[lug] iptables

John Hernandez John.Hernandez at noaa.gov
Wed May 22 15:33:37 MDT 2002


In jd's first rule 10.0.0.0/8 is correct.  The second rule should 
reflect a mask of /16.  There should also be a third rule.

These are the CIDR representations for RFC1918 addresses:

10/8
172.16/12
192.168/16

-John

D. Stimits wrote:
> j davis wrote:
> 
>>Yes, D that was helpful. Now I'll just write rules like this in INPUT
>>and FORWARD (along with other rules)
>>
>>/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
>>/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
>>/sbin/iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP
> 
> 
> I'm basically an ipchains person, but the above looks about right. One
> thing to change though, the 10.0.0.0 non-routeable is a /24, rather than
> a /8, so you want to change the mask to /24. Not positive, but perhaps
> the 192.168.0.0 should be a /16 (anyone, is the 192.168.x.x
> non-routeable over the Internet for a /16?). And of course if you add
> logging initially, then you will be able to see if it is doing what you
> want, and you can turn off logging later for the port 23 version. Since
> you are guaranteed that a non-routeable range is an attack or a
> configuration problem, you probably shouldn't turn off logging for those
> ranges.
> 
> D. Stimits, stimits at idcomm.com
> 
> 
>>thanks :)
>>jd
>>
>>>j davis wrote:
>>>
>>>>so you're telling me that iptables would never dnat any traffic to my
>>>>firewall from the internet to the private ip associated with the firewall
>>>>unless i wrote a rule in prerouting. And my daemons will take requests
>>>>from either because they are not bound to a specific ip?
>>>
>>>NAT can route an IP from any IP to any other IP if it thinks it is
>>>supposed to. But the 10.x.x.x IP addresses are not routable on the
>>>Internet, there is a big difference, especially if someone is trying to
>>>crack your system. Because 10.x.x.x is not routeable on the Internet,
>>>you are guaranteed that anything wanting to connect directly to a
>>>10.x.x.x address, and not indirectly via NAT, is via spoofing and is
>>>malicious. Just because the Internet won't route it, doesn't mean
>>>someone can't spoof it. So any packet arriving from the Internet,
>>>directly asking for a 10.x.x.x IP, should be rejected. If the packet
>>>originates internally, then don't reject it. Your IP that is visible to
>>>the outside world is a non-10.x.x.x IP. So take the ethernet with a
>>>non-10.x.x.x IP, and reject port 23, this is the one a valid non-spoofed
>>>packet will go to initially. Now if for some reason you have a NAT rule,
>>>then a *valid* packet that arrives from the outside will say it is bound
>>>for a port of the visible public address, it won't know anything about
>>>the 10.x.x.x address, this is where the kernel knows and redirects
>>>it...thus the redirect in that case is arriving initially on the
>>>non-10.x.x.x, and the 10.x.x.x ethernet never sees it until the kernel
>>>itself does its thing. Was that helpful or confusing?
>>>
>>>The short answer is that the outside world packets will *never* hit the
>>>10.x.x.x ethernet unless the kernel does something or if the packets are
>>>spoofed.
>>>
>>>D. Stimits, stimits at idcomm.com
>>>
>>>
>>>>Please Help,
>>>>jd
>>>>
>>>>
>>>>>From: "D. Stimits" <stimits at idcomm.com>
>>>>>Reply-To: lug at lug.boulder.co.us
>>>>>To: lug at lug.boulder.co.us
>>>>>Subject: Re: [lug] iptables
>>>>>Date: Tue, 21 May 2002 21:18:31 -0600
>>>>
>>>...
>>>
>>>>>j davis wrote:
>>>>>
>>>>>>Hi,
>>>>>>so if a request is made to the public interface of my firewall, is
>>>>>>the request processed as the public IP or the private IP for the
>>>>>>firewall?
>>>>>>
>>>>>>example :
>>>>>>
>>>>>>I want to block telnet access to my firewall from the internet. I write
>>>>>>rules in the INPUT chain to do this. Would I write the rule blocking
>>>>>>telnet using the public or private interface?
>>>>>>
>>>>>>/sbin/iptables -A INPUT -i eth0 -d 10.0.0.1 -p tcp --dport 23 -j DROP
>>>>>>
>>>>>>                      or
>>>>>>
>>>>>>/sbin/iptables -A INPUT -i eth0 -d $MY_PUB_IP -p tcp --dport 23 -j DROP
>>>>>>
>>>>>>Thanks
>>>>>>jd
>>>>>
>>>>>What is the routeable IP visible to the world? That is the IP you
>>>>>block.
>>>>>
>>>>>Anything arriving from the outside that is pointed at a non-routable
>>>>>10.x.x.x IP should be considered hostile and summarily banned; if
>>>>>something on the inside is supposed to receive the packet via
>>>>>masquerade, then it will not know about the non-routeable IP, it will
>>>>>be up to the kernel to put it to the right IP/port.
>>>>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug


-- 

   - John Hernandez - Network Engineer - 303-497-6392 -
  |  National Oceanic and Atmospheric Administration   |
  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
   ----------------------------------------------------
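The mask point John makes, as an added example that is not code from anyone in the thread: it pulls the `-s` networks out of jd's rules as posted, checks which constructed RFC1918 sample addresses slip past them (anything in 172.16/12, and 192.168.x.x outside the first /24), and emits a rule set covering all three ranges with a LOG rule ahead of each DROP, as D. Stimits suggested. The interface name `eth0` and the `SPOOF` log prefix are assumed values.

```python
import ipaddress
import re

# The three RFC1918 ranges in CIDR form, as listed in John's reply.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# jd's source-address rules as posted in the thread; the /24 is the
# mask the replies take issue with, and 172.16/12 is missing entirely.
ORIGINAL_RULES = [
    "/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP",
    "/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP",
]

# Constructed sample source addresses: private ones at the edges of each
# range, plus two public ones that must never be dropped.
SAMPLES = ["10.1.2.3", "172.16.5.5", "172.31.255.1", "172.32.0.1",
           "192.168.0.7", "192.168.1.7", "8.8.8.8"]

def source_networks(rules):
    """Pull the network given to -s out of each iptables rule string."""
    nets = []
    for rule in rules:
        m = re.search(r"-s\s+(\S+)", rule)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def unblocked_private_sources(rules, samples):
    """Sample addresses that are RFC1918 but match none of the rules' -s networks."""
    nets = source_networks(rules)
    return [a for a in samples
            if is_rfc1918(a)
            and not any(ipaddress.ip_address(a) in n for n in nets)]

def corrected_rules(iface="eth0", log=True):
    """One optional LOG and one DROP rule per RFC1918 range on the outside
    interface; 'iface' and the log prefix are assumed, not from the thread."""
    rules = []
    for net in RFC1918:
        if log:
            rules.append(f'/sbin/iptables -A INPUT -i {iface} -s {net} '
                         f'-j LOG --log-prefix "SPOOF {net} "')
        rules.append(f"/sbin/iptables -A INPUT -i {iface} -s {net} -j DROP")
    return rules
```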