[TriLUG] IP Tables rule to block all non-local traffic
Paul G. Szabady via TriLUG
trilug at trilug.org
Sat Oct 8 11:07:42 EDT 2016
Ron,
Maybe something like this would work for you? After a little testing
and monitoring (look for "fw drop" in syslog, e.g. /var/log/messages on
RHEL), un-comment the actual reject lines.
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections this host opened, plus all loopback traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# new TCP/UDP connections from the local /24 (iptables masks 192.168.100.21/24 to 192.168.100.0/24)
-A INPUT -p tcp -m tcp -m state -s 192.168.100.21/24 --state NEW -j ACCEPT
-A INPUT -p udp -m udp -m state -s 192.168.100.21/24 --state NEW -j ACCEPT
# log everything else; with REJECT still commented out, the chain policy (DROP) applies
-A INPUT -j LOG --log-prefix "fw drop INPUT: "
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LOG --log-prefix "fw drop FORWARD: "
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Paul
@ Thy Service
On 10/7/2016 9:22 PM, Ron Kelley via TriLUG wrote:
> Greetings all.
>
> My IP Tables skills are very lacking, and I don’t want to break anything in the process. Thus, I am reaching out…
>
> I need the right iptables command to do the following:
> ----------------------------------------------
> * Allow any connection to any ip on the local subnet
> * Allow any connection to any ip on an adjacent subnet
> * Block all other traffic
>
> server_ip: 192.168.100.21/24
> adjacent_subnet: 172.16.0.0/16
>
>
> iptables -A OUTPUT --dport=<any> -s 192.168.100.0/24 -j ACCEPT
> iptables -A OUTPUT --dport=<any> -s 172.16.0.0/16 -j ACCEPT
> iptables -A OUTPUT --dport=<any> -j REJECT
>
>
> Thanks for any pointers.
>
> -Ron
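An added example (not from the thread) for the monitoring step Paul describes: it parses the "fw drop" lines the LOG target writes to syslog, counts them by chain, source, protocol and port, and flags drops whose source sits inside one of the subnets Ron wants allowed, which is the signal that a rule (such as one for the adjacent 172.16.0.0/16) is missing before the REJECT lines are un-commented. Hostname, addresses and log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Subnets the thread treats as legitimate: the server's own /24 and the
# adjacent /16 from Ron's question (names and sample data below are constructed).
ALLOWED_NETS = [ipaddress.ip_network("192.168.100.0/24"),
                ipaddress.ip_network("172.16.0.0/16")]

# Matches what the LOG target writes after the --log-prefix in the rules above.
LOG_RE = re.compile(r"fw drop (?P<chain>INPUT|FORWARD): (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop(line):
    """Return chain/src/proto/dport for a 'fw drop' line, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {"chain": m.group("chain"), "src": fields.get("SRC"),
            "proto": fields.get("PROTO"), "dport": fields.get("DPT")}


def summarize(lines):
    """Count drops per (chain, src, proto, dport) and collect sources inside an allowed
    subnet: those drops mean an ACCEPT rule is missing (there is no 172.16.0.0/16 rule
    in the set above) or the protocol is not covered (the rules accept only TCP/UDP)."""
    counts = Counter()
    missed = set()
    for line in lines:
        d = parse_drop(line)
        if d is None or d["src"] is None:
            continue
        counts[(d["chain"], d["src"], d["proto"], d["dport"])] += 1
        if any(ipaddress.ip_address(d["src"]) in net for net in ALLOWED_NETS):
            missed.add(d["src"])
    return counts, missed


# Constructed syslog lines in the shape the kernel LOG target produces (not real captures).
SAMPLE_LOG = [
    "Oct  8 11:07:42 srv kernel: fw drop INPUT: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.100.21 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0",
    "Oct  8 11:07:43 srv kernel: fw drop INPUT: IN=eth0 OUT= SRC=172.16.5.9 DST=192.168.100.21 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=443 SYN URGP=0",
    "Oct  8 11:07:44 srv sshd[123]: Accepted publickey for ron from 192.168.100.40",
    "Oct  8 11:07:45 srv kernel: fw drop INPUT: IN=eth0 OUT= SRC=192.168.100.40 DST=192.168.100.21 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1",
    "Oct  8 11:07:46 srv kernel: fw drop INPUT: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.100.21 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0",
]

if __name__ == "__main__":
    counts, missed = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(n, key)
    print("dropped sources inside allowed subnets:", sorted(missed))
```

Run it against the real file with `summarize(open("/var/log/messages"))`; a source from the adjacent subnet showing up in the flagged set means the ruleset needs an ACCEPT for it before REJECT is enabled.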