Building Firewalls with iptables, Part 1 - Page 3

By  Carla Schroder | May 28, 2003

Adding Rules

This example rule blocks traffic from a specific IP range because it belongs to a notoriously noxious spammer, and we don't want the spammer's spew polluting our nice systems. (203.0.113.0/24 is a range reserved for documentation and examples; it stands in for the spammer's real netblock. Each octet of an IPv4 address must be between 0 and 255, and iptables refuses anything else, so check your typing before you blame the kernel.)

# iptables -t filter -A INPUT -s 203.0.113.0/24 -j DROP

See how it follows the syntax described above. (See man iptables for definitions of the various switches and commands.) Now let's say your users are becoming increasingly vindictive and resentful towards spammers, which is understandable, but certain retaliatory tactics are simply not permissible, at least not from your network. We can also block all outgoing packets directed to the spammer's IPs easily enough with this slightly different syntax:

# iptables -t filter -A OUTPUT -d 203.0.113.0/24 -j DROP

Notice the -A switch. Use this to append a rule to the end of an existing chain. Order matters: a packet is tested against a chain's rules from top to bottom, and the first rule that matches decides its fate, so a rule appended with -A is only reached if nothing above it matched. (-I inserts at the top of the chain instead.) Running the same -A command twice gives you two identical rules, which is harmless but untidy.

Deleting Rules

Spammers are shifty, experts at playing whack-a-mole (in the role of the mole) by continually changing IPs and DNS. Suppose our ignominious spammer moves to a new IP range, and the old IP address is then reassigned to some saintly nuns, whose bits are worthy to traverse your network. Simply delete the rule with the -D switch, repeating the rule exactly as it was added (same table, chain, match, and target):

# iptables -t filter -D OUTPUT -d 203.0.113.0/24 -j DROP

Each -D removes one matching rule, so a rule that was appended twice must be deleted twice. Delete the INPUT rule from the first example the same way, or the nuns will still be turned away at the door. If retyping a long rule is tedious, list the chain with the --line-numbers switch and give -D the chain name and the rule's number instead.

Default Policies

Crafting rules to cover every contingency is a nice way to consume mass quantities of time. For those who would rather not, the basic principle is "deny all, allow only as needed." Let's set up the default rules for each chain:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT

-P sets the policy for the chain: what happens to a packet that matches none of the chain's rules. Only the three built-in chains can have policies. As written, these policies drop every incoming packet and accept every outgoing one. That is not quite "unfettered outgoing traffic," because the replies to connections this machine opens arrive on INPUT and are dropped too; outgoing connections only work once you add a rule accepting packets that belong to established connections (the conntrack or state match does this). And if you are typing these commands over ssh, put that rule in place before you set the INPUT policy to DROP, or your session is the first casualty. At the very least, we want to hear from the nuns:

# iptables -t filter -A INPUT -s 203.0.113.0/24 -j ACCEPT

Remember that -A appends: if the old DROP rule for this range is still sitting higher in INPUT, it matches first and the nuns never get through. Delete it, or insert the ACCEPT above it with -I.

Stay tuned for Part 2, which will offer more sample rules and scripts.

Resources

iptables Tutorial 1.1.19
Netfilter/iptables home page, includes downloads, documentation, and mail lists



    Did you know it's possible to cut IT costs without impacting day-to-day IT operations? In fact, when you download this whitepaper from Riverbed on cost-savings through WAN optimization, you'll discover how businesses of all different sizes have realized a return on investment in just a few months through significant hard cost savings in areas such as bandwidth reduction and IT consolidation. It's called Extreme Savings and its only from Riverbed. Read >