
Re: hosts.deny vs iptables



CodeHeads wrote:

On Wed, 24 May 2006 10:34:23 -0500 Bruno Wolff III <bruno wolff to> wrote:

On Wed, May 24, 2006 at 10:46:39 -0400,
  CodeHeads <codeheads gmail com> wrote:
Ed,
Thank you, that's what I was looking for to verify what I have learned so far.

Question on entering IP addresses in iptables: say I want to add a range to
block the whole IP range of 10.0.0.0 (example of course).
Can I do this:
$iptables -A FORWARD -p tcp -s 10. -i eth0 -j DROP
OR
$iptables -A FORWARD -p tcp -s 10.* -i eth0 -j DROP
Either
$iptables -A FORWARD -p tcp -s 10.0.0.0/8 -i eth0 -j DROP
or
$iptables -A FORWARD -p tcp -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
will work.

Thank you Bruno.  Just wanted to verify about the wild cards.

Sorry for all the questions, IPs confuse me a bit. :) LOL
Say I have a range of 222.96.0.0 - 222.122.255.255.
Is there a calculator that will tell me the netmask?

Will


Just a few things...
You are appending to the FORWARD chain in the above example. I'm guessing that this is correct and the webserver is NAT'd? Otherwise you'd want to edit the INPUT chain.

I also use netmasks, but there is the capability to match ranges as follows:

iptables -A FORWARD -m iprange --src-range 222.96.0.0-222.122.255.255 -j DROP
(syntax may not be correct, see man iptables)

--
Ed Kim, RHCE
http://www.rhatbox.com

Any sufficiently advanced technology is indistinguishable from magic. ~Arthur C. Clarke
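An added example (not from anyone in this thread) that answers the netmask question with Python's standard ipaddress module: it splits an arbitrary range into the smallest set of CIDR blocks, reports a single netmask only when the range is one aligned block, and emits one DROP rule per block. The chain and interface names are assumed defaults, and it shows why 222.96.0.0-222.122.255.255 has no single netmask and needs either four rules or the iprange match above.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last (inclusive)."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if start > end:
        raise ValueError("range start %s is after range end %s" % (start, end))
    return list(ipaddress.summarize_address_range(start, end))

def single_netmask(first, last):
    """Dotted netmask if the range is one aligned block (e.g. 10.0.0.0/8), else None."""
    nets = range_to_cidrs(first, last)
    return str(nets[0].netmask) if len(nets) == 1 else None

def drop_rules(first, last, chain="INPUT", iface="eth0"):
    """One iptables DROP rule per CIDR block; chain and iface are assumed defaults."""
    return ["iptables -A %s -i %s -s %s -j DROP" % (chain, iface, net)
            for net in range_to_cidrs(first, last)]

def covers_exactly(first, last):
    """Sanity check: the blocks cover every address in the range and nothing outside it."""
    nets = range_to_cidrs(first, last)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    total = sum(n.num_addresses for n in nets)
    inside = all(n[0] >= lo and n[-1] <= hi for n in nets)
    return inside and total == int(hi) - int(lo) + 1

if __name__ == "__main__":
    # Bruno's 10.0.0.0/8 case beside the range Will asked about.
    for rng in (("10.0.0.0", "10.255.255.255"), ("222.96.0.0", "222.122.255.255")):
        print("%s - %s" % rng)
        print("  netmask:", single_netmask(*rng) or "none (not a single CIDR block)")
        for rule in drop_rules(*rng):
            print("  " + rule)
```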

