iptables src-range and dst-range - iptables

How do we use these flags with iptables? I keep getting invalid option/bad argument errors:
sudo iptables -A FORWARD --src-range 192.168.25.149-192.168.25.151 -j ACCEPT

You forgot "iprange" match.
This works:
sudo iptables -A INPUT -m iprange --src-range 192.168.25.149-192.168.25.151 -j ACCEPT
http://www.frozentux.net/iptables-tutorial/chunkyhtml/x2702.html#TABLE.IPRANGEMATCH

Related

What's the right way to allow systemd-timesyncd through iptables firewall?

First, I set up my firewall like this to allow everything:
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables --flush
Then, I check if NTP is working:
sudo systemctl daemon-reload
sudo systemctl restart systemd-timesyncd
timedatectl
and I can see that it says System clock synchronized: yes.
But then if I reboot and set up my firewall like this (reject everything except for NTP):
sudo iptables -P INPUT REJECT
sudo iptables -P OUTPUT REJECT
sudo iptables -P FORWARD REJECT
sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
then I get System clock synchronized: no and the clock won't sync.
Based on the above steps, I'm convinced it's the firewall that's blocking timesyncd. I have read (for example, here) that perhaps it has to do with extra ports being opened by the service or the fact that it uses SNTP instead of NTP. I have tried different combinations of rules, but with no success yet as I am not an expert with iptables.
But there must be a way to set it up such that it works without altogether disabling the firewall.
Summary
--dport and --sport are switched.
Explanation
For the other services that I am allowing through the firewall, my machine is the server. For NTP, my machine is the client. Because the rest of my original configuration actually looked more like this:
...
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 5353 -j ACCEPT
...
sudo iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 5353 -j ACCEPT
...
I assumed that --dport was meant to be used with INPUT and --sport was used with OUTPUT. However, you have to think about what it means. To use NTP as a client, I need to allow INPUT packets that are coming from a source port of 123, not input packets that are coming to a destination port of 123. Likewise, I need to allow OUTPUT packets with destination port 123, not output with source 123.
So the answer to my question is to use this:
sudo iptables -P INPUT REJECT
sudo iptables -P OUTPUT REJECT
sudo iptables -P FORWARD REJECT
sudo iptables -A INPUT -p udp --sport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
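As an added example (not part of the answer above), the small shell helper below emits the INPUT/OUTPUT rule pair for a service depending on whether this host is the client or the server, so the --sport/--dport flip is done mechanically rather than by hand; it also shows a conntrack-based client variant, which the answer does not use. Function names are my own.

```shell
#!/bin/sh
# Added example: print the INPUT/OUTPUT rule pair for a service, depending
# on whether this host is the *client* or the *server* for it.
# Rules are printed, not applied; pipe the output to sh as root to apply.
port_rules() {
    role=$1   # client or server
    proto=$2  # tcp or udp
    port=$3   # the service port on the *server* side (123 for NTP)
    case "$role" in
        server)
            # Peers connect to our port: inbound packets target it (dport),
            # our replies leave from it (sport).
            echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
            echo "iptables -A OUTPUT -p $proto --sport $port -j ACCEPT"
            ;;
        client)
            # We connect to a remote port: our requests target it (dport),
            # replies come back from it (sport).
            echo "iptables -A OUTPUT -p $proto --dport $port -j ACCEPT"
            echo "iptables -A INPUT -p $proto --sport $port -j ACCEPT"
            ;;
        *)
            echo "usage: port_rules client|server tcp|udp PORT" >&2
            return 1
            ;;
    esac
}

# Stateful variant for the client case: only the outbound request needs a
# port rule; replies are admitted by connection tracking, so no blanket
# "--sport 123" hole is left open on INPUT for unsolicited packets.
client_rules_stateful() {
    proto=$1; port=$2
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

port_rules client udp 123     # NTP: this host is the client
port_rules server tcp 443     # HTTPS: this host is the server
client_rules_stateful udp 123
```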

iptables does not recognize the --dport argument

I'm trying to set some iptables rules on a Linux Yocto device but this command keeps giving me an error:
# iptables -I INPUT -p tcp --dport ssh -j MYCHAIN
iptables: No chain/target/match by that name.
The problematic argument is "--dport" as the following command works perfectly:
# iptables -I INPUT -p tcp -j MYCHAIN
Researching, I have found similar problems (match, redirect) related to missing kernel modules. If this is my case, how can I know which one it is?
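As an added example (not from the question or any answer on this page), the shell helper below maps an iptables match or target to the kernel module that implements it (for -p tcp/udp with --dport that is xt_tcpudp) and classifies the module as loaded, built-in or missing. The sample /proc/modules and modules.builtin contents are constructed; on a live system pass the real files. Function names are my own.

```shell
#!/bin/sh
# Added example: which kernel module does an iptables match need, and is it
# present? /proc/modules lists loaded modules (first field);
# /lib/modules/$(uname -r)/modules.builtin lists those compiled in.

xt_module() {
    case "$1" in
        tcp|udp)   echo xt_tcpudp ;;   # -p tcp/udp --dport/--sport
        string)    echo xt_string ;;
        iprange)   echo xt_iprange ;;
        recent)    echo xt_recent ;;
        conntrack) echo xt_conntrack ;;
        TEE)       echo xt_TEE ;;
        *)         echo "unknown match/target: $1" >&2; return 1 ;;
    esac
}

# module_state MODULE PROC_MODULES_FILE MODULES_BUILTIN_FILE
module_state() {
    mod=$1; proc=$2; builtin=$3
    if awk -v m="$mod" '$1 == m { found=1 } END { exit !found }' "$proc"; then
        echo loaded
    elif grep -q "/$mod\.ko\$" "$builtin"; then
        echo builtin
    else
        echo missing
    fi
}

# Constructed sample inputs standing in for a Yocto kernel built without
# xt_tcpudp, with xt_string loaded and xt_conntrack compiled in.
tmp=$(mktemp -d)
cat > "$tmp/modules" <<'EOF'
xt_string 16384 0 - Live 0x0000000000000000
x_tables 40960 1 xt_string, Live 0x0000000000000000
EOF
cat > "$tmp/modules.builtin" <<'EOF'
kernel/net/netfilter/xt_conntrack.ko
EOF

for m in tcp string conntrack iprange; do
    echo "$m -> $(xt_module "$m"): $(module_state "$(xt_module "$m")" "$tmp/modules" "$tmp/modules.builtin")"
done
# Live system: module_state xt_tcpudp /proc/modules /lib/modules/$(uname -r)/modules.builtin
```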

mirroring traffic with iptables doesn't work

I want to mirror specific traffic to IP 192.168.200.1
I use the following solution:
Mirror Port via iptables
However, when I enter following command, this error occurs:
iptables -I PREROUTING -t mangle -j ROUTE --gw 192.168.200.1 --tee
iptables v1.4.12: unknown option "--gw"
When I replace "--gw" with "-gateway", like this:
iptables -I PREROUTING -t mangle -j ROUTE -gateway 192.168.200.1 --tee
this error occurs:
iptables v1.4.12:multiple -j flag not allowed
Why is this?
Try:
iptables -t mangle -A PREROUTING -j TEE --gateway 192.168.200.1
For that version of iptables -j ROUTE doesn't work.

iptables and password protection

I am trying to find the way to block all web-pages that I browse that use plaintext password for their logins with iptables.
Here is the command I tried; something is wrong with it. How do I enter this command? This is for educational purposes only. Say, if I use "password" for all my logins.
Thanks.
nata@nata-VirtualBox:~$ iptables -A OUTPUT -s match --string "password" --dport 80 -p tcp -j DROP
iptables v1.4.12: unknown option "--string"
Try `iptables -h' or 'iptables --help' for more information.
nata@nata-VirtualBox:~$ iptables -A OUTPUT -m string --string "password" --dport 80 -p tcp -j DROP
string: Could not determine whether revision 1 is supported, assuming it is.
iptables v1.4.12: unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
Try with this:
iptables -A OUTPUT -p tcp --dport 80 -m string --string password --algo bm -j DROP
To get help on a specific match, you can do:
iptables -m Match-Name --help

Block IP address which matches a rule

The following will drop packets which contain the string specified:
iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "therichsheickc#yahoo.com"
The string is one which a botnet spammer uses (from 1000's upon 1000's of IP addresses) to hammer my email servers constantly. This rule is somewhat effective, but doesn't stop the connections. I'd like it to -j DROP the IP as well after a match. Can I do this in iptables without going to userspace?
This particular scanner always greets with EHLO 192.168.2.33. Use these rules to stop them:
iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "192.168.2.33" --algo bm -m recent --set --name SBOT
iptables -I INPUT -i eth+ -p tcp --dport 25 -m recent --rcheck --name SBOT -j REJECT --reject-with tcp-reset
or maybe this will help:
iptables -A FORWARD -m string --algo bm --string "therichsheickc#yahoo.com" -j DROP