1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice

firweall network mask question

Discussion in 'Plesk for Linux - 8.x and Older' started by CosmicD, Dec 11, 2004.

  1. CosmicD

    CosmicD Guest

    I'm a bit confused about these /8 /16 /24 mask settings. I kinda remember that they are another way of having a wildcard for specific ip ranges,

    I want to restrict ssh and admin access to my provider's network and so I've played with the new firewall,

    (fake ip's follow)

    if i use /8 does that mean that anything in the range (ip's starting with 83) will only be allowed ?

    consequently, will it mean that when I use / 16 mean that only the ip's starting with the range 83.84 will be allowed and the following subranges will be allowed ?

    or is it just the other way around, that you have to type /24 , and / 16 ?

    kinda confused on this one... i've implemented several restrictions like that into the firewall and it seems to work but i'm not sure if it's ok because i would need someone with foreign ip's to test and it's that I want to set only my provider's network to allow ssh and administrator access (also wanting to add a rule for plesk support ip's when they would join)
  2. atomicturtle

    atomicturtle Golden Pleskian

    Nov 20, 2002
    Likes Received:
    Washington, DC
    Heres the short version (if you want the long version I can follow up), you're definitely on the right track: means 83.*.*.* means 83.0.*.* means 83.0.0.* means

    We call this notation the "bitmask" its a shortcut for the same thing you'd do with the netmask (example, is the same as

    As a firewall rule (assuming you had a default DROP policy) youd allow your provider, everyone in the 83. network, with:

    $IPTABLES -A INPUT -p tcp --dport 22 -s -j ACCEPT
  3. CosmicD

    CosmicD Guest

    well yep, then i'm right thx for kinda confirming..

    I could start with / 16 because it would be more containing. but i'd have the risk of locking myself out because the second part of the ip's is sometims changing, could be 83.84;*.* but also 83.85.*.* and then i'm done :(.. I don't know if you can determine all of the classes that a provider has .. ? and then configure everything in advance so there's no surrprises....
  4. NightStorm

    NightStorm Guest

    I use a neat little program called "Bosun Calculator" to figure out the exact /? number to place to get the correct range, and it works great.
    If you're looking at a single IP address, and want to know what the full range that is available, I head to dnsstuff.com and punch the IP in there.
    http://www.dnsstuff.com/tools/whois.ch?ip=<ip address>
    It will return the range that is owned by that company/host/ISP, and break down exactly what I need to target.
    For example, I punch in the SW-SOFT IP address of (URL http://www.dnsstuff.com/tools/whois.ch?ip=, and I get:
    Well, from there, you get the idea.
  5. JohnB@

    JohnB@ Guest

    SW-SOFT support often logs in from Novosibirsk !! And that means a quite different IP range -- not sure now what it is.

    Can someone be so very kind to post his/her full configuration for the Plesk Firewall here -- as a sample (maybe exachnging the actual IPs). That would be very helpful indeed!

  6. CosmicD

    CosmicD Guest

    i always see something like plesk-gw blabla something i don't remember I can't even see it with the last command anymore... and I don't know it wold be the full range of ip's..

    a coool thing is that i'd ask them that when i need another support issue with them, surely they'll say it then because they'd want to be able to log in :p

    # Automatically generated by Plesk netconf
    set -e
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -m state --state INVALID -j DROP
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
    /sbin/iptables -t mangle -F
    /sbin/iptables -t mangle -X
    /sbin/iptables -t mangle -Z
    /sbin/iptables -t mangle -P PREROUTING ACCEPT
    /sbin/iptables -t mangle -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P INPUT ACCEPT
    /sbin/iptables -t mangle -P FORWARD ACCEPT
    /sbin/iptables -t mangle -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
    /sbin/iptables -t nat -Z
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 113 -j ACCEPT
    #for irc servers
    /sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51000 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51001 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51002 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51003 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51004 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51005 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51006 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51007 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51008 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51009 -j ACCEPT
    #some passive ftp slots i keep open, (becuse I only have a 30 #domain server it doesn't have to be much)
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s 313.0.0.0/8 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -j DROP
    # selective plesk administrator only from my isp :P
    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 22 -s -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
    #selective ssh input only from my isp
    /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
    # pings, you can put that off with a standard rule in the plesk firwall
    /sbin/iptables -A INPUT -j DROP
    # Now i've set the standard rule in plesk firewall  to block #forward and output traffic so you also have to see that when #you run some extra stuff you need to specify extra output rules
    /sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    # above output rule is needed if you want to use stuff on your server like drweb or apt-get, when you don't allow unspecified traffic output from the server 
    /sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    # above is needed to resolve ip's on your server if you deny all other output traffic that is not specified. 
    /sbin/iptables -A OUTPUT -p tcp --dport 3200 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3201 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3202 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3203 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3204 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
    # i changed the above ports that are shown here but in this manner I have some ports open from the server with an extra rule to allow dcc with my irc bot :) locally I have these representative ports in my mirc client
    /sbin/iptables -A OUTPUT -j DROP
    /sbin/iptables -A FORWARD -j DROP
    # all the rest is denied :)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
    chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
    # End of script
  7. Kamin

    Kamin Guest

    OK, so how do I specify an even smaller range of IP addresses within the Plesk firewall config? Say I only want to block - and not all 256 IP addresses blocked by Or am I missing something from the previous posts?

  8. NightStorm

    NightStorm Guest

    Well, (subnet blocks: to
    But that's about as close as you're going to get.
    http://www.dnsstuff.com/tools/cidr.ch?ip=<IP> is a good calculator for figuring out just how much of a tweaking on the IP classes you need for your firewll to affect only the right people. You'd of course replace <IP> with the base IP address you're targetting.
    http://www.dnsstuff.com/tools/whois.ch?ip=<IP> will tell you the ISP for an IP, and what range is owned by that ISP.