[ale] Using iptables
JK
jknapka at kneuro.net
Sun Jun 25 10:23:28 EDT 2006
Michael H. Warfield wrote:
>On Sun, 2006-06-25 at 00:23 -0400, Jim Popovitch wrote:
>
>>Terry Bailey wrote:
>>
>>>I would like to use iptables to restrict all but one IP address to a web
>>>server.
>>>
>>>I tried
>>>
>>> #/usr/sbin/iptables -t filter -A INPUT -p tcp -s !218.23.45.2 --dport 80 -j DROP
>>>
>>>but this is not accepted.
>>>
>>>Any help here would be appreciated.
>
>>I've never used "!" in iptables statements, but this should work for you:
>
>>iptables -A INPUT -p tcp -s 218.23.45.2 --dport 80 -j ACCEPT
>>iptables -A INPUT -p tcp --dport 80 -j DROP
>
> Won't work if he's already got a rule in his tables that accepts port
>80 first. The -A appends after everything. If he's got a -A ... --port
>80 ... -j ACCEPT in his /etc/sysconfig/iptables file (assuming he's
>using RedHat or FC or CentOS or any similar compatible flavor) then
>another -A after that won't do jack. I've seen this too often where
>someone has a set of tables and expect an add-on rule to work when it
>never gets that far because a preceding rule takes precedence.
>
Right. So use "-I" rather than "-A"; -I puts the new
rule at the top of the stack, not the bottom, by
default. (I think you can also insert a rule at
a particular position, but that sounds like more
of a way to get one's head to explode, than a
practical ruleset-writing feature.)
If you use "!" in a rule, the "!" must be a separate
token, and must appear before the predicate it modifies;
in which case, it inverts the sense of the predicate.
So the following modification of the OP's rule *may*
work, assuming the rest of his ruleset accepts traffic
on port 80:
#/usr/sbin/iptables -I INPUT -p tcp ! -s 218.23.45.2 --dport 80 -j DROP
(! has been moved, and surrounded with whitespace.)
If this rule works, his ruleset probably isn't dropping
or rejecting traffic by default, which is not a good
thing...
Ugh, the more I look at that, the more I hate it.
It's not totally obvious at first glance how the
negated -s predicate and the non-negated --dport
predicate interact. Wouldn't you much rather see
this?
# Clean slate...
iptables -F INPUT
# Silently kill everything by default. (Or maybe
# reject with "host|port unreachable" would
# be better... I've seen convincing-looking
# arguments both ways.)
iptables -P INPUT DROP
# ACCEPT related and established traffic; this lets us
# talk to hosts that *we* have connected to, no matter
# their IP.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# And ACCEPT TCP to port 80 from our friend.
iptables -A INPUT -p tcp -s 218.23.45.2 --dport 80 -j ACCEPT
I just find it so much easier to understand when
I'm selectively *opening* holes in my firewall,
rather than trying to figure out all the possible
things I need to block.
-- JK
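The following is an added example, not code posted in this thread. It packages the default-deny approach JK argues for as an iptables-restore ruleset, so the whole policy is loaded in one atomic step rather than appended rule by rule (the -A/-I ordering trap Michael describes comes from appending to a table that already holds an unconditional --dport 80 ACCEPT), and it adds a check that catches exactly that trap. Two things the thread's script omits are included: a loopback rule, without which local resolvers and databases on the box stop working, and an SSH rule from one admin host so the policy cannot lock you out. The addresses are placeholders: 218.23.45.2 is the thread's "friend", and 192.0.2.10 is an assumed documentation address standing in for the admin host.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a default-deny INPUT
# ruleset in iptables-restore format and checks it before loading.
# Placeholder addresses: 218.23.45.2 (the thread's permitted client),
# 192.0.2.10 (assumed admin host).

# build_ruleset WEB_CLIENT ADMIN_CLIENT
#   Print an iptables-restore ruleset on stdout.
build_ruleset() {
    web_client="$1"
    admin_client="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first; local resolvers and databases break without it.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, whatever the peer address.
# (-m conntrack --ctstate is the current spelling of -m state --state.)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Keep an admin path open from one host so the policy cannot lock you out.
-A INPUT -p tcp -s ${admin_client} --dport 22 -j ACCEPT
# The one permitted web client; everyone else falls through to the DROP policy.
-A INPUT -p tcp -s ${web_client} --dport 80 -j ACCEPT
COMMIT
EOF
}

# check_ruleset RULESET_TEXT
#   Succeed only if INPUT defaults to DROP and every rule that ACCEPTs
#   port 80 is scoped with -s. A distro ruleset with an earlier
#   unconditional --dport 80 ACCEPT fails this, which is why an appended
#   DROP rule never fires.
check_ruleset() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP' || return 1
    ! printf '%s\n' "$ruleset" \
        | grep -- '--dport 80 .*-j ACCEPT' \
        | grep -qv -- ' -s '
}

# Constructed reproduction of Michael's scenario: an earlier rule admits
# port 80 from anywhere, so the appended negated DROP is never reached.
PREEXISTING_RULESET='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp ! -s 218.23.45.2 --dport 80 -j DROP
COMMIT'

# apply_ruleset WEB_CLIENT ADMIN_CLIENT
#   Validate the ruleset and, only if that passes, load it (needs root).
#   iptables-restore --test parses the file without committing it.
apply_ruleset() {
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found; nothing applied" >&2
        return 1
    }
    ruleset=$(build_ruleset "$1" "$2")
    check_ruleset "$ruleset" || return 1
    printf '%s\n' "$ruleset" | iptables-restore --test || return 1
    printf '%s\n' "$ruleset" | iptables-restore
}

# Stand-alone use: ./restrict80.sh --print [WEB_CLIENT [ADMIN_CLIENT]]
if [ "${1:-}" = "--print" ]; then
    build_ruleset "${2:-218.23.45.2}" "${3:-192.0.2.10}"
fi
```

Because iptables-restore replaces the filter table wholesale, the question of whether a new rule should be -A'd or -I'd never arises: the file is the complete ruleset, in the order you read it. Review the output of --print before calling apply_ruleset, and keep a console or out-of-band path to the box the first time you load it.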