From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
To: netfilter@lists.netfilter.org
Subject: Re: Trouble rejecting connections
Date: Thu, 29 Jan 2004 08:55:46 -0500
Message-ID: <401910E2.7030401@Loudoun-Fairfax.com>
In-Reply-To: <E1AlxZm-0003j0-6i@aphex.cyberpixels.com>
Ben wrote:
>>Jeff wrote:
>>
>>You need to move these DROP and LOG rules up so they come before the ACCEPT
>>rules. Otherwise the packets may have already been accepted.
>
>Ok, I've now edited the script so it looks like this
>
>IPTABLES="/sbin/iptables"
>
>#Flush everything, start from scratch
>$IPTABLES -F
>
>#Set default policies to DROP
>$IPTABLES -P INPUT DROP
>$IPTABLES -P FORWARD DROP
>
>#Add DENY people here
>$IPTABLES -A INPUT -s blocked.ip.address.here -j DROP
>
>
This should drop anything coming into the host for the blocked IP. Are
you trying to block packets being forwarded to another box? The INPUT
chain only sees packets destined for the firewall host itself. If you
are trying to filter packets that are forwarded, you need to use the
FORWARD chain.
>#Allow all lo traffic
>$IPTABLES -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
>
>#Allow all related and established connections
>$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>#Set default OUTPUT policy to ACCEPT
>$IPTABLES -P OUTPUT ACCEPT
>
># Open ports for server/services
>$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 37 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 43 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
>$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT
>$IPTABLES -A INPUT -p udp --dport 465 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 873 -j ACCEPT
>$IPTABLES -A INPUT -p udp --dport 873 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 2082 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 2083 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 2086 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 2087 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 2089 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 2095 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT
>$IPTABLES -A INPUT -p tcp --dport 6666 -j ACCEPT
>
>#Enable Blogger support (non-standards compliant piece of dogshit that it
>is)
>$IPTABLES -A INPUT -s 66.102.15.83 -j ACCEPT
>$IPTABLES -A INPUT -s 216.34.7.186 -j ACCEPT
>
>#Add passive-mode people here
>#$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT
>
>#Logging
>$IPTABLES -A INPUT -j LOG --log-prefix "INPUTDEFAULT: "
>
>#Save rules
>iptables-save > /etc/sysconfig/iptables
>
>#Restart for rules to take effect
>service iptables restart
>
>However, I am still able to connect from blocked.ip.address.here
>
>
Try running iptables -L -n -v -x -Z. Make sure that the rules are
listed correctly and that you don't have rules in other tables that
might interfere with the filtering.
Jeff
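As an added illustration of the top-to-bottom, first-match walk Jeff is describing (this is not code from Ben, Jeff or the netfilter project), the Python below parses an iptables-save style dump constructed to mirror the ordering in the script above, with the documentation address 203.0.113.7 standing in for blocked.ip.address.here, and reports which rule a given packet hits. The packet fields, the SAMPLE_DUMP text and the function names are all assumptions made for the example.

```python
import ipaddress
import shlex

# Constructed iptables-save style dump with the rule order from Ben's script;
# 203.0.113.7 (a documentation address) stands in for blocked.ip.address.here.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUTDEFAULT: "
COMMIT
"""

OPTS = ("-s", "-d", "-i", "-p", "-j", "--dport", "--state", "--log-prefix")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG is not: the walk continues past it

def parse_chain(dump, chain="INPUT"):
    """Return (policy, rules) for one chain; each rule is a dict of option -> value."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            toks = shlex.split(line)[2:]
            # "-m <ext>" only loads a match module, so it carries no packet condition.
            rules.append({toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i] in OPTS})
    return policy, rules

def rule_matches(rule, pkt):
    """pkt keys: src, iface, proto, dport, state; options absent from a rule match anything."""
    checks = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "-i": lambda v: v == pkt["iface"],
        "-p": lambda v: v == pkt["proto"],
        "--dport": lambda v: int(v) == pkt["dport"],
        "--state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt in checks)

def verdict(dump, pkt, chain="INPUT"):
    """Walk the chain top to bottom; return (target, 1-based rule number) or (policy, None)."""
    policy, rules = parse_chain(dump, chain)
    for num, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt) and rule["-j"] in TERMINATING:
            return rule["-j"], num
    return policy, None
```

Moving the DROP line below the port ACCEPT rules makes verdict() return ACCEPT for the blocked source, which is exactly the ordering mistake this thread started from; on a live host the per-rule counters from iptables -L -v -x show the same thing.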