[lug] iptables

D. Stimits stimits at idcomm.com
Wed May 22 12:25:23 MDT 2002


j davis wrote:
> 
> Yes, D that was helpful. Now I'll just write rules like this in INPUT
> and FORWARD (along with other rules)
> 
> /sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP

I'm basically an ipchains person, but the above looks about right. One
thing to change though, the 10.0.0.0 non-routable is a /24, rather than
a /8, so you want to change the mask to /24. Not positive, but perhaps
the 192.168.0.0 should be a /16 (anyone, is the 192.168.x.x
non-routable over the Internet for a /16?). And of course if you add
logging initially, then you will be able to see if it is doing what you
want, and you can turn off logging later for the port 23 version. Since
you are guaranteed that a non-routable range is an attack or a
configuration problem, you probably shouldn't turn off logging for those
ranges.

D. Stimits, stimits at idcomm.com

> 
> thanks :)
> jd
> >j davis wrote:
> > >
> > > So you're telling me that iptables would never dnat any traffic to my
> > > firewall from the internet to the private ip associated with the firewall
> > > unless I wrote a rule in prerouting. And my daemons will take requests
> > > from either because they are not bound to a specific ip?
> >
> >NAT can route an IP from any IP to any other IP if it thinks it is
> >supposed to. But the 10.x.x.x IP addresses are not routable on the
> >Internet, there is a big difference, especially if someone is trying to
> >crack your system. Because 10.x.x.x is not routable on the Internet,
> >you are guaranteed that anything wanting to connect directly to a
> >10.x.x.x address, and not indirectly via NAT, is via spoofing and is
> >malicious. Just because the Internet won't route it, doesn't mean
> >someone can't spoof it. So any packet arriving from the Internet,
> >directly asking for a 10.x.x.x IP, should be rejected. If the packet
> >originates internally, then don't reject it. Your IP that is visible to
> >the outside world is a non-10.x.x.x IP. So take the ethernet with a
> >non-10.x.x.x IP, and reject port 23, this is the one a valid non-spoofed
> >packet will go to initially. Now if for some reason you have a NAT rule,
> >then a *valid* packet that arrives from the outside will say it is bound
> >for a port of the visible public address, it won't know anything about
> >the 10.x.x.x address, this is where the kernel knows and redirects
> >it...thus the redirect in that case is arriving initially on the
> >non-10.x.x.x, and the 10.x.x.x ethernet never sees it until the kernel
> >itself does its thing. Was that helpful or confusing?
> >
> >The short answer is that the outside world packets will *never* hit the
> >10.x.x.x ethernet unless the kernel does something or if the packets are
> >spoofed.
> >
> >D. Stimits, stimits at idcomm.com
> >
> > >
> > > Please Help,
> > > jd
> > >
> > > >From: "D. Stimits" <stimits at idcomm.com>
> > > >Reply-To: lug at lug.boulder.co.us
> > > >To: lug at lug.boulder.co.us
> > > >Subject: Re: [lug] iptables
> > > >Date: Tue, 21 May 2002 21:18:31 -0600
> >...
> > > >j davis wrote:
> > > > >
> > > > > Hi,
> > > > > so if a request is made to the public interface of my firewall, is
> > > > > the request processed as the public IP or the private IP for the
> > > > > firewall?
> > > > >
> > > > > example :
> > > > >
> > > > > I want to block telnet access to my firewall from the internet. I
> > > > > write rules in the INPUT chain to do this. Would I write the rule
> > > > > blocking telnet using the public or private interface?
> > > > >
> > > > > /sbin/iptables -A INPUT -i eth0 -d 10.0.0.1 -p tcp --dport 23 -j DROP
> > > > >
> > > > >                       or
> > > > >
> > > > > /sbin/iptables -A INPUT -i eth0 -d $MY_PUB_IP -p tcp --dport 23 -j DROP
> > > > >
> > > > > Thanks
> > > > > jd
> > > >
> > > >What is the routable IP visible to the world? That is the IP you block.
> > > >Anything arriving from the outside that is pointed at a non-routable
> > > >10.x.x.x IP should be considered hostile and summarily banned; if
> > > >something on the inside is supposed to receive the packet via
> > > >masquerade, then it will not know about the non-routable IP; it will be
> > > >up to the kernel to put it to the right IP/port.
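As an added example (not from the thread or its authors), a POSIX shell script that prints the anti-spoofing rule set discussed above with a rate-limited LOG rule ahead of each DROP, using the private ranges as RFC 1918 defines them (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), plus a helper that checks whether a given source address falls inside one of those ranges. It assumes `eth0` is the public-facing interface.

```shell
#!/bin/sh
# Added example: generate anti-spoof rules for INPUT and FORWARD, logging
# first so the rules can be verified, and check addresses against the
# RFC 1918 private ranges (constructed list; not the thread's own code).

PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
WAN_IF="eth0"   # assumed public-facing interface

# ip_to_int 1.2.3.4 -> the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 if ADDR lies inside the range
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_private ADDR -> exit 0 if ADDR is in any RFC 1918 range
is_private() {
    for n in $PRIVATE_NETS; do
        in_cidr "$1" "$n" && return 0
    done
    return 1
}

# Print the iptables commands. A packet with a private source address
# arriving on the WAN side cannot be legitimate, so it is logged (rate
# limited) and then dropped on both chains; the telnet rule for the
# firewall itself drops without logging.
gen_rules() {
    for chain in INPUT FORWARD; do
        for n in $PRIVATE_NETS; do
            echo "/sbin/iptables -A $chain -i $WAN_IF -s $n -m limit --limit 5/min -j LOG --log-prefix \"SPOOF $chain: \""
            echo "/sbin/iptables -A $chain -i $WAN_IF -s $n -j DROP"
        done
    done
    echo "/sbin/iptables -A INPUT -i $WAN_IF -p tcp --dport 23 -j DROP"
}

gen_rules
```

Pipe the output into `sh` on the firewall once it reads correctly; the LOG lines show up via the kernel log (e.g. `dmesg`) with the `SPOOF` prefix.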