More elaborate rules can be created that control access to specific
subnets, or even specific nodes, within a LAN. You can also prevent
certain dubious services such as trojans, worms, and other client/server
viruses from contacting their server. For example, there are some
trojans that scan networks for services on ports from 31337 to 31340
(called the elite ports in cracking terminology). Since there are no
legitimate services that communicate via these non-standard ports,
blocking them can effectively diminish the chances that potentially
infected nodes on your network independently communicate with their
remote master servers.
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
You can also block outside connections that attempt to spoof private
IP address ranges to infiltrate your LAN. For example, if your LAN uses
the 192.168.1.0/24 range, a rule can tell the Internet-facing network
device (for example, eth0) to drop any packet arriving on that device
with a source address in your LAN IP range. Because it is recommended
to reject forwarded packets as a default policy, any other spoofed IP
address reaching the external-facing device (eth0) is rejected
automatically.
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
Note: There is a distinction between the DROP and REJECT targets when
dealing with appended rules. The REJECT target denies access and
returns a connection refused error to users who attempt to connect to
the service. The DROP target, as the name implies, drops the packet
without any warning. Administrators can use their own discretion when
using these targets. However, to avoid user confusion and attempts to
continue connecting, the REJECT target is recommended.
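To see how the rules above interact with first-match evaluation and the default FORWARD policy, here is an added example that models the decision logic in Python. It is not iptables and not part of the original guide: it is a constructed evaluator that replays the two elite-port rules, the anti-spoofing rule and the chain policies against a few constructed packets. The interface layout (eth0 Internet-facing, eth1 LAN-facing), the ACCEPT rule for ordinary LAN traffic and the sample addresses are assumptions made for the demonstration.

```python
"""Constructed model of first-match iptables filtering (not iptables itself).

Added example: applies the OUTPUT and FORWARD rules from the text, with the
recommended default DROP policy on FORWARD, to constructed packets and reports
the verdict. eth1 as the LAN-side device and the ACCEPT rule for genuine LAN
traffic are assumptions for the demo.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")  # the LAN range used in the text


@dataclass(frozen=True)
class Packet:
    chain: str               # "OUTPUT" (locally generated) or "FORWARD" (routed)
    in_iface: Optional[str]  # ingress device, None for locally generated packets
    out_iface: Optional[str] # egress device
    proto: str               # "tcp", "udp", ...
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One appended (-A) rule; None means 'any' for that match, as in iptables."""
    chain: str
    target: str                        # ACCEPT, DROP or REJECT
    in_iface: Optional[str] = None     # -i
    out_iface: Optional[str] = None    # -o
    proto: Optional[str] = None        # -p
    src: Optional[IPv4Network] = None  # -s
    sport: Optional[range] = None      # --sport as a range (single port = 1-wide)
    dport: Optional[range] = None      # --dport

    def matches(self, pkt: Packet) -> bool:
        return all((
            self.in_iface is None or self.in_iface == pkt.in_iface,
            self.out_iface is None or self.out_iface == pkt.out_iface,
            self.proto is None or self.proto == pkt.proto,
            self.src is None or ip_address(pkt.src) in self.src,
            self.sport is None or pkt.sport in self.sport,
            self.dport is None or pkt.dport in self.dport,
        ))


def port(p: int) -> range:
    """A single port expressed as a 1-wide range."""
    return range(p, p + 1)


# Default policies (-P): the text recommends rejecting forwarded traffic by default.
POLICY = {"OUTPUT": "ACCEPT", "FORWARD": "DROP"}

RULES = [
    # iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
    Rule("OUTPUT", "DROP", out_iface="eth0", proto="tcp", sport=port(31337), dport=port(31337)),
    # iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
    Rule("FORWARD", "DROP", out_iface="eth0", proto="tcp", sport=port(31337), dport=port(31337)),
    # iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP   (anti-spoofing)
    Rule("FORWARD", "DROP", in_iface="eth0", src=LAN),
    # Assumed for the demo: let genuine LAN traffic (arriving on eth1) out via eth0.
    Rule("FORWARD", "ACCEPT", in_iface="eth1", out_iface="eth0", src=LAN),
]


def verdict(pkt: Packet, rules=RULES, policy=POLICY) -> str:
    """First matching rule in the packet's chain wins; otherwise the chain policy."""
    for rule in rules:
        if rule.chain == pkt.chain and rule.matches(pkt):
            return rule.target
    return policy[pkt.chain]


def sender_sees(verdict_name: str) -> Optional[str]:
    """What the sender observes: REJECT answers with an error, DROP stays silent."""
    return {"REJECT": "icmp-port-unreachable (connection refused)",
            "DROP": None,
            "ACCEPT": "normal reply"}[verdict_name]


# Constructed packets (203.0.113.5 is a documentation address standing in for a remote host)
SPOOFED = Packet("FORWARD", "eth0", "eth1", "tcp", "192.168.1.77", "192.168.1.10", 40000, 22)
LAN_WEB = Packet("FORWARD", "eth1", "eth0", "tcp", "192.168.1.10", "203.0.113.5", 51000, 443)
ELITE = Packet("FORWARD", "eth1", "eth0", "tcp", "192.168.1.10", "203.0.113.5", 31337, 31337)
LOCAL_ELITE = Packet("OUTPUT", None, "eth0", "tcp", "192.168.1.1", "203.0.113.5", 31337, 31337)
UNMATCHED = Packet("FORWARD", "eth2", "eth0", "udp", "10.0.0.5", "203.0.113.5", 5000, 53)

if __name__ == "__main__":
    for name, pkt in [("spoofed", SPOOFED), ("lan_web", LAN_WEB), ("elite", ELITE),
                      ("local_elite", LOCAL_ELITE), ("unmatched", UNMATCHED)]:
        v = verdict(pkt)
        print(f"{name:12s} -> {v:6s} sender sees: {sender_sees(v)}")
```

Two things the model makes visible that the rule listing alone does not: the spoofed packet is caught by the anti-spoofing rule before any ACCEPT rule can see it, because appended rules are evaluated in order, and a packet that matches nothing (here UDP on an unexpected device) falls through to the FORWARD policy, which is why the text recommends a restrictive default there. Swapping a DROP target for REJECT in RULES changes only what the sender observes, as sender_sees shows, not which packets get through.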