[lug] iptables

j davis davis_compz at hotmail.com
Tue May 21 23:27:05 MDT 2002


Yes, D, that was helpful. Now I'll just write rules like this in INPUT
and FORWARD (along with other rules)

/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP

thanks :)
jd



>From: "D. Stimits" <stimits at idcomm.com>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] iptables
>Date: Tue, 21 May 2002 22:29:08 -0600
>
>j davis wrote:
> >
> > so you're telling me that iptables would never dnat any traffic to my
> > firewall from the internet to the private ip associated with the
> > firewall unless i wrote a rule in prerouting. And my daemons will take
> > requests from either because they are not bound to a specific ip?
>
>NAT can route an IP from any IP to any other IP if it thinks it is
>supposed to. But the 10.x.x.x IP addresses are not routable on the
>Internet, there is a big difference, especially if someone is trying to
>crack your system. Because 10.x.x.x is not routeable on the Internet,
>you are guaranteed that anything wanting to connect directly to a
>10.x.x.x address, and not indirectly via NAT, is via spoofing and is
>malicious. Just because the Internet won't route it, doesn't mean
>someone can't spoof it. So any packet arriving from the Internet,
>directly asking for a 10.x.x.x IP, should be rejected. If the packet
>originates internally, then don't reject it. Your IP that is visible to
>the outside world is a non-10.x.x.x IP. So take the ethernet with a
>non-10.x.x.x IP, and reject port 23, this is the one a valid non-spoofed
>packet will go to initially. Now if for some reason you have a NAT rule,
>then a *valid* packet that arrives from the outside will say it is bound
>for a port of the visible public address, it won't know anything about
>the 10.x.x.x address, this is where the kernel knows and redirects
>it...thus the redirect in that case is arriving initially on the
>non-10.x.x.x, and the 10.x.x.x ethernet never sees it until the kernel
>itself does its thing. Was that helpful or confusing?
>
>The short answer is that the outside world packets will *never* hit the
>10.x.x.x ethernet unless the kernel does something or if the packets are
>spoofed.
>
>D. Stimits, stimits at idcomm.com
>
> >
> > Please Help,
> > jd
> >
> > >From: "D. Stimits" <stimits at idcomm.com>
> > >Reply-To: lug at lug.boulder.co.us
> > >To: lug at lug.boulder.co.us
> > >Subject: Re: [lug] iptables
> > >Date: Tue, 21 May 2002 21:18:31 -0600
>...
> > >j davis wrote:
> > > >
> > > > Hi,
> > > > so if a request is made to the public interface of my firewall is
> > > > the request processed as the public IP or the private IP for the
> > >firewall.
> > > >
> > > > example :
> > > >
> > > > I want to block telnet access to my firewall from the internet. I
> > > > write rules in the INPUT chain to do this. Would I write the rule
> > > > blocking telnet using the public or private interface
> > > >
> > > > /sbin/iptables -A INPUT -i eth0 -d 10.0.0.1 -p tcp --dport 23 -j DROP
> > > >
> > > >                       or
> > > >
> > > > /sbin/iptables -A INPUT -i eth0 -d $MY_PUB_IP -p tcp --dport 23 -j DROP
> > > >
> > > > Thanks
> > > > jd
> > >
> > >What is the routable IP visible to the world? That is the IP you block.
> > >Anything arriving from the outside that is pointed at a non-routable
> > >10.x.x.x IP should be considered hostile and summarily banned; if
> > >something on the inside is supposed to receive the packet via
> > >masquerade, then it will not know about the non-routable IP, it will be
> > >up to the kernel to put it to the right IP/port.
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
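As an added example (not code from anyone in this thread), the following POSIX sh script turns the advice above into a small reusable ruleset: drop packets that arrive on the public interface claiming a private or loopback source address, in both INPUT and FORWARD, and drop telnet to the firewall itself. The interface name eth0, the list of private ranges, and the DRY_RUN switch are assumptions chosen for illustration; adjust them to the box at hand.

```shell
#!/bin/sh
# Added example, not the list poster's own script.
# Assumptions (constructed for illustration): eth0 is the public
# interface; the firewall binary lives at /sbin/iptables.
# DRY_RUN=1 prints the commands instead of executing them, so the
# ruleset can be reviewed without root.

PUB_IF="${PUB_IF:-eth0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run an iptables command, or just echo it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Source ranges that the Internet never routes; a packet arriving on the
# public interface with one of these as its source is spoofed.
# (RFC 1918 private space plus loopback.)
bogon_sources() {
    printf '%s\n' 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
}

# Append the anti-spoofing and telnet rules. Rules are appended (-A), so
# call this before any rule that ACCEPTs traffic on $PUB_IF.
apply_antispoof() {
    for chain in INPUT FORWARD; do
        for net in $(bogon_sources); do
            ipt -A "$chain" -i "$PUB_IF" -s "$net" -j DROP
        done
    done
    # -p selects the protocol; the port is given with --dport.
    ipt -A INPUT -i "$PUB_IF" -p tcp --dport 23 -j DROP
}

# Only act when invoked as "sh thisfile.sh apply".
if [ "${1:-}" = "apply" ]; then
    apply_antispoof
fi
```

Run it as `DRY_RUN=1 sh firewall.sh apply` to see the nine rules it would add, then as root without DRY_RUN to load them. Two points worth noting. The telnet rule must use `-p tcp --dport 23`; `-p 23` would be read as IP protocol number 23, not TCP port 23, and would silently never match a telnet connection. The script matches only on the *source* address: since DNAT in PREROUTING rewrites the destination before INPUT and FORWARD ever see the packet, a rule dropping packets with a 10.x.x.x destination on eth0 would also drop legitimately port-forwarded traffic, whereas a private source address on the public side is spoofed regardless of any NAT rule.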



