From: "Gáspár Lajos" <swifty@freemail.hu>
To: Netfilter IPtableMailinglist <netfilter@lists.netfilter.org>
Subject: Re: Blocking ip addresses and regulating bandwidth
Date: Mon, 07 Aug 2006 12:21:20 +0200
Message-ID: <44D71420.7020009@freemail.hu>
In-Reply-To: <96bc76cf0608041411k6c610c44mcb351a9ebfedfce3@mail.gmail.com>

Vlad Janicek wrote:
> Hey there,
>
> I have a Linux router using netfilter. I've been using it for years
> now and now I'm starting to have a problem. I want to block some IPs
> for excess of traffic. I've been using this
>
> iptables -I FORWARD 1 -s 192.168.0.187 -j DROP
>
> and that IP is still connected to the internet. Is there anything
> wrong there? Also, what would be the best way to restrict bandwidth to
> users with netfilter?? Is there any gui or web interface for that??
For bandwidth limiting, Read The Fine Manual of lartc.... :) www.lartc.org
You have to play with "tc".

> This is my iptable script. Thanks a lot for your help
>
> Vlad
>
>
> #Loading the firewall rules
> #loading modules
> modprobe ip_conntrack_ftp
> modprobe ip_conntrack_irc
> modprobe iptable_nat
> modprobe ip_nat_ftp
> echo "Borrando posibles reglas anteriores..."
>
> IPTABLES="/sbin/iptables"
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
> $IPTABLES -t mangle -P PREROUTING ACCEPT
> $IPTABLES -t mangle -P OUTPUT ACCEPT
-P = Policy.... ACCEPT all ??? I would set all filter tables to DROP... 
But be careful...
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -t mangle -F
> $IPTABLES -X
> $IPTABLES -t nat -X
> $IPTABLES -t mangle -X
Clean tables...
>
> echo "Habilitando politicas de negacion total de paquetes"
>
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
Hmmm.... Why did you say ACCEPT a few lines before???

> echo "Reglas para paquetes de entrada y salida"
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> #iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> #iptables -A INPUT -p tcp -s mygmaildomain.fake --dport 3000 -j ACCEPT
> #iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> #iptables -A INPUT -p tcp --dport 143 -j ACCEPT
> #iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> #iptables -A INPUT -p tcp --dport 110 -j ACCEPT
>
> #To allow full access to the server from the inside
> iptables -A INPUT -i eth1 -s 192.168.0.0/22 -j ACCEPT
>
ACCEPT EVERYTHING from the subnet !!!
> #for forwarding
>
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> #forward chains for internet access
>
> iptables -P FORWARD DROP
Again... Why ACCEPT before???
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>
> #Block limewire
> iptables -A FORWARD -p tcp --dport 6346 -j DROP
> iptables -A FORWARD -p udp --dport 6346 -j DROP
> iptables -A FORWARD -p tcp --dport 6345 -j DROP
> iptables -A FORWARD -p udp --dport 6345 -j DROP
>
> ##
> ##
> ##Packet redirection to internal servers
> ##
> ##
> ##
> #internal WebServer
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.74.2 -p tcp --dport 80 \
>    -j DNAT --to-destination 192.168.0.2:80
>
> #ftp to netfinity
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 21 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.74.2 -p tcp --dport 21 \
>    -j DNAT --to-destination 192.168.0.2:21
>
> #mail
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.74.2 -p tcp --dport 25 \
>    -j DNAT --to-destination 192.168.0.2:25
>
> #pop
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 110 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.74.2 -p tcp --dport 110 \
>    -j DNAT --to-destination 192.168.0.2:110
>
> #imap
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 143 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.74.2 -p tcp --dport 143 \
>    -j DNAT --to-destination 192.168.0.2:143
>
>
> ##
> ##
> ##Access for clients and servers
> ##
> ##
> ##
>
> #chain for direct internet access
>
> #packet forwarding to allow the Netfinity server access
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> #blocked users
> iptables -I FORWARD 1 -d 192.168.0.187 -j DROP
In the header of your mail you wrote:
iptables -I FORWARD 1 -s 192.168.0.187 -j DROP

Hmmm... -s or -d ????
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
>
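The three points raised in the reply above (set the filter policies to DROP once instead of ACCEPT then DROP, match the blocked host with -s rather than -d, and use tc for bandwidth) put together as a small sh script. This is an added example, not Gáspár's or Vlad's code. It assumes eth0 is the WAN side, eth1 the LAN side, 192.168.0.0/22 the LAN subnet and 192.168.0.187 the blocked host (all taken from the quoted script); the HTB class ids and rates are invented for the example. With DRY_RUN=1 it prints every command instead of running it, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: eth0 = WAN, eth1 = LAN,
# LAN subnet 192.168.0.0/22, blocked host 192.168.0.187 (from the quoted
# script); HTB class numbers and rates are made up for the example.
# DRY_RUN=1 prints each command instead of executing it.

IPTABLES="${IPTABLES:-/sbin/iptables}"
TC="${TC:-/sbin/tc}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/22}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Flush, then set the filter policies exactly once, to DROP. Setting ACCEPT
# first and DROP later, as the quoted script does, leaves a window during the
# rebuild where everything is allowed.
base_policy() {
    run "$IPTABLES" -F
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -X
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT
}

# Allow replies in, ssh from the LAN, and LAN-to-internet with masquerading.
base_rules() {
    run "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    run "$IPTABLES" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Cut a LAN host off. -s matches the host's own outbound packets, which is
# what the original post wanted; -d (what the quoted script used) matches only
# traffic *to* the host. Both go in at position 1 so they sit ahead of the
# RELATED,ESTABLISHED rule; otherwise connections the host already had open
# would keep being accepted by that rule.
block_host() {
    run "$IPTABLES" -I FORWARD 1 -s "$1" -j DROP
    run "$IPTABLES" -I FORWARD 1 -d "$1" -j DROP
}

# Rate-limit what a LAN host can download: shape on the LAN-facing interface,
# where the traffic leaves the router toward the host, with HTB (the tc setup
# the reply points to at lartc.org). Class 1:10 is the default for everyone
# else; class 1:20 is capped at $2 (e.g. 512kbit) for the host in $1.
limit_host_download() {
    run "$TC" qdisc add dev "$LAN" root handle 1: htb default 10
    run "$TC" class add dev "$LAN" parent 1: classid 1:10 htb rate 100mbit
    run "$TC" class add dev "$LAN" parent 1: classid 1:20 htb rate "$2" ceil "$2"
    run "$TC" filter add dev "$LAN" parent 1: protocol ip prio 1 u32 \
        match ip dst "$1" flowid 1:20
}

# Apply everything only when invoked as "./fw.sh apply".
if [ "${1:-}" = apply ]; then
    base_policy
    base_rules
    block_host 192.168.0.187
    limit_host_download 192.168.0.187 512kbit
fi
```

Preview with `DRY_RUN=1 sh fw.sh apply`, then run it as root without DRY_RUN; the printed lines are exactly the commands that would be executed, which makes it easy to diff against `iptables -L FORWARD -n --line-numbers` afterwards.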



Thread overview:
2006-08-04 21:11 Blocking ip addresses and regulating bandwidth Vlad Janicek
2006-08-07 10:21 ` Gáspár Lajos [this message]