
firewall network mask question

Discussion in 'Plesk for Linux - 8.x and Older' started by CosmicD, Dec 11, 2004.

  1. CosmicD

    CosmicD Guest

    0
     
    I'm a bit confused about these /8 /16 /24 mask settings. I kinda remember that they are another way of having a wildcard for specific IP ranges.

    I want to restrict ssh and admin access to my provider's network and so I've played with the new firewall,

    (fake ip's follow)

    If I use 83.0.0.0/8, does that mean that only anything in the 83.0.0.0 range (IPs starting with 83) will be allowed?

    Consequently, does it mean that when I use 83.84.0.0/16, only the IPs starting with 83.84 and the subranges below it will be allowed?

    Or is it the other way around, so that you have to type 83.0.0.0/24 and 83.84.0.0/16?

    Kinda confused on this one... I've implemented several restrictions like that in the firewall and it seems to work, but I'm not sure if it's OK because I would need someone with foreign IPs to test it. What I want is to allow SSH and administrator access only from my provider's network (and I also want to add a rule for Plesk support IPs when they need to join).
     
  2. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Here's the short version (if you want the long version I can follow up), you're definitely on the right track:

    83.0.0.0/8 means 83.*.*.*
    83.0.0.0/16 means 83.0.*.*
    83.0.0.0/24 means 83.0.0.*
    83.0.0.0/32 means 83.0.0.0

    We call this notation the "bitmask"; it's a shortcut for the same thing you'd do with the netmask (example: 83.0.0.0/24 is the same as 83.0.0.0/255.255.255.0).


    As a firewall rule (assuming you had a default DROP policy) you'd allow your provider, everyone in the 83. network, with:

    $IPTABLES -A INPUT -p tcp --dport 22 -s 83.0.0.0/8 -j ACCEPT
     
  3. CosmicD

    CosmicD Guest

    0
     
    Well yep, then I'm right, thx for kinda confirming..

    I could start with /16 because it would be more containing, but I'd have the risk of locking myself out because the second part of the IPs is sometimes changing: it could be 83.84.*.* but also 83.85.*.*, and then I'm done :(.. I don't know if you can determine all of the classes that a provider has..? and then configure everything in advance so there are no surprises....
     
  4. NightStorm

    NightStorm Guest

    0
     
    I use a neat little program called "Bosun Calculator" to figure out the exact /? number to place to get the correct range, and it works great.
    If you're looking at a single IP address, and want to know what the full range that is available, I head to dnsstuff.com and punch the IP in there.
    http://www.dnsstuff.com/tools/whois.ch?ip=<ip address>
    It will return the range that is owned by that company/host/ISP, and break down exactly what I need to target.
    For example, I punch in the SW-SOFT IP address of 69.64.46.17 (URL http://www.dnsstuff.com/tools/whois.ch?ip=69.64.46.17), and I get:
    Well, from there, you get the idea.
     
  5. JohnB@

    JohnB@ Guest

    0
     
    SW-SOFT support often logs in from Novosibirsk !! And that means a quite different IP range -- not sure now what it is.

    Can someone be so very kind to post his/her full configuration for the Plesk Firewall here -- as a sample (maybe exchanging the actual IPs). That would be very helpful indeed!

    Thanks!
     
  6. CosmicD

    CosmicD Guest

    0
     
    I always see something like plesk-gw blabla something, I don't remember. I can't even see it with the last command anymore... and I don't know if it would be the full range of IPs..

    A cool thing is that I'd ask them that when I need another support issue with them; surely they'll say it then because they'd want to be able to log in :p

    Code:
    #!/bin/sh
    #
    # Automatically generated by Plesk netconf
    #
    
    set -e
    
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -m state --state INVALID -j DROP
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
    /sbin/iptables -t mangle -F
    /sbin/iptables -t mangle -X
    /sbin/iptables -t mangle -Z
    /sbin/iptables -t mangle -P PREROUTING ACCEPT
    /sbin/iptables -t mangle -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P INPUT ACCEPT
    /sbin/iptables -t mangle -P FORWARD ACCEPT
    /sbin/iptables -t mangle -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
    /sbin/iptables -t nat -Z
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT
    
    /sbin/iptables -A INPUT -p tcp --dport 113 -j ACCEPT
    #for irc servers
    /sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51000 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51001 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51002 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51003 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51004 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51005 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51006 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51007 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51008 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 51009 -j ACCEPT
    # some passive FTP slots I keep open (because I only have a 30-domain server, it doesn't have to be much)
    
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s 83.0.0.0/8 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s 193.0.0.0/8 -j ACCEPT
    # 313 is not a valid octet (the IPs in this post are fake): iptables will refuse this rule and, with "set -e" above, abort the script, so a real network must go here before loading
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s 313.0.0.0/8 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -j DROP
    # selective plesk administrator only from my isp :P
    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    
    /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    
    /sbin/iptables -A INPUT -p tcp --dport 22 -s 83.0.0.0/8 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
    #selective ssh input only from my isp
    /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
    
    /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
    
    /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
    
    /sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
    
    /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
    
    /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP
    
    /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP
    
    /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
    
    /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP
    
    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    
    /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
    # pings, you can switch that off with a standard rule in the plesk firewall
    /sbin/iptables -A INPUT -j DROP
    ###############
    # Now i've set the standard rule in plesk firewall  to block #forward and output traffic so you also have to see that when #you run some extra stuff you need to specify extra output rules
    /sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    # above output rule is needed if you want to use stuff on your server like drweb or apt-get, when you don't allow unspecified traffic output from the server 
    /sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    # above is needed to resolve ip's on your server if you deny all other output traffic that is not specified. 
    /sbin/iptables -A OUTPUT -p tcp --dport 3200 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3201 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3202 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3203 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3204 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
    # i changed the above ports that are shown here but in this manner I have some ports open from the server with an extra rule to allow dcc with my irc bot :) locally I have these representative ports in my mirc client
    
    /sbin/iptables -A OUTPUT -j DROP
    /sbin/iptables -A FORWARD -j DROP
    # all the rest is denied :)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
    chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
    #
    # End of script
    #
     
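    The script above is loaded with "set -e" and a default DROP policy, so a wrong rule order locks the admin out and a too-permissive one exposes services to everyone. The following first-match simulator is an added example, not code from the thread or from Plesk: it parses a constructed subset of the posted INPUT chain (only the options the script uses: -P, -A, -p, --dport, -s, -i, -j) and answers "what happens to a new connection from address X to port Y" before the rules are loaded. The 313.0.0.0/8 line is left out because 313 is not a valid octet; the ESTABLISHED,RELATED, INVALID and "! --syn" rules are left out because none of them can match the new TCP SYN packets modelled here. The address 198.51.100.7 is a documentation address standing in for "anyone on the Internet".

```python
# Added example (not from the thread): first-match simulation of an iptables
# INPUT chain, used to check a ruleset for lock-out and exposure offline.
import ipaddress
import shlex

# Constructed subset of the posted INPUT chain, kept in the posted order.
POSTED_INPUT_CHAIN = """
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -s 83.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -s 193.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -s 83.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -j DROP
"""


def parse_rules(text: str):
    """Return (policies, rules); rules keep the order they were appended in."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)[1:]          # drop the iptables binary path
        if argv[0] == "-P":
            policies[argv[1]] = argv[2]
            continue
        if argv[0] != "-A":
            continue                          # -F, -X, -Z, -t ... add no rules
        rule = {"chain": argv[1]}
        i = 2
        while i < len(argv):
            opt, val = argv[i], argv[i + 1]
            if opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "-s":
                # ip_network raises ValueError for an octet like 313, which is
                # exactly what iptables would do with that line
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-i":
                rule["iface"] = val
            elif opt == "-j":
                rule["target"] = val
            else:
                raise ValueError(f"option {opt!r} not supported by this simulator: {line}")
            i += 2
        rules.append(rule)
    return policies, rules


def evaluate(policies, rules, chain, proto, dport, src, iface="eth0"):
    """First matching rule wins, as in the kernel; otherwise the chain policy."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r["chain"] != chain:
            continue
        if "iface" in r and r["iface"] != iface:
            continue
        if "proto" in r and r["proto"] != proto:
            continue
        if "dport" in r and r["dport"] != dport:
            continue
        if "src" in r and src_ip not in r["src"]:
            continue
        return r["target"]
    return policies.get(chain, "ACCEPT")


def exposed_ports(policies, rules, src="198.51.100.7"):
    """(proto, port) pairs a new connection from an arbitrary outside address reaches."""
    ports = sorted({r["dport"] for r in rules if "dport" in r})
    return [(proto, p) for p in ports for proto in ("tcp", "udp")
            if evaluate(policies, rules, "INPUT", proto, p, src) == "ACCEPT"]


if __name__ == "__main__":
    policies, rules = parse_rules(POSTED_INPUT_CHAIN)
    for src in ("83.84.5.6", "193.1.2.3", "198.51.100.7"):
        print(f"ssh  from {src:14} -> {evaluate(policies, rules, 'INPUT', 'tcp', 22, src)}")
        print(f"8443 from {src:14} -> {evaluate(policies, rules, 'INPUT', 'tcp', 8443, src)}")
    print("reachable from anywhere:", exposed_ports(policies, rules))
```

    Running it shows SSH and port 8443 accepted only from the 83.0.0.0/8 (and, for 8443, 193.0.0.0/8) sources and dropped from elsewhere, and lists which services the posted chain leaves open to any address, for instance 3306, which is worth noticing before the script goes live.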
  7. Kamin

    Kamin Guest

    0
     
    OK, so how do I specify an even smaller range of IP addresses within the Plesk firewall config? Say I only want to block 213.209.216.16 - 213.209.216.23 and not all 256 IP addresses blocked by 213.209.216.0/24? Or am I missing something from the previous posts?

    Thanks.
     
  8. NightStorm

    NightStorm Guest

    0
     
    Well, 213.209.216.16/28 (subnet 255.255.255.240) blocks:
    213.209.216.17 to 213.209.216.30
    But that's about as close as you're going to get.
    http://www.dnsstuff.com/tools/cidr.ch?ip=<IP> is a good calculator for figuring out just how much of a tweaking on the IP classes you need for your firewall to affect only the right people. You'd of course replace <IP> with the base IP address you're targeting.
    http://www.dnsstuff.com/tools/whois.ch?ip=<IP> will tell you the ISP for an IP, and what range is owned by that ISP.
     
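The prefix arithmetic behind atomicturtle's "bitmask" table (83.0.0.0/8 means 83.*.*.*) and behind the /28 answer to Kamin's .16-.23 question can be checked offline without a web calculator. The code below is an added example, not code from the thread or from any of the tools named in it: it builds the mask from the prefix length by hand, converts a prefix to the dotted netmask form and to the first and last address it covers, applies the same (address & mask) test that "iptables -s" applies, and, going beyond the single-prefix case in the thread, computes the smallest list of prefixes that covers an arbitrary first..last range exactly. All addresses in the usage section are the ones from the posts above.

```python
# Added example (not from the thread): CIDR prefix arithmetic by hand,
# standard library only, no network access.

def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer; rejects malformed octets such as 313."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for octet in parts:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}: {octet}")
        value = (value << 8) | n
    return value


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix: int) -> int:
    """/prefix -> 32-bit mask with the top `prefix` bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_to_netmask(prefix: int) -> str:
    """Dotted netmask form, e.g. 24 -> 255.255.255.0, 28 -> 255.255.255.240."""
    return int_to_ip(prefix_mask(prefix))


def cidr_range(cidr: str) -> tuple[str, str]:
    """First and last address a prefix covers (network and broadcast included)."""
    ip, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    base = ip_to_int(ip) & mask          # host bits of the given address are ignored
    return int_to_ip(base), int_to_ip(base | (~mask & 0xFFFFFFFF))


def cidr_contains(cidr: str, ip: str) -> bool:
    """The test iptables -s applies: (address & mask) == (network & mask)."""
    net, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Smallest list of prefixes covering exactly first..last and nothing else."""
    start, end = ip_to_int(first), ip_to_int(last)
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        # Grow the block while it stays aligned to its size and inside the range.
        bits = 0
        while (bits < 32
               and start & ((1 << (bits + 1)) - 1) == 0
               and start + (1 << (bits + 1)) - 1 <= end):
            bits += 1
        blocks.append(f"{int_to_ip(start)}/{32 - bits}")
        start += 1 << bits
    return blocks


if __name__ == "__main__":
    for cidr in ("83.0.0.0/8", "83.84.0.0/16", "213.209.216.16/28"):
        prefix = int(cidr.split("/")[1])
        print(cidr, "netmask", prefix_to_netmask(prefix), "covers", cidr_range(cidr))
    print("83.84.1.2 in 83.0.0.0/8:", cidr_contains("83.0.0.0/8", "83.84.1.2"))
    print("213.209.216.16-23 ->", range_to_cidrs("213.209.216.16", "213.209.216.23"))
    print("213.209.216.16-30 ->", range_to_cidrs("213.209.216.16", "213.209.216.30"))
```

For Kamin's range, 213.209.216.16 to .23 is exactly 213.209.216.16/29 (eight addresses), while a /28 starting at .16 covers .16 through .31; a range that is not a whole aligned block, such as .16 to .30, needs several prefixes, and the function lists them so each can become its own firewall rule.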