tvlad Posted January 21, 2003

If I want to block a range of IPs, how do I put it:

    iptables -A input -i eth1 -s 192.168.0-255.0-255 -d 0/0 -j DROP
    iptables -A input -i eth1 -s 192.168.0.101:192.168.255.255 -d 0/0 -j DROP

because I tried like that and it didn't work. And one more thing, I want to block by MAC address:

    iptables -A INPUT -i eth1 --mac-source 00:40:F4:4B:35:3C -d 0/0 -j DROP

Is there something wrong with it, because iptables says unknown arg --mac-source.
aru Posted January 26, 2003

> If I want to block a range of IPs, how do I put it:
>
>     iptables -A input -i eth1 -s 192.168.0-255.0-255 -d 0/0 -j DROP
>     iptables -A input -i eth1 -s 192.168.0.101:192.168.255.255 -d 0/0 -j DROP
>
> because I tried like that and it didn't work.

This is more or less how I did what I think that you want to do (I use an ISDN interface); notice the syntax:

    #!/bin/sh
    # /etc/sysconfig/iptables
    <...snip...>
    EXTERNAL_INTERFACE="ippp0"
    <...snip...>
    # Private (RFC 1918) ranges, written as network/prefix-length
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    <...snip...>
    # Protect against IP spoofing: SYN cookies, forwarding and per-interface
    # reverse-path filtering (tcp_syncookies and ip_forward sit directly under
    # /proc/sys/net/ipv4/, rp_filter sits under conf/<interface>/)
    for f in /proc/sys/net/ipv4/tcp_syncookies /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > "$f"
    done
    <...snip...>
    # Drop *internet* packets that say they come from or go to private addresses
    iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_A -j DROP
    iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_B -j DROP
    iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_C -j DROP
    iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_A -j DROP
    iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_B -j DROP
    iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_C -j DROP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_A -j DROP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_B -j DROP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_C -j DROP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_A -j DROP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_B -j DROP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_C -j DROP
    <...snip...>

HTH

© CAUP (campaign against unanswered posts)
tvlad Posted January 27, 2003 (Author)

I finally figured out how to block by MAC address:

    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m mac --mac-source 00:20:ED:50:A3:AA -d $UNIVERSE -j DROP

Now, aru, are you sure that for 172.16.0.0, to cover the whole range of IPs you must put a /12? I understand why /16 for 192.168 and why /8 for 10.0, but not why /12 for 172.16.
aru Posted January 27, 2003

> Now, aru, are you sure that for 172.16.0.0, to cover the whole range of IPs you must put a /12? I understand why /16 for 192.168 and why /8 for 10.0, but not why /12 for 172.16.

Because the range of reserved IPs to protect is 172.16.0.0 to 172.31.255.255, and not just 172.16.0.0 to 172.16.255.255. This works as:

- Class A: XXX.abc.abc.abc
- Class B: XXX.YYY.abc.abc
- Class C: XXX.YYY.ZZZ.abc

8 bits = 1 byte, so the 1st octet is fixed and the other 3 change (Class A)
16 bits = 2 bytes, so the 1st and 2nd octets are fixed and the other 2 change (Class B)
24 bits = 3 bytes, so all octets are fixed except the last one (Class C)
32 bits = all octets are fixed (single IP).
12 bits = 1 byte + 4 bits; it is a type of Class B where the 2nd octet can be between 16 and 32.
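An added example, not code from the thread: a small Python script that checks the prefix-length arithmetic aru describes (which addresses 172.16.0.0/12 really covers) and goes one step further, splitting an arbitrary range such as the 192.168.0.101 to 192.168.255.255 that tvlad tried (which iptables -s does not accept) into the network/prefix blocks that iptables does accept. The interface and chain names in the generated rules are assumptions.

```python
# Added example (not from the thread). Shows why 172.16.0.0/12 spans
# 172.16.0.0-172.31.255.255 and converts an inclusive address range into the
# fewest CIDR blocks, each of which can be passed to "iptables -s".
import ipaddress

def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def cidr_bounds(cidr):
    """Return (first, last) addresses covered by a network/prefix, as strings."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)

def range_to_cidrs(first, last):
    """Split the inclusive range first..last into the fewest CIDR blocks.

    Greedy: starting at the current address, keep widening the block while it
    (a) stays aligned on the block size and (b) does not run past `last`.
    """
    start, end = ip_to_int(first), ip_to_int(last)
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        prefix = 32                      # a single address always fits
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))   # size of the next wider block
            if start % size != 0 or start + size - 1 > end:
                break                    # misaligned or would overshoot
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += 1 << (32 - prefix)      # jump past the block just emitted
    return blocks

def drop_rules(first, last, iface="eth1", chain="INPUT"):
    """One iptables DROP rule per CIDR block (iface/chain are assumed names)."""
    return [f"iptables -A {chain} -i {iface} -s {cidr} -j DROP"
            for cidr in range_to_cidrs(first, last)]

if __name__ == "__main__":
    print(cidr_bounds("172.16.0.0/12"))   # ('172.16.0.0', '172.31.255.255')
    for rule in drop_rules("192.168.0.101", "192.168.255.255"):
        print(rule)
```

A range that does not start and end on block boundaries needs several rules; the 192.168.0.101 case above expands to 13 blocks, from 192.168.0.101/32 up to 192.168.128.0/17.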
tvlad Posted January 31, 2003 (Author)

Yup, silly/stupid me.
hilbert Posted February 1, 2003

For those who are interested in iptables, NAT and IP redirection are common services. How are the scripts in http://sourceforge.net/project/shownotes.p...lease_id=128663 ?
aru Posted February 1, 2003

I've checked only the nat.sh one, and it doesn't give me very good feelings; it seems to be not in a productive status. It doesn't handle errors at all (for example, running it as "nat.sh foo bar" is perfectly possible), and a whole "confirm" code section (important for those who will try to run the script without knowing exactly what they are doing, many cases) is commented out. Also, IMHO, the job that it does can be easily achieved by editing by hand a couple of lines at your own iptables script w/o disabling all your current rules. While it seems to do what it has to do, I wouldn't put it in my /sbin directory in its current status. Sorry hilbert, but all is just in MHO. :D

BTW, you should have started a new thread on tips&tricks or here in Networking because your scripts could be of interest for many users.