
Thread: blocking a range of ips with iptables

  1. #1
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347

    blocking a range of ips with iptables

    Ok, hopefully this will make sense. I have a Linux box A plugged into a Cisco router. A has two network cards, external and internal, and has iptables NATting the local network. These machines are 192.168.1.x.

    Also plugged into the same router is another Linux box B with a similar setup: one external IP and then NATting for another internal network, 192.168.2.x.

    I was experimenting with Dsniff and I found that people on the 2.x block were able to recover passwords on the 1.x block, so I set up a rule on each box like so:

    on A
    iptables -A INPUT -p all -s 192.168.2.0/24 -j REJECT

    on B
    iptables -A INPUT -p all -s 192.168.1.0/24 -j REJECT

    People on the B network still seem to be able to sniff, though... any ideas? I do not want them to see each other at all; they cannot ping or traceroute each other, but I want to stop all network access between the two.

    Thanks in advance.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    The input chain applies to packets that are targeting the Linux box.
    But since you are using those Linux boxes as "routers", you should use the forward chain.

    on A
    iptables -A FORWARD -s 192.168.2.0/24 -j REJECT

    on B
    iptables -A FORWARD -s 192.168.1.0/24 -j REJECT


    But instead I think you should consider configuring your Linux firewall the opposite way:
    block everything and then allow only the desired traffic.
    I think it is a better design.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
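    The chain choice and the default-deny design from the post above, as an added example that is not code from the thread: a ruleset for a NAT box like A that drops everything by default, uses FORWARD for routed traffic and INPUT only for traffic addressed to the box itself. The interface names (eth0/eth1), the subnets, the SSH port and the conntrack match are assumptions; adjust them to the real setup. The commands are printed rather than executed so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread: default-deny ruleset for a NAT box
# like "A".  Interface names, subnets and the SSH port are assumptions.
set -eu

IPT=${IPT:-iptables}          # path to iptables; overridable for testing

# render_rules WAN_IF LAN_IF LAN_NET OTHER_NET
#   WAN_IF    interface towards the Cisco router
#   LAN_IF    interface towards this box's internal network
#   LAN_NET   this box's internal subnet, e.g. 192.168.1.0/24
#   OTHER_NET the neighbouring box's internal subnet, e.g. 192.168.2.0/24
# Prints the commands instead of running them, so they can be reviewed first.
render_rules() {
    wan=$1 lan=$2 lan_net=$3 other_net=$4
    cat <<EOF
$IPT -F
$IPT -t nat -F
# INPUT: the box itself -- loopback, replies, and SSH from the inside only
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
# FORWARD: traffic routed between the two interfaces, replies first
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: our own private range must never arrive from the WAN side
$IPT -A FORWARD -i $wan -s $lan_net -j DROP
# refuse the neighbouring internal network in both directions
$IPT -A FORWARD -s $other_net -j REJECT
$IPT -A FORWARD -d $other_net -j REJECT
# internal hosts may open connections towards the WAN; nothing else is forwarded
$IPT -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
# masquerade the internal network behind the external address
$IPT -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
# default deny, set last so an SSH session survives the reload
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
EOF
}

# count_rules: number of iptables invocations produced (comments excluded)
count_rules() {
    render_rules "$@" | grep -c "^$IPT "
}

# apply_rules: run the rendered commands (needs root and net.ipv4.ip_forward=1)
apply_rules() {
    render_rules "$@" | sh -e
}

case "${1:-render}" in
    apply) apply_rules eth0 eth1 192.168.1.0/24 192.168.2.0/24 ;;
    *)     render_rules eth0 eth1 192.168.1.0/24 192.168.2.0/24 ;;
esac
```

Run it without arguments to print the ruleset, and with `apply` to load it. The same script with the subnets swapped serves box B. One caveat for this topology: if B masquerades its clients, the packets A sees from them carry B's external address rather than 192.168.2.x, so a REJECT keyed on the private range only matches where that range is routed unchanged; the default-deny FORWARD policy on each box is what actually limits what each internal network can reach.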

  3. #3
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    I know I had it working before....I appreciate your help, I will give it a go.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by cacosapo
    But instead I think you should consider configuring your Linux firewall the opposite way:
    block everything and then allow only the desired traffic.
    I think it is a better design.
    This is the approach that should always be used.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #5
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Ya, the script I have been using has been pretty tight so far. I found that it was blocking everything but allowing access from 192.168.0.0/32, since it is assuming those are all going to be local machines you would let do anything, apparently. Thus wouldn't 192.168.2.0/24 fall under that range?
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    No, a /32 always means one address. 192.168.1.0/7 would be the appropriate range (I think, I'm a bit rusty on my subnetting).

    A quick ref. for subnetting: http://www.sinclair.org.au/keith/net...g/subnet1.html
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    192.168.0.0/32 <---- allowing just one host, since all bits (32 bits) are valid. But 192.168.0.0 is pretty odd, since it is also a network address.
    I have no idea what happens if you have a rule like this....
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
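    The prefix-length question running through the last three posts, as an added example that is not from the thread: plain-sh CIDR arithmetic that shows a /32 is a single address, that 192.168.0.0/16 is the smallest range covering both 192.168.1.0/24 and 192.168.2.0/24, and that a /7 (as floated in #6) reaches from 192.0.0.0 to 193.255.255.255, far outside the private range. It assumes a shell whose `$(( ))` arithmetic is at least 64 bits wide (dash or bash on x86_64).

```shell
#!/bin/sh
# Added example, not code from the thread: CIDR prefix arithmetic in plain sh.
# Assumes 64-bit shell arithmetic so that 32-bit addresses never overflow.
set -eu

# ip_to_int 192.168.1.5 -> 3232235781
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235781 -> 192.168.1.5
int_to_ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# prefix_mask 24 -> 4294967040 (0xFFFFFF00); the prefix length is the number
# of leading bits that must match, so /32 keeps all of them and /0 keeps none.
prefix_mask() {
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || { echo "bad prefix $p" >&2; return 1; }
    if [ "$p" -eq 0 ]; then echo 0; else echo $(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF )); fi
}

# cidr_range NET/PREFIX -> "first last count", normalising the network address
# first (so 192.168.1.0/7 reports the /7 it really belongs to)
cidr_range() {
    net=${1%/*}; p=${1#*/}
    mask=$(prefix_mask "$p")
    first=$(( $(ip_to_int "$net") & mask ))
    count=$(( 1 << (32 - p) ))
    last=$(( first + count - 1 ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last") $count"
}

# cidr_contains NET/PREFIX ADDR -> exit 0 if ADDR lies inside the range,
# i.e. the same test iptables applies to a -s or -d match
cidr_contains() {
    net=${1%/*}; p=${1#*/}
    mask=$(prefix_mask "$p")
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Demo: which addresses do the ranges discussed in the thread actually cover?
for r in 192.168.0.0/32 192.168.1.0/24 192.168.2.0/24 192.168.0.0/16 192.168.1.0/7; do
    set -- $(cidr_range "$r")
    printf '%-16s %-15s .. %-15s  %s addresses\n' "$r" "$1" "$2" "$3"
done
# A rule keyed on 192.168.0.0/32 therefore matches the single host 192.168.0.0:
cidr_contains 192.168.0.0/32 192.168.2.7 && echo "192.168.2.7 inside 192.168.0.0/32" \
    || echo "192.168.2.7 NOT inside 192.168.0.0/32"
cidr_contains 192.168.0.0/16 192.168.2.7 && echo "192.168.2.7 inside 192.168.0.0/16"
```

The same `cidr_contains` test is a quick way to check, before loading a ruleset, whether an address a rule is meant to cover (or to exclude) actually falls inside the range the rule names.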

  8. #8
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Well, I have had dsniff running for close to an hour, and it's not picking up anything on the other block. Thanks for all the help guys!
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.
