hosts.deny vs iptables

Ed Kim ed.kim at rhatbox.com
Wed May 24 18:27:20 UTC 2006


CodeHeads wrote:
> On Wed, 24 May 2006 10:34:23 -0500 Bruno Wolff III <bruno at wolff.to> wrote:
> 
>> On Wed, May 24, 2006 at 10:46:39 -0400,
>>   CodeHeads <codeheads at gmail.com> wrote:
>>> Ed,
> >>> Thank you, that's what I was looking for to verify what I have learned so far.
>>>
>>> Question on entering IP address in IPTables, say I want to add a range to
>>> block the whole ip range of 10.0.0.0 (example of course)
>>> Can I do this:
>>> $iptables -A FORWARD -p tcp -s 10. -i eth0 -j DROP
>>> OR
>>> $iptables -A FORWARD -p tcp -s 10.* -i eth0 -j DROP
>> Either
>> $iptables -A FORWARD -p tcp -s 10.0.0.0/8 -i eth0 -j DROP
>> or
>> $iptables -A FORWARD -p tcp -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
>> will work.
> 
> Thank you Bruno.  Just wanted to verify about the wild cards.
> 
> Sorry for all the questions, IP's confuse me a bit. :) LOL
> Say if I have a range of 222.96.0.0 - 222.122.255.255
> Is there a calculator that will tell me the netmask??
> 
> Will

Just a few things...
You are appending to the FORWARD chain in the above example... I'm 
guessing that this is correct and the webserver is NAT'd?  Otherwise 
you'd want to edit the INPUT chain.

I also use netmasks, but there is the capability to match ranges as 
follows:

iptables -A FORWARD -m iprange --src-range 222.96.0.0-222.122.255.255 -j DROP

(syntax may not be correct, see man iptables)

-- 
Ed Kim, RHCE
http://www.rhatbox.com

Any sufficiently advanced technology is indistinguishable from magic. 
~Arthur C. Clarke
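As an added example (not part of Ed's reply or anything else in this thread), a small Python calculator for the netmask question: it splits an arbitrary inclusive IPv4 range into the fewest CIDR blocks that cover it, gives the dotted netmask for each, and emits both the per-block DROP rules and the single `-m iprange` rule Ed mentions. The chain name is an assumption: it defaults to INPUT (host protecting itself) and should be FORWARD when the box is NATing for a server behind it.

```python
import ipaddress


def range_to_cidrs(start: str, end: str) -> list[str]:
    """Split an inclusive IPv4 range into the fewest CIDR blocks that cover it."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        prefix = 32
        # Widen the block one bit at a time while it stays aligned on lo
        # and its last address does not overshoot hi.
        while prefix > 0:
            span = 1 << (32 - (prefix - 1))
            if lo % span != 0 or lo + span - 1 > hi:
                break
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += 1 << (32 - prefix)
    return blocks


def netmask_for(cidr: str) -> str:
    """Dotted-quad netmask for a CIDR block, e.g. 10.0.0.0/8 -> 255.0.0.0."""
    return str(ipaddress.IPv4Network(cidr).netmask)


def iptables_rules(start: str, end: str, chain: str = "INPUT") -> list[str]:
    """Return equivalent DROP rules: one per CIDR block, then the iprange form.

    chain defaults to INPUT (assumption: traffic is addressed to this host);
    use FORWARD when the box is NATing for a server behind it.
    """
    rules = [f"iptables -A {chain} -s {cidr} -j DROP"
             for cidr in range_to_cidrs(start, end)]
    rules.append(f"iptables -A {chain} -m iprange --src-range {start}-{end} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed input: the range asked about in the thread.
    for cidr in range_to_cidrs("222.96.0.0", "222.122.255.255"):
        print(f"{cidr:22} netmask {netmask_for(cidr)}")
    print("\n".join(iptables_rules("222.96.0.0", "222.122.255.255")))
```

The thread's range is not a single netmask: it needs four blocks (/12, /13, /15, /16), which is exactly the case where the one-line iprange match is more readable than the CIDR rules.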