I configured iptables according to this guide https://wiki.debian.org/iptables. I just want to check if my rules for the specific sources in the INPUT chain are valid, i.e. I want to deny any source address outside of network 172.10.88.0 - 255.255.255.248 from reaching my Debian desktop on TCP ports 22, 3389 and 32400. My desktop has an address assigned from the DHCP server on the 172.10.88.0 - 255.255.255.248 network.
dave@hal9000:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere source IP range 172.10.88.1-172.10.88.6 tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere source IP range 172.10.88.1-172.10.88.6 tcp dpt:3389
ACCEPT tcp -- anywhere anywhere source IP range 172.10.88.1-172.10.88.6 tcp dpt:32400
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
dave@hal9000:~$ cat /etc/iptables.up.rules
# Generated by iptables-save v1.6.0 on Tue Mar 13 20:28:14 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 32400 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Tue Mar 13 20:28:14 2018
I am not able to test this from another RFC1918 network at the moment; I just want to check with you if the syntax in the rulebase is correct, because the source/destination anywhere/anywhere columns in the sudo iptables -L output confuse me.
The output of "iptables -L" is incomplete and rather useless. Use the output of iptables-save instead. I guess this is what is in /etc/iptables.up.rules.
Note that you don't need to use the "iprange" match, you can use "-s 172.10.88.0/29" instead.
Also, you can use the "multiport" match instead of --dport to match the 3 ports in a single rule.
IIUC, you want to:
- drop incoming packets to ports 22, 3389 and 32400 not from 172.10.88.0/255.255.255.248 (172.10.88.0/29)
- allow all other incoming packets to any port from any address.
However, your current ruleset does:
- allow incoming packets to ports 22, 3389 and 32400 from 172.10.88.0/255.255.255.248
- drop all other incoming packets to any port from any address.
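To make the difference between the two policies concrete, here is a small simulator (added here as an example; it is not code from this thread or from the iptables project) that walks an INPUT chain written in iptables-save syntax for a handful of sample packets. ORIGINAL is the poster's chain copied from the thread; REWRITTEN is one possible chain that follows the advice above (a -s 172.10.88.0/29 source match and a multiport match, with only the three service ports rejected so that everything else falls through to the ACCEPT policy), and is my assumption of what the intended policy looks like. The packet source addresses and ports are constructed test values, and the limit match is treated as always matching, so rate limiting and connection tracking are not modelled.

```python
"""Static simulation of two netfilter INPUT chains in iptables-save syntax."""
import ipaddress
import shlex

# Constructed copy of the INPUT chain from the thread's /etc/iptables.up.rules.
ORIGINAL = """\
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 32400 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

# Assumed rewrite: only the three service ports are filtered by source address;
# all other inbound traffic falls through to the chain's ACCEPT policy.
REWRITTEN = """\
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -s 172.10.88.0/29 -m multiport --dports 22,3389,32400 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,3389,32400 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -m multiport --dports 22,3389,32400 -j REJECT --reject-with icmp-port-unreachable
"""

# Options that consume one value but do not affect a static match decision.
SKIPPED_VALUE_OPTS = {"-m", "--limit", "--log-prefix", "--log-level", "--reject-with"}


def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain; each rule is a dict of conditions."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == f":{chain}":          # ":INPUT ACCEPT [0:0]" sets the policy
            policy = toks[1]
            continue
        if toks[:2] != ["-A", chain]:
            continue
        rule = {"proto": None, "src": None, "dports": None, "target": None}
        i = 2
        while i < len(toks):
            opt = toks[i]
            val = toks[i + 1] if i + 1 < len(toks) else None
            if opt == "-p":
                rule["proto"] = val
            elif opt == "-s":                # CIDR source match
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "--src-range":       # iprange match: inclusive low-high pair
                lo, hi = val.split("-")
                rule["src"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            elif opt in ("--dport", "--dports"):
                rule["dports"] = {int(p) for p in val.split(",")}
            elif opt == "-j":
                rule["target"] = val
            elif opt not in SKIPPED_VALUE_OPTS:
                raise ValueError(f"unsupported option {opt!r}")
            i += 2
        rules.append(rule)
    return policy, rules


def src_matches(cond, src):
    if cond is None:
        return True
    if isinstance(cond, tuple):              # iprange
        lo, hi = cond
        return lo <= src <= hi
    return src in cond                       # ip_network


def evaluate(text, src, proto, dport):
    """Walk the chain for one inbound packet; return (verdict, was_logged)."""
    policy, rules = parse_chain(text)
    src = ipaddress.ip_address(src)
    logged = False
    for r in rules:
        if r["proto"] not in (None, proto):
            continue
        if not src_matches(r["src"], src):
            continue
        if r["dports"] is not None and dport not in r["dports"]:
            continue
        if r["target"] == "LOG":             # LOG is non-terminating: keep walking
            logged = True
            continue
        return r["target"], logged
    return policy, logged                    # no rule matched: chain policy applies


# Constructed sample packets (src, proto, dport) as seen by the INPUT chain.
PACKETS = {
    "ssh from home LAN":   ("172.10.88.3", "tcp", 22),
    "plex from work LAN":  ("10.20.30.40", "tcp", 32400),
    "apt mirror reply":    ("151.101.0.1", "tcp", 51234),  # reply to an outbound fetch
    "dns reply from home": ("172.10.88.1", "udp", 40000),
}


def compare():
    """Map each sample packet to (verdict under ORIGINAL, verdict under REWRITTEN)."""
    return {name: (evaluate(ORIGINAL, *pkt)[0], evaluate(REWRITTEN, *pkt)[0])
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:20s} original={old:7s} rewritten={new}")
```

The "apt mirror reply" packet is the one that explains the broken apt-get update: under the original chain every inbound packet that is not from the home range to one of the three ports is rejected, including replies to the desktop's own outbound connections, while the rewritten chain lets them reach the ACCEPT policy. Two things worth keeping in mind when applying the rewrite: the multiport match requires the -p tcp (or udp) selector on the same rule, and filtering by source address only distinguishes networks, not people, so it provides no protection on any other network that happens to use the same 172.10.88.0/29 range.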
p.H wrote: However, your current ruleset does:
- allow incoming packets to ports 22, 3389 and 32400 from 172.10.88.0/255.255.255.248
- drop all other incoming packets to any port from any address.
Not quite the same thing.
Thanks for your reply! Yes, I noticed that when I tried sudo apt-get update; I guess the packets went to /dev/null. I need to do some more research on iptables. Yes, I want to deny from source any (except any host on 172.10.88.0/29) to destination my host on 172.10.88.x:22,3389,32400. When I bring my laptop to work I don't want my co-workers to try to access my Plex server on 32400 or try to ssh to my laptop. I have denied root ssh access, but still. I just want packets from networks outside my "home net" to be able to reach those three services.
Just install The Uncomplicated Firewall (ufw). It is a frontend for iptables and is particularly well-suited for host-based firewalls. Ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall.