
firewall network mask question


CosmicD

Guest
I'm a bit confused about these /8 /16 /24 mask settings. I kinda remember that they are another way of having a wildcard for specific IP ranges.

I want to restrict ssh and admin access to my provider's network and so I've played with the new firewall,

(fake ip's follow)

If I use 83.0.0.0/8, does that mean that only addresses in the 83.0.0.0 range (IPs starting with 83) will be allowed?

Consequently, does it mean that when I use 83.84.0.0/16, only the IPs starting with 83.84 will be allowed, and the following subranges will be allowed?

Or is it just the other way around, that you have to type 83.0.0.0/24 and 83.84.0.0/16?

Kinda confused on this one... I've implemented several restrictions like that in the firewall and it seems to work, but I'm not sure if it's OK because I would need someone with foreign IPs to test it. What I want is to allow SSH and administrator access only from my provider's network (also wanting to add a rule for Plesk support IPs when they would join).
 
Here's the short version (if you want the long version I can follow up); you're definitely on the right track:

83.0.0.0/8 means 83.*.*.*
83.0.0.0/16 means 83.0.*.*
83.0.0.0/24 means 83.0.0.*
83.0.0.0/32 means 83.0.0.0

We call this notation the "bitmask"; it's a shortcut for the same thing you'd do with the netmask (for example, 83.0.0.0/24 is the same as 83.0.0.0/255.255.255.0).


As a firewall rule (assuming you had a default DROP policy) you'd allow your provider, everyone in the 83. network, with:

$IPTABLES -A INPUT -p tcp --dport 22 -s 83.0.0.0/8 -j ACCEPT
 
Well yep, then I'm right, thx for kinda confirming..

I could start with /16 because it would be more containing, but I'd have the risk of locking myself out because the second part of the IPs is sometimes changing: could be 83.84.*.* but also 83.85.*.* and then I'm done :(.. I don't know if you can determine all of the classes that a provider has..? and then configure everything in advance so there are no surprises....
 
I use a neat little program called "Bosun Calculator" to figure out the exact /? number to place to get the correct range, and it works great.
If you're looking at a single IP address and want to know the full range that is available, I head to dnsstuff.com and punch the IP in there.
http://www.dnsstuff.com/tools/whois.ch?ip=<ip address>
It will return the range that is owned by that company/host/ISP, and break down exactly what I need to target.
For example, I punch in the SW-SOFT IP address of 69.64.46.17 (URL http://www.dnsstuff.com/tools/whois.ch?ip=69.64.46.17), and I get:
OrgName: SWsoft, Inc
OrgID: SWSOF
Address: 13800 Coppermine Rd
Address: Suite 112
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

NetRange: 69.64.46.0 - 69.64.46.255
CIDR: 69.64.46.0/24
NetName: SW-SOFT-1
NetHandle: NET-69-64-46-0-1
Parent: NET-69-64-32-0-1
NetType: Reassigned
NameServer: NS1.SW-SOFT.COM
NameServer: NS2.SW-SOFT.COM
NameServer: NS3.SW-SOFT.COM
Comment: http://www.sw-soft.com
Well, from there, you get the idea.
 
SW-SOFT support often logs in from Novosibirsk !! And that means a quite different IP range -- not sure now what it is.

Can someone be so very kind to post his/her full configuration for the Plesk Firewall here -- as a sample (maybe exchanging the actual IPs). That would be very helpful indeed!

Thanks!
 
I always see something like plesk-gw blabla something, I don't remember; I can't even see it with the last command anymore... and I don't know if it would be the full range of IPs..

A cool thing is that I'd ask them that when I need another support issue with them; surely they'll say it then because they'd want to be able to log in :p

Code:
#!/bin/sh
#
# Automatically generated by Plesk netconf
#

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 113 -j ACCEPT
#for irc servers
/sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51000 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51001 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51002 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51003 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51004 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51005 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51006 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51007 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51008 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51009 -j ACCEPT
#some passive ftp slots i keep open (because I only have a 30 domain server it doesn't have to be much)

/sbin/iptables -A INPUT -p tcp --dport 8443 -s 83.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -s 193.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -s 313.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -j DROP
# selective plesk administrator only from my isp :P
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 22 -s 83.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
#selective ssh input only from my isp
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP

/sbin/iptables -A INPUT -p udp --dport 137 -j DROP
/sbin/iptables -A INPUT -p udp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 445 -j DROP

/sbin/iptables -A INPUT -p udp --dport 1194 -j DROP

/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
# pings, you can turn that off with a standard rule in the plesk firewall
/sbin/iptables -A INPUT -j DROP
###############
# Now i've set the standard rule in plesk firewall to block forward and output traffic so you also have to see that when you run some extra stuff you need to specify extra output rules
/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# above output rule is needed if you want to use stuff on your server like drweb or apt-get, when you don't allow unspecified traffic output from the server 
/sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# above is needed to resolve ip's on your server if you deny all other output traffic that is not specified. 
/sbin/iptables -A OUTPUT -p tcp --dport 3200 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 3201 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 3202 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 3203 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 3204 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
# i changed the above ports that are shown here but in this manner I have some ports open from the server with an extra rule to allow dcc with my irc bot :) locally I have these representative ports in my mirc client

/sbin/iptables -A OUTPUT -j DROP
/sbin/iptables -A FORWARD -j DROP
# all the rest is denied :)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
#
# End of script
#
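A rule set like the one posted above is easy to get subtly wrong: a mistyped network (the placeholder 313.0.0.0/8 is not a valid IPv4 address, so iptables rejects that line and, because the script runs with set -e, the script aborts part-way through) or a sensitive port left open to everyone. The following audit script is an added example, not part of this thread or of Plesk's netconf; it walks the -A INPUT lines in order (iptables is first match wins), reports which sources can reach each port, and lists lines whose -s value is not a valid network. The sample rules are constructed here in the shape of the posted script; only per-port INPUT rules with ACCEPT/DROP/REJECT targets are modelled.

```python
import shlex
from ipaddress import ip_network

# Constructed sample: a few lines in the same shape as the netconf script
# posted above (the 313.0.0.0/8 line is the poster's placeholder address,
# kept here because it is exactly the kind of typo this check catches).
SAMPLE_RULES = """\
/sbin/iptables -A INPUT -p tcp --dport 8443 -s 83.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -s 313.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -s 83.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -j DROP
"""


def parse_rule(line):
    """Pick the options this audit cares about out of one 'iptables -A' line."""
    argv = shlex.split(line)
    rule = {"chain": None, "proto": None, "dport": None, "src": None, "target": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok == "-A":
            rule["chain"] = nxt
        elif tok == "-p":
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = int(nxt)
        elif tok in ("-s", "--source"):
            rule["src"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
        else:
            i += 1
            continue
        i += 2
    return rule


def audit(script_text):
    """Walk INPUT rules in order and return (exposure, bad_lines).

    exposure maps (proto, dport) -> "ANY" or the list of source networks that
    can reach the port; bad_lines are rules whose -s value is not a valid
    network (iptables would reject them, and under set -e the script aborts).
    """
    exposure = {}
    bad_lines = []
    for line in script_text.splitlines():
        r = parse_rule(line)
        if r["chain"] != "INPUT" or r["dport"] is None:
            continue  # only per-port INPUT rules are modelled here
        net = None
        if r["src"] is not None:
            try:
                net = ip_network(r["src"], strict=False)
            except ValueError:
                bad_lines.append(line.strip())
                continue
        key = (r["proto"], r["dport"])
        state = exposure.setdefault(key, {"allow": [], "closed": False})
        if state["closed"]:
            continue  # an earlier unrestricted rule already decided this port
        if r["target"] == "ACCEPT":
            if net is None:
                state["allow"], state["closed"] = "ANY", True
            else:
                state["allow"].append(str(net))
        elif r["target"] in ("DROP", "REJECT") and net is None:
            state["closed"] = True
    return {k: v["allow"] for k, v in exposure.items()}, bad_lines


def open_to_world(script_text, sensitive=(22, 8443, 3306)):
    """Sensitive ports that any source on the internet can reach."""
    exposure, _ = audit(script_text)
    return sorted(port for (proto, port), allow in exposure.items()
                  if port in sensitive and allow == "ANY")


if __name__ == "__main__":
    exposure, bad = audit(SAMPLE_RULES)
    for key, allow in exposure.items():
        print(key, "<-", allow)
    print("invalid source networks:", bad)
    print("sensitive ports open to everyone:", open_to_world(SAMPLE_RULES))
```

Run against the constructed sample it reports 22 and 8443 as reachable only from 83.0.0.0/8, flags the 313.0.0.0/8 line, and lists 3306 as open to the world, which is the kind of thing worth a second look before the rule set goes live.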
 
OK, so how do I specify an even smaller range of IP addresses within the Plesk firewall config? Say I only want to block 213.209.216.16 - 213.209.216.23 and not all 256 IP addresses blocked by 213.209.216.0/24? Or am I missing something from the previous posts?

Thanks.
 
Well, 213.209.216.16/28 (subnet 255.255.255.240) blocks:
213.209.216.17 to 213.209.216.30
But that's about as close as you're going to get.
http://www.dnsstuff.com/tools/cidr.ch?ip=<IP> is a good calculator for figuring out just how much of a tweaking on the IP classes you need for your firewall to affect only the right people. You'd of course replace <IP> with the base IP address you're targeting.
http://www.dnsstuff.com/tools/whois.ch?ip=<IP> will tell you the ISP for an IP, and what range is owned by that ISP.
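For the /8, /16, /24 question earlier in the thread and the finer range asked about just above, an offline calculator avoids guessing at what a prefix covers. The following is an added example written for this page, not code from the thread; it uses only Python's standard ipaddress module. describe() expands a prefix into the netmask, the wildcard pattern used in the first answer, and the first and last address a -s match would accept; smallest_blocks() finds the fewest CIDR blocks that cover an arbitrary first..last range exactly; source_allowed() checks whether a given client address would match a list of allowed networks.

```python
from ipaddress import ip_address, ip_network, summarize_address_range


def describe(cidr):
    """What a prefix actually covers: netmask, wildcard pattern (only when the
    prefix ends on an octet boundary), first and last address, and size."""
    net = ip_network(cidr, strict=False)
    octets = str(net.network_address).split(".")
    full = net.prefixlen // 8  # number of whole octets fixed by the prefix
    pattern = None
    if net.prefixlen % 8 == 0:
        pattern = ".".join(octets[:full] + ["*"] * (4 - full))
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "pattern": pattern,
        "first": str(net[0]),
        "last": str(net[-1]),
        "size": net.num_addresses,
    }


def smallest_blocks(first, last):
    """Fewest CIDR blocks that cover exactly first..last (inclusive)."""
    return [str(n) for n in summarize_address_range(ip_address(first), ip_address(last))]


def source_allowed(allowed_cidrs, ip):
    """Would a packet from ip match one of these -s networks?"""
    return any(ip_address(ip) in ip_network(c, strict=False) for c in allowed_cidrs)


if __name__ == "__main__":
    for c in ("83.0.0.0/8", "83.84.0.0/16", "213.209.216.16/28", "213.209.216.16/29"):
        print(c, describe(c))
    # the range asked about above, .16 to .23, is exactly one /29
    print(smallest_blocks("213.209.216.16", "213.209.216.23"))
    # an unaligned range needs several blocks
    print(smallest_blocks("213.209.216.17", "213.209.216.30"))
    # the lock-out worry from earlier: /16 vs /8 for a client in 83.85.x.x
    print(source_allowed(["83.84.0.0/16"], "83.85.1.2"), source_allowed(["83.0.0.0/8"], "83.85.1.2"))
```

Two things the output makes concrete: a /28 starting at .16 spans .16 through .31 (16 addresses) as a firewall source match, while .16 through .23 is a /29; and a range that does not start and end on a power-of-two boundary cannot be written as a single prefix, so summarize_address_range returns the list of blocks you would need as separate -s rules.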
 