mgillespie Apprentice
Joined: 16 Dec 2003 Posts: 170
Posted: Fri Sep 22, 2006 11:41 pm Post subject: Adding / Removing Netfilter rules via a CRON job
Hi, I have a basic IPFilter set (fine, as I am already behind a NAT).
Code:
# Completed on Sat Sep 23 00:53:53 2006
# Generated by iptables-save v1.3.5 on Sat Sep 23 00:53:53 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [205:75915]
[12:912] -A INPUT -s 127.0.0.1 -j ACCEPT
[124:14716] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[1:52] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 9000 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m udp --dport 1030 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m udp --dport 1900 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m udp --dport 9080 -j ACCEPT
[9:468] -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
[51:13474] -A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Sep 23 00:53:53 2006
However, I also want to add a range of ports between certain hours of the day, and block them the rest of the time. The restriction should apply to incoming and outgoing connections.
Can someone help me with commands to stick in my crontab?
thpani Tux's lil' helper
Joined: 20 Mar 2006 Posts: 144 Location: Tulln, Austria
mgillespie Apprentice
Joined: 16 Dec 2003 Posts: 170
Posted: Sat Sep 23, 2006 7:30 pm Post subject:
Looked at all the documentation and I'm none the wiser; the iptables documentation and howtos don't seem to be very newbie-friendly.
Can someone give me a clue as to which command I need to run to add a rule to block incoming and outgoing ports (including active connections) in a port range, and the command to remove the port blocks?
My current attempts at getting this working have added the rule at the end of the chain, which does nothing, and created duplicate rules.
thpani Tux's lil' helper
Joined: 20 Mar 2006 Posts: 144 Location: Tulln, Austria
Posted: Sat Sep 23, 2006 7:43 pm Post subject:
example:
Code: iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A appends to the end of the chain (-D deletes it)
INPUT is the chain which gets all packets destined for the local host
-p tcp means protocol tcp
--dport specifies a destination port (137:139 is the range 137-139; --sport for source port)
-j jumps to the specified action (ACCEPT permits the packet, DROP drops it)
-i name allows you to specify the incoming interface
Of course, if you run the command twice, the rule will be appended each time.
mgillespie Apprentice
Joined: 16 Dec 2003 Posts: 170
Posted: Sat Sep 23, 2006 8:55 pm Post subject:
I get that bit; the problem is that adding rules to ACCEPT or REJECT just adds them to the end of the list, so in a week I have a long list of ACCEPTs and REJECTs, which I assume do nothing anyway, as they appear after the -A INPUT -j REJECT --reject-with icmp-port-unreachable
Antimatter Guru
Joined: 11 Aug 2003 Posts: 463
Posted: Sun Sep 24, 2006 8:03 am Post subject:
mgillespie wrote:
I get that bit; the problem is that adding rules to ACCEPT or REJECT just adds them to the end of the list, so in a week I have a long list of ACCEPTs and REJECTs, which I assume do nothing anyway, as they appear after the -A INPUT -j REJECT --reject-with icmp-port-unreachable
You can actually insert via this command
Quote:
Command: -I, --insert
Example: iptables -I INPUT 1 --dport 80 -j ACCEPT
Explanation: Insert a rule somewhere in a chain. The rule is inserted as the actual number that we specify. In other words, the above example would be inserted as rule 1 in the INPUT chain, and hence from now on it would be the very first rule in the chain.
So if you want to "allow a certain range of ports" then you can perhaps do something such as
Code: iptables -I INPUT 2 -p tcp -m multiport --destination-port 423:453 -j ACCEPT
And it should be inserted after the "2nd" rule in your INPUT chain.
Then to delete it out of the iptables you would execute something such as
Code: iptables -D INPUT 3
Which should delete the 3rd rule, which should be the rule we've inserted.
thpani Tux's lil' helper
Joined: 20 Mar 2006 Posts: 144 Location: Tulln, Austria
Posted: Sun Sep 24, 2006 8:07 am Post subject:
Inserting / deleting via the rule number could be a little complicated, so:
Of course, if you do not delete the rules whenever you do a switchover between ACCEPT/REJECT, you'll end up with an endless list.
To delete a rule just run the command you used to append it, but instead of the -A option use -D.
So, if you had a
Code: iptables -A INPUT -p tcp -m multiport --destination-port 423:453 -j ACCEPT
you delete it with
Code: iptables -D INPUT -p tcp -m multiport --destination-port 423:453 -j ACCEPT
I didn't notice the REJECT at the end of your dump at first. Of course any rules appended later will be useless.
To solve this you should use the default policy. The default policy specifies the action if no rule matches the packet.
Yours currently is ACCEPT ( :INPUT ACCEPT [0:0] ). You should set it to REJECT using
Code: iptables -P INPUT REJECT
and then remove the REJECT rule.
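Putting the thread's pieces together (thpani's -A/-D pairing, Antimatter's -I at a fixed position, and the original request that closed hours should also cut active connections), here is an added example that is not from this thread or any of its posters: a POSIX shell script meant to be called from the crontab with `open` or `closed`. It reads each chain back with `iptables -S`, which prints rules as `-A` lines, and emits only the commands needed to leave exactly one copy of the wanted rule at position 1 and no copy of its opposite, so a cron job that fires twice a day never accumulates duplicates. Position 1 matters because a REJECT there sits ahead of the `--state RELATED,ESTABLISHED -j ACCEPT` rule and therefore ends connections that are already open. One caveat on the last post: a chain policy set with -P can only be ACCEPT or DROP, not REJECT, so the terminal REJECT rule in the dump stays where it is and inserting at position 1 is what keeps the time-window rule ahead of it. The port range 6881:6886, the multiport `--ports` option (matches either source or destination port, so one rule covers both directions on a chain), the script path and the crontab times are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: open or close a TCP port range on INPUT
# and OUTPUT from cron without leaving duplicate rules behind.
# Assumptions (constructed, not from the thread): iptables supports -S and the
# multiport --ports option; 6881:6886 is an example range.
set -eu

IPT="${IPT:-iptables}"          # override for a dry run, e.g. IPT=echo
PORTS="${PORTS:-6881:6886}"     # constructed example range

# Rule specs written exactly as `iptables -S` prints them back, so the chain
# listing can be matched by text.
accept_spec() { printf '%s' "-p tcp -m multiport --ports $PORTS -j ACCEPT"; }
reject_spec() { printf '%s' "-p tcp -m multiport --ports $PORTS -j REJECT --reject-with icmp-port-unreachable"; }

# plan_chain CHAIN MODE: read `iptables -S CHAIN` on stdin and print the
# commands that leave one copy of the wanted rule at position 1 and none of
# its opposite. -D by spec removes the first match, so every copy is deleted
# and the rule is re-inserted once rather than trying to keep a chosen copy.
plan_chain() {
    chain=$1; mode=$2
    if [ "$mode" = open ]; then
        want=$(accept_spec); drop=$(reject_spec)
    else
        want=$(reject_spec); drop=$(accept_spec)
    fi
    idx=0; n_want=0; n_drop=0; at_top=0
    while IFS= read -r line; do
        case "$line" in
            "-A $chain "*) idx=$((idx + 1)) ;;   # count only rules, not -P/-N lines
            *) continue ;;
        esac
        case "$line" in
            "-A $chain $want")
                n_want=$((n_want + 1))
                if [ "$idx" -eq 1 ]; then at_top=1; fi ;;
            "-A $chain $drop")
                n_drop=$((n_drop + 1)) ;;
        esac
    done
    if [ "$n_want" -eq 1 ] && [ "$at_top" -eq 1 ]; then
        :                                   # already in the right state
    else
        i=0
        while [ "$i" -lt "$n_want" ]; do echo "$IPT -D $chain $want"; i=$((i + 1)); done
        echo "$IPT -I $chain 1 $want"
    fi
    i=0
    while [ "$i" -lt "$n_drop" ]; do echo "$IPT -D $chain $drop"; i=$((i + 1)); done
}

# apply MODE: compute and run the plan for both chains. Constructed crontab
# lines for a 22:00-07:00 window (path is an assumption):
#   0 22 * * * /usr/local/sbin/portwindow.sh open
#   0 7  * * * /usr/local/sbin/portwindow.sh closed
apply() {
    for chain in INPUT OUTPUT; do
        $IPT -S "$chain" | plan_chain "$chain" "$1" | while IFS= read -r cmd; do
            $cmd                            # each line is one complete iptables command
        done
    done
}

case "${1:-}" in
    open|closed) apply "$1" ;;
esac
```

Run it as `IPT=echo ./portwindow.sh open` first to see the planned commands without touching the ruleset; with a live `iptables`, a second run in the same mode prints and executes nothing because the chain already matches the plan.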