l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2006 May 15 04:23

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] ip tables questions
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] ip tables questions

i think its..

 iptables -A INPUT -s 123.456.789.0/24 -p tcp -j DROP
iptables -A INPUT -s 123.456.789.0/24 -p udp -j DROP

though i haven't tried removing the protocol option..  you may want to test 


On Monday 15 May 2006 17:05, Cylar Z wrote:
> Hey Linux gurus...
> I'm running Fedora Core 5 and want to customize my
> iptables firewall in order to bolster system security.
> I have three separate questions that aren't being
> answered by the tutorials I've read:
> 1. I want to ban an entire range of IP address within
> a given network, not just a single IP. There's got to
> be a way to do that w/o typing out 256 or more
> addresses and entering them in one-by-one! I typed the
> following command, and this is what the system said:
> -----
> root# iptables -A INPUT -j DROP 123.456.789.0/24
> Bad argument `123.456.789.0/24'
> Try `iptables -h' or 'iptables --help' for more
> information.
> root#
> ------
> Where of course 123.456.789.0 is the class C network
> whose incoming packets I'm trying to stop at my
> firewall. It is to be completely prohibited from
> contacting the system in any way and any packets that
> do arrive from there are to go unacknowledged. I don't
> even want users on that network being able to view my
> web pages.
> Needless to say, I did as suggested and looked at
> iptables -h, as well as the man page. No help there.
> So what's wrong with my syntax? The tutorial I was
> using swears up and down that the command *should*
> work as advertised. Maybe iptables has changed since
> it was written, so can anyone tell me the correct
> syntax?
> 2. I entered a long list of individual IP addresses
> into the firewall using the command given above. I
> confirmed that they'd been loaded by running iptables
> -L. It showed me the rules as I expected to see.
> HOWEVER, the rules were all gone when I rebooted the
> entire system and ran iptables -L a second time. What
> do I need to do in order to make the iptables rules
> permanent so that they'll survive a system reboot?
> 3. Lastly, I'd like to write a rule that says "Ban ALL
> connections from ALL systems, except for the ones
> explictly allowed to connect." I'd also like to write
> a rule that says, "If a system wants to connect to
> port 80, check the banned list. If it's not there, let
> it in."
> Where in the iptables rule list would I put such rules
> - the beginning or the end? I'm afraid of guessing
> wrong and locking myself out of my own server. Does
> iptables look at the "allow" section before it looks
> at the "deny" section (the way TCP wrappers does), or
> does it just apply the rules sequentially?
> Thanks in advance,
> Matt
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.