Linux – ip6tables only allow packages to a certain ip-range

iptablesipv6linuxrules

I am trying to configure ip6tables to only allow ssh connections to a specific range.
In iptables the command would be:

iptables -A OUTPUT -p tcp --dport 22 -m iprange --dst-range 192.168.178.0-192.168.178.254

But according to the man page the option -m iprange seems to be gone.
What would be the correct command to achieve such behavior ?
As always any help will be appreciated 🙂

Best Answer

I just checked the ip6tables man page on CentOS 6 and Debian 7 and they both include iprange:

iprange
   This matches on a given arbitrary range of IP addresses.

   [!] --src-range from[-to]
          Match source IP in the specified range.

   [!] --dst-range from[-to]
          Match destination IP in the specified range.

The man page for iptables-extensions on ArchLinux also indicates that iprange should exist.

A quick test on a CentOS 6 box shows that it does work:

www1 $ sudo ip6tables -A OUTPUT -p tcp --dport ssh -m iprange --dst-range 2001:db8::1-2001:db8::ff -j LOG
[sudo] password for fukawi2: 
www1  $ sudo ip6tables -nvL OUTPUT
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp      *      *       ::/0                 ::/0                tcp dpt:22 destination IP range 2001:db8::1-2001:db8::ff LOG flags 0 level 4

Have you looked at your actual man page instead of an online one?

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Would it not be easier to switch off ssh forwarding on the ssh server? Just change AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn't suit, you could try something along the lines of

iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP

Iptables HTTP Traffic – Iptables Rules to Allow HTTP Traffic to One Domain Only

With IPTables rules, order matters. The rules are added, and applied, in order. Moreover, when adding rules manually they get applied immediately. Thus, in your example, any packets going through the INPUT and OUTPUT chains start getting dropped as soon as the default policy is set. This is also, incidentally, why you received the error message you did. What is happening is this:

The default DROP policy get applied
IPTables receives a hostname as a destination
IPTables attempts a DNS lookup on 'serverfault.com'
The DNS lookup is blocked by the DROP action

While the source/destination options will accept hostnames, it is strongly discouraged. To quote the man page,

Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea.

Slillibri hit the nail on the head which his answer, you missed the DNS ACCEPT rule. In your case it won't matter, but generally I would set the default policy later on the process. The last thing you want is to be working remotely and allow SSH after turning on a default deny.

Also, depending on your distribution, you should be able to save your firewall rules such that they will be automatically applied at start time.

Knowing all that, and rearranging your script, here is what I would recommend.

# Allow loopback
iptables -I INPUT 1 -i lo -j ACCEPT

# Allow DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Now, allow connection to website serverfault.com on port 80
iptables -A OUTPUT -p tcp -d serverfault.com --dport 80 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Best Answer

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Iptables HTTP Traffic – Iptables Rules to Allow HTTP Traffic to One Domain Only

Related Topic