[clue-tech] Need a quick IPTABLES line
David L. Anselmi
anselmi at anselmi.us
Fri Jun 13 20:31:26 MDT 2008
David L. Willson wrote:
[...]
> iptables -A INPUT -s 77.41.40.0/21 -j DROP
>
> Dave Anselmi or someone else of equally deific intelligence level will validate. :-)
Yeah, you have it right. Though I hardly count as deific, just anal.
I'd have probably locked myself out in the course of setting up the rule.
Of course you'd like to check your work to see that you got it right,
rather than counting on me (answering the mail, or answering correctly).
So. You can't try out connections with nc or telnet or such because you
can't get a source address that works and actually routes to you.
(Well, maybe you could set up an IP alias on the box and some local
routes and use that, but it'd give you a headache to figure out how.)
But you could use 127.41.40.0/21 in your command and see whether you can
ping something like 127.41.4x.x. That range is in the loopback subnet
(127.0.0.0/8). So you can see that it pings, then run your command,
then it doesn't ping.
That's not exactly a guarantee, and may not work for more complicated
things. Everything is running locally and you don't know which
direction is being blocked. But it's better than nothing.
Dave
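As an added illustration (not part of the original post or thread), the script below does two things the reply describes: it checks, with plain shell arithmetic, which addresses fall inside the 77.41.40.0/21 prefix so you can confirm the mask is what you meant, and it wraps the loopback trick (same rule with 127 swapped in for the first octet, ping before, add the DROP, ping after, remove the DROP). The `in_cidr`, `ip_to_int` and `loopback_check` function names and the `RUN_LOOPBACK_CHECK` variable are this example's own; the iptables commands are the ones from the post. The loopback part only runs as root with iptables installed and the variable set, and it deletes the rule it adds.

```shell
#!/bin/sh
# Added example: sanity-check an iptables source-range DROP rule.

# ip_to_int A.B.C.D -> 32-bit integer (POSIX sh arithmetic)
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> returns 0 when ADDR is inside the prefix.
# Lets you confirm that /21 covers 77.41.40.0 - 77.41.47.255 and nothing else.
in_cidr() {
  addr=$(ip_to_int "$1")
  net=${2%/*}
  prefix=${2#*/}
  netint=$(ip_to_int "$net")
  # 4294967295 is 0xFFFFFFFF; the trailing & keeps the shift inside 32 bits.
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( netint & mask )) ]
}

# loopback_check NET/PREFIX
# Re-creates the post's test: map the range into 127.0.0.0/8, ping one host in
# it, add the DROP rule, ping again, then delete the rule. Ping should succeed
# before and fail after (the echo reply arrives on INPUT with a source in the
# blocked range). Needs root and iptables.
loopback_check() {
  range=$1                          # e.g. 77.41.40.0/21
  lb_range="127.${range#*.}"        # -> 127.41.40.0/21
  lb_net=${lb_range%/*}
  probe="${lb_net%.*}.1"            # -> 127.41.40.1 (first host in the range)

  if ping -c 1 -W 1 "$probe" >/dev/null 2>&1; then
    echo "before rule: $probe answers"
  else
    echo "before rule: $probe does not answer; test is inconclusive"
    return 1
  fi

  iptables -A INPUT -s "$lb_range" -j DROP
  if ping -c 1 -W 1 "$probe" >/dev/null 2>&1; then
    echo "after rule: $probe still answers; rule did NOT take effect"
    result=1
  else
    echo "after rule: $probe is blocked; rule works"
    result=0
  fi
  # Clean up so the loopback range is not left blocked.
  iptables -D INPUT -s "$lb_range" -j DROP
  return $result
}

# Show what the mask covers for the range from the post.
for a in 77.41.39.255 77.41.40.0 77.41.44.12 77.41.47.255 77.41.48.0; do
  if in_cidr "$a" 77.41.40.0/21; then
    echo "$a  inside 77.41.40.0/21 (would be dropped)"
  else
    echo "$a  outside 77.41.40.0/21"
  fi
done

# Only touch the firewall when explicitly asked, as root, with iptables present.
if [ "${RUN_LOOPBACK_CHECK:-0}" = "1" ] && [ "$(id -u)" -eq 0 ] \
   && command -v iptables >/dev/null 2>&1; then
  loopback_check 77.41.40.0/21
fi
```

Run it as `RUN_LOOPBACK_CHECK=1 sudo sh check.sh` to exercise the loopback part; without the variable it only prints the prefix membership table. As the post says, the loopback test shows the rule matches and drops something, not which direction; for a rule on INPUT with a source match that is usually enough to catch a typo in the mask.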