Friday, October 28, 2005

iptables - network firewall

First, log packets whose source IP address and destination port match the criteria


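# Log SMTP (tcp/25) connection attempts from 59.104.0.0/15, then drop them.
# Order matters: LOG is a non-terminating target, so it must be appended
# before the DROP rule, which ends rule traversal for the packet.
# -m limit caps how many matches are logged so a scanner or flood cannot
# fill syslog; the prefix makes the entries easy to grep for later.
/sbin/iptables -A INPUT -p tcp -s 59.104.0.0/15 --dport 25 \
  -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "SMTP-BLOCK: "
## and then reject
#BLOCK / REJECT
/sbin/iptables -A INPUT -p tcp -s 59.104.0.0/15 --dport 25 -j DROP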




Get the current firewall rules


[root@plain iptables]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG tcp -- 59.104.0.0/15 anywhere tcp dpt:smtp LOG level warning
DROP tcp -- 59.104.0.0/15 anywhere tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination





Go ahead and run those commands on your server. The following are the changes I recommend:




# In addition to the default REJECT entries, add a matching LOG rule before each DROP/REJECT rule
# (LOG is non-terminating, so it only records a packet if it comes before the rule that discards it).
# Block the following ranges ONLY IF YOU DON'T GET LEGITIMATE TRAFFIC FROM THESE COUNTRIES ON THESE PORTS.
# Note that the rules as listed below carry no destination port, so they match ALL TCP traffic from
# those ranges; add --dport to restrict each rule to the ports named here.
# PORTS
# smtp 25 (tcp), ssh 22 (tcp), ftp 20,21 (tcp), http 80 (tcp), dns 53 (udp), 53 (tcp)
# COUNTRIES
# TAIWAN, 22


REJECT tcp -- 210.244.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 211.20.0.0/14 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 211.72.0.0/13 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.32.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.34.0.0/15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.160.0.0/12 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.184.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.187.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.68.0.0/14 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.80.0.0/15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.84.0.0/14 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.90.0.0/18 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.91.0.0/17 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 220.128.0.0/12 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 220.228.0.0/15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 220.247.128.0/19 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 221.120.0.0/18 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 221.120.64.0/19 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 221.169.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 222.156.0.0/15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 222.250.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 222.251.0.0/17 0.0.0.0/0 reject-with icmp-port-unreachable

