A question for the iptables gurus. :)
I'm trying to write some iptables rules so that I can let someone telnet to machines on a 10.0.0.0 network but not allow them to telnet anywhere else, effectively blocking outbound telnet to ANYTHING except the machines on the 10.0.0.0 network. I thought I had it but I guess I don't. The rules are as follows...

```
# allow outgoing telnet traffic
/usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 10.0.0.0/8 --dport 23 -j ACCEPT
# block all other outgoing telnet traffic
/usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 0/0 --dport 23 -j DROP
```

This machine is a Compaq DL760 with 2 dual port 10/100 cards in it and eth2 is the first port on card 2.

Any help would be appreciated. Thanks!

-Ben
--
Atheism is a non-prophet organization.
From: Ben Rosenberg <red.kryptonite@gmail.com> Date: Thu, 3 Nov 2005 20:44:02 -0800 To: sle <suse-linux-e@suse.com> Subject: [SLE] A question for the iptables gurus. :)
I'm trying to write some iptables rules so that I can let someone telnet to machines on a 10.0.0.0 network but not allow them to telnet anywhere else, effectively blocking outbound telnet to ANYTHING except the machines on the 10.0.0.0 network. I thought I had it but I guess I don't. The rules are as follows...

```
# allow outgoing telnet traffic
/usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 10.0.0.0/8 --dport 23 -j ACCEPT
# block all other outgoing telnet traffic
/usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 0/0 --dport 23 -j DROP
```

This machine is a Compaq DL760 with 2 dual port 10/100 cards in it and eth2 is the first port on card 2.
Right idea, but I think what you're actually looking for is the OUTPUT chain...could be wrong on that, though.

Regardless: the default policy for the base iptables chains is ACCEPT, so I'd narrow it down to a single rule by doing:

`iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`

(If that doesn't work, then I was wrong about the output chain, and so try it with the FORWARD chain instead.)
From: Ian Marlier <ian.marlier@studentuniverse.com> Date: Fri, 04 Nov 2005 08:00:20 -0500 To: sle <suse-linux-e@suse.com> Conversation: [SLE] A question for the iptables gurus. :) Subject: Re: [SLE] A question for the iptables gurus. :)
Right idea, but I think what you're actually looking for is the OUTPUT chain...could be wrong on that, though.
Regardless: the default policy for the base iptables chains is ACCEPT, so I'd narrow it down to a single rule by doing:
`iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`
(If that doesn't work, then I was wrong about the output chain, and so try it with the FORWARD chain instead.)
Yes, you're looking for the OUTPUT chain.
From `man iptables`: filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
Since an outgoing telnet session is a locally-generated packet, that's what you're looking for.
On 11/4/05, Ian Marlier <ian.marlier@studentuniverse.com> wrote:
Right idea, but I think what you're actually looking for is the OUTPUT chain...could be wrong on that, though.
Regardless: the default policy for the base iptables chains is ACCEPT, so I'd narrow it down to a single rule by doing:
`iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`
(If that doesn't work, then I was wrong about the output chain, and so try it with the FORWARD chain instead.)
Well, I get this error when using the rule you posted.
```
orson:~ # iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP
iptables v1.2.8: Can't use -i with OUTPUT
```

I wandered through the man page and I thought that the " -i " might need to be " -o " instead but that didn't work either. I'm not that good with iptables because 99% of the time I use ipfw under Solaris and the syntax is much different and quite a bit more simple. If you or anyone who reads this has ideas, I'm open to them.

-Ben
--
Atheism is a non-prophet organization.
On Fri, 04 Nov, 2005 at 11:03:09 -0800, Ben Rosenberg wrote:
```
orson:~ # iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP
iptables v1.2.8: Can't use -i with OUTPUT
```
I wandered through the man page and I thought that the " -i " might need to be " -o " instead but that didn't work either.
I think you might want to --insert rather than --append your rule to the OUTPUT chain.

```
jon@a13:~> telnet 10.0.0.1
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused
```

If I:

`iptables -A OUTPUT -p tcp -d 10.0.0.0/8 --dport 23 -j DROP`

I still get:

```
jon@a13:~> telnet 10.0.0.1
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused
```

But if I:

`iptables -I OUTPUT -p tcp -d 10.0.0.0/8 --dport 23 -j DROP`

I get:

```
jon@a13:~> telnet 10.0.0.1
Trying 10.0.0.1...
```

Try this:

`iptables -I OUTPUT -p tcp -o eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`

HTH
/Jon
--
YMMV
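The three points the thread turns on (OUTPUT for locally generated packets versus FORWARD for routed ones, first-match rule order and why `-I` behaves differently from `-A` when an earlier rule already matches, and the negated destination) modelled in a small Python simulator. This is an added example, not code from any of the list posts; all addresses, interfaces and the pre-existing broad ACCEPT rule are constructed sample values.

```python
# Toy first-match packet filter modelling this thread: chain selection (OUTPUT for
# locally generated packets, FORWARD for routed ones), rule order (-A appends, -I
# inserts first), "! -d" negation, default policy ACCEPT. Addresses are constructed.
import ipaddress

def rule(target, proto=None, dst=None, negate_dst=False, dport=None,
         in_if=None, out_if=None):
    """One rule; the keys mirror the iptables options -p, -d, --dport, -i, -o."""
    return dict(target=target, proto=proto, dst=dst, negate_dst=negate_dst,
                dport=dport, in_if=in_if, out_if=out_if)

def matches(r, pkt):
    for key in ("proto", "dport", "in_if", "out_if"):
        if r[key] is not None and pkt.get(key) != r[key]:
            return False
    if r["dst"]:
        inside = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(r["dst"])
        if inside == r["negate_dst"]:      # "! -d" flips the sense of the match
            return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    for r in chain:                        # first matching rule wins
        if matches(r, pkt):
            return r["target"]
    return policy                          # no match: the chain's default policy

def select_chain(pkt):
    return "OUTPUT" if pkt["local"] else "FORWARD"   # local sockets vs routed

def build_filter():
    """Jon's final rule on OUTPUT (telnet started on the box itself) plus Ben's
    pair on FORWARD (telnet from hosts whose traffic enters the box on eth2)."""
    tcp23 = dict(proto="tcp", dport=23)
    return {
        "OUTPUT": [rule("DROP", dst="10.0.0.0/8", negate_dst=True, out_if="eth2", **tcp23)],
        "FORWARD": [rule("ACCEPT", in_if="eth2", dst="10.0.0.0/8", **tcp23),
                    rule("DROP", in_if="eth2", dst="0.0.0.0/0", **tcp23)],
    }

def filter_verdict(tables, pkt):
    return verdict(tables[select_chain(pkt)], pkt)

def append_vs_insert(pkt):
    """Why -A and -I behaved differently for Jon: a pre-existing broad ACCEPT
    (constructed here) shadows an appended DROP but not an inserted one."""
    existing = [rule("ACCEPT", proto="tcp")]
    drop = rule("DROP", proto="tcp", dport=23, dst="10.0.0.0/8")
    return verdict(existing + [drop], pkt), verdict([drop] + existing, pkt)
```

In iptables 1.4 and later the negation is written `! -d 10.0.0.0/8`; the intrapositioned `-d ! 10.0.0.0/8` form used in the thread is the older syntax and is deprecated in current releases.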
participants (3)
- Ben Rosenberg
- Ian Marlier
- Jon Clausen