
firewall network mask question

Discussion in 'Plesk for Linux - 8.x and Older' started by CosmicD, Dec 11, 2004.

  1. CosmicD

    CosmicD Guest

    I'm a bit confused about these /8 /16 /24 mask settings. I kinda remember that they are another way of having a wildcard for specific IP ranges.

    I want to restrict ssh and admin access to my provider's network, and so I've played with the new firewall.

    (fake IPs follow)

    If I use /8, does that mean that only IPs in the range (IPs starting with 83) will be allowed?

    Consequently, will it mean that when I use /16 only the IPs starting with the range 83.84 will be allowed, and the following subranges will be allowed?

    Or is it just the other way around, that you have to type /24, and /16?

    Kinda confused on this one... I've implemented several restrictions like that into the firewall and it seems to work, but I'm not sure if it's OK because I would need someone with foreign IPs to test, and it's that I want to set only my provider's network to allow ssh and administrator access (also wanting to add a rule for Plesk support IPs when they would join).
  2. atomicturtle

    atomicturtle Golden Pleskian

    Nov 20, 2002
    Likes Received:
    Washington, DC
    Here's the short version (if you want the long version I can follow up); you're definitely on the right track: means 83.*.*.* means 83.0.*.* means 83.0.0.* means

    We call this notation the "bitmask"; it's a shortcut for the same thing you'd do with the netmask (example, is the same as

    As a firewall rule (assuming you had a default DROP policy) you'd allow your provider, everyone in the 83. network, with:

    $IPTABLES -A INPUT -p tcp --dport 22 -s -j ACCEPT
  3. CosmicD

    CosmicD Guest

    Well yep, then I'm right, thx for kinda confirming..

    I could start with /16 because it would be more containing, but I'd have the risk of locking myself out because the second part of the IPs is sometimes changing; it could be 83.84.*.* but also 83.85.*.*, and then I'm done :(.. I don't know if you can determine all of the classes that a provider has...? and then configure everything in advance so there are no surprises....
  4. NightStorm

    NightStorm Guest

    I use a neat little program called "Bosun Calculator" to figure out the exact /? number to place to get the correct range, and it works great.
    If you're looking at a single IP address and want to know what the full range is that is available, I head to dnsstuff.com and punch the IP in there.
    http://www.dnsstuff.com/tools/whois.ch?ip=<ip address>
    It will return the range that is owned by that company/host/ISP, and break down exactly what I need to target.
    For example, I punch in the SW-SOFT IP address of (URL http://www.dnsstuff.com/tools/whois.ch?ip=), and I get:
    Well, from there, you get the idea.
  5. JohnB@

    JohnB@ Guest

    SW-SOFT support often logs in from Novosibirsk !! And that means a quite different IP range -- not sure now what it is.

    Can someone be so very kind as to post his/her full configuration for the Plesk Firewall here, as a sample (maybe exchanging the actual IPs)? That would be very helpful indeed!

  6. CosmicD

    CosmicD Guest

    I always see something like plesk-gw blabla something I don't remember; I can't even see it with the last command anymore... and I don't know if it would be the full range of IPs..

    A cool thing is that I'd ask them that when I need another support issue with them; surely they'll say it then because they'd want to be able to log in :p

    # Automatically generated by Plesk netconf
    set -e
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -m state --state INVALID -j DROP
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
    /sbin/iptables -t mangle -F
    /sbin/iptables -t mangle -X
    /sbin/iptables -t mangle -Z
    /sbin/iptables -t mangle -P PREROUTING ACCEPT
    /sbin/iptables -t mangle -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P INPUT ACCEPT
    /sbin/iptables -t mangle -P FORWARD ACCEPT
    /sbin/iptables -t mangle -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
    /sbin/iptables -t nat -Z
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 113 -j ACCEPT
    #for irc servers
    /sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51000 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51001 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51002 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51003 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51004 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51005 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51006 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51007 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51008 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51009 -j ACCEPT
    # some passive ftp slots i keep open (because I only have a 30-domain server it doesn't have to be much)
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s 313.0.0.0/8 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -j DROP
    # selective plesk administrator only from my isp :P
    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 22 -s -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
    #selective ssh input only from my isp
    /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
    # pings, you can put that off with a standard rule in the plesk firewall
    /sbin/iptables -A INPUT -j DROP
    # Now i've set the standard rule in plesk firewall to block forward and output traffic, so you also have to see that when you run some extra stuff you need to specify extra output rules
    /sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    # above output rule is needed if you want to use stuff on your server like drweb or apt-get, when you don't allow unspecified traffic output from the server 
    /sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    # above is needed to resolve ip's on your server if you deny all other output traffic that is not specified. 
    /sbin/iptables -A OUTPUT -p tcp --dport 3200 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3201 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3202 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3203 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3204 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
    # i changed the above ports that are shown here but in this manner I have some ports open from the server with an extra rule to allow dcc with my irc bot :) locally I have these representative ports in my mirc client
    /sbin/iptables -A OUTPUT -j DROP
    /sbin/iptables -A FORWARD -j DROP
    # all the rest is denied :)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
    chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
    # End of script
  7. Kamin

    Kamin Guest

    OK, so how do I specify an even smaller range of IP addresses within the Plesk firewall config? Say I only want to block - and not all 256 IP addresses blocked by Or am I missing something from the previous posts?

  8. NightStorm

    NightStorm Guest

    Well, (subnet blocks: to
    But that's about as close as you're going to get.
    http://www.dnsstuff.com/tools/cidr.ch?ip=<IP> is a good calculator for figuring out just how much of a tweaking on the IP classes you need for your firewall to affect only the right people. You'd of course replace <IP> with the base IP address you're targeting.
    http://www.dnsstuff.com/tools/whois.ch?ip=<IP> will tell you the ISP for an IP, and what range is owned by that ISP.
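The following is an added example, not code from this thread, from Plesk or from the dnsstuff calculators mentioned above. It works through the arithmetic behind the answers given here: what /8, /16 and /24 actually match and the dotted netmask each corresponds to (atomicturtle's explanation), why a /16 on 83.84 locks out an 83.85 address (CosmicD's concern), how a range smaller than 256 addresses is expressed as CIDR blocks (Kamin's question), and how the per-source ACCEPT lines followed by a catch-all DROP in the posted script are evaluated first-match. The 83.x.x.x addresses are constructed sample values in the spirit of the fake IPs used in the thread, and the function names are this example's own.

```python
"""CIDR / bitmask helper for iptables -s source restrictions (added example)."""
import ipaddress  # stdlib; used only to cross-check the hand-rolled arithmetic

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """'83.84.0.10' -> 32-bit integer."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n):
    """32-bit integer -> 'a.b.c.d'."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_netmask(prefix):
    """Prefix length (the number after the slash) -> dotted netmask, e.g. 8 -> 255.0.0.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return to_dotted((ALL_ONES << (32 - prefix)) & ALL_ONES)


def cidr_bounds(cidr):
    """'83.0.0.0/8' -> (first address, last address, number of addresses)."""
    net, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = to_int(prefix_to_netmask(prefix))
    first = to_int(net) & mask            # host bits cleared
    last = first | (~mask & ALL_ONES)     # host bits set
    return to_dotted(first), to_dotted(last), 1 << (32 - prefix)


def ip_in_cidr(ip, cidr):
    """The comparison iptables -s makes: are the masked bits of ip equal to those of the block?"""
    net, prefix = cidr.split("/")
    mask = to_int(prefix_to_netmask(int(prefix)))
    return (to_int(ip) & mask) == (to_int(net) & mask)


def summarize(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive.
    Greedy: at each step take the largest block that starts exactly at
    `start` (i.e. is aligned there) and does not run past `end`."""
    start, end = to_int(first), to_int(last)
    if start > end:
        raise ValueError("range is reversed")
    blocks = []
    while start <= end:
        prefix = 32
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))   # size of the next-larger block
            if start % size != 0 or start + size - 1 > end:
                break
            prefix -= 1
        blocks.append("%s/%d" % (to_dotted(start), prefix))
        start += 1 << (32 - prefix)
    return blocks


def summarize_stdlib(first, last):
    """Same answer from the standard library, to cross-check summarize()."""
    rng = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                            ipaddress.IPv4Address(last))
    return [str(n) for n in rng]


def allow_rules(port, cidrs):
    """Render per-source ACCEPT lines followed by the catch-all DROP for the
    port, in the order the posted script uses (ACCEPTs must come first)."""
    lines = ["/sbin/iptables -A INPUT -p tcp --dport %d -s %s -j ACCEPT" % (port, c)
             for c in cidrs]
    lines.append("/sbin/iptables -A INPUT -p tcp --dport %d -j DROP" % port)
    return lines


def verdict(src, cidrs):
    """First-match evaluation of allow_rules() for one source address."""
    for c in cidrs:
        if ip_in_cidr(src, c):
            return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    for cidr in ("83.0.0.0/8", "83.84.0.0/16", "83.84.0.0/24"):
        print(cidr, prefix_to_netmask(int(cidr.split("/")[1])), cidr_bounds(cidr))
    # Lockout case from the thread: a /16 on 83.84 does not admit 83.85.x.x, a /8 does.
    print(verdict("83.85.1.2", ["83.84.0.0/16"]), verdict("83.85.1.2", ["83.0.0.0/8"]))
    # A range smaller than a /24, expressed as the CIDR blocks iptables -s accepts.
    print(summarize("83.84.0.10", "83.84.0.20"))
    print("\n".join(allow_rules(22, summarize("83.84.0.0", "83.85.255.255"))))
```

The summarize() output is what a CIDR calculator gives you: a range that is not aligned to a power-of-two boundary needs several -s lines, one per block, each placed before the port's DROP rule. Feeding it the whole range whois reports for a provider (rather than guessing a single /16) is the way to avoid the lockout CosmicD describes.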