[Bug 1379] New: Rule to accept INPUT address range does not block address that are not in range specified
bugzilla-daemon at netfilter.org
Thu Nov 7 07:28:00 CET 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1379
Bug ID: 1379
Summary: Rule to accept INPUT address range does not block address that are not in range specified
Product: iptables
Version: 1.4.x
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: sprakash at amiindia.co.in
After setting a RULE to ACCEPT an input address range, it is observed that IP
addresses not in the range can also access the machine.
~ # iptables -V
iptables v1.4.21
~ # iptables -I INPUT -p all -m iprange --src-range 192.168.1.70-192.168.1.90 -j ACCEPT
~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere source IP range 192.168.1.70-192.168.1.90
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ZERO_WINDOW_RECENT (0 references)
target prot opt source destination
After setting the rule on the server, the server is still accessible via web and
other client tools from IP address 192.168.1.124, which is outside the range
192.168.1.70-192.168.1.90.
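As an added illustration (not part of the report or of the iptables project), a small Python model of iptables first-match chain evaluation: with the INPUT chain policy left at ACCEPT, as the `iptables -L` output above shows, an ACCEPT rule cannot block anything, because a packet that misses the rule falls through to the ACCEPT policy. The corrected variant keeps the same rule but sets the policy to DROP; the rule lists and evaluator here are a simplified model, not the netfilter code.

```python
import ipaddress

# Minimal model of iptables first-match semantics for the INPUT chain:
# rules are tested in order, the first match decides the verdict, and
# the chain policy applies only when no rule matched.
def ip_in_range(ip, src_range):
    lo, hi = (ipaddress.ip_address(a) for a in src_range.split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi

def evaluate_input(src_ip, rules, policy):
    """rules: list of (src_range or None, target); None matches any source."""
    for src_range, target in rules:
        if src_range is None or ip_in_range(src_ip, src_range):
            return target
    return policy  # no rule matched: chain policy decides

# The report's ruleset: one ACCEPT rule and the default policy ACCEPT
# (the "Chain INPUT (policy ACCEPT)" line in iptables -L).
REPORTED_RULES = [("192.168.1.70-192.168.1.90", "ACCEPT")]
REPORTED_POLICY = "ACCEPT"

# Corrected ruleset: same ACCEPT rule, but the chain policy is DROP, so a
# source the range rule does not match is dropped. Equivalent shell:
#   iptables -P INPUT DROP
#   iptables -I INPUT -m iprange --src-range 192.168.1.70-192.168.1.90 -j ACCEPT
# On a real host, add loopback and ESTABLISHED,RELATED accepts before
# switching the policy, or existing sessions and local services break.
CORRECTED_RULES = [("192.168.1.70-192.168.1.90", "ACCEPT")]
CORRECTED_POLICY = "DROP"

def verdicts(src_ip):
    """Return (verdict under the reported ruleset, verdict under the corrected one)."""
    return (evaluate_input(src_ip, REPORTED_RULES, REPORTED_POLICY),
            evaluate_input(src_ip, CORRECTED_RULES, CORRECTED_POLICY))

if __name__ == "__main__":
    # 192.168.1.75 is inside the range; 192.168.1.124 is the reporter's outside address.
    for ip in ("192.168.1.75", "192.168.1.124"):
        print(ip, verdicts(ip))
```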