More elaborate rules can be created that control access to
specific subnets, or even specific nodes, within a LAN. You can
also restrict dubious services such as trojans, worms, and other
client/server malware from contacting their control servers. For
example, some trojans scan networks for services on ports 31337
to 31340 (called the elite ports in cracking terminology). Since
no legitimate service communicates via these non-standard ports,
blocking them effectively diminishes the chance that potentially
infected nodes on your network independently communicate with
their remote master servers.
# Drop locally generated and forwarded TCP traffic to the elite port
# leaving through the Internet-facing interface (eth0)
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

You can also block outside connections that attempt to spoof
private IP address ranges to infiltrate your LAN. For example, if
your LAN uses the 192.168.1.0/24 range, a rule can tell the
Internet-facing network device (for example, eth0) to drop any
packet arriving on that device whose source address falls within
your LAN IP range. Because it is recommended to reject forwarded
packets as a default policy, any other spoofed IP address reaching
the external-facing device (eth0) is rejected automatically.
# Drop packets arriving on eth0 that claim a source address inside the LAN
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP

Note:
There is a distinction between the DROP and REJECT targets when
dealing with appended rules. The REJECT target denies access and
returns a connection refused error to users who attempt to connect
to the service. The DROP target, as the name implies, drops the
packet without any warning. Administrators can use their own
discretion when using these targets. However, to avoid user
confusion and repeated attempts to connect, the REJECT target is
recommended.
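As an added example (not part of the original guide), the anti-spoofing and elite-port rules above assembled into one reviewable script, with a LOG rule ahead of each DROP so spoofing attempts are visible in syslog; eth0, 192.168.1.0/24 and the 31337:31340 range are assumed values for your own network.

```shell
#!/bin/sh
# Added example, not the guide's own code.  Interface, LAN range and port
# range are assumptions; override WAN_IF and LAN_NET in the environment.
WAN_IF="${WAN_IF:-eth0}"              # Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # your LAN range
ELITE_PORTS="31337:31340"             # port range the text describes

# Print the rules instead of running them so they can be reviewed first.
# Order matters: iptables applies the first matching rule in a chain.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    # Anti-spoofing: nothing arriving from the Internet may claim the LAN,
    # another private (RFC 1918) range, or loopback as its source address.
    # Log before dropping so the attempts show up in syslog for detection.
    for net in "$LAN_NET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        echo "iptables -A FORWARD -i $WAN_IF -s $net -j LOG --log-prefix \"SPOOF: \" --log-level 4"
        echo "iptables -A FORWARD -i $WAN_IF -s $net -j DROP"
    done
    # Replies to connections the LAN initiated are allowed back in; this
    # comes after the spoof checks so a spoofed packet never matches it.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Elite-port block covering the whole range, matching only the
    # destination port (the client's source port is normally ephemeral).
    # REJECT on OUTPUT gives local users an immediate error instead of a
    # hang; forwarded traffic is dropped silently.
    echo "iptables -A OUTPUT -o $WAN_IF -p tcp --dport $ELITE_PORTS -j REJECT --reject-with tcp-reset"
    echo "iptables -A FORWARD -o $WAN_IF -p tcp --dport $ELITE_PORTS -j DROP"
}

# Number of rules the generator produces, for a quick sanity check.
rule_count() { gen_rules | wc -l | tr -d ' '; }

# Apply only when explicitly requested and iptables is available;
# otherwise just show the ruleset.
if [ "${APPLY:-0}" = "1" ] && command -v iptables >/dev/null 2>&1; then
    gen_rules | sh -x
else
    gen_rules
fi
```

Run with APPLY=1 as root to load the rules; without it the script only prints them.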