
5th May 2011, 12:52 PM
Banned
Join Date: Jul 2006
Location: Transgression
Age: 32
Posts: 1,183

IP Tables Drop not working
I've been googling this for a while now, and trying different examples, like:
Code:
iptables -A INPUT -s 3.2.1.0 -j DROP
iptables -A INPUT -s 3.2.1.0/24 -j DROP
service iptables restart
and none of them seem to be working. And when I view the iptables using
Code:
vi /etc/sysconfig/iptables
or
Code:
iptables -S
or
Code:
iptables -L
they are not there.
And trying to delete the rule, via
Code:
iptables -D INPUT -s 3.2.1.0 -j DROP
returns an error: iptables: Bad rule (does a matching rule exist in that chain?).
I'm new to iptables, but AFAIU those should be working, right?
I'm trying to block a range of IP addresses from even being able to connect to my servers...
Last edited by Vector; 5th May 2011 at 01:02 PM.

5th May 2011, 01:05 PM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,034

Re: IP Tables Drop not working
When you use the command 'iptables' like that, you are adding the rule to the active ruleset immediately. You do not need to restart the service.
If you do:
Code:
iptables -A INPUT -s 3.2.1.0 -j DROP
iptables -L
... you will see your new rule.
When you restart the service, you flush the active ruleset and re-load from the saved ruleset (in /etc/sysconfig/iptables).
__________________
.
Marching to the beat of his own conundrum.

5th May 2011, 01:07 PM
Banned
Join Date: Jul 2006
Location: Transgression
Age: 32
Posts: 1,183

Re: IP Tables Drop not working
Ok, so is there a command to tell it to store the active ruleset permanently? I'm going through the man page again right now to see if I can find it...

5th May 2011, 01:11 PM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,034

Re: IP Tables Drop not working
Yes.
Code:
iptables-save > filename
You can also edit the file /etc/sysconfig/iptables with any text editor and save manually. ( Edit: That's when you actually do have to restart the service).
__________________
.
Marching to the beat of his own conundrum.

5th May 2011, 01:11 PM
Banned
Join Date: Jul 2006
Location: Transgression
Age: 32
Posts: 1,183

Re: IP Tables Drop not working
I will check into that when I get more time to do my "network admin crash course in bandwidth control (TC)". I was recently looking into how to set bandwidth quotas and throughput limits. I won't have time to actually READ everything I found for another few weeks, but now I know what things I'll need to do my homework on when the time comes. So, at that time, I'll look into shorewall as well, thanks.
Last edited by Vector; 5th May 2011 at 01:26 PM.

5th May 2011, 01:32 PM
Banned
Join Date: Jul 2006
Location: Transgression
Age: 32
Posts: 1,183

Re: IP Tables Drop not working
Ok, thanks bert. Now I've got just one more question. I read the wikipedia page on CIDR http://en.wikipedia.org/wiki/CIDR_notation and I'm still not exactly clear on how to go about blocking only 5 IP addresses at a time, instead of the entire subnet.
I understand that the 0/24 blocks all 255 possible IPs, but what if I just wanted to block from .8 to .12? Would it be something like .8/4 or .8/2?
@ giulix:
yeah, that was what my "I will check into that when I get more time to ..." post was in response to (not the one from Bert). Thanks.
Wait, I think I've got it:
http://en.wikipedia.org/wiki/Classle...Domain_Routing
So, if I understand that correctly, then the answer would be .8/30
Last edited by Vector; 5th May 2011 at 01:42 PM.

5th May 2011, 01:53 PM
Registered User
Join Date: May 2010
Posts: 58

Re: IP Tables Drop not working
Hi Guys,
Regarding the IP Tables Drop not working issue, my suggestion would be: once you add any kind of rule to iptables, please ensure that you are hitting these two commands:
1. service iptables save (to save the rule)
2. service iptables restart (to restart the service)
Then you can feel the effects of your added rules.

5th May 2011, 01:54 PM
Registered User
Join Date: Jul 2009
Location: London,England
Posts: 1,095

Re: IP Tables Drop not working
iptables-save doesn't store the changes (see 'man iptables-save'), you must use
Code:
service iptables save
(as root)
edit: someone else just posted same point
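Added example, not posted by anyone in this thread: the point made above (a rule added with the iptables command is live at once but is only reloaded after a restart if it was saved) is easy to check by comparing the output of 'iptables -S' with the contents of /etc/sysconfig/iptables. The script below does that comparison on two constructed samples (a listing where a DROP rule was added at the command line but never saved, and the matching saved file); the samples, the hypothetical 3.2.1.0/24 source and the function names are all my own.

```python
"""Compare the running iptables ruleset with the saved one (added example).

Inputs are the text of 'iptables -S' and of /etc/sysconfig/iptables; the two
samples below are constructed for illustration, not captured from a real host.
"""
from typing import Dict, List, Tuple

# Constructed sample of 'iptables -S' on a host where a DROP rule was added at
# the command line (it took effect immediately) but 'service iptables save'
# was never run.
ACTIVE_SAMPLE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 3.2.1.0/24 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed sample of /etc/sysconfig/iptables (iptables-save format) on the
# same host; this is what 'service iptables restart' reloads.
SAVED_SAMPLE = """\
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_active(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split 'iptables -S' output into chain policies and '-A' rule lines."""
    policies: Dict[str, str] = {}
    rules: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-P "):
            _, chain, target = line.split()
            policies[chain] = target
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def parse_saved(text: str, table: str = "filter") -> Tuple[Dict[str, str], List[str]]:
    """Split one table of an iptables-save file into policies and '-A' rules.

    ':CHAIN POLICY [pkts:bytes]' lines define chains; user-defined chains carry
    '-' as their policy and are left out of the policy comparison.
    """
    policies: Dict[str, str] = {}
    rules: List[str] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            continue
        if current != table:
            continue
        if line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            if policy != "-":
                policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def ruleset_drift(active_text: str, saved_text: str) -> Dict[str, object]:
    """Report what differs between the live ruleset and the saved file."""
    a_pol, a_rules = parse_active(active_text)
    s_pol, s_rules = parse_saved(saved_text)
    chains = set(a_pol) | set(s_pol)
    return {
        # present now, but gone after the next 'service iptables restart'
        "unsaved": [r for r in a_rules if r not in s_rules],
        # in the file only: they start applying at the next restart
        "inactive": [r for r in s_rules if r not in a_rules],
        "policy_mismatch": {c: (a_pol.get(c), s_pol.get(c))
                            for c in sorted(chains) if a_pol.get(c) != s_pol.get(c)},
    }


if __name__ == "__main__":
    for key, value in ruleset_drift(ACTIVE_SAMPLE, SAVED_SAMPLE).items():
        print(f"{key}: {value}")
```

'iptables -S' is the listing to diff against the file, because it prints rules in the same syntax iptables-save writes them; 'iptables -L' reformats them into columns. On a real host, feed the script the captured output of 'iptables -S' (as root) and the text of /etc/sysconfig/iptables; anything reported under "unsaved" is exactly what the save commands discussed above exist to keep.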

5th May 2011, 01:54 PM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,034

Re: IP Tables Drop not working
Well you can use a sub-table (as a target) in the /etc/sysconfig/iptables file if you edit it directly. This makes things easier to manage. (Technically, you can use iptables at the command line to do all this too, but it's a PITA).
For example, to block five addresses, then in the file /etc/sysconfig/iptables:
Define a sub-table (put it with the other table definitions):
Define the sub-table contents with addresses or ranges you want to block:
Code:
-A BLOCKLIST -s 3.2.1.8 -j DROP
-A BLOCKLIST -s 3.2.1.9 -j DROP
-A BLOCKLIST -s 3.2.1.10 -j DROP
-A BLOCKLIST -s 3.2.1.11 -j DROP
-A BLOCKLIST -s 3.2.1.12 -j DROP
Processing will return to the calling table when this sub-table has been traversed (or a match occurs).
Call it from inside the INPUT table as a target:
Code:
-A INPUT -j BLOCKLIST
... then traffic processed by the above command will be sent to the target sub-table and processed there.
You should also read up on how to use 'RETURN' in iptables, which can be used to exit a table/sub-table immediately if the condition matches.
Note: It's been a while and I don't have any examples with me, so hopefully there are no syntax errors in the above.
__________________
.
Marching to the beat of his own conundrum.
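Added example, my own Python and not something bert or anyone else in this thread posted: it answers the two practical questions in the posts above at once. For the CIDR question (.8 to .12), addresses_in shows which addresses a block such as .8/30 actually matches and cidrs_for_range computes the fewest blocks that cover an arbitrary first..last range. For bert's BLOCKLIST sub-table, blocklist_fragment renders the pieces in the saved-file syntax (the ':BLOCKLIST - [0:0]' line is how iptables-save writes a chain definition, which is the line that belongs "with the other table definitions"), and merge_into_filter drops them into a constructed sample of /etc/sysconfig/iptables. The chain name BLOCKLIST is taken from bert's post; the sample ruleset, the 3.2.1.x addresses and the function names are assumptions of mine.

```python
"""Build a BLOCKLIST chain for an iptables-save style file (added example).

The sample ruleset and every address here are constructed for illustration,
not taken from any real host; the chain name follows the thread above.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample of a minimal Fedora-style /etc/sysconfig/iptables.
SAMPLE_SAVED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT"""


def addresses_in(cidr: str) -> List[str]:
    """Every address a CIDR block matches, e.g. what a '/30' really covers."""
    return [str(a) for a in ipaddress.ip_network(cidr, strict=False)]


def cidrs_for_range(first: str, last: str) -> List[str]:
    """Fewest CIDR blocks that cover first..last inclusive and nothing else."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def to_networks(entries: Iterable[str]) -> List[str]:
    """Accept single addresses, CIDR blocks or 'a.b.c.d-a.b.c.e' ranges."""
    nets: List[str] = []
    for entry in entries:
        if "-" in entry:
            first, last = (p.strip() for p in entry.split("-", 1))
            nets.extend(cidrs_for_range(first, last))
        else:
            nets.append(str(ipaddress.ip_network(entry.strip(), strict=False)))
    return nets


def blocklist_fragment(entries: Iterable[str], chain: str = "BLOCKLIST") -> List[str]:
    """The three pieces of saved-file syntax for a user chain: the
    ':NAME - [0:0]' definition, its DROP rules, and the jump from INPUT."""
    definition = f":{chain} - [0:0]"
    rules = [f"-A {chain} -s {net} -j DROP" for net in to_networks(entries)]
    jump = f"-A INPUT -j {chain}"
    return [definition] + rules + [jump]


def merge_into_filter(saved: str, entries: Iterable[str], chain: str = "BLOCKLIST") -> str:
    """Insert the fragment into an existing *filter table in the right places."""
    lines = saved.splitlines()
    definition, *rules, jump = blocklist_fragment(entries, chain)
    # chain definitions go with the other ':' lines, after the last of them
    last_def = max(i for i, l in enumerate(lines) if l.startswith(":"))
    lines.insert(last_def + 1, definition)
    # rules are evaluated top to bottom, so the jump must sit before any INPUT
    # rule that could ACCEPT the traffic; the chain's own rules go just ahead of it
    first_input = next(i for i, l in enumerate(lines) if l.startswith("-A INPUT"))
    lines[first_input:first_input] = rules + [jump]
    return "\n".join(lines)


if __name__ == "__main__":
    print(addresses_in("3.2.1.8/30"))             # four addresses, .8 to .11
    print(cidrs_for_range("3.2.1.8", "3.2.1.12"))  # .8 to .12 needs two blocks
    print(merge_into_filter(SAMPLE_SAVED, ["3.2.1.8-3.2.1.12"]))
```

Two things worth noticing when you run it: a /30 is four addresses, so covering .8 through .12 takes a /30 plus a /32, which is what cidrs_for_range returns; and the '-A INPUT -j BLOCKLIST' jump is placed ahead of the existing INPUT rules, because a later position would let an earlier ACCEPT match first. The merged text is what you would write to /etc/sysconfig/iptables before the 'service iptables restart' described earlier in the thread.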

5th May 2011, 01:58 PM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,034

Re: IP Tables Drop not working
Quote:
Originally Posted by Gödel
iptables-save doesn't store the changes
Sure, but if you redirect to the filename it does the same thing, which is in the code I gave. So, 'must use' is overstating the issue.
PS: Good to see you back!
__________________
.
Marching to the beat of his own conundrum.

5th May 2011, 02:06 PM
Banned
Join Date: Jul 2006
Location: Transgression
Age: 32
Posts: 1,183

Re: IP Tables Drop not working
@ bert:
Wow, that blocklist rule seems like it might come in handy. I think I'll do some homework on that, too, when I get a chance to do my crash course in the other above-mentioned stuff.
@ the rest:
Thanks guys. I'll make use of that.

5th May 2011, 02:19 PM
Registered User
Join Date: Jul 2005
Age: 52
Posts: 1,013

Re: IP Tables Drop not working
I'd also recommend possibly looking at an iptables management tool like fwbuilder.
It may be overkill for what you are trying to do, but it makes management of firewalls very nice if you need to get beyond what can be done with the system configuration options. It allows you to link address tables into your firewall from a file on the disk which might be easier to manage in the long run than adding individual hosts via iptables directly (it provides scripts in the file it generates to build the iptables rules for the specified addresses).
It's really nice for managing multiple machines from one rule database and can create rule sets for various operating systems, various versions of iptables, and even a few routers all from one interface.

5th May 2011, 02:20 PM
Banned
Join Date: Jul 2006
Location: Transgression
Age: 32
Posts: 1,183

Re: IP Tables Drop not working
Well, I'm going to be a fully-fledged web host at some point, but only for websites using my systems. So, nothing is overkill, and thanks for the tip.