* help with whitelist
From: Joey @ 2008-10-29 18:13 UTC (permalink / raw)
To: IPTables
Hello All,
I have been refining my iptables code and have perfected the blocking side
(thanks to all who helped!). Rules are here: http://web56.net/iptables-save.cfg
But now I need to create some whitelist entries.
Let's say I have a block rule for 207.144.68.0/24 and I need to whitelist
207.144.68.15.
I tried this by hand for testing purposes:
Create chain
iptables -N WHITE_LIST
Rule for chain
iptables -A WHITE_LIST -p tcp --dport 25 -s 207.144.68.15 -m state --state NEW -j ACCEPT
Hook rule
iptables -A INPUT -j WHITE_LIST
I also tried this, but no luck
iptables -A INPUT -p tcp -s 207.44.168.15 -j LOG --log-prefix JOEY-TEST-JOEY
iptables -A INPUT -p tcp -s 207.44.168.15 --dport 25 -j DROP
iptables -N WHITE_LIST
iptables -A SMTP_TRAFFIC -j WHITE_LIST
iptables -N LOG_WHITE_LIST
iptables -A LOG_WHITE_LIST -j LOG --log-prefix "WHITELISTED"
iptables -A LOG_WHITE_LIST -j ACCEPT
I'm not really clear on this, so I figured I'd ask for help before I break
something.
Thanks!
Joey
* help with whitelist
From: Joey @ 2009-02-09 20:34 UTC (permalink / raw)
To: IPTables
Hello All,
I'm having a problem with a whitelist I am trying to implement, and apparently
we still block IPs on the whitelist.
First I execute the whitelist like so:
:CIDR-WHITE-LIST - [0:0]
:LOG_WHITE-LIST - [0:0]
-A CIDR-WHITE-LIST -s 1.2.3.4 -j LOG_WHITE-LIST
-A LOG_WHITE-LIST -j LOG --log-prefix "CIDR-WHITE-LIST"
-A LOG_WHITE-LIST -j ACCEPT
-A SMTP_TRAFFIC -j CIDR-WHITE-LIST
Then the blacklist like so:
:CIDR-ASIAN - [0:0]
:LOG_ASIAN - [0:0]
:SMTP_TRAFFIC - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC
-A CIDR-ASIAN -s 2.3.4.5 -j LOG_ASIAN
-A LOG_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A SMTP_TRAFFIC -j CIDR-ASIAN
I am basically blocking port 25 traffic to blocked IPs.
I must be missing something stupid, but I can't see it.
Any help is greatly appreciated!
Thanks!
* Re: help with whitelist
From: Gáspár Lajos @ 2009-02-10 14:49 UTC (permalink / raw)
To: Joey; +Cc: IPTables
Hi,
Am I blind, or is there no DROP/REJECT target at all???
Swifty
Joey wrote:
> Hello All,
>
> I'm having a problem with a whitelist I am trying to implement, and apparently
> we still block IPs on the whitelist.
>
> First I execute the whitelist like so:
>
> :CIDR-WHITE-LIST - [0:0]
> :LOG_WHITE-LIST - [0:0]
> -A CIDR-WHITE-LIST -s 1.2.3.4 -j LOG_WHITE-LIST
> -A LOG_WHITE-LIST -j LOG --log-prefix "CIDR-WHITE-LIST"
> -A LOG_WHITE-LIST -j ACCEPT
> -A SMTP_TRAFFIC -j CIDR-WHITE-LIST
>
> Then the blacklist like so:
>
> :CIDR-ASIAN - [0:0]
> :LOG_ASIAN - [0:0]
> :SMTP_TRAFFIC - [0:0]
> -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC
> -A CIDR-ASIAN -s 2.3.4.5 -j LOG_ASIAN
> -A LOG_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
> -A SMTP_TRAFFIC -j CIDR-ASIAN
>
> I am basically blocking port 25 traffic to blocked IPs.
> I must be missing something stupid, but I can't see it.
>
> Any help is greatly appreciated!
>
> Thanks!
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* RE: help with whitelist
From: Joey @ 2009-02-10 14:58 UTC (permalink / raw)
To: IPTables
Sorry, I forgot the
-A LOG_ASIAN -j DROP
Any idea why the accept isn't working?
> -----Original Message-----
> From: Gáspár Lajos [mailto:swifty@freemail.hu]
> Sent: Tuesday, February 10, 2009 9:50 AM
> To: Joey
> Cc: IPTables
> Subject: Re: help with whitelist
>
> Hi,
>
> Am I blind or there is no DROP/REJECT target at all???
>
> Swifty
>
> Joey wrote:
> > Hello All,
> >
> > I'm having a problem with a whitelist I am trying to implement, and apparently
> > we still block IPs on the whitelist.
> >
> > First I execute the whitelist like so:
> >
> > :CIDR-WHITE-LIST - [0:0]
> > :LOG_WHITE-LIST - [0:0]
> > -A CIDR-WHITE-LIST -s 1.2.3.4 -j LOG_WHITE-LIST
> > -A LOG_WHITE-LIST -j LOG --log-prefix "CIDR-WHITE-LIST"
> > -A LOG_WHITE-LIST -j ACCEPT
> > -A SMTP_TRAFFIC -j CIDR-WHITE-LIST
> >
> > Then the blacklist like so:
> >
> > :CIDR-ASIAN - [0:0]
> > :LOG_ASIAN - [0:0]
> > :SMTP_TRAFFIC - [0:0]
> > -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC
> > -A CIDR-ASIAN -s 2.3.4.5 -j LOG_ASIAN
> > -A LOG_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
> > -A SMTP_TRAFFIC -j CIDR-ASIAN
> >
> > I am basically blocking port 25 traffic to blocked IPs.
> > I must be missing something stupid, but I can't see it.
> >
> > Any help is greatly appreciated!
> >
> > Thanks!
* Re: help with whitelist
From: Gáspár Lajos @ 2009-02-10 15:06 UTC (permalink / raw)
To: Joey; +Cc: IPTables
Hi,
Okay...
Try again... :D
:LOGDROP_ASIAN - [0:0]
-A LOGDROP_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A LOGDROP_ASIAN -j DROP
:SMTP_TRAFFIC - [0:0]
-A SMTP_TRAFFIC -s 2.3.4.5 -j LOGDROP_ASIAN
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC
You can check the state (matching packets) with this command:
iptables -vnL
Swifty
* Help with whitelist
From: Joey @ 2009-03-11 18:21 UTC (permalink / raw)
To: IPTables
Hello All,
I'm having a problem with a whitelist I am trying to implement with iptables,
and apparently we still block IPs on the whitelist.
I am basically blocking port 25 traffic to blocked IPs but also need to
whitelist some as well, ensuring they never get blocked by accident.
I have my iptables rules posted here: http://web56.net/iptables.txt
We also use fail2ban, which blocks other IPs that fail the password, so my
whitelist is to hopefully protect against false blocking of legit clients.
I must be missing something stupid, but I just can't see it.
Any help is greatly appreciated!
Thanks!
* RE: Help with whitelist
From: Nikolay S. Rybaloff @ 2009-03-11 19:22 UTC (permalink / raw)
To: 'Joey', 'IPTables'
You seem to have lots of entries in your lists. Did you consider using ipset?
As for the question: look at iptables -L. Fail2ban adds its rules to the head of the INPUT chain of the filter table by default, so its rules trigger before the whitelist.
-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Joey
Sent: Wednesday, March 11, 2009 9:21 PM
To: IPTables
Subject: Help with whitelist
Hello All,
I'm having a problem with a whitelist I am trying to implement with iptables,
and apparently we still block IPs on the whitelist.
I am basically blocking port 25 traffic to blocked IPs but also need to
whitelist some as well, ensuring they never get blocked by accident.
I have my iptables rules posted here: http://web56.net/iptables.txt
We also use fail2ban, which blocks other IPs that fail the password, so my
whitelist is to hopefully protect against false blocking of legit clients.
I must be missing something stupid, but I just can't see it.
Any help is greatly appreciated!
Thanks!
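The three things this thread turns on are all about rule order and chain traversal: Gáspár's point that a LOG chain with no DROP ends and traversal simply continues, the October attempt that appended the whitelist hook after the block rules, and Nikolay's point that fail2ban inserts at the head of INPUT so its rules fire before any whitelist. The following is an added example, not code from any message in the thread: a small Python model of filter-table traversal (Filter and smtp_filter are constructed for illustration and are not netfilter or iptables code). It rebuilds the SMTP_TRAFFIC layout from the messages with the addresses quoted in October, then shows the verdict for the whitelisted host under each arrangement. The fail2ban ban is simplified to a DROP inserted with -I INPUT; real fail2ban jumps to its own chain, but the insertion position is the same.

```python
# Toy model of how the netfilter filter table walks INPUT and user-defined
# chains. Constructed for this thread to show why the whitelists discussed
# here never took effect; it is not netfilter/iptables code and does not
# touch a real firewall. Addresses are the ones quoted in the thread.
import ipaddress

ACCEPT, DROP, LOG = "ACCEPT", "DROP", "LOG"

BLOCK_NET = "207.144.68.0/24"   # blocked range from the October message
GOOD_HOST = "207.144.68.15"     # host inside that range that must stay whitelisted
OTHER_HOST = "207.144.68.200"   # constructed: another host in the blocked range


class Filter:
    """Minimal filter table: INPUT, user chains, a chain policy, LOG output."""

    def __init__(self, policy=ACCEPT):
        self.policy = policy          # used when INPUT runs off its end
        self.chains = {"INPUT": []}   # chain name -> list of (src, dport, target, prefix)
        self.log = []                 # prefixes emitted by LOG targets

    def new_chain(self, name):                                           # -N
        self.chains.setdefault(name, [])

    def append(self, chain, target, src=None, dport=None, prefix=None):  # -A
        self.chains[chain].append((src, dport, target, prefix))

    def insert(self, chain, target, src=None, dport=None, prefix=None):  # -I
        # -I without a position puts the rule at the head of the chain, ahead
        # of everything appended earlier; fail2ban does this to INPUT.
        self.chains[chain].insert(0, (src, dport, target, prefix))

    def listing(self, chain):
        """Numbered rule list, what 'iptables -nL --line-numbers' would show."""
        return [f"{n} -s {src or '0.0.0.0/0'} --dport {dport or 'any'} -j {target}"
                for n, (src, dport, target, _) in enumerate(self.chains[chain], 1)]

    @staticmethod
    def _matches(rule, src_ip, dport):
        src, port, _, _ = rule
        if src is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(src):
            return False
        return port is None or port == dport

    def _walk(self, chain, src_ip, dport):
        """ACCEPT/DROP when a terminating target matches; None if the chain ends."""
        for rule in self.chains[chain]:
            if not self._matches(rule, src_ip, dport):
                continue
            target, prefix = rule[2], rule[3]
            if target == LOG:
                self.log.append(prefix)        # LOG does not end traversal
            elif target in (ACCEPT, DROP):
                return target
            else:                              # -j USER_CHAIN
                verdict = self._walk(target, src_ip, dport)
                if verdict is not None:
                    return verdict
                # user chain ran off its end: keep going in this chain
        return None

    def verdict(self, src_ip, dport):
        """Final verdict for a new TCP packet to dport from src_ip."""
        self.log = []
        return self._walk("INPUT", src_ip, dport) or self.policy


def smtp_filter(whitelist_first=True, with_drop=True):
    """Rebuild the thread's SMTP_TRAFFIC layout. whitelist_first=False hooks the
    whitelist chain in after the block chain; with_drop=False leaves out the
    DROP that Gáspár noticed was missing."""
    f = Filter()
    for c in ("SMTP_TRAFFIC", "CIDR-ASIAN", "LOG_ASIAN", "CIDR-WHITE-LIST", "LOG_WHITE-LIST"):
        f.new_chain(c)
    f.append("INPUT", "SMTP_TRAFFIC", dport=25)
    f.append("LOG_WHITE-LIST", LOG, prefix="CIDR-WHITE-LIST")
    f.append("LOG_WHITE-LIST", ACCEPT)
    f.append("CIDR-WHITE-LIST", "LOG_WHITE-LIST", src=GOOD_HOST)
    f.append("LOG_ASIAN", LOG, prefix="SPAM-BLOCK-CIDR-ASIAN")
    if with_drop:
        f.append("LOG_ASIAN", DROP)
    f.append("CIDR-ASIAN", "LOG_ASIAN", src=BLOCK_NET)
    hooks = ["CIDR-WHITE-LIST", "CIDR-ASIAN"] if whitelist_first else ["CIDR-ASIAN", "CIDR-WHITE-LIST"]
    for chain in hooks:
        f.append("SMTP_TRAFFIC", chain)
    return f


if __name__ == "__main__":
    print("no DROP, blocked host  :", smtp_filter(with_drop=False).verdict(OTHER_HOST, 25))
    print("whitelist hooked late  :", smtp_filter(whitelist_first=False).verdict(GOOD_HOST, 25))
    print("whitelist hooked first :", smtp_filter().verdict(GOOD_HOST, 25))
    banned = smtp_filter()
    banned.insert("INPUT", DROP, src=GOOD_HOST)   # simplified fail2ban-style ban
    print("after fail2ban -I INPUT:", banned.verdict(GOOD_HOST, 25))
    print("\n".join(banned.listing("INPUT")))
```

Running it shows the whitelisted host accepted only when its chain is reached before any DROP, and dropped again as soon as a rule is inserted above the SMTP_TRAFFIC jump in INPUT, which is exactly what `iptables -vnL` on the real box would reveal by rule position. A whitelist that must survive fail2ban therefore has to be placed where fail2ban cannot get ahead of it (for instance fail2ban's own ignoreip setting) rather than appended to INPUT.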