Hello everyone.
I don't have much experience with iptables. After about an hour on Google and several tries at getting iptables to limit a port on my server, I am forced to ask for help from you iptables gurus. I have set up an OpenVPN server on TCP port 8080, which I only want a certain IP range (92.122.x.x) on the internet to be able to access; anyone else's packets to the port should be dropped.
I would appreciate if someone could guide me in the right direction or just give me a command which I should type into iptables.
Regards,
David
Last edited by nullvoid (2009-06-26 19:10:06)
I have no experience with it myself, but maybe the CIDR notation would help? Maybe something like 92.122.0.0/16?
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
Thanks for the quick reply.
I have tried adding -s !92.122.0.0/16 and -s 92.122.0.0/16 without success. I have also tried --src-range and various other parameters, still without success. Probably I'm just misusing them.
Here's a few of my attempts which have failed:
iptables -A INPUT -i eth0 -p tcp -m tcp -s '!92.122.0.0/16' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --src-range '!92.122.0.0-92.122.255.255' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m iprange ! --src-range '92.122.0.0-92.122.255.255' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m iprange --src-range '92.122.0.0-92.122.255.255' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m iprange --src-range '! 92.122.0.0-92.122.255.255' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m iprange -s '!92.122.0.0/16' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -s '!92.122.0.0/16' -i eth0 --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -s '!92.122.0.0/16' --dport 8080 -j DROP
Either iptables gives me an error or it simply doesn't work the way I want.
Last edited by nullvoid (2009-06-26 17:35:07)
It was a wild guess... Seemed logical to me, but not to iptables, it seems.
I don't know what you are using all the quotes for though... Did you try this, in the manner they described it (so without quotes):
http://www.cyberciti.biz/tips/linux-ipt … ports.html
Also - why not make the task simpler: instead of denying access for all IPs not in the specified range, just allow access for the ones in the range and set your policy to drop by default (which is never a bad thing, if you configure iptables correctly).
I got help from a friend, here's the correct syntax I was looking for:
iptables -A INPUT -s 92.122.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j DROP
This document could spare time for many of you :: http://wiki.archlinux.org/index.php/Sim … wall_HOWTO
If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.
If the range of addresses you want to match doesn't fall within valid CIDR notation, you can use the iprange module too:
iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.0.10 -p tcp --dport 8080 -j ACCEPT
FYI, the use of '-m tcp' is synonymous with '-p tcp', and it is therefore redundant to specify both.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
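The rule orderings discussed in this thread (ACCEPT for the range first, then DROP for the port, versus the reverse), the iprange variant from the last reply, and the default-policy suggestion, worked through as an added Python simulation of how the INPUT chain is evaluated: the first matching rule decides, and the chain policy applies only when no rule matches. This is example code written for this page, not anything the posters or the iptables project ship; the Rule class, walk_chain function and the packet addresses are constructed for the demonstration. The negated single-rule variant assumes the current iptables negation syntax, where the `!` is a separate argument placed before the option (`! -s 92.122.0.0/16`).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    """One iptables rule, reduced to the matches used in this thread.

    target:     -j ACCEPT / -j DROP
    proto:      -p tcp
    src_cidr:   -s 92.122.0.0/16
    src_range:  -m iprange --src-range 192.168.0.0-192.168.0.10
    dport:      --dport 8080
    negate_src: '! -s ...' (modern syntax, assumed here)
    """
    target: str
    proto: Optional[str] = None
    src_cidr: Optional[str] = None
    src_range: Optional[Tuple[str, str]] = None
    dport: Optional[int] = None
    negate_src: bool = False

    def matches(self, src: str, proto: str, dport: int) -> bool:
        if self.proto is not None and proto != self.proto:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        src_ok = True
        if self.src_cidr is not None:
            # CIDR match: 92.122.0.0/16 covers every 92.122.x.x address
            src_ok = ipaddress.ip_address(src) in ipaddress.ip_network(self.src_cidr)
        elif self.src_range is not None:
            # iprange match: inclusive on both ends, no CIDR alignment needed
            lo, hi = (ipaddress.ip_address(x) for x in self.src_range)
            src_ok = lo <= ipaddress.ip_address(src) <= hi
        return (not src_ok) if self.negate_src else src_ok


def walk_chain(rules, policy: str, src: str, proto: str, dport: int) -> str:
    """Evaluate a chain the way the kernel does: first match wins,
    otherwise the chain policy (iptables -P INPUT ...) decides."""
    for rule in rules:
        if rule.matches(src, proto, dport):
            return rule.target
    return policy


# The working answer from the thread, in the order it was posted:
#   iptables -A INPUT -s 92.122.0.0/16 -p tcp --dport 8080 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 8080 -j DROP
ALLOW_THEN_DROP = [
    Rule("ACCEPT", proto="tcp", src_cidr="92.122.0.0/16", dport=8080),
    Rule("DROP", proto="tcp", dport=8080),
]

# Same two rules appended in the opposite order: the DROP is hit first for
# every packet to 8080, so the ACCEPT is dead and the VPN is unreachable.
DROP_THEN_ALLOW = list(reversed(ALLOW_THEN_DROP))

# The iprange example from the last reply, for a range that is not a CIDR block:
#   iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.0.10 -p tcp --dport 8080 -j ACCEPT
IPRANGE_ALLOW = [
    Rule("ACCEPT", proto="tcp", src_range=("192.168.0.0", "192.168.0.10"), dport=8080),
]

# What the original poster was trying to write as a single negated rule (assumed syntax):
#   iptables -A INPUT ! -s 92.122.0.0/16 -p tcp --dport 8080 -j DROP
NEGATED_DROP = [
    Rule("DROP", proto="tcp", src_cidr="92.122.0.0/16", dport=8080, negate_src=True),
]

# Constructed sample packets (source address, protocol, destination port).
PACKETS = [
    ("92.122.10.20", "tcp", 8080),   # inside the allowed range, VPN port
    ("92.122.255.255", "tcp", 8080), # top of the /16, still inside
    ("203.0.113.7", "tcp", 8080),    # outside the range, VPN port
    ("203.0.113.7", "tcp", 22),      # outside the range, some other port
]


def verdicts(rules, policy: str) -> dict:
    """Map each sample packet to the verdict the chain gives it."""
    return {f"{src}:{dport}": walk_chain(rules, policy, src, proto, dport)
            for src, proto, dport in PACKETS}


if __name__ == "__main__":
    for name, rules in [("allow-then-drop", ALLOW_THEN_DROP),
                        ("drop-then-allow", DROP_THEN_ALLOW),
                        ("negated-drop", NEGATED_DROP)]:
        print(name, verdicts(rules, policy="ACCEPT"))
    # With the default policy set to DROP, as the second reply suggests,
    # the unrelated port is also closed unless a rule opens it.
    print("allow-then-drop, policy DROP", verdicts(ALLOW_THEN_DROP, policy="DROP"))
```

Running the script shows the point of the thread's final rule order: the allow-then-drop chain admits the 92.122.x.x sources and drops everyone else on 8080, the reversed chain drops everyone including the allowed range, and port 22 is decided purely by the chain policy, which is why setting the policy to DROP and adding explicit ACCEPTs is the safer default.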