iptables block a network range

1

I am trying to REJECT a network via iptables(8) and, for whatever reason, it is not doing it:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.6 (Santiago)
# uname -a
Linux X 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q iptables
iptables-1.4.7-14.el6.x86_64
# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: nf_conntrack_ftp     [  OK  ]
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:memcache 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:snmp 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# iptables -A INPUT -s 172.16.0.0/16 -j REJECT
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:memcache 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:snmp 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
REJECT     all  --  172.16.0.0/16        anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# 

What am I doing wrong?

    
por alexus 01.05.2015 / 18:12

1 answer

3

IPtables applies rules from top to bottom of the list. If there are allow rules before a reject, the allow rules take precedence.

To block a network range, it needs to be added at the beginning of the IPTables rules.

iptables -I INPUT 1 -s 172.16.0.0/16 -j REJECT

This will insert a reject rule for the 172.16.0.0/16 network as the first line in IPtables.

A good HOWTO for IPTABLES.

    
por 01.05.2015 / 19:06
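To make the first-match behaviour the answer describes concrete, here is an added Python model of the INPUT chain from the question (example code, not from the question, the answer or the iptables project). It assumes the bare "ACCEPT all anywhere anywhere" rule is the usual `-i lo` loopback rule, which `iptables -L` without `-v` does not display, and it keeps only the rules needed to show the point.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"
    iface: str = "eth0"

@dataclass
class Rule:
    target: str
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None
    state: Optional[str] = None
    iface: Optional[str] = None

    def matches(self, p):
        return (self.proto in ("all", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and (self.dport is None or self.dport == p.dport)
                and (self.state is None or p.state in self.state.split(","))
                and (self.iface is None or self.iface == p.iface))

def first_match(chain, p):
    """Walk the chain top to bottom; the first matching rule decides, as iptables does.
    Returns (1-based rule number or None, verdict); None means the chain policy applied."""
    for num, rule in enumerate(chain, start=1):
        if rule.matches(p):
            return num, rule.target
    return None, "ACCEPT"  # INPUT policy is ACCEPT in the question

def base_chain():
    # The question's INPUT chain, abbreviated to the rules that matter here.
    return [
        Rule("ACCEPT", state="RELATED,ESTABLISHED"),
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", iface="lo"),  # assumption: the bare "ACCEPT all" rule is -i lo
        Rule("ACCEPT", proto="tcp", dport=22, state="NEW"),
        Rule("REJECT"),  # the catch-all reject-with icmp-host-prohibited
    ]

def chain_with_reject(append):
    """append=True mirrors the question's `iptables -A INPUT ...`; False mirrors the answer's `iptables -I INPUT 1 ...`."""
    reject = Rule("REJECT", src="172.16.0.0/16")
    return base_chain() + [reject] if append else [reject] + base_chain()
```

Run through the model, the appended rule never fires at all: the catch-all REJECT directly above it already matches every remaining packet, so the new rule is unreachable rather than merely low priority. On the live system, `iptables -L INPUT -n -v --line-numbers` shows both the rule order and the per-rule packet counters, which makes such a dead rule visible.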