OpenSUSE Linux Rants

OpenSUSE Linux Tips, tricks, how-tos, opinions, and news


July 14, 2009

Securing Linux – A Crash Course in iptables

by @ 6:27 pm. Filed under command-line, General Linux, How-To, security

Once in a while it is useful to block a hostile machine at the kernel level, before its packets ever reach a service. On Linux this is done with iptables (or ipchains on the old 2.2 kernels; use iptables if you are living in this millennium).

If a specific host is known to be hostile, run the 'whois' command on its IP address. Among other things, the output shows the address range allocated to the organization that holds the block containing the offending address. If that range is outside your country and you only serve clients inside your country, it does little harm to block the whole range; otherwise bear in mind that the range also contains every legitimate host in it, so block the narrowest range that covers what you actually saw. In this example we block a hostile range in China. As root, run the following command:

iptables -I INPUT -s 125.71.214.0/24 -j DROP

Why DROP instead of REJECT? This rule simply discards the matching packets. That is more annoying for the other end because they never get a response: REJECT answers each packet immediately with an ICMP error (or a TCP reset, if you ask for one with --reject-with tcp-reset), whereas DROP leaves the scanner waiting for every connection attempt to time out. You want them to have to wait; it slows them down, which is bad for them. The trade-off is that a legitimate client caught by the range sees only a timeout, which makes the block harder to diagnose from their side. Two more things to know about the command: -I inserts the rule at the top of the INPUT chain, ahead of any ACCEPT rule that would otherwise let the traffic through, and rules added this way live only in the running kernel, so they are gone after a reboot (and a firewall script such as SuSEfirewall2 may flush them when it reloads) unless you save or re-apply them.

To list the rules in the INPUT chain with their rule numbers (-n prints addresses numerically instead of looking up hostnames, which keeps the listing fast):

iptables --line-numbers -n -L INPUT

To delete a rule from the INPUT chain:

iptables -D INPUT [line number]

ex. iptables -D INPUT 1

deletes the first rule in the INPUT chain. Rule numbers shift after every insert or delete, so list the chain again before deleting by number a second time.
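The whole procedure above, as an added example that is not code from the original post: a small POSIX shell wrapper around the same iptables commands that refuses malformed ranges before handing them to a root command, skips a block that is already in place, lists the chain, and removes a block by its rule specification rather than by a rule number that may have shifted. It assumes iptables is on the PATH (or named via the IPTABLES variable) and that it runs as root; the DRYRUN variable and all function names are my own, and DRYRUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the iptables
# commands from the article with the checks a one-liner lacks.
# Assumptions: iptables is on PATH (override with IPTABLES=/usr/sbin/iptables)
# and the script runs as root. DRYRUN=1 prints commands instead of running them.

IPTABLES="${IPTABLES:-iptables}"

# run: execute a command, or print it when DRYRUN is set.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# valid_cidr: accept only dotted-quad/prefix such as 125.71.214.0/24.
# The range usually comes from whois output or an operator's copy and paste,
# and it is about to be passed to a root command, so reject anything else.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip="${1%/*}"
    prefix="${1#*/}"
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"
    IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rule_present: true when the exact DROP rule is already in INPUT
# (-C checks for a rule without changing anything). In dry-run mode we
# cannot ask the kernel, so assume the rule is absent.
rule_present() {
    [ -z "${DRYRUN:-}" ] || return 1
    "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null
}

# block_range: insert the DROP rule at the top of INPUT (-I), ahead of any
# ACCEPT rule that would otherwise let the traffic through.
block_range() {
    if ! valid_cidr "$1"; then
        echo "refusing to block malformed range: $1" >&2
        return 2
    fi
    if rule_present "$1"; then
        echo "already blocked: $1"
        return 0
    fi
    run "$IPTABLES" -I INPUT -s "$1" -j DROP
}

# unblock_range: delete by rule specification, not by line number. Rule
# numbers shift after every insert or delete, so a number noted from an
# earlier listing can point at a different rule by the time you use it.
unblock_range() {
    if ! valid_cidr "$1"; then
        echo "refusing to touch malformed range: $1" >&2
        return 2
    fi
    run "$IPTABLES" -D INPUT -s "$1" -j DROP
}

# list_blocks: numbered listing; -n skips reverse DNS lookups, which
# otherwise make the listing slow.
list_blocks() {
    run "$IPTABLES" -L INPUT -n --line-numbers
}

# Block every range given on the command line, e.g.
#   ./block.sh 125.71.214.0/24
for range in "$@"; do
    block_range "$range"
done
```

Validation happens before anything is executed, so a range pasted with trailing junk (a shell metacharacter, a second slash, a 256 in an octet) is refused rather than passed through to iptables. Deleting by specification rather than by number is the safer habit when more than one person edits the chain.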

Cool subnet calculator at : http://www.subnet-calculator.com/

Helpful comments with more useful or better commands welcome.

5 Responses to “Securing Linux – A Crash Course in iptables”

  1. henare Says:

    Hi Scott,

    ipcalc and sipcalc are command line subnet calculators available in the OBS.

  2. Scott Morris Says:

    henare,

    Hey, thanks. Great point. Thanks for stopping by!

  3. Subnet Calculator « Node28 Says:

    […] wrote about iptables and how to block hostile machines at the kernel level.  He then mentioned a cool little tool called Online IP Subnet Calculator.  It would have been […]

  4. Synthea Says:

    Don't know whether it is the perfect place to ask a question,
    But while enhancing the security of my temporary folder as in the post described at http://www.sysadmin.md/secure-temporary-folders-on-existing-unix-or-linux-systems.html my redirection fails. This command always fails:
    echo "/mnt/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0" >> /etc/fstab
    Can anybody please tell me why?

  5. Synthea Says:

    My other question is, how can I make the string work for a big file? While enhancing the security of my temporary folder as in the post described at http://www.sysadmin.md/secure-temporary-folders-on-existing-unix-or-linux-systems.html my redirection fails. This command always fails:
    echo "/mnt/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0" >> /etc/fstab
    Can anybody please tell me why?
