iptables problem

Dropping IP ranges if port 80 or 443


dstiles

2:32 pm on Sep 24, 2020 (gmt 0)

Any iptables experts here?

I'm trying to drop IP ranges depending on the port used, specifically to stop IP ranges from hitting a web server whilst allowing them access to a mail server on the same box. I've got as far as the line below but iptables rejects it (Couldn't load match 'mport': no such file...). If I replace mport with multiport I just get "Bad argument '--dports'. I'm assuming I've got something wrong and that it's not just a version problem (iptables v1.6.0).
 iptables -I INPUT -s $ip -p tcp -m mport –-dports 80,443 -j DROP

lammert

3:02 pm on Sep 24, 2020 (gmt 0)

Did you try --match multiport instead of -m mport?

dstiles

5:44 pm on Sep 24, 2020 (gmt 0)

Thanks for the idea. Just tried it and got "Bad argument '--dports'".

lucy24

9:24 pm on Sep 24, 2020 (gmt 0)

Did you try --match multiport instead of -m mport?
i.e. change three separate things? (It was easy to overlook one of them.)

dstiles

8:37 am on Sep 25, 2020 (gmt 0)

Lucy - ?
I tried:
iptables -I INPUT -s $ip -p tcp --match multiport –-dports 80,443 -j DROP


(Forgot to say, the $1 is the IP passed into a bash script)

I have just tried a single-port version but with the same "bad argument --dport"...
iptables -I INPUT -s $ip -p tcp –-dport 443 -j DROP

phranque

8:45 am on Sep 25, 2020 (gmt 0)

(Forgot to say, the $1 is the IP passed into a bash script)

$1 or $ip?

lammert

8:55 am on Sep 25, 2020 (gmt 0)

If $ip is empty, the -p is seen as an argument to -s and the -p tcp is not recognized. Because --dport(s) is dependent on -p tcp, you get the bad argument error. So I think @phranque is right with his observation that probably $1 should be used instead of $ip.

dstiles

9:19 am on Sep 25, 2020 (gmt 0)

Sorry, working on two different scripts. It is, of course, $ip - the lines are pasted directly from the scripts. The full script is based on another which has been running for several years but just adds the IP drop to iptables. The full script for this one is...

#!/bin/bash
#
ip=""
echo 'Block HTTP: Enter the IP... (end with empty entry)'
while read -r ip
do
if [ "$ip" == "" ]; then break
fi
iptables -I INPUT -s $ip -p tcp --match multiport –-dports 80,443 -j DROP
done

lammert

9:50 am on Sep 25, 2020 (gmt 0)

I found the problem, but it is a tricky one.

The first minus sign in your script in the --dports is not the minus from your keyboard, but a Unicode en dash or em dash sign. It looks almost the same but is not recognized by the script. Just remove the minus characters, and type them again.

dstiles

10:01 am on Sep 25, 2020 (gmt 0)

Genius! Thanks, that did it. Serves me right for pasting from a web site - at least, the dports bit. Something to remember in future. :)
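Both failure modes discussed in this thread (an empty, unquoted $ip that lets iptables read "-p" as the argument of "-s", and a pasted en dash that is not the ASCII "-") can be caught before the rule ever reaches iptables. The script below is an added example, not code from the thread or from any of its posters: it rewrites the block-by-IP helper so that the address is quoted and validated, the rule text is checked for non-ASCII bytes, and the same "-m multiport --dports 80,443" rule as the thread is used (the mport match from the first post is not loadable on that iptables, as the error message shows; multiport is the working name). The chain (INPUT), the ports (80,443), the IPTABLES environment variable used as a dry-run switch and the --prompt flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a validated version of the block-by-IP helper.
# Assumptions: POSIX sh, a grep that honours LC_ALL=C, the INPUT chain and ports
# 80,443 as in the thread. IPTABLES=echo turns block_web into a dry run (the
# variable name is this example's, not an iptables feature).
set -u -f

# Print the number of arguments received. Demonstrates lammert's point: an empty,
# unquoted $ip disappears, so "-s $ip -p tcp" becomes "-s -p tcp" and iptables
# takes "-p" as the address.
argc() { echo $#; }

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
  addr=${1:-}
  case "$addr" in
    */*) prefix=${addr#*/}; addr=${addr%%/*} ;;
    *)   prefix=32 ;;
  esac
  case "$prefix" in [0-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    # digits only, no leading zero (08 could be read as octal), at most 255
    case "$octet" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 holds only printable ASCII and whitespace. A pasted en dash
# (U+2013, bytes E2 80 93) or any other non-ASCII byte makes it return 1.
ascii_only() {
  printf '%s' "$1" | LC_ALL=C grep -q '[^[:print:][:space:]]' && return 1
  return 0
}

# Print, with line numbers, the lines of a file (or stdin) that contain non-ASCII
# bytes: the quick way to find a pasted dash in an existing script.
non_ascii_lines() { LC_ALL=C grep -n '[^[:print:][:space:]]' "$@"; }

# Print the iptables argument list for one address: $1 is -I (insert) or -D (delete).
web_drop_rule() {
  printf '%s INPUT -s %s -p tcp -m multiport --dports 80,443 -j DROP\n' "$1" "$2"
}

# Validate the action and address, then hand the rule to iptables. Returns 2 on
# bad input instead of letting iptables guess what the line meant.
block_web() {
  action=${1:-} ip=${2:-}
  case "$action" in -I|-D) ;; *) echo "block_web: action must be -I or -D" >&2; return 2 ;; esac
  [ -n "$ip" ] || { echo "block_web: empty address" >&2; return 2; }
  valid_ipv4_cidr "$ip" || { echo "block_web: '$ip' is not an IPv4 address/CIDR" >&2; return 2; }
  # every field is validated plain ASCII without spaces, so word-splitting is safe here
  ${IPTABLES:-iptables} $(web_drop_rule "$action" "$ip")
}

# Constructed sample input: the thread's rule as pasted (en dash) and as typed.
PASTED_RULE="iptables -I INPUT -s \$ip -p tcp --match multiport $(printf '\342\200\223')-dports 80,443 -j DROP"
TYPED_RULE='iptables -I INPUT -s $ip -p tcp --match multiport --dports 80,443 -j DROP'

# The thread's interactive loop, with the address quoted and validated.
# Run as: IPTABLES=echo sh block_web.sh --prompt   (drop IPTABLES=echo to apply)
if [ "${1:-}" = "--prompt" ]; then
  echo 'Block HTTP: Enter the IP... (end with empty entry)'
  while read -r ip; do
    [ -n "$ip" ] || break
    block_web -I "$ip" || echo "skipped: $ip" >&2
  done
fi
```

To find the pasted dash in a script you already have, run `LC_ALL=C grep -n '[^[:print:][:space:]]' script.sh` (what non_ascii_lines wraps); the en dash shows up as the three bytes E2 80 93 in `od -c` output. Quoting "$ip" alone would have turned the original "Bad argument '--dports'" into a clearer "-s" error for an empty address, but validating the address first means a typo never reaches the firewall at all.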