[lug] iptables

D. Stimits stimits at idcomm.com
Wed May 22 17:12:24 MDT 2002


John Hernandez wrote:
> 
> In jd's first rule 10.0.0.0/8 is correct.  The second rule should
> reflect a mask of /16.  There should also be a third rule.
> 
> These are the CIDR representations for RFC1918 addresses:
> 
> 10/8
> 172.16/12
> 192.168/16

Yes, I figured I might have inverted something. The result of reject
versus accept.

D. Stimits, stimits at idcomm.com

> 
> -John
> 
> D. Stimits wrote:
> > j davis wrote:
> >
> >>Yes, D that was helpful. Now I'll just write rules like this in INPUT
> >>and FORWARD (along with other rules)
> >>
> >>/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
> >>/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
> >>/sbin/iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP
> >
> >
> > I'm basically an ipchains person, but the above looks about right. One
> > thing to change though, the 10.0.0.0 non-routable is a /24, rather than
> > a /8, so you want to change the mask to /24. Not positive, but perhaps
> > the 192.168.0.0 should be a /16 (anyone, is the 192.168.x.x
> > non-routable over the Internet for a /16?). And of course if you add
> > logging initially, then you will be able to see if it is doing what you
> > want, and you can turn off logging later for the port 23 version. Since
> > you are guaranteed that a non-routable range is an attack or a
> > configuration problem, you probably shouldn't turn off logging for those
> > ranges.
> >
> > D. Stimits, stimits at idcomm.com
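As an added example (not from anyone in the thread), the script below checks which RFC1918 block an address falls into using the /8, /12 and /16 masks John lists, and generates the LOG-then-DROP rules for spoofed private sources on eth0 that the thread converges on; the chain names, the log prefix and the `-m limit` rate cap are my assumptions, not something the posters specified.

```python
"""Added example: verify RFC1918 masks and emit iptables rules that log,
then drop, packets arriving on the external interface with a private
source address (constructed for this thread, not the posters' own code)."""
import ipaddress

# The three RFC1918 blocks in CIDR form, exactly as listed in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def matching_block(ip):
    """Return the RFC1918 block containing ip, or None for routable space."""
    addr = ipaddress.ip_address(ip)
    for net in RFC1918:
        if addr in net:
            return str(net)
    return None


def bogon_rules(iface="eth0", chains=("INPUT", "FORWARD")):
    """Build the rule lines. Logging is kept permanently, as the thread
    recommends, because a private source on the outside interface is
    always spoofing or a misconfiguration; -m limit (an assumption here)
    stops a flood of such packets from filling syslog."""
    rules = []
    for chain in chains:
        for net in RFC1918:
            common = f"/sbin/iptables -A {chain} -i {iface} -s {net}"
            rules.append(f"{common} -m limit --limit 5/min -j LOG "
                         f'--log-prefix "RFC1918 spoof: "')
            rules.append(f"{common} -j DROP")
    # Telnet: match TCP destination port 23. A bare "-p 23" would select
    # IP protocol number 23, which is not telnet at all.
    rules.append(f"/sbin/iptables -A INPUT -i {iface} -p tcp --dport 23 -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed probe addresses: note 172.32.0.1 is outside 172.16/12,
    # and 192.168.77.1 would be missed by a /24 mask but caught by /16.
    for probe in ("10.200.3.4", "172.31.9.9", "172.32.0.1",
                  "192.168.77.1", "8.8.8.8"):
        print(probe, "->", matching_block(probe))
    print("\n".join(bogon_rules()))
```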


