07-15-2011, 04:33 AM
Jatin K

how to specify IP not equal to in iptables rules ????

On Thursday 14 July 2011 06:37 PM, Robert Nichols wrote:
> On 07/14/2011 07:48 AM, Jatin K wrote:
>> Dear All Gurus,
>>
>> I want to deny a particular IP (172.16.158.111) address in my network to
>> FTP on server (RHEL6), I'm trying to add the following[1][2] iptables
>> rules on server and getting error [3]
>>
>>
>> [1] iptables -A INPUT -s! 172.16.158.111 -p tcp --dport 21 -j DROP
>> [2] iptables -A INPUT -s! 172.16.158.111 -p tcp --dport 20 -j DROP
>>
>> [3] Using intrapositioned negation (`--option ! this`) is deprecated in
>> favor of extrapositioned (`! --option this`).
>>
>>
>> if I try the following [4] it throws an error like " bash: !172: event not
>> found " (I think it tries to recall a command from history, maybe, not
>> sure)
>>
>> [4] iptables -A INPUT -s !172.16.158.111 -p tcp --dport 21 -j DROP
>>
>>
>> So how do I proceed? Can anyone guide me in the right direction? How
>> do I add a rule like "IP or port is not equal to"?
> The exclamation point needs to be followed by white space to keep the shell
> from trying to interpret it. The recommended syntax is to put the '!'
> _before_ the option flag:
>
> iptables -A INPUT ! -s 172.16.158.111 -p tcp --dport 21 -j DROP
>


'!' Solved my problem

Thank you very very much all of you


Warm Regards

--
v
/(_)
^ ^ Jatin Khatri
Registered Linux user No #501175
www.counter.li.org
No M$

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
07-15-2011, 09:40 AM
James Hogarth

> '!' Solved my problem

Really? Because what you have there is the opposite of that which you stated you were trying to accomplish in your first post.


Now that IP is the only IP that can access your FTP server and all others get dropped.

 
07-15-2011, 09:46 AM
Jatin K

On Friday 15 July 2011 03:10 PM, James Hogarth wrote:
>
>
> >
> > '!' Solved my problem
> >
>
> Really? Because what you have there is the opposite of that which you
> stated you were trying to accomplish in your first post.
>
> Now that IP is the only IP that can access your FTP server and all
> others get dropped.
>
Yes, and that's what I wanted: only the specified IP can FTP to the server.




 
07-15-2011, 09:52 AM
Reindl Harald

On 15.07.2011 11:46, Jatin K wrote:
> On Friday 15 July 2011 03:10 PM, James Hogarth wrote:
>>
>>>
>>> '!' Solved my problem
>>
>> Really? Because what you have there is the opposite of that which you
>> stated you were trying to accomplish in your first post.
>>
>> Now that IP is the only IP that can access your FTP server and all
>> others get dropped.
>>
> yes and thats what I wanted ,,,,, Only specified IP can ftp to the server

Why did you not say this at the beginning?

Sorry, but first opening a port and after that dropping all except
one IP is a really ugly style that no one should use in production.

Why do you not simply open the port only for the IP you want?
This way you can open it for 2, 3, 4 IPs later:
iptables -A INPUT -p tcp -s source-ip --dport 21 -j ACCEPT

 
07-15-2011, 02:19 PM
g

On 07/15/2011 09:46 AM, Jatin K wrote:
> On Friday 15 July 2011 03:10 PM, James Hogarth wrote:
>>
>>> '!' Solved my problem
>>>
>> Really? Because what you have there is the opposite of that which you
>> stated you were trying to accomplish in your first post.
>>
>> Now that IP is the only IP that can access your FTP server and all
>> others get dropped.
>>
> yes and thats what I wanted ,,,,, Only specified IP can ftp to the server
---


Which is not what you stated in your first post, which was:

}> I want to deny a particular IP (172.16.158.111) address in my network to
}> FTP on server (RHEL6), I'm trying to add the following[1][2] iptables
}> rules on server and getting error [3]


Therefore, if you want to drop "IP (172.16.158.111)", you would use:


[1] iptables -A INPUT -s 172.16.158.111 -p tcp --dport 21 -j DROP
[2] iptables -A INPUT -s 172.16.158.111 -p tcp --dport 20 -j DROP

If you want to drop all except "IP (172.16.158.111)", you would use:

[1] iptables -A INPUT -s ! 172.16.158.111 -p tcp --dport 21 -j DROP
[2] iptables -A INPUT -s ! 172.16.158.111 -p tcp --dport 20 -j DROP

--

peace out.

tc.hago,

g
.

****
in a free world without fences, who needs gates.
**
help microsoft stamp out piracy - give linux to a friend today.
**
to mess up a linux box, you need to work at it.
to mess up an ms windows box, you just need to *look* at it.
**
The installation instructions stated to install Windows 2000 or better.
So I installed Linux.
**
learn linux:
'Rute User's Tutorial and Exposition' http://rute.2038bug.com/index.html
'The Linux Documentation Project' http://www.tldp.org/
'LDP HOWTO-index' http://www.tldp.org/HOWTO/HOWTO-INDEX/index.html
'HowtoForge' http://howtoforge.com/
****

 
07-16-2011, 04:20 AM
Jatin K

On Friday 15 July 2011 03:22 PM, Reindl Harald wrote:
>
> Am 15.07.2011 11:46, schrieb Jatin K:
>> On Friday 15 July 2011 03:10 PM, James Hogarth wrote:
>>>> '!' Solved my problem
>>> Really? Because what you have there is the opposite of that which you
>>> stated you were trying to accomplish in your first post.
>>>
>>> Now that IP is the only IP that can access your FTP server and all
>>> others get dropped.
>>>
>> yes and thats what I wanted ,,,,, Only specified IP can ftp to the server
> why do you not say this at the begin
>
> sorry, but first open a port and after that drop all except
> one ip is a really ugly style no one should do in production

I do not have any control over that decision; I have to do
things as per the company's requirements.

I'm the service provider; my duty is to provide the setup as per the direction
and documentation given by my customer (the company).

> why do you not simply open the port only for the ip you want?
> and this way you can open fro 2, 3, 4 IPs later

If I had control over the setup, I would definitely go with your
solution.


> iptables -A INPUT -p tcp -s source-ip --dport 21 -j ACCEPT
>

Thanks for your suggestions and help.


Warm Regards T.C.

 
07-16-2011, 04:25 AM
Jatin K

On Friday 15 July 2011 07:49 PM, g wrote:
> On 07/15/2011 09:46 AM, Jatin K wrote:
>> On Friday 15 July 2011 03:10 PM, James Hogarth wrote:
>>>> '!' Solved my problem
>>>>
>>> Really? Because what you have there is the opposite of that which you
>>> stated you were trying to accomplish in your first post.
>>>
>>> Now that IP is the only IP that can access your FTP server and all
>>> others get dropped.
>>>
>> yes and thats what I wanted ,,,,, Only specified IP can ftp to the server
> ---
>
>
> which is not what you stated in your first post, which was;
>
> }> I want to deny a particular IP (172.16.158.111) address in my network to
> }> FTP on server (RHEL6), I'm trying to add the following[1][2] iptables
> }> rules on server and getting error [3]
>

Sorry, that was my mistake :-(

Actually, I got the solution that was needed from this list.

 
07-16-2011, 04:48 AM
g

On 07/16/2011 04:25 AM, Jatin K wrote:
<>

> Sorry, that was my mistake :-(

That happens, but it does make it difficult to help.

> actually I got the solution what was needed, from this list.

And it was so noted. However, a little more info would be nice.

Did blocking work with:

[1] iptables -A INPUT ! -s 172.16.158.111 -p tcp --dport 21 -j DROP
or
[2] iptables -A INPUT -s ! 172.16.158.111 -p tcp --dport 21 -j DROP

syntax tends to indicate that [2] is correct, as [1] would tend to
indicate "NOT source".

--

peace out.

tc.hago,

g
.

 
07-16-2011, 05:40 AM
Jatin K

On Saturday 16 July 2011 10:18 AM, g wrote:
> On 07/16/2011 04:25 AM, Jatin K wrote:
> <>
>
>> Sorry, that was my mistake :-(
> that happens. but does make things difficult to help.
>
>> actually I got the solution what was needed, from this list.
> and was so noted. wherein, a little more info would be nice.
>
> did blocking work with;
>
> [1] iptables -A INPUT ! -s 172.16.158.111 -p tcp --dport 21 -j DROP
> or
> [2] iptables -A INPUT -s ! 172.16.158.111 -p tcp --dport 21 -j DROP
>
> syntax tends to indicate that [2] is correct, as [1] would tend to
> indicate "NOT source".
>


[2] worked for me. By the way, we need to write ! as '!' (in
single quotes):

iptables -A INPUT -s '!' 172.16.158.111 -p tcp --dport 21 -j DROP




 
07-16-2011, 08:52 AM
g

On 07/16/2011 05:40 AM, Jatin K wrote:
> On Saturday 16 July 2011 10:18 AM, g wrote:
>> On 07/16/2011 04:25 AM, Jatin K wrote:
>> <>
>>
>>> Sorry, that was my mistake :-(
>>
>> that happens. but does make things difficult to help.
>>
>>> actually I got the solution what was needed, from this list.
>>
>> and was so noted. wherein, a little more info would be nice.
>>
>> did blocking work with;
>>
>> [1] iptables -A INPUT ! -s 172.16.158.111 -p tcp --dport 21 -j DROP
>> or
>> [2] iptables -A INPUT -s ! 172.16.158.111 -p tcp --dport 21 -j DROP
>>
>> syntax tends to indicate that [2] is correct, as [1] would tend to
>> indicate "NOT source".
>
>
> [2] worked for me

This is what I recall having used, and it is more logical.

> ...by the way we need to indicate ! like '!' ( in
> single quote)
>
> iptables -A INPUT -s '!' 172.16.158.111 -p tcp --dport 21 -j DROP

This is not as I recall using it, nor is it shown that way in the man page or in
'Red Hat Linux Firewalls'.

In the man page, when shown as an option, [!] is used; in the description,
"!" is used (with 2 exceptions).

In 'Red Hat Linux Firewalls', the examples are shown without quotes.

So,

[1] Did you find that it did not work without single quotes and then tried
with single quotes?

or,

[2] Are you using "echo" to send the line to iptables?

And please excuse my questioning, as at this time I do not have a
networking system available to experiment with, and your answers will
help when I do. Thank you.

--

peace out.

tc.hago,

g
.

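The thread ends without a worked ruleset, so here is one as an added example; it is not code posted by anyone in the thread. It generates, as text in iptables-restore syntax, the allow-list layout Reindl Harald recommends (per-IP ACCEPT rules for tcp/21 and tcp/20 first, a DROP for everyone else last) and, for comparison, the single-IP negation rules from the first post written with "!" before the option, the placement the deprecation notice asks for. It assumes the filter table and INPUT chain on an IPv4 host such as the RHEL6 server discussed; the allowed addresses are constructed inputs. Nothing in it touches the running firewall, so it can be run without root and its output inspected before loading.

```sh
#!/bin/sh
# Added example (not from the thread): build an FTP allow-list ruleset
# for iptables-restore. Assumed: filter table, INPUT chain, IPv4.

# ftp_allowlist_rules IP [IP...] -> print a complete *filter fragment.
# ACCEPT rules precede the generic DROP, so chain order is explicit and
# adding a host later is one more argument, not an edit of the DROP rules.
ftp_allowlist_rules() {
    [ "$#" -ge 1 ] || { echo "usage: ftp_allowlist_rules IP [IP...]" >&2; return 2; }
    printf '%s\n' '*filter'
    # Replies on already-accepted connections must pass first. With the
    # nf_conntrack_ftp helper loaded this RELATED match is also what lets
    # passive-mode data connections through, since those do not use port 20.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $ip --dport 21 -j ACCEPT"
        printf '%s\n' "-A INPUT -p tcp -s $ip --dport 20 -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p tcp --dport 21 -j DROP'
    printf '%s\n' '-A INPUT -p tcp --dport 20 -j DROP'
    printf '%s\n' 'COMMIT'
}

# ftp_only_ip_rules IP -> the "everyone except this IP" form from the thread,
# with "!" before -s (the non-deprecated placement; "-s ! IP" still loads on
# the iptables shipped with RHEL6 but prints the notice quoted in the first
# post). In a script "!" needs no quoting: bash history expansion, which
# turned "!172" into "event not found", is only enabled in interactive shells.
ftp_only_ip_rules() {
    [ "$#" -eq 1 ] || { echo "usage: ftp_only_ip_rules IP" >&2; return 2; }
    printf '%s\n' "-A INPUT ! -s $1 -p tcp --dport 21 -j DROP"
    printf '%s\n' "-A INPUT ! -s $1 -p tcp --dport 20 -j DROP"
}

# ftp_rules_ordered RULESET -> exit 0 if every DROP comes after the last
# ACCEPT. An ACCEPT appended after a blanket DROP never matches, which is
# the ordering mistake the thread warns about.
ftp_rules_ordered() {
    last_accept=$(printf '%s\n' "$1" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    first_drop=$(printf '%s\n' "$1" | grep -n -- '-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$last_accept" ] && [ -n "$first_drop" ] && [ "$first_drop" -gt "$last_accept" ]
}

# Stand-alone run: ruleset for the one host from the thread, then the check.
rules=$(ftp_allowlist_rules 172.16.158.111)
printf '%s\n' "$rules"
ftp_rules_ordered "$rules" && echo "rule order ok"
```

Save the output and load it with `iptables-restore -n` (which appends without flushing the table) or fold it into /etc/sysconfig/iptables on RHEL6; `iptables -L INPUT -n --line-numbers` then shows the resulting order. Two caveats a practitioner should keep in mind: port 20 only covers active-mode FTP data connections, so the state rule plus the FTP conntrack helper is what makes passive mode work for the allowed hosts; and on the shell side, `set +H` turns history expansion off in an interactive bash, `! -s` is safe because `!` followed by a space is never expanded, and the `'!'` quoting that worked for Jatin simply passes a literal `!` to iptables, which is why it behaved the same as the unquoted form in a script.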
 
