-28 12:53 UTC (permalink / raw)
To: Ralph Blach; +Cc: netfilter
2009/10/28 Ralph Blach <rcblach@gmail.com>:
> Ok,
>
[snip]
> Since I get attached, I want to drop and log from any attaching network.
>
> This happens on a daily bassis, so I am constally updating the list.
>
> What is the best set of rules to accomplish this
If you only wish to allow traffic from your internal network and the
external nameservers then its simple.
set your iptables policies, as said earlier, to DROP.
Then create explicit rules to accept the traffic you want in each
chain as needed.
If you want to log any DROP traffic then just make the LAST rule in
each chain a logging rule...
If you use DROP as a policy and only allow specific traffic you will
not have to keep updating your rule set to block additional networks.
--
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: correct net fitler rule
2009-10-28 12:53 ` Richard Horton
@ 2009-10-31 19:37 ` Ralph Blach
2009-10-31 23:44 ` Richard Horton
0 siblings, 1 reply; 6+ messages in thread
From: Ralph Blach @ 2009-10-31 19:37 UTC (permalink / raw)
To: Richard Horton; +Cc: netfilter
I am not so good at writing what I wish to accomplish
I am often not at home and wish to access my system. That means when I
ssh into my machine, it will be from
a ip address of a hotels or other ISP network.
Internternet
linksys 10.0.0.0/255.255.255.0
-------------------| firewall with portt 22 forwarded |
----------------|linux server|------------
For my home machine, I wish to block traffic from network which I see in
my /var/log/secure file have attached my machine.
( By now I have a long list, I anybody wants it)
But for certain well know address, like the 10.0.0.0/255.255.255.0 and
the nameserver addresses, I just wish to accept those
There seens to be a never ending stream of break in attempts.
in sshd, I have all dened all uses except a 2 users with Complex names
and passwords.
so allow the internal local network.
allow the nameservers.
deny attacking networks.
Richard Horton wrote:
> 2009/10/28 Ralph Blach <rcblach@gmail.com>:
>
>> Ok,
>>
>>
> [snip]
>
>> Since I get attached, I want to drop and log from any attaching network.
>>
>> This happens on a daily bassis, so I am constally updating the list.
>>
>> What is the best set of rules to accomplish this
>>
>
> If you only wish to allow traffic from your internal network and the
> external nameservers then its simple.
>
> set your iptables policies, as said earlier, to DROP.
>
> Then create explicit rules to accept the traffic you want in each
> chain as needed.
> If you want to log any DROP traffic then just make the LAST rule in
> each chain a logging rule...
>
> If you use DROP as a policy and only allow specific traffic you will
> not have to keep updating your rule set to block additional networks.
>
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: correct net fitler rule
2009-10-31 19:37 ` Ralph Blach
@ 2009-10-31 23:44 ` Richard Horton
0 siblings, 0 replies; 6+ messages in thread
From: Richard Horton @ 2009-10-31 23:44 UTC (permalink / raw)
To: Ralph Blach; +Cc: netfilter
2009/10/31 Ralph Blach <rblach@intrex.net>
>
> I am not so good at writing what I wish to accomplish
>
> I am often not at home and wish to access my system. That means when I ssh into my machine, it will be from
> a ip address of a hotels or other ISP network.
>
> Internternet linksys 10.0.0.0/255.255.255.0
> -------------------| firewall with portt 22 forwarded | ----------------|linux server|------------
>
> For my home machine, I wish to block traffic from network which I see in my /var/log/secure file have attached my machine.
> ( By now I have a long list, I anybody wants it)
> But for certain well know address, like the 10.0.0.0/255.255.255.0 and the nameserver addresses, I just wish to accept those
> There seens to be a never ending stream of break in attempts.
>
> in sshd, I have all dened all uses except a 2 users with Complex names and passwords.
>
> so allow the internal local network.
> allow the nameservers.
> deny attacking networks.
>
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N ALLOW
iptables -A ALLOW -s <internal network> -j ACCEPT
iptables -A ALLOW -d <internal network> -j ACCEPT
iptables -A ALLOW -s <dns> --sport 53 -j ACCEPT
iptables -A ALLOW -d <dns> --dport 53 -j ACCEPT
iptables -A INPUT -j ALLOW
iptables -A INPUT -j LOG --log-prefix "FW DROP >" --log-ip-options
--log-tcp-options
Repeat the last two rules for the OUTPUT and FORWARD chains as well.
The last (log) rule is only if you want a record of whats going on.
***ANY*** traffic not explicitly added to the ALLOW user-defined chain
will get dropped.
--
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2009-10-31 23:44 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-10-28 4:00 correct net fitler rule Ralph Blach
2009-10-28 10:45 ` Mart Frauenlob
2009-10-28 12:49 ` Ralph Blach
2009-10-28 12:53 ` Richard Horton
2009-10-31 19:37 ` Ralph Blach
2009-10-31 23:44 ` Richard Horton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.