Security :: Blocking An Ip Address Range Within Iptables?
Mar 30, 2009
I am setting up an iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:
Code:
$IPTABLES -A BLACKIN -s 202.109.114.147 -j DROP
...
$IPTABLES -A BLACKOUT -d 202.109.114.117 -j DROP
What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server?
View 4 Replies
May 16, 2011
I am currently running Debian 6. I would like to know if there is a way, and how I would go about it, to block a certain IP range from connecting to my server within a certain port range. Say, for example:
I want to block the IP range 123.123.123.* from connecting to my server on the ports 33000 - 43000. But I want to allow them to connect on any other port range, and I want to be able to allow connections from my server to the blocked IP range on those same ports. So, blocking incoming only on the above port range.
Using iptables.
View 1 Replies
Dec 31, 2010
I'm assuming that the following should block the complete 178.123.xxx.xxx address range.
Code:
iptables -I INPUT -s 178.123.0.0/24 -j DROP
Then I believe that I need to save this change.
Code:
service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
However, I'm not so sure that it is actually working based on the fact that there continues to be access to my wiki from that address range. The following is after I made the firewall change.
Quote:
178.123.177.61 - - [31/Dec/2010:04:24:40 -0500] "GET /mywiki/Opera%20Web%20Browser?action=edit&editor=text HTTP/1.1" 200 6346 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
code....
Let me state that I'm new at this iptables thing. I did some reading and decided that I need to make the above change to the firewall but it doesn't seem to make a difference.
View 12 Replies
Aug 8, 2010
Is it possible to block websites with adult content with iptables?
View 3 Replies
Feb 11, 2011
I set up iptables but it is blocking my SSH set up. I did allow it by opening port 22 but it did not work. Here is my config:
Code:
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
### this should allow SSH traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
How do you allow SSH through the iptables firewall?
View 5 Replies
Jun 6, 2011
I have a fiberoptic broadband 20MB synchronous pipe at my home. Over summer at my place of employment it's pretty much dead for 3 months, so when I'm not busy I play around on my home server. I have my 20mb pipe going directly into my wrt54gl, and from there I have a wired connection going to my server (Centos 5.3 recently upgraded to 5.5 through updates.) It serves as a file server (Samba, SSH). My wrt54gl handles natting port 22 to my server. I have my wireless AP set up to hand out leases from .2-.20 and my server has a static of .100. Dyndns.org handles my name resolution via their free account method.
I have a Mac Pro, iMac, Macbook, and a Toshiba Laptop with 64bit 7 running off wireless along with our cell phones, and my XBOX 360 is also wired directly for the gaming speed. I use all of the computers around my home to access the samba shares via UNC path for file sharing and/or working on projects. I had originally planned to upgrade the wrt54gl with a cisco e3200 or an e3000, but unfortunately I've come to find out dyndns and the e lines of cisco wireless APs don't work with dyndns and get banned. So I would have to install the daemon on my server and put it as a directly connected server to my WAN link and install a second ethernet card and pass traffic through my server for the rest of my home, which I am not going to do.
All of the previous sentence because it would update dyndns with a 192.168.x.x address since it's not directly connected. I use a combination of putty.exe and vnc viewer to tunnel 5900 through port 22 to my server. So from anywhere I am at I can access my screen securely and then rdp or vnc to the desktop of my local LAN computers. This allows me to only have port 22 open. I've been looking at my ssh logs and noticed I have been getting hit a lot with ssh scans. I want to implement an iptables firewall on my linux machine just for the purpose of further securing port 22. I don't necessarily need natting on the iptables firewall; all I need is ssh in and out, web in, and samba out to local IPs only.
For SSH this is what I want. I want to allow SSH from any IP, but if it tries to login more than 3 times in one minute I want to block that IP for a full minute before it can try 3 more attempts. I also would like to log to a file but have been having issues getting that to work as well. That way when I review logs and I see that an IP tries three times and then waits a minute and tries three more, etc... I can permanently block that IP or range of IPs by adding it to the iptables script. Here is my current iptables script and it doesn't seem to be working for me. I have played with this and read for almost two weeks and still cannot get it to work correctly.
Code:
#!/bin/bash
# In order to use this iptables firewall script you must have iptables installed. You also must be using a 2.4.x series Kernel, with iptables support compiled into it, which is standard for most newer linux distributions.
# If you need help compiling iptables into your kernel, please see our kernel Compile/Upgrade Guide located at [URL]
# Once the script has been edited with all your relevant information (IP's Network Interfaces, etc..) simply make the script executable and run it as root.
# chmod 700 fw_rules.sh
# ./fw_rules.sh .....
# Our final trap. Everything on INPUT goes to the dropwall
# So we don't get silent drops.
$IPT -A INPUT -j dropwall
View 3 Replies
Jan 11, 2011
I am at a loss how to prevent Denial of Service attacks to port 25 and not block legitimate connections from 2 Barracuda 800(s), and not block smart phones such as iPhones/Blackberrys that use the server smtp.server.com for email.
Presently for port 25
RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart_phones have the incoming server type:
IMAP
pop.server.com
smtp.server.com
Is there a way to keep Denial of Service attacks from happening with iptables rules without causing blocking to the Barracuda(s) that make constant port 25 connections & smart phones that poll? I was thinking if I allowed the Barracuda(s) in these lines
-s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
Where the source would be the Barracuda going to the email server. It would be allowed, then I am left with how to allow other connections like Smart_Phones that connect via Port 25. I am thinking if I put rules in place doing connection counts in a minute it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic. Then would I need to allow the ISP range in the above example to accept port 25, I am still left with how to drop a flood/denial of service attack.
View 4 Replies
Jul 15, 2010
I want to ask about securing the FTP connection... I have one server that is installed with Redhat Linux Fedora 6.
And now, I want to secure the FTP access, so only the selected IPs will be allowed to connect. Does anyone know how to do this?
Another thing is, my server is using Webmin 1.3 to manage the server, and Frox FTP, ProFTPD Server, WU-FTP Server are not installed / not configured yet... even though there are such things in my Webmin...
Can I make use of one of the three FTP servers I mentioned above, and if yes, will it affect the current FTP access?
View 1 Replies
May 8, 2010
I would like to COMPLETELY block a specific IP address using iptables. I found this one:
Code:
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j REJECT --reject-with tcp-reset
Will this work? How do I undo the changes later?
View 2 Replies
Jul 24, 2010
I need to open this address, ftp.nai.com. Is there a way to use an address, not an IP, in iptables?
View 7 Replies
Feb 6, 2010
I am trying to configure my Linux router to restrict Internet access for one computer on my LAN. It needs to be restrictive based on the time of day and the days of the week. I am using the MAC address of the computer to single out the one computer that needs to be blocked. However, this is my first attempt at making any rules with iptables, and I am not sure if I am doing this right. If some one can take a look at this I would greatly appreciate it. This is what I have done so far.
Here is my thinking. Create a new target. Check the MAC address, if it is NOT the offending computer return to the default chain. If it is the offending computer check that we are between the allowed hours and dates and ACCEPT. If we are not within the time/date range then drop the packet.
Code:
Here I am trying to route all packets regardless of the computer on the LAN into the blocked_access chain for checking.
Code:
Is it a good idea to route all traffic through the blocked_access chain? I do run other servers that are accessible from the Internet, so I am not sure how this setup will affect that. I also use shorewall on the router to setup iptables for me. How would I integrate this with shorewall?
I am using squid to block access when he is using the web browser. However, he is still able to play games(World of Warcraft) and the like.
I am using Debian sid, iptable(1.4.6), shorewall(4.4.6), kernel 2.6.32-trunk-686.
View 7 Replies
Sep 4, 2009
I have CentOS 5.3 installed as a server. I have a network of approx 100 desktops and laptops. For security purposes I want to block certain laptops from gaining network access using dhcp. Can we block the IP address leasing if a specific MAC address requests an IP lease?
View 7 Replies
Sep 3, 2011
How would one block an IP range access to a Debian-based Linux system for say 47.1.1.1. - 48.255.255.255? Would it be with the hosts.deny file? If so, how would it be written in the file? Also, would the system require being restarted for the changes to take effect, after writing to the file?
View 14 Replies
May 12, 2011
I am working on implementing a protocol on NS2.34. I really need help to solve this problem. Actually, I don't know whether the problem is generated by the tcl code or the c++ code. When I run the simulation, I get this result:
Code:
num_nodes is set 64
INITIALIZE THE LIST xListHead
34
45
channel.cc:sendUp - Calc highestAntennaZ_ and distCST_
highestAntennaZ_ = 1.5, distCST_ = 550.0
SORTING LISTS ...DONE!
code....
View 1 Replies
Nov 12, 2009
I want to block the icmp packets (ping) from the other computer to my RHEL-4. What's the syntax I should use to do so in IPTABLES?
View 2 Replies
Aug 19, 2009
I want to block all the outgoing ssh from my machine, i.e. my machine will not be able to ssh to any outside machine, using iptables. The distro is RHEL. I added the following entry in the iptables but unfortunately it didn't work: -A OUTPUT -p tcp -m tcp --dport 22 -j DROP
View 13 Replies
Mar 17, 2010
I used the angry ip scan software and found a lot of the public IP addresses on our network are accessible from outside when they are not supposed to be, for eg printers/PCs etc. To make a start on locking down the network, I was wondering if anybody knew the iptables command to add a rule which blocked all incoming traffic to specific IP addresses on the network and to a range of IP addresses.
View 7 Replies
Jul 9, 2011
Friends the following shall block a particular machine in the same network, what can be done if it is dynamic IP and from other network?
iptables -A INPUT -s 192.168.0.0/24 -m mac --mac-source 00:50:8D:FD:E6:32 -j DROP
View 3 Replies
Jun 5, 2010
I have two asterisk servers, each one behind a linux firewall/gw. Linux is Centos 5.4, kernel 2.6.18-164.el5, iptables v1.3.5. Routes on the fws are ok and when iptables is stopped the servers see each other, all good. But when I run the iptables script in any fw, one server (not always the same) goes unreachable. I verify this with asterisk -r, then show sip trunk, and status becomes UNREACHABLE.
The iptables script is generated by fwbuilder. The weird part is I put only one rule in the script and it looks like Source=any, Destination=any, Service=any, Interface=any, Direction (Inbound,Outbound)=any, Time=Any, Action=ACCEPT. So as you can see I tried something like "Do not do anything at all". But anyway I run the script in any fw and one server becomes UNREACHABLE. I think the script does something wrong after all, or maybe I have some misconfiguration in my asterisk conf files. The point is I am not so expert in iptables or shell scripting, so I can't see anything in the iptables script. I have looked for some issues like iptables blocking because of the ip_conntrack table being full, or the "don't fragment" bit set in kernel problem, but nothing seems to be the right problem at all.
View 14 Replies
Nov 30, 2010
When I try to execute this command in my router device it shows an error...
First execution:-
Second Execution:-
So I need to block this kind of website... kindly tell me what I have to rectify & change... here I didn't execute this command...
View 1 Replies
Feb 4, 2011
How to block an IP address from mikrotik so that when a fake user uses this IP he doesn't get internet, but in the meantime the real user gets internet. The real user will not be harmed if the fake user tries to access.
View 3 Replies
Apr 6, 2011
I need to block a MAC address in my network, so I followed the ACLs below, but I am getting the output that follows. I tried this in /etc/squid/squid.conf:
acl block arp aa:aa:yy:yy:xx:xx
http_access deny block
but it gives me an error like this (this is the output of # squid -k parse):
aclParseAclLine: Invalid ACL type 'arp'
FATAL: Bungled squid.conf line 1234: acl block arp aa:aa:yy:yy:xx:xx
squid Cache (Version 2.5.STABLE6): Terminated abnormally.
View 7 Replies
Jun 18, 2010
I have one server that has Asterisk running. In front of that, I use a DD-WRT router as gateway. As I have checked the log files, I saw that there is a specific IP Address that is continuously accessing the application and trying to authenticate to SIP with a series of extensions. This is like a DoS attack for SIP. What I did was to block/drop the IP in DD-WRT using iptables. I can see from /proc/net/ip_conntrack that it is being "UNREPLIED". But my concern is: does it still use a lot of bandwidth even though it is already being blocked?
View 14 Replies
Jun 29, 2011
I have UBUNTU server 10.04 LTS with 3 NICs, "eth0" local and eth1,2 as internet connections, and it acts as firewall, http proxy and samba file server. I installed the Zentyal panel manager for my server for easier management. I did not configure any specific rule for my firewall, but I have some problems with my clients who want to connect to my server as gateway or as file server; even I myself experienced these problems too. These problems are as follows:
1. Sometimes, for a few minutes (maximum 10 minutes), my server blocks some of my clients from accessing it or the internet, but just for minutes; it is very annoying.
2. All of my clients who log in to https servers or log in to their mail, or those who have some software like team viewer, say that they are logged out from their session randomly. I mean some of them get logged out from their mail (yahoomail or googlemail) or disconnected from the teamviewer connection, or as I saw, team viewer disconnecting for a few seconds and then coming back again. But I did not set anything in my firewall or other services. This is my complete iptables rule set:
View 9 Replies
Mar 30, 2010
I use F12 and I need help with the correct syntax to specify a range of IP addresses in hosts.allow or hosts.deny or in the /etc/exports file, eg. 192.168.1.100 to 192.168.1.255.
View 13 Replies
Feb 24, 2010
I need to create two Access Control Lists for my networks using the SQUID proxy. The IP address range is from 165.165.42.10 to 165.165.42.50 for one network and from 165.165.42.60 to 165.165.42.90 for another network. How can I make it?
View 2 Replies
May 18, 2010
Can someone recommend software that can be used to map the geographic location of a given ip address range?
View 1 Replies
Apr 27, 2010
I would like to set a double range of IP addresses with my DHCP3-server. Now, I have eth0 (which is my only network card) with this IP address: 172.16.93.1, and I have created a second interface eth0:1 with this address: 192.168.3.1. The goal is to give an IP address 172.16.93.X to phones (with option 66) and the IP address 192.168.3.X to the computers.
This is my dhcpd.conf:
ddns-update-style none;
option domain-name "mycompany.com";
option domain-name-servers 172.16.93.1;
default-lease-time 3600;
max-lease-time 2347200;
authoritative;
log-facility local7;
option ip-forwarding off;
default-lease-time 20;
max-lease-time 20; .....
Right now my DHCP server works fine (I mean, no error at startup), but the server always gives the same kind of IP address, whether it's a phone or a computer. I noticed something "weird": if I put the
subnet 192.168.3.0 netmask 255.255.255.0 {
range 192.168.3.100 192.168.3.199;
option routers 192.168.3.254; }
(which is first in the dhcpd.conf) after the "subnet 172.16.93.0 netmask 255.255.255.0", the server will give IP address 172.16.93.X to all the clients. Is it possible to give more than one IP range with one network card at the same time? And how do I set option 66 to only give IP addresses (172.16.93.X) to the phones?
View 4 Replies
Apr 15, 2011
I am running Debian Squeeze with the following basic services running:
DNS
DHCP
Samba
Squid
The server is set up with three NICs: eth0 (WAN1), eth1 (WAN2), and eth2 (LAN). The server addresses clients with an IP range of 10.0.30.1 - 10.0.30.254. Some clients will be set with reservations so they fall into the 10.0.40.1 - 254 range.
What I want to do is have any outgoing external traffic coming from the first range (10.0.30.0) to use WAN link 1, and any outgoing external traffic coming from the second range (10.0.40.0) to use WAN link 2.
I have sort of got something working. I have created a bare minimum transparent squid3 setup on port 3128, and set the iptables as follows:
Code:
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
I can get internet access; however, obviously it only goes through one WAN link. It also seems slower than it should be. I experimented with tcp_outgoing_address, but it seemed not to be my friend.
View 4 Replies
Sep 14, 2009
I'm an academic (university networks and security lecturer) studying/teaching network and operating system security, and inspired by the work of Hovav Shacham I set about testing ASLR on linux. Principally I did this by performing a brute force buffer overflow attack on Fedora 10 and Ubuntu 9. I did this by writing a little concurrent server daemon which accidentally on purpose didn't do bounds checking.
I then wrote a client to send it a malicious string brute forcing guessed addresses which caused a return-to-libc to the function usleep with a parameter of 16m, causing a delay of 16 seconds as laid out in [URL]. Once I hit the delay I knew I had found the function and could calculate delta_mmap, allowing me to create a standard chained ret-to-libc attack. All of that works fine. However .... To complete my understanding I am trying to establish where I can find the standard base address for ubuntu 9 (and other distros) for the following, taken from Shacham:-
Quote:
[code]....
/proc/uid/maps gives me some information but not the base address. ldd also gives me the randomised starting address for sections in the user address space, but neither gives me the base address. Interestingly... when I ran ldd with ASLR on for over (about) 100 times and checked the start point of libc, I determined that the last 3 (least significant) hex digits were always 0's and the first 4 (most significant) were between 0xB7D7 and 0xB7F9. To me this indicated that bits 22-31 were fixed and bits 12-21 were randomized, with bits 11-0 fixed. Although even that doesn't define the boundaries observed correctly.
Note: I am replicating the attack to provide signatures to detect it using IDS, and for teaching purposes. I am NOT a hacker and if needed to could reply from my .ac.uk email address as verification.
View 1 Replies